ChangeLog


2018-10-28  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r237325. rdar://problem/45363533

    DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
    https://bugs.webkit.org/show_bug.cgi?id=190515
    <rdar://problem/45222379>
    
    Reviewed by Saam Barati.
    
    JSTests:
    
    * stress/regress-190515.js: Added.
    
    Source/JavaScriptCore:
    
    1. Fixes calls to asArrayModes() to take a structure's IndexingMode instead of
       IndexingType.
    
    2. DFG's compileNewArrayBuffer()'s HaveABadTime case was previously using the
       node's indexingType (instead of indexingMode) to choose the array structure
       to use for creating an array buffer with.  This turns out to not be an issue
       because when the VM is having a bad time, all the
       arrayStructureForIndexingTypeDuringAllocation structure pointers will point to
       the SlowPutArrayStorage structure anyway.  However, to be strictly correct,
       we'll fix it to use the structure for the node's indexingMode.
    
    * dfg/DFGAbstractValue.cpp:
    (JSC::DFG::AbstractValue::set):
    (JSC::DFG::AbstractValue::mergeOSREntryValue):
    * dfg/DFGAbstractValue.h:
    (JSC::DFG::AbstractValue::validate const):
    * dfg/DFGOSRExit.cpp:
    (JSC::DFG::OSRExit::executeOSRExit):
    * dfg/DFGRegisteredStructureSet.cpp:
    (JSC::DFG::RegisteredStructureSet::arrayModesFromStructures const):
    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
    
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@237325 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-10-22  Mark Lam  <mark.lam@apple.com>

            DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
            https://bugs.webkit.org/show_bug.cgi?id=190515
            <rdar://problem/45222379>

            Reviewed by Saam Barati.

            1. Fixes calls to asArrayModes() to take a structure's IndexingMode instead of
               IndexingType.

            2. DFG's compileNewArrayBuffer()'s HaveABadTime case was previously using the
               node's indexingType (instead of indexingMode) to choose the array structure
               to use for creating an array buffer with.  This turns out to not be an issue
               because when the VM is having a bad time, all the
               arrayStructureForIndexingTypeDuringAllocation structure pointers will point to
               the SlowPutArrayStorage structure anyway.  However, to be strictly correct,
               we'll fix it to use the structure for the node's indexingMode.

            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::set):
            (JSC::DFG::AbstractValue::mergeOSREntryValue):
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::validate const):
            * dfg/DFGOSRExit.cpp:
            (JSC::DFG::OSRExit::executeOSRExit):
            * dfg/DFGRegisteredStructureSet.cpp:
            (JSC::DFG::RegisteredStructureSet::arrayModesFromStructures const):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):

2018-10-26  Mark Lam  <mark.lam@apple.com>

        Cherry-pick r237469. rdar://problem/45363534

    2018-10-26  Mark Lam  <mark.lam@apple.com>

            Fix missing edge cases with JSGlobalObjects having a bad time.
            https://bugs.webkit.org/show_bug.cgi?id=189028
            <rdar://problem/45204939>

            Reviewed by Saam Barati.

            Consider the following scenario:

                let object O1 (of global G1) have an indexing type that is not SlowPut.
                let global G2 have a bad time.
                let object O2 (of global G2) be set as the prototype of O1.
                let object O3 (of global G2) have indexed accessors.

            In the existing code, if we set O3 as O2's prototype, we'll have a bug where
            O1 will not be made aware that there are indexed accessors in its prototype
            chain.

            In this patch, we solve this issue by introducing a new invariant:

                A prototype chain is considered to possibly have indexed accessors if any
                object in the chain belongs to a global object that is having a bad time.

            We apply this invariant as follows:

            1. Enhance JSGlobalObject::haveABadTime() to also check if other global objects are
               affected by it having a bad time.  If so, it also ensures that those affected
               global objects have a bad time.

               The original code for JSGlobalObject::haveABadTime() uses an ObjectsWithBrokenIndexingFinder
               to find all objects affected by the global object having a bad time.  We enhance
               ObjectsWithBrokenIndexingFinder to also check for the possibility that any global
               objects may be affected by other global objects having a bad time i.e.

                    let g1 = global1
                    let g2 = global2
                    let o1 = an object in g1
                    let o2 = an object in g2

                    let g1 have a bad time
                    g2 is affected if
                        o1 is in the prototype chain of o2,
                        and o2 may be a prototype.

               If the ObjectsWithBrokenIndexingFinder does find the possibility of other global
               objects being affected, it will abort its heap scan and let haveABadTime() take
               a slow path to do a more complete multi global object scan.

               The slow path works as follows:

               1. Iterate the heap and record the graph of all global object dependencies.

                  For each global object, record the list of other global objects that are
                  affected by it.

               2. Compute a list of global objects that need to have a bad time using the
                  current global object dependency graph.

               3. For each global object in the list of affected global objects, fire their
                  HaveABadTime watchpoint and convert all their array structures to the
                  SlowPut alternatives.

               4. Re-run ObjectsWithBrokenIndexingFinder to find all objects that are affected
                  by any of the globals in the list from (2).

            2. Enhance Structure::mayInterceptIndexedAccesses() to also return true if the
               structure's global object is having a bad time.

            Note: there are 3 scenarios that we need to consider:

                let g1 = global1
                let g2 = global2
                let o1 = an object in g1
                let o2 = an object in g2

                Scenario 1: o2 is a prototype, and
                            g1 has a bad time after o1 is inserted into o2's prototype chain.

                Scenario 2: o2 is a prototype, and
                            o1 is inserted into o2's prototype chain after g1 has a bad time.

                Scenario 3: o2 is NOT a prototype, and
                            o1 is inserted into o2's prototype chain after g1 has a bad time.

                For scenario 1, when g1 has a bad time, we need to also make sure g2 has
                a bad time.  This is handled by enhancement 1 above.

                For scenario 2, when o1 is inserted into o2's prototype chain, we need to check
                if o1's global object has a bad time.  If so, then we need to make sure o2's
                global also has a bad time (because o2 is a prototype) and convert o2's
                storage type to SlowPut.  This is handled by enhancement 2 above in conjunction
                with JSObject::setPrototypeDirect().

                For scenario 3, when o1 is inserted into o2's prototype chain, we need to check
                if o1's global object has a bad time.  If so, then we only need to convert o2's
                storage type to SlowPut (because o2 is NOT a prototype).  This is handled by
                enhancement 2 above.

            3. Also add $vm.isHavingABadTime(), $vm.createGlobalObject() to enable us to
               write some tests for this issue.

            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut):
            (JSC::JSGlobalObject::haveABadTime):
            * runtime/JSGlobalObject.h:
            * runtime/JSObject.h:
            (JSC::JSObject::mayInterceptIndexedAccesses): Deleted.
            * runtime/JSObjectInlines.h:
            (JSC::JSObject::mayInterceptIndexedAccesses):
            * runtime/Structure.h:
            * runtime/StructureInlines.h:
            (JSC::Structure::mayInterceptIndexedAccesses const):
            * tools/JSDollarVM.cpp:
            (JSC::functionHaveABadTime):
            (JSC::functionIsHavingABadTime):
            (JSC::functionCreateGlobalObject):
            (JSC::JSDollarVM::finishCreation):
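    As an added illustration (not JavaScriptCore's code), the following JavaScript is a toy model of the invariant and the multi-global slow path described in the entry above: globals own objects, objects have prototype links, and a global having a bad time drags along every global whose prototype objects reach one of its objects. GlobalObject, HeapObject, allocate, runScenario and the other names are assumptions of the model, not engine APIs.

```javascript
// Toy model of the "bad time" invariant (added example, not JSC's implementation).
class GlobalObject {
  constructor(name) {
    this.name = name;
    this.havingABadTime = false;
    this.arrayStructuresSlowPut = false; // stands in for the SlowPut structure conversion
  }
}

class HeapObject {
  constructor(global, { mayBePrototype = false } = {}) {
    this.global = global;
    this.proto = null;
    this.mayBePrototype = mayBePrototype;
    this.indexingIsSlowPut = false;
  }
}

// The "heap" is simply every live object of the model (constructed inline).
let heap = [];
function resetHeap() { heap = []; }
function allocate(global, opts) { const o = new HeapObject(global, opts); heap.push(o); return o; }

function* prototypeChain(obj) {
  for (let p = obj.proto; p; p = p.proto) yield p;
}

// Slow path step 1: record which globals are affected by which. g2 is affected by g1
// if some o1 of g1 is in the prototype chain of some o2 of g2 and o2 may be a prototype.
function globalDependencyGraph() {
  const affected = new Map(); // g1 -> Set of globals affected by g1
  for (const o2 of heap) {
    if (!o2.mayBePrototype) continue;
    for (const o1 of prototypeChain(o2)) {
      if (o1.global === o2.global) continue;
      if (!affected.has(o1.global)) affected.set(o1.global, new Set());
      affected.get(o1.global).add(o2.global);
    }
  }
  return affected;
}

// Slow path step 2: every global reachable from `start` in the dependency graph.
function globalsNeedingABadTime(start, graph) {
  const result = new Set([start]);
  const work = [start];
  while (work.length) {
    const g = work.pop();
    for (const dep of graph.get(g) || []) {
      if (!result.has(dep)) { result.add(dep); work.push(dep); }
    }
  }
  return result;
}

// Enhancement 2: a chain may intercept indexed accesses if any object in it belongs
// to a global that is having a bad time.
function mayInterceptIndexedAccesses(obj) {
  for (const p of prototypeChain(obj)) if (p.global.havingABadTime) return true;
  return false;
}

// Slow path steps 3 and 4: mark every affected global, then convert every object that
// belongs to one of them or whose prototype chain reaches one of their objects.
function haveABadTime(global) {
  const affected = globalsNeedingABadTime(global, globalDependencyGraph());
  for (const g of affected) { g.havingABadTime = true; g.arrayStructuresSlowPut = true; }
  for (const o of heap) {
    if (affected.has(o.global) || mayInterceptIndexedAccesses(o)) o.indexingIsSlowPut = true;
  }
  return affected;
}

// Scenarios 2 and 3: o1 is inserted into o2's chain after o1's global already has a bad time.
function setPrototypeDirect(o2, o1) {
  o2.proto = o1;
  if (mayInterceptIndexedAccesses(o2)) {
    o2.indexingIsSlowPut = true;                 // always convert o2's storage
    if (o2.mayBePrototype) haveABadTime(o2.global); // and drag o2's global along if o2 is a prototype
  }
}

// Replays the three scenarios from the entry; returns the resulting state for inspection.
function runScenario(n) {
  resetHeap();
  const g1 = new GlobalObject('g1'), g2 = new GlobalObject('g2');
  const o1 = allocate(g1);
  const o2 = allocate(g2, { mayBePrototype: n !== 3 });
  if (n === 1) { o2.proto = o1; haveABadTime(g1); }   // insert first, then g1 has a bad time
  else { haveABadTime(g1); setPrototypeDirect(o2, o1); } // g1 has a bad time, then insert
  return { g1Bad: g1.havingABadTime, g2Bad: g2.havingABadTime, o2SlowPut: o2.indexingIsSlowPut };
}
```

    Scenarios 1 and 2 must end with both globals having a bad time, while scenario 3 only converts o2's storage.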

2018-10-23  Kocsen Chung  <kocsen_chung@apple.com>

        Cherry-pick r236606. rdar://problem/45285669

    Gardening: speculative build fix.
    <rdar://problem/44869924>
    
    Not reviewed.
    
    * assembler/LinkBuffer.cpp:
    (JSC::LinkBuffer::copyCompactAndLinkCode):
    
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236606 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-09-28  Mark Lam  <mark.lam@apple.com>

            Gardening: speculative build fix.
            <rdar://problem/44869924>

            Not reviewed.

            * assembler/LinkBuffer.cpp:
            (JSC::LinkBuffer::copyCompactAndLinkCode):

2018-10-23  Kocsen Chung  <kocsen_chung@apple.com>

        Cherry-pick r236604. rdar://problem/45285669

    [JSC] [Armv7] Add a copy function argument to MacroAssemblerARMv7::link() and pass it down to the assembler's linking functions.
    https://bugs.webkit.org/show_bug.cgi?id=190080
    
    Reviewed by Mark Lam.
    
    * assembler/ARMv7Assembler.h:
    (JSC::ARMv7Assembler::link):
    (JSC::ARMv7Assembler::linkJumpT1):
    (JSC::ARMv7Assembler::linkJumpT2):
    (JSC::ARMv7Assembler::linkJumpT3):
    (JSC::ARMv7Assembler::linkJumpT4):
    (JSC::ARMv7Assembler::linkConditionalJumpT4):
    (JSC::ARMv7Assembler::linkBX):
    (JSC::ARMv7Assembler::linkConditionalBX):
    * assembler/MacroAssemblerARMv7.h:
    (JSC::MacroAssemblerARMv7::link):
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236604 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-09-28  Guillaume Emont  <guijemont@igalia.com>

            [JSC] [Armv7] Add a copy function argument to MacroAssemblerARMv7::link() and pass it down to the assembler's linking functions.
            https://bugs.webkit.org/show_bug.cgi?id=190080

            Reviewed by Mark Lam.

            * assembler/ARMv7Assembler.h:
            (JSC::ARMv7Assembler::link):
            (JSC::ARMv7Assembler::linkJumpT1):
            (JSC::ARMv7Assembler::linkJumpT2):
            (JSC::ARMv7Assembler::linkJumpT3):
            (JSC::ARMv7Assembler::linkJumpT4):
            (JSC::ARMv7Assembler::linkConditionalJumpT4):
            (JSC::ARMv7Assembler::linkBX):
            (JSC::ARMv7Assembler::linkConditionalBX):
            * assembler/MacroAssemblerARMv7.h:
            (JSC::MacroAssemblerARMv7::link):

2018-10-23  Kocsen Chung  <kocsen_chung@apple.com>

        Cherry-pick r236589. rdar://problem/45285669

    Verify the contents of AssemblerBuffer on arm64e
    https://bugs.webkit.org/show_bug.cgi?id=190057
    <rdar://problem/38916630>
    
    Reviewed by Mark Lam.
    
    JSTests:
    
    * stress/regress-189132.js:
    
    Source/JavaScriptCore:
    
    * assembler/ARM64Assembler.h:
    (JSC::ARM64Assembler::ARM64Assembler):
    (JSC::ARM64Assembler::fillNops):
    (JSC::ARM64Assembler::link):
    (JSC::ARM64Assembler::linkJumpOrCall):
    (JSC::ARM64Assembler::linkCompareAndBranch):
    (JSC::ARM64Assembler::linkConditionalBranch):
    (JSC::ARM64Assembler::linkTestAndBranch):
    (JSC::ARM64Assembler::unlinkedCode): Deleted.
    * assembler/ARMAssembler.h:
    (JSC::ARMAssembler::fillNops):
    * assembler/ARMv7Assembler.h:
    (JSC::ARMv7Assembler::unlinkedCode): Deleted.
    * assembler/AbstractMacroAssembler.h:
    (JSC::AbstractMacroAssembler::emitNops):
    (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
    * assembler/AssemblerBuffer.h:
    (JSC::ARM64EHash::ARM64EHash):
    (JSC::ARM64EHash::update):
    (JSC::ARM64EHash::hash const):
    (JSC::ARM64EHash::randomSeed const):
    (JSC::AssemblerBuffer::AssemblerBuffer):
    (JSC::AssemblerBuffer::putShort):
    (JSC::AssemblerBuffer::putIntUnchecked):
    (JSC::AssemblerBuffer::putInt):
    (JSC::AssemblerBuffer::hash const):
    (JSC::AssemblerBuffer::data const):
    (JSC::AssemblerBuffer::putIntegralUnchecked):
    (JSC::AssemblerBuffer::append): Deleted.
    * assembler/LinkBuffer.cpp:
    (JSC::LinkBuffer::copyCompactAndLinkCode):
    * assembler/MIPSAssembler.h:
    (JSC::MIPSAssembler::fillNops):
    * assembler/MacroAssemblerARM64.h:
    (JSC::MacroAssemblerARM64::jumpsToLink):
    (JSC::MacroAssemblerARM64::link):
    (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
    * assembler/MacroAssemblerARMv7.h:
    (JSC::MacroAssemblerARMv7::jumpsToLink):
    (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
    * assembler/X86Assembler.h:
    (JSC::X86Assembler::fillNops):
    
    Source/WTF:
    
    * wtf/PtrTag.h:
    (WTF::tagInt):
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236589 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-09-27  Saam barati  <sbarati@apple.com>

            Verify the contents of AssemblerBuffer on arm64e
            https://bugs.webkit.org/show_bug.cgi?id=190057
            <rdar://problem/38916630>

            Reviewed by Mark Lam.

            * assembler/ARM64Assembler.h:
            (JSC::ARM64Assembler::ARM64Assembler):
            (JSC::ARM64Assembler::fillNops):
            (JSC::ARM64Assembler::link):
            (JSC::ARM64Assembler::linkJumpOrCall):
            (JSC::ARM64Assembler::linkCompareAndBranch):
            (JSC::ARM64Assembler::linkConditionalBranch):
            (JSC::ARM64Assembler::linkTestAndBranch):
            (JSC::ARM64Assembler::unlinkedCode): Deleted.
            * assembler/ARMAssembler.h:
            (JSC::ARMAssembler::fillNops):
            * assembler/ARMv7Assembler.h:
            (JSC::ARMv7Assembler::unlinkedCode): Deleted.
            * assembler/AbstractMacroAssembler.h:
            (JSC::AbstractMacroAssembler::emitNops):
            (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
            * assembler/AssemblerBuffer.h:
            (JSC::ARM64EHash::ARM64EHash):
            (JSC::ARM64EHash::update):
            (JSC::ARM64EHash::hash const):
            (JSC::ARM64EHash::randomSeed const):
            (JSC::AssemblerBuffer::AssemblerBuffer):
            (JSC::AssemblerBuffer::putShort):
            (JSC::AssemblerBuffer::putIntUnchecked):
            (JSC::AssemblerBuffer::putInt):
            (JSC::AssemblerBuffer::hash const):
            (JSC::AssemblerBuffer::data const):
            (JSC::AssemblerBuffer::putIntegralUnchecked):
            (JSC::AssemblerBuffer::append): Deleted.
            * assembler/LinkBuffer.cpp:
            (JSC::LinkBuffer::copyCompactAndLinkCode):
            * assembler/MIPSAssembler.h:
            (JSC::MIPSAssembler::fillNops):
            * assembler/MacroAssemblerARM64.h:
            (JSC::MacroAssemblerARM64::jumpsToLink):
            (JSC::MacroAssemblerARM64::link):
            (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
            * assembler/MacroAssemblerARMv7.h:
            (JSC::MacroAssemblerARMv7::jumpsToLink):
            (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
            * assembler/X86Assembler.h:
            (JSC::X86Assembler::fillNops):

2018-10-25  Kocsen Chung  <kocsen_chung@apple.com>

        Revert r237373. rdar://problem/45285669

2018-10-25  Kocsen Chung  <kocsen_chung@apple.com>

        Revert r236604. rdar://problem/45285669

2018-10-25  Kocsen Chung  <kocsen_chung@apple.com>

        Revert r236606. rdar://problem/45285669

2018-10-23  Kocsen Chung  <kocsen_chung@apple.com>

        Cherry-pick r236606. rdar://problem/45285669

    Gardening: speculative build fix.
    <rdar://problem/44869924>
    
    Not reviewed.
    
    * assembler/LinkBuffer.cpp:
    (JSC::LinkBuffer::copyCompactAndLinkCode):
    
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236606 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-09-28  Mark Lam  <mark.lam@apple.com>

            Gardening: speculative build fix.
            <rdar://problem/44869924>

            Not reviewed.

            * assembler/LinkBuffer.cpp:
            (JSC::LinkBuffer::copyCompactAndLinkCode):

2018-10-23  Kocsen Chung  <kocsen_chung@apple.com>

        Cherry-pick r236589. rdar://problem/45285669

    Verify the contents of AssemblerBuffer on arm64e
    https://bugs.webkit.org/show_bug.cgi?id=190057
    <rdar://problem/38916630>
    
    Reviewed by Mark Lam.
    
    JSTests:
    
    * stress/regress-189132.js:
    
    Source/JavaScriptCore:
    
    * assembler/ARM64Assembler.h:
    (JSC::ARM64Assembler::ARM64Assembler):
    (JSC::ARM64Assembler::fillNops):
    (JSC::ARM64Assembler::link):
    (JSC::ARM64Assembler::linkJumpOrCall):
    (JSC::ARM64Assembler::linkCompareAndBranch):
    (JSC::ARM64Assembler::linkConditionalBranch):
    (JSC::ARM64Assembler::linkTestAndBranch):
    (JSC::ARM64Assembler::unlinkedCode): Deleted.
    * assembler/ARMAssembler.h:
    (JSC::ARMAssembler::fillNops):
    * assembler/ARMv7Assembler.h:
    (JSC::ARMv7Assembler::unlinkedCode): Deleted.
    * assembler/AbstractMacroAssembler.h:
    (JSC::AbstractMacroAssembler::emitNops):
    (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
    * assembler/AssemblerBuffer.h:
    (JSC::ARM64EHash::ARM64EHash):
    (JSC::ARM64EHash::update):
    (JSC::ARM64EHash::hash const):
    (JSC::ARM64EHash::randomSeed const):
    (JSC::AssemblerBuffer::AssemblerBuffer):
    (JSC::AssemblerBuffer::putShort):
    (JSC::AssemblerBuffer::putIntUnchecked):
    (JSC::AssemblerBuffer::putInt):
    (JSC::AssemblerBuffer::hash const):
    (JSC::AssemblerBuffer::data const):
    (JSC::AssemblerBuffer::putIntegralUnchecked):
    (JSC::AssemblerBuffer::append): Deleted.
    * assembler/LinkBuffer.cpp:
    (JSC::LinkBuffer::copyCompactAndLinkCode):
    * assembler/MIPSAssembler.h:
    (JSC::MIPSAssembler::fillNops):
    * assembler/MacroAssemblerARM64.h:
    (JSC::MacroAssemblerARM64::jumpsToLink):
    (JSC::MacroAssemblerARM64::link):
    (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
    * assembler/MacroAssemblerARMv7.h:
    (JSC::MacroAssemblerARMv7::jumpsToLink):
    (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
    * assembler/X86Assembler.h:
    (JSC::X86Assembler::fillNops):
    
    Source/WTF:
    
    * wtf/PtrTag.h:
    (WTF::tagInt):
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236589 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-09-27  Saam barati  <sbarati@apple.com>

            Verify the contents of AssemblerBuffer on arm64e
            https://bugs.webkit.org/show_bug.cgi?id=190057
            <rdar://problem/38916630>

            Reviewed by Mark Lam.

            * assembler/ARM64Assembler.h:
            (JSC::ARM64Assembler::ARM64Assembler):
            (JSC::ARM64Assembler::fillNops):
            (JSC::ARM64Assembler::link):
            (JSC::ARM64Assembler::linkJumpOrCall):
            (JSC::ARM64Assembler::linkCompareAndBranch):
            (JSC::ARM64Assembler::linkConditionalBranch):
            (JSC::ARM64Assembler::linkTestAndBranch):
            (JSC::ARM64Assembler::unlinkedCode): Deleted.
            * assembler/ARMAssembler.h:
            (JSC::ARMAssembler::fillNops):
            * assembler/ARMv7Assembler.h:
            (JSC::ARMv7Assembler::unlinkedCode): Deleted.
            * assembler/AbstractMacroAssembler.h:
            (JSC::AbstractMacroAssembler::emitNops):
            (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
            * assembler/AssemblerBuffer.h:
            (JSC::ARM64EHash::ARM64EHash):
            (JSC::ARM64EHash::update):
            (JSC::ARM64EHash::hash const):
            (JSC::ARM64EHash::randomSeed const):
            (JSC::AssemblerBuffer::AssemblerBuffer):
            (JSC::AssemblerBuffer::putShort):
            (JSC::AssemblerBuffer::putIntUnchecked):
            (JSC::AssemblerBuffer::putInt):
            (JSC::AssemblerBuffer::hash const):
            (JSC::AssemblerBuffer::data const):
            (JSC::AssemblerBuffer::putIntegralUnchecked):
            (JSC::AssemblerBuffer::append): Deleted.
            * assembler/LinkBuffer.cpp:
            (JSC::LinkBuffer::copyCompactAndLinkCode):
            * assembler/MIPSAssembler.h:
            (JSC::MIPSAssembler::fillNops):
            * assembler/MacroAssemblerARM64.h:
            (JSC::MacroAssemblerARM64::jumpsToLink):
            (JSC::MacroAssemblerARM64::link):
            (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
            * assembler/MacroAssemblerARMv7.h:
            (JSC::MacroAssemblerARMv7::jumpsToLink):
            (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
            * assembler/X86Assembler.h:
            (JSC::X86Assembler::fillNops):

2018-10-23  Kocsen Chung  <kocsen_chung@apple.com>

        Cherry-pick r236604. rdar://problem/45285669

    [JSC] [Armv7] Add a copy function argument to MacroAssemblerARMv7::link() and pass it down to the assembler's linking functions.
    https://bugs.webkit.org/show_bug.cgi?id=190080
    
    Reviewed by Mark Lam.
    
    * assembler/ARMv7Assembler.h:
    (JSC::ARMv7Assembler::link):
    (JSC::ARMv7Assembler::linkJumpT1):
    (JSC::ARMv7Assembler::linkJumpT2):
    (JSC::ARMv7Assembler::linkJumpT3):
    (JSC::ARMv7Assembler::linkJumpT4):
    (JSC::ARMv7Assembler::linkConditionalJumpT4):
    (JSC::ARMv7Assembler::linkBX):
    (JSC::ARMv7Assembler::linkConditionalBX):
    * assembler/MacroAssemblerARMv7.h:
    (JSC::MacroAssemblerARMv7::link):
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236604 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-09-28  Guillaume Emont  <guijemont@igalia.com>

            [JSC] [Armv7] Add a copy function argument to MacroAssemblerARMv7::link() and pass it down to the assembler's linking functions.
            https://bugs.webkit.org/show_bug.cgi?id=190080

            Reviewed by Mark Lam.

            * assembler/ARMv7Assembler.h:
            (JSC::ARMv7Assembler::link):
            (JSC::ARMv7Assembler::linkJumpT1):
            (JSC::ARMv7Assembler::linkJumpT2):
            (JSC::ARMv7Assembler::linkJumpT3):
            (JSC::ARMv7Assembler::linkJumpT4):
            (JSC::ARMv7Assembler::linkConditionalJumpT4):
            (JSC::ARMv7Assembler::linkBX):
            (JSC::ARMv7Assembler::linkConditionalBX):
            * assembler/MacroAssemblerARMv7.h:
            (JSC::MacroAssemblerARMv7::link):

2018-10-21  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r237215. rdar://problem/45445113

    GetIndexedPropertyStorage can GC.
    https://bugs.webkit.org/show_bug.cgi?id=190625
    <rdar://problem/45309366>
    
    Reviewed by Saam Barati.
    
    This is because if the ArrayMode type is String, the DFG and FTL will be emitting
    a call to operationResolveRope, and operationResolveRope can GC.  This patch
    updates doesGC() to reflect this.
    
    * dfg/DFGDoesGC.cpp:
    (JSC::DFG::doesGC):
    
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@237215 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-10-16  Mark Lam  <mark.lam@apple.com>

            GetIndexedPropertyStorage can GC.
            https://bugs.webkit.org/show_bug.cgi?id=190625
            <rdar://problem/45309366>

            Reviewed by Saam Barati.

            This is because if the ArrayMode type is String, the DFG and FTL will be emitting
            a call to operationResolveRope, and operationResolveRope can GC.  This patch
            updates doesGC() to reflect this.

            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):

2018-10-21  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r236804. rdar://problem/45285687

    Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
    https://bugs.webkit.org/show_bug.cgi?id=190187
    <rdar://problem/42512909>
    
    Reviewed by Michael Saboff.
    
    JSTests:
    
    * stress/regress-190187.js: Added.
    
    Source/JavaScriptCore:
    
    Allowing different max string lengths at each level opens up opportunities for
    bugs to creep in.  With 2 different max length values, it is more difficult to
    keep the story straight on how we do overflow / bounds checks at each place in
    the code.  It's also difficult to tell if a seemingly valid check at the WTF level
    will have bad ramifications at the JSC level.  It's also not meaningful to
    support a max length > INT_MAX.  To eliminate this class of bugs, we'll
    standardize on a MaxLength of INT_MAX at all levels.
    
    We'll also standardize the way we do length overflow checks on using
    CheckedArithmetic, and add some asserts to document the assumptions of the code.
    
    * runtime/FunctionConstructor.cpp:
    (JSC::constructFunctionSkippingEvalEnabledCheck):
    - Fix OOM error handling which crashed a test after the new MaxLength was applied.
    * runtime/JSString.h:
    (JSC::JSString::finishCreation):
    (JSC::JSString::createHasOtherOwner):
    (JSC::JSString::setLength):
    * runtime/JSStringInlines.h:
    (JSC::jsMakeNontrivialString):
    * runtime/Operations.h:
    (JSC::jsString):
    
    Source/WTF:
    
    * wtf/text/StringConcatenate.h:
    (WTF::tryMakeStringFromAdapters):
    (WTF::sumWithOverflow): Deleted.
    * wtf/text/StringImpl.h:
    * wtf/text/WTFString.h:
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236804 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-10-03  Mark Lam  <mark.lam@apple.com>

            Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
            https://bugs.webkit.org/show_bug.cgi?id=190187
            <rdar://problem/42512909>

            Reviewed by Michael Saboff.

            Allowing different max string lengths at each level opens up opportunities for
            bugs to creep in.  With 2 different max length values, it is more difficult to
            keep the story straight on how we do overflow / bounds checks at each place in
            the code.  It's also difficult to tell if a seemingly valid check at the WTF level
            will have bad ramifications at the JSC level.  It's also not meaningful to
            support a max length > INT_MAX.  To eliminate this class of bugs, we'll
            standardize on a MaxLength of INT_MAX at all levels.

            We'll also standardize the way we do length overflow checks on using
            CheckedArithmetic, and add some asserts to document the assumptions of the code.

            * runtime/FunctionConstructor.cpp:
            (JSC::constructFunctionSkippingEvalEnabledCheck):
            - Fix OOM error handling which crashed a test after the new MaxLength was applied.
            * runtime/JSString.h:
            (JSC::JSString::finishCreation):
            (JSC::JSString::createHasOtherOwner):
            (JSC::JSString::setLength):
            * runtime/JSStringInlines.h:
            (JSC::jsMakeNontrivialString):
            * runtime/Operations.h:
            (JSC::jsString):

2018-10-21  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r234127. rdar://problem/45285391

    [INTL] Language tags are not canonicalized
    https://bugs.webkit.org/show_bug.cgi?id=185836
    
    Patch by Andy VanWagoner <andy@vanwagoner.family> on 2018-07-23
    Reviewed by Keith Miller.
    
    JSTests:
    
    Remove expected failures that have been fixed.
    
    * test262/expectations.yaml:
    
    Source/JavaScriptCore:
    
    Canonicalize language tags, replacing deprecated tag parts with the
    preferred values. Remove broken support for algorithmic numbering systems,
    that can cause an error in icu, and are not supported in other engines.
    
    Generate the lookup functions from the language-subtag-registry.
    
    Also initialize the UNumberFormat in initializeNumberFormat so any
    failures are thrown immediately instead of failing to format later.
    
    * CMakeLists.txt:
    * DerivedSources.make:
    * JavaScriptCore.xcodeproj/project.pbxproj:
    * Scripts/generateIntlCanonicalizeLanguage.py: Added.
    * runtime/IntlDateTimeFormat.cpp:
    (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
    * runtime/IntlNumberFormat.cpp:
    (JSC::IntlNumberFormat::initializeNumberFormat):
    (JSC::IntlNumberFormat::formatNumber):
    (JSC::IntlNumberFormat::formatToParts):
    (JSC::IntlNumberFormat::createNumberFormat): Deleted.
    * runtime/IntlNumberFormat.h:
    * runtime/IntlObject.cpp:
    (JSC::intlNumberOption):
    (JSC::intlDefaultNumberOption):
    (JSC::preferredLanguage):
    (JSC::preferredRegion):
    (JSC::canonicalLangTag):
    (JSC::canonicalizeLanguageTag):
    (JSC::defaultLocale):
    (JSC::removeUnicodeLocaleExtension):
    (JSC::numberingSystemsForLocale):
    (JSC::grandfatheredLangTag): Deleted.
    * runtime/IntlObject.h:
    * runtime/IntlPluralRules.cpp:
    (JSC::IntlPluralRules::initializePluralRules):
    * runtime/JSGlobalObject.cpp:
    (JSC::addMissingScriptLocales):
    (JSC::JSGlobalObject::intlCollatorAvailableLocales):
    (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
    (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
    (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
    * ucd/language-subtag-registry.txt: Added.
    
    LayoutTests:
    
    Use gregory instead of gregorian, matching test262/intl402 and other engines.
    Remove tests for algorithmic numbering systems. Add NumberFormat numbering system tests.
    
    * js/intl-datetimeformat-expected.txt:
    * js/intl-numberformat-expected.txt:
    * js/script-tests/intl-datetimeformat.js:
    * js/script-tests/intl-numberformat.js:
    (string_appeared_here):
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234127 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>

            [INTL] Language tags are not canonicalized
            https://bugs.webkit.org/show_bug.cgi?id=185836

            Reviewed by Keith Miller.

            Canonicalize language tags, replacing deprecated tag parts with the
            preferred values. Remove broken support for algorithmic numbering systems,
            that can cause an error in icu, and are not supported in other engines.

            Generate the lookup functions from the language-subtag-registry.

            Also initialize the UNumberFormat in initializeNumberFormat so any
            failures are thrown immediately instead of failing to format later.

            * CMakeLists.txt:
            * DerivedSources.make:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * Scripts/generateIntlCanonicalizeLanguage.py: Added.
            * runtime/IntlDateTimeFormat.cpp:
            (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
            * runtime/IntlNumberFormat.cpp:
            (JSC::IntlNumberFormat::initializeNumberFormat):
            (JSC::IntlNumberFormat::formatNumber):
            (JSC::IntlNumberFormat::formatToParts):
            (JSC::IntlNumberFormat::createNumberFormat): Deleted.
            * runtime/IntlNumberFormat.h:
            * runtime/IntlObject.cpp:
            (JSC::intlNumberOption):
            (JSC::intlDefaultNumberOption):
            (JSC::preferredLanguage):
            (JSC::preferredRegion):
            (JSC::canonicalLangTag):
            (JSC::canonicalizeLanguageTag):
            (JSC::defaultLocale):
            (JSC::removeUnicodeLocaleExtension):
            (JSC::numberingSystemsForLocale):
            (JSC::grandfatheredLangTag): Deleted.
            * runtime/IntlObject.h:
            * runtime/IntlPluralRules.cpp:
            (JSC::IntlPluralRules::initializePluralRules):
            * runtime/JSGlobalObject.cpp:
            (JSC::addMissingScriptLocales):
            (JSC::JSGlobalObject::intlCollatorAvailableLocales):
            (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
            (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
            (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
            * ucd/language-subtag-registry.txt: Added.
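
    The canonicalization described above, as an added example rather than code from
    the WebKit patch: a small BCP 47 canonicalizer that replaces deprecated language,
    script and region subtags with their registry-preferred values, maps grandfathered
    tags whole, and normalizes subtag casing. The alias tables are a hand-picked subset
    of the IANA language-subtag-registry, constructed for this example; the real patch
    generates its lookup functions from the registry file, and this code does not
    validate variant subtags.

```javascript
// Added example, not part of the WebKit patch. Alias tables below are a
// constructed subset of the IANA language-subtag-registry preferred values.
const GRANDFATHERED = { 'i-klingon': 'tlh', 'art-lojban': 'jbo', 'zh-hakka': 'hak' };
const LANGUAGE_ALIASES = { iw: 'he', in: 'id', ji: 'yi' };
const SCRIPT_ALIASES = { qaai: 'zinh' };
const REGION_ALIASES = { bu: 'mm', dd: 'de' };

// Own-property lookup so keys like "constructor" never hit Object.prototype.
function lookup(table, key) {
  return Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined;
}

function titleCase(s) {
  return s[0].toUpperCase() + s.slice(1);
}

// Returns the canonical form of `tag`, or null when it is not well formed.
function canonicalizeLanguageTag(tag) {
  if (typeof tag !== 'string' || tag.length === 0) return null;
  const lower = tag.toLowerCase();

  // Grandfathered tags are matched as a whole, before any subtag processing.
  const grandfathered = lookup(GRANDFATHERED, lower);
  if (grandfathered !== undefined) return grandfathered;

  const subtags = lower.split('-');
  if (!/^[a-z]{2,8}$/.test(subtags[0])) return null;      // language subtag is mandatory

  const out = [lookup(LANGUAGE_ALIASES, subtags[0]) || subtags[0]];
  let sawScript = false;
  let sawRegion = false;
  let inExtension = false;

  for (const s of subtags.slice(1)) {
    if (!/^[a-z0-9]{1,8}$/.test(s)) return null;          // empty or over-long subtag

    if (inExtension) {
      out.push(s);                                         // extension / private-use payload stays lowercase
    } else if (s.length === 1) {
      inExtension = true;                                  // singleton ("u", "x", ...) starts an extension
      out.push(s);
    } else if (!sawScript && !sawRegion && /^[a-z]{4}$/.test(s)) {
      sawScript = true;                                    // script: alias, then Title case
      out.push(titleCase(lookup(SCRIPT_ALIASES, s) || s));
    } else if (!sawRegion && /^(?:[a-z]{2}|[0-9]{3})$/.test(s)) {
      sawRegion = true;                                    // region: alias, then UPPER case
      out.push((lookup(REGION_ALIASES, s) || s).toUpperCase());
    } else {
      out.push(s);                                         // variant such as "valencia" or "1996"
    }
  }
  return out.join('-');
}
```

    canonicalizeLanguageTag('iw-latn-il') yields 'he-Latn-IL' and 'I-KLINGON' yields
    'tlh'; a tag with an over-long subtag yields null so the caller can raise a
    RangeError instead of passing garbage on to ICU.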

2018-10-18  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r237129. rdar://problem/45285646

    JSArray::shiftCountWithArrayStorage is wrong when an array has holes
    https://bugs.webkit.org/show_bug.cgi?id=190262
    <rdar://problem/44986241>
    
    Reviewed by Mark Lam.
    
    JSTests:
    
    * stress/array-prototype-concat-of-long-spliced-arrays.js:
    (test):
    * stress/slice-array-storage-with-holes.js: Added.
    (main):
    
    Source/JavaScriptCore:
    
    We would take the fast path for shiftCountWithArrayStorage when the array
    hasHoles(). However, the code for this was wrong. It'd incorrectly update
    ArrayStorage::m_numValuesInVector. Since the hasHoles() for ArrayStorage
    path is never taken in JetStream 2, this patch just removes that from
    the fast path. Instead, we just fall back to the slow path when hasHoles().
    If we find evidence that this matters for real use cases, we can
    figure out a way to make the fast path work.
    
    * runtime/JSArray.cpp:
    (JSC::JSArray::shiftCountWithArrayStorage):
    
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@237129 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-10-15  Saam Barati  <sbarati@apple.com>

            JSArray::shiftCountWithArrayStorage is wrong when an array has holes
            https://bugs.webkit.org/show_bug.cgi?id=190262
            <rdar://problem/44986241>

            Reviewed by Mark Lam.

            We would take the fast path for shiftCountWithArrayStorage when the array
            hasHoles(). However, the code for this was wrong. It'd incorrectly update
            ArrayStorage::m_numValuesInVector. Since the hasHoles() for ArrayStorage
            path is never taken in JetStream 2, this patch just removes that from
            the fast path. Instead, we just fall back to the slow path when hasHoles().
            If we find evidence that this matters for real use cases, we can
            figure out a way to make the fast path work.

            * runtime/JSArray.cpp:
            (JSC::JSArray::shiftCountWithArrayStorage):
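
    The hasHoles() case above, as an added regression-style example that is not part
    of the WebKit patch or its stress tests: an array with holes is shifted, spliced and
    sliced, and the results are compared against a reference model built from plain
    `in` checks. The sparse store in makeHoleyArray() is an assumption about JSC
    internals (a write far past the vector moves the array to ArrayStorage); the checks
    themselves are engine-independent ECMAScript semantics.

```javascript
// Added example, not part of the WebKit patch.
function makeHoleyArray() {
  const a = [0, 1, 2, 3, 4, 5, 6, 7];
  a[1 << 20] = 'sparse';   // assumption: flips JSC's butterfly into ArrayStorage
  a.length = 8;            // drop the sparse element again; storage shape is kept
  delete a[2];             // punch holes: indices 2 and 5 no longer exist
  delete a[5];
  return a;
}

// Indices i < length for which `i in a` is false.
function holeIndices(a) {
  const holes = [];
  for (let i = 0; i < a.length; i++) if (!(i in a)) holes.push(i);
  return holes;
}

// Reference model of shift(): slot i receives slot i+1, holes included.
function modelShift(a) {
  const out = new Array(Math.max(0, a.length - 1));
  for (let i = 1; i < a.length; i++) if (i in a) out[i - 1] = a[i];
  return out;
}

// Same length, same holes, same values wherever both have a value.
function sameShape(x, y) {
  if (x.length !== y.length) return false;
  for (let i = 0; i < x.length; i++) {
    if ((i in x) !== (i in y)) return false;
    if (i in x && x[i] !== y[i]) return false;
  }
  return true;
}

function checkShift() {
  const a = makeHoleyArray();
  const expected = modelShift(a);
  const first = a.shift();
  return first === 0 && sameShape(a, expected);
}

// splice(1, 2) removes a value and a hole; the hole must survive in both arrays.
function checkSplice() {
  const a = makeHoleyArray();
  const removed = a.splice(1, 2);
  return {
    length: a.length,                 // [0, 3, 4, <hole>, 6, 7]
    holes: holeIndices(a),
    removedLength: removed.length,    // [1, <hole>]
    removedHoles: holeIndices(removed),
  };
}

// slice(1, 6) copies a window that contains two holes.
function checkSlice() {
  const s = makeHoleyArray().slice(1, 6);
  return { length: s.length, holes: holeIndices(s) };   // [1, <hole>, 3, 4, <hole>]
}
```

    A hole that turns into `undefined`, or a value that lands one index off, shows up
    as a sameShape() or holeIndices() mismatch rather than as a silent difference in
    m_numValuesInVector.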

2018-09-27  Mark Lam  <mark.lam@apple.com>

        Cherry-pick r236554. rdar://problem/44855120

    2018-09-27  Mark Lam  <mark.lam@apple.com>

            JITMathIC should not use integer offsets into machine code.
            https://bugs.webkit.org/show_bug.cgi?id=190030
            <rdar://problem/44803307>

            Reviewed by Saam Barati.

            We'll replace them with CodeLocation smart pointers instead.

            * jit/JITMathIC.h:
            (JSC::isProfileEmpty):

2018-09-27  Mark Lam  <mark.lam@apple.com>

        Cherry-pick r236587. rdar://problem/44855118

    2018-09-27  Mark Lam  <mark.lam@apple.com>

            ByValInfo should not use integer offsets.
            https://bugs.webkit.org/show_bug.cgi?id=190070
            <rdar://problem/44803430>

            Reviewed by Saam Barati.

            Also moved some fields around to allow the ByValInfo struct to be more densely packed.

            * bytecode/ByValInfo.h:
            (JSC::ByValInfo::ByValInfo):
            * jit/JIT.cpp:
            (JSC::JIT::link):
            * jit/JITOpcodes.cpp:
            (JSC::JIT::privateCompileHasIndexedProperty):
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::privateCompileHasIndexedProperty):
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::privateCompileGetByVal):
            (JSC::JIT::privateCompileGetByValWithCachedId):
            (JSC::JIT::privateCompilePutByVal):
            (JSC::JIT::privateCompilePutByValWithCachedId):

2018-09-27  Mark Lam  <mark.lam@apple.com>

        Cherry-pick r236576. rdar://problem/44855116

    2018-09-27  Mark Lam  <mark.lam@apple.com>

            DFG::OSREntry::m_machineCodeOffset should be a CodeLocation.
            https://bugs.webkit.org/show_bug.cgi?id=190054
            <rdar://problem/44803543>

            Reviewed by Saam Barati.

            * dfg/DFGJITCode.h:
            (JSC::DFG::JITCode::appendOSREntryData):
            * dfg/DFGJITCompiler.cpp:
            (JSC::DFG::JITCompiler::noticeOSREntry):
            * dfg/DFGOSREntry.cpp:
            (JSC::DFG::OSREntryData::dumpInContext const):
            (JSC::DFG::prepareOSREntry):
            * dfg/DFGOSREntry.h:
            * runtime/JSCPtrTag.h:

2018-09-27  Saam barati  <sbarati@apple.com>

        Cherry-pick r236585. rdar://problem/44848947

    DFG::OSRExit::m_patchableCodeOffset should not be an int
    https://bugs.webkit.org/show_bug.cgi?id=190066
    <rdar://problem/39498244>
    
    Reviewed by Mark Lam.
    
    * dfg/DFGJITCompiler.cpp:
    (JSC::DFG::JITCompiler::linkOSRExits):
    (JSC::DFG::JITCompiler::link):
    * dfg/DFGOSRExit.cpp:
    (JSC::DFG::OSRExit::codeLocationForRepatch const):
    (JSC::DFG::OSRExit::compileOSRExit):
    (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
    (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
    (JSC::DFG::OSRExit::correctJump): Deleted.
    * dfg/DFGOSRExit.h:
    * dfg/DFGOSRExitCompilationInfo.h:

2018-09-27  Saam barati  <sbarati@apple.com>

        Cherry-pick r236584. rdar://problem/44848936

    Don't use int offsets in StructureStubInfo
    https://bugs.webkit.org/show_bug.cgi?id=190064
    <rdar://problem/44784719>
    
    Reviewed by Mark Lam.
    
    * bytecode/InlineAccess.cpp:
    (JSC::linkCodeInline):
    * bytecode/StructureStubInfo.h:
    (JSC::StructureStubInfo::slowPathCallLocation):
    (JSC::StructureStubInfo::doneLocation):
    (JSC::StructureStubInfo::slowPathStartLocation):
    * jit/JITInlineCacheGenerator.cpp:
    (JSC::JITInlineCacheGenerator::finalize):

2018-09-21  Kocsen Chung  <kocsen_chung@apple.com>

        Cherry-pick r236223. rdar://problem/44682814

    AI rule for MultiPutByOffset executes its effects in the wrong order
    https://bugs.webkit.org/show_bug.cgi?id=189757
    <rdar://problem/43535257>
    
    Reviewed by Michael Saboff.
    
    JSTests:
    
    * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
    (foo):
    (Foo):
    (g):
    
    Source/JavaScriptCore:
    
    The AI rule for MultiPutByOffset was executing effects in the wrong order.
    It first executed the transition effects and the effects on the base, and
    then executed the filtering effects on the value being stored. However, you
    can end up with the wrong type when the base and the value being stored
    are the same. E.g, in a program like `o.f = o`. These effects need to happen
    in the opposite order, modeling what happens in the runtime executing of
    MultiPutByOffset.
    
    * dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236223 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-09-19  Saam barati  <sbarati@apple.com>

            AI rule for MultiPutByOffset executes its effects in the wrong order
            https://bugs.webkit.org/show_bug.cgi?id=189757
            <rdar://problem/43535257>

            Reviewed by Michael Saboff.

            The AI rule for MultiPutByOffset was executing effects in the wrong order.
            It first executed the transition effects and the effects on the base, and
            then executed the filtering effects on the value being stored. However, you
            can end up with the wrong type when the base and the value being stored
            are the same. E.g, in a program like `o.f = o`. These effects need to happen
            in the opposite order, modeling what happens in the runtime executing of
            MultiPutByOffset.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
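
    The `o.f = o` pattern above, as an added regression-style example that is not part
    of the WebKit patch or its stress test: the self-store is run over objects of several
    structures (so a speculative compiler would see a polymorphic put, some transitions
    and one in-place replace) and the stored value is read back through the new
    self-reference. The constructors and iteration count are constructed for this example.

```javascript
// Added example, not part of the WebKit patch.
function Foo(x) { this.x = x; }
function Bar(x) { this.y = -1; this.x = x; }
function Baz(x) { this.z = 'z'; this.y = -1; this.x = x; }
function Qux(x) { this.f = null; this.x = x; }   // `f` already exists: replace, not transition

// Base and stored value are the same object. After the store, the value's
// type must still be whatever `o` was before, not a guess narrowed by the
// transition that the store itself performed.
function storeSelf(o) {
  o.f = o;
  return o.f.f.x;        // reads through the freshly stored self-reference twice
}

// Returns true when every object round-trips through the self-store intact.
function runSelfStores(n) {
  const ctors = [Foo, Bar, Baz, Qux];
  for (let i = 0; i < n; i++) {
    const ctor = ctors[i % ctors.length];
    const o = new ctor(i);
    if (storeSelf(o) !== i) return false;
    if (o.f !== o) return false;
    if (Object.getPrototypeOf(o.f) !== ctor.prototype) return false;
  }
  return true;
}
```

    The loop is long enough that an engine with tiered compilation reaches its
    optimizing tier while the store site is already polymorphic; a wrong abstract
    type for the stored value would surface as a wrong `x` or a wrong prototype.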

2018-09-19  Kocsen Chung  <kocsen_chung@apple.com>

        Cherry-pick r236161. rdar://problem/44613375

    Ensure that ForInContexts are invalidated if their loop local is over-written.
    https://bugs.webkit.org/show_bug.cgi?id=189571
    <rdar://problem/44402277>
    
    Reviewed by Saam Barati.
    
    JSTests:
    
    * stress/regress-189571.js: Added.
    
    Source/JavaScriptCore:
    
    Instead of hunting down every place in the BytecodeGenerator that potentially
    needs to invalidate an enclosing ForInContext (if one exists), we simply iterate
    the bytecode range of the loop body when the ForInContext is popped, and
    invalidate the context if we ever find the loop temp variable over-written.
    
    This has 2 benefits:
    1. It ensures that every type of opcode that can write to the loop temp will be
       handled appropriately, not just the op_mov that we've hunted down.
    2. It avoids us having to check the BytecodeGenerator's m_forInContextStack
       every time we emit an op_mov (or other opcodes that can write to a local)
       even when we're not inside a for-in loop.
    
    JSC benchmarks show that this change is performance neutral.
    
    * bytecompiler/BytecodeGenerator.cpp:
    (JSC::BytecodeGenerator::pushIndexedForInScope):
    (JSC::BytecodeGenerator::popIndexedForInScope):
    (JSC::BytecodeGenerator::pushStructureForInScope):
    (JSC::BytecodeGenerator::popStructureForInScope):
    (JSC::ForInContext::finalize):
    (JSC::StructureForInContext::finalize):
    (JSC::IndexedForInContext::finalize):
    (JSC::BytecodeGenerator::invalidateForInContextForLocal): Deleted.
    * bytecompiler/BytecodeGenerator.h:
    (JSC::ForInContext::ForInContext):
    (JSC::ForInContext::bodyBytecodeStartOffset const):
    (JSC::StructureForInContext::StructureForInContext):
    (JSC::IndexedForInContext::IndexedForInContext):
    * bytecompiler/NodesCodegen.cpp:
    (JSC::PostfixNode::emitResolve):
    (JSC::PrefixNode::emitResolve):
    (JSC::ReadModifyResolveNode::emitBytecode):
    (JSC::AssignResolveNode::emitBytecode):
    (JSC::EmptyLetExpression::emitBytecode):
    (JSC::ForInNode::emitLoopHeader):
    (JSC::ForOfNode::emitBytecode):
    (JSC::BindingNode::bindValue const):
    (JSC::AssignmentElementNode::bindValue const):
    * runtime/CommonSlowPaths.cpp:
    (JSC::SLOW_PATH_DECL):
    
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236161 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-09-18  Mark Lam  <mark.lam@apple.com>

            Ensure that ForInContexts are invalidated if their loop local is over-written.
            https://bugs.webkit.org/show_bug.cgi?id=189571
            <rdar://problem/44402277>

            Reviewed by Saam Barati.

            Instead of hunting down every place in the BytecodeGenerator that potentially
            needs to invalidate an enclosing ForInContext (if one exists), we simply iterate
            the bytecode range of the loop body when the ForInContext is popped, and
            invalidate the context if we ever find the loop temp variable over-written.

            This has 2 benefits:
            1. It ensures that every type of opcode that can write to the loop temp will be
               handled appropriately, not just the op_mov that we've hunted down.
            2. It avoids us having to check the BytecodeGenerator's m_forInContextStack
               every time we emit an op_mov (or other opcodes that can write to a local)
               even when we're not inside a for-in loop.

            JSC benchmarks show that this change is performance neutral.

            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::pushIndexedForInScope):
            (JSC::BytecodeGenerator::popIndexedForInScope):
            (JSC::BytecodeGenerator::pushStructureForInScope):
            (JSC::BytecodeGenerator::popStructureForInScope):
            (JSC::ForInContext::finalize):
            (JSC::StructureForInContext::finalize):
            (JSC::IndexedForInContext::finalize):
            (JSC::BytecodeGenerator::invalidateForInContextForLocal): Deleted.
            * bytecompiler/BytecodeGenerator.h:
            (JSC::ForInContext::ForInContext):
            (JSC::ForInContext::bodyBytecodeStartOffset const):
            (JSC::StructureForInContext::StructureForInContext):
            (JSC::IndexedForInContext::IndexedForInContext):
            * bytecompiler/NodesCodegen.cpp:
            (JSC::PostfixNode::emitResolve):
            (JSC::PrefixNode::emitResolve):
            (JSC::ReadModifyResolveNode::emitBytecode):
            (JSC::AssignResolveNode::emitBytecode):
            (JSC::EmptyLetExpression::emitBytecode):
            (JSC::ForInNode::emitLoopHeader):
            (JSC::ForOfNode::emitBytecode):
            (JSC::BindingNode::bindValue const):
            (JSC::AssignmentElementNode::bindValue const):
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):
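
    The loop-local over-write above, as an added example that is not part of the WebKit
    patch or its stress test: each function over-writes the for-in variable in a
    different syntactic form (plain assignment, compound assignment, destructuring
    assignment) and then indexes the object with it, so the enumerator-backed fast path
    for `o[k]` must not be used after the write. reference() computes the same answer
    with ordinary property lookups. The sample object is constructed for this example.

```javascript
// Added example, not part of the WebKit patch.
function plainAssign(o, replacement) {
  const out = [];
  for (let k in o) {
    out.push(o[k]);        // k still comes straight from the enumerator
    k = replacement;       // loop local over-written (plain op_mov)
    out.push(o[k]);        // must be an ordinary lookup of `replacement`
  }
  return out;
}

function compoundAssign(o, suffix) {
  const out = [];
  for (let k in o) {
    out.push(o[k]);
    k += suffix;           // read-modify-write on the loop local
    out.push(o[k]);
  }
  return out;
}

function destructuringAssign(o, replacement) {
  const out = [];
  for (let k in o) {
    out.push(o[k]);
    [k] = [replacement];   // assignment through a destructuring pattern
    out.push(o[k]);
  }
  return out;
}

// Same sequence computed with nothing but ordinary lookups.
function reference(o, mapKey) {
  const out = [];
  for (const key of Object.keys(o)) {
    out.push(o[key]);
    out.push(o[mapKey(key)]);
  }
  return out;
}

function same(a, b) {
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

// Returns true when all three forms agree with the reference on every iteration.
function checkAll(iterations) {
  const o = { a: 1, b: 2, ab: 3 };   // constructed sample object
  for (let i = 0; i < iterations; i++) {
    if (!same(plainAssign(o, 'b'), reference(o, () => 'b'))) return false;
    if (!same(compoundAssign(o, 'b'), reference(o, (k) => k + 'b'))) return false;
    if (!same(destructuringAssign(o, 'ab'), reference(o, () => 'ab'))) return false;
  }
  return true;
}
```

    A generator that kept using the enumerator's cached slot after the write would
    return the original key's value on the second push of each iteration, which the
    comparison against reference() catches.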

2018-09-19  Kocsen Chung  <kocsen_chung@apple.com>

        Cherry-pick r236018. rdar://problem/44613375

    Refactor some ForInContext code for better encapsulation.
    https://bugs.webkit.org/show_bug.cgi?id=189626
    <rdar://problem/44466415>
    
    Reviewed by Keith Miller.
    
    1. Add a ForInContext::m_type field to store the context type.  This does not
       increase the class size, but eliminates the need for a virtual call to get the
       type.
    
       Note: we still need a virtual destructor because we'll be mingling
       IndexedForInContexts and StructureForInContexts in the BytecodeGenerator::m_forInContextStack.
    
    2. Add ForInContext::isIndexedForInContext() and ForInContext::isStructureForInContext()
       convenience methods.
    
    3. Add ForInContext::asIndexedForInContext() and ForInContext::asStructureForInContext()
       to do the casting to the subclass types.  This ensures that we'll properly
       assert that the casting is legal.
    
    * bytecompiler/BytecodeGenerator.cpp:
    (JSC::BytecodeGenerator::emitGetByVal):
    (JSC::BytecodeGenerator::popIndexedForInScope):
    (JSC::BytecodeGenerator::popStructureForInScope):
    * bytecompiler/BytecodeGenerator.h:
    (JSC::ForInContext::type const):
    (JSC::ForInContext::isIndexedForInContext const):
    (JSC::ForInContext::isStructureForInContext const):
    (JSC::ForInContext::asIndexedForInContext):
    (JSC::ForInContext::asStructureForInContext):
    (JSC::ForInContext::ForInContext):
    (JSC::StructureForInContext::StructureForInContext):
    (JSC::IndexedForInContext::IndexedForInContext):
    (JSC::ForInContext::~ForInContext): Deleted.
    
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236018 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-09-14  Mark Lam  <mark.lam@apple.com>

            Refactor some ForInContext code for better encapsulation.
            https://bugs.webkit.org/show_bug.cgi?id=189626
            <rdar://problem/44466415>

            Reviewed by Keith Miller.

            1. Add a ForInContext::m_type field to store the context type.  This does not
               increase the class size, but eliminates the need for a virtual call to get the
               type.

               Note: we still need a virtual destructor because we'll be mingling
               IndexedForInContexts and StructureForInContexts in the BytecodeGenerator::m_forInContextStack.

            2. Add ForInContext::isIndexedForInContext() and ForInContext::isStructureForInContext()
               convenience methods.

            3. Add ForInContext::asIndexedForInContext() and ForInContext::asStructureForInContext()
               to do the casting to the subclass types.  This ensures that we'll properly
               assert that the casting is legal.

            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitGetByVal):
            (JSC::BytecodeGenerator::popIndexedForInScope):
            (JSC::BytecodeGenerator::popStructureForInScope):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::ForInContext::type const):
            (JSC::ForInContext::isIndexedForInContext const):
            (JSC::ForInContext::isStructureForInContext const):
            (JSC::ForInContext::asIndexedForInContext):
            (JSC::ForInContext::asStructureForInContext):
            (JSC::ForInContext::ForInContext):
            (JSC::StructureForInContext::StructureForInContext):
            (JSC::IndexedForInContext::IndexedForInContext):
            (JSC::ForInContext::~ForInContext): Deleted.

2018-09-19  Kocsen Chung  <kocsen_chung@apple.com>

        Cherry-pick r235827. rdar://problem/44613379

    Ensure that handleIntrinsicCall() is only applied on op_call shaped instructions.
    https://bugs.webkit.org/show_bug.cgi?id=189317
    <rdar://problem/44152198>
    
    Reviewed by Filip Pizlo.
    
    JSTests:
    
    * stress/regress-189317.js: Added.
    (testGetter):
    (testSetter):
    
    Source/JavaScriptCore:
    
    handleIntrinsicCall() is normally used for checking if an op_call is a call to
    an intrinsic function, and inlining it if it's a match.
    
    However, getter and setter functions also do calls, and use handleCall()
    to implement the call.  handleCall() eventually calls handleIntrinsicCall() to
    check for intrinsics.  This results in a bug because handleIntrinsicCall()
    sometimes relies on the ArrayProfile* of the instruction, and is always assuming
    that the instruction is op_call shaped.  This turns out to be not true: getters
    and setters can get there with op_get_by_val and op_put_by_val instead.
    
    Since the intrinsic functions handled by handleIntrinsicCall() are never
    intended to be used as getter / setter functions anyway, we can prevent this
    whole class of bugs by having handleIntrinsicCall() fail early if the
    instruction is not op_call shaped.
    
    To implement this fix, we did the following:
    
    1. Introduced the OpcodeShape enum.
    2. Introduced isOpcodeShape<OpcodeShape>() for testing if an instruction is of the
       shape of the specified OpcodeShape.
    3. Introduced arrayProfileFor<OpcodeShape>() for fetching the ArrayProfile* from
       the instruction given the OpcodeShape.
    
       Using this arrayProfileFor template has the following benefits:
       1. Centralizes the definition of which instructions have an ArrayProfile* operand.
       2. Centralizes the definition of which operand is the ArrayProfile*.
       3. Asserts that the instruction is of the expected shape when retrieving the
          ArrayProfile*.
    
    4. Added ArrayProfile::m_typeName and ArrayProfile::s_typeName which are used
       in ArrayProfile::isValid() as a sanity check that a retrieved ArrayProfile*
       indeed does point to an ArrayProfile.
    
    * JavaScriptCore.xcodeproj/project.pbxproj:
    * bytecode/ArrayProfile.cpp:
    * bytecode/ArrayProfile.h:
    (JSC::ArrayProfile::isValid const):
    * bytecode/OpcodeInlines.h: Added.
    (JSC::isOpcodeShape):
    (JSC::arrayProfileFor):
    * dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
    (JSC::DFG::ByteCodeParser::parseBlock):
    * jit/JITCall.cpp:
    (JSC::JIT::compileOpCall):
    * jit/JITCall32_64.cpp:
    (JSC::JIT::compileOpCall):
    * jit/JITOpcodes.cpp:
    (JSC::JIT::emit_op_has_indexed_property):
    * jit/JITOpcodes32_64.cpp:
    (JSC::JIT::emit_op_has_indexed_property):
    * jit/JITPropertyAccess.cpp:
    (JSC::JIT::emit_op_get_by_val):
    (JSC::JIT::emit_op_put_by_val):
    (JSC::JIT::emitGenericContiguousPutByVal):
    (JSC::JIT::emitArrayStoragePutByVal):
    (JSC::JIT::emitIntTypedArrayPutByVal):
    (JSC::JIT::emitFloatTypedArrayPutByVal):
    * jit/JITPropertyAccess32_64.cpp:
    (JSC::JIT::emit_op_get_by_val):
    (JSC::JIT::emit_op_put_by_val):
    (JSC::JIT::emitGenericContiguousPutByVal):
    (JSC::JIT::emitArrayStoragePutByVal):
    * llint/LLIntSlowPaths.cpp:
    (JSC::LLInt::LLINT_SLOW_PATH_DECL):
    (JSC::LLInt::getByVal):
    * runtime/CommonSlowPaths.cpp:
    (JSC::SLOW_PATH_DECL):
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235827 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-09-07  Mark Lam  <mark.lam@apple.com>

            Ensure that handleIntrinsicCall() is only applied on op_call shaped instructions.
            https://bugs.webkit.org/show_bug.cgi?id=189317
            <rdar://problem/44152198>

            Reviewed by Filip Pizlo.

            handleIntrinsicCall() is normally used for checking if an op_call is a call to
            an intrinsic function, and inlining it if it's a match.

            However, getter and setter functions also do calls, and use handleCall()
            to implement the call.  handleCall() eventually calls handleIntrinsicCall() to
            check for intrinsics.  This results in a bug because handleIntrinsicCall()
            sometimes relies on the ArrayProfile* of the instruction, and is always assuming
            that the instruction is op_call shaped.  This turns out to be not true: getters
            and setters can get there with op_get_by_val and op_put_by_val instead.

            Since the intrinsic functions handled by handleIntrinsicCall() are never
            intended to be used as getter / setter functions anyway, we can prevent this
            whole class of bugs by having handleIntrinsicCall() fail early if the
            instruction is not op_call shaped.

            To implement this fix, we did the following:

            1. Introduced the OpcodeShape enum.
            2. Introduced isOpcodeShape<OpcodeShape>() for testing if an instruction is of the
               shape of the specified OpcodeShape.
            3. Introduced arrayProfileFor<OpcodeShape>() for fetching the ArrayProfile* from
               the instruction given the OpcodeShape.

               Using this arrayProfileFor template has the following benefits:
               1. Centralizes the definition of which instructions have an ArrayProfile* operand.
               2. Centralizes the definition of which operand is the ArrayProfile*.
               3. Asserts that the instruction is of the expected shape when retrieving the
                  ArrayProfile*.

            4. Added ArrayProfile::m_typeName and ArrayProfile::s_typeName which are used
               in ArrayProfile::isValid() as a sanity check that a retrieved ArrayProfile*
               indeed does point to an ArrayProfile.

            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/ArrayProfile.cpp:
            * bytecode/ArrayProfile.h:
            (JSC::ArrayProfile::isValid const):
            * bytecode/OpcodeInlines.h: Added.
            (JSC::isOpcodeShape):
            (JSC::arrayProfileFor):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * jit/JITCall.cpp:
            (JSC::JIT::compileOpCall):
            * jit/JITCall32_64.cpp:
            (JSC::JIT::compileOpCall):
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_has_indexed_property):
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::emit_op_has_indexed_property):
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emit_op_get_by_val):
            (JSC::JIT::emit_op_put_by_val):
            (JSC::JIT::emitGenericContiguousPutByVal):
            (JSC::JIT::emitArrayStoragePutByVal):
            (JSC::JIT::emitIntTypedArrayPutByVal):
            (JSC::JIT::emitFloatTypedArrayPutByVal):
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::emit_op_get_by_val):
            (JSC::JIT::emit_op_put_by_val):
            (JSC::JIT::emitGenericContiguousPutByVal):
            (JSC::JIT::emitArrayStoragePutByVal):
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            (JSC::LLInt::getByVal):
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):
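
    The getter / setter case above, as an added example that is not part of the WebKit
    patch or its stress test: built-in functions that an optimizing compiler may treat
    as intrinsics (Math.abs, Array.prototype.push) are installed as a getter and a
    setter and then exercised through op_get_by_val / op_put_by_val shaped accesses.
    The observable results follow from plain ECMAScript semantics, so they hold in any
    engine; the iteration counts are constructed for this example.

```javascript
// Added example, not part of the WebKit patch.
function buildAccessorTarget() {
  const o = {};
  // Getter: Math.abs is invoked with `this` = o and no arguments,
  // so every read yields abs(undefined) === NaN.
  Object.defineProperty(o, 'abs', { get: Math.abs, configurable: true });
  // Setter: Array.prototype.push is invoked with `this` = o and the assigned
  // value, so each assignment appends to `o` as an array-like and bumps o.length.
  Object.defineProperty(o, 'items', { set: Array.prototype.push, configurable: true });
  return o;
}

// Returns true when every read through the intrinsic getter is NaN.
function exerciseGetter(n) {
  const o = buildAccessorTarget();
  let allNaN = true;
  for (let i = 0; i < n; i++) if (!Number.isNaN(o['abs'])) allNaN = false;
  return allNaN;
}

// Returns the array-like state that the intrinsic setter built up.
function exerciseSetter(n) {
  const o = buildAccessorTarget();
  for (let i = 0; i < n; i++) o['items'] = i * 2;
  return { length: o.length, first: o[0], last: o[n - 1] };
}
```

    Neither access site carries a call-shaped ArrayProfile, so the intrinsic must be
    run as an ordinary call; an inlined fast path reading a profile that is not there
    would have nothing sound to speculate on.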

2018-09-19  Kocsen Chung  <kocsen_chung@apple.com>

        Cherry-pick r235356. rdar://problem/44613253

    [JSC] Array.prototype.reverse modifies JSImmutableButterfly
    https://bugs.webkit.org/show_bug.cgi?id=188794
    
    Reviewed by Saam Barati.
    
    JSTests:
    
    * stress/reverse-with-immutable-butterfly.js: Added.
    (shouldBe):
    (reverseInt):
    (reverseDouble):
    (reverseContiguous):
    
    Source/JavaScriptCore:
    
    While Array.prototype.reverse modifies the butterfly of the given Array,
    it does not account for the JSImmutableButterfly case. So it accidentally modifies
    the content of JSImmutableButterfly.
    This patch converts CoW arrays to writable arrays before reversing.
    
    * runtime/ArrayPrototype.cpp:
    (JSC::arrayProtoFuncReverse):
    * runtime/JSObject.h:
    (JSC::JSObject::ensureWritable):
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235356 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

            [JSC] Array.prototype.reverse modifies JSImmutableButterfly
            https://bugs.webkit.org/show_bug.cgi?id=188794

            Reviewed by Saam Barati.

            While Array.prototype.reverse modifies the butterfly of the given Array,
            it does not account for the JSImmutableButterfly case. So it accidentally modifies
            the content of JSImmutableButterfly.
            This patch converts CoW arrays to writable arrays before reversing.

            * runtime/ArrayPrototype.cpp:
            (JSC::arrayProtoFuncReverse):
            * runtime/JSObject.h:
            (JSC::JSObject::ensureWritable):
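
    The copy-on-write case above, as an added example that is not part of the WebKit
    patch or its stress test: int, double and contiguous array literals (the three
    flavours the stress test names) are reversed in place repeatedly, and a fresh
    evaluation of the same literal is checked each time to be untouched. The example
    goes beyond the patch in one respect: every in-place mutator needs the same
    copy-before-write, so sort, fill, copyWithin and a plain indexed store are checked
    as well. Literals and iteration counts are constructed for this example.

```javascript
// Added example, not part of the WebKit patch.
const literals = {
  int: () => [1, 2, 3],
  double: () => [1.5, 2.5, 3.5],
  contiguous: () => ['a', 'b', 'c'],
};

// In-place mutators; each must be applied to a private copy of the literal's
// backing store, never to the shared one.
const mutators = {
  reverse: (a) => a.reverse(),
  sortDesc: (a) => a.sort((x, y) => (x < y ? 1 : x > y ? -1 : 0)),
  fill: (a) => a.fill(a[0]),
  copyWithin: (a) => a.copyWithin(0, 1),
  indexedStore: (a) => { a[0] = a[2]; },
};

// Returns true when `iterations` mutations never leak into a fresh literal.
function literalStaysPristine(makeLiteral, mutate, iterations) {
  const pristine = JSON.stringify(makeLiteral());
  for (let i = 0; i < iterations; i++) {
    mutate(makeLiteral());                                        // mutate one instance...
    if (JSON.stringify(makeLiteral()) !== pristine) return false; // ...a fresh one must be untouched
  }
  return true;
}

// Names of every literal/mutator pair that leaked, empty when all is well.
function checkAllLiterals(iterations) {
  const failures = [];
  for (const [lname, make] of Object.entries(literals)) {
    for (const [mname, mutate] of Object.entries(mutators)) {
      if (!literalStaysPristine(make, mutate, iterations)) failures.push(`${lname}.${mname}`);
    }
  }
  return failures;
}

// The single-call shape of the bug: the reversed instance and a fresh literal.
function reverseOnce() {
  const a = literals.int();
  a.reverse();
  return { reversed: a.join(), fresh: literals.int().join() };
}
```

    With the bug, the second evaluation of `[1, 2, 3]` after a reverse would have
    produced `[3, 2, 1]`, because the literal and its mutated instance shared one
    JSImmutableButterfly; checkAllLiterals() reports such a pair by name.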

2018-09-06  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r235251. rdar://problem/44209840

    [Apple Pay] Introduce Apple Pay JS v4 on iOS 12 and macOS Mojave
    https://bugs.webkit.org/show_bug.cgi?id=188829
    
    Reviewed by Tim Horton.
    
    Source/JavaScriptCore:
    
    * Configurations/FeatureDefines.xcconfig:
    
    Source/WebCore:
    
    Test: http/tests/ssl/applepay/ApplePaySessionV4.html
    
    * Configurations/FeatureDefines.xcconfig:
    * testing/MockPaymentCoordinator.cpp:
    (WebCore::MockPaymentCoordinator::supportsVersion):
    
    Source/WebCore/PAL:
    
    * Configurations/FeatureDefines.xcconfig:
    
    Source/WebKit:
    
    * Configurations/FeatureDefines.xcconfig:
    * WebProcess/ApplePay/WebPaymentCoordinator.cpp:
    (WebKit::WebPaymentCoordinator::supportsVersion):
    
    Source/WebKitLegacy/mac:
    
    * Configurations/FeatureDefines.xcconfig:
    
    Tools:
    
    * TestWebKitAPI/Configurations/FeatureDefines.xcconfig:
    
    LayoutTests:
    
    * http/tests/ssl/applepay/ApplePaySession-expected.txt:
    * http/tests/ssl/applepay/ApplePaySession.html:
    * http/tests/ssl/applepay/ApplePaySessionV3-expected.txt:
    * http/tests/ssl/applepay/ApplePaySessionV3.html:
    * http/tests/ssl/applepay/ApplePaySessionV4-expected.txt: Added.
    * http/tests/ssl/applepay/ApplePaySessionV4.html: Added.
    * platform/mac-wk2/TestExpectations:
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235251 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-08-23  Andy Estes  <aestes@apple.com>

            [Apple Pay] Introduce Apple Pay JS v4 on iOS 12 and macOS Mojave
            https://bugs.webkit.org/show_bug.cgi?id=188829

            Reviewed by Tim Horton.

            * Configurations/FeatureDefines.xcconfig:

2018-09-06  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r235742. rdar://problem/44169344

    Gardening: only visit m_cachedStructureID if it's not null.
    https://bugs.webkit.org/show_bug.cgi?id=189124
    <rdar://problem/43863605>
    
    Not reviewed.
    
    * runtime/JSPropertyNameEnumerator.cpp:
    (JSC::JSPropertyNameEnumerator::visitChildren):
    
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235742 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-09-06  Mark Lam  <mark.lam@apple.com>

            Gardening: only visit m_cachedStructureID if it's not null.
            https://bugs.webkit.org/show_bug.cgi?id=189124
            <rdar://problem/43863605>

            Not reviewed.

            * runtime/JSPropertyNameEnumerator.cpp:
            (JSC::JSPropertyNameEnumerator::visitChildren):

2018-09-06  Mark Lam  <mark.lam@apple.com>

        Cherry-pick r235254, r235419, r235666. rdar://problem/44169332

    2018-08-23  Mark Lam  <mark.lam@apple.com>

            Move vmEntryGlobalObject() to VM from CallFrame.
            https://bugs.webkit.org/show_bug.cgi?id=188900
            <rdar://problem/43655753>

            Reviewed by Michael Saboff.

            Also introduced CallFrame::isGlobalExec() which makes use of one property of
            GlobalExecs to identify them, i.e. GlobalExecs have null callerFrame and returnPCs.
            CallFrame::initGlobalExec() ensures this.

            In contrast, normal CallFrames always have a callerFrame (because they must at
            least be preceded by a VM EntryFrame) and a returnPC (at least return to the
            VM entry glue).

            * API/APIUtils.h:
            (handleExceptionIfNeeded):
            (setException):
            * API/JSBase.cpp:
            (JSEvaluateScript):
            (JSCheckScriptSyntax):
            * API/JSContextRef.cpp:
            (JSGlobalContextRetain):
            (JSGlobalContextRelease):
            (JSGlobalContextCopyName):
            (JSGlobalContextSetName):
            (JSGlobalContextGetRemoteInspectionEnabled):
            (JSGlobalContextSetRemoteInspectionEnabled):
            (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
            (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
            (JSGlobalContextGetDebuggerRunLoop):
            (JSGlobalContextSetDebuggerRunLoop):
            (JSGlobalContextGetAugmentableInspectorController):
            * API/JSValue.mm:
            (reportExceptionToInspector):
            * API/glib/JSCClass.cpp:
            (jscContextForObject):
            * API/glib/JSCContext.cpp:
            (jsc_context_evaluate_in_object):
            * debugger/Debugger.cpp:
            (JSC::Debugger::pauseIfNeeded):
            * debugger/DebuggerCallFrame.cpp:
            (JSC::DebuggerCallFrame::vmEntryGlobalObject const):
            (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
            * interpreter/CallFrame.cpp:
            (JSC::CallFrame::vmEntryGlobalObject): Deleted.
            * interpreter/CallFrame.h:
            (JSC::ExecState::scope const):
            (JSC::ExecState::noCaller):
            (JSC::ExecState::isGlobalExec const):
            * interpreter/Interpreter.cpp:
            (JSC::notifyDebuggerOfUnwinding):
            (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
            (JSC::Interpreter::debug):
            * runtime/CallData.cpp:
            (JSC::profiledCall):
            * runtime/Completion.cpp:
            (JSC::evaluate):
            (JSC::profiledEvaluate):
            (JSC::evaluateWithScopeExtension):
            (JSC::loadAndEvaluateModule):
            (JSC::loadModule):
            (JSC::linkAndEvaluateModule):
            (JSC::importModule):
            * runtime/ConstructData.cpp:
            (JSC::profiledConstruct):
            * runtime/Error.cpp:
            (JSC::getStackTrace):
            * runtime/VM.cpp:
            (JSC::VM::throwException):
            (JSC::VM::vmEntryGlobalObject const):
            * runtime/VM.h:

    2018-08-27  Mark Lam  <mark.lam@apple.com>

            Fix exception throwing code so that topCallFrame and topEntryFrame stay true to their names.
            https://bugs.webkit.org/show_bug.cgi?id=188577
            <rdar://problem/42985684>

            Reviewed by Saam Barati.

            1. Introduced CallFrame::convertToStackOverflowFrame() which converts the current
               (top) CallFrame (which may not have a valid callee) into a StackOverflowFrame.

               The StackOverflowFrame is a sentinel frame that the low level code (exception
               throwing code, stack visitor, and stack unwinding code) will know to skip
               over.  The StackOverflowFrame will also have a valid JSCallee so that client
               code can compute the globalObject or VM from this frame.

               As a result, client code that throws StackOverflowErrors no longer needs to
               compute the caller frame to throw from: it just converts the top frame into
               a StackOverflowFrame and everything should *Just Work*.

            2. NativeCallFrameTracerWithRestore is now obsolete.

               Instead, client code should always call convertToStackOverflowFrame() on the
               frame before instantiating a NativeCallFrameTracer with it.

               This means that topCallFrame will always point to the top CallFrame (which
               may be a StackOverflowFrame), and topEntryFrame will always point to the top
               EntryFrame.  We'll never temporarily point them to the previous EntryFrame
               (which we used to do with NativeCallFrameTracerWithRestore).

            3. genericUnwind() and Interpreter::unwind() will now always unwind from the top
               CallFrame, and will know how to handle a StackOverflowFrame if they see one.

               This obsoletes the UnwindStart flag.

            * CMakeLists.txt:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * Sources.txt:
            * debugger/Debugger.cpp:
            (JSC::Debugger::pauseIfNeeded):
            * interpreter/CallFrame.cpp:
            (JSC::CallFrame::callerFrame const):
            (JSC::CallFrame::unsafeCallerFrame const):
            (JSC::CallFrame::convertToStackOverflowFrame):
            (JSC::CallFrame::callerFrame): Deleted.
            (JSC::CallFrame::unsafeCallerFrame): Deleted.
            * interpreter/CallFrame.h:
            (JSC::ExecState::iterate):
            * interpreter/CallFrameInlines.h: Added.
            (JSC::CallFrame::isStackOverflowFrame const):
            (JSC::CallFrame::isWasmFrame const):
            * interpreter/EntryFrame.h: Added.
            (JSC::EntryFrame::vmEntryRecordOffset):
            (JSC::EntryFrame::calleeSaveRegistersBufferOffset):
            * interpreter/FrameTracers.h:
            (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): Deleted.
            (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore): Deleted.
            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::unwind):
            * interpreter/Interpreter.h:
            * interpreter/StackVisitor.cpp:
            (JSC::StackVisitor::StackVisitor):
            * interpreter/StackVisitor.h:
            (JSC::StackVisitor::visit):
            (JSC::StackVisitor::topEntryFrameIsEmpty const):
            * interpreter/VMEntryRecord.h:
            (JSC::VMEntryRecord::callee const):
            (JSC::EntryFrame::vmEntryRecordOffset): Deleted.
            (JSC::EntryFrame::calleeSaveRegistersBufferOffset): Deleted.
            * jit/AssemblyHelpers.h:
            * jit/JITExceptions.cpp:
            (JSC::genericUnwind):
            * jit/JITExceptions.h:
            * jit/JITOperations.cpp:
            * llint/LLIntOffsetsExtractor.cpp:
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            * llint/LowLevelInterpreter.asm:
            * llint/LowLevelInterpreter32_64.asm:
            * llint/LowLevelInterpreter64.asm:
            * runtime/CallData.cpp:
            * runtime/CommonSlowPaths.cpp:
            (JSC::throwArityCheckStackOverflowError):
            (JSC::SLOW_PATH_DECL):
            * runtime/CommonSlowPathsExceptions.cpp: Removed.
            * runtime/CommonSlowPathsExceptions.h: Removed.
            * runtime/Completion.cpp:
            (JSC::evaluateWithScopeExtension):
            * runtime/JSGeneratorFunction.h:
            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::init):
            (JSC::JSGlobalObject::visitChildren):
            * runtime/JSGlobalObject.h:
            (JSC::JSGlobalObject::stackOverflowFrameCallee const):
            * runtime/VM.cpp:
            (JSC::VM::throwException):
            * runtime/VM.h:
            * runtime/VMInlines.h:
            (JSC::VM::topJSCallFrame const):

    2018-09-05  David Kilzer  <ddkilzer@apple.com>

            REGRESSION (r235419): DFGCFG.h is missing from JavaScriptCore Xcode project

            Found using `tidy-Xcode-project-file --missing` (see Bug
            188754).  Fix was made manually.

            * JavaScriptCore.xcodeproj/project.pbxproj:
            (dfg/DFGCFG.h): Revert accidental change in r235419 by restoring
            `name` and `path` values to file reference.

2018-09-06  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r235715. rdar://problem/44169344

    JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
    https://bugs.webkit.org/show_bug.cgi?id=189124
    <rdar://problem/43863605>
    
    Reviewed by Filip Pizlo.
    
    JSTests:
    
    * stress/regress-189124.js: Added.
    
    Source/JavaScriptCore:
    
    It is assumed that the Structure for the m_cachedStructureID will remain alive
    while the m_cachedStructureID is in use.  This prevents the structureID from being
    re-used for a different Structure.
    
    * runtime/JSPropertyNameEnumerator.cpp:
    (JSC::JSPropertyNameEnumerator::visitChildren):
    
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235715 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-09-05  Mark Lam  <mark.lam@apple.com>

            JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
            https://bugs.webkit.org/show_bug.cgi?id=189124
            <rdar://problem/43863605>

            Reviewed by Filip Pizlo.

            It is assumed that the Structure for the m_cachedStructureID will remain alive
            while the m_cachedStructureID is in use.  This prevents the structureID from being
            re-used for a different Structure.

            * runtime/JSPropertyNameEnumerator.cpp:
            (JSC::JSPropertyNameEnumerator::visitChildren):

2018-09-06  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r235177. rdar://problem/44169333

    The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.
    https://bugs.webkit.org/show_bug.cgi?id=188298
    <rdar://problem/42888427>
    
    Reviewed by Saam Barati.
    
    JSTests:
    
    * stress/bug-188298.js: Added.
    
    Source/JavaScriptCore:
    
    In the event that both targets of a Branch are the same block, then even if we'll
    always take one path of the branch, the other target is not unreachable because
    it is the same target as the one in the taken path.  Hence, it should not be
    jettisoned.
    
    * JavaScriptCore.xcodeproj/project.pbxproj:
    - Added DFGCFG.h which is in use and should have been added to the project.
    * dfg/DFGCFGSimplificationPhase.cpp:
    (JSC::DFG::CFGSimplificationPhase::run):
    
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235177 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-08-22  Mark Lam  <mark.lam@apple.com>

            The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.
            https://bugs.webkit.org/show_bug.cgi?id=188298
            <rdar://problem/42888427>

            Reviewed by Saam Barati.

            In the event that both targets of a Branch are the same block, then even if we'll
            always take one path of the branch, the other target is not unreachable because
            it is the same target as the one in the taken path.  Hence, it should not be
            jettisoned.

            * JavaScriptCore.xcodeproj/project.pbxproj:
            - Added DFGCFG.h which is in use and should have been added to the project.
            * dfg/DFGCFGSimplificationPhase.cpp:
            (JSC::DFG::CFGSimplificationPhase::run):

2018-09-05  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r235007. rdar://problem/44144079

    intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
    https://bugs.webkit.org/show_bug.cgi?id=188707
    <rdar://problem/43015442>
    
    Reviewed by Mark Lam.
    
    JSTests:
    
    * stress/cfa-expected-values-must-set-clobbered-to-false.js: Added.
    (foo):
    (let.comp.valueOf):
    (result):
    
    Source/JavaScriptCore:
    
    We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
    OSR enter at the head of a block. We verify it's safe to OSR enter by checking
    that each incoming value is compatible with its corresponding AbstractValue.
            
    The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
    with abstract values that were clobbered. This meant that the value we're
    verifying with at OSR entry effectively has an infinite structure set because
    it's clobbered. So, imagine we have code like this:
    ```
    ---> We OSR enter here, and we're clobbered here
    InvalidationPoint
    GetByOffset(@base)
    ```
            
    The abstract value for @base inside intersectionOfPastValuesAtHead has a
    clobbered structure set, so we'd allow an incoming object with any
    structure. However, this is wrong because the invalidation point is no
    longer fulfilling its promise that it filters the structure that @base has.
            
    We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
    as if the incoming value may be live past an InvalidationPoint.
    This places a stricter requirement that to safely OSR enter at any basic
    block, all incoming values must be compatible as if they lived past
    the execution of an invalidation point.
    
    * dfg/DFGCFAPhase.cpp:
    (JSC::DFG::CFAPhase::run):
    
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235007 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-08-17  Saam barati  <sbarati@apple.com>

            intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
            https://bugs.webkit.org/show_bug.cgi?id=188707
            <rdar://problem/43015442>

            Reviewed by Mark Lam.

            We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
            OSR enter at the head of a block. We verify it's safe to OSR enter by checking
            that each incoming value is compatible with its corresponding AbstractValue.

            The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
            with abstract values that were clobbered. This meant that the value we're
            verifying with at OSR entry effectively has an infinite structure set because
            it's clobbered. So, imagine we have code like this:
            ```
            ---> We OSR enter here, and we're clobbered here
            InvalidationPoint
            GetByOffset(@base)
            ```

            The abstract value for @base inside intersectionOfPastValuesAtHead has a
            clobbered structure set, so we'd allow an incoming object with any
            structure. However, this is wrong because the invalidation point is no
            longer fulfilling its promise that it filters the structure that @base has.

            We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
            as if the incoming value may be live past an InvalidationPoint.
            This places a stricter requirement that to safely OSR enter at any basic
            block, all incoming values must be compatible as if they lived past
            the execution of an invalidation point.

            * dfg/DFGCFAPhase.cpp:
            (JSC::DFG::CFAPhase::run):

2018-09-05  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r234649. rdar://problem/43009920

    Use a more specific PtrTag for PlatformRegisters PC and LR.
    https://bugs.webkit.org/show_bug.cgi?id=188366
    <rdar://problem/42984123>
    
    Reviewed by Keith Miller.
    
    Also fixed a bug in linkRegister(), which was previously returning the PC instead
    of LR.  It now returns LR.
    
    * runtime/JSCPtrTag.h:
    * runtime/MachineContext.h:
    (JSC::MachineContext::instructionPointer):
    (JSC::MachineContext::linkRegister):
    * runtime/VMTraps.cpp:
    (JSC::SignalContext::SignalContext):
    * tools/SigillCrashAnalyzer.cpp:
    (JSC::SignalContext::SignalContext):
    
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234649 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-08-07  Mark Lam  <mark.lam@apple.com>

            Use a more specific PtrTag for PlatformRegisters PC and LR.
            https://bugs.webkit.org/show_bug.cgi?id=188366
            <rdar://problem/42984123>

            Reviewed by Keith Miller.

            Also fixed a bug in linkRegister(), which was previously returning the PC instead
            of LR.  It now returns LR.

            * runtime/JSCPtrTag.h:
            * runtime/MachineContext.h:
            (JSC::MachineContext::instructionPointer):
            (JSC::MachineContext::linkRegister):
            * runtime/VMTraps.cpp:
            (JSC::SignalContext::SignalContext):
            * tools/SigillCrashAnalyzer.cpp:
            (JSC::SignalContext::SignalContext):

2018-08-06  Kocsen Chung  <kocsen_chung@apple.com>

        Cherry-pick r234576. rdar://problem/42973449

    Give the `jsc` shell the JIT entitlement
    https://bugs.webkit.org/show_bug.cgi?id=188324
    <rdar://problem/42885806>
    
    Reviewed by Dan Bernstein.
    
    This should help us in ensuring the system jsc is able to JIT.
    
    * Configurations/JSC.xcconfig:
    * JavaScriptCore.xcodeproj/project.pbxproj:
    * allow-jit-macOS.entitlements: Added.
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234576 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-08-03  Saam Barati  <sbarati@apple.com>

            Give the `jsc` shell the JIT entitlement
            https://bugs.webkit.org/show_bug.cgi?id=188324
            <rdar://problem/42885806>

            Reviewed by Dan Bernstein.

            This should help us in ensuring the system jsc is able to JIT.

            * Configurations/JSC.xcconfig:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * allow-jit-macOS.entitlements: Added.

2018-08-02  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r234528. rdar://problem/42883788

    Source/JavaScriptCore:
    Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
    https://bugs.webkit.org/show_bug.cgi?id=188271
    <rdar://problem/42850884>
    
    Reviewed by Michael Saboff.
    
    This patch defends against the instructionPointer containing garbage bits.
    See radar for details.
    
    * runtime/MachineContext.h:
    (JSC::MachineContext::instructionPointer):
    * runtime/SamplingProfiler.cpp:
    (JSC::SamplingProfiler::takeSample):
    * runtime/VMTraps.cpp:
    (JSC::SignalContext::SignalContext):
    (JSC::SignalContext::tryCreate):
    * tools/CodeProfiling.cpp:
    (JSC::profilingTimer):
    * tools/SigillCrashAnalyzer.cpp:
    (JSC::SignalContext::SignalContext):
    (JSC::SignalContext::tryCreate):
    (JSC::SignalContext::dump):
    (JSC::installCrashHandler):
    * wasm/WasmFaultSignalHandler.cpp:
    (JSC::Wasm::trapHandler):
    
    Source/WTF:
    Reading instructionPointer from PlatformRegisters may fail when using pointer tagging
    https://bugs.webkit.org/show_bug.cgi?id=188271
    <rdar://problem/42850884>
    
    Reviewed by Michael Saboff.
    
    * wtf/PtrTag.h:
    (WTF::isTaggedWith):
    (WTF::usesPointerTagging):
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234528 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-08-02  Saam Barati  <sbarati@apple.com>

            Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
            https://bugs.webkit.org/show_bug.cgi?id=188271
            <rdar://problem/42850884>

            Reviewed by Michael Saboff.

            This patch defends against the instructionPointer containing garbage bits.
            See radar for details.

            * runtime/MachineContext.h:
            (JSC::MachineContext::instructionPointer):
            * runtime/SamplingProfiler.cpp:
            (JSC::SamplingProfiler::takeSample):
            * runtime/VMTraps.cpp:
            (JSC::SignalContext::SignalContext):
            (JSC::SignalContext::tryCreate):
            * tools/CodeProfiling.cpp:
            (JSC::profilingTimer):
            * tools/SigillCrashAnalyzer.cpp:
            (JSC::SignalContext::SignalContext):
            (JSC::SignalContext::tryCreate):
            (JSC::SignalContext::dump):
            (JSC::installCrashHandler):
            * wasm/WasmFaultSignalHandler.cpp:
            (JSC::Wasm::trapHandler):

2018-07-26  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r234269. rdar://problem/42650430

    arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
    https://bugs.webkit.org/show_bug.cgi?id=188065
    <rdar://problem/42515726>
    
    Reviewed by Saam Barati.
    
    JSTests:
    
    * stress/regress-188065.js: Added.
    
    Source/JavaScriptCore:
    
    * runtime/ArrayPrototype.cpp:
    (JSC::clearElement):
    (JSC::copyElements):
    (JSC::arrayProtoPrivateFuncConcatMemcpy):
    
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234269 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-07-26  Mark Lam  <mark.lam@apple.com>

            arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
            https://bugs.webkit.org/show_bug.cgi?id=188065
            <rdar://problem/42515726>

            Reviewed by Saam Barati.

            * runtime/ArrayPrototype.cpp:
            (JSC::clearElement):
            (JSC::copyElements):
            (JSC::arrayProtoPrivateFuncConcatMemcpy):

2018-07-26  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r234272. rdar://problem/42645434

    Unreviewed, rolling out r234181 and r234189.
    https://bugs.webkit.org/show_bug.cgi?id=188075
    
    These are not needed right now (Requested by thorton on
    #webkit).
    
    Reverted changesets:
    
    "Enable Web Content Filtering on watchOS"
    https://bugs.webkit.org/show_bug.cgi?id=187979
    https://trac.webkit.org/changeset/234181
    
    "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
    https://bugs.webkit.org/show_bug.cgi?id=187985
    https://trac.webkit.org/changeset/234189
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234272 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-07-26  Commit Queue  <commit-queue@webkit.org>

            Unreviewed, rolling out r234181 and r234189.
            https://bugs.webkit.org/show_bug.cgi?id=188075

            These are not needed right now (Requested by thorton on
            #webkit).

            Reverted changesets:

            "Enable Web Content Filtering on watchOS"
            https://bugs.webkit.org/show_bug.cgi?id=187979
            https://trac.webkit.org/changeset/234181

            "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
            https://bugs.webkit.org/show_bug.cgi?id=187985
            https://trac.webkit.org/changeset/234189

2018-07-25  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r234181. rdar://problem/42604524

    Enable Web Content Filtering on watchOS
    https://bugs.webkit.org/show_bug.cgi?id=187979
    <rdar://problem/42559346>
    
    Reviewed by Wenson Hsieh.
    
    Source/JavaScriptCore:
    
    * Configurations/FeatureDefines.xcconfig:
    
    Source/WebCore:
    
    * Configurations/FeatureDefines.xcconfig:
    
    Source/WebCore/PAL:
    
    * Configurations/FeatureDefines.xcconfig:
    
    Source/WebKit:
    
    * Configurations/FeatureDefines.xcconfig:
    
    Source/WebKitLegacy/mac:
    
    * Configurations/FeatureDefines.xcconfig:
    
    Tools:
    
    * TestWebKitAPI/Configurations/FeatureDefines.xcconfig:
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234181 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-07-24  Tim Horton  <timothy_horton@apple.com>

            Enable Web Content Filtering on watchOS
            https://bugs.webkit.org/show_bug.cgi?id=187979
            <rdar://problem/42559346>

            Reviewed by Wenson Hsieh.

            * Configurations/FeatureDefines.xcconfig:

2018-07-24  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r234106. rdar://problem/42545682

    Add some asserts to help diagnose a crash.
    https://bugs.webkit.org/show_bug.cgi?id=187915
    <rdar://problem/42508166>
    
    Reviewed by Michael Saboff.
    
    Add some asserts to verify that a CodeBlock alternative should always have a
    non-null jitCode.  Also change a RELEASE_ASSERT_NOT_REACHED() in
    CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
    so that we'll retain the state of the variables that failed the assertion (again
    to help with diagnosis).
    
    * bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::setAlternative):
    (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
    * dfg/DFGPlan.cpp:
    (JSC::DFG::Plan::Plan):
    
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234106 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-07-23  Mark Lam  <mark.lam@apple.com>

            Add some asserts to help diagnose a crash.
            https://bugs.webkit.org/show_bug.cgi?id=187915
            <rdar://problem/42508166>

            Reviewed by Michael Saboff.

            Add some asserts to verify that a CodeBlock alternative should always have a
            non-null jitCode.  Also change a RELEASE_ASSERT_NOT_REACHED() in
            CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
            so that we'll retain the state of the variables that failed the assertion (again
            to help with diagnosis).

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::setAlternative):
            (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::Plan):

2018-07-23  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r234075. rdar://problem/42451525

    DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
    https://bugs.webkit.org/show_bug.cgi?id=187827
    rdar://problem/42146858
    
    Reviewed by Saam Barati.
    
    JSTests:
    
    New regression tests.
    
    * stress/direct-arguments-check-array.js: Added.
    (setup.f2):
    (setup):
    (forOfArray):
    (forOfArgs):
    (callEveryOnArgs):
    * stress/scoped-arguments-check-array.js: Added.
    (setup.foo):
    (setup.f2):
    (setup):
    (forOfArray):
    (forOfArgs):
    (callEveryOnArgs):
    
    Source/JavaScriptCore:
    
    When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
    that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
    We can't end up with other shapes, Int32, Double, etc because GenericArguments sets 
    InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
    putByIndex() path that doesn't change the shape.
    
    * dfg/DFGArrayMode.h:
    (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234075 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-07-20  Michael Saboff  <msaboff@apple.com>

            DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
            https://bugs.webkit.org/show_bug.cgi?id=187827
            rdar://problem/42146858

            Reviewed by Saam Barati.

            When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
            that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
            We can't end up with other shapes, Int32, Double, etc because GenericArguments sets
            InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
            putByIndex() path that doesn't change the shape.

            * dfg/DFGArrayMode.h:
            (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):

2018-07-20  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r234022. rdar://problem/42417126

    Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash
    https://bugs.webkit.org/show_bug.cgi?id=187836
    <rdar://problem/42409527>
    
    Reviewed by Mark Lam.
    
    We have crash reports that we're crashing on source->getDirect in Object.assign's
    fast path. Mark investigated this and determined we end up with a nullptr for
    butterfly. This is curious, because source's Structure indicated that it has
    out of line properties. My leading hypothesis for this at the moment is a bit
    handwavy, but it's essentially:
    - We end up firing a watchpoint when assigning to the target (this can happen
    if a watchpoint was set up for storing to that particular field)
    - When we fire that watchpoint, we end up doing some kind of work on the source,
    perhaps causing it to flattenDictionaryStructure. Therefore, we end up
    mutating source.
    
    I'm not super convinced this is what we're running into, but just by reading
    the code, I think it needs to be something similar to this. Seeing if this change
    fixes the crasher will give us good data to determine if something like this is
    happening or if the bug is something else entirely.
    
    * runtime/ObjectConstructor.cpp:
    (JSC::objectConstructorAssign):
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234022 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-07-19  Saam Barati  <sbarati@apple.com>

            Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash
            https://bugs.webkit.org/show_bug.cgi?id=187836
            <rdar://problem/42409527>

            Reviewed by Mark Lam.

            We have crash reports that we're crashing on source->getDirect in Object.assign's
            fast path. Mark investigated this and determined we end up with a nullptr for
            butterfly. This is curious, because source's Structure indicated that it has
            out of line properties. My leading hypothesis for this at the moment is a bit
            handwavy, but it's essentially:
            - We end up firing a watchpoint when assigning to the target (this can happen
            if a watchpoint was set up for storing to that particular field)
            - When we fire that watchpoint, we end up doing some kind of work on the source,
            perhaps causing it to flattenDictionaryStructure. Therefore, we end up
            mutating source.

            I'm not super convinced this is what we're running into, but just by reading
            the code, I think it needs to be something similar to this. Seeing if this change
            fixes the crasher will give us good data to determine if something like this is
            happening or if the bug is something else entirely.

            * runtime/ObjectConstructor.cpp:
            (JSC::objectConstructorAssign):

2018-07-18  Babak Shafiei  <bshafiei@apple.com>

        Cherry-pick r233893. rdar://problem/42345044

    CodeBlock::baselineVersion() should account for executables with purged codeBlocks.
    https://bugs.webkit.org/show_bug.cgi?id=187736
    <rdar://problem/42114371>
    
    Reviewed by Michael Saboff.
    
    CodeBlock::baselineVersion() currently checks for a null replacement but does not
    account for the fact that the replacement can also be null due to the
    executable having been purged of its codeBlocks due to a memory event (see
    ExecutableBase::clearCode()).  This patch adds code to account for this.
    
    * bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::baselineVersion):
    
    
    
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233893 268f45cc-cd09-0410-ab3c-d52691b4dbfc

    2018-07-17  Mark Lam  <mark.lam@apple.com>

            CodeBlock::baselineVersion() should account for executables with purged codeBlocks.
            https://bugs.webkit.org/show_bug.cgi?id=187736
            <rdar://problem/42114371>

            Reviewed by Michael Saboff.

            CodeBlock::baselineVersion() currently checks for a null replacement but does not
            account for the fact that the replacement can also be null due to the
            executable having been purged of its codeBlocks due to a memory event (see
            ExecutableBase::clearCode()).  This patch adds code to account for this.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::baselineVersion):

2018-07-15  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add API to evaluate code using a given object to store global symbols
        https://bugs.webkit.org/show_bug.cgi?id=187639

        Reviewed by Michael Catanzaro.

        Add jsc_context_evaluate_in_object(). It returns a new object as an out parameter. Global symbols in the
        evaluated script are added as properties to the new object instead of to the context global object. This is
        similar to JS::Evaluate in SpiderMonkey when a scopeChain parameter is passed, but JSC doesn't support using a
        scope for assignments, so we have to create a new context and get its global object. This patch also updates
        jsc_context_evaluate_with_source_uri() to receive the starting line number for consistency with the new
        jsc_context_evaluate_in_object().

        * API/glib/JSCContext.cpp:
        (jsc_context_evaluate): Pass 0 as line number to jsc_context_evaluate_with_source_uri().
        (evaluateScriptInContext): Helper function to evaluate a script in a JSGlobalContextRef.
        (jsc_context_evaluate_with_source_uri): Use evaluateScriptInContext().
        (jsc_context_evaluate_in_object): Create a new context and set the main context global object as extension
        scope of it. Evaluate the script in the new context and get its global object to be returned as parameter.
        * API/glib/JSCContext.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [32bit JSC tests] stress/cow-convert-double-to-contiguous.js and stress/cow-convert-int32-to-contiguous.js are failing
        https://bugs.webkit.org/show_bug.cgi?id=187561

        Reviewed by Darin Adler.

        This patch fixes the issue that CoW array handling is not introduced in 32bit put_by_val code.
        We clean up 32bit put_by_val code.

        1. We remove inline out-of-bounds recording code since it is done in C operation code. This change
        aligns 32bit implementation to 64bit implementation.

        2. We add CoW array checking, which is done in 64bit implementation.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):

2018-07-12  Mark Lam  <mark.lam@apple.com>

        Need to handle CodeBlock::replacement() being null.
        https://bugs.webkit.org/show_bug.cgi?id=187569
        <rdar://problem/41468692>

        Reviewed by Saam Barati.

        CodeBlock::replacement() may return a nullptr.  Some of our code already checks
        for this while others do not.  We should add null checks in all the places that
        need it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hasOptimizedReplacement):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::numberOfDFGCompiles):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGOperations.cpp:
        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
        * jit/JITOperations.cpp:

2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Thread VM& to JSCell::methodTable(VM&)
        https://bugs.webkit.org/show_bug.cgi?id=187548

        Reviewed by Saam Barati.

        This patch threads VM& to methodTable(VM&) and removes methodTable().
        We add VM& parameter to estimatedSize() to thread VM& in estimatedSize implementations.

        * API/APICast.h:
        (toJS):
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::className):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::estimatedSize):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::estimatedSize):
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::className):
        * debugger/DebuggerScope.h:
        * heap/Heap.cpp:
        (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
        (JSC::GatherHeapSnapshotData::operator() const):
        (JSC::Heap::gatherExtraHeapSnapshotData):
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        * runtime/ClassInfo.h:
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::estimatedSize):
        * runtime/DirectArguments.h:
        * runtime/HashMapImpl.cpp:
        (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
        * runtime/HashMapImpl.h:
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::estimatedSize):
        * runtime/JSArrayBuffer.h:
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::estimatedSize):
        * runtime/JSBigInt.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::dump const):
        (JSC::JSCell::estimatedSizeInBytes const):
        (JSC::JSCell::estimatedSize):
        (JSC::JSCell::className):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
        * runtime/JSObject.cpp:
        (JSC::JSObject::estimatedSize):
        (JSC::JSObject::className):
        (JSC::JSObject::toStringName):
        (JSC::JSObject::calculatedClassName):
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::className):
        * runtime/JSProxy.h:
        * runtime/JSString.cpp:
        (JSC::JSString::estimatedSize):
        * runtime/JSString.h:
        * runtime/RegExp.cpp:
        (JSC::RegExp::estimatedSize):
        * runtime/RegExp.h:
        * runtime/WeakMapImpl.cpp:
        (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
        * runtime/WeakMapImpl.h:

2018-07-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r233714.
        https://bugs.webkit.org/show_bug.cgi?id=187579

        it made tests time out (Requested by pizlo on #webkit).

        Reverted changeset:

        "Change the reoptimization backoff base to 1.3 from 2"
        https://bugs.webkit.org/show_bug.cgi?id=187540
        https://trac.webkit.org/changeset/233714

2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add API to allow creating variadic functions
        https://bugs.webkit.org/show_bug.cgi?id=187517

        Reviewed by Michael Catanzaro.

        Add a _variadic alternate method for jsc_class_add_constructor, jsc_class_add_method and
        jsc_value_new_function. In that case the callback always receives a GPtrArray of JSCValue.

        * API/glib/JSCCallbackFunction.cpp:
        (JSC::JSCCallbackFunction::create): Make the parameters optional.
        (JSC::JSCCallbackFunction::JSCCallbackFunction): Ditto.
        (JSC::JSCCallbackFunction::call): Handle the case of parameters being nullopt by creating a GPtrArray of
        JSCValue for the arguments.
        (JSC::JSCCallbackFunction::construct): Ditto.
        * API/glib/JSCCallbackFunction.h:
        * API/glib/JSCClass.cpp:
        (jscClassCreateConstructor): Make the parameters optional.
        (jsc_class_add_constructor_variadic): Pass nullopt as parameters to jscClassCreateConstructor.
        (jscClassAddMethod): Make the parameters optional.
        (jsc_class_add_method_variadic): Pass nullopt as parameters to jscClassAddMethod.
        * API/glib/JSCClass.h:
        * API/glib/JSCValue.cpp:
        (jsc_value_object_define_property_accessor): Update now that parameters are optional.
        (jscValueFunctionCreate): Make the parameters optional.
        (jsc_value_new_function_variadic): Pass nullopt as parameters to jscValueFunctionCreate.
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add jsc_context_get_global_object() to GLib API
        https://bugs.webkit.org/show_bug.cgi?id=187515

        Reviewed by Michael Catanzaro.

        This wasn't exposed because we have convenient methods in JSCContext to get and set properties on the global
        object. However, getting the global object could be useful in some cases, for example to give it a well known
        name like 'window' in browsers and GJS.

        * API/glib/JSCContext.cpp:
        (jsc_context_get_global_object):
        * API/glib/JSCContext.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Handle G_TYPE_STRV in glib API
        https://bugs.webkit.org/show_bug.cgi?id=187512

        Reviewed by Michael Catanzaro.

        Add jsc_value_new_array_from_strv() and handle G_TYPE_STRV types in function parameters.

        * API/glib/JSCContext.cpp:
        (jscContextGValueToJSValue):
        (jscContextJSValueToGValue):
        * API/glib/JSCValue.cpp:
        (jsc_value_new_array_from_strv):
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Iterator of Array.keys() returns object in wrong order
        https://bugs.webkit.org/show_bug.cgi?id=185197

        Reviewed by Keith Miller.

        * builtins/ArrayIteratorPrototype.js:
        (globalPrivate.arrayIteratorValueNext):
        (globalPrivate.arrayIteratorKeyNext):
        (globalPrivate.arrayIteratorKeyValueNext):
        * builtins/AsyncFromSyncIteratorPrototype.js:
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorResolve):
        * builtins/GeneratorPrototype.js:
        (globalPrivate.generatorResume):
        * builtins/MapIteratorPrototype.js:
        (globalPrivate.mapIteratorNext):
        * builtins/SetIteratorPrototype.js:
        (globalPrivate.setIteratorNext):
        * builtins/StringIteratorPrototype.js:
        (next):
        * runtime/IteratorOperations.cpp:
        (JSC::createIteratorResultObjectStructure):
        (JSC::createIteratorResultObject):

2018-07-10  Mark Lam  <mark.lam@apple.com>

        constructArray() should always allocate the requested length.
        https://bugs.webkit.org/show_bug.cgi?id=187543
        <rdar://problem/41947884>

        Reviewed by Saam Barati.

        Currently, it does not when we're having a bad time.  We fix this by switching
        back to using tryCreateUninitializedRestricted() exclusively in constructArray().
        If we detect that a structure transition is possible before we can initialize
        the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
        We will introduce JSArray::eagerlyInitializeButterfly() to handle this.

        Also enhanced the DisallowScope and ObjectInitializationScope to support this
        eager initialization when needed.

        * dfg/DFGOperations.cpp:
        - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
          the array allocation to always succeed.  Adding this RELEASE_ASSERT here makes
          it clearer that we encountered an OutOfMemory condition instead of failing in FTL
          generated code, which will appear as a generic null pointer dereference.

        * runtime/ArrayPrototype.cpp:
        (JSC::concatAppendOne):
        - the code here clearly wants to check for an allocation failure.  Switched to
          using JSArray::tryCreate() instead of JSArray::create().

        * runtime/DisallowScope.h:
        (JSC::DisallowScope::disable):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::eagerlyInitializeButterfly):
        (JSC::constructArray):
        * runtime/JSArray.h:
        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::notifyInitialized):
        * runtime/ObjectInitializationScope.h:
        (JSC::ObjectInitializationScope::notifyInitialized):

2018-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove getTypedArrayImpl
        https://bugs.webkit.org/show_bug.cgi?id=187338

        Reviewed by Mark Lam.

        getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
        is limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
        This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.

        * runtime/ClassInfo.h:
        * runtime/GenericTypedArrayView.h:
        (JSC::GenericTypedArrayView::data const): Deleted.
        (JSC::GenericTypedArrayView::set): Deleted.
        (JSC::GenericTypedArrayView::setRange): Deleted.
        (JSC::GenericTypedArrayView::zeroRange): Deleted.
        (JSC::GenericTypedArrayView::zeroFill): Deleted.
        (JSC::GenericTypedArrayView::length const): Deleted.
        (JSC::GenericTypedArrayView::item const): Deleted.
        (JSC::GenericTypedArrayView::set const): Deleted.
        (JSC::GenericTypedArrayView::setNative const): Deleted.
        (JSC::GenericTypedArrayView::getRange): Deleted.
        (JSC::GenericTypedArrayView::checkInboundData const): Deleted.
        (JSC::GenericTypedArrayView::internalByteLength const): Deleted.
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::possiblySharedImpl):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
        * runtime/JSCell.cpp:
        (JSC::JSCell::getTypedArrayImpl): Deleted.
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getTypedArrayImpl): Deleted.
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.

2018-07-10  Keith Miller  <keith_miller@apple.com>

        hasOwnProperty returns true for out of bounds property index on TypedArray
        https://bugs.webkit.org/show_bug.cgi?id=187520

        Reviewed by Saam Barati.

        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):

2018-07-10  Michael Saboff  <msaboff@apple.com>

        DFG JIT: compileMathIC produces incorrect machine code
        https://bugs.webkit.org/show_bug.cgi?id=187537

        Reviewed by Saam Barati.

        Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
        fall back to the fast path generator which handles such cases.

        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateInline):

2018-07-10  Filip Pizlo  <fpizlo@apple.com>

        Change the reoptimization backoff base to 1.3 from 2
        https://bugs.webkit.org/show_bug.cgi?id=187540

        Reviewed by Saam Barati.
        
        I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.
        
        I also have data that hints that a backoff base of 1 might be even better, but I think that
        we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::reoptimizationRetryCounter const):
        (JSC::CodeBlock::countReoptimization):
        (JSC::CodeBlock::adjustedCounterValue):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2018-07-10  Mark Lam  <mark.lam@apple.com>

        [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
        https://bugs.webkit.org/show_bug.cgi?id=187362
        <rdar://problem/42027210>

        Reviewed by Saam Barati.

        On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
        value to use for initializing unused properties.  Updated an assertion to account
        for this.

        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):

2018-07-10  Michael Saboff  <msaboff@apple.com>

        YARR: . doesn't match non-BMP Unicode characters in some cases
        https://bugs.webkit.org/show_bug.cgi?id=187248

        Reviewed by Geoffrey Garen.

        The safety check in optimizeAlternative() for moving character classes that only consist of BMP
        characters did not take into account that the character class is inverted.  In this case, we
        represent '.' as "not a newline" using the newline character class with an inverted check.
        Clearly that includes non-BMP characters.

        The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
        inverted use of that character class.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::optimizeAlternative):
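
The point of the entry above, as an added C++ illustration that is not WebKit or YARR code: a character class whose members are all BMP code points stops being "BMP-only" the moment it is used inverted, which is exactly how '.' ("not a newline") is represented. CharacterClass, newlineClass, canOnlyMatchBMP, canOnlyMatchBMPIgnoringInversion, decodeCodePoint and matchClassAt are names made up for this example, and the class holds single code points rather than the ranges a real engine keeps.

```cpp
// Added example, not WebKit code: a BMP-only character class still matches non-BMP code points
// once it is used inverted, so a "BMP-only" test must consider inversion, not just the members.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

struct CharacterClass {
    std::vector<char32_t> members; // individual code points (a real class also holds ranges)

    bool hasNonBMPCharacters() const
    {
        return std::any_of(members.begin(), members.end(), [](char32_t c) { return c > 0xFFFF; });
    }
    bool contains(char32_t c) const
    {
        return std::find(members.begin(), members.end(), c) != members.end();
    }
};

// JavaScript's line terminators. In a regular expression, '.' is this class, inverted.
const CharacterClass newlineClass { std::vector<char32_t> { 0x000A, 0x000D, 0x2028, 0x2029 } };

// The check an alternative optimizer needs before treating a class as BMP-only:
// no non-BMP members AND not used inverted.
bool canOnlyMatchBMP(const CharacterClass& cc, bool inverted)
{
    return !cc.hasNonBMPCharacters() && !inverted;
}

// The incomplete check, for comparison: it only looks at the members.
bool canOnlyMatchBMPIgnoringInversion(const CharacterClass& cc, bool /*inverted*/)
{
    return !cc.hasNonBMPCharacters();
}

// Decode one code point from UTF-16, pairing surrogates the way a Unicode-mode matcher does.
// Returns the number of UTF-16 units consumed, 0 at end of input.
size_t decodeCodePoint(const std::u16string& text, size_t index, char32_t& out)
{
    if (index >= text.size())
        return 0;
    char16_t lead = text[index];
    if (lead >= 0xD800 && lead <= 0xDBFF && index + 1 < text.size()) {
        char16_t trail = text[index + 1];
        if (trail >= 0xDC00 && trail <= 0xDFFF) {
            out = 0x10000 + ((char32_t(lead) - 0xD800) << 10) + (char32_t(trail) - 0xDC00);
            return 2;
        }
    }
    out = lead;
    return 1;
}

// Match one (possibly inverted) class against the code point at `index`.
// Returns the number of UTF-16 units matched, 0 for no match.
size_t matchClassAt(const std::u16string& text, size_t index, const CharacterClass& cc, bool inverted)
{
    char32_t codePoint = 0;
    size_t units = decodeCodePoint(text, index, codePoint);
    if (!units)
        return 0;
    bool inSet = cc.contains(codePoint);
    return (inverted ? !inSet : inSet) ? units : 0;
}

int main()
{
    std::u16string sample(u"\U0001F600"); // constructed input: one non-BMP code point, two UTF-16 units
    std::printf("'.' consumes %zu UTF-16 units of U+1F600; BMP-only when inverted? %s\n",
                matchClassAt(sample, 0, newlineClass, true),
                canOnlyMatchBMP(newlineClass, true) ? "yes" : "no");
    return 0;
}
```

With the newline class used inverted, matchClassAt consumes both surrogate units of U+1F600, so any optimization that moves the class on the assumption that it only ever consumes one unit would be wrong; canOnlyMatchBMP reports that, while the inversion-blind variant does not.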

2018-07-09  Mark Lam  <mark.lam@apple.com>

        Add --traceLLIntExecution and --traceLLIntSlowPath options.
        https://bugs.webkit.org/show_bug.cgi?id=187479

        Reviewed by Yusuke Suzuki and Saam Barati.

        These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.

        The details:
        1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
        2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
           This makes it such that enabling LLINT_TRACING doesn't mean that we'll be
           continually spammed with logging until we rebuild.
        3. Fixed slow path LLINT tracing to work with exception check validation.

        * llint/LLIntCommon.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::slowPathLog):
        (JSC::LLInt::slowPathLn):
        (JSC::LLInt::slowPathLogF):
        (JSC::LLInt::slowPathLogLn):
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        * runtime/Options.h:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=187477

        Reviewed by Mark Lam.

        Before this patch, RegExp* is specially held in m_regexp buffer which resides in CodeBlock's RareData.
        However, it is not necessary since JSCells can reside in a constant buffer.
        This patch embeds RegExp* into a constant buffer in UnlinkedCodeBlock and CodeBlock, and removes the RegExp
        vector from RareData.

        We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        (JSC::regexpToSourceString): Deleted.
        (JSC::regexpName): Deleted.
        (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
        * bytecode/BytecodeDumper.h:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::regexp const): Deleted.
        (JSC::CodeBlock::numberOfRegExps const): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
        (JSC::UnlinkedCodeBlock::regexp const): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewRegExp):
        (JSC::BytecodeGenerator::addRegExp): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_regexp):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure const):
        * runtime/RegExp.cpp:
        (JSC::regexpToSourceString):
        (JSC::RegExp::dumpToStream):
        * runtime/RegExp.h:

2018-07-09  Brian Burg  <bburg@apple.com>

        REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
        https://bugs.webkit.org/show_bug.cgi?id=187350
        <rdar://problem/41728249>

        Reviewed by Matt Baker.

        Add a new command that toggles whether or not to blackbox internal scripts.
        If blackboxed, the scripts will not be shown to the frontend and the debugger will
        not pause in source frames from blackboxed scripts. Sometimes we want to break into
        those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
        that injects scripts.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/protocol/Debugger.json:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make some data members of UnlinkedCodeBlock private
        https://bugs.webkit.org/show_bug.cgi?id=187467

        Reviewed by Mark Lam.

        This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
        We also remove m_numCapturedVars since it is no longer used.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
        https://bugs.webkit.org/show_bug.cgi?id=187465

        Reviewed by Keith Miller.

        ProxyableAccessCase is allocated so frequently and it is persisted so long. Reducing the size
        of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.

        This patch uses a somewhat complicated layout to reduce ProxyableAccessCase. We add an unused bool member
        in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size
        of ProxyableAccessCase from 56 to 48. And it also reduces the size of GetterSetterAccessCase
        from 104 to 96 since it inherits ProxyableAccessCase.

        * bytecode/AccessCase.h:
        (JSC::AccessCase::viaProxy const):
        (JSC::AccessCase::AccessCase):
        * bytecode/ProxyableAccessCase.cpp:
        (JSC::ProxyableAccessCase::ProxyableAccessCase):
        * bytecode/ProxyableAccessCase.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for debug builds after r233630
        https://bugs.webkit.org/show_bug.cgi?id=187441

        * jit/JIT.cpp:
        (JSC::JIT::frameRegisterCountFor):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::frameRegisterCountFor):

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of CodeBlock to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187441

        Reviewed by Mark Lam.

        Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
        We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
        Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.

        We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeUseDef.h:
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numVars const):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::numVars const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct const):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * jit/JIT.cpp:
        (JSC::JIT::frameRegisterCountFor):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITOperations.cpp:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::frameRegisterCountFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSCJSValue.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize padding of UnlinkedCodeBlock to shrink
        https://bugs.webkit.org/show_bug.cgi?id=187448

        Reviewed by Saam Barati.

        We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
        These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.

        * bytecode/CodeType.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::codeType const):
        (JSC::UnlinkedCodeBlock::didOptimize const):
        (JSC::UnlinkedCodeBlock::setDidOptimize):
        * bytecode/VirtualRegister.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize padding of InferredTypeTable by using cellLock
        https://bugs.webkit.org/show_bug.cgi?id=187447

        Reviewed by Mark Lam.

        Use cellLock() in InferredTypeTable to guard changes of internal structures.
        This is the same usage as in SparseArrayValueMap. By using cellLock(), we can
        reduce the size of InferredTypeTable from 40 to 32.

        * runtime/InferredTypeTable.cpp:
        (JSC::InferredTypeTable::visitChildren):
        (JSC::InferredTypeTable::get):
        (JSC::InferredTypeTable::willStoreValue):
        (JSC::InferredTypeTable::makeTop):
        * runtime/InferredTypeTable.h:
        Use `enum class` and `using`, and remove `isEmpty()` since it is not used.

        * runtime/Structure.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of SourceProvider to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187440

        Reviewed by Mark Lam.

        Arrange members of SourceProvider to reduce the size from 80 to 72.

        * parser/SourceProvider.cpp:
        (JSC::SourceProvider::SourceProvider):
        * parser/SourceProvider.h:

2018-07-08  Mark Lam  <mark.lam@apple.com>

        PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
        https://bugs.webkit.org/show_bug.cgi?id=187444
        <rdar://problem/41282849>

        Reviewed by Saam Barati.

        PropertyTable supports C++ iteration by offering begin() and end() methods, and
        an iterator class.  The begin() methods and the iterator operator++() method use
        PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
        However, PropertyTable::skipDeletedEntries() does not prevent the iteration
        pointer from being incremented past the end of the table.  As a result, we can
        iterate past the end of the table.  Note that the C++ iteration protocol tests
        for the iterator not being equal to the end() value.  It does not do a <= test.
        If the iterator ever shoots past end, the loop will effectively not terminate.

        This issue can manifest if and only if the last entry in the table is a deleted
        one, and the key field of the PropertyMapEntry shaped space at the end of the
        table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
        value.

        No test because manifesting this issue requires uncontrollable happenstance where
        memory just beyond the end of the table looks like a deleted entry.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::begin):
        (JSC::PropertyTable::end):
        (JSC::PropertyTable::begin const):
        (JSC::PropertyTable::end const):
        (JSC::PropertyTable::skipDeletedEntries):
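
The iteration-past-end failure the entry above describes, as an added C++ illustration that is not WebKit code: MiniPropertyTable, Entry, the two skipDeletedEntries variants and the helper functions are invented here, and kDeletedKey stands in for PROPERTY_MAP_DELETED_ENTRY_KEY. The miniature table keeps two guard slots after its logical end purely so the unbounded walk can be observed without reading outside the allocation; a real table has no such guard, which is why the entry calls the condition uncontrollable.

```cpp
// Added example, not WebKit code: a miniature property table with tombstoned (deleted)
// slots and an iterator that skips them, showing why the skip must be bounded by end().
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

constexpr uintptr_t kEmptyKey = 0;
constexpr uintptr_t kDeletedKey = 1; // plays the role of PROPERTY_MAP_DELETED_ENTRY_KEY

struct Entry {
    uintptr_t key; // kEmptyKey = never used, kDeletedKey = tombstone, anything else = live key
    unsigned offset;
};

// The bug shape: the loop's only exit is "this slot is not a tombstone". If the bytes just
// past the table happen to read as a tombstone too, the pointer walks beyond end.
Entry* skipDeletedEntriesUnbounded(Entry* valuePtr)
{
    while (valuePtr->key == kDeletedKey)
        ++valuePtr;
    return valuePtr;
}

// The fix shape: never advance past end, whatever follows the table in memory.
Entry* skipDeletedEntriesBounded(Entry* valuePtr, Entry* end)
{
    while (valuePtr < end && valuePtr->key == kDeletedKey)
        ++valuePtr;
    return valuePtr;
}

struct MiniPropertyTable {
    std::vector<Entry> slots; // the logical table followed by two guard slots (see constructor)
    size_t logicalSize;

    // `beyondTable` models whatever sits in memory right after the table. It is kept inside the
    // vector, followed by an empty slot, only so the unbounded walk can be observed safely.
    MiniPropertyTable(std::vector<Entry> entries, uintptr_t beyondTable)
        : slots(std::move(entries)), logicalSize(slots.size())
    {
        slots.push_back({ beyondTable, 0 });
        slots.push_back({ kEmptyKey, 0 });
    }
    Entry* tableBegin() { return slots.data(); }
    Entry* tableEnd() { return slots.data() + logicalSize; }

    // C++ iteration protocol as the fixed begin()/operator++() use it: every step is bounded.
    struct iterator {
        Entry* ptr;
        Entry* end;
        Entry& operator*() const { return *ptr; }
        iterator& operator++() { ptr = skipDeletedEntriesBounded(ptr + 1, end); return *this; }
        bool operator!=(const iterator& other) const { return ptr != other.ptr; }
    };
    iterator begin() { return { skipDeletedEntriesBounded(tableBegin(), tableEnd()), tableEnd() }; }
    iterator end() { return { tableEnd(), tableEnd() }; }
};

// Constructed scenario from the entry: the table's last entries are deleted ones, and
// `beyondTable` is what the memory after the table happens to look like.
MiniPropertyTable makeTableEndingInTombstones(uintptr_t beyondTable)
{
    return MiniPropertyTable({ { 7, 0 }, { kDeletedKey, 1 }, { kDeletedKey, 2 } }, beyondTable);
}

// Live entries seen by a bounded range-for loop; the `it != end()` test terminates it.
size_t countLiveEntries(MiniPropertyTable table)
{
    size_t count = 0;
    for (Entry& entry : table) {
        (void)entry;
        ++count;
    }
    return count;
}

// Slots past end that the unbounded skip reaches when started at slot `fromIndex`
// (0 means it stopped at or before end). Any positive value means a loop testing
// `it != end()` would never see end() again.
ptrdiff_t unboundedOvershoot(MiniPropertyTable table, size_t fromIndex)
{
    Entry* landed = skipDeletedEntriesUnbounded(table.tableBegin() + fromIndex);
    ptrdiff_t past = landed - table.tableEnd();
    return past > 0 ? past : 0;
}

bool boundedStopsAtEnd(MiniPropertyTable table, size_t fromIndex)
{
    return skipDeletedEntriesBounded(table.tableBegin() + fromIndex, table.tableEnd()) == table.tableEnd();
}

int main()
{
    std::printf("live entries: %zu, unbounded skip overshoot: %td slot(s)\n",
                countLiveEntries(makeTableEndingInTombstones(kDeletedKey)),
                unboundedOvershoot(makeTableEndingInTombstones(kDeletedKey), 1));
    return 0;
}
```

When the slot beyond the table reads as a tombstone, the unbounded skip lands one slot past end while the bounded one stops exactly at end; when that slot reads as anything else the two agree, which is why the bug only shows up by happenstance.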

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of SymbolTable to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187437

        Reviewed by Mark Lam.

        Arrange the layout of SymbolTable to reduce the size from 88 to 72.

        * runtime/SymbolTable.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of RegExp to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187438

        Reviewed by Mark Lam.

        Reduce the size of RegExp from 168 to 144.

        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        * runtime/RegExp.h:
        * runtime/RegExpKey.h:
        * yarr/YarrErrorCode.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of ValueProfile to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187439

        Reviewed by Mark Lam.

        Reduce the size of ValueProfile from 40 to 32 by reordering members.

        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::ValueProfileBase):
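
The size reductions in the entries above (ProxyableAccessCase, CodeBlock, UnlinkedCodeBlock, SourceProvider, SymbolTable, RegExp and ValueProfile) come from three techniques: ordering members so alignment padding disappears, shrinking enums such as CodeType and TriState to one byte, and letting a subclass use a byte the base class reserves in its own padding. The following C++ is an added example, not WebKit code: NaturalOrder, PackedOrder, WideTriState, NarrowTriState, BaseCase and ProxyableCase are constructed types, and the byte counts in the comments assume an LP64 target.

```cpp
// Added example, not WebKit code: three ways a class shrinks without losing a field,
// measured with sizeof. Padding = sizeof(T) minus the bytes its members actually need.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// 1. Member order. Declared "as they came to mind", every bool sits in front of a pointer,
//    so the compiler inserts alignment padding before each pointer (7 bytes each on LP64).
struct NaturalOrder {
    bool flagA;
    void* first;
    bool flagB;
    void* second;
    int32_t count;
};

// Same members, widest first, narrow members grouped at the end (24 bytes on LP64 instead of 40).
struct PackedOrder {
    void* first;
    void* second;
    int32_t count;
    bool flagA;
    bool flagB;
};

// 2. Enum width. A scoped enum without an explicit underlying type is int-sized; giving it
//    uint8_t lets it pack next to bools, which is what shrinking CodeType and TriState buys.
enum class WideTriState { False, True, Indeterminate };
enum class NarrowTriState : uint8_t { False, True, Indeterminate };

struct WideRecord { int32_t value; bool flag; WideTriState state; };     // 12 bytes
struct NarrowRecord { int32_t value; bool flag; NarrowTriState state; }; // 8 bytes

// 3. Lending padding to a subclass. The base declares a bool it never uses itself so a subclass
//    can keep its flag there instead of appending a member after the base's padding. Whether an
//    ABI lets a subclass reuse a base's tail padding on its own varies, so reserving the byte
//    explicitly is the portable route; this is the layout the ProxyableAccessCase entry describes.
struct BaseCase {
    explicit BaseCase(bool viaProxy) : m_viaProxy(viaProxy), m_spareForSubclass(false) { }
    virtual ~BaseCase() = default;
    bool viaProxy() const { return m_viaProxy; }
    void* m_payload = nullptr; // stand-in for the base class's real members
    bool m_viaProxy;
protected:
    bool m_spareForSubclass; // unused by BaseCase; reserved for subclasses
};

struct ProxyableCase : BaseCase {
    ProxyableCase(bool viaProxy, bool hasProxy) : BaseCase(viaProxy) { m_spareForSubclass = hasProxy; }
    bool hasProxy() const { return m_spareForSubclass; }
};

// Padding actually present in each layout: total size minus the members' own bytes.
constexpr size_t memberBytes = 2 * sizeof(void*) + sizeof(int32_t) + 2 * sizeof(bool);
constexpr size_t naturalOrderPadding() { return sizeof(NaturalOrder) - memberBytes; }
constexpr size_t packedOrderPadding() { return sizeof(PackedOrder) - memberBytes; }

int main()
{
    std::printf("NaturalOrder %zu bytes (%zu padding), PackedOrder %zu bytes (%zu padding)\n",
                sizeof(NaturalOrder), naturalOrderPadding(), sizeof(PackedOrder), packedOrderPadding());
    std::printf("WideRecord %zu, NarrowRecord %zu, BaseCase %zu, ProxyableCase %zu\n",
                sizeof(WideRecord), sizeof(NarrowRecord), sizeof(BaseCase), sizeof(ProxyableCase));
    return 0;
}
```

ProxyableCase carries one more flag than BaseCase yet has the same sizeof, which is the effect the entry reports for ProxyableAccessCase; a static_assert on sizeof is the cheap way to keep such a layout from silently regressing when a member is added later.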

2018-07-05  Saam Barati  <sbarati@apple.com>

        ProgramExecutable may be collected as we checkSyntax on it
        https://bugs.webkit.org/show_bug.cgi?id=187359
        <rdar://problem/41832135>

        Reviewed by Mark Lam.

        The bug was that we were passing in a reference to the SourceCode field on ProgramExecutable as
        the ProgramExecutable itself may be collected. The fix here is to make a copy
        of the field instead of passing in a reference inside of ParserError::toErrorObject.
        
        No new tests here as this was already caught by our iOS JSC testers.

        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject):

2018-07-04  Tim Horton  <timothy_horton@apple.com>

        Introduce PLATFORM(IOSMAC)
        https://bugs.webkit.org/show_bug.cgi?id=187315

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * Configurations/FeatureDefines.xcconfig:

2018-07-03  Mark Lam  <mark.lam@apple.com>

        [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
        https://bugs.webkit.org/show_bug.cgi?id=187255
        <rdar://problem/41785257>

        Reviewed by Saam Barati.

        The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
        too: basically, do what the 64-bit code is doing.  At present, this change only
        serves to pacify an assertion.  It is not needed for correctness because the
        concurrent GC is not used on 32-bit builds.

        This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
        test.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this):

2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
        https://bugs.webkit.org/show_bug.cgi?id=187290

        Reviewed by Saam Barati.

        slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
        we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
        is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
        easily calculated from JSType.
        This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.

        * runtime/ClassInfo.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::elementSize):
        (JSC::JSArrayBufferView::slowDownAndWasteMemory):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::possiblySharedBuffer):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory): Deleted.
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.

2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Regular expressions with ".?" expressions at the start and the end match the entire string
        https://bugs.webkit.org/show_bug.cgi?id=119191

        Reviewed by Michael Saboff.

        r90962 optimized regular expressions in the form of /.*abc.*/ by looking
        for "abc" first and then processing the leading and trailing dot stars
        to find the beginning and the end of the match. However, it erroneously
        enabled this optimization for regular expressions whose leading or
        trailing dots had quantifiers that were not of arbitrary length, e.g.,
        /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
        match the entire string when it shouldn't. This patch disables the
        optimization for those cases.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):

2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        RegExp.exec returns wrong value with a long integer quantifier
        https://bugs.webkit.org/show_bug.cgi?id=187042

        Reviewed by Saam Barati.

        Prior to this patch, the Yarr parser checked for integer overflow when
        parsing quantifiers in regular expressions by adding one digit at a time
        to a number and checking if the result got larger. This is wrong;
        the parser would fail to detect overflow when parsing, for example,
        10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.

        Another issue was that once it detected overflow, it stopped consuming
        the remaining digits. Since it didn't find the closing bracket, it
        parsed the quantifier as a normal string instead.

        This patch fixes these issues by reading all the digits and checking for
        overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
        returns the largest possible value (quantifyInfinite in this case). This
        matches Chrome [1], Firefox [2], and Edge [3].

        [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
        [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
        [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::consumeNumber):
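        As an added illustration (not JSC's or the patch's own code), the two overflow checks the entry contrasts, reimplemented stand-alone in C++ on the entry's own example input; quantifyInfinite is assumed to be UINT_MAX, and the compiler's checked-arithmetic builtins stand in for WTF's Checked<unsigned, RecordOverflow>:

```cpp
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <limits>
#include <string>

// Assumed sentinel for "unbounded", matching the saturating value the
// ChangeLog entry describes (in Yarr this is quantifyInfinite).
static const uint32_t quantifyInfinite = std::numeric_limits<uint32_t>::max();

struct ParseResult {
    uint32_t value;    // parsed quantifier, or quantifyInfinite on overflow (fixed path)
    size_t consumed;   // number of digit characters consumed
    bool overflowed;   // whether overflow was detected
};

static bool isDigit(char c) { return std::isdigit(static_cast<unsigned char>(c)) != 0; }

// Pre-fix behaviour: accumulate in 32 bits and treat "the result got smaller"
// as the overflow signal. Wrap-around that still lands above the previous
// value slips through, and detection stops consuming digits early.
ParseResult parseQuantifierOld(const std::string& text) {
    uint32_t value = 0;
    size_t i = 0;
    for (; i < text.size() && isDigit(text[i]); ++i) {
        uint32_t newValue = value * 10 + static_cast<uint32_t>(text[i] - '0'); // wraps mod 2^32
        if (newValue < value)
            return { value, i, true };  // remaining digits are left unconsumed
        value = newValue;
    }
    return { value, i, false };
}

// Post-fix behaviour: consume every digit, track overflow exactly (checked
// multiply and add), and saturate to quantifyInfinite.
ParseResult parseQuantifierNew(const std::string& text) {
    uint32_t value = 0;
    bool overflowed = false;
    size_t i = 0;
    for (; i < text.size() && isDigit(text[i]); ++i) {
        if (overflowed)
            continue;  // keep consuming digits; the value is already saturated
        uint32_t digit = static_cast<uint32_t>(text[i] - '0');
        uint32_t scaled;
        if (__builtin_mul_overflow(value, 10u, &scaled) || __builtin_add_overflow(scaled, digit, &value))
            overflowed = true;
    }
    return { overflowed ? quantifyInfinite : value, i, overflowed };
}

// Models the caller: a '}' must directly follow the digits for "{n}" to be a
// quantifier; otherwise the text is treated as a literal string (the entry's
// second issue, caused by the old parser stopping before the closing brace).
struct BracedQuantifier {
    bool isQuantifier;
    uint32_t value;
};

BracedQuantifier parseBraced(const std::string& text, bool fixed) {
    if (text.empty() || text[0] != '{')
        return { false, 0 };
    std::string rest = text.substr(1);
    ParseResult r = fixed ? parseQuantifierNew(rest) : parseQuantifierOld(rest);
    if (r.consumed < rest.size() && rest[r.consumed] == '}')
        return { true, r.value };
    return { false, 0 };
}
```

        On the entry's example, the old check accepts 10000000003 as the quantifier 1410065411, while on 4294967296 it stops one digit early and never sees the closing brace.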

2018-07-02  Keith Miller  <keith_miller@apple.com>

        InstanceOf IC should do generic if the prototype is not an object.
        https://bugs.webkit.org/show_bug.cgi?id=187250

        Reviewed by Mark Lam.

        The old code was wrong for two reasons. First, the AccessCase expected that
        the prototype value would be non-null. Second, we would end up returning
        false instead of throwing an exception.

        * jit/Repatch.cpp:
        (JSC::tryCacheInstanceOf):

2018-07-01  Mark Lam  <mark.lam@apple.com>

        Builtins and host functions should get their own structures.
        https://bugs.webkit.org/show_bug.cgi?id=187211
        <rdar://problem/41646336>

        Reviewed by Saam Barati.

        JSFunctions do lazy reification of properties, but ordinary functions apply
        different rules of property reification than builtin and host functions.  Hence,
        we should give builtins and host functions their own structures.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::selectStructureForNewFuncExp):
        (JSC::JSFunction::create):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::hostFunctionStructure const):
        (JSC::JSGlobalObject::arrowFunctionStructure const):
        (JSC::JSGlobalObject::sloppyFunctionStructure const):
        (JSC::JSGlobalObject::strictFunctionStructure const):

2018-07-01  David Kilzer  <ddkilzer@apple.com>

        JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
        <https://webkit.org/b/187233>

        Reviewed by Mark Lam.

        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::JSTextPosition): Add struct member
        initialization. Simplify default constructor.
        (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
        union to the beginning to make it easy to zero out all fields.
        (JSC::JSTokenLocation::JSTokenLocation): Add struct member
        initialization.  Simplify default constructor.  Note that
        `endOffset` was not being initialized previously.
        (JSC::JSTextPosition::JSToken): Add struct member initialization
        where necessary.
        * runtime/IntlObject.cpp:
        (JSC::MatcherResult): Add struct member initialization.

2018-06-23  Darin Adler  <darin@apple.com>

        [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=186973

        Reviewed by Dan Bernstein.

        * API/JSContext.mm:
        (WeakContextRef::WeakContextRef): Deleted.
        (WeakContextRef::~WeakContextRef): Deleted.
        (WeakContextRef::get): Deleted.
        (WeakContextRef::set): Deleted.

        * API/JSContextInternal.h: Removed unneeded header guards since this is
        an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
        of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
        since neither is used outside the class implementation.

        * API/JSManagedValue.mm:
        (-[JSManagedValue initWithValue:]): Use a bridging cast.
        (-[JSManagedValue dealloc]): Ditto.
        (-[JSManagedValue didAddOwner:]): Ditto.
        (-[JSManagedValue didRemoveOwner:]): Ditto.
        (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
        (JSManagedValueHandleOwner::finalize): Ditto.
        * API/JSValue.mm:
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
        (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
        (-[JSValue valueForProperty:]): Ditto.
        (-[JSValue setValue:forProperty:]): Ditto.
        (-[JSValue deleteProperty:]): Ditto.
        (-[JSValue hasProperty:]): Ditto.
        (-[JSValue invokeMethod:withArguments:]): Ditto.
        (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
        (valueToArray): Ditto.
        (valueToDictionary): Ditto.
        (objectToValueWithoutCopy): Ditto.
        (objectToValue): Ditto.
        * API/JSVirtualMachine.mm:
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
        (-[JSVirtualMachine isOldExternalObject:]): Ditto.
        (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
        (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
        (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
        (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
        (scanExternalObjectGraph): Ditto.
        (scanExternalRememberedSet): Ditto.
        * API/JSWrapperMap.mm:
        (makeWrapper): Ditto.
        (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
        (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
        (tryUnwrapObjcObject): Ditto.
        * API/ObjCCallbackFunction.mm:
        (blockSignatureContainsClass): Ditto.
        (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
        sure we will be keeping this the same way under ARC.
        (objCCallbackFunctionForBlock): Use a bridging cast.

        * API/ObjcRuntimeExtras.h:
        (protocolImplementsProtocol): Use a more specific type that includes the
        explicit __unsafe_unretained for copied protocol lists.
        (forEachProtocolImplementingProtocol): Ditto.

        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
        (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.

        * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
        CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
        (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
        (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
        (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.

2018-06-30  Adam Barth  <abarth@webkit.org>

        Port JavaScriptCore to OS(FUCHSIA)
        https://bugs.webkit.org/show_bug.cgi?id=187223

        Reviewed by Daniel Bates.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
        * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
        (JSC::MachineContext::stackPointerImpl):
        (JSC::MachineContext::framePointerImpl):
        (JSC::MachineContext::instructionPointerImpl):
        (JSC::MachineContext::argumentPointer<1>):
        (JSC::MachineContext::llintInstructionPointer):

2018-06-30  David Kilzer  <ddkilzer@apple.com>

        Fix clang static analyzer warnings: Garbage return value
        <https://webkit.org/b/187224>

        Reviewed by Eric Carlson.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
        - Use brace initialization for local variables.
        * debugger/DebuggerCallFrame.cpp:
        (class JSC::LineAndColumnFunctor):
        - Use class member initialization for member variables.

2018-06-29  Saam Barati  <sbarati@apple.com>

        Unreviewed. Try to fix Windows build after r233377

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):

2018-06-29  Saam Barati  <sbarati@apple.com>

        Don't use tracePoints in JS/Wasm entry
        https://bugs.webkit.org/show_bug.cgi?id=187196

        Reviewed by Mark Lam.

        This puts VM entry and Wasm entry tracePoints behind a runtime
        option. This is a ~4x speedup on a soon to be released Wasm
        benchmark. tracePoints should basically never run more than 50
        times a second. Entering the VM and entering Wasm are user controlled,
        and can happen hundreds of thousands of times in a second. Depending
        on how the Wasm/JS code is structured, this can be disastrous for
        performance.

        * runtime/Options.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2018-06-29  Saam Barati  <sbarati@apple.com>

        We shouldn't recurse into the parser when gathering metadata about various function offsets
        https://bugs.webkit.org/show_bug.cgi?id=184074
        <rdar://problem/37165897>

        Reviewed by Mark Lam.

        Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
        for that builtin. This required calling into the parser. However, the parser
        may throw a stack overflow. We were not able to recover from that. The only
        reason we called into the parser here is that we were gathering text offsets
        and various metadata for things in the builtin function. This patch writes a
        mini parser that figures this information out without calling into the full
        parser. (I've also added a debug assert that verifies the mini parser stays in
        sync with the full parser.) The result of this is that BuiltinExecutables::createExecutable
        always succeeds.

        * builtins/AsyncFromSyncIteratorPrototype.js:
        (globalPrivate.createAsyncFromSyncIterator):
        (globalPrivate.AsyncFromSyncIteratorConstructor):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * builtins/GlobalOperations.js:
        (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
        (globalPrivate.speciesConstructor):
        (globalPrivate.copyDataProperties):
        (globalPrivate.copyDataPropertiesNoExclusions):
        * builtins/PromiseOperations.js:
        (globalPrivate.newHandledRejectedPromise):
        * builtins/RegExpPrototype.js:
        (globalPrivate.hasObservableSideEffectsForRegExpMatch):
        (globalPrivate.hasObservableSideEffectsForRegExpSplit):
        * builtins/StringPrototype.js:
        (globalPrivate.hasObservableSideEffectsForStringReplace):
        (globalPrivate.getDefaultCollator):
        * parser/Nodes.cpp:
        (JSC::FunctionMetadataNode::FunctionMetadataNode):
        (JSC::FunctionMetadataNode::operator== const):
        (JSC::FunctionMetadataNode::dump const):
        * parser/Nodes.h:
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserError.h:
        (JSC::ParserError::type const):
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::operator== const):
        (JSC::JSTextPosition::operator!= const):
        * parser/SourceCode.h:
        (JSC::SourceCode::operator== const):
        (JSC::SourceCode::operator!= const):
        (JSC::SourceCode::subExpression const):
        (JSC::SourceCode::subExpression): Deleted.

2018-06-28  Michael Saboff  <msaboff@apple.com>
  
        IsoCellSet::sweepToFreeList() not safe when Full GC in process
        https://bugs.webkit.org/show_bug.cgi?id=187157

        Reviewed by Mark Lam.

        * heap/IsoCellSet.cpp:
        (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
        is in MarkedBlock::Handle::specializedSweep where it takes into account whether
        or not we are in the process of marking during a full GC.
        * heap/MarkedBlock.h:
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.

2018-06-27  Saam Barati  <sbarati@apple.com>

        Add some more register state information when we crash in repatchPutById
        https://bugs.webkit.org/show_bug.cgi?id=187112

        Reviewed by Mark Lam.

        This will help us gather info when we end up seeing an ObjectPropertyConditionSet
        with an offset that is different than what the put tells us.

        * jit/Repatch.cpp:
        (JSC::tryCachePutByID):

2018-06-27  Mark Lam  <mark.lam@apple.com>

        Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
        https://bugs.webkit.org/show_bug.cgi?id=187119

        Reviewed by Keith Miller.

        $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
        should be checking for codeBlock instead of !codeBlock
        before using the codeBlock.

        I also renamed some other "print" functions to use "dump" instead
        to match their underlying C++ code that they will call e.g.
        CodeBlock::dumpSource().

        * tools/JSDollarVM.cpp:
        (WTF::JSDollarVMCallFrame::finishCreation):
        (JSC::functionDumpSourceFor):
        (JSC::functionDumpBytecodeFor):
        (JSC::doPrint):
        (JSC::functionDataLog):
        (JSC::functionPrint):
        (JSC::functionDumpCallFrame):
        (JSC::functionDumpStack):
        (JSC::JSDollarVM::finishCreation):
        (JSC::functionPrintSourceFor): Deleted.
        (JSC::functionPrintBytecodeFor): Deleted.
        (JSC::doPrintln): Deleted.
        (JSC::functionPrintln): Deleted.
        (JSC::functionPrintCallFrame): Deleted.
        (JSC::functionPrintStack): Deleted.
        * tools/VMInspector.cpp:
        (JSC::DumpFrameFunctor::DumpFrameFunctor):
        (JSC::DumpFrameFunctor::operator() const):
        (JSC::VMInspector::dumpCallFrame):
        (JSC::VMInspector::dumpStack):
        (JSC::VMInspector::dumpValue):
        (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
        (JSC::PrintFrameFunctor::operator() const): Deleted.
        (JSC::VMInspector::printCallFrame): Deleted.
        (JSC::VMInspector::printStack): Deleted.
        (JSC::VMInspector::printValue): Deleted.
        * tools/VMInspector.h:

2018-06-27  Keith Miller  <keith_miller@apple.com>

        Add logging to try to diagnose where we get a null structure.
        https://bugs.webkit.org/show_bug.cgi?id=187106

        Reviewed by Mark Lam.

        Add a logging to JSObject::toPrimitive to help diagnose a nullptr
        structure crash.

        This code should be removed when we fix <rdar://problem/33451840>

        * runtime/JSObject.cpp:
        (JSC::callToPrimitiveFunction):
        * runtime/JSObject.h:
        (JSC::JSObject::getPropertySlot):

2018-06-27  Mark Lam  <mark.lam@apple.com>

        DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
        https://bugs.webkit.org/show_bug.cgi?id=187091
        <rdar://problem/41395624>

        Reviewed by Yusuke Suzuki.

        Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
        take their slow paths, the slow path would jump back to the fast path right after
        the emitted code which clears the unused property values.  As a result, the
        unused properties are not initialized.  We've fixed this by adding the slow path
        generators before we emit the code to clear the unused properties.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):

2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
        https://bugs.webkit.org/show_bug.cgi?id=185943

        Reviewed by Mark Lam.

        ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
        the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
        the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated".
        This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.

        ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
        but it should be done in a separate patch since it would be performance sensitive.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayPatternNode::emitDirectBinding):

2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Pass VM& to functions more
        https://bugs.webkit.org/show_bug.cgi?id=186241

        Reviewed by Mark Lam.

        This patch threads VM& to functions requiring VM& more.

        * API/JSObjectRef.cpp:
        (JSObjectIsConstructor):
        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/CodeBlockJettisoningWatchpoint.h:
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::StructureStubClearingWatchpoint::fireInternal):
        * bytecode/StructureStubClearingWatchpoint.h:
        * bytecode/Watchpoint.cpp:
        (JSC::Watchpoint::fire):
        (JSC::WatchpointSet::fireAllWatchpoints):
        * bytecode/Watchpoint.h:
        * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
        (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
        * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
        * dfg/DFGAdaptiveStructureWatchpoint.cpp:
        (JSC::DFG::AdaptiveStructureWatchpoint::install):
        (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
        * dfg/DFGAdaptiveStructureWatchpoint.h:
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
        (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
        * runtime/ECMAScriptSpecInternalFunctions.cpp:
        (JSC::esSpecIsConstructor):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
        * runtime/FunctionRareData.h:
        * runtime/InferredStructureWatchpoint.cpp:
        (JSC::InferredStructureWatchpoint::fireInternal):
        * runtime/InferredStructureWatchpoint.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructureSlow):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isConstructor const):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isConstructor):
        (JSC::JSCell::methodTable const):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
        (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::finishCreation):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::setObjectToStringValue):
        (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
        (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
        (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):

2018-06-26  Mark Lam  <mark.lam@apple.com>

        eval() is wrong about the LiteralParser never throwing any exceptions.
        https://bugs.webkit.org/show_bug.cgi?id=187074
        <rdar://problem/41461099>

        Reviewed by Saam Barati.

        Added the missing exception check, and removed an erroneous assertion.

        * interpreter/Interpreter.cpp:
        (JSC::eval):

2018-06-26  Saam Barati  <sbarati@apple.com>

        JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
        https://bugs.webkit.org/show_bug.cgi?id=186878
        <rdar://problem/40568659>

        Reviewed by Filip Pizlo.

        This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
        our stress GC bots. Before this patch, JSImmutableButterfly was allocated
        with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
        be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
        called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
        conservative scan knows to treat it like a butterfly when we may be
        pointing into the middle of it.
        
        The way we were crashing on the stress GC bots is that our conservative marking
        won't do cell visiting for things that are Auxiliary. This meant that if the
        stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
        that JSImmutableButterfly would not be visited. This is now fixed.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * debugger/Debugger.cpp:
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddPointer):
        * heap/Heap.cpp:
        (JSC::GatherHeapSnapshotData::operator() const):
        (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
        (JSC::Heap::globalObjectCount):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::deleteAllCodeBlocks):
        * heap/HeapCell.cpp:
        (WTF::printInternal):
        * heap/HeapCell.h:
        (JSC::isJSCellKind):
        (JSC::hasInteriorPointers):
        * heap/HeapUtil.h:
        (JSC::HeapUtil::findGCObjectPointersForMarking):
        (JSC::HeapUtil::isPointerGCObjectJSCell):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::didAddToDirectory):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendJSCellOrAuxiliary):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSImmutableButterfly.h:
        (JSC::JSImmutableButterfly::subspaceFor):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * tools/CellProfile.h:
        (JSC::CellProfile::CellProfile):
        (JSC::CellProfile::isJSCell const):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::validateCell):

2018-06-26  Mark Lam  <mark.lam@apple.com>

        Skip some unnecessary work in Interpreter::getStackTrace().
        https://bugs.webkit.org/show_bug.cgi?id=187070

        Reviewed by Michael Saboff.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::getStackTrace):

2018-06-26  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
        https://bugs.webkit.org/show_bug.cgi?id=187060
        <rdar://problem/41452767>

        Reviewed by Keith Miller.

        JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
        write conversion.  Hence, we can return early after the conversion if the vector
        length is already sufficient to cover the requested length.

        * runtime/JSObject.cpp:
        (JSC::JSObject::ensureLengthSlow):

2018-06-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r233184.
        https://bugs.webkit.org/show_bug.cgi?id=187059

        "It regressed JetStream between 5-8%" (Requested by saamyjoon
        on #webkit).

        Reverted changeset:

        "JSImmutableButterfly can't be allocated from a subspace with
        HeapCell::Kind::Auxiliary"
        https://bugs.webkit.org/show_bug.cgi?id=186878
        https://trac.webkit.org/changeset/233184

2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>

        REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
        https://bugs.webkit.org/show_bug.cgi?id=187051

        Reviewed by Mark Lam.

        Revert r233065 changes over UnlinkedCodeBlock.h to allow
        clang-3.8 to be able to compile this back (with libstdc++5).

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):

2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>

        Fix testapi build when DFG_JIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=187038

        Reviewed by Mark Lam.

        r233158 added a new API and tests for configuring the number of JIT threads, but
        the API is only available when DFG_JIT is enabled, and so should the tests be.

        * API/tests/testapi.mm:
        (runJITThreadLimitTests):

2018-06-25  Saam Barati  <sbarati@apple.com>

        JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
        https://bugs.webkit.org/show_bug.cgi?id=186878
        <rdar://problem/40568659>

        Reviewed by Mark Lam.

        This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
        our stress GC bots. Before this patch, JSImmutableButterfly was allocated
        with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
        allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
        bots is that our conservative marking won't do cell marking for things that
        are Auxiliary. This means that if the stack is the only thing pointing to a
        JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
        not be visited. This patch fixes this bug. This patch also extends our conservative
        marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * heap/HeapUtil.h:
        (JSC::HeapUtil::findGCObjectPointersForMarking):
        * runtime/JSImmutableButterfly.h:
        (JSC::JSImmutableButterfly::subspaceFor):

2018-06-25  Mark Lam  <mark.lam@apple.com>

        constructArray() should set m_numValuesInVector to the specified length.
        https://bugs.webkit.org/show_bug.cgi?id=187010
        <rdar://problem/41392167>

        Reviewed by Filip Pizlo.

        Its client will fill in the storage vector with some values using initializeIndex()
        and expects m_numValuesInVector to be set to the length i.e. the number of values
        to be initialized.

        * runtime/JSArray.cpp:
        (JSC::constructArray):

2018-06-25  Mark Lam  <mark.lam@apple.com>

        Add missing exception check in RegExpObjectInlines.h's collectMatches.
        https://bugs.webkit.org/show_bug.cgi?id=187006
        <rdar://problem/41418412>

        Reviewed by Keith Miller.

        * runtime/RegExpObjectInlines.h:
        (JSC::collectMatches):

2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>

        Add API for configuring the number of threads used by DFG and FTL
        https://bugs.webkit.org/show_bug.cgi?id=186859
        <rdar://problem/41093519>

        Reviewed by Filip Pizlo.

        Add new private APIs for limiting the number of threads to be used by
        the DFG and FTL compilers. It was already possible to configure the
        limit through JSC Options, but now it can be changed at runtime, even
        in the case when the VM is already running.

        Add a test for both cases: when trying to configure the limit before
        and after the Worklist has been created, but in order to simulate the
        first scenario, we must guarantee that the test runs at the very
        beginning, so I also added a check for that.

        * API/JSVirtualMachine.mm:
        (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
        (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
        * API/JSVirtualMachinePrivate.h:
        * API/tests/testapi.mm:
        (runJITThreadLimitTests):
        (testObjectiveCAPIMain):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::createNewThread):
        (JSC::DFG::Worklist::setNumberOfThreads):
        * dfg/DFGWorklist.h:

2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove unnecessary PLATFORM guards
        https://bugs.webkit.org/show_bug.cgi?id=186995

        Reviewed by Mark Lam.

        * assembler/AssemblerCommon.h:
        (JSC::isIOS):
        Add constexpr.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        StackFrame works on all platforms. If StackFrame::demangle fails,
        it just returns std::nullopt, and that is correctly handled in this code.

2018-06-23  Mark Lam  <mark.lam@apple.com>

        Add more debugging features to $vm.
        https://bugs.webkit.org/show_bug.cgi?id=186947

        Reviewed by Keith Miller.

        Adding the following features:

            // We now have println in addition to print.
            // println automatically adds a '\n' at the end.
            $vm.println("Hello");

            // We can now capture some info about a stack frame.
            var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
            var callerCallerFrame = $vm.callFrame(2);

            // We can inspect the following values associated with the frame:
            if (currentFrame.valid) {
                $vm.println("name is ", currentFrame.name);

                // Note: For a WASM frame, all of these will be undefined.
                $vm.println("callee is ", $vm.value(currentFrame.callee));
                $vm.println("codeBlock is ", currentFrame.codeBlock);
                $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
                $vm.println("executable is ", currentFrame.executable);
            }

            // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
            // to dataLog its JSValue instead of its toString() result.

            // Note that $vm.println() (and $vm.print()) can now print internal JSCells
            // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
            // toString on a non-object.

            // Does what it says about enabling/disabling debugger mode.
            $vm.enableDebuggerModeWhenIdle();
            $vm.disableDebuggerModeWhenIdle();

        * tools/JSDollarVM.cpp:
        (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
        (WTF::JSDollarVMCallFrame::createStructure):
        (WTF::JSDollarVMCallFrame::create):
        (WTF::JSDollarVMCallFrame::finishCreation):
        (WTF::JSDollarVMCallFrame::addProperty):
        (JSC::functionCallFrame):
        (JSC::functionCodeBlockForFrame):
        (JSC::codeBlockFromArg):
        (JSC::doPrintln):
        (JSC::functionPrint):
        (JSC::functionPrintln):
        (JSC::changeDebuggerModeWhenIdle):
        (JSC::functionEnableDebuggerModeWhenIdle):
        (JSC::functionDisableDebuggerModeWhenIdle):
        (JSC::JSDollarVM::finishCreation):

2018-06-22  Keith Miller  <keith_miller@apple.com>

        We need to have a getDirectConcurrently for use in the compilers
        https://bugs.webkit.org/show_bug.cgi?id=186954

        Reviewed by Mark Lam.

        It used to be that the propertyStorage of an object never shrank,
        so if you called getDirect with some offset it would never be an
        OOB read. However, this property storage can shrink when calling
        flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
        holds the Structure's ConcurrentJSLock while shrinking. This patch
        adds a getDirectConcurrently that will safely try to load from the
        butterfly.
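
        The following is an added, self-contained C++ model of the hazard and the
        fix described in this entry; it is not JavaScriptCore's code. The names
        Object, Structure, butterfly, getDirect, getDirectConcurrently and
        flattenDictionaryStructure mirror the ChangeLog text but are simplified
        stand-ins: std::mutex plays the role of the Structure's ConcurrentJSLock,
        a std::vector plays the role of the out-of-line property storage, and
        outOfLineCapacity is the hypothetical bound a concurrent reader must
        check. The point it demonstrates is that a compiler-thread read needs both
        the lock (so the storage cannot shrink mid-read) and a bounds check
        against the current capacity (so an offset that was valid when the
        compiler captured it is rejected rather than read out of bounds).

```cpp
// Added illustrative model (not JSC's implementation). All names are
// hypothetical stand-ins for the structures named in the ChangeLog entry.
#include <cstddef>
#include <cstdio>
#include <mutex>
#include <optional>
#include <vector>

struct Structure {
    std::mutex lock;               // stands in for ConcurrentJSLock
    size_t outOfLineCapacity = 0;  // slots the butterfly currently holds
};

struct Object {
    Structure structure;
    std::vector<int> butterfly;    // out-of-line property storage

    // Mutator-thread read: trusts the offset. Only safe on the main thread,
    // where nothing can shrink the storage underneath the caller.
    int getDirect(size_t offset) const { return butterfly[offset]; }

    // Compiler-thread read: hold the structure lock so flattening cannot run
    // concurrently, then refuse any offset beyond the current capacity
    // instead of performing an out-of-bounds load.
    std::optional<int> getDirectConcurrently(size_t offset) {
        std::lock_guard<std::mutex> guard(structure.lock);
        if (offset >= structure.outOfLineCapacity)
            return std::nullopt;
        return butterfly[offset];
    }

    // Dictionary flattening: keep only the first liveCount properties,
    // shrinking the storage while holding the same lock the reader takes.
    void flattenDictionaryStructure(size_t liveCount) {
        std::lock_guard<std::mutex> guard(structure.lock);
        if (liveCount < butterfly.size())
            butterfly.resize(liveCount);
        structure.outOfLineCapacity = butterfly.size();
    }
};

// Fill an object with `count` properties whose value is 10 * offset.
// (Object owns a std::mutex, so it is populated in place rather than returned.)
void populate(Object& object, size_t count) {
    object.butterfly.clear();
    for (size_t i = 0; i < count; ++i)
        object.butterfly.push_back(static_cast<int>(i * 10));
    object.structure.outOfLineCapacity = count;
}

int main() {
    Object object;
    populate(object, 8);

    // A compiler thread captured offset 7 while the object had 8 slots.
    size_t capturedOffset = 7;
    auto before = object.getDirectConcurrently(capturedOffset);
    std::printf("before flatten: %s\n", before ? "hit" : "miss");

    // The mutator flattens the dictionary, shrinking the storage to 3 slots.
    object.flattenDictionaryStructure(3);

    // The stale offset is now rejected instead of read past the end.
    auto after = object.getDirectConcurrently(capturedOffset);
    std::printf("after flatten: %s\n", after ? "hit" : "miss");
    return 0;
}
```

        In the real engine the reader additionally has to tolerate the value it
        loads being torn or stale; the model above only shows the capacity check,
        which is the part that turns a potential out-of-bounds read into a
        harmless miss.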

        * bytecode/ObjectPropertyConditionSet.cpp:
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetConstantProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getDirectConcurrently const):

2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Use Ref<> for the result type of non-failing factory functions
        https://bugs.webkit.org/show_bug.cgi?id=186920

        Reviewed by Darin Adler.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::ThreadBody::ThreadBody):
        (JSC::DFG::Worklist::finishCreation):
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::Thread::Thread):
        * heap/Heap.h:
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::Thread::Thread):
        * jit/JITWorklist.h:
        * runtime/VMTraps.cpp:
        * runtime/VMTraps.h:
        * wasm/WasmWorklist.cpp:
        * wasm/WasmWorklist.h:

2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Add user-defined literal for ASCIILiteral
        https://bugs.webkit.org/show_bug.cgi?id=186839

        Reviewed by Darin Adler.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunctionWithCallback):
        * API/JSTypedArray.cpp:
        (JSObjectGetArrayBufferBytesPtr):
        * API/JSValue.mm:
        (valueToArray):
        (valueToDictionary):
        * API/ObjCCallbackFunction.mm:
        (JSC::objCCallbackFunctionCallAsFunction):
        (JSC::objCCallbackFunctionCallAsConstructor):
        (JSC::ObjCCallbackFunctionImpl::call):
        * API/glib/JSCCallbackFunction.cpp:
        (JSC::JSCCallbackFunction::call):
        (JSC::JSCCallbackFunction::construct):
        * API/glib/JSCContext.cpp:
        (jscContextJSValueToGValue):
        * API/glib/JSCValue.cpp:
        (jsc_value_object_define_property_accessor):
        (jscValueFunctionCreate):
        * builtins/BuiltinUtils.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::nameForRegister):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorNext):
        (JSC::BytecodeGenerator::emitIteratorClose):
        (JSC::BytecodeGenerator::emitDelegateYield):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::PostfixNode::emitBytecode):
        (JSC::PrefixNode::emitBytecode):
        (JSC::AssignErrorNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        (JSC::ObjectPatternNode::bindValue const):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        (Inspector::ConsoleMessage::clear):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::InjectedScript):
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::callFunctionOn):
        (Inspector::InjectedScript::evaluateOnCallFrame):
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::functionDetails):
        (Inspector::InjectedScript::getPreview):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::saveResult):
        (Inspector::InjectedScript::wrapCallFrames const):
        (Inspector::InjectedScript::wrapObject const):
        (Inspector::InjectedScript::wrapJSONString const):
        (Inspector::InjectedScript::wrapTable const):
        (Inspector::InjectedScript::previewValue const):
        (Inspector::InjectedScript::setExceptionValue):
        (Inspector::InjectedScript::clearExceptionValue):
        (Inspector::InjectedScript::findObjectById const):
        (Inspector::InjectedScript::inspectObject):
        (Inspector::InjectedScript::releaseObject):
        (Inspector::InjectedScript::releaseObjectGroup):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId):
        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::sendPendingErrors):
        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::profile):
        (Inspector::JSGlobalObjectConsoleClient::profileEnd):
        (Inspector::JSGlobalObjectConsoleClient::timeStamp):
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
        (Inspector::JSJavaScriptCallFrame::type const):
        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::getFirstArgumentAsString):
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::InspectorAgent):
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
        (Inspector::InspectorConsoleAgent::clearMessages):
        (Inspector::InspectorConsoleAgent::count):
        (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
        (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::searchInContent):
        (Inspector::InspectorDebuggerAgent::getScriptSource):
        (Inspector::InspectorDebuggerAgent::getFunctionDetails):
        (Inspector::InspectorDebuggerAgent::resume):
        (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::assertPaused):
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::InspectorHeapAgent):
        (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
        (Inspector::InspectorHeapAgent::getPreview):
        (Inspector::InspectorHeapAgent::getRemoteObject):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getPreview):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        (Inspector::InspectorRuntimeAgent::getCollectionEntries):
        (Inspector::InspectorRuntimeAgent::saveResult):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::InspectorRuntimeAgent::getBasicBlocks):
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
        * inspector/scripts/codegen/cpp_generator_templates.py:
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
        (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
        (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
        * inspector/scripts/codegen/objc_generator_templates.py:
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::friendlyFunctionName):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::functionName const):
        (JSC::StackVisitor::Frame::sourceURL const):
        * jit/JIT.cpp:
        (JSC::JIT::doMainThreadPreparationBeforeCompile):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (resolvePath):
        (GlobalObject::moduleLoaderImportModule):
        (GlobalObject::moduleLoaderResolve):
        (functionDescribeArray):
        (functionRun):
        (functionLoad):
        (functionCheckSyntax):
        (functionDollarEvalScript):
        (functionDollarAgentStart):
        (functionDollarAgentReceiveBroadcast):
        (functionDollarAgentBroadcast):
        (functionTransferArrayBuffer):
        (functionLoadModule):
        (functionSamplingProfilerStackTraces):
        (functionAsyncTestStart):
        (functionWebAssemblyMemoryMode):
        (runWithOptions):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage const):
        (JSC::Lexer<T>::parseString):
        (JSC::Lexer<T>::parseComplexEscape):
        (JSC::Lexer<T>::parseStringSlowCase):
        (JSC::Lexer<T>::parseTemplateLiteral):
        (JSC::Lexer<T>::lex):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::Parser::setErrorMessage):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::finishCreation):
        * runtime/ArrayBuffer.cpp:
        (JSC::errorMesasgeForTransfer):
        * runtime/ArrayBufferSharingMode.h:
        (JSC::arrayBufferSharingModeName):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        (JSC::isArraySlowInline):
        * runtime/ArrayPrototype.cpp:
        (JSC::setLength):
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncUnShift):
        * runtime/AtomicsObject.cpp:
        (JSC::atomicsFuncWait):
        (JSC::atomicsFuncWake):
        * runtime/BigIntConstructor.cpp:
        (JSC::BigIntConstructor::finishCreation):
        (JSC::toBigInt):
        (JSC::callBigIntConstructor):
        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::toStringName):
        * runtime/BigIntPrototype.cpp:
        (JSC::bigIntProtoFuncToString):
        (JSC::bigIntProtoFuncValueOf):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        * runtime/ConsoleObject.cpp:
        (JSC::valueOrDefaultLabelString):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate):
        (JSC::formateDateInstance):
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToJSON):
        * runtime/Error.cpp:
        (JSC::createNotEnoughArgumentsError):
        (JSC::throwSyntaxError):
        (JSC::createTypeError):
        (JSC::createOutOfMemoryError):
        * runtime/Error.h:
        (JSC::throwVMError):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::sanitizedToString):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        (JSC::errorProtoFuncToString):
        * runtime/ExceptionFuzz.cpp:
        (JSC::doExceptionFuzzing):
        * runtime/ExceptionHelpers.cpp:
        (JSC::TerminatedExecutionError::defaultValue):
        (JSC::createStackOverflowError):
        (JSC::createNotAConstructorError):
        (JSC::createNotAFunctionError):
        (JSC::createNotAnObjectError):
        * runtime/GetterSetter.cpp:
        (JSC::callSetter):
        * runtime/IntlCollator.cpp:
        (JSC::sortLocaleData):
        (JSC::searchLocaleData):
        (JSC::IntlCollator::initializeCollator):
        (JSC::IntlCollator::compareStrings):
        (JSC::IntlCollator::usageString):
        (JSC::IntlCollator::sensitivityString):
        (JSC::IntlCollator::caseFirstString):
        (JSC::IntlCollator::resolvedOptions):
        * runtime/IntlCollator.h:
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeGetterCompare):
        (JSC::IntlCollatorPrototypeFuncResolvedOptions):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::defaultTimeZone):
        (JSC::canonicalizeTimeZoneName):
        (JSC::IntlDTFInternal::localeData):
        (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::weekdayString):
        (JSC::IntlDateTimeFormat::eraString):
        (JSC::IntlDateTimeFormat::yearString):
        (JSC::IntlDateTimeFormat::monthString):
        (JSC::IntlDateTimeFormat::dayString):
        (JSC::IntlDateTimeFormat::hourString):
        (JSC::IntlDateTimeFormat::minuteString):
        (JSC::IntlDateTimeFormat::secondString):
        (JSC::IntlDateTimeFormat::timeZoneNameString):
        (JSC::IntlDateTimeFormat::resolvedOptions):
        (JSC::IntlDateTimeFormat::format):
        (JSC::IntlDateTimeFormat::partTypeString):
        (JSC::IntlDateTimeFormat::formatToParts):
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::formatNumber):
        (JSC::IntlNumberFormat::styleString):
        (JSC::IntlNumberFormat::currencyDisplayString):
        (JSC::IntlNumberFormat::resolvedOptions):
        (JSC::IntlNumberFormat::partTypeString):
        (JSC::IntlNumberFormat::formatToParts):
        * runtime/IntlNumberFormat.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::grandfatheredLangTag):
        (JSC::canonicalizeLocaleList):
        (JSC::resolveLocale):
        (JSC::supportedLocales):
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructor::finishCreation):
        * runtime/IntlPluralRulesPrototype.cpp:
        (JSC::IntlPluralRulesPrototypeFuncSelect):
        (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
        * runtime/IteratorOperations.cpp:
        (JSC::iteratorNext):
        (JSC::iteratorClose):
        (JSC::hasIteratorMethod):
        (JSC::iteratorMethod):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::put):
        (JSC::JSArray::setLengthWithArrayStorage):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::pop):
        * runtime/JSArray.h:
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        (JSC::arrayBufferProtoGetterFuncByteLength):
        (JSC::sharedArrayBufferProtoGetterFuncByteLength):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::toStringName):
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::remainder):
        (JSC::JSBigInt::toNumber const):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        (JSC::JSValue::putToPrimitiveByIndex):
        (JSC::JSValue::toStringSlowCase const):
        * runtime/JSCJSValueInlines.h:
        (JSC::toPreferredPrimitiveType):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::create):
        (JSC::JSDataView::put):
        (JSC::JSDataView::defineOwnProperty):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncIndexOf):
        (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::name const):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::decode):
        (JSC::globalFuncProtoSetter):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSMap.cpp:
        (JSC::JSMap::toStringName):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::put):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::put):
        (JSC::JSModuleNamespaceObject::putByIndex):
        (JSC::JSModuleNamespaceObject::defineOwnProperty):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::calculatedClassName):
        (JSC::ordinarySetSlow):
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::callToPrimitiveFunction):
        (JSC::JSObject::ordinaryToPrimitive const):
        (JSC::JSObject::defaultHasInstance):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::validateAndApplyPropertyDescriptor):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putInlineForJSObject):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::finishCreation):
        * runtime/JSSet.cpp:
        (JSC::JSSet::toStringName):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::constructTypedArrayView):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncLength):
        (JSC::typedArrayViewProtoFuncSet):
        (JSC::typedArrayViewProtoFuncCopyWithin):
        (JSC::typedArrayViewProtoFuncLastIndexOf):
        (JSC::typedArrayViewProtoFuncIndexOf):
        (JSC::typedArrayViewProtoFuncJoin):
        (JSC::typedArrayViewProtoGetterFuncBuffer):
        (JSC::typedArrayViewProtoGetterFuncLength):
        (JSC::typedArrayViewProtoGetterFuncByteLength):
        (JSC::typedArrayViewProtoGetterFuncByteOffset):
        (JSC::typedArrayViewProtoFuncReverse):
        (JSC::typedArrayViewPrivateFuncSubarrayCreate):
        (JSC::typedArrayViewProtoFuncSlice):
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/JSWeakMap.cpp:
        (JSC::JSWeakMap::toStringName):
        * runtime/JSWeakSet.cpp:
        (JSC::JSWeakSet::toStringName):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lex):
        (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
        (JSC::LiteralParser<CharType>::Lexer::lexNumber):
        (JSC::LiteralParser<CharType>::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::getErrorMessage):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/MapPrototype.cpp:
        (JSC::getMap):
        * runtime/NullSetterFunction.cpp:
        (JSC::NullSetterFunctionInternal::callReturnUndefined):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::extractToStringRadixArgument):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        (JSC::objectConstructorAssign):
        (JSC::objectConstructorValues):
        (JSC::toPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        (JSC::objectConstructorDefineProperties):
        (JSC::objectConstructorCreate):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsSub):
        (JSC::jsMul):
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/ProxyConstructor.cpp:
        (JSC::makeRevocableProxy):
        (JSC::proxyRevocableConstructorThrowError):
        (JSC::ProxyConstructor::finishCreation):
        (JSC::constructProxyObject):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::toStringName):
        (JSC::ProxyObject::finishCreation):
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        (JSC::reflectObjectDefineProperty):
        (JSC::reflectObjectGet):
        (JSC::reflectObjectGetOwnPropertyDescriptor):
        (JSC::reflectObjectGetPrototypeOf):
        (JSC::reflectObjectIsExtensible):
        (JSC::reflectObjectOwnKeys):
        (JSC::reflectObjectPreventExtensions):
        (JSC::reflectObjectSet):
        (JSC::reflectObjectSetPrototypeOf):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        (JSC::toFlags):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::defineOwnProperty):
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoGetterGlobal):
        (JSC::regExpProtoGetterIgnoreCase):
        (JSC::regExpProtoGetterMultiline):
        (JSC::regExpProtoGetterDotAll):
        (JSC::regExpProtoGetterSticky):
        (JSC::regExpProtoGetterUnicode):
        (JSC::regExpProtoGetterFlags):
        (JSC::regExpProtoGetterSourceInternal):
        (JSC::regExpProtoGetterSource):
        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeAsString):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::displayName):
        (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/SetPrototype.cpp:
        (JSC::getSet):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::SparseArrayEntry::put):
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::sourceURL const):
        (JSC::StackFrame::functionName const):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCodePoint):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::StringObject::putByIndex):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::toLocaleCase):
        (JSC::stringProtoFuncNormalize):
        * runtime/Symbol.cpp:
        (JSC::Symbol::toNumber const):
        * runtime/SymbolConstructor.cpp:
        (JSC::symbolConstructorKeyFor):
        * runtime/SymbolObject.cpp:
        (JSC::SymbolObject::toStringName):
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::dumpTypes const):
        (JSC::TypeSet::displayName const):
        (JSC::StructureShape::leastCommonAncestor):
        * runtime/TypeSet.h:
        (JSC::StructureShape::setConstructorName):
        * runtime/VM.cpp:
        (JSC::VM::dumpTypeProfilerData):
        * runtime/WeakMapPrototype.cpp:
        (JSC::getWeakMap):
        (JSC::protoFuncWeakMapSet):
        * runtime/WeakSetPrototype.cpp:
        (JSC::getWeakSet):
        (JSC::protoFuncWeakSetAdd):
        * tools/JSDollarVM.cpp:
        (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
        (WTF::DOMJITGetterComplex::customGetter):
        (JSC::functionSetImpureGetterDelegate):
        (JSC::functionCreateElement):
        (JSC::functionGetHiddenValue):
        (JSC::functionSetHiddenValue):
        (JSC::functionFindTypeForExpression):
        (JSC::functionReturnTypeFor):
        (JSC::functionLoadGetterFromGetterSetter):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::fail const):
        * wasm/WasmIndexOrName.cpp:
        (JSC::Wasm::makeString):
        * wasm/WasmParser.h:
        (JSC::Wasm::FailureHelper::makeString):
        (JSC::Wasm::Parser::fail const):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::fail const):
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::toNonWrappingUint32):
        (JSC::getWasmBufferFromValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::grow):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        (JSC::WebAssemblyInstanceConstructor::finishCreation):
        * wasm/js/WebAssemblyInstancePrototype.cpp:
        (JSC::getInstance):
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):
        (JSC::WebAssemblyMemoryConstructor::finishCreation):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        (JSC::getMemory):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::webAssemblyModuleCustomSections):
        (JSC::webAssemblyModuleImports):
        (JSC::webAssemblyModuleExports):
        (JSC::WebAssemblyModuleConstructor::finishCreation):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::dataSegmentFail):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::resolve):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyInstantiateStreamingInternal):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::constructJSWebAssemblyTable):
        (JSC::WebAssemblyTableConstructor::finishCreation):
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::getTable):
        (JSC::webAssemblyTableProtoFuncGrow):
        (JSC::webAssemblyTableProtoFuncGet):
        (JSC::webAssemblyTableProtoFuncSet):

2018-06-22  Keith Miller  <keith_miller@apple.com>

        unshift should zero unused property storage
        https://bugs.webkit.org/show_bug.cgi?id=186960

        Reviewed by Saam Barati.

        Also, this patch adds the zeroed unused property storage assertion
        to one more place it was missing.

        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):

2018-06-22  Mark Lam  <mark.lam@apple.com>

        PropertyCondition::isValidValueForAttributes() should also consider deleted values.
        https://bugs.webkit.org/show_bug.cgi?id=186943
        <rdar://problem/41370337>

        Reviewed by Saam Barati.

        PropertyCondition::isValidValueForAttributes() should check if the passed in value
        is a deleted one before it does a jsDynamicCast on it.

        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isValidValueForAttributes):
        * runtime/JSCJSValueInlines.h:
        - removed an unnecessary #if.

2018-06-22  Keith Miller  <keith_miller@apple.com>

        performProxyCall should toThis the value passed to its handler
        https://bugs.webkit.org/show_bug.cgi?id=186951

        Reviewed by Mark Lam.

        * runtime/ProxyObject.cpp:
        (JSC::performProxyCall):

2018-06-22  Saam Barati  <sbarati@apple.com>

        ensureWritableX should only convert away from CoW when it will succeed
        https://bugs.webkit.org/show_bug.cgi?id=186898

        Reviewed by Keith Miller.

        Otherwise, when we OSR exit, we'll end up profiling the array after
        it has been converted away from CoW. It's better for the ArrayProfile
        to see the array as it's still in CoW mode.
        
        This patch also renames ensureWritableX to tryMakeWritableX since these
        were never really "ensure" operations -- they may fail and return null.

        * dfg/DFGOperations.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::tryMakeWritableInt32Slow):
        (JSC::JSObject::tryMakeWritableDoubleSlow):
        (JSC::JSObject::tryMakeWritableContiguousSlow):
        (JSC::JSObject::ensureWritableInt32Slow): Deleted.
        (JSC::JSObject::ensureWritableDoubleSlow): Deleted.
        (JSC::JSObject::ensureWritableContiguousSlow): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::tryMakeWritableInt32):
        (JSC::JSObject::tryMakeWritableDouble):
        (JSC::JSObject::tryMakeWritableContiguous):
        (JSC::JSObject::ensureWritableInt32): Deleted.
        (JSC::JSObject::ensureWritableDouble): Deleted.
        (JSC::JSObject::ensureWritableContiguous): Deleted.

2018-06-22  Keith Miller  <keith_miller@apple.com>

        We should call visitChildren on Base not the exact typename
        https://bugs.webkit.org/show_bug.cgi?id=186928

        Reviewed by Mark Lam.

        A lot of places were not properly calling visitChildren on their
        superclass. For most of them it didn't matter because they had
        immortal structures. If code changed in the future this might
        break things however.

        Also, block off more of the MethodTable for GetterSetter objects.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitChildren):
        * bytecode/ExecutableToCodeBlockEdge.cpp:
        (JSC::ExecutableToCodeBlockEdge::visitChildren):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::visitChildren):
        * runtime/EvalExecutable.cpp:
        (JSC::EvalExecutable::visitChildren):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::visitChildren):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::visitChildren):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::visitChildren):
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        * runtime/InferredType.cpp:
        (JSC::InferredType::visitChildren):
        * runtime/InferredTypeTable.cpp:
        (JSC::InferredTypeTable::visitChildren):
        * runtime/InferredValue.cpp:
        (JSC::InferredValue::visitChildren):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::visitChildren):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        * runtime/ModuleProgramExecutable.cpp:
        (JSC::ModuleProgramExecutable::visitChildren):
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::visitChildren):
        * runtime/ScopedArguments.cpp:
        (JSC::ScopedArguments::visitChildren):
        * runtime/ScopedArguments.h:
        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::visitChildren):

2018-06-20  Darin Adler  <darin@apple.com>

        [Cocoa] Use the isDirectory: variants of NSURL methods more to eliminate unnecessary file system activity
        https://bugs.webkit.org/show_bug.cgi?id=186875

        Reviewed by Anders Carlsson.

        * API/tests/testapi.mm:
        (testObjectiveCAPIMain): Use isDirectory:NO when creating a URL for a JavaScript file.

2018-06-22  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] WebDriver: use a dictionary for session capabilities in StartAutomationSession message
        https://bugs.webkit.org/show_bug.cgi?id=186915

        Reviewed by Žan Doberšek.

        Update StartAutomationSession message handling to receive a dictionary of session capabilities.

        * inspector/remote/glib/RemoteInspectorServer.cpp:
        (Inspector::processSessionCapabilities): Helper method to process the session capabilities.

2018-06-21  Mark Lam  <mark.lam@apple.com>

        WebKit (JavaScriptCore) compilation error with Clang ≥ 6.
        https://bugs.webkit.org/show_bug.cgi?id=185947
        <rdar://problem/40131933>

        Reviewed by Saam Barati.

        Newer Clang versions (due to C++17 support) are not happy with how I implemented
        conversions between CodeLocation types.  We'll fix this by adding a conversion
        operator for converting between CodeLocation types.

        * assembler/CodeLocation.h:
        (JSC::CodeLocationCommon::operator T):

2018-06-21  Saam Barati  <sbarati@apple.com>

        Do some CoW cleanup
        https://bugs.webkit.org/show_bug.cgi?id=186896

        Reviewed by Mark Lam.

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
        We don't need to WTFMove() ints

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        remove a TODO.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        We were checking for isCopyOnWrite even after we converted away
        from CoW in above code.
        (JSC::JSObject::ensureWritableInt32Slow):
        Model this in the same way the other ensureWritableXSlow are modeled.

2018-06-20  Keith Miller  <keith_miller@apple.com>

        flattenDictionaryStructure needs to zero inline storage.
        https://bugs.webkit.org/show_bug.cgi?id=186869

        Reviewed by Saam Barati.

        This patch also adds the assertion that unused property storage is
        zero or JSValue() to putDirectInternal. Additionally, functions
        have been added to $vm that flatten dictionary objects and return
        the inline capacity of an object.

        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):
        * tools/JSDollarVM.cpp:
        (JSC::functionInlineCapacity):
        (JSC::functionFlattenDictionaryObject):
        (JSC::JSDollarVM::finishCreation):

2018-06-21  Mark Lam  <mark.lam@apple.com>

        Use IsoCellSets to track Executables with clearable code.
        https://bugs.webkit.org/show_bug.cgi?id=186877

        Reviewed by Filip Pizlo.

        Here’s an example of the results that this fix may yield: 
        1. The workload: load cnn.com, wait for it to fully load, scroll down and up.
        2. Statistics on memory touched and memory freed by VM::deleteAllCode():

           Visiting Executables:
                                                        Old             New
           Number of objects visited:                   70897           14264
           Number of objects with deletable code:       14264 (20.1%)   14264 (100%)
           Number of memory pages visited:              3224            1602
           Number of memory pages with deletable code:  1602 (49.7%)    1602 (100%)

           Visiting UnlinkedFunctionExecutables:
                                                        Old             New
           Number of objects visited:                   105454          17231
           Number of objects with deletable code:       42319 (20.1%)   17231 (100%) **
           Number of memory pages visited:              4796            1349
           Number of memory pages with deletable code:  4013 (83.7%)    1349 (100%)

        ** The number of objects differs because the old code only visits unlinked
           executables indirectly via linked executables, whereas the new behavior visits
           all unlinked executables with deletable code directly.  This means:

           a. we used to not visit unlinked executables that have not been linked yet
              i.e. deleteAllCode() may not delete all code (especially code that is not
              used).
           b. we had to visit all linked executables to check if they are of type
              FunctionExecutable, before going on to visit their unlinked executable, and
              this includes the ones that do not have deletable code.  This means that we
              would touch more memory in the process.

           Both of these issues are now fixed with the new code.

        This code was tested with manually inserted instrumentation to track the above
        statistics.  It is not feasible to write an automated test for this without
        leaving a lot of invasive instrumentation in the code.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        * bytecode/UnlinkedFunctionExecutable.h:
        * heap/CodeBlockSetInlines.h:
        (JSC::CodeBlockSet::iterateViaSubspaces):
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCodeBlocks):
        (JSC::Heap::deleteAllUnlinkedCodeBlocks):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        (JSC::Heap::clearUnmarkedExecutables): Deleted.
        (JSC::Heap::addExecutable): Deleted.
        * heap/Heap.h:
        * runtime/DirectEvalExecutable.h:

        * runtime/ExecutableBase.cpp:
        (JSC::ExecutableBase::hasClearableCode const):
        - this is written based on the implementation of ExecutableBase::clearCode().

        * runtime/ExecutableBase.h:
        * runtime/FunctionExecutable.h:
        * runtime/IndirectEvalExecutable.h:
        * runtime/ModuleProgramExecutable.h:
        * runtime/ProgramExecutable.h:
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::clearCode):
        (JSC::ScriptExecutable::installCode):
        * runtime/ScriptExecutable.h:
        (JSC::ScriptExecutable::finishCreation):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet):
        (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor):
        (JSC::VM::forEachScriptExecutableSpace):
        (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet):
        (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor):

2018-06-21  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] WebDriver: allow applying host-specific TLS certificates for automated sessions
        https://bugs.webkit.org/show_bug.cgi?id=186884

        Reviewed by Carlos Garcia Campos.

        Add a tuple array input parameter to the StartAutomationSession DBus
        message, representing a list of host-and-certificate pairs that have to
        be allowed for a given session. This array is then unpacked and used to
        fill out the certificates Vector object in the SessionCapabilities
        struct.

        * inspector/remote/RemoteInspector.h: Add a GLib-specific Vector of
        String pairs representing hosts and the certificate file paths.
        * inspector/remote/glib/RemoteInspectorServer.cpp:

2018-06-20  Keith Miller  <keith_miller@apple.com>

        Expand concurrent GC assertion to accept JSValue() or 0
        https://bugs.webkit.org/show_bug.cgi?id=186855

        Reviewed by Mark Lam.

        We tend to set unused property slots to either JSValue() or 0
        depending on the context. On 64-bit these are the same but on
        32-bit JSValue() has a NaN tag. This patch makes it so we
        accept either JSValue() or 0.

        * runtime/JSObjectInlines.h:
        (JSC::JSObject::prepareToPutDirectWithoutTransition):

2018-06-20  Guillaume Emont  <guijemont@igalia.com>

        [Armv7] Linkbuffer: executableOffsetFor() fails for location 2
        https://bugs.webkit.org/show_bug.cgi?id=186765

        Reviewed by Michael Saboff.

        This widens the check for 0 so that we handle that case more correctly.

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::executableOffsetFor):

2018-06-19  Keith Miller  <keith_miller@apple.com>

        Fix broken assertion on 32-bit
        https://bugs.webkit.org/show_bug.cgi?id=186830

        Reviewed by Mark Lam.

        The assertion was intended to catch concurrent GC issues. We don't
        run them on 32-bit so we don't need this assertion there. The
        assertion was broken because zero is not JSValue() on 32-bit.

        * runtime/JSObjectInlines.h:
        (JSC::JSObject::prepareToPutDirectWithoutTransition):

2018-06-19  Keith Miller  <keith_miller@apple.com>

        flattenDictionaryStructure needs to zero properties that have been compressed away
        https://bugs.webkit.org/show_bug.cgi?id=186828

        Reviewed by Mark Lam.

        This patch fixes a bunch of crashing Mozilla tests on the bots.

        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2018-06-19  Saam Barati  <sbarati@apple.com>

        DirectArguments::create needs to initialize to undefined instead of the empty value
        https://bugs.webkit.org/show_bug.cgi?id=186818
        <rdar://problem/38415177>

        Reviewed by Filip Pizlo.

        The bug here is that we will emit code that just loads from DirectArguments as
        long as the index is within the known capacity of the arguments object (op_get_from_arguments).
        The arguments object has at least enough capacity to hold the declared parameters.
        When we materialized this object in OSR exit, we initialized up to the capacity
        with JSValue(). In OSR exit, though, we only filled up to the length of the
        object with actual values. So we'd end up with a DirectArguments object with
        capacity minus length slots of JSValue(). To fix this, we need to initialize up to
        capacity with jsUndefined during construction. The invariant of this object is
        that the capacity minus length slots at the end are filled in with jsUndefined.

        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::create):
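        A stress-style check of the invariant described in the entry above, written for this
        page as an added example; it is not a test from the WebKit tree. The function
        readsPastLength, the helper names and the iteration counts are choices made here. The
        function declares more parameters than are passed and reads the arguments object past
        arguments.length but within the declared parameter count, first in a hot loop so the
        optimizing tiers compile it, then with an argument of a different type so speculation
        fails and the arguments object is materialized on exit. Every slot between the
        passed length and the declared capacity must read as undefined; a JSValue() (empty
        value) leaking there would be observable from script.

```javascript
// Added example (not WebKit's own test): exercise DirectArguments slots between
// arguments.length and the declared parameter count across tier-up and exit.

function readsPastLength(a, b, c, d) {
  // readsPastLength.length is the declared parameter count (4), which is the
  // minimum capacity of the arguments object; arguments.length is how many
  // values were actually passed.
  const out = [];
  for (let i = 0; i < readsPastLength.length; i++)
    out.push(arguments[i]);
  return out;
}

// Returns true when every slot at index >= passed holds exactly undefined.
function checkAllUndefinedPastLength(values, passed) {
  for (let i = passed; i < values.length; i++) {
    if (values[i] !== undefined)
      return false;
  }
  return true;
}

// Runs the hot loop, then changes the argument type to invalidate speculation.
// Returns the number of calls that exposed a non-undefined unused slot (expect 0).
function runStressTest(iterations) {
  let bad = 0;
  for (let i = 0; i < iterations; i++) {
    const r = readsPastLength(i);          // 1 of 4 declared parameters passed
    if (!checkAllUndefinedPastLength(r, 1)) bad++;
  }
  for (let i = 0; i < 1000; i++) {
    const r = readsPastLength(String(i), i); // type change forces an exit path
    if (!checkAllUndefinedPastLength(r, 2)) bad++;
  }
  return bad;
}

if (runStressTest(100000) !== 0)
  throw new Error("unused arguments slot was not undefined");
```

Run it with a JavaScript engine's shell or node; it throws only if some slot past the passed length reads as something other than undefined.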

2018-06-19  Michael Saboff  <msaboff@apple.com>

        Crash in sanitizeStackForVMImpl sometimes when switching threads with same VM
        https://bugs.webkit.org/show_bug.cgi?id=186827

        Reviewed by Saam Barati.

        Need to set VM::lastStackTop before any possible calls to sanitizeStack().

        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2018-06-19  Tadeu Zagallo  <tzagallo@apple.com>

        ShadowChicken crashes with stack overflow in the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=186540
        <rdar://problem/39682133>

        Reviewed by Saam Barati.

        Stack overflows in the LLInt were crashing in ShadowChicken when compiling
        with debug opcodes because it was accessing the scope of the incomplete top
        frame, which hadn't been set yet. Check that we have moved past the first
        opcode (enter) and that the scope is not undefined (enter will
        initialize it to undefined).

        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):

2018-06-19  Keith Miller  <keith_miller@apple.com>

        constructArray variants should take the slow path for subclasses of Array
        https://bugs.webkit.org/show_bug.cgi?id=186812

        Reviewed by Saam Barati and Mark Lam.

        This patch fixes a crashing test in ObjectInitializationScope where we would
        allocate a new structure for an indexing type change while initializing
        a subclass of Array. Since the new array hasn't been fully initialized
        if the GC ran it would see garbage and we might crash.

        * runtime/JSArray.cpp:
        (JSC::constructArray):
        (JSC::constructArrayNegativeIndexed):
        * runtime/JSArray.h:
        (JSC::constructArray): Deleted.
        (JSC::constructArrayNegativeIndexed): Deleted.

2018-06-19  Saam Barati  <sbarati@apple.com>

        Wasm: Any function argument of type Void should be a validation error
        https://bugs.webkit.org/show_bug.cgi?id=186794
        <rdar://problem/41140257>

        Reviewed by Keith Miller.

        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parseType):
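        The validation rule named in the entry above, checked from the consumer side as an
        added example that is not part of the WebKit tree. Two minimal modules are assembled
        by hand; they differ in one byte of the type section, the parameter's type. The
        value types a parameter may carry are 0x7f (i32), 0x7e (i64), 0x7d (f32) and 0x7c
        (f64); 0x40 is the byte the binary format uses for the empty block result type and is
        not a value type, so a function type that uses it as a parameter must fail
        validation rather than parse. The helper names are choices made here.

```javascript
// Added example (not WebKit code): a module whose only section is a type section
// declaring one function type with a single parameter of the given type byte.

function buildModuleWithParamType(paramType) {
  const header = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]; // "\0asm", version 1
  const typeSectionPayload = [
    0x01,             // one function type
    0x60,             // functype marker
    0x01, paramType,  // one parameter of the given type
    0x00,             // no results
  ];
  // Section id 1 = type section; all sizes here fit in a single LEB128 byte.
  const typeSection = [0x01, typeSectionPayload.length, ...typeSectionPayload];
  return new Uint8Array([...header, ...typeSection]);
}

// True when the engine's validator accepts the module.
function validates(paramType) {
  return WebAssembly.validate(buildModuleWithParamType(paramType));
}

// True when compilation is refused with a CompileError, which is the outcome a
// malformed type section must produce.
function throwsCompileError(paramType) {
  try {
    new WebAssembly.Module(buildModuleWithParamType(paramType));
    return false;
  } catch (e) {
    return e instanceof WebAssembly.CompileError;
  }
}

const I32 = 0x7f;
const EMPTY_BLOCK_TYPE = 0x40; // not a value type; invalid as a parameter

if (!validates(I32) || validates(EMPTY_BLOCK_TYPE))
  throw new Error("validator accepted a non-value parameter type");
```

The same byte-level approach works for any other position where the parser must reject a non-value type (results, locals, globals): keep everything else valid and mutate the one byte under test.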

2018-06-18  Keith Miller  <keith_miller@apple.com>

        JSImmutableButterfly should assert m_header is adjacent to the data
        https://bugs.webkit.org/show_bug.cgi?id=186795

        Reviewed by Saam Barati.

        * runtime/JSImmutableButterfly.cpp:
        * runtime/JSImmutableButterfly.h:

2018-06-18  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix the build...

        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):

2018-06-18  Keith Miller  <keith_miller@apple.com>

        Unreviewed, remove bad assertion.

        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):

2018-06-18  Keith Miller  <keith_miller@apple.com>

        Properly zero unused property storage offsets
        https://bugs.webkit.org/show_bug.cgi?id=186692

        Reviewed by Filip Pizlo.

        Since the concurrent GC might see a property slot before the mutator has actually
        stored the value there, we need to ensure that slot doesn't have garbage in it.

        Right now when calling constructConvertedArrayStorageWithoutCopyingElements
        or creating a RegExp matches array, we never cleared the unused
        property storage. ObjectInitializationScope has also been upgraded
        to look for our invariants around property storage. Additionally,
        a new assertion has been added to check for JSValue() when adding
        a new property.

        We used to put undefined into deleted property offsets. To
        make things simpler, this patch causes us to store JSValue() there
        instead.

        Lastly, this patch fixes an issue where we would initialize the
        array storage of RegExpMatchesArray twice. First with 0 and
        secondly with the actual result. Now we only zero memory between
        vector length and public length.

        * runtime/Butterfly.h:
        (JSC::Butterfly::offsetOfVectorLength):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::tryCreateUninitialized):
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::create):
        (JSC::Butterfly::createOrGrowPropertyStorage):
        (JSC::Butterfly::createOrGrowArrayRight):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::resizeArray):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
        * runtime/JSArray.h:
        (JSC::tryCreateArrayButterfly):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createArrayStorageButterfly):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::prepareToPutDirectWithoutTransition):
        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
        * runtime/ObjectInitializationScope.h:
        (JSC::ObjectInitializationScope::release):
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        (JSC::createRegExpMatchesArray):

        * runtime/Butterfly.h:
        (JSC::Butterfly::offsetOfVectorLength):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::tryCreateUninitialized):
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::create):
        (JSC::Butterfly::createOrGrowPropertyStorage):
        (JSC::Butterfly::createOrGrowArrayRight):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::resizeArray):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
        * runtime/JSArray.h:
        (JSC::tryCreateArrayButterfly):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createArrayStorageButterfly):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::prepareToPutDirectWithoutTransition):
        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::createEmptyRegExpMatchesArray):
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        (JSC::createRegExpMatchesArray):

2018-06-18  Tadeu Zagallo  <tzagallo@apple.com>

        Share structure across instances of classes exported through the ObjC API
        https://bugs.webkit.org/show_bug.cgi?id=186579
        <rdar://problem/40969212>

        Reviewed by Saam Barati.

        A new structure was being created for each instance of exported ObjC
        classes due to setting the prototype in the structure for every object,
        since prototype transitions are not cached by the structure. Cache the
        Structure in the JSObjcClassInfo to avoid the transition.

        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo wrapperForObject:inContext:]):
        (-[JSObjCClassInfo structureInContext:]):
        * API/tests/JSWrapperMapTests.h: Added.
        * API/tests/JSWrapperMapTests.mm: Added.
        (+[JSWrapperMapTests testStructureIdentity]):
        (runJSWrapperMapTests):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-06-18  Michael Saboff  <msaboff@apple.com>

        Support Unicode 11 in RegExp
        https://bugs.webkit.org/show_bug.cgi?id=186685

        Reviewed by Mark Lam.

        Updated the UCD tables used to generate RegExp property tables to version 11.0.

        * Scripts/generateYarrUnicodePropertyTables.py:
        * ucd/CaseFolding.txt:
        * ucd/DerivedBinaryProperties.txt:
        * ucd/DerivedCoreProperties.txt:
        * ucd/DerivedNormalizationProps.txt:
        * ucd/PropList.txt:
        * ucd/PropertyAliases.txt:
        * ucd/PropertyValueAliases.txt:
        * ucd/ScriptExtensions.txt:
        * ucd/Scripts.txt:
        * ucd/UnicodeData.txt:
        * ucd/emoji-data.txt:

2018-06-18  Carlos Alberto Lopez Perez  <clopez@igalia.com>

        [WTF] Remove workarounds needed to support libstdc++-4
        https://bugs.webkit.org/show_bug.cgi?id=186762

        Reviewed by Michael Catanzaro.

        Revert r226299, r226300 r226301 and r226302.

        * API/tests/TypedArrayCTest.cpp:
        (assertEqualsAsNumber):

2018-06-16  Michael Catanzaro  <mcatanzaro@igalia.com>

        REGRESSION(r227717): Hardcoded page size causing JSC crashes on platforms with page size bigger than 16 KB
        https://bugs.webkit.org/show_bug.cgi?id=182923

        Reviewed by Mark Lam.

        The blockSize used by MarkedBlock is incorrect on platforms with pages larger than 16 KB.
        Upstream Fedora's patch to use a safer 64 KB default. This fixes PowerPC and s390x.

        * heap/MarkedBlock.h:

2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Inline JSArray::pushInline and Structure::nonPropertyTransition
        https://bugs.webkit.org/show_bug.cgi?id=186723

        Reviewed by Mark Lam.

        Now, the CoW -> non-CoW transition is a heavy path. We inline part of Structure::nonPropertyTransition
        to catch the major path. And we also inline JSArray::pushInline to spread this in operationArrayPushMultiple.

        This patch improves SixSpeed/spread-literal.es5.

                                     baseline                  patched

        spread-literal.es5      114.4140+-4.5146     ^    104.5475+-3.6157        ^ definitely 1.0944x faster

        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
        * runtime/Structure.cpp:
        (JSC::Structure::nonPropertyTransitionSlow):
        (JSC::Structure::nonPropertyTransition): Deleted.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::nonPropertyTransition):

2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Reduce OSRExit for Kraken/crypto-aes due to CoW array
        https://bugs.webkit.org/show_bug.cgi?id=186721

        Reviewed by Keith Miller.

        We still have several other OSRExits, but this patch reduces them.

        1. While ArraySlice code accepts CoW arrays, it always emits CheckStructure without CoW Array structures.
        So DFG emits ArraySlice onto CoW arrays, and always performs OSRExits.

        2. The CoW patch removed ArrayAllocationProfile updates. This makes the allocated JSImmutableButterfly
        inappropriate.

        These changes fix the Kraken/crypto-aes regression a bit.

                                      baseline                  patched

        stanford-crypto-aes        63.718+-2.312      ^      56.140+-0.966         ^ definitely 1.1350x faster


        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2018-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
        https://bugs.webkit.org/show_bug.cgi?id=186460

        Reviewed by Saam Barati.

        Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
        We should return JSFixedArray for Spread. This patch adds a code generating
        a JSFixedArray from JSImmutableButterfly.

        Merging JSFixedArray into JSImmutableButterfly is a possible future extension.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
        * runtime/JSFixedArray.h:

2018-06-15  Saam Barati  <sbarati@apple.com>

        Annotate shrinkFootprintWhenIdle with NS_AVAILABLE
        https://bugs.webkit.org/show_bug.cgi?id=186687
        <rdar://problem/40071332>

        Reviewed by Keith Miller.

        * API/JSVirtualMachinePrivate.h:

2018-06-15  Saam Barati  <sbarati@apple.com>

        Make ForceOSRExit CFG pruning in bytecode parser more aggressive by making the original block to ignore be the plan's osrEntryBytecodeIndex
        https://bugs.webkit.org/show_bug.cgi?id=186648

        Reviewed by Michael Saboff.

        This patch is neutral on SunSpider/bitops-bitwise-and. That test originally
        regressed with my first version of ForceOSRExit CFG pruning. This patch makes
        ForceOSRExit CFG pruning more aggressive by not ignoring everything that
        can reach any loop_hint, but only ignoring blocks that can reach a loop_hint
        if it's the plan's osr entry bytecode target. The goal is to get a speedometer
        2 speedup with this change on iOS.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):

2018-06-15  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, rolling out r232816.

        Suggested by Caitlin:
        "this patch clearly does get some things wrong, and it's not
        easy to find what those things are"

        Reverted changeset:

        "[LLInt] use loadp consistently for
        get_from_scope/put_to_scope"
        https://bugs.webkit.org/show_bug.cgi?id=132333
        https://trac.webkit.org/changeset/232816

2018-06-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION(232741): Crash running ARES-6
        https://bugs.webkit.org/show_bug.cgi?id=186630

        Reviewed by Saam Barati.

        The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
        treated edges between identical predecessor->successor pairs independently.
        This fixes the issue by handling such edges once, using the added intermediate
        pad for all instances of the edges between the same pairs.

        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::run):
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.

2018-06-14  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK][WPE] WebDriver: handle acceptInsecureCertificates capability
        https://bugs.webkit.org/show_bug.cgi?id=186560

        Reviewed by Brian Burg.

        Add SessionCapabilities struct to Client class and unify requestAutomationSession() methods into a single one
        that always receives the session capabilities.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage): Move the parsing of mac capabilities from
        WebKit here and fill the SessionCapabilities instead.
        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::requestAutomationSession): Pass SessionCapabilities to the client.
        * inspector/remote/glib/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::startAutomationSession): Process SessionCapabilities.
        * inspector/remote/glib/RemoteInspectorServer.h:

2018-06-13  Adrian Perez de Castro  <aperez@igalia.com>

        [WPE] Trying to access the remote inspector hits an assertion in the UIProcess
        https://bugs.webkit.org/show_bug.cgi?id=186588

        Reviewed by Carlos Garcia Campos.

        Make both the WPE and GTK+ ports use /org/webkit/inspector as base prefix
        for resource paths, which avoids needing a switcheroo depending on the port.

        * inspector/remote/glib/RemoteInspectorUtils.cpp:

2018-06-13  Caitlin Potter  <caitp@igalia.com>

        [LLInt] use loadp consistently for get_from_scope/put_to_scope
        https://bugs.webkit.org/show_bug.cgi?id=132333

        Reviewed by Mark Lam.

        Using `loadis` for register indexes and `loadp` for constant scopes /
        symboltables makes sense, but is problematic for big-endian
        architectures.

        Consistently treating the operand as a pointer simplifies determining
        how to access the operand, and helps avoid bad accesses and crashes on
        big-endian ports.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/Instruction.h:
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
        (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):

2018-06-13  Keith Miller  <keith_miller@apple.com>

        AutomaticThread should have a way to provide a thread name
        https://bugs.webkit.org/show_bug.cgi?id=186604

        Reviewed by Filip Pizlo.

        Add names for JSC's automatic threads.

        * dfg/DFGWorklist.cpp:
        * heap/Heap.cpp:
        * jit/JITWorklist.cpp:
        * runtime/VMTraps.cpp:
        * wasm/WasmWorklist.cpp:

2018-06-13  Saam Barati  <sbarati@apple.com>

        CFGSimplificationPhase should de-dupe jettisonedBlocks
        https://bugs.webkit.org/show_bug.cgi?id=186583

        Reviewed by Filip Pizlo.

        When making the predecessors list unique in r232741, it revealed a bug inside
        of CFG simplification, where we try to remove the same predecessor more than
        once from a block's predecessors list. We built the list of blocks to remove
        from the list of successors, which is not unique, causing us to try to remove
        the same predecessor more than once. The solution here is to just add to this
        list of blocks to remove only if the block is not already in the list.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):

2018-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Always use Nuke & Set procedure for x86
        https://bugs.webkit.org/show_bug.cgi?id=186592

        Reviewed by Keith Miller.

        We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
        By doing so, we can concurrently load structure and butterfly at least in x86 environment even in non-collector
        threads.

        * runtime/JSObject.cpp:
        (JSC::JSObject::convertContiguousToArrayStorage):

2018-06-12  Saam Barati  <sbarati@apple.com>

        Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle
        https://bugs.webkit.org/show_bug.cgi?id=186071

        Reviewed by Mark Lam.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine shrinkFootprint]): Deleted.
        * API/JSVirtualMachinePrivate.h:

2018-06-11  Saam Barati  <sbarati@apple.com>

        Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
        https://bugs.webkit.org/show_bug.cgi?id=181409
        <rdar://problem/36383749>

        Reviewed by Keith Miller.

        This patch is me redoing r226655. This is a patch I wrote when
        profiling Speedometer. Fil rolled this change out in r230928. He
        showed this slowed down a sunspider test by ~2x. This sunspider
        regression revealed a real performance bug in the original change:
        we would kill blocks that reached OSR entry targets, sometimes leading
        us to not do OSR entry into the DFG, since we could end up deleting
        entire loops from the CFG. The reason for this is that code that has run
        ~once and that reaches loops often has ForceOSRExits inside of it. The
        solution to this is to not perform this optimization on blocks that can
        reach OSR entry targets.
        
        The reason I'm redoing this patch is that it turns out Fil rolling
        out the change was a Speedometer 2 regression.
        
        This is a modified version of the original ChangeLog I wrote in r226655:
        
        When I was looking at profiler data for Speedometer, I noticed that one of
        the hottest functions in Speedometer is around 1100 bytecode operations long.
        Only about 100 of those bytecode ops ever execute. However, we ended up
        spending a lot of time compiling basic blocks that never executed. We often
        plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
        This is the case when such a node never executes.
        
        This patch makes it so that anytime a block has a ForceOSRExit, and that block
        cannot reach an OSR entry target, we replace its terminal node with an Unreachable
        node, and remove all nodes after the ForceOSRExit. This cuts down the graph
        size since it removes control flow edges from the CFG. This allows us to get
        rid of huge chunks of the CFG in certain programs. When doing this transformation,
        we also insert Flushes/PhantomLocals to ensure we can recover values that are bytecode
        live-in to the ForceOSRExit.
        
        Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
        does not get rid of all the CFG that it could. If we decide it's worth
        it, we could use additional inputs into this mechanism. For example, we could
        profile if a basic block ever executes inside the LLInt/Baseline, and
        remove parts of the CFG based on that.
        
        When running Speedometer with the concurrent JIT turned off, this patch
        improves DFG/FTL compile times by around 5%.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::blocksInPostOrder):

2018-06-11  Saam Barati  <sbarati@apple.com>

        The NaturalLoops algorithm only works when the list of blocks in a loop is de-duplicated
        https://bugs.webkit.org/show_bug.cgi?id=184829

        Reviewed by Michael Saboff.

        This patch codifies that a BasicBlock's list of predecessors is de-duplicated.
        In B3/Air, this just meant writing a validation rule. In DFG, this meant
        ensuring this property when building up the predecessors list, and also adding
        a validation rule. The NaturalLoops algorithm relies on this property.

        * b3/B3Validate.cpp:
        * b3/air/AirValidate.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testLoopWithMultipleHeaderEdges):
        (JSC::B3::run):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::handleSuccessor):
        * dfg/DFGValidate.cpp:

2018-06-11  Keith Miller  <keith_miller@apple.com>

        Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire which churns 65KB of memory
        https://bugs.webkit.org/show_bug.cgi?id=186467

        Reviewed by Simon Fraser.

        This patch adds a LazyFireDetail that wraps ScopedLambda so that
        we don't actually malloc any strings for firing unless those
        Strings are actually going to be printed.

        * bytecode/Watchpoint.h:
        (JSC::LazyFireDetail::LazyFireDetail):
        * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
        (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
        * dfg/DFGAdaptiveStructureWatchpoint.cpp:
        (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):

2018-06-11  Mark Lam  <mark.lam@apple.com>

        Add support for webkit-test-runner jscOptions in DumpRenderTree and WebKitTestRunner.
        https://bugs.webkit.org/show_bug.cgi?id=186451
        <rdar://problem/40875792>

        Reviewed by Tim Horton.

        Enhance setOptions() to be able to take a comma separated options string in
        addition to white space separated options strings.

        * runtime/Options.cpp:
        (JSC::isSeparator):
        (JSC::Options::setOptions):

2018-06-11  Michael Saboff  <msaboff@apple.com>

        JavaScriptCore: Disable 32-bit JIT on Windows
        https://bugs.webkit.org/show_bug.cgi?id=185989

        Reviewed by Mark Lam.

        Fixed the CLOOP so it can work when COMPUTED_GOTOs are not supported.

        * llint/LLIntData.h:
        (JSC::LLInt::getCodePtr): Used a reinterpret_cast since Opcode could be an int.
        * llint/LowLevelInterpreter.cpp: Changed the definition of OFFLINE_ASM_GLOBAL_LABEL to not
        have a case label because these aren't opcodes.
        * runtime/Options.cpp: Made assembler related Windows conditional code also conditional
        on the JIT being enabled.
        (JSC::recomputeDependentOptions):

2018-06-11  Michael Saboff  <msaboff@apple.com>

        Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=186477

        Reviewed by Filip Pizlo.

        Fixed bug where we were using the wrong frame size for TypeParenthesesSubpatternTerminalBegin
        YARR interpreter nodes.  This caused us to overwrite other frame information.

        Added frame offset debugging code to YARR interpreter.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::emitDisjunction):
        (JSC::Yarr::ByteCompiler::dumpDisjunction):

2018-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Array.prototype.sort should reject null comparator
        https://bugs.webkit.org/show_bug.cgi?id=186458

        Reviewed by Keith Miller.

        This relaxed behavior was once introduced in r216169 to fix some pages by aligning
        the behavior to Chrome and Firefox.

        However, now Chrome, Firefox and Edge reject a null comparator. So only JavaScriptCore
        accepts it. This patch reverts r216169 to align JSC to the other engines and fix
        the spec issue.

        * builtins/ArrayPrototype.js:
        (sort):

2018-06-09  Dan Bernstein  <mitz@apple.com>

        [Xcode] Clean up and modernize some build setting definitions
        https://bugs.webkit.org/show_bug.cgi?id=186463

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig: Removed definition for macOS 10.11. Simplified the
          definition of WK_PRIVATE_FRAMEWORK_STUBS_DIR now that WK_XCODE_SUPPORTS_TEXT_BASED_STUBS
          is true for all supported Xcode versions.
        * Configurations/DebugRelease.xcconfig: Removed definition for macOS 10.11.
        * Configurations/FeatureDefines.xcconfig: Simplified the definitions of ENABLE_APPLE_PAY and
          ENABLE_VIDEO_PRESENTATION_MODE now macOS 10.12 is the earliest supported version.
        * Configurations/Version.xcconfig: Removed definition for macOS 10.11.
        * Configurations/WebKitTargetConditionals.xcconfig: Removed definitions for macOS 10.11.

2018-06-09  Dan Bernstein  <mitz@apple.com>

        Added missing file references to the Configuration group.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-06-08  Darin Adler  <darin@apple.com>

        [Cocoa] Remove all uses of NSAutoreleasePool as part of preparation for ARC
        https://bugs.webkit.org/show_bug.cgi?id=186436

        Reviewed by Anders Carlsson.

        * heap/Heap.cpp: Include FoundationSPI.h rather than directly including
        objc-internal.h and explicitly declaring the alternative.

2018-06-08  Wenson Hsieh  <wenson_hsieh@apple.com>

        [WebKit on watchOS] Upstream watchOS source additions to OpenSource (Part 1)
        https://bugs.webkit.org/show_bug.cgi?id=186442
        <rdar://problem/40879364>

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2018-06-08  Tadeu Zagallo  <tzagallo@apple.com>

        jumpTrueOrFalse only takes the fast path for boolean false on 64bit LLInt 
        https://bugs.webkit.org/show_bug.cgi?id=186446
        <rdar://problem/40949995>

        Reviewed by Mark Lam.

        On 64bit LLInt, jumpTrueOrFalse did a mask check to take the fast path for
        boolean literals, but it would only work for false. Change it so that it
        takes the fast path for true, false, null and undefined.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:

2018-06-08  Brian Burg  <bburg@apple.com>

        [Cocoa] Web Automation: include browser name and version in listing for automation targets
        https://bugs.webkit.org/show_bug.cgi?id=186204
        <rdar://problem/36950423>

        Reviewed by Darin Adler.

        Ask the client what the reported browser name and version should be, then
        send this as part of the listing for an automation target.

        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::listingForAutomationTarget const):

2018-06-07  Chris Dumez  <cdumez@apple.com>

        Add base class to get WeakPtrFactory member and avoid some boilerplate code
        https://bugs.webkit.org/show_bug.cgi?id=186407

        Reviewed by Brent Fulgham.

        Add CanMakeWeakPtr base class to get WeakPtrFactory member and its getter, in
        order to avoid some boilerplate code in every class needing a WeakPtrFactory.
        This also gets rid of old-style createWeakPtr() methods in favor of the newer
        makeWeakPtr().

        * wasm/WasmInstance.h:
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::registerInstance):

2018-06-07  Tadeu Zagallo  <tzagallo@apple.com>

        Don't try to allocate JIT memory if we don't have the JIT entitlement
        https://bugs.webkit.org/show_bug.cgi?id=182605
        <rdar://problem/38271229>

        Reviewed by Mark Lam.

        Check that the current process has the correct entitlements before
        trying to allocate JIT memory to silence warnings.

        * jit/ExecutableAllocator.cpp:
        (JSC::allowJIT): Helper that checks entitlements on iOS and returns true on other platforms
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): check allowJIT before trying to allocate

2018-06-07  Saam Barati  <sbarati@apple.com>

        TierUpCheckInjectionPhase systematically never puts the outer-most loop in an inner loop's vector of outer loops
        https://bugs.webkit.org/show_bug.cgi?id=186386

        Reviewed by Filip Pizlo.

        This looks like an 8% speedup on Kraken's imaging-gaussian-blur subtest.

        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):

2018-06-02  Filip Pizlo  <fpizlo@apple.com>

        FunctionRareData::m_objectAllocationProfileWatchpoint is racy
        https://bugs.webkit.org/show_bug.cgi?id=186237

        Reviewed by Saam Barati.

        We initialize it blind and let it go into auto-watch mode once the DFG adds a watchpoint, but
        that means that we never notice that it fired if it fires between when the DFG decides to
        watch it and when it actually adds the watchpoint.
        
        Most watchpoints are initialized watched for this purpose. This one had a somewhat good
        reason for being initialized blind: that's how we knew to ignore changes to the prototype
        before the first allocation. However, that functionality also arose out of the fact that the
        rare data is created lazily and usually won't exist until the first allocation.
        
        The fix here is to make the watchpoint go into watched mode as soon as we initialize the
        object allocation profile.
        
        It's hard to repro this race, however it started causing spurious test failures for me after
        bug 164904.

        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::FunctionRareData):
        (JSC::FunctionRareData::initializeObjectAllocationProfile):

2018-06-07  Saam Barati  <sbarati@apple.com>

        Make DFG to FTL OSR entry code more sane by removing bad RELEASE_ASSERTS and making it trigger compiles in outer loops before inner ones
        https://bugs.webkit.org/show_bug.cgi?id=186218
        <rdar://problem/38449540>

        Reviewed by Filip Pizlo.

        This patch makes tierUpCommon a tad bit more sane. There are a few things
        that I did:
        - There were a few release asserts that were crashing. Those release asserts
        were incorrect. They were making assumptions about how the code and data
        structures were ordered that were wrong. This patch removes them. The code
        was using the loop hierarchy vector to make assumptions about which loop we
        were currently executing in, which is incorrect. The only information that
        can be used about where we're currently executing is the bytecode index we're
        at.
        - This makes it so that we go back to trying to compile outer loops before
        inner loops. JF accidentally reverted this behavior that Ben implemented.
        JF made it so that we just compiled the innermost loop. I make this
        functionality work by first triggering a compile for the outermost loop
        that the code is currently executing in and that can perform OSR entry.
        However, some programs can get stuck in inner loops. The code works by
        progressively asking inner loops to compile if program execution has not
        yet reached an outer loop.

        * dfg/DFGOperations.cpp:

2018-06-06  Guillaume Emont  <guijemont@igalia.com>

        ArityFixup should adjust SP first on 32-bit platforms too
        https://bugs.webkit.org/show_bug.cgi?id=186351

        Reviewed by Yusuke Suzuki.

        * jit/ThunkGenerators.cpp:
        (JSC::arityFixupGenerator):

2018-06-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Compare operations do not respect negative zeros
        https://bugs.webkit.org/show_bug.cgi?id=183729

        Reviewed by Saam Barati.

        Compare operations do not respect negative zeros. So propagating this can
        reduce the size of the produced code for negative zero case. This pattern
        can be seen in Kraken stanford-crypto-aes.

        This also causes an existing bug which converts CompareEq(Int32Only, NonIntAsdouble) to false.
        However, NonIntAsdouble includes negative zero, which can be equal to Int32 positive zero.
        This issue is covered by fold-based-on-int32-proof-mul-branch.js, and we fix this.

        * bytecode/SpeculatedType.cpp:
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0.
        To emphasize this, we use SpecAnyIntAsDouble | SpecNonIntAsDouble directly instead of
        SpecDoubleReal.

        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):

2018-06-06  Saam Barati  <sbarati@apple.com>

        generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
        https://bugs.webkit.org/show_bug.cgi?id=186363

        Rubber-stamped by Filip Pizlo.

        The code was assuming that the object it was creating an OPC for always
        had a non-poly-proto structure. However, this assumption was wrong. For
        example, an object in the prototype chain could be poly proto. That type 
        of object graph would cause a crash in this code. This patch makes it so
        that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
        object as we traverse the prototype chain.

        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForInstanceOf):

2018-06-05  Brent Fulgham  <bfulgham@apple.com>

        Adjust compile and runtime flags to match shippable state of features
        https://bugs.webkit.org/show_bug.cgi?id=186319
        <rdar://problem/40352045>

        Reviewed by Maciej Stachowiak, Jon Lee, and others.

        This patch revises the compile time and runtime state for various features to match their
        suitability for end-user releases.

        * Configurations/DebugRelease.xcconfig: Update to match WebKit definition of
        WK_RELOCATABLE_FRAMEWORKS so that ENABLE(EXPERIMENTAL_FEATURES) is defined properly for
        Cocoa builds.
        * Configurations/FeatureDefines.xcconfig: Don't build ENABLE_INPUT_TYPE_COLOR
        or ENABLE_INPUT_TYPE_COLOR_POPOVER.
        * runtime/Options.h: Only enable INTL_NUMBER_FORMAT_TO_PARTS and INTL_PLURAL_RULES
        at runtime for non-production builds.

2018-06-05  Brent Fulgham  <bfulgham@apple.com>

        Revise DEFAULT_EXPERIMENTAL_FEATURES_ENABLED to work properly on Apple builds
        https://bugs.webkit.org/show_bug.cgi?id=186286
        <rdar://problem/40782992>

        Reviewed by Dan Bernstein.

        Use the WK_RELOCATABLE_FRAMEWORKS flag (which is always defined for non-production builds)
        to define ENABLE(EXPERIMENTAL_FEATURES) so that we do not need to manually
        change this flag when preparing for a production release.

        * Configurations/FeatureDefines.xcconfig: Use WK_RELOCATABLE_FRAMEWORKS to determine
        whether experimental features should be enabled, and use it to properly define the
        feature flag.

2018-06-05  Darin Adler  <darin@apple.com>

        [Cocoa] Update some JavaScriptCore code to be more ready for ARC
        https://bugs.webkit.org/show_bug.cgi?id=186301

        Reviewed by Anders Carlsson.

        * API/JSContext.mm:
        (-[JSContext evaluateScript:withSourceURL:]): Use __bridge for typecast.
        (-[JSContext setName:]): Removed unnecessary call to copy, since the
        JSStringCreateWithCFString function already reads the characters out
        of the string and does not retain the string, so there is no need to
        make an immutable copy. And used __bridge for typecast.
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
        Ditto.

        * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
        Use CFBridgingRelease instead of autorelease for a CF dictionary that
        we return as an NSDictionary.

2018-06-04  Keith Miller  <keith_miller@apple.com>

        Remove missing files from JavaScriptCore Xcode project
        https://bugs.webkit.org/show_bug.cgi?id=186297

        Reviewed by Saam Barati.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-06-04  Keith Miller  <keith_miller@apple.com>

        Add test for CoW conversions in the DFG/FTL
        https://bugs.webkit.org/show_bug.cgi?id=186295

        Reviewed by Saam Barati.

        Add a function to $vm that returns a JSString containing the
        dataLog dump of the indexingMode of an Object.

        * tools/JSDollarVM.cpp:
        (JSC::functionIndexingMode):
        (JSC::JSDollarVM::finishCreation):

2018-06-04  Saam Barati  <sbarati@apple.com>

        Set the activeLength of all ScratchBuffers to zero when exiting the VM
        https://bugs.webkit.org/show_bug.cgi?id=186284
        <rdar://problem/40780738>

        Reviewed by Keith Miller.

        Simon recently found instances where we leak global objects from the
        ScratchBuffer. Yusuke found that we forgot to set the active length
        back to zero when doing catch OSR entry in the DFG/FTL. His solution
        to this was adding a node that cleared the active length. This is
        a good node to have, but it's not a complete solution: the DFG/FTL
        could OSR exit before that node executes, which would cause us to leak
        the data in it.
        
        This patch makes it so that we set each scratch buffer's active length
        to zero on VM exit. This helps prevent leaks for JS code that eventually
        exits the VM (which is essentially all code on the web and all API users).

        * runtime/VM.cpp:
        (JSC::VM::clearScratchBuffers):
        * runtime/VM.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::~VMEntryScope):

2018-06-04  Keith Miller  <keith_miller@apple.com>

        JSLock should clear last exception when releasing the lock
        https://bugs.webkit.org/show_bug.cgi?id=186277

        Reviewed by Mark Lam.

        If we don't clear the last exception we essentially leak the
        object and everything referenced by it until another exception is
        thrown.

        * runtime/JSLock.cpp:
        (JSC::JSLock::willReleaseLock):

2018-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Get rid of UnconditionalFinalizers and WeakReferenceHarvesters
        https://bugs.webkit.org/show_bug.cgi?id=180248

        Reviewed by Sam Weinig.

        As a final step, this patch removes ListableHandler from JSC.
        Nobody uses UnconditionalFinalizers and WeakReferenceHarvesters now.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.h:
        * heap/ListableHandler.h: Removed.

2018-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
        https://bugs.webkit.org/show_bug.cgi?id=186223

        Reviewed by Keith Miller.

        After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
        It makes this buffer a conservative GC root, and allows it to hold GC objects unnecessarily long.

        This patch introduces DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
        We model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize too to make
        this ClearCatchLocals valid.

        The existing tests for ExtractCatchLocal just pass.

        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):

2018-06-02  Darin Adler  <darin@apple.com>

        [Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
        https://bugs.webkit.org/show_bug.cgi?id=186227

        Reviewed by Dan Bernstein.

        * API/JSContext.mm:
        (-[JSContext name]): Use CFBridgingRelease instead of autorelease.
        * API/JSValue.mm:
        (valueToObjectWithoutCopy): Use CFBridgingRelease instead of autorelease.
        (containerValueToObject): Use adoptCF instead of autorelease. This is not only more
        ARC-compatible, but more efficient.
        (valueToString): Use CFBridgingRelease instead of autorelease.

2018-06-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for addition operations
        https://bugs.webkit.org/show_bug.cgi?id=179002

        Reviewed by Yusuke Suzuki.

        This patch is implementing support for BigInt operands in the binary "+"
        and binary "-" operators. Right now, we have limited support to DFG
        and FTL JIT layers, but we plan to fix this support in future
        patches.

        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::stringToBigInt):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::remainder):
        (JSC::JSBigInt::add):
        (JSC::JSBigInt::sub):
        (JSC::JSBigInt::absoluteAdd):
        (JSC::JSBigInt::absoluteSub):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::toNumber const):
        (JSC::JSBigInt::getPrimitiveNumber const):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsSub):

2018-06-02  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r232439.
        https://bugs.webkit.org/show_bug.cgi?id=186238

        It breaks gtk-linux-32-release (Requested by caiolima on
        #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for addition operations"
        https://bugs.webkit.org/show_bug.cgi?id=179002
        https://trac.webkit.org/changeset/232439

2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        Baseline op_jtrue emits an insane amount of code
        https://bugs.webkit.org/show_bug.cgi?id=185708

        Reviewed by Filip Pizlo.

        op_jtrue / op_jfalse bloat a massive amount of code. This patch attempts to reduce the size of this code by,

        1. op_jtrue / op_jfalse immediately jump if the condition is met. We add AssemblyHelpers::branchIf{Truthy,Falsey}
           to jump directly. This tightens the code.

        2. Align our emitConvertValueToBoolean implementation to FTL's boolify function. It emits less code.

        This reduces the code size of op_jtrue in x64 from 220 bytes to 164 bytes.

        [  12] jtrue             arg1, 6(->18)
              0x7f233170162c: mov 0x30(%rbp), %rax
              0x7f2331701630: mov %rax, %rsi
              0x7f2331701633: xor $0x6, %rsi
              0x7f2331701637: test $0xfffffffffffffffe, %rsi
              0x7f233170163e: jnz 0x7f2331701654
              0x7f2331701644: cmp $0x7, %eax
              0x7f2331701647: setz %sil
              0x7f233170164b: movzx %sil, %esi
              0x7f233170164f: jmp 0x7f2331701705
              0x7f2331701654: test %rax, %r14
              0x7f2331701657: jz 0x7f233170169c
              0x7f233170165d: cmp %r14, %rax
              0x7f2331701660: jb 0x7f2331701675
              0x7f2331701666: test %eax, %eax
              0x7f2331701668: setnz %sil
              0x7f233170166c: movzx %sil, %esi
              0x7f2331701670: jmp 0x7f2331701705
              0x7f2331701675: lea (%r14,%rax), %rsi
              0x7f2331701679: movq %rsi, %xmm0
              0x7f233170167e: xorps %xmm1, %xmm1
              0x7f2331701681: ucomisd %xmm1, %xmm0
              0x7f2331701685: jz 0x7f2331701695
              0x7f233170168b: mov $0x1, %esi
              0x7f2331701690: jmp 0x7f2331701705
              0x7f2331701695: xor %esi, %esi
              0x7f2331701697: jmp 0x7f2331701705
              0x7f233170169c: test %rax, %r15
              0x7f233170169f: jnz 0x7f2331701703
              0x7f23317016a5: cmp $0x1, 0x5(%rax)
              0x7f23317016a9: jnz 0x7f23317016c1
              0x7f23317016af: mov 0x8(%rax), %esi
              0x7f23317016b2: test %esi, %esi
              0x7f23317016b4: setnz %sil
              0x7f23317016b8: movzx %sil, %esi
              0x7f23317016bc: jmp 0x7f2331701705
              0x7f23317016c1: test $0x1, 0x6(%rax)
              0x7f23317016c5: jz 0x7f23317016f9
              0x7f23317016cb: mov (%rax), %esi
              0x7f23317016cd: mov $0x7f23315000c8, %rdx
              0x7f23317016d7: mov (%rdx), %rdx
              0x7f23317016da: mov (%rdx,%rsi,8), %rsi
              0x7f23317016de: mov $0x7f2330de0000, %rdx
              0x7f23317016e8: cmp %rdx, 0x18(%rsi)
              0x7f23317016ec: jnz 0x7f23317016f9
              0x7f23317016f2: xor %esi, %esi
              0x7f23317016f4: jmp 0x7f2331701705
              0x7f23317016f9: mov $0x1, %esi
              0x7f23317016fe: jmp 0x7f2331701705
              0x7f2331701703: xor %esi, %esi
              0x7f2331701705: test %esi, %esi
              0x7f2331701707: jnz 0x7f233170171b

        [  12] jtrue             arg1, 6(->18)
              0x7f6c8710156c: mov 0x30(%rbp), %rax
              0x7f6c87101570: test %rax, %r15
              0x7f6c87101573: jnz 0x7f6c871015c8
              0x7f6c87101579: cmp $0x1, 0x5(%rax)
              0x7f6c8710157d: jnz 0x7f6c87101592
              0x7f6c87101583: cmp $0x0, 0x8(%rax)
              0x7f6c87101587: jnz 0x7f6c87101623
              0x7f6c8710158d: jmp 0x7f6c87101615
              0x7f6c87101592: test $0x1, 0x6(%rax)
              0x7f6c87101596: jz 0x7f6c87101623
              0x7f6c8710159c: mov (%rax), %esi
              0x7f6c8710159e: mov $0x7f6c86f000e0, %rdx
              0x7f6c871015a8: mov (%rdx), %rdx
              0x7f6c871015ab: mov (%rdx,%rsi,8), %rsi
              0x7f6c871015af: mov $0x7f6c867e0000, %rdx
              0x7f6c871015b9: cmp %rdx, 0x18(%rsi)
              0x7f6c871015bd: jnz 0x7f6c87101623
              0x7f6c871015c3: jmp 0x7f6c87101615
              0x7f6c871015c8: cmp %r14, %rax
              0x7f6c871015cb: jb 0x7f6c871015de
              0x7f6c871015d1: test %eax, %eax
              0x7f6c871015d3: jnz 0x7f6c87101623
              0x7f6c871015d9: jmp 0x7f6c87101615
              0x7f6c871015de: test %rax, %r14
              0x7f6c871015e1: jz 0x7f6c87101602
              0x7f6c871015e7: lea (%r14,%rax), %rsi
              0x7f6c871015eb: movq %rsi, %xmm0
              0x7f6c871015f0: xorps %xmm1, %xmm1
              0x7f6c871015f3: ucomisd %xmm1, %xmm0
              0x7f6c871015f7: jz 0x7f6c87101615
              0x7f6c871015fd: jmp 0x7f6c87101623
              0x7f6c87101602: mov $0x7, %r11
              0x7f6c8710160c: cmp %r11, %rax
              0x7f6c8710160f: jz 0x7f6c87101623

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        (JSC::AssemblyHelpers::branchIfValue):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfTruthy):
        (JSC::AssemblyHelpers::branchIfFalsey):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::addJump):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jtrue):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jtrue):

2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove WeakReferenceHarvester
        https://bugs.webkit.org/show_bug.cgi?id=186102

        Reviewed by Filip Pizlo.

        After several cleanups, now JSWeakMap becomes the last user of WeakReferenceHarvester.
        Since JSWeakMap is already managed in IsoSubspace, we can iterate marked JSWeakMap
        by using output constraints & Subspace iteration.

        This patch removes WeakReferenceHarvester. Instead of managing this linked-list, our
        output constraint set iterates marked JSWeakMap by using Subspace.

        And we also add locking for JSWeakMap's rehash and output constraint visiting.

        Attached microbenchmark does not show any regression.

        * API/JSAPIWrapperObject.h:
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::endMarking):
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::addWeakReferenceHarvester): Deleted.
        * heap/SlotVisitor.h:
        * heap/WeakReferenceHarvester.h: Removed.
        * runtime/WeakMapImpl.cpp:
        (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitOutputConstraints):
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences): Deleted.
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences): Deleted.
        * runtime/WeakMapImpl.h:
        (JSC::WeakMapImpl::WeakMapImpl):
        (JSC::WeakMapImpl::finishCreation):
        (JSC::WeakMapImpl::rehash):
        (JSC::WeakMapImpl::makeAndSetNewBuffer):
        (JSC::WeakMapImpl::DeadKeyCleaner::target): Deleted.

2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Object.create should have intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=186200

        Reviewed by Filip Pizlo.

        Object.create is used in various JS code. `Object.create(null)` is particularly used
        to create an empty plain object with a null [[Prototype]]. We can find `Object.create(null)`
        call in ARES-6/Babylon code.

        This patch adds ObjectCreateIntrinsic to JSC. DFG recognizes it and produces ObjectCreate
        DFG node. DFG AI and constant folding attempt to convert it to NewObject when the prototype
        object is null. It offers a significant performance boost for `Object.create(null)`.

                                                         baseline                  patched

        object-create-null                           53.7940+-1.5297     ^     19.8846+-0.6584        ^ definitely 2.7053x faster
        object-create-unknown-object-prototype       38.9977+-1.1364     ^     37.2207+-0.6143        ^ definitely 1.0477x faster
        object-create-untyped-prototype              22.5632+-0.6917           22.2539+-0.6876          might be 1.0139x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToNewObject):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectCreate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::nullPrototypeObjectStructure const):
        * runtime/ObjectConstructor.cpp:

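        The following is an added example, not code from this patch or from WebKit. It shows
        what `Object.create(null)` buys over an object literal: the literal inherits from
        Object.prototype, so a lookup table keyed by untrusted strings sees inherited members
        such as "constructor" as if they were entries, and a write to "__proto__" hits the
        inherited accessor instead of storing a value. A null-[[Prototype]] object has no
        inherited names, so every key is an ordinary data property. The word list and the
        `countWords` helper are constructed for the demo; JSC's fold of ObjectCreate to
        NewObject is an optimization and does not change these semantics.

```javascript
// Added example (not JavaScriptCore code): why `Object.create(null)` is used
// for "plain empty objects". An object literal inherits from Object.prototype,
// a null-[[Prototype]] object inherits nothing.

// Count occurrences of each word in `table`, treating a missing key as 0.
// The `=== undefined` test is deliberately naive: it is the common pattern
// that goes wrong when `table` inherits from Object.prototype.
function countWords(words, table) {
  for (const w of words) {
    table[w] = table[w] === undefined ? 1 : table[w] + 1;
  }
  return table;
}

// Constructed input: every key also names a member of Object.prototype.
const words = ["constructor", "toString", "constructor", "__proto__"];

const literalTable = countWords(words, {});
const nullProtoTable = countWords(words, Object.create(null));

// Summarize the observable differences for a side-by-side comparison.
function summarize(table) {
  return {
    proto: Object.getPrototypeOf(table),
    keys: Object.keys(table).sort().join(","),
    constructor: table.constructor,
    // Only report "__proto__" if it is an own property of the table.
    dunderProto: Object.prototype.hasOwnProperty.call(table, "__proto__")
      ? table["__proto__"]
      : undefined,
  };
}

const literalSummary = summarize(literalTable);
const nullProtoSummary = summarize(nullProtoTable);
// With the literal, `constructor` started out as the Object function, so its
// "count" is now a string (function text + "1"), and the "__proto__" write was
// swallowed by the inherited setter: only two keys exist. With the
// null-prototype object the counts are 2, 1 and 1 and all three keys exist.
```

        The same pitfall is why code that must key objects by attacker-controlled strings
        either uses `Object.create(null)` or a `Map`.
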
2018-06-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for addition operations
        https://bugs.webkit.org/show_bug.cgi?id=179002

        Reviewed by Yusuke Suzuki.

        This patch is implementing support for BigInt operands in the binary "+"
        and binary "-" operators. Right now, we have limited support to DFG
        and FTL JIT layers, but we plan to fix this support in future
        patches.

        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::stringToBigInt):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::remainder):
        (JSC::JSBigInt::add):
        (JSC::JSBigInt::sub):
        (JSC::JSBigInt::absoluteAdd):
        (JSC::JSBigInt::absoluteSub):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::toNumber const):
        (JSC::JSBigInt::getPrimitiveNumber const):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsSub):

2018-06-01  Wenson Hsieh  <wenson_hsieh@apple.com>

        Fix the watchOS build after r232385
        https://bugs.webkit.org/show_bug.cgi?id=186203

        Reviewed by Keith Miller.

        Add a missing header include for JSImmutableButterfly.

        * runtime/ArrayPrototype.cpp:

2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add Symbol.prototype.description getter
        https://bugs.webkit.org/show_bug.cgi?id=186053

        Reviewed by Keith Miller.

        Symbol.prototype.description accessor is now stage 3 [1].
        This adds a getter to retrieve the [[Description]] value from a Symbol.
        Previously, Symbol#toString() returned the `Symbol(${description})` value,
        so users needed to extract the `description` part if they wanted it.

        [1]: https://tc39.github.io/proposal-Symbol-description/

        * runtime/Symbol.cpp:
        (JSC::Symbol::description const):
        * runtime/Symbol.h:
        * runtime/SymbolPrototype.cpp:
        (JSC::tryExtractSymbol):
        (JSC::symbolProtoGetterDescription):
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):

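        The following is an added example, not code from this patch or from WebKit. It puts the
        old extraction route (parsing the `Symbol(desc)` string from toString()) next to the new
        getter, and shows the case the string route cannot express: `Symbol()` with no description
        and `Symbol("")` with an empty one both stringify as `Symbol()`, while the getter returns
        undefined for the first and "" for the second. The helper names and the sample symbols
        are constructed for the demo.

```javascript
// Added example (not WebKit code): recovering a symbol's description before
// and after the Symbol.prototype.description getter.

// Legacy extraction: strip the "Symbol(" prefix and the ")" suffix from the
// toString() output. Works for most symbols but loses the "no description"
// versus "empty description" distinction.
function descriptionFromToString(sym) {
  const s = Symbol.prototype.toString.call(sym);
  if (!s.startsWith("Symbol(") || !s.endsWith(")")) {
    throw new TypeError("not a Symbol toString() result: " + s);
  }
  return s.slice("Symbol(".length, -1);
}

// Getter route: returns [[Description]] directly, or undefined when the
// symbol was created without one.
function descriptionFromGetter(sym) {
  return sym.description;
}

// Compare both routes for a single symbol.
function compareDescriptions(sym) {
  return {
    legacy: descriptionFromToString(sym),
    getter: descriptionFromGetter(sym),
  };
}

// Constructed cases: explicit, empty, absent, well-known and registry symbols.
const cases = {
  named: compareDescriptions(Symbol("token")),
  empty: compareDescriptions(Symbol("")),
  absent: compareDescriptions(Symbol()),
  wellKnown: compareDescriptions(Symbol.iterator),
  registered: compareDescriptions(Symbol.for("shared")),
};
```

        For `cases.absent` the legacy route yields "" while the getter yields undefined; every
        other case agrees between the two routes.
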
2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Correct values and members of JSBigInt appropriately
        https://bugs.webkit.org/show_bug.cgi?id=186196

        Reviewed by Darin Adler.

        This patch cleans up a bit to select more appropriate values and members of JSBigInt.

        1. JSBigInt's structure should be StructureIsImmortal.
        2. JSBigInt::allocationSize should be annotated with `inline`.
        3. Remove JSBigInt::visitChildren since it is completely the same as JSCell::visitChildren.
        4. Remove JSBigInt::finishCreation since it is completely the same as JSCell::finishCreation.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::compareToDouble):
        (JSC::JSBigInt::visitChildren): Deleted.
        (JSC::JSBigInt::finishCreation): Deleted.
        * runtime/JSBigInt.h:

2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] InById should be converted to MatchStructure
        https://bugs.webkit.org/show_bug.cgi?id=185803

        Reviewed by Keith Miller.

        MatchStructure is introduced for instanceof optimization. But this node
        is also useful for InById node. This patch converts InById to MatchStructure
        node with CheckStructures if possible by using InByIdStatus.

        Added microbenchmarks show improvements.

                                   baseline                  patched

        in-by-id-removed       18.1196+-0.8108     ^     16.1702+-0.9773        ^ definitely 1.1206x faster
        in-by-id-match         16.3912+-0.2608     ^     15.2736+-0.8173        ^ definitely 1.0732x faster

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/InByIdStatus.cpp: Added.
        (JSC::InByIdStatus::appendVariant):
        (JSC::InByIdStatus::computeFor):
        (JSC::InByIdStatus::hasExitSite):
        (JSC::InByIdStatus::computeForStubInfo):
        (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        (JSC::InByIdStatus::filter):
        (JSC::InByIdStatus::dump const):
        * bytecode/InByIdStatus.h: Added.
        (JSC::InByIdStatus::InByIdStatus):
        (JSC::InByIdStatus::state const):
        (JSC::InByIdStatus::isSet const):
        (JSC::InByIdStatus::operator bool const):
        (JSC::InByIdStatus::isSimple const):
        (JSC::InByIdStatus::numVariants const):
        (JSC::InByIdStatus::variants const):
        (JSC::InByIdStatus::at const):
        (JSC::InByIdStatus::operator[] const):
        (JSC::InByIdStatus::takesSlowPath const):
        * bytecode/InByIdVariant.cpp: Added.
        (JSC::InByIdVariant::InByIdVariant):
        (JSC::InByIdVariant::attemptToMerge):
        (JSC::InByIdVariant::dump const):
        (JSC::InByIdVariant::dumpInContext const):
        * bytecode/InByIdVariant.h: Added.
        (JSC::InByIdVariant::isSet const):
        (JSC::InByIdVariant::operator bool const):
        (JSC::InByIdVariant::structureSet const):
        (JSC::InByIdVariant::structureSet):
        (JSC::InByIdVariant::conditionSet const):
        (JSC::InByIdVariant::offset const):
        (JSC::InByIdVariant::isHit const):
        * bytecode/PolyProtoAccessChain.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2018-06-01  Keith Miller  <keith_miller@apple.com>

        move should only emit the move if it's actually needed
        https://bugs.webkit.org/show_bug.cgi?id=186123

        Reviewed by Saam Barati.

        This patch replaces move with moveToDestinationIfNeeded. This
        will prevent us from emitting moves to the same location. The old
        move has been renamed to emitMove and made private.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitGetGlobalPrivate):
        (JSC::BytecodeGenerator::emitGetAsyncIterator):
        (JSC::BytecodeGenerator::move): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::move):
        (JSC::BytecodeGenerator::moveToDestinationIfNeeded): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::SuperNode::emitBytecode):
        (JSC::NewTargetNode::emitBytecode):
        (JSC::ResolveNode::emitBytecode):
        (JSC::TaggedTemplateNode::emitBytecode):
        (JSC::ArrayNode::emitBytecode):
        (JSC::ObjectLiteralNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::emitPostIncOrDec):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::PrefixNode::emitResolve):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::LogicalOpNode::emitBytecode):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        (JSC::DestructuringAssignmentNode::emitBytecode):
        (JSC::ArrayPatternNode::emitDirectBinding):
        (JSC::ObjectPatternNode::bindValue const):
        (JSC::AssignmentElementNode::bindValue const):
        (JSC::ObjectSpreadExpressionNode::emitBytecode):

2018-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [Baseline] Store constant directly in emit_op_mov
        https://bugs.webkit.org/show_bug.cgi?id=186182

        Reviewed by Saam Barati.

        In the old code, we first move a constant to a register and store it to the specified address.
        But in 64bit JSC, we can directly store a constant to the specified address. This reduces the
        generated code size. Since the old code was emitting a constant in a code anyway, this change
        never increases the size of the generated code.

        * jit/JITInlines.h:
        (JSC::JIT::emitGetVirtualRegister):
        We remove this obsolete comment. Our OSR relies on the fact that values are stored and loaded
        from the stack. If we transfer values in registers without loading values from the stack, it
        breaks this assumption.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):

2018-05-31  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "=<" and ">=" relational operation
        https://bugs.webkit.org/show_bug.cgi?id=185929

        Reviewed by Yusuke Suzuki.

        This patch is introducing support for BigInt operands in the ">=" and
        "<=" operators.
        Here we introduce ```bigIntCompareResult``` that is a helper function
        to reuse code between "less than" and "less than or equal" operators.

        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::bigIntCompareResult):
        (JSC::bigIntCompare):
        (JSC::jsLess):
        (JSC::jsLessEq):
        (JSC::bigIntCompareLess): Deleted.

2018-05-31  Saam Barati  <sbarati@apple.com>

        Cache toString results for CoW arrays
        https://bugs.webkit.org/show_bug.cgi?id=186160

        Reviewed by Keith Miller.

        This patch makes it so that we cache the result of toString on
        arrays with a CoW butterfly. This cache lives on Heap and is
        cleared after every GC. We only cache the toString result when
        the CoW butterfly doesn't have a hole (currently, all CoW arrays
        have a hole, but this isn't an invariant we want to rely on). The
        reason for this is that if there is a hole, the value may be loaded
        from the prototype, and the cache may produce a stale result.
        
        This is a ~4% speedup on the ML subtest in ARES. And is a ~1% overall
        progression on ARES.

        * heap/Heap.cpp:
        (JSC::Heap::finalize):
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::canUseFastJoin):
        (JSC::holesMustForwardToPrototype):
        (JSC::isHole):
        (JSC::containsHole):
        (JSC::fastJoin):
        (JSC::arrayProtoFuncToString):

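        The following is an added example, not code from this patch or from WebKit. It
        demonstrates the hole problem the entry describes: Array.prototype.join reads each index
        with an ordinary [[Get]], so a missing own index (a hole) resolves through the prototype
        chain, and the join result of a holey array can change without the array being touched.
        A cache keyed only on array identity therefore goes stale; a cache that refuses holey
        arrays does not. The two cache helpers, the hole check and the private prototype object
        are constructed for the demo and are not JSC's implementation.

```javascript
// Added example (not WebKit code): why a toString cache must skip arrays
// with holes.

// Hole check on own storage only (mirrors the "CoW butterfly has no hole"
// condition). `i in arr` would be wrong here: it also sees prototype indices.
function hasHole(arr) {
  for (let i = 0; i < arr.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(arr, i)) return true;
  }
  return false;
}

// Naive cache: remembers the first result for every array.
const naiveCache = new WeakMap();
function cachedToStringNaive(arr) {
  if (!naiveCache.has(arr)) naiveCache.set(arr, arr.toString());
  return naiveCache.get(arr);
}

// Guarded cache: only arrays without holes are cached, as in the patch.
const guardedCache = new WeakMap();
function cachedToStringGuarded(arr) {
  if (hasHole(arr)) return arr.toString();
  if (!guardedCache.has(arr)) guardedCache.set(arr, arr.toString());
  return guardedCache.get(arr);
}

// Drive both caches across a prototype change. A private prototype (rather
// than Array.prototype itself) keeps the demo from affecting other code.
function demo() {
  const proto = Object.create(Array.prototype);
  const holey = Object.setPrototypeOf([1, , 3], proto); // index 1 is a hole
  const dense = Object.setPrototypeOf([1, 2, 3], proto);

  const before = {
    naive: cachedToStringNaive(holey),     // "1,,3"
    guarded: cachedToStringGuarded(holey), // "1,,3"
  };

  proto[1] = "x"; // the hole in `holey` now reads "x" through the prototype

  const after = {
    actual: holey.toString(),              // "1,x,3"
    naive: cachedToStringNaive(holey),     // still "1,,3": stale
    guarded: cachedToStringGuarded(holey), // "1,x,3": recomputed
    dense: cachedToStringGuarded(dense),   // "1,2,3": safe to cache
  };
  return { before, after };
}
```

        JSC additionally clears its cache after every GC; the hole guard is what protects
        against the prototype-forwarding case within a single GC cycle.
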
2018-05-31  Saam Barati  <sbarati@apple.com>

        PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
        https://bugs.webkit.org/show_bug.cgi?id=186169

        Reviewed by Mark Lam.

        If we don't do this, the CFA validation rule about StructureID being
        clobbered but AI not clobbering or folding a clobber will cause us
        to crash. Simon was running into this yesterday on arstechnica.com.
        I couldn't come up with a test case for this, but it's obvious
        what the issue is by looking at the IR dump at the time of the crash.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2018-05-31  Saam Barati  <sbarati@apple.com>

        JSImmutableButterfly should align its variable storage
        https://bugs.webkit.org/show_bug.cgi?id=186159

        Reviewed by Mark Lam.

        I'm also making the use of reinterpret_cast and bitwise_cast consistent
        inside of JSImmutableButterfly. I switched everything to use bitwise_cast.

        * runtime/JSImmutableButterfly.h:
        (JSC::JSImmutableButterfly::toButterfly const):
        (JSC::JSImmutableButterfly::fromButterfly):
        (JSC::JSImmutableButterfly::offsetOfData):
        (JSC::JSImmutableButterfly::allocationSize):

2018-05-31  Keith Miller  <keith_miller@apple.com>

        DFGArrayModes needs to know more about CoW arrays
        https://bugs.webkit.org/show_bug.cgi?id=186162

        Reviewed by Filip Pizlo.

        This patch fixes two issues in DFGArrayMode.

        1) fromObserved was missing switch cases for when the only observed ArrayModes are CopyOnWrite.
        2) DFGArrayModes needs to track if the ArrayClass is an OriginalCopyOnWriteArray in order
        to vend an accurate original structure.

        Additionally, this patch fixes some places in Bytecode parsing where we told the array mode
        we were doing a read but were actually doing a write. Also, DFGArrayMode will now print the
        action it is expecting when being dumped.

        * bytecode/ArrayProfile.h:
        (JSC::hasSeenWritableArray):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        (JSC::DFG::ArrayMode::refine const):
        (JSC::DFG::ArrayMode::originalArrayStructure const):
        (JSC::DFG::arrayActionToString):
        (JSC::DFG::arrayClassToString):
        (JSC::DFG::ArrayMode::dump const):
        (WTF::printInternal):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withProfile const):
        (JSC::DFG::ArrayMode::isJSArray const):
        (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure const):
        (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):

2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Pass VM& parameter as much as possible
        https://bugs.webkit.org/show_bug.cgi?id=186085

        Reviewed by Saam Barati.

        JSCell::vm() is slow compared to ExecState::vm(). That's why we have a bunch of functions in JSCell/JSObject that take VM& as a parameter.
        For example, we have JSCell::structure() and JSCell::structure(VM&), the former retrieves VM& from the cell and invokes structure(VM&).
        If we can get VM& from ExecState* or the other place, it reduces the inlined code size.
        This patch attempts to pass VM& parameter to such functions as much as possible.

        * API/APICast.h:
        (toJS):
        (toJSForGC):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
        (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        * API/JSObjectRef.cpp:
        (JSObjectIsConstructor):
        * API/JSTypedArray.cpp:
        (JSObjectGetTypedArrayBuffer):
        * API/JSValueRef.cpp:
        (JSValueIsInstanceOfConstructor):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForInstanceOf):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isWatchableWhenValid const):
        (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::StructureStubClearingWatchpoint::fireInternal):
        * debugger/Debugger.cpp:
        (JSC::Debugger::detach):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::create):
        (JSC::DebuggerScope::put):
        (JSC::DebuggerScope::deleteProperty):
        (JSC::DebuggerScope::getOwnPropertyNames):
        (JSC::DebuggerScope::defineOwnProperty):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::mergeOSREntryValue):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::check):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetConstantProperty):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationPopulateObjectInOSR):
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::createInjectedScript):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::caller const):
        (Inspector::JSJavaScriptCallFrame::scopeChain const):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::wasmAwareLexicalGlobalObject):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * jit/Repatch.cpp:
        (JSC::tryCacheInByID):
        * jsc.cpp:
        (functionDollarAgentReceiveBroadcast):
        (functionHasCustomProperties):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setupGetByIdPrototypeCache):
        (JSC::LLInt::getByVal):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::llint_throw_stack_overflow_error):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayPrototype.cpp:
        (JSC::speciesWatchpointIsValid):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::callAsyncFunctionConstructor):
        (JSC::constructAsyncFunctionConstructor):
        * runtime/AsyncGeneratorFunctionConstructor.cpp:
        (JSC::callAsyncGeneratorFunctionConstructor):
        (JSC::constructAsyncGeneratorFunctionConstructor):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructWithBooleanConstructor):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        (JSC::ClonedArguments::createWithInlineFrame):
        (JSC::ClonedArguments::createWithMachineFrame):
        (JSC::ClonedArguments::createByCopyingFrom):
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::materializeSpecials):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
        (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
        (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
        * runtime/ConstructData.cpp:
        (JSC::construct):
        * runtime/DateConstructor.cpp:
        (JSC::constructWithDateConstructor):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToJSON):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/Error.cpp:
        (JSC::getStackTrace):
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::Interpreter::callErrorConstructor):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructWithFunctionConstructor):
        (JSC::callFunctionConstructor):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::callGeneratorFunctionConstructor):
        (JSC::constructGeneratorFunctionConstructor):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        * runtime/InferredStructureWatchpoint.cpp:
        (JSC::InferredStructureWatchpoint::fireInternal):
        * runtime/InferredType.cpp:
        (JSC::InferredType::removeStructure):
        * runtime/InferredType.h:
        * runtime/InferredTypeInlines.h:
        (JSC::InferredType::finalizeUnconditionally):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeGetterCompare):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::formatToParts):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::formatToParts):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList):
        (JSC::defaultLocale):
        (JSC::lookupSupportedLocales):
        (JSC::intlObjectFuncGetCanonicalLocales):
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
        * runtime/IteratorOperations.cpp:
        (JSC::iteratorNext):
        (JSC::iteratorClose):
        (JSC::iteratorForIterable):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        (JSC::constructArrayBuffer):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::unsharedJSBuffer):
        (JSC::JSArrayBufferView::possiblySharedJSBuffer):
        * runtime/JSAsyncFunction.cpp:
        (JSC::JSAsyncFunction::createImpl):
        (JSC::JSAsyncFunction::create):
        (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSAsyncGeneratorFunction.cpp:
        (JSC::JSAsyncGeneratorFunction::createImpl):
        (JSC::JSAsyncGeneratorFunction::create):
        (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSBoundFunction.cpp:
        (JSC::boundThisNoArgsFunctionCall):
        (JSC::boundFunctionCall):
        (JSC::boundThisNoArgsFunctionConstruct):
        (JSC::boundFunctionConstruct):
        (JSC::getBoundFunctionStructure):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::boundArgsCopy):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        (JSC::JSCell::methodTable const):
        (JSC::JSCell::toBoolean const):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createImpl):
        * runtime/JSGeneratorFunction.cpp:
        (JSC::JSGeneratorFunction::createImpl):
        (JSC::JSGeneratorFunction::create):
        (JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::exposeDollarVM):
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::then):
        * runtime/JSInternalPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSJob.cpp:
        (JSC::JSJobMicrotask::run):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
        (JSC::JSLexicalEnvironment::put):
        * runtime/JSMap.cpp:
        (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::createPair):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::provideFetch):
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        (JSC::JSModuleLoader::requestImportModule):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::convertFromCopyOnWrite):
        (JSC::JSObject::ensureWritableInt32Slow):
        (JSC::JSObject::ensureWritableDoubleSlow):
        (JSC::JSObject::ensureWritableContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::setPrototypeDirect):
        (JSC::JSObject::deleteProperty):
        (JSC::callToPrimitiveFunction):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::isExtensible):
        (JSC::JSObject::reifyAllStaticProperties):
        (JSC::JSObject::fillGetterPropertySlot):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
        (JSC::JSObject::prototypeChainMayInterceptStoreTo):
        (JSC::JSObject::needsSlowPutIndexing const):
        (JSC::JSObject::suggestedArrayStorageTransition const):
        * runtime/JSObject.h:
        (JSC::JSObject::mayInterceptIndexedAccesses):
        (JSC::JSObject::hasIndexingHeader const):
        (JSC::JSObject::hasCustomProperties):
        (JSC::JSObject::hasGetterSetterProperties):
        (JSC::JSObject::hasCustomGetterSetterProperties):
        (JSC::JSObject::isExtensibleImpl):
        (JSC::JSObject::isStructureExtensible):
        (JSC::JSObject::indexingShouldBeSparse):
        (JSC::JSObject::staticPropertiesReified):
        (JSC::JSObject::globalObject const):
        (JSC::JSObject::finishCreation):
        (JSC::JSNonFinalObject::finishCreation):
        (JSC::getCallData):
        (JSC::getConstructData):
        (JSC::JSObject::getOwnNonIndexPropertySlot):
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putOwnDataPropertyMayBeIndex):
        (JSC::JSObject::butterflyPreCapacity):
        (JSC::JSObject::butterflyTotalSize):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::initialize):
        (JSC::JSPromise::resolve):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::newPromiseCapability):
        (JSC::callFunction):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/JSScope.h:
        (JSC::JSScope::globalObject): Deleted.
        Remove this JSScope::globalObject function since it is completely the same as JSObject::globalObject().

        * runtime/JSSet.cpp:
        (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::createPair):
        * runtime/JSStringIterator.cpp:
        (JSC::JSStringIterator::clone):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlotFromTable):
        (JSC::replaceStaticPropertySlot):
        (JSC::reifyStaticProperty):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::constructObject):
        (JSC::objectConstructorAssign):
        (JSC::toPropertyDescriptor):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncToLocaleString):
        * runtime/Operations.cpp:
        (JSC::jsIsFunctionType): Deleted.
        Replace it with JSValue::isFunction(VM&).

        * runtime/Operations.h:
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/RegExpConstructor.cpp:
        (JSC::constructWithRegExpConstructor):
        (JSC::callRegExpConstructor):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::StackFrame::nameFromCallee):
        * runtime/ScopedArguments.cpp:
        (JSC::ScopedArguments::overrideThings):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayValueMap::putDirect):
        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::replaceUsingStringSearch):
        (JSC::stringProtoFuncIterator):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyTable):
        (JSC::Structure::willStoreValueSlow):
        * runtime/StructureCache.cpp:
        (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::reportCell):
        * tools/JSDollarVM.cpp:
        (JSC::functionGlobalObjectForObject):
        (JSC::JSDollarVM::finishCreation):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJSException):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):
        (JSC::callJSWebAssemblyCompileError):
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyLinkError):
        (JSC::callJSWebAssemblyLinkError):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::instantiate):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyRuntimeError):
        (JSC::callJSWebAssemblyRuntimeError):
        * wasm/js/WebAssemblyToJSCallee.cpp:
        (JSC::WebAssemblyToJSCallee::create):

2018-05-30  Saam Barati  <sbarati@apple.com>

        DFG combined liveness needs to say that the machine CodeBlock's arguments are live
        https://bugs.webkit.org/show_bug.cgi?id=186121
        <rdar://problem/39377796>

        Reviewed by Keith Miller.

        DFG's combined liveness was reporting that the machine CodeBlock's |this|
        argument was dead at certain points in the program. However, a CodeBlock's
        arguments are considered live for the entire function. This fixes a bug
        where object allocation sinking phase skipped materializing an allocation
        because it thought that the argument it was associated with, |this|, was dead.

        * dfg/DFGCombinedLiveness.cpp:
        (JSC::DFG::liveNodesAtHead):

2018-05-30  Daniel Bates  <dabates@apple.com>

        Web Inspector: Annotate Same-Site cookies
        https://bugs.webkit.org/show_bug.cgi?id=184897
        <rdar://problem/35178209>

        Reviewed by Brian Burg.

        Update protocol to include cookie Same-Site policy.

        * inspector/protocol/Page.json:

2018-05-29  Keith Miller  <keith_miller@apple.com>

        Error instances should not strongly hold onto StackFrames
        https://bugs.webkit.org/show_bug.cgi?id=185996

        Reviewed by Mark Lam.

        Previously, we would hold onto all the StackFrames until the user
        looked at one of the properties on the Error object. This patch makes us
        only weakly retain the StackFrames and collect all the information
        if we are about to collect any frame.

        This patch also adds a method to $vm that returns the heap's count
        of live global objects.

        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::stackTraceAsString):
        * interpreter/Interpreter.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finalizeUnconditionally):
        (JSC::ErrorInstance::computeErrorInfo):
        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
        (JSC::ErrorInstance::visitChildren): Deleted.
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::subspaceFor):
        * runtime/JSFunction.cpp:
        (JSC::getCalculatedDisplayName):
        * runtime/StackFrame.h:
        (JSC::StackFrame::isMarked const):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionGlobalObjectCount):
        (JSC::JSDollarVM::finishCreation):

2018-05-30  Keith Miller  <keith_miller@apple.com>

        LLInt get_by_id prototype caching doesn't properly handle changes
        https://bugs.webkit.org/show_bug.cgi?id=186112

        Reviewed by Filip Pizlo.

        The caching would sometimes fail to track that a prototype had changed
        and wouldn't update its set of watchpoints.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/CodeBlock.h:
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const):
        * bytecode/ObjectPropertyConditionSet.h:
        (JSC::ObjectPropertyConditionSet::size const):
        * bytecode/Watchpoint.h:
        (JSC::Watchpoint::Watchpoint): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache):

2018-05-30  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "%" operation
        https://bugs.webkit.org/show_bug.cgi?id=184327

        Reviewed by Yusuke Suzuki.

        We are introducing support for BigInt in the remainder (a.k.a. mod)
        operation.

        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::remainder):
        (JSC::JSBigInt::rightTrim):
        * runtime/JSBigInt.h:

2018-05-30  Saam Barati  <sbarati@apple.com>

        AI for Atomics.load() is too conservative in always clobbering world
        https://bugs.webkit.org/show_bug.cgi?id=185738
        <rdar://problem/40342214>

        Reviewed by Yusuke Suzuki.

        It fails the assertion that Fil added for catching disagreements between
        AI and clobberize. This patch fixes that. You'd run into this if you
        manually enabled SAB in a build and ran any SAB tests.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2018-05-30  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r232212): Broke Win32 Builds
        https://bugs.webkit.org/show_bug.cgi?id=186061

        Reviewed by Yusuke Suzuki.

        Changed Windows builds with the JIT disabled to generate and use LLIntAssembly.h
        instead of LowLevelInterpreterWin.asm.

        * CMakeLists.txt:

2018-05-30  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Fix build on MIPS32r1
        https://bugs.webkit.org/show_bug.cgi?id=185944

        Reviewed by Yusuke Suzuki.

        Only use instructions on MIPS32r2 or later. mthc1 and mfhc1 are not supported
        on MIPS32r1.

        * offlineasm/mips.rb:

2018-05-29  Saam Barati  <sbarati@apple.com>

        Add a version of JSVirtualMachine shrinkFootprint that runs when the VM goes idle
        https://bugs.webkit.org/show_bug.cgi?id=186064

        Reviewed by Mark Lam.

        shrinkFootprint was implemented as:
        ```
        sanitizeStackForVM(this);
        deleteAllCode(DeleteAllCodeIfNotCollecting);
        heap.collectNow(Synchronousness::Sync);
        WTF::releaseFastMallocFreeMemory();
        ```
        
        However, for correctness reasons, deleteAllCode is implemented to do
        work when the VM is idle: no JS is running on the stack. This means
        that if shrinkFootprint is called when JS is running on the stack, it
        ends up freeing less memory than it could have if it waited to run until
        the VM goes idle.
        
        This patch makes it so we wait until idle before doing work. I'm seeing a
        10% footprint progression when testing this against a client of the JSC SPI.
        
        Because this is a semantic change in how the SPI works, this patch
        adds new SPI named shrinkFootprintWhenIdle. The plan is to move
        all clients of the shrinkFootprint SPI to shrinkFootprintWhenIdle.
        Once that happens, we will delete shrinkFootprint. Until then,
        we make shrinkFootprint do exactly what shrinkFootprintWhenIdle does.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine shrinkFootprint]):
        (-[JSVirtualMachine shrinkFootprintWhenIdle]):
        * API/JSVirtualMachinePrivate.h:
        * runtime/VM.cpp:
        (JSC::VM::shrinkFootprintWhenIdle):
        (JSC::VM::shrinkFootprint): Deleted.
        * runtime/VM.h:

2018-05-29  Saam Barati  <sbarati@apple.com>

        shrinkFootprint needs to request a full collection
        https://bugs.webkit.org/show_bug.cgi?id=186069

        Reviewed by Mark Lam.

        * runtime/VM.cpp:
        (JSC::VM::shrinkFootprint):

2018-05-29  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "<" and ">" relational operation
        https://bugs.webkit.org/show_bug.cgi?id=185379

        Reviewed by Yusuke Suzuki.

        This patch is changing the ```jsLess``` operation to follow the
        semantics of Abstract Relational Comparison[1] that supports BigInt.
        For that, we create 2 new helper functions ```bigIntCompareLess``` and
        ```toPrimitiveNumeric``` that consider BigInt as a valid type to be
        compared.

        [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-relational-comparison

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::unequalSign):
        (JSC::JSBigInt::absoluteGreater):
        (JSC::JSBigInt::absoluteLess):
        (JSC::JSBigInt::compare):
        (JSC::JSBigInt::absoluteCompare):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isPrimitive const):
        * runtime/Operations.h:
        (JSC::bigIntCompareLess):
        (JSC::toPrimitiveNumeric):
        (JSC::jsLess):

2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [Baseline] Merge loading functionalities
        https://bugs.webkit.org/show_bug.cgi?id=185907

        Reviewed by Saam Barati.

        This patch unifies emitXXXLoad functions in 32bit and 64bit.

        * jit/JITInlines.h:
        (JSC::JIT::emitDoubleGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        Define register usage first, and share the same code in 32bit and 64bit.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        Now the C stack is always enabled on JIT platforms and the number of temporary registers increases from 5 to 6 on x86.
        We can remove this special handling.

        (JSC::JIT::emitContiguousLoad): Deleted.
        (JSC::JIT::emitDoubleLoad): Deleted.
        (JSC::JIT::emitArrayStorageLoad): Deleted.

2018-05-29  Saam Barati  <sbarati@apple.com>

        JSC should put bmalloc's scavenger into mini mode
        https://bugs.webkit.org/show_bug.cgi?id=185988

        Reviewed by Michael Saboff.

        When we InitializeThreading, we'll now enable bmalloc's mini mode
        if the VM is in mini mode. This is an 8-10% progression on the footprint
        at end score in run-testmem, making it a 4-5% memory score progression.
        It's between a 0-1% regression in its time score.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):

2018-05-29  Caitlin Potter  <caitp@igalia.com>

        [JSC] Fix Array.prototype.concat fast case when single argument is Proxy
        https://bugs.webkit.org/show_bug.cgi?id=184267

        Reviewed by Saam Barati.

        Before this patch, the fast case for Array.prototype.concat was taken if
        there was a single argument passed to the function, which is either a
        non-JSCell, or an ObjectType JSCell not marked as concat-spreadable.
        This incorrectly prevented Proxy objects from being spread when
        they were the only argument passed to A.prototype.concat(), violating ECMA-262.

        * builtins/ArrayPrototype.js:
        (concat):

2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] JSBigInt::digitDiv has undefined behavior which causes test failures
        https://bugs.webkit.org/show_bug.cgi?id=186022

        Reviewed by Darin Adler.

        digitDiv performs Value64Bit >> 64 / Value32Bit >> 32, which is undefined behavior. And zero mask
        creation has an issue (`s` should be cast to a signed one before negating). They cause test failures
        in non x86 / x86_64 environments. x86 and x86_64 work well since they have a fast path written
        in asm.

        This patch fixes digitDiv by carefully avoiding undefined behaviors. We mask the left value of the
        rshift with `digitBits - 1`, which makes `digitBits` 0 while it keeps 0 <= n < digitBits values.
        This makes the target rshift well-defined in C++. While the value produced by the rshift covers 0 <= `s` < 64 (32
        in a 32bit environment) cases, this rshift does not shift if `s` is 0. sZeroMask clears the value
        if `s` is 0, so that the `s == 0` case is also covered. Note that `s == 64` never happens since `divisor`
        is never 0 here. We add an assertion for that. We also fix the `sZeroMask` calculation.

        This patch also fixes naming convention for constant values.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::digitMul):
        (JSC::JSBigInt::digitDiv):
        * runtime/JSBigInt.h:
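        The following is an added illustration of the two hazards this entry describes, not JSC's JSBigInt::digitDiv. It shows the
        normalization step of a two-word by one-word division written so that the right shift never uses a count of 64 (undefined
        behavior in C and C++) and so that the zero mask is built by negating a signed value. The names leadingZeros, carryFromLow,
        normalize and Normalized are ours, and the inputs in main are constructed for the example.

```c
#include <assert.h>
#include <stdint.h>

/* Added illustration, not JSC's JSBigInt::digitDiv. It shows the two UB
 * hazards the entry describes and one way to avoid them: a right shift by
 * exactly the word width (low >> 64 is undefined in C/C++), and an
 * all-ones/all-zeros mask built from a boolean. Function names are ours. */

typedef uint64_t Digit;
enum { digitBits = 64 };

/* Leading-zero count. Handles 0 explicitly; __builtin_clzll(0) is also UB. */
static unsigned leadingZeros(Digit x)
{
    unsigned n = 0;
    if (x == 0)
        return digitBits;
    while (!(x >> (digitBits - 1))) {
        x <<= 1;
        n++;
    }
    return n;
}

/* The bits of `low` that spill into the high word when (high:low) << s.
 * Mathematically low >> (digitBits - s), but that shift count is 64 when
 * s == 0. Masking with digitBits - 1 turns the count into 0 (so the shift is
 * defined), and sZeroMask then discards the unshifted value for s == 0. */
static Digit carryFromLow(Digit low, unsigned s)
{
    static const Digit mask = digitBits - 1;                 /* 63 */
    Digit shifted = low >> ((digitBits - s) & mask);         /* count now in [0, 63] */
    /* Negate a signed 0/1 so the result is ~0 or 0 after conversion back to Digit. */
    Digit sZeroMask = (Digit)(-(int64_t)(s != 0));
    return shifted & sZeroMask;
}

/* Normalization step of a two-word by one-word division (Knuth D): shift the
 * divisor until its top bit is set and shift the dividend by the same amount. */
typedef struct {
    Digit high;
    Digit low;
    Digit divisor;
    unsigned s;
} Normalized;

static Normalized normalize(Digit high, Digit low, Digit divisor)
{
    Normalized r;
    assert(divisor != 0);              /* s == digitBits would make divisor << s UB */
    r.s = leadingZeros(divisor);
    r.divisor = divisor << r.s;
    r.high = (high << r.s) | carryFromLow(low, r.s);
    r.low = low << r.s;
    return r;
}

int main(void)
{
    /* Constructed inputs: divisor 1 normalizes with s == 63. */
    Normalized n = normalize(0, 0x1234, 1);
    int ok = n.s == 63 && n.high == 0x91A && n.low == 0
        && carryFromLow(~(Digit)0, 0) == 0;
    return ok ? 0 : 1;
}
```

        Compile with -fsanitize=undefined to see the difference: replacing the masked count with a plain
        `low >> (digitBits - s)` and calling carryFromLow with s == 0 is reported as a shift exponent too large.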

2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Add clz32 / clz64 for MSVC
        https://bugs.webkit.org/show_bug.cgi?id=186023

        Reviewed by Daniel Bates.

        Move clz32 and clz64 to WTF.

        * runtime/MathCommon.h:
        (JSC::clz32): Deleted.
        (JSC::clz64): Deleted.

2018-05-27  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement "+" and "-" unary operation
        https://bugs.webkit.org/show_bug.cgi?id=182214

        Reviewed by Yusuke Suzuki.

        This patch implements support for the "-" unary operation on BigInt.
        It also changes the logic of ASTBuilder::makeNegateNode to
        calculate BigInt literals with the proper sign, avoiding
        unnecessary operations. This required refactoring
        JSBigInt::parseInt to take the sign as a parameter.

        We are also introducing a new DFG Node called ValueNegate to handle BigInt negate
        operations. With the introduction of BigInt, it is no longer true
        that every negate operation returns a Number. As ArithNegate is a
        node that considers that its result is always a Number, like all other
        Arith<Operation> nodes, we decided to keep this consistency and use ValueNegate when
        speculation indicates that the operand is a BigInt.
        This design follows the same distinction between ArithAdd and
        ValueAdd. Also, this new node will make it simpler to introduce
        optimizations when we create speculation paths for BigInt in future
        patches.

        In the case of the "+" unary operation on BigInt, the current semantics we already have
        are correct, since it needs to throw a TypeError because of the ToNumber call [1].
        In that case, we are adding tests to verify other edge cases.

        [1] - https://tc39.github.io/proposal-bigint/#sec-unary-plus-operator

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addBigIntConstant):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BigIntNode::jsValue const):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueNegate):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
        * jit/JITOperations.cpp:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createBigIntWithSign):
        (JSC::ASTBuilder::createBigIntFromUnaryOperation):
        (JSC::ASTBuilder::makeNegateNode):
        * parser/NodeConstructors.h:
        (JSC::BigIntNode::BigIntNode):
        * parser/Nodes.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::updateArithProfileForUnaryArithOp):
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::parseInt):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::strictEqualSlowCaseInline):

2018-05-27  Dan Bernstein  <mitz@apple.com>

        Tried to fix the 32-bit !ASSERT_DISABLED build after r232211.

        * jit/JITOperations.cpp:

2018-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Rename Array#flatten to flat
        https://bugs.webkit.org/show_bug.cgi?id=186012

        Reviewed by Saam Barati.

        Rename Array#flatten to Array#flat. This rename was done in TC39 since flatten
        conflicts with MooTools' function name.

        * builtins/ArrayPrototype.js:
        (globalPrivate.flatIntoArray):
        (flat):
        (globalPrivate.flatIntoArrayWithCallback):
        (flatMap):
        (globalPrivate.flattenIntoArray): Deleted.
        (flatten): Deleted.
        (globalPrivate.flattenIntoArrayWithCallback): Deleted.
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):

2018-05-25  Mark Lam  <mark.lam@apple.com>

        for-in loops should preserve and restore the TDZ stack for each of its internal loops.
        https://bugs.webkit.org/show_bug.cgi?id=185995
        <rdar://problem/40173142>

        Reviewed by Saam Barati.

        This is because there's no guarantee that any of the loop bodies will be
        executed.  Hence, there's no guarantee that the TDZ variables will have been
        initialized after each loop body.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::preserveTDZStack):
        (JSC::BytecodeGenerator::restoreTDZStack):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitBytecode):
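
        The TDZ rule this entry protects, as an added example that is not part of the ChangeLog or of WebKit's sources. It is plain JavaScript with no engine-specific API: `x` is declared with `let` only after the for-in loop, so a read of `x` anywhere before that declaration must throw a ReferenceError no matter how many times the loop body ran. The entry says the body is emitted once per internal loop, so the probe is driven with an empty object, an object with named keys, and an array with indexed keys; the helper name `probeForInTDZ` is my own.

```javascript
// Added example, not WebKit code: exercises the TDZ rule the for-in fix above
// protects. `x` is declared with `let` only after the loop, so every read of
// it before that declaration must throw a ReferenceError, whether the loop
// body ran zero times (empty object), once, or several times.
function probeForInTDZ(obj) {
  let bodyThrows = 0;       // iterations whose read of x hit the TDZ
  let afterThrows = false;  // did the read after the loop hit the TDZ?

  for (const key in obj) {
    try {
      x;                    // read before initialization: must throw
    } catch (e) {
      if (!(e instanceof ReferenceError)) throw e;
      bodyThrows++;
    }
  }

  // Whether or not any loop body executed, x is still uninitialized here,
  // so the engine must not have dropped this TDZ check on the strength of
  // the reads inside the loop body above.
  try {
    x;
  } catch (e) {
    if (!(e instanceof ReferenceError)) throw e;
    afterThrows = true;
  }

  let x = 1;                // end of the temporal dead zone
  return { bodyThrows, afterThrows, x };
}
```

        A correct engine reports `afterThrows === true` for every input and `bodyThrows` equal to the number of enumerated keys; an engine that let the first loop body's TDZ state leak would skip the later check and read `undefined` instead of throwing.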

2018-05-25  Mark Lam  <mark.lam@apple.com>

        MachineContext's instructionPointer() should handle null PCs correctly.
        https://bugs.webkit.org/show_bug.cgi?id=186004
        <rdar://problem/40570067>

        Reviewed by Saam Barati.

        instructionPointer() returns a MacroAssemblerCodePtr<CFunctionPtrTag>.  However,
        MacroAssemblerCodePtr's constructor does not accept a null pointer value and will
        assert accordingly with a debug ASSERT.  This is inconsequential for release
        builds, but to avoid this assertion failure, we should check for a null PC and
        return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr) instead (which uses the
        MacroAssemblerCodePtr(std::nullptr_t) version of the constructor instead).

        Alternatively, we can change all of MacroAssemblerCodePtr's constructors to check
        for null pointers, but I rather not do that yet.  In general,
        MacroAssemblerCodePtrs are constructed with non-null pointers, and I prefer to
        leave it that way for now.

        Note: this assertion failure only manifests when we have signal traps enabled,
        and encounter a null pointer deref.

        * runtime/MachineContext.h:
        (JSC::MachineContext::instructionPointer):

2018-05-25  Mark Lam  <mark.lam@apple.com>

        Enforce invariant that GetterSetter objects are invariant.
        https://bugs.webkit.org/show_bug.cgi?id=185968
        <rdar://problem/40541416>

        Reviewed by Saam Barati.

        The code already assumes the invariant that GetterSetter objects are immutable.
        For example, the use of @tryGetById in builtins expects this invariant to be true.
        The existing code mostly enforces this except for one case: JSObject's
        validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter
        object.

        This patch enforces this invariant by removing the setGetter and setSetter methods
        of GetterSetter, and requiring the getter/setter callback functions to be
        specified at construction time.

        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::withGetter): Deleted.
        (JSC::GetterSetter::withSetter): Deleted.
        * runtime/GetterSetter.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::JSObject::putDirectNativeIntrinsicGetter):
        (JSC::putDescriptor):
        (JSC::validateAndApplyPropertyDescriptor):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::slowGetterSetter):

2018-05-25  Saam Barati  <sbarati@apple.com>

        Make JSC have a mini mode that kicks in when the JIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=185931

        Reviewed by Mark Lam.

        This patch makes JSC have a mini VM mode. This currently only kicks in
        when the process can't JIT. Mini VM now means a few things:
        - We always use a 1.27x heap growth factor. This number was the best tradeoff
          between memory use progression and time regression in run-testmem. We may
          want to tune this more in the future as we make other mini VM changes.
        - We always sweep synchronously.
        - We disable generational GC.
        
        I'm going to continue to extend what mini VM mode means in future changes.
        
        This patch is a 50% memory progression and an ~8-9% time regression
        on run-testmem when running in mini VM mode with the JIT disabled.

        * heap/Heap.cpp:
        (JSC::Heap::collectNow):
        (JSC::Heap::finalize):
        (JSC::Heap::useGenerationalGC):
        (JSC::Heap::shouldSweepSynchronously):
        (JSC::Heap::shouldDoFullCollection):
        * heap/Heap.h:
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::isInMiniMode):
        * runtime/VM.h:

2018-05-25  Saam Barati  <sbarati@apple.com>

        Have a memory test where we can validate JSCs mini memory mode
        https://bugs.webkit.org/show_bug.cgi?id=185932

        Reviewed by Mark Lam.

        This patch adds the testmem CLI. It takes as input a file to run
        and the number of iterations to run it (by default it runs it
        20 times). Each iteration runs in a new JSContext. Each JSContext
        belongs to a VM that is created once. When finished, the CLI dumps
        out the peak memory usage of the process, the memory usage at the end
        of running all the iterations of the process, and the total time it
        took to run all the iterations.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * testmem: Added.
        * testmem/testmem.mm: Added.
        (description):
        (Footprint::now):
        (main):

2018-05-25  David Kilzer  <ddkilzer@apple.com>

        Fix issues with -dealloc methods found by clang static analyzer
        <https://webkit.org/b/185887>

        Reviewed by Joseph Pecoraro.

        * API/JSValue.mm:
        (-[JSValue dealloc]):
        (-[JSValue description]):
        - Move method implementations from (Internal) category to the
          main category since these are public API.  This fixes the
          false positive warning about a missing -dealloc method.

2018-05-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [Baseline] Remove a hack for DCE removal of NewFunction
        https://bugs.webkit.org/show_bug.cgi?id=185945

        Reviewed by Saam Barati.

        This `undefined` check in baseline was originally introduced in r177871. The problem was,
        when NewFunction is removed in DFG DCE, the scope DFG node it references is also removed.
        While op_new_func_xxx wants to have the scope for function creation, DFG OSR exit cannot
        retrieve it into the stack since the scope is not referenced from anywhere.

        In r177871, we fixed this by accepting an `undefined` scope in the baseline op_new_func_xxx
        implementation. But rather than that, just emitting `Phantom` for this scope is cleaner
        and consistent with the other DFG nodes like GetClosureVar.

        This patch emits Phantom instead, and removes the unnecessary `undefined` check in baseline.
        While we emit Phantom, it is not testable since NewFunction is guarded by a MovHint which
        is not removed in DFG. And in FTL, NewFunction will be converted to PhantomNewFunction
        if it is not referenced, and the scope node is kept by PutHint. But emitting Phantom is nice
        since it conservatively guards the scope, and it does not introduce any additional overhead
        compared to the current status.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitNewFuncExprCommon):

2018-05-23  Keith Miller  <keith_miller@apple.com>

        Expose $vm if window.internals is exposed
        https://bugs.webkit.org/show_bug.cgi?id=185900

        Reviewed by Mark Lam.

        This is useful for testing vm internals when running LayoutTests.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::exposeDollarVM):
        * runtime/JSGlobalObject.h:

2018-05-23  Keith Miller  <keith_miller@apple.com>

        Define length on CoW array should properly convert to writable
        https://bugs.webkit.org/show_bug.cgi?id=185927

        Reviewed by Yusuke Suzuki.

        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
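
        A regression-style check for the copy-on-write array semantics behind this entry, as an added example that is not part of the ChangeLog or of WebKit's sources. The later "We should have a CoW storage for NewArrayBuffer arrays" entry explains that arrays created by one literal site share an immutable backing store until written to, and lists element stores, growing, and adding properties as the writes that must detach it; this entry adds `length` assignment. The sharing itself is invisible from JavaScript, so the check only observes the semantics: each write must affect the written array and nothing else. The function and mutation names are my own.

```javascript
// Added example, not WebKit code: a regression-style check for the
// copy-on-write array semantics described in this log. Every call to
// makeLiteral() may hand out an array backed by the same immutable buffer
// until that array is written to, so each kind of write must detach only
// the written array and leave its siblings untouched.
function makeLiteral() {
  return [1, 2, 3];                    // one array-literal site, Int32 shape
}

// Each mutation exercises one of the transitions listed in this log.
const mutations = {
  store:     a => { a[0] = 42; },      // element store
  grow:      a => { a.push(4); },      // growing the array
  addProp:   a => { a.extra = true; }, // adding a named property
  setLength: a => { a.length = 1; },   // the setLength() case fixed here
  toDouble:  a => { a[1] = 2.5; },     // Int32 -> Double shape transition
};

// Apply one mutation to a fresh literal and report whether a sibling array
// from the same literal site still reads as the pristine [1, 2, 3].
function mutateOne(mutation) {
  const victim = makeLiteral();
  const sibling = makeLiteral();
  mutation(victim);
  const siblingIntact =
    sibling.length === 3 &&
    sibling.join() === '1,2,3' &&
    !('extra' in sibling);
  return { victim, siblingIntact };
}

function checkCopyOnWrite() {
  const report = {};
  for (const [name, fn] of Object.entries(mutations)) {
    report[name] = mutateOne(fn);
  }
  return report;
}
```

        Run `checkCopyOnWrite()` and every entry must report `siblingIntact === true`; a CoW bug of the kind fixed here would show up as a sibling whose length or elements changed after a write to a different array.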

2018-05-23  Keith Miller  <keith_miller@apple.com>

        InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format
        https://bugs.webkit.org/show_bug.cgi?id=185923

        Reviewed by Saam Barati.

        Previously, we could confuse AI by overly broadening a type. This happens when a block in a
        loop has a local mutated following a GetLocal but never SetLocal'ed to the stack. For example,

        Block 1:
        @1: GetLocal(loc42, FlushedInt32);
        @2: PutStructure(Check: Cell: @1);
        @3: Jump(Block 1);

        Would cause us to claim that loc42 could be either an int32 or some cell. However,
        the type of a local cannot change without writing to it.

        This fixes a crash in destructuring-rest-element.js

        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):

2018-05-23  Filip Pizlo  <fpizlo@apple.com>

        Speed up JetStream/base64
        https://bugs.webkit.org/show_bug.cgi?id=185914

        Reviewed by Michael Saboff.
        
        Make allocation fast paths ALWAYS_INLINE.
        
        This is a 1% speed-up on SunSpider, mostly because of base64. It also speeds up pdfjs by
        ~6%.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/AllocatorInlines.h:
        (JSC::Allocator::allocate const):
        * heap/CompleteSubspace.cpp:
        (JSC::CompleteSubspace::allocateNonVirtual): Deleted.
        * heap/CompleteSubspace.h:
        * heap/CompleteSubspaceInlines.h: Added.
        (JSC::CompleteSubspace::allocateNonVirtual):
        * heap/FreeListInlines.h:
        (JSC::FreeList::allocate):
        * heap/IsoSubspace.cpp:
        (JSC::IsoSubspace::allocateNonVirtual): Deleted.
        * heap/IsoSubspace.h:
        (JSC::IsoSubspace::allocatorForNonVirtual):
        * heap/IsoSubspaceInlines.h: Added.
        (JSC::IsoSubspace::allocateNonVirtual):
        * runtime/JSCellInlines.h:
        * runtime/VM.h:

2018-05-23  Rick Waldron  <waldron.rick@gmail.com>

        Conversion misspelled "Convertion" in error message string
        https://bugs.webkit.org/show_bug.cgi?id=185436

        Reviewed by Saam Barati, Michael Saboff

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::toNumber const):

2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Clean up stringGetByValStubGenerator
        https://bugs.webkit.org/show_bug.cgi?id=185864

        Reviewed by Saam Barati.

        We clean up stringGetByValStubGenerator.

        1. Unify 32bit and 64bit implementations.
        2. Rename stringGetByValStubGenerator to stringGetByValGenerator, move it to ThunkGenerators.cpp.
        3. Remove string type check since this code is invoked only when we know regT0 is JSString*.
        4. Do not tag Cell in stringGetByValGenerator side. 32bit code stores Cell with tag in JITPropertyAccess32_64 side.
        5. Fix invalid use of loadPtr for StringImpl::flags. Should use load32.

        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::stringGetByValStubGenerator): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::stringGetByValStubGenerator): Deleted.
        * jit/ThunkGenerators.cpp:
        (JSC::stringGetByValGenerator):
        * jit/ThunkGenerators.h:

2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use branchIfString/branchIfNotString instead of structure checks
        https://bugs.webkit.org/show_bug.cgi?id=185810

        Reviewed by Saam Barati.

        Let's use the branchIfString/branchIfNotString helper functions instead of
        checking the structure against jsString's structure. It's easier to read, and
        it emits less code since we do not need to embed the string structure's
        raw pointer in 32bit environments.

        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadCharacterString):
        (JSC::JIT::checkStructure): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::compileOpEqJumpSlow):
        (JSC::JIT::emitSlow_op_neq):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitByValIdentifierCheck):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitSlow_op_get_by_val):
        * jit/JSInterfaceJIT.h:
        (JSC::ThunkHelpers::jsStringLengthOffset): Deleted.
        (JSC::ThunkHelpers::jsStringValueOffset): Deleted.
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadJSStringArgument):
        * jit/ThunkGenerators.cpp:
        (JSC::stringCharLoad):
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        * runtime/JSString.h:

2018-05-22  Mark Lam  <mark.lam@apple.com>

        BytecodeGeneratorification shouldn't add a ValueProfile if the JIT is disabled.
        https://bugs.webkit.org/show_bug.cgi?id=185896
        <rdar://problem/40471403>

        Reviewed by Saam Barati.

        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::BytecodeGeneratorification::run):

2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Fix CachedCall's argument count if RegExp has named captures
        https://bugs.webkit.org/show_bug.cgi?id=185587

        Reviewed by Mark Lam.

        If the given RegExp has named captures, the argument count of the CachedCall in String#replace
        should be increased by one. This causes a crash with an assertion in test262. This patch corrects
        the argument count.

        This patch also unifies source.is8Bit()/!source.is8Bit() code since they are now completely
        the same.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
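
        The replacer-callback argument count this entry corrects, as an added example that is not part of the ChangeLog or of WebKit's sources. The CachedCall is JSC-internal; what JavaScript can observe is the number of arguments String#replace passes to a function replacer, which is `match, p1 ... pN, offset, string` plus one trailing `groups` object only when the RegExp has named capture groups. That trailing argument is the "+1" the entry refers to. The input string and the helper name `replacerArities` are constructed for this example.

```javascript
// Added example, not WebKit code: observes the replacer-callback argument
// count that the fix above corrects. A String#replace callback receives
// (match, p1 ... pN, offset, string) and, when the RegExp has named capture
// groups, one extra trailing `groups` argument.
function replacerArities(input) {
  const record = {};
  const probe = (label, re) => {
    const counts = [];
    let lastGroups;
    input.replace(re, (...args) => {
      counts.push(args.length);
      lastGroups = args[args.length - 1];   // `groups` when present, else the string
      return '';
    });
    record[label] = { counts, lastGroups };
  };
  probe('unnamedGlobal',  /(\d+)-(\d+)/g);         // match, p1, p2, offset, string
  probe('namedGlobal',    /(?<a>\d+)-(?<b>\d+)/g); // ... plus the groups object
  probe('namedNonGlobal', /(?<a>\d+)-(?<b>\d+)/);  // one call, still with groups
  return record;
}
```

        For the constructed input `'1-2 3-4'` the two-group unnamed pattern yields five arguments per call and the named patterns six; the last argument is the whole string in the former case and the `{ a, b }` groups object in the latter. A callback that counts its arguments is the simplest way to pin this down in a test suite.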

2018-05-22  Mark Lam  <mark.lam@apple.com>

        StringImpl utf8 conversion should not fail silently.
        https://bugs.webkit.org/show_bug.cgi?id=185888
        <rdar://problem/40464506>

        Reviewed by Filip Pizlo.

        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::dumpInContext const):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        (JSC::dateParse):
        * runtime/JSDateMath.cpp:
        (JSC::parseDate):
        * runtime/JSDateMath.h:

2018-05-22  Keith Miller  <keith_miller@apple.com>

        Remove the UnconditionalFinalizer class
        https://bugs.webkit.org/show_bug.cgi?id=185881

        Reviewed by Filip Pizlo.

        The only remaining user of this API is
        JSWebAssemblyCodeBlock. This patch changes JSWebAssemblyCodeBlock
        to use the newer template-based API and removes the old class.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        * heap/Heap.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
        * heap/SlotVisitor.h:
        * heap/UnconditionalFinalizer.h: Removed.
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        (JSC::JSWebAssemblyCodeBlock::visitChildren):
        (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
        (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyModule.h:

2018-05-22  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix internal build.

        * runtime/JSImmutableButterfly.cpp:

2018-05-22  Saam Barati  <sbarati@apple.com>

        DFG::LICMPhase should attempt to hoist edge type checks if hoisting the whole node fails
        https://bugs.webkit.org/show_bug.cgi?id=144525

        Reviewed by Filip Pizlo.

        This patch teaches LICM to fall back to hoisting a node's type checks when
        hoisting the entire node fails.
        
        This patch follows the same principles we use when deciding to hoist nodes in general:
        - If the pre header is control equivalent to where the current check is, we
        go ahead and hoist the check.
        - Otherwise, if hoisting hasn't failed before, we go ahead and gamble and
        hoist the check. If hoisting failed in the past, we will not hoist the check.

        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGUseKind.h:
        (JSC::DFG::checkMayCrashIfInputIsEmpty):

2018-05-21  Filip Pizlo  <fpizlo@apple.com>

        Get rid of TLCs
        https://bugs.webkit.org/show_bug.cgi?id=185846

        Rubber stamped by Geoffrey Garen.
        
        This removes support for thread-local caches from the GC in order to speed up allocation a
        bit.
        
        We added TLCs as part of Spectre mitigations, which we have since removed.
        
        We will want some kind of TLCs eventually, since they allow us to:
        
        - have a global GC, which may be a perf optimization at some point.
        - allocate objects from JIT threads, which we've been wanting to do for a while.
        
        This change keeps the most interesting aspect of TLCs, which is the
        LocalAllocator/BlockDirectory separation. This means that it ought to be easy to implement
        TLCs again in the future if we wanted this feature.
        
        This change removes the part of TLCs that causes a perf regression, namely that Allocator is
        an offset that requires a bounds check and lookup that makes the rest of the allocation fast
        path dependent on the load of the TLC. Now, Allocator is really just a LocalAllocator*, so
        you can directly use it to allocate. This removes two loads and a check from the allocation
        fast path. In hindsight, I probably could have made that whole thing more efficient, had I
        allowed us to have a statically known set of LocalAllocators. This would have removed the
        bounds check (one load and one branch) and it would have made it possible to CSE the load of
        the TLC data structure, since that would no longer resize. But that's a harder change than
        this patch, and we don't need it right now.
        
        While reviewing the allocation hot paths, I found that CreateThis had an unnecessary branch
        to check if the allocator is null. I removed that check. AssemblyHelpers::emitAllocate() does
        that check already. Previously, the TLC bounds check doubled as this check.
        
        This is a 1% speed-up on Octane and a 2.3% speed-up on TailBench. However, the Octane
        speed-up on my machine includes an 8% regexp speed-up. I've found that sometimes regexp
        speeds up or slows down by 8% depending on which path I build JSC from. Without that 8%, this
        is still an Octane speed-up due to 2-4% speed-ups in earley, boyer, raytrace, and splay.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCreateThis):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        * heap/Allocator.cpp:
        (JSC::Allocator::cellSize const):
        * heap/Allocator.h:
        (JSC::Allocator::Allocator):
        (JSC::Allocator::localAllocator const):
        (JSC::Allocator::operator== const):
        (JSC::Allocator::offset const): Deleted.
        * heap/AllocatorInlines.h:
        (JSC::Allocator::allocate const):
        (JSC::Allocator::tryAllocate const): Deleted.
        * heap/BlockDirectory.cpp:
        (JSC::BlockDirectory::BlockDirectory):
        (JSC::BlockDirectory::~BlockDirectory):
        * heap/BlockDirectory.h:
        (JSC::BlockDirectory::allocator const): Deleted.
        * heap/CompleteSubspace.cpp:
        (JSC::CompleteSubspace::allocateNonVirtual):
        (JSC::CompleteSubspace::allocatorForSlow):
        (JSC::CompleteSubspace::tryAllocateSlow):
        * heap/CompleteSubspace.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        * heap/Heap.h:
        (JSC::Heap::threadLocalCacheLayout): Deleted.
        * heap/IsoSubspace.cpp:
        (JSC::IsoSubspace::IsoSubspace):
        (JSC::IsoSubspace::allocateNonVirtual):
        * heap/IsoSubspace.h:
        (JSC::IsoSubspace::allocatorForNonVirtual):
        * heap/LocalAllocator.cpp:
        (JSC::LocalAllocator::LocalAllocator):
        (JSC::LocalAllocator::~LocalAllocator):
        * heap/LocalAllocator.h:
        (JSC::LocalAllocator::cellSize const):
        (JSC::LocalAllocator::tlc const): Deleted.
        * heap/ThreadLocalCache.cpp: Removed.
        * heap/ThreadLocalCache.h: Removed.
        * heap/ThreadLocalCacheInlines.h: Removed.
        * heap/ThreadLocalCacheLayout.cpp: Removed.
        * heap/ThreadLocalCacheLayout.h: Removed.
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
        (JSC::AssemblyHelpers::emitAllocate):
        (JSC::AssemblyHelpers::emitAllocateVariableSized):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_this):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::~VMEntryScope):
        * runtime/VMEntryScope.h:

2018-05-22  Keith Miller  <keith_miller@apple.com>

        We should have a CoW storage for NewArrayBuffer arrays.
        https://bugs.webkit.org/show_bug.cgi?id=185003

        Reviewed by Filip Pizlo.

        This patch adds copy on write storage for new array buffers. In
        order to do this there needed to be significant changes to the
        layout of IndexingType. The new indexing type has the following
        shape:

        struct IndexingTypeAndMisc {
            struct IndexingModeIncludingHistory {
                struct IndexingMode {
                    struct IndexingType {
                        uint8_t isArray:1;          // bit 0
                        uint8_t shape:3;            // bit 1 - 3
                    };
                    uint8_t copyOnWrite:1;          // bit 4
                };
                uint8_t mayHaveIndexedAccessors:1;  // bit 5
            };
            uint8_t cellLockBits:2;                 // bit 6 - 7
        };

        For simplicity ArrayStorage shapes cannot be CoW. So the only
        valid CoW indexing shapes are ArrayWithInt32, ArrayWithDouble, and
        ArrayWithContiguous.

        The backing store for a CoW array is a new class
        JSImmutableButterfly, which looks exactly the same as a normal
        butterfly except that it has a JSCell header. Like other
        butterflies, JSImmutableButterflies are allocated out of the
        Auxiliary Gigacage and are pointed to by JSCells in the same
        way. However, when marking JSImmutableButterflies they are marked
        as if they were a property.

        With CoW arrays, the new_array_buffer bytecode will reallocate the
        shared JSImmutableButterfly if it sees from the allocation profile
        that the last array it allocated has transitioned to a different
        indexing type. From then on, all arrays created by that
        new_array_buffer bytecode will have the promoted indexing
        type. This is more or less the same as what we used to do. The
        only difference is that we don't promote all the way to array
        storage even if we have seen it before.

        Transitioning from a CoW indexing mode occurs whenever someone
        tries to store to an element, grow the array, or add properties.
        Storing or growing the array will call into code that does the
        stupid thing of copying the butterfly then continue into the old
        code. This doesn't end up costing us as future allocations will
        use any upgraded indexing shape.  We get adding properties for
        free by just changing the indexing mode on transition (our C++
        code always updates the indexing mode).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/ArrayAllocationProfile.cpp:
        (JSC::ArrayAllocationProfile::updateProfile):
        * bytecode/ArrayAllocationProfile.h:
        (JSC::ArrayAllocationProfile::initializeIndexingMode):
        * bytecode/ArrayProfile.cpp:
        (JSC::dumpArrayModes):
        (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
        * bytecode/ArrayProfile.h:
        (JSC::asArrayModes):
        (JSC::arrayModeFromStructure):
        (JSC::arrayModesInclude):
        (JSC::hasSeenCopyOnWriteArray):
        * bytecode/BytecodeList.json:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::generateArrayLength):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
        (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newArrayAllocationProfile):
        (JSC::BytecodeGenerator::emitNewArrayBuffer):
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitNewArrayWithSize):
        (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::ArrayPatternNode::bindValue const):
        (JSC::ArrayPatternNode::emitDirectBinding):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArgumentsUtilities.cpp:
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        (JSC::DFG::ArrayMode::refine const):
        (JSC::DFG::ArrayMode::alreadyChecked const):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::ArrayMode):
        (JSC::DFG::ArrayMode::action const):
        (JSC::DFG::ArrayMode::withSpeculation const):
        (JSC::DFG::ArrayMode::withArrayClass const):
        (JSC::DFG::ArrayMode::withType const):
        (JSC::DFG::ArrayMode::withConversion const):
        (JSC::DFG::ArrayMode::withTypeAndConversion const):
        (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
        (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::indexingType):
        (JSC::DFG::Node::indexingMode):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
        (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
        (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
        (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * generate-bytecode-files:
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        (JSC::loadVarargs):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/Repatch.cpp:
        (JSC::tryCachePutByID):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Butterfly.h:
        (JSC::ContiguousData::Data::Data):
        (JSC::ContiguousData::Data::operator bool const):
        (JSC::ContiguousData::Data::operator=):
        (JSC::ContiguousData::Data::operator const T& const):
        (JSC::ContiguousData::Data::set):
        (JSC::ContiguousData::Data::setWithoutWriteBarrier):
        (JSC::ContiguousData::Data::clear):
        (JSC::ContiguousData::Data::get const):
        (JSC::ContiguousData::atUnsafe):
        (JSC::ContiguousData::at const): Deleted.
        (JSC::ContiguousData::at): Deleted.
        * runtime/ButterflyInlines.h:
        (JSC::ContiguousData<T>::at const):
        (JSC::ContiguousData<T>::at):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::allocateNewArrayBuffer):
        * runtime/IndexingType.cpp:
        (JSC::leastUpperBoundOfIndexingTypeAndType):
        (JSC::leastUpperBoundOfIndexingTypeAndValue):
        (JSC::dumpIndexingType):
        * runtime/IndexingType.h:
        (JSC::hasIndexedProperties):
        (JSC::hasUndecided):
        (JSC::hasInt32):
        (JSC::hasDouble):
        (JSC::hasContiguous):
        (JSC::hasArrayStorage):
        (JSC::hasAnyArrayStorage):
        (JSC::hasSlowPutArrayStorage):
        (JSC::shouldUseSlowPut):
        (JSC::isCopyOnWrite):
        (JSC::arrayIndexFromIndexingType):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::put):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::fastSlice):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        (JSC::JSCell::finishCreation):
        (JSC::JSCell::indexingType const):
        (JSC::JSCell::indexingMode const):
        (JSC::JSCell::setStructure):
        * runtime/JSFixedArray.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::haveABadTime):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::originalArrayStructureForIndexingType const):
        (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
        (JSC::JSGlobalObject::isOriginalArrayStructure):
        * runtime/JSImmutableButterfly.cpp: Added.
        (JSC::JSImmutableButterfly::visitChildren):
        (JSC::JSImmutableButterfly::copyToArguments):
        * runtime/JSImmutableButterfly.h: Added.
        (JSC::JSImmutableButterfly::createStructure):
        (JSC::JSImmutableButterfly::tryCreate):
        (JSC::JSImmutableButterfly::create):
        (JSC::JSImmutableButterfly::publicLength const):
        (JSC::JSImmutableButterfly::vectorLength const):
        (JSC::JSImmutableButterfly::length const):
        (JSC::JSImmutableButterfly::toButterfly const):
        (JSC::JSImmutableButterfly::fromButterfly):
        (JSC::JSImmutableButterfly::get const):
        (JSC::JSImmutableButterfly::subspaceFor):
        (JSC::JSImmutableButterfly::setIndex):
        (JSC::JSImmutableButterfly::allocationSize):
        (JSC::JSImmutableButterfly::JSImmutableButterfly):
        * runtime/JSObject.cpp:
        (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties):
        (JSC::JSObject::visitButterflyImpl):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::createInitialForValueAndSet):
        (JSC::JSObject::convertInt32ForValue):
        (JSC::JSObject::convertFromCopyOnWrite):
        (JSC::JSObject::ensureWritableInt32Slow):
        (JSC::JSObject::ensureWritableDoubleSlow):
        (JSC::JSObject::ensureWritableContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::canDoFastPutDirectIndex):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::countElements):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::getEnumerableLength):
        (JSC::JSObject::ensureInt32Slow): Deleted.
        (JSC::JSObject::ensureDoubleSlow): Deleted.
        (JSC::JSObject::ensureContiguousSlow): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectIndex):
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::initializeIndexWithoutBarrier):
        (JSC::JSObject::ensureWritableInt32):
        (JSC::JSObject::ensureWritableDouble):
        (JSC::JSObject::ensureWritableContiguous):
        (JSC::JSObject::ensureLength):
        (JSC::JSObject::ensureInt32): Deleted.
        (JSC::JSObject::ensureDouble): Deleted.
        (JSC::JSObject::ensureContiguous): Deleted.
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/JSType.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::addNewPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        * runtime/Structure.h:
        * runtime/StructureIDBlob.h:
        (JSC::StructureIDBlob::StructureIDBlob):
        (JSC::StructureIDBlob::indexingModeIncludingHistory const):
        (JSC::StructureIDBlob::setIndexingModeIncludingHistory):
        (JSC::StructureIDBlob::indexingModeIncludingHistoryOffset):
        (JSC::StructureIDBlob::indexingTypeIncludingHistory const): Deleted.
        (JSC::StructureIDBlob::setIndexingTypeIncludingHistory): Deleted.
        (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset): Deleted.
        * runtime/StructureTransitionTable.h:
        (JSC::newIndexingType):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-05-22  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r232052.

        Breaks internal builds.

        Reverted changeset:

        "Use more C++17"
        https://bugs.webkit.org/show_bug.cgi?id=185176
        https://trac.webkit.org/changeset/232052

2018-05-22  Alberto Garcia  <berto@igalia.com>

        [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
        https://bugs.webkit.org/show_bug.cgi?id=182622
        <rdar://problem/40292317>

        Reviewed by Michael Catanzaro.

        We were linking JavaScriptCore against libatomic in MIPS because
        in that architecture __atomic_fetch_add_8() is not a compiler
        intrinsic and is provided by that library instead. However, other
        architectures (e.g. armel) are in the same situation, so we need a
        generic test.

        That test already exists in WebKit/CMakeLists.txt, so we just have
        to move it to a common file (WebKitCompilerFlags.cmake) and use
        its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.

        * CMakeLists.txt:

2018-05-22  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, rolling out r231843.

        Broke cross build

        Reverted changeset:

        "[CMake] Properly detect compiler flags, needed libs, and
        fallbacks for usage of 64-bit atomic operations"
        https://bugs.webkit.org/show_bug.cgi?id=182622
        https://trac.webkit.org/changeset/231843

2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use more C++17
        https://bugs.webkit.org/show_bug.cgi?id=185176

        Reviewed by JF Bastien.

        * Configurations/Base.xcconfig:

2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove duplicate methods in JSInterfaceJIT
        https://bugs.webkit.org/show_bug.cgi?id=185813

        Reviewed by Saam Barati.

        Some methods of JSInterfaceJIT are duplicates of AssemblyHelpers' ones.
        This patch removes them and uses AssemblyHelpers' ones instead.

        This patch also cleans up ThunkGenerators' unnecessary ifdefs a bit.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::tagFor):
        (JSC::AssemblyHelpers::payloadFor):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emit_compareUnsigned):
        (JSC::JIT::emit_op_inc):
        (JSC::JIT::emit_op_dec):
        (JSC::JIT::emit_op_mod):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitPutIntToCallFrameHeader):
        (JSC::JIT::updateTopCallFrame):
        (JSC::JIT::emitInitRegister):
        (JSC::JIT::emitLoad):
        (JSC::JIT::emitStore):
        (JSC::JIT::emitStoreInt32):
        (JSC::JIT::emitStoreCell):
        (JSC::JIT::emitStoreBool):
        (JSC::JIT::emitGetVirtualRegister):
        (JSC::JIT::emitPutVirtualRegister):
        (JSC::JIT::emitTagBool): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::emit_op_is_empty):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_boolean):
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_eq):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emitSlow_op_instanceof_custom):
        (JSC::JIT::emitNewFuncExprCommon):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitLoadInt32):
        (JSC::JSInterfaceJIT::emitLoadDouble):
        (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
        (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
        (JSC::JSInterfaceJIT::tagFor): Deleted.
        (JSC::JSInterfaceJIT::payloadFor): Deleted.
        (JSC::JSInterfaceJIT::intPayloadFor): Deleted.
        (JSC::JSInterfaceJIT::intTagFor): Deleted.
        (JSC::JSInterfaceJIT::emitTagInt): Deleted.
        (JSC::JSInterfaceJIT::addressFor): Deleted.
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnDouble):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        (JSC::arityFixupGenerator):

2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, reland InById cache
        https://bugs.webkit.org/show_bug.cgi?id=185682

        Includes Dominik's 32bit fix.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::fromStructureStubInfo):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generateImpl):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::generateSelfInAccess):
        * bytecode/InlineAccess.h:
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::initInByIdSelf):
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::aboutToDie):
        (JSC::StructureStubInfo::reset):
        (JSC::StructureStubInfo::visitWeakReferences):
        (JSC::StructureStubInfo::propagateTransitions):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::patchableJump):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitInByVal):
        (JSC::BytecodeGenerator::emitInById):
        (JSC::BytecodeGenerator::emitIn): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addInById):
        (JSC::DFG::InRecord::InRecord): Deleted.
        (JSC::DFG::JITCompiler::addIn): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToInById):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInById):
        (JSC::DFG::SpeculativeJIT::compileInByVal):
        (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileInById):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::boxBoolean):
        * jit/ICStats.h:
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::link):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITInByIdGenerator::JITInByIdGenerator):
        (JSC::JITInByIdGenerator::generateFastPath):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITInByIdGenerator::JITInByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_in_by_id):
        (JSC::JIT::emitSlow_op_in_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_in_by_id):
        (JSC::JIT::emitSlow_op_in_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheInByID):
        (JSC::repatchInByID):
        (JSC::resetInByID):
        (JSC::tryCacheIn): Deleted.
        (JSC::repatchIn): Deleted.
        (JSC::resetIn): Deleted.
        * jit/Repatch.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/NodeConstructors.h:
        (JSC::InNode::InNode):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opInByVal):
        (JSC::CommonSlowPaths::opIn): Deleted.

2018-05-21  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231998 and r232017.
        https://bugs.webkit.org/show_bug.cgi?id=185842

        causes crashes on 32 JSC bot (Requested by realdawei on
        #webkit).

        Reverted changesets:

        "[JSC] JSC should have consistent InById IC"
        https://bugs.webkit.org/show_bug.cgi?id=185682
        https://trac.webkit.org/changeset/231998

        "Unreviewed, fix 32bit and scope release"
        https://bugs.webkit.org/show_bug.cgi?id=185682
        https://trac.webkit.org/changeset/232017

2018-05-21  Jer Noble  <jer.noble@apple.com>

        Complete fix for enabling modern EME by default
        https://bugs.webkit.org/show_bug.cgi?id=185770
        <rdar://problem/40368220>

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix 32bit and scope release
        https://bugs.webkit.org/show_bug.cgi?id=185682

        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_in_by_id):

2018-05-20  Filip Pizlo  <fpizlo@apple.com>

        Revert the B3 compiler pipeline's treatment of taildup
        https://bugs.webkit.org/show_bug.cgi?id=185808

        Reviewed by Yusuke Suzuki.
        
        While trying to implement path specialization (bug 185060), I reorganized the B3 pass pipeline.
        But then path specialization turned out to be a negative result. This reverts the pipeline to the
        way it was before that work.
        
        1.5% progression on V8Spider-CompileTime.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):

2018-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase
        https://bugs.webkit.org/show_bug.cgi?id=185802

        Reviewed by Saam Barati.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2018-05-18  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline InstanceOf ICs
        https://bugs.webkit.org/show_bug.cgi?id=185695

        Reviewed by Yusuke Suzuki.
        
        This teaches the DFG how to inline InstanceOf ICs into a MatchStructure node. This can then
        be folded to a CheckStructure + JSConstant.
        
        In the process of testing this, I found a bug where LICM was not hoisting things that
        depended on ExtraOSREntryLocal because that might return SpecEmpty. I fixed that by teaching
        LICM how to materialize CheckNotEmpty on demand whenever !HoistingFailed.
        
        This is a ~5% speed-up on boyer.
        
        ~2x speed-up on the instanceof-always-hit-one, instanceof-always-hit-two, and
        instanceof-sometimes-hit microbenchmarks.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::appendVariant):
        (JSC::GetByIdStatus::filter):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::operator bool const):
        (JSC::GetByIdStatus::operator! const): Deleted.
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::operator bool const):
        (JSC::GetByIdVariant::operator! const): Deleted.
        * bytecode/ICStatusUtils.h: Added.
        (JSC::appendICStatusVariant):
        (JSC::filterICStatusVariants):
        * bytecode/InstanceOfStatus.cpp: Added.
        (JSC::InstanceOfStatus::appendVariant):
        (JSC::InstanceOfStatus::computeFor):
        (JSC::InstanceOfStatus::computeForStubInfo):
        (JSC::InstanceOfStatus::commonPrototype const):
        (JSC::InstanceOfStatus::filter):
        * bytecode/InstanceOfStatus.h: Added.
        (JSC::InstanceOfStatus::InstanceOfStatus):
        (JSC::InstanceOfStatus::state const):
        (JSC::InstanceOfStatus::isSet const):
        (JSC::InstanceOfStatus::operator bool const):
        (JSC::InstanceOfStatus::isSimple const):
        (JSC::InstanceOfStatus::takesSlowPath const):
        (JSC::InstanceOfStatus::numVariants const):
        (JSC::InstanceOfStatus::variants const):
        (JSC::InstanceOfStatus::at const):
        (JSC::InstanceOfStatus::operator[] const):
        * bytecode/InstanceOfVariant.cpp: Added.
        (JSC::InstanceOfVariant::InstanceOfVariant):
        (JSC::InstanceOfVariant::attemptToMerge):
        (JSC::InstanceOfVariant::dump const):
        (JSC::InstanceOfVariant::dumpInContext const):
        * bytecode/InstanceOfVariant.h: Added.
        (JSC::InstanceOfVariant::InstanceOfVariant):
        (JSC::InstanceOfVariant::operator bool const):
        (JSC::InstanceOfVariant::structureSet const):
        (JSC::InstanceOfVariant::structureSet):
        (JSC::InstanceOfVariant::conditionSet const):
        (JSC::InstanceOfVariant::prototype const):
        (JSC::InstanceOfVariant::isHit const):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::StructureStubInfo):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::considerCaching):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::remove):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasMatchStructureData):
        (JSC::DFG::Node::matchStructureData):
        * dfg/DFGNodeType.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMatchStructure):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileMatchStructure):

2018-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] JSC should have consistent InById IC
        https://bugs.webkit.org/show_bug.cgi?id=185682

        Reviewed by Filip Pizlo.

        Currently our op_in IC is ad hoc: it is only emitted in the DFG and FTL layers,
        when we find that DFG::In's parameter is a constant string. We should
        align this IC with the other ById ICs to clean up and remove ad hoc code
        in DFG and FTL.

        This patch cleans up our "In" IC by aligning it with the other ById ICs.
        We split the op_in bytecode into op_in_by_id and op_in_by_val. op_in_by_val
        is the same as the original op_in. For op_in_by_id, we use JITInByIdGenerator
        to emit InById IC code. In addition, our JITInByIdGenerator and op_in_by_id
        have an inline access cache for the own-property case, the same as
        JITGetByIdGenerator.

        And we split DFG::In into DFG::InById and DFG::InByVal. InByVal is the same
        as the original In DFG node. DFG AI attempts to lower InByVal to InById
        if AI figures out that the property name is a constant string. And in
        the InById node, we use JITInByIdGenerator code.

        This patch cleans up DFG and FTL's ad hoc In IC code.

        In a subsequent patch, we should introduce InByIdStatus to optimize
        InById in DFG and FTL. We would like to have a new InByIdStatus instead of
        reusing GetByIdStatus since GetByIdStatus becomes too complicated, and
        AccessCase::Types are different from them (AccessCase::InHit / InMiss).

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::fromStructureStubInfo):
        (JSC::AccessCase::generateWithGuard):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::generateSelfInAccess):
        * bytecode/InlineAccess.h:
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::initInByIdSelf):
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::aboutToDie):
        (JSC::StructureStubInfo::reset):
        (JSC::StructureStubInfo::visitWeakReferences):
        (JSC::StructureStubInfo::propagateTransitions):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::patchableJump):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitInByVal):
        (JSC::BytecodeGenerator::emitInById):
        (JSC::BytecodeGenerator::emitIn): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addInById):
        (JSC::DFG::InRecord::InRecord): Deleted.
        (JSC::DFG::JITCompiler::addIn): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToInById):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInById):
        (JSC::DFG::SpeculativeJIT::compileInByVal):
        (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileInById):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
        * jit/ICStats.h:
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::link):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITInByIdGenerator::JITInByIdGenerator):
        (JSC::JITInByIdGenerator::generateFastPath):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITInByIdGenerator::JITInByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_in_by_id):
        (JSC::JIT::emitSlow_op_in_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_in_by_id):
        (JSC::JIT::emitSlow_op_in_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheInByID):
        (JSC::repatchInByID):
        (JSC::resetInByID):
        (JSC::tryCacheIn): Deleted.
        (JSC::repatchIn): Deleted.
        (JSC::resetIn): Deleted.
        * jit/Repatch.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/NodeConstructors.h:
        (JSC::InNode::InNode):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opInByVal):
        (JSC::CommonSlowPaths::opIn): Deleted.

2018-05-18  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231982.
        https://bugs.webkit.org/show_bug.cgi?id=185793

        Caused layout test failures (Requested by realdawei on
        #webkit).

        Reverted changeset:

        "Complete fix for enabling modern EME by default"
        https://bugs.webkit.org/show_bug.cgi?id=185770
        https://trac.webkit.org/changeset/231982

2018-05-18  Keith Miller  <keith_miller@apple.com>

        op_in should mark if it sees out of bounds accesses
        https://bugs.webkit.org/show_bug.cgi?id=185792

        Reviewed by Filip Pizlo.

        This used to cause us to OSR loop since we would always speculate
        we were in bounds in HasIndexedProperty.

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::observeIndexedRead):
        * bytecode/ArrayProfile.h:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):

2018-05-18  Mark Lam  <mark.lam@apple.com>

        Add missing exception check.
        https://bugs.webkit.org/show_bug.cgi?id=185786
        <rdar://problem/35686560>

        Reviewed by Michael Saboff.

        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):

2018-05-18  Jer Noble  <jer.noble@apple.com>

        Complete fix for enabling modern EME by default
        https://bugs.webkit.org/show_bug.cgi?id=185770
        <rdar://problem/40368220>

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix exception checking, part 2
        https://bugs.webkit.org/show_bug.cgi?id=185350

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByValInternal):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):

2018-05-16  Filip Pizlo  <fpizlo@apple.com>

        JSC should have InstanceOf inline caching
        https://bugs.webkit.org/show_bug.cgi?id=185652

        Reviewed by Saam Barati.
        
        This adds a polymorphic inline cache for instanceof. It caches hits and misses. It uses the
        existing PolymorphicAccess IC machinery along with all of its heuristics. If we ever generate
        too many cases, we emit the generic instanceof implementation instead.
        
        All of the JIT tiers use the same InstanceOf IC. It uses the existing JITInlineCacheGenerator
        abstraction.
        
        This is a ~40% speed-up on instanceof microbenchmarks. It's a *tiny* (~1%) speed-up on
        Octane/boyer. I think I can make that speed-up bigger by inlining the inline cache.

        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/B3Effects.h:
        (JSC::B3::Effects::forReadOnlyCall):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::guardedByStructureCheck const):
        (JSC::AccessCase::canReplace const):
        (JSC::AccessCase::visitWeak const):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCase.h:
        * bytecode/InstanceOfAccessCase.cpp: Added.
        (JSC::InstanceOfAccessCase::create):
        (JSC::InstanceOfAccessCase::dumpImpl const):
        (JSC::InstanceOfAccessCase::clone const):
        (JSC::InstanceOfAccessCase::~InstanceOfAccessCase):
        (JSC::InstanceOfAccessCase::InstanceOfAccessCase):
        * bytecode/InstanceOfAccessCase.h: Added.
        (JSC::InstanceOfAccessCase::prototype const):
        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::hasPrototypeWithoutBarrier):
        (JSC::ObjectPropertyCondition::hasPrototype):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForInstanceOf):
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::addCases):
        (JSC::PolymorphicAccess::regenerate):
        (WTF::printInternal):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::dumpInContext const):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
        (WTF::printInternal):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::absenceWithoutBarrier):
        (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
        (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
        (JSC::PropertyCondition::hasPrototype):
        (JSC::PropertyCondition::hasPrototype const):
        (JSC::PropertyCondition::prototype const):
        (JSC::PropertyCondition::hash const):
        (JSC::PropertyCondition::operator== const):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::StructureStubInfo):
        (JSC::StructureStubInfo::reset):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::considerCaching):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInlineCacheWrapper.h:
        * dfg/DFGInlineCacheWrapperInlines.h:
        (JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addInstanceOf):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
        * jit/ICStats.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::link):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITInlineCacheGenerator::finalize):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::finalize):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
        (JSC::JITInstanceOfGenerator::generateFastPath):
        (JSC::JITInstanceOfGenerator::finalize):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITInlineCacheGenerator::reportSlowPathCall):
        (JSC::JITInlineCacheGenerator::slowPathBegin const):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
        (JSC::finalizeInlineCaches):
        (JSC::JITByIdGenerator::reportSlowPathCall): Deleted.
        (JSC::JITByIdGenerator::slowPathBegin const): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::stubUnavailableRegisters):
        * jit/Repatch.cpp:
        (JSC::tryCacheIn):
        (JSC::tryCacheInstanceOf):
        (JSC::repatchInstanceOf):
        (JSC::resetPatchableJump):
        (JSC::resetIn):
        (JSC::resetInstanceOf):
        * jit/Repatch.h:
        * runtime/Options.h:
        * runtime/Structure.h:

2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix exception checking
        https://bugs.webkit.org/show_bug.cgi?id=185350

        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectWithReify):
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):

2018-05-17  Michael Saboff  <msaboff@apple.com>

        We don't throw SyntaxErrors for runtime generated regular expressions with errors
        https://bugs.webkit.org/show_bug.cgi?id=185755

        Reviewed by Keith Miller.

        Added a new helper that creates the correct exception to throw for each type of error when
        compiling a RegExp.  Using that new helper, added missing checks for RegExp for the cases
        where we create a new RegExp from an existing one.  Also refactored other places that we
        throw SyntaxErrors after a failed RegExp compile to use the new helper.

        * runtime/RegExp.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpCreate):
        (JSC::constructRegExp):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        * yarr/YarrErrorCode.cpp:
        (JSC::Yarr::errorToThrow):
        * yarr/YarrErrorCode.h:

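        The behaviour this entry restores, shown as an added example (not WebKit or JSC code): per ECMAScript,
        a RegExp built from a malformed pattern, a RegExp derived from an existing one with invalid flags, and
        the Annex B RegExp.prototype.compile() path must all throw a SyntaxError instead of silently producing
        a broken regexp. The names throwsSyntaxError and checkRegExpErrors are helper names chosen for this
        illustration.

```javascript
// Added example, not JSC code: exercises the RegExp creation paths that must
// surface a SyntaxError when the pattern or the flags are invalid.
function throwsSyntaxError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

function checkRegExpErrors() {
  const existing = /a+/i;
  return {
    // Malformed pattern passed directly to the constructor.
    badPattern: throwsSyntaxError(() => new RegExp("(")),
    // New RegExp derived from an existing one, but with invalid flags ("zz"
    // is both an unknown flag letter and a repeated one).
    badFlagsFromRegExp: throwsSyntaxError(() => new RegExp(existing, "zz")),
    // Annex B compile() rebuilds an existing RegExp in place; bad input must
    // throw there as well.
    compileBadPattern: throwsSyntaxError(() => /b/.compile("(")),
    compileBadFlags: throwsSyntaxError(() => /b/.compile("b", "zz")),
    // Sanity check: a valid derived RegExp keeps the source and takes the
    // newly supplied flags.
    validClone: (() => {
      const clone = new RegExp(existing, "g");
      return clone.source === "a+" && clone.flags === "g";
    })(),
  };
}
```

        Running checkRegExpErrors() on a conforming engine yields true for every field; an engine with the
        bug this entry fixes would return false for the derived-RegExp cases.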
2018-05-17  Saam Barati  <sbarati@apple.com>

        Remove shrinkFootprint test from apitests since it's flaky
        https://bugs.webkit.org/show_bug.cgi?id=185754

        Reviewed by Mark Lam.

        This test is flaky as it keeps failing on certain people's machines.
        Having a test about OS footprint seems like it'll forever be doomed
        to being flaky.

        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):

2018-05-17  Saam Barati  <sbarati@apple.com>

        defaultConstructorSourceCode needs to makeSource every time it's called
        https://bugs.webkit.org/show_bug.cgi?id=185753

        Rubber-stamped by Mark Lam.

        The bug here is multiple VMs can be running concurrently to one another
        in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
        if we copy a static SourceCode. Instead, we create a new one each time
        this function is called.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):

2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use AssemblyHelpers' type checking functions as much as possible
        https://bugs.webkit.org/show_bug.cgi?id=185730

        Reviewed by Saam Barati.

        Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex
        bit and register operations for type tagging of JSValue. It is really useful when we would like
        to tweak type tagging representation since the code is collected into AssemblyHelpers. And
        the named function is more readable than some branching operations.

        We also remove unnecessary branching functions in JIT / JSInterfaceJIT. Some of them duplicate
        AssemblyHelpers' ones.

        We add several new type checking functions to AssemblyHelpers. Moreover, we add branchIfXXX(GPRReg)
        functions even for the 32bit environment. In the 32bit environment, this function takes a tag register. These
        semantics are aligned to the existing branchIfCell / branchIfNotCell.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
        (JSC::DFG::SpeculativeJIT::speculateCellType):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
        (JSC::DFG::SpeculativeJIT::compileCreateThis):
        (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::convertAnyInt):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfInt32):
        (JSC::AssemblyHelpers::branchIfNotInt32):
        (JSC::AssemblyHelpers::branchIfNumber):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfBoolean):
        (JSC::AssemblyHelpers::branchIfNotBoolean):
        (JSC::AssemblyHelpers::branchIfEmpty):
        (JSC::AssemblyHelpers::branchIfNotEmpty):
        (JSC::AssemblyHelpers::branchIfUndefined):
        (JSC::AssemblyHelpers::branchIfNotUndefined):
        (JSC::AssemblyHelpers::branchIfNull):
        (JSC::AssemblyHelpers::branchIfNotNull):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emit_op_inc):
        (JSC::JIT::emit_op_dec):
        (JSC::JIT::emitBinaryDoubleOp):
        (JSC::JIT::emit_op_mod):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
        (JSC::JIT::emitJumpIfBothJSCells):
        (JSC::JIT::emitJumpSlowCaseIfJSCell):
        (JSC::JIT::emitJumpIfNotInt):
        (JSC::JIT::emitJumpSlowCaseIfNotInt):
        (JSC::JIT::emitJumpSlowCaseIfNotNumber):
        (JSC::JIT::emitJumpIfCellObject): Deleted.
        (JSC::JIT::emitJumpIfCellNotObject): Deleted.
        (JSC::JIT::emitJumpIfJSCell): Deleted.
        (JSC::JIT::emitJumpIfInt): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_to_object):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_check_tdz):
        (JSC::JIT::emitNewFuncExprCommon):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jneq_ptr):
        (JSC::JIT::emit_op_eq):
        (JSC::JIT::emit_op_jeq):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::emit_op_jneq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_to_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emit_op_check_tdz):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitWriteBarrier):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitLoadJSCell):
        (JSC::JSInterfaceJIT::emitLoadInt32):
        (JSC::JSInterfaceJIT::emitLoadDouble):
        (JSC::JSInterfaceJIT::emitJumpIfNumber): Deleted.
        (JSC::JSInterfaceJIT::emitJumpIfNotNumber): Deleted.
        (JSC::JSInterfaceJIT::emitJumpIfNotType): Deleted.
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::absThunkGenerator):
        * tools/JSDollarVM.cpp:
        (WTF::DOMJITNode::checkSubClassSnippet):
        (WTF::DOMJITFunctionObject::checkSubClassSnippet):

2018-05-17  Saam Barati  <sbarati@apple.com>

        Unreviewed. Fix the build after my attempted build fix broke the build.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):
        (JSC::BuiltinExecutables::createDefaultConstructor):
        * builtins/BuiltinExecutables.h:

2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove reifyPropertyNameIfNeeded
        https://bugs.webkit.org/show_bug.cgi?id=185350

        Reviewed by Saam Barati.

        reifyPropertyNameIfNeeded is in the middle of putDirectInternal, which is super critical path.
        This is a virtual call, and it is only used by JSFunction right now. Since this causes too much
        cost, we should remove this from the critical path.

        This patch removes this function call from the critical path. And in our slow paths, we call
        helper functions which call reifyLazyPropertyIfNeeded if the given value is a JSFunction.
        While putDirect is a somewhat raw API, our slow paths just call it. This helper wraps these calls
        and takes care of the edge cases. The other callsites of putDirect should know the type of the given
        object and the name of the property (and avoid these edge cases).

        This improves SixSpeed/object-assign.es6 by ~4% on MacBook Pro. And this patch does not cause
        regressions of the existing tests.

                                           baseline                  patched
        Kraken:
            json-parse-financial        35.522+-0.069      ^      34.708+-0.097         ^ definitely 1.0234x faster

        SixSpeed:
            object-assign.es6         145.8779+-0.2838     ^    140.1019+-0.8007        ^ definitely 1.0412x faster

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByValInternal):
        (JSC::DFG::putByValCellInternal):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ClassInfo.h:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectWithReify):
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):
        * runtime/JSCell.cpp:
        (JSC::JSCell::reifyPropertyNameIfNeeded): Deleted.
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::reifyPropertyNameIfNeeded): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectNonIndexAccessor):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):

2018-05-17  Saam Barati  <sbarati@apple.com>

        Unreviewed. Try to fix windows build.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):

2018-05-16  Saam Barati  <sbarati@apple.com>

        UnlinkedFunctionExecutable doesn't need a parent source override field since it's only used for default class constructors
        https://bugs.webkit.org/show_bug.cgi?id=185637

        Reviewed by Keith Miller.

        We had this general mechanism for overriding an UnlinkedFunctionExecutable's parent
        source code. However, we were only using this for default class constructors. There
        are only two types of default class constructors. This patch makes it so that
        we just store this information inside of a single bit, and ask for the source
        code as needed instead of holding it in a nullable field that is 24 bytes in size.
        
        This brings UnlinkedFunctionExecutable's size down from 184 bytes to 160 bytes.
        This has the consequence of making it allocated out of a 160 byte size class
        instead of a 224 byte size class. This should bring down its memory footprint
        by ~40%.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):
        (JSC::BuiltinExecutables::createDefaultConstructor):
        (JSC::BuiltinExecutables::createExecutable):
        * builtins/BuiltinExecutables.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2018-05-16  Saam Barati  <sbarati@apple.com>

        VM::shrinkFootprint should call collectNow(Sync) instead of collectSync so it also eagerly sweeps
        https://bugs.webkit.org/show_bug.cgi?id=185707

        Reviewed by Mark Lam.

        * runtime/VM.cpp:
        (JSC::VM::shrinkFootprint):

2018-05-16  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "/" operation
        https://bugs.webkit.org/show_bug.cgi?id=183996

        Reviewed by Yusuke Suzuki.

        This patch introduces support for BigInt in the divide
        operation in the LLInt and JIT layers.

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::copy):
        (JSC::JSBigInt::unaryMinus):
        (JSC::JSBigInt::absoluteCompare):
        (JSC::JSBigInt::absoluteDivLarge):
        (JSC::JSBigInt::productGreaterThan):
        (JSC::JSBigInt::inplaceAdd):
        (JSC::JSBigInt::inplaceSub):
        (JSC::JSBigInt::inplaceRightShift):
        (JSC::JSBigInt::specialLeftShift):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:

2018-05-16  Saam Barati  <sbarati@apple.com>

        Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
        https://bugs.webkit.org/show_bug.cgi?id=185670

        Reviewed by Yusuke Suzuki.

        This patch makes it so that we constant fold CheckTypeInfoFlags for
        ImplementsDefaultHasInstance inside of AI/constant folding. We constant
        fold in three ways:
        - When the incoming value is a constant, we just look at its inline type
        flags. Since those flags never change after an object is created, this
        is sound.
        - Based on the incoming value having a finite structure set. We just iterate
        all structures and ensure they have the bit set.
        - Based on speculated type. To do this, I split up SpecFunction into two
        subheaps where one is for functions that have the bit set, and one for
        functions that don't have the bit set. The latter is currently only comprised
        of JSBoundFunctions. To constant fold, we check that the incoming
        value only has the SpecFunction type with ImplementsDefaultHasInstance set.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::assertTypeInfoFlagInvariants):
        * runtime/JSFunction.h:
        (JSC::JSFunction::assertTypeInfoFlagInvariants):
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::JSFunction):

2018-05-16  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: create a navigation item for toggling the overlay rulers/guides
        https://bugs.webkit.org/show_bug.cgi?id=185644

        Reviewed by Matt Baker.

        * inspector/protocol/OverlayTypes.json:
        * inspector/protocol/Page.json:

2018-05-16  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231845.
        https://bugs.webkit.org/show_bug.cgi?id=185702

        it is breaking Apple High Sierra 32-bit JSC bot (Requested by
        caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "/" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183996
        https://trac.webkit.org/changeset/231845

2018-05-16  Filip Pizlo  <fpizlo@apple.com>

        DFG models InstanceOf incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=185694

        Reviewed by Keith Miller.
        
        Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
        hoist it.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
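
        The observable semantics behind this entry (and behind the InstanceOf inline cache and the
        ImplementsDefaultHasInstance constant folding entries above), as an added example that is not
        WebKit or JSC code: instanceof walks the prototype chain, a Proxy on that chain can observe the walk
        or throw, and a bound function does not use the default hasInstance walk at all. The helper names
        makeTracedChain, observeInstanceOfEffects, instanceOfCanThrow and boundFunctionInstanceOf are chosen
        for this illustration.

```javascript
// Added example, not JSC code: why `x instanceof C` cannot be treated as a
// pure operation that may be hoisted or dead-code-eliminated.
function makeTracedChain() {
  const log = [];
  const proxyProto = new Proxy({}, {
    getPrototypeOf(target) {
      log.push("getPrototypeOf");
      return null; // end of chain; the target is extensible so null is allowed
    },
  });
  const obj = Object.create(proxyProto); // obj -> proxyProto -> (trap) -> null
  function C() {}
  return { obj, C, log };
}

// Every evaluation of instanceof re-runs the trap: the call count is observable,
// so two evaluations are not equivalent to one.
function observeInstanceOfEffects() {
  const { obj, C, log } = makeTracedChain();
  const first = obj instanceof C;
  const afterFirst = log.length;
  const second = obj instanceof C;
  return { first, second, afterFirst, afterSecond: log.length };
}

// A trap may throw, so instanceof can raise an exception at that program point.
function instanceOfCanThrow() {
  const bomb = new Proxy({}, {
    getPrototypeOf() { throw new TypeError("prototype walk aborted"); },
  });
  const obj = Object.create(bomb);
  function C() {}
  try {
    void (obj instanceof C);
    return false;
  } catch (e) {
    return e instanceof TypeError && e.message === "prototype walk aborted";
  }
}

// Bound functions have no own .prototype and defer instanceof to their target,
// which is why they cannot share the default hasInstance fast path.
function boundFunctionInstanceOf() {
  function C() {}
  const B = C.bind(null);
  return { viaBound: new C() instanceof B, boundHasPrototype: "prototype" in B };
}
```

        observeInstanceOfEffects() returns false for both evaluations but a trap count of 1 and then 2, which
        is exactly the effect a DCE or hoisting pass would erase.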

2018-05-16  Andy VanWagoner  <andy@vanwagoner.family>

        Add support for Intl NumberFormat formatToParts
        https://bugs.webkit.org/show_bug.cgi?id=185375

        Reviewed by Yusuke Suzuki.

        Add flag for NumberFormat formatToParts. Implement formatToParts using
        unum_formatDoubleForFields. Because the fields are nested and come back
        in no guaranteed order, the simple algorithm to convert them to the
        desired format is roughly O(n^2). However, even with Number.MAX_VALUE
        it appears to perform well enough for the initial implementation. Another
        issue has been created to improve this algorithm.

        This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
        on macOS, since only v57 is available.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
        (JSC::IntlNumberFormat::partTypeString):
        (JSC::IntlNumberFormat::formatToParts):
        * runtime/IntlNumberFormat.h:
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::create):
        (JSC::IntlNumberFormatPrototype::finishCreation):
        (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
        * runtime/IntlNumberFormatPrototype.h:
        * runtime/Options.h:

2018-05-16  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "/" operation
        https://bugs.webkit.org/show_bug.cgi?id=183996

        Reviewed by Yusuke Suzuki.

        This patch introduces support for BigInt in the divide
        operation in the LLInt and JIT layers.

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::copy):
        (JSC::JSBigInt::unaryMinus):
        (JSC::JSBigInt::absoluteCompare):
        (JSC::JSBigInt::absoluteDivLarge):
        (JSC::JSBigInt::productGreaterThan):
        (JSC::JSBigInt::inplaceAdd):
        (JSC::JSBigInt::inplaceSub):
        (JSC::JSBigInt::inplaceRightShift):
        (JSC::JSBigInt::specialLeftShift):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
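
        The division semantics an engine-level BigInt divide must honour, as an added example covering this
        entry and its re-landing above (not WebKit or JSC code): truncation toward zero, RangeError on a
        zero divisor, and TypeError when a BigInt is mixed with a Number. absoluteDivide is a plain
        shift-subtract long division used here as a simple stand-in for JSBigInt's own digit-level algorithm,
        and bigintDivide and checkAgainstNative are names chosen for this illustration.

```javascript
// Added example, not JSC code: reimplements BigInt `/` without using the
// operator, then checks it against the native result.
function absoluteDivide(a, b) {
  // Preconditions: a >= 0n, b > 0n. Binary long division, most significant bit first.
  let quotient = 0n;
  let remainder = 0n;
  const bitLength = a.toString(2).length;
  for (let i = BigInt(bitLength - 1); i >= 0n; i--) {
    remainder = (remainder << 1n) | ((a >> i) & 1n); // bring down the next bit
    quotient <<= 1n;
    if (remainder >= b) {
      remainder -= b;
      quotient |= 1n;
    }
  }
  return { quotient, remainder };
}

function bigintDivide(x, y) {
  // Mixing BigInt and Number is a TypeError, exactly as for the native operator.
  if (typeof x !== "bigint" || typeof y !== "bigint") {
    throw new TypeError("Cannot mix BigInt and other types");
  }
  // There is no BigInt Infinity, so a zero divisor is a RangeError.
  if (y === 0n) {
    throw new RangeError("Division by zero");
  }
  const negative = (x < 0n) !== (y < 0n);
  const { quotient } = absoluteDivide(x < 0n ? -x : x, y < 0n ? -y : y);
  // BigInt division truncates toward zero, so only the sign is re-applied.
  return negative ? -quotient : quotient;
}

// Constructed test cases: signs, zero dividend, dividend smaller than divisor,
// and multi-digit operands that exceed a single 64-bit limb.
function checkAgainstNative() {
  const cases = [
    [7n, 2n], [-7n, 2n], [7n, -2n], [-7n, -2n], [0n, 5n], [5n, 7n],
    [123456789012345678901234567890n, 987654321n],
    [-(1n << 200n), (1n << 64n) + 1n],
  ];
  return cases.every(([x, y]) => bigintDivide(x, y) === x / y);
}
```

        The sign handling is the point worth noting: -7n / 2n is -3n, not -4n, because BigInt division
        truncates toward zero rather than flooring.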

2018-05-16  Alberto Garcia  <berto@igalia.com>

        [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
        https://bugs.webkit.org/show_bug.cgi?id=182622

        Reviewed by Michael Catanzaro.

        We were linking JavaScriptCore against libatomic in MIPS because
        in that architecture __atomic_fetch_add_8() is not a compiler
        intrinsic and is provided by that library instead. However other
        architectures (e.g armel) are in the same situation, so we need a
        generic test.

        That test already exists in WebKit/CMakeLists.txt, so we just have
        to move it to a common file (WebKitCompilerFlags.cmake) and use
        its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.

        * CMakeLists.txt:

2018-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
        https://bugs.webkit.org/show_bug.cgi?id=185601

        Reviewed by Saam Barati.

        Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData
        before calling getCallData when we would like to check whether a given object is callable
        since getCallData is a virtual call. When we call the object anyway, directly calling getCallData
        is fine. But if we would like to check whether the object is callable, we can have non-callable
        objects frequently. In that case, we should not call getCallData if we can avoid it.

        To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
        and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
        OverridesGetCallData checking before calling getCallData.

        We found that this virtual call exists in JSON.stringify's critical path. Checking
        OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.

                                               baseline                  patched

            json-stringify-tinderbox        38.807+-0.350      ^      37.216+-0.337         ^ definitely 1.0427x faster

        In addition to that, we also add OverridesGetCallData flag to JSFunction while we keep JSFunctionType checking fast path
        since major cases are covered by this fast JSFunctionType checking.

        * API/JSCallbackObject.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
        (JSC::DFG::SpeculativeJIT::compileIsFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitTypeOf):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createError):
        (JSC::createInvalidFunctionApplyParameterError):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/InternalFunction.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isFunction const):
        (JSC::JSValue::isCallable const):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isFunction):
        ALWAYS_INLINE works well for my environment.
        (JSC::JSCell::isCallable):
        * runtime/JSFunction.h:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::toJSONImpl):
        (JSC::Stringifier::appendStringifiedValue):
        * runtime/JSObjectInlines.h:
        (JSC::createListFromArrayLike):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::overridesGetCallData const):
        (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted.
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectTypeOrNull):
        * runtime/ProxyObject.h:
        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeForValue):
        * runtime/RuntimeType.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::TypeProfilerLog):
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/TypeProfilerLog.h:
        * runtime/VM.cpp:
        (JSC::VM::enableTypeProfiler):
        * tools/JSDollarVM.cpp:
        (JSC::functionFindTypeForExpression):
        (JSC::functionReturnTypeFor):
        (JSC::functionHasBasicBlockExecuted):
        (JSC::functionBasicBlockExecutionCount):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyInstantiateStreamingInternal):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::finishCreation):

2018-05-15  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Add rulers and guides
        https://bugs.webkit.org/show_bug.cgi?id=32263
        <rdar://problem/19281564>

        Reviewed by Matt Baker.

        * inspector/protocol/OverlayTypes.json:

2018-05-14  Keith Miller  <keith_miller@apple.com>

        Remove butterflyMask from DFGAbstractHeap
        https://bugs.webkit.org/show_bug.cgi?id=185640

        Reviewed by Saam Barati.

        We don't have a butterfly indexing mask anymore so we don't need
        the abstract heap information for it anymore.

        * dfg/DFGAbstractHeap.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-05-14  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Handle error in defineProperty for supported locales length
        https://bugs.webkit.org/show_bug.cgi?id=185623

        Reviewed by Saam Barati.

        Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the
        length of the supported locales array.

        * runtime/IntlObject.cpp:
        (JSC::supportedLocales):

2018-05-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Tweak LiteralParser to improve lexing performance
        https://bugs.webkit.org/show_bug.cgi?id=185541

        Reviewed by Saam Barati.

        This patch attempts to improve LiteralParser performance.

        This patch improves Kraken/json-parse-financial by roughly ~10%.
                                           baseline                  patched

            json-parse-financial        65.810+-1.591      ^      59.943+-1.784         ^ definitely 1.0979x faster

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::takeLast):
        Add takeLast() for idiomatic last() + removeLast() calls.

        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lex):
        Do not have mode in its template parameter. While the lex function is large, this mode is not used in a critical path.
        We should not include this mode in its template parameter, to reduce the code size.
        And we do not use a template parameter for the terminator since duplicating the ' and " code for lexString is not good.
        Also, we construct a TokenType table to remove a bunch of unnecessary switch cases.

        (JSC::LiteralParser<CharType>::Lexer::next):
        (JSC::isSafeStringCharacter):
        Take mode in its template parameter. But do not take the terminator character in its template parameter.

        (JSC::LiteralParser<CharType>::Lexer::lexString):
        (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
        Duplicate while statements manually since this is a critical path.

        (JSC::LiteralParser<CharType>::parse):
        Use takeLast().

        * runtime/LiteralParser.h:
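        The table-driven lexing and the compile-time mode versus runtime terminator split described in this entry, as an added illustration rather than LiteralParser's own code: a hypothetical TokenTable, isSafeStringCharacter and tokenize (the names, the ParserMode enum and the sloppy-mode rule are all constructed for the example).

```cpp
#include <cstdint>
#include <initializer_list>
#include <string>
#include <vector>

// Token kinds for a JSON-like lexer. (Constructed for this example; not the
// LiteralParser enum.)
enum class TokenType : uint8_t {
    LBrace, RBrace, LBracket, RBracket, Colon, Comma,
    String, Number, Identifier, Whitespace, Error
};

// One 256-entry table, built once, maps a leading byte to its token kind, so
// the lexer does a single indexed load instead of a switch with a case per
// punctuator, digit and whitespace character.
struct TokenTable {
    TokenType kinds[256];
    TokenTable()
    {
        for (int c = 0; c < 256; ++c) kinds[c] = TokenType::Error;
        for (unsigned char ws : { ' ', '\t', '\n', '\r' }) kinds[ws] = TokenType::Whitespace;
        kinds['{'] = TokenType::LBrace;   kinds['}'] = TokenType::RBrace;
        kinds['['] = TokenType::LBracket; kinds[']'] = TokenType::RBracket;
        kinds[':'] = TokenType::Colon;    kinds[','] = TokenType::Comma;
        kinds['"'] = TokenType::String;   kinds['\''] = TokenType::String; // terminator resolved at runtime
        kinds['-'] = TokenType::Number;
        for (int c = '0'; c <= '9'; ++c) kinds[c] = TokenType::Number;
        for (int c = 'a'; c <= 'z'; ++c) kinds[c] = TokenType::Identifier;
        for (int c = 'A'; c <= 'Z'; ++c) kinds[c] = TokenType::Identifier;
    }
};
static const TokenTable tokenTable;

// The parsing mode is a template parameter (one instantiation per mode, fixed
// at compile time); the string terminator is a plain runtime argument so the
// ' and " cases share one copy of the scanning loop.
enum class ParserMode { StrictJSON, SloppyJSON };

template<ParserMode mode>
inline bool isSafeStringCharacter(unsigned char c, unsigned char terminator)
{
    if (c == terminator || c == '\\')
        return false;                  // ends the fast scan; the caller handles it
    if (mode == ParserMode::StrictJSON)
        return c >= 0x20;              // JSON forbids raw control characters
    return c != '\n' && c != '\r';     // hypothetical sloppy mode: only line breaks are unsafe
}

static bool isNumberChar(unsigned char c)
{
    return (c >= '0' && c <= '9') || c == '.' || c == 'e' || c == 'E' || c == '+' || c == '-';
}

// Returns the token kinds of `src` (whitespace dropped); stops at the first
// Error token, which is appended so the caller can see where lexing failed.
template<ParserMode mode>
std::vector<TokenType> tokenize(const std::string& src)
{
    std::vector<TokenType> out;
    size_t i = 0, n = src.size();
    while (i < n) {
        unsigned char c = src[i];
        TokenType kind = tokenTable.kinds[c];
        if (kind == TokenType::Whitespace) {
            ++i;
        } else if (kind == TokenType::String) {
            unsigned char terminator = c;
            ++i;
            while (i < n) {
                if (isSafeStringCharacter<mode>(src[i], terminator))
                    ++i;
                else if (src[i] == '\\')
                    i += 2;            // skip the escape and the escaped byte
                else
                    break;             // unsafe byte or the terminator
            }
            if (i >= n || static_cast<unsigned char>(src[i]) != terminator) {
                out.push_back(TokenType::Error);
                return out;
            }
            ++i;
            out.push_back(TokenType::String);
        } else if (kind == TokenType::Number) {
            while (i < n && isNumberChar(src[i])) ++i;
            out.push_back(TokenType::Number);
        } else if (kind == TokenType::Identifier) {
            while (i < n && tokenTable.kinds[static_cast<unsigned char>(src[i])] == TokenType::Identifier) ++i;
            out.push_back(TokenType::Identifier);
        } else if (kind == TokenType::Error) {
            out.push_back(TokenType::Error);
            return out;
        } else {
            out.push_back(kind);       // single-byte punctuator
            ++i;
        }
    }
    return out;
}
```

        The mode affects only which bytes end the fast scan, so instantiating it per mode costs one copy of a small function; the terminator varies per string literal and is cheaper as an argument than as a second copy of lexString.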

2018-05-14  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Use btpz to compare against 0 instead of bpeq
        https://bugs.webkit.org/show_bug.cgi?id=185607

        Reviewed by Yusuke Suzuki.

        Fixes build on MIPS since MIPS doesn't have an instruction to
        compare a register against an immediate. Since the immediate is just 0
        in this case the simplest solution is just to use btpz instead of bpeq
        to compare to 0.

        * llint/LowLevelInterpreter.asm:

2018-05-12  Filip Pizlo  <fpizlo@apple.com>

        CachedCall::call() should be faster
        https://bugs.webkit.org/show_bug.cgi?id=185583

        Reviewed by Yusuke Suzuki.
        
        CachedCall is an optimization for String.prototype.replace(r, f) where f is a function.
        Unfortunately, because of a combination of abstraction and assertions, this code path had a
        lot of overhead. This patch reduces this overhead by:
        
        - Turning off some assertions. These assertions don't look to have security value; they're
          mostly for sanity. I turned off stack alignment checks and VM state checks having to do
          with whether the JSLock is held. The JSLock checks are not relevant when doing a cached
          call, considering that the caller would have already been strongly assuming that the JSLock
          is held.
        
        - Making more things inlineable.
        
        This looks like a small (4% ish) speed-up on SunSpider/string-unpack-code.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CachedCall.h:
        (JSC::CachedCall::call):
        * interpreter/Interpreter.cpp:
        (JSC::checkedReturn): Deleted.
        * interpreter/Interpreter.h:
        (JSC::Interpreter::checkedReturn):
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::execute):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute): Deleted.
        * jit/JITCodeInlines.h: Added.
        (JSC::JITCode::execute):
        * llint/LowLevelInterpreter.asm:
        * runtime/StringPrototype.cpp:

2018-05-13  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Improve spec & test262 compliance for Intl APIs
        https://bugs.webkit.org/show_bug.cgi?id=185578

        Reviewed by Yusuke Suzuki.

        Use putDirectIndex over push for lists to arrays.
        Update default options to construct with a null prototype.
        Define constructor and toStringTag on prototypes.
        Add proper time clipping.
        Remove some outdated comment spec text, use url instead.

        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototype::finishCreation):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        (JSC::IntlDateTimeFormatFuncFormatDateTime):
        (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::finishCreation):
        * runtime/IntlObject.cpp:
        (JSC::lookupSupportedLocales):
        (JSC::supportedLocales):
        (JSC::intlObjectFuncGetCanonicalLocales):
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::resolvedOptions):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructor::finishCreation):

2018-05-11  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Yusuke Suzuki.

        Added BigInt support to the times binary operator in LLInt and in
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned when there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toNumeric const):
        * runtime/Operations.h:
        (JSC::jsMul):

2018-05-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231316 and r231332.
        https://bugs.webkit.org/show_bug.cgi?id=185564

        Appears to be a Speedometer2/MotionMark regression (Requested
        by keith_miller on #webkit).

        Reverted changesets:

        "Remove the prototype caching for get_by_id in the LLInt"
        https://bugs.webkit.org/show_bug.cgi?id=185226
        https://trac.webkit.org/changeset/231316

        "Unreviewed, fix 32-bit profile offset for change in bytecode"
        https://trac.webkit.org/changeset/231332

2018-05-11  Michael Saboff  <msaboff@apple.com>

        [DFG] Compiler uses incorrect output register for NumberIsInteger operation
        https://bugs.webkit.org/show_bug.cgi?id=185328

        Reviewed by Keith Miller.

        Fixed a typo from when this code was added in r228968 where resultGPR
        was assigned the input register instead of the result.gpr().

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2018-05-11  Saam Barati  <sbarati@apple.com>

        Don't use inferred types when the JIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=185539

        Reviewed by Yusuke Suzuki.

        There are many JSC API clients that run with the JIT disabled. They were
        all allocating and tracking inferred types for no benefit. Inferred types
        only benefit programs when they make it to the DFG/FTL. I was seeing cases
        where the inferred type machinery used ~0.5MB. This patch makes it so we
        don't allocate that machinery when the JIT is disabled.

        * runtime/Structure.cpp:
        (JSC::Structure::willStoreValueSlow):
        * runtime/Structure.h:

2018-05-11  Saam Barati  <sbarati@apple.com>

        Don't allocate value profiles when the JIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=185525

        Reviewed by Michael Saboff.

        There are many JSC API clients that run with the JIT disabled. We were
        still allocating a ton of value profiles in this use case even though
        these clients get no benefit from doing value profiling. This patch makes
        it so that we don't allocate value profiles or argument value profiles
        when we're not using the JIT. We now just make all value profiles in
        the instruction stream point to a global value profile that the VM owns.
        And we make the argument value profile array have zero length and teach
        the LLInt how to handle that. Heap clears the global value profile on each GC.

        In an app that I'm testing this against, this saves ~1MB of memory.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::setNumParameters):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfArgumentValueProfiles):
        (JSC::CodeBlock::valueProfileForArgument):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitProfiledOpcode):
        * heap/Heap.cpp:
        (JSC::Heap::runEndPhase):
        * llint/LowLevelInterpreter.asm:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-05-10  Carlos Garcia Campos  <cgarcia@igalia.com>

        [JSC][GLIB] Add introspectable alternatives to functions using varargs
        https://bugs.webkit.org/show_bug.cgi?id=185508

        Reviewed by Michael Catanzaro.

        * API/glib/JSCClass.cpp:
        (jscClassCreateConstructor):
        (jsc_class_add_constructor):
        (jsc_class_add_constructorv):
        (jscClassAddMethod):
        (jsc_class_add_method):
        (jsc_class_add_methodv):
        * API/glib/JSCClass.h:
        * API/glib/JSCValue.cpp:
        (jsObjectCall):
        (jscValueCallFunction):
        (jsc_value_object_invoke_methodv):
        (jscValueFunctionCreate):
        (jsc_value_new_function):
        (jsc_value_new_functionv):
        (jsc_value_function_callv):
        (jsc_value_constructor_callv):
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-05-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make return types of construction functions tight
        https://bugs.webkit.org/show_bug.cgi?id=185509

        Reviewed by Saam Barati.

        Array and Object construction functions should return strict types instead of returning JSObject*/JSValue.

        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayConstructor.h:
        * runtime/ObjectConstructor.h:
        (JSC::constructEmptyObject):

2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Object.assign for final objects should be faster
        https://bugs.webkit.org/show_bug.cgi?id=185348

        Reviewed by Saam Barati.

        Object.assign is heavily used to clone objects. For example, speedometer react-redux can be significantly
        improved if Object.assign becomes fast. It is worth adding a complex fast path to accelerate the major use cases.

        If enumerating properties of the source objects and putting properties to the target object are not observable,
        we can avoid hash table lookups of source object properties. We can enumerate object property entries
        and put them to the target object. This patch adds this fast path to the Object.assign implementation.

        When enumerating properties, we need to ensure that the given |source| object does not include "__proto__"
        property since we cannot perform fast [[Put]] for the |target| object. We add a new flag
        "HasUnderscoreProtoPropertyExcludingOriginalProto" to Structure to track this state.

        This improves object-assign.es6 by 1.85x.

                                        baseline                  patched

            object-assign.es6      368.6132+-8.3508     ^    198.8775+-4.9042        ^ definitely 1.8535x faster

        And Speedometer2.0 React-Redux-TodoMVC's total time is improved from 490ms to 431ms.

        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::canPerformFastPutInlineExcludingProto):
        (JSC::JSObject::canPerformFastPutInline):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::forEachProperty):
        (JSC::Structure::add):

2018-05-10  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA should pick the right time to inject OSR entry data
        https://bugs.webkit.org/show_bug.cgi?id=185530

        Reviewed by Saam Barati.
        
        Previously, we would do a bonus run of CFA to inject OSR entry data. This patch makes us inject
        OSR entry data as part of the normal flow of CFA, which reduces the total number of CFA
        reexecutions while minimizing the likelihood that we have CFA execute constants in paths that
        would eventually LUB to non-constant.
        
        This looks like almost a 1% speed-up on SunSpider-CompileTime. All of the logic for preventing
        execution over constants is for V8Spider-CompileTime/regexp, which would otherwise do a lot of
        useless regexp/string execution in the compiler.

        * dfg/DFGBlockSet.h:
        (JSC::DFG::BlockSet::remove):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::injectOSR):
        (JSC::DFG::CFAPhase::performBlockCFA):

2018-05-09  Filip Pizlo  <fpizlo@apple.com>

        InPlaceAbstractState::beginBasicBlock shouldn't copy all m_variables every time
        https://bugs.webkit.org/show_bug.cgi?id=185452

        Reviewed by Michael Saboff.
        
        We were spending a lot of time in beginBasicBlock() just copying the state of all variables
        from the block head to InPlaceAbstractState::m_variables. It is necessary for
        InPlaceAbstractState to have its own copy since we need to mutate it separately from
        block->valuesAtHead. But most variables are untouched by most basic blocks, so this was a lot
        of superfluous work.
        
        This change adds a bitvector called m_activeVariables that tracks which variables have been
        copied. We lazily copy the variables on first use. Variables that were never copied also have
        a simplified merging path, which just needs to consider if the variable got clobbered between
        head and tail.
        
        This is a 1.5% speed-up on SunSpider-CompileTime and a 1.7% speed-up on V8Spider-CompileTime.

        * bytecode/Operands.h:
        (JSC::Operands::argumentIndex const):
        (JSC::Operands::localIndex const):
        (JSC::Operands::argument):
        (JSC::Operands::argument const):
        (JSC::Operands::local):
        (JSC::Operands::local const):
        (JSC::Operands::operandIndex const):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::fastForwardFromTo):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performForwardCFA):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
        (JSC::DFG::InPlaceAbstractState::activateAllVariables):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        (JSC::DFG::InPlaceAbstractState::activateVariable):
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): Deleted.
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::variableAt):
        (JSC::DFG::InPlaceAbstractState::operand):
        (JSC::DFG::InPlaceAbstractState::local):
        (JSC::DFG::InPlaceAbstractState::argument):
        (JSC::DFG::InPlaceAbstractState::activateVariableIfNecessary):
        (JSC::DFG::InPlaceAbstractState::variablesForDebugging): Deleted.

2018-05-09  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "==" operation
        https://bugs.webkit.org/show_bug.cgi?id=184474

        Reviewed by Yusuke Suzuki.

        This patch is implementing support of BigInt for the equals operator,
        following the spec semantics [1].

        [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-equality-comparison

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::stringToBigInt):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::setDigit):
        (JSC::JSBigInt::equalsToNumber):
        (JSC::JSBigInt::compareToDouble):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::equalSlowCaseInline):

2018-05-09  Filip Pizlo  <fpizlo@apple.com>

        Speed up AbstractInterpreter::executeEdges
        https://bugs.webkit.org/show_bug.cgi?id=185457

        Reviewed by Saam Barati.

        This patch started out with the desire to make executeEdges() faster by making filtering faster.
        However, when I studied the disassembly, I found that there are many opportunities for
        improvement and I implemented all of them:
        
        - Filtering itself now has an inline fast path for when the filtering didn't change the value or
          for non-cells.
        
        - Edge execution doesn't fast-forward anything if the filtering fast path would have succeeded,
          since fast-forwarding is only interesting for cells and only if we have a clobbered value.
        
        - Similarly, edge verification doesn't need to fast-forward in the common case.
        
        - A bunch of stuff related to Graph::doToChildren is now inlined properly.
        
        - The edge doesn't even have to be considered for execution if it's UntypedUse.
        
        That last bit was the trickiest. We had gotten into a bad habit of using SpecFullNumber in the
        abstract interpreter. It's not correct to use SpecFullNumber in the abstract interpreter, because
        it means proving that the value could either be formatted as a double (with impure NaN values),
        or as any JSValue, or as an Int52. There is no value that could possibly hold all of those
        states. This "worked" before because UntypedUse would filter this down to SpecBytecodeNumber. To
        make it work again, I needed to fix all of those uses of SpecFullNumber. In the future, we need
        to be careful about picking either SpecFullDouble (if returning a DoubleRep) or
        SpecBytecodeNumber (if returning a JSValueRep).
        
        But that fix revealed an amazing timeout in
        stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js. We were getting
        stuck in an OSR loop (baseline->DFG->FTL->baseline), all involving the same bytecode, without
        ever realizing that we should jettison something. The problem was with how
        triggerReoptimizationNow was getting the optimizedCodeBlock. It was trying to guess it by using
        baselineCodeBlock->replacement(), but that's wrong for FTL-for-OSR-entry code blocks.
        
        This is a 1% improvement in V8Spider-CompileTime.

        * bytecode/ExitKind.cpp:
        (JSC::exitKindMayJettison):
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
        (JSC::DFG::AbstractInterpreter::filterByType): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::AbstractInterpreterExecuteEdgesFunc):
        (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::operator() const):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByType):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::filterSlow):
        (JSC::DFG::AbstractValue::fastForwardToAndFilterSlow):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::fastForwardToAndFilter):
        (JSC::DFG::AbstractValue::fastForwardToAndFilterUnproven):
        (JSC::DFG::AbstractValue::makeTop):
        * dfg/DFGAtTailAbstractState.h:
        (JSC::DFG::AtTailAbstractState::fastForward):
        (JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
        (JSC::DFG::AtTailAbstractState::fastForwardAndFilterUnproven):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::doToChildren):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::fastForward):
        (JSC::DFG::InPlaceAbstractState::fastForwardAndFilterUnproven):
        (JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:

2018-05-09  Saam Barati  <sbarati@apple.com>

        Add JSVirtualMachine SPI to shrink the memory footprint of the VM
        https://bugs.webkit.org/show_bug.cgi?id=185441
        <rdar://problem/39999414>

        Reviewed by Keith Miller.

        This patch adds JSVirtualMachine SPI to release as much memory as possible.
        The SPI does:
        - Deletes all code caches.
        - Synchronous GC.
        - Run the scavenger.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine shrinkFootprint]):
        * API/JSVirtualMachinePrivate.h: Added.
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/VM.cpp:
        (JSC::VM::shrinkFootprint):
        * runtime/VM.h:

2018-05-09  Leo Balter  <leonardo.balter@gmail.com>

        [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
        Error found in the following Test262 tests:

        - test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js
        - test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js
        - test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js

        The ArraySpeciesCreate should throw a RangeError with non-Array custom objects
        presenting a length > 2**32-1
        https://bugs.webkit.org/show_bug.cgi?id=185476

        Reviewed by Yusuke Suzuki.

        * runtime/ArrayPrototype.cpp:

2018-05-09  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE] Build cleanly with GCC 8 and ICU 60
        https://bugs.webkit.org/show_bug.cgi?id=185462

        Reviewed by Carlos Alberto Lopez Perez.

        * API/glib/JSCClass.cpp: Silence many -Wcast-function-type warnings.
        (jsc_class_add_constructor):
        (jsc_class_add_method):
        * API/glib/JSCValue.cpp: Silence many -Wcast-function-type warnings.
        (jsc_value_object_define_property_accessor):
        (jsc_value_new_function):
        * CMakeLists.txt: Build BuiltinNames.cpp with -fno-var-tracking-assignments. This was a
        problem with GCC 7 too, but might as well fix it now.
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::gpr const): Silence a -Wclass-memaccess warning.
        (JSC::Probe::CPUState::spr const): Ditto. Assume std::remove_const is safe to clobber.
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::isRepresentableAs): Silence -Wfallthrough warning.
        * builtins/BuiltinNames.cpp:
        (JSC::BuiltinNames::BuiltinNames): Moved from BuiltinNames.h so we can use a special flag.
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames): Moved to BuiltinNames.cpp.
        * dfg/DFGDoubleFormatState.h:
        (JSC::DFG::mergeDoubleFormatStates): Silence -Wfallthrough warnings.
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType): Silence -Wfallthrough warnings.
        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::canonicalizePaths): Here GCC found a genuine mistake, strncat is called
        with the wrong length parameter and the result is not null-terminated. Also, silence a
        -Wstringop-truncation warning as we intentionally truncate filenames that exceed PATH_MAX.
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::partTypeString): Avoid an ICU deprecation warning.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): We were unconditionally running some BigInt code by accident.
        (JSC::JSGlobalObject::visitChildren): Probably a serious bug? Fixed.
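        The strncat mistake noted for ConfigFile::canonicalizePaths above, illustrated with added code that is not WebKit's: a hypothetical PathBuffer, appendBounded and joinPath (kPathMax is a constructed stand-in for PATH_MAX) show the bound strncat actually needs, the free space minus one byte for the terminator, and a truncating append that always leaves the result null-terminated.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Stand-in for PATH_MAX, kept tiny so truncation is easy to exercise.
// (Constructed for this example; not a WebKit constant.)
constexpr size_t kPathMax = 16;

struct PathBuffer {
    char data[kPathMax];
    PathBuffer() { data[0] = '\0'; }
};

// strncat's third argument bounds the bytes *appended*, not the buffer size.
// The fragile pattern is passing sizeof(data) (or another fixed constant):
// it ignores what the buffer already holds, so a half-full buffer overruns.
// The correct bound is the free space minus one byte for the terminator.
size_t remainingCapacity(const PathBuffer& buf)
{
    size_t used = strlen(buf.data);   // invariant: data is always terminated
    return kPathMax - used - 1;
}

// Bounded append: never writes past the buffer, always leaves it
// null-terminated, and reports whether any input byte was dropped.
bool appendBounded(PathBuffer& buf, const char* suffix)
{
    size_t room = remainingCapacity(buf);
    size_t need = strlen(suffix);
    // strncat writes at most `room` bytes plus one terminator, so the last
    // byte it can touch is data[kPathMax - 1].
    strncat(buf.data, suffix, room);
    return need > room;               // true when the suffix was truncated
}

// Hypothetical canonicalization step: join a directory and a file name.
// Output is cut at kPathMax - 1 characters instead of overflowing, and the
// caller learns about the cut through `truncated`.
std::string joinPath(const char* dir, const char* file, bool* truncated = nullptr)
{
    PathBuffer buf;
    bool cut = appendBounded(buf, dir);
    cut = appendBounded(buf, "/") || cut;
    cut = appendBounded(buf, file) || cut;
    if (truncated)
        *truncated = cut;
    return std::string(buf.data);
}
```

        The review question for any strncat call is whether the length argument was derived from the current strlen of the destination; a constant there, or a length taken from the source string, is the defect described in the entry. Surfacing the truncation flag matters too, since a silently shortened path can name a different file than the one configured.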

2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ARMv7] Drop ARMv7 disassembler in favor of capstone
        https://bugs.webkit.org/show_bug.cgi?id=185423

        Reviewed by Michael Catanzaro.

        This patch removes ARMv7Disassembler in our tree.
        We already adopted Capstone, and it is already used in ARMv7 JIT environments.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * disassembler/ARMv7/ARMv7DOpcode.cpp: Removed.
        * disassembler/ARMv7/ARMv7DOpcode.h: Removed.
        * disassembler/ARMv7Disassembler.cpp: Removed.

2018-05-09  Srdjan Lazarevic  <srdjan.lazarevic@rt-rk.com>

        [MIPS] Optimize generated JIT code using r2
        https://bugs.webkit.org/show_bug.cgi?id=184584

        Reviewed by Yusuke Suzuki.

        EXT and MFHC1 instructions from MIPSR2 are implemented and used where possible.
        Also, some code size optimizations that were discovered in the meantime were done.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::ext):
        (JSC::MIPSAssembler::mfhc1):
        * assembler/MacroAssemblerMIPS.cpp:
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::isPowerOf2):
        (JSC::MacroAssemblerMIPS::bitPosition):
        (JSC::MacroAssemblerMIPS::loadAddress):
        (JSC::MacroAssemblerMIPS::getEffectiveAddress):
        (JSC::MacroAssemblerMIPS::load8):
        (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::load32):
        (JSC::MacroAssemblerMIPS::load16Unaligned):
        (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
        (JSC::MacroAssemblerMIPS::load16):
        (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::store8):
        (JSC::MacroAssemblerMIPS::store16):
        (JSC::MacroAssemblerMIPS::store32):
        (JSC::MacroAssemblerMIPS::branchTest32):
        (JSC::MacroAssemblerMIPS::loadFloat):
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeFloat):
        (JSC::MacroAssemblerMIPS::storeDouble):

2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][GTK][JSCONLY] Use capstone disassembler
        https://bugs.webkit.org/show_bug.cgi?id=185283

        Reviewed by Michael Catanzaro.

        Instead of adding a MIPS disassembler baked by ourselves, we import the capstone disassembler.
        And we use the capstone disassembler for MIPS, ARM, and ARMv7 in the GTK, WPE, WinCairo and JSCOnly ports.

        And we remove ARM LLVM disassembler.

        Capstone is licensed under 3-clause BSD, which is acceptable in WebKit tree.

        * CMakeLists.txt:
        * Sources.txt:
        * disassembler/ARMLLVMDisassembler.cpp: Removed.
        * disassembler/CapstoneDisassembler.cpp: Added.
        (JSC::tryToDisassemble):

2018-05-09  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Use mfhc1 and mthc1 to fix assembler error
        https://bugs.webkit.org/show_bug.cgi?id=185464

        Reviewed by Yusuke Suzuki.

        The binutils assembler started to report failures for copying words between
        GP and FP registers for odd FP register indices. Use mfhc1 and mthc1 instead
        of mfc1 and mtc1 for conversion.

        * offlineasm/mips.rb:

2018-05-08  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Collect callee-saved register using inline assembly
        https://bugs.webkit.org/show_bug.cgi?id=185428

        Reviewed by Yusuke Suzuki.

        MIPS used setjmp instead of collecting registers with inline assembly like
        other architectures.

        * heap/RegisterState.h:

2018-05-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [BigInt] Simplifying JSBigInt by using bool addition
        https://bugs.webkit.org/show_bug.cgi?id=185374

        Reviewed by Alex Christensen.

        Since using TWO_DIGIT does not produce good code, we remove this part from digitAdd and digitSub.
        Just adding the overflow flag to the carry/borrow produces setb + add on x86.

        Also, we annotate small helper functions and accessors with `inline` so that these functions are not
        called inside the internalMultiplyAdd loop.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::isZero):
        (JSC::JSBigInt::inplaceMultiplyAdd):
        (JSC::JSBigInt::digitAdd):
        (JSC::JSBigInt::digitSub):
        (JSC::JSBigInt::digitMul):
        (JSC::JSBigInt::digitPow):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::offsetOfData):
        (JSC::JSBigInt::dataStorage):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
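
The bool-carry idiom the entry describes, as an added illustration written for this page (it is not JSC's JSBigInt code; the Digit alias, the little-endian std::vector magnitudes and the absoluteAdd/absoluteSub names are assumptions):

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed stand-in for JSBigInt::Digit: one machine word of magnitude.
using Digit = uint64_t;

// Single-digit add. Instead of forming the sum in a double-width TWO_DIGIT
// temporary, the wrap-around test is converted to 0/1 and added to the carry,
// which the compiler can lower to setb + add.
inline Digit digitAdd(Digit a, Digit b, Digit& carry)
{
    Digit result = a + b;                        // wraps modulo 2^64 on overflow
    carry += static_cast<Digit>(result < a);     // wrapped iff the sum is below an operand
    return result;
}

// Single-digit subtract with the same trick for the borrow.
inline Digit digitSub(Digit a, Digit b, Digit& borrow)
{
    Digit result = a - b;                        // wraps on underflow
    borrow += static_cast<Digit>(result > a);    // wrapped iff the difference exceeds the minuend
    return result;
}

// Magnitudes are little-endian digit vectors: digits[0] is least significant.
std::vector<Digit> absoluteAdd(const std::vector<Digit>& x, const std::vector<Digit>& y)
{
    const std::vector<Digit>& longer = x.size() >= y.size() ? x : y;
    const std::vector<Digit>& shorter = x.size() >= y.size() ? y : x;
    std::vector<Digit> result;
    result.reserve(longer.size() + 1);
    Digit carry = 0;
    for (size_t i = 0; i < longer.size(); ++i) {
        Digit newCarry = 0;
        Digit sum = digitAdd(longer[i], i < shorter.size() ? shorter[i] : 0, newCarry);
        sum = digitAdd(sum, carry, newCarry);    // fold in the previous digit's carry
        // At most one of the two adds can wrap, so newCarry is 0 or 1.
        result.push_back(sum);
        carry = newCarry;
    }
    if (carry)
        result.push_back(carry);
    return result;
}

// Precondition: x >= y as magnitudes, so no borrow remains after the last digit.
std::vector<Digit> absoluteSub(const std::vector<Digit>& x, const std::vector<Digit>& y)
{
    std::vector<Digit> result;
    result.reserve(x.size());
    Digit borrow = 0;
    for (size_t i = 0; i < x.size(); ++i) {
        Digit newBorrow = 0;
        Digit diff = digitSub(x[i], i < y.size() ? y[i] : 0, newBorrow);
        diff = digitSub(diff, borrow, newBorrow); // fold in the previous digit's borrow
        result.push_back(diff);
        borrow = newBorrow;
    }
    while (result.size() > 1 && result.back() == 0) // normalize: drop leading zero digits
        result.pop_back();
    return result;
}
```

The point of the two-call shape inside the loops is that the carry from the previous digit is itself added with digitAdd, so the only state carried between iterations is a 0/1 word and no 128-bit arithmetic is ever needed.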

2018-05-08  Michael Saboff  <msaboff@apple.com>

        Replace multiple Watchpoint Set fireAll() methods with templates
        https://bugs.webkit.org/show_bug.cgi?id=185456

        Reviewed by Saam Barati.

        Refactored to minimize duplicate code.

        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::fireAll):
        (JSC::InlineWatchpointSet::fireAll):

2018-05-08  Filip Pizlo  <fpizlo@apple.com>

        DFG::FlowMap::resize() shouldn't resize the shadow map unless we're in SSA
        https://bugs.webkit.org/show_bug.cgi?id=185453

        Reviewed by Michael Saboff.
        
        Tiny improvement for compile times.

        * dfg/DFGFlowMap.h:
        (JSC::DFG::FlowMap::resize): Remove one Vector::resize() when we're not in SSA.
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock): Record some data about how long we spend in different parts of this and add a FIXME linking bug 185452.

2018-05-08  Michael Saboff  <msaboff@apple.com>

        Deferred firing of structure transition watchpoints is racy
        https://bugs.webkit.org/show_bug.cgi?id=185438

        Reviewed by Saam Barati.

        Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire
        and fire them in the destructor.  When the watchpoints are taken from the
        original WatchpointSet, that WatchpointSet is marked invalid.

        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::fireAllSlow):
        (JSC::WatchpointSet::take):
        (JSC::DeferredWatchpointFire::DeferredWatchpointFire):
        (JSC::DeferredWatchpointFire::~DeferredWatchpointFire):
        (JSC::DeferredWatchpointFire::fireAll):
        (JSC::DeferredWatchpointFire::takeWatchpointsToFire):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::fireAll):
        (JSC::InlineWatchpointSet::fireAll):
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeDirect):
        (JSC::JSObject::convertToDictionary):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire):
        (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
        (JSC::DeferredStructureTransitionWatchpointFire::dump const):
        (JSC::Structure::didTransitionFromThisStructure const):
        (JSC::DeferredStructureTransitionWatchpointFire::add): Deleted.
        * runtime/Structure.h:
        (JSC::DeferredStructureTransitionWatchpointFire::structure const):

2018-05-08  Eric Carlson  <eric.carlson@apple.com>

        Consecutive messages logged as JSON are coalesced
        https://bugs.webkit.org/show_bug.cgi?id=185432

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::isEqual const): Messages with JSON arguments are not equal.

2018-05-06  Filip Pizlo  <fpizlo@apple.com>

        InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
        https://bugs.webkit.org/show_bug.cgi?id=185365

        Reviewed by Saam Barati.
        
        This patch does three things to improve compile times:
        
        - Fixes some inlining goofs.
        
        - Adds the ability to measure compile times with run-jsc-benchmarks.
        
        - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
          code that clears abstract values. It turns out that only constant folding "needed" this, in the
          sense that this was the only thing protecting it from loading the abstract value of a no-result
          node and then concluding that because it had a non-empty m_value, it could be constant-folded.
          Any node that produces a result will explicitly set its abstract value, so this problem can
          also be guarded by just having constant folding check if the node it wants to fold returns any
          result.
        
        Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
        
        Rolling back in after fixing cloop build.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::merge):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::doToChildrenWithNode):
        (JSC::DFG::Graph::doToChildren):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        * jit/JIT.cpp:
        (JSC::JIT::totalCompileTime):
        * jit/JIT.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionTotalCompileTime):

2018-05-08  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r231468.

        Broke the CLoop build

        Reverted changeset:

        "InPlaceAbstractState::beginBasicBlock shouldn't have to clear
        any abstract values"
        https://bugs.webkit.org/show_bug.cgi?id=185365
        https://trac.webkit.org/changeset/231468

2018-05-07  Daniel Bates  <dabates@apple.com>

        Check X-Frame-Options and CSP frame-ancestors in network process
        https://bugs.webkit.org/show_bug.cgi?id=185410
        <rdar://problem/37733934>

        Reviewed by Ryosuke Niwa.

        Add enum traits for MessageSource and MessageLevel so that we can encode and decode them for IPC.

        * runtime/ConsoleTypes.h:

2018-05-07  Saam Barati  <sbarati@apple.com>

        Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them
        https://bugs.webkit.org/show_bug.cgi?id=185329
        <rdar://problem/39961536>

        Reviewed by Michael Saboff.

        I was made aware of a memory goof inside of JSC where we would inefficiently
        use space to represent an UnlinkedFunctionExecutable's parent TDZ variables.
        
        We did two things badly:
        1. We used a HashMap instead of a Vector to represent the environment. Having
        a HashMap is useful when looking things up when generating bytecode, but it's
        space inefficient. Because UnlinkedFunctionExecutables live a long time because
        of the code cache, we should have them store this information efficiently
        inside of a Vector.
        
        2. We didn't hash-cons these environments together. If you think about how
        some programs are structured, hash-consing these together is hugely profitable.
        Consider some code like this:
        ```
        const/let V_1 = ...;
        const/let V_2 = ...;
        ...
        const/let V_n = ...;
        
        function f_1() { ... };
        function f_2() { ... };
        ...
        function f_n() { ... };
        ```
        
        Each f_i would store an identical hash map for its parent TDZ variables
        consisting of {V_1, ..., V_n}. This was incredibly dumb. With hash-consing,
        each f_i just holds onto a reference to the environment.
        
        I benchmarked this change against an app that made heavy use of the
        above code pattern and it reduced its peak memory footprint from ~220MB
        to ~160MB.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/VariableEnvironment.cpp:
        (JSC::CompactVariableEnvironment::CompactVariableEnvironment):
        (JSC::CompactVariableEnvironment::operator== const):
        (JSC::CompactVariableEnvironment::toVariableEnvironment const):
        (JSC::CompactVariableMap::get):
        (JSC::CompactVariableMap::Handle::~Handle):
        * parser/VariableEnvironment.h:
        (JSC::VariableEnvironmentEntry::bits const):
        (JSC::VariableEnvironmentEntry::operator== const):
        (JSC::VariableEnvironment::isEverythingCaptured const):
        (JSC::CompactVariableEnvironment::hash const):
        (JSC::CompactVariableMapKey::CompactVariableMapKey):
        (JSC::CompactVariableMapKey::hash):
        (JSC::CompactVariableMapKey::equal):
        (JSC::CompactVariableMapKey::makeDeletedValue):
        (JSC::CompactVariableMapKey::isHashTableDeletedValue const):
        (JSC::CompactVariableMapKey::isHashTableEmptyValue const):
        (JSC::CompactVariableMapKey::environment):
        (WTF::HashTraits<JSC::CompactVariableMapKey>::emptyValue):
        (WTF::HashTraits<JSC::CompactVariableMapKey>::isEmptyValue):
        (WTF::HashTraits<JSC::CompactVariableMapKey>::constructDeletedValue):
        (WTF::HashTraits<JSC::CompactVariableMapKey>::isDeletedValue):
        (JSC::CompactVariableMap::Handle::Handle):
        (JSC::CompactVariableMap::Handle::environment const):
        (JSC::VariableEnvironment::VariableEnvironment): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
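
The two fixes the entry describes (a sorted vector instead of a HashMap, and hash-consing so sibling functions share one environment), as an added example written for this page rather than JSC's VariableEnvironment.cpp; the Entry layout, its flag-bit meanings and the environmentsStoredFor helper are assumptions:

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>
#include <unordered_set>
#include <utility>
#include <vector>

// One parent-scope TDZ variable: its name plus a few flag bits (assumed layout,
// standing in for JSC's VariableEnvironmentEntry).
struct Entry {
    std::string name;
    uint8_t bits;   // assumed meanings: bit 0 = isConst, bit 1 = isCaptured
    bool operator==(const Entry& other) const { return name == other.name && bits == other.bits; }
};

// The compact form: a sorted vector rather than a HashMap. Sorting makes two
// environments holding the same variables compare and hash identically.
struct CompactVariableEnvironment {
    std::vector<Entry> entries;

    explicit CompactVariableEnvironment(std::vector<Entry> unsorted)
        : entries(std::move(unsorted))
    {
        std::sort(entries.begin(), entries.end(),
            [](const Entry& a, const Entry& b) { return a.name < b.name; });
    }

    bool operator==(const CompactVariableEnvironment& other) const { return entries == other.entries; }

    size_t hash() const
    {
        size_t h = entries.size();
        for (const Entry& e : entries)
            h = (h * 1000003u) ^ std::hash<std::string>()(e.name) ^ e.bits;
        return h;
    }
};

// The hash-consing table: an environment is stored once, and every function
// that needs it holds a shared handle to that single copy.
class CompactVariableMap {
public:
    using Handle = std::shared_ptr<const CompactVariableEnvironment>;

    Handle get(std::vector<Entry> entries)
    {
        Handle candidate = std::make_shared<CompactVariableEnvironment>(std::move(entries));
        auto it = m_table.find(candidate);
        if (it != m_table.end())
            return *it;             // hit: discard the candidate, share the existing copy
        m_table.insert(candidate);  // miss: the candidate becomes the canonical copy
        return candidate;
    }

    size_t size() const { return m_table.size(); }

private:
    struct Hash { size_t operator()(const Handle& h) const { return h->hash(); } };
    struct Equal { bool operator()(const Handle& a, const Handle& b) const { return *a == *b; } };
    std::unordered_set<Handle, Hash, Equal> m_table;
};

// Models the pattern in the entry: functionCount sibling functions f_i, each
// seeing the same variableCount parent const/let bindings V_1..V_n. Returns how
// many distinct environments the map actually stores.
size_t environmentsStoredFor(size_t functionCount, size_t variableCount)
{
    CompactVariableMap map;
    std::vector<CompactVariableMap::Handle> perFunction;  // each f_i keeps only a reference
    for (size_t f = 0; f < functionCount; ++f) {
        std::vector<Entry> parentVars;
        for (size_t v = 0; v < variableCount; ++v)
            parentVars.push_back({"V_" + std::to_string(v + 1), 1});
        perFunction.push_back(map.get(std::move(parentVars)));
    }
    return map.size();
}
```

This sketch keeps entries in the table for the map's lifetime; the entry's Handle::~Handle suggests the real implementation also removes an environment once its last user goes away, which the example omits.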

2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers
        https://bugs.webkit.org/show_bug.cgi?id=185371

        Reviewed by Mark Lam.

        Since MIPS GPRInfo claims it has only 7 registers, some of the DFG code exhausts registers.
        As a result, we need to maintain separate code for MIPS. This increases the DFG maintenance burden,
        but actually MIPS has many more registers.

        This patch adds $a0 - $a3 to temporary registers. This is OK since our temporary registers can be overlapped with
        argument registers (see ARM, X86 implementations). These registers are caller-save ones, so we do not need to
        have extra mechanism.

        Then, we remove several pieces of unnecessary MIPS code from our JIT infrastructure.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CCallHelpers.h:
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * offlineasm/mips.rb:

2018-05-05  Filip Pizlo  <fpizlo@apple.com>

        DFG AI should have O(1) clobbering
        https://bugs.webkit.org/show_bug.cgi?id=185287

        Reviewed by Saam Barati.
        
        This fixes an old scalability problem in AI. Previously, if we did clobberWorld(), then we
        would traverse all of the state available to the AI at that time and clobber it.
        
        This changes clobberWorld() to be O(1). It just does some math to a clobber epoch.
        
        This is a ~1% speed-up for compile times.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::forNode):
        (JSC::DFG::AbstractInterpreter::setForNode):
        (JSC::DFG::AbstractInterpreter::clearForNode):
        (JSC::DFG::AbstractInterpreter::variables): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::fastForwardToSlow):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::fastForwardTo):
        (JSC::DFG::AbstractValue::clobberStructuresFor): Deleted.
        (JSC::DFG::AbstractValue::observeInvalidationPoint): Deleted.
        (JSC::DFG::AbstractValue::observeInvalidationPointFor): Deleted.
        * dfg/DFGAbstractValueClobberEpoch.cpp: Added.
        (JSC::DFG::AbstractValueClobberEpoch::dump const):
        * dfg/DFGAbstractValueClobberEpoch.h: Added.
        (JSC::DFG::AbstractValueClobberEpoch::AbstractValueClobberEpoch):
        (JSC::DFG::AbstractValueClobberEpoch::first):
        (JSC::DFG::AbstractValueClobberEpoch::clobber):
        (JSC::DFG::AbstractValueClobberEpoch::observeInvalidationPoint):
        (JSC::DFG::AbstractValueClobberEpoch::operator== const):
        (JSC::DFG::AbstractValueClobberEpoch::operator!= const):
        (JSC::DFG::AbstractValueClobberEpoch::structureClobberState const):
        (JSC::DFG::AbstractValueClobberEpoch::clobberEpoch const):
        * dfg/DFGAtTailAbstractState.h:
        (JSC::DFG::AtTailAbstractState::setForNode):
        (JSC::DFG::AtTailAbstractState::clearForNode):
        (JSC::DFG::AtTailAbstractState::numberOfArguments const):
        (JSC::DFG::AtTailAbstractState::numberOfLocals const):
        (JSC::DFG::AtTailAbstractState::operand):
        (JSC::DFG::AtTailAbstractState::local):
        (JSC::DFG::AtTailAbstractState::argument):
        (JSC::DFG::AtTailAbstractState::clobberStructures):
        (JSC::DFG::AtTailAbstractState::observeInvalidationPoint):
        (JSC::DFG::AtTailAbstractState::variables): Deleted.
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFlowMap.h:
        (JSC::DFG::FlowMap::at):
        (JSC::DFG::FlowMap::atShadow):
        (JSC::DFG::FlowMap::at const):
        (JSC::DFG::FlowMap::atShadow const):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::forNode):
        (JSC::DFG::InPlaceAbstractState::setForNode):
        (JSC::DFG::InPlaceAbstractState::clearForNode):
        (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
        (JSC::DFG::InPlaceAbstractState::numberOfArguments const):
        (JSC::DFG::InPlaceAbstractState::numberOfLocals const):
        (JSC::DFG::InPlaceAbstractState::operand):
        (JSC::DFG::InPlaceAbstractState::local):
        (JSC::DFG::InPlaceAbstractState::argument):
        (JSC::DFG::InPlaceAbstractState::variableAt):
        (JSC::DFG::InPlaceAbstractState::clobberStructures):
        (JSC::DFG::InPlaceAbstractState::observeInvalidationPoint):
        (JSC::DFG::InPlaceAbstractState::fastForward):
        (JSC::DFG::InPlaceAbstractState::variables): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):

2018-05-06  Filip Pizlo  <fpizlo@apple.com>

        InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
        https://bugs.webkit.org/show_bug.cgi?id=185365

        Reviewed by Saam Barati.
        
        This patch does three things to improve compile times:
        
        - Fixes some inlining goofs.
        
        - Adds the ability to measure compile times with run-jsc-benchmarks.
        
        - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
          code that clears abstract values. It turns out that only constant folding "needed" this, in the
          sense that this was the only thing protecting it from loading the abstract value of a no-result
          node and then concluding that because it had a non-empty m_value, it could be constant-folded.
          Any node that produces a result will explicitly set its abstract value, so this problem can
          also be guarded by just having constant folding check if the node it wants to fold returns any
          result.
        
        Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::merge):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::doToChildrenWithNode):
        (JSC::DFG::Graph::doToChildren):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        * jit/JIT.cpp:
        (JSC::JIT::totalCompileTime):
        * jit/JIT.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionTotalCompileTime):

2018-05-05  Filip Pizlo  <fpizlo@apple.com>

        DFG AI doesn't need to merge valuesAtTail - it can just assign them
        https://bugs.webkit.org/show_bug.cgi?id=185355

        Reviewed by Mark Lam.
        
        This is a further attempt to improve compile times. Assigning AbstractValue ought to always
        be faster than merging. There's no need to merge valuesAtTail. In most cases, assigning and
        merging will get the same answer because the value computed this time will be either the same
        as or more general than the value computed last time. If the value does change for some
        reason, then valuesAtHead are already merged, which ensures monotonicity. Also, if the value
        changes, then we have no reason to believe that this new value is less right than the last
        one we computed. Finally, the one client of valuesAtTail (AtTailAbstractState) doesn't care
        if it's getting the merged valuesAtTail or just some correct answer for valuesAtTail.

        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):

2018-05-07  Andy VanWagoner  <andy@vanwagoner.family>

        Remove defunct email address
        https://bugs.webkit.org/show_bug.cgi?id=185396

        Reviewed by Mark Lam.

        The email address thetalecrafter@gmail.com is no longer valid, as the
        associated google account has been closed. This updates the email
        address so questions about these Intl contributions go to the right
        place.

        * builtins/DatePrototype.js:
        * builtins/NumberPrototype.js:
        * builtins/StringPrototype.js:
        * runtime/IntlCollator.cpp:
        * runtime/IntlCollator.h:
        * runtime/IntlCollatorConstructor.cpp:
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlCollatorPrototype.cpp:
        * runtime/IntlCollatorPrototype.h:
        * runtime/IntlDateTimeFormat.cpp:
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlDateTimeFormatPrototype.cpp:
        * runtime/IntlDateTimeFormatPrototype.h:
        * runtime/IntlNumberFormat.cpp:
        * runtime/IntlNumberFormat.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/IntlNumberFormatPrototype.cpp:
        * runtime/IntlNumberFormatPrototype.h:
        * runtime/IntlObject.cpp:
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp:
        * runtime/IntlPluralRules.h:
        * runtime/IntlPluralRulesConstructor.cpp:
        * runtime/IntlPluralRulesConstructor.h:
        * runtime/IntlPluralRulesPrototype.cpp:
        * runtime/IntlPluralRulesPrototype.h:

2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove "using namespace std;" from JSC, bmalloc, WTF
        https://bugs.webkit.org/show_bug.cgi?id=185362

        Reviewed by Sam Weinig.

        "namespace std" may include many names. It can conflict with names defined by our code
        and by other platform-provided headers. For example, std::byte conflicts with Windows'
        ::byte.
        This patch removes "using namespace std;" from JSC and bmalloc.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::create):
        * bytecode/Opcode.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newRegister):
        * heap/Heap.cpp:
        (JSC::Heap::updateAllocationLimits):
        * interpreter/Interpreter.cpp:
        * jit/JIT.cpp:
        * parser/Parser.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSLexicalEnvironment.cpp:
        * runtime/JSModuleEnvironment.cpp:
        * runtime/Structure.cpp:
        * shell/DLLLauncherMain.cpp:
        (getStringValue):
        (applePathFromRegistry):
        (appleApplicationSupportDirectory):
        (copyEnvironmentVariable):
        (prependPath):
        (fatalError):
        (directoryExists):
        (modifyPath):
        (getLastErrorString):
        (wWinMain):

2018-05-05  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA phase should only do clobber asserts in debug
        https://bugs.webkit.org/show_bug.cgi?id=185354

        Reviewed by Saam Barati.
        
        Clobber asserts are responsible for 1% of compile time. That's too much. This disables them
        unless asserts are enabled.

        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):

2018-05-04  Keith Miller  <keith_miller@apple.com>

        isCacheableArrayLength should return true for undecided arrays
        https://bugs.webkit.org/show_bug.cgi?id=185309

        Reviewed by Michael Saboff.

        Undecided arrays have butterflies so there is no reason why we
        should not be able to cache their length.

        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::isCacheableArrayLength):

2018-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Remove std::random_shuffle
        https://bugs.webkit.org/show_bug.cgi?id=185292

        Reviewed by Darin Adler.

        std::random_shuffle is deprecated in C++14 and removed in C++17,
        since std::random_shuffle relies on rand and srand.
        Use std::shuffle instead.

        * jit/BinarySwitch.cpp:
        (JSC::RandomNumberGenerator::RandomNumberGenerator):
        (JSC::RandomNumberGenerator::operator()):
        (JSC::RandomNumberGenerator::min):
        (JSC::RandomNumberGenerator::max):
        (JSC::BinarySwitch::build):
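
What the migration to std::shuffle requires is a generator that satisfies the UniformRandomBitGenerator concept (result_type, min(), max(), operator()). The following is an added example written for this page, not the code in jit/BinarySwitch.cpp: the xorshift core is a constructed stand-in for JSC's own random source, and shuffledCases/isPermutationOf are assumed helper names.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

// Adapter that gives std::shuffle a UniformRandomBitGenerator. The 64-bit
// xorshift state update is a constructed stand-in for JSC's random source.
class RandomNumberGenerator {
public:
    using result_type = uint64_t;

    explicit RandomNumberGenerator(uint64_t seed)
        : m_state(seed ? seed : 0x9E3779B97F4A7C15ull)   // xorshift must not start at 0
    {
    }

    // std::shuffle scales operator() into [0, n) using these bounds.
    static constexpr result_type min() { return 0; }
    static constexpr result_type max() { return UINT64_MAX; }

    result_type operator()()
    {
        m_state ^= m_state << 13;
        m_state ^= m_state >> 7;
        m_state ^= m_state << 17;
        return m_state;
    }

private:
    uint64_t m_state;
};

// Seeded shuffle of a switch's case list. The same seed always yields the same
// order, which std::random_shuffle's rand()/srand() coupling could not promise.
std::vector<int> shuffledCases(std::vector<int> cases, uint64_t seed)
{
    RandomNumberGenerator generator(seed);
    std::shuffle(cases.begin(), cases.end(), generator);
    return cases;
}

// Check that a shuffle only reordered the input (no case lost or duplicated).
bool isPermutationOf(std::vector<int> a, std::vector<int> b)
{
    std::sort(a.begin(), a.end());
    std::sort(b.begin(), b.end());
    return a == b;
}
```

std::shuffle takes the generator by rvalue reference, so a named generator must be passed as an lvalue as above; passing a temporary would advance a fresh generator each call and is rejected by some implementations.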

2018-05-03  Saam Barati  <sbarati@apple.com>

        Don't prevent CreateThis being folded to NewObject when the structure is poly proto
        https://bugs.webkit.org/show_bug.cgi?id=185177

        Reviewed by Filip Pizlo.

        This patch teaches the DFG/FTL how to constant fold CreateThis with
        a known poly proto Structure to NewObject. We do it by emitting a NewObject
        followed by a PutByOffset for the prototype value.
        
        We make it so that ObjectAllocationProfile holds the prototype value.
        This is sound because JSFunction clears that profile when its 'prototype'
        field changes.
        
        This patch also renames underscoreProtoPrivateName to polyProtoName since
        that name was nonsensical: it was only used for poly proto.
        
        This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
        regressed that benchmark when I first introduced poly proto.

        * builtins/BuiltinNames.cpp:
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        (JSC::BuiltinNames::polyProtoName const):
        (JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::prototype):
        (JSC::ObjectAllocationProfile::clear):
        (JSC::ObjectAllocationProfile::visitAggregate):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/FunctionRareData.h:
        * runtime/Structure.cpp:
        (JSC::Structure::create):

2018-05-03  Michael Saboff  <msaboff@apple.com>

        OSR entry pruning of Program Bytecodes doesn't take into account try/catch
        https://bugs.webkit.org/show_bug.cgi?id=185281

        Reviewed by Saam Barati.

        When we compute bytecode block reachability, we need to take into account blocks
        containing try/catch.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):

2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>

        ARM: Wrong offset for operand rt in disassembler
        https://bugs.webkit.org/show_bug.cgi?id=184083

        Reviewed by Yusuke Suzuki.

        * disassembler/ARMv7/ARMv7DOpcode.h:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):

2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>

        ARM: Support vstr in disassembler
        https://bugs.webkit.org/show_bug.cgi?id=184084

        Reviewed by Yusuke Suzuki.

        * disassembler/ARMv7/ARMv7DOpcode.cpp:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted.
        * disassembler/ARMv7/ARMv7DOpcode.h:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted.
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted.
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted.
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted.
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted.
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted.

2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>

        Invoke ensureArrayStorage for all arguments
        https://bugs.webkit.org/show_bug.cgi?id=185247

        Reviewed by Yusuke Suzuki.

        ensureArrayStorage was only invoked for the first argument in each loop iteration.

        * jsc.cpp:
        (functionEnsureArrayStorage):

2018-05-03  Filip Pizlo  <fpizlo@apple.com>

        Make it easy to log compile times for all optimizing tiers
        https://bugs.webkit.org/show_bug.cgi?id=185270

        Reviewed by Keith Miller.
        
        This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common
        helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used
        it.
        
        This should help us reduce compile times by telling us where to look. So far, it looks like
        CFA is the worst.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/B3Common.cpp:
        (JSC::B3::shouldMeasurePhaseTiming): Deleted.
        * b3/B3Common.h:
        * b3/B3TimingScope.cpp: Removed.
        * b3/B3TimingScope.h:
        (JSC::B3::TimingScope::TimingScope):
        * dfg/DFGPhase.h:
        (JSC::DFG::runAndLog):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        * tools/CompilerTimingScope.cpp: Added.
        (JSC::CompilerTimingScope::CompilerTimingScope):
        (JSC::CompilerTimingScope::~CompilerTimingScope):
        * tools/CompilerTimingScope.h: Added.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2018-05-03  Filip Pizlo  <fpizlo@apple.com>

        Strings should not be allocated in a gigacage
        https://bugs.webkit.org/show_bug.cgi?id=185218

        Reviewed by Saam Barati.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::toStringGeneric):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):
        (JSC::JSRopeString::resolveRope const):
        * runtime/JSString.h:
        (JSC::JSString::create):
        (JSC::JSString::createHasOtherOwner):
        * runtime/VM.h:
        (JSC::VM::gigacageAuxiliarySpace):

2018-05-03  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix 32-bit profile offset for change in bytecode
        length of the get_by_id and get_array_length opcodes.

        * llint/LowLevelInterpreter32_64.asm:

2018-05-03  Michael Saboff  <msaboff@apple.com>

        WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript
        https://bugs.webkit.org/show_bug.cgi?id=185231

        Reviewed by Saam Barati.

        We weren't clearing the scratch register cache when switching back and forth between 
        allowing scratch register usage.  We disallow scratch register usage when we are in
        code that will freely allocate and use any register.  Such usage can change the
        contents of scratch registers.  For ARM64, where we cache the contents of scratch
        registers to reuse some or all of the contained values, we need to invalidate these
        caches.  We do this when re-enabling scratch register usage, that is when we transition
        from disallow to allow scratch register usage.

        Added a new Air regression test.

        * assembler/AllowMacroScratchRegisterUsage.h:
        (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage):
        * assembler/AllowMacroScratchRegisterUsageIf.h:
        (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
        * assembler/DisallowMacroScratchRegisterUsage.h:
        (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage):
        * b3/air/testair.cpp:

2018-05-03  Keith Miller  <keith_miller@apple.com>

        Remove the prototype caching for get_by_id in the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=185226

        Reviewed by Michael Saboff.

        There is no evidence that this is actually a speedup and we keep
        getting bugs with it. At this point it seems like we should just
        remove this code.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdOp):
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetById):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Options.h:

2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r231197.

        The test added with this change crashes on the 32-bit JSC bot.

        Reverted changeset:

        "Correctly detect string overflow when using the 'Function'
        constructor"
        https://bugs.webkit.org/show_bug.cgi?id=184883
        https://trac.webkit.org/changeset/231197

2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>

        Disable usage of fused multiply-add instructions for JSC with compiler flag
        https://bugs.webkit.org/show_bug.cgi?id=184909

        Reviewed by Yusuke Suzuki.

        Adds -ffp-contract as compiler flag for building JSC. This ensures that functions
        like parseInt() do not return slightly different results depending on whether the
        compiler was able to use fused multiply-add instructions or not.

        * CMakeLists.txt:

2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix build failure in ARM, ARMv7 and MIPS
        https://bugs.webkit.org/show_bug.cgi?id=185192

        compareDouble relies on MacroAssembler::invert function.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::compareDouble):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::compareDouble): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::compareDouble): Deleted.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::compareDouble): Deleted.

2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add MacroAssembler::and16 and store16
        https://bugs.webkit.org/show_bug.cgi?id=185188

        Reviewed by Mark Lam.

        r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations.
        This patch adds these methods for ARM.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::and16):
        (JSC::MacroAssemblerARM::store16):

2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Unify compare related code in 32bit and 64bit
        https://bugs.webkit.org/show_bug.cgi?id=185189

        Reviewed by Mark Lam.

        This patch unifies some part of compare related code in 32bit and 64bit
        to reduce the size of 32bit specific DFG code.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInt32Compare):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
        (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
        (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.

2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64
        https://bugs.webkit.org/show_bug.cgi?id=185192

        Reviewed by Mark Lam.

        Now Object.is starts using compareDouble. So we would like to have an
        efficient implementation of compareDouble and compareFloat for the
        major architectures, ARM64, X86, and X86_64.

        This patch adds compareDouble and compareFloat implementations for
        these architectures. And the generic implementation is moved to each
        architecture's MacroAssembler implementation.

        We also add tests for them in testmasm. To implement this test
        easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the
        major architectures.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::compareDouble): Deleted.
        (JSC::MacroAssembler::compareFloat): Deleted.
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::compareDouble):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::compareDouble):
        (JSC::MacroAssemblerARM64::compareFloat):
        (JSC::MacroAssemblerARM64::loadFloat):
        (JSC::MacroAssemblerARM64::floatingPointCompare):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::compareDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::compareDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::loadFloat):
        (JSC::MacroAssemblerX86Common::compareDouble):
        (JSC::MacroAssemblerX86Common::compareFloat):
        (JSC::MacroAssemblerX86Common::floatingPointCompare):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movss_mr):
        (JSC::X86Assembler::movss_rm):
        * assembler/testmasm.cpp:
        (JSC::floatOperands):
        (JSC::testCompareFloat):
        (JSC::run):

2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix 32bit DFG code
        https://bugs.webkit.org/show_bug.cgi?id=185065

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSameValue):

2018-05-02  Filip Pizlo  <fpizlo@apple.com>

        JSC should know how to cache custom getter accesses on the prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=185213

        Reviewed by Keith Miller.

        This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2018-05-01  Filip Pizlo  <fpizlo@apple.com>

        JSC should be able to cache custom setter calls on the prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=185174

        Reviewed by Saam Barati.

        We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty()
        condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add
        impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead
        of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for
        custom accessors because it won't find the custom property in the structure.

        The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty().

        This is a 4x speed-up on assign-custom-setter.js.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::hasAlternateBase const):
        (JSC::AccessCase::alternateBase const):
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCase.h:
        (JSC::AccessCase::alternateBase const): Deleted.
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::hasAlternateBase const):
        (JSC::GetterSetterAccessCase::alternateBase const):
        * bytecode/GetterSetterAccessCase.h:
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForPrototypePropertyHitCustom):
        * bytecode/ObjectPropertyConditionSet.h:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):

2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Implement and16 and store16 for MacroAssemblerMIPS
        https://bugs.webkit.org/show_bug.cgi?id=185195

        Reviewed by Mark Lam.

        This implements the given functions for MIPS, such that it builds again.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::and16):
        (JSC::MacroAssemblerMIPS::store16):

2018-05-02  Rick Waldron  <waldron.rick@gmail.com>

        Expose "$262.agent.monotonicNow()" for use in testing Atomic operation timeouts
        https://bugs.webkit.org/show_bug.cgi?id=185043

        Reviewed by Filip Pizlo.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDollarAgentMonotonicNow):

2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Implement and16 and store16 for MacroAssemblerARMv7
        https://bugs.webkit.org/show_bug.cgi?id=185196

        Reviewed by Mark Lam.

        This implements and16 and store16 for MacroAssemblerARMv7 such that JSC builds again.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::and16):
        (JSC::MacroAssemblerARMv7::store16):

2018-05-02  Robin Morisset  <rmorisset@apple.com>

        emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
        https://bugs.webkit.org/show_bug.cgi?id=183172

        Reviewed by Filip Pizlo.

        DFGArgumentsEliminationPhase.cpp currently believes that allocations of NewArrayWithSpread can be deleted if they are only used by GetArrayLength,
        but when it then calls emitCodeToGetArgumentsArrayLength, the latter has no idea what to do with GetArrayLength.

        I fix the problem by teaching emitCodeToGetArgumentsArrayLength how to deal with GetArrayLength.
        Because this requires emitting an Add that can overflow and thus exit, we also tell DFGArgumentsEliminationPhase to give up on eliminating
        a NewArrayWithSpread when it is used by a GetArrayLength that is not allowed to exit.

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArgumentsUtilities.cpp:
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):

2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, stackPointer signature is different from declaration
        https://bugs.webkit.org/show_bug.cgi?id=184790

        * runtime/MachineContext.h:
        (JSC::MachineContext::stackPointer):

2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add SameValue DFG node
        https://bugs.webkit.org/show_bug.cgi?id=185065

        Reviewed by Saam Barati.

        This patch adds Object.is handling in DFG and FTL. Object.is is converted to SameValue DFG node.
        And DFG fixup phase attempts to convert SameValue node to CompareStrictEq with type filter edges
        if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics
        from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have
        implementations for these SameValue nodes.

        The old MacroAssemblerX86Common::compareDouble was dead code since the derived class, "MacroAssembler",
        has a generalized compareDouble, which just uses branchDouble. Since this was not used, this function
        was broken. This patch fixes the issues and moves compareDouble to MacroAssemblerX86Common, and removes the
        generalized compareDouble for the x86 arch to use this specialized efficient version instead. The fixes are
        correctly using set32 to zero-extend the result, and setting the initial value of the `dest` register
        correctly for the DoubleEqual and DoubleNotEqualOrUnordered cases.

        Added microbenchmark shows performance improvement.

            object-is           651.0053+-38.8204    ^    241.3467+-15.8753       ^ definitely 2.6974x faster

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::compareDouble):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::compareDouble): Deleted.
        * assembler/testmasm.cpp:
        (JSC::doubleOperands):
        (JSC::testCompareDouble):
        (JSC::run):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSameValue):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/ObjectConstructor.cpp:

2018-04-30  Filip Pizlo  <fpizlo@apple.com>

        B3::demoteValues should be able to handle patchpoint terminals
        https://bugs.webkit.org/show_bug.cgi?id=185151

        Reviewed by Saam Barati.
        
        If we try to demote a patchpoint terminal then prior to this change we would append a Set to
        the basic block that the patchpoint terminated. That's wrong because then the terminal is no
        longer the last thing in the block.
        
        Air encounters this problem in spilling and solves it by doing a fixup afterwards. We can't
        really do that because demotion happens as a prerequisite to other transformations.
        
        One solution might have been to make demoteValues insert a basic block whenever it encounters
        this problem. But that would break clients that do CFG analysis before demoteValues and use
        the results of the CFG analysis after demoteValues. Taildup does this. Fortunately, taildup
        also runs breakCriticalEdges. Probably anyone using demoteValues will use breakCriticalEdges,
        so it's not bad to introduce that requirement.
        
        So, this patch solves the problem by ensuring that breakCriticalEdges treats any patchpoint
        terminal as if it had multiple successors. This means that a patchpoint terminal's successors
        will only have it as their predecessor. Then, demoteValues just prepends the Set to the
        successors of the patchpoint terminal.
        
        This was probably asymptomatic. It's hard to write a JS test that triggers this, so I added
        a unit test in testb3.

        * b3/B3BreakCriticalEdges.cpp:
        (JSC::B3::breakCriticalEdges):
        * b3/B3BreakCriticalEdges.h:
        * b3/B3FixSSA.cpp:
        (JSC::B3::demoteValues):
        (JSC::B3::fixSSA):
        * b3/B3FixSSA.h:
        * b3/B3Value.cpp:
        (JSC::B3::Value::foldIdentity const):
        (JSC::B3::Value::performSubstitution):
        * b3/B3Value.h:
        * b3/testb3.cpp:
        (JSC::B3::testDemotePatchpointTerminal):
        (JSC::B3::run):

2018-05-01  Robin Morisset  <rmorisset@apple.com>

        Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
        https://bugs.webkit.org/show_bug.cgi?id=184772
        <rdar://problem/39146327>

        Reviewed by Filip Pizlo.

        Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399>), where a check was missing.
        This patch now makes sure that the check correctly detects if there is an integer overflow.

        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountWithAnyIndexingType):

2018-05-01  Robin Morisset  <rmorisset@apple.com>

        Correctly detect string overflow when using the 'Function' constructor
        https://bugs.webkit.org/show_bug.cgi?id=184883
        <rdar://problem/36320331>

        Reviewed by Filip Pizlo.

        The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation.
        Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case.

        I added new tryAppend methods alongside the old append methods, that return a boolean (true means success, false means an overflow happened).
        In this way, it becomes possible for the Function constructor to just throw a proper JS exception when asked to create a string > 4GB.
        I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):
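
        The two entries above (the overflow-checked length computation in
        JSArray::unshiftCountWithAnyIndexingType, and tryAppend returning false instead
        of crashing in the Function constructor) come down to the same pattern: compute
        the new length with checked arithmetic and let the caller turn a failure into a
        JS exception rather than an out-of-bounds allocation or a hard CRASH(). The
        following is an added illustration of that pattern, written for this ChangeLog
        and not JavaScriptCore's or WTF's own code. checkedAdd, unshiftedLength,
        TryStringBuilder and buildFunctionSource are invented names, and the 32-bit
        limit stands in for the 4GB string length limit mentioned above.

```cpp
// Added example, not JavaScriptCore code: overflow-checked length arithmetic of the
// kind the unshiftCountWithAnyIndexingType and Function-constructor entries describe.
// checkedAdd, unshiftedLength, TryStringBuilder and buildFunctionSource are
// illustrative names chosen here, not JSC's.
#include <cstdint>
#include <limits>
#include <string>

// Writes a + b to result and returns true, or returns false (leaving result
// untouched) when the sum does not fit in 32 bits. The compiler builtin is used
// so the check is neither undefined behaviour nor optimised away.
bool checkedAdd(uint32_t a, uint32_t b, uint32_t& result)
{
    uint32_t sum;
    if (__builtin_add_overflow(a, b, &sum))
        return false;
    result = sum;
    return true;
}

// Length computation for unshift(count): newLength = oldLength + count.
// A plain addition wraps silently; a wrapped length smaller than oldLength
// would size the backing store too small for the element moves that follow.
// Returns false so the caller can throw a RangeError instead of allocating.
bool unshiftedLength(uint32_t oldLength, uint32_t count, uint32_t& newLength)
{
    return checkedAdd(oldLength, count, newLength);
}

// A builder whose tryAppend reports overflow with a bool instead of crashing,
// mirroring the tryAppend/append split described above. The limit is a
// constructor argument so the behaviour can be exercised with small values.
class TryStringBuilder {
public:
    explicit TryStringBuilder(uint32_t maxLength = std::numeric_limits<uint32_t>::max())
        : m_maxLength(maxLength) { }

    // Appends piece and returns true, or returns false and leaves the builder
    // unchanged when the new length would overflow or exceed maxLength.
    bool tryAppend(const std::string& piece)
    {
        if (piece.size() > std::numeric_limits<uint32_t>::max())
            return false;
        uint32_t newLength;
        if (!checkedAdd(m_length, static_cast<uint32_t>(piece.size()), newLength))
            return false;
        if (newLength > m_maxLength)
            return false;
        m_buffer += piece;
        m_length = newLength;
        return true;
    }

    uint32_t length() const { return m_length; }
    const std::string& str() const { return m_buffer; }

private:
    uint32_t m_length = 0;
    uint32_t m_maxLength;
    std::string m_buffer;
};

// Assembles "function anonymous(<params>) {\n<body>\n}" the way a Function
// constructor builds its source text. Returns false instead of crashing when
// the concatenation would exceed maxLength; on success out holds the source.
bool buildFunctionSource(const std::string& params, const std::string& body,
                         uint32_t maxLength, std::string& out)
{
    TryStringBuilder builder(maxLength);
    if (!builder.tryAppend("function anonymous(") || !builder.tryAppend(params)
        || !builder.tryAppend(") {\n") || !builder.tryAppend(body)
        || !builder.tryAppend("\n}"))
        return false;
    out = builder.str();
    return true;
}

// Exercises the builder against a 10-byte limit. Returns true only if the
// oversized append is refused and the already-accepted prefix is left intact.
bool builderRefusesOverflowAndKeepsState()
{
    TryStringBuilder builder(10);
    if (!builder.tryAppend("hello"))
        return false;
    if (builder.tryAppend("world!")) // 5 + 6 > 10 must be refused
        return false;
    if (builder.length() != 5 || builder.str() != "hello")
        return false;
    return builder.tryAppend("world") && builder.length() == 10;
}
```

        The point of keeping the failing append side-effect free is the one the entry
        makes about callers relying on the old behaviour: a builder that has already
        grown past its limit cannot be trusted by the code that follows, so a refused
        append must leave length and buffer exactly as they were.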

2018-05-01  Robin Morisset  <rmorisset@apple.com>

        IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
        https://bugs.webkit.org/show_bug.cgi?id=185162

        Reviewed by Filip Pizlo.

        * runtime/IntlObject.cpp:
        (JSC::removeUnicodeLocaleExtension):

2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>

        Add SetCallee as DFG-Operation
        https://bugs.webkit.org/show_bug.cgi?id=184582

        Reviewed by Filip Pizlo.

        For recursive tail calls not only the argument count can change but also the
        callee. Add SetCallee to DFG that sets the callee slot in the current call frame.
        Also update the callee when optimizing a recursive tail call.
        Enable recursive tail call optimization also for closures.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::handleCallVariant):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetCallee):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):

2018-05-01  Oleksandr Skachkov  <gskachkov@gmail.com>

        WebAssembly: add support for stream APIs - JavaScript API
        https://bugs.webkit.org/show_bug.cgi?id=183442

        Reviewed by Yusuke Suzuki and JF Bastien.

        Add WebAssembly stream API. The current patch only adds the functions
        WebAssembly.compileStreaming and WebAssembly.instantiateStreaming, but
        does not add a streaming implementation. So in the current version it
        only waits for the whole module to load, then starts to parse.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinNames.h:
        * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
        (compileStreaming):
        (instantiateStreaming):
        * jsc.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        * runtime/Options.h:
        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::hasPendingPromise):
        (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
        * runtime/PromiseDeferredTimer.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyModuleValidateAsyncInternal):
        (JSC::webAssemblyCompileFunc):
        (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
        (JSC::webAssemblyModuleInstantinateAsyncInternal):
        (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
        (JSC::webAssemblyCompileStreamingInternal):
        (JSC::webAssemblyInstantiateStreamingInternal):
        (JSC::WebAssemblyPrototype::create):
        (JSC::WebAssemblyPrototype::finishCreation):
        * wasm/js/WebAssemblyPrototype.h:

2018-04-30  Saam Barati  <sbarati@apple.com>

        ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=185149
        <rdar://problem/39455917>

        Reviewed by Filip Pizlo.

        The bug was that we were deleting checks that we shouldn't have deleted.
        This patch makes a helper inside strength reduction that converts to
        a LazyJSConstant while maintaining checks, and switches users of the
        node API inside strength reduction to instead call the helper function.
        
        This patch also fixes a potential bug where StringReplace and
        StringReplaceRegExp may not preserve all their checks.


        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):

2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        LICM shouldn't hoist nodes if hoisted nodes exited in that code block
        https://bugs.webkit.org/show_bug.cgi?id=185126

        Reviewed by Saam Barati.
        
        This change is just restoring functionality that we've already had for a while. It had been
        accidentally broken due to an unrelated CodeBlock refactoring.

        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):

2018-04-30  Mark Lam  <mark.lam@apple.com>

        Apply PtrTags to the MetaAllocator and friends.
        https://bugs.webkit.org/show_bug.cgi?id=185110
        <rdar://problem/39533895>

        Reviewed by Saam Barati.

        1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
        2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
           and add a sanity check to verify that allocated code buffers are within those
           bounds.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::debugAddress):
        (JSC::LinkBuffer::code):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        (JSC::InlineAccess::rewireStubAsJump):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::findPC):
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        (JSC::ExecutableAllocator::allocate):
        * jit/ExecutableAllocator.h:
        (JSC::isJITPC):
        (JSC::performJITMemcpy):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * runtime/JSCPtrTag.h:
        * wasm/WasmCallee.cpp:
        (JSC::Wasm::Callee::Callee):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Move the MayBePrototype JSCell header bit to InlineTypeFlags
        https://bugs.webkit.org/show_bug.cgi?id=185143

        Reviewed by Mark Lam.

        * runtime/IndexingType.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        (JSC::JSCell::mayBePrototype const):
        (JSC::JSCell::didBecomePrototype):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::mayBePrototype):
        (JSC::TypeInfo::mergeInlineTypeFlags):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Remove unneeded exception check from String.fromCharCode
        https://bugs.webkit.org/show_bug.cgi?id=185083

        Reviewed by Mark Lam.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Move StructureIsImmortal to out of line flags.
        https://bugs.webkit.org/show_bug.cgi?id=185101

        Reviewed by Saam Barati.

        This will free up a bit in the inline flags where we can move the
        isPrototype bit to. This will, in turn, free a bit for use in
        implementing copy on write butterflies.

        Also, this patch removes an assertion from Structure::typeInfo()
        that inadvertently makes the function invalid to call while
        cleaning up the vm.

        * heap/HeapCellType.cpp:
        (JSC::DefaultDestroyFunc::operator() const):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::callDestructor): Deleted.
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::hasStaticPropertyTable):
        (JSC::TypeInfo::structureIsImmortal const):
        * runtime/Structure.h:

2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove arity fixup check if the number of parameters is 1
        https://bugs.webkit.org/show_bug.cgi?id=183984

        Reviewed by Mark Lam.

        If the number of parameters is one (|this|), we never hit the arity fixup check.
        We do not need to emit arity fixup check code.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):

2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use WordLock instead of std::mutex for Threading
        https://bugs.webkit.org/show_bug.cgi?id=185121

        Reviewed by Geoffrey Garen.

        ThreadGroup starts using WordLock.

        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::getLock):

2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        B3 should run tail duplication at the bitter end
        https://bugs.webkit.org/show_bug.cgi?id=185123

        Reviewed by Geoffrey Garen.
        
        Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
        everywhere else.
        
        The goal of this change is to allow us to run path specialization after switch lowering but
        before tail duplication.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * runtime/Options.h:

2018-04-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231137.
        https://bugs.webkit.org/show_bug.cgi?id=185118

        It is breaking Test262 language/expressions/multiplication/order-of-evaluation.js
        (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231137

2018-04-28  Saam Barati  <sbarati@apple.com>

        We don't model regexp effects properly
        https://bugs.webkit.org/show_bug.cgi?id=185059
        <rdar://problem/39736150>

        Reviewed by Filip Pizlo.

        RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if
        the regexp is global.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-04-28  Rick Waldron  <waldron.rick@gmail.com>

        Token misspelled "tocken" in error message string
        https://bugs.webkit.org/show_bug.cgi?id=185030

        Reviewed by Saam Barati.

        * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::parseSourceElements):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseVariableDeclaration):
        (JSC::Parser<LexerType>::parseWhileStatement):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
        (JSC::Parser<LexerType>::parseObjectRestElement):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseBreakStatement):
        (JSC::Parser<LexerType>::parseContinueStatement):
        (JSC::Parser<LexerType>::parseThrowStatement):
        (JSC::Parser<LexerType>::parseWithStatement):
        (JSC::Parser<LexerType>::parseSwitchStatement):
        (JSC::Parser<LexerType>::parseSwitchClauses):
        (JSC::Parser<LexerType>::parseTryStatement):
        (JSC::Parser<LexerType>::parseBlockStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
        (JSC::Parser<LexerType>::parseExpressionStatement):
        (JSC::Parser<LexerType>::parseIfStatement):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseConditionalExpression):
        (JSC::Parser<LexerType>::parseBinaryExpression):
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral):
        (JSC::Parser<LexerType>::parseArrayLiteral):
        (JSC::Parser<LexerType>::parseArguments):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::operatorString):
        (JSC::Parser<LexerType>::parseUnaryExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):

2018-04-28  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned when there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231131.
        https://bugs.webkit.org/show_bug.cgi?id=185112

        It is breaking Debug build due to unchecked exception
        (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231131

2018-04-27  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned when there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-27  JF Bastien  <jfbastien@apple.com>

        Make the first 64 bits of JSString look like a double JSValue
        https://bugs.webkit.org/show_bug.cgi?id=185081

        Reviewed by Filip Pizlo.

        We can be clever about how we lay out JSString so that, were it
        reinterpreted as a JSValue, it would look like a double.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::and16):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::andw_mr):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::store32As8):
        (JSC::FTL::Output::store32As16):
        * runtime/JSString.h:
        (JSC::JSString::JSString):

2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
        https://bugs.webkit.org/show_bug.cgi?id=185055

        Reviewed by JF Bastien.

        This patch is paving the way to emitting the jscvt instruction if possible.
        To do that, we need to determine whether the jscvt instruction is supported
        on the given CPU.

        We add a function collectCPUFeatures, which is responsible for collecting
        CPU features if necessary. On Linux, we can use the auxiliary vector to get
        the information without parsing /proc/cpuinfo.

        Currently, nobody calls this function. It will be called later when we emit
        the jscvt instruction. To make that possible, we also need to add
        disassembler support.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerX86Common.h:

2018-04-26  Filip Pizlo  <fpizlo@apple.com>

        Also run foldPathConstants before mussing up SSA
        https://bugs.webkit.org/show_bug.cgi?id=185069

        Reviewed by Saam Barati.
        
        This isn't needed now, but will be once I implement the phase in bug 185060.
        
        This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
        Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
        be landed separately and measured separately from that phase.
        
        It's probably nice for sanity to have this and reduceStrength run before tail duplication and
        another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
        it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
        neutral. It all depends on what programs typically look like.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):

2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r231086.

        Caused JSC test failures due to an unchecked exception.

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231086

2018-04-26  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned when there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Speculative build fix for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        Not reviewed.

        * runtime/JSCPtrTag.h:

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Windows build fix.

        Not reviewed.

        * runtime/Options.cpp:

2018-04-26  Jer Noble  <jer.noble@apple.com>

        WK_COCOA_TOUCH all the things.
        https://bugs.webkit.org/show_bug.cgi?id=185006
        <rdar://problem/39736025>

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig:

2018-04-26  Per Arne Vollan  <pvollan@apple.com>

        Disable content filtering in minimal simulator mode
        https://bugs.webkit.org/show_bug.cgi?id=185027
        <rdar://problem/39736091>

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig:

2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Intl.PluralRules
        https://bugs.webkit.org/show_bug.cgi?id=184312

        Reviewed by JF Bastien.

        Use UNumberFormat to enforce formatting, and then UPluralRules to find
        the correct plural rule for the given number. Relies on ICU v59+ for
        resolvedOptions().pluralCategories and trailing 0 detection.
        Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/BuiltinNames.h:
        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
        * runtime/BigIntObject.h:
        * runtime/CommonIdentifiers.h:
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation):
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp: Added.
        (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
        (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
        (JSC::UEnumerationDeleter::operator() const):
        (JSC::IntlPluralRules::create):
        (JSC::IntlPluralRules::createStructure):
        (JSC::IntlPluralRules::IntlPluralRules):
        (JSC::IntlPluralRules::finishCreation):
        (JSC::IntlPluralRules::destroy):
        (JSC::IntlPluralRules::visitChildren):
        (JSC::IntlPRInternal::localeData):
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRules.h: Added.
        * runtime/IntlPluralRulesConstructor.cpp: Added.
        (JSC::IntlPluralRulesConstructor::create):
        (JSC::IntlPluralRulesConstructor::createStructure):
        (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
        (JSC::IntlPluralRulesConstructor::finishCreation):
        (JSC::constructIntlPluralRules):
        (JSC::callIntlPluralRules):
        (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
        (JSC::IntlPluralRulesConstructor::visitChildren):
        * runtime/IntlPluralRulesConstructor.h: Added.
        * runtime/IntlPluralRulesPrototype.cpp: Added.
        (JSC::IntlPluralRulesPrototype::create):
        (JSC::IntlPluralRulesPrototype::createStructure):
        (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
        (JSC::IntlPluralRulesPrototype::finishCreation):
        (JSC::IntlPluralRulesPrototypeFuncSelect):
        (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
        * runtime/IntlPluralRulesPrototype.h: Added.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
        * runtime/JSGlobalObject.h:
        * runtime/Options.h:
        * runtime/RegExpPrototype.cpp: Added inlines header.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Fix branch offsets in branchNeg32
        https://bugs.webkit.org/show_bug.cgi?id=185025

        Reviewed by Yusuke Suzuki.

        Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchNeg32):

2018-04-25  Robin Morisset  <rmorisset@apple.com>

        In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
        https://bugs.webkit.org/show_bug.cgi?id=184773
        <rdar://problem/37773612>

        Reviewed by Filip Pizlo.

        We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
        arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
        This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
        We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
        This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):

2018-04-25  Mark Lam  <mark.lam@apple.com>

        Push the definition of PtrTag down to the WTF layer.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARM64Assembler.h:
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerCodeRef.cpp:
        * assembler/MacroAssemblerCodeRef.h:
        * b3/B3MathExtras.cpp:
        * bytecode/LLIntCallLinkInfo.h:
        * disassembler/Disassembler.h:
        * ftl/FTLJITCode.cpp:
        * interpreter/InterpreterInlines.h:
        * jit/ExecutableAllocator.h:
        * jit/JITOperations.cpp:
        * jit/ThunkGenerator.h:
        * jit/ThunkGenerators.h:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntPCRanges.h:
        * runtime/JSCPtrTag.h: Added.
        * runtime/NativeFunction.h:
        * runtime/PtrTag.h: Removed.
        * runtime/VMTraps.cpp:

2018-04-25  Keith Miller  <keith_miller@apple.com>

        getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
        https://bugs.webkit.org/show_bug.cgi?id=184998

        Reviewed by Saam Barati.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2018-04-25  Keith Miller  <keith_miller@apple.com>

        Add missing scope release to functionProtoFuncToString
        https://bugs.webkit.org/show_bug.cgi?id=184995

        Reviewed by Saam Barati.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
        https://bugs.webkit.org/show_bug.cgi?id=184730

        Reviewed by Mark Lam.

        Add a swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (a temporary register in MacroAssemblerARM).
        We now use dataTempRegister, addressTempRegister, and fpTempRegister instead of using S0, S1, and SD0.

        We also change the swap(RegisterID, RegisterID) implementation to simply use moves and temporaries. This is aligned with
        the ARMv7 implementation.

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::add32):
        (JSC::MacroAssemblerARM::and32):
        (JSC::MacroAssemblerARM::lshift32):
        (JSC::MacroAssemblerARM::mul32):
        (JSC::MacroAssemblerARM::or32):
        (JSC::MacroAssemblerARM::rshift32):
        (JSC::MacroAssemblerARM::urshift32):
        (JSC::MacroAssemblerARM::sub32):
        (JSC::MacroAssemblerARM::xor32):
        (JSC::MacroAssemblerARM::load8):
        (JSC::MacroAssemblerARM::abortWithReason):
        (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store8):
        (JSC::MacroAssemblerARM::store32):
        (JSC::MacroAssemblerARM::push):
        (JSC::MacroAssemblerARM::swap):
        (JSC::MacroAssemblerARM::branch8):
        (JSC::MacroAssemblerARM::branchPtr):
        (JSC::MacroAssemblerARM::branch32):
        (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerARM::branchTest8):
        (JSC::MacroAssemblerARM::branchTest32):
        (JSC::MacroAssemblerARM::jump):
        (JSC::MacroAssemblerARM::branchAdd32):
        (JSC::MacroAssemblerARM::mull32):
        (JSC::MacroAssemblerARM::branchMul32):
        (JSC::MacroAssemblerARM::patchableBranch32):
        (JSC::MacroAssemblerARM::nearCall):
        (JSC::MacroAssemblerARM::compare32):
        (JSC::MacroAssemblerARM::compare8):
        (JSC::MacroAssemblerARM::test32):
        (JSC::MacroAssemblerARM::test8):
        (JSC::MacroAssemblerARM::add64):
        (JSC::MacroAssemblerARM::load32):
        (JSC::MacroAssemblerARM::call):
        (JSC::MacroAssemblerARM::branchPtrWithPatch):
        (JSC::MacroAssemblerARM::branch32WithPatch):
        (JSC::MacroAssemblerARM::storePtrWithPatch):
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        (JSC::MacroAssemblerARM::addDouble):
        (JSC::MacroAssemblerARM::divDouble):
        (JSC::MacroAssemblerARM::subDouble):
        (JSC::MacroAssemblerARM::mulDouble):
        (JSC::MacroAssemblerARM::convertInt32ToDouble):
        (JSC::MacroAssemblerARM::branchDouble):
        (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToUint32):
        (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerARM::branchDoubleNonZero):
        (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
        (JSC::MacroAssemblerARM::call32):
        (JSC::MacroAssemblerARM::internalCompare32):

2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>

        [WinCairo] Fix js/regexp-unicode.html crash.
        https://bugs.webkit.org/show_bug.cgi?id=184891

        Reviewed by Yusuke Suzuki.

        On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
        RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        Unconditionally save and restore RDI on 64-bit Windows.

2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>

        [GTK] Miscellaneous build cleanups
        https://bugs.webkit.org/show_bug.cgi?id=184399

        Reviewed by Žan Doberšek.

        * PlatformGTK.cmake:

2018-04-24  Keith Miller  <keith_miller@apple.com>

        fromCharCode is missing some exception checks
        https://bugs.webkit.org/show_bug.cgi?id=184952

        Reviewed by Saam Barati.

        I also removed the pointless slow path function and moved it into the
        main function.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromCharCodeSlowCase): Deleted.

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
        https://bugs.webkit.org/show_bug.cgi?id=184923

        Reviewed by Saam Barati.
        
        If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
        (i.e. we know that the object has one of those structures), then previously we would still emit a
        switch with a case per structure along with a default case. That would mean one extra redundant
        branch to check that whatever structure we wound up with belongs to the set. In that case, we
        were already making the default case be an Oops.
        
        One possible solution would be to say that the default case being Oops means that B3 doesn't need
        to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
        be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
        seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
        trap.
        
        So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
        extra branch.
        
        This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
        it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
        read.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE should know how to decay a MultiGetByOffset
        https://bugs.webkit.org/show_bug.cgi?id=159859

        Reviewed by Keith Miller.
        
        This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
        clobberize() can report a def() for MultiGetByOffset.
        
        This is a slight improvement to codegen in splay because splay is a heavy user of
        MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
        "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
        removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
        splay's time.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::remove):
        (JSC::DFG::Node::removeWithoutChecks):
        (JSC::DFG::Node::replaceWith):
        (JSC::DFG::Node::replaceWithWithoutChecks):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToMultiGetByOffset):
        (JSC::DFG::Node::replaceWith): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-04-24  Keith Miller  <keith_miller@apple.com>

        Update API docs with information on which run loop the VM will use
        https://bugs.webkit.org/show_bug.cgi?id=184900
        <rdar://problem/39166054>

        Reviewed by Mark Lam.

        * API/JSContextRef.h:
        * API/JSVirtualMachine.h:

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        $vm.totalGCTime() should be a thing
        https://bugs.webkit.org/show_bug.cgi?id=184916

        Reviewed by Sam Weinig.
        
        When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
        time spent in GC to determine if the regression is because the GC got slower.
        
        This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.

        * heap/Heap.cpp:
        (JSC::Heap::runEndPhase):
        * heap/Heap.h:
        (JSC::Heap::totalGCTime const):
        * tools/JSDollarVM.cpp:
        (JSC::functionTotalGCTime):
        (JSC::JSDollarVM::finishCreation):

2018-04-23  Zalan Bujtas  <zalan@apple.com>

        [LayoutFormattingContext] Initial commit.
        https://bugs.webkit.org/show_bug.cgi?id=184896

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2018-04-23  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, revert accidental change to verbose flag.

        * dfg/DFGByteCodeParser.cpp:

2018-04-23  Filip Pizlo  <fpizlo@apple.com>

        Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.

        Rubber stamped by Saam Barati.
        
        This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
        anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
        Seems sensible to just roll it out.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::parse):

2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove ModuleLoaderPrototype
        https://bugs.webkit.org/show_bug.cgi?id=184784

        Reviewed by Mark Lam.

        When we introduce ModuleLoaderPrototype, ModuleLoader may be created by users and exposed to users.
        However, the loader spec is abandoned. So we do not need to have ModuleLoaderPrototype and JSModuleLoader.
        This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::proxyRevokeStructure const):
        (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
        * runtime/JSModuleLoader.cpp:
        (JSC::moduleLoaderParseModule):
        (JSC::moduleLoaderRequestedModules):
        (JSC::moduleLoaderModuleDeclarationInstantiation):
        (JSC::moduleLoaderResolve):
        (JSC::moduleLoaderResolveSync):
        (JSC::moduleLoaderFetch):
        (JSC::moduleLoaderGetModuleNamespaceObject):
        (JSC::moduleLoaderEvaluate):
        * runtime/JSModuleLoader.h:
        * runtime/ModuleLoaderPrototype.cpp: Removed.
        * runtime/ModuleLoaderPrototype.h: Removed.

2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] All API tests fail in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=184813

        Reviewed by Mark Lam.

        This is because of a conflict of ExceptionHandler class used in tests and ExceptionHandler struct defined in
        JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler.

        * API/glib/JSCContext.cpp:
        (JSCContextExceptionHandler::JSCContextExceptionHandler):
        (JSCContextExceptionHandler::~JSCContextExceptionHandler):
        (jscContextConstructed):
        (ExceptionHandler::ExceptionHandler): Deleted.
        (ExceptionHandler::~ExceptionHandler): Deleted.

2018-04-20  Tim Horton  <timothy_horton@apple.com>

        Adjust geolocation feature flag
        https://bugs.webkit.org/show_bug.cgi?id=184856

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig:

2018-04-20  Brian Burg  <bburg@apple.com>

        Web Inspector: remove some dead code in IdentifiersFactory
        https://bugs.webkit.org/show_bug.cgi?id=184839

        Reviewed by Timothy Hatcher.

        This was never used on non-Chrome ports, so the identifier always has a
        prefix of '0.'. We may change this in the future, but for now remove this.
        Using a PID for this purpose is problematic anyway.

        * inspector/IdentifiersFactory.cpp:
        (Inspector::addPrefixToIdentifier):
        (Inspector::IdentifiersFactory::createIdentifier):
        (Inspector::IdentifiersFactory::requestId):
        (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
        * inspector/IdentifiersFactory.h:

2018-04-20  Mark Lam  <mark.lam@apple.com>

        Add the ability to use a hash for setting PtrTag enum values.
        https://bugs.webkit.org/show_bug.cgi?id=184852
        <rdar://problem/39613891>

        Reviewed by Saam Barati.

        * runtime/PtrTag.h:

2018-04-20  Mark Lam  <mark.lam@apple.com>

        Some JSEntryPtrTags should actually be JSInternalPtrTags.
        https://bugs.webkit.org/show_bug.cgi?id=184712
        <rdar://problem/39507381>

        Reviewed by Michael Saboff.

        1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
        2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
           only when needed.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callReturnLocation):
        (JSC::CallLinkInfo::patchableJump):
        (JSC::CallLinkInfo::hotPathBegin):
        (JSC::CallLinkInfo::slowPathStart):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::setCallLocations):
        (JSC::CallLinkInfo::hotPathOther):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::doneLocation):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::initialize):
        * ftl/FTLLazySlowPath.h:
        (JSC::FTL::LazySlowPath::done const):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::getCodePtr):
        (JSC::LLInt::getExecutableAddress): Deleted.
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):

2018-04-18  Jer Noble  <jer.noble@apple.com>

        Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
        https://bugs.webkit.org/show_bug.cgi?id=184762

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-04-20  Daniel Bates  <dabates@apple.com>

        Remove code for compilers that did not support NSDMI for aggregates
        https://bugs.webkit.org/show_bug.cgi?id=184599

        Reviewed by Per Arne Vollan.

        Remove workaround for earlier Visual Studio versions that did not support non-static data
        member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
        and EWS bots to a newer version that supports this feature.

        * domjit/DOMJITEffect.h:
        (JSC::DOMJIT::Effect::Effect): Deleted.
        * runtime/HasOwnPropertyCache.h:
        (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
        * wasm/WasmFormat.h:
        (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.

2018-04-20  Mark Lam  <mark.lam@apple.com>

        Build fix for internal builds after r230826.
        https://bugs.webkit.org/show_bug.cgi?id=184790
        <rdar://problem/39301369>

        Not reviewed.

        * runtime/Options.cpp:
        (JSC::overrideDefaults):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::dump):

2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>

        REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
        https://bugs.webkit.org/show_bug.cgi?id=184254
        <rdar://problem/39140200>

        Reviewed by Daniel Bates.

        Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.

        * runtime/ArrayBuffer.h:
        (JSC::ArrayBufferContents::ArrayBufferContents):

2018-04-19  Mark Lam  <mark.lam@apple.com>

        Apply pointer profiling to Signal pointers.
        https://bugs.webkit.org/show_bug.cgi?id=184790
        <rdar://problem/39301369>

        Reviewed by Michael Saboff.

        1. Change stackPointer, framePointer, and instructionPointer accessors to
           be a pair of getter/setter functions.
        2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
           pointer profiling variants of these accessors.
        3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).

        * JavaScriptCorePrefix.h:
        * runtime/MachineContext.h:
        (JSC::MachineContext::stackPointerImpl):
        (JSC::MachineContext::stackPointer):
        (JSC::MachineContext::setStackPointer):
        (JSC::MachineContext::framePointerImpl):
        (JSC::MachineContext::framePointer):
        (JSC::MachineContext::setFramePointer):
        (JSC::MachineContext::instructionPointerImpl):
        (JSC::MachineContext::instructionPointer):
        (JSC::MachineContext::setInstructionPointer):
        (JSC::MachineContext::linkRegisterImpl):
        (JSC::MachineContext::linkRegister):
        (JSC::MachineContext::setLinkRegister):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::takeSample):
        * runtime/VMTraps.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::VMTraps::tryInstallTrapBreakpoints):
        * tools/CodeProfiling.cpp:
        (JSC::profilingTimer):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::dump):
        (JSC::installCrashHandler):
        (JSC::SigillCrashAnalyzer::analyze):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):

2018-04-19  David Kilzer  <ddkilzer@apple.com>

        Enable Objective-C weak references
        <https://webkit.org/b/184789>
        <rdar://problem/39571716>

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        (CLANG_ENABLE_OBJC_WEAK): Enable.
        * Configurations/ToolExecutable.xcconfig:
        (CLANG_ENABLE_OBJC_ARC): Simplify.

2018-04-17  Filip Pizlo  <fpizlo@apple.com>

        The InternalFunction hierarchy should be in IsoSubspaces
        https://bugs.webkit.org/show_bug.cgi?id=184721

        Reviewed by Saam Barati.
        
        This moves InternalFunction into an IsoSubspace. It also moves all subclasses into IsoSubspaces,
        but subclasses that are the same size as InternalFunction share its subspace. I did this
        because the subclasses appear to just override methods, which are called dynamically via the
        structure or class of the object. So, I don't see a type confusion risk if UAF is used to
        allocate one kind of InternalFunction over another.

        * API/JSBase.h:
        * API/JSCallbackFunction.h:
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::subspaceFor):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/IsoSubspacePerVM.cpp: Added.
        (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
        (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
        (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
        (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
        (JSC::IsoSubspacePerVM::forVM):
        * heap/IsoSubspacePerVM.h: Added.
        (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
        * runtime/Error.h:
        * runtime/ErrorConstructor.h:
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::subspaceFor):
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/JSArrayBufferConstructor.h:
        * runtime/NativeErrorConstructor.h:
        * runtime/ProxyRevoke.h:
        * runtime/RegExpConstructor.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, Fix jsc shell
        https://bugs.webkit.org/show_bug.cgi?id=184600

        WebAssembly module loading does not finish with drainMicrotasks().
        So JSNativeStdFunction's capturing variables become invalid.
        This patch fixes this issue.

        * jsc.cpp:
        (functionDollarAgentStart):
        (runWithOptions):
        (runJSC):
        (jscmain):

2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>

        REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
        https://bugs.webkit.org/show_bug.cgi?id=184725

        Reviewed by Mark Lam.

        * jit/JIT.h:

2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Import tables in wasm modules
        https://bugs.webkit.org/show_bug.cgi?id=184738

        Reviewed by JF Bastien.

        This patch simply allows wasm modules to import tables from wasm modules / js re-exporting.
        Basically moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
        just works.

        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):

2018-04-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Fix build error and crash after PtrTag change
        https://bugs.webkit.org/show_bug.cgi?id=184732

        Reviewed by Mark Lam.

        Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
        MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
        twice with ARM-Thumb2.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):

2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Import globals from wasm modules
        https://bugs.webkit.org/show_bug.cgi?id=184736

        Reviewed by JF Bastien.

        This patch implements a feature importing globals to/from wasm modules.
        Since we are not supporting mutable globals now, we can just copy the
        global data when importing. Currently we do not support importing/exporting
        i64 globals. This will be supported once (1) mutable global bindings are
        specified and (2) BigInt based i64 importing/exporting is specified.

        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):

2018-04-18  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, fix build on ARM

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::readCallTarget):

2018-04-18  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, fix build with GCC

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):

2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, reland r230697, r230720, and r230724.
        https://bugs.webkit.org/show_bug.cgi?id=184600

        With CatchScope check.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ModuleLoaderPrototype.js:
        (globalPrivate.newRegistryEntry):
        (requestInstantiate):
        (link):
        * jsc.cpp:
        (convertShebangToJSComment):
        (fillBufferWithContentsOfFile):
        (fetchModuleFromLocalFileSystem):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarAgentStart):
        (checkException):
        (runWithOptions):
        * parser/NodesAnalyzeModule.cpp:
        (JSC::ImportDeclarationNode::analyzeModule):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::hostResolveImportedModule):
        (JSC::AbstractModuleRecord::resolveImport):
        (JSC::AbstractModuleRecord::link):
        (JSC::AbstractModuleRecord::evaluate):
        (JSC::identifierToJSValue): Deleted.
        * runtime/AbstractModuleRecord.h:
        (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
        (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::evaluate):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::link):
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSModuleRecord.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        (JSC::moduleLoaderPrototypeRequestedModules):
        (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
        * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        (JSC::createSourceBufferFromValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::prepareLink):
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::WebAssemblyPrototype::instantiate):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyValidateFunc):
        * wasm/js/WebAssemblyPrototype.h:

2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Make it possible to handle JSCClass external properties not added to the prototype
        https://bugs.webkit.org/show_bug.cgi?id=184687

        Reviewed by Michael Catanzaro.

        Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implementations for
        JSClassDefinition. This is required to implement dynamic properties that can't be added with
        jsc_class_add_property() for example to implement something like imports object in seed/gjs.

        * API/glib/JSCClass.cpp:
        (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
        can throw exceptions.
        (VTableExceptionHandler::~VTableExceptionHandler):
        (getProperty): Iterate the class chain to call get_property function.
        (setProperty): Iterate the class chain to call set_property function.
        (hasProperty): Iterate the class chain to call has_property function.
        (deleteProperty): Iterate the class chain to call delete_property function.
        (getPropertyNames): Iterate the class chain to call enumerate_properties function.
        (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
        jscClassCreate now.
        (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
        * API/glib/JSCClass.h:
        * API/glib/JSCClassPrivate.h:
        * API/glib/JSCContext.cpp:
        (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
        (jsc_context_register_class): Add JSCClassVTable parameter.
        * API/glib/JSCContext.h:
        * API/glib/JSCContextPrivate.h:
        * API/glib/JSCWrapperMap.cpp:
        (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
        * API/glib/JSCWrapperMap.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.

2018-04-17  Mark Lam  <mark.lam@apple.com>

        Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
        https://bugs.webkit.org/show_bug.cgi?id=184702
        <rdar://problem/35391681>

        Reviewed by Filip Pizlo and Saam Barati.

        1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
           to take a PtrTag template argument.
        2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
        (JSC::AbstractMacroAssembler::linkJump):
        (JSC::AbstractMacroAssembler::linkPointer):
        (JSC::AbstractMacroAssembler::getLinkerAddress):
        (JSC::AbstractMacroAssembler::repatchJump):
        (JSC::AbstractMacroAssembler::repatchJumpToNop):
        (JSC::AbstractMacroAssembler::repatchNearCall):
        (JSC::AbstractMacroAssembler::repatchCompact):
        (JSC::AbstractMacroAssembler::repatchInt32):
        (JSC::AbstractMacroAssembler::repatchPointer):
        (JSC::AbstractMacroAssembler::readPointer):
        (JSC::AbstractMacroAssembler::replaceWithLoad):
        (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
        * assembler/CodeLocation.h:
        (JSC::CodeLocationCommon:: const):
        (JSC::CodeLocationCommon::CodeLocationCommon):
        (JSC::CodeLocationInstruction::CodeLocationInstruction):
        (JSC::CodeLocationLabel::CodeLocationLabel):
        (JSC::CodeLocationLabel::retagged):
        (JSC::CodeLocationLabel:: const):
        (JSC::CodeLocationJump::CodeLocationJump):
        (JSC::CodeLocationJump::retagged):
        (JSC::CodeLocationCall::CodeLocationCall):
        (JSC::CodeLocationCall::retagged):
        (JSC::CodeLocationNearCall::CodeLocationNearCall):
        (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
        (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
        (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
        (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
        (JSC::CodeLocationCommon<tag>::instructionAtOffset):
        (JSC::CodeLocationCommon<tag>::labelAtOffset):
        (JSC::CodeLocationCommon<tag>::jumpAtOffset):
        (JSC::CodeLocationCommon<tag>::callAtOffset):
        (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
        (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
        (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
        (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
        (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
        (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
        (JSC::CodeLocationCommon::labelAtOffset): Deleted.
        (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
        (JSC::CodeLocationCommon::callAtOffset): Deleted.
        (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
        (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
        (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
        (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
        (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
        (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
        (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
        (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::link):
        (JSC::LinkBuffer::patch):
        (JSC::LinkBuffer::entrypoint):
        (JSC::LinkBuffer::locationOf):
        (JSC::LinkBuffer::locationOfNearCall):
        (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        (JSC::LinkBuffer::trampolineAt):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::readCallTarget):
        (JSC::MacroAssemblerARM::replaceWithJump):
        (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARM::repatchCall):
        (JSC::MacroAssemblerARM::linkCall):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::readCallTarget):
        (JSC::MacroAssemblerARM64::replaceWithVMHalt):
        (JSC::MacroAssemblerARM64::replaceWithJump):
        (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerARM64::repatchCall):
        (JSC::MacroAssemblerARM64::linkCall):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::replaceWithJump):
        (JSC::MacroAssemblerARMv7::readCallTarget):
        (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerARMv7::repatchCall):
        (JSC::MacroAssemblerARMv7::linkCall):
        * assembler/MacroAssemblerCodeRef.cpp:
        (JSC::MacroAssemblerCodePtrBase::dumpWithName):
        (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
        (JSC::MacroAssemblerCodeRefBase::disassembly):
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
        (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
        (JSC::MacroAssemblerCodePtr::dump const): Deleted.
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
        (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
        (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
        (JSC::MacroAssemblerCodeRef::dump const): Deleted.
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):
        (JSC::FunctionPtr::retagged const):
        (JSC::FunctionPtr::retaggedExecutableAddress const):
        (JSC::FunctionPtr::operator== const):
        (JSC::FunctionPtr::operator!= const):
        (JSC::ReturnAddressPtr::ReturnAddressPtr):
        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
        (JSC::MacroAssemblerCodePtr::retagged const):
        (JSC::MacroAssemblerCodePtr:: const):
        (JSC::MacroAssemblerCodePtr::dumpWithName const):
        (JSC::MacroAssemblerCodePtr::dump const):
        (JSC::MacroAssemblerCodePtrHash::hash):
        (JSC::MacroAssemblerCodePtrHash::equal):
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
        (JSC::MacroAssemblerCodeRef::code const):
        (JSC::MacroAssemblerCodeRef::retaggedCode const):
        (JSC::MacroAssemblerCodeRef::retagged const):
        (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
        (JSC::MacroAssemblerCodeRef::disassembly const):
        (JSC::MacroAssemblerCodeRef::dump const):
        (JSC::FunctionPtr<tag>::FunctionPtr):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::readCallTarget):
        (JSC::MacroAssemblerMIPS::replaceWithJump):
        (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::repatchCall):
        (JSC::MacroAssemblerMIPS::linkCall):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::readCallTarget):
        (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86::repatchCall):
        (JSC::MacroAssemblerX86::linkCall):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::repatchCompact):
        (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
        (JSC::MacroAssemblerX86Common::replaceWithJump):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::readCallTarget):
        (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerX86_64::repatchCall):
        (JSC::MacroAssemblerX86_64::linkCall):
        * assembler/testmasm.cpp:
        (JSC::compile):
        (JSC::invoke):
        (JSC::testProbeModifiesProgramCounter):
        * b3/B3Compilation.cpp:
        (JSC::B3::Compilation::Compilation):
        * b3/B3Compilation.h:
        (JSC::B3::Compilation::code const):
        (JSC::B3::Compilation::codeRef const):
        * b3/B3Compile.cpp:
        (JSC::B3::compile):
        * b3/B3LowerMacros.cpp:
        * b3/air/AirDisassembler.cpp:
        (JSC::B3::Air::Disassembler::dump):
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        (JSC::B3::invoke):
        (JSC::B3::testInterpreter):
        (JSC::B3::testEntrySwitchSimple):
        (JSC::B3::testEntrySwitchNoEntrySwitch):
        (JSC::B3::testEntrySwitchWithCommonPaths):
        (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
        (JSC::B3::testEntrySwitchLoop):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCaseSnippetParams.cpp:
        (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callReturnLocation):
        (JSC::CallLinkInfo::patchableJump):
        (JSC::CallLinkInfo::hotPathBegin):
        (JSC::CallLinkInfo::slowPathStart):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::setCallLocations):
        (JSC::CallLinkInfo::hotPathOther):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):
        (JSC::GetByIdVariant::dumpInContext const):
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::customAccessorGetter const):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::create):
        (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
        (JSC::GetterSetterAccessCase::dumpImpl const):
        * bytecode/GetterSetterAccessCase.h:
        (JSC::GetterSetterAccessCase::customAccessor const):
        (): Deleted.
        * bytecode/HandlerInfo.h:
        (JSC::HandlerInfo::initialize):
        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        (JSC::InlineAccess::rewireStubAsJump):
        * bytecode/InlineAccess.h:
        * bytecode/JumpTable.h:
        (JSC::StringJumpTable::ctiForValue):
        (JSC::SimpleJumpTable::ctiForValue):
        * bytecode/LLIntCallLinkInfo.h:
        (JSC::LLIntCallLinkInfo::unlink):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationResult::AccessGenerationResult):
        (JSC::AccessGenerationResult::code const):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::slowPathCallLocation):
        (JSC::StructureStubInfo::doneLocation):
        (JSC::StructureStubInfo::slowPathStartLocation):
        (JSC::StructureStubInfo::patchableJumpForIn):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::appendCatchEntrypoint):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpDisassembly):
        * dfg/DFGDriver.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::CallLinkRecord::CallLinkRecord):
        (JSC::DFG::JITCompiler::appendCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
        (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::JITFinalizer):
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGJumpReplacement.h:
        (JSC::DFG::JumpReplacement::JumpReplacement):
        * dfg/DFGNode.h:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGOSREntry.h:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::OSRExit::codeLocationForRepatch const):
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::osrWriteBarrier):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
        (JSC::DFG::slowPathCall):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMathIC):
        (JSC::DFG::SpeculativeJIT::compileCallDOM):
        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::appendCall):
        (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
        (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitThunkGenerator):
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * dfg/DFGThunks.h:
        * disassembler/ARM64Disassembler.cpp:
        (JSC::tryToDisassemble):
        * disassembler/ARMv7Disassembler.cpp:
        (JSC::tryToDisassemble):
        * disassembler/Disassembler.cpp:
        (JSC::disassemble):
        (JSC::disassembleAsynchronously):
        * disassembler/Disassembler.h:
        (JSC::tryToDisassemble):
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/UDis86Disassembler.h:
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/X86Disassembler.cpp:
        (JSC::tryToDisassemble):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLExceptionTarget.cpp:
        (JSC::FTL::ExceptionTarget::label):
        (JSC::FTL::ExceptionTarget::jumps):
        * ftl/FTLExceptionTarget.h:
        * ftl/FTLGeneratedFunction.h:
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::initializeB3Code):
        (JSC::FTL::JITCode::initializeAddressForCall):
        (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
        (JSC::FTL::JITCode::addressForCall):
        (JSC::FTL::JITCode::executableAddressAtOffset):
        * ftl/FTLJITCode.h:
        (JSC::FTL::JITCode::b3Code const):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::initialize):
        (JSC::FTL::LazySlowPath::generate):
        * ftl/FTLLazySlowPath.h:
        (JSC::FTL::LazySlowPath::patchableJump const):
        (JSC::FTL::LazySlowPath::done const):
        (JSC::FTL::LazySlowPath::stub const):
        * ftl/FTLLazySlowPathCall.h:
        (JSC::FTL::createLazyCallGenerator):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::codeLocationForRepatch const):
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOSRExitHandle.cpp:
        (JSC::FTL::OSRExitHandle::emitExitThunk):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::compileFTLLazySlowPath):
        * ftl/FTLPatchpointExceptionHandle.cpp:
        (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
        * ftl/FTLSlowPathCall.cpp:
        (JSC::FTL::SlowPathCallContext::keyWithTarget const):
        (JSC::FTL::SlowPathCallContext::makeCall):
        * ftl/FTLSlowPathCall.h:
        (JSC::FTL::callOperation):
        * ftl/FTLSlowPathCallKey.cpp:
        (JSC::FTL::SlowPathCallKey::dump const):
        * ftl/FTLSlowPathCallKey.h:
        (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
        (JSC::FTL::SlowPathCallKey::callTarget const):
        (JSC::FTL::SlowPathCallKey::withCallTarget):
        (JSC::FTL::SlowPathCallKey::hash const):
        (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        (JSC::FTL::osrExitGenerationThunkGenerator):
        (JSC::FTL::lazySlowPathGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * ftl/FTLThunks.h:
        (JSC::FTL::generateIfNecessary):
        (JSC::FTL::keyForThunk):
        (JSC::FTL::Thunks::getSlowPathCallThunk):
        (JSC::FTL::Thunks::keyForSlowPathCallThunk):
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::getOpcodeID):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::callExceptionFuzz):
        (JSC::AssemblyHelpers::emitDumbVirtualCall):
        (JSC::AssemblyHelpers::debugCall):
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::ensureShadowChickenPacket):
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
        (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
        (JSC::createJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h:
        (JSC::createJITStubRoutine):
        * jit/JIT.cpp:
        (JSC::ctiPatchCallByReturnAddress):
        (JSC::JIT::compileWithoutLinking):
        (JSC::JIT::link):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JIT.h:
        (JSC::CallRecord::CallRecord):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitMathICFast):
        (JSC::JIT::emitMathICSlow):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCode.cpp:
        (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
        (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
        (JSC::DirectJITCode::DirectJITCode):
        (JSC::DirectJITCode::initializeCodeRef):
        (JSC::DirectJITCode::addressForCall):
        (JSC::NativeJITCode::NativeJITCode):
        (JSC::NativeJITCode::initializeCodeRef):
        (JSC::NativeJITCode::addressForCall):
        * jit/JITCode.h:
        * jit/JITCodeMap.h:
        (JSC::JITCodeMap::Entry::Entry):
        (JSC::JITCodeMap::Entry::codeLocation):
        (JSC::JITCodeMap::append):
        (JSC::JITCodeMap::find const):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpDisassembly):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::finalize):
        * jit/JITInlines.h:
        (JSC::JIT::emitNakedCall):
        (JSC::JIT::emitNakedTailCall):
        (JSC::JIT::appendCallWithExceptionCheck):
        (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
        (JSC::JIT::appendCallWithCallFrameRollbackOnException):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::privateCompileHasIndexedProperty):
        (JSC::JIT::emitSlow_op_has_indexed_property):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id_direct):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id_with_this):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/JITStubRoutine.h:
        (JSC::JITStubRoutine::JITStubRoutine):
        (JSC::JITStubRoutine::createSelfManagedRoutine):
        (JSC::JITStubRoutine::code const):
        (JSC::JITStubRoutine::asCodePtr):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        (JSC::JITThunks::ctiNativeTailCall):
        (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
        (JSC::JITThunks::ctiInternalFunctionCall):
        (JSC::JITThunks::ctiInternalFunctionConstruct):
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::existingCTIStub):
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITThunks.h:
        * jit/PCToCodeOriginMap.cpp:
        (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
        * jit/PCToCodeOriginMap.h:
        * jit/PolymorphicCallStubRoutine.cpp:
        (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
        * jit/PolymorphicCallStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::readPutICCallTarget):
        (JSC::ftlThunkAwareRepatchCall):
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGetByIdFunction):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryCacheIn):
        (JSC::repatchIn):
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::linkDirectFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        * jit/Repatch.h:
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        (JSC::SpecializedThunkJIT::callDoubleToDouble):
        (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
        * jit/ThunkGenerator.h:
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::linkCallThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::nativeCallGenerator):
        (JSC::nativeTailCallGenerator):
        (JSC::nativeTailCallWithoutSavedTagsGenerator):
        (JSC::nativeConstructGenerator):
        (JSC::internalFunctionCallGenerator):
        (JSC::internalFunctionConstructGenerator):
        (JSC::arityFixupGenerator):
        (JSC::unreachableGenerator):
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::clz32ThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::truncThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::imulThunkGenerator):
        (JSC::randomThunkGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * jit/ThunkGenerators.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::getExecutableAddress):
        (JSC::LLInt::getCodePtr):
        (JSC::LLInt::getCodeRef):
        (JSC::LLInt::getCodeFunctionPtr):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * llint/LLIntThunks.cpp:
        (JSC::vmEntryToWasm):
        (JSC::LLInt::generateThunkWithJumpTo):
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        (JSC::LLInt::moduleProgramEntryThunkGenerator):
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::addOSRExitSite):
        * profiler/ProfilerCompilation.h:
        * profiler/ProfilerOSRExitSite.cpp:
        (JSC::Profiler::OSRExitSite::toJS const):
        * profiler/ProfilerOSRExitSite.h:
        (JSC::Profiler::OSRExitSite::OSRExitSite):
        (JSC::Profiler::OSRExitSite::codeAddress const):
        (JSC::Profiler::OSRExitSite:: const): Deleted.
        * runtime/ExecutableBase.cpp:
        (JSC::ExecutableBase::clearCode):
        * runtime/ExecutableBase.h:
        (JSC::ExecutableBase::entrypointFor):
        * runtime/NativeExecutable.cpp:
        (JSC::NativeExecutable::finishCreation):
        * runtime/NativeFunction.h:
        (JSC::TaggedNativeFunction::TaggedNativeFunction):
        (JSC::TaggedNativeFunction::operator NativeFunction):
        * runtime/PtrTag.h:
        (JSC::tagCodePtr):
        (JSC::untagCodePtr):
        (JSC::retagCodePtr):
        (JSC::tagCFunctionPtr):
        (JSC::untagCFunctionPtr):
        (JSC::nextPtrTagID): Deleted.
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setCustomValue):
        (JSC::PutPropertySlot::setCustomAccessor):
        (JSC::PutPropertySlot::customSetter const):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::installCode):
        * runtime/VM.cpp:
        (JSC::VM::getHostFunction):
        (JSC::VM::getCTIInternalFunctionTrampolineFor):
        * runtime/VM.h:
        (JSC::VM::getCTIStub):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
        (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBBQPlan.h:
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmBinding.h:
        * wasm/WasmCallee.h:
        (JSC::Wasm::Callee::entrypoint const):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
        * wasm/WasmCodeBlock.h:
        (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        * wasm/WasmFormat.h:
        * wasm/WasmInstance.h:
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
        (JSC::Wasm::triggerOMGTierUpThunkGenerator):
        (JSC::Wasm::Thunks::stub):
        (JSC::Wasm::Thunks::existingStub):
        * wasm/WasmThunks.h:
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJS):
        * wasm/js/WasmToJS.h:
        * wasm/js/WebAssemblyFunction.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
        (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::set8BitCode):
        (JSC::Yarr::YarrCodeBlock::set16BitCode):
        (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::execute):
        (JSC::Yarr::YarrCodeBlock::clear):

2018-04-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r230697, r230720, and r230724.
        https://bugs.webkit.org/show_bug.cgi?id=184717

        These caused multiple failures on the Test262 testers.
        (Requested by mlewis13 on #webkit).

        Reverted changesets:

        "[WebAssembly][Modules] Prototype wasm import"
        https://bugs.webkit.org/show_bug.cgi?id=184600
        https://trac.webkit.org/changeset/230697

        "[WebAssembly][Modules] Implement function import from wasm
        modules"
        https://bugs.webkit.org/show_bug.cgi?id=184689
        https://trac.webkit.org/changeset/230720

        "[JSC] Rename runWebAssembly to runWebAssemblySuite"
        https://bugs.webkit.org/show_bug.cgi?id=184703
        https://trac.webkit.org/changeset/230724

2018-04-17  JF Bastien  <jfbastien@apple.com>

        A put is not an ExistingProperty put when we transition a structure because of an attributes change
        https://bugs.webkit.org/show_bug.cgi?id=184706
        <rdar://problem/38871451>

        Reviewed by Saam Barati.

        When putting a property on a structure and the slot is a different
        type, the slot can't be said to have already been existing.

        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):

2018-04-17  Filip Pizlo  <fpizlo@apple.com>

        JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
        https://bugs.webkit.org/show_bug.cgi?id=184705

        Reviewed by Michael Saboff.
        
        My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
        while testing an unrelated patch, a concurrent GC thread crashed inside
        JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
        because a typed array became wasteful concurrently to the GC. So, visitChildren() read one
        mode and another vector.
        
        The fix is to lock inside visitChildren and anyone who changes those fields.
        
        I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
        this.

        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::neuter):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):

2018-04-16  Filip Pizlo  <fpizlo@apple.com>

        PutStackSinkingPhase should know that KillStack means ConflictingFlush
        https://bugs.webkit.org/show_bug.cgi?id=184672

        Reviewed by Michael Saboff.

        We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
        KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
        archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
        intentional - I don't know.

        Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
        doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
        the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
        KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailability uses ConflictingFlush. I think
        that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
        specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
        could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
        KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
        inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
        have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
        values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
        value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.

        This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
        them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
        its stack slot for the purpose of clobberize.

        * dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
        * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
        * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
        (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):

2018-04-17  Filip Pizlo  <fpizlo@apple.com>

        JSWebAssemblyCodeBlock should be in an IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=184704

        Reviewed by Mark Lam.
        
        Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
        CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
        shortcircuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
        protection.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * wasm/js/JSWebAssemblyCodeBlock.h:

2018-04-17  Jer Noble  <jer.noble@apple.com>

        Only enable useSeparatedWXHeap on ARM64.
        https://bugs.webkit.org/show_bug.cgi?id=184697

        Reviewed by Saam Barati.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Implement function import from wasm modules
        https://bugs.webkit.org/show_bug.cgi?id=184689

        Reviewed by JF Bastien.

        This patch implements function import from wasm modules. We move function importing part
        from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
        is because linking these functions requires that all the dependent modules are created.
        While we want to move all the linking functionality from JSWebAssemblyInstance to
        WebAssemblyModuleRecord::link, we do not do that in this patch.  In this patch, we move only
        function importing part because efficient compilation of WebAssembly needs to know
        the type of WebAssemblyMemory (signaling or bounds checking). This needs to know the imported
        or attached WebAssembly memory object. So we cannot defer this linking to
        WebAssemblyModuleRecord::link now.

        The largest difference from JS module linking is that WebAssembly module linking links
        functions from the module by snapshotting. When you have a cyclic module graph like this,

        -> JS1 (export "fun") -> Wasm1 (import "fun" from JS1) -+
            ^                                                   |
            +---------------------------------------------------+

        we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
        is described in [1], and tested in this patch.

        [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (functionDollarAgentStart):
        (checkException):
        (runWithOptions):
        Small fixes for wasm module loading.

        * parser/NodesAnalyzeModule.cpp:
        (JSC::ImportDeclarationNode::analyzeModule):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::resolveImport):
        (JSC::AbstractModuleRecord::link):
        * runtime/AbstractModuleRecord.h:
        (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
        (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
        Now, wasm modules can have an import which is named "*". So this function does not work.
        Since wasm modules never have namespace importing, we check this in JS's module analyzer.

        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::instantiateDeclarations):
        * wasm/WasmCreationMode.h: Added.
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::WebAssemblyPrototype::instantiate):
        (JSC::webAssemblyInstantiateFunc):

2018-04-17  Dominik Infuehr  <dinfuehr@igalia.com>

        Implement setupArgumentsImpl for ARM and MIPS
        https://bugs.webkit.org/show_bug.cgi?id=183786

        Reviewed by Yusuke Suzuki.

        Implement setupArgumentsImpl for ARM (hardfp and softfp) and MIPS calling convention. Added
        numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
        registers used for 64-bit values on 32-bit architectures. numCrossSources
        keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::moveDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::moveDouble):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupStubCrossArgs):
        (JSC::CCallHelpers::ArgCollection::ArgCollection):
        (JSC::CCallHelpers::ArgCollection::pushRegArg):
        (JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
        (JSC::CCallHelpers::ArgCollection::addGPRArg):
        (JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
        (JSC::CCallHelpers::ArgCollection::addStackArg):
        (JSC::CCallHelpers::ArgCollection::addPoke):
        (JSC::CCallHelpers::ArgCollection::argCount):
        (JSC::CCallHelpers::calculatePokeOffset):
        (JSC::CCallHelpers::pokeForArgument):
        (JSC::CCallHelpers::stackAligned):
        (JSC::CCallHelpers::marshallArgumentRegister):
        (JSC::CCallHelpers::setupArgumentsImpl):
        (JSC::CCallHelpers::pokeArgumentsAligned):
        (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
        (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
        (JSC::CCallHelpers::setupArguments):
        * jit/FPRInfo.h:
        (JSC::FPRInfo::toArgumentRegister):

2018-04-17  Saam Barati  <sbarati@apple.com>

        Add system trace points for process launch and for initializeWebProcess
        https://bugs.webkit.org/show_bug.cgi?id=184669

        Reviewed by Simon Fraser.

        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):

2018-04-17  Jer Noble  <jer.noble@apple.com>

        Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
        https://bugs.webkit.org/show_bug.cgi?id=184602

        Reviewed by Beth Dakin.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add API to clear JSCContext uncaught exception
        https://bugs.webkit.org/show_bug.cgi?id=184685

        Reviewed by Žan Doberšek.

        Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.

        * API/glib/JSCContext.cpp:
        (jsc_context_clear_exception):
        * API/glib/JSCContext.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-04-17  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add API to query, delete and enumerate properties
        https://bugs.webkit.org/show_bug.cgi?id=184647

        Reviewed by Michael Catanzaro.

        Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().

        * API/glib/JSCValue.cpp:
        (jsc_value_object_has_property):
        (jsc_value_object_delete_property):
        (jsc_value_object_enumerate_properties):
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Prototype wasm import
        https://bugs.webkit.org/show_bug.cgi?id=184600

        Reviewed by JF Bastien.

        This patch is an initial attempt to implement Wasm loading in the module pipeline.
        Currently,

        1. We only support Wasm loading in the JSC shell. Once the loading mechanism is specified
           in whatwg HTML, we should integrate this into WebCore.

        2. We only support exporting values from Wasm. A Wasm module cannot import anything from
           other modules now.

        When loading a file, the JSC shell checks the wasm magic. If the wasm magic is found, the JSC shell
        loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and the
        module loader pipeline just handles it the same as JS. When parsing a module, we
        check the type of JSSourceCode. If the source code is Wasm source code, we create a
        WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
        AbstractModuleRecord and the Wasm module is instantiated, linked, and evaluated.

        * builtins/ModuleLoaderPrototype.js:
        (globalPrivate.newRegistryEntry):
        (requestInstantiate):
        (link):
        * jsc.cpp:
        (convertShebangToJSComment):
        (fillBufferWithContentsOfFile):
        (fetchModuleFromLocalFileSystem):
        (GlobalObject::moduleLoaderFetch):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::hostResolveImportedModule):
        (JSC::AbstractModuleRecord::link):
        (JSC::AbstractModuleRecord::evaluate):
        (JSC::identifierToJSValue): Deleted.
        * runtime/AbstractModuleRecord.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::evaluate):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::link):
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSModuleRecord.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        (JSC::moduleLoaderPrototypeRequestedModules):
        (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        (JSC::createSourceBufferFromValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::prepareLink):
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::WebAssemblyPrototype::instantiate):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyValidateFunc):
        * wasm/js/WebAssemblyPrototype.h:

2018-04-14  Filip Pizlo  <fpizlo@apple.com>

        Function.prototype.caller shouldn't return generator bodies
        https://bugs.webkit.org/show_bug.cgi?id=184630

        Reviewed by Yusuke Suzuki.
        
        Function.prototype.caller no longer returns generator bodies. Those are meant to be
        private.
        
        Also added some builtin debugging tools so that it's easier to do the investigation that I
        did.

        * builtins/BuiltinNames.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::callerGetter):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncBuiltinDescribe):
        * runtime/JSGlobalObjectFunctions.h:

2018-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove duplicate 32bit ProfileType implementation
        https://bugs.webkit.org/show_bug.cgi?id=184536

        Reviewed by Saam Barati.

        This patch removes duplicate 32bit ProfileType implementation by unifying 32/64 implementations.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileProfileType):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfUndefined):
        (JSC::AssemblyHelpers::branchIfNull):

2018-04-12  Mark Lam  <mark.lam@apple.com>

        Consolidate some PtrTags.
        https://bugs.webkit.org/show_bug.cgi?id=184552
        <rdar://problem/39389404>

        Reviewed by Filip Pizlo.

        Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
        Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::repatchNearCall):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::readCallTarget):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::readCallTarget):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::readCallTarget):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::readCallTarget):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::readCallTarget):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::rewireStubAsJump):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::executableAddressAtOffset):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::generate):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOSRExitHandle.cpp:
        (JSC::FTL::OSRExitHandle::emitExitThunk):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitDumbVirtualCall):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        (JSC::JIT::link):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCode.cpp:
        (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
        (JSC::NativeJITCode::addressForCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitNakedCall):
        (JSC::JIT::emitNakedTailCall):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/Repatch.cpp:
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::linkPolymorphicCall):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        (JSC::LLInt::moduleProgramEntryThunkGenerator):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/NativeExecutable.cpp:
        (JSC::NativeExecutable::finishCreation):
        * runtime/NativeFunction.h:
        (JSC::TaggedNativeFunction::TaggedNativeFunction):
        (JSC::TaggedNativeFunction::operator NativeFunction):
        * runtime/PtrTag.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
        (JSC::Wasm::triggerOMGTierUpThunkGenerator):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):
        * wasm/js/WebAssemblyFunction.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):

2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE] Move libWPEWebInspectorResources.so to pkglibdir
        https://bugs.webkit.org/show_bug.cgi?id=184379

        Reviewed by Žan Doberšek.

        Load the module from the new location.

        * PlatformWPE.cmake:
        * inspector/remote/glib/RemoteInspectorUtils.cpp:
        (Inspector::backendCommands):

2018-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove compileBigIntEquality in DFG 32bit
        https://bugs.webkit.org/show_bug.cgi?id=184535

        Reviewed by Saam Barati.

        We can have the unified implementation for compileBigIntEquality.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.

2018-04-12  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE] Improve include hierarchy
        https://bugs.webkit.org/show_bug.cgi?id=184376

        Reviewed by Žan Doberšek.

        Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
        /usr/include/wpe-0.1/WPE/jsc.

        * PlatformWPE.cmake:

2018-04-11  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Handle strings containing null characters
        https://bugs.webkit.org/show_bug.cgi?id=184450

        Reviewed by Michael Catanzaro.

        We should be able to evaluate scripts containing null characters and to handle strings that contain them
        too. In JavaScript, strings are not null-terminated; they can contain null characters. This patch adds a length
        parameter to jsc_context_evaluate() to pass the script length (or -1 if it's null terminated), and new functions
        jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
        contain null characters.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::create): Add a create constructor that takes the String.
        * API/OpaqueJSString.h:
        (OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
        * API/glib/JSCContext.cpp:
        (jsc_context_evaluate): Add length parameter.
        (jsc_context_evaluate_with_source_uri): Ditto.
        * API/glib/JSCContext.h:
        * API/glib/JSCValue.cpp:
        (jsc_value_new_string_from_bytes):
        (jsc_value_to_string):
        (jsc_value_to_string_as_bytes):
        (jsc_value_object_is_instance_of): Pass length to evaluate.
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
        https://bugs.webkit.org/show_bug.cgi?id=184500

        Reviewed by Mark Lam.

        Instead of passing JSValue::JSCellTag to the callOperation meta-program to convert
        a JSCell GPR to EncodedJSValue in 32bit code, we add CCallHelpers::CellValue.
        It is a wrapper for GPRReg, like TrustedImmPtr for a pointer value. When poking
        a CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
        poke the held GPR. The benefit of this CellValue is that we can use the same code
        for 32bit and 64bit. This patch removes several ifdefs.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
        (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::CellValue::CellValue):
        (JSC::CCallHelpers::CellValue::gpr const):
        (JSC::CCallHelpers::setupArgumentsImpl):

2018-04-11  Mark Lam  <mark.lam@apple.com>

        [Build fix] Replace CompactJITCodeMap with JITCodeMap.
        https://bugs.webkit.org/show_bug.cgi?id=184512
        <rdar://problem/35391728>

        Not reviewed.

        * bytecode/CodeBlock.h:
        * jit/JITCodeMap.h:

2018-04-11  Mark Lam  <mark.lam@apple.com>

        Replace CompactJITCodeMap with JITCodeMap.
        https://bugs.webkit.org/show_bug.cgi?id=184512
        <rdar://problem/35391728>

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setJITCodeMap):
        (JSC::CodeBlock::jitCodeMap const):
        (JSC::CodeBlock::jitCodeMap): Deleted.
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
        * jit/AssemblyHelpers.h:
        * jit/CompactJITCodeMap.h: Removed.
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITCodeMap.h: Added.
        (JSC::JITCodeMap::Entry::Entry):
        (JSC::JITCodeMap::Entry::bytecodeIndex const):
        (JSC::JITCodeMap::Entry::codeLocation):
        (JSC::JITCodeMap::append):
        (JSC::JITCodeMap::finish):
        (JSC::JITCodeMap::find const):
        (JSC::JITCodeMap::operator bool const):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove CompareSlowPathGenerator
        https://bugs.webkit.org/show_bug.cgi?id=184492

        Reviewed by Mark Lam.

        Now CompareSlowPathGenerator is just calling a specified function.
        This can be altered with slowPathCall. This patch removes CompareSlowPathGenerator.

        We also remove some unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
        introducing a new constructor for GPRTemporary.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCompareSlowPathGenerator.h: Removed.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::SpeculativeJIT::compileIsCellWithType):
        (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
        (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
        (JSC::DFG::SpeculativeJIT::compileIsObject):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):

2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for 32bit
        https://bugs.webkit.org/show_bug.cgi?id=184236

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetDirectPname):

2018-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove duplicate 32bit code more
        https://bugs.webkit.org/show_bug.cgi?id=184236

        Reviewed by Mark Lam.

        Remove duplicate 32bit code more aggressively part 2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCompareSlowPathGenerator.h: Added.
        (JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
        Drop boxing part. Use unblessedBooleanResult in DFGSpeculativeJIT side instead.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
        (JSC::DFG::SpeculativeJIT::compileLoadVarargs):
        (JSC::DFG::SpeculativeJIT::compileIsObject):
        (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
        (JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
        (JSC::DFG::SpeculativeJIT::compilePutById):
        (JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
        (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
        (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
        (): Deleted.
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
        (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
        operationHasIndexedPropertyByInt starts returning unblessed boolean with size_t.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::loadValue):
        (JSC::AssemblyHelpers::selectScratchGPR):
        (JSC::AssemblyHelpers::constructRegisterSet):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::setAny):
        Clean up selectScratchGPR code to pass JSValueRegs.

2018-04-10  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Add support for BigInt in SpeculatedType
        https://bugs.webkit.org/show_bug.cgi?id=182470

        Reviewed by Saam Barati.

        This patch introduces the SpecBigInt type to DFG to enable BigInt
        speculation into DFG and FTL.

        With the SpecBigInt introduction, we can then specialize "===" operations
        for BigInts. As we are doing for some cells, we first check if the operands
        are pointing to the same JSCell, and if that is false, we
        fall back to "operationCompareStrictEqCell". The idea in further
        patches is to implement the BigInt equality check directly in
        assembly.

        We are also adding support for BigInt constant folding into
        TypeOf operation.

        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationFromClassInfo):
        (JSC::speculationFromStructure):
        (JSC::speculationFromJSType):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        (JSC::isBigIntSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToThis):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        * dfg/DFGInferredTypeCheck.cpp:
        (JSC::DFG::insertInferredTypeCheck):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateBigInt):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateBigInt):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
        (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::branchIfNotType):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfBigInt):
        (JSC::AssemblyHelpers::branchIfNotBigInt):
        * runtime/InferredType.cpp:
        (JSC::InferredType::Descriptor::forValue):
        (JSC::InferredType::Descriptor::putByIdFlags const):
        (JSC::InferredType::Descriptor::merge):
        (WTF::printInternal):
        * runtime/InferredType.h:
        * runtime/JSBigInt.h:

2018-04-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop build.

        * dfg/DFGAbstractInterpreterClobberState.cpp:

2018-04-10  Mark Lam  <mark.lam@apple.com>

        Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
        https://bugs.webkit.org/show_bug.cgi?id=184464
        <rdar://problem/39323947>

        Reviewed by Saam Barati.

        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::sizeClassToIndex):

2018-04-09  Filip Pizlo  <fpizlo@apple.com>

        DFG AI and clobberize should agree with each other
        https://bugs.webkit.org/show_bug.cgi?id=184440

        Reviewed by Saam Barati.
        
        One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
        agree with each other. That's what this patch does: it adds an assertion that AI's structure
        state tracking must be equivalent to JSCell_structureID being clobbered.
        
        One subtlety is that AI sometimes folds away structure clobbering using information that
        clobberize doesn't have. So, we track this with special kinds of AI states (FoldedClobber and
        ObservedTransitions).
        
        This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
        clobberize missing a write(Heap).
        
        This also makes some cases more precise in order to appease the assertion. Making things more
        precise might make things faster, but I didn't measure it because that wasn't the goal.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterClobberState.cpp: Added.
        (WTF::printInternal):
        * dfg/DFGAbstractInterpreterClobberState.h: Added.
        (JSC::DFG::mergeClobberStates):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
        * dfg/DFGAtTailAbstractState.h:
        (JSC::DFG::AtTailAbstractState::setClobberState):
        (JSC::DFG::AtTailAbstractState::mergeClobberState):
        (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGClobberSet.cpp:
        (JSC::DFG::writeSet):
        * dfg/DFGClobberSet.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::clobberState const):
        (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
        (JSC::DFG::InPlaceAbstractState::didClobber const):
        (JSC::DFG::InPlaceAbstractState::setClobberState):
        (JSC::DFG::InPlaceAbstractState::mergeClobberState):
        (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.

2018-04-10  Filip Pizlo  <fpizlo@apple.com>

        ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
        https://bugs.webkit.org/show_bug.cgi?id=184460
        <rdar://problem/37610966>

        Reviewed by Mark Lam.

        * bytecode/ExecutableToCodeBlockEdge.cpp:
        (JSC::ExecutableToCodeBlockEdge::visitChildren):

2018-04-10  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
        https://bugs.webkit.org/show_bug.cgi?id=184455

        Reviewed by Michael Saboff.
        
        LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
        says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
        (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
        the thing being hoisted does have effects, then we get a crash.
        
        In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
        CompareEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
        would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
        effectful.
        
        Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
        clobberize to also think that CompareEq(Untyped:, _) is effectful.
        
        This fixes the whole situation by teaching both clobberize and AI that the only effectful form
        of CompareEq is CompareEq(Untyped:, Untyped:).

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
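
        An added JavaScript illustration (not part of this ChangeLog or of WebKit's code) of why only the Untyped/Untyped form can have effects: a loose comparison between two arbitrary values may run user code through ToPrimitive, whereas comparing an object against null or undefined (an Other value) never does. The logging object is constructed for the example.

```javascript
"use strict";

// Constructed object whose ToPrimitive conversions record that they ran.
// These conversions are the "effects" a CompareEq(Untyped:, Untyped:)
// node has to account for: `==` may call them, and they can run any code.
function makeObservedObject() {
  const effects = [];
  const obj = {
    valueOf() { effects.push("valueOf"); return 42; },
    toString() { effects.push("toString"); return "42"; },
  };
  return { obj, effects };
}

// Loosely compare the observed object against `other` and report both the
// result and which user-visible conversions were triggered.
//  - other is a number or string (Untyped): abstract equality applies
//    ToPrimitive to the object, so valueOf runs.
//  - other is null or undefined (Other): the spec returns false for an
//    object without ever calling ToPrimitive, so nothing runs.
function compareLooselyAndRecordEffects(other) {
  const { obj, effects } = makeObservedObject();
  const result = obj == other; // intentionally loose equality
  return { result, effects };
}

// Stand-alone demonstration of the two shapes the DFG distinguishes.
for (const other of [42, "42", null, undefined]) {
  const { result, effects } = compareLooselyAndRecordEffects(other);
  console.log(`obj == ${String(other)} -> ${result}; effects: [${effects}]`);
}
```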

2018-04-09  Filip Pizlo  <fpizlo@apple.com>

        Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
        https://bugs.webkit.org/show_bug.cgi?id=184372

        Reviewed by Saam Barati.
        
        We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
        have already proved, using techniques that are more precise than AI, that the edge has type
        Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
        because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
        other than a check - so we think we can call those just because we should have already
        bailed. It's better to think of them as the result of folding a check. Therefore, we should
        only do it if there had been a check to begin with.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
        (JSC::FTL::DFG::LowerDFGToB3::lowCell):
        (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce @putByIdDirectPrivate
        https://bugs.webkit.org/show_bug.cgi?id=184400

        Reviewed by Saam Barati.

        This patch adds @putByIdDirectPrivate() to use it for builtin JS.
        @getByIdDirectPrivate and @putByIdDirectPrivate are a pair of intrinsics
        for accessing ECMAScript internal fields.

        This change removes an accidental [[Put]] operation to an object whose [[Prototype]]
        has internal fields (not direct properties). By using @getByIdDirectPrivate() and
        @putByIdDirectPrivate(), we strictly keep the semantics of the ECMAScript internal
        fields: accessing the internal fields does not traverse prototype chains.

        * builtins/ArrayIteratorPrototype.js:
        (globalPrivate.arrayIteratorValueNext):
        (globalPrivate.arrayIteratorKeyNext):
        (globalPrivate.arrayIteratorKeyValueNext):
        * builtins/ArrayPrototype.js:
        (globalPrivate.createArrayIterator):
        * builtins/AsyncFromSyncIteratorPrototype.js:
        (globalPrivate.AsyncFromSyncIteratorConstructor):
        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorQueueEnqueue):
        (globalPrivate.asyncGeneratorQueueDequeue):
        (asyncGeneratorYieldAwaited):
        (globalPrivate.asyncGeneratorYield):
        (globalPrivate.doAsyncGeneratorBodyCall):
        (globalPrivate.asyncGeneratorResumeNext):
        * builtins/GeneratorPrototype.js:
        (globalPrivate.generatorResume):
        * builtins/MapIteratorPrototype.js:
        (globalPrivate.mapIteratorNext):
        * builtins/MapPrototype.js:
        (globalPrivate.createMapIterator):
        * builtins/ModuleLoaderPrototype.js:
        (forceFulfillPromise):
        * builtins/PromiseOperations.js:
        (globalPrivate.newHandledRejectedPromise):
        (globalPrivate.rejectPromise):
        (globalPrivate.fulfillPromise):
        (globalPrivate.initializePromise):
        * builtins/PromisePrototype.js:
        (then):
        * builtins/SetIteratorPrototype.js:
        (globalPrivate.setIteratorNext):
        * builtins/SetPrototype.js:
        (globalPrivate.createSetIterator):
        * builtins/StringIteratorPrototype.js:
        (next):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
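
        An added JavaScript example (not part of this ChangeLog or of WebKit's code) modelling why the distinction matters: an ordinary assignment is a [[Put]] that walks the prototype chain and can reach an accessor defined there, while a direct definition creates the field on the instance without consulting the chain. The prototype accessor is a constructed stand-in for interception on the chain, not how JSC stores internal fields.

```javascript
"use strict";

// Constructed model: an instance whose [[Prototype]] carries an accessor
// named like the field we want to write. The accessor logs every write it
// intercepts so the two write strategies can be compared.
function makeInstanceWithInterceptingPrototype() {
  const interceptedWrites = [];
  const proto = {
    get slot() { return "value-from-prototype"; },
    set slot(v) { interceptedWrites.push(v); },
  };
  return { instance: Object.create(proto), interceptedWrites };
}

// Ordinary assignment is [[Put]]: the lookup walks the prototype chain,
// finds the inherited setter and calls it. No own property is created,
// and a later read still comes from the prototype's getter.
function writeViaPut(value) {
  const { instance, interceptedWrites } = makeInstanceWithInterceptingPrototype();
  instance.slot = value;
  return {
    ownProperty: Object.prototype.hasOwnProperty.call(instance, "slot"),
    observed: instance.slot,
    interceptedWrites: interceptedWrites.length,
  };
}

// Direct definition never consults the prototype chain: the field lands on
// the instance itself, which is the semantics @putByIdDirectPrivate keeps
// for internal fields (here modelled with Object.defineProperty).
function writeDirect(value) {
  const { instance, interceptedWrites } = makeInstanceWithInterceptingPrototype();
  Object.defineProperty(instance, "slot", {
    value,
    writable: true,
    configurable: true,
    enumerable: false,
  });
  return {
    ownProperty: Object.prototype.hasOwnProperty.call(instance, "slot"),
    observed: instance.slot,
    interceptedWrites: interceptedWrites.length,
  };
}

// Stand-alone demonstration.
console.log("[[Put]]:", writeViaPut("secret"));
console.log("direct: ", writeDirect("secret"));
```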

2018-04-09  Mark Lam  <mark.lam@apple.com>

        Decorate method table entries to support pointer profiling.
        https://bugs.webkit.org/show_bug.cgi?id=184430
        <rdar://problem/39296190>

        Reviewed by Saam Barati.

        * runtime/ClassInfo.h:

2018-04-09  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE] Don't install JSC C API headers
        https://bugs.webkit.org/show_bug.cgi?id=184375

        Reviewed by Žan Doberšek.

        None of the functions declared in these headers are exported in WPE. Use the new jsc API
        instead.

        * PlatformWPE.cmake:

2018-04-08  Mark Lam  <mark.lam@apple.com>

        Add pointer profiling to the FTL and supporting code.
        https://bugs.webkit.org/show_bug.cgi?id=184395
        <rdar://problem/39264019>

        Reviewed by Michael Saboff and Filip Pizlo.

        * assembler/CodeLocation.h:
        (JSC::CodeLocationLabel::retagged):
        (JSC::CodeLocationJump::retagged):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::locationOf):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLExceptionTarget.cpp:
        (JSC::FTL::ExceptionTarget::label):
        (JSC::FTL::ExceptionTarget::jumps):
        * ftl/FTLExceptionTarget.h:
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::executableAddressAtOffset):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::~LazySlowPath):
        (JSC::FTL::LazySlowPath::initialize):
        (JSC::FTL::LazySlowPath::generate):
        (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
        * ftl/FTLLazySlowPath.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOSRExitHandle.cpp:
        (JSC::FTL::OSRExitHandle::emitExitThunk):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::compileFTLLazySlowPath):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::callWithoutSideEffects):
        (JSC::FTL::Output::operation):
        * ftl/FTLPatchpointExceptionHandle.cpp:
        (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
        * ftl/FTLSlowPathCall.cpp:
        (JSC::FTL::SlowPathCallContext::makeCall):
        * ftl/FTLSlowPathCallKey.h:
        (JSC::FTL::SlowPathCallKey::withCallTarget):
        (JSC::FTL::SlowPathCallKey::callPtrTag const):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        (JSC::FTL::osrExitGenerationThunkGenerator):
        (JSC::FTL::lazySlowPathGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/Repatch.cpp:
        (JSC::readPutICCallTarget):
        (JSC::ftlThunkAwareRepatchCall):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::repatchIn):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        (JSC::readCallTarget): Deleted.
        * jit/Repatch.h:
        * runtime/PtrTag.h:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, attempt to fix Windows build
        https://bugs.webkit.org/show_bug.cgi?id=183508

        * jit/JIT.h:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for Windows by suppressing padding warning for JIT
        https://bugs.webkit.org/show_bug.cgi?id=183508

        * jit/JIT.h:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use alignas instead of compiler-specific attributes
        https://bugs.webkit.org/show_bug.cgi?id=183508

        Reviewed by Mark Lam.

        Use C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.

        * heap/RegisterState.h:
        * jit/JIT.h:
        (JSC::JIT::compile): Deleted.
        (JSC::JIT::compileGetByVal): Deleted.
        (JSC::JIT::compileGetByValWithCachedId): Deleted.
        (JSC::JIT::compilePutByVal): Deleted.
        (JSC::JIT::compileDirectPutByVal): Deleted.
        (JSC::JIT::compilePutByValWithCachedId): Deleted.
        (JSC::JIT::compileHasIndexedProperty): Deleted.
        (JSC::JIT::appendCall): Deleted.
        (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
        (JSC::JIT::exceptionCheck): Deleted.
        (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
        (JSC::JIT::emitInt32Load): Deleted.
        (JSC::JIT::emitInt32GetByVal): Deleted.
        (JSC::JIT::emitInt32PutByVal): Deleted.
        (JSC::JIT::emitDoublePutByVal): Deleted.
        (JSC::JIT::emitContiguousPutByVal): Deleted.
        (JSC::JIT::emitStoreCell): Deleted.
        (JSC::JIT::getSlowCase): Deleted.
        (JSC::JIT::linkSlowCase): Deleted.
        (JSC::JIT::linkDummySlowCase): Deleted.
        (JSC::JIT::linkAllSlowCases): Deleted.
        (JSC::JIT::callOperation): Deleted.
        (JSC::JIT::callOperationWithProfile): Deleted.
        (JSC::JIT::callOperationWithResult): Deleted.
        (JSC::JIT::callOperationNoExceptionCheck): Deleted.
        (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
        (JSC::JIT::emitEnterOptimizationCheck): Deleted.
        (JSC::JIT::sampleCodeBlock): Deleted.
        (JSC::JIT::canBeOptimized): Deleted.
        (JSC::JIT::canBeOptimizedOrInlined): Deleted.
        (JSC::JIT::shouldEmitProfiling): Deleted.
        * runtime/VM.h:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, follow-up patch for DFG 32bit
        https://bugs.webkit.org/show_bug.cgi?id=183970

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Fix incorrect assertion for VM's regexp buffer lock
        https://bugs.webkit.org/show_bug.cgi?id=184398

        Reviewed by Mark Lam.

        isLocked check before taking a lock is incorrect.

        * runtime/VM.cpp:
        (JSC::VM::acquireRegExpPatternContexBuffer):

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce op_get_by_id_direct
        https://bugs.webkit.org/show_bug.cgi?id=183970

        Reviewed by Filip Pizlo.

        This patch introduces op_get_by_id_direct bytecode. This is super similar to op_get_by_id.
        But it just performs [[GetOwnProperty]] operation instead of [[Get]]. We support this
        in all the tiers, so using this opcode does not lead to inefficiency.

        Main purpose of this op_get_by_id_direct is using it for private properties. We are using
        properties indexed with private symbols to implement ECMAScript internal fields. Before this
        patch, we just use get and put operations. However, it is not the correct semantics: accessing
        the internal fields should not traverse the prototype chain, which is specified in the spec.
        We use op_get_by_id_direct to access properties which are used as internal fields, so that
        prototype chains are not traversed.

        To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
        When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
        bytecode `op_get_by_id_direct, object, @name`.

        * builtins/ArrayIteratorPrototype.js:
        (next):
        (globalPrivate.arrayIteratorValueNext):
        (globalPrivate.arrayIteratorKeyNext):
        (globalPrivate.arrayIteratorKeyValueNext):
        * builtins/AsyncFromSyncIteratorPrototype.js:
        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorQueueIsEmpty):
        (globalPrivate.asyncGeneratorQueueEnqueue):
        (globalPrivate.asyncGeneratorQueueDequeue):
        (globalPrivate.asyncGeneratorDequeue):
        (globalPrivate.isExecutionState):
        (globalPrivate.isSuspendYieldState):
        (globalPrivate.asyncGeneratorReject):
        (globalPrivate.asyncGeneratorResolve):
        (globalPrivate.doAsyncGeneratorBodyCall):
        (globalPrivate.asyncGeneratorEnqueue):
        * builtins/GeneratorPrototype.js:
        (globalPrivate.generatorResume):
        (next):
        (return):
        (throw):
        * builtins/MapIteratorPrototype.js:
        (next):
        * builtins/PromiseOperations.js:
        (globalPrivate.isPromise):
        (globalPrivate.rejectPromise):
        (globalPrivate.fulfillPromise):
        * builtins/PromisePrototype.js:
        (then):
        * builtins/SetIteratorPrototype.js:
        (next):
        * builtins/StringIteratorPrototype.js:
        (next):
        * builtins/TypedArrayConstructor.js:
        (of):
        (from):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::reset):
        * bytecode/StructureStubInfo.h:
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGenericGetByIdFunction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectGetById):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::convertToMultiGetByOffset):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetById):
        (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
        (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id_direct):
        (JSC::JIT::emitSlow_op_get_by_id_direct):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id_direct):
        (JSC::JIT::emitSlow_op_get_by_id_direct):
        * jit/Repatch.cpp:
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGetByIdFunction):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::appropriateGenericGetByIdFunction): Deleted.
        * jit/Repatch.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::getOwnPropertySlot const):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getOwnPropertySlotInline):
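
        Added example (not part of this ChangeLog entry or the WebKit patch): the [[Get]] versus
        [[GetOwnProperty]] distinction described above, modelled in plain JavaScript with a Symbol
        standing in for a JSC private symbol. The helper names (privateSlot, getById, getByIdDirect,
        hasInternalField, demo) are hypothetical.

```javascript
// Constructed illustration: why a builtin must read internal fields with
// [[GetOwnProperty]] (op_get_by_id_direct) rather than [[Get]] (op_get_by_id).
// All names here are hypothetical stand-ins, not WebKit identifiers.

// Stand-in for a private symbol used to key an ECMAScript internal field.
const privateSlot = Symbol("iteratedObject");

// [[Get]] semantics: walks the prototype chain, like op_get_by_id.
function getById(object, key) {
  return object[key];
}

// [[GetOwnProperty]] semantics: own property only, like op_get_by_id_direct.
function getByIdDirect(object, key) {
  const desc = Object.getOwnPropertyDescriptor(object, key);
  return desc === undefined ? undefined : desc.value;
}

// A builtin brand check: "does this object carry the internal field?"
// The lookup strategy is passed in so both behaviours can be compared.
function hasInternalField(object, lookup) {
  return lookup(object, privateSlot) !== undefined;
}

// An object that genuinely owns the internal field.
const genuine = {};
Object.defineProperty(genuine, privateSlot, { value: [1, 2, 3], writable: true });

// An object that only inherits from `genuine`; per spec it has no internal
// field of its own and must fail the brand check.
const impostor = Object.create(genuine);

function demo() {
  return {
    genuineViaGet: hasInternalField(genuine, getById),            // true
    genuineViaDirect: hasInternalField(genuine, getByIdDirect),   // true
    impostorViaGet: hasInternalField(impostor, getById),          // true: the prototype leaks through
    impostorViaDirect: hasInternalField(impostor, getByIdDirect), // false: correct per spec
  };
}
```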

2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove several asXXX functions
        https://bugs.webkit.org/show_bug.cgi?id=184355

        Reviewed by JF Bastien.

        Remove asActivation, asInternalFunction, and asGetterSetter.
        Use jsCast<> / jsDynamicCast<> consistently.

        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::callAsyncFunctionConstructor):
        (JSC::constructAsyncFunctionConstructor):
        * runtime/AsyncGeneratorFunctionConstructor.cpp:
        (JSC::callAsyncGeneratorFunctionConstructor):
        (JSC::constructAsyncGeneratorFunctionConstructor):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructWithBooleanConstructor):
        * runtime/DateConstructor.cpp:
        (JSC::constructWithDateConstructor):
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::Interpreter::callErrorConstructor):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructWithFunctionConstructor):
        (JSC::callFunctionConstructor):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::callGeneratorFunctionConstructor):
        (JSC::constructGeneratorFunctionConstructor):
        * runtime/GetterSetter.h:
        (JSC::asGetterSetter): Deleted.
        * runtime/InternalFunction.h:
        (JSC::asInternalFunction): Deleted.
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSLexicalEnvironment.h:
        (JSC::asActivation): Deleted.
        * runtime/JSObject.cpp:
        (JSC::validateAndApplyPropertyDescriptor):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        * runtime/RegExpConstructor.cpp:
        (JSC::constructWithRegExpConstructor):
        (JSC::callRegExpConstructor):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):
        (JSC::callJSWebAssemblyCompileError):
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyLinkError):
        (JSC::callJSWebAssemblyLinkError):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyRuntimeError):
        (JSC::callJSWebAssemblyRuntimeError):

2018-04-05  Mark Lam  <mark.lam@apple.com>

        MacroAssemblerCodePtr::retagged() should not re-decorate the pointer on ARMv7.
        https://bugs.webkit.org/show_bug.cgi?id=184347
        <rdar://problem/39183165>

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::retagged const):

2018-04-05  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>

        [MIPS] Optimize generated JIT code for branches
        https://bugs.webkit.org/show_bug.cgi?id=183130

        Reviewed by Yusuke Suzuki.

        The patch https://bugs.webkit.org/show_bug.cgi?id=101328 added two nop instructions to
        branchEqual() and branchNotEqual() in order to allow the code generated by branchPtrWithPatch()
        to be reverted back to branchPtrWithPatch after replacing it with a 4-instruction jump.
        However, this adds a significant overhead for all other types of branches. Since these nop's
        protect the code that is generated by branchPtrWithPatch, this function seems like a better
        place to add them.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::repatchInt32):
        (JSC::MIPSAssembler::revertJumpToMove):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchAdd32):
        (JSC::MacroAssemblerMIPS::branchMul32):
        (JSC::MacroAssemblerMIPS::branchSub32):
        (JSC::MacroAssemblerMIPS::branchNeg32):
        (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::branchEqual):
        (JSC::MacroAssemblerMIPS::branchNotEqual):

2018-04-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Remove StaticLock
        https://bugs.webkit.org/show_bug.cgi?id=184332

        Reviewed by Mark Lam.

        * API/JSValue.mm:
        (handerForStructTag):
        * API/JSVirtualMachine.mm:
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
        * API/glib/JSCVirtualMachine.cpp:
        (addWrapper):
        (removeWrapper):
        * assembler/testmasm.cpp:
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        * bytecode/SuperSampler.cpp:
        * dfg/DFGCommon.cpp:
        * dfg/DFGCommonData.cpp:
        * dynbench.cpp:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
        (Inspector::RemoteTargetHandleRunSourceGlobal):
        (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
        * interpreter/CLoopStack.cpp:
        * parser/SourceProvider.cpp:
        * profiler/ProfilerDatabase.cpp:
        * profiler/ProfilerUID.cpp:
        (JSC::Profiler::UID::create):
        * runtime/IntlObject.cpp:
        (JSC::numberingSystemsForLocale):
        * runtime/JSLock.cpp:
        * runtime/JSLock.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::registerForReportAtExit):
        * runtime/VM.cpp:
        * wasm/WasmFaultSignalHandler.cpp:

2018-04-04  Mark Lam  <mark.lam@apple.com>

        Add pointer profiling support to the DFG and supporting files.
        https://bugs.webkit.org/show_bug.cgi?id=184316
        <rdar://problem/39188524>

        Reviewed by Filip Pizlo.

        1. Profile lots of pointers with PtrTags.

        2. Remove PtrTag.cpp and make ptrTagName() into an inline function.  It's only
           used for debugging anyway, and not normally called in the code.  Making it
           an inline function prevents it from taking up code space in builds when not in
           use.

        3. Change the call to the arityFixupThunk in DFG code to be a near call.
           It doesn't need to be a far call.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * assembler/testmasm.cpp:
        (JSC::testProbeModifiesProgramCounter):
        * b3/B3LowerMacros.cpp:
        * b3/air/AirCCallSpecial.cpp:
        (JSC::B3::Air::CCallSpecial::generate):
        * b3/air/AirCCallSpecial.h:
        * b3/testb3.cpp:
        (JSC::B3::testInterpreter):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/HandlerInfo.h:
        (JSC::HandlerInfo::initialize):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::appendCall):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::osrWriteBarrier):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
        (JSC::DFG::slowPathCall):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMathIC):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::appendCall):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitThunkGenerator):
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitDumbVirtualCall):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::compileWithoutLinking):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::linkCallThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::arityFixupGenerator):
        (JSC::unreachableGenerator):
        * runtime/PtrTag.cpp: Removed.
        * runtime/PtrTag.h:
        (JSC::ptrTagName):
        * runtime/VMEntryScope.cpp:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):

2018-04-04  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
        https://bugs.webkit.org/show_bug.cgi?id=184319

        Reviewed by Saam Barati.

        In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with
        assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before
        the ArrayPush.

        But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with an InBounds
        GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to
        eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that
        with a GetByVal(SaneChain), then we will hit the assertion.

        This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets
        tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more
        than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain.

        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayPush):

2018-04-04  Filip Pizlo  <fpizlo@apple.com>

        Remove poisoning of typed array vector
        https://bugs.webkit.org/show_bug.cgi?id=184313

        Reviewed by Saam Barati.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
        * jit/IntrinsicEmitter.cpp:
        (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/x86.rb:
        * runtime/CagedBarrierPtr.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        (JSC::JSArrayBufferView::finalize):
        (JSC::JSArrayBufferView::neuter):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::vector const):
        (JSC::JSArrayBufferView::offsetOfVector):
        (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
        (JSC::JSArrayBufferView::poisonFor): Deleted.
        (JSC::JSArrayBufferView::Poison::key): Deleted.
        * runtime/JSCPoison.cpp:
        (JSC::initializePoison):
        * runtime/JSCPoison.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.h:

2018-04-03  Filip Pizlo  <fpizlo@apple.com>

        Don't do index masking or poisoning for DirectArguments
        https://bugs.webkit.org/show_bug.cgi?id=184280

        Reviewed by Saam Barati.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
        (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
        * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
        (JSC::DFG::SpeculativeJIT::compilePutToArguments):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
        * heap/SecurityKind.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emitDirectArgumentsGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::DirectArguments):
        (JSC::DirectArguments::createUninitialized):
        (JSC::DirectArguments::create):
        (JSC::DirectArguments::createByCopying):
        (JSC::DirectArguments::estimatedSize):
        (JSC::DirectArguments::visitChildren):
        (JSC::DirectArguments::overrideThings):
        (JSC::DirectArguments::copyToArguments):
        (JSC::DirectArguments::mappedArgumentsSize):
        * runtime/DirectArguments.h:
        * runtime/JSCPoison.h:
        * runtime/JSLexicalEnvironment.h:
        * runtime/JSSymbolTableObject.h:

2018-04-03  Filip Pizlo  <fpizlo@apple.com>

        JSArray::appendMemcpy seems to be missing a barrier
        https://bugs.webkit.org/show_bug.cgi?id=184290

        Reviewed by Mark Lam.
        
        If you write to an array that may contain pointers and you didn't just allocate it, then you need to
        barrier right after.
        
        I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
        obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.

        * runtime/JSArray.cpp:
        (JSC::JSArray::appendMemcpy):

2018-04-03  Filip Pizlo  <fpizlo@apple.com>

        GC shouldn't do object distancing
        https://bugs.webkit.org/show_bug.cgi?id=184195

        Reviewed by Saam Barati.
        
        This rolls out SecurityKind/SecurityOriginToken, but keeps the TLC infrastructure. It seems
        to be a small speed-up.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/BlockDirectory.cpp:
        (JSC::BlockDirectory::findBlockForAllocation):
        (JSC::BlockDirectory::addBlock):
        * heap/BlockDirectory.h:
        * heap/CellAttributes.cpp:
        (JSC::CellAttributes::dump const):
        * heap/CellAttributes.h:
        (JSC::CellAttributes::CellAttributes):
        * heap/LocalAllocator.cpp:
        (JSC::LocalAllocator::allocateSlowCase):
        (JSC::LocalAllocator::tryAllocateWithoutCollecting):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::didAddToDirectory):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::securityOriginToken const): Deleted.
        * heap/SecurityKind.cpp: Removed.
        * heap/SecurityKind.h: Removed.
        * heap/SecurityOriginToken.cpp: Removed.
        * heap/SecurityOriginToken.h: Removed.
        * heap/ThreadLocalCache.cpp:
        (JSC::ThreadLocalCache::create):
        (JSC::ThreadLocalCache::ThreadLocalCache):
        * heap/ThreadLocalCache.h:
        (JSC::ThreadLocalCache::securityOriginToken const): Deleted.
        * runtime/JSDestructibleObjectHeapCellType.cpp:
        (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::threadLocalCache const): Deleted.
        * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
        (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
        * runtime/JSStringHeapCellType.cpp:
        (JSC::JSStringHeapCellType::JSStringHeapCellType):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
        (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):

2018-04-02  Saam Barati  <sbarati@apple.com>

        bmalloc should compute its own estimate of its footprint
        https://bugs.webkit.org/show_bug.cgi?id=184121

        Reviewed by Filip Pizlo.

        * heap/IsoAlignedMemoryAllocator.cpp:
        (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):

2018-04-02  Mark Lam  <mark.lam@apple.com>

        We should not trash the stack pointer on OSR entry.
        https://bugs.webkit.org/show_bug.cgi?id=184243
        <rdar://problem/39114319>

        Reviewed by Filip Pizlo.

        In the DFG OSR entry path, we momentarily overwrite the stack pointer with
        returnValueGPR2.  returnValueGPR2 contains a pointer to a side buffer we malloc'ed.
        Hence, this assignment is wrong, and it turns out to be unnecessary as well.
        The stack pointer does get corrected later in the thunk (generated by
        osrEntryThunkGenerator()) that we jump to.  This is why we haven't seen ill effects
        so far.

        This bug only poses an issue if interrupts use the user stack for their stack
        frame (e.g. Linux), and when we do stack alignment tests during debugging.

        The fix is simply to remove the assignment.

        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):

2018-04-02  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>

        [MIPS] Optimize JIT code generated by methods with TrustedImm32 operand
        https://bugs.webkit.org/show_bug.cgi?id=183740

        Reviewed by Yusuke Suzuki.

        In many macro assembler methods with a TrustedImm32 operand, a move imm, immTemp (pseudo)instruction is
        first generated, and the register-operand variant of the same method is then called to generate the rest
        of the code. If the immediate value fits in 16 bits, we can skip the move instruction and
        generate more efficient code using MIPS instructions with an immediate operand.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::slti):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::lshift32):
        (JSC::MacroAssemblerMIPS::xor32):
        (JSC::MacroAssemblerMIPS::branch8):
        (JSC::MacroAssemblerMIPS::compare8):
        (JSC::MacroAssemblerMIPS::branch32):
        (JSC::MacroAssemblerMIPS::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerMIPS::branchTest32):
        (JSC::MacroAssemblerMIPS::mask8OnTest):
        (JSC::MacroAssemblerMIPS::branchTest8):
        (JSC::MacroAssemblerMIPS::branchAdd32):
        (JSC::MacroAssemblerMIPS::branchNeg32):
        (JSC::MacroAssemblerMIPS::compare32):
        (JSC::MacroAssemblerMIPS::test8):
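
        The selection rule described above, as an added example that is not WebKit's MacroAssemblerMIPS code: a small model that emits either the 16-bit-immediate form or the move-then-register form, taking into account that MIPS sign-extends arithmetic/compare immediates (addiu, slti) but zero-extends logical ones (andi, ori, xori). The $t9 temp register and the textual instruction strings are assumptions for illustration.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// MIPS I-type instructions carry a 16-bit immediate. Arithmetic and compare
// forms (addiu, slti) sign-extend it; logical forms (andi, ori, xori)
// zero-extend it, so the "fits in 16 bits" test differs per instruction.
static bool fitsSignedImm16(int32_t imm) { return imm >= -32768 && imm <= 32767; }
static bool fitsUnsignedImm16(int32_t imm) { return imm >= 0 && imm <= 0xFFFF; }

typedef std::vector<std::string> Insns;

// Generic materialization of a 32-bit immediate into a temp register (the
// "move imm, immTemp" the optimized paths skip). Assumption: $t9 stands in
// for the macro assembler's immediate temp register.
static void moveImm32(Insns& out, int32_t imm, const std::string& tmp) {
    if (fitsSignedImm16(imm)) {
        out.push_back("addiu " + tmp + ", $zero, " + std::to_string(imm));
    } else if (fitsUnsignedImm16(imm)) {
        out.push_back("ori " + tmp + ", $zero, " + std::to_string(imm));
    } else {
        uint32_t u = static_cast<uint32_t>(imm);
        out.push_back("lui " + tmp + ", " + std::to_string(u >> 16));
        if (u & 0xFFFF)
            out.push_back("ori " + tmp + ", " + tmp + ", " + std::to_string(u & 0xFFFF));
    }
}

// xor32(imm, dest): xori zero-extends, so only a non-negative immediate that
// fits in 16 bits may use the short form; -1, for example, needs the temp.
static Insns xor32(int32_t imm, const std::string& dest) {
    Insns out;
    if (fitsUnsignedImm16(imm)) {
        out.push_back("xori " + dest + ", " + dest + ", " + std::to_string(imm));
    } else {
        moveImm32(out, imm, "$t9");
        out.push_back("xor " + dest + ", " + dest + ", $t9");
    }
    return out;
}

// compare32(LessThan, src, imm, dest): slti sign-extends, so a negative
// immediate is fine as long as it is within 16 signed bits, while 0x8000
// (which fits 16 unsigned bits) is not.
static Insns compare32LessThan(const std::string& src, int32_t imm, const std::string& dest) {
    Insns out;
    if (fitsSignedImm16(imm)) {
        out.push_back("slti " + dest + ", " + src + ", " + std::to_string(imm));
    } else {
        moveImm32(out, imm, "$t9");
        out.push_back("slt " + dest + ", " + src + ", $t9");
    }
    return out;
}
```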

2018-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] More aggressive removal of duplicate 32bit DFG code
        https://bugs.webkit.org/show_bug.cgi?id=184089

        Reviewed by Saam Barati.

        This patch more aggressively removes duplicate 32bit DFG code
        by leveraging JSValueRegs and meta-programmed callOperation.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValWithThis):
        (JSC::DFG::SpeculativeJIT::compileArithMinMax):
        (JSC::DFG::SpeculativeJIT::compileNewArray):
        (JSC::DFG::SpeculativeJIT::compileCheckCell):
        (JSC::DFG::SpeculativeJIT::compileGetGlobalVariable):
        (JSC::DFG::SpeculativeJIT::compilePutGlobalVariable):
        (JSC::DFG::SpeculativeJIT::compileGetClosureVar):
        (JSC::DFG::SpeculativeJIT::compilePutClosureVar):
        (JSC::DFG::SpeculativeJIT::compileGetByOffset):
        (JSC::DFG::SpeculativeJIT::compilePutByOffset):
        (JSC::DFG::SpeculativeJIT::compileGetExecutable):
        (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
        (JSC::DFG::SpeculativeJIT::compileToThis):
        (JSC::DFG::SpeculativeJIT::compileIdentity):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2018-04-01  Filip Pizlo  <fpizlo@apple.com>

        Raise the for-call inlining threshold to 190 to fix JetStream/richards regression
        https://bugs.webkit.org/show_bug.cgi?id=184228

        Reviewed by Yusuke Suzuki.

        * runtime/Options.h:

2018-03-31  Filip Pizlo  <fpizlo@apple.com>

        JSObject shouldn't do index masking
        https://bugs.webkit.org/show_bug.cgi?id=184194

        Reviewed by Yusuke Suzuki.
        
        Remove index masking, because it's not the way we'll mitigate Spectre.

        * API/tests/JSObjectGetProxyTargetTest.cpp:
        (testJSObjectGetProxyTarget):
        * b3/B3LowerToAir.cpp:
        * b3/B3Validate.cpp:
        * b3/B3WasmBoundsCheckValue.cpp:
        (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
        (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
        * b3/B3WasmBoundsCheckValue.h:
        (JSC::B3::WasmBoundsCheckValue::bounds const):
        (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const): Deleted.
        * b3/testb3.cpp:
        (JSC::B3::testWasmBoundsCheck):
        (JSC::B3::run):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        (JSC::DFG::SSALoweringPhase::handleNode):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        (JSC::DFG::SpeculativeJIT::compileNewRegexp):
        (JSC::DFG::SpeculativeJIT::compileCreateThis):
        (JSC::DFG::SpeculativeJIT::compileNewObject):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask): Deleted.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateJSObject):
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
        (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Butterfly.h:
        (JSC::ContiguousData::at const):
        (JSC::ContiguousData::at):
        (JSC::Butterfly::computeIndexingMask const): Deleted.
        * runtime/ButterflyInlines.h:
        (JSC::ContiguousData<T>::at const): Deleted.
        (JSC::ContiguousData<T>::at): Deleted.
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
        * runtime/JSFixedArray.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::createInitialForValueAndSet):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::countElements):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::getEnumerableLength):
        * runtime/JSObject.h:
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::initializeIndexWithoutBarrier):
        (JSC::JSObject::butterflyOffset):
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):
        (JSC::JSObject::JSObject):
        (JSC::JSObject::butterflyIndexingMaskOffset): Deleted.
        (JSC::JSObject::butterflyIndexingMask const): Deleted.
        (JSC::JSObject::setButterflyWithIndexingMask): Deleted.
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::prepareToPutDirectWithoutTransition):
        (JSC::JSObject::putDirectInternal):
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        (JSC::Wasm::B3IRGenerator::load):
        (JSC::Wasm::B3IRGenerator::store):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::updateCachedMemory):
        (JSC::Wasm::Instance::offsetOfCachedMemorySize):
        (JSC::Wasm::Instance::offsetOfCachedIndexingMask): Deleted.
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::Memory):
        (JSC::Wasm::Memory::grow):
        * wasm/WasmMemory.h:
        (JSC::Wasm::Memory::size const):
        (JSC::Wasm::Memory::offsetOfSize):
        (JSC::Wasm::Memory::indexingMask): Deleted.
        (JSC::Wasm::Memory::offsetOfIndexingMask): Deleted.
        * wasm/WasmMemoryInformation.cpp:
        (JSC::Wasm::PinnedRegisterInfo::get):
        (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
        * wasm/WasmMemoryInformation.h:
        (JSC::Wasm::PinnedRegisterInfo::toSave const):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):

2018-03-31  Filip Pizlo  <fpizlo@apple.com>

        JSC crash in JIT code with for-of loop and Array/Set iterators
        https://bugs.webkit.org/show_bug.cgi?id=183174

        Reviewed by Saam Barati.

        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site.

2018-03-30  Filip Pizlo  <fpizlo@apple.com>

        Strings and Vectors shouldn't do index masking
        https://bugs.webkit.org/show_bug.cgi?id=184193

        Reviewed by Mark Lam.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
        * jit/ThunkGenerators.cpp:
        (JSC::stringCharLoad):

2018-03-30  Mark Lam  <mark.lam@apple.com>

        Add pointer profiling support in baseline JIT and supporting files.
        https://bugs.webkit.org/show_bug.cgi?id=184200
        <rdar://problem/39057300>

        Reviewed by Filip Pizlo.

        1. To simplify pointer profiling support, vmEntryToJavaScript() now always enters
           the code via the arity check entry.
        2. To accommodate (1), all JITCode must now populate their arity check entry code
           pointers as well.  For native code, programs, evals, and modules that don't
           do arity check, we set the normal entry as the arity check entry (though with
           the CodeEntryWithArityCheckPtrTag profile instead).

        * assembler/AbstractMacroAssembler.h:
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::locationOfNearCall):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::readCallTarget):
        (JSC::MacroAssemblerARM64::linkCall):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCaseSnippetParams.cpp:
        (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::addJITAddIC):
        (JSC::CodeBlock::addJITMulIC):
        (JSC::CodeBlock::addJITSubIC):
        (JSC::CodeBlock::addJITNegIC):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addMathIC):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::rewireStubAsJump):
        * bytecode/LLIntCallLinkInfo.h:
        (JSC::LLIntCallLinkInfo::unlink):
        (): Deleted.
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        (JSC::PolymorphicAccess::regenerate):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
        * disassembler/ARM64Disassembler.cpp:
        (JSC::tryToDisassemble):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
        * heap/JITStubRoutineSet.h:
        (JSC::JITStubRoutineSet::mark):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::callExceptionFuzz):
        (JSC::AssemblyHelpers::debugCall):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitFunctionPrologue):
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::ensureShadowChickenPacket):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::prepareForTailCallSlow):
        * jit/CallFrameShuffler.cpp:
        (JSC::CallFrameShuffler::prepareForTailCall):
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        (JSC::JIT::link):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_negate):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitMathICFast):
        (JSC::JIT::emitMathICSlow):
        (JSC::JIT::emit_op_mul):
        (JSC::JIT::emit_op_sub):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
        (JSC::DirectJITCode::DirectJITCode):
        (JSC::DirectJITCode::initializeCodeRef):
        (JSC::NativeJITCode::addressForCall):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        (JSC::JITBinaryMathIC::JITBinaryMathIC):
        (JSC::JITUnaryMathIC::JITUnaryMathIC):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::privateCompileHasIndexedProperty):
        (JSC::JIT::emitSlow_op_has_indexed_property):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        (JSC::tryGetByValOptimize):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id_with_this):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::appropriateOptimizingPutByIdFunction):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::linkFor):
        (JSC::revertCall):
        (JSC::linkPolymorphicCall):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        * jit/Repatch.h:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        (JSC::SpecializedThunkJIT::callDoubleToDouble):
        * jit/ThunkGenerators.cpp:
        (JSC::emitPointerValidation):
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::linkCallThunkGenerator): Deleted.
        (JSC::linkPolymorphicCallThunkGenerator): Deleted.
        (JSC::virtualThunkFor): Deleted.
        (JSC::nativeForGenerator): Deleted.
        (JSC::nativeCallGenerator): Deleted.
        (JSC::nativeTailCallGenerator): Deleted.
        (JSC::nativeTailCallWithoutSavedTagsGenerator): Deleted.
        (JSC::nativeConstructGenerator): Deleted.
        (JSC::internalFunctionCallGenerator): Deleted.
        (JSC::internalFunctionConstructGenerator): Deleted.
        (JSC::arityFixupGenerator): Deleted.
        (JSC::unreachableGenerator): Deleted.
        (JSC::stringCharLoad): Deleted.
        (JSC::charToString): Deleted.
        (JSC::charCodeAtThunkGenerator): Deleted.
        (JSC::charAtThunkGenerator): Deleted.
        (JSC::fromCharCodeThunkGenerator): Deleted.
        (JSC::clz32ThunkGenerator): Deleted.
        (JSC::sqrtThunkGenerator): Deleted.
        (JSC::floorThunkGenerator): Deleted.
        (JSC::ceilThunkGenerator): Deleted.
        (JSC::truncThunkGenerator): Deleted.
        (JSC::roundThunkGenerator): Deleted.
        (JSC::expThunkGenerator): Deleted.
        (JSC::logThunkGenerator): Deleted.
        (JSC::absThunkGenerator): Deleted.
        (JSC::imulThunkGenerator): Deleted.
        (JSC::randomThunkGenerator): Deleted.
        (JSC::boundThisNoArgsFunctionCallGenerator): Deleted.
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::getCodePtr):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ExecutableBase.h:
        * runtime/NativeExecutable.cpp:
        (JSC::NativeExecutable::finishCreation):
        * runtime/NativeFunction.h:
        (JSC::TaggedNativeFunction::TaggedNativeFunction):
        (JSC::TaggedNativeFunction::operator NativeFunction):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setCustom):
        (JSC::PropertySlot::setCacheableCustom):
        * runtime/PtrTag.h:
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setCustomValue):
        (JSC::PutPropertySlot::setCustomAccessor):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::takeSample):
        * runtime/VMTraps.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::VMTraps::tryInstallTrapBreakpoints):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::installCrashHandler):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
        (JSC::Yarr::YarrGenerator::generateEnter):

2018-03-30  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: tint all pixels drawn by shader program when hovering ShaderProgramTreeElement
        https://bugs.webkit.org/show_bug.cgi?id=175223

        Reviewed by Matt Baker.

        * inspector/protocol/Canvas.json:
        Add `setShaderProgramHighlighted` command that will cause a blend to be applied to the
        canvas if the given shader program is active immediately before `drawArrays` or `drawElements`
        is called. The blend is removed and the previous value is applied once the draw is complete.

2018-03-30  JF Bastien  <jfbastien@apple.com>

        WebAssembly: support DataView compilation
        https://bugs.webkit.org/show_bug.cgi?id=183342

        Reviewed by Mark Lam.

        Compiling a module from a DataView was incorrectly dealing with
        DataView's offset.

        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parse):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        (JSC::createSourceBufferFromValue):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyValidateFunc):

2018-03-30  Filip Pizlo  <fpizlo@apple.com>

        Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
        https://bugs.webkit.org/show_bug.cgi?id=184189

        Reviewed by JF Bastien.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::emitBytecode):

2018-03-30  Mark Lam  <mark.lam@apple.com>

        Add pointer profiling support to Wasm.
        https://bugs.webkit.org/show_bug.cgi?id=184175
        <rdar://problem/39027923>

        Reviewed by JF Bastien.

        * runtime/PtrTag.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addGrowMemory):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmBinding.h:
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
        (JSC::Wasm::triggerOMGTierUpThunkGenerator):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJS):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/js/WebAssemblyFunction.h:

2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r230102.

        Caused assertion failures on JSC bots.

        Reverted changeset:

        "A stack overflow in the parsing of a builtin (called by
        createExecutable) causes a crash instead of a catchable js
        exception"
        https://bugs.webkit.org/show_bug.cgi?id=184074
        https://trac.webkit.org/changeset/230102

2018-03-30  Robin Morisset  <rmorisset@apple.com>

        Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
        https://bugs.webkit.org/show_bug.cgi?id=183812

        Reviewed by Keith Miller.

        The fix I landed for https://bugs.webkit.org/show_bug.cgi?id=181027 was flawed: I tried setting the bytecodeIndex for the new block on line 1679 (at the end of inlineCall), but it is going to be reset on line 6612 (in parseCodeBlock).
        The fix is simply to make the block untargetable by default, and let parseCodeBlock make it targetable afterwards if it is a jump target.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
        (JSC::DFG::ByteCodeParser::inlineCall):

2018-03-30  Robin Morisset  <rmorisset@apple.com>

        A stack overflow in the parsing of a builtin (called by createExecutable) causes a crash instead of a catchable js exception
        https://bugs.webkit.org/show_bug.cgi?id=184074
        <rdar://problem/37165897>

        Reviewed by Keith Miller.

        Fixing this requires getting the ParserError (with information about the failure) and an ExecState* (to throw an exception) in the same place.
        It is surprisingly painful, with quite a long call stack between the last function with an access to an ExecState* and the first function with the ParserError.
        Even worse, many of these functions are generated by macros, themselves generated by a maze of python scripts.
        As a result, this patch is grotesquely large, while all it does is adding enough plumbing to throw a proper exception in this specific case.

        There are now bare calls to '.value()' on several paths that may crash. It is not a problem in my opinion, since we previously crashed in every case regardless of the path that took us to createExecutable when encountering a stack overflow.
        If we ever find an example that can cause these calls to fail, it should be doable to throw a proper exception there too.

        Two other minor changes:
        - I removed BuiltinExecutableCreator.{cpp, h} as it was nearly empty, and only used in one place. That place now includes BuiltinExecutables.h directly instead.
        - I moved code from ParserError.h into a newly created ParserError.cpp, as I see no need to inline functions that are only used when encountering a parser error, and ParserError.h is now included in quite a few places.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/builtins/builtins_generate_combined_header.py:
        (BuiltinsCombinedHeaderGenerator.generate_forward_declarations):
        (ParserError):
        (generate_section_for_object): Deleted.
        (generate_externs_for_object): Deleted.
        (generate_macros_for_object): Deleted.
        (generate_section_for_code_table_macro): Deleted.
        (generate_section_for_code_name_macro): Deleted.
        (generate_section_for_global_private_code_name_macro): Deleted.
        * Scripts/builtins/builtins_generate_separate_header.py:
        (generate_secondary_header_includes):
        * Scripts/builtins/builtins_templates.py:
        * Sources.txt:
        * builtins/BuiltinExecutableCreator.cpp: Removed.
        * builtins/BuiltinExecutableCreator.h: Removed.
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createDefaultConstructor):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        (JSC::createBuiltinExecutable):
        (JSC::BuiltinExecutables::createExecutableOrCrash):
        (JSC::BuiltinExecutables::createExecutable):
        * builtins/BuiltinExecutables.h:
        * bytecompiler/BytecodeGenerator.h:
        * parser/ParserError.cpp: Added.
        (JSC::ParserError::toErrorObject):
        (JSC::ParserError::throwStackOverflowOrOutOfMemory):
        (WTF::printInternal):
        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject): Deleted.
        (WTF::printInternal): Deleted.
        * runtime/AsyncIteratorPrototype.cpp:
        (JSC::AsyncIteratorPrototype::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnStaticPropertySlot):
        (JSC::JSObject::reifyAllStaticProperties):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnNonIndexPropertySlot):
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getNonIndexPropertySlot):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlotFromTable):
        (JSC::reifyStaticProperty):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * tools/JSDollarVM.cpp:
        (JSC::functionCreateBuiltin):

2018-03-30  Robin Morisset  <rmorisset@apple.com>

        Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
        https://bugs.webkit.org/show_bug.cgi?id=183657
        <rdar://problem/38464399>

        Reviewed by Keith Miller.

        There was just a missing check in unshiftCountForIndexingType.
        I've also replaced 'return false' by 'return true' in the case of an 'out-of-memory' exception, because 'return false' means 'please continue to the slow path',
        and the slow path has an assert that there is no unhandled exception (line 360 of ArrayPrototype.cpp).
        Finally, I made the assert in ensureLength a release assert as it would have caught this bug and prevented it from being a security risk.

        * runtime/ArrayPrototype.cpp:
        (JSC::unshift):
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        * runtime/JSObject.h:
        (JSC::JSObject::ensureLength):
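
The entry above describes two things a practitioner should take away: a length cap has to be enforced before contiguous storage is grown, and the fast path must distinguish "please fall back to the slow path" from "an out-of-memory exception is already pending". The following toy is an added illustration written for this page; it is not JSC code. `kMaxStorageVectorLength`, `ToyArray`, `UnshiftOutcome` and `unshiftCountChecked` are hypothetical names, and the cap value is an assumption chosen for the example.

```cpp
#include <cstdint>
#include <cstddef>
#include <new>
#include <vector>

// Hypothetical cap on how many elements a contiguous storage vector may hold.
// It stands in for the role MAX_STORAGE_VECTOR_LENGTH plays in the entry above;
// the value is an assumption for this example, not JSC's constant.
constexpr uint32_t kMaxStorageVectorLength = 0x10000000;

// Three-way result the entry describes for the fast path: it finished, it asks
// the caller to continue into the generic slow path, or it already raised an
// out-of-memory condition that the caller must treat as handled.
enum class UnshiftOutcome { Done, FallBackToSlowPath, OutOfMemoryRaised };

struct ToyArray {
    std::vector<int> storage;       // stand-in for the array's contiguous vector
    bool exceptionPending = false;  // stand-in for a pending VM exception
};

// Makes room for `count` elements at the front of `array`, filled with `fill`.
UnshiftOutcome unshiftCountChecked(ToyArray& array, uint32_t count, int fill)
{
    const uint32_t oldLength = static_cast<uint32_t>(array.storage.size());

    // The check the entry says was missing: refuse to grow contiguous storage
    // past the cap. Written as a subtraction so that `oldLength + count` is never
    // computed in 32 bits, where it could wrap around before the comparison.
    if (oldLength > kMaxStorageVectorLength || count > kMaxStorageVectorLength - oldLength)
        return UnshiftOutcome::FallBackToSlowPath;   // "return false" in the entry's terms

    try {
        array.storage.insert(array.storage.begin(),
            static_cast<std::vector<int>::size_type>(count), fill);
    } catch (const std::bad_alloc&) {
        // Allocation failed: record the pending exception and report the
        // operation as finished, so the caller does not continue into a slow
        // path that asserts no exception is pending.
        array.exceptionPending = true;
        return UnshiftOutcome::OutOfMemoryRaised;    // "return true" in the entry's terms
    }
    return UnshiftOutcome::Done;
}

// Caller-side rule: the slow path may only be entered when the fast path asked
// for it and no exception is pending, which is exactly the assertion the entry
// says the slow path makes.
bool mayEnterSlowPath(const ToyArray& array, UnshiftOutcome outcome)
{
    return outcome == UnshiftOutcome::FallBackToSlowPath && !array.exceptionPending;
}
```

The subtraction form of the cap check is the part worth copying: a check spelled `oldLength + count > cap` on 32-bit lengths can be bypassed by a `count` large enough to wrap the sum, so the comparison has to be arranged so that no intermediate value can overflow.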

2018-03-29  Mark Lam  <mark.lam@apple.com>

        Add some pointer profiling support to B3 and Air.
        https://bugs.webkit.org/show_bug.cgi?id=184165
        <rdar://problem/39022125>

        Reviewed by JF Bastien.

        * b3/B3LowerMacros.cpp:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3MathExtras.cpp:
        * b3/B3ReduceStrength.cpp:
        * b3/air/AirCCallSpecial.cpp:
        (JSC::B3::Air::CCallSpecial::generate):
        * b3/air/AirCCallSpecial.h:
        * b3/testb3.cpp:
        (JSC::B3::testCallSimple):
        (JSC::B3::testCallRare):
        (JSC::B3::testCallRareLive):
        (JSC::B3::testCallSimplePure):
        (JSC::B3::testCallFunctionWithHellaArguments):
        (JSC::B3::testCallFunctionWithHellaArguments2):
        (JSC::B3::testCallFunctionWithHellaArguments3):
        (JSC::B3::testCallSimpleDouble):
        (JSC::B3::testCallSimpleFloat):
        (JSC::B3::testCallFunctionWithHellaDoubleArguments):
        (JSC::B3::testCallFunctionWithHellaFloatArguments):
        (JSC::B3::testLinearScanWithCalleeOnStack):
        (JSC::B3::testInterpreter):
        (JSC::B3::testLICMPure):
        (JSC::B3::testLICMPureSideExits):
        (JSC::B3::testLICMPureWritesPinned):
        (JSC::B3::testLICMPureWrites):
        (JSC::B3::testLICMReadsLocalState):
        (JSC::B3::testLICMReadsPinned):
        (JSC::B3::testLICMReads):
        (JSC::B3::testLICMPureNotBackwardsDominant):
        (JSC::B3::testLICMPureFoiledByChild):
        (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
        (JSC::B3::testLICMExitsSideways):
        (JSC::B3::testLICMWritesLocalState):
        (JSC::B3::testLICMWrites):
        (JSC::B3::testLICMFence):
        (JSC::B3::testLICMWritesPinned):
        (JSC::B3::testLICMControlDependent):
        (JSC::B3::testLICMControlDependentNotBackwardsDominant):
        (JSC::B3::testLICMControlDependentSideExits):
        (JSC::B3::testLICMReadsPinnedWritesPinned):
        (JSC::B3::testLICMReadsWritesDifferentHeaps):
        (JSC::B3::testLICMReadsWritesOverlappingHeaps):
        (JSC::B3::testLICMDefaultCall):
        (JSC::B3::testShuffleDoesntTrashCalleeSaves):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        * jit/GPRInfo.h:
        * runtime/PtrTag.h:
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):

2018-03-29  JF Bastien  <jfbastien@apple.com>

        Use Forward.h instead of forward-declaring WTF::String
        https://bugs.webkit.org/show_bug.cgi?id=184172
        <rdar://problem/39026146>

        Reviewed by Yusuke Suzuki.

        As part of #184164 I'm changing WTF::String, and the forward
        declarations are just wrong because I'm making it templated. We
        should use Forward.h anyways, so do that instead.

        * runtime/DateConversion.h:

2018-03-29  Mark Lam  <mark.lam@apple.com>

        Use MacroAssemblerCodePtr in Wasm code for code pointers instead of void*.
        https://bugs.webkit.org/show_bug.cgi?id=184163
        <rdar://problem/39020397>

        Reviewed by JF Bastien.

        With the use of MacroAssemblerCodePtr, we now get poisoning for Wasm code pointers.

        Also renamed some structs, methods, and variable names to be more accurate.
        Previously, there was some confusion between a code pointer and the address of a
        code pointer (sometimes referred to in the code as a "LoadLocation").  We now name
        the LoadLocation variables appropriately to distinguish them from code pointers.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmCodeBlock.cpp:
        (JSC::Wasm::CodeBlock::CodeBlock):
        * wasm/WasmCodeBlock.h:
        (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
        (JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): Deleted.
        * wasm/WasmFormat.h:
        (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction):
        (JSC::Wasm::WasmToWasmImportableFunction::offsetOfEntrypointLoadLocation):
        (JSC::Wasm::CallableFunction::CallableFunction): Deleted.
        (JSC::Wasm::CallableFunction::offsetOfWasmEntrypointLoadLocation): Deleted.
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::offsetOfWasmEntrypointLoadLocation):
        (JSC::Wasm::Instance::offsetOfWasmToEmbedderStub):
        (JSC::Wasm::Instance::offsetOfWasmEntrypoint): Deleted.
        (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmTable.cpp:
        (JSC::Wasm::Table::Table):
        (JSC::Wasm::Table::grow):
        (JSC::Wasm::Table::clearFunction):
        (JSC::Wasm::Table::setFunction):
        * wasm/WasmTable.h:
        (JSC::Wasm::Table::offsetOfFunctions):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::setFunction):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::create):
        (JSC::WebAssemblyFunction::WebAssemblyFunction):
        * wasm/js/WebAssemblyFunction.h:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
        (JSC::WebAssemblyWrapperFunction::create):
        * wasm/js/WebAssemblyWrapperFunction.h:

2018-03-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        Remove WTF_EXPORTDATA and JS_EXPORTDATA
        https://bugs.webkit.org/show_bug.cgi?id=184170

        Reviewed by JF Bastien.

        Replace WTF_EXPORTDATA and JS_EXPORTDATA with
        WTF_EXPORT_PRIVATE and JS_EXPORT_PRIVATE respectively.

        * heap/WriteBarrierSupport.h:
        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocator.h:
        * runtime/JSCPoison.h:
        * runtime/JSCell.h:
        * runtime/JSExportMacros.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.h:
        * runtime/Options.h:
        * runtime/PropertyDescriptor.h:
        * runtime/PropertyMapHashTable.h:
        * runtime/SamplingCounter.h:

2018-03-29  Ross Kirsling  <ross.kirsling@sony.com>

        MSVC __forceinline slows down JSC release build fivefold after r229391
        https://bugs.webkit.org/show_bug.cgi?id=184062

        Reviewed by Alex Christensen.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::marshallArgumentRegister):
        Exempt MSVC from a single forced inline used within recursive templates.

2018-03-29  Keith Miller  <keith_miller@apple.com>

        ArrayMode should not try to get the DFG to think it can convert TypedArrays
        https://bugs.webkit.org/show_bug.cgi?id=184137

        Reviewed by Saam Barati.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):

2018-03-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r230062.
        https://bugs.webkit.org/show_bug.cgi?id=184128

        Broke mac port. web content process crashes while loading any
        web page (Requested by rniwa on #webkit).

        Reverted changeset:

        "MSVC __forceinline slows down JSC release build fivefold
        after r229391"
        https://bugs.webkit.org/show_bug.cgi?id=184062
        https://trac.webkit.org/changeset/230062

2018-03-28  Ross Kirsling  <ross.kirsling@sony.com>

        MSVC __forceinline slows down JSC release build fivefold after r229391
        https://bugs.webkit.org/show_bug.cgi?id=184062

        Reviewed by Alex Christensen.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::marshallArgumentRegister):
        Exempt MSVC from a single forced inline used within recursive templates.

2018-03-28  Mark Lam  <mark.lam@apple.com>

        Enhance ARM64 probe to support pointer profiling.
        https://bugs.webkit.org/show_bug.cgi?id=184069
        <rdar://problem/38939879>

        Reviewed by JF Bastien.

        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::popPair):
        (JSC::MacroAssemblerX86Common::pushPair):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        * runtime/PtrTag.h:
        (JSC::tagForPtr):

2018-03-28  Robin Morisset  <rmorisset@apple.com>

        appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
        https://bugs.webkit.org/show_bug.cgi?id=183894

        Reviewed by Saam Barati.

        Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):

2018-03-28  Carlos Garcia Campos  <cgarcia@igalia.com>

        [JSC] Move WeakValueRef class to its own file and use it from Objc and GLib
        https://bugs.webkit.org/show_bug.cgi?id=184073

        Reviewed by Yusuke Suzuki.

        We currently have duplicated code in the ObjC and GLib implementations.

        * API/JSManagedValue.mm:
        (managedValueHandleOwner):
        (-[JSManagedValue initWithValue:]):
        * API/JSWeakValue.cpp: Added.
        (JSC::JSWeakValue::~JSWeakValue):
        (JSC::JSWeakValue::clear):
        (JSC::JSWeakValue::isClear const):
        (JSC::JSWeakValue::setPrimitive):
        (JSC::JSWeakValue::setObject):
        (JSC::JSWeakValue::setString):
        * API/JSWeakValue.h: Added.
        (JSC::JSWeakValue::isSet const):
        (JSC::JSWeakValue::isPrimitive const):
        (JSC::JSWeakValue::isObject const):
        (JSC::JSWeakValue::isString const):
        (JSC::JSWeakValue::object const):
        (JSC::JSWeakValue::primitive const):
        (JSC::JSWeakValue::string const):
        * API/glib/JSCWeakValue.cpp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:

2018-03-27  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add JSCWeakValue to JavaScriptCore GLib API
        https://bugs.webkit.org/show_bug.cgi?id=184041

        Reviewed by Michael Catanzaro.

        This allows keeping a reference to a JavaScript value without protecting it, and without holding a strong
        reference to the context. When the value is cleared, the JSCWeakValue::cleared signal is emitted and
        jsc_weak_value_get_value() will always return nullptr.

        * API/glib/JSCWeakValue.cpp: Added.
        (WeakValueRef::~WeakValueRef):
        (WeakValueRef::clear):
        (WeakValueRef::isClear const):
        (WeakValueRef::isSet const):
        (WeakValueRef::isPrimitive const):
        (WeakValueRef::isObject const):
        (WeakValueRef::isString const):
        (WeakValueRef::setPrimitive):
        (WeakValueRef::setObject):
        (WeakValueRef::setString):
        (WeakValueRef::object const):
        (WeakValueRef::primitive const):
        (WeakValueRef::string const):
        (weakValueHandleOwner):
        (jscWeakValueInitialize):
        (jscWeakValueSetProperty):
        (jscWeakValueDispose):
        (jsc_weak_value_class_init):
        (jsc_weak_value_new):
        (jsc_weak_value_get_value):
        * API/glib/JSCWeakValue.h: Added.
        * API/glib/docs/jsc-glib-4.0-sections.txt:
        * API/glib/docs/jsc-glib-docs.sgml:
        * API/glib/jsc.h:
        * GLib.cmake:

2018-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove unnecessary USE(JSVALUE32_64) / USE(JSVALUE64)
        https://bugs.webkit.org/show_bug.cgi?id=181292

        Reviewed by Saam Barati.

        By using JSValueRegs abstraction, we can simplify DFGSpeculativeJIT.cpp code.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
        (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):

2018-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add Load16Z for B3 and use it in WebAssembly
        https://bugs.webkit.org/show_bug.cgi?id=165884

        Reviewed by JF Bastien.

        We already support Load16Z in B3. Use it for i32.load16_u / i64.load16_u in WebAssembly.
        spec-tests/memory.wast.js already covered this change.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emitLoadOp):

2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove repeated iteration of ElementNode
        https://bugs.webkit.org/show_bug.cgi?id=183987

        Reviewed by Keith Miller.

        BytecodeGenerator repeatedly iterates ElementNode to emit efficient code.
        While this is OK for small arrays, the repeated iteration takes a lot of time
        if the array is very large. For example, Kraken's initialization code includes a
        very large array of numeric literals. This makes bytecode compiling take very long.

        This patch carefully removes unnecessary iteration when emitting arrays.
        This reduces one of Kraken/imaging-darkroom's bytecode compiling from 13.169856 ms
        to 9.988050 ms.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArrayBuffer):
        (JSC::BytecodeGenerator::emitNewArray):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::ArrayPatternNode::bindValue const):
        (JSC::ArrayPatternNode::emitDirectBinding):

2018-03-26  Ross Kirsling  <ross.kirsling@sony.com>

        JIT callOperation() needs to support operations that return SlowPathReturnType differently on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=183655

        Reviewed by Keith Miller.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::ArgCollection::argCount):
        (JSC::CCallHelpers::marshallArgumentRegister):
        (JSC::CCallHelpers::setupArgumentsImpl):
        On Win64, ensure that argCount always includes GPRs and FPRs and that counting starts from 1 for SlowPathReturnType.

        * jit/JIT.h:
        (JSC::JIT::callOperation):
        (JSC::JIT::is64BitType):
        (JSC::JIT::is64BitType<void>):
        On Win64, ensure special call is used for SlowPathReturnType.

        * jit/JITOperations.h:
        Update changed type.

2018-03-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        We should have SSE4 detection in the X86 MacroAssembler.
        https://bugs.webkit.org/show_bug.cgi?id=165363

        Reviewed by JF Bastien.

        This patch adds popcnt support to WASM in the x86_64 environment.
        To use it, we refactor our CPUID feature detection in MacroAssemblerX86Common.
        Our spec-tests already cover popcnt.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::supportsCountPopulation):
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssemblerX86Common::getCPUID):
        (JSC::MacroAssemblerX86Common::getCPUIDEx):
        (JSC::MacroAssemblerX86Common::collectCPUFeatures):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::countPopulation32):
        (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
        (JSC::MacroAssemblerX86Common::supportsCountPopulation):
        (JSC::MacroAssemblerX86Common::supportsAVX):
        (JSC::MacroAssemblerX86Common::supportsLZCNT):
        (JSC::MacroAssemblerX86Common::supportsBMI1):
        (JSC::MacroAssemblerX86Common::isSSE2Present):
        (JSC::MacroAssemblerX86Common::updateEax1EcxFlags): Deleted.
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::countPopulation64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::popcnt_rr):
        (JSC::X86Assembler::popcnt_mr):
        (JSC::X86Assembler::popcntq_rr):
        (JSC::X86Assembler::popcntq_mr):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
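
The detection the entry refers to is the CPUID feature bit for POPCNT (leaf 1, ECX bit 23), with the instruction used only when the bit is set. The block below is an added example for this page, not JSC's MacroAssemblerX86Common code: it queries the bit with the compiler's `<cpuid.h>` helper, emits `popcnt` through inline assembly when available, and otherwise falls back to a portable bit-twiddling count. The fallback strategy is this example's own assumption about what a runtime does without POPCNT, not a statement about how JSC lowers I32Popcnt on such CPUs. Function names are hypothetical.

```cpp
#include <cstdint>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

// CPUID.(EAX=1):ECX bit 23 advertises the POPCNT instruction. On non-x86
// targets this example simply reports "unsupported".
bool cpuSupportsPopcnt()
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return false;   // leaf 1 not available (e.g. running under an odd hypervisor)
    return ((ecx >> 23) & 1u) != 0;
#else
    return false;
#endif
}

// Portable population count (SWAR), used when the hardware instruction is
// absent. Exact for all 32-bit inputs.
uint32_t popcount32Software(uint32_t v)
{
    v = v - ((v >> 1) & 0x55555555u);
    v = (v & 0x33333333u) + ((v >> 2) & 0x33333333u);
    v = (v + (v >> 4)) & 0x0F0F0F0Fu;
    return (v * 0x01010101u) >> 24;
}

// Dispatches to the hardware instruction only after the CPUID check passed;
// emitting popcnt unconditionally would raise #UD on CPUs without it.
uint32_t popcount32(uint32_t v)
{
#if defined(__x86_64__) || defined(__i386__)
    if (cpuSupportsPopcnt()) {
        uint32_t result;
        __asm__("popcntl %1, %0" : "=r"(result) : "r"(v) : "cc");
        return result;
    }
#endif
    return popcount32Software(v);
}

// Self-check: whichever path is taken must agree with the software count.
bool popcountPathsAgree(uint32_t v)
{
    return popcount32(v) == popcount32Software(v);
}
```

In a JIT the CPUID query is done once at startup and cached; the point of the example is that the instruction choice is gated on the advertised feature bit rather than on the compile-time target.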

2018-03-26  Filip Pizlo  <fpizlo@apple.com>

        DFG should know that CreateThis can be effectful
        https://bugs.webkit.org/show_bug.cgi?id=184013

        Reviewed by Saam Barati.

        As shown in the tests added in JSTests, CreateThis can be effectful if the constructor this
        is a proxy.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-03-25  Saam Barati  <sbarati@apple.com>

        Fix typo in JSC option name
        https://bugs.webkit.org/show_bug.cgi?id=184001

        Reviewed by Mark Lam.

        enableJITDebugAssetions => enableJITDebugAssertions.

        * assembler/MacroAssembler.cpp:
        (JSC::MacroAssembler::jitAssert):
        * runtime/Options.h:

2018-03-25  Saam Barati  <sbarati@apple.com>

        r228149 accidentally removed code that resets m_emptyCursor at the end of a GC
        https://bugs.webkit.org/show_bug.cgi?id=183995

        Reviewed by Filip Pizlo.

        The removal of this line of code was unintended and happened during some
        refactoring Fil was doing. The consequence of removing this line of code
        is that m_emptyCursor became a monotonically increasing integer, leading
        to the cursor usually being out of bounds of the block range (depending on
        what the program is doing). This made the functionality of finding an empty
        block to steal almost always fail.

        * heap/BlockDirectory.cpp:
        (JSC::BlockDirectory::prepareForAllocation):

2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Introduces fused compare and jump
        https://bugs.webkit.org/show_bug.cgi?id=177100

        Reviewed by Mark Lam.

        This patch introduces op_jeq, op_jneq, op_jstricteq, and op_jnstricteq.
        It offers 3 benefits.

        1. They are introduced for the same purpose as op_jless etc. It aligns the
        op_eq families with the op_jless families.

        2. It reduces the size of bytecode to represent the typical code sequence.

        3. It offers a way to fuse the check and the jump in DFG code generation. Since
        we previously had a MovHint between Branch and CompareEq/CompareStrictEq,
        we could not do this optimization. It reduces the machine code size in DFG too.

        It slightly improves Octane/boyer.

            boyer  6.18038+-0.05002    ^     6.06990+-0.04176       ^ definitely 1.0182x faster

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/Opcode.h:
        (JSC::isBranch):
        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::extractStoredJumpTargetsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_jeq):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::emit_op_jneq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_stricteq):
        (JSC::JIT::emit_op_nstricteq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_jstricteq):
        (JSC::JIT::emit_op_jnstricteq):
        (JSC::JIT::emitSlow_op_jstricteq):
        (JSC::JIT::emitSlow_op_jnstricteq):
        (JSC::JIT::emitSlow_op_jeq):
        (JSC::JIT::emitSlow_op_jneq):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emit_op_jeq):
        (JSC::JIT::compileOpEqJumpSlow):
        (JSC::JIT::emitSlow_op_jeq):
        (JSC::JIT::emit_op_jneq):
        (JSC::JIT::emitSlow_op_jneq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_stricteq):
        (JSC::JIT::emit_op_nstricteq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_jstricteq):
        (JSC::JIT::emit_op_jnstricteq):
        (JSC::JIT::emitSlow_op_jstricteq):
        (JSC::JIT::emitSlow_op_jnstricteq):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Improve constants and add comments for CodeBlockHash
        https://bugs.webkit.org/show_bug.cgi?id=183982

        Rubber-stamped by Mark Lam.

        * bytecode/CodeBlockHash.cpp:
        (JSC::CodeBlockHash::CodeBlockHash):
        * bytecode/ParseHash.cpp:
        (JSC::ParseHash::ParseHash):

2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add options to report parsing and bytecode compiling times
        https://bugs.webkit.org/show_bug.cgi?id=183982

        Reviewed by Mark Lam.

        This patch adds reportParseTimes and reportBytecodeCompileTimes options.
        When they are enabled, JSC reports times consumed for parsing and bytecode
        compiling.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/ParseHash.cpp: Added.
        (JSC::ParseHash::ParseHash):
        * bytecode/ParseHash.h: Added.
        (JSC::ParseHash::hashForCall const):
        (JSC::ParseHash::hashForConstruct const):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::generate):
        * parser/Parser.h:
        (JSC::parse):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlock):
        * runtime/Options.h:

2018-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JIT] Drop ENABLE_JIT_VERBOSE flag
        https://bugs.webkit.org/show_bug.cgi?id=183983

        Reviewed by Mark Lam.

        Just use JITInternal::verbose value.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::link):

2018-03-23  Tim Horton  <timothy_horton@apple.com>

        Fix the build with no pasteboard
        https://bugs.webkit.org/show_bug.cgi?id=183973

        Reviewed by Dan Bernstein.

        * Configurations/FeatureDefines.xcconfig:

2018-03-23  Mark Lam  <mark.lam@apple.com>

        LLInt TypeArray pointer poisoning should not pick its poison dynamically.
        https://bugs.webkit.org/show_bug.cgi?id=183942
        <rdar://problem/38798018>

        Reviewed by JF Bastien.

        1. Move the LLInt TypedArray unpoisoning to just before the array access after
           all the branches.
        2. Renamed FirstArrayType to FirstTypedArrayType to match the symbol in C++ code.
        3. Remove a useless instruction in the implementation of emitX86Lea for a global
           label.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/x86.rb:

2018-03-23  Mark Lam  <mark.lam@apple.com>

        Add more support for pointer profiling.
        https://bugs.webkit.org/show_bug.cgi?id=183943
        <rdar://problem/38799068>

        Reviewed by JF Bastien.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::linkJumpOrCall):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::repatchNearCall):
        (JSC::AbstractMacroAssembler::tagReturnAddress):
        (JSC::AbstractMacroAssembler::untagReturnAddress):

2018-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Add standard containers with FastAllocator specialization
        https://bugs.webkit.org/show_bug.cgi?id=183789

        Reviewed by Darin Adler.

        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testDoubleLiteralComparison):
        (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
        * dfg/DFGGraph.h:
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
        * runtime/FunctionHasExecutedCache.h:
        * runtime/TypeLocationCache.h:

2018-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Fix ArrayPush(ArrayStorage)'s abstract heap
        https://bugs.webkit.org/show_bug.cgi?id=182960

        Reviewed by Saam Barati.

        This patch fixes ArrayPush(ArrayStorage)'s abstract heap.
        It should always touch ArrayStorage_vector. To unify
        vector setting code for the real ArrayStorage_vector and
        ScratchBuffer, we use ArrayStorage_vector.atAnyIndex() to
        annotate this.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):

2018-03-23  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed build fix for GCC 4.9 builds.

        * assembler/MacroAssemblerCodeRef.h: std::is_trivially_copyable<> isn't
        supported in 4.9 libstdc++, so wrap the static assert using it in a
        COMPILER_SUPPORTS() macro, and use __is_trivially_copyable() builtin,
        as is done in bitwise_cast() in StdLibExtras.h.

2018-03-22  Tim Horton  <timothy_horton@apple.com>

        Adopt WK_ALTERNATE_FRAMEWORKS_DIR in WebCore
        https://bugs.webkit.org/show_bug.cgi?id=183930
        <rdar://problem/38782249>

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-03-22  Mark Lam  <mark.lam@apple.com>

        Add placeholder call and jump MacroAssembler emitters that take PtrTag in a register.
        https://bugs.webkit.org/show_bug.cgi?id=183914
        <rdar://problem/38763536>

        Reviewed by Saam Barati and JF Bastien.

        This is in preparation for supporting pointer profiling work.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::jump):
        (JSC::MacroAssemblerARM::call):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::call):
        (JSC::MacroAssemblerARM64::jump):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::jump):
        (JSC::MacroAssemblerARMv7::call):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::jump):
        (JSC::MacroAssemblerMIPS::call):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::call):
        (JSC::MacroAssemblerX86::jump):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::jump):
        (JSC::MacroAssemblerX86Common::call):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::call):
        (JSC::MacroAssemblerX86_64::jump):

2018-03-22  Tim Horton  <timothy_horton@apple.com>

        Improve readability of WebCore's OTHER_LDFLAGS
        https://bugs.webkit.org/show_bug.cgi?id=183909
        <rdar://problem/38760992>

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * Configurations/FeatureDefines.xcconfig:

2018-03-22  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Thumb: Do not decorate bottom bit twice
        https://bugs.webkit.org/show_bug.cgi?id=183906

        Reviewed by Mark Lam.

        Use MacroAssemblerCodePtr::createFromExecutableAddress instead of
        MacroAssemblerCodePtr(void*) to avoid decorating the pointer twice as
        a thumb pointer.

        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):
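
The entry above is about which constructor to use when the address in hand already carries the Thumb bit. The toy below is an added example for this page, not JSC's MacroAssemblerCodePtr: it models decoration as "+ 1" (an assumption made so that a second decoration is visibly wrong; the entry only says the pointer was decorated twice), provides a factory for already-decorated addresses in the spirit of createFromExecutableAddress, and adds a checked variant that refuses to decorate an address whose low bit is already set. Class and function names are hypothetical.

```cpp
#include <cstdint>
#include <optional>

// Toy model of a Thumb-decorated code pointer. On a Thumb target the low bit of
// a code address is set so that a branch to it enters Thumb mode. Decoration is
// modelled as "+ 1" here (assumption for the example): applying it to an
// address that is already decorated adds a second 1, which makes the address
// even (no longer marked Thumb) and points one byte into the first instruction.
class CodePtr {
public:
    // Counterpart of a constructor that expects an UNDECORATED address and
    // applies the Thumb bit itself.
    static CodePtr fromUndecoratedAddress(uintptr_t undecorated)
    {
        return CodePtr(undecorated + 1);
    }

    // Counterpart of createFromExecutableAddress: the address is already
    // decorated (for instance it was read back out of emitted code), so it is
    // stored as-is.
    static CodePtr createFromExecutableAddress(uintptr_t decorated)
    {
        return CodePtr(decorated);
    }

    // Hardened variant: refuse an address whose Thumb bit is already set
    // instead of silently decorating it a second time.
    static std::optional<CodePtr> fromUndecoratedAddressChecked(uintptr_t address)
    {
        if (address & 1)
            return std::nullopt;
        return CodePtr(address + 1);
    }

    uintptr_t executableAddress() const { return m_value; }
    uintptr_t dataLocation() const { return m_value & ~static_cast<uintptr_t>(1); }
    bool isThumbDecorated() const { return (m_value & 1) != 0; }

private:
    explicit CodePtr(uintptr_t value) : m_value(value) { }
    uintptr_t m_value;
};

// Reproduces the bug shape: an already-decorated address (as a call-site
// repatching routine holds) is pushed through the decorating constructor.
uintptr_t doubleDecorate(uintptr_t decorated)
{
    return CodePtr::fromUndecoratedAddress(decorated).executableAddress();
}
```

The checked factory turns the mistake into a visible failure at the call site; on a real Thumb target the unchecked form would instead produce a branch to an even, misaligned address.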

2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
        https://bugs.webkit.org/show_bug.cgi?id=183559

        Reviewed by Mark Lam.

        When converting NumberToStringWithRadix to ToString(Int52/Int32/Double), we forgot
        to clear NodeMustGenerate for this ToString. It should be cleared, since the node does
        not have any user-observable side effect. This patch clears NodeMustGenerate.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] List up all candidates in DFGCapabilities and FTLCapabilities
        https://bugs.webkit.org/show_bug.cgi?id=183897

        Reviewed by Mark Lam.

        We should not use a `default:` clause here since it accidentally catches
        opcodes and DFG nodes which should be optimized. For example,
        op_super_sampler_begin and op_super_sampler_end are not listed while
        they have DFG and FTL backends.

        This patch lists up all candidates in DFGCapabilities and FTLCapabilities.
        And we also clean up unnecessary checks in FTLCapabilities. Since we
        already handle all the possible array types for these nodes (which can
        be checked in DFG's code), we do not need to check array types.

        We also fix FTLLowerDFGToB3's PutByVal code to use modeForPut.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):

2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop op_put_by_index
        https://bugs.webkit.org/show_bug.cgi?id=183899

        Reviewed by Mark Lam.

        This patch drops op_put_by_index.

        1. This functionality can be just covered by direct put_by_val.
        2. put_by_index is not well optimized. It is just calling a C
        function. And it does not have DFG handling.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPutByIndex): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::ArrayPatternNode::emitDirectBinding):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_index): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_index): Deleted.
        * llint/LLIntSlowPaths.cpp:
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:

2018-03-22  Michael Saboff  <msaboff@apple.com>

        Race Condition in arrayProtoFuncReverse() causes wrong results or crash
        https://bugs.webkit.org/show_bug.cgi?id=183901

        Reviewed by Keith Miller.

        Added write barriers to ensure the reversed contents are properly marked.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncReverse):

2018-03-21  Filip Pizlo  <fpizlo@apple.com>

        ScopedArguments should do poisoning and index masking
        https://bugs.webkit.org/show_bug.cgi?id=183863

        Reviewed by Mark Lam.
        
        This outlines the ScopedArguments overflow storage and adds poisoning.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * runtime/JSCPoison.h:
        * runtime/ScopedArguments.cpp:
        (JSC::ScopedArguments::ScopedArguments):
        (JSC::ScopedArguments::createUninitialized):
        (JSC::ScopedArguments::visitChildren):
        * runtime/ScopedArguments.h:

2018-03-21  Mark Lam  <mark.lam@apple.com>

        Refactor the PtrTag list as a macro so that we can auto-generate code that enumerates each PtrTag.
        https://bugs.webkit.org/show_bug.cgi?id=183861
        <rdar://problem/38716822>

        Reviewed by Filip Pizlo.

        Also added ptrTagName() to aid debugging.  ptrTagName() is implemented using this
        new PtrTag macro list.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/PtrTag.cpp: Added.
        (JSC::ptrTagName):
        * runtime/PtrTag.h:

2018-03-21  Mark Lam  <mark.lam@apple.com>

        Use CodeBlock::instructions()[] and CodeBlock::bytecodeOffset() instead of doing own pointer math.
        https://bugs.webkit.org/show_bug.cgi?id=183857
        <rdar://problem/38712184>

        Reviewed by JF Bastien.

        We should avoid doing pointer math with CodeBlock::instructions().begin().
        Instead, we should use the operator[] that comes with CodeBlock::instructions()
        for computing an Instruction*, and use CodeBlock::bytecodeOffset() for computing
        the bytecode offset of a given Instruction*.  These methods will do assertions
        which help catch bugs sooner, plus they are more descriptive of the operation
        we're trying to do.

        * bytecode/BytecodeKills.h:
        (JSC::BytecodeKills::operandIsKilled const):
        (JSC::BytecodeKills::forEachOperandKilledAt const):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::arithProfileForBytecodeOffset):
        (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::callSiteBitsAsBytecodeOffset const):
        (JSC::CallFrame::currentVPC const):
        (JSC::CallFrame::setCurrentVPC):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::updateTopCallFrame):
        (JSC::JIT::copiedInstruction):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
        (JSC::LLInt::getByVal): Deleted.
        (JSC::LLInt::handleHostCall): Deleted.
        (JSC::LLInt::setUpCall): Deleted.
        (JSC::LLInt::genericCall): Deleted.
        (JSC::LLInt::varargsSetup): Deleted.
        (JSC::LLInt::llint_throw_stack_overflow_error): Deleted.
        (JSC::LLInt::llint_stack_check_at_vm_entry): Deleted.
        (JSC::LLInt::llint_write_barrier_slow): Deleted.
        (JSC::LLInt::llint_crash): Deleted.
        * runtime/SamplingProfiler.cpp:
        (JSC::tryGetBytecodeIndex):

2018-03-21  Keith Miller  <keith_miller@apple.com>

        btjs should print the bytecode offset in the stack trace for JS frames
        https://bugs.webkit.org/show_bug.cgi?id=183856

        Reviewed by Filip Pizlo.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::bytecodeOffset):
        (JSC::CallFrame::dump):

2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix GTK and WPE debug build after r229798.

        Fix a typo in an ASSERT. Also convert several RELEASE_ASSERT to ASSERT that I forgot to do before landing.

        * API/glib/JSCCallbackFunction.cpp:
        (JSC::JSCCallbackFunction::JSCCallbackFunction):
        * API/glib/JSCContext.cpp:
        (jscContextSetVirtualMachine):
        (jscContextGetJSContext):
        (wrapperMap):
        (jscContextHandleExceptionIfNeeded):
        * API/glib/JSCValue.cpp:
        (jscValueCallFunction):
        * API/glib/JSCVirtualMachine.cpp:
        (addWrapper):
        (removeWrapper):
        (jscVirtualMachineSetContextGroup):
        (jscVirtualMachineAddContext):
        (jscVirtualMachineRemoveContext):
        * API/glib/JSCWrapperMap.cpp:
        (JSC::WrapperMap::gobjectWrapper):
        (JSC::WrapperMap::unwrap):
        (JSC::WrapperMap::registerClass):
        (JSC::WrapperMap::createJSWrappper):
        (JSC::WrapperMap::wrappedObject const):

2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK][WPE] JSC bindings not introspectable
        https://bugs.webkit.org/show_bug.cgi?id=136989

        Reviewed by Michael Catanzaro.

        Make it possible to include individual headers when building the WebKit layer.

        * API/glib/JSCAutocleanups.h:
        * API/glib/JSCClass.h:
        * API/glib/JSCContext.h:
        * API/glib/JSCException.h:
        * API/glib/JSCValue.h:
        * API/glib/JSCVersion.h.in:
        * API/glib/JSCVirtualMachine.h:

2018-03-21  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK][WPE] Initial implementation of JavaScriptCore glib bindings
        https://bugs.webkit.org/show_bug.cgi?id=164061

        Reviewed by Michael Catanzaro.

        Add initial GLib API for JavaScriptCore.

        * API/JSAPIWrapperObject.h:
        * API/glib/JSAPIWrapperObjectGLib.cpp: Added.
        (jsAPIWrapperObjectHandleOwner):
        (JSAPIWrapperObjectHandleOwner::finalize):
        (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
        (JSC::JSCallbackObject<JSAPIWrapperObject>::createStructure):
        (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
        (JSC::JSAPIWrapperObject::finishCreation):
        (JSC::JSAPIWrapperObject::setWrappedObject):
        (JSC::JSAPIWrapperObject::visitChildren):
        * API/glib/JSCAutocleanups.h: Added.
        * API/glib/JSCCallbackFunction.cpp: Added.
        (JSC::callAsFunction):
        (JSC::callAsConstructor):
        (JSC::JSCCallbackFunction::create):
        (JSC::JSCCallbackFunction::JSCCallbackFunction):
        (JSC::JSCCallbackFunction::call):
        (JSC::JSCCallbackFunction::construct):
        (JSC::JSCCallbackFunction::destroy):
        * API/glib/JSCCallbackFunction.h: Added.
        (JSC::JSCCallbackFunction::createStructure):
        (JSC::JSCCallbackFunction::functionCallback):
        (JSC::JSCCallbackFunction::constructCallback):
        * API/glib/JSCClass.cpp: Added.
        (jscClassGetProperty):
        (jscClassSetProperty):
        (jscClassDispose):
        (jscClassConstructed):
        (jsc_class_class_init):
        (jscClassCreate):
        (jscClassGetJSClass):
        (jscClassGetOrCreateJSWrapper):
        (jscClassInvalidate):
        (jsc_class_get_name):
        (jsc_class_get_parent):
        (jsc_class_add_constructor):
        (jsc_class_add_method):
        (jsc_class_add_property):
        * API/glib/JSCClass.h: Added.
        * API/glib/JSCClassPrivate.h: Added.
        * API/glib/JSCContext.cpp: Added.
        (ExceptionHandler::ExceptionHandler):
        (ExceptionHandler::~ExceptionHandler):
        (jscContextSetVirtualMachine):
        (jscContextGetProperty):
        (jscContextSetProperty):
        (jscContextConstructed):
        (jscContextDispose):
        (jsc_context_class_init):
        (jscContextGetOrCreate):
        (jscContextGetJSContext):
        (wrapperMap):
        (jscContextGetOrCreateValue):
        (jscContextValueDestroyed):
        (jscContextGetJSWrapper):
        (jscContextGetOrCreateJSWrapper):
        (jscContextWrappedObject):
        (jscContextPushCallback):
        (jscContextPopCallback):
        (jscContextGArrayToJSArray):
        (jscContextJSArrayToGArray):
        (jscContextGValueToJSValue):
        (jscContextJSValueToGValue):
        (jsc_context_new):
        (jsc_context_new_with_virtual_machine):
        (jsc_context_get_virtual_machine):
        (jsc_context_get_exception):
        (jsc_context_throw):
        (jsc_context_throw_exception):
        (jsc_context_push_exception_handler):
        (jsc_context_pop_exception_handler):
        (jscContextHandleExceptionIfNeeded):
        (jsc_context_get_current):
        (jsc_context_evaluate):
        (jsc_context_evaluate_with_source_uri):
        (jsc_context_set_value):
        (jsc_context_get_value):
        (jsc_context_register_class):
        * API/glib/JSCContext.h: Added.
        * API/glib/JSCContextPrivate.h: Added.
        * API/glib/JSCDefines.h: Copied from Source/JavaScriptCore/API/JSAPIWrapperObject.h.
        * API/glib/JSCException.cpp: Added.
        (jscExceptionDispose):
        (jsc_exception_class_init):
        (jscExceptionCreate):
        (jscExceptionGetJSValue):
        (jscExceptionEnsureProperties):
        (jsc_exception_new):
        (jsc_exception_get_message):
        (jsc_exception_get_line_number):
        (jsc_exception_get_source_uri):
        * API/glib/JSCException.h: Added.
        * API/glib/JSCExceptionPrivate.h: Added.
        * API/glib/JSCGLibWrapperObject.h: Added.
        (JSC::JSCGLibWrapperObject::JSCGLibWrapperObject):
        (JSC::JSCGLibWrapperObject::~JSCGLibWrapperObject):
        (JSC::JSCGLibWrapperObject::object const):
        * API/glib/JSCValue.cpp: Added.
        (jscValueGetProperty):
        (jscValueSetProperty):
        (jscValueDispose):
        (jsc_value_class_init):
        (jscValueGetJSValue):
        (jscValueCreate):
        (jsc_value_get_context):
        (jsc_value_new_undefined):
        (jsc_value_is_undefined):
        (jsc_value_new_null):
        (jsc_value_is_null):
        (jsc_value_new_number):
        (jsc_value_is_number):
        (jsc_value_to_double):
        (jsc_value_to_int32):
        (jsc_value_new_boolean):
        (jsc_value_is_boolean):
        (jsc_value_to_boolean):
        (jsc_value_new_string):
        (jsc_value_is_string):
        (jsc_value_to_string):
        (jsc_value_new_array):
        (jsc_value_new_array_from_garray):
        (jsc_value_is_array):
        (jsc_value_new_object):
        (jsc_value_is_object):
        (jsc_value_object_is_instance_of):
        (jsc_value_object_set_property):
        (jsc_value_object_get_property):
        (jsc_value_object_set_property_at_index):
        (jsc_value_object_get_property_at_index):
        (jscValueCallFunction):
        (jsc_value_object_invoke_method):
        (jsc_value_object_define_property_data):
        (jsc_value_object_define_property_accessor):
        (jsc_value_new_function):
        (jsc_value_is_function):
        (jsc_value_function_call):
        (jsc_value_is_constructor):
        (jsc_value_constructor_call):
        * API/glib/JSCValue.h: Added.
        * API/glib/JSCValuePrivate.h: Added.
        * API/glib/JSCVersion.cpp: Added.
        (jsc_get_major_version):
        (jsc_get_minor_version):
        (jsc_get_micro_version):
        * API/glib/JSCVersion.h.in: Added.
        * API/glib/JSCVirtualMachine.cpp: Added.
        (addWrapper):
        (removeWrapper):
        (jscVirtualMachineSetContextGroup):
        (jscVirtualMachineEnsureContextGroup):
        (jscVirtualMachineDispose):
        (jsc_virtual_machine_class_init):
        (jscVirtualMachineGetOrCreate):
        (jscVirtualMachineGetContextGroup):
        (jscVirtualMachineAddContext):
        (jscVirtualMachineRemoveContext):
        (jscVirtualMachineGetContext):
        (jsc_virtual_machine_new):
        * API/glib/JSCVirtualMachine.h: Added.
        * API/glib/JSCVirtualMachinePrivate.h: Added.
        * API/glib/JSCWrapperMap.cpp: Added.
        (JSC::WrapperMap::WrapperMap):
        (JSC::WrapperMap::~WrapperMap):
        (JSC::WrapperMap::gobjectWrapper):
        (JSC::WrapperMap::unwrap):
        (JSC::WrapperMap::registerClass):
        (JSC::WrapperMap::createJSWrappper):
        (JSC::WrapperMap::jsWrapper const):
        (JSC::WrapperMap::wrappedObject const):
        * API/glib/JSCWrapperMap.h: Added.
        * API/glib/docs/jsc-glib-4.0-sections.txt: Added.
        * API/glib/docs/jsc-glib-4.0.types: Added.
        * API/glib/docs/jsc-glib-docs.sgml: Added.
        * API/glib/jsc.h: Added.
        * CMakeLists.txt:
        * GLib.cmake: Added.
        * JavaScriptCore.gir.in: Removed.
        * PlatformGTK.cmake:
        * PlatformWPE.cmake:
        * heap/Heap.cpp:
        (JSC::Heap::releaseDelayedReleasedObjects):
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::releaseSoon):
        * javascriptcoregtk.pc.in:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::setWrapperMap):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::glibCallbackFunctionStructure const):
        (JSC::JSGlobalObject::glibWrapperObjectStructure const):
        (JSC::JSGlobalObject::wrapperMap const):

2018-03-21  Christopher Reid  <chris.reid@sony.com>

        Windows 64-bit build fix after r229767
        https://bugs.webkit.org/show_bug.cgi?id=183810

        Reviewed by Mark Lam.

        Removing an extra parameter in the call to m_assembler::call.

        * assembler/MacroAssemblerX86_64.h:

2018-03-20  Dan Bernstein  <mitz@apple.com>

        [Xcode] JSVALUE_MODEL is unused
        https://bugs.webkit.org/show_bug.cgi?id=183809

        Reviewed by Tim Horton.

        * Configurations/JavaScriptCore.xcconfig: Removed the unused definition.

2018-03-20  Tim Horton  <timothy_horton@apple.com>

        Update the install name for JavaScriptCore when built with WK_ALTERNATE_FRAMEWORKS_DIR
        https://bugs.webkit.org/show_bug.cgi?id=183808
        <rdar://problem/38692079>

        Reviewed by Dan Bernstein.

        * Configurations/JavaScriptCore.xcconfig:

2018-03-20  Tim Horton  <timothy_horton@apple.com>

        Enable the minimal simulator feature flag when appropriate
        https://bugs.webkit.org/show_bug.cgi?id=183807

        Reviewed by Dan Bernstein.

        * Configurations/FeatureDefines.xcconfig:

2018-03-20  Saam Barati  <sbarati@apple.com>

        We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
        https://bugs.webkit.org/show_bug.cgi?id=183795
        <rdar://problem/38298694>

        Reviewed by JF Bastien.

        We were just assuming that the constants we were inserting were
        always exitOK=true. However, this breaks validation. The exitOK
        we emit for the constants in the NewArrayBuffer should respect
        the current exit state of the IR we've emitted. This is just IR
        bookkeeping since JSConstant is a non-exiting node.

        * dfg/DFGArgumentsEliminationPhase.cpp:

2018-03-20  Guillaume Emont  <guijemont@igalia.com>

        MIPS+Armv7 builds are broken since r229391
        https://bugs.webkit.org/show_bug.cgi?id=183474

        Reviewed by Yusuke Suzuki.

        Add missing armv7 and mips operations and fix arguments to a call to
        operationGetByValCell. This should fix compilation on MIPS and Armv7
        (though it does not implement the missing setupArguments stuff in
        CCallHelpers).

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::swap):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::swap):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/FPRInfo.h:

2018-03-20  Tim Horton  <timothy_horton@apple.com>

        Add and adopt WK_PLATFORM_NAME and adjust default feature defines
        https://bugs.webkit.org/show_bug.cgi?id=183758
        <rdar://problem/38017644>

        Reviewed by Dan Bernstein.

        * Configurations/FeatureDefines.xcconfig:

2018-03-20  Mark Lam  <mark.lam@apple.com>

        Improve FunctionPtr and use it in the JIT CallRecord.
        https://bugs.webkit.org/show_bug.cgi?id=183756
        <rdar://problem/38641335>

        Reviewed by JF Bastien.

        1. FunctionPtr holds a C/C++ function pointer by default.  Change its default
           PtrTag to reflect that.

        2. Delete the FunctionPtr::value() method.  It is effectively a duplicate of
           executableAddress().

        3. Fix the FunctionPtr constructor that takes arbitrary pointers to be able to
           take "any" pointer.  "any" in this case means that the pointer may not be typed
           as a C/C++ function to the C++ compiler (due to upstream casting or usage of
           void* as a storage type), but it is still expected to be pointing to a C/C++
           function.

        4. Added a FunctionPtr constructor that takes another FunctionPtr.  This is a
           convenience constructor that lets us retag the underlying pointer.  The other
           FunctionPtr is still expected to point to a C/C++ function.

        5. Added PtrTag assertion placeholder functions to be implemented later.

        6. Change the JIT CallRecord to embed a FunctionPtr callee instead of a void* to
           pointer.  This improves type safety, and assists in getting pointer tagging
           right later.

        7. Added versions of JIT callOperations methods that will take a PtrTag.
           This is preparation for more pointer tagging work later.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::linkCall):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::linkCall):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):
        (JSC::FunctionPtr::operator bool const):
        (JSC::FunctionPtr::operator! const):
        (JSC::ReturnAddressPtr::ReturnAddressPtr):
        (JSC::MacroAssemblerCodePtr::retagged const):
        (JSC::MacroAssemblerCodeRef::retaggedCode const):
        (JSC::FunctionPtr::value const): Deleted.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::linkCall):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::linkCall):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
        (JSC::MacroAssemblerX86_64::linkCall):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * ftl/FTLSlowPathCall.cpp:
        (JSC::FTL::SlowPathCallContext::makeCall):
        * ftl/FTLSlowPathCall.h:
        (JSC::FTL::callOperation):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        (JSC::FTL::lazySlowPathGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JIT.h:
        (JSC::CallRecord::CallRecord):
        (JSC::JIT::appendCall):
        (JSC::JIT::appendCallWithSlowPathReturnType):
        (JSC::JIT::callOperation):
        (JSC::JIT::callOperationWithProfile):
        (JSC::JIT::callOperationWithResult):
        (JSC::JIT::callOperationNoExceptionCheck):
        (JSC::JIT::callOperationWithCallFrameRollbackOnException):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitMathICFast):
        (JSC::JIT::emitMathICSlow):
        * jit/JITInlines.h:
        (JSC::JIT::emitNakedCall):
        (JSC::JIT::emitNakedTailCall):
        (JSC::JIT::appendCallWithExceptionCheck):
        (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
        (JSC::JIT::appendCallWithCallFrameRollbackOnException):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::JITSlowPathCall):
        (JSC::JITSlowPathCall::call):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * runtime/PtrTag.h:
        (JSC::nextPtrTagID):
        (JSC::assertIsCFunctionPtr):
        (JSC::assertIsNullOrCFunctionPtr):
        (JSC::assertIsNotTagged):
        (JSC::assertIsTagged):
        (JSC::assertIsNullOrTagged):
        (JSC::assertIsTaggedWith):
        (JSC::assertIsNullOrTaggedWith):
        (JSC::uniquePtrTagID): Deleted.

2018-03-20  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>

        [MIPS] Optimize generated JIT code for loads/stores
        https://bugs.webkit.org/show_bug.cgi?id=183243

        Reviewed by Yusuke Suzuki.

        JIT generates three MIPS instructions for a load/store from/to an absolute address:

          lui adrTmpReg, address >> 16
          ori adrTmpReg, address & 0xffff
          lw dataReg, 0(adrTmpReg)

        Since load/store instructions on MIPS have a 16-bit offset, the lower 16 bits of the address can
        be encoded into the load/store and the ori instruction can be removed:

          lui adrTmpReg, (address + 0x8000) >> 16
          lw dataReg, (address & 0xffff)(adrTmpReg)

        Also, in loads/stores with BaseIndex address, the left shift can be omitted if address.scale is 0.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::add32):
        (JSC::MacroAssemblerMIPS::add64):
        (JSC::MacroAssemblerMIPS::or32):
        (JSC::MacroAssemblerMIPS::sub32):
        (JSC::MacroAssemblerMIPS::convertibleLoadPtr):
        (JSC::MacroAssemblerMIPS::load8):
        (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::load32):
        (JSC::MacroAssemblerMIPS::store8):
        (JSC::MacroAssemblerMIPS::store32):
        (JSC::MacroAssemblerMIPS::branchTest8):
        (JSC::MacroAssemblerMIPS::branchAdd32):
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeDouble):
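
        As an added illustration of the encoding trick described above (example code, not part of the WebKit patch), the C routine below splits a 32-bit absolute address into the lui immediate and the signed 16-bit displacement, shows why the +0x8000 bias is required once bit 15 of the address is set, and checks that the shortened pair reaches the same address as the original lui/ori/lw sequence. The sample addresses are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The two immediates the shortened lui + load/store pair needs: the upper
 * half materialised by lui, and the signed 16-bit displacement encoded
 * directly in the lw/sw instruction. */
typedef struct {
    uint16_t lui_imm;   /* lui adrTmpReg, lui_imm         */
    int16_t  disp;      /* lw  dataReg,   disp(adrTmpReg) */
} MipsAbsAddress;

/* Original three-instruction sequence: lui/ori materialise the full address
 * in adrTmpReg and the load uses a zero displacement. */
static uint32_t mips_three_insn_effective_address(uint32_t address)
{
    uint32_t reg = (address >> 16) << 16;      /* lui adrTmpReg, address >> 16    */
    reg |= address & 0xffffu;                  /* ori adrTmpReg, address & 0xffff */
    return reg + 0u;                           /* lw  dataReg, 0(adrTmpReg)       */
}

/* Shortened two-instruction sequence. The load/store sign-extends its 16-bit
 * displacement, so when bit 15 of the address is set the displacement is
 * negative and lui must load an upper half that is one larger. Adding 0x8000
 * before the shift carries into the upper half exactly in that case. */
static MipsAbsAddress mips_split_address(uint32_t address)
{
    MipsAbsAddress out;
    /* 32-bit unsigned arithmetic wraps, matching the assembler's immediate math. */
    out.lui_imm = (uint16_t)((address + 0x8000u) >> 16);
    /* Low half reinterpreted as a signed 16-bit value (two's complement). */
    out.disp = (int16_t)(address & 0xffffu);
    return out;
}

/* Address the hardware computes for disp(adrTmpReg): rs + sign_extend(disp). */
static uint32_t mips_effective_address(MipsAbsAddress a)
{
    uint32_t base = (uint32_t)a.lui_imm << 16;
    return base + (uint32_t)(int32_t)a.disp;   /* unsigned wrap mirrors the CPU */
}

/* Same two-instruction idea without the +0x8000 bias: lands 0x10000 too low
 * whenever bit 15 of the address is set. */
static uint32_t mips_unbiased_effective_address(uint32_t address)
{
    uint32_t base = (address >> 16) << 16;
    return base + (uint32_t)(int32_t)(int16_t)(address & 0xffffu);
}

/* Returns 1 when the shortened encoding reaches the same address as the
 * original three-instruction form. */
static int mips_split_roundtrips(uint32_t address)
{
    return mips_effective_address(mips_split_address(address))
        == mips_three_insn_effective_address(address);
}

int main(void)
{
    /* Constructed sample addresses: bit 15 clear, bit 15 set, and one that
     * wraps at the top of the 32-bit address space. */
    const uint32_t samples[] = { 0x12344000u, 0x12348000u, 0xffff8000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t addr = samples[i];
        MipsAbsAddress a = mips_split_address(addr);
        printf("%08x: lui 0x%04x, disp %6d -> %08x (unbiased would give %08x)\n",
               addr, a.lui_imm, a.disp, mips_effective_address(a),
               mips_unbiased_effective_address(addr));
    }
    return 0;
}
```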

2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Add vectorLengthHint for NewArray
        https://bugs.webkit.org/show_bug.cgi?id=183694

        Reviewed by Saam Barati.

        While the following code is common, it is not so efficient.

        var array = [];
        for (...) {
            ...
            array.push(...);
        }

        The array is always allocated with 0 vector length. And it is eventually grown.

        We have ArrayAllocationProfile, and it tells us the vector length hint for
        the allocated arrays. This hint is already used for NewArrayBuffer. This patch
        extends this support to the NewArray DFG node.

        This patch improves Kraken/stanford-crypto-aes by 4%.

                                      baseline                  patched

        stanford-crypto-aes        64.069+-1.352             61.589+-1.274           might be 1.0403x faster

        NewArray can be optimized.

                                                       baseline                  patched

        vector-length-hint-new-array               21.8157+-0.0882     ^     13.1764+-0.0942        ^ definitely 1.6557x faster
        vector-length-hint-array-constructor       21.9076+-0.0987     ?     22.1168+-0.4814        ?

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasVectorLengthHint):
        (JSC::DFG::Node::vectorLengthHint):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):

2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Make ArraySlice(0) code tight
        https://bugs.webkit.org/show_bug.cgi?id=183590

        Reviewed by Saam Barati.

        This patch tightens ArraySlice code, in particular the startIndex = 0 case.

        1. We support array.slice() call. This is a well-used way to clone array.
        For example, underscore.js uses this technique.

        2. We remove several checks if the given index value is a proven constant.

        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        We can skip some of the checks if the given value is a proven constant.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
        Change below to belowOrEqual. It does not change meaning in the code. But it allows us
        to fold BelowEqual(0, x) to true.

2018-03-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Drop s_exceptionInstructions static initializer
        https://bugs.webkit.org/show_bug.cgi?id=183732

        Reviewed by Darin Adler.

        Make Instruction constructor constexpr to drop the static constructor
        of LLInt::Data::s_exceptionInstructions.

        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):

2018-03-19  Dan Bernstein  <mitz@apple.com>

        Investigate why __cpu_indicator_init is used
        https://bugs.webkit.org/show_bug.cgi?id=183736

        Reviewed by Tim Horton.

        __cpu_indicator_init, which is a global initializer, was included in JavaScriptCore because
        we were passing the -all_load option to the linker, causing it to bring in all members of
        every static library being linked in, including the compiler runtime library. We only need
        to load all members of WTF. The linker option for doing that is -force_load, and it requires
        a path to the library. To support building against libWTF.a built locally as well as against
        the copy that is in the SDK, we add a script build phase that places a symbolic link to the
        appropriate libWTF.a under the DerivedSources directory, and pass the path to that symlink
        to the linker. Also, while cleaning up linker flags, make OTHER_LDFLAGS_HIDE_SYMBOLS less
        verbose by eliminating every other -Wl, remove redundant -lobjc (libobjc is already listed
        in the Link Binary With Libraries build phase), remove long-unsupported -Y,3, and stop
        reexporting libobjc.

        * Configurations/JavaScriptCore.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-03-19  Jiewen Tan  <jiewen_tan@apple.com>

        Unreviewed, another quick fix for r229699

        Restricts ENABLE_WEB_AUTHN to only macOS and iOS.

        * Configurations/FeatureDefines.xcconfig:

2018-03-19  Mark Lam  <mark.lam@apple.com>

        FunctionPtr should be passed by value.
        https://bugs.webkit.org/show_bug.cgi?id=183746
        <rdar://problem/38625311>

        Reviewed by JF Bastien.

        It's meant to be an encapsulation of a C/C++ function pointer.  There are cases
        where we use it to pass JIT compiled code (e.g. the VM thunks/stubs), but they are
        treated as if they are C/C++ functions.

        Regardless, there's no need to pass it by reference.

        * assembler/MacroAssemblerCodeRef.h:
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::appendCall):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::appendCall):
        (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
        (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        * jit/JIT.h:
        (JSC::JIT::appendCall):
        (JSC::JIT::appendCallWithSlowPathReturnType):
        * jit/JITInlines.h:
        (JSC::JIT::appendCallWithExceptionCheck):
        (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
        (JSC::JIT::appendCallWithCallFrameRollbackOnException):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):

2018-03-15  Ross Kirsling  <ross.kirsling@sony.com>

        Fix MSVC run-time check after r229391.
        https://bugs.webkit.org/show_bug.cgi?id=183673

        Reviewed by Keith Miller.

        Replaces attempted fix from r229424/r229432.
        Apparently MSVC doesn't like it when a zero-length std::array is defined without explicit braces.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::clampArrayToSize):

2018-03-15  Tim Horton  <timothy_horton@apple.com>

        Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in ANGLE
        https://bugs.webkit.org/show_bug.cgi?id=183675
        <rdar://problem/38515281>

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Don't install the JSC alias if we're installing to an alternate location.
        This should have been a part of r229637.

2018-03-15  Tim Horton  <timothy_horton@apple.com>

        Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=183649
        <rdar://problem/38480526>

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-03-14  Mark Lam  <mark.lam@apple.com>

        Enhance the MacroAssembler and LinkBuffer to support pointer profiling.
        https://bugs.webkit.org/show_bug.cgi?id=183623
        <rdar://problem/38443314>

        Reviewed by Michael Saboff.

        1. Added a PtrTag argument to indirect call() and indirect jump() MacroAssembler
           emitters to support pointer profiling.

        2. Also added tagPtr(), untagPtr(), and removePtrTag() placeholder methods.

        3. Added a PtrTag to LinkBuffer finalizeCodeWithoutDisassembly() and clients.

        4. Updated clients to pass a PtrTag.  For the most part, I just apply NoPtrTag as
           a placeholder until we have time to analyze what pointer profile each client
           site has later.
        5. Apply PtrTags to the YarrJIT.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::linkJumpOrCall):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::getLinkerAddress):
        (JSC::AbstractMacroAssembler::tagPtr):
        (JSC::AbstractMacroAssembler::untagPtr):
        (JSC::AbstractMacroAssembler::removePtrTag):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::link):
        (JSC::LinkBuffer::locationOfNearCall):
        (JSC::LinkBuffer::locationOf):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::jump):
        (JSC::MacroAssemblerARM::call):
        (JSC::MacroAssemblerARM::readCallTarget):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::call):
        (JSC::MacroAssemblerARM64::jump):
        (JSC::MacroAssemblerARM64::readCallTarget):
        (JSC::MacroAssemblerARM64::linkCall):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::jump):
        (JSC::MacroAssemblerARMv7::relativeTableJump):
        (JSC::MacroAssemblerARMv7::call):
        (JSC::MacroAssemblerARMv7::readCallTarget):
        * assembler/MacroAssemblerCodeRef.cpp:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):
        (JSC::FunctionPtr::value const):
        (JSC::MacroAssemblerCodePtr:: const):
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        (JSC::MacroAssemblerCodeRef::retaggedCode const):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::jump):
        (JSC::MacroAssemblerMIPS::call):
        (JSC::MacroAssemblerMIPS::readCallTarget):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::call):
        (JSC::MacroAssemblerX86::jump):
        (JSC::MacroAssemblerX86::readCallTarget):
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::jump):
        (JSC::MacroAssemblerX86Common::call):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::call):
        (JSC::MacroAssemblerX86_64::jump):
        (JSC::MacroAssemblerX86_64::readCallTarget):
        * assembler/testmasm.cpp:
        (JSC::compile):
        (JSC::invoke):
        * b3/B3Compile.cpp:
        (JSC::B3::compile):
        * b3/B3LowerMacros.cpp:
        * b3/air/AirCCallSpecial.cpp:
        (JSC::B3::Air::CCallSpecial::generate):
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        (JSC::B3::invoke):
        (JSC::B3::testInterpreter):
        (JSC::B3::testEntrySwitchSimple):
        (JSC::B3::testEntrySwitchNoEntrySwitch):
        (JSC::B3::testEntrySwitchWithCommonPaths):
        (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
        (JSC::B3::testEntrySwitchLoop):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCaseSnippetParams.cpp:
        (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        (JSC::InlineAccess::rewireStubAsJump):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        (JSC::PolymorphicAccess::regenerate):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::appendCall):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        (JSC::DFG::osrWriteBarrier):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitThunkGenerator):
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::generate):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLSlowPathCall.cpp:
        (JSC::FTL::SlowPathCallContext::makeCall):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        (JSC::FTL::osrExitGenerationThunkGenerator):
        (JSC::FTL::lazySlowPathGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::callExceptionFuzz):
        (JSC::AssemblyHelpers::debugCall):
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::ensureShadowChickenPacket):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::link):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JIT.h:
        (JSC::JIT::appendCall):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::emitSlow_op_loop_hint):
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/JITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::readCallTarget):
        (JSC::appropriateOptimizingPutByIdFunction):
        (JSC::linkPolymorphicCall):
        (JSC::resetPutByID):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        (JSC::SpecializedThunkJIT::callDoubleToDouble):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::linkCallThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::arityFixupGenerator):
        (JSC::unreachableGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        (JSC::LLInt::moduleProgramEntryThunkGenerator):
        * runtime/PtrTag.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
        (JSC::Wasm::triggerOMGTierUpThunkGenerator):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJS):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
        (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
        (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::jitCompile):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::execute):

2018-03-14  Caitlin Potter  <caitp@igalia.com>

        [JSC] fix order of evaluation for ClassDefinitionEvaluation
        https://bugs.webkit.org/show_bug.cgi?id=183523

        Reviewed by Keith Miller.

        Computed property names need to be evaluated in source order during class
        definition evaluation, as it's observable (and specified to work this way).

        This change improves compatibility with Chromium.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitDefineClassElements):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createClassExpr):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createProperty):
        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode):
        (JSC::ClassExprNode::ClassExprNode):
        * parser/Nodes.cpp:
        (JSC::PropertyListNode::hasStaticallyNamedProperty):
        * parser/Nodes.h:
        (JSC::PropertyNode::isClassProperty const):
        (JSC::PropertyNode::isStaticClassProperty const):
        (JSC::PropertyNode::isInstanceClassProperty const):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseGetterSetter):
        * parser/Parser.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createClassExpr):
        (JSC::SyntaxChecker::createProperty):
        (JSC::SyntaxChecker::createGetterOrSetterProperty):

2018-03-14  Keith Miller  <keith_miller@apple.com>

        Move jsc CLI breakpoint function to $vm
        https://bugs.webkit.org/show_bug.cgi?id=183512

        Reviewed by Yusuke Suzuki.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionBreakpoint): Deleted.
        * tools/JSDollarVM.cpp:
        (JSC::functionBreakpoint):
        (JSC::JSDollarVM::finishCreation):

2018-03-14  Tim Horton  <timothy_horton@apple.com>

        Fix the build after r229567

        * Configurations/FeatureDefines.xcconfig:

2018-03-12  Mark Lam  <mark.lam@apple.com>

        Gardening: speculative build fix for WinCairo.
        https://bugs.webkit.org/show_bug.cgi?id=183573

        Not reviewed.

        * runtime/NativeFunction.h:
        (JSC::TaggedNativeFunction::TaggedNativeFunction):

2018-03-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix obsolete ASSERT
        https://bugs.webkit.org/show_bug.cgi?id=183310

        Now NewObject can be converted from CallObjectConstructor and CreateThis.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToNewObject):

2018-03-12  Tim Horton  <timothy_horton@apple.com>

        Stop using SDK conditionals to control feature definitions
        https://bugs.webkit.org/show_bug.cgi?id=183430
        <rdar://problem/38251619>

        Reviewed by Dan Bernstein.

        * Configurations/FeatureDefines.xcconfig:
        * Configurations/WebKitTargetConditionals.xcconfig: Renamed.

2018-03-12  Yoav Weiss  <yoav@yoav.ws>

        Runtime flag for link prefetch and remove link subresource.
        https://bugs.webkit.org/show_bug.cgi?id=183540

        Reviewed by Chris Dumez.

        Remove the LINK_PREFETCH build time flag.

        * Configurations/FeatureDefines.xcconfig:

2018-03-12  Mark Lam  <mark.lam@apple.com>

        Gardening: speculative build fix for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=183573

        Not reviewed.

        * runtime/NativeFunction.h:
        (JSC::TaggedNativeFunction::TaggedNativeFunction):

2018-03-12  Mark Lam  <mark.lam@apple.com>

        Add another PtrTag.
        https://bugs.webkit.org/show_bug.cgi?id=183580
        <rdar://problem/38390584>

        Reviewed by Keith Miller.

        * runtime/PtrTag.h:

2018-03-12  Mark Lam  <mark.lam@apple.com>

        Make a NativeFunction into a class to support pointer profiling.
        https://bugs.webkit.org/show_bug.cgi?id=183573
        <rdar://problem/38384697>

        Reviewed by Filip Pizlo.

        1. NativeFunction is now a class, and we introduce RawNativeFunction and
           TaggedNativeFunction.

           RawNativeFunction is the raw pointer type (equivalent
           to the old definition of NativeFunction).  This is mainly used for underlying
           storage inside the NativeFunction class, and also for global data tables that
           cannot embed non-trivially constructed objects.

           NativeFunction's role is mainly to encapsulate a pointer to a C function that
           we pass into the VM.

           TaggedNativeFunction encapsulates the tagged version of a pointer to a C
           function that we track in the VM.

        2. Added a convenience constructor for TrustedImmPtr so that we don't have to
           cast function pointers to void* anymore when constructing a TrustedImmPtr.

        3. Removed the unused CALL_RETURN macro in CommonSlowPaths.cpp.

        4. Added more PtrTag utility functions.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
        * create_hash_table:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::getOpcodeID):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITThunks.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/ast.rb:
        * runtime/CallData.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/ConstructData.h:
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::nativeFunctionFor):
        * runtime/JSCell.cpp:
        (JSC::JSCell::getCallData):
        (JSC::JSCell::getConstructData):
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::nativeFunction):
        (JSC::JSFunction::nativeConstructor):
        (JSC::isHostFunction):
        * runtime/Lookup.h:
        (JSC::HashTableValue::function const):
        (JSC::HashTableValue::accessorGetter const):
        (JSC::HashTableValue::accessorSetter const):
        (JSC::nonCachingStaticFunctionGetter):
        * runtime/NativeExecutable.cpp:
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::NativeExecutable):
        * runtime/NativeExecutable.h:
        * runtime/NativeFunction.h: Added.
        (JSC::NativeFunction::NativeFunction):
        (JSC::NativeFunction::operator intptr_t const):
        (JSC::NativeFunction::operator bool const):
        (JSC::NativeFunction::operator! const):
        (JSC::NativeFunction::operator== const):
        (JSC::NativeFunction::operator!= const):
        (JSC::NativeFunction::operator()):
        (JSC::NativeFunction::rawPointer const):
        (JSC::NativeFunctionHash::hash):
        (JSC::NativeFunctionHash::equal):
        (JSC::TaggedNativeFunction::TaggedNativeFunction):
        (JSC::TaggedNativeFunction::operator bool const):
        (JSC::TaggedNativeFunction::operator! const):
        (JSC::TaggedNativeFunction::operator== const):
        (JSC::TaggedNativeFunction::operator!= const):
        (JSC::TaggedNativeFunction::operator()):
        (JSC::TaggedNativeFunction::operator NativeFunction):
        (JSC::TaggedNativeFunction::rawPointer const):
        (JSC::TaggedNativeFunctionHash::hash):
        (JSC::TaggedNativeFunctionHash::equal):
        * runtime/PtrTag.h:
        (JSC::tagCFunctionPtr):
        (JSC::untagCFunctionPtr):
        * runtime/VM.h:
        (JSC::VM::targetMachinePCForThrowOffset): Deleted.

2018-03-12  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix simple goof that was causing 32-bit DFG crashes.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):

2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
        https://bugs.webkit.org/show_bug.cgi?id=183310

        Reviewed by Filip Pizlo.

        This patch implements CreateThis -> NewObject conversion in AI if the given function is constant.
        This contributes to 6% win in Octane/raytrace.

                                        baseline                  patched

            raytrace       x2       1.19915+-0.01862    ^     1.13156+-0.01589       ^ definitely 1.0597x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2018-03-11  Wenson Hsieh  <wenson_hsieh@apple.com>

        Disable Sigill crash analyzer on watchOS
        https://bugs.webkit.org/show_bug.cgi?id=183548
        <rdar://problem/38338032>

        Reviewed by Mark Lam.

        Sigill is not supported on watchOS.

        * runtime/Options.cpp:
        (JSC::overrideDefaults):

2018-03-09  Filip Pizlo  <fpizlo@apple.com>

        Split DirectArguments into JSValueOOB and JSValueStrict parts
        https://bugs.webkit.org/show_bug.cgi?id=183458

        Reviewed by Yusuke Suzuki.

        Our Spectre plan for JSValue objects is to allow inline JSValue stores and loads guarded by
        unmitigated structure checks. This works because objects reachable from JSValues (i.e. JSValue
        objects, like String, Symbol, and any descendant of JSObject) will only contain fields that it's OK
        to read and write within a Spectre mitigation window. Writes are important, because within the
        window, a write could appear to be made speculatively and rolled out later. This means that:

        - JSValue objects cannot have lengths, masks, or anything else inline.

        - JSValue objects cannot have an inline type that is used as part of a Spectre mitigation for a type
          check, unless that type is in the form of a poison key.

        This means that the dynamic poisoning that I previously landed for DirectArguments is wrong. It also
        means that it's wrong for DirectArguments to have an inline length.

        This changes DirectArguments to use poisoning according to the universal formula:

        - The random accessed portions are out-of-line, pointed to by a poisoned pointer.

        - No inline length.

        Surprisingly, this is perf-neutral. It's probably perf-neutral because our compiler optimizations
        amortize whatever cost there was.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
        (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
        * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Added.
        (JSC::DFG::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
        (JSC::DFG::SpeculativeJIT::compilePutToArguments):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted.
        * heap/SecurityKind.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emitDirectArgumentsGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::DirectArguments):
        (JSC::DirectArguments::createUninitialized):
        (JSC::DirectArguments::create):
        (JSC::DirectArguments::createByCopying):
        (JSC::DirectArguments::estimatedSize):
        (JSC::DirectArguments::visitChildren):
        (JSC::DirectArguments::overrideThings):
        (JSC::DirectArguments::copyToArguments):
        (JSC::DirectArguments::mappedArgumentsSize):
        * runtime/DirectArguments.h:
        * runtime/JSCPoison.h:
        * runtime/JSLexicalEnvironment.h:
        * runtime/JSSymbolTableObject.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [B3] Above/Below should be strength-reduced for comparison with 0
        https://bugs.webkit.org/show_bug.cgi?id=183543

        Reviewed by Filip Pizlo.

        Above(0, x) and BelowEqual(0, x) can be converted to constants false and true respectively.
        This can be seen in the ArraySlice(0) case: `Select(Above(0, length), length, 0)` should
        be converted to `0`. This patch adds such a folding to comparisons.

        We also fix B3ReduceStrength issue creating an orphan value. If a flipped value is folded to
        a constant, we do not insert flipped value and make it an orphan. This issue causes JSC test
        failure with this B3Const32/64Value change. With this patch, we create a flipped value only
        when we fail to fold it to a constant.

        * b3/B3Const32Value.cpp:
        (JSC::B3::Const32Value::lessThanConstant const):
        (JSC::B3::Const32Value::greaterThanConstant const):
        (JSC::B3::Const32Value::lessEqualConstant const):
        (JSC::B3::Const32Value::greaterEqualConstant const):
        (JSC::B3::Const32Value::aboveConstant const):
        (JSC::B3::Const32Value::belowConstant const):
        (JSC::B3::Const32Value::aboveEqualConstant const):
        (JSC::B3::Const32Value::belowEqualConstant const):
        * b3/B3Const64Value.cpp:
        (JSC::B3::Const64Value::lessThanConstant const):
        (JSC::B3::Const64Value::greaterThanConstant const):
        (JSC::B3::Const64Value::lessEqualConstant const):
        (JSC::B3::Const64Value::greaterEqualConstant const):
        (JSC::B3::Const64Value::aboveConstant const):
        (JSC::B3::Const64Value::belowConstant const):
        (JSC::B3::Const64Value::aboveEqualConstant const):
        (JSC::B3::Const64Value::belowEqualConstant const):
        * b3/B3ReduceStrength.cpp:
        * b3/testb3.cpp:
        (JSC::B3::int64Operands):
        (JSC::B3::int32Operands):

2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
        https://bugs.webkit.org/show_bug.cgi?id=181848

        Reviewed by Sam Weinig.

        In r181535, we support `string.match(/nonglobal/)` code. However, `string.match(/global/g)` is not
        optimized since it sets `lastIndex` value before performing RegExp operation.

        This patch optimizes the above "with a global flag" case by emitting `SetRegExpObjectLastIndex` properly.
        RegExpMatchFast is converted to SetRegExpObjectLastIndex and RegExpMatchFastGlobal. The latter node
        just holds RegExp (not RegExpObject) cell so that it can offer a chance to make NewRegexp PhantomNewRegexp
        in object allocation sinking phase.

        The added microbenchmarks show that this patch makes NewRegexp PhantomNewRegexp even if the given RegExp
        has a global flag. And it improves the performance.

                                      baseline                  patched

        regexp-u-global-es5       44.1298+-4.6128     ^     33.7920+-2.0110        ^ definitely 1.3059x faster
        regexp-u-global-es6      182.3272+-2.2861     ^    154.3414+-7.6769        ^ definitely 1.1813x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToRegExpMatchFastGlobal):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasCellOperand):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileRegExpMatchFastGlobal):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal):
        * runtime/RegExpObject.cpp:
        (JSC::collectMatches): Deleted.
        * runtime/RegExpObject.h:
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::execInline):
        (JSC::RegExpObject::matchInline):
        (JSC::advanceStringUnicode):
        (JSC::collectMatches):
        (JSC::RegExpObject::advanceStringUnicode): Deleted.
        * runtime/RegExpPrototype.cpp:
        (JSC::advanceStringIndex):

2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        B3::reduceStrength should canonicalize integer comparisons
        https://bugs.webkit.org/show_bug.cgi?id=150958

        Reviewed by Filip Pizlo.

        This patch sorts operands of comparisons by flipping the opcode. For example, `Above(0, @2)` is
        converted to `Below(@2, 0)`. This sorting is the same as the handleCommutativity rule. Since we
        canonicalize comparisons to have the constant value at least on the right hand side, we can
        remove the pattern matching that checks leftImm in B3LowerToAir.

        Since this flipping changes the opcode of the value, to achieve this safely, we just create a
        new value which has the flipped opcode and swapped operands. If we can fold it to a constant,
        we replace m_value with this constant. If we fail to fold it to a constant, we replace
        m_value with the flipped one.

        These comparisons are already handled in testb3.

        * b3/B3LowerToAir.cpp:
        * b3/B3ReduceStrength.cpp:
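
        The following is an added illustration, not WebKit code, of the comparison canonicalization described in this entry and of the Above(0, x) / BelowEqual(0, x) folding described in the "[B3] Above/Below should be strength-reduced" entry above. It models B3 values with hypothetical Operand/Compare/Reduced types: a constant-on-the-left comparison is flipped so the constant lands on the right, folded when the unsigned range makes the result fixed, and the flipped value is handed back only when folding fails (so no orphan is created).

```cpp
#include <cstdint>
#include <optional>
#include <string>

// Comparison opcodes modelled on B3: Above/Below are unsigned, LessThan/GreaterThan signed.
enum class Op { Above, Below, AboveEqual, BelowEqual, LessThan, GreaterThan, LessEqual, GreaterEqual };

// Hypothetical operand: either a 32-bit constant or a named non-constant value.
struct Operand {
    bool isConst;
    uint32_t value;    // meaningful only when isConst
    std::string name;  // meaningful only when !isConst
};

static Operand makeConst(uint32_t v) { return {true, v, ""}; }
static Operand makeVar(const std::string& n) { return {false, 0, n}; }

struct Compare { Op op; Operand left; Operand right; };

// Outcome of reduction: a folded boolean constant, or a (possibly flipped) comparison.
struct Reduced { bool folded; bool constant; Compare compare; };

// Opcode that yields the same result once the operands are swapped: Above(a, b) == Below(b, a).
static Op flipped(Op op) {
    switch (op) {
    case Op::Above: return Op::Below;
    case Op::Below: return Op::Above;
    case Op::AboveEqual: return Op::BelowEqual;
    case Op::BelowEqual: return Op::AboveEqual;
    case Op::LessThan: return Op::GreaterThan;
    case Op::GreaterThan: return Op::LessThan;
    case Op::LessEqual: return Op::GreaterEqual;
    case Op::GreaterEqual: return Op::LessEqual;
    }
    return op;
}

// Evaluate a comparison of two constants (unsigned for Above/Below, signed otherwise).
static bool evaluate(Op op, uint32_t a, uint32_t b) {
    int32_t sa = static_cast<int32_t>(a), sb = static_cast<int32_t>(b);
    switch (op) {
    case Op::Above: return a > b;
    case Op::Below: return a < b;
    case Op::AboveEqual: return a >= b;
    case Op::BelowEqual: return a <= b;
    case Op::LessThan: return sa < sb;
    case Op::GreaterThan: return sa > sb;
    case Op::LessEqual: return sa <= sb;
    case Op::GreaterEqual: return sa >= sb;
    }
    return false;
}

// Try to fold op(left, rhs) with the constant already on the right-hand side. Besides
// const-vs-const, this knows the unsigned range facts: nothing is Below 0 and everything is
// AboveEqual 0 (with the mirror cases at UINT32_MAX). Flipping Above(0, x) gives Below(x, 0),
// which folds to false; BelowEqual(0, x) gives AboveEqual(x, 0), which folds to true.
static std::optional<bool> foldWithConstantRhs(Op op, const Operand& left, uint32_t rhs) {
    if (left.isConst)
        return evaluate(op, left.value, rhs);
    switch (op) {
    case Op::Below:      if (rhs == 0) return false; break;
    case Op::AboveEqual: if (rhs == 0) return true; break;
    case Op::Above:      if (rhs == UINT32_MAX) return false; break;
    case Op::BelowEqual: if (rhs == UINT32_MAX) return true; break;
    default: break;
    }
    return std::nullopt;
}

// Canonicalize so the constant sits on the right, then fold if possible. The swapped
// comparison is only returned (i.e. materialized) when folding fails.
static Reduced reduceComparison(const Compare& c) {
    if (c.right.isConst) {
        if (auto v = foldWithConstantRhs(c.op, c.left, c.right.value))
            return {true, *v, c};
        return {false, false, c};
    }
    if (c.left.isConst) {
        Compare swapped{flipped(c.op), c.right, c.left};
        if (auto v = foldWithConstantRhs(swapped.op, swapped.left, swapped.right.value))
            return {true, *v, swapped};
        return {false, false, swapped};
    }
    return {false, false, c};  // no constant operand: nothing to canonicalize
}
```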

2018-03-09  Mark Lam  <mark.lam@apple.com>

        offlineasm should reset the Assembler's working state before doing another pass for a new target.
        https://bugs.webkit.org/show_bug.cgi?id=183538
        <rdar://problem/38325955>

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.cpp:
        * offlineasm/asm.rb:
        * offlineasm/cloop.rb:

2018-03-09  Brian Burg  <bburg@apple.com>

        Web Inspector: there should only be one way for async backend commands to send failure
        https://bugs.webkit.org/show_bug.cgi?id=183524

        Reviewed by Timothy Hatcher.

        If this is an async command, errors should be reported with BackendDispatcher::CallbackBase::sendFailure.
        To avoid mixups, don't include the ErrorString out-parameter in generated async command signatures.
        This change only affects interfaces generated for C++ backend dispatchers.

        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:

2018-03-09  Mark Lam  <mark.lam@apple.com>

        Build fix after r229476.
        https://bugs.webkit.org/show_bug.cgi?id=183488

        Not reviewed.

        * runtime/StackAlignment.h:

2018-03-09  Mark Lam  <mark.lam@apple.com>

        [Re-landing] Add support for ARM64E.
        https://bugs.webkit.org/show_bug.cgi?id=183398
        <rdar://problem/38212621>

        Reviewed by Michael Saboff.

        * assembler/MacroAssembler.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/backends.rb:

2018-03-09  Mark Lam  <mark.lam@apple.com>

        [Re-landing] Prepare LLInt code to support pointer profiling.
        https://bugs.webkit.org/show_bug.cgi?id=183387
        <rdar://problem/38199678>

        Reviewed by JF Bastien.

        1. Introduced PtrTag enums for supporting pointer profiling later.

        2. Also introduced tagging, untagging, retagging, and tag removal placeholder
           template functions for the same purpose.

        3. Prepare the offlineasm for supporting pointer profiling later.

        4. Tagged some pointers in LLInt asm code.  Currently, these should have no
           effect on behavior.

        5. Removed returnToThrowForThrownException() because it is not used anywhere.

        6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
           easier to view and edit these files in Xcode.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/LLIntCallLinkInfo.h:
        (JSC::LLIntCallLinkInfo::unlink):
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::returnToThrowForThrownException): Deleted.
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntPCRanges.h:
        (JSC::LLInt::isLLIntPC):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/ast.rb:
        * offlineasm/instructions.rb:
        * offlineasm/risc.rb:
        * runtime/PtrTag.h: Added.
        (JSC::uniquePtrTagID):
        (JSC::ptrTag):
        (JSC::tagCodePtr):
        (JSC::untagCodePtr):
        (JSC::retagCodePtr):
        (JSC::removeCodePtrTag):

2018-03-09  Mark Lam  <mark.lam@apple.com>

        Remove unused LLINT_STATS feature.
        https://bugs.webkit.org/show_bug.cgi?id=183522
        <rdar://problem/38313139>

        Rubber-stamped by Keith Miller.

        We haven't used this in a while, and it is one more option that makes offlineasm
        build slower.  We can always re-introduce this later if we need it.

        * jsc.cpp:
        * llint/LLIntCommon.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        (JSC::LLInt::Data::finalizeStats): Deleted.
        (JSC::LLInt::compareStats): Deleted.
        (JSC::LLInt::Data::dumpStats): Deleted.
        (JSC::LLInt::Data::ensureStats): Deleted.
        (JSC::LLInt::Data::loadStats): Deleted.
        (JSC::LLInt::Data::resetStats): Deleted.
        (JSC::LLInt::Data::saveStats): Deleted.
        * llint/LLIntData.h:
        (): Deleted.
        (JSC::LLInt::Data::opcodeStats): Deleted.
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * runtime/TestRunnerUtils.cpp:
        (JSC::finalizeStatsAtEndOfTesting):

2018-03-09  Michael Saboff  <msaboff@apple.com>

        Relanding "testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64"
        https://bugs.webkit.org/show_bug.cgi?id=183488

        It applied and built just fine locally.

        * assembler/testmasm.cpp:
        (JSC::testBranchTruncateDoubleToInt32):

2018-03-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, remove WebAssemblyFunctionType
        https://bugs.webkit.org/show_bug.cgi?id=183429

        Drop WebAssemblyFunctionType since it is no longer used. This breaks the
        JSCast assumption that all the derived classes of JSFunction use
        JSFunctionType. We also add an ASSERT for JSFunction::finishCreation.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        * runtime/JSType.h:
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::createStructure):
        * wasm/js/WebAssemblyFunction.h:

2018-03-09  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r229446.

        This change relies on changes that have been rolled out.

        Reverted changeset:

        "testmasm crashes in testBranchTruncateDoubleToInt32() on
        ARM64"
        https://bugs.webkit.org/show_bug.cgi?id=183488
        https://trac.webkit.org/changeset/229446

2018-03-08  Chris Dumez  <cdumez@apple.com>

        Safari not handling undefined global variables with same name as element Id correctly.
        https://bugs.webkit.org/show_bug.cgi?id=183087
        <rdar://problem/37927596>

        Reviewed by Ryosuke Niwa.

        Global variables (var foo;) should not be hidden by:
        - Named properties
        - Properties on the prototype chain

        Therefore, we now have JSGlobalObject::addVar() call JSGlobalObject::addGlobalVar()
        if !hasOwnProperty() instead of !hasProperty().

        This aligns our behavior with Chrome and Firefox.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::addVar):

2018-03-08  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r229354 and r229364.
        https://bugs.webkit.org/show_bug.cgi?id=183492

        Breaks internal builds (Requested by ryanhaddad on #webkit).

        Reverted changesets:

        "Prepare LLInt code to support pointer profiling."
        https://bugs.webkit.org/show_bug.cgi?id=183387
        https://trac.webkit.org/changeset/229354

        "Add support for ARM64E."
        https://bugs.webkit.org/show_bug.cgi?id=183398
        https://trac.webkit.org/changeset/229364

2018-03-08  Michael Saboff  <msaboff@apple.com>

        testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=183488

        Reviewed by Mark Lam.

        Using stackAlignmentBytes() will keep the stack properly aligned.

        * assembler/testmasm.cpp:
        (JSC::testBranchTruncateDoubleToInt32):

2018-03-08  Michael Saboff  <msaboff@apple.com>

        Emit code to zero the stack frame on function entry
        https://bugs.webkit.org/show_bug.cgi?id=183391

        Reviewed by Mark Lam.

        Added code to zero incoming stack frame behind a new JSC option, zeroStackFrame.
        The default setting of the option is off.

        Did some minor refactoring of the YarrJIT stack alignment code.

        * b3/air/AirCode.cpp:
        (JSC::B3::Air::defaultPrologueGenerator):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::clearStackFrame):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * llint/LowLevelInterpreter.asm:
        * runtime/Options.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
        (JSC::Yarr::YarrGenerator::initCallFrame):
        (JSC::Yarr::YarrGenerator::removeCallFrame):

2018-03-08  Keith Miller  <keith_miller@apple.com>

        Unreviewed, another attempt at fixing the Windows build.
        I guess the pragma must be outside the function...

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::clampArrayToSize):

2018-03-08  Keith Miller  <keith_miller@apple.com>

        Unreviewed, one last try at fixing the windows build before rollout.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::clampArrayToSize):

2018-03-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize inherits<T> if T is final type
        https://bugs.webkit.org/show_bug.cgi?id=183435

        Reviewed by Mark Lam.

        If the type T is a final type (`std::is_final<T>::value == true`), there are no
        classes derived from T. It means that `jsDynamicCast<T>` only needs
        to check that the given cell's `classInfo(vm)` is `T::info()`.

        This patch adds a new specialization of jsDynamicCast<T> / inherits<T> for a
        final type. We also add `final` annotations to JS cell types in JSC. This
        offers:

        1. Readability. If the given class is annotated with `final`, we do not need to
        consider the derived classes of T.

        2. Static Checking. If your class is not intended to be used as a base class, attaching
        `final` can ensure this invariant.

        3. Performance. jsDynamicCast<T> and inherits<T> can be optimized and the code size should
        be smaller.
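
        An added illustration of the dispatch described above; it is written for this ChangeLog
        entry and is not JavaScriptCore's code. A toy ClassInfo chain (made-up Cell, Object,
        Function and BoundFunction types) has a generic inherits<T> that walks parent pointers and
        a final-type path that compares a single ClassInfo pointer. The g_chainWalks counter is
        instrumentation for the example only, so the two paths can be told apart at run time.

```cpp
#include <type_traits>

// Toy model of the ClassInfo / cell / inherits<T> pattern, constructed for this example.
struct ClassInfo {
    const char* className;
    const ClassInfo* parentClass;  // nullptr at the root of the hierarchy

    // Generic test: walk the parent chain until `other` is found or the root is passed.
    bool isSubClassOf(const ClassInfo* other) const {
        for (const ClassInfo* ci = this; ci; ci = ci->parentClass)
            if (ci == other) return true;
        return false;
    }
};

class Cell {
public:
    const ClassInfo* classInfo() const { return m_classInfo; }
protected:
    explicit Cell(const ClassInfo* info) : m_classInfo(info) {}
private:
    const ClassInfo* m_classInfo;
};

// A three-level hierarchy. Only BoundFunction is final, so deriving from it is a compile error.
class Object : public Cell {
public:
    Object() : Cell(&s_info) {}
    static const ClassInfo s_info;
    static const ClassInfo* info() { return &s_info; }
protected:
    explicit Object(const ClassInfo* info) : Cell(info) {}
};

class Function : public Object {
public:
    Function() : Object(&s_info) {}
    static const ClassInfo s_info;
    static const ClassInfo* info() { return &s_info; }
protected:
    explicit Function(const ClassInfo* info) : Object(info) {}
};

class BoundFunction final : public Function {
public:
    BoundFunction() : Function(&s_info) {}
    static const ClassInfo s_info;
    static const ClassInfo* info() { return &s_info; }
};
static_assert(std::is_final<BoundFunction>::value, "the cheap path below relies on this");

const ClassInfo Object::s_info { "Object", nullptr };
const ClassInfo Function::s_info { "Function", &Object::s_info };
const ClassInfo BoundFunction::s_info { "BoundFunction", &Function::s_info };

// Instrumentation for this example only: how often the chain-walking path ran.
static int g_chainWalks = 0;
int chainWalkCount() { return g_chainWalks; }

// Final T: nothing can derive from T, so a cell is a T exactly when its ClassInfo is T::info().
template<typename T>
bool inheritsImpl(const Cell* cell, std::true_type /* T is final */) {
    return cell->classInfo() == T::info();
}

// Non-final T: the cell may be any subclass of T, so the parent chain has to be walked.
template<typename T>
bool inheritsImpl(const Cell* cell, std::false_type /* T is final */) {
    ++g_chainWalks;
    return cell->classInfo()->isSubClassOf(T::info());
}

// Dispatch on std::is_final<T>; the compiler selects the cheap path at compile time.
template<typename T>
bool inherits(const Cell* cell) {
    return inheritsImpl<T>(cell, std::integral_constant<bool, std::is_final<T>::value>{});
}

template<typename T>
const T* dynamicCast(const Cell* cell) {
    return inherits<T>(cell) ? static_cast<const T*>(cell) : nullptr;
}

// Three checks against a final type: correct answers and no chain walk at all.
bool finalTypeCastsWithoutChainWalk() {
    BoundFunction bound;
    Function plain;
    int before = chainWalkCount();
    bool ok = inherits<BoundFunction>(&bound) && !inherits<BoundFunction>(&plain)
        && dynamicCast<BoundFunction>(&plain) == nullptr;
    return ok && chainWalkCount() == before;
}

// Three checks against non-final types: correct answers, one chain walk each.
bool nonFinalTypeWalksChain() {
    BoundFunction bound;
    Object object;
    int before = chainWalkCount();
    bool ok = inherits<Function>(&bound) && inherits<Object>(&bound) && !inherits<Function>(&object);
    return ok && chainWalkCount() == before + 3;
}
```

        The static_assert is the "static checking" point from the list above in code form: if
        someone later removes `final` from BoundFunction to derive from it, the build fails at the
        assertion instead of silently taking the exact-match path for a type that now has subclasses.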

        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create): Deleted.
        (JSC::JSCallbackConstructor::classRef const): Deleted.
        (JSC::JSCallbackConstructor::callback const): Deleted.
        (JSC::JSCallbackConstructor::createStructure): Deleted.
        (JSC::JSCallbackConstructor::constructCallback): Deleted.
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure): Deleted.
        (JSC::JSCallbackFunction::functionCallback): Deleted.
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create): Deleted.
        (JSC::JSCallbackObject::destroy): Deleted.
        (JSC::JSCallbackObject::classRef const): Deleted.
        (JSC::JSCallbackObject::getPrivateProperty const): Deleted.
        (JSC::JSCallbackObject::setPrivateProperty): Deleted.
        (JSC::JSCallbackObject::deletePrivateProperty): Deleted.
        (JSC::JSCallbackObject::visitChildren): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setConstantRegisters):
        * bytecode/ExecutableToCodeBlockEdge.h:
        (JSC::ExecutableToCodeBlockEdge::subspaceFor): Deleted.
        (JSC::ExecutableToCodeBlockEdge::codeBlock const): Deleted.
        (JSC::ExecutableToCodeBlockEdge::unwrap): Deleted.
        * bytecode/FunctionCodeBlock.h:
        (JSC::FunctionCodeBlock::subspaceFor): Deleted.
        (JSC::FunctionCodeBlock::create): Deleted.
        (JSC::FunctionCodeBlock::createStructure): Deleted.
        (JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
        * debugger/DebuggerScope.h:
        (JSC::DebuggerScope::createStructure): Deleted.
        (JSC::DebuggerScope::iterator::iterator): Deleted.
        (JSC::DebuggerScope::iterator::get): Deleted.
        (JSC::DebuggerScope::iterator::operator++): Deleted.
        (JSC::DebuggerScope::iterator::operator== const): Deleted.
        (JSC::DebuggerScope::iterator::operator!= const): Deleted.
        (JSC::DebuggerScope::isValid const): Deleted.
        (JSC::DebuggerScope::jsScope const): Deleted.
        * inspector/JSInjectedScriptHost.h:
        (Inspector::JSInjectedScriptHost::createStructure): Deleted.
        (Inspector::JSInjectedScriptHost::create): Deleted.
        (Inspector::JSInjectedScriptHost::impl const): Deleted.
        * inspector/JSInjectedScriptHostPrototype.h:
        (Inspector::JSInjectedScriptHostPrototype::create): Deleted.
        (Inspector::JSInjectedScriptHostPrototype::createStructure): Deleted.
        (Inspector::JSInjectedScriptHostPrototype::JSInjectedScriptHostPrototype): Deleted.
        * inspector/JSJavaScriptCallFrame.h:
        (Inspector::JSJavaScriptCallFrame::createStructure): Deleted.
        (Inspector::JSJavaScriptCallFrame::create): Deleted.
        (Inspector::JSJavaScriptCallFrame::impl const): Deleted.
        * inspector/JSJavaScriptCallFramePrototype.h:
        (Inspector::JSJavaScriptCallFramePrototype::create): Deleted.
        (Inspector::JSJavaScriptCallFramePrototype::createStructure): Deleted.
        (Inspector::JSJavaScriptCallFramePrototype::JSJavaScriptCallFramePrototype): Deleted.
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::create): Deleted.
        (JSC::ArrayConstructor::createStructure): Deleted.
        * runtime/ArrayIteratorPrototype.h:
        (JSC::ArrayIteratorPrototype::create): Deleted.
        (JSC::ArrayIteratorPrototype::createStructure): Deleted.
        (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype): Deleted.
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure): Deleted.
        * runtime/AsyncFromSyncIteratorPrototype.h:
        (JSC::AsyncFromSyncIteratorPrototype::createStructure): Deleted.
        * runtime/AsyncFunctionConstructor.h:
        (JSC::AsyncFunctionConstructor::create): Deleted.
        (JSC::AsyncFunctionConstructor::createStructure): Deleted.
        * runtime/AsyncFunctionPrototype.h:
        (JSC::AsyncFunctionPrototype::create): Deleted.
        (JSC::AsyncFunctionPrototype::createStructure): Deleted.
        * runtime/AsyncGeneratorFunctionConstructor.h:
        (JSC::AsyncGeneratorFunctionConstructor::create): Deleted.
        (JSC::AsyncGeneratorFunctionConstructor::createStructure): Deleted.
        * runtime/AsyncGeneratorFunctionPrototype.h:
        (JSC::AsyncGeneratorFunctionPrototype::create): Deleted.
        (JSC::AsyncGeneratorFunctionPrototype::createStructure): Deleted.
        * runtime/AsyncGeneratorPrototype.h:
        (JSC::AsyncGeneratorPrototype::create): Deleted.
        (JSC::AsyncGeneratorPrototype::createStructure): Deleted.
        (JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype): Deleted.
        * runtime/AsyncIteratorPrototype.h:
        (JSC::AsyncIteratorPrototype::create): Deleted.
        (JSC::AsyncIteratorPrototype::createStructure): Deleted.
        (JSC::AsyncIteratorPrototype::AsyncIteratorPrototype): Deleted.
        * runtime/AtomicsObject.h:
        * runtime/BigIntConstructor.h:
        (JSC::BigIntConstructor::create): Deleted.
        (JSC::BigIntConstructor::createStructure): Deleted.
        * runtime/BigIntObject.h:
        (JSC::BigIntObject::create): Deleted.
        (JSC::BigIntObject::internalValue const): Deleted.
        (JSC::BigIntObject::createStructure): Deleted.
        * runtime/BigIntPrototype.h:
        (JSC::BigIntPrototype::create): Deleted.
        (JSC::BigIntPrototype::createStructure): Deleted.
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::create): Deleted.
        (JSC::BooleanConstructor::createStructure): Deleted.
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::create): Deleted.
        (JSC::BooleanPrototype::createStructure): Deleted.
        * runtime/ConsoleObject.h:
        (JSC::ConsoleObject::create): Deleted.
        (JSC::ConsoleObject::createStructure): Deleted.
        * runtime/DOMAttributeGetterSetter.h:
        (JSC::isDOMAttributeGetterSetter): Deleted.
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::create): Deleted.
        (JSC::DateConstructor::createStructure): Deleted.
        * runtime/DateInstance.h:
        (JSC::DateInstance::create): Deleted.
        (JSC::DateInstance::internalNumber const): Deleted.
        (JSC::DateInstance::gregorianDateTime const): Deleted.
        (JSC::DateInstance::gregorianDateTimeUTC const): Deleted.
        (JSC::DateInstance::createStructure): Deleted.
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::create): Deleted.
        (JSC::DatePrototype::createStructure): Deleted.
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction): Deleted.
        (JSC::StrictModeTypeErrorFunction::create): Deleted.
        (JSC::StrictModeTypeErrorFunction::constructThrowTypeError): Deleted.
        (JSC::StrictModeTypeErrorFunction::callThrowTypeError): Deleted.
        (JSC::StrictModeTypeErrorFunction::createStructure): Deleted.
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::create): Deleted.
        (JSC::ErrorConstructor::createStructure): Deleted.
        (JSC::ErrorConstructor::stackTraceLimit const): Deleted.
        * runtime/Exception.h:
        (JSC::Exception::valueOffset): Deleted.
        (JSC::Exception::value const): Deleted.
        (JSC::Exception::stack const): Deleted.
        (JSC::Exception::didNotifyInspectorOfThrow const): Deleted.
        (JSC::Exception::setDidNotifyInspectorOfThrow): Deleted.
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::create): Deleted.
        (JSC::FunctionConstructor::createStructure): Deleted.
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::create): Deleted.
        (JSC::FunctionPrototype::createStructure): Deleted.
        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::offsetOfObjectAllocationProfile): Deleted.
        (JSC::FunctionRareData::objectAllocationProfile): Deleted.
        (JSC::FunctionRareData::objectAllocationStructure): Deleted.
        (JSC::FunctionRareData::allocationProfileWatchpointSet): Deleted.
        (JSC::FunctionRareData::isObjectAllocationProfileInitialized): Deleted.
        (JSC::FunctionRareData::internalFunctionAllocationStructure): Deleted.
        (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase): Deleted.
        (JSC::FunctionRareData::clearInternalFunctionAllocationProfile): Deleted.
        (JSC::FunctionRareData::getBoundFunctionStructure): Deleted.
        (JSC::FunctionRareData::setBoundFunctionStructure): Deleted.
        (JSC::FunctionRareData::hasReifiedLength const): Deleted.
        (JSC::FunctionRareData::setHasReifiedLength): Deleted.
        (JSC::FunctionRareData::hasReifiedName const): Deleted.
        (JSC::FunctionRareData::setHasReifiedName): Deleted.
        (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const): Deleted.
        (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint): Deleted.
        (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint): Deleted.
        * runtime/GeneratorFunctionConstructor.h:
        (JSC::GeneratorFunctionConstructor::create): Deleted.
        (JSC::GeneratorFunctionConstructor::createStructure): Deleted.
        * runtime/GeneratorFunctionPrototype.h:
        (JSC::GeneratorFunctionPrototype::create): Deleted.
        (JSC::GeneratorFunctionPrototype::createStructure): Deleted.
        * runtime/GeneratorPrototype.h:
        (JSC::GeneratorPrototype::create): Deleted.
        (JSC::GeneratorPrototype::createStructure): Deleted.
        (JSC::GeneratorPrototype::GeneratorPrototype): Deleted.
        * runtime/InferredValue.h:
        (JSC::InferredValue::subspaceFor): Deleted.
        (JSC::InferredValue::inferredValue): Deleted.
        (JSC::InferredValue::state const): Deleted.
        (JSC::InferredValue::isStillValid const): Deleted.
        (JSC::InferredValue::hasBeenInvalidated const): Deleted.
        (JSC::InferredValue::add): Deleted.
        (JSC::InferredValue::notifyWrite): Deleted.
        (JSC::InferredValue::invalidate): Deleted.
        * runtime/InspectorInstrumentationObject.h:
        (JSC::InspectorInstrumentationObject::create): Deleted.
        (JSC::InspectorInstrumentationObject::createStructure): Deleted.
        * runtime/IntlCollator.h:
        (JSC::IntlCollator::boundCompare const): Deleted.
        * runtime/IntlCollatorConstructor.h:
        (JSC::IntlCollatorConstructor::collatorStructure const): Deleted.
        * runtime/IntlCollatorPrototype.h:
        * runtime/IntlDateTimeFormat.h:
        (JSC::IntlDateTimeFormat::boundFormat const): Deleted.
        * runtime/IntlDateTimeFormatConstructor.h:
        (JSC::IntlDateTimeFormatConstructor::dateTimeFormatStructure const): Deleted.
        * runtime/IntlDateTimeFormatPrototype.h:
        * runtime/IntlNumberFormat.h:
        (JSC::IntlNumberFormat::boundFormat const): Deleted.
        * runtime/IntlNumberFormatConstructor.h:
        (JSC::IntlNumberFormatConstructor::numberFormatStructure const): Deleted.
        * runtime/IntlNumberFormatPrototype.h:
        * runtime/IntlObject.h:
        * runtime/IteratorPrototype.h:
        (JSC::IteratorPrototype::create): Deleted.
        (JSC::IteratorPrototype::createStructure): Deleted.
        (JSC::IteratorPrototype::IteratorPrototype): Deleted.
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::value const): Deleted.
        (JSC::JSAPIValueWrapper::createStructure): Deleted.
        (JSC::JSAPIValueWrapper::create): Deleted.
        (JSC::JSAPIValueWrapper::finishCreation): Deleted.
        (JSC::JSAPIValueWrapper::JSAPIValueWrapper): Deleted.
        * runtime/JSArrayBufferConstructor.h:
        (JSC::JSArrayBufferConstructor::sharingMode const): Deleted.
        * runtime/JSArrayBufferPrototype.h:
        * runtime/JSAsyncFunction.h:
        (JSC::JSAsyncFunction::subspaceFor): Deleted.
        (JSC::JSAsyncFunction::allocationSize): Deleted.
        (JSC::JSAsyncFunction::createStructure): Deleted.
        * runtime/JSAsyncGeneratorFunction.h:
        (JSC::JSAsyncGeneratorFunction::subspaceFor): Deleted.
        (JSC::JSAsyncGeneratorFunction::allocationSize): Deleted.
        (JSC::JSAsyncGeneratorFunction::createStructure): Deleted.
        * runtime/JSBigInt.h:
        (JSC::JSBigInt::setSign): Deleted.
        (JSC::JSBigInt::sign const): Deleted.
        (JSC::JSBigInt::setLength): Deleted.
        (JSC::JSBigInt::length const): Deleted.
        * runtime/JSBoundFunction.h:
        (JSC::JSBoundFunction::subspaceFor): Deleted.
        (JSC::JSBoundFunction::targetFunction): Deleted.
        (JSC::JSBoundFunction::boundThis): Deleted.
        (JSC::JSBoundFunction::boundArgs): Deleted.
        (JSC::JSBoundFunction::createStructure): Deleted.
        (JSC::JSBoundFunction::offsetOfTargetFunction): Deleted.
        (JSC::JSBoundFunction::offsetOfBoundThis): Deleted.
        * runtime/JSCast.h:
        (JSC::JSCastingHelpers::FinalTypeDispatcher::inheritsGeneric):
        (JSC::JSCastingHelpers::inheritsJSTypeImpl):
        (JSC::JSCastingHelpers::InheritsTraits::inherits):
        (JSC::JSCastingHelpers::inheritsGenericImpl): Deleted.
        * runtime/JSCustomGetterSetterFunction.cpp:
        (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
        * runtime/JSCustomGetterSetterFunction.h:
        (JSC::JSCustomGetterSetterFunction::subspaceFor): Deleted.
        (JSC::JSCustomGetterSetterFunction::createStructure): Deleted.
        (JSC::JSCustomGetterSetterFunction::customGetterSetter const): Deleted.
        (JSC::JSCustomGetterSetterFunction::isSetter const): Deleted.
        (JSC::JSCustomGetterSetterFunction::propertyName const): Deleted.
        * runtime/JSDataView.h:
        (JSC::JSDataView::possiblySharedBuffer const): Deleted.
        (JSC::JSDataView::unsharedBuffer const): Deleted.
        * runtime/JSDataViewPrototype.h:
        * runtime/JSFixedArray.h:
        (JSC::JSFixedArray::createStructure): Deleted.
        (JSC::JSFixedArray::tryCreate): Deleted.
        (JSC::JSFixedArray::create): Deleted.
        (JSC::JSFixedArray::createFromArray): Deleted.
        (JSC::JSFixedArray::get const): Deleted.
        (JSC::JSFixedArray::set): Deleted.
        (JSC::JSFixedArray::buffer): Deleted.
        (JSC::JSFixedArray::buffer const): Deleted.
        (JSC::JSFixedArray::values const): Deleted.
        (JSC::JSFixedArray::size const): Deleted.
        (JSC::JSFixedArray::length const): Deleted.
        (JSC::JSFixedArray::offsetOfSize): Deleted.
        (JSC::JSFixedArray::offsetOfData): Deleted.
        (JSC::JSFixedArray::JSFixedArray): Deleted.
        (JSC::JSFixedArray::allocationSize): Deleted.
        * runtime/JSGeneratorFunction.h:
        (JSC::JSGeneratorFunction::subspaceFor): Deleted.
        (JSC::JSGeneratorFunction::allocationSize): Deleted.
        (JSC::JSGeneratorFunction::createStructure): Deleted.
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::byteLength const): Deleted.
        (JSC::JSGenericTypedArrayView::byteSize const): Deleted.
        (JSC::JSGenericTypedArrayView::typedVector const): Deleted.
        (JSC::JSGenericTypedArrayView::typedVector): Deleted.
        (JSC::JSGenericTypedArrayView::canGetIndexQuickly): Deleted.
        (JSC::JSGenericTypedArrayView::canSetIndexQuickly): Deleted.
        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue): Deleted.
        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble): Deleted.
        (JSC::JSGenericTypedArrayView::getIndexQuickly): Deleted.
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue): Deleted.
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble): Deleted.
        (JSC::JSGenericTypedArrayView::setIndexQuickly): Deleted.
        (JSC::JSGenericTypedArrayView::setIndex): Deleted.
        (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue): Deleted.
        (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion): Deleted.
        (JSC::JSGenericTypedArrayView::sort): Deleted.
        (JSC::JSGenericTypedArrayView::canAccessRangeQuickly): Deleted.
        (JSC::JSGenericTypedArrayView::createStructure): Deleted.
        (JSC::JSGenericTypedArrayView::info): Deleted.
        (JSC::JSGenericTypedArrayView::purifyArray): Deleted.
        (JSC::JSGenericTypedArrayView::sortComparison): Deleted.
        (JSC::JSGenericTypedArrayView::sortFloat): Deleted.
        * runtime/JSGenericTypedArrayViewConstructor.h:
        * runtime/JSGenericTypedArrayViewPrototype.h:
        * runtime/JSInternalPromise.h:
        * runtime/JSInternalPromiseConstructor.h:
        * runtime/JSInternalPromisePrototype.h:
        * runtime/JSMapIterator.h:
        (JSC::JSMapIterator::createStructure): Deleted.
        (JSC::JSMapIterator::create): Deleted.
        (JSC::JSMapIterator::advanceIter): Deleted.
        (JSC::JSMapIterator::next): Deleted.
        (JSC::JSMapIterator::nextKeyValue): Deleted.
        (JSC::JSMapIterator::kind const): Deleted.
        (JSC::JSMapIterator::iteratedValue const): Deleted.
        (JSC::JSMapIterator::JSMapIterator): Deleted.
        (JSC::JSMapIterator::setIterator): Deleted.
        * runtime/JSModuleLoader.h:
        (JSC::JSModuleLoader::create): Deleted.
        (JSC::JSModuleLoader::createStructure): Deleted.
        * runtime/JSModuleNamespaceObject.h:
        (JSC::isJSModuleNamespaceObject): Deleted.
        * runtime/JSModuleRecord.h:
        (JSC::JSModuleRecord::sourceCode const): Deleted.
        (JSC::JSModuleRecord::declaredVariables const): Deleted.
        (JSC::JSModuleRecord::lexicalVariables const): Deleted.
        * runtime/JSNativeStdFunction.h:
        (JSC::JSNativeStdFunction::subspaceFor): Deleted.
        (JSC::JSNativeStdFunction::createStructure): Deleted.
        (JSC::JSNativeStdFunction::nativeStdFunctionCell): Deleted.
        * runtime/JSONObject.h:
        (JSC::JSONObject::create): Deleted.
        (JSC::JSONObject::createStructure): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::fillCustomGetterPropertySlot):
        * runtime/JSScriptFetchParameters.h:
        (JSC::JSScriptFetchParameters::createStructure): Deleted.
        (JSC::JSScriptFetchParameters::create): Deleted.
        (JSC::JSScriptFetchParameters::parameters const): Deleted.
        (JSC::JSScriptFetchParameters::JSScriptFetchParameters): Deleted.
        * runtime/JSScriptFetcher.h:
        (JSC::JSScriptFetcher::createStructure): Deleted.
        (JSC::JSScriptFetcher::create): Deleted.
        (JSC::JSScriptFetcher::fetcher const): Deleted.
        (JSC::JSScriptFetcher::JSScriptFetcher): Deleted.
        * runtime/JSSetIterator.h:
        (JSC::JSSetIterator::createStructure): Deleted.
        (JSC::JSSetIterator::create): Deleted.
        (JSC::JSSetIterator::advanceIter): Deleted.
        (JSC::JSSetIterator::next): Deleted.
        (JSC::JSSetIterator::kind const): Deleted.
        (JSC::JSSetIterator::iteratedValue const): Deleted.
        (JSC::JSSetIterator::JSSetIterator): Deleted.
        (JSC::JSSetIterator::setIterator): Deleted.
        * runtime/JSSourceCode.h:
        (JSC::JSSourceCode::createStructure): Deleted.
        (JSC::JSSourceCode::create): Deleted.
        (JSC::JSSourceCode::sourceCode const): Deleted.
        (JSC::JSSourceCode::JSSourceCode): Deleted.
        * runtime/JSStringIterator.h:
        (JSC::JSStringIterator::createStructure): Deleted.
        (JSC::JSStringIterator::create): Deleted.
        (JSC::JSStringIterator::JSStringIterator): Deleted.
        * runtime/JSTemplateObjectDescriptor.h:
        (JSC::isTemplateObjectDescriptor): Deleted.
        * runtime/JSTypedArrayViewConstructor.h:
        (JSC::JSTypedArrayViewConstructor::create): Deleted.
        * runtime/JSTypedArrayViewPrototype.h:
        * runtime/MapConstructor.h:
        (JSC::MapConstructor::create): Deleted.
        (JSC::MapConstructor::createStructure): Deleted.
        * runtime/MapIteratorPrototype.h:
        (JSC::MapIteratorPrototype::create): Deleted.
        (JSC::MapIteratorPrototype::createStructure): Deleted.
        (JSC::MapIteratorPrototype::MapIteratorPrototype): Deleted.
        * runtime/MapPrototype.h:
        (JSC::MapPrototype::create): Deleted.
        (JSC::MapPrototype::createStructure): Deleted.
        (JSC::MapPrototype::MapPrototype): Deleted.
        * runtime/MathObject.h:
        (JSC::MathObject::create): Deleted.
        (JSC::MathObject::createStructure): Deleted.
        * runtime/ModuleLoaderPrototype.h:
        (JSC::ModuleLoaderPrototype::create): Deleted.
        (JSC::ModuleLoaderPrototype::createStructure): Deleted.
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::create): Deleted.
        (JSC::NativeErrorConstructor::createStructure): Deleted.
        (JSC::NativeErrorConstructor::errorStructure): Deleted.
        * runtime/NativeErrorPrototype.h:
        (JSC::NativeErrorPrototype::create): Deleted.
        * runtime/NativeStdFunctionCell.h:
        (JSC::NativeStdFunctionCell::createStructure): Deleted.
        (JSC::NativeStdFunctionCell::function const): Deleted.
        * runtime/NullGetterFunction.h:
        (JSC::NullGetterFunction::create): Deleted.
        (JSC::NullGetterFunction::createStructure): Deleted.
        * runtime/NullSetterFunction.h:
        (JSC::NullSetterFunction::create): Deleted.
        (JSC::NullSetterFunction::createStructure): Deleted.
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::create): Deleted.
        (JSC::NumberConstructor::createStructure): Deleted.
        (JSC::NumberConstructor::isIntegerImpl): Deleted.
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::create): Deleted.
        (JSC::NumberPrototype::createStructure): Deleted.
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create): Deleted.
        (JSC::ObjectConstructor::createStructure): Deleted.
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure): Deleted.
        * runtime/ProxyConstructor.h:
        (JSC::ProxyConstructor::createStructure): Deleted.
        * runtime/ProxyRevoke.h:
        (JSC::ProxyRevoke::createStructure): Deleted.
        (JSC::ProxyRevoke::proxy): Deleted.
        (JSC::ProxyRevoke::setProxyToNull): Deleted.
        * runtime/ReflectObject.h:
        (JSC::ReflectObject::create): Deleted.
        (JSC::ReflectObject::createStructure): Deleted.
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpConstructorDollar):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create): Deleted.
        (JSC::RegExpConstructor::createStructure): Deleted.
        (JSC::RegExpConstructor::setMultiline): Deleted.
        (JSC::RegExpConstructor::multiline const): Deleted.
        (JSC::RegExpConstructor::setInput): Deleted.
        (JSC::RegExpConstructor::input): Deleted.
        (JSC::RegExpConstructor::offsetOfCachedResult): Deleted.
        (JSC::asRegExpConstructor): Deleted.
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::create): Deleted.
        (JSC::RegExpPrototype::createStructure): Deleted.
        (JSC::RegExpPrototype::emptyRegExp const): Deleted.
        * runtime/SetConstructor.h:
        (JSC::SetConstructor::create): Deleted.
        (JSC::SetConstructor::createStructure): Deleted.
        * runtime/SetIteratorPrototype.h:
        (JSC::SetIteratorPrototype::create): Deleted.
        (JSC::SetIteratorPrototype::createStructure): Deleted.
        (JSC::SetIteratorPrototype::SetIteratorPrototype): Deleted.
        * runtime/SetPrototype.h:
        (JSC::SetPrototype::create): Deleted.
        (JSC::SetPrototype::createStructure): Deleted.
        (JSC::SetPrototype::SetPrototype): Deleted.
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::create): Deleted.
        (JSC::StringConstructor::createStructure): Deleted.
        * runtime/StringIteratorPrototype.h:
        (JSC::StringIteratorPrototype::create): Deleted.
        (JSC::StringIteratorPrototype::createStructure): Deleted.
        (JSC::StringIteratorPrototype::StringIteratorPrototype): Deleted.
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure): Deleted.
        * runtime/SymbolConstructor.h:
        (JSC::SymbolConstructor::create): Deleted.
        (JSC::SymbolConstructor::createStructure): Deleted.
        * runtime/SymbolObject.h:
        (JSC::SymbolObject::create): Deleted.
        (JSC::SymbolObject::internalValue const): Deleted.
        (JSC::SymbolObject::createStructure): Deleted.
        * runtime/SymbolPrototype.h:
        (JSC::SymbolPrototype::create): Deleted.
        (JSC::SymbolPrototype::createStructure): Deleted.
        * runtime/WeakMapConstructor.h:
        (JSC::WeakMapConstructor::create): Deleted.
        (JSC::WeakMapConstructor::createStructure): Deleted.
        * runtime/WeakMapPrototype.h:
        (JSC::WeakMapPrototype::create): Deleted.
        (JSC::WeakMapPrototype::createStructure): Deleted.
        (JSC::WeakMapPrototype::WeakMapPrototype): Deleted.
        * runtime/WeakSetConstructor.h:
        (JSC::WeakSetConstructor::create): Deleted.
        (JSC::WeakSetConstructor::createStructure): Deleted.
        * runtime/WeakSetPrototype.h:
        (JSC::WeakSetPrototype::create): Deleted.
        (JSC::WeakSetPrototype::createStructure): Deleted.
        (JSC::WeakSetPrototype::WeakSetPrototype): Deleted.
        * tools/JSDollarVM.h:
        (JSC::JSDollarVM::createStructure): Deleted.
        (JSC::JSDollarVM::create): Deleted.
        (JSC::JSDollarVM::JSDollarVM): Deleted.
        * wasm/js/JSWebAssembly.h:
        * wasm/js/JSWebAssemblyCompileError.h:
        (JSC::JSWebAssemblyCompileError::create): Deleted.
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::instance): Deleted.
        (JSC::JSWebAssemblyInstance::moduleNamespaceObject): Deleted.
        (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee): Deleted.
        (JSC::JSWebAssemblyInstance::memory): Deleted.
        (JSC::JSWebAssemblyInstance::setMemory): Deleted.
        (JSC::JSWebAssemblyInstance::memoryMode): Deleted.
        (JSC::JSWebAssemblyInstance::table): Deleted.
        (JSC::JSWebAssemblyInstance::setTable): Deleted.
        (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): Deleted.
        (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee): Deleted.
        (JSC::JSWebAssemblyInstance::module const): Deleted.
        * wasm/js/JSWebAssemblyLinkError.h:
        (JSC::JSWebAssemblyLinkError::create): Deleted.
        * wasm/js/JSWebAssemblyMemory.h:
        (JSC::JSWebAssemblyMemory::subspaceFor): Deleted.
        (JSC::JSWebAssemblyMemory::memory): Deleted.
        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/JSWebAssemblyRuntimeError.h:
        (JSC::JSWebAssemblyRuntimeError::create): Deleted.
        * wasm/js/JSWebAssemblyTable.h:
        (JSC::JSWebAssemblyTable::isValidLength): Deleted.
        (JSC::JSWebAssemblyTable::maximum const): Deleted.
        (JSC::JSWebAssemblyTable::length const): Deleted.
        (JSC::JSWebAssemblyTable::allocatedLength const): Deleted.
        (JSC::JSWebAssemblyTable::table): Deleted.
        * wasm/js/WebAssemblyCompileErrorConstructor.h:
        * wasm/js/WebAssemblyCompileErrorPrototype.h:
        * wasm/js/WebAssemblyInstanceConstructor.h:
        * wasm/js/WebAssemblyInstancePrototype.h:
        * wasm/js/WebAssemblyLinkErrorConstructor.h:
        * wasm/js/WebAssemblyLinkErrorPrototype.h:
        * wasm/js/WebAssemblyMemoryConstructor.h:
        * wasm/js/WebAssemblyMemoryPrototype.h:
        * wasm/js/WebAssemblyModuleConstructor.h:
        * wasm/js/WebAssemblyModulePrototype.h:
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyPrototype.h:
        * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
        * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
        * wasm/js/WebAssemblyTableConstructor.h:
        * wasm/js/WebAssemblyTablePrototype.h:

2018-03-07  Filip Pizlo  <fpizlo@apple.com>

        Make it possible to randomize register allocation
        https://bugs.webkit.org/show_bug.cgi?id=183416

        Reviewed by Keith Miller.
        
        This is disabled by default for now, because it reveals a regalloc bug in wasm.

        * b3/air/AirCode.cpp:
        (JSC::B3::Air::Code::Code):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::weakRandom):
        * runtime/Options.h:

2018-03-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add inherits<T>(VM&) leveraging JSCast fast path
        https://bugs.webkit.org/show_bug.cgi?id=183429

        Reviewed by Mark Lam.

        Add new member functions, JSCell::inherits<T>(VM&) and JSValue::inherits<T>(VM&).
        They depend on the jsDynamicCast<T> implementation and leverage the JSType-based fast
        paths defined in JSCast.h. We extract the checking part as `JSCastingHelpers::inherits`
        and construct jsDynamicCast and JSCell::inherits based on this.

        And we remove several unnecessary casting functions (asRegExpObject, asDateInstance etc.).
        In addition, we add a jsDynamicCast fast path for RegExpObject by using the existing RegExpObjectType.

        We also fix the implementation of jsDynamicCast for JSObject since it uses LastJSCObjectType.
        Embedders can add their extended object types after that.

        * API/JSObjectRef.cpp:
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValue.mm:
        (isDate):
        (isArray):
        * API/JSValueRef.cpp:
        (JSValueIsArray):
        (JSValueIsDate):
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.mm:
        (tryUnwrapConstructor):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGOperations.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::functionDetails):
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::getPreview):
        * interpreter/Interpreter.cpp:
        (JSC::notifyDebuggerOfUnwinding):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JITOperations.cpp:
        (JSC::operationNewFunctionCommon):
        * jsc.cpp:
        (checkException):
        * runtime/BooleanObject.h:
        (JSC::asBooleanObject): Deleted.
        * runtime/BooleanPrototype.cpp:
        (JSC::booleanProtoFuncToString):
        (JSC::booleanProtoFuncValueOf):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateInstance.h:
        (JSC::asDateInstance): Deleted.
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToLocaleString):
        (JSC::dateProtoFuncToLocaleDateString):
        (JSC::dateProtoFuncToLocaleTimeString):
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncGetFullYear):
        (JSC::dateProtoFuncGetUTCFullYear):
        (JSC::dateProtoFuncGetMonth):
        (JSC::dateProtoFuncGetUTCMonth):
        (JSC::dateProtoFuncGetDate):
        (JSC::dateProtoFuncGetUTCDate):
        (JSC::dateProtoFuncGetDay):
        (JSC::dateProtoFuncGetUTCDay):
        (JSC::dateProtoFuncGetHours):
        (JSC::dateProtoFuncGetUTCHours):
        (JSC::dateProtoFuncGetMinutes):
        (JSC::dateProtoFuncGetUTCMinutes):
        (JSC::dateProtoFuncGetSeconds):
        (JSC::dateProtoFuncGetUTCSeconds):
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::dateProtoFuncGetTimezoneOffset):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncGetYear):
        * runtime/ExceptionHelpers.cpp:
        (JSC::isTerminatedExecutionException):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/InternalFunction.h:
        (JSC::asInternalFunction):
        * runtime/JSArray.h:
        (JSC::asArray):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpForBacktrace const):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::inherits const):
        * runtime/JSCast.h:
        (JSC::JSCastingHelpers::inheritsGenericImpl):
        (JSC::JSCastingHelpers::inheritsJSTypeImpl):
        (JSC::JSCastingHelpers::InheritsTraits::inherits):
        (JSC::JSCastingHelpers::inherits):
        (JSC::jsDynamicCast):
        (JSC::JSCastingHelpers::jsDynamicCastGenericImpl): Deleted.
        (JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl): Deleted.
        (JSC::JSCastingHelpers::JSDynamicCastTraits::cast): Deleted.
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::inherits const):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveCallerFunctionFunctor::operator() const):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        * runtime/JSGlobalObject.cpp:
        (JSC::enqueueJob):
        * runtime/JSGlobalObject.h:
        (JSC::asGlobalObject): Deleted.
        * runtime/JSInternalPromiseDeferred.cpp:
        (JSC::JSInternalPromiseDeferred::create):
        * runtime/JSLexicalEnvironment.h:
        (JSC::asActivation):
        * runtime/JSONObject.cpp:
        (JSC::unwrapBoxedPrimitive):
        (JSC::Stringifier::Stringifier):
        (JSC::Walker::walk):
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::resolve):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::create):
        * runtime/JSType.h:
        * runtime/ProxyObject.h:
        (JSC::ProxyObject::create): Deleted.
        (JSC::ProxyObject::createStructure): Deleted.
        (JSC::ProxyObject::target const): Deleted.
        (JSC::ProxyObject::handler const): Deleted.
        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
        * runtime/RegExpConstructor.h:
        (JSC::asRegExpConstructor):
        (JSC::isRegExp):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::finishCreation):
        (JSC::RegExpObject::getOwnPropertySlot):
        (JSC::RegExpObject::defineOwnProperty):
        (JSC::regExpObjectSetLastIndexStrict):
        (JSC::regExpObjectSetLastIndexNonStrict):
        (JSC::RegExpObject::put):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create): Deleted.
        (JSC::RegExpObject::setRegExp): Deleted.
        (JSC::RegExpObject::regExp const): Deleted.
        (JSC::RegExpObject::setLastIndex): Deleted.
        (JSC::RegExpObject::getLastIndex const): Deleted.
        (JSC::RegExpObject::test): Deleted.
        (JSC::RegExpObject::testInline): Deleted.
        (JSC::RegExpObject::createStructure): Deleted.
        (JSC::RegExpObject::offsetOfRegExp): Deleted.
        (JSC::RegExpObject::offsetOfLastIndex): Deleted.
        (JSC::RegExpObject::offsetOfLastIndexIsWritable): Deleted.
        (JSC::RegExpObject::allocationSize): Deleted.
        (JSC::asRegExpObject): Deleted.
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTestFast):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncMatchFast):
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoGetterGlobal):
        (JSC::regExpProtoGetterIgnoreCase):
        (JSC::regExpProtoGetterMultiline):
        (JSC::regExpProtoGetterDotAll):
        (JSC::regExpProtoGetterSticky):
        (JSC::regExpProtoGetterUnicode):
        (JSC::regExpProtoGetterSource):
        (JSC::regExpProtoFuncSearchFast):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/StringObject.h:
        (JSC::asStringObject): Deleted.
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::replace):
        (JSC::stringProtoFuncReplaceUsingRegExp):
        (JSC::stringProtoFuncToString):
        * runtime/SymbolPrototype.cpp:
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):
        * tools/JSDollarVM.cpp:
        (WTF::customGetValue):
        (WTF::customSetValue):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::isWebAssemblyHostFunction):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::create):
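
        An added illustration, not code from this patch or from JavaScriptCore: a stand-alone
        C++17 model of the inherits<T>/jsDynamicCast<T> dispatch the entry above describes. A
        type that owns a JSType gets a one-byte tag compare; a type without one falls back to
        walking the ClassInfo chain; JSObject accepts any tag from ObjectType upward so that
        embedder types numbered past LastJSCObjectType still pass. The JSType values, ClassInfo
        layout, sample classes (JSString, RegExpObject, DateInstance, ErrorInstance) and the
        exact form of the JSObject check are assumptions made for the example.

```cpp
#include <cassert>
#include <cstdint>
#include <type_traits>

// Assumed stand-ins for JSC's JSType tags; an embedder numbers its own object
// types after LastJSCObjectType.
enum JSType : uint8_t {
    StringType = 1,
    ObjectType = 100,
    RegExpObjectType = 101,
    DateInstanceType = 102,
    LastJSCObjectType = 102,
};

struct ClassInfo {
    const char* className;
    const ClassInfo* parentClass;
    // Generic path: walk the parent chain, as inheritsGenericImpl would.
    bool isSubClassOf(const ClassInfo* other) const
    {
        for (const ClassInfo* ci = this; ci; ci = ci->parentClass)
            if (ci == other)
                return true;
        return false;
    }
};

struct JSCell {
    JSType type;
    const ClassInfo* classInfo;
    template<typename T> bool inherits() const;
};
struct JSString : JSCell { static const ClassInfo s_info; static constexpr JSType typeValue = StringType; };
struct JSObject : JSCell { static const ClassInfo s_info; };
// Types that own a JSType advertise it as typeValue and get the fast path.
struct RegExpObject : JSObject { static const ClassInfo s_info; static constexpr JSType typeValue = RegExpObjectType; };
struct DateInstance : JSObject { static const ClassInfo s_info; static constexpr JSType typeValue = DateInstanceType; };
// A type without its own JSType has to use the ClassInfo walk.
struct ErrorInstance : JSObject { static const ClassInfo s_info; };
const ClassInfo JSString::s_info = { "String", nullptr };
const ClassInfo JSObject::s_info = { "Object", nullptr };
const ClassInfo RegExpObject::s_info = { "RegExp", &JSObject::s_info };
const ClassInfo DateInstance::s_info = { "Date", &JSObject::s_info };
const ClassInfo ErrorInstance::s_info = { "Error", &JSObject::s_info };

namespace JSCastingHelpers {
template<typename T, typename = void> struct HasTypeValue : std::false_type { };
template<typename T> struct HasTypeValue<T, std::void_t<decltype(T::typeValue)>> : std::true_type { };

// InheritsTraits picks the check from T alone, so jsDynamicCast<T>,
// JSCell::inherits<T> and JSValue::inherits<T> can all share it.
template<typename T, typename = void>
struct InheritsTraits {
    static bool inherits(const JSCell* cell) { return cell->classInfo->isSubClassOf(&T::s_info); }
};
template<typename T>
struct InheritsTraits<T, std::enable_if_t<HasTypeValue<T>::value>> {
    // Fast path: one byte compare, no pointer chasing through ClassInfo.
    static bool inherits(const JSCell* cell) { return cell->type == T::typeValue; }
};
// JSObject must also accept embedder types numbered past LastJSCObjectType, so
// its check is a lower bound on the tag (assumed form of the fix noted above).
template<>
struct InheritsTraits<JSObject> {
    static bool inherits(const JSCell* cell) { return cell->type >= ObjectType; }
};
template<typename T> bool inherits(const JSCell* cell) { return InheritsTraits<T>::inherits(cell); }
} // namespace JSCastingHelpers

template<typename T> bool JSCell::inherits() const { return JSCastingHelpers::inherits<T>(this); }
template<typename T> T* jsDynamicCast(JSCell* cell)
{
    return cell && cell->inherits<T>() ? static_cast<T*>(cell) : nullptr;
}

// Constructed sample cells (not real heap objects) for the checks below.
template<typename T> T makeCell(JSType type)
{
    T cell {};
    cell.type = type;
    cell.classInfo = &T::s_info;
    return cell;
}
bool regExpIsRegExp()   { auto c = makeCell<RegExpObject>(RegExpObjectType); return jsDynamicCast<RegExpObject>(&c) != nullptr; }
bool regExpIsDate()     { auto c = makeCell<RegExpObject>(RegExpObjectType); return jsDynamicCast<DateInstance>(&c) != nullptr; }
bool errorIsError()     { auto c = makeCell<ErrorInstance>(ObjectType); return jsDynamicCast<ErrorInstance>(&c) != nullptr; }
bool errorIsRegExp()    { auto c = makeCell<ErrorInstance>(ObjectType); return jsDynamicCast<RegExpObject>(&c) != nullptr; }
bool embedderIsObject() { auto c = makeCell<JSObject>(static_cast<JSType>(LastJSCObjectType + 1)); return jsDynamicCast<JSObject>(&c) != nullptr; }
bool stringIsObject()   { auto c = makeCell<JSString>(StringType); return jsDynamicCast<JSObject>(&c) != nullptr; }

int main()
{
    assert(regExpIsRegExp() && !regExpIsDate());
    assert(errorIsError() && !errorIsRegExp());
    assert(embedderIsObject() && !stringIsObject());
}
```

        The point for a reviewer is that the decision between tag compare and chain walk is
        made once, from T, rather than at every call site: a cast that reaches the wrong
        branch is a type confusion, so centralising it in InheritsTraits is what keeps the
        fast path from being a correctness risk.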

2018-03-07  Tim Horton  <timothy_horton@apple.com>

        Sort and separate FeatureDefines.xcconfig
        https://bugs.webkit.org/show_bug.cgi?id=183427

        Reviewed by Dan Bernstein.

        * Configurations/FeatureDefines.xcconfig:
        Sort and split FeatureDefines into paragraphs
        (to make it easier to sort later).

2018-03-07  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix 32-bit build.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):

2018-03-07  Keith Miller  <keith_miller@apple.com>

        Meta-program setupArguments and callOperation
        https://bugs.webkit.org/show_bug.cgi?id=183263

        Rubber-stamped by Filip Pizlo.

        This patch removes all the custom overrides of callOperation and setupArguments
        throughout the JITs. In their place there is a new setupArguments that marshals
        the arguments into place based on the type of the operation's function pointer.
        There were a couple of design choices in the implementation of setupArguments:

        1) We assume that no TrustedImm floating point values are passed.
        2) If ExecState* is the first argument the callFrameRegister should be marshalled implicitly.
        3) Types should not be implicitly converted (with the exception of DFG::RegisteredStructure -> Structure*)

        The new callOperation/setupArguments do their best to make sure
        it's hard to call a function with the wrong parameters. They will
        only try to pattern match if the types match up with the next
        passed argument. Additionally, the base case should static_assert
        if the number of inferred arguments does not match the arity of
        the operation's function pointer.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
        (JSC::AbstractMacroAssembler::TrustedImmPtr::asPtr):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::poke):
        (JSC::MacroAssembler::move):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::swap):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::loadDouble):
        (JSC::MacroAssemblerX86Common::swap):
        (JSC::MacroAssemblerX86Common::move):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCaseSnippetParams.cpp:
        (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGNode.h:
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::emitRestoreArguments):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        (JSC::DFG::SpeculativeJIT::compileArithRounding):
        (JSC::DFG::SpeculativeJIT::compileArithSqrt):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
        (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::operator MacroAssembler::TrustedImm const):
        (JSC::DFG::SpeculativeJIT::initConstantInfo):
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
        (JSC::DFG::SpeculativeJIT::callCustomGetter): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLSlowPathCall.h:
        (JSC::FTL::callOperation):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::ensureShadowChickenPacket):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgument):
        (JSC::CCallHelpers::setupStubArgs):
        (JSC::CCallHelpers::ArgCollection::ArgCollection):
        (JSC::CCallHelpers::ArgCollection::pushRegArg):
        (JSC::CCallHelpers::ArgCollection::addGPRArg):
        (JSC::CCallHelpers::ArgCollection::addStackArg):
        (JSC::CCallHelpers::ArgCollection::addPoke):
        (JSC::CCallHelpers::ArgCollection::argCount):
        (JSC::CCallHelpers::clampArrayToSize):
        (JSC::CCallHelpers::pokeForArgument):
        (JSC::CCallHelpers::marshallArgumentRegister):
        (JSC::CCallHelpers::setupArgumentsImpl):
        (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
        (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
        (JSC::CCallHelpers::setupArguments):
        (JSC::CCallHelpers::prepareForTailCallSlow):
        (JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.
        (JSC::CCallHelpers::resetCallArguments): Deleted.
        (JSC::CCallHelpers::addCallArgument): Deleted.
        (JSC::CCallHelpers::setupArgumentsExecState): Deleted.
        (JSC::CCallHelpers::setupTwoStubArgsGPR): Deleted.
        (JSC::CCallHelpers::setupThreeStubArgsGPR): Deleted.
        (JSC::CCallHelpers::setupFourStubArgsGPR): Deleted.
        (JSC::CCallHelpers::setupFiveStubArgsGPR): Deleted.
        (JSC::CCallHelpers::setupTwoStubArgsFPR): Deleted.
        (JSC::CCallHelpers::setupStubArguments): Deleted.
        (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Deleted.
        (JSC::CCallHelpers::setupStubArguments134): Deleted.
        (JSC::CCallHelpers::setupStubArgsGPR): Deleted.
        * jit/FPRInfo.h:
        (JSC::toInfoFromReg):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::JSValueRegs):
        (JSC::toInfoFromReg):
        * jit/JIT.h:
        (JSC::JIT::callOperation):
        (JSC::JIT::callOperationWithProfile):
        (JSC::JIT::callOperationWithResult):
        (JSC::JIT::callOperationNoExceptionCheck):
        (JSC::JIT::callOperationWithCallFrameRollbackOnException):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitMathICFast):
        (JSC::JIT::emitMathICSlow):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation): Deleted.
        (JSC::JIT::callOperationNoExceptionCheck): Deleted.
        (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array_with_size):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof_custom):
        (JSC::JIT::emit_op_set_function_name):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::emitSlow_op_has_indexed_property):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id_with_this):
        (JSC::JIT::emitSlow_op_get_from_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_index):
        (JSC::JIT::emit_op_put_setter_by_id):
        (JSC::JIT::emit_op_put_getter_setter_by_id):
        (JSC::JIT::emit_op_put_getter_by_val):
        (JSC::JIT::emit_op_put_setter_by_val):
        (JSC::JIT::emit_op_del_by_id):
        (JSC::JIT::emit_op_del_by_val):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id_with_this):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::emitSlow_op_get_from_scope):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::RegisterSet):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionBreakpoint):
        * runtime/JSCJSValue.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):
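
        An added example, not code from this patch: a stand-alone C++17 sketch of the three
        setupArguments design choices listed above. It decomposes the operation's function
        pointer type, fills a leading ExecState* from the call frame register implicitly,
        pattern-matches each explicit argument against the next parameter type (allowing only
        the RegisteredStructure -> Structure* conversion), and static_asserts when the count
        or a type does not fit. The ExecState, Structure, RegisteredStructure, register and
        immediate types, the register number used for callFrameRegister and the sample
        operation signature are assumptions for the example; it records which register or
        immediate lands in each argument slot instead of emitting machine code.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <string>
#include <tuple>
#include <type_traits>
#include <vector>

// Assumed stand-ins for the JSC types the entry names.
struct ExecState { };
struct Structure { };
namespace DFG { struct RegisteredStructure { Structure* structure; }; }
struct GPRReg { int index; };           // value already in a general register
struct FPRReg { int index; };           // value already in a float register
struct TrustedImm32 { int32_t value; }; // immediate integer

// What the marshaller decided for one argument position.
struct ArgSlot { std::string kind; std::intptr_t value; }; // kind: "gpr", "fpr" or "imm"

template<typename> inline constexpr bool dependentFalse = false;

// Take the operation's function-pointer type apart into its parameter list.
template<typename F> struct FunctionTraits;
template<typename R, typename... P> struct FunctionTraits<R (*)(P...)> {
    static constexpr std::size_t arity = sizeof...(P);
    using Params = std::tuple<P...>;
};
template<typename F> struct FirstParam { using type = void; };
template<typename R, typename P0, typename... P> struct FirstParam<R (*)(P0, P...)> { using type = P0; };

class CCallHelpers {
public:
    static constexpr int callFrameRegister = 29; // assumed register number

    template<typename Operation, typename... Args>
    std::vector<ArgSlot> setupArguments(Args... args)
    {
        m_slots.clear();
        if constexpr (std::is_same_v<typename FirstParam<Operation>::type, ExecState*>) {
            // Choice 2: a leading ExecState* comes from callFrameRegister implicitly.
            m_slots.push_back({ "gpr", callFrameRegister });
            setupArgumentsImpl<Operation, 1>(args...);
        } else
            setupArgumentsImpl<Operation, 0>(args...);
        return m_slots;
    }

private:
    template<typename Operation, std::size_t Index>
    void setupArgumentsImpl()
    {
        // Base case: the inferred argument count must equal the operation's arity.
        static_assert(Index == FunctionTraits<Operation>::arity, "too few arguments for this operation");
    }
    template<typename Operation, std::size_t Index, typename Arg, typename... Rest>
    void setupArgumentsImpl(Arg arg, Rest... rest)
    {
        static_assert(Index < FunctionTraits<Operation>::arity, "too many arguments for this operation");
        using Expected = std::tuple_element_t<Index, typename FunctionTraits<Operation>::Params>;
        marshal<Expected>(arg);
        setupArgumentsImpl<Operation, Index + 1>(rest...);
    }

    // Choice 3: pattern-match only when the argument fits the parameter type;
    // the one implicit conversion allowed is RegisteredStructure -> Structure*.
    template<typename Expected, typename Arg>
    void marshal(Arg arg)
    {
        if constexpr (std::is_same_v<Arg, GPRReg>) {
            static_assert(std::is_pointer_v<Expected> || std::is_integral_v<Expected>, "GPR needs a pointer or integer parameter");
            m_slots.push_back({ "gpr", arg.index });
        } else if constexpr (std::is_same_v<Arg, FPRReg>) {
            static_assert(std::is_floating_point_v<Expected>, "FPR needs a floating-point parameter");
            m_slots.push_back({ "fpr", arg.index });
        } else if constexpr (std::is_same_v<Arg, TrustedImm32>) {
            static_assert(std::is_integral_v<Expected>, "TrustedImm32 needs an integer parameter");
            m_slots.push_back({ "imm", arg.value });
        } else if constexpr (std::is_same_v<Arg, DFG::RegisteredStructure>) {
            static_assert(std::is_same_v<Expected, Structure*>, "RegisteredStructure only converts to Structure*");
            m_slots.push_back({ "imm", reinterpret_cast<std::intptr_t>(arg.structure) });
        } else {
            // Choice 1 (no floating-point immediates) and anything else: refuse at compile time.
            static_assert(dependentFalse<Arg>, "argument does not match the operation's parameter type");
        }
    }

    std::vector<ArgSlot> m_slots;
};

// Assumed sample operation: the ExecState* comes first and is never passed explicitly.
using J_JITOperation_ESI = int64_t (*)(ExecState*, Structure*, int32_t);
Structure exampleStructure; // constructed sample input

std::vector<ArgSlot> marshalExample()
{
    CCallHelpers jit;
    return jit.setupArguments<J_JITOperation_ESI>(DFG::RegisteredStructure { &exampleStructure }, TrustedImm32 { 7 });
}

int main()
{
    auto slots = marshalExample();
    assert(slots.size() == 3 && slots[0].kind == "gpr" && slots[0].value == CCallHelpers::callFrameRegister);
    assert(slots[1].kind == "imm" && slots[1].value == reinterpret_cast<std::intptr_t>(&exampleStructure));
    assert(slots[2].kind == "imm" && slots[2].value == 7);
    // Mismatches fail to compile: setupArguments<J_JITOperation_ESI>(TrustedImm32 { 7 }) trips
    // "too few arguments", and an FPRReg for the int32_t parameter trips the FPR check.
}
```

        The property worth checking in review is the one the entry states: an arity or type
        mismatch between JIT-side arguments and the C++ operation is a compile error, not a
        slow path that reads a register it was never given.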

2018-03-07  Mark Lam  <mark.lam@apple.com>

        Rename ProtoCallFrame::arityMissMatch to hasArityMismatch.
        https://bugs.webkit.org/show_bug.cgi?id=183414
        <rdar://problem/38231678>

        Reviewed by Michael Saboff.

        * interpreter/ProtoCallFrame.cpp:
        (JSC::ProtoCallFrame::init):
        * interpreter/ProtoCallFrame.h:

2018-03-07  Mark Lam  <mark.lam@apple.com>

        Simplify the variants of FunctionPtr constructors.
        https://bugs.webkit.org/show_bug.cgi?id=183399
        <rdar://problem/38212980>

        Reviewed by Yusuke Suzuki.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):

2018-03-06  Filip Pizlo  <fpizlo@apple.com>

        MarkedArgumentsBuffer should allocate from the JSValue Gigacage
        https://bugs.webkit.org/show_bug.cgi?id=183377

        Reviewed by Michael Saboff.
        
        That prevents it from being used to pivot UAF on malloc memory into corruption in the JS heap.

        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::expandCapacity):

2018-03-07  Mark Lam  <mark.lam@apple.com>

        Add support for ARM64E.
        https://bugs.webkit.org/show_bug.cgi?id=183398
        <rdar://problem/38212621>

        Reviewed by Michael Saboff.

        * assembler/MacroAssembler.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/backends.rb:

2018-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        HTML `pattern` attribute should set `u` flag for regular expressions
        https://bugs.webkit.org/show_bug.cgi?id=151598

        Reviewed by Chris Dumez.

        Add UnicodeMode for JSC::Yarr::RegularExpression.

        * yarr/RegularExpression.cpp:
        (JSC::Yarr::RegularExpression::Private::create):
        (JSC::Yarr::RegularExpression::Private::Private):
        (JSC::Yarr::RegularExpression::Private::compile):
        (JSC::Yarr::RegularExpression::RegularExpression):
        * yarr/RegularExpression.h:

2018-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add more JSType based fast path for jsDynamicCast
        https://bugs.webkit.org/show_bug.cgi?id=183403

        Reviewed by Mark Lam.

        We add more JSType based fast paths for jsDynamicCast. Basically, we add miscellaneous JSTypes which
        are used for jsDynamicCast in JSC, argument types, and scope types.

        We also add ClassInfo to JSScope and JSSegmentedVariableObject since they are used with jsDynamicCast.

        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * runtime/ClonedArguments.h:
        (JSC::ClonedArguments::specialsMaterialized const): Deleted.
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::subspaceFor): Deleted.
        (JSC::DirectArguments::internalLength const): Deleted.
        (JSC::DirectArguments::length const): Deleted.
        (JSC::DirectArguments::isMappedArgument const): Deleted.
        (JSC::DirectArguments::isMappedArgumentInDFG const): Deleted.
        (JSC::DirectArguments::getIndexQuickly const): Deleted.
        (JSC::DirectArguments::setIndexQuickly): Deleted.
        (JSC::DirectArguments::callee): Deleted.
        (JSC::DirectArguments::argument): Deleted.
        (JSC::DirectArguments::overrodeThings const): Deleted.
        (JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
        (JSC::DirectArguments::setModifiedArgumentDescriptor): Deleted.
        (JSC::DirectArguments::isModifiedArgumentDescriptor): Deleted.
        (JSC::DirectArguments::offsetOfCallee): Deleted.
        (JSC::DirectArguments::offsetOfLength): Deleted.
        (JSC::DirectArguments::offsetOfMinCapacity): Deleted.
        (JSC::DirectArguments::offsetOfMappedArguments): Deleted.
        (JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor): Deleted.
        (JSC::DirectArguments::storageOffset): Deleted.
        (JSC::DirectArguments::offsetOfSlot): Deleted.
        (JSC::DirectArguments::allocationSize): Deleted.
        (JSC::DirectArguments::storage): Deleted.
        * runtime/JSCast.h:
        * runtime/JSGlobalLexicalEnvironment.h:
        (JSC::JSGlobalLexicalEnvironment::create): Deleted.
        (JSC::JSGlobalLexicalEnvironment::isEmpty const): Deleted.
        (JSC::JSGlobalLexicalEnvironment::createStructure): Deleted.
        (JSC::JSGlobalLexicalEnvironment::JSGlobalLexicalEnvironment): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSMap.h:
        (JSC::isJSMap): Deleted.
        * runtime/JSModuleEnvironment.h:
        (JSC::JSModuleEnvironment::create): Deleted.
        (JSC::JSModuleEnvironment::createStructure): Deleted.
        (JSC::JSModuleEnvironment::offsetOfModuleRecord): Deleted.
        (JSC::JSModuleEnvironment::allocationSize): Deleted.
        (JSC::JSModuleEnvironment::moduleRecord): Deleted.
        (JSC::JSModuleEnvironment::moduleRecordSlot): Deleted.
        * runtime/JSObject.cpp:
        (JSC::canDoFastPutDirectIndex):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::allocationSize): Deleted.
        (JSC::JSFinalObject::typeInfo): Deleted.
        (JSC::JSFinalObject::defaultInlineCapacity): Deleted.
        (JSC::JSFinalObject::maxInlineCapacity): Deleted.
        (JSC::JSFinalObject::createStructure): Deleted.
        (JSC::JSFinalObject::finishCreation): Deleted.
        (JSC::JSFinalObject::JSFinalObject): Deleted.
        (JSC::isJSFinalObject): Deleted.
        * runtime/JSScope.cpp:
        * runtime/JSScope.h:
        * runtime/JSSegmentedVariableObject.cpp:
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSSet.h:
        (JSC::isJSSet): Deleted.
        * runtime/JSType.h:
        * runtime/JSWeakMap.h:
        (JSC::isJSWeakMap): Deleted.
        * runtime/JSWeakSet.h:
        (JSC::isJSWeakSet): Deleted.
        * runtime/JSWithScope.h:
        (JSC::JSWithScope::object): Deleted.
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        (JSC::mapPrivateFuncMapBucketHead):
        * runtime/MapPrototype.cpp:
        (JSC::getMap):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::finishCreation):
        * runtime/NumberPrototype.cpp:
        (JSC::toThisNumber):
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        (JSC::numberProtoFuncToLocaleString):
        (JSC::numberProtoFuncValueOf):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::finishCreation):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::subspaceFor): Deleted.
        (JSC::ScopedArguments::internalLength const): Deleted.
        (JSC::ScopedArguments::length const): Deleted.
        (JSC::ScopedArguments::isMappedArgument const): Deleted.
        (JSC::ScopedArguments::isMappedArgumentInDFG const): Deleted.
        (JSC::ScopedArguments::getIndexQuickly const): Deleted.
        (JSC::ScopedArguments::setIndexQuickly): Deleted.
        (JSC::ScopedArguments::callee): Deleted.
        (JSC::ScopedArguments::overrodeThings const): Deleted.
        (JSC::ScopedArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
        (JSC::ScopedArguments::setModifiedArgumentDescriptor): Deleted.
        (JSC::ScopedArguments::isModifiedArgumentDescriptor): Deleted.
        (JSC::ScopedArguments::offsetOfOverrodeThings): Deleted.
        (JSC::ScopedArguments::offsetOfTotalLength): Deleted.
        (JSC::ScopedArguments::offsetOfTable): Deleted.
        (JSC::ScopedArguments::offsetOfScope): Deleted.
        (JSC::ScopedArguments::overflowStorageOffset): Deleted.
        (JSC::ScopedArguments::allocationSize): Deleted.
        (JSC::ScopedArguments::overflowStorage const): Deleted.
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        (JSC::setPrivateFuncSetBucketHead):
        * runtime/SetPrototype.cpp:
        (JSC::getSet):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create): Deleted.
        (JSC::StrictEvalActivation::createStructure): Deleted.
        * runtime/WeakMapPrototype.cpp:
        (JSC::getWeakMap):
        * runtime/WeakSetPrototype.cpp:
        (JSC::getWeakSet):

2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] offlineasm: fix indentation in armOpcodeReversedOperands
        https://bugs.webkit.org/show_bug.cgi?id=183400

        Reviewed by Mark Lam.

        * offlineasm/arm.rb:

2018-03-06  Mark Lam  <mark.lam@apple.com>

        Prepare LLInt code to support pointer profiling.
        https://bugs.webkit.org/show_bug.cgi?id=183387
        <rdar://problem/38199678>

        Reviewed by JF Bastien.

        1. Introduced PtrTag enums for supporting pointer profiling later.

        2. Also introduced tagging, untagging, retagging, and tag removal placeholder
           template functions for the same purpose.

        3. Prepare the offlineasm for supporting pointer profiling later.

        4. Tagged some pointers in LLInt asm code.  Currently, these should have no
           effect on behavior.

        5. Removed returnToThrowForThrownException() because it is not used anywhere.

        6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
           easier to view and edit these files in Xcode.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/LLIntCallLinkInfo.h:
        (JSC::LLIntCallLinkInfo::unlink):
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::returnToThrowForThrownException): Deleted.
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntPCRanges.h:
        (JSC::LLInt::isLLIntPC):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/ast.rb:
        * offlineasm/instructions.rb:
        * offlineasm/risc.rb:
        * runtime/PtrTag.h: Added.
        (JSC::uniquePtrTagID):
        (JSC::ptrTag):
        (JSC::tagCodePtr):
        (JSC::untagCodePtr):
        (JSC::retagCodePtr):
        (JSC::removeCodePtrTag):

2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Assembler warnings: "use of r13 is deprecated"
        https://bugs.webkit.org/show_bug.cgi?id=183286

        Reviewed by Mark Lam.

        Usage of sp/r13 as operand Rm is deprecated on ARM. offlineasm
        sometimes generates assembly code that triggers this warning. Prevent
        this by simply switching operands.

        * offlineasm/arm.rb:

2018-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix incorrect assertion after r229309
        https://bugs.webkit.org/show_bug.cgi?id=182975

        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::TypeProfilerLog):

2018-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        Fix std::make_unique / new[] using system malloc
        https://bugs.webkit.org/show_bug.cgi?id=182975

        Reviewed by JF Bastien.

        Use Vector, FAST_ALLOCATED, or UniqueArray instead.

        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString):
        * bytecode/BytecodeKills.h:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::BytecodeLivenessAnalysis::computeKills):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpDisassembly):
        * jit/PolymorphicCallStubRoutine.cpp:
        (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
        * jit/PolymorphicCallStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):
        * jsc.cpp:
        (currentWorkingDirectory):
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        * runtime/ArgList.h:
        * runtime/StructureChain.h:
        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::resize):
        * runtime/StructureIDTable.h:
        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::TypeProfilerLog):
        (JSC::TypeProfilerLog::initializeLog): Deleted.
        * runtime/TypeProfilerLog.h:
        (JSC::TypeProfilerLog::TypeProfilerLog): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::acquireRegExpPatternContexBuffer):
        * runtime/VM.h:
        * testRegExp.cpp:
        (runFromFiles):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::HeapVerifier):
        * tools/HeapVerifier.h:

2018-03-05  Mark Lam  <mark.lam@apple.com>

        JITThunk functions should only be called when the JIT is enabled.
        https://bugs.webkit.org/show_bug.cgi?id=183351
        <rdar://problem/38160091>

        Reviewed by Keith Miller.

        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        (JSC::JITThunks::ctiInternalFunctionCall):
        (JSC::JITThunks::ctiInternalFunctionConstruct):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::getCTIInternalFunctionTrampolineFor):

2018-03-05  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix.

        Not reviewed.

        * interpreter/AbstractPC.h:
        (JSC::AbstractPC::AbstractPC):

2018-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use WTF::ArithmeticOperations for CLoop overflow operations
        https://bugs.webkit.org/show_bug.cgi?id=183324

        Reviewed by JF Bastien.

        We have WTF::ArithmeticOperations, which has operations with overflow checking.
        This is suitable for CLoop's overflow checking operations. This patch emits
        WTF::ArithmeticOperations for CLoop's overflow checking operations, and they are
        lowered to optimized code using the CPU's overflow flag.

        * offlineasm/cloop.rb:
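
The overflow-checked arithmetic this entry describes, as an added example that is not WTF, offlineasm or CLoop code from the WebKit project. It assumes a GCC- or Clang-compatible compiler (the __builtin_*_overflow intrinsics lower to a test of the CPU's overflow flag) and carries a portable fallback showing the widening arithmetic they replace; the namespace, the ArithResult type and the *WithOverflowBranch functions are this example's own names, modelled on the shape of an interpreter's branch-on-overflow opcode.

```cpp
// Added example (not WTF, offlineasm, or CLoop code): overflow-checked int32
// arithmetic of the kind the CLoop needs for its branch-on-overflow opcodes.
// On GCC and Clang the __builtin_*_overflow intrinsics compile down to a test
// of the CPU's overflow flag; the fallback branch shows the widening arithmetic
// they replace. All names here are this example's own.
#include <cstdint>
#include <limits>

namespace checked {

// Each operation stores into `out` and returns true, or returns false on
// overflow, in which case `out` must not be used. The naive test `a + b < a`
// is not an option: signed overflow is undefined behaviour in C++ and the
// optimizer is entitled to delete such a check entirely.
inline bool add(int32_t a, int32_t b, int32_t& out)
{
#if defined(__GNUC__) || defined(__clang__)
    return !__builtin_add_overflow(a, b, &out);
#else
    int64_t r = static_cast<int64_t>(a) + static_cast<int64_t>(b);
    if (r < std::numeric_limits<int32_t>::min() || r > std::numeric_limits<int32_t>::max())
        return false;
    out = static_cast<int32_t>(r);
    return true;
#endif
}

inline bool sub(int32_t a, int32_t b, int32_t& out)
{
#if defined(__GNUC__) || defined(__clang__)
    return !__builtin_sub_overflow(a, b, &out);
#else
    int64_t r = static_cast<int64_t>(a) - static_cast<int64_t>(b);
    if (r < std::numeric_limits<int32_t>::min() || r > std::numeric_limits<int32_t>::max())
        return false;
    out = static_cast<int32_t>(r);
    return true;
#endif
}

inline bool mul(int32_t a, int32_t b, int32_t& out)
{
#if defined(__GNUC__) || defined(__clang__)
    return !__builtin_mul_overflow(a, b, &out);
#else
    // int32 * int32 always fits in int64 (|INT32_MIN|^2 == 2^62).
    int64_t r = static_cast<int64_t>(a) * static_cast<int64_t>(b);
    if (r < std::numeric_limits<int32_t>::min() || r > std::numeric_limits<int32_t>::max())
        return false;
    out = static_cast<int32_t>(r);
    return true;
#endif
}

} // namespace checked

// The shape of an interpreter's overflow-branching arithmetic: try the int32
// fast path; when the overflow flag would be set, take the slow path, which
// here produces the exact double a JS engine falls back to.
struct ArithResult {
    bool slowPath;    // true when the overflow branch was taken
    int32_t asInt32;  // valid only when !slowPath
    double asDouble;  // always valid
};

inline ArithResult addWithOverflowBranch(int32_t lhs, int32_t rhs)
{
    ArithResult r { false, 0, 0.0 };
    if (checked::add(lhs, rhs, r.asInt32)) {
        r.asDouble = r.asInt32;
        return r;
    }
    r.slowPath = true;
    r.asDouble = static_cast<double>(lhs) + static_cast<double>(rhs);
    return r;
}

inline ArithResult mulWithOverflowBranch(int32_t lhs, int32_t rhs)
{
    ArithResult r { false, 0, 0.0 };
    if (checked::mul(lhs, rhs, r.asInt32)) {
        r.asDouble = r.asInt32;
        return r;
    }
    r.slowPath = true;
    r.asDouble = static_cast<double>(lhs) * static_cast<double>(rhs);
    return r;
}
```

The boundary values worth trying are INT32_MAX + 1, INT32_MIN - 1, 0 - INT32_MIN and -1 * INT32_MIN: each is a single step past the int32 range and each must take the slow path, while 46340 * 46340 (the largest square that fits) must not.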

2018-03-05  Don Olmstead  <don.olmstead@sony.com>

        [CMake] Split JSC header copying into public and private targets
        https://bugs.webkit.org/show_bug.cgi?id=183251

        Reviewed by Konstantin Tokarev.

        * CMakeLists.txt:

2018-03-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Move currentCPUTime and sleep(Seconds) to CPUTime.h and Seconds.h respectively
        https://bugs.webkit.org/show_bug.cgi?id=183312

        Reviewed by Mark Lam.

        Remove wtf/CurrentTime.h include pragma.

        * API/tests/ExecutionTimeLimitTest.cpp:
        (currentCPUTimeAsJSFunctionCallback):
        (testExecutionTimeLimit):
        * bytecode/SuperSampler.cpp:
        * dfg/DFGPlan.cpp:
        * heap/BlockDirectory.cpp:
        * heap/Heap.cpp:
        * heap/IncrementalSweeper.cpp:
        * inspector/agents/InspectorConsoleAgent.cpp:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        * profiler/ProfilerDatabase.cpp:
        * runtime/CodeCache.h:
        * runtime/JSDateMath.cpp:
        * runtime/TypeProfilerLog.cpp:
        * runtime/VM.cpp:
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::shouldTerminate):
        (JSC::Watchdog::startTimer):
        * testRegExp.cpp:
        * wasm/js/JSWebAssemblyCodeBlock.cpp:

2018-03-04  Tim Horton  <timothy_horton@apple.com>

        Make !ENABLE(DATA_DETECTION) iOS build actually succeed
        https://bugs.webkit.org/show_bug.cgi?id=183283
        <rdar://problem/38062148>

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2018-03-02  Mark Lam  <mark.lam@apple.com>

        Make the LLInt probe work for ARM64.
        https://bugs.webkit.org/show_bug.cgi?id=183298
        <rdar://problem/38077413>

        Reviewed by Filip Pizlo.

        * llint/LowLevelInterpreter.asm:

2018-03-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Annotate more classes with WTF_MAKE_FAST_ALLOCATED
        https://bugs.webkit.org/show_bug.cgi?id=183279

        Reviewed by JF Bastien.

        * bytecode/BytecodeIntrinsicRegistry.h:
        * ftl/FTLThunks.h:
        * heap/CodeBlockSet.h:
        * heap/GCSegmentedArray.h:
        * heap/MachineStackMarker.h:
        * heap/MarkingConstraintSet.h:

2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        Remove monotonicallyIncreasingTime
        https://bugs.webkit.org/show_bug.cgi?id=182911

        Reviewed by Michael Catanzaro.

        * debugger/Debugger.cpp:
        (JSC::Debugger::willEvaluateScript):
        (JSC::Debugger::didEvaluateScript):
        * debugger/Debugger.h:
        * debugger/ScriptProfilingScope.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::snapshot):
        (Inspector::InspectorHeapAgent::didGarbageCollect):
        (Inspector::InspectorHeapAgent::dispatchGarbageCollectedEvent):
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::startTracking):
        (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
        (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
        (Inspector::InspectorScriptProfilerAgent::addEvent):
        (Inspector::buildSamples):
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::takeSample):
        * runtime/SamplingProfiler.h:

2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
        https://bugs.webkit.org/show_bug.cgi?id=183173

        Reviewed by Saam Barati.

        Classifier could propagate an error which does not occur at the first token
        of the given expression. We should check whether the given token is "async"
        instead of assertion.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseAssignmentExpression):

2018-03-01  Saam Barati  <sbarati@apple.com>

        We need to clear cached structures when having a bad time
        https://bugs.webkit.org/show_bug.cgi?id=183256
        <rdar://problem/36245022>

        Reviewed by Mark Lam.

        This patch makes both InternalFunctionAllocationProfile and the VM's
        structure cache having-a-bad-time aware. For InternalFunctionAllocationProfile,
        we clear them when they'd produce an object with a bad indexing type.
        For the VM's Structure cache, we conservatively clear the entire cache 
        since it may be housing Structures with bad indexing types.

        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::clearInternalFunctionAllocationProfile):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::haveABadTime):
        * runtime/StructureCache.h:
        (JSC::StructureCache::clear):

2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix exception check for ExceptionScope
        https://bugs.webkit.org/show_bug.cgi?id=183175

        * jsc.cpp:
        (GlobalObject::moduleLoaderFetch):

2018-02-28  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Fix compile error in debug builds by invoking unpoisoned().

        Reviewed by Mark Lam.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr): Fix compile error.
        (JSC::MacroAssemblerCodePtr::createFromExecutableAddress()): Ditto.
        (JSC::MacroAssemblerCodePtr::dataLocation()): Ditto.
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::dumpDisjunction): use %zu for printf'ing size_t.

2018-02-28  JF Bastien  <jfbastien@apple.com>

        GC should sweep code block before deleting
        https://bugs.webkit.org/show_bug.cgi?id=183229
        <rdar://problem/32767615>

        Reviewed by Saam Barati, Fil Pizlo.

        Stub routines shouldn't get deleted before codeblocks have been
        swept, otherwise there's a small race window where the codeblock
        thinks it's still reachable.

        * heap/Heap.cpp:
        (JSC::Heap::deleteUnmarkedCompiledCode):
        (JSC::Heap::sweepInFinalize):

2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>

        JSC crash with `import("")`
        https://bugs.webkit.org/show_bug.cgi?id=183175

        Reviewed by Saam Barati.

        Add file existence and file type checks for the module loader implementation in jsc.cpp.
        This is not safe against TOCTOU, but it is OK since this functionality is used for the
        JSC shell (jsc.cpp) for testing purposes.

        * jsc.cpp:
        (fillBufferWithContentsOfFile):
        (fetchModuleFromLocalFileSystem):
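
The check this entry describes, together with the TOCTOU caveat it notes, as an added example that is not jsc.cpp's code: the racy stat-then-open shape beside the version that makes the regular-file test on the descriptor it actually reads from. It assumes a POSIX system; readRegularFileRacy, readRegularFileChecked and writeTempFile are this example's own names.

```cpp
// Added example (not jsc.cpp code): reading a module file so that the
// "is this a regular file?" check is made on the open descriptor rather than
// on the path. A rename or symlink swap between check and use then cannot
// redirect the read to a directory, FIFO or device. Function names are this
// example's own.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <fcntl.h>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// The racy shape: stat() the path, then open the path again. Between the two
// calls the path may come to name something else, e.g. a FIFO whose open()
// blocks the shell forever, and the earlier stat() can no longer catch it.
bool readRegularFileRacy(const std::string& path, std::string& out)
{
    struct stat st;
    if (::stat(path.c_str(), &st) != 0 || !S_ISREG(st.st_mode))
        return false;
    // window: `path` is resolved a second time by fopen() below
    FILE* f = std::fopen(path.c_str(), "rb");
    if (!f)
        return false;
    out.clear();
    char buf[4096];
    size_t n;
    while ((n = std::fread(buf, 1, sizeof buf, f)) > 0)
        out.append(buf, n);
    std::fclose(f);
    return true;
}

// The hardened shape: open() once, fstat() that descriptor, and read from the
// same descriptor. O_NONBLOCK keeps open() from hanging on a FIFO; the
// S_ISREG test then rejects it before any read happens.
bool readRegularFileChecked(const std::string& path, std::string& out)
{
    int fd = ::open(path.c_str(), O_RDONLY | O_CLOEXEC | O_NONBLOCK);
    if (fd < 0)
        return false;
    struct stat st;
    if (::fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        ::close(fd);
        return false;
    }
    out.clear();
    char buf[4096];
    for (;;) {
        ssize_t n = ::read(fd, buf, sizeof buf);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            ::close(fd);
            return false;
        }
        if (n == 0)
            break;
        out.append(buf, static_cast<size_t>(n));
    }
    ::close(fd);
    return true;
}

// Helper for exercising the two readers: write `contents` to a fresh
// temporary file and return its path (empty on failure).
std::string writeTempFile(const std::string& contents)
{
    char path[] = "/tmp/module-XXXXXX";
    int fd = ::mkstemp(path);
    if (fd < 0)
        return std::string();
    size_t done = 0;
    while (done < contents.size()) {
        ssize_t n = ::write(fd, contents.data() + done, contents.size() - done);
        if (n <= 0)
            break;
        done += static_cast<size_t>(n);
    }
    ::close(fd);
    return path;
}

int main(int argc, char** argv)
{
    std::string source;
    if (argc < 2 || !readRegularFileChecked(argv[1], source)) {
        std::fprintf(stderr, "usage: %s <module.js>  (must be a readable regular file)\n", argv[0]);
        return 1;
    }
    std::printf("read %zu bytes\n", source.size());
    return 0;
}
```

Both readers agree on an ordinary file; they differ only in what happens when the path changes underneath them, which is exactly the window the entry says the shell accepts because jsc.cpp is a test harness rather than a loader exposed to untrusted content.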

2018-02-27  Keith Miller  <keith_miller@apple.com>

        Replace TrustedImmPtr(0) with TrustedImmPtr(nullptr)
        https://bugs.webkit.org/show_bug.cgi?id=183195

        Reviewed by Mark Lam.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::patchableBranchPtr):
        (JSC::MacroAssembler::patchableBranchPtrWithPatch):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchPtrWithPatch):
        (JSC::MacroAssemblerARM::storePtrWithPatch):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::call):
        (JSC::MacroAssemblerARM64::tailRecursiveCall):
        (JSC::MacroAssemblerARM64::branchPtrWithPatch):
        (JSC::MacroAssemblerARM64::patchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARM64::storePtrWithPatch):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::patchableBranchPtr):
        (JSC::MacroAssemblerARMv7::patchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::storePtrWithPatch):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::storePtrWithPatch):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branchPtrWithPatch):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
        (JSC::MacroAssemblerX86_64::call):
        (JSC::MacroAssemblerX86_64::tailRecursiveCall):
        (JSC::MacroAssemblerX86_64::makeTailRecursiveCall):
        (JSC::MacroAssemblerX86_64::branchPtrWithPatch):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileToLowerCase):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::debugCall):
        (JSC::AssemblyHelpers::sanitizeStackInline):
        * jit/IntrinsicEmitter.cpp:
        (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::initParenContextFreeList):
        (JSC::Yarr::YarrGenerator::storeToFrameWithPatch):
        (JSC::Yarr::YarrGenerator::generate):

2018-02-26  Mark Lam  <mark.lam@apple.com>

        Modernize FINALIZE_CODE and peer macros to use __VA_ARGS__ arguments.
        https://bugs.webkit.org/show_bug.cgi?id=183159
        <rdar://problem/37930837>

        Reviewed by Keith Miller.

        * assembler/LinkBuffer.h:
        * assembler/testmasm.cpp:
        (JSC::compile):
        * b3/B3Compile.cpp:
        (JSC::B3::compile):
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testEntrySwitchSimple):
        (JSC::B3::testEntrySwitchNoEntrySwitch):
        (JSC::B3::testEntrySwitchWithCommonPaths):
        (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
        (JSC::B3::testEntrySwitchLoop):
        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        (JSC::InlineAccess::rewireStubAsJump):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitThunkGenerator):
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::generate):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/ExecutableAllocator.cpp:
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/JITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::linkCallThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::arityFixupGenerator):
        (JSC::unreachableGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
        (JSC::Wasm::triggerOMGTierUpThunkGenerator):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJS):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):

2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
        https://bugs.webkit.org/show_bug.cgi?id=182965

        Reviewed by Saam Barati.

        This patch extends FTL coverage for PutByVal by adding ArrayStorage and SlowPutArrayStorage support.
        Basically, a large part of the patch is ported from the DFG code. Since PutByVal already emits CheckInBounds
        for the InBounds case, we do not have an OutOfBounds check for that case.
        This is the last change for FTL to support all the types of DFG nodes except for CreateThis.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
        For consistency, we use operationPutByValXXX and operationPutByValDirectXXX.
        But except for the SlowPutArrayStorage case, basically it is meaningless since
        we do not have indexed accessors.

2018-02-26  Saam Barati  <sbarati@apple.com>

        validateStackAccess should not validate if the offset is within the stack bounds
        https://bugs.webkit.org/show_bug.cgi?id=183067
        <rdar://problem/37749988>

        Reviewed by Mark Lam.

        The validation rule was saying that any load from the stack must be
        within the stack bounds of the frame. However, it's natural for a user
        of B3 to emit code that may be outside of B3's stack bounds, but guard
        such a load with a branch. The FTL does exactly this with GetMyArgumentByVal.
        B3 is wrong to assert that this is a static property about all stack loads.

        * b3/B3Validate.cpp:

2018-02-23  Saam Barati  <sbarati@apple.com>

        Make Number.isInteger an intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=183088

        Reviewed by JF Bastien.

        When profiling the ML subtest in ARES, I noticed it was spending some
        time in Number.isInteger. This patch makes that operation an intrinsic
        in the DFG/FTL. It might be a speedup by 1% or so on that subtest, but
        it's likely not an aggregate speedup on ARES. However, it is definitely
        faster than calling into a builtin function, so we might as well have
        it as an intrinsic.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
        (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        (JSC::numberConstructorFuncIsInteger):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::isIntegerImpl):

2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>

        WebAssembly: cache memory address / size on instance
        https://bugs.webkit.org/show_bug.cgi?id=177305

        Reviewed by JF Bastien.

        Cache memory address/size in wasm:Instance to avoid loading the wasm:Memory
        object during access to memory and the memory size property in JIT

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::addCurrentMemory):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::cachedMemory const):
        (JSC::Wasm::Instance::cachedMemorySize const):
        (JSC::Wasm::Instance::createWeakPtr):
        (JSC::Wasm::Instance::setMemory):
        (JSC::Wasm::Instance::updateCachedMemory):
        (JSC::Wasm::Instance::offsetOfCachedMemory):
        (JSC::Wasm::Instance::offsetOfCachedMemorySize):
        (JSC::Wasm::Instance::offsetOfCachedIndexingMask):
        (JSC::Wasm::Instance::allocationSize):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::grow):
        (JSC::Wasm::Memory::registerInstance):
        * wasm/WasmMemory.h:
        (JSC::Wasm::Memory::indexingMask):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::evaluate):

2018-02-23  Saam Barati  <sbarati@apple.com>

        ArgumentsEliminationPhase has a branch on GetByOffset that should be an assert
        https://bugs.webkit.org/show_bug.cgi?id=182982

        Reviewed by Yusuke Suzuki.

        I don't know why this check was not always an assert. When we see
        a GetByOffset on an eliminated allocation, that allocation *must*
        be a PhantomClonedArguments. If it weren't, the GetByOffset would
        have escaped it. Because this transformation happens by visiting
        blocks in pre-order, and by visiting nodes in a block starting from
        index zero to index block->size() - 1, we're guaranteed that eliminated
        allocations get transformed before users of it, since we visit nodes
        in dominator order.

        * dfg/DFGArgumentsEliminationPhase.cpp:

2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement $vm.ftlTrue function for FTL testing
        https://bugs.webkit.org/show_bug.cgi?id=183071

        Reviewed by Mark Lam.

        Add $vm.ftlTrue, which becomes true if the caller is compiled in FTL.
        This is useful for testing whether the caller function is compiled in FTL.

        We also remove duplicate DFGTrue function in jsc.cpp. We have $vm.dfgTrue.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFalse1):
        (functionFalse2): Deleted.
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionFTLTrue):
        (JSC::JSDollarVM::finishCreation):

2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
        https://bugs.webkit.org/show_bug.cgi?id=182792

        Reviewed by Mark Lam.

        This patch adds HasIndexedProperty for ArrayStorage and SlowPutArrayStorage in FTL.
        HasIndexedProperty with ArrayStorage frequently causes FTL compilation failures
        in web-tooling-benchmarks.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):

2018-02-22  Mark Lam  <mark.lam@apple.com>

        Refactor MacroAssembler code to improve reuse and extensibility.
        https://bugs.webkit.org/show_bug.cgi?id=183054
        <rdar://problem/37797337>

        Reviewed by Saam Barati.

        * assembler/ARM64Assembler.h:
        * assembler/MacroAssembler.cpp:
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::canCompact):
        (JSC::MacroAssemblerARM64::computeJumpType):
        (JSC::MacroAssemblerARM64::jumpSizeDelta):
        (JSC::MacroAssemblerARM64::link):
        (JSC::MacroAssemblerARM64::load64):
        (JSC::MacroAssemblerARM64::load64WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::load32):
        (JSC::MacroAssemblerARM64::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::load16):
        (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
        (JSC::MacroAssemblerARM64::load8):
        (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
        (JSC::MacroAssemblerARM64::store64):
        (JSC::MacroAssemblerARM64::store64WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::store32):
        (JSC::MacroAssemblerARM64::store32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::store16):
        (JSC::MacroAssemblerARM64::store8):
        (JSC::MacroAssemblerARM64::getEffectiveAddress):
        (JSC::MacroAssemblerARM64::branchDoubleNonZero):
        (JSC::MacroAssemblerARM64::branchDoubleZeroOrNaN):
        (JSC::MacroAssemblerARM64::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::loadFloat):
        (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
        (JSC::MacroAssemblerARM64::storeDouble):
        (JSC::MacroAssemblerARM64::storeFloat):
        (JSC::MacroAssemblerARM64::call):
        (JSC::MacroAssemblerARM64::jump):
        (JSC::MacroAssemblerARM64::tailRecursiveCall):
        (JSC::MacroAssemblerARM64::setCarry):
        (JSC::MacroAssemblerARM64::reemitInitialMoveWithPatch):
        (JSC::MacroAssemblerARM64::isBreakpoint):
        (JSC::MacroAssemblerARM64::invert):
        (JSC::MacroAssemblerARM64::readCallTarget):
        (JSC::MacroAssemblerARM64::replaceWithVMHalt):
        (JSC::MacroAssemblerARM64::replaceWithJump):
        (JSC::MacroAssemblerARM64::maxJumpReplacementSize):
        (JSC::MacroAssemblerARM64::patchableJumpSize):
        (JSC::MacroAssemblerARM64::repatchCall):
        (JSC::MacroAssemblerARM64::makeBranch):
        (JSC::MacroAssemblerARM64::makeCompareAndBranch):
        (JSC::MacroAssemblerARM64::makeTestBitAndBranch):
        (JSC::MacroAssemblerARM64::ARM64Condition):
        (JSC::MacroAssemblerARM64::moveWithFixedWidth):
        (JSC::MacroAssemblerARM64::load):
        (JSC::MacroAssemblerARM64::store):
        (JSC::MacroAssemblerARM64::tryLoadWithOffset):
        (JSC::MacroAssemblerARM64::tryLoadSignedWithOffset):
        (JSC::MacroAssemblerARM64::tryStoreWithOffset):
        (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
        (JSC::MacroAssemblerARM64::linkCall):
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerMIPS.h:
        * assembler/MacroAssemblerX86Common.h:
        * assembler/ProbeStack.h:
        - Removed a forward declaration of an obsolete class.

2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        Remove sleep(double) and sleepMS(double) interfaces
        https://bugs.webkit.org/show_bug.cgi?id=183038

        Reviewed by Mark Lam.

        * bytecode/SuperSampler.cpp:
        (JSC::initializeSuperSampler):

2018-02-21  Don Olmstead  <don.olmstead@sony.com>

        [CMake] Split declaration of JSC headers into public and private
        https://bugs.webkit.org/show_bug.cgi?id=182980

        Reviewed by Michael Catanzaro.

        * CMakeLists.txt:
        * PlatformGTK.cmake:
        * PlatformMac.cmake:
        * PlatformWPE.cmake:
        * PlatformWin.cmake:

2018-02-20  Saam Barati  <sbarati@apple.com>

        DFG::VarargsForwardingPhase should eliminate getting argument length
        https://bugs.webkit.org/show_bug.cgi?id=182959

        Reviewed by Keith Miller.

        This patch teaches the DFG VarargsForwardingPhase to not treat
        length accesses on Cloned/Direct Arguments objects as escapes.
        It teaches this phase to materialize the length in the same
        way the ArgumentsEliminationPhase does.
        
        This is around a 0.5-1% speedup on ARES6 on my iMac. It speeds
        up the ML subtest by 2-4%.
        
        This patch also extends compileGetArgumentCountIncludingThis to take
        a parameter that is the inline call frame to load from (in the case
        where the inline call frame is a varargs frame). This allows the
        emitCodeToGetArgumentsArrayLength helper function to just emit
        a GetArgumentCountIncludingThis node instead of a GetLocal. If we
        emitted a GetLocal, we'd need to rerun CPS rethreading.

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArgumentsUtilities.cpp:
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArgumentCount):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::argumentsInlineCallFrame):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis):
        * dfg/DFGVarargsForwardingPhase.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArgumentCountIncludingThis):

2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Support ArrayPush for ArrayStorage
        https://bugs.webkit.org/show_bug.cgi?id=182782

        Reviewed by Saam Barati.

        This patch adds support for ArrayPush(ArrayStorage). We just port ArrayPush(ArrayStorage) in DFG to FTL.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):

2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Support ArrayPop for ArrayStorage
        https://bugs.webkit.org/show_bug.cgi?id=182783

        Reviewed by Saam Barati.

        This patch adds ArrayPop(ArrayStorage) support to FTL. We port the implementation in DFG to FTL.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):

2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
        https://bugs.webkit.org/show_bug.cgi?id=182731

        Reviewed by Saam Barati.

        This patch adds support for Arrayify(ArrayStorage/SlowPutArrayStorage) to FTL.
        Due to ArrayifyToStructure and CheckArray changes, necessary changes for
        supporting Arrayify in FTL are already done. Just allowing it in FTLCapabilities.cpp
        is enough.

        We fix FTL's CheckArray logic. Previously, CheckArray(SlowPutArrayStorage) did not pass
        ArrayStorage in FTL. But now it passes this as DFG does. Moreover, we fix DFG's CheckArray
        where CheckArray(ArrayStorage+NonArray) can pass ArrayStorage+Array.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):

2018-02-19  Saam Barati  <sbarati@apple.com>

        Don't use JSFunction's allocation profile when getting the prototype can be effectful
        https://bugs.webkit.org/show_bug.cgi?id=182942
        <rdar://problem/37584764>

        Reviewed by Mark Lam.

        Prior to this patch, the create_this implementation assumed that anything
        that is a JSFunction can use the object allocation profile and go down the
        fast path to allocate the |this| object. Implied by this approach is that
        accessing the 'prototype' property of the incoming function is not an
        effectful operation. This is inherent to the ObjectAllocationProfile 
        data structure: it caches the prototype field. However, getting the
        'prototype' property might be an effectful operation, e.g., it could
        be a getter. Many variants of functions in JS have the 'prototype' property
        as non-configurable. However, some functions, like bound functions, do not
        have the 'prototype' field with these attributes.
        
        This patch adds the notion of 'canUseAllocationProfile' to JSFunction
        and threads it through so that we only go down the fast path and use
        the allocation profile when the prototype property is non-configurable.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ClassExprNode::emitBytecode):
        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::prototypeForConstruction):
        (JSC::JSFunction::allocateAndInitializeRareData):
        (JSC::JSFunction::initializeRareData):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::canUseAllocationProfileNonInline):
        * runtime/JSFunction.h:
        (JSC::JSFunction::ensureRareDataAndAllocationProfile):
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::canUseAllocationProfile):

2018-02-19  Saam Barati  <sbarati@apple.com>

        Don't mark an array profile out of bounds for the cases where the DFG will convert the access to SaneChain
        https://bugs.webkit.org/show_bug.cgi?id=182912
        <rdar://problem/37685083>

        Reviewed by Keith Miller.

        In the baseline JIT and LLInt, when we load a hole from an original array,
        with the array prototype chain being normal, we end up marking the ArrayProfile
        for that GetByVal as out of bounds. However, the DFG knows exactly how to
        optimize this case by returning undefined when loading from a hole. Currently,
        it only does this for Contiguous arrays (and sometimes Double arrays).
        This patch just makes sure to not mark the ArrayProfile as out of bounds
        in this scenario for Contiguous arrays, since the DFG will always optimize
        this case.
        
        However, we should extend this by profiling when a GetByVal loads a hole. By
        doing so, we can optimize this for Int32, ArrayStorage, and maybe even Double
        arrays. That work will happen in:
        https://bugs.webkit.org/show_bug.cgi?id=182940
        
        This patch is a 30-50% speedup on JetStream's hash-map test. This patch
        speeds up JetStream by 1% when testing on my iMac.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine const):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        (JSC::canAccessArgumentIndexQuickly): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):

2018-02-17  Filip Pizlo  <fpizlo@apple.com>

        GetArrayMask should support constant folding
        https://bugs.webkit.org/show_bug.cgi?id=182907

        Reviewed by Saam Barati.
        
        Implement constant folding for GetArrayMask. This revealed a bug in tryGetFoldableView, where it was
        ignoring the result of a jsDynamicCast<>(). This wasn't a bug before because it would have been
        impossible for that function to get called with a non-null value if the value was not an array view,
        due to type filtering in CheckArray, the fact that CheckArray had to dominate GetArrayLength, and
        the fact that the other tryGetFoldableView overload made sure that the array mode was some typed
        array.
        
        This isn't a measurable progression, but it does save a register in the codegen for typed array
        accesses. Hopefully these improvements add up.

        * assembler/AssemblerBuffer.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetFoldableView):

2018-02-18  Dominik Inführ  <dominik.infuehr@gmail.com>

        Offlineasm/MIPS: immediates need to be within 16-bit signed values
        https://bugs.webkit.org/show_bug.cgi?id=182890

        Reviewed by Michael Catanzaro.

        In Sequence.getModifiedListMIPS(), we allow immediate values within
        the range -0xffff..0xffff for immediates (addresses and other
        immediates), but then in Immediate.mipsOperand() and
        Address.mipsOperand() we raise if immediate values are not within
        -0x7fff..0x7fff. This is inconsistent, and broke compilation on mips
        since r228552 made the VM structure bigger meaning we address values
        with bigger offsets in llint. This change restricts the allowed range,
        so that a separate load of the value is done for values outside of
        that range.

        * offlineasm/mips.rb:

2018-02-17  Darin Adler  <darin@apple.com>

        Web Inspector: get rid of remaining uses of OptOutput<T>
        https://bugs.webkit.org/show_bug.cgi?id=180607

        Reviewed by Brian Burg.

        * inspector/AsyncStackTrace.cpp: Removed explicit Inspector prefix from code that
        is inside the Inspector namespace already. Also use auto a bit.
        * inspector/AsyncStackTrace.h: Ditto.
        * inspector/ConsoleMessage.cpp: Ditto.

        * inspector/ContentSearchUtilities.cpp: More Inspector namespace removal and ...
        (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Use a
        Vector instead of a unique_ptr<Vector>.
        (Inspector::ContentSearchUtilities::lineEndings): Ditto.
        (Inspector::ContentSearchUtilities::stylesheetCommentPattern): Deleted.
        (Inspector::ContentSearchUtilities::findMagicComment): Use std::array instead of
        a Vector for a fixed size array; also got rid of reinterpret_cast.
        (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL): Moved the regular
        expression here since it's the only place it was used.

        * inspector/ContentSearchUtilities.h: Cut down on unneeded includes.

        * inspector/InjectedScript.cpp: Removed explicit Inspector prefix from code that
        is inside the Inspector namespace already. Also use auto a bit.

        * inspector/InspectorProtocolTypes.h: Removed OptOutput. Simplified assertions.
        Removed base template for BindingTraits; we only need the specializations.

        * inspector/ScriptCallFrame.cpp: Removed explicit Inspector prefix from code that
        is inside the Inspector namespace already. Also use auto a bit.
        * inspector/ScriptCallFrame.h: Ditto.
        * inspector/ScriptCallStack.cpp: Ditto.
        * inspector/ScriptCallStack.h: Ditto.
        * inspector/agents/InspectorConsoleAgent.cpp: Ditto.
        * inspector/agents/InspectorConsoleAgent.h: Ditto.

        * inspector/agents/InspectorDebuggerAgent.cpp: More Inspector namespace removal and ...
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use std::optional& instead of
        OptOutput* for out arguments.
        * inspector/agents/InspectorDebuggerAgent.h: Ditto.

        * inspector/agents/InspectorHeapAgent.cpp: More Inspector namespace removal and ...
        (Inspector::InspectorHeapAgent::getPreview): Use std::optional& instead of OptOutput*
        for out arguments.
        * inspector/agents/InspectorHeapAgent.h: Ditto.

        * inspector/agents/InspectorRuntimeAgent.cpp: More Inspector namespace removal and ...
        (Inspector::InspectorRuntimeAgent::parse): Use std::optional& instead of OptOutput*
        for out arguments.
        (Inspector::InspectorRuntimeAgent::evaluate): Ditto.
        (Inspector::InspectorRuntimeAgent::callFunctionOn): Ditto.
        (Inspector::InspectorRuntimeAgent::saveResult): Ditto.
        * inspector/agents/InspectorRuntimeAgent.h: Ditto.

        * inspector/agents/InspectorScriptProfilerAgent.cpp: More Inspector namespace removal
        and removed some bogus const.
        * inspector/agents/InspectorScriptProfilerAgent.h: Ditto.

        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Removed some bogus const.
        (CppGenerator.cpp_type_for_type_with_name): Ditto.
        (CppGenerator.cpp_type_for_formal_out_parameter): Use std::optional& instead of
        Inspector::Protocol::OptOutput*.
        (CppGenerator.cpp_type_for_formal_async_parameter): Ditto.
        (CppGenerator.cpp_type_for_stack_in_parameter): Ditto.
        (CppGenerator.cpp_type_for_stack_out_parameter): Ditto.

        * inspector/scripts/codegen/cpp_generator_templates.py: Removed ASSERT_DISABLED
        conditional around assertion code which will now compile to nothing if ASSERT is disabled.
        Build strings more simply in a few cases.

        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
        Use has_value instead of isAssigned and * operator instead of getValue() since std::optional
        replaces OptOutput here.
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        Pass by reference instead of pointer now.

        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        Removed ASSERT_DISABLED conditional around assertion code which will now compile to nothing
        if ASSERT is disabled.

        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration): Generate
        the assertion function unconditionally, but leave out the assertions if ASSERT_DISABLED is true.
        (CppProtocolTypesImplementationGenerator): Use auto instead of writing out JSON::Object::iterator.

        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command): Build strings
        more simply.

        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        Rebaselined.

2018-02-16  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r228318.

        The patch that this attempted to fix was rolled out already.

        Reverted changeset:

        "Fix build on ARMv7 traditional JSCOnly bot after r228306"
        https://bugs.webkit.org/show_bug.cgi?id=182563
        https://trac.webkit.org/changeset/228318

2018-02-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out r228306 (custom memcpy/memset) because the bots say that it was not a
        progression.

        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::append):
        * heap/LargeAllocation.cpp:
        (JSC::LargeAllocation::tryCreate):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::didAddToDirectory):
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::tryAllocate):
        (JSC::ArrayBufferContents::copyTo):
        (JSC::ArrayBuffer::createInternal):
        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::zeroRangeImpl):
        * runtime/ArrayConventions.cpp:
        (JSC::clearArrayMemset):
        * runtime/ArrayConventions.h:
        (JSC::clearArray):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::createOrGrowPropertyStorage):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::resizeArray):
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::GenericTypedArrayView<Adaptor>::create):
        * runtime/JSArray.cpp:
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::fastSlice):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        * runtime/JSObject.cpp:
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):

2018-02-16  Saam Barati  <sbarati@apple.com>

        Fix bugs from r228411
        https://bugs.webkit.org/show_bug.cgi?id=182851
        <rdar://problem/37577732>

        Reviewed by JF Bastien.

        There was a bug from r228411 where inside the constant folding phase,
        we used an insertCheck method that didn't handle varargs. This would
        lead to a crash. When thinking about the fix for that function, I realized
        I made a couple of mistakes in r228411. One is probably a security bug, and
        the other is a performance bug because it'll prevent CSE for certain flavors
        of GetByVal nodes. Both blunders are similar in nature.
        
        In r228411, I added code in LICM that inserted a CheckVarargs node with children
        of another varargs node. However, to construct this new node's children,
        I just copied the AdjacencyList. This does a shallow copy. What we needed
        was a deep copy. We needed to create a new vararg AdjacencyList that points
        to edges that are deep copies of the original varargs children. This patch
        fixes this goof in LICM.
        
        r228411 made it so that PureValue over a varargs node would just compare actual
        AdjacencyLists structs. So, if you had two GetByVals that had equal sanitized
        children, their actual AdjacencyList structs are *not* bitwise equal, since they'll
        have different firstChild values. Instead, we need to do a deep compare of their
        adjacency lists. This patch teaches PureValue how to do that.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::copyVarargChildren):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::insertCheck):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGPureValue.cpp:
        (JSC::DFG::PureValue::dump const):
        * dfg/DFGPureValue.h:
        (JSC::DFG::PureValue::PureValue):
        (JSC::DFG::PureValue::op const):
        (JSC::DFG::PureValue::hash const):
        (JSC::DFG::PureValue::operator== const):
        (JSC::DFG::PureValue::isVarargs const):
        (JSC::DFG::PureValue::children const): Deleted.
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):

2018-02-16  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r228546.

        This caused a consistent crash on all macOS WK2 platforms.

        Reverted changeset:

        "Web Inspector: get rid of remaining uses of OptOutput<T>"
        https://bugs.webkit.org/show_bug.cgi?id=180607
        https://trac.webkit.org/changeset/228546

2018-02-16  Fujii Hironori  <Hironori.Fujii@sony.com>

        fast/frames/sandboxed-iframe-navigation-top-denied.html is crashing in Inspector::createScriptCallStackForConsole::Exec for GTK
        https://bugs.webkit.org/show_bug.cgi?id=172952

        Reviewed by Michael Catanzaro.

        Null dereference of VM::topCallFrame happens in
        Inspector::createScriptCallStackForConsole if the ExecState has no
        call frames.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack): Do null check of topCallFrame.
        (Inspector::createScriptCallStackForConsole): Ditto.

2018-02-15  Filip Pizlo  <fpizlo@apple.com>

        Objects that contain dangerous things should be allocated far away from objects that can do OOB
        https://bugs.webkit.org/show_bug.cgi?id=182843

        Reviewed by Saam Barati.
        
        To complete our object distancing plan, we need to put objects that can contain unpoisoned data
        far away from objects that cannot. Objects referenceable from JSValues cannot contain
        unpoisoned data, but auxiliary data can. This further divides auxiliary data that is meant for
        storing mostly JSValues from data that is meant for storing anything.
        
        This is achieved by having three SecurityKinds that are used for MarkedBlock selection and
        zeroing sort of the same way SecurityOriginToken already was.
        
        This change shouldn't make anything slower. If anything, it will be a small speed-up because it
        removes some cases of MarkedBlock zeroing since we don't need to zero blocks used for two of
        the SecurityKinds.

        * Sources.txt:
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * heap/BlockDirectory.cpp:
        (JSC::BlockDirectory::addBlock):
        * heap/BlockDirectory.h:
        * heap/CellAttributes.cpp:
        (JSC::CellAttributes::dump const):
        * heap/CellAttributes.h:
        (JSC::CellAttributes::CellAttributes):
        * heap/LocalAllocator.cpp:
        (JSC::LocalAllocator::allocateSlowCase):
        (JSC::LocalAllocator::tryAllocateWithoutCollecting):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::didAddToDirectory):
        (JSC::MarkedBlock::Handle::associateWithOrigin): Deleted.
        * heap/MarkedBlock.h:
        * heap/SecurityKind.cpp: Added.
        (WTF::printInternal):
        * heap/SecurityKind.h: Added.
        * runtime/JSCellInlines.h:
        (JSC::JSCell::subspaceFor):
        * runtime/JSDestructibleObjectHeapCellType.cpp:
        (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
        * runtime/JSObject.h:
        (JSC::JSObject::subspaceFor):
        * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
        (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
        * runtime/JSStringHeapCellType.cpp:
        (JSC::JSStringHeapCellType::JSStringHeapCellType):
        * runtime/Symbol.h:
        (JSC::Symbol::subspaceFor):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
        (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):

2018-02-15  Darin Adler  <darin@apple.com>

        Web Inspector: get rid of remaining uses of OptOutput<T>
        https://bugs.webkit.org/show_bug.cgi?id=180607

        Reviewed by Brian Burg.

        * inspector/AsyncStackTrace.cpp: Removed explicit Inspector prefix from code that
        is inside the Inspector namespace already. Also use auto a bit.
        * inspector/AsyncStackTrace.h: Ditto.
        * inspector/ConsoleMessage.cpp: Ditto.

        * inspector/ContentSearchUtilities.cpp: More Inspector namespace removal and ...
        (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Use a
        Vector instead of a unique_ptr<Vector>.
        (Inspector::ContentSearchUtilities::lineEndings): Ditto.
        (Inspector::ContentSearchUtilities::stylesheetCommentPattern): Deleted.
        (Inspector::ContentSearchUtilities::findMagicComment): Use std::array instead of
        a Vector for a fixed size array; also got rid of reinterpret_cast.
        (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL): Moved the regular
        expression here since it's the only place it was used.

        * inspector/ContentSearchUtilities.h: Cut down on unneeded includes.

        * inspector/InjectedScript.cpp: Removed explicit Inspector prefix from code that
        is inside the Inspector namespace already. Also use auto a bit.

        * inspector/InspectorProtocolTypes.h: Removed OptOutput. Simplified assertions.
        Removed base template for BindingTraits; we only need the specializations.

        * inspector/ScriptCallFrame.cpp: Removed explicit Inspector prefix from code that
        is inside the Inspector namespace already. Also use auto a bit.
        * inspector/ScriptCallFrame.h: Ditto.
        * inspector/ScriptCallStack.cpp: Ditto.
        * inspector/ScriptCallStack.h: Ditto.
        * inspector/agents/InspectorConsoleAgent.cpp: Ditto.
        * inspector/agents/InspectorConsoleAgent.h: Ditto.

        * inspector/agents/InspectorDebuggerAgent.cpp: More Inspector namespace removal and ...
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use std::optional& instead of
        OptOutput* for out arguments.
        * inspector/agents/InspectorDebuggerAgent.h: Ditto.

        * inspector/agents/InspectorHeapAgent.cpp: More Inspector namespace removal and ...
        (Inspector::InspectorHeapAgent::getPreview): Use std::optional& instead of OptOutput*
        for out arguments.
        * inspector/agents/InspectorHeapAgent.h: Ditto.

        * inspector/agents/InspectorRuntimeAgent.cpp: More Inspector namespace removal and ...
        (Inspector::InspectorRuntimeAgent::parse): Use std::optional& instead of OptOutput*
        for out arguments.
        (Inspector::InspectorRuntimeAgent::evaluate): Ditto.
        (Inspector::InspectorRuntimeAgent::callFunctionOn): Ditto.
        (Inspector::InspectorRuntimeAgent::saveResult): Ditto.
        * inspector/agents/InspectorRuntimeAgent.h: Ditto.

        * inspector/agents/InspectorScriptProfilerAgent.cpp: More Inspector namespace removal
        and removed some bogus const.
        * inspector/agents/InspectorScriptProfilerAgent.h: Ditto.

        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Removed some bogus const.
        (CppGenerator.cpp_type_for_type_with_name): Ditto.
        (CppGenerator.cpp_type_for_formal_out_parameter): Use std::optional& instead of
        Inspector::Protocol::OptOutput*.
        (CppGenerator.cpp_type_for_formal_async_parameter): Ditto.
        (CppGenerator.cpp_type_for_stack_in_parameter): Ditto.
        (CppGenerator.cpp_type_for_stack_out_parameter): Ditto.

        * inspector/scripts/codegen/cpp_generator_templates.py: Removed ASSERT_DISABLED
        conditional around assertion code which will now compile to nothing if ASSERT is disabled.
        Build strings more simply in a few cases.

        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
        Use has_value instead of isAssigned and * operator instead of getValue() since std::optional
        replaces OptOutput here.
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        Pass by reference instead of pointer now.

        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        Removed ASSERT_DISABLED conditional around assertion code which will now compile to nothing
        if ASSERT is disabled.

        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration): Generate
        the assertion function unconditionally, but leave out the assertions if ASSERT_DISABLED is true.
        (CppProtocolTypesImplementationGenerator): Use auto instead of writing out JSON::Object::iterator.

        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command): Build strings
        more simply.

        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        Rebaselined.

2018-02-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out r228366 since it did not progress anything.

        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::visitChildren):
        (JSC::ErrorInstance::finalizeUnconditionally): Deleted.
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::stackTrace):
        (JSC::ErrorInstance::subspaceFor): Deleted.
        * runtime/Exception.cpp:
        (JSC::Exception::visitChildren):
        (JSC::Exception::finalizeUnconditionally): Deleted.
        * runtime/Exception.h:
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::visitChildren):
        (JSC::StackFrame::isFinalizationCandidate): Deleted.
        (JSC::StackFrame::finalizeUnconditionally): Deleted.
        * runtime/StackFrame.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-02-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove monotonicallyIncreasingTime and currentTime
        https://bugs.webkit.org/show_bug.cgi?id=182793

        Reviewed by Saam Barati.

        We would like to drop monotonicallyIncreasingTime and currentTime from our tree by
        replacing them with MonotonicTime and WallTime, which are well-typed alternatives,
        compared to double.
        This patch removes monotonicallyIncreasingTime and currentTime in JSC.

        * b3/testb3.cpp:
        (JSC::B3::testComplex):
        * dfg/DFGPhase.h:
        (JSC::DFG::runAndLog):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPlan.h:
        * dynbench.cpp:
        (JSC::benchmarkImpl):
        * heap/BlockDirectory.cpp:
        (JSC::BlockDirectory::isPagedOut):
        * heap/BlockDirectory.h:
        * heap/FullGCActivityCallback.cpp:
        (JSC::FullGCActivityCallback::doCollection):
        * heap/Heap.cpp:
        (JSC::Heap::isPagedOut):
        (JSC::Heap::sweepSynchronously):
        * heap/Heap.h:
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::isPagedOut):
        * heap/MarkedSpace.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::startTiming):
        (Inspector::InspectorConsoleAgent::stopTiming):
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        (JSC::JIT::compileTimeStats):
        * jit/JIT.h:
        * jsc.cpp:
        (StopWatch::start):
        (StopWatch::stop):
        (StopWatch::getElapsedMS):
        (functionPreciseTime):
        (runJSC):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::logEvent):
        * profiler/ProfilerEvent.cpp:
        (JSC::Profiler::Event::toJS const):
        * profiler/ProfilerEvent.h:
        (JSC::Profiler::Event::Event):
        (JSC::Profiler::Event::time const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCacheMap::pruneSlowCase):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::CodeCacheMap):
        (JSC::CodeCacheMap::prune):
        * runtime/DateConstructor.cpp:
        (JSC::callDate):
        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::processLogEntries):
        * testRegExp.cpp:
        (StopWatch::start):
        (StopWatch::stop):
        (StopWatch::getElapsedMS):

2018-02-14  Keith Miller  <keith_miller@apple.com>

        We should be able to jsDynamicCast from JSType when possible
        https://bugs.webkit.org/show_bug.cgi?id=182804

        Reviewed by Filip Pizlo and Mark Lam.

        This patch beefs up jsDynamicCast in some of the cases where we
        can use the JSType to quickly determine if a cell is a subclass of
        the desired type. Since all JSCells have a range of JSTypes they support,
        if there is a range exclusive to a class and all subclasses we can use
        that range to quickly determine if the cast should be successful.

        Additionally, the JSValue versions of jsCast and jsDynamicCast now
        call the JSCell version after checking the value is a cell.

        Finally, the casting functions have been moved to a new header,
        JSCast.h

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallVariant.h:
        * bytecode/CodeBlock.h:
        * bytecode/ExecutableToCodeBlockEdge.h:
        * bytecode/TrackedReferences.h:
        * bytecode/UnlinkedCodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGFrozenValue.h:
        * dfg/DFGStructureAbstractValue.h:
        * heap/CellContainerInlines.h:
        * heap/ConservativeRoots.cpp:
        * heap/GCLogging.cpp:
        * heap/HeapInlines.h:
        * heap/HeapSnapshotBuilder.cpp:
        * heap/MarkedBlock.cpp:
        * heap/MarkedBlockInlines.h:
        * heap/SubspaceInlines.h:
        * heap/WeakInlines.h:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * llint/LLIntOffsetsExtractor.cpp:
        * runtime/ArrayBufferNeuteringWatchpoint.h:
        * runtime/BigIntPrototype.cpp:
        * runtime/ClassInfo.h:
        * runtime/CustomGetterSetter.h:
        * runtime/FunctionRareData.h:
        * runtime/GetterSetter.h:
        * runtime/InferredType.h:
        * runtime/InferredTypeTable.h:
        * runtime/InferredValue.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        * runtime/JSAPIValueWrapper.h:
        * runtime/JSArray.h:
        (JSC::JSArray::finishCreation):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::finishCreation):
        * runtime/JSCast.h: Added.
        (JSC::jsCast):
        (JSC::JSCastingHelpers::jsDynamicCastGenericImpl):
        (JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl):
        (JSC::JSCastingHelpers::JSDynamicCastTraits::cast):
        (JSC::jsDynamicCast):
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        (JSC::jsCast): Deleted.
        (JSC::jsDynamicCast): Deleted.
        * runtime/JSCellInlines.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        * runtime/JSJob.h:
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPropertyNameEnumerator.h:
        * runtime/NativeStdFunctionCell.h:
        * runtime/ScopedArgumentsTable.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/Structure.h:
        * runtime/StructureChain.h:
        * runtime/StructureRareData.h:
        * tools/CellProfile.h:
        * wasm/js/JSWebAssemblyCodeBlock.h:
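
        The range check the entry above describes, as an added example that is not JavaScriptCore code: a class that owns an exclusive range of type tags (for itself and all its subclasses) is cast with two compares on the cell's tag, and a class without such a range falls back to a walk of the ClassInfo chain. All names here (ExType, ExCell, ExClassInfo, exDynamicCast, the tag layout) are constructed stand-ins for JSC's JSType, JSCell, ClassInfo and jsDynamicCast.

```cpp
// Added example, not JavaScriptCore code: dynamic casting by type-tag range.
// When a class and all of its subclasses own an exclusive range of tags, two
// compares on the cell's tag decide the cast; otherwise a ClassInfo walk is
// needed. ExType, ExCell, ExClassInfo and exDynamicCast are constructed stand-ins.
#include <cstdint>
#include <type_traits>

// Constructed type tags. Subclasses are laid out directly after their base,
// so "Object and everything derived from it" is the contiguous range
// Object..Array, and "Function and its subclasses" is Function..BoundFunction.
enum class ExType : std::uint8_t { Object, Function, BoundFunction, Array };

// Stand-in for JSC's ClassInfo chain; the generic cast path walks it.
struct ExClassInfo {
    const ExClassInfo* parent;
    bool isSubClassOf(const ExClassInfo* other) const {
        for (const ExClassInfo* ci = this; ci; ci = ci->parent)
            if (ci == other) return true;
        return false;
    }
};

struct ExCell { ExType type; const ExClassInfo* classInfo; };

struct ExObject        : ExCell     { static const ExClassInfo s_info; };
struct ExFunction      : ExObject   { static const ExClassInfo s_info; };
struct ExBoundFunction : ExFunction { static const ExClassInfo s_info; };
struct ExArray         : ExObject   { static const ExClassInfo s_info; };
// An Object subclass that shares ExType::Object with plain objects: it owns no
// exclusive tag range, so only the ClassInfo chain can identify it.
struct ExErrorObject   : ExObject   { static const ExClassInfo s_info; };

const ExClassInfo ExObject::s_info{nullptr};
const ExClassInfo ExFunction::s_info{&ExObject::s_info};
const ExClassInfo ExBoundFunction::s_info{&ExFunction::s_info};
const ExClassInfo ExArray::s_info{&ExObject::s_info};
const ExClassInfo ExErrorObject::s_info{&ExObject::s_info};

// Traits naming a class's exclusive tag range, when it has one.
template<typename T> struct TypeRange { static constexpr bool hasRange = false; };
#define EX_TYPE_RANGE(Class, First, Last)                                   \
    template<> struct TypeRange<Class> {                                    \
        static constexpr bool hasRange = true;                              \
        static constexpr ExType first = ExType::First, last = ExType::Last; \
    }
EX_TYPE_RANGE(ExObject, Object, Array);
EX_TYPE_RANGE(ExFunction, Function, BoundFunction);
EX_TYPE_RANGE(ExBoundFunction, BoundFunction, BoundFunction);
EX_TYPE_RANGE(ExArray, Array, Array);

// Counters exposing which path resolved each cast.
int g_fastPathCasts = 0;
int g_genericPathCasts = 0;

// Fast path: the target owns a tag range, so two compares decide the cast.
template<typename To>
To* castImpl(ExCell* cell, std::true_type) {
    ++g_fastPathCasts;
    bool inRange = cell->type >= TypeRange<To>::first && cell->type <= TypeRange<To>::last;
    return inRange ? static_cast<To*>(cell) : nullptr;
}

// Generic path: no exclusive range, so walk the ClassInfo chain instead.
template<typename To>
To* castImpl(ExCell* cell, std::false_type) {
    ++g_genericPathCasts;
    return cell->classInfo->isSubClassOf(&To::s_info) ? static_cast<To*>(cell) : nullptr;
}

// Stand-in for jsDynamicCast<To>(JSCell*): the path is chosen at compile time.
template<typename To>
To* exDynamicCast(ExCell* cell) {
    return castImpl<To>(cell, std::integral_constant<bool, TypeRange<To>::hasRange>());
}

template<typename T> T makeCell(ExType type) { T c; c.type = type; c.classInfo = &T::s_info; return c; }

// A bound function is a Function (tag BoundFunction lies in Function..BoundFunction)
// and an Object, but not an Array; all three casts take the fast path.
bool boundFunctionCasts() {
    ExBoundFunction c = makeCell<ExBoundFunction>(ExType::BoundFunction);
    int before = g_fastPathCasts;
    bool ok = exDynamicCast<ExFunction>(&c) && exDynamicCast<ExObject>(&c) && !exDynamicCast<ExArray>(&c);
    return ok && g_fastPathCasts == before + 3;
}

// An error object is an Object by tag, but only the ClassInfo walk can tell it
// apart from a plain object, so the two ExErrorObject casts take the generic path.
bool errorObjectCasts() {
    ExErrorObject err = makeCell<ExErrorObject>(ExType::Object);
    ExObject plain = makeCell<ExObject>(ExType::Object);
    int before = g_genericPathCasts;
    bool ok = exDynamicCast<ExObject>(&err) && exDynamicCast<ExErrorObject>(&err)
        && !exDynamicCast<ExErrorObject>(&plain) && !exDynamicCast<ExFunction>(&err);
    return ok && g_genericPathCasts == before + 2;
}

int main() { return (boundFunctionCasts() && errorObjectCasts()) ? 0 : 1; }
```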

2018-02-14  Michael Saboff  <msaboff@apple.com>

        Crash: triggerOMGTierUpThunkGenerator() doesn't align the stack pointer before calling C++ code
        https://bugs.webkit.org/show_bug.cgi?id=182808

        Reviewed by Keith Miller.

        Set up a proper frame with a prologue and epilogue to align the stack pointer for the rest of the
        thunk.

        * wasm/WasmThunks.cpp:
        (JSC::Wasm::triggerOMGTierUpThunkGenerator):

2018-02-14  Saam Barati  <sbarati@apple.com>

        Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
        https://bugs.webkit.org/show_bug.cgi?id=182801

        Reviewed by Keith Miller.

        VMTraps would sometimes install traps when it paused the JS thread when it
        was in C code. This is wrong, as installing traps mallocs, and the JS thread
        may have been holding the malloc lock while in C code. This could lead to a
        deadlock when C code was holding the malloc lock.
        
        This patch makes it so that we only install traps when we've proven the PC
        is in JIT or LLInt code. If we're in JIT/LLInt code, we are guaranteed that
        we're not holding the malloc lock.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionMallocInALoop):
        * runtime/VMTraps.cpp:
        (JSC::VMTraps::tryInstallTrapBreakpoints):

2018-02-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION(225695) : com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::RegExp::match + 630 :: stack overflow
        https://bugs.webkit.org/show_bug.cgi?id=182705

        Reviewed by Mark Lam.

        Moved the pattern context buffer used by YARR JIT'ed code from a stack local to a lazily allocated
        buffer on the VM.  Exposed when the buffer is needed to reduce the likelihood that we'd allocate it.
        Guarded use of the buffer with a lock since the DFG compiler may call into YARR JIT'ed code on a
        compilation thread.

        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::acquireRegExpPatternContexBuffer):
        (JSC::VM::releaseRegExpPatternContexBuffer):
        * runtime/VM.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::usesPatternContextBuffer):
        (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer):

2018-02-13  Saam Barati  <sbarati@apple.com>

        putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
        https://bugs.webkit.org/show_bug.cgi?id=182755
        <rdar://problem/37080864>

        Reviewed by Keith Miller.

        putDirectIndexSlowOrBeyondVectorLength with non-zero attributes only converted
        the object in question to a dictionary indexing mode when the index is less than
        the vector length. This makes no sense. If we're defining a getter, setter, or read
        only property, we must always enter the dictionary indexing mode irrespective
        of the index in relation to the vector length.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):

2018-02-13  Saam Barati  <sbarati@apple.com>

        Followup fix to r228411 for 32-bit builds. I missed a place where we used the non-vararg getter for child2().

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2018-02-13  Guillaume Emont  <guijemont@igalia.com>

        [YarrJIT][ARM] We need to save r8 as it is the initial start register
        https://bugs.webkit.org/show_bug.cgi?id=182157

        Reviewed by Saam Barati.

        Register r8 is the initial start register since r224172, so we need to
        save it. We still need to save r6 as well even though it is not the
        initial start register any more, since it is used by the
        MacroAssembler which we use (we get crashes in some situations if we
        don't save r6). This issue was discovered because
        stress/regress-174044.js crashes on a Raspberry Pi 2 when compiled in
        -O2.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):

2018-02-13  Caitlin Potter  <caitp@igalia.com>

        [JSC] cache TaggedTemplate arrays by callsite rather than by contents
        https://bugs.webkit.org/show_bug.cgi?id=182717

        Reviewed by Yusuke Suzuki.

        https://github.com/tc39/ecma262/pull/890 imposes a change to template
        literals, to allow template callsite arrays to be collected when the
        code containing the tagged template call is collected. This spec change
        has received consensus and been ratified.

        This change eliminates the eternal map associating template contents
        with arrays.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setConstantRegisters):
        * bytecode/DirectEvalCodeCache.cpp:
        (JSC::DirectEvalCodeCache::setSlow):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::allowDirectEvalCache const):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addTemplateObjectConstant):
        (JSC::BytecodeGenerator::emitGetTemplateObject):
        (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        * parser/ParserModes.h:
        * runtime/EvalExecutable.h:
        (JSC::EvalExecutable::allowDirectEvalCache const):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::templateRegistry): Deleted.
        * runtime/JSTemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistry.cpp.
        (JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
        (JSC::JSTemplateObjectDescriptor::create):
        (JSC::JSTemplateObjectDescriptor::destroy):
        (JSC::JSTemplateObjectDescriptor::createTemplateObject):
        * runtime/JSTemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
        (JSC::isTemplateObjectDescriptor):
        * runtime/JSTemplateRegistryKey.cpp: Removed.
        * runtime/TemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.cpp.
        (JSC::TemplateObjectDescriptor::~TemplateObjectDescriptor):
        * runtime/TemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.h.
        (JSC::TemplateObjectDescriptor::operator== const):
        (JSC::TemplateObjectDescriptor::operator!= const):
        (JSC::TemplateObjectDescriptor::Hasher::hash):
        (JSC::TemplateObjectDescriptor::Hasher::equal):
        (JSC::TemplateObjectDescriptor::create):
        (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
        (JSC::TemplateObjectDescriptor::calculateHash):
        * runtime/TemplateRegistry.h: Removed.
        * runtime/TemplateRegistryKeyTable.cpp: Removed.
        * runtime/TemplateRegistryKeyTable.h: Removed.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::templateRegistryKeyTable): Deleted.
        * runtime/VMEntryScope.cpp:

2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        Support GetArrayLength on ArrayStorage in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=182625

        Reviewed by Saam Barati.

        This patch adds GetArrayLength and CheckArray + ArrayStorage & SlowPutArrayStorage support for FTL.
        The implementation is trivial; it just ports the one in the DFG to the FTL.

        This fixes several FTL compilation failures in web-tooling-benchmarks while we still need to support
        ArrayPush, ArrayPop, Arrayify, and PutByVal.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
        (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
        (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForCheckArray):

2018-02-10  Filip Pizlo  <fpizlo@apple.com>

        Lock down JSFunction
        https://bugs.webkit.org/show_bug.cgi?id=182652

        Reviewed by Saam Barati.
        
        This poisons pointers in JSFunction and puts all of the types in the JSFunction hierarchy in
        isospaces.
        
        This is so neutral on JetStream: 0.01% slower with p = 0.969211.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        (JSC::DFG::SpeculativeJIT::compileCreateThis):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
        (JSC::FTL::DFG::LowerDFGToB3::weakPoisonedPointer):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::weakPointer):
        (JSC::FTL::Output::weakPoisonedPointer):
        * heap/MarkedSpace.cpp:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_this):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSAsyncFunction.h:
        (JSC::JSAsyncFunction::subspaceFor):
        * runtime/JSAsyncGeneratorFunction.h:
        (JSC::JSAsyncGeneratorFunction::subspaceFor):
        * runtime/JSBoundFunction.h:
        (JSC::JSBoundFunction::subspaceFor):
        * runtime/JSCPoison.h:
        * runtime/JSCustomGetterSetterFunction.h:
        (JSC::JSCustomGetterSetterFunction::subspaceFor):
        * runtime/JSFunction.h:
        (JSC::JSFunction::subspaceFor):
        * runtime/JSGeneratorFunction.h:
        (JSC::JSGeneratorFunction::subspaceFor):
        * runtime/JSNativeStdFunction.h:
        (JSC::JSNativeStdFunction::subspaceFor):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * wasm/js/WebAssemblyFunction.h:
        * wasm/js/WebAssemblyWrapperFunction.h:

2018-02-12  Saam Barati  <sbarati@apple.com>

        Add a GetIndexMask node and make it an input to GetByVal for array and typed array accesses in DFG SSA
        https://bugs.webkit.org/show_bug.cgi?id=182633
        <rdar://problem/37441037>

        Reviewed by Keith Miller.

        This patch introduces a GetIndexMask node to DFG SSA. This is an input to
        GetByVal for the GetByVal variants that do conservative index masking.
        The reason I'm adding this node is I realized there were loads of
        the butterfly index mask inside loops that B3 couldn't reason about
        because B3 can't arbitrarily hoist loads out of loops if those loops
        have side exits (because the side exit might be protecting the safety of the
        load). However, for these loops I analyzed, the DFG would be able to hoist
        these loads out of loops because it knows about JS semantics to correctly
        reason about the safety of hoisting the load.
        
        This is a 1% speedup on JetStream on Mac and iOS in my testing.
        
        This patch also adds some infrastructure for eliminating and doing CSE on
        varargs nodes. Because this patch makes GetByVal a varargs node, I ran into
        issues we never had before. We never had a varargs node that could be CSEd or be
        hoisted out of a loop until I made GetByVal varargs. To make it all work,
        I added a CheckVarargs node. This is just like Check, but it's varargs.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAdjacencyList.h:
        (JSC::DFG::AdjacencyList::AdjacencyList):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::replaceTerminal):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::findTerminal const):
        * dfg/DFGBasicBlockInlines.h:
        (JSC::DFG::BasicBlock::replaceTerminal):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCleanUpPhase.cpp:
        (JSC::DFG::CleanUpPhase::run):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::fixupBlock):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::remove):
        (JSC::DFG::Node::convertToIdentityOn):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::replaceWith):
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGPureValue.cpp:
        (JSC::DFG::PureValue::dump const):
        * dfg/DFGPureValue.h:
        (JSC::DFG::PureValue::PureValue):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSSALoweringPhase.cpp:
        (JSC::DFG::SSALoweringPhase::handleNode):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
        (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierClusteringPhase.cpp:
        * dfg/DFGValidate.cpp:
        * dfg/DFGVarargsForwardingPhase.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):

2018-02-12  Mark Lam  <mark.lam@apple.com>

        Miscellaneous refactoring of offlineasm.
        https://bugs.webkit.org/show_bug.cgi?id=182702
        <rdar://problem/37467887>

        Reviewed by Filip Pizlo.

        1. Refactor out the emission of $asm.comment, $asm.codeOrigin, $asm.annotation,
           and $asm.debugAnnotation into a recordMetaData method.  This standardizes how
           we emit this metadata and makes all backends do it the same way.

        2. Add the ability to include custom offlineasm scripts from WebKitAdditions in
           the future.

        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/ast.rb:
        * offlineasm/backends.rb:
        * offlineasm/cloop.rb:
        * offlineasm/config.rb:
        * offlineasm/mips.rb:
        * offlineasm/risc.rb:
        * offlineasm/x86.rb:

2018-02-12  Saam Barati  <sbarati@apple.com>

        DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
        https://bugs.webkit.org/show_bug.cgi?id=182706
        <rdar://problem/36833681>

        Reviewed by Filip Pizlo.

        When we added support for PhantomNewArrayBuffer, we forgot to update
        the emitCodeToGetArgumentsArrayLength function to handle PhantomNewArrayBuffer.
        This patch adds that support. It's trivial to generate the length for
        a PhantomNewArrayBuffer node since it's a constant buffer, with a constant
        length.

        * dfg/DFGArgumentsUtilities.cpp:
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):

2018-02-12  Mark Lam  <mark.lam@apple.com>

        Add more support for pointer preparations.
        https://bugs.webkit.org/show_bug.cgi?id=182703
        <rdar://problem/37469451>

        Reviewed by Saam Barati.

        * llint/LLIntData.h:
        (JSC::LLInt::getCodePtr):
        * llint/LLIntPCRanges.h:
        (JSC::LLInt::isLLIntPC):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2018-02-12  Mark Lam  <mark.lam@apple.com>

        Fix missing exception check in RegExpObject::matchGlobal().
        https://bugs.webkit.org/show_bug.cgi?id=182701
        <rdar://problem/37465865>

        Reviewed by Michael Saboff.

        This issue was discovered when running JSC tests on an asm LLInt build with
        JSC_useJIT=false.

        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::matchGlobal):

2018-02-11  Guillaume Emont  <guijemont@igalia.com>

        [MIPS] JSC needs to be built with -latomic
        https://bugs.webkit.org/show_bug.cgi?id=182610

        Reviewed by Žan Doberšek.

        Since r228149, on MIPS we need to link with -latomic, because
        __atomic_fetch_add_8 is not available as a compiler intrinsic.

        * CMakeLists.txt:

2018-02-09  Filip Pizlo  <fpizlo@apple.com>

        Don't waste memory for error.stack
        https://bugs.webkit.org/show_bug.cgi?id=182656

        Reviewed by Saam Barati.
        
        This makes the StackFrames in ErrorInstance and Exception weak. We simply forget their
        contents if we GC.
        
        This isn't going to happen under normal operation since your callees and code blocks will
        still be alive when you ask for .stack.
        
        Bug 182650 tracks improving this so that it's not lossy. For now, I think it's worth it,
        since it is likely to recover 3-5 MB on membuster.

        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::visitChildren):
        (JSC::ErrorInstance::finalizeUnconditionally):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::subspaceFor):
        * runtime/Exception.cpp:
        (JSC::Exception::visitChildren):
        (JSC::Exception::finalizeUnconditionally):
        * runtime/Exception.h:
        (JSC::Exception::valueOffset): Deleted.
        (JSC::Exception::value const): Deleted.
        (JSC::Exception::stack const): Deleted.
        (JSC::Exception::didNotifyInspectorOfThrow const): Deleted.
        (JSC::Exception::setDidNotifyInspectorOfThrow): Deleted.
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::isFinalizationCandidate):
        (JSC::StackFrame::finalizeUnconditionally):
        (JSC::StackFrame::visitChildren): Deleted.
        * runtime/StackFrame.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-02-09  Carlos Alberto Lopez Perez  <clopez@igalia.com>

        Fix build on ARMv7 traditional JSCOnly bot after r228306
        https://bugs.webkit.org/show_bug.cgi?id=182563

        Unreviewed build fix.

        * assembler/AssemblerBuffer.h:

2018-02-08  Filip Pizlo  <fpizlo@apple.com>

        Experiment with alternative implementation of memcpy/memset
        https://bugs.webkit.org/show_bug.cgi?id=182563

        Reviewed by Michael Saboff and Mark Lam.
        
        This adopts new fastCopy/fastZeroFill calls for calls to memcpy/memset that do not take a
        constant size argument.

        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::append):
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::tryAllocate):
        (JSC::ArrayBufferContents::copyTo):
        (JSC::ArrayBuffer::createInternal):
        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::zeroRangeImpl):
        * runtime/ArrayConventions.cpp:
        * runtime/ArrayConventions.h:
        (JSC::clearArray):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::createOrGrowPropertyStorage):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::resizeArray):
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::GenericTypedArrayView<Adaptor>::create):
        * runtime/JSArray.cpp:
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::fastSlice):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        * runtime/JSObject.cpp:
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):

2018-02-08  Don Olmstead  <don.olmstead@sony.com>

        Remove JavaScriptCore/ForwardingHeaders directory
        https://bugs.webkit.org/show_bug.cgi?id=182594

        Reviewed by Mark Lam.

        * CMakeLists.txt:
        * ForwardingHeaders/JavaScriptCore/APICast.h: Removed.
        * ForwardingHeaders/JavaScriptCore/JSBase.h: Removed.
        * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Removed.
        * ForwardingHeaders/JavaScriptCore/JSContextRef.h: Removed.
        * ForwardingHeaders/JavaScriptCore/JSObjectRef.h: Removed.
        * ForwardingHeaders/JavaScriptCore/JSObjectRefPrivate.h: Removed.
        * ForwardingHeaders/JavaScriptCore/JSRetainPtr.h: Removed.
        * ForwardingHeaders/JavaScriptCore/JSStringRef.h: Removed.
        * ForwardingHeaders/JavaScriptCore/JSStringRefCF.h: Removed.
        * ForwardingHeaders/JavaScriptCore/JSTypedArray.h: Removed.
        * ForwardingHeaders/JavaScriptCore/JSValueRef.h: Removed.
        * ForwardingHeaders/JavaScriptCore/JavaScript.h: Removed.
        * ForwardingHeaders/JavaScriptCore/JavaScriptCore.h: Removed.
        * ForwardingHeaders/JavaScriptCore/OpaqueJSString.h: Removed.
        * ForwardingHeaders/JavaScriptCore/WebKitAvailability.h: Removed.

2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
        https://bugs.webkit.org/show_bug.cgi?id=182440

        Reviewed by Darin Adler.

        This patch implements Array.prototype.flatMap and Array.prototype.flatten
        since they are now stage 3 [1].

        [1]: https://tc39.github.io/proposal-flatMap/#sec-FlattenIntoArray

        * builtins/ArrayPrototype.js:
        (filter):
        (map):
        (globalPrivate.concatSlowPath):
        (globalPrivate.arraySpeciesCreate):
        (globalPrivate.flattenIntoArray):
        (flatten):
        (globalPrivate.flattenIntoArrayWithCallback):
        We separate flattenIntoArray from flattenIntoArrayWithCallback for performance reasons.
        We carefully keep both functions small to encourage inlining.

        (flatMap):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):

2018-01-13  Darin Adler  <darin@apple.com>

        Event improvements
        https://bugs.webkit.org/show_bug.cgi?id=179591

        Reviewed by Chris Dumez.

        Remove all uses of ScriptValue other than in the implementation of ScriptObject.

        * bindings/ScriptFunctionCall.cpp: Removed include of ScriptValue.h.

        * bindings/ScriptObject.cpp: Removed unused overload of ScriptObject constructor.
        * bindings/ScriptObject.h: Ditto.

        * bindings/ScriptValue.cpp:
        (Deprecated::ScriptValue::~ScriptValue): Deleted.
        (Deprecated::ScriptValue::getString const): Deleted.
        (Deprecated::ScriptValue::toString const): Deleted.
        (Deprecated::ScriptValue::isEqual const): Deleted.
        (Deprecated::ScriptValue::isNull const): Deleted.
        (Deprecated::ScriptValue::isUndefined const): Deleted.
        (Deprecated::ScriptValue::isObject const): Deleted.
        (Deprecated::ScriptValue::isFunction const): Deleted.
        (Deprecated::ScriptValue::toInspectorValue const): Deleted.
        * bindings/ScriptValue.h: Removed many unused functions. Made the rest
        protected since this is now used only in ScriptObject.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend): Stop using ScriptValue.
        (Inspector::ConsoleMessage::isEqual const): Updated for change to ScriptArguments::isEqual.

        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::create): Take a Vector of JSC::Strong, not ScriptValue,
        use rvalue reference with move instead of lvalue reference with swap, and take execution
        state by reference instead of pointer.
        (Inspector::ScriptArguments::createEmpty): Deleted. Can now use create instead.
        (Inspector::ScriptArguments::ScriptArguments): Ditto.
        (Inspector::ScriptArguments::~ScriptArguments): Deleted.
        (Inspector::ScriptArguments::argumentAt const): Updated to use JSC::Strong.
        (Inspector::ScriptArguments::getFirstArgumentAsString): Ditto.
        (Inspector::ScriptArguments::isEqual const): Ditto. Also changed to use JS internals
        instead of calling through the C API.
        * inspector/ScriptArguments.h: Updated for the above.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptArguments): Updated for changes to ScriptArguments.

        * inspector/ScriptDebugServer.cpp: Removed include of ScriptValue.h.
        * inspector/agents/InspectorAgent.cpp: Ditto.
        * inspector/agents/InspectorDebuggerAgent.cpp: Ditto.
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use JSC::Strong instead
        of ScriptValue.
        (Inspector::InspectorDebuggerAgent::currentCallFrames): Ditto.
        * inspector/agents/InspectorDebuggerAgent.h: Ditto.
        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments): Ditto.
        (JSC::ConsoleClient::clear): Use ScriptArguments::create and pass an empty vector
        instead of calling a separate createEmpty function.

        * runtime/VM.cpp:
        (JSC::VM::createLeaked): Deleted.
        * runtime/VM.h: Deleted createLeaked.

2018-02-06  Brian Burg  <bburg@apple.com>

        Web Inspector: protocol generator should automatically deduce the correct include style to use
        https://bugs.webkit.org/show_bug.cgi?id=182505

        Reviewed by Timothy Hatcher.

        Currently the generated imports use a mix of system header imports (powered by forwarding headers)
        and framework-style includes. Since forwarding headers are going away, this patch stops
        using system header includes for headers that are JavaScriptCore private headers. Instead,
        use either a relative include or a framework include.

        * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
        (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
        (CppAlternateBackendDispatcherHeaderGenerator):
        (CppAlternateBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator.generate_output):
        (CppBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.generate_output):
        (CppBackendDispatcherImplementationGenerator._generate_secondary_header_includes):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        (CppFrontendDispatcherHeaderGenerator._generate_secondary_header_includes):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator.generate_output):
        (CppFrontendDispatcherImplementationGenerator._generate_secondary_header_includes):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator.generate_output):
        (CppProtocolTypesHeaderGenerator._generate_secondary_header_includes):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator.generate_output):
        (CppProtocolTypesImplementationGenerator._generate_secondary_header_includes):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator):
        Convert existing header lists to the new entries format, which includes the
        allowable target frameworks and the relative path to the header.

        * inspector/scripts/codegen/generator.py:
        (Generator.generate_includes_from_entries):
        Copied from the same in the builtins code generator. It still works great.

        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
        Rebaseline.

2018-02-06  Keith Miller  <keith_miller@apple.com>

        put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
        https://bugs.webkit.org/show_bug.cgi?id=182549
        <rdar://problem/36189995>

        Reviewed by Saam Barati.

        Previously, the llint/baseline caching for put_to_scope and
        get_from_scope would cache lexical environments when the
        varInjectionWatchpoint had been fired for global properties. Code
        in the DFG does not follow this same assumption so we could
        potentially return the wrong result. Additionally, the baseline
        would write barrier the global object rather than the lexical
        environment object. This patch makes it so that we do not cache
        anything other than the global object for when the resolve type is
        GlobalPropertyWithVarInjectionChecks or GlobalProperty.

        * assembler/MacroAssembler.cpp:
        (JSC::MacroAssembler::jitAssert):
        * assembler/MacroAssembler.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
        (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
        * runtime/Options.h:

2018-01-28  Filip Pizlo  <fpizlo@apple.com>

        Global objects should be able to use TLCs to allocate from different blocks from each other
        https://bugs.webkit.org/show_bug.cgi?id=182227

        Reviewed by JF Bastien.
        
        This uses TLCs to create at least `minimumDistanceBetweenCellsFromDifferenOrigins` bytes of
        distance between objects from different origins, using the following combination of things. For
        short, let's refer to that constant as K.
        
        - Since r227721, LargeAllocation puts K bytes padding at the end of each allocation.
        
        - Since r227718, MarkedBlock puts at least K bytes in its footer.
        
        - Since r227617, global objects can have their own TLCs, which make them allocate from a
          different set of blocks than other global objects. The TLC of a global object comes into
          effect when you enter the VM via that global object.
        
        - With this change, TLCs and blocks both have security origins. A TLC will only use blocks that
          share the same security origin or empty blocks (in which case we zero the block and change
          its security origin).
        
        WebCore determines the TLC-GlobalObject mapping. By default, global objects would simply use
        the VM's default TLC. WebCore makes it so that DOM windows (but not worker global objects) get
        a TLC based on their document's SecurityOrigin.
        
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/BlockDirectory.cpp:
        (JSC::BlockDirectory::findBlockForAllocation):
        (JSC::BlockDirectory::prepareForAllocation):
        * heap/BlockDirectory.h:
        * heap/LocalAllocator.cpp:
        (JSC::LocalAllocator::LocalAllocator):
        (JSC::LocalAllocator::reset):
        (JSC::LocalAllocator::~LocalAllocator):
        (JSC::LocalAllocator::allocateSlowCase):
        (JSC::LocalAllocator::tryAllocateWithoutCollecting):
        * heap/LocalAllocator.h:
        (JSC::LocalAllocator::tlc const):
        * heap/MarkStackMergingConstraint.cpp:
        * heap/MarkStackMergingConstraint.h:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::associateWithOrigin):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::securityOriginToken const):
        * heap/SecurityOriginToken.cpp: Added.
        (JSC::uniqueSecurityOriginToken):
        * heap/SecurityOriginToken.h: Added.
        * heap/ThreadLocalCache.cpp:
        (JSC::ThreadLocalCache::create):
        (JSC::ThreadLocalCache::ThreadLocalCache):
        (JSC::ThreadLocalCache::allocateData):
        (JSC::ThreadLocalCache::installSlow):
        * heap/ThreadLocalCache.h:
        (JSC::ThreadLocalCache::securityOriginToken const):
        * heap/ThreadLocalCacheInlines.h:
        (JSC::ThreadLocalCache::install):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::createThreadLocalCache):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::threadLocalCache):
        (JSC::JSGlobalObject::threadLocalCache const): Deleted.
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):
        * runtime/VMEntryScope.h:

2018-02-05  Don Olmstead  <don.olmstead@sony.com>

        JavaScriptCore files should not be included relatively
        https://bugs.webkit.org/show_bug.cgi?id=182452

        Reviewed by Keith Miller.

        * API/JSCallbackConstructor.h:
        * CMakeLists.txt:
        * disassembler/ARM64Disassembler.cpp:
        * disassembler/ARMv7Disassembler.cpp:
        * heap/LockDuringMarking.h:
        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptHost.h:
        * inspector/JavaScriptCallFrame.h:
        * inspector/ScriptArguments.h:
        * inspector/ScriptDebugListener.h:
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * runtime/RegExp.h:

2018-02-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r228012.
        https://bugs.webkit.org/show_bug.cgi?id=182493

        "It regressed ARES-6 by 2-4%" (Requested by saamyjoon on
        #webkit).

        Reverted changeset:

        "[JSC] Clean up ArraySpeciesCreate"
        https://bugs.webkit.org/show_bug.cgi?id=182434
        https://trac.webkit.org/changeset/228012

2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>

        Rebaseline bindings generator tests after r228032.
        https://bugs.webkit.org/show_bug.cgi?id=182445

        Unreviewed test gardening.

        * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:

2018-02-02  Saam Barati  <sbarati@apple.com>

        Make various DFG_ASSERTs provide more data to WTFCrashWithInfo
        https://bugs.webkit.org/show_bug.cgi?id=182453
        <rdar://problem/37174236>

        Reviewed by JF Bastien and Mark Lam.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArgumentsUtilities.cpp:
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        * dfg/DFGFlowIndexing.h:
        (JSC::DFG::FlowIndexing::shadowIndex const):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::LoopPreHeaderCreationPhase::run):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithAbs):
        (JSC::DFG::SpeculativeJIT::compileArithRounding):
        (JSC::DFG::SpeculativeJIT::compileToPrimitive):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierClusteringPhase.cpp:
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::compare):
        (JSC::FTL::DFG::LowerDFGToB3::switchStringRecurse):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
        (JSC::FTL::DFG::LowerDFGToB3::lowCell):
        (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
        (JSC::FTL::DFG::LowerDFGToB3::lowJSValue):

2018-02-02  Don Olmstead  <don.olmstead@sony.com>

        JS Builtins should include JavaScriptCore headers directly
        https://bugs.webkit.org/show_bug.cgi?id=182445

        Reviewed by Yusuke Suzuki.

        * Scripts/builtins/builtins_generator.py:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:

2018-02-02  Saam Barati  <sbarati@apple.com>

        When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
        https://bugs.webkit.org/show_bug.cgi?id=182368
        <rdar://problem/36932466>

        Reviewed by Mark Lam.

        When preserving liveness when inserting Unreachable nodes after ForceOSRExit,
        we must add the VariableAccessData to the given argument position. Otherwise,
        we may end up with a VariableAccessData that doesn't respect the shouldNeverUnbox bit.
        If we end up with such a situation, it can lead to invalid IR after the
        arguments elimination phase optimizes a GetByVal to a GetStack.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flushImpl):
        (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::flushForTerminal):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):

2018-02-02  Mark Lam  <mark.lam@apple.com>

        More ARM64_32 fixes.
        https://bugs.webkit.org/show_bug.cgi?id=182441
        <rdar://problem/37162310>

        Reviewed by Dan Bernstein.

        I also disabled more dynamicPoisoning code in ARM64_32.  This code assumes a
        64-bit pointer which is not applicable here.

        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitDynamicPoison):
        (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
        (JSC::AssemblyHelpers::emitDynamicPoisonOnType):

2018-02-02  Saam Barati  <sbarati@apple.com>

        MapHash should return true to doesGC in the DFG depending on useKind because it might resolve a rope
        https://bugs.webkit.org/show_bug.cgi?id=182402

        Reviewed by Yusuke Suzuki.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Clean up ArraySpeciesCreate
        https://bugs.webkit.org/show_bug.cgi?id=182434

        Reviewed by Saam Barati.

        We have duplicate code in filter, map, concatSlowPath.
        This patch creates a new global private function @arraySpeciesCreate,
        and uses it.

        * builtins/ArrayPrototype.js:
        (globalPrivate.arraySpeciesCreate):
        (filter):
        (map):
        (globalPrivate.concatSlowPath):

2018-02-01  Mark Lam  <mark.lam@apple.com>

        Fix broken bounds check in FTL's compileGetMyArgumentByVal().
        https://bugs.webkit.org/show_bug.cgi?id=182419
        <rdar://problem/37044945>

        Reviewed by Saam Barati.

        In compileGetMyArgumentByVal(), it computes:
            limit = m_out.sub(limit, m_out.constInt32(m_node->numberOfArgumentsToSkip()));
            ...
            LValue isOutOfBounds = m_out.aboveOrEqual(originalIndex, limit);

        where the original "limit" is the number of arguments passed in by the caller.
        If the original limit is less than numberOfArgumentsToSkip, the resultant limit
        will be a large unsigned number.  As a result, this will defeat the bounds check
        that follows it.

        Note: later on in compileGetMyArgumentByVal(), we have to adjust the index
        value by adding numberOfArgumentsToSkip to it, in order to determine the actual
        entry in the arguments array to get.

        The fix is to just add numberOfArgumentsToSkip to index upfront (instead of
        subtracting it from limit), and doing an overflow speculation check on that
        addition before doing the bounds check.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
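        The wrapping subtraction described above, as an added example that is not
        JavaScriptCore's code: both checks are modelled with plain 32-bit unsigned
        integers instead of FTL LValues (JSC compares the index and limit unsigned, so
        uint32_t is a faithful model). The names argumentCount, buggyBoundsCheck,
        fixedBoundsCheck and CheckResult, and the OverflowExit result standing in for
        the overflow speculation check, are assumptions of this example.

```cpp
#include <cstdint>
#include <cstdio>

// Added illustration (not JavaScriptCore code) of the bounds-check defect in
// the entry above, modelled with plain integers instead of FTL LValues.
//
// Parameters follow the ChangeLog's naming:
//   originalIndex           - the index the program asked for
//   argumentCount           - the original "limit": arguments passed by the caller
//   numberOfArgumentsToSkip - leading arguments this arguments object hides
enum class CheckResult { InBounds, OutOfBounds, OverflowExit };

// Before the fix: limit = argumentCount - numberOfArgumentsToSkip in unsigned
// 32-bit arithmetic. When numberOfArgumentsToSkip > argumentCount the
// subtraction wraps to a huge value and almost every index passes the check.
CheckResult buggyBoundsCheck(uint32_t originalIndex, uint32_t argumentCount,
                             uint32_t numberOfArgumentsToSkip)
{
    uint32_t limit = argumentCount - numberOfArgumentsToSkip; // may wrap around
    if (originalIndex >= limit)
        return CheckResult::OutOfBounds;
    return CheckResult::InBounds;
}

// After the fix: add numberOfArgumentsToSkip to the index first, reject the
// addition if it overflows (OverflowExit models the speculation check that
// bails out of compiled code), then compare against the unmodified limit.
CheckResult fixedBoundsCheck(uint32_t originalIndex, uint32_t argumentCount,
                             uint32_t numberOfArgumentsToSkip)
{
    // Overflow iff originalIndex + numberOfArgumentsToSkip > UINT32_MAX.
    if (numberOfArgumentsToSkip > UINT32_MAX - originalIndex)
        return CheckResult::OverflowExit;
    uint32_t index = originalIndex + numberOfArgumentsToSkip;
    if (index >= argumentCount)
        return CheckResult::OutOfBounds;
    return CheckResult::InBounds;
}

static const char* name(CheckResult r)
{
    switch (r) {
    case CheckResult::InBounds:     return "in bounds";
    case CheckResult::OutOfBounds:  return "out of bounds";
    case CheckResult::OverflowExit: return "overflow exit";
    }
    return "?";
}

int main()
{
    // Constructed cases: {originalIndex, argumentCount, numberOfArgumentsToSkip}.
    // The second row is the defect: a 1-argument call with 2 skipped arguments
    // lets index 5 through the buggy check.
    const uint32_t cases[][3] = {
        { 2, 3, 1 },            // no wrap: both checks agree
        { 5, 1, 2 },            // skip > count: buggy check wraps and passes
        { 0xFFFFFFFFu, 3, 1 },  // index + skip overflows: fixed check exits
    };
    for (const auto& c : cases) {
        printf("index=%u count=%u skip=%u  buggy: %-14s fixed: %s\n",
               c[0], c[1], c[2],
               name(buggyBoundsCheck(c[0], c[1], c[2])),
               name(fixedBoundsCheck(c[0], c[1], c[2])));
    }
    return 0;
}
```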

2018-02-01  Keith Miller  <keith_miller@apple.com>

        Fix crashes due to mishandling custom sections.
        https://bugs.webkit.org/show_bug.cgi?id=182404
        <rdar://problem/36935863>

        Reviewed by Saam Barati.

        This also cleans up some of our validation code. We also
        mistakenly allowed unknown (different from custom sections with
        id: 0) section ids.

        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parse):
        * wasm/WasmModuleParser.h:
        * wasm/WasmSections.h:
        (JSC::Wasm::isKnownSection):
        (JSC::Wasm::decodeSection):
        (JSC::Wasm::validateOrder):
        (JSC::Wasm::makeString):
        (JSC::Wasm::isValidSection): Deleted.

2018-02-01  Michael Catanzaro  <mcatanzaro@igalia.com>

        -Wreturn-type warning in DFGObjectAllocationSinkingPhase.cpp
        https://bugs.webkit.org/show_bug.cgi?id=182389

        Reviewed by Yusuke Suzuki.

        Fix the warning.

        As a bonus, remove a couple unreachable breaks for good measure.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-02-01  Chris Dumez  <cdumez@apple.com>

        Queue a microtask when a waitUntil() promise is settled
        https://bugs.webkit.org/show_bug.cgi?id=182372
        <rdar://problem/37101019>

        Reviewed by Mark Lam.

        Export a symbol so it can be used in WebCore.

        * runtime/JSGlobalObject.h:

2018-01-31  Don Olmstead  <don.olmstead@sony.com>

        [CMake] Make JavaScriptCore headers copies
        https://bugs.webkit.org/show_bug.cgi?id=182303

        Reviewed by Alex Christensen.

        * CMakeLists.txt:
        * PlatformGTK.cmake:
        * PlatformJSCOnly.cmake:
        * PlatformMac.cmake:
        * PlatformWPE.cmake:
        * PlatformWin.cmake:
        * shell/CMakeLists.txt:
        * shell/PlatformWin.cmake:

2018-01-31  Saam Barati  <sbarati@apple.com>

        Replace tryLargeMemalignVirtual with tryLargeZeroedMemalignVirtual and use it to allocate large zeroed memory in Wasm
        https://bugs.webkit.org/show_bug.cgi?id=182064
        <rdar://problem/36840132>

        Reviewed by Geoffrey Garen.

        This patch switches WebAssembly Memory to always use bmalloc's
        zeroed virtual allocation API. This makes it so that we don't
        dirty the memory to zero it. It's a huge compile time speedup
        on WasmBench on iOS.

        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::~Memory):
        (JSC::Wasm::Memory::addressIsInActiveFastMemory):
        (JSC::Wasm::Memory::grow):
        (JSC::Wasm::commitZeroPages): Deleted.

2018-01-31  Mark Lam  <mark.lam@apple.com>

        Build fix for CLoop after r227874.
        https://bugs.webkit.org/show_bug.cgi?id=182155
        <rdar://problem/36286266>

        Not reviewed.

        Just needed support for lea of a LabelReference in cloop.rb (just like those
        added for arm64.rb and x86.rb).

        * offlineasm/cloop.rb:

2018-01-31  Keith Miller  <keith_miller@apple.com>

        Canonicalize acquiring the JSCell lock.
        https://bugs.webkit.org/show_bug.cgi?id=182320

        Reviewed by Michael Saboff.

        It's currently kinda annoying to figure out where
        we acquire a JSCell's lock. This patch adds a
        helper to make it easier to grep...

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedCodeBlock::setInstructions):
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
        (JSC::ErrorInstance::visitChildren):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSCell.h:
        (JSC::JSCell::cellLock):
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterflyImpl):
        (JSC::JSObject::convertContiguousToArrayStorage):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::visitChildren):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::add):
        (JSC::SparseArrayValueMap::remove):
        (JSC::SparseArrayValueMap::visitChildren):

2018-01-31  Saam Barati  <sbarati@apple.com>

        JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
        https://bugs.webkit.org/show_bug.cgi?id=182074
        <rdar://problem/36846261>

        Reviewed by Mark Lam.

        This patch teaches the JSONP evaluator about the global lexical environment.
        Before, it was using the global object as the global scope, but that's wrong.
        The global lexical environment is the first node in the global scope chain.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (shellSupportsRichSourceInfo):
        (functionDisableRichSourceInfo):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        * runtime/LiteralParser.h:

2018-01-31  Saam Barati  <sbarati@apple.com>

        clean up pushToSaveImmediateWithoutTouchingRegisters a bit
        https://bugs.webkit.org/show_bug.cgi?id=181774

        Reviewed by JF Bastien.

        This function on ARM64 was considering what to do with the scratch
        register, and conditionally invalidated what was in it. This is not
        relevant though, since the function always recovers what was in that
        register. This patch just switches it to using dataTempRegister
        directly and updates the comment to describe why it can do so safely.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):

2018-01-30  Mark Lam  <mark.lam@apple.com>

        Apply poisoning to TypedArray vector pointers.
        https://bugs.webkit.org/show_bug.cgi?id=182155
        <rdar://problem/36286266>

        Reviewed by JF Bastien.

        The TypedArray's vector pointer is now poisoned.  The poison value is chosen based
        on a TypedArray's jsType.  The JSType must be between FirstTypedArrayType and
        LastTypedArrayType.  At runtime, we enforce that the index is well-behaved by
        masking it against TypedArrayPoisonIndexMask.  TypedArrayPoisonIndexMask (16) is
        the number of TypedArray types (10) rounded up to the next power of 2.
        Accordingly, we reserve an array of TypedArrayPoisonIndexMask poisons so that we
        can use index masking on the index, and be guaranteed that the masked index will
        be within bounds of the poisons array.

        1. Fixed both DFG and FTL versions of compileGetTypedArrayByteOffset() to not
           do any unnecessary work if the TypedArray vector is null.

           FTL's cagedMayBeNull() is no longer needed because it is only used by
           compileGetTypedArrayByteOffset(), and we need to enhance it to handle unpoisoning
           in a TypedArray specific way.  So, might as well do the work inline in
           compileGetTypedArrayByteOffset() instead.

        2. Removed an unnecessary null-check in DFGSpeculativeJIT's compileNewTypedArrayWithSize()
           because there's already a null check above it that ensures that sizeGPR is
           never null.

        3. In LLInt's _llint_op_get_by_val, move the TypedArray length check before the
           loading of the vector for unpoisoning and uncaging.  We don't need the vector
           if the length is 0.

        Implementation notes on the need to null check the TypedArray vector:

        1. DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds() does not need a
           m_poisonedVector null check because the function is a null check.

        2. DFG::SpeculativeJIT::compileGetIndexedPropertyStorage() does not need a
           m_poisonedVector null check because it is followed by a call to
           cageTypedArrayStorage() which assumes that storageReg cannot be null.

        3. DFG::SpeculativeJIT::compileGetTypedArrayByteOffset() already has a
           m_poisonedVector null check.

        4. DFG::SpeculativeJIT::compileNewTypedArrayWithSize() does not need a vector null
           check because the poisoning code is preceded by a sizeGPR null check, which
           ensures that the storageGPR (vector to be poisoned) is not null.

        5. FTL's compileGetIndexedPropertyStorage() does not need a m_poisonedVector null
           check because it is followed by a call to caged() which assumes that the
           vector cannot be null.

        6. FTL's compileGetTypedArrayByteOffset() already has a m_poisonedVector null check.

        7. FTL's compileNewTypedArray() does not need a vector null check because the
           poisoning code is preceded by a size null check, which ensures that the
           storage (vector to be poisoned) is not null.

        8. FTL's speculateTypedArrayIsNotNeutered() does not need a
           m_poisonedVector null check because the function is a null check.

        9. IntrinsicGetterAccessCase::emitIntrinsicGetter()'s TypedArrayByteOffsetIntrinsic
           case needs a null check so that it does not try to unpoison a null vector.

        10. JIT::emitIntTypedArrayGetByVal() does not need a vector null check because
            we already do a length check even before loading the vector.

        11. JIT::emitFloatTypedArrayGetByVal() does not need a vector null check because
            we already do a length check even before loading the vector.

        12. JIT::emitIntTypedArrayPutByVal() does not need a vector null check because
            we already do a length check even before loading the vector.

        13. JIT::emitFloatTypedArrayPutByVal() does not need a vector null check because
            we already do a length check even before loading the vector.

        14. LLInt's loadTypedArrayCaged() does not need a vector null check because its
            client will do a TypedArray length check before calling it.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
        (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull): Deleted.
        * jit/IntrinsicEmitter.cpp:
        (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/x86.rb:
        * runtime/CagedBarrierPtr.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        (JSC::JSArrayBufferView::finalize):
        (JSC::JSArrayBufferView::neuter):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::vector const):
        (JSC::JSArrayBufferView::offsetOfPoisonedVector):
        (JSC::JSArrayBufferView::poisonFor):
        (JSC::JSArrayBufferView::Poison::key):
        (JSC::JSArrayBufferView::offsetOfVector): Deleted.
        * runtime/JSCPoison.cpp:
        (JSC::initializePoison):
        * runtime/JSCPoison.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.h:
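
Worked illustration of the poison-table indexing scheme the entry above describes, added here as an example; it is not code from JavaScriptCore. The JSType values, the poison generator, the shift of the type into a table slot and all function names are constructed stand-ins. It shows why masking the type-derived index with TypedArrayPoisonIndexMask - 1 keeps every lookup inside the 16-entry table whatever type byte arrives, that null vectors stay null so the null checks enumerated above still apply to the poisoned field, and that unpoisoning with the wrong type does not recover the original pointer.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the JSType range of TypedArrays; the real
 * enum values in JSC differ. There are 10 TypedArray types, as in the entry. */
enum {
    FirstTypedArrayType = 20,
    NumTypedArrayTypes = 10,
    LastTypedArrayType = FirstTypedArrayType + NumTypedArrayTypes - 1
};

/* 10 rounded up to the next power of two: the table holds 16 poisons and the
 * index is masked with 16 - 1 = 15, so any value lands inside the table. */
#define TypedArrayPoisonIndexMask 16

static uintptr_t g_poisons[TypedArrayPoisonIndexMask];
static int g_poisons_initialized;

/* Constructed, deterministic poison values. JSC fills its table with random
 * values at VM startup (initializePoison); multiplying an odd constant by
 * (i + 1) is used here only to guarantee 16 distinct, nonzero values. */
static void ensure_poisons(void) {
    if (g_poisons_initialized)
        return;
    for (size_t i = 0; i < TypedArrayPoisonIndexMask; i++)
        g_poisons[i] = (uintptr_t)0x9E3779B97F4A7C15ull * (uintptr_t)(i + 1);
    g_poisons_initialized = 1;
}

/* Table slot for a JSType: offset from the first TypedArray type, then masked.
 * Even a type byte outside [FirstTypedArrayType, LastTypedArrayType] (which a
 * mis-speculated type check could present) yields an index below 16. */
static size_t poison_index(uint8_t js_type) {
    return (size_t)(unsigned)(js_type - FirstTypedArrayType) & (TypedArrayPoisonIndexMask - 1);
}

/* Store form of the vector pointer. Null is kept as null so that the
 * null checks the entry enumerates keep working on the poisoned field. */
static uintptr_t poison_vector(const void *vector, uint8_t js_type) {
    ensure_poisons();
    if (!vector)
        return 0;
    return (uintptr_t)vector ^ g_poisons[poison_index(js_type)];
}

/* Load form: xor with the poison chosen from the type the JIT expects. If the
 * object's real type differs, the wrong poison is used and the result is not a
 * usable pointer, which is what defeats a type-confused speculative read. */
static const void *unpoison_vector(uintptr_t poisoned, uint8_t js_type) {
    ensure_poisons();
    if (!poisoned)
        return NULL;
    return (const void *)(poisoned ^ g_poisons[poison_index(js_type)]);
}

int main(void) {
    static uint8_t backing[16];
    uintptr_t stored = poison_vector(backing, FirstTypedArrayType + 2);
    printf("raw %p poisoned 0x%" PRIxPTR "\n", (void *)backing, stored);
    printf("right type recovers pointer: %d\n",
           unpoison_vector(stored, FirstTypedArrayType + 2) == (const void *)backing);
    printf("wrong type recovers pointer: %d\n",
           unpoison_vector(stored, FirstTypedArrayType + 5) == (const void *)backing);
    printf("index for type byte 255: %zu (always < %d)\n",
           poison_index(255), TypedArrayPoisonIndexMask);
    return 0;
}
```

The mask does not validate the type; it only bounds the table access. Correctness of the unpoisoned pointer still rests on the JIT having checked the type, which is exactly why the entry pairs the poison with the existing null and length checks rather than replacing them.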

2018-01-30  Fujii Hironori  <Hironori.Fujii@sony.com>

        [Win] Warning fix.
        https://bugs.webkit.org/show_bug.cgi?id=177007

        Reviewed by Yusuke Suzuki.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::dump const):
        Changed the type of locationRawBits from unsigned to uintptr_t.
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::createNumberFormat):
        Initialize 'style' to avoid potentially uninitialized local variable warning.

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement trimStart and trimEnd
        https://bugs.webkit.org/show_bug.cgi?id=182233

        Reviewed by Mark Lam.

        String.prototype.{trimStart,trimEnd} are now stage 3[1].
        String.prototype.{trimLeft,trimRight} are aliases of these functions.

        We rename these functions to trimStart and trimEnd, and provide them as
        trimLeft and trimRight too.

        [1]: https://tc39.github.io/proposal-string-left-right-trim/

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::trimString):
        (JSC::stringProtoFuncTrim):
        (JSC::stringProtoFuncTrimStart):
        (JSC::stringProtoFuncTrimEnd):
        (JSC::stringProtoFuncTrimLeft): Deleted.
        (JSC::stringProtoFuncTrimRight): Deleted.

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Relax line terminators in String to make JSON subset of JS
        https://bugs.webkit.org/show_bug.cgi?id=182232

        Reviewed by Keith Miller.

        The "Subsume JSON" spec is now stage 3[1]. Before this spec change,
        JSON could accept \u2028 / \u2029 in strings while JS could not.
        This accidentally made JSON a non-subset of JS.

        Now we extend our JS strings to accept \u2028 / \u2029, making JSON
        a subset of JS as this spec change requires.

        [1]: https://github.com/tc39/proposal-json-superset

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::parseStringSlowCase):

2018-01-29  Jiewen Tan  <jiewen_tan@apple.com>

        [WebAuthN] Add a compile-time feature flag
        https://bugs.webkit.org/show_bug.cgi?id=182211
        <rdar://problem/36936365>

        Reviewed by Brent Fulgham.

        * Configurations/FeatureDefines.xcconfig:

2018-01-29  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
        https://bugs.webkit.org/show_bug.cgi?id=182249

        Reviewed by Keith Miller.

        Changed clobberize() handling of CompareEq, et al. to properly handle comparisons between
        Untyped and Object values when compared against built-in types.  Such comparisons can
        invoke toNumber() or other methods.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-01-29  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r227725.

        This caused internal failures.

        Reverted changeset:

        "JSC Sampling Profiler: Detect tester and testee when sampling
        in RegExp JIT"
        https://bugs.webkit.org/show_bug.cgi?id=152729
        https://trac.webkit.org/changeset/227725

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
        https://bugs.webkit.org/show_bug.cgi?id=152729

        Reviewed by Saam Barati.

        This patch extends SamplingProfiler to recognize JIT RegExp execution. We record
        the executing RegExp in the VM so that SamplingProfiler can detect it. This is better
        than the previous VM::isExecutingInRegExpJIT flag approach since

        1. isExecutingInRegExpJIT is set after JIT RegExp code has started executing. Thus,
        if we suspend the thread just before setting this flag, or just after clearing
        this flag, SamplingProfiler gets an invalid frame, and frame validation fails. We
        should set such a flag before and after executing JIT RegExp code.

        2. This removes the VM dependency from YarrJIT, which is not an essential one.

        We add an ExecutionContext enum to RegExp::matchInline so as not to mark execution if it
        is done on a non-JS thread.

        * bytecode/BytecodeDumper.cpp:
        (JSC::regexpName):
        (JSC::BytecodeDumper<Block>::dumpRegExps):
        (JSC::regexpToSourceString): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::match):
        (JSC::RegExp::matchConcurrently):
        (JSC::RegExp::compileMatchOnly):
        (JSC::RegExp::toSourceString const):
        * runtime/RegExp.h:
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * runtime/RegExpMatchesArray.h:
        (JSC::createRegExpMatchesArray):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::timerLoop):
        (JSC::SamplingProfiler::takeSample):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::StackFrame::nameFromCallee):
        (JSC::SamplingProfiler::StackFrame::displayName):
        (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
        (JSC::SamplingProfiler::StackFrame::functionStartLine):
        (JSC::SamplingProfiler::StackFrame::functionStartColumn):
        (JSC::SamplingProfiler::StackFrame::sourceID):
        (JSC::SamplingProfiler::StackFrame::url):
        (WTF::printInternal):
        (JSC::SamplingProfiler::~SamplingProfiler): Deleted.
        * runtime/SamplingProfiler.h:
        * runtime/VM.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::jitCompile):
        * yarr/YarrJIT.h:

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] WeakMap#set should have DFG node
        https://bugs.webkit.org/show_bug.cgi?id=180015

        Reviewed by Saam Barati.

        This patch adds WeakMapSet and WeakSetAdd DFG nodes to handle them efficiently in DFG and FTL.
        We also define CSE rules for them. Now, WeakMapSet and WeakSetAdd can offer the results of
        the subsequent WeakMapGet if CSE allows.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        WeakMap operations do not cause GC.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileWeakSetAdd):
        (JSC::DFG::SpeculativeJIT::compileWeakMapSet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapSet):
        * jit/JITOperations.h:
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        * runtime/WeakSetPrototype.cpp:
        (JSC::WeakSetPrototype::finishCreation):

2018-01-28  Filip Pizlo  <fpizlo@apple.com>

        LargeAllocation should do the same distancing as MarkedBlock
        https://bugs.webkit.org/show_bug.cgi?id=182226

        Reviewed by Saam Barati.

        This makes LargeAllocation do the same exact distancing that MarkedBlock promises to do.
        
        To make that possible, this patch first makes MarkedBlock know exactly how much distancing it
        is doing:
        
        - I've rationalized the payloadSize calculation. In particular, I made MarkedSpace use the
          calculation done in MarkedBlock. MarkedSpace used to do the math a different way. This
          keeps the old way just for a static_assert.
        
        - The promised amount of distancing is now codified in HeapCell.h as
          minimumDistanceBetweenCellsFromDifferentOrigins. We assert that the footer size is at least
          as big as this. I didn't want to just use footer size for this constant because then, if
          you increased the size of the footer, you'd also add padding to every large allocation.
        
        Then this patch just adds minimumDistanceBetweenCellsFromDifferentOrigins to each large
        allocation. It also zeroes that slice of memory to prevent any information leaks that way.
        
        This is perf neutral. Large allocations start out at ~8000 bytes. The amount of padding is
        ~300 bytes. That's 3.75% space overhead for objects that are ~8000 bytes, zero overhead for
        smaller objects, and diminishing overhead for larger objects. We allocate very few large
        objects, so we shouldn't have any real space overhead from this.

        * heap/HeapCell.h:
        * heap/LargeAllocation.cpp:
        (JSC::LargeAllocation::tryCreate):
        * heap/MarkedBlock.h:
        * heap/MarkedSpace.h:

2018-01-27  Filip Pizlo  <fpizlo@apple.com>

        Make MarkedBlock::Footer bigger
        https://bugs.webkit.org/show_bug.cgi?id=182220

        Reviewed by JF Bastien.
        
        This makes the block footer larger by moving the newlyAllocated bits from the handle into
        the footer.
        
        It used to be profitable to put anything we could into the handle because that would free up
        payload space inside the block. But now that we want to use the footer for padding, it's
        profitable to put GC state information - especially data that is used by the GC itself and so
        is not useful for a Spectre attack - into the footer to increase object distancing.

        * heap/CellContainer.cpp:
        (JSC::CellContainer::isNewlyAllocated const):
        * heap/IsoCellSet.cpp:
        (JSC::IsoCellSet::sweepToFreeList):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::Handle):
        (JSC::MarkedBlock::Footer::Footer):
        (JSC::MarkedBlock::Handle::stopAllocating):
        (JSC::MarkedBlock::Handle::lastChanceToFinalize):
        (JSC::MarkedBlock::Handle::resumeAllocating):
        (JSC::MarkedBlock::aboutToMarkSlow):
        (JSC::MarkedBlock::resetAllocated):
        (JSC::MarkedBlock::Handle::resetAllocated): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::newlyAllocatedVersion const):
        (JSC::MarkedBlock::isNewlyAllocated):
        (JSC::MarkedBlock::setNewlyAllocated):
        (JSC::MarkedBlock::clearNewlyAllocated):
        (JSC::MarkedBlock::newlyAllocated const):
        (JSC::MarkedBlock::Handle::newlyAllocatedVersion const): Deleted.
        (JSC::MarkedBlock::Handle::isNewlyAllocated): Deleted.
        (JSC::MarkedBlock::Handle::setNewlyAllocated): Deleted.
        (JSC::MarkedBlock::Handle::clearNewlyAllocated): Deleted.
        (JSC::MarkedBlock::Handle::newlyAllocated const): Deleted.
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::isNewlyAllocatedStale const):
        (JSC::MarkedBlock::hasAnyNewlyAllocated):
        (JSC::MarkedBlock::Handle::isLive):
        (JSC::MarkedBlock::Handle::specializedSweep):
        (JSC::MarkedBlock::Handle::newlyAllocatedMode):
        (JSC::MarkedBlock::Handle::isNewlyAllocatedStale const): Deleted.
        (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated): Deleted.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::endMarking):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendJSCellOrAuxiliary):

2018-01-27  Filip Pizlo  <fpizlo@apple.com>

        MarkedBlock should have a footer instead of a header
        https://bugs.webkit.org/show_bug.cgi?id=182217

        Reviewed by JF Bastien.
        
        This moves the MarkedBlock's meta-data from the header to the footer. This doesn't really
        change anything except for some compile-time constants, so it should not affect performance.
        
        This change is to help protect against Spectre attacks on structure checks, which allow for
        small-offset out-of-bounds access. By putting the meta-data at the end of the block, small
        OOBs will only get to other objects in the same block or the block footer. The block footer
        is not super interesting. So, if we combine this with the TLC change (r227617), this means we
        can use blocks as the mechanism of achieving distance between objects from different origins.
        We just need to avoid ever putting objects from different origins in the same block. That's
        what bug 181636 is about.
        
        * heap/BlockDirectory.cpp:
        (JSC::blockHeaderSize): Deleted.
        (JSC::BlockDirectory::blockSizeForBytes): Deleted.
        * heap/BlockDirectory.h:
        * heap/HeapUtil.h:
        (JSC::HeapUtil::findGCObjectPointersForMarking):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::~MarkedBlock):
        (JSC::MarkedBlock::Footer::Footer):
        (JSC::MarkedBlock::Footer::~Footer):
        (JSC::MarkedBlock::Handle::stopAllocating):
        (JSC::MarkedBlock::Handle::lastChanceToFinalize):
        (JSC::MarkedBlock::Handle::resumeAllocating):
        (JSC::MarkedBlock::aboutToMarkSlow):
        (JSC::MarkedBlock::resetMarks):
        (JSC::MarkedBlock::assertMarksNotStale):
        (JSC::MarkedBlock::Handle::didConsumeFreeList):
        (JSC::MarkedBlock::markCount):
        (JSC::MarkedBlock::clearHasAnyMarked):
        (JSC::MarkedBlock::Handle::didAddToDirectory):
        (JSC::MarkedBlock::Handle::didRemoveFromDirectory):
        (JSC::MarkedBlock::Handle::sweep):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::markingVersion const):
        (JSC::MarkedBlock::lock):
        (JSC::MarkedBlock::subspace const):
        (JSC::MarkedBlock::footer):
        (JSC::MarkedBlock::footer const):
        (JSC::MarkedBlock::handle):
        (JSC::MarkedBlock::handle const):
        (JSC::MarkedBlock::Handle::blockFooter):
        (JSC::MarkedBlock::isAtomAligned):
        (JSC::MarkedBlock::Handle::cellAlign):
        (JSC::MarkedBlock::blockFor):
        (JSC::MarkedBlock::vm const):
        (JSC::MarkedBlock::weakSet):
        (JSC::MarkedBlock::cellSize):
        (JSC::MarkedBlock::attributes const):
        (JSC::MarkedBlock::atomNumber):
        (JSC::MarkedBlock::areMarksStale):
        (JSC::MarkedBlock::aboutToMark):
        (JSC::MarkedBlock::isMarkedRaw):
        (JSC::MarkedBlock::isMarked):
        (JSC::MarkedBlock::testAndSetMarked):
        (JSC::MarkedBlock::marks const):
        (JSC::MarkedBlock::isAtom):
        (JSC::MarkedBlock::Handle::forEachCell):
        (JSC::MarkedBlock::hasAnyMarked const):
        (JSC::MarkedBlock::noteMarked):
        (WTF::MarkedBlockHash::hash):
        (JSC::MarkedBlock::firstAtom): Deleted.
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::marksConveyLivenessDuringMarking):
        (JSC::MarkedBlock::Handle::isLive):
        (JSC::MarkedBlock::Handle::specializedSweep):
        (JSC::MarkedBlock::Handle::forEachLiveCell):
        (JSC::MarkedBlock::Handle::forEachDeadCell):
        (JSC::MarkedBlock::Handle::forEachMarkedCell):
        * heap/MarkedSpace.cpp:
        * heap/MarkedSpace.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
        https://bugs.webkit.org/show_bug.cgi?id=182213

        Reviewed by Mark Lam.

        toStringWithRadixInternal was originally used for the slow path, when the given value is larger than the radix or negative.
        As a result, it does not accept 0 correctly, and produces an empty string. Since DFGStrengthReductionPhase uses
        this function, it accidentally converts NumberToStringWithValidRadixConstant(0, radix) to an empty string.
        This patch fixes toStringWithRadixInternal to accept 0. This change fixes twitch.tv's issue.

        We also add a careful cast to avoid `-INT32_MIN`. It does not produce an incorrect value on x86 in practice,
        but it is UB, and a compiler may assume that the given value is never INT32_MIN and could do an incorrect optimization.

        * runtime/NumberPrototype.cpp:
        (JSC::toStringWithRadixInternal):
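
Added example, not JSC's source: a constructed radix conversion in the shape the entry above describes, with the two defects side by side. The `while (value)` loop emits no digit for 0 and so returns "", and negating a signed int is undefined behaviour for INT32_MIN. The fixed form uses a do/while so zero always yields "0", and takes the magnitude in unsigned arithmetic, where `0u - (uint32_t)INT32_MIN` is the well-defined 0x80000000. Function names and the buffer convention are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char kDigits[] = "0123456789abcdefghijklmnopqrstuvwxyz";

/* Worst case is INT32_MIN in base 2: a sign, 32 digits and the terminator. */
#define RADIX_BUF_SIZE 34

/* Shape of the slow path the entry describes (constructed, not JSC's code):
 * the loop runs while the value is nonzero, so 0 produces no digit at all and
 * the result is "". The signed negation is UB when value == INT32_MIN. */
static const char *buggy_to_string_with_radix(int32_t value, int radix, char buf[RADIX_BUF_SIZE]) {
    char *p = buf + RADIX_BUF_SIZE - 1;
    *p = '\0';
    int negative = value < 0;
    int32_t magnitude = negative ? -value : value;   /* UB for INT32_MIN */
    while (magnitude) {
        *--p = kDigits[magnitude % radix];
        magnitude /= radix;
    }
    if (negative)
        *--p = '-';
    return p;
}

/* Fixed form: do/while emits at least one digit, so 0 yields "0"; the
 * magnitude is computed in uint32_t, where wrapping subtraction is defined
 * and 0u - (uint32_t)INT32_MIN == 0x80000000. Unsupported radix -> NULL.
 * Digits are written back to front, so the returned pointer is inside buf. */
static const char *to_string_with_radix(int32_t value, int radix, char buf[RADIX_BUF_SIZE]) {
    if (radix < 2 || radix > 36)
        return NULL;
    char *p = buf + RADIX_BUF_SIZE - 1;
    *p = '\0';
    int negative = value < 0;
    uint32_t magnitude = negative ? 0u - (uint32_t)value : (uint32_t)value;
    do {
        *--p = kDigits[magnitude % (uint32_t)radix];
        magnitude /= (uint32_t)radix;
    } while (magnitude);
    if (negative)
        *--p = '-';
    return p;
}

int main(void) {
    char buf[RADIX_BUF_SIZE];
    printf("buggy 0 base 10        -> \"%s\"\n", buggy_to_string_with_radix(0, 10, buf));
    printf("fixed 0 base 10        -> \"%s\"\n", to_string_with_radix(0, 10, buf));
    printf("fixed -255 base 16     -> \"%s\"\n", to_string_with_radix(-255, 16, buf));
    printf("fixed INT32_MIN base 2 -> \"%s\"\n", to_string_with_radix(INT32_MIN, 2, buf));
    printf("fixed INT32_MIN base 16-> \"%s\"\n", to_string_with_radix(INT32_MIN, 16, buf));
    return 0;
}
```

The strength-reduction hazard in the entry follows directly from the first defect: a compile-time folder that trusts this helper bakes "" into the generated code, so the wrong answer survives every later execution rather than only the slow path.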

2018-01-26  Saam Barati  <sbarati@apple.com>

        Fix emitAllocateWithNonNullAllocator to work on arm
        https://bugs.webkit.org/show_bug.cgi?id=182187
        <rdar://problem/36906550>

        Reviewed by Filip Pizlo.

        This patch unifies the x86 and ARM paths in emitAllocateWithNonNullAllocator
        and makes it so that emitAllocateWithNonNullAllocator uses the macro scratch
        register on ARM.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):

2018-01-26  Joseph Pecoraro  <pecoraro@apple.com>

        Rebaselining builtin generator tests after r227685.

        Unreviewed.

        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        It used to be that the builtins generator was minifying by default. That was an accident
        and we now only minify on Release builds. The generator tests are now getting the
        default unminified output behavior so they need to update their expectations
        for some extra whitespace.

2018-01-26  Mark Lam  <mark.lam@apple.com>

        We should only append ParserArenaDeletable pointers to ParserArena::m_deletableObjects.
        https://bugs.webkit.org/show_bug.cgi?id=182180
        <rdar://problem/36460697>

        Reviewed by Michael Saboff.

        Some parser Node subclasses extend ParserArenaDeletable via multiple inheritance,
        but not as the Node's first base class.  ParserArena::m_deletableObjects is
        expecting pointers to objects of the shape of ParserArenaDeletable.  We ensure
        this by allocating the Node subclass, and casting it to ParserArenaDeletable to
        get the correct pointer to append to ParserArena::m_deletableObjects.

        To simplify things, we introduce JSC_MAKE_PARSER_ARENA_DELETABLE_ALLOCATED
        (analogous to WTF_MAKE_FAST_ALLOCATED) for use in Node subclasses that extend
        ParserArenaDeletable.

        * parser/NodeConstructors.h:
        (JSC::ParserArenaDeletable::operator new):
        * parser/Nodes.h:
        * parser/ParserArena.h:
        (JSC::ParserArena::allocateDeletable):

2018-01-26  Joseph Pecoraro  <pecoraro@apple.com>

        JavaScriptCore builtins should be partially minified in Release builds not Debug builds
        https://bugs.webkit.org/show_bug.cgi?id=182165

        Reviewed by Keith Miller.

        * Scripts/builtins/builtins_model.py:
        (BuiltinFunction.fromString):
        Apply minifications on Release builds instead of Debug builds.
        Also eliminate leading whitespace.

2018-01-26  Filip Pizlo  <fpizlo@apple.com>

        Disable TLS-based TLCs
        https://bugs.webkit.org/show_bug.cgi?id=182175

        Reviewed by Saam Barati.

        Check for the new USE(FAST_TLS_FOR_TLC) flag instead of just ENABLE(FAST_TLS_JIT).

        * heap/BlockDirectory.cpp:
        (JSC::BlockDirectory::~BlockDirectory):
        * heap/BlockDirectory.h:
        * heap/ThreadLocalCache.cpp:
        (JSC::ThreadLocalCache::installSlow):
        (JSC::ThreadLocalCache::installData):
        * heap/ThreadLocalCache.h:
        * heap/ThreadLocalCacheInlines.h:
        (JSC::ThreadLocalCache::getImpl):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        * runtime/VM.h:

2018-01-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/errorhandling.html crashes
        https://bugs.webkit.org/show_bug.cgi?id=181980

        Reviewed by Ryosuke Niwa.

        We accidentally failed to propagate the errored promise in the instantiate and satisfy phases if entry.{instantiate,satisfy}
        promises are set. Since we just returned `entry`, it becomes a succeeded promise even if the dependent fetch, instantiate,
        and satisfy promises have failed. This patch fixes error propagation by returning `entry.instantiate` and `entry.satisfy`
        correctly.

        * builtins/ModuleLoaderPrototype.js:
        (requestInstantiate):
        (requestSatisfy):

2018-01-25  Mark Lam  <mark.lam@apple.com>

        Gardening: fix 32-bit build after r227643.
        https://bugs.webkit.org/show_bug.cgi?id=182086

        Not reviewed.

        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):

2018-01-24  Filip Pizlo  <fpizlo@apple.com>

        DirectArguments should protect itself using dynamic poisoning and precise index masking
        https://bugs.webkit.org/show_bug.cgi?id=182086

        Reviewed by Saam Barati.
        
        This implements dynamic poisoning and precise index masking in DirectArguments, using the
        helpers from <wtf/MathExtras.h> and helpers in AssemblyHelpers and FTL::LowerDFGToB3.
        
        We use dynamic poisoning for DirectArguments since this object did not have any additional
        indirection inside it that could have been poisoned. So, we use the xor of the expected type
        and the actual type as an additional input into the pointer.
        
        We use precise index masking for bounds checks, because it's not worth doing index masking
        unless we know that precise index masking is too slow.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::lshiftPtr):
        (JSC::MacroAssembler::rshiftPtr):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
        (JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask64):
        (JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask32):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitPreciseIndexMask32):
        (JSC::AssemblyHelpers::emitDynamicPoison):
        (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
        (JSC::AssemblyHelpers::emitDynamicPoisonOnType):
        * jit/AssemblyHelpers.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDirectArgumentsGetByVal):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::getIndexQuickly const):
        (JSC::DirectArguments::setIndexQuickly):
        (JSC::DirectArguments::argument):
        * runtime/GenericArgumentsInlines.h:

2018-01-25  Mark Lam  <mark.lam@apple.com>

        Rename some local vars from type to typedArrayType for greater clarity.
        https://bugs.webkit.org/show_bug.cgi?id=182148
        <rdar://problem/36882310>

        Reviewed by Saam Barati.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):

2018-01-25  Filip Pizlo  <fpizlo@apple.com>

        JSC GC should support TLCs (thread local caches)
        https://bugs.webkit.org/show_bug.cgi?id=181559

        Reviewed by Mark Lam and Saam Barati.
        
        This is a big step towards object distancing by site origin. This patch implements TLCs, or
        thread-local caches, which allow each thread to allocate from its own free lists. It also
        means that any given thread can context-switch TLCs. This will allow us to do separate
        allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
        will allow us to have a hard distancing constraint between objects from different origins.
        
        In this new design, every "size class" is represented as a BlockDirectory (formerly known as
        MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
        aligned memory allocator (which roughly represents which cage you came out of), and anyone
        using the same allocator can share those blocks - but so long as they are in that
        BlockDirectory, they will have the size and type of that directory. Previously, each
        BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a doubly linked list of
        LocalAllocators, each of which has a FreeList.
        
        To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
        BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
        call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
        starts by figuring out what Allocator it wants (often we have this information at JIT time).
        Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
        Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
        offsets as opposed to indices to make it easy to do the math on each allocation (if
        LocalAllocator had a weird size then every allocation would have to do an imul).
        
        This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
        unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
        geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
        something there, but it's not significant according to our threshold).
        
        Relanding after fixing ARM64 bug in AssemblyHelpers::emitAllocateWithNonNullAllocator(). That
        function needs to be careful to avoid using the scratch register because the FTL will call it
        in disallow-scratch-register mode.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/B3LowerToAir.cpp:
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::admitsStack):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::forEachArgImpl):
        (JSC::B3::StackmapSpecial::isArgValidForRep):
        * b3/B3StackmapValue.cpp:
        (JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
        * b3/B3StackmapValue.h:
        * b3/B3Validate.cpp:
        * b3/B3ValueRep.cpp:
        (JSC::B3::ValueRep::addUsedRegistersTo const):
        (JSC::B3::ValueRep::dump const):
        (WTF::printInternal):
        * b3/B3ValueRep.h:
        (JSC::B3::ValueRep::ValueRep):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
        (JSC::ObjectAllocationProfile::clear):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileCreateThis):
        (JSC::DFG::SpeculativeJIT::compileNewObject):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
        * heap/Allocator.cpp: Added.
        (JSC::Allocator::cellSize const):
        * heap/Allocator.h: Added.
        (JSC::Allocator::Allocator):
        (JSC::Allocator::offset const):
        (JSC::Allocator::operator== const):
        (JSC::Allocator::operator!= const):
        (JSC::Allocator::operator bool const):
        * heap/AllocatorInlines.h: Added.
        (JSC::Allocator::allocate const):
        (JSC::Allocator::tryAllocate const):
        * heap/BlockDirectory.cpp:
        (JSC::BlockDirectory::BlockDirectory):
        (JSC::BlockDirectory::findBlockForAllocation):
        (JSC::BlockDirectory::stopAllocating):
        (JSC::BlockDirectory::prepareForAllocation):
        (JSC::BlockDirectory::stopAllocatingForGood):
        (JSC::BlockDirectory::resumeAllocating):
        (JSC::BlockDirectory::endMarking):
        (JSC::BlockDirectory::isFreeListedCell):
        (JSC::BlockDirectory::didConsumeFreeList): Deleted.
        (JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
        (JSC::BlockDirectory::allocateIn): Deleted.
        (JSC::BlockDirectory::tryAllocateIn): Deleted.
        (JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
        (JSC::BlockDirectory::allocateSlowCase): Deleted.
        * heap/BlockDirectory.h:
        (JSC::BlockDirectory::cellKind const):
        (JSC::BlockDirectory::allocator const):
        (JSC::BlockDirectory::freeList const): Deleted.
        (JSC::BlockDirectory::offsetOfFreeList): Deleted.
        (JSC::BlockDirectory::offsetOfCellSize): Deleted.
        * heap/BlockDirectoryInlines.h:
        (JSC::BlockDirectory::isFreeListedCell const): Deleted.
        (JSC::BlockDirectory::allocate): Deleted.
        * heap/CompleteSubspace.cpp:
        (JSC::CompleteSubspace::CompleteSubspace):
        (JSC::CompleteSubspace::allocatorFor):
        (JSC::CompleteSubspace::allocate):
        (JSC::CompleteSubspace::allocateNonVirtual):
        (JSC::CompleteSubspace::allocatorForSlow):
        (JSC::CompleteSubspace::allocateSlow):
        (JSC::CompleteSubspace::tryAllocateSlow):
        * heap/CompleteSubspace.h:
        (JSC::CompleteSubspace::allocatorForSizeStep):
        (JSC::CompleteSubspace::allocatorForNonVirtual):
        * heap/FreeList.h:
        * heap/GCDeferralContext.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::lastChanceToFinalize):
        * heap/Heap.h:
        (JSC::Heap::threadLocalCacheLayout):
        * heap/IsoCellSet.h:
        * heap/IsoSubspace.cpp:
        (JSC::IsoSubspace::IsoSubspace):
        (JSC::IsoSubspace::allocatorFor):
        (JSC::IsoSubspace::allocate):
        (JSC::IsoSubspace::allocateNonVirtual):
        * heap/IsoSubspace.h:
        (JSC::IsoSubspace::allocatorForNonVirtual):
        * heap/LocalAllocator.cpp: Added.
        (JSC::LocalAllocator::LocalAllocator):
        (JSC::LocalAllocator::reset):
        (JSC::LocalAllocator::~LocalAllocator):
        (JSC::LocalAllocator::stopAllocating):
        (JSC::LocalAllocator::resumeAllocating):
        (JSC::LocalAllocator::prepareForAllocation):
        (JSC::LocalAllocator::stopAllocatingForGood):
        (JSC::LocalAllocator::allocateSlowCase):
        (JSC::LocalAllocator::didConsumeFreeList):
        (JSC::LocalAllocator::tryAllocateWithoutCollecting):
        (JSC::LocalAllocator::allocateIn):
        (JSC::LocalAllocator::tryAllocateIn):
        (JSC::LocalAllocator::doTestCollectionsIfNeeded):
        (JSC::LocalAllocator::isFreeListedCell const):
        * heap/LocalAllocator.h: Added.
        (JSC::LocalAllocator::offsetOfFreeList):
        (JSC::LocalAllocator::offsetOfCellSize):
        * heap/LocalAllocatorInlines.h: Added.
        (JSC::LocalAllocator::allocate):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::stopAllocatingForGood):
        * heap/MarkedSpace.h:
        * heap/SlotVisitor.cpp:
        * heap/SlotVisitor.h:
        * heap/Subspace.h:
        * heap/ThreadLocalCache.cpp: Added.
        (JSC::ThreadLocalCache::create):
        (JSC::ThreadLocalCache::ThreadLocalCache):
        (JSC::ThreadLocalCache::~ThreadLocalCache):
        (JSC::ThreadLocalCache::allocateData):
        (JSC::ThreadLocalCache::destroyData):
        (JSC::ThreadLocalCache::installSlow):
        (JSC::ThreadLocalCache::installData):
        (JSC::ThreadLocalCache::allocatorSlow):
        (JSC::ThreadLocalCache::destructor):
        * heap/ThreadLocalCache.h: Added.
        (JSC::ThreadLocalCache::offsetOfSize):
        (JSC::ThreadLocalCache::offsetOfFirstAllocator):
        * heap/ThreadLocalCacheInlines.h: Added.
        (JSC::ThreadLocalCache::getImpl):
        (JSC::ThreadLocalCache::get):
        (JSC::ThreadLocalCache::install):
        (JSC::ThreadLocalCache::allocator):
        (JSC::ThreadLocalCache::tryGetAllocator):
        * heap/ThreadLocalCacheLayout.cpp: Added.
        (JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
        (JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
        (JSC::ThreadLocalCacheLayout::allocateOffset):
        (JSC::ThreadLocalCacheLayout::snapshot):
        (JSC::ThreadLocalCacheLayout::directory):
        * heap/ThreadLocalCacheLayout.h: Added.
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
        (JSC::AssemblyHelpers::emitAllocate):
        (JSC::AssemblyHelpers::emitAllocateVariableSized):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::vm):
        (JSC::AssemblyHelpers::emitAllocateJSCell):
        (JSC::AssemblyHelpers::emitAllocateJSObject):
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
        (JSC::AssemblyHelpers::emitAllocate): Deleted.
        (JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::growArrayRight):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
        * runtime/HashMapImpl.h:
        (JSC::HashMapBuffer::create):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::unshiftCountSlowCase):
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSCellInlines.h:
        (JSC::tryAllocateCellHelper):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::threadLocalCache const):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/Options.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):

2018-01-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r227592.
        https://bugs.webkit.org/show_bug.cgi?id=182110

        it made ARM64 (Linux and iOS) crash (Requested by pizlo-mbp on
        #webkit).

        Reverted changeset:

        "JSC GC should support TLCs (thread local caches)"
        https://bugs.webkit.org/show_bug.cgi?id=181559
        https://trac.webkit.org/changeset/227592

2018-01-25  Alejandro G. Castro  <alex@igalia.com>

        undefined reference to 'JSC::B3::BasicBlock::fallThrough() const
        https://bugs.webkit.org/show_bug.cgi?id=180637

        Reviewed by Michael Catanzaro.

        We need to make sure the implementation of the inline functions is
        compiled when we compile the code using the function, now that the
        compilation is divided, or we could end up with undefined symbols
        when the declaration is not inlined, at least with some compilers
        and with optimizations enabled (-O2).

        * b3/B3SwitchValue.cpp: replace the include.

2018-01-20  Filip Pizlo  <fpizlo@apple.com>

        JSC GC should support TLCs (thread local caches)
        https://bugs.webkit.org/show_bug.cgi?id=181559

        Reviewed by Mark Lam and Saam Barati.
        
        This is a big step towards object distancing by site origin. This patch implements TLCs, or
        thread-local caches, which allow each thread to allocate from its own free lists. It also
        means that any given thread can context-switch TLCs. This will allow us to do separate
        allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
        will allow us to have a hard distancing constraint between objects from different origins.
        
        In this new design, every "size class" is represented as a BlockDirectory (formerly known as
        MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
        aligned memory allocator (which roughly represents which cage you came out of), and anyone
        using the same allocator can share those blocks - but so long as they are in that
        BlockDirectory, they will have the size and type of that directory. Previously, each
        BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a doubly linked list of
        LocalAllocators, each of which has a FreeList.
        
        To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
        BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
        call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
        starts by figuring out what Allocator it wants (often we have this information at JIT time).
        Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
        Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
        offsets as opposed to indices to make it easy to do the math on each allocation (if
        LocalAllocator had a weird size then every allocation would have to do an imul).
        
        This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
        unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
        geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
        something there, but it's not significant according to our threshold).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/B3LowerToAir.cpp:
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::admitsStack):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::forEachArgImpl):
        (JSC::B3::StackmapSpecial::isArgValidForRep):
        * b3/B3StackmapValue.cpp:
        (JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
        * b3/B3StackmapValue.h:
        * b3/B3Validate.cpp:
        * b3/B3ValueRep.cpp:
        (JSC::B3::ValueRep::addUsedRegistersTo const):
        (JSC::B3::ValueRep::dump const):
        (WTF::printInternal):
        * b3/B3ValueRep.h:
        (JSC::B3::ValueRep::ValueRep):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
        (JSC::ObjectAllocationProfile::clear):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileCreateThis):
        (JSC::DFG::SpeculativeJIT::compileNewObject):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
        * heap/Allocator.cpp: Added.
        (JSC::Allocator::cellSize const):
        * heap/Allocator.h: Added.
        (JSC::Allocator::Allocator):
        (JSC::Allocator::offset const):
        (JSC::Allocator::operator== const):
        (JSC::Allocator::operator!= const):
        (JSC::Allocator::operator bool const):
        * heap/AllocatorInlines.h: Added.
        (JSC::Allocator::allocate const):
        (JSC::Allocator::tryAllocate const):
        * heap/BlockDirectory.cpp:
        (JSC::BlockDirectory::BlockDirectory):
        (JSC::BlockDirectory::findBlockForAllocation):
        (JSC::BlockDirectory::stopAllocating):
        (JSC::BlockDirectory::prepareForAllocation):
        (JSC::BlockDirectory::stopAllocatingForGood):
        (JSC::BlockDirectory::resumeAllocating):
        (JSC::BlockDirectory::endMarking):
        (JSC::BlockDirectory::isFreeListedCell):
        (JSC::BlockDirectory::didConsumeFreeList): Deleted.
        (JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
        (JSC::BlockDirectory::allocateIn): Deleted.
        (JSC::BlockDirectory::tryAllocateIn): Deleted.
        (JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
        (JSC::BlockDirectory::allocateSlowCase): Deleted.
        * heap/BlockDirectory.h:
        (JSC::BlockDirectory::cellKind const):
        (JSC::BlockDirectory::allocator const):
        (JSC::BlockDirectory::freeList const): Deleted.
        (JSC::BlockDirectory::offsetOfFreeList): Deleted.
        (JSC::BlockDirectory::offsetOfCellSize): Deleted.
        * heap/BlockDirectoryInlines.h:
        (JSC::BlockDirectory::isFreeListedCell const): Deleted.
        (JSC::BlockDirectory::allocate): Deleted.
        * heap/CompleteSubspace.cpp:
        (JSC::CompleteSubspace::CompleteSubspace):
        (JSC::CompleteSubspace::allocatorFor):
        (JSC::CompleteSubspace::allocate):
        (JSC::CompleteSubspace::allocateNonVirtual):
        (JSC::CompleteSubspace::allocatorForSlow):
        (JSC::CompleteSubspace::allocateSlow):
        (JSC::CompleteSubspace::tryAllocateSlow):
        * heap/CompleteSubspace.h:
        (JSC::CompleteSubspace::allocatorForSizeStep):
        (JSC::CompleteSubspace::allocatorForNonVirtual):
        * heap/FreeList.h:
        * heap/GCDeferralContext.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::lastChanceToFinalize):
        * heap/Heap.h:
        (JSC::Heap::threadLocalCacheLayout):
        * heap/IsoCellSet.h:
        * heap/IsoSubspace.cpp:
        (JSC::IsoSubspace::IsoSubspace):
        (JSC::IsoSubspace::allocatorFor):
        (JSC::IsoSubspace::allocate):
        (JSC::IsoSubspace::allocateNonVirtual):
        * heap/IsoSubspace.h:
        (JSC::IsoSubspace::allocatorForNonVirtual):
        * heap/LocalAllocator.cpp: Added.
        (JSC::LocalAllocator::LocalAllocator):
        (JSC::LocalAllocator::reset):
        (JSC::LocalAllocator::~LocalAllocator):
        (JSC::LocalAllocator::stopAllocating):
        (JSC::LocalAllocator::resumeAllocating):
        (JSC::LocalAllocator::prepareForAllocation):
        (JSC::LocalAllocator::stopAllocatingForGood):
        (JSC::LocalAllocator::allocateSlowCase):
        (JSC::LocalAllocator::didConsumeFreeList):
        (JSC::LocalAllocator::tryAllocateWithoutCollecting):
        (JSC::LocalAllocator::allocateIn):
        (JSC::LocalAllocator::tryAllocateIn):
        (JSC::LocalAllocator::doTestCollectionsIfNeeded):
        (JSC::LocalAllocator::isFreeListedCell const):
        * heap/LocalAllocator.h: Added.
        (JSC::LocalAllocator::offsetOfFreeList):
        (JSC::LocalAllocator::offsetOfCellSize):
        * heap/LocalAllocatorInlines.h: Added.
        (JSC::LocalAllocator::allocate):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::stopAllocatingForGood):
        * heap/MarkedSpace.h:
        * heap/SlotVisitor.cpp:
        * heap/SlotVisitor.h:
        * heap/Subspace.h:
        * heap/ThreadLocalCache.cpp: Added.
        (JSC::ThreadLocalCache::create):
        (JSC::ThreadLocalCache::ThreadLocalCache):
        (JSC::ThreadLocalCache::~ThreadLocalCache):
        (JSC::ThreadLocalCache::allocateData):
        (JSC::ThreadLocalCache::destroyData):
        (JSC::ThreadLocalCache::installSlow):
        (JSC::ThreadLocalCache::installData):
        (JSC::ThreadLocalCache::allocatorSlow):
        (JSC::ThreadLocalCache::destructor):
        * heap/ThreadLocalCache.h: Added.
        (JSC::ThreadLocalCache::offsetOfSize):
        (JSC::ThreadLocalCache::offsetOfFirstAllocator):
        * heap/ThreadLocalCacheInlines.h: Added.
        (JSC::ThreadLocalCache::getImpl):
        (JSC::ThreadLocalCache::get):
        (JSC::ThreadLocalCache::install):
        (JSC::ThreadLocalCache::allocator):
        (JSC::ThreadLocalCache::tryGetAllocator):
        * heap/ThreadLocalCacheLayout.cpp: Added.
        (JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
        (JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
        (JSC::ThreadLocalCacheLayout::allocateOffset):
        (JSC::ThreadLocalCacheLayout::snapshot):
        (JSC::ThreadLocalCacheLayout::directory):
        * heap/ThreadLocalCacheLayout.h: Added.
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
        (JSC::AssemblyHelpers::emitAllocate):
        (JSC::AssemblyHelpers::emitAllocateVariableSized):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::vm):
        (JSC::AssemblyHelpers::emitAllocateJSCell):
        (JSC::AssemblyHelpers::emitAllocateJSObject):
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
        (JSC::AssemblyHelpers::emitAllocate): Deleted.
        (JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::growArrayRight):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
        * runtime/HashMapImpl.h:
        (JSC::HashMapBuffer::create):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::unshiftCountSlowCase):
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSCellInlines.h:
        (JSC::tryAllocateCellHelper):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::threadLocalCache const):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/Options.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
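
Added example (not WebKit code): a C model of the TLC allocation path described in the entry above and in its 2018-01-25 relanding. A BlockDirectory hands out an Allocator that is just a byte offset, a thread-local ThreadLocalCache::Data holds the LocalAllocators at those offsets, and an allocation adds the offset to the TLS base and pops that LocalAllocator's free list. The struct layouts, the block size, the hypothetical refill/in_current_block helpers and the two-origin demo are assumptions chosen for illustration; only the scheme follows the ChangeLog text. Switching the installed TLC is what keeps the two origins' cells in different blocks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model, not JSC code: layouts, block size and the demo are
   assumptions; only the scheme follows the ChangeLog entry. */
#define BLOCK_CELLS 4
#define MAX_DIRECTORIES 4

typedef struct FreeCell { struct FreeCell *next; } FreeCell;

/* LocalAllocator: one FreeList, owned by one TLC, for one BlockDirectory's size class. */
typedef struct {
    FreeCell *free_head;
    char *block_begin, *block_end;   /* block this TLC is carving (demo bookkeeping) */
} LocalAllocator;

/* Allocator: POD byte offset of a LocalAllocator inside ThreadLocalCache::Data. */
typedef struct { uint32_t offset; } Allocator;
/* BlockDirectory: one per size class; owns its Allocator offset and hands out blocks. */
typedef struct { size_t cell_size; Allocator allocator; } BlockDirectory;
/* ThreadLocalCache::Data: LocalAllocators at the offsets the directories were assigned. */
typedef struct { LocalAllocator locals[MAX_DIRECTORIES]; } TLCData;

static _Thread_local TLCData *current_tlc;   /* stands in for the fast TLS slot */

static BlockDirectory directory_create(size_t cell_size, unsigned index)
{
    BlockDirectory d;
    d.cell_size = cell_size < sizeof(FreeCell) ? sizeof(FreeCell) : cell_size;
    /* A byte offset, not an index: the JIT adds it to the TLS base with no imul. */
    d.allocator.offset = (uint32_t)(offsetof(TLCData, locals) + index * sizeof(LocalAllocator));
    return d;
}

static TLCData *tlc_create(void)
{
    TLCData *data = calloc(1, sizeof *data);
    if (!data) abort();
    return data;
}

/* Installing another TLC is the context switch the entry describes. */
static void tlc_install(TLCData *data) { current_tlc = data; }

static LocalAllocator *local_allocator_for(Allocator a)
{
    return (LocalAllocator *)((char *)current_tlc + a.offset);
}

/* Slow path: take a fresh block from the directory and thread its cells onto
   this TLC's free list; a block is carved by one LocalAllocator at a time. */
static void refill(LocalAllocator *la, const BlockDirectory *dir)
{
    char *block = malloc(BLOCK_CELLS * dir->cell_size);
    if (!block) abort();
    la->block_begin = block;
    la->block_end = block + BLOCK_CELLS * dir->cell_size;
    for (size_t i = BLOCK_CELLS; i-- > 0;) {
        FreeCell *c = (FreeCell *)(block + i * dir->cell_size);
        c->next = la->free_head;
        la->free_head = c;
    }
}

/* Fast path as the JIT sees it: TLS base + Allocator offset, then pop the free list. */
static void *tlc_allocate(const BlockDirectory *dir)
{
    LocalAllocator *la = local_allocator_for(dir->allocator);
    if (!la->free_head)
        refill(la, dir);
    FreeCell *cell = la->free_head;
    la->free_head = cell->next;
    return cell;
}

static int in_current_block(const LocalAllocator *la, const void *p)
{
    return (uintptr_t)p >= (uintptr_t)la->block_begin && (uintptr_t)p < (uintptr_t)la->block_end;
}

/* Two TLCs (think: two site origins) sharing one BlockDirectory never hand out
   cells from the same block, while two allocations on one TLC do. Returns 1 if so. */
static int demo_origin_distancing(void)
{
    BlockDirectory dir = directory_create(32, 0);
    TLCData *origin_a = tlc_create(), *origin_b = tlc_create();

    tlc_install(origin_a);
    void *a1 = tlc_allocate(&dir), *a2 = tlc_allocate(&dir);
    LocalAllocator *la_a = local_allocator_for(dir.allocator);

    tlc_install(origin_b);
    void *b1 = tlc_allocate(&dir);
    LocalAllocator *la_b = local_allocator_for(dir.allocator);

    int ok = in_current_block(la_a, a1) && in_current_block(la_a, a2) && in_current_block(la_b, b1)
          && !in_current_block(la_a, b1) && !in_current_block(la_b, a1);
    free(la_a->block_begin);
    free(la_b->block_begin);
    free(origin_a);
    free(origin_b);
    return ok;
}
```

The demo keeps a block's bounds on the LocalAllocator only so it can show which block a cell came from; in the real design that bookkeeping lives in the block itself. What matters is that the free list is reached through the currently installed TLC, so changing the TLC changes which blocks the same directory serves from.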

2018-01-24  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Simplify update-LegacyInspectorBackendCommands.rb
        https://bugs.webkit.org/show_bug.cgi?id=182067

        Reviewed by Brian Burg.

        * inspector/scripts/codegen/models.py:
        (Framework.fromString):
        (Frameworks):
        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification):
        Allow framework WebInspectorUI to generate just the backend commands files.

2018-01-23  Mark Lam  <mark.lam@apple.com>

        Update Poisoned pointers to take a Poison class instead of a uintptr_t&.
        https://bugs.webkit.org/show_bug.cgi?id=182017
        <rdar://problem/36795513>

        Reviewed by Filip Pizlo and JF Bastien.

        Removed the POISON() macro.  Now that we have Poison types, we can just use the
        Poison type instead and make the code a bit nicer to read.

        * API/JSAPIWrapperObject.h:
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.h:
        * b3/B3LowerMacros.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testInterpreter):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::instructions):
        (JSC::CodeBlock::instructions const):
        * dfg/DFGOSRExitCompilerCommon.h:
        (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        * jit/JIT.h:
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * parser/UnlinkedSourceCode.h:
        * runtime/ArrayPrototype.h:
        * runtime/CustomGetterSetter.h:
        * runtime/DateInstance.h:
        * runtime/InternalFunction.h:
        * runtime/JSArrayBuffer.h:
        * runtime/JSCPoison.cpp:
        (JSC::initializePoison):
        * runtime/JSCPoison.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSScriptFetchParameters.h:
        * runtime/JSScriptFetcher.h:
        * runtime/NativeExecutable.h:
        * runtime/StructureTransitionTable.h:
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrier::poison): Deleted.
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::poison):
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/JSWebAssemblyTable.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJS):
        * wasm/js/WebAssemblyFunctionBase.h:
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyToJSCallee.h:
        * wasm/js/WebAssemblyWrapperFunction.h:

2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, suppress GCC warnings
        https://bugs.webkit.org/show_bug.cgi?id=181976

        * runtime/TypedArrayType.h:

2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [YARR] Add diagnosis for YarrJIT failures
        https://bugs.webkit.org/show_bug.cgi?id=181927

        Reviewed by Sam Weinig.

        It is nice if we can see the reason why YarrJIT fails to compile a given pattern.
        This patch introduces Yarr::JITFailureReason and dumps messages if Options::dumpCompiledRegExpPatterns is specified.

        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateTerm):
        (JSC::Yarr::YarrGenerator::backtrackTerm):
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::dumpCompileFailure):
        (JSC::Yarr::jitCompile):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::setFallBack):
        (JSC::Yarr::YarrCodeBlock::fallBack):
        (JSC::Yarr::YarrCodeBlock::clear):
        (JSC::Yarr::YarrCodeBlock::YarrCodeBlock): Deleted.
        (JSC::Yarr::YarrCodeBlock::~YarrCodeBlock): Deleted.
        (JSC::Yarr::YarrCodeBlock::isFallBack): Deleted.

2018-01-23  Alex Christensen  <achristensen@webkit.org>

        Remove pre-Sierra-OS-specific code in WTF and JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=182028

        Reviewed by Keith Miller.

        * inspector/remote/cocoa/RemoteInspectorXPCConnection.h:
        * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::handleEvent):

2018-01-23  Filip Pizlo  <fpizlo@apple.com>

        Use precise index masking for FTL GetByArgumentByVal
        https://bugs.webkit.org/show_bug.cgi?id=182006

        Reviewed by Keith Miller.
        
        This protects speculative out-of-bounds on arguments[index].
        
        Making this work right involved fixing a possible overflow situation with
        numberOfArgumentsToSkip.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasNumberOfArgumentsToSkip):
        (JSC::DFG::Node::numberOfArgumentsToSkip):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):

2018-01-23  David Kilzer  <ddkilzer@apple.com>

        Follow-up for: oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found
        <https://webkit.org/b/181871>
        <rdar://problem/36669691>

        Address feedback for this change.

        * CMakeLists.txt: Change "SYSTEM PUBLIC" to "SYSTEM PRIVATE" per
        feedback from Konstantin Tokarev.

2018-01-23  Robin Morisset  <rmorisset@apple.com>

        Rollout r219636
        https://bugs.webkit.org/show_bug.cgi?id=181997
        <rdar://problem/35883022>

        Unreviewed, as it is a rollout.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):
        * runtime/JSObject.cpp:
        (JSC::JSObject::ensureLengthSlow):

2018-01-23  Mark Lam  <mark.lam@apple.com>

        Re-arrange TypedArray JSTypes to match the order of the TypedArrayType enum list.
        https://bugs.webkit.org/show_bug.cgi?id=181976
        <rdar://problem/36766936>

        Reviewed by Filip Pizlo.

        1. The order of TypedArray JSTypes now matches the order of the TypedArrayType enum
           list.  I also added static asserts in TypedArrayType.h to enforce this.

           Also redefined FOR_EACH_TYPED_ARRAY_TYPE() in terms of

        2. Define 4 new values:
           a. FirstTypedArrayType
           b. LastTypedArrayType
           c. NumberOfTypedArrayTypesExcludingDataView
           d. NumberOfTypedArrayTypes

           Use these everywhere where we iterate or bisect the TypedArray JSTypes.

        3. Removed NUMBER_OF_TYPED_ARRAY_TYPES, and use NumberOfTypedArrayTypes instead.

        4. Simplify the code that converts between TypedArrayType and JSType.

           Changed typedArrayTypeForType() to be the mirror image of typeForTypedArrayType().
           Previously, typedArrayTypeForType() converted DataViewType to NotTypedArray
           instead of TypeDataView.  Now, it converts to TypeDataView.

           This does not result in any change of behavior because typedArrayTypeForType()
           is only called in Structure::hasIndexingHeader(), and its result is passed to
           isTypedView(), which handles TypeDataView correctly.

        5. Also fixed a bug in SpeculativeJIT::compileGetTypedArrayByteOffset().
           If the vector is null, we can skip the rest of the checks.  While the current
           code does not result in incorrect behavior, it is inefficient, and communicates
           wrong information to the reader, i.e. implying that there's something in the
           dataGPR when there's not.  The dataGPR should also be null in this case.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView):
        * ftl/FTLOSRExit.cpp:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSType.h:
        * runtime/TypedArrayType.cpp:
        (JSC::typeForTypedArrayType): Deleted.
        * runtime/TypedArrayType.h:
        (JSC::typedArrayTypeForType):
        (JSC::typeForTypedArrayType):

2018-01-23  Filip Pizlo  <fpizlo@apple.com>

        DFG should always flush `this`
        https://bugs.webkit.org/show_bug.cgi?id=181999

        Reviewed by Saam Barati and Mark Lam.
        
        This is going to make it possible to use precise index masking for arguments-on-the-stack
        accesses with an index adjusted so that 0 is this. Without this change, we would have no way
        of masking when the argument count is 0, unless we padded the argument area so that there was
        always an argument slot after `this` and it was always initialized.
        
        This is neutral on all benchmarks.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flushImpl):
        (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::flushForTerminal):
        (JSC::DFG::ByteCodeParser::parse):
        (JSC::DFG::flushImpl): Deleted.
        (JSC::DFG::flushForTerminalImpl): Deleted.
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):

2018-01-23  Filip Pizlo  <fpizlo@apple.com>

        JSC should use a speculation fence on VM entry/exit
        https://bugs.webkit.org/show_bug.cgi?id=181991

        Reviewed by JF Bastien and Mark Lam.
        
        This adds a WTF::speculationFence on VM entry and exit.
        
        For a microbenchmark that just calls a native function (supplied via an Objective-C block) in a
        tight loop from JS, this is a 0% regression on x86 and an 11% regression on ARM64.
        
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):

2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] JIT requires sizeof(bool) == 1
        https://bugs.webkit.org/show_bug.cgi?id=181150

        Reviewed by Saam Barati.

        LLInt and JIT assume that sizeof(bool) == 1. But it is implementation-dependent in the C++ spec.
        Since this is a mandatory requirement in JSC, we add a static_assert to ensure this.

        * runtime/InitializeThreading.cpp:

2018-01-23  Robin Morisset  <rmorisset@apple.com>

        Update the argument count in DFGByteCodeParser::handleRecursiveCall
        https://bugs.webkit.org/show_bug.cgi?id=181739
        <rdar://problem/36627662>

        Reviewed by Saam Barati.

        When calling a function, its number of arguments is set on the stack. When we turn a recursive tail call
        into a jump, we should update that stack slot as there is no guarantee that the function was originally
        called with the same number of arguments. Forgetting to do this is observable through 'arguments.length'.

        It required adding a new DFG node: 'SetArgumentCountIncludingThis', that takes an unsigned int
        as its first OpInfo field, and stores it to the stack at the right place.

        We must be a bit careful in where we put this new node, as it ClobbersExit.
        We must also fix DFGArgumentsEliminationPhase and DFGPutStackSinkingPhase as they assumed that any node that writes to the stack must write to either an argument or a local.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::argumentCountIncludingThis):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetArgumentCountIncludingThis):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetArgumentCountIncludingThis):

2018-01-22  Michael Saboff  <msaboff@apple.com>

        DFG abstract interpreter needs to properly model effects of some Math ops
        https://bugs.webkit.org/show_bug.cgi?id=181886

        Reviewed by Saam Barati.

        Reviewed the processing of the various ArithXXX and CompareXXX and found that
        several nodes don't handle UntypedUse.  Added clobberWorld() for those cases.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):

2018-01-21  Wenson Hsieh  <wenson_hsieh@apple.com>

        Add a new feature flag for EXTRA_ZOOM_MODE and reintroduce AdditionalFeatureDefines.h
        https://bugs.webkit.org/show_bug.cgi?id=181918

        Reviewed by Tim Horton.

        Add EXTRA_ZOOM_MODE to FeatureDefines.xconfig (off by default).

        * Configurations/FeatureDefines.xcconfig:

2018-01-20  Caio Lima  <ticaiolima@gmail.com>

        [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
        https://bugs.webkit.org/show_bug.cgi?id=181182

        Reviewed by Darin Adler.

        Casting double to integer is undefined behavior when the truncation
        results in a value that doesn't fit into the integer size,
        according to the C++ spec [1]. Thus, we are changing bigIntProtoFuncToString and
        numberProtoFuncToString to remove these sources of undefined
        behavior.

        [1] - http://en.cppreference.com/w/cpp/language/implicit_conversion

        * runtime/BigIntPrototype.cpp:
        (JSC::bigIntProtoFuncToString):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToString):
        (JSC::extractToStringRadixArgument):
        (JSC::extractRadixFromArgs): Deleted.
        * runtime/NumberPrototype.h:

2018-01-19  Saam Barati  <sbarati@apple.com>

        Kill ArithNegate's ArithProfile assert inside BytecodeParser
        https://bugs.webkit.org/show_bug.cgi?id=181877
        <rdar://problem/36630552>

        Reviewed by Mark Lam.

        Before this patch, we used to assert that op_negate's result ArithProfile
        only produces numbers. It's logically true that negate only produces a number.
        However, the DFG may incorrectly pick this ArithProfile when doing OSR exit
        profiling. So we'll end up profiling something that's likely the input to
        negate. This patch removes the assert. We cede to the fact that Graph::methodOfGettingAValueProfileFor
        is entirely heuristic based, potentially leading to profiling results being imprecise.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):

2018-01-19  David Kilzer  <ddkilzer@apple.com>

        oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found
        <https://webkit.org/b/181871>

        Rubber-stamped by JF Bastien.

        * CMakeLists.txt: Add ICU header search path to
        LLIntOffsetsExtractor target by reusing
        JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES.

2018-01-19  Saam Barati  <sbarati@apple.com>

        Spread's effects are modeled incorrectly both in AI and in Clobberize
        https://bugs.webkit.org/show_bug.cgi?id=181867
        <rdar://problem/36290415>

        Reviewed by Michael Saboff.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-01-19  Keith Miller  <keith_miller@apple.com>

        HaveInternalSDK includes should be "#include?"
        https://bugs.webkit.org/show_bug.cgi?id=179670

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

2018-01-18  JF Bastien  <jfbastien@apple.com>

        Set the minimum executable allocator size properly
        https://bugs.webkit.org/show_bug.cgi?id=181816
        <rdar://problem/36635533>

        Reviewed by Saam Barati.

        The executable allocator expects at least two page sizes' worth of
        allocation in certain conditions, and that causes some tests to
        now fail because they ask for less. Set that minimum correctly. We
        were already rounding up to a page size, so having a minimum of 2
        page sizes is fine.

        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):

2018-01-18  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for Windows

        * interpreter/FrameTracers.h:
        (JSC::assertStackPointerIsAligned): Can't use gcc style inlined assembly
        on Windows.

2018-01-18  Mark Lam  <mark.lam@apple.com>

        Poisons should be initialized after Options are initialized.
        https://bugs.webkit.org/show_bug.cgi?id=181807
        <rdar://problem/36629138>

        Reviewed by Keith Miller.

        This is because poison initialization may depend on options.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):

2018-01-18  Dan Bernstein  <mitz@apple.com>

        [Xcode] Streamline and future-proof target-macOS-version-dependent build setting definitions
        https://bugs.webkit.org/show_bug.cgi?id=181803

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig: Updated.
        * Configurations/DebugRelease.xcconfig: Ditto.
        * Configurations/FeatureDefines.xcconfig: Adopted macOSTargetConditionals helpers.
        * Configurations/Version.xcconfig: Updated.
        * Configurations/macOSTargetConditionals.xcconfig: Added. Defines helper build settings
          useful for defining settings that depend on the target macOS version.

2018-01-18  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r226068): [X86] Crash in JavaScriptCore ShadowChicken when handling exceptions
        https://bugs.webkit.org/show_bug.cgi?id=181802

        Reviewed by Filip Pizlo.

        There were a few places where the stack isn't properly aligned for X86 when we call into C++ code.
        Two places are where we call into exception handling code, the LLInt and from nativeForGenerator.
        The other place was when we call into the operationOSRWriteBarrier().

        Added an assert check that the stack is aligned on X86 platforms in the native call tracing code.
        This helped find the other cases beyond the original problem.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        * interpreter/FrameTracers.h:
        (JSC::assertStackPointerIsAligned):
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * llint/LowLevelInterpreter32_64.asm:

2018-01-18  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r227096.
        https://bugs.webkit.org/show_bug.cgi?id=181788

        "it caused a 15% octane regression" (Requested by saamyjoon on
        #webkit).

        Reverted changeset:

        "Support MultiGetByOffset in the DFG"
        https://bugs.webkit.org/show_bug.cgi?id=181466
        https://trac.webkit.org/changeset/227096

2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
        https://bugs.webkit.org/show_bug.cgi?id=181535

        Reviewed by Saam Barati.

        When executing code like `string.match(/regexp/)`, the `/regexp/` object is created every time we execute this code.
        However, the user rarely cares about this `/regexp/` object. Typically, it is soon discarded even if it has `lastIndex`
        information. So we should not create a RegExpObject for this typical case.

        This patch introduces PhantomNewRegexp. We convert NewRegexp node to PhantomNewRegexp in Object Allocation Sinking (OAS)
        phase. We should do this analysis in OAS phase since we track modifications to `lastIndex` in the OAS phase. Even if
        `lastIndex` is modified, it may not be read by users. So we have a chance to drop this NewRegexp because we carefully model
        SetRegExpObjectLastIndex and GetRegExpObjectLastIndex in OAS phase.

        This patch is a first attempt to drop NewRegexp. So we start optimizing it with the simple step: we first drop RegExps
        that are non-global and non-sticky. We can later extend this optimization to RegExps with the global flag. But this is not
        included in this patch.

        We convert RegExpExec to RegExpExecNonGlobalOrSticky if we find that the given RegExpObject's RegExp is not global/sticky
        flagged. Since we do not need to touch `lastIndex` property in this case, RegExpExecNonGlobalOrSticky just takes RegExp
        instead of RegExpObject. This offers the chance to make NewRegExp unused.

        We also convert RegExpMatchFast to RegExpExecNonGlobalOrSticky if its RegExpObject's RegExp is non-global and non-sticky,
        since they are the same behavior.

        The above optimization completely removes NewRegexp in SixSpeed's regexp-u.{es5,es6}. The resulting execution time is
        roughly the pure execution time of our Yarr implementation.

                                     baseline                  patched

            regex-u.es5          34.8557+-0.5963     ^      6.1507+-0.5526        ^ definitely 5.6670x faster
            regex-u.es6          89.1919+-3.3851     ^     32.0917+-0.4260        ^ definitely 2.7793x faster

        This patch does not change Octane/RegExp so much since it heavily uses String.prototype.replace, which is not handled in
        this patch right now. We should support StringReplace node in subsequent patches.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPhantomNewRegexp):
        (JSC::DFG::Node::convertToSetRegExpObjectLastIndex):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::isPhantomAllocation):
        (JSC::DFG::Node::hasIgnoreLastIndexIsWritable):
        (JSC::DFG::Node::ignoreLastIndexIsWritable):
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGPromotedHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h:
        (JSC::DFG::PromotedLocationDescriptor::neededForMaterialization const):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewRegexp):
        (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
        (JSC::DFG::SpeculativeJIT::compileRegExpExecNonGlobalOrSticky):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExecNonGlobalOrSticky):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationPopulateObjectInOSR):
        (JSC::FTL::operationMaterializeObjectInOSR):
        * jit/JITOperations.h:
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):

2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Remove unused helper functions to convert node to PutHint
        https://bugs.webkit.org/show_bug.cgi?id=181775

        Reviewed by Saam Barati.

        We are using PromotedHeapLocation::createHint. So they are not necessary.

        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToPutHint): Deleted.
        (JSC::DFG::Node::convertToPutStructureHint): Deleted.
        (JSC::DFG::Node::convertToPutByOffsetHint): Deleted.
        (JSC::DFG::Node::convertToPutClosureVarHint): Deleted.
        * dfg/DFGNode.h:

2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, suppress warnings on GCC

        Since `length` and `p` are always positive or zero,
        static_cast<unsigned>() does what we want.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::parseInt):

2018-01-17  Saam Barati  <sbarati@apple.com>

        Disable Atomics when SharedArrayBuffer isn’t enabled
        https://bugs.webkit.org/show_bug.cgi?id=181572
        <rdar://problem/36553206>

        Reviewed by Michael Saboff.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::createAtomicsProperty): Deleted.

2018-01-17  Saam Barati  <sbarati@apple.com>

        Support MultiGetByOffset in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=181466

        Reviewed by Keith Miller.

        This seems to benefit Speedometer in my local testing. It seems like this
        might be around a 0.5% improvement.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::supportsMultiGetByOffset):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2018-01-17  Saam Barati  <sbarati@apple.com>

        DFG::Node::convertToConstant needs to clear the varargs flags
        https://bugs.webkit.org/show_bug.cgi?id=181697
        <rdar://problem/36497332>

        Reviewed by Yusuke Suzuki.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToConstant):

2018-01-16  JF Bastien  <jfbastien@apple.com>

        Allow dangerous disabling of poison
        https://bugs.webkit.org/show_bug.cgi?id=181685
        <rdar://problem/36546265>

        Reviewed by Keith Miller.

        Some tools such as leak detectors and such like to look at real
        pointers, and poisoned ones confuse them. Add a JSC option to
        disable poisoning, but log to the console when this is done.

        * runtime/JSCPoison.cpp:
        (JSC::initializePoison):
        * runtime/Options.h:

2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r226937.

        Tests added with this change are failing due to a missing
        exception check.

        Reverted changeset:

        "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
        double to int32_t"
        https://bugs.webkit.org/show_bug.cgi?id=181182
        https://trac.webkit.org/changeset/226937

2018-01-16  Michael Catanzaro  <mcatanzaro@igalia.com>

        Test programs should only be built in developer mode
        https://bugs.webkit.org/show_bug.cgi?id=181653

        Reviewed by Carlos Garcia Campos.

        Build test programs only in developer mode, and fix code style.

        * shell/CMakeLists.txt:

2018-01-15  Michael Catanzaro  <mcatanzaro@igalia.com>

        Improve use of ExportMacros
        https://bugs.webkit.org/show_bug.cgi?id=181652

        Reviewed by Konstantin Tokarev.

        * API/JSBase.h: Update a comment.
        * inspector/InspectorBackendDispatcher.h: Use a better, yet equivalent, WTF macro.
        * runtime/JSExportMacros.h: Simplify the #defines in this file.

2018-01-15  JF Bastien  <jfbastien@apple.com>

        Remove makePoisonedUnique
        https://bugs.webkit.org/show_bug.cgi?id=181630
        <rdar://problem/36498623>

        Reviewed by Mark Lam.

        I added a conversion from std::unique_ptr, so we can just use
        std::make_unique and it'll auto-poison when converted.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::makePoisonedUnique): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::makePoisonedUnique): Deleted.

2018-01-15  Michael Catanzaro  <mcatanzaro@igalia.com>

        REGRESSION(r226266): [GTK] RELEASE_ASSERT(reservedZoneSize >= minimumReservedZoneSize) in JSC::VM::updateStackLimits
        https://bugs.webkit.org/show_bug.cgi?id=181438
        <rdar://problem/36376724>

        Reviewed by Carlos Garcia Campos.

        Roll out the functional changes of r226266. We'll keep the minor CMake library type setting
        cleanup, but we have to switch back to building JSC only as a shared library, and we have to
        get rid of the version script.

        * PlatformGTK.cmake:
        * javascriptcoregtk-symbols.map: Removed.

2018-01-14  Saam Barati  <sbarati@apple.com>

        Unreviewed. r226928 broke the CLOOP build. This patch fixes the CLOOP build.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC::CallLinkStatus::computeExitSiteData):

2018-01-13  Mark Lam  <mark.lam@apple.com>

        Replace all use of ConstExprPoisoned with Poisoned.
        https://bugs.webkit.org/show_bug.cgi?id=181542
        <rdar://problem/36442138>

        Reviewed by JF Bastien.

        1. All JSC poisons are now defined in JSCPoison.h.

        2. Change all clients to use the new poison values via the POISON() macro.

        3. The LLInt code has been updated to handle CodeBlock poison.  Some of this code
           uses the t5 temp register, which is not available on the Windows port.
           Fortunately, we don't currently do poisoning on the Windows port yet.  So,
           it will just work for now.

           When poisoning is enabled for the Windows port, this LLInt code will need a
           Windows specific implementation to workaround its lack of a t5 register.

        * API/JSAPIWrapperObject.h:
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.h:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::emptyValue):
        (JSC::MacroAssemblerCodePtr::deletedValue):
        * b3/B3LowerMacros.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testInterpreter):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::instructions):
        (JSC::CodeBlock::instructions const):
        (JSC::CodeBlock::makePoisonedUnique):
        * dfg/DFGOSRExitCompilerCommon.h:
        (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        * jit/JIT.h:
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/UnlinkedSourceCode.h:
        * runtime/ArrayPrototype.h:
        * runtime/CustomGetterSetter.h:
        * runtime/DateInstance.h:
        * runtime/InternalFunction.h:
        * runtime/JSArrayBuffer.h:
        * runtime/JSCPoison.cpp: Copied from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
        (JSC::initializePoison):
        * runtime/JSCPoison.h:
        (): Deleted.
        * runtime/JSCPoisonedPtr.cpp: Removed.
        * runtime/JSCPoisonedPtr.h: Removed.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::makePoisonedUnique):
        * runtime/JSScriptFetchParameters.h:
        * runtime/JSScriptFetcher.h:
        * runtime/NativeExecutable.h:
        * runtime/StructureTransitionTable.h:
        (JSC::StructureTransitionTable::map const):
        (JSC::StructureTransitionTable::weakImpl const):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrier::poison):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/JSWebAssemblyTable.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJS):
        * wasm/js/WebAssemblyFunctionBase.h:
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyToJSCallee.h:
        * wasm/js/WebAssemblyWrapperFunction.h:

2018-01-13  Caio Lima  <ticaiolima@gmail.com>

        [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
        https://bugs.webkit.org/show_bug.cgi?id=181182

        Reviewed by Darin Adler.

        Casting double to integer is undefined behavior when the truncation
        results in a value that doesn't fit into the integer size, according to the C++
        spec [1]. Thus, we are changing bigIntProtoFuncToString and
        numberProtoFuncToString to remove these sources of undefined behavior.

        [1] - http://en.cppreference.com/w/cpp/language/implicit_conversion

        * runtime/BigIntPrototype.cpp:
        (JSC::bigIntProtoFuncToString):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToString):
        (JSC::extractRadixFromArgs): Deleted.
        (JSC::extractToStringRadixArgument): Added.
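
The undefined-behaviour hazard described in this entry (and in its 2018-01-20 re-landing above), shown as an added example that is not JSC's code: a checked double-to-int32 conversion that tests the range before casting, plus a hypothetical extractRadix() that applies the [2, 36] radix contract ECMAScript specifies for Number.prototype.toString. Both function names are assumptions made for this example.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>

// Added example, not JSC's code. A bare `static_cast<int32_t>(d)` is undefined
// behaviour in C++ when the truncated value of `d` is not representable in
// int32_t (NaN, +/-infinity, or anything beyond [-2^31, 2^31 - 1]). The fix is
// to test the range in double precision *before* the conversion ever happens.

// Truncates toward zero (as ECMAScript ToInteger does for finite values) and
// converts to int32_t only when the result is representable; otherwise nullopt.
std::optional<int32_t> toInt32Checked(double d)
{
    if (std::isnan(d))
        return std::nullopt;                    // NaN fails every comparison; reject it explicitly
    const double truncated = std::trunc(d);     // infinities survive trunc() and fail the range test
    const double lo = static_cast<double>(std::numeric_limits<int32_t>::min()); // -2147483648.0
    const double hi = static_cast<double>(std::numeric_limits<int32_t>::max()); //  2147483647.0
    if (truncated < lo || truncated > hi)
        return std::nullopt;
    return static_cast<int32_t>(truncated);     // well-defined: value is known to be in range
}

// Hypothetical helper mirroring the contract of Number.prototype.toString(radix):
// ECMAScript requires the truncated radix to lie in [2, 36], otherwise RangeError.
// Returns nullopt for every argument that should raise RangeError.
std::optional<int32_t> extractRadix(double radixArgument)
{
    std::optional<int32_t> radix = toInt32Checked(radixArgument);
    if (!radix || *radix < 2 || *radix > 36)
        return std::nullopt;
    return radix;
}

int main()
{
    // Constructed sample inputs; the last three are exactly the values for which an
    // unchecked static_cast<int32_t> would be undefined behaviour.
    const double samples[] = { 16.0, 36.9, 1.0, 37.0, 1e10,
                               std::numeric_limits<double>::quiet_NaN(),
                               std::numeric_limits<double>::infinity() };
    for (double d : samples) {
        std::optional<int32_t> radix = extractRadix(d);
        if (radix)
            std::printf("%g -> radix %d\n", d, *radix);
        else
            std::printf("%g -> RangeError\n", d);
    }
    return 0;
}
```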

2018-01-12  Saam Barati  <sbarati@apple.com>

        Move ExitProfile to UnlinkedCodeBlock so it can be shared amongst CodeBlocks backed by the same UnlinkedCodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=181545

        Reviewed by Michael Saboff.

        This patch follows the theme of putting optimization profiling information on
        UnlinkedCodeBlock. This allows the unlinked code cache to remember OSR exit data.
        This often leads to the first compile of a CodeBlock, backed by an UnlinkedCodeBlock
        pulled from the code cache, making better compilation decisions, usually
        resulting in fewer exits, and fewer recompilations.
        
        This is a 1% Speedometer progression in my testing.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<CodeBlock>::dumpProfilesForBytecodeOffset):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeExitSiteData):
        (JSC::CallLinkStatus::computeDFGStatuses):
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite): Deleted.
        (JSC::CodeBlock::hasExitSite const): Deleted.
        (JSC::CodeBlock::exitProfile): Deleted.
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::ExitProfile::add):
        (JSC::DFG::QueryableExitProfile::initialize):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::ExitProfile::hasExitSite const):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::hasExitSite):
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::hasExitSite):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/PutByIdStatus.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::hasExitSite const):
        (JSC::UnlinkedCodeBlock::hasExitSite):
        (JSC::UnlinkedCodeBlock::exitProfile):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasGlobalExitSite):
        (JSC::DFG::Graph::hasExitSite):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):

2018-01-12  JF Bastien  <jfbastien@apple.com>

        PoisonedWriteBarrier
        https://bugs.webkit.org/show_bug.cgi?id=181599
        <rdar://problem/36474351>

        Reviewed by Mark Lam.

        Allow poisoning of WriteBarrier objects, and use this for
        WebAssembly because it is perf-neutral, at least on WasmBench on
        my MBP. If it indeed is perf-neutral according to the bots, start
        using it in more performance-sensitive places.

        * heap/HandleTypes.h:
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::append):
        (JSC::SlotVisitor::appendHidden):
        * runtime/JSCJSValue.h:
        * runtime/JSCPoison.h:
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::setPrototypeWithoutTransition):
        (JSC::Structure::setGlobalObject):
        (JSC::Structure::setPreviousID):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::copyFrom):
        (JSC::WriteBarrierBase::get const):
        (JSC::WriteBarrierBase::operator* const):
        (JSC::WriteBarrierBase::operator-> const):
        (JSC::WriteBarrierBase::clear):
        (JSC::WriteBarrierBase::slot):
        (JSC::WriteBarrierBase::operator bool const):
        (JSC::WriteBarrierBase::setWithoutWriteBarrier):
        (JSC::WriteBarrierBase::unvalidatedGet const):
        (JSC::operator==):
        * runtime/WriteBarrierInlines.h:
        (JSC::Traits>::set):
        (JSC::Traits>::setMayBeNull):
        (JSC::Traits>::setEarlyValue):
        (JSC::DumbValueTraits<Unknown>>::set):
        * wasm/WasmInstance.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
        (JSC::JSWebAssemblyInstance::finishCreation):
        (JSC::JSWebAssemblyInstance::visitChildren):
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee):
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
        (JSC::JSWebAssemblyTable::grow):
        (JSC::JSWebAssemblyTable::clearFunction):
        * wasm/js/JSWebAssemblyTable.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::materializeImportJSCell):
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJS):
        * wasm/js/WebAssemblyFunctionBase.h:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyToJSCallee.h:
        * wasm/js/WebAssemblyWrapperFunction.h:
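
        The following is an added example of pointer poisoning as a general technique; it is
        not JavaScriptCore's Poisoned<> or PoisonedWriteBarrier implementation (runtime/JSCPoison.h
        is the real one), and the class name PoisonedPtr and the constant kHypotheticalPoisonKey
        are illustrative. It shows what the entry above is enabling for WebAssembly objects: the
        stored pointer bits are XORed with a key, so a value obtained by a stray read of the slot
        is not a usable pointer.

```cpp
#include <cstdint>
#include <cstdio>

// Added example of pointer poisoning as a general technique. Not JSC's
// Poisoned<>/PoisonedWriteBarrier implementation; it only shows what poisoning
// a stored pointer buys.
//
// A poisoned slot stores (ptr ^ key) instead of ptr. The key here is a fixed
// placeholder (hypothetical); a real implementation derives it from a secure
// random source at process start and keeps it out of attacker-readable memory.
// Its top bit is set, so on a 64-bit platform the raw bits lie outside the
// canonical user-space range: a value obtained through an out-of-bounds or
// type-confused read faults if dereferenced and cannot be replanted as a
// pointer without knowing the key.
static_assert(sizeof(uintptr_t) == 8, "example assumes a 64-bit address space");
static const uintptr_t kHypotheticalPoisonKey = 0xA5C3E1F70D9B4261ULL;

template<typename T>
class PoisonedPtr {
public:
    PoisonedPtr() : m_bits(0) { }
    explicit PoisonedPtr(T* p) { set(p); }

    // Null is stored as 0 rather than (0 ^ key) so a zeroed slot reads as null.
    void set(T* p)
    {
        m_bits = p ? reinterpret_cast<uintptr_t>(p) ^ kHypotheticalPoisonKey : 0;
    }

    // Every legitimate access unpoisons through the accessor; in the entry
    // above this is the role of the changed WriteBarrierBase::get().
    T* get() const
    {
        return m_bits ? reinterpret_cast<T*>(m_bits ^ kHypotheticalPoisonKey) : nullptr;
    }

    // What a memory-disclosure primitive sees when it reads the slot directly.
    uintptr_t rawBits() const { return m_bits; }

private:
    uintptr_t m_bits;
};

// Legitimate readers get the original pointer back unchanged.
bool poisonRoundTrips(int* p)
{
    PoisonedPtr<int> slot(p);
    return slot.get() == p;
}

// A leaked raw slot value is not the pointer and has its top bit set, i.e. it
// is outside the canonical user-space range and useless as-is to an attacker.
bool leakedBitsAreUnusable(int* p)
{
    PoisonedPtr<int> slot(p);
    uintptr_t leaked = slot.rawBits();
    const uintptr_t topBit = uintptr_t(1) << 63;
    return leaked != reinterpret_cast<uintptr_t>(p) && (leaked & topBit) != 0;
}

int main()
{
    int value = 42;   // constructed target object
    PoisonedPtr<int> slot(&value);
    std::printf("real pointer: %p\n", static_cast<void*>(&value));
    std::printf("stored bits:  0x%016llx\n", static_cast<unsigned long long>(slot.rawBits()));
    std::printf("through get(): %d\n", *slot.get());
    return 0;
}
```

        The protection is only as good as the key's secrecy and the discipline of never
        exposing the raw bits through an accessor, which is why the entry threads the poison
        through every WriteBarrierBase accessor rather than just the setter.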

2018-01-12  Saam Barati  <sbarati@apple.com>

        CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
        https://bugs.webkit.org/show_bug.cgi?id=181177
        <rdar://problem/36205704>

        Reviewed by Yusuke Suzuki.

        The semantics of CheckStructure are such that it does not allow the empty value to flow through it.
        However, we may eliminate a CheckStructure if it's preceded by a CheckStructureOrEmpty. This doesn't
        have semantic consequences when validation is turned off. However, with validation on, this trips up
        our OSR exit machinery that says when an exit is allowed to happen.
        
        Consider the following IR:
        
        a: GetClosureVar // Or any other node that produces BytecodeTop
        ...
        c: CheckStructure(Cell:@a, {s2})
        d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
        
        In the TypeCheckHoistingPhase, we may insert CheckStructureOrEmptys like this:
        a: GetClosureVar
        e: CheckStructureOrEmpty(@a, {s1})
        ...
        f: CheckStructureOrEmpty(@a, {s2})
        c: CheckStructure(Cell:@a, {s2})
        d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
        
        This will cause constant folding to change the IR to:
        a: GetClosureVar
        e: CheckStructureOrEmpty(@a, {s1})
        ...
        f: CheckStructureOrEmpty(@a, {s2})
        d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
        
        Our mayExit analysis determines that the PutByOffset should not exit. Note
        that AI will determine the only value the PutByOffset can see in @a is 
        the empty value. Because KnownCell filters SpecCell and not SpecCellCheck,
        when lowering the PutByOffset, we reach a contradiction in AI and emit
        an OSR exit. However, because mayExit said we couldn't exit, we assert.
        
        Note that if we did not run the TypeCheckHoistingPhase on this IR, AI
        would have determined we would OSR exit at the second CheckStructure.
        
        This patch makes it so constant folding produces the following IR:
        a: GetClosureVar
        e: CheckStructureOrEmpty(@a, {s1})
        g: AssertNotEmpty(@a)
        ...
        f: CheckStructureOrEmpty(@a, {s2})
        h: AssertNotEmpty(@a)
        d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
        
        This modification will cause AI to know we will OSR exit before even reaching
        the PutByOffset. Note that in the original IR, the GetClosureVar won't
        actually produce the TDZ value. If it did, bytecode would have caused us
        to emit a CheckNotEmpty before the CheckStructure/PutByOffset combo. That's
        why this bug is about IR bookkeeping and not an actual error in IR analysis.
        This patch introduces AssertNotEmpty instead of using CheckNotEmpty to be
        more congruous with CheckStructure's semantics of crashing on the empty value
        as input (on 64 bit platforms).

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):

2018-01-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unnecessary raw pointer in InspectorConsoleAgent
        https://bugs.webkit.org/show_bug.cgi?id=181579
        <rdar://problem/36193759>

        Reviewed by Brian Burg.

        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::clearMessages):
        (Inspector::InspectorConsoleAgent::addConsoleMessage):
        Switch from a raw pointer to m_consoleMessages.last().
        Also move the expiration check into the if block since it can only
        happen inside here when the number of console messages changes.

        (Inspector::InspectorConsoleAgent::discardValues):
        Also clear the expired message count when messages are cleared.

2018-01-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Create parallel SlotVisitors a priori
        https://bugs.webkit.org/show_bug.cgi?id=180907

        Reviewed by Saam Barati.

        The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
        If we create these SlotVisitors a priori, we do not need to create SlotVisitors dynamically.
        Then we do not need to grab locks while iterating over all the SlotVisitors.

        In addition, we do not need to consider the case that the number of SlotVisitors increases
        after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
        does not increase any more.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::runBeginPhase):
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::forEachSlotVisitor):
        (JSC::Heap::numberOfSlotVisitors): Deleted.
        * heap/MarkingConstraintSolver.cpp:
        (JSC::MarkingConstraintSolver::didVisitSomething const):

2018-01-12  Saam Barati  <sbarati@apple.com>

        Each variant of a polymorphic inlined call should be exitOK at the top of the block
        https://bugs.webkit.org/show_bug.cgi?id=181562
        <rdar://problem/36445624>

        Reviewed by Yusuke Suzuki.

        Before this patch, the very first block in the switch for polymorphic call
        inlining will have exitOK at the top. The others are not guaranteed to.
        That was just a bug. They're all exitOK at the top. This will lead to crashes
        in FixupPhase because we won't have a node in a block that has ExitOK, so
        when we fixup various type checks, we assert out.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):

2018-01-11  Keith Miller  <keith_miller@apple.com>

        Rename ENABLE_ASYNC_ITERATION to ENABLE_JS_ASYNC_ITERATION
        https://bugs.webkit.org/show_bug.cgi?id=181573

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/Options.h:

2018-01-11  Michael Saboff  <msaboff@apple.com>

        REGRESSION(226788): AppStore Crashed @ JavaScriptCore: JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters
        https://bugs.webkit.org/show_bug.cgi?id=181570

        Reviewed by Keith Miller.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        Reverting these functions to use dataTempRegister and memoryTempRegister as they are
        JIT release asserts that will crash the program.

        (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
        Changed this so that it invalidates any cached dataTmpRegister contents if temp register
        caching is enabled.

2018-01-11  Filip Pizlo  <fpizlo@apple.com>

        Rename MarkedAllocator to BlockDirectory and AllocatorAttributes to CellAttributes
        https://bugs.webkit.org/show_bug.cgi?id=181543

        Rubber stamped by Michael Saboff.
        
        In a world that has thread-local caches, the thing we now call the "MarkedAllocator" doesn't
        really have anything to do with allocation anymore. The allocation will be done by something
        in the TLC. When you move the allocation logic out of MarkedAllocator, it becomes just a
        place to find blocks (a "block directory").

        Once we do that renaming, the term "allocator attributes" becomes weird. Those are really the
        attributes of the HeapCellType. So let's call them CellAttributes.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ObjectAllocationProfile.h:
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileNewObject):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        * heap/AlignedMemoryAllocator.cpp:
        (JSC::AlignedMemoryAllocator::registerDirectory):
        (JSC::AlignedMemoryAllocator::registerAllocator): Deleted.
        * heap/AlignedMemoryAllocator.h:
        (JSC::AlignedMemoryAllocator::firstDirectory const):
        (JSC::AlignedMemoryAllocator::firstAllocator const): Deleted.
        * heap/AllocatorAttributes.cpp: Removed.
        * heap/AllocatorAttributes.h: Removed.
        * heap/BlockDirectory.cpp: Copied from Source/JavaScriptCore/heap/MarkedAllocator.cpp.
        (JSC::BlockDirectory::BlockDirectory):
        (JSC::BlockDirectory::setSubspace):
        (JSC::BlockDirectory::isPagedOut):
        (JSC::BlockDirectory::findEmptyBlockToSteal):
        (JSC::BlockDirectory::didConsumeFreeList):
        (JSC::BlockDirectory::tryAllocateWithoutCollecting):
        (JSC::BlockDirectory::allocateIn):
        (JSC::BlockDirectory::tryAllocateIn):
        (JSC::BlockDirectory::doTestCollectionsIfNeeded):
        (JSC::BlockDirectory::allocateSlowCase):
        (JSC::BlockDirectory::blockSizeForBytes):
        (JSC::BlockDirectory::tryAllocateBlock):
        (JSC::BlockDirectory::addBlock):
        (JSC::BlockDirectory::removeBlock):
        (JSC::BlockDirectory::stopAllocating):
        (JSC::BlockDirectory::prepareForAllocation):
        (JSC::BlockDirectory::lastChanceToFinalize):
        (JSC::BlockDirectory::resumeAllocating):
        (JSC::BlockDirectory::beginMarkingForFullCollection):
        (JSC::BlockDirectory::endMarking):
        (JSC::BlockDirectory::snapshotUnsweptForEdenCollection):
        (JSC::BlockDirectory::snapshotUnsweptForFullCollection):
        (JSC::BlockDirectory::findBlockToSweep):
        (JSC::BlockDirectory::sweep):
        (JSC::BlockDirectory::shrink):
        (JSC::BlockDirectory::assertNoUnswept):
        (JSC::BlockDirectory::parallelNotEmptyBlockSource):
        (JSC::BlockDirectory::dump const):
        (JSC::BlockDirectory::dumpBits):
        (JSC::BlockDirectory::markedSpace const):
        (JSC::MarkedAllocator::MarkedAllocator): Deleted.
        (JSC::MarkedAllocator::setSubspace): Deleted.
        (JSC::MarkedAllocator::isPagedOut): Deleted.
        (JSC::MarkedAllocator::findEmptyBlockToSteal): Deleted.
        (JSC::MarkedAllocator::didConsumeFreeList): Deleted.
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
        (JSC::MarkedAllocator::allocateIn): Deleted.
        (JSC::MarkedAllocator::tryAllocateIn): Deleted.
        (JSC::MarkedAllocator::doTestCollectionsIfNeeded): Deleted.
        (JSC::MarkedAllocator::allocateSlowCase): Deleted.
        (JSC::MarkedAllocator::blockSizeForBytes): Deleted.
        (JSC::MarkedAllocator::tryAllocateBlock): Deleted.
        (JSC::MarkedAllocator::addBlock): Deleted.
        (JSC::MarkedAllocator::removeBlock): Deleted.
        (JSC::MarkedAllocator::stopAllocating): Deleted.
        (JSC::MarkedAllocator::prepareForAllocation): Deleted.
        (JSC::MarkedAllocator::lastChanceToFinalize): Deleted.
        (JSC::MarkedAllocator::resumeAllocating): Deleted.
        (JSC::MarkedAllocator::beginMarkingForFullCollection): Deleted.
        (JSC::MarkedAllocator::endMarking): Deleted.
        (JSC::MarkedAllocator::snapshotUnsweptForEdenCollection): Deleted.
        (JSC::MarkedAllocator::snapshotUnsweptForFullCollection): Deleted.
        (JSC::MarkedAllocator::findBlockToSweep): Deleted.
        (JSC::MarkedAllocator::sweep): Deleted.
        (JSC::MarkedAllocator::shrink): Deleted.
        (JSC::MarkedAllocator::assertNoUnswept): Deleted.
        (JSC::MarkedAllocator::parallelNotEmptyBlockSource): Deleted.
        (JSC::MarkedAllocator::dump const): Deleted.
        (JSC::MarkedAllocator::dumpBits): Deleted.
        (JSC::MarkedAllocator::markedSpace const): Deleted.
        * heap/BlockDirectory.h: Copied from Source/JavaScriptCore/heap/MarkedAllocator.h.
        (JSC::BlockDirectory::attributes const):
        (JSC::BlockDirectory::forEachBitVector):
        (JSC::BlockDirectory::forEachBitVectorWithName):
        (JSC::BlockDirectory::nextDirectory const):
        (JSC::BlockDirectory::nextDirectoryInSubspace const):
        (JSC::BlockDirectory::nextDirectoryInAlignedMemoryAllocator const):
        (JSC::BlockDirectory::setNextDirectory):
        (JSC::BlockDirectory::setNextDirectoryInSubspace):
        (JSC::BlockDirectory::setNextDirectoryInAlignedMemoryAllocator):
        (JSC::BlockDirectory::offsetOfFreeList):
        (JSC::BlockDirectory::offsetOfCellSize):
        (JSC::MarkedAllocator::cellSize const): Deleted.
        (JSC::MarkedAllocator::attributes const): Deleted.
        (JSC::MarkedAllocator::needsDestruction const): Deleted.
        (JSC::MarkedAllocator::destruction const): Deleted.
        (JSC::MarkedAllocator::cellKind const): Deleted.
        (JSC::MarkedAllocator::heap): Deleted.
        (JSC::MarkedAllocator::bitvectorLock): Deleted.
        (JSC::MarkedAllocator::forEachBitVector): Deleted.
        (JSC::MarkedAllocator::forEachBitVectorWithName): Deleted.
        (JSC::MarkedAllocator::nextAllocator const): Deleted.
        (JSC::MarkedAllocator::nextAllocatorInSubspace const): Deleted.
        (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const): Deleted.
        (JSC::MarkedAllocator::setNextAllocator): Deleted.
        (JSC::MarkedAllocator::setNextAllocatorInSubspace): Deleted.
        (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator): Deleted.
        (JSC::MarkedAllocator::subspace const): Deleted.
        (JSC::MarkedAllocator::freeList const): Deleted.
        (JSC::MarkedAllocator::offsetOfFreeList): Deleted.
        (JSC::MarkedAllocator::offsetOfCellSize): Deleted.
        * heap/BlockDirectoryInlines.h: Copied from Source/JavaScriptCore/heap/MarkedAllocatorInlines.h.
        (JSC::BlockDirectory::isFreeListedCell const):
        (JSC::BlockDirectory::allocate):
        (JSC::BlockDirectory::forEachBlock):
        (JSC::BlockDirectory::forEachNotEmptyBlock):
        (JSC::MarkedAllocator::isFreeListedCell const): Deleted.
        (JSC::MarkedAllocator::allocate): Deleted.
        (JSC::MarkedAllocator::forEachBlock): Deleted.
        (JSC::MarkedAllocator::forEachNotEmptyBlock): Deleted.
        * heap/CellAttributes.cpp: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.cpp.
        (JSC::CellAttributes::dump const):
        (JSC::AllocatorAttributes::dump const): Deleted.
        * heap/CellAttributes.h: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.h.
        (JSC::CellAttributes::CellAttributes):
        (JSC::AllocatorAttributes::AllocatorAttributes): Deleted.
        * heap/CompleteSubspace.cpp:
        (JSC::CompleteSubspace::allocatorFor):
        (JSC::CompleteSubspace::allocateNonVirtual):
        (JSC::CompleteSubspace::allocatorForSlow):
        (JSC::CompleteSubspace::tryAllocateSlow):
        * heap/CompleteSubspace.h:
        (JSC::CompleteSubspace::allocatorForSizeStep):
        (JSC::CompleteSubspace::allocatorForNonVirtual):
        * heap/GCDeferralContext.h:
        * heap/Heap.cpp:
        (JSC::Heap::updateAllocationLimits):
        * heap/Heap.h:
        * heap/HeapCell.h:
        * heap/HeapCellInlines.h:
        (JSC::HeapCell::cellAttributes const):
        (JSC::HeapCell::destructionMode const):
        (JSC::HeapCell::cellKind const):
        (JSC::HeapCell::allocatorAttributes const): Deleted.
        * heap/HeapCellType.cpp:
        (JSC::HeapCellType::HeapCellType):
        * heap/HeapCellType.h:
        (JSC::HeapCellType::attributes const):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::IncrementalSweeper):
        (JSC::IncrementalSweeper::sweepNextBlock):
        (JSC::IncrementalSweeper::startSweeping):
        (JSC::IncrementalSweeper::stopSweeping):
        * heap/IncrementalSweeper.h:
        * heap/IsoCellSet.cpp:
        (JSC::IsoCellSet::IsoCellSet):
        (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
        (JSC::IsoCellSet::addSlow):
        (JSC::IsoCellSet::didRemoveBlock):
        (JSC::IsoCellSet::sweepToFreeList):
        * heap/IsoCellSetInlines.h:
        (JSC::IsoCellSet::forEachMarkedCell):
        (JSC::IsoCellSet::forEachLiveCell):
        * heap/IsoSubspace.cpp:
        (JSC::IsoSubspace::IsoSubspace):
        (JSC::IsoSubspace::allocatorFor):
        (JSC::IsoSubspace::allocateNonVirtual):
        * heap/IsoSubspace.h:
        (JSC::IsoSubspace::allocatorForNonVirtual):
        * heap/LargeAllocation.h:
        (JSC::LargeAllocation::attributes const):
        * heap/MarkedAllocator.cpp: Removed.
        * heap/MarkedAllocator.h: Removed.
        * heap/MarkedAllocatorInlines.h: Removed.
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::~Handle):
        (JSC::MarkedBlock::Handle::setIsFreeListed):
        (JSC::MarkedBlock::Handle::stopAllocating):
        (JSC::MarkedBlock::Handle::lastChanceToFinalize):
        (JSC::MarkedBlock::Handle::resumeAllocating):
        (JSC::MarkedBlock::aboutToMarkSlow):
        (JSC::MarkedBlock::Handle::didConsumeFreeList):
        (JSC::MarkedBlock::noteMarkedSlow):
        (JSC::MarkedBlock::Handle::removeFromDirectory):
        (JSC::MarkedBlock::Handle::didAddToDirectory):
        (JSC::MarkedBlock::Handle::didRemoveFromDirectory):
        (JSC::MarkedBlock::Handle::dumpState):
        (JSC::MarkedBlock::Handle::subspace const):
        (JSC::MarkedBlock::Handle::sweep):
        (JSC::MarkedBlock::Handle::isFreeListedCell const):
        (JSC::MarkedBlock::Handle::removeFromAllocator): Deleted.
        (JSC::MarkedBlock::Handle::didAddToAllocator): Deleted.
        (JSC::MarkedBlock::Handle::didRemoveFromAllocator): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::directory const):
        (JSC::MarkedBlock::Handle::attributes const):
        (JSC::MarkedBlock::attributes const):
        (JSC::MarkedBlock::Handle::allocator const): Deleted.
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::isAllocated):
        (JSC::MarkedBlock::Handle::isLive):
        (JSC::MarkedBlock::Handle::specializedSweep):
        (JSC::MarkedBlock::Handle::isEmpty):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::lastChanceToFinalize):
        (JSC::MarkedSpace::sweep):
        (JSC::MarkedSpace::stopAllocating):
        (JSC::MarkedSpace::resumeAllocating):
        (JSC::MarkedSpace::isPagedOut):
        (JSC::MarkedSpace::freeBlock):
        (JSC::MarkedSpace::shrink):
        (JSC::MarkedSpace::beginMarking):
        (JSC::MarkedSpace::endMarking):
        (JSC::MarkedSpace::snapshotUnswept):
        (JSC::MarkedSpace::assertNoUnswept):
        (JSC::MarkedSpace::dumpBits):
        (JSC::MarkedSpace::addBlockDirectory):
        (JSC::MarkedSpace::addMarkedAllocator): Deleted.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::firstDirectory const):
        (JSC::MarkedSpace::directoryLock):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::forEachDirectory):
        (JSC::MarkedSpace::firstAllocator const): Deleted.
        (JSC::MarkedSpace::allocatorLock): Deleted.
        (JSC::MarkedSpace::forEachAllocator): Deleted.
        * heap/MarkedSpaceInlines.h:
        * heap/Subspace.cpp:
        (JSC::Subspace::initialize):
        (JSC::Subspace::prepareForAllocation):
        (JSC::Subspace::findEmptyBlockToSteal):
        (JSC::Subspace::parallelDirectorySource):
        (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
        (JSC::Subspace::sweep):
        (JSC::Subspace::parallelAllocatorSource): Deleted.
        * heap/Subspace.h:
        (JSC::Subspace::attributes const):
        (JSC::Subspace::didCreateFirstDirectory):
        (JSC::Subspace::didCreateFirstAllocator): Deleted.
        * heap/SubspaceInlines.h:
        (JSC::Subspace::forEachDirectory):
        (JSC::Subspace::forEachMarkedBlock):
        (JSC::Subspace::forEachNotEmptyMarkedBlock):
        (JSC::Subspace::forEachAllocator): Deleted.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
        (JSC::AssemblyHelpers::emitAllocate):
        (JSC::AssemblyHelpers::emitAllocateJSCell):
        (JSC::AssemblyHelpers::emitAllocateJSObject):
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        * runtime/JSDestructibleObjectHeapCellType.cpp:
        (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
        * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
        (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
        * runtime/JSStringHeapCellType.cpp:
        (JSC::JSStringHeapCellType::JSStringHeapCellType):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
        (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):

2018-01-11  Saam Barati  <sbarati@apple.com>

        When inserting Unreachable in byte code parser we need to flush all the right things
        https://bugs.webkit.org/show_bug.cgi?id=181509
        <rdar://problem/36423110>

        Reviewed by Mark Lam.

        I added code in r226655 that had its own mechanism for preserving liveness when
        inserting Unreachable nodes after ForceOSRExit. There are two ways to preserve
        liveness: PhantomLocal and Flush. Certain values *must* be flushed to the stack.
        I got some of these values wrong, which was leading to a crash when recovering the
        callee value from an inlined frame. Instead of making the same mistake and repeating
        similar code again, this patch refactors this logic to be shared with the other
        liveness preservation code in the DFG bytecode parser. This is what I should have
        done in my initial patch.

        * bytecode/InlineCallFrame.h:
        (JSC::remapOperand):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::flushImpl):
        (JSC::DFG::flushForTerminalImpl):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::flushForTerminal):
        (JSC::DFG::ByteCodeParser::parse):

2018-01-11  Saam Barati  <sbarati@apple.com>

        JITMathIC code in the FTL is wrong when code gets duplicated
        https://bugs.webkit.org/show_bug.cgi?id=181525
        <rdar://problem/36351993>

        Reviewed by Michael Saboff and Keith Miller.

        B3/Air may duplicate code for various reasons. Patchpoint generators inside
        FTLLower must be aware that they can be called multiple times because of this.
        The patchpoint for math ICs was not aware of this, and shared state amongst
        all invocations of the patchpoint's generator. This patch fixes this bug so
        that each invocation of the patchpoint's generator gets a unique math IC.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addMathIC):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
        (JSC::FTL::DFG::LowerDFGToB3::compileMathIC): Deleted.
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):

2018-01-11  Michael Saboff  <msaboff@apple.com>

        Ensure there are no unsafe uses of MacroAssemblerARM64::dataTempRegister
        https://bugs.webkit.org/show_bug.cgi?id=181512

        Reviewed by Saam Barati.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
        All current uses of dataTempRegister in these functions are safe, but it makes sense to
        fix them in case they might be used elsewhere.

2018-01-04  Filip Pizlo  <fpizlo@apple.com>

        CodeBlocks should be in IsoSubspaces
        https://bugs.webkit.org/show_bug.cgi?id=180884

        Reviewed by Saam Barati.
        
        This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
        special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
        WeakReferenceHarvester or UnconditionalFinalizer. Instead:
        
        - Code block sweeping is now just eager sweeping. This means that it automatically takes
          advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
          its eden set for.
        
        - The idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
          marking an ExecutableToCodeBlockEdge object. That object being marked corresponds to what
          we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
          longer has to clear the set of weakly visited code blocks. This also means that
          determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
          CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
          has IsoCellSets to tell us which edges have output constraints (what we used to call
          CodeBlock's weak reference harvester) and which have unconditional finalizers.
        
        - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
        
        - CodeBlockSet still exists!  It has one unified HashSet of CodeBlocks that we use to
          handle requests from the sampler, debugger, and other facilities. They may want to ask
          if some pointer corresponds to a CodeBlock during stages of execution during which the
          GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
          There is no way that the GC's isLive could tell us whether a CodeBlock that had already
          been allocated has now been fully constructed.
        
        Rolling this back in because it was rolled out by mistake. There was a flaky crash that was
        happening before and after this change, but we misread the revision numbers at first and
        thought that this was the cause.
        
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::finishCreationCommon):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::visitChildren):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::determineLiveness):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
        (JSC::CodeBlock::installVMTrapBreakpoints):
        (JSC::CodeBlock::dumpMathICStats):
        (JSC::CodeBlock::visitWeakly): Deleted.
        (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
        (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::subspaceFor):
        (JSC::CodeBlock::ownerEdge const):
        (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
        * bytecode/EvalCodeBlock.h:
        (JSC::EvalCodeBlock::create): Deleted.
        (JSC::EvalCodeBlock::createStructure): Deleted.
        (JSC::EvalCodeBlock::variable): Deleted.
        (JSC::EvalCodeBlock::numVariables): Deleted.
        (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
        (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
        (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
        (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
        * bytecode/ExecutableToCodeBlockEdge.cpp: Added.
        (JSC::ExecutableToCodeBlockEdge::createStructure):
        (JSC::ExecutableToCodeBlockEdge::create):
        (JSC::ExecutableToCodeBlockEdge::visitChildren):
        (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
        (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
        (JSC::ExecutableToCodeBlockEdge::activate):
        (JSC::ExecutableToCodeBlockEdge::deactivate):
        (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
        (JSC::ExecutableToCodeBlockEdge::wrap):
        (JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
        (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
        (JSC::ExecutableToCodeBlockEdge::runConstraint):
        * bytecode/ExecutableToCodeBlockEdge.h: Added.
        (JSC::ExecutableToCodeBlockEdge::subspaceFor):
        (JSC::ExecutableToCodeBlockEdge::codeBlock const):
        (JSC::ExecutableToCodeBlockEdge::unwrap):
        * bytecode/FunctionCodeBlock.h:
        (JSC::FunctionCodeBlock::subspaceFor):
        (JSC::FunctionCodeBlock::createStructure):
        * bytecode/ModuleProgramCodeBlock.h:
        (JSC::ModuleProgramCodeBlock::create): Deleted.
        (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
        (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
        * bytecode/ProgramCodeBlock.h:
        (JSC::ProgramCodeBlock::create): Deleted.
        (JSC::ProgramCodeBlock::createStructure): Deleted.
        (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
        * debugger/Debugger.cpp:
        (JSC::Debugger::SetSteppingModeFunctor::operator() const):
        (JSC::Debugger::ToggleBreakpointFunctor::operator() const):
        (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
        (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::contains):
        (JSC::CodeBlockSet::dump const):
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::remove):
        (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
        (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
        (JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
        * heap/CodeBlockSet.h:
        * heap/CodeBlockSetInlines.h:
        (JSC::CodeBlockSet::iterate):
        (JSC::CodeBlockSet::iterateViaSubspaces):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::DummyMarkHook::markKnownJSCell):
        (JSC::CompositeMarkHook::mark):
        (JSC::CompositeMarkHook::markKnownJSCell):
        * heap/ConservativeRoots.h:
        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::beginMarking):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        (JSC::Heap::sweepInFinalize):
        (JSC::Heap::forEachCodeBlockImpl):
        (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
        (JSC::Heap::addCoreConstraints):
        (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
        * heap/Heap.h:
        * heap/HeapCell.h:
        * heap/HeapCellInlines.h:
        (JSC::HeapCell::subspace const):
        * heap/HeapInlines.h:
        (JSC::Heap::forEachCodeBlock):
        (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
        * heap/HeapUtil.h:
        (JSC::HeapUtil::findGCObjectPointersForMarking):
        * heap/IsoCellSet.cpp:
        (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
        * heap/IsoCellSet.h:
        * heap/IsoCellSetInlines.h:
        (JSC::IsoCellSet::forEachMarkedCellInParallel):
        (JSC::IsoCellSet::forEachLiveCell):
        * heap/LargeAllocation.h:
        (JSC::LargeAllocation::subspace const):
        * heap/MarkStackMergingConstraint.cpp:
        (JSC::MarkStackMergingConstraint::executeImpl):
        * heap/MarkStackMergingConstraint.h:
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::didAddToAllocator):
        (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::subspace const):
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::forEachLiveCell):
        * heap/MarkedSpaceInlines.h:
        (JSC::MarkedSpace::forEachLiveCell):
        * heap/MarkingConstraint.cpp:
        (JSC::MarkingConstraint::execute):
        (JSC::MarkingConstraint::doParallelWork):
        (JSC::MarkingConstraint::finishParallelWork): Deleted.
        (JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
        (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
        * heap/MarkingConstraint.h:
        * heap/MarkingConstraintSet.cpp:
        (JSC::MarkingConstraintSet::add):
        * heap/MarkingConstraintSet.h:
        (JSC::MarkingConstraintSet::add):
        * heap/MarkingConstraintSolver.cpp:
        (JSC::MarkingConstraintSolver::execute):
        (JSC::MarkingConstraintSolver::addParallelTask):
        (JSC::MarkingConstraintSolver::runExecutionThread):
        (JSC::MarkingConstraintSolver::didExecute): Deleted.
        * heap/MarkingConstraintSolver.h:
        (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
        (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
        * heap/SimpleMarkingConstraint.cpp:
        (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
        (JSC::SimpleMarkingConstraint::executeImpl):
        * heap/SimpleMarkingConstraint.h:
        (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::addParallelConstraintTask):
        * heap/SlotVisitor.h:
        * heap/Subspace.cpp:
        (JSC::Subspace::sweep):
        * heap/Subspace.h:
        * heap/SubspaceInlines.h:
        (JSC::Subspace::forEachLiveCell):
        * llint/LowLevelInterpreter.asm:
        * runtime/EvalExecutable.cpp:
        (JSC::EvalExecutable::visitChildren):
        * runtime/EvalExecutable.h:
        (JSC::EvalExecutable::codeBlock):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::baselineCodeBlockFor):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/FunctionExecutable.h:
        * runtime/JSType.h:
        * runtime/ModuleProgramExecutable.cpp:
        (JSC::ModuleProgramExecutable::visitChildren):
        * runtime/ModuleProgramExecutable.h:
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::visitChildren):
        * runtime/ProgramExecutable.h:
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
        (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
        (JSC::VM::forEachCodeBlockSpace):
        * runtime/VMTraps.cpp:
        (JSC::VMTraps::handleTraps):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::codeBlockForMachinePC):
        (JSC::VMInspector::isValidCodeBlock):

2018-01-11  Michael Saboff  <msaboff@apple.com>

        Add a DOM gadget for Spectre testing
        https://bugs.webkit.org/show_bug.cgi?id=181351

        Reviewed by Ryosuke Niwa.

        * runtime/Options.h:

2018-01-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] regExpMatchFast should be handled
        https://bugs.webkit.org/show_bug.cgi?id=180988

        Reviewed by Mark Lam.

        RegExp.prototype.@@match has a fast path, @regExpMatchFast. This patch annotates this function
        with RegExpMatchFastIntrinsic, and introduces RegExpMatch DFG node. This paves the way to
        make NewRegexp PhantomNewRegexp if it is not used except for setting/getting its lastIndex property.

        To improve RegExp.prototype.@@match's performance more, we make this builtin function small by moving
        the slow path part to the `@matchSlow()` private function.

        It improves SixSpeed regex-u.{es5,es6} largely since they stress String.prototype.match, which calls
        this regExpMatchFast function.

                                 baseline                  patched

        regex-u.es5          55.3835+-6.3002     ^     36.2431+-2.0797        ^ definitely 1.5281x faster
        regex-u.es6         110.4624+-6.2896     ^     94.1012+-7.2433        ^ definitely 1.1739x faster

        * builtins/RegExpPrototype.js:
        (globalPrivate.matchSlow):
        (overriddenName.string_appeared_here.match):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileRegExpMatch):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatch):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncMatchFast):

2018-01-11  Saam Barati  <sbarati@apple.com>

        Our for-in caching is wrong when we add indexed properties on things in the prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=181508

        Reviewed by Yusuke Suzuki.

        Our for-in caching would cache structure chains that had prototypes with
        indexed properties. Clearly this is wrong. This caching breaks when a prototype
        adds new indexed properties. We would continue to enumerate the old cached
        state of properties, and not include the new indexed properties.
        
        The old code used to prevent caching only if the base structure had
        indexed properties. This patch extends it to prevent caching if the
        base, or any structure in the prototype chain, has indexed properties.

        * runtime/Structure.cpp:
        (JSC::Structure::canCachePropertyNameEnumerator const):

2018-01-10  JF Bastien  <jfbastien@apple.com>

        Poison small JSObject derivatives which only contain pointers
        https://bugs.webkit.org/show_bug.cgi?id=181483
        <rdar://problem/36407127>

        Reviewed by Mark Lam.

        I wrote a script that finds interesting things to poison or
        generally harden. These stood out because they derive from
        JSObject and only contain a few pointer or pointer-like fields,
        and could therefore just be poisoned. This also requires some
        template "improvements" to our poisoning machinery. Worth noting
        is that I'm making PoisonedUniquePtr move-assignable and
        move-constructible from unique_ptr, which makes it a better
        drop-in replacement because we don't need to use
        makePoisonedUniquePtr. This means function-locals can be
        unique_ptr and get the nice RAII pattern, and once the function is
        done you can just move to the class' PoisonedUniquePtr without
        worrying.

        * API/JSAPIWrapperObject.h:
        (JSC::JSAPIWrapperObject::wrappedObject):
        * API/JSAPIWrapperObject.mm:
        (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
        * API/JSCallbackObject.h:
        * runtime/ArrayPrototype.h:
        * runtime/DateInstance.h:
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::finishCreation):
        (JSC::JSArrayBuffer::isShared const):
        (JSC::JSArrayBuffer::sharingMode const):
        * runtime/JSArrayBuffer.h:
        * runtime/JSCPoison.h:

2018-01-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r226667 and r226673.
        https://bugs.webkit.org/show_bug.cgi?id=181488

        This caused a flaky crash. (Requested by mlewis13 on #webkit).

        Reverted changesets:

        "CodeBlocks should be in IsoSubspaces"
        https://bugs.webkit.org/show_bug.cgi?id=180884
        https://trac.webkit.org/changeset/226667

        "REGRESSION (r226667): CodeBlocks should be in IsoSubspaces"
        https://bugs.webkit.org/show_bug.cgi?id=180884
        https://trac.webkit.org/changeset/226673

2018-01-09  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r226667): CodeBlocks should be in IsoSubspaces
        <https://bugs.webkit.org/show_bug.cgi?id=180884>

        Fixes the following build error:

            heap/Heap.cpp:2708:10: error: lambda capture 'this' is not used [-Werror,-Wunused-lambda-capture]

        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints): Remove 'this' from lambda to
        fix the build.

2018-01-09  Keith Miller  <keith_miller@apple.com>

        and32 with an Address source on ARM64 did not invalidate dataTempRegister
        https://bugs.webkit.org/show_bug.cgi?id=181467

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::and32):

2018-01-04  Filip Pizlo  <fpizlo@apple.com>

        CodeBlocks should be in IsoSubspaces
        https://bugs.webkit.org/show_bug.cgi?id=180884

        Reviewed by Saam Barati.
        
        This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
        special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
        WeakReferenceHarvester or UnconditionalFinalizer. Instead:
        
        - Code block sweeping is now just eager sweeping. This means that it automatically takes
          advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
          its eden set for.
        
        - The idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
          marking an ExecutableToCodeBlockEdge object. That object being marked corresponds to what
          we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
          longer has to clear the set of weakly visited code blocks. This also means that
          determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
          CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
          has IsoCellSets to tell us which edges have output constraints (what we used to call
          CodeBlock's weak reference harvester) and which have unconditional finalizers.
        
        - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
        
        - CodeBlockSet still exists!  It has one unified HashSet of CodeBlocks that we use to
          handle requests from the sampler, debugger, and other facilities. They may want to ask
          if some pointer corresponds to a CodeBlock during stages of execution during which the
          GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
          There is no way that the GC's isLive could tell us whether a CodeBlock that had already
          been allocated has now been fully constructed.
        
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::finishCreationCommon):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::visitChildren):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::determineLiveness):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
        (JSC::CodeBlock::installVMTrapBreakpoints):
        (JSC::CodeBlock::dumpMathICStats):
        (JSC::CodeBlock::visitWeakly): Deleted.
        (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
        (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::subspaceFor):
        (JSC::CodeBlock::ownerEdge const):
        (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
        * bytecode/EvalCodeBlock.h:
        (JSC::EvalCodeBlock::create): Deleted.
        (JSC::EvalCodeBlock::createStructure): Deleted.
        (JSC::EvalCodeBlock::variable): Deleted.
        (JSC::EvalCodeBlock::numVariables): Deleted.
        (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
        (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
        (JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
        (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
        * bytecode/ExecutableToCodeBlockEdge.cpp: Added.
        (JSC::ExecutableToCodeBlockEdge::createStructure):
        (JSC::ExecutableToCodeBlockEdge::create):
        (JSC::ExecutableToCodeBlockEdge::visitChildren):
        (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
        (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
        (JSC::ExecutableToCodeBlockEdge::activate):
        (JSC::ExecutableToCodeBlockEdge::deactivate):
        (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
        (JSC::ExecutableToCodeBlockEdge::wrap):
        (JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
        (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
        (JSC::ExecutableToCodeBlockEdge::runConstraint):
        * bytecode/ExecutableToCodeBlockEdge.h: Added.
        (JSC::ExecutableToCodeBlockEdge::subspaceFor):
        (JSC::ExecutableToCodeBlockEdge::codeBlock const):
        (JSC::ExecutableToCodeBlockEdge::unwrap):
        * bytecode/FunctionCodeBlock.h:
        (JSC::FunctionCodeBlock::subspaceFor):
        (JSC::FunctionCodeBlock::createStructure):
        * bytecode/ModuleProgramCodeBlock.h:
        (JSC::ModuleProgramCodeBlock::create): Deleted.
        (JSC::ModuleProgramCodeBlock::createStructure): Deleted.
        (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
        * bytecode/ProgramCodeBlock.h:
        (JSC::ProgramCodeBlock::create): Deleted.
        (JSC::ProgramCodeBlock::createStructure): Deleted.
        (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
        * debugger/Debugger.cpp:
        (JSC::Debugger::SetSteppingModeFunctor::operator() const):
        (JSC::Debugger::ToggleBreakpointFunctor::operator() const):
        (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
        (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::contains):
        (JSC::CodeBlockSet::dump const):
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::remove):
        (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
        (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
        (JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
        * heap/CodeBlockSet.h:
        * heap/CodeBlockSetInlines.h:
        (JSC::CodeBlockSet::iterate):
        (JSC::CodeBlockSet::iterateViaSubspaces):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::DummyMarkHook::markKnownJSCell):
        (JSC::CompositeMarkHook::mark):
        (JSC::CompositeMarkHook::markKnownJSCell):
        * heap/ConservativeRoots.h:
        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::beginMarking):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        (JSC::Heap::sweepInFinalize):
        (JSC::Heap::forEachCodeBlockImpl):
        (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
        (JSC::Heap::addCoreConstraints):
        (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
        * heap/Heap.h:
        * heap/HeapCell.h:
        * heap/HeapCellInlines.h:
        (JSC::HeapCell::subspace const):
        * heap/HeapInlines.h:
        (JSC::Heap::forEachCodeBlock):
        (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
        * heap/HeapUtil.h:
        (JSC::HeapUtil::findGCObjectPointersForMarking):
        * heap/IsoCellSet.cpp:
        (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
        * heap/IsoCellSet.h:
        * heap/IsoCellSetInlines.h:
        (JSC::IsoCellSet::forEachMarkedCellInParallel):
        (JSC::IsoCellSet::forEachLiveCell):
        * heap/LargeAllocation.h:
        (JSC::LargeAllocation::subspace const):
        * heap/MarkStackMergingConstraint.cpp:
        (JSC::MarkStackMergingConstraint::executeImpl):
        * heap/MarkStackMergingConstraint.h:
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::didAddToAllocator):
        (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::subspace const):
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::forEachLiveCell):
        * heap/MarkedSpaceInlines.h:
        (JSC::MarkedSpace::forEachLiveCell):
        * heap/MarkingConstraint.cpp:
        (JSC::MarkingConstraint::execute):
        (JSC::MarkingConstraint::doParallelWork):
        (JSC::MarkingConstraint::finishParallelWork): Deleted.
        (JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
        (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
        * heap/MarkingConstraint.h:
        * heap/MarkingConstraintSet.cpp:
        (JSC::MarkingConstraintSet::add):
        * heap/MarkingConstraintSet.h:
        (JSC::MarkingConstraintSet::add):
        * heap/MarkingConstraintSolver.cpp:
        (JSC::MarkingConstraintSolver::execute):
        (JSC::MarkingConstraintSolver::addParallelTask):
        (JSC::MarkingConstraintSolver::runExecutionThread):
        (JSC::MarkingConstraintSolver::didExecute): Deleted.
        * heap/MarkingConstraintSolver.h:
        (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
        (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
        * heap/SimpleMarkingConstraint.cpp:
        (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
        (JSC::SimpleMarkingConstraint::executeImpl):
        * heap/SimpleMarkingConstraint.h:
        (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::addParallelConstraintTask):
        * heap/SlotVisitor.h:
        * heap/Subspace.cpp:
        (JSC::Subspace::sweep):
        * heap/Subspace.h:
        * heap/SubspaceInlines.h:
        (JSC::Subspace::forEachLiveCell):
        * llint/LowLevelInterpreter.asm:
        * runtime/EvalExecutable.cpp:
        (JSC::EvalExecutable::visitChildren):
        * runtime/EvalExecutable.h:
        (JSC::EvalExecutable::codeBlock):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::baselineCodeBlockFor):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/FunctionExecutable.h:
        * runtime/JSType.h:
        * runtime/ModuleProgramExecutable.cpp:
        (JSC::ModuleProgramExecutable::visitChildren):
        * runtime/ModuleProgramExecutable.h:
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::visitChildren):
        * runtime/ProgramExecutable.h:
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
        (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
        (JSC::VM::forEachCodeBlockSpace):
        * runtime/VMTraps.cpp:
        (JSC::VMTraps::handleTraps):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::codeBlockForMachinePC):
        (JSC::VMInspector::isValidCodeBlock):

2018-01-09  Michael Saboff  <msaboff@apple.com>

        Unreviewed, rolling out r226600 and r226603
        https://bugs.webkit.org/show_bug.cgi?id=181351

        Add a DOM gadget for Spectre testing

        * runtime/Options.h:

2018-01-09  Saam Barati  <sbarati@apple.com>

        Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
        https://bugs.webkit.org/show_bug.cgi?id=181409

        Reviewed by Keith Miller.

        When I was looking at profiler data for Speedometer, I noticed that one of
        the hottest functions in Speedometer is around 1100 bytecode operations long.
        Only about 100 of those bytecode ops ever execute. However, we ended up
        spending a lot of time compiling basic blocks that never executed. We often
        plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
        This is the case when such a node never executes.
        
        This patch makes it so that anytime a block has a ForceOSRExit, we replace its
        terminal node with an Unreachable node (and remove all nodes after the
        ForceOSRExit). This will cut down on graph size when such a block dominates
        other blocks in the CFG. This allows us to get rid of huge chunks of the CFG
        in certain programs. When doing this transformation, we also insert
        Flushes/PhantomLocals to ensure we can recover values that are bytecode
        live-in to the ForceOSRExit.
        
        Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
        does not get rid of all the CFG that it could. If we decide it's worth
        it, we could use additional inputs into this mechanism. For example, we could
        profile if a basic block ever executes inside the LLInt/Baseline, and
        remove parts of the CFG based on that.
        
        When running Speedometer with the concurrent JIT turned off, this patch
        improves DFG/FTL compile times by around 5%.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::parse):

2018-01-09  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
        https://bugs.webkit.org/show_bug.cgi?id=181388
        <rdar://problem/36349351>

        Reviewed by Saam Barati.

        When there are duplicate setters or getters, we may end up overwriting a getter
        with a setter, or vice versa.  This patch adds tracking for getters/setters that
        have been overwritten with duplicates and ignores them.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode):
        * parser/Nodes.h:
        (JSC::PropertyNode::isOverriddenByDuplicate const):
        (JSC::PropertyNode::setIsOverriddenByDuplicate):

2018-01-08  Zan Dobersek  <zdobersek@igalia.com>

        REGRESSION(r225913): about 30 JSC test failures on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=181162
        <rdar://problem/36261349>

        Unreviewed follow-up to r226298. Enable the fast case in
        DFG::SpeculativeJIT::compileArraySlice() for any 64-bit platform,
        assuming in good faith that enough GP registers are available on any
        such configuration. The accompanying comment is adjusted to describe
        this assumption.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArraySlice):

2018-01-08  JF Bastien  <jfbastien@apple.com>

        WebAssembly: mask indexed accesses to Table
        https://bugs.webkit.org/show_bug.cgi?id=181412
        <rdar://problem/36363236>

        Reviewed by Saam Barati.

        WebAssembly Table indexed accesses are user-controlled and
        bounds-checked. Force allocations of Table data to be a
        power-of-two, and explicitly mask accesses after bounds-check
        branches.

        Rename misleading usage of "size" when "length" of a Table was
        intended.

        Rename the Spectre option from "disable" to "enable".

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        * runtime/Options.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmTable.cpp:
        (JSC::Wasm::Table::allocatedLength):
        (JSC::Wasm::Table::setLength):
        (JSC::Wasm::Table::create):
        (JSC::Wasm::Table::Table):
        (JSC::Wasm::Table::grow):
        (JSC::Wasm::Table::clearFunction):
        (JSC::Wasm::Table::setFunction):
        * wasm/WasmTable.h:
        (JSC::Wasm::Table::length const):
        (JSC::Wasm::Table::offsetOfLength):
        (JSC::Wasm::Table::offsetOfMask):
        (JSC::Wasm::Table::mask const):
        (JSC::Wasm::Table::isValidLength):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
        (JSC::JSWebAssemblyTable::visitChildren):
        (JSC::JSWebAssemblyTable::grow):
        (JSC::JSWebAssemblyTable::getFunction):
        (JSC::JSWebAssemblyTable::clearFunction):
        (JSC::JSWebAssemblyTable::setFunction):
        * wasm/js/JSWebAssemblyTable.h:
        (JSC::JSWebAssemblyTable::isValidLength):
        (JSC::JSWebAssemblyTable::length const):
        (JSC::JSWebAssemblyTable::allocatedLength const):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::webAssemblyTableProtoFuncLength):
        (JSC::webAssemblyTableProtoFuncGrow):
        (JSC::webAssemblyTableProtoFuncGet):
        (JSC::webAssemblyTableProtoFuncSet):

2018-01-08  Michael Saboff  <msaboff@apple.com>

        Add a DOM gadget for Spectre testing
        https://bugs.webkit.org/show_bug.cgi?id=181351

        Reviewed by Michael Saboff.

        Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
        Spectre mitigations.

        * runtime/Options.h:

2018-01-08  Mark Lam  <mark.lam@apple.com>

        Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.
        https://bugs.webkit.org/show_bug.cgi?id=181403
        <rdar://problem/36359789>

        Rubber-stamped by JF Bastien.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::setConstantRegisters):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::predictedMachineCodeSize):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::vm const):
        (JSC::CodeBlock::addConstant):
        (JSC::CodeBlock::heap const):
        (JSC::CodeBlock::replaceConstant):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2018-01-07  Mark Lam  <mark.lam@apple.com>

        Apply poisoning to more pointers in JSC.
        https://bugs.webkit.org/show_bug.cgi?id=181096
        <rdar://problem/36182970>

        Reviewed by JF Bastien.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::xorPtr):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::xor64):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::xor64):
        - Add xorPtr implementation.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::inferredName const):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::setConstantRegisters):
        (JSC::CodeBlock::visitWeakly):
        (JSC::CodeBlock::visitChildren):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
        (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::predictedMachineCodeSize):
        (JSC::CodeBlock::findPC):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer):
        (JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester):
        (JSC::CodeBlock::stubInfoBegin):
        (JSC::CodeBlock::stubInfoEnd):
        (JSC::CodeBlock::callLinkInfosBegin):
        (JSC::CodeBlock::callLinkInfosEnd):
        (JSC::CodeBlock::instructions):
        (JSC::CodeBlock::instructions const):
        (JSC::CodeBlock::vm const):
        * dfg/DFGOSRExitCompilerCommon.h:
        (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
        * jit/JIT.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/UnlinkedSourceCode.h:
        * runtime/JSCPoison.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        * runtime/JSScriptFetchParameters.h:
        * runtime/JSScriptFetcher.h:
        * runtime/StructureTransitionTable.h:
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        (JSC::JSWebAssemblyCodeBlock::visitChildren):
        (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
        * wasm/js/JSWebAssemblyCodeBlock.h:

2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
        https://bugs.webkit.org/show_bug.cgi?id=181321

        Reviewed by Saam Barati.

        According to ECMA262 16.2[1], functions created using the bind method must not have
        "caller" and "arguments" own properties.

        [1]: https://tc39.github.io/ecma262/#sec-forbidden-extensions

        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):

2018-01-05  JF Bastien  <jfbastien@apple.com>

        WebAssembly: poison JS object's secrets
        https://bugs.webkit.org/show_bug.cgi?id=181339
        <rdar://problem/36325001>

        Reviewed by Mark Lam.

        Separating WebAssembly's JS objects from their non-JS
        implementation means that all interesting information lives
        outside of the JS object itself. This patch poisons each JS
        object's pointer to non-JS implementation using the poisoning
        mechanism and a unique key per JS object type origin.

        * runtime/JSCPoison.h:
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
        object in a stack slot when fast TLS is disabled. This requires
        that we unpoison the Wasm::Instance.
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
        be explicit that the pointer is poisoned.
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/JSWebAssemblyTable.h:

2018-01-05  Michael Saboff  <msaboff@apple.com>

        Add ability to disable indexed property masking for testing
        https://bugs.webkit.org/show_bug.cgi?id=181350

        Reviewed by Keith Miller.

        Made the masking of indexed properties runtime controllable via a new JSC::Option
        named disableSpectreMitigations.  This is done to test the efficacy of that mitigation.

        The new option has a generic name as it will probably be used to disable future mitigations.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        * runtime/Options.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):

2018-01-05  Michael Saboff  <msaboff@apple.com>

        Allow JSC Config Files to set Restricted Options
        https://bugs.webkit.org/show_bug.cgi?id=181352

        Reviewed by Mark Lam.

        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::parse):

2018-01-04  Keith Miller  <keith_miller@apple.com>

        TypedArrays and Wasm should use index masking.
        https://bugs.webkit.org/show_bug.cgi?id=181313

        Reviewed by Michael Saboff.

        We should have index masking for our TypedArray code in the
        DFG/FTL and for Wasm when doing bounds checking. Index masking for
        Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any
        WasmBoundsCheckValues we don't need to worry about combining a
        bounds check for a load and a store. I went with fusing the
        pointer masking in the WasmBoundsCheckValue since it should reduce
        additional compiler overhead.

        * b3/B3LowerToAir.cpp:
        * b3/B3Validate.cpp:
        * b3/B3WasmBoundsCheckValue.cpp:
        (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
        (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
        * b3/B3WasmBoundsCheckValue.h:
        (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::WasmBoundsCheckCustom::generate):
        * b3/testb3.cpp:
        (JSC::B3::testWasmBoundsCheck):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):
        * runtime/Butterfly.h:
        (JSC::Butterfly::computeIndexingMask const):
        (JSC::Butterfly::computeIndexingMaskForVectorLength): Deleted.
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        (JSC::Wasm::B3IRGenerator::load):
        (JSC::Wasm::B3IRGenerator::store):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::Memory):
        (JSC::Wasm::Memory::grow):
        * wasm/WasmMemory.h:
        (JSC::Wasm::Memory::offsetOfIndexingMask):
        * wasm/WasmMemoryInformation.cpp:
        (JSC::Wasm::PinnedRegisterInfo::get):
        (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
        * wasm/WasmMemoryInformation.h:
        (JSC::Wasm::PinnedRegisterInfo::toSave const):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
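        An added illustration of the bounds-check-then-mask pattern that this entry
        and the 2018-01-08 "WebAssembly: mask indexed accesses to Table" entry above
        describe; it is not JavaScriptCore's own Table or TypedArray code. The table's
        backing store is always a power of two, so `allocatedLength - 1` is a valid
        mask, and an index that survives a mispredicted bounds check is folded into
        the allocation before the load. The class and function names are invented
        for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Smallest power of two that is >= n (n == 0 gives 1), so that
// allocatedLength - 1 is an all-ones mask covering every slot.
static size_t roundUpToPowerOfTwo(size_t n)
{
    size_t p = 1;
    while (p < n)
        p <<= 1;
    return p;
}

// Hypothetical table (names invented for this example). "length" is the
// user-visible size; "allocatedLength" is the power-of-two backing store.
// Every access is bounds-checked against length and then ANDed with the
// mask, so that even if the CPU speculates past a failed bounds check with an
// attacker-chosen index, the load stays inside the allocation instead of
// becoming a speculative out-of-bounds read.
class MaskedTable {
public:
    explicit MaskedTable(size_t length) { setLength(length); }

    size_t length() const { return m_length; }
    size_t allocatedLength() const { return m_storage.size(); }
    uint32_t mask() const { return m_mask; }

    // Whatever index reaches the load, masking keeps it below allocatedLength.
    uint32_t maskedIndex(uint32_t index) const { return index & m_mask; }

    // Returns false for out-of-bounds indices; otherwise stores the slot in out.
    bool tryGet(uint32_t index, uint32_t& out) const
    {
        if (index >= m_length)
            return false; // architectural bounds check
        out = m_storage[maskedIndex(index)]; // masked even on the in-bounds path
        return true;
    }

    bool set(uint32_t index, uint32_t value)
    {
        if (index >= m_length)
            return false;
        m_storage[maskedIndex(index)] = value;
        return true;
    }

    // Growing keeps allocatedLength a power of two and recomputes the mask;
    // existing entries are preserved, new slots start zeroed.
    void grow(size_t delta) { setLength(m_length + delta); }

private:
    void setLength(size_t length)
    {
        m_storage.resize(roundUpToPowerOfTwo(length), 0);
        m_length = length;
        m_mask = static_cast<uint32_t>(m_storage.size() - 1);
    }

    std::vector<uint32_t> m_storage;
    size_t m_length = 0;
    uint32_t m_mask = 0;
};
```

        Two caveats a practitioner should keep in mind: the mask does not replace the
        bounds check, it only bounds what a speculative access can touch; and the
        slack slots between length and allocatedLength are reachable speculatively,
        so they must hold nothing secret (they are zero-initialised here).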

2018-01-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r226434.
        https://bugs.webkit.org/show_bug.cgi?id=181322

        32bit JSC failure in x86 (Requested by yusukesuzuki on
        #webkit).

        Reverted changeset:

        "[DFG] Unify ToNumber implementation in 32bit and 64bit by
        changing 32bit Int32Tag and LowestTag"
        https://bugs.webkit.org/show_bug.cgi?id=181134
        https://trac.webkit.org/changeset/226434

2018-01-04  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
        https://bugs.webkit.org/show_bug.cgi?id=180770

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:

2018-01-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r226405.
        https://bugs.webkit.org/show_bug.cgi?id=181318

        Speculative rollout due to Octane/SplayLatency,Octane/Splay
        regressions (Requested by yusukesuzuki on #webkit).

        Reverted changeset:

        "[JSC] Create parallel SlotVisitors apriori"
        https://bugs.webkit.org/show_bug.cgi?id=180907
        https://trac.webkit.org/changeset/226405

2018-01-04  Saam Barati  <sbarati@apple.com>

        Do value profiling in to_this
        https://bugs.webkit.org/show_bug.cgi?id=181299

        Reviewed by Filip Pizlo.

        This patch adds value profiling to to_this. We use the result of the value
        profiling only for strict mode code when we don't predict that the input is
        of a specific type. This helps when the input is SpecCellOther. Such cells
        might implement a custom ToThis, which can produce an arbitrary result. Before
        this patch, in prediction propagation, we were saying that a ToThis with a
        SpecCellOther input also produced SpecCellOther. However, this is incorrect,
        given that the input may implement ToThis that produces an arbitrary result.
        This is seen inside Speedometer. This patch fixes an OSR exit loop in Speedometer.
        
        Interestingly, this patch only does value profiling on the slow path. The fast
        path of to_this in the LLInt/baseline just performs a structure check. If it
        passes, the result is the same as the input. Therefore, doing value profiling
        from the fast path wouldn't actually produce new information for the ValueProfile.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitToThis):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
        https://bugs.webkit.org/show_bug.cgi?id=181134

        Reviewed by Mark Lam.

        We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that
        branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires
        an additional scratch register. We do not want to allocate an unnecessary register in 64bit
        implementation.

        This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit
        and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By
        setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking
        `<= LowestTag(Int32Tag)`.

        We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`.

        We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
        (JSC::DFG::SpeculativeJIT::compileToNumber):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::branchIfNotType):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfMisc):
        (JSC::AssemblyHelpers::branchIfNotMisc):
        (JSC::AssemblyHelpers::branchIfNumber):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
        (JSC::AssemblyHelpers::emitTypeOf):
        * jit/JITAddGenerator.cpp:
        (JSC::JITAddGenerator::generateFastPath):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitBinaryDoubleOp):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::loadOperand):
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateInline):
        (JSC::JITMulGenerator::generateFastPath):
        * jit/JITNegGenerator.cpp:
        (JSC::JITNegGenerator::generateInline):
        (JSC::JITNegGenerator::generateFastPath):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITRightShiftGenerator.cpp:
        (JSC::JITRightShiftGenerator::generateFastPath):
        * jit/JITSubGenerator.cpp:
        (JSC::JITSubGenerator::generateInline):
        (JSC::JITSubGenerator::generateFastPath):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * runtime/JSCJSValue.h:

2018-01-04  JF Bastien  <jfbastien@apple.com>

        Add assembler support for x86 lfence and sfence
        https://bugs.webkit.org/show_bug.cgi?id=181311
        <rdar://problem/36301780>

        Reviewed by Michael Saboff.

        Useful for testing performance of serializing instructions (hint:
        it's not good).

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::lfence):
        (JSC::MacroAssemblerX86Common::sfence):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::lfence):
        (JSC::X86Assembler::sfence):

2018-01-04  Saam Barati  <sbarati@apple.com>

        Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction)
        https://bugs.webkit.org/show_bug.cgi?id=181296

        Reviewed by Filip Pizlo.

        Inside Speedometer's Ember test, there is a recompile loop like:
        a: GetByVal(..., semanticOriginX)
        b: SetLocal(Cell:@a, semanticOriginX)
        
        where the cell check always fails. For reasons I didn't investigate, the
        baseline JIT's value profiling doesn't accurately capture the GetByVal's
        result.
        
        However, when compiling this cell speculation check in the DFG, we get a null
        MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for
        this IR pattern because both @a and @b have the same semantic origin. We
        should not follow the same semantic origin heuristic when dealing with
        SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern.
        For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction).
        For this IR pattern, we will update the value profile for the semantic origin
        for @nodeWithHeapPrediction. So, for the Speedometer example above, we
        will correctly update the GetByVal's value profile, which will prevent
        an OSR exit loop.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):

2018-01-04  Keith Miller  <keith_miller@apple.com>

        Array Storage operations sometimes did not update the indexing mask correctly.
        https://bugs.webkit.org/show_bug.cgi?id=181301

        Reviewed by Mark Lam.

        I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::increaseVectorLength):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Define defs for MapSet/SetAdd to participate in CSE
        https://bugs.webkit.org/show_bug.cgi?id=179911

        Reviewed by Saam Barati.

        With this patch, our MapSet and SetAdd DFG nodes participate in CSE.
        To handle the somewhat tricky DFG Map operation nodes, MapSet and SetAdd
        produce the added bucket as their result. Subsequent GetMapBucket will
        be removed by CSE.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetAdd):
        (JSC::DFG::SpeculativeJIT::compileMapSet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
        * jit/JITOperations.h:
        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::addNormalized):
        (JSC::HashMapImpl::addNormalizedInternal):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove LocalScope
        https://bugs.webkit.org/show_bug.cgi?id=181206

        Reviewed by Geoffrey Garen.

        The last user of HandleStack and LocalScope is JSON. But MarkedArgumentBuffer is enough for their use.
        This patch changes JSON parsing and stringifying to use MarkedArgumentBuffer, and removes HandleStack
        and LocalScope.

        We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack. So they can hold
        JSObject* directly in their fields.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/HandleStack.cpp: Removed.
        * heap/HandleStack.h: Removed.
        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        (JSC::Heap::handleSet):
        (JSC::Heap::handleStack): Deleted.
        * heap/Local.h: Removed.
        * heap/LocalScope.h: Removed.
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::object const):
        (JSC::gap):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::Walker):
        (JSC::Walker::callReviver):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        (JSC::JSONParse):
        (JSC::JSONStringify):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf
        https://bugs.webkit.org/show_bug.cgi?id=180238

        Reviewed by Saam Barati.

        We can optimize ObjectAllocationSinking a bit by using removeIf.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Create parallel SlotVisitors apriori
        https://bugs.webkit.org/show_bug.cgi?id=180907

        Reviewed by Saam Barati.

        The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
        If we create these SlotVisitors apriori, we do not need to create SlotVisitors dynamically.
        Then we do not need to grab locks while iterating all the SlotVisitors.

        In addition, we do not need to consider the case that the number of SlotVisitors increases
        after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
        does not increase any more.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::runBeginPhase):
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::forEachSlotVisitor):
        (JSC::Heap::numberOfSlotVisitors): Deleted.
        * heap/MarkingConstraintSolver.cpp:
        (JSC::MarkingConstraintSolver::didVisitSomething const):

2018-01-03  Ting-Wei Lan  <lantw44@gmail.com>

        Replace hard-coded paths in shebangs with #!/usr/bin/env
        https://bugs.webkit.org/show_bug.cgi?id=181040

        Reviewed by Alex Christensen.

        * Scripts/UpdateContents.py:
        * Scripts/cssmin.py:
        * Scripts/generate-combined-inspector-json.py:
        * Scripts/xxd.pl:
        * create_hash_table:
        * generate-bytecode-files:
        * wasm/generateWasm.py:
        * wasm/generateWasmOpsHeader.py:
        * yarr/generateYarrCanonicalizeUnicode:

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Disable SharedArrayBuffers from Web API
        https://bugs.webkit.org/show_bug.cgi?id=181266

        Reviewed by Saam Barati.

        Removed the SharedArrayBuffer prototype and structure from GlobalObject creation
        to disable it.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayBufferPrototype const):
        (JSC::JSGlobalObject::arrayBufferStructure const):

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Add "noInline" to $vm
        https://bugs.webkit.org/show_bug.cgi?id=181265

        Reviewed by Mark Lam.

        This would be useful for web based tests.

        * tools/JSDollarVM.cpp:
        (JSC::getExecutableForFunction):
        (JSC::functionNoInline):
        (JSC::JSDollarVM::finishCreation):

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
        https://bugs.webkit.org/show_bug.cgi?id=181263

        Reviewed by Mark Lam.

        Flushing the butterfly pointer provides no benefit and slows this function.

        * tools/JSDollarVM.cpp:
        (JSC::functionCpuClflush):

2018-01-03  Saam Barati  <sbarati@apple.com>

        Fix BytecodeParser op_catch assert to work with useProfiler=1
        https://bugs.webkit.org/show_bug.cgi?id=181260

        Reviewed by Keith Miller.

        op_catch was asserting that the current block was empty. This is only true
        if the profiler isn't enabled. When the profiler is enabled, we will
        insert a CountExecution node before each bytecode. This patch fixes the
        assert to work with the profiler.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2018-01-03  Per Arne Vollan  <pvollan@apple.com>

        [Win][Debug] testapi link error.
        https://bugs.webkit.org/show_bug.cgi?id=181247
        <rdar://problem/36166729>

        Reviewed by Brent Fulgham.

        Do not set the runtime library compile flag for C files, it is already set to the correct value.
 
        * shell/PlatformWin.cmake:

2018-01-03  Robin Morisset  <rmorisset@apple.com>

        Inlining of a function that ends in op_unreachable crashes
        https://bugs.webkit.org/show_bug.cgi?id=181027

        Reviewed by Filip Pizlo.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
        (JSC::DFG::ByteCodeParser::inlineCall):

2018-01-02  Saam Barati  <sbarati@apple.com>

        Incorrect assertion inside AccessCase
        https://bugs.webkit.org/show_bug.cgi?id=181200
        <rdar://problem/35494754>

        Reviewed by Yusuke Suzuki.

        Consider a PutById compiled to a setter in a function like so:
        
        ```
        function foo(o) { o.f = o; }
        ```
        
        The DFG will often assign the same registers to the baseGPR (o in o.f) and the
        valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
        to the same register. However, we're asserting that they're not the same register.
        This patch just removes this invalid assertion.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):

2018-01-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
        https://bugs.webkit.org/show_bug.cgi?id=175359

        Reviewed by Yusuke Suzuki.

        This patch is implementing BigIntConstructor and BigIntPrototype
        following the spec[1, 2]. In addition, we are also implementing the BigIntObject
        wrapper to handle the ToObject(v) abstract operation when "v" is a BigInt
        primitive. With these classes, now it's possible to synthesize
        BigInt.prototype and then call "toString", "valueOf" and
        "toLocaleString" when the primitive is a BigInt.
        BigIntConstructor exposes an API to parse other primitives such as
        Number, Boolean and String to BigInt.
        We decided to skip the parseInt implementation, since it was removed from
        the spec.

        [1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
        [2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object 

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * jsc.cpp:
        * runtime/BigIntConstructor.cpp: Added.
        (JSC::BigIntConstructor::BigIntConstructor):
        (JSC::BigIntConstructor::finishCreation):
        (JSC::isSafeInteger):
        (JSC::toBigInt):
        (JSC::callBigIntConstructor):
        (JSC::bigIntConstructorFuncAsUintN):
        (JSC::bigIntConstructorFuncAsIntN):
        * runtime/BigIntConstructor.h: Added.
        (JSC::BigIntConstructor::create):
        (JSC::BigIntConstructor::createStructure):
        * runtime/BigIntObject.cpp: Added.
        (JSC::BigIntObject::BigIntObject):
        (JSC::BigIntObject::finishCreation):
        (JSC::BigIntObject::toStringName):
        (JSC::BigIntObject::defaultValue):
        * runtime/BigIntObject.h: Added.
        (JSC::BigIntObject::create):
        (JSC::BigIntObject::internalValue const):
        (JSC::BigIntObject::createStructure):
        * runtime/BigIntPrototype.cpp: Added.
        (JSC::BigIntPrototype::BigIntPrototype):
        (JSC::BigIntPrototype::finishCreation):
        (JSC::toThisBigIntValue):
        (JSC::bigIntProtoFuncToString):
        (JSC::bigIntProtoFuncToLocaleString):
        (JSC::bigIntProtoFuncValueOf):
        * runtime/BigIntPrototype.h: Added.
        (JSC::BigIntPrototype::create):
        (JSC::BigIntPrototype::createStructure):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createFrom):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::toObject const):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::synthesizePrototype const):
        * runtime/JSCPoisonedPtr.cpp:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toObjectSlow const):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::bigIntPrototype const):
        (JSC::JSGlobalObject::bigIntObjectStructure const):
        * runtime/StructureCache.h:
        * runtime/StructureInlines.h:
        (JSC::prototypeForLookupPrimitiveImpl):

2018-01-02  Tim Horton  <timothy_horton@apple.com>

        Fix the MathCommon build with a recent compiler
        https://bugs.webkit.org/show_bug.cgi?id=181216

        Reviewed by Sam Weinig.

        * runtime/MathCommon.cpp:
        (JSC::fdlibmPow):
        This cast drops the 'const' qualifier from the pointer to 'one',
        but it doesn't have to, and it makes the compiler sad.

== Rolled over to ChangeLog-2018-01-01 ==