<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[237470] branches/safari-606-branch</title>
</head>
<body>

<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/237470">237470</a></dd>
<dt>Author</dt> <dd>alancoon@apple.com</dd>
<dt>Date</dt> <dd>2018-10-26 11:51:19 -0700 (Fri, 26 Oct 2018)</dd>
</dl>

<h3>Log Message</h3>
<pre>Cherry-pick <a href="http://trac.webkit.org/projects/webkit/changeset/236589">r236589</a>. rdar://problem/45285669

    Verify the contents of AssemblerBuffer on arm64e
    https://bugs.webkit.org/show_bug.cgi?id=190057
    <rdar://problem/38916630>

    Reviewed by Mark Lam.

    JSTests:

    * stress/regress-189132.js:

    Source/JavaScriptCore:

    * assembler/ARM64Assembler.h:
    (JSC::ARM64Assembler::ARM64Assembler):
    (JSC::ARM64Assembler::fillNops):
    (JSC::ARM64Assembler::link):
    (JSC::ARM64Assembler::linkJumpOrCall):
    (JSC::ARM64Assembler::linkCompareAndBranch):
    (JSC::ARM64Assembler::linkConditionalBranch):
    (JSC::ARM64Assembler::linkTestAndBranch):
    (JSC::ARM64Assembler::unlinkedCode): Deleted.
    * assembler/ARMAssembler.h:
    (JSC::ARMAssembler::fillNops):
    * assembler/ARMv7Assembler.h:
    (JSC::ARMv7Assembler::unlinkedCode): Deleted.
    * assembler/AbstractMacroAssembler.h:
    (JSC::AbstractMacroAssembler::emitNops):
    (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
    * assembler/AssemblerBuffer.h:
    (JSC::ARM64EHash::ARM64EHash):
    (JSC::ARM64EHash::update):
    (JSC::ARM64EHash::hash const):
    (JSC::ARM64EHash::randomSeed const):
    (JSC::AssemblerBuffer::AssemblerBuffer):
    (JSC::AssemblerBuffer::putShort):
    (JSC::AssemblerBuffer::putIntUnchecked):
    (JSC::AssemblerBuffer::putInt):
    (JSC::AssemblerBuffer::hash const):
    (JSC::AssemblerBuffer::data const):
    (JSC::AssemblerBuffer::putIntegralUnchecked):
    (JSC::AssemblerBuffer::append): Deleted.
    * assembler/LinkBuffer.cpp:
    (JSC::LinkBuffer::copyCompactAndLinkCode):
    * assembler/MIPSAssembler.h:
    (JSC::MIPSAssembler::fillNops):
    * assembler/MacroAssemblerARM64.h:
    (JSC::MacroAssemblerARM64::jumpsToLink):
    (JSC::MacroAssemblerARM64::link):
    (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
    * assembler/MacroAssemblerARMv7.h:
    (JSC::MacroAssemblerARMv7::jumpsToLink):
    (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
    * assembler/X86Assembler.h:
    (JSC::X86Assembler::fillNops):

    Source/WTF:

    * wtf/PtrTag.h:
    (WTF::tagInt):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236589 268f45cc-cd09-0410-ab3c-d52691b4dbfc</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari606branchJSTestsChangeLog">branches/safari-606-branch/JSTests/ChangeLog</a></li>
<li><a href="#branchessafari606branchSourceJavaScriptCoreChangeLog">branches/safari-606-branch/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#branchessafari606branchSourceJavaScriptCoreassemblerARM64Assemblerh">branches/safari-606-branch/Source/JavaScriptCore/assembler/ARM64Assembler.h</a></li>
<li><a href="#branchessafari606branchSourceJavaScriptCoreassemblerARMAssemblerh">branches/safari-606-branch/Source/JavaScriptCore/assembler/ARMAssembler.h</a></li>
<li><a href="#branchessafari606branchSourceJavaScriptCoreassemblerARMv7Assemblerh">branches/safari-606-branch/Source/JavaScriptCore/assembler/ARMv7Assembler.h</a></li>
<li><a href="#branchessafari606branchSourceJavaScriptCoreassemblerAbstractMacroAssemblerh">branches/safari-606-branch/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h</a></li>
<li><a href="#branchessafari606branchSourceJavaScriptCoreassemblerAssemblerBufferh">branches/safari-606-branch/Source/JavaScriptCore/assembler/AssemblerBuffer.h</a></li>
<li><a href="#branchessafari606branchSourceJavaScriptCoreassemblerLinkBuffercpp">branches/safari-606-branch/Source/JavaScriptCore/assembler/LinkBuffer.cpp</a></li>
<li><a href="#branchessafari606branchSourceJavaScriptCoreassemblerMIPSAssemblerh">branches/safari-606-branch/Source/JavaScriptCore/assembler/MIPSAssembler.h</a></li>
<li><a href="#branchessafari606branchSourceJavaScriptCoreassemblerMacroAssemblerARM64h">branches/safari-606-branch/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h</a></li>
<li><a href="#branchessafari606branchSourceJavaScriptCoreassemblerMacroAssemblerARMv7h">branches/safari-606-branch/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h</a></li>
<li><a href="#branchessafari606branchSourceJavaScriptCoreassemblerX86Assemblerh">branches/safari-606-branch/Source/JavaScriptCore/assembler/X86Assembler.h</a></li>
<li><a href="#branchessafari606branchSourceWTFChangeLog">branches/safari-606-branch/Source/WTF/ChangeLog</a></li>
<li><a href="#branchessafari606branchSourceWTFwtfPtrTagh">branches/safari-606-branch/Source/WTF/wtf/PtrTag.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
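--- a/branches/safari-606-branch/JSTests/ChangeLog
+++ b/branches/safari-606-branch/JSTests/ChangeLog
@@ -1,3 +1,79 @@
+2018-10-23  Kocsen Chung  <kocsen_chung@apple.com>
+
+        Cherry-pick r236589. rdar://problem/45285669
+
+    Verify the contents of AssemblerBuffer on arm64e
+    https://bugs.webkit.org/show_bug.cgi?id=190057
+    <rdar://problem/38916630>
+    
+    Reviewed by Mark Lam.
+    
+    JSTests:
+    
+    * stress/regress-189132.js:
+    
+    Source/JavaScriptCore:
+    
+    * assembler/ARM64Assembler.h:
+    (JSC::ARM64Assembler::ARM64Assembler):
+    (JSC::ARM64Assembler::fillNops):
+    (JSC::ARM64Assembler::link):
+    (JSC::ARM64Assembler::linkJumpOrCall):
+    (JSC::ARM64Assembler::linkCompareAndBranch):
+    (JSC::ARM64Assembler::linkConditionalBranch):
+    (JSC::ARM64Assembler::linkTestAndBranch):
+    (JSC::ARM64Assembler::unlinkedCode): Deleted.
+    * assembler/ARMAssembler.h:
+    (JSC::ARMAssembler::fillNops):
+    * assembler/ARMv7Assembler.h:
+    (JSC::ARMv7Assembler::unlinkedCode): Deleted.
+    * assembler/AbstractMacroAssembler.h:
+    (JSC::AbstractMacroAssembler::emitNops):
+    (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
+    * assembler/AssemblerBuffer.h:
+    (JSC::ARM64EHash::ARM64EHash):
+    (JSC::ARM64EHash::update):
+    (JSC::ARM64EHash::hash const):
+    (JSC::ARM64EHash::randomSeed const):
+    (JSC::AssemblerBuffer::AssemblerBuffer):
+    (JSC::AssemblerBuffer::putShort):
+    (JSC::AssemblerBuffer::putIntUnchecked):
+    (JSC::AssemblerBuffer::putInt):
+    (JSC::AssemblerBuffer::hash const):
+    (JSC::AssemblerBuffer::data const):
+    (JSC::AssemblerBuffer::putIntegralUnchecked):
+    (JSC::AssemblerBuffer::append): Deleted.
+    * assembler/LinkBuffer.cpp:
+    (JSC::LinkBuffer::copyCompactAndLinkCode):
+    * assembler/MIPSAssembler.h:
+    (JSC::MIPSAssembler::fillNops):
+    * assembler/MacroAssemblerARM64.h:
+    (JSC::MacroAssemblerARM64::jumpsToLink):
+    (JSC::MacroAssemblerARM64::link):
+    (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
+    * assembler/MacroAssemblerARMv7.h:
+    (JSC::MacroAssemblerARMv7::jumpsToLink):
+    (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
+    * assembler/X86Assembler.h:
+    (JSC::X86Assembler::fillNops):
+    
+    Source/WTF:
+    
+    * wtf/PtrTag.h:
+    (WTF::tagInt):
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236589 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-09-27  Saam barati  <sbarati@apple.com>
+
+            Verify the contents of AssemblerBuffer on arm64e
+            https://bugs.webkit.org/show_bug.cgi?id=190057
+            <rdar://problem/38916630>
+
+            Reviewed by Mark Lam.
+
+            * stress/regress-189132.js:
+
 2018-10-25  Kocsen Chung  <kocsen_chung@apple.com>
 
         Revert r237373. rdar://problem/45285669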
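--- a/branches/safari-606-branch/Source/JavaScriptCore/ChangeLog
+++ b/branches/safari-606-branch/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,120 @@
+2018-10-23  Kocsen Chung  <kocsen_chung@apple.com>
+
+        Cherry-pick r236589. rdar://problem/45285669
+
+    Verify the contents of AssemblerBuffer on arm64e
+    https://bugs.webkit.org/show_bug.cgi?id=190057
+    <rdar://problem/38916630>
+    
+    Reviewed by Mark Lam.
+    
+    JSTests:
+    
+    * stress/regress-189132.js:
+    
+    Source/JavaScriptCore:
+    
+    * assembler/ARM64Assembler.h:
+    (JSC::ARM64Assembler::ARM64Assembler):
+    (JSC::ARM64Assembler::fillNops):
+    (JSC::ARM64Assembler::link):
+    (JSC::ARM64Assembler::linkJumpOrCall):
+    (JSC::ARM64Assembler::linkCompareAndBranch):
+    (JSC::ARM64Assembler::linkConditionalBranch):
+    (JSC::ARM64Assembler::linkTestAndBranch):
+    (JSC::ARM64Assembler::unlinkedCode): Deleted.
+    * assembler/ARMAssembler.h:
+    (JSC::ARMAssembler::fillNops):
+    * assembler/ARMv7Assembler.h:
+    (JSC::ARMv7Assembler::unlinkedCode): Deleted.
+    * assembler/AbstractMacroAssembler.h:
+    (JSC::AbstractMacroAssembler::emitNops):
+    (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
+    * assembler/AssemblerBuffer.h:
+    (JSC::ARM64EHash::ARM64EHash):
+    (JSC::ARM64EHash::update):
+    (JSC::ARM64EHash::hash const):
+    (JSC::ARM64EHash::randomSeed const):
+    (JSC::AssemblerBuffer::AssemblerBuffer):
+    (JSC::AssemblerBuffer::putShort):
+    (JSC::AssemblerBuffer::putIntUnchecked):
+    (JSC::AssemblerBuffer::putInt):
+    (JSC::AssemblerBuffer::hash const):
+    (JSC::AssemblerBuffer::data const):
+    (JSC::AssemblerBuffer::putIntegralUnchecked):
+    (JSC::AssemblerBuffer::append): Deleted.
+    * assembler/LinkBuffer.cpp:
+    (JSC::LinkBuffer::copyCompactAndLinkCode):
+    * assembler/MIPSAssembler.h:
+    (JSC::MIPSAssembler::fillNops):
+    * assembler/MacroAssemblerARM64.h:
+    (JSC::MacroAssemblerARM64::jumpsToLink):
+    (JSC::MacroAssemblerARM64::link):
+    (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
+    * assembler/MacroAssemblerARMv7.h:
+    (JSC::MacroAssemblerARMv7::jumpsToLink):
+    (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
+    * assembler/X86Assembler.h:
+    (JSC::X86Assembler::fillNops):
+    
+    Source/WTF:
+    
+    * wtf/PtrTag.h:
+    (WTF::tagInt):
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236589 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-09-27  Saam barati  <sbarati@apple.com>
+
+            Verify the contents of AssemblerBuffer on arm64e
+            https://bugs.webkit.org/show_bug.cgi?id=190057
+            <rdar://problem/38916630>
+
+            Reviewed by Mark Lam.
+
+            * assembler/ARM64Assembler.h:
+            (JSC::ARM64Assembler::ARM64Assembler):
+            (JSC::ARM64Assembler::fillNops):
+            (JSC::ARM64Assembler::link):
+            (JSC::ARM64Assembler::linkJumpOrCall):
+            (JSC::ARM64Assembler::linkCompareAndBranch):
+            (JSC::ARM64Assembler::linkConditionalBranch):
+            (JSC::ARM64Assembler::linkTestAndBranch):
+            (JSC::ARM64Assembler::unlinkedCode): Deleted.
+            * assembler/ARMAssembler.h:
+            (JSC::ARMAssembler::fillNops):
+            * assembler/ARMv7Assembler.h:
+            (JSC::ARMv7Assembler::unlinkedCode): Deleted.
+            * assembler/AbstractMacroAssembler.h:
+            (JSC::AbstractMacroAssembler::emitNops):
+            (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
+            * assembler/AssemblerBuffer.h:
+            (JSC::ARM64EHash::ARM64EHash):
+            (JSC::ARM64EHash::update):
+            (JSC::ARM64EHash::hash const):
+            (JSC::ARM64EHash::randomSeed const):
+            (JSC::AssemblerBuffer::AssemblerBuffer):
+            (JSC::AssemblerBuffer::putShort):
+            (JSC::AssemblerBuffer::putIntUnchecked):
+            (JSC::AssemblerBuffer::putInt):
+            (JSC::AssemblerBuffer::hash const):
+            (JSC::AssemblerBuffer::data const):
+            (JSC::AssemblerBuffer::putIntegralUnchecked):
+            (JSC::AssemblerBuffer::append): Deleted.
+            * assembler/LinkBuffer.cpp:
+            (JSC::LinkBuffer::copyCompactAndLinkCode):
+            * assembler/MIPSAssembler.h:
+            (JSC::MIPSAssembler::fillNops):
+            * assembler/MacroAssemblerARM64.h:
+            (JSC::MacroAssemblerARM64::jumpsToLink):
+            (JSC::MacroAssemblerARM64::link):
+            (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
+            * assembler/MacroAssemblerARMv7.h:
+            (JSC::MacroAssemblerARMv7::jumpsToLink):
+            (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
+            * assembler/X86Assembler.h:
+            (JSC::X86Assembler::fillNops):
+
 2018-10-25  Kocsen Chung  <kocsen_chung@apple.com>
 
         Revert r237373. rdar://problem/45285669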
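--- a/branches/safari-606-branch/Source/JavaScriptCore/assembler/ARM64Assembler.h
+++ b/branches/safari-606-branch/Source/JavaScriptCore/assembler/ARM64Assembler.h
@@ -318,9 +318,17 @@
     static constexpr bool isZr(RegisterID reg) { return ARM64Registers::isZr(reg); }
 
 public:
-    ARM64Assembler()
+    ARM64Assembler(
+#if CPU(ARM64E)
+        unsigned randomNumber
+#endif 
+        )
         : m_indexOfLastWatchpoint(INT_MIN)
         , m_indexOfTailOfLastWatchpoint(INT_MIN)
+#if CPU(ARM64E)
+        , m_buffer(randomNumber)
+#endif
+        
     {
     }
     
@@ -1554,16 +1562,14 @@
         insn(nopPseudo());
     }
     
-    static void fillNops(void* base, size_t size, bool isCopyingToExecutableMemory)
+    template <typename CopyFunction>
+    static void fillNops(void* base, size_t size, CopyFunction copy)
     {
         RELEASE_ASSERT(!(size % sizeof(int32_t)));
         size_t n = size / sizeof(int32_t);
         for (int32_t* ptr = static_cast<int32_t*>(base); n--;) {
             int insn = nopPseudo();
-            if (isCopyingToExecutableMemory)
-                performJITMemcpy(ptr++, &insn, sizeof(int));
-            else
-                memcpy(ptr++, &insn, sizeof(int));
+            copy(ptr++, &insn, sizeof(int));
         }
     }
     
@@ -2568,7 +2574,6 @@
         return b.m_offset - a.m_offset;
     }
 
-    void* unlinkedCode() { return m_buffer.data(); }
     size_t codeSize() const { return m_buffer.codeSize(); }
 
     static unsigned getCallReturnOffset(AssemblerLabel call)
@@ -2606,13 +2611,6 @@
         m_jumpsToLink.append(LinkRecord(from.m_offset, to.m_offset, type, condition, bitNumber, compareRegister));
     }
 
-    void linkJump(AssemblerLabel from, void* executableCode, AssemblerLabel to)
-    {
-        ASSERT(from.isSet());
-        ASSERT(to.isSet());
-        relinkJumpOrCall<false>(addressOf(from), addressOf(executableCode, from), addressOf(to));
-    }
-    
     static void linkJump(void* code, AssemblerLabel from, void* to)
     {
         ASSERT(from.isSet());
@@ -2965,30 +2963,32 @@
         return m_jumpsToLink;
     }
 
-    static void ALWAYS_INLINE link(LinkRecord& record, uint8_t* from, const uint8_t* fromInstruction8, uint8_t* to)
+    typedef void* (*CopyFunction)(void*, const void*, size_t);
+
+    static void ALWAYS_INLINE link(LinkRecord& record, uint8_t* from, const uint8_t* fromInstruction8, uint8_t* to, CopyFunction copy)
     {
         const int* fromInstruction = reinterpret_cast<const int*>(fromInstruction8);
         switch (record.linkType()) {
         case LinkJumpNoCondition:
-            linkJumpOrCall<false>(reinterpret_cast<int*>(from), fromInstruction, to);
+            linkJumpOrCall<false>(reinterpret_cast<int*>(from), fromInstruction, to, copy);
             break;
         case LinkJumpConditionDirect:
-            linkConditionalBranch<true>(record.condition(), reinterpret_cast<int*>(from), fromInstruction, to);
+            linkConditionalBranch<true>(record.condition(), reinterpret_cast<int*>(from), fromInstruction, to, copy);
             break;
         case LinkJumpCondition:
-            linkConditionalBranch<false>(record.condition(), reinterpret_cast<int*>(from) - 1, fromInstruction - 1, to);
+            linkConditionalBranch<false>(record.condition(), reinterpret_cast<int*>(from) - 1, fromInstruction - 1, to, copy);
             break;
         case LinkJumpCompareAndBranchDirect:
-            linkCompareAndBranch<true>(record.condition(), record.is64Bit(), record.compareRegister(), reinterpret_cast<int*>(from), fromInstruction, to);
+            linkCompareAndBranch<true>(record.condition(), record.is64Bit(), record.compareRegister(), reinterpret_cast<int*>(from), fromInstruction, to, copy);
             break;
         case LinkJumpCompareAndBranch:
-            linkCompareAndBranch<false>(record.condition(), record.is64Bit(), record.compareRegister(), reinterpret_cast<int*>(from) - 1, fromInstruction - 1, to);
+            linkCompareAndBranch<false>(record.condition(), record.is64Bit(), record.compareRegister(), reinterpret_cast<int*>(from) - 1, fromInstruction - 1, to, copy);
             break;
         case LinkJumpTestBitDirect:
-            linkTestAndBranch<true>(record.condition(), record.bitNumber(), record.compareRegister(), reinterpret_cast<int*>(from), fromInstruction, to);
+            linkTestAndBranch<true>(record.condition(), record.bitNumber(), record.compareRegister(), reinterpret_cast<int*>(from), fromInstruction, to, copy);
             break;
         case LinkJumpTestBit:
-            linkTestAndBranch<false>(record.condition(), record.bitNumber(), record.compareRegister(), reinterpret_cast<int*>(from) - 1, fromInstruction - 1, to);
+            linkTestAndBranch<false>(record.condition(), record.bitNumber(), record.compareRegister(), reinterpret_cast<int*>(from) - 1, fromInstruction - 1, to, copy);
             break;
         default:
             ASSERT_NOT_REACHED();
@@ -3030,7 +3030,7 @@
     }
 
     template<bool isCall>
-    static void linkJumpOrCall(int* from, const int* fromInstruction, void* to)
+    static void linkJumpOrCall(int* from, const int* fromInstruction, void* to, CopyFunction copy = performJITMemcpy)
     {
         bool link;
         int imm26;
@@ -3046,11 +3046,11 @@
         ASSERT(static_cast<int>(offset) == offset);
 
         int insn = unconditionalBranchImmediate(isCall, static_cast<int>(offset));
-        performJITMemcpy(from, &insn, sizeof(int));
+        copy(from, &insn, sizeof(int));
     }
 
     template<bool isDirect>
-    static void linkCompareAndBranch(Condition condition, bool is64Bit, RegisterID rt, int* from, const int* fromInstruction, void* to)
+    static void linkCompareAndBranch(Condition condition, bool is64Bit, RegisterID rt, int* from, const int* fromInstruction, void* to, CopyFunction copy = performJITMemcpy)
     {
         ASSERT(!(reinterpret_cast<intptr_t>(from) & 3));
         ASSERT(!(reinterpret_cast<intptr_t>(to) & 3));
@@ -3062,20 +3062,20 @@
 
         if (useDirect || isDirect) {
             int insn = compareAndBranchImmediate(is64Bit ? Datasize_64 : Datasize_32, condition == ConditionNE, static_cast<int>(offset), rt);
-            performJITMemcpy(from, &insn, sizeof(int));
+            copy(from, &insn, sizeof(int));
             if (!isDirect) {
                 insn = nopPseudo();
-                performJITMemcpy(from + 1, &insn, sizeof(int));
+                copy(from + 1, &insn, sizeof(int));
             }
         } else {
             int insn = compareAndBranchImmediate(is64Bit ? Datasize_64 : Datasize_32, invert(condition) == ConditionNE, 2, rt);
-            performJITMemcpy(from, &insn, sizeof(int));
-            linkJumpOrCall<false>(from + 1, fromInstruction + 1, to);
+            copy(from, &insn, sizeof(int));
+            linkJumpOrCall<false>(from + 1, fromInstruction + 1, to, copy);
         }
     }
 
     template<bool isDirect>
-    static void linkConditionalBranch(Condition condition, int* from, const int* fromInstruction, void* to)
+    static void linkConditionalBranch(Condition condition, int* from, const int* fromInstruction, void* to, CopyFunction copy = performJITMemcpy)
     {
         ASSERT(!(reinterpret_cast<intptr_t>(from) & 3));
         ASSERT(!(reinterpret_cast<intptr_t>(to) & 3));
@@ -3087,20 +3087,20 @@
 
         if (useDirect || isDirect) {
             int insn = conditionalBranchImmediate(static_cast<int>(offset), condition);
-            performJITMemcpy(from, &insn, sizeof(int));
+            copy(from, &insn, sizeof(int));
             if (!isDirect) {
                 insn = nopPseudo();
-                performJITMemcpy(from + 1, &insn, sizeof(int));
+                copy(from + 1, &insn, sizeof(int));
             }
         } else {
             int insn = conditionalBranchImmediate(2, invert(condition));
-            performJITMemcpy(from, &insn, sizeof(int));
-            linkJumpOrCall<false>(from + 1, fromInstruction + 1, to);
+            copy(from, &insn, sizeof(int));
+            linkJumpOrCall<false>(from + 1, fromInstruction + 1, to, copy);
         }
     }
 
     template<bool isDirect>
-    static void linkTestAndBranch(Condition condition, unsigned bitNumber, RegisterID rt, int* from, const int* fromInstruction, void* to)
+    static void linkTestAndBranch(Condition condition, unsigned bitNumber, RegisterID rt, int* from, const int* fromInstruction, void* to, CopyFunction copy = performJITMemcpy)
     {
         ASSERT(!(reinterpret_cast<intptr_t>(from) & 3));
         ASSERT(!(reinterpret_cast<intptr_t>(to) & 3));
@@ -3113,15 +3113,15 @@
 
         if (useDirect || isDirect) {
             int insn = testAndBranchImmediate(condition == ConditionNE, static_cast<int>(bitNumber), static_cast<int>(offset), rt);
-            performJITMemcpy(from, &insn, sizeof(int));
+            copy(from, &insn, sizeof(int));
             if (!isDirect) {
                 insn = nopPseudo();
-                performJITMemcpy(from + 1, &insn, sizeof(int));
+                copy(from + 1, &insn, sizeof(int));
             }
         } else {
             int insn = testAndBranchImmediate(invert(condition) == ConditionNE, static_cast<int>(bitNumber), 2, rt);
-            performJITMemcpy(from, &insn, sizeof(int));
-            linkJumpOrCall<false>(from + 1, fromInstruction + 1, to);
+            copy(from, &insn, sizeof(int));
+            linkJumpOrCall<false>(from + 1, fromInstruction + 1, to, copy);
         }
     }
 
@@ -3179,11 +3179,6 @@
         return reinterpret_cast<int*>(static_cast<char*>(code) + label.m_offset);
     }
 
-    int* addressOf(AssemblerLabel label)
-    {
-        return addressOf(m_buffer.data(), label);
-    }
-
     static RegisterID disassembleXOrSp(int reg) { return reg == 31 ? ARM64Registers::sp : static_cast<RegisterID>(reg); }
     static RegisterID disassembleXOrZr(int reg) { return reg == 31 ? ARM64Registers::zr : static_cast<RegisterID>(reg); }
     static RegisterID disassembleXOrZrOrSp(bool useZr, int reg) { return reg == 31 ? (useZr ? ARM64Registers::zr : ARM64Registers::sp) : static_cast<RegisterID>(reg); }
@@ -3759,10 +3754,10 @@
 #endif
     }
 
-    AssemblerBuffer m_buffer;
     Vector<LinkRecord, 0, UnsafeVectorOverflow> m_jumpsToLink;
     int m_indexOfLastWatchpoint;
     int m_indexOfTailOfLastWatchpoint;
+    AssemblerBuffer m_buffer;
 
 public:
     static constexpr ptrdiff_t MAX_POINTER_BITS = 48;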
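Review bot: The new `CopyFunction` typedef introduced just above `link()` carries a safety contract that nothing in the hunk states: the `copy` callback is what decides whether a linked branch is written through the JIT write path (`performJITMemcpy`) or by a plain store, and while `linkJumpOrCall`/`linkCompareAndBranch`/`linkConditionalBranch`/`linkTestAndBranch` default it to `performJITMemcpy`, `link()` itself has no default, so a caller handing it `memcpy` for an executable destination would silently bypass the protected write path. I would pin that down at the typedef with `// Writer used for every instruction emitted by link(). Must be performJITMemcpy whenever `from` points into executable memory; a plain memcpy is only acceptable for a not-yet-executable scratch buffer.` The typedef is also inconsistent with `fillNops` in the second hunk, which takes the copier as a template parameter and so presumably accepts capturing lambdas that a bare function-pointer type cannot; using one form for both would avoid that surprise. Minor: the constructor hunk leaves a trailing space after `#endif ` and a whitespace-only line inside the initializer list before `{`.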
<a id="branchessafari606branchSourceJavaScriptCoreassemblerARMAssemblerh"></a>
<div class="modfile"><h4>Modified: branches/safari-606-branch/Source/JavaScriptCore/assembler/ARMAssembler.h (237469 => 237470)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-606-branch/Source/JavaScriptCore/assembler/ARMAssembler.h        2018-10-26 18:30:13 UTC (rev 237469)
+++ branches/safari-606-branch/Source/JavaScriptCore/assembler/ARMAssembler.h   2018-10-26 18:51:19 UTC (rev 237470)
</span><span class="lines">@@ -750,9 +750,10 @@
</span><span class="cx">             m_buffer.putInt(NOP);
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        static void fillNops(void* base, size_t size, bool isCopyingToExecutableMemory)
</del><ins>+        template <typename CopyFunction>
+        static void fillNops(void* base, size_t size, CopyFunction copy)
</ins><span class="cx">         {
</span><del>-            UNUSED_PARAM(isCopyingToExecutableMemory);
</del><ins>+            UNUSED_PARAM(copy);
</ins><span class="cx">             RELEASE_ASSERT(!(size % sizeof(int32_t)));
</span><span class="cx"> 
</span><span class="cx">             int32_t* ptr = static_cast<int32_t*>(base);
</span></span></pre></div>
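Review bot: The new `copy` parameter of `fillNops` is accepted and immediately discarded by `UNUSED_PARAM(copy)`, so the nop words that follow (`int32_t* ptr = static_cast<int32_t*>(base);` and, presumably, plain stores through it) never go through the caller's copy function; the MIPSAssembler.h and X86Assembler.h hunks in this commit do the same, while ARMv7Assembler.h honours `copy`. That is only safe while every caller hands over a destination the calling thread may write with ordinary stores, which holds for the two visible callers (`emitNops` in AbstractMacroAssembler.h and the `!m_executableMemory` branch in LinkBuffer.cpp both pass `memcpy`), but nothing in the signature says so and a future caller passing `performJITMemcpy` would silently get direct stores instead. Suggest a one-line comment above `UNUSED_PARAM(copy)`: `// copy is deliberately ignored: base must be memory this thread can write with plain stores.` The rest of fillNops lies outside the hunk.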
<a id="branchessafari606branchSourceJavaScriptCoreassemblerARMv7Assemblerh"></a>
<div class="modfile"><h4>Modified: branches/safari-606-branch/Source/JavaScriptCore/assembler/ARMv7Assembler.h (237469 => 237470)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-606-branch/Source/JavaScriptCore/assembler/ARMv7Assembler.h      2018-10-26 18:30:13 UTC (rev 237469)
+++ branches/safari-606-branch/Source/JavaScriptCore/assembler/ARMv7Assembler.h 2018-10-26 18:51:19 UTC (rev 237470)
</span><span class="lines">@@ -2055,7 +2055,8 @@
</span><span class="cx">         return OP_NOP_T2a | (OP_NOP_T2b << 16);
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    static void fillNops(void* base, size_t size, bool isCopyingToExecutableMemory)
</del><ins>+    template <typename CopyFunction>
+    static void fillNops(void* base, size_t size, CopyFunction copy)
</ins><span class="cx">     {
</span><span class="cx">         RELEASE_ASSERT(!(size % sizeof(int16_t)));
</span><span class="cx"> 
</span><span class="lines">@@ -2063,10 +2064,7 @@
</span><span class="cx">         const size_t num32s = size / sizeof(int32_t);
</span><span class="cx">         for (size_t i = 0; i < num32s; i++) {
</span><span class="cx">             const int32_t insn = nopPseudo32();
</span><del>-            if (isCopyingToExecutableMemory)
-                performJITMemcpy(ptr, &insn, sizeof(int32_t));
-            else
-                memcpy(ptr, &insn, sizeof(int32_t));
</del><ins>+            copy(ptr, &insn, sizeof(int32_t));
</ins><span class="cx">             ptr += sizeof(int32_t);
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="lines">@@ -2075,10 +2073,7 @@
</span><span class="cx">         ASSERT(num16s * sizeof(int16_t) + num32s * sizeof(int32_t) == size);
</span><span class="cx">         if (num16s) {
</span><span class="cx">             const int16_t insn = nopPseudo16();
</span><del>-            if (isCopyingToExecutableMemory)
-                performJITMemcpy(ptr, &insn, sizeof(int16_t));
-            else
-                memcpy(ptr, &insn, sizeof(int16_t));
</del><ins>+            copy(ptr, &insn, sizeof(int16_t));
</ins><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -2245,7 +2240,6 @@
</span><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    void* unlinkedCode() { return m_formatter.data(); }
</del><span class="cx">     size_t codeSize() const { return m_formatter.codeSize(); }
</span><span class="cx"> 
</span><span class="cx">     static unsigned getCallReturnOffset(AssemblerLabel call)
</span></span></pre></div>
<a id="branchessafari606branchSourceJavaScriptCoreassemblerAbstractMacroAssemblerh"></a>
<div class="modfile"><h4>Modified: branches/safari-606-branch/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h (237469 => 237470)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-606-branch/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h      2018-10-26 18:30:13 UTC (rev 237469)
+++ branches/safari-606-branch/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h 2018-10-26 18:51:19 UTC (rev 237470)
</span><span class="lines">@@ -862,8 +862,6 @@
</span><span class="cx">         AssemblerType::cacheFlush(code, size);
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    AssemblerType m_assembler;
-    
</del><span class="cx">     template<PtrTag tag>
</span><span class="cx">     static void linkJump(void* code, Jump jump, CodeLocationLabel<tag> target)
</span><span class="cx">     {
</span><span class="lines">@@ -962,13 +960,18 @@
</span><span class="cx"> 
</span><span class="cx">     void emitNops(size_t memoryToFillWithNopsInBytes)
</span><span class="cx">     {
</span><ins>+#if CPU(ARM64)
+        RELEASE_ASSERT(memoryToFillWithNopsInBytes % 4 == 0);
+        for (unsigned i = 0; i < memoryToFillWithNopsInBytes / 4; ++i)
+            m_assembler.nop();
+#else
</ins><span class="cx">         AssemblerBuffer& buffer = m_assembler.buffer();
</span><span class="cx">         size_t startCodeSize = buffer.codeSize();
</span><span class="cx">         size_t targetCodeSize = startCodeSize + memoryToFillWithNopsInBytes;
</span><span class="cx">         buffer.ensureSpace(memoryToFillWithNopsInBytes);
</span><del>-        bool isCopyingToExecutableMemory = false;
-        AssemblerType::fillNops(static_cast<char*>(buffer.data()) + startCodeSize, memoryToFillWithNopsInBytes, isCopyingToExecutableMemory);
</del><ins>+        AssemblerType::fillNops(static_cast<char*>(buffer.data()) + startCodeSize, memoryToFillWithNopsInBytes, memcpy);
</ins><span class="cx">         buffer.setCodeSize(targetCodeSize);
</span><ins>+#endif
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     ALWAYS_INLINE void tagReturnAddress() { }
</span><span class="lines">@@ -983,6 +986,11 @@
</span><span class="cx"> protected:
</span><span class="cx">     AbstractMacroAssembler()
</span><span class="cx">         : m_randomSource(0)
</span><ins>+#if CPU(ARM64E)
+        , m_assembler(random())
+#else
+        , m_assembler()
+#endif
</ins><span class="cx">     {
</span><span class="cx">         invalidateAllTempRegisters();
</span><span class="cx">     }
</span><span class="lines">@@ -998,6 +1006,9 @@
</span><span class="cx"> 
</span><span class="cx">     bool m_randomSourceIsInitialized { false };
</span><span class="cx">     WeakRandom m_randomSource;
</span><ins>+public:
+    AssemblerType m_assembler;
+protected:
</ins><span class="cx"> 
</span><span class="cx"> #if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION)
</span><span class="cx">     Vector<RegisterAllocationOffset, 10> m_registerAllocationForOffsets;
</span></span></pre></div>
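Review bot: The new mem-initializer `m_assembler(random())` in the `CPU(ARM64E)` branch of the constructor is only correct because `m_assembler` is now declared after `m_randomSource` (last hunk), so the member function runs on an already-constructed random source; nothing pins that ordering, and reordering the members later would silently seed the buffer hash from an uninitialised `WeakRandom`. Suggest a comment on the new declaration: `// Must stay declared after m_randomSource: the constructor seeds it with random().` The `public:` / `protected:` toggle around `AssemblerType m_assembler;` exposes the assembler to every user of the macro assembler in order to give `LinkBuffer` access; `friend class LinkBuffer;`, as AssemblerBuffer.h does in this same commit, would keep the member protected. I cannot see `random()` from here, so the assumption that it draws from `m_randomSource` is inferred.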
<a id="branchessafari606branchSourceJavaScriptCoreassemblerAssemblerBufferh"></a>
<div class="modfile"><h4>Modified: branches/safari-606-branch/Source/JavaScriptCore/assembler/AssemblerBuffer.h (237469 => 237470)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-606-branch/Source/JavaScriptCore/assembler/AssemblerBuffer.h     2018-10-26 18:30:13 UTC (rev 237469)
+++ branches/safari-606-branch/Source/JavaScriptCore/assembler/AssemblerBuffer.h        2018-10-26 18:51:19 UTC (rev 237470)
</span><span class="lines">@@ -33,10 +33,15 @@
</span><span class="cx"> #include <string.h>
</span><span class="cx"> #include <wtf/Assertions.h>
</span><span class="cx"> #include <wtf/FastMalloc.h>
</span><ins>+#if CPU(ARM64E)
+#include <wtf/PtrTag.h>
+#endif
</ins><span class="cx"> #include <wtf/StdLibExtras.h>
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><ins>+    class LinkBuffer;
+
</ins><span class="cx">     struct AssemblerLabel {
</span><span class="cx">         AssemblerLabel()
</span><span class="cx">             : m_offset(std::numeric_limits<uint32_t>::max())
</span><span class="lines">@@ -140,11 +145,37 @@
</span><span class="cx">         unsigned m_capacity;
</span><span class="cx">     };
</span><span class="cx"> 
</span><ins>+#if CPU(ARM64E)
+    class ARM64EHash {
+    public:
+        ARM64EHash(unsigned randomNumber)
+            : m_hash(randomNumber)
+            , m_randomSeed(randomNumber)
+        { }
+        ALWAYS_INLINE void update(unsigned value, uintptr_t index)
+        {
+            m_hash = tagInt((static_cast<uintptr_t>(value) + m_hash) ^ (m_hash >> 32), static_cast<PtrTag>(index));
+        }
+        uintptr_t hash() const { return m_hash; }
+        unsigned randomSeed() const { return m_randomSeed; }
+    private:
+        uintptr_t m_hash;
+        unsigned m_randomSeed;
+    };
+#endif
+
</ins><span class="cx">     class AssemblerBuffer {
</span><span class="cx">     public:
</span><del>-        AssemblerBuffer()
</del><ins>+        AssemblerBuffer(
+#if CPU(ARM64E)
+            unsigned randomNumber
+#endif
+        )
</ins><span class="cx">             : m_storage()
</span><span class="cx">             , m_index(0)
</span><ins>+#if CPU(ARM64E)
+            , m_hash(randomNumber)
+#endif
</ins><span class="cx">         {
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="lines">@@ -164,25 +195,23 @@
</span><span class="cx">             return !(m_index & (alignment - 1));
</span><span class="cx">         }
</span><span class="cx"> 
</span><ins>+#if !CPU(ARM64)
</ins><span class="cx">         void putByteUnchecked(int8_t value) { putIntegralUnchecked(value); }
</span><span class="cx">         void putByte(int8_t value) { putIntegral(value); }
</span><span class="cx">         void putShortUnchecked(int16_t value) { putIntegralUnchecked(value); }
</span><span class="cx">         void putShort(int16_t value) { putIntegral(value); }
</span><ins>+        void putInt64Unchecked(int64_t value) { putIntegralUnchecked(value); }
+        void putInt64(int64_t value) { putIntegral(value); }
+#endif
</ins><span class="cx">         void putIntUnchecked(int32_t value) { putIntegralUnchecked(value); }
</span><span class="cx">         void putInt(int32_t value) { putIntegral(value); }
</span><del>-        void putInt64Unchecked(int64_t value) { putIntegralUnchecked(value); }
-        void putInt64(int64_t value) { putIntegral(value); }
</del><span class="cx"> 
</span><del>-        void* data() const
-        {
-            return m_storage.buffer();
-        }
-
</del><span class="cx">         size_t codeSize() const
</span><span class="cx">         {
</span><span class="cx">             return m_index;
</span><span class="cx">         }
</span><span class="cx"> 
</span><ins>+#if !CPU(ARM64)
</ins><span class="cx">         void setCodeSize(size_t index)
</span><span class="cx">         {
</span><span class="cx">             // Warning: Only use this if you know exactly what you are doing.
</span><span class="lines">@@ -191,6 +220,7 @@
</span><span class="cx">             m_index = index;
</span><span class="cx">             ASSERT(m_index <= m_storage.capacity());
</span><span class="cx">         }
</span><ins>+#endif
</ins><span class="cx"> 
</span><span class="cx">         AssemblerLabel label() const
</span><span class="cx">         {
</span><span class="lines">@@ -208,6 +238,7 @@
</span><span class="cx">         //
</span><span class="cx">         // LocalWriter *CANNOT* be mixed with other types of access to AssemblerBuffer.
</span><span class="cx">         // AssemblerBuffer cannot be used until its LocalWriter goes out of scope.
</span><ins>+#if !CPU(ARM64) // If we ever need to use this on arm64e, we would need to make the checksum aware of this.
</ins><span class="cx">         class LocalWriter {
</span><span class="cx">         public:
</span><span class="cx">             LocalWriter(AssemblerBuffer& buffer, unsigned requiredSpace)
</span><span class="lines">@@ -250,7 +281,17 @@
</span><span class="cx">             unsigned m_requiredSpace;
</span><span class="cx"> #endif
</span><span class="cx">         };
</span><ins>+#endif // !CPU(ARM64)
</ins><span class="cx"> 
</span><ins>+#if CPU(ARM64E)
+        ARM64EHash hash() const { return m_hash; }
+#endif
+
+#if !CPU(ARM64) // If we were to define this on arm64e, we'd need a way to update the hash as we write directly into the buffer.
+        void* data() const { return m_storage.buffer(); }
+#endif
+
+
</ins><span class="cx">     protected:
</span><span class="cx">         template<typename IntegralType>
</span><span class="cx">         void putIntegral(IntegralType value)
</span><span class="lines">@@ -266,35 +307,38 @@
</span><span class="cx">         template<typename IntegralType>
</span><span class="cx">         void putIntegralUnchecked(IntegralType value)
</span><span class="cx">         {
</span><ins>+#if CPU(ARM64)
+            static_assert(sizeof(value) == 4, "");
+#if CPU(ARM64E)
+            m_hash.update(value, m_index);
+#endif
+#endif
</ins><span class="cx">             ASSERT(isAvailable(sizeof(IntegralType)));
</span><span class="cx">             *reinterpret_cast_ptr<IntegralType*>(m_storage.buffer() + m_index) = value;
</span><span class="cx">             m_index += sizeof(IntegralType);
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        void append(const char* data, int size)
-        {
-            if (!isAvailable(size))
-                grow(size);
-
-            memcpy(m_storage.buffer() + m_index, data, size);
-            m_index += size;
-        }
-
</del><ins>+    private:
</ins><span class="cx">         void grow(int extraCapacity = 0)
</span><span class="cx">         {
</span><span class="cx">             m_storage.grow(extraCapacity);
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-    private:
</del><span class="cx">         NEVER_INLINE void outOfLineGrow()
</span><span class="cx">         {
</span><span class="cx">             m_storage.grow();
</span><span class="cx">         }
</span><span class="cx"> 
</span><ins>+#if !CPU(ARM64)
</ins><span class="cx">         friend LocalWriter;
</span><ins>+#endif
+        friend LinkBuffer;
</ins><span class="cx"> 
</span><span class="cx">         AssemblerData m_storage;
</span><span class="cx">         unsigned m_index;
</span><ins>+#if CPU(ARM64E)
+        ARM64EHash m_hash;
+#endif
</ins><span class="cx">     };
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
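Review bot: `ARM64EHash` carries no comment saying what it is for, and the design is easy to misread: `update` folds every 4-byte word written through `putIntegralUnchecked` into a running value keyed on the byte index, and LinkBuffer.cpp recomputes the same chain while copying, so that any write that bypassed `putIntegralUnchecked` is detected before the code is published — which is why `data()`, `setCodeSize` and `LocalWriter` are compiled out on ARM64 and `append` is removed. A class comment along those lines, plus `// index is the byte offset of the word in the buffer; LinkBuffer must feed back exactly the same sequence.` on `update`, would keep the next maintainer from reintroducing a raw-write path. Two smaller points: `m_hash >> 32` assumes a 64-bit `uintptr_t`, true under `CPU(ARM64E)` but worth `static_assert(sizeof(uintptr_t) == 8, "");` next to it, and the ARM64 `static_assert(sizeof(value) == 4, "");` in `putIntegralUnchecked` deserves a note that the hash therefore only covers whole instructions.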
<a id="branchessafari606branchSourceJavaScriptCoreassemblerLinkBuffercpp"></a>
<div class="modfile"><h4>Modified: branches/safari-606-branch/Source/JavaScriptCore/assembler/LinkBuffer.cpp (237469 => 237470)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-606-branch/Source/JavaScriptCore/assembler/LinkBuffer.cpp        2018-10-26 18:30:13 UTC (rev 237469)
+++ branches/safari-606-branch/Source/JavaScriptCore/assembler/LinkBuffer.cpp   2018-10-26 18:51:19 UTC (rev 237470)
</span><span class="lines">@@ -109,14 +109,24 @@
</span><span class="cx">     m_assemblerStorage = macroAssembler.m_assembler.buffer().releaseAssemblerData();
</span><span class="cx">     uint8_t* inData = reinterpret_cast<uint8_t*>(m_assemblerStorage.buffer());
</span><span class="cx"> 
</span><ins>+    uint8_t* codeOutData = m_code.dataLocation<uint8_t*>();
+#if CPU(ARM64E)
+    const ARM64EHash assemblerBufferHash = macroAssembler.m_assembler.buffer().hash();
+    ARM64EHash verifyUncompactedHash(assemblerBufferHash.randomSeed());
+    uint8_t* outData = codeOutData;
+#else
</ins><span class="cx">     AssemblerData outBuffer(m_size);
</span><del>-
</del><span class="cx">     uint8_t* outData = reinterpret_cast<uint8_t*>(outBuffer.buffer());
</span><del>-    uint8_t* codeOutData = m_code.dataLocation<uint8_t*>();
</del><ins>+#endif
</ins><span class="cx"> 
</span><span class="cx">     int readPtr = 0;
</span><span class="cx">     int writePtr = 0;
</span><span class="cx">     unsigned jumpCount = jumpsToLink.size();
</span><ins>+
+#if CPU(ARM64E)
+    os_thread_self_restrict_rwx_to_rw();
+#endif
+
</ins><span class="cx">     if (m_shouldPerformBranchCompaction) {
</span><span class="cx">         for (unsigned i = 0; i < jumpCount; ++i) {
</span><span class="cx">             int offset = readPtr - writePtr;
</span><span class="lines">@@ -130,8 +140,18 @@
</span><span class="cx">             ASSERT(!(regionSize % 2));
</span><span class="cx">             ASSERT(!(readPtr % 2));
</span><span class="cx">             ASSERT(!(writePtr % 2));
</span><del>-            while (copySource != copyEnd)
-                *copyDst++ = *copySource++;
</del><ins>+#if CPU(ARM64E)
+            unsigned index = readPtr;
+#endif
+            while (copySource != copyEnd) {
+                InstructionType insn = *copySource++;
+#if CPU(ARM64E)
+                static_assert(sizeof(InstructionType) == 4, "");
+                verifyUncompactedHash.update(insn, index);
+                index += sizeof(InstructionType);
+#endif
+                *copyDst++ = insn;
+            }
</ins><span class="cx">             recordLinkOffsets(m_assemblerStorage, readPtr, jumpsToLink[i].from(), offset);
</span><span class="cx">             readPtr += regionSize;
</span><span class="cx">             writePtr += regionSize;
</span><span class="lines">@@ -162,30 +182,77 @@
</span><span class="cx">                 ASSERT(!MacroAssembler::canCompact(jumpsToLink[i].type()));
</span><span class="cx">         }
</span><span class="cx">     }
</span><ins>+
</ins><span class="cx">     // Copy everything after the last jump
</span><del>-    memcpy(outData + writePtr, inData + readPtr, initialSize - readPtr);
</del><ins>+    {
+        InstructionType* dst = bitwise_cast<InstructionType*>(outData + writePtr);
+        InstructionType* src = bitwise_cast<InstructionType*>(inData + readPtr);
+        size_t bytes = initialSize - readPtr;
+
+        RELEASE_ASSERT(bitwise_cast<uintptr_t>(dst) % sizeof(InstructionType) == 0);
+        RELEASE_ASSERT(bitwise_cast<uintptr_t>(src) % sizeof(InstructionType) == 0);
+        RELEASE_ASSERT(bytes % sizeof(InstructionType) == 0);
+
+#if CPU(ARM64E)
+        unsigned index = readPtr;
+#endif
+
+        for (size_t i = 0; i < bytes; i += sizeof(InstructionType)) {
+            InstructionType insn = *src++;
+#if CPU(ARM64E)
+            verifyUncompactedHash.update(insn, index);
+            index += sizeof(InstructionType);
+#endif
+            *dst++ = insn;
+        }
+    }
+
+#if CPU(ARM64E)
+    if (verifyUncompactedHash.hash() != assemblerBufferHash.hash()) {
+        dataLogLn("Hashes don't match: ", RawPointer(bitwise_cast<void*>(verifyUncompactedHash.hash())), " ", RawPointer(bitwise_cast<void*>(assemblerBufferHash.hash())));
+        dataLogLn("Crashing!");
+        CRASH();
+    }
+#endif
+
</ins><span class="cx">     recordLinkOffsets(m_assemblerStorage, readPtr, initialSize, readPtr - writePtr);
</span><span class="cx">         
</span><span class="cx">     for (unsigned i = 0; i < jumpCount; ++i) {
</span><ins>+#if CPU(ARM64E)
+        auto memcpyFunction = memcpy;
+#else
+        auto memcpyFunction = performJITMemcpy;
+#endif
+
</ins><span class="cx">         uint8_t* location = codeOutData + jumpsToLink[i].from();
</span><span class="cx">         uint8_t* target = codeOutData + jumpsToLink[i].to() - executableOffsetFor(jumpsToLink[i].to());
</span><del>-        MacroAssembler::link(jumpsToLink[i], outData + jumpsToLink[i].from(), location, target);
</del><ins>+        MacroAssembler::link(jumpsToLink[i], outData + jumpsToLink[i].from(), location, target, memcpyFunction);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><del>-    jumpsToLink.clear();
</del><ins>+    size_t compactSize = writePtr + initialSize - readPtr;
+    if (!m_executableMemory) {
+        size_t nopSizeInBytes = initialSize - compactSize;
+        MacroAssembler::AssemblerType_T::fillNops(outData + compactSize, nopSizeInBytes, memcpy);
+    }
</ins><span class="cx"> 
</span><del>-    size_t compactSize = writePtr + initialSize - readPtr;
</del><ins>+#if CPU(ARM64E)
+    os_thread_self_restrict_rwx_to_rx();
+#endif
+
</ins><span class="cx">     if (m_executableMemory) {
</span><span class="cx">         m_size = compactSize;
</span><span class="cx">         m_executableMemory->shrink(m_size);
</span><del>-    } else {
-        size_t nopSizeInBytes = initialSize - compactSize;
-        bool isCopyingToExecutableMemory = false;
-        MacroAssembler::AssemblerType_T::fillNops(outData + compactSize, nopSizeInBytes, isCopyingToExecutableMemory);
</del><span class="cx">     }
</span><span class="cx"> 
</span><ins>+#if !CPU(ARM64E)
+    ASSERT(codeOutData != outData);
</ins><span class="cx">     performJITMemcpy(codeOutData, outData, m_size);
</span><ins>+#else
+    ASSERT(codeOutData == outData);
+#endif
</ins><span class="cx"> 
</span><ins>+    jumpsToLink.clear();
+
</ins><span class="cx"> #if DUMP_LINK_STATISTICS
</span><span class="cx">     dumpLinkStatistics(codeOutData, initialSize, m_size);
</span><span class="cx"> #endif
</span></span></pre></div>
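Review bot: `os_thread_self_restrict_rwx_to_rw()` in the first hunk and the matching `os_thread_self_restrict_rwx_to_rx()` in the last hunk are separated by the whole compaction, verification and linking sequence with no scope guard, so any early return, exception or assertion added between them would leave the calling thread with writable JIT memory for the rest of its life. The enclosing function starts before the first hunk and the stretch between the compaction loop and the tail copy is not visible, so I cannot confirm there is no early exit today; an RAII guard that flips to RW in its constructor and back to RX in its destructor, scoped to end where the `_to_rx()` call sits now, would make the invariant hold by construction. It is also the place to document that on ARM64E `outData` aliases the executable region (`uint8_t* outData = codeOutData;`), so every instruction written before the hash comparison is already in executable memory and is safe only because the mismatch path ends in `CRASH()`; a comment on that call such as `// Must stay fatal: the unverified instructions are already in the executable region.` would keep a later refactor from downgrading it to an error return. Separately, the non-ARM64E branch selects `performJITMemcpy` for `link` even though `outData` there is a scratch `AssemblerData`; if that relies on `performJITMemcpy` falling back to a plain copy for non-JIT destinations, say so next to `auto memcpyFunction = performJITMemcpy;`.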
<a id="branchessafari606branchSourceJavaScriptCoreassemblerMIPSAssemblerh"></a>
<div class="modfile"><h4>Modified: branches/safari-606-branch/Source/JavaScriptCore/assembler/MIPSAssembler.h (237469 => 237470)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-606-branch/Source/JavaScriptCore/assembler/MIPSAssembler.h       2018-10-26 18:30:13 UTC (rev 237469)
+++ branches/safari-606-branch/Source/JavaScriptCore/assembler/MIPSAssembler.h  2018-10-26 18:51:19 UTC (rev 237470)
</span><span class="lines">@@ -264,9 +264,10 @@
</span><span class="cx">         emitInst(0x00000000);
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    static void fillNops(void* base, size_t size, bool isCopyingToExecutableMemory)
</del><ins>+    template <typename CopyFunction>
+    static void fillNops(void* base, size_t size, CopyFunction copy)
</ins><span class="cx">     {
</span><del>-        UNUSED_PARAM(isCopyingToExecutableMemory);
</del><ins>+        UNUSED_PARAM(copy);
</ins><span class="cx">         RELEASE_ASSERT(!(size % sizeof(int32_t)));
</span><span class="cx"> 
</span><span class="cx">         int32_t* ptr = static_cast<int32_t*>(base);
</span></span></pre></div>
<a id="branchessafari606branchSourceJavaScriptCoreassemblerMacroAssemblerARM64h"></a>
<div class="modfile"><h4>Modified: branches/safari-606-branch/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h (237469 => 237470)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-606-branch/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h 2018-10-26 18:30:13 UTC (rev 237469)
+++ branches/safari-606-branch/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h    2018-10-26 18:51:19 UTC (rev 237470)
</span><span class="lines">@@ -79,12 +79,12 @@
</span><span class="cx">     static const Assembler::JumpType DefaultJump = Assembler::JumpNoConditionFixedSize;
</span><span class="cx"> 
</span><span class="cx">     Vector<LinkRecord, 0, UnsafeVectorOverflow>& jumpsToLink() { return m_assembler.jumpsToLink(); }
</span><del>-    void* unlinkedCode() { return m_assembler.unlinkedCode(); }
</del><span class="cx">     static bool canCompact(JumpType jumpType) { return Assembler::canCompact(jumpType); }
</span><span class="cx">     static JumpLinkType computeJumpType(JumpType jumpType, const uint8_t* from, const uint8_t* to) { return Assembler::computeJumpType(jumpType, from, to); }
</span><span class="cx">     static JumpLinkType computeJumpType(LinkRecord& record, const uint8_t* from, const uint8_t* to) { return Assembler::computeJumpType(record, from, to); }
</span><span class="cx">     static int jumpSizeDelta(JumpType jumpType, JumpLinkType jumpLinkType) { return Assembler::jumpSizeDelta(jumpType, jumpLinkType); }
</span><del>-    static void link(LinkRecord& record, uint8_t* from, const uint8_t* fromInstruction, uint8_t* to) { return Assembler::link(record, from, fromInstruction, to); }
</del><ins>+    template <typename CopyFunction>
+    static void link(LinkRecord& record, uint8_t* from, const uint8_t* fromInstruction, uint8_t* to, CopyFunction copy) { return Assembler::link(record, from, fromInstruction, to, copy); }
</ins><span class="cx"> 
</span><span class="cx">     static const Scale ScalePtr = TimesEight;
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari606branchSourceJavaScriptCoreassemblerMacroAssemblerARMv7h"></a>
<div class="modfile"><h4>Modified: branches/safari-606-branch/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h (237469 => 237470)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-606-branch/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h 2018-10-26 18:30:13 UTC (rev 237469)
+++ branches/safari-606-branch/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h    2018-10-26 18:51:19 UTC (rev 237470)
</span><span class="lines">@@ -65,7 +65,6 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     Vector<LinkRecord, 0, UnsafeVectorOverflow>& jumpsToLink() { return m_assembler.jumpsToLink(); }
</span><del>-    void* unlinkedCode() { return m_assembler.unlinkedCode(); }
</del><span class="cx">     static bool canCompact(JumpType jumpType) { return ARMv7Assembler::canCompact(jumpType); }
</span><span class="cx">     static JumpLinkType computeJumpType(JumpType jumpType, const uint8_t* from, const uint8_t* to) { return ARMv7Assembler::computeJumpType(jumpType, from, to); }
</span><span class="cx">     static JumpLinkType computeJumpType(LinkRecord& record, const uint8_t* from, const uint8_t* to) { return ARMv7Assembler::computeJumpType(record, from, to); }
</span></span></pre></div>
<a id="branchessafari606branchSourceJavaScriptCoreassemblerX86Assemblerh"></a>
<div class="modfile"><h4>Modified: branches/safari-606-branch/Source/JavaScriptCore/assembler/X86Assembler.h (237469 => 237470)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-606-branch/Source/JavaScriptCore/assembler/X86Assembler.h        2018-10-26 18:30:13 UTC (rev 237469)
+++ branches/safari-606-branch/Source/JavaScriptCore/assembler/X86Assembler.h   2018-10-26 18:51:19 UTC (rev 237470)
</span><span class="lines">@@ -3902,9 +3902,10 @@
</span><span class="cx">         m_formatter.oneByteOp(OP_NOP);
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    static void fillNops(void* base, size_t size, bool isCopyingToExecutableMemory)
</del><ins>+    template <typename CopyFunction>
+    static void fillNops(void* base, size_t size, CopyFunction copy)
</ins><span class="cx">     {
</span><del>-        UNUSED_PARAM(isCopyingToExecutableMemory);
</del><ins>+        UNUSED_PARAM(copy);
</ins><span class="cx"> #if CPU(X86_64)
</span><span class="cx">         static const uint8_t nops[10][10] = {
</span><span class="cx">             // nop
</span></span></pre></div>
<a id="branchessafari606branchSourceWTFChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-606-branch/Source/WTF/ChangeLog (237469 => 237470)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-606-branch/Source/WTF/ChangeLog  2018-10-26 18:30:13 UTC (rev 237469)
+++ branches/safari-606-branch/Source/WTF/ChangeLog     2018-10-26 18:51:19 UTC (rev 237470)
</span><span class="lines">@@ -1,3 +1,80 @@
</span><ins>+2018-10-23  Kocsen Chung  <kocsen_chung@apple.com>
+
+        Cherry-pick r236589. rdar://problem/45285669
+
+    Verify the contents of AssemblerBuffer on arm64e
+    https://bugs.webkit.org/show_bug.cgi?id=190057
+    <rdar://problem/38916630>
+    
+    Reviewed by Mark Lam.
+    
+    JSTests:
+    
+    * stress/regress-189132.js:
+    
+    Source/JavaScriptCore:
+    
+    * assembler/ARM64Assembler.h:
+    (JSC::ARM64Assembler::ARM64Assembler):
+    (JSC::ARM64Assembler::fillNops):
+    (JSC::ARM64Assembler::link):
+    (JSC::ARM64Assembler::linkJumpOrCall):
+    (JSC::ARM64Assembler::linkCompareAndBranch):
+    (JSC::ARM64Assembler::linkConditionalBranch):
+    (JSC::ARM64Assembler::linkTestAndBranch):
+    (JSC::ARM64Assembler::unlinkedCode): Deleted.
+    * assembler/ARMAssembler.h:
+    (JSC::ARMAssembler::fillNops):
+    * assembler/ARMv7Assembler.h:
+    (JSC::ARMv7Assembler::unlinkedCode): Deleted.
+    * assembler/AbstractMacroAssembler.h:
+    (JSC::AbstractMacroAssembler::emitNops):
+    (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
+    * assembler/AssemblerBuffer.h:
+    (JSC::ARM64EHash::ARM64EHash):
+    (JSC::ARM64EHash::update):
+    (JSC::ARM64EHash::hash const):
+    (JSC::ARM64EHash::randomSeed const):
+    (JSC::AssemblerBuffer::AssemblerBuffer):
+    (JSC::AssemblerBuffer::putShort):
+    (JSC::AssemblerBuffer::putIntUnchecked):
+    (JSC::AssemblerBuffer::putInt):
+    (JSC::AssemblerBuffer::hash const):
+    (JSC::AssemblerBuffer::data const):
+    (JSC::AssemblerBuffer::putIntegralUnchecked):
+    (JSC::AssemblerBuffer::append): Deleted.
+    * assembler/LinkBuffer.cpp:
+    (JSC::LinkBuffer::copyCompactAndLinkCode):
+    * assembler/MIPSAssembler.h:
+    (JSC::MIPSAssembler::fillNops):
+    * assembler/MacroAssemblerARM64.h:
+    (JSC::MacroAssemblerARM64::jumpsToLink):
+    (JSC::MacroAssemblerARM64::link):
+    (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
+    * assembler/MacroAssemblerARMv7.h:
+    (JSC::MacroAssemblerARMv7::jumpsToLink):
+    (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
+    * assembler/X86Assembler.h:
+    (JSC::X86Assembler::fillNops):
+    
+    Source/WTF:
+    
+    * wtf/PtrTag.h:
+    (WTF::tagInt):
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236589 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-09-27  Saam barati  <sbarati@apple.com>
+
+            Verify the contents of AssemblerBuffer on arm64e
+            https://bugs.webkit.org/show_bug.cgi?id=190057
+            <rdar://problem/38916630>
+
+            Reviewed by Mark Lam.
+
+            * wtf/PtrTag.h:
+            (WTF::tagInt):
+
</ins><span class="cx"> 2018-10-25  Kocsen Chung  <kocsen_chung@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Revert r237373. rdar://problem/45285669
</span></span></pre></div>
<a id="branchessafari606branchSourceWTFwtfPtrTagh"></a>
<div class="modfile"><h4>Modified: branches/safari-606-branch/Source/WTF/wtf/PtrTag.h (237469 => 237470)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-606-branch/Source/WTF/wtf/PtrTag.h       2018-10-26 18:30:13 UTC (rev 237469)
+++ branches/safari-606-branch/Source/WTF/wtf/PtrTag.h  2018-10-26 18:51:19 UTC (rev 237470)
</span><span class="lines">@@ -147,6 +147,13 @@
</span><span class="cx"> template<PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
</span><span class="cx"> inline PtrType untagCFunctionPtr(PtrType ptr) { return ptr; }
</span><span class="cx"> 
</span><ins>+template <typename IntType>
+inline IntType tagInt(IntType ptrInt, PtrTag)
+{
+    static_assert(sizeof(IntType) == sizeof(uintptr_t), "");
+    return ptrInt;
+}
+
</ins><span class="cx"> template<typename PtrType> void assertIsCFunctionPtr(PtrType) { }
</span><span class="cx"> template<typename PtrType> void assertIsNullOrCFunctionPtr(PtrType) { }
</span><span class="cx"> 
</span><span class="lines">@@ -184,6 +191,7 @@
</span><span class="cx"> using WTF::removeCodePtrTag;
</span><span class="cx"> using WTF::tagCFunctionPtr;
</span><span class="cx"> using WTF::untagCFunctionPtr;
</span><ins>+using WTF::tagInt;
</ins><span class="cx"> 
</span><span class="cx"> using WTF::assertIsCFunctionPtr;
</span><span class="cx"> using WTF::assertIsNullOrCFunctionPtr;
</span></span></pre>
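Review bot: The new `tagInt` overload returns `ptrInt` unchanged and nothing says this is the no-authentication fallback rather than the real implementation; the neighbouring `untagCFunctionPtr` stub suggests this is the non-ARM64E half of the file, but the ARM64E definition that `ARM64EHash::update` in AssemblerBuffer.h relies on is not in this hunk, so that is inferred. A comment such as `// Fallback when pointer authentication is unavailable: the value is returned untagged and the PtrTag is ignored.` would make the contract clear, and would tell readers of `ARM64EHash` that on this path the hash would be a plain add/xor chain with no hardware key, which is acceptable only because that class is compiled in under `CPU(ARM64E)` alone. The `static_assert` would also be more useful with a message, e.g. `static_assert(sizeof(IntType) == sizeof(uintptr_t), "tagInt only accepts pointer-sized integers");`.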
</div>
</div>

</body>
</html>