<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[237937] tags/Safari-607.1.13/Source/JavaScriptCore</title>
</head>
<body>

<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/237937">237937</a></dd>
<dt>Author</dt> <dd>alancoon@apple.com</dd>
<dt>Date</dt> <dd>2018-11-07 12:55:45 -0800 (Wed, 07 Nov 2018)</dd>
</dl>

<h3>Log Message</h3>
<pre>Cherry-pick <a href="http://trac.webkit.org/projects/webkit/changeset/237933">r237933</a>. rdar://problem/45739094

    Align wide opcodes in the instruction stream
    https://bugs.webkit.org/show_bug.cgi?id=191254

    Reviewed by Keith Miller.

    Pad the bytecode with nops to ensure that wide opcodes are 4-byte
    aligned on platforms that don't like unaligned memory access.

    For that, add a new type to represent jump targets, BoundLabel, which
    delays computing the offset in case we need to emit nops for padding.
    Extra padding is also emitted before op_yield and at the end of each
    BytecodeWriter fragment, to ensure that the bytecode remains aligned
    after the rewriting.

    As a side effect, we can no longer guarantee that the point immediately
    before emitting an opcode is the start of that opcode, since nops
    might be emitted in between if the opcode needs to be wide. To fix
    that, we only take the offset of opcodes after they have been emitted,
    using `m_lastInstruction.offset()`.

    * bytecode/BytecodeDumper.h:
    (JSC::BytecodeDumper::dumpValue):
    * bytecode/BytecodeGeneratorification.cpp:
    (JSC::BytecodeGeneratorification::run):
    * bytecode/BytecodeList.rb:
    * bytecode/BytecodeRewriter.h:
    (JSC::BytecodeRewriter::Fragment::align):
    (JSC::BytecodeRewriter::insertFragmentBefore):
    (JSC::BytecodeRewriter::insertFragmentAfter):
    * bytecode/Fits.h:
    * bytecode/InstructionStream.h:
    (JSC::InstructionStreamWriter::ref):
    * bytecode/PreciseJumpTargetsInlines.h:
    (JSC::updateStoredJumpTargetsForInstruction):
    * bytecompiler/BytecodeGenerator.cpp:
    (JSC::Label::setLocation):
    (JSC::BoundLabel::target):
    (JSC::BoundLabel::saveTarget):
    (JSC::BoundLabel::commitTarget):
    (JSC::BytecodeGenerator::generate):
    (JSC::BytecodeGenerator::recordOpcode):
    (JSC::BytecodeGenerator::alignWideOpcode):
    (JSC::BytecodeGenerator::emitProfileControlFlow):
    (JSC::BytecodeGenerator::emitResolveScope):
    (JSC::BytecodeGenerator::emitGetFromScope):
    (JSC::BytecodeGenerator::emitPutToScope):
    (JSC::BytecodeGenerator::emitGetById):
    (JSC::BytecodeGenerator::emitDirectGetById):
    (JSC::BytecodeGenerator::emitPutById):
    (JSC::BytecodeGenerator::emitDirectPutById):
    (JSC::BytecodeGenerator::emitGetByVal):
    (JSC::BytecodeGenerator::emitCreateThis):
    (JSC::BytecodeGenerator::beginSwitch):
    (JSC::BytecodeGenerator::endSwitch):
    (JSC::BytecodeGenerator::emitRequireObjectCoercible):
    (JSC::BytecodeGenerator::emitYieldPoint):
    (JSC::BytecodeGenerator::emitToThis):
    (JSC::Label::bind): Deleted.
    * bytecompiler/BytecodeGenerator.h:
    (JSC::BytecodeGenerator::recordOpcode): Deleted.
    * bytecompiler/Label.h:
    (JSC::BoundLabel::BoundLabel):
    (JSC::BoundLabel::operator int):
    (JSC::Label::bind):
    * generator/Opcode.rb:

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@237933 268f45cc-cd09-0410-ab3c-d52691b4dbfc</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#tagsSafari607113SourceJavaScriptCoreChangeLog">tags/Safari-607.1.13/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#tagsSafari607113SourceJavaScriptCorebytecodeBytecodeDumperh">tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/BytecodeDumper.h</a></li>
<li><a href="#tagsSafari607113SourceJavaScriptCorebytecodeBytecodeGeneratorificationcpp">tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/BytecodeGeneratorification.cpp</a></li>
<li><a href="#tagsSafari607113SourceJavaScriptCorebytecodeBytecodeListrb">tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/BytecodeList.rb</a></li>
<li><a href="#tagsSafari607113SourceJavaScriptCorebytecodeBytecodeRewriterh">tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/BytecodeRewriter.h</a></li>
<li><a href="#tagsSafari607113SourceJavaScriptCorebytecodeFitsh">tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/Fits.h</a></li>
<li><a href="#tagsSafari607113SourceJavaScriptCorebytecodeInstructionStreamh">tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/InstructionStream.h</a></li>
<li><a href="#tagsSafari607113SourceJavaScriptCorebytecodePreciseJumpTargetsInlinesh">tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/PreciseJumpTargetsInlines.h</a></li>
<li><a href="#tagsSafari607113SourceJavaScriptCorebytecompilerBytecodeGeneratorcpp">tags/Safari-607.1.13/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp</a></li>
<li><a href="#tagsSafari607113SourceJavaScriptCorebytecompilerBytecodeGeneratorh">tags/Safari-607.1.13/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h</a></li>
<li><a href="#tagsSafari607113SourceJavaScriptCorebytecompilerLabelh">tags/Safari-607.1.13/Source/JavaScriptCore/bytecompiler/Label.h</a></li>
<li><a href="#tagsSafari607113SourceJavaScriptCoregeneratorOpcoderb">tags/Safari-607.1.13/Source/JavaScriptCore/generator/Opcode.rb</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="tagsSafari607113SourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: tags/Safari-607.1.13/Source/JavaScriptCore/ChangeLog (237936 => 237937)</h4>
<pre class="diff"><span>
<span class="info">--- tags/Safari-607.1.13/Source/JavaScriptCore/ChangeLog     2018-11-07 20:50:05 UTC (rev 237936)
+++ tags/Safari-607.1.13/Source/JavaScriptCore/ChangeLog        2018-11-07 20:55:45 UTC (rev 237937)
</span><span class="lines">@@ -1,3 +1,144 @@
</span><ins>+2018-11-07  Alan Coon  <alancoon@apple.com>
+
+        Cherry-pick r237933. rdar://problem/45739094
+
+    Align wide opcodes in the instruction stream
+    https://bugs.webkit.org/show_bug.cgi?id=191254
+    
+    Reviewed by Keith Miller.
+    
+    Pad the bytecode with nops to ensure that wide opcodes are 4-byte
+    aligned on platforms that don't like unaligned memory access.
+    
+    For that, add a new type to represent jump targets, BoundLabel, which
+    delays computing the offset in case we need to emit nops for padding.
+    Extra padding is also emitted before op_yield and at the of each
+    BytecodeWriter fragment, to ensure that the bytecode remains aligned
+    after the rewriting.
+    
+    As a side effect, we can longer guarantee that the point immediately
+    before emitting an opcode is the start of that opcode, since nops
+    might be emitted in between if the opcode needs to be wide. To fix
+    that, we only take the offset of opcodes after they have been emitted,
+    using `m_lastInstruction.offset()`.
+    
+    * bytecode/BytecodeDumper.h:
+    (JSC::BytecodeDumper::dumpValue):
+    * bytecode/BytecodeGeneratorification.cpp:
+    (JSC::BytecodeGeneratorification::run):
+    * bytecode/BytecodeList.rb:
+    * bytecode/BytecodeRewriter.h:
+    (JSC::BytecodeRewriter::Fragment::align):
+    (JSC::BytecodeRewriter::insertFragmentBefore):
+    (JSC::BytecodeRewriter::insertFragmentAfter):
+    * bytecode/Fits.h:
+    * bytecode/InstructionStream.h:
+    (JSC::InstructionStreamWriter::ref):
+    * bytecode/PreciseJumpTargetsInlines.h:
+    (JSC::updateStoredJumpTargetsForInstruction):
+    * bytecompiler/BytecodeGenerator.cpp:
+    (JSC::Label::setLocation):
+    (JSC::BoundLabel::target):
+    (JSC::BoundLabel::saveTarget):
+    (JSC::BoundLabel::commitTarget):
+    (JSC::BytecodeGenerator::generate):
+    (JSC::BytecodeGenerator::recordOpcode):
+    (JSC::BytecodeGenerator::alignWideOpcode):
+    (JSC::BytecodeGenerator::emitProfileControlFlow):
+    (JSC::BytecodeGenerator::emitResolveScope):
+    (JSC::BytecodeGenerator::emitGetFromScope):
+    (JSC::BytecodeGenerator::emitPutToScope):
+    (JSC::BytecodeGenerator::emitGetById):
+    (JSC::BytecodeGenerator::emitDirectGetById):
+    (JSC::BytecodeGenerator::emitPutById):
+    (JSC::BytecodeGenerator::emitDirectPutById):
+    (JSC::BytecodeGenerator::emitGetByVal):
+    (JSC::BytecodeGenerator::emitCreateThis):
+    (JSC::BytecodeGenerator::beginSwitch):
+    (JSC::BytecodeGenerator::endSwitch):
+    (JSC::BytecodeGenerator::emitRequireObjectCoercible):
+    (JSC::BytecodeGenerator::emitYieldPoint):
+    (JSC::BytecodeGenerator::emitToThis):
+    (JSC::Label::bind): Deleted.
+    * bytecompiler/BytecodeGenerator.h:
+    (JSC::BytecodeGenerator::recordOpcode): Deleted.
+    * bytecompiler/Label.h:
+    (JSC::BoundLabel::BoundLabel):
+    (JSC::BoundLabel::operator int):
+    (JSC::Label::bind):
+    * generator/Opcode.rb:
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@237933 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
+
+            Align wide opcodes in the instruction stream
+            https://bugs.webkit.org/show_bug.cgi?id=191254
+
+            Reviewed by Keith Miller.
+
+            Pad the bytecode with nops to ensure that wide opcodes are 4-byte
+            aligned on platforms that don't like unaligned memory access.
+
+            For that, add a new type to represent jump targets, BoundLabel, which
+            delays computing the offset in case we need to emit nops for padding.
+            Extra padding is also emitted before op_yield and at the of each
+            BytecodeWriter fragment, to ensure that the bytecode remains aligned
+            after the rewriting.
+
+            As a side effect, we can longer guarantee that the point immediately
+            before emitting an opcode is the start of that opcode, since nops
+            might be emitted in between if the opcode needs to be wide. To fix
+            that, we only take the offset of opcodes after they have been emitted,
+            using `m_lastInstruction.offset()`.
+
+            * bytecode/BytecodeDumper.h:
+            (JSC::BytecodeDumper::dumpValue):
+            * bytecode/BytecodeGeneratorification.cpp:
+            (JSC::BytecodeGeneratorification::run):
+            * bytecode/BytecodeList.rb:
+            * bytecode/BytecodeRewriter.h:
+            (JSC::BytecodeRewriter::Fragment::align):
+            (JSC::BytecodeRewriter::insertFragmentBefore):
+            (JSC::BytecodeRewriter::insertFragmentAfter):
+            * bytecode/Fits.h:
+            * bytecode/InstructionStream.h:
+            (JSC::InstructionStreamWriter::ref):
+            * bytecode/PreciseJumpTargetsInlines.h:
+            (JSC::updateStoredJumpTargetsForInstruction):
+            * bytecompiler/BytecodeGenerator.cpp:
+            (JSC::Label::setLocation):
+            (JSC::BoundLabel::target):
+            (JSC::BoundLabel::saveTarget):
+            (JSC::BoundLabel::commitTarget):
+            (JSC::BytecodeGenerator::generate):
+            (JSC::BytecodeGenerator::recordOpcode):
+            (JSC::BytecodeGenerator::alignWideOpcode):
+            (JSC::BytecodeGenerator::emitProfileControlFlow):
+            (JSC::BytecodeGenerator::emitResolveScope):
+            (JSC::BytecodeGenerator::emitGetFromScope):
+            (JSC::BytecodeGenerator::emitPutToScope):
+            (JSC::BytecodeGenerator::emitGetById):
+            (JSC::BytecodeGenerator::emitDirectGetById):
+            (JSC::BytecodeGenerator::emitPutById):
+            (JSC::BytecodeGenerator::emitDirectPutById):
+            (JSC::BytecodeGenerator::emitGetByVal):
+            (JSC::BytecodeGenerator::emitCreateThis):
+            (JSC::BytecodeGenerator::beginSwitch):
+            (JSC::BytecodeGenerator::endSwitch):
+            (JSC::BytecodeGenerator::emitRequireObjectCoercible):
+            (JSC::BytecodeGenerator::emitYieldPoint):
+            (JSC::BytecodeGenerator::emitToThis):
+            (JSC::Label::bind): Deleted.
+            * bytecompiler/BytecodeGenerator.h:
+            (JSC::BytecodeGenerator::recordOpcode): Deleted.
+            * bytecompiler/Label.h:
+            (JSC::BoundLabel::BoundLabel):
+            (JSC::BoundLabel::operator int):
+            (JSC::Label::bind):
+            * generator/Opcode.rb:
+
</ins><span class="cx"> 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
</span><span class="cx"> 
</span><span class="cx">         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
</span></span></pre></div>
<a id="tagsSafari607113SourceJavaScriptCorebytecodeBytecodeDumperh"></a>
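--- a/tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/BytecodeDumper.h
+++ b/tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/BytecodeDumper.h
@@ -29,6 +29,7 @@
 #include "CallLinkInfo.h"
 #include "ICStatusMap.h"
 #include "InstructionStream.h"
+#include "Label.h"
 #include "StructureStubInfo.h"
 
 namespace JSC {
@@ -52,6 +53,7 @@
     }
 
     void dumpValue(VirtualRegister reg) { m_out.printf("%s", registerName(reg.offset()).data()); }
+    void dumpValue(BoundLabel label) { m_out.print(label.target()); }
     template<typename T>
     void dumpValue(T v) { m_out.print(v); }
 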
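Review bot: The new `dumpValue(BoundLabel label)` overload prints `label.target()`, which in the BytecodeGenerator.cpp hunk dereferences `m_generator` for the `GeneratorBackward` case and returns a writer-relative value, so it only yields a meaningful number for labels of the `Offset` kind. The dumper presumably only ever sees labels rebuilt from the stream by `Fits<BoundLabel, size>::convert(...)`, which is why this works, but the overload does not state that precondition. Suggest a comment on the new line: `// Labels decoded from the stream are already resolved; target() needs no generator here.` The parameter is taken by value because `target()` is non-const in the BytecodeGenerator.cpp hunk, which is worth saying in the same comment so it is not "fixed" to `const BoundLabel&`.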
<a id="tagsSafari607113SourceJavaScriptCorebytecodeBytecodeGeneratorificationcpp"></a>
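--- a/tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/BytecodeGeneratorification.cpp
+++ b/tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/BytecodeGeneratorification.cpp
@@ -37,6 +37,7 @@
 #include "JSCInlines.h"
 #include "JSCJSValueInlines.h"
 #include "JSGeneratorFunction.h"
+#include "Label.h"
 #include "StrongInlines.h"
 #include "UnlinkedCodeBlock.h"
 #include "UnlinkedMetadataTableInlines.h"
@@ -205,7 +206,7 @@
             jumpTable.add(i + 1, m_yields[i].point);
 
         rewriter.insertFragmentBefore(nextToEnterPoint, [&](BytecodeRewriter::Fragment& fragment) {
-            fragment.appendInstruction<OpSwitchImm>(switchTableIndex, nextToEnterPoint.offset(), state);
+            fragment.appendInstruction<OpSwitchImm>(switchTableIndex, BoundLabel(nextToEnterPoint.offset()), state);
         });
     }
 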
<a id="tagsSafari607113SourceJavaScriptCorebytecodeBytecodeListrb"></a>
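--- a/tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/BytecodeList.rb
+++ b/tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/BytecodeList.rb
@@ -25,6 +25,7 @@
     :VirtualRegister,
 
     :BasicBlockLocation,
+    :BoundLabel,
     :DebugHookType,
     :ErrorType,
     :GetByIdMode,
@@ -591,31 +592,31 @@
 
 op :jmp,
     args: {
-        target: int,
+        target: BoundLabel,
     }
 
 op :jtrue,
     args: {
         condition: VirtualRegister,
-        target: int,
+        target: BoundLabel,
     }
 
 op :jfalse,
     args: {
         condition: VirtualRegister,
-        target: int,
+        target: BoundLabel,
     }
 
 op :jeq_null,
     args: {
         value: VirtualRegister,
-        target: int,
+        target: BoundLabel,
     }
 
 op :jneq_null,
     args: {
         value: VirtualRegister,
-        target: int,
+        target: BoundLabel,
     }
 
 op :jneq_ptr,
@@ -622,7 +623,7 @@
     args: {
         value: VirtualRegister,
         specialPointer: Special::Pointer,
-        target: int,
+        target: BoundLabel,
     },
     metadata: {
         hasJumped: bool,
@@ -648,7 +649,7 @@
     args: {
         lhs: VirtualRegister,
         rhs: VirtualRegister,
-        target: int,
+        target: BoundLabel,
     }
 
 op :loop_hint
@@ -661,7 +662,7 @@
     ],
     args: {
         tableIndex: unsigned,
-        defaultOffset: int,
+        defaultOffset: BoundLabel,
         scrutinee: VirtualRegister,
     }
 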
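Review bot: The new `:BoundLabel,` type entry and the `target: int` → `target: BoundLabel` rewrites carry no comment saying why a jump operand must not stay `int`: per the Fits.h hunk only `Fits<BoundLabel, size>` defers the offset through `saveTarget()`/`commitTarget()`, so an op added later with `target: int` would compile but would presumably resolve its offset before any alignment nops are emitted. Suggest a comment beside the type entry: `# Jump targets must be BoundLabel, not int: the offset is resolved only after any alignment nops have been emitted.` The same note covers `defaultOffset` in the last hunk.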
<a id="tagsSafari607113SourceJavaScriptCorebytecodeBytecodeRewriterh"></a>
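--- a/tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/BytecodeRewriter.h
+++ b/tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/BytecodeRewriter.h
@@ -28,6 +28,7 @@
 
 #include "BytecodeGenerator.h"
 #include "BytecodeGraph.h"
+#include "BytecodeStructs.h"
 #include "Bytecodes.h"
 #include "Opcode.h"
 #include "UnlinkedCodeBlock.h"
@@ -156,6 +157,16 @@
             });
         }
 
+        void align()
+        {
+#if CPU(NEEDS_ALIGNED_ACCESS)
+            m_bytecodeGenerator.withWriter(m_writer, [&] {
+                while (m_bytecodeGenerator.instructions().size() % OpcodeSize::Wide)
+                    OpNop::emit<OpcodeSize::Narrow>(&m_bytecodeGenerator);
+            });
+#endif
+        }
+
     private:
         BytecodeGenerator& m_bytecodeGenerator;
         InstructionStreamWriter& m_writer;
@@ -177,6 +188,7 @@
         InstructionStreamWriter writer;
         Fragment fragment(m_bytecodeGenerator, writer, includeBranch);
         function(fragment);
+        fragment.align();
         insertImpl(InsertionPoint(instruction.offset(), Position::Before), includeBranch, WTFMove(writer));
     }
 
@@ -187,6 +199,7 @@
         InstructionStreamWriter writer;
         Fragment fragment(m_bytecodeGenerator, writer, includeBranch);
         function(fragment);
+        fragment.align();
         insertImpl(InsertionPoint(instruction.offset(), Position::After), includeBranch, WTFMove(writer));
     }
 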
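Review bot: `Fragment::align()` emits nops through `m_bytecodeGenerator` without the `m_lastOpcodeID` save/restore that `BytecodeGenerator::alignWideOpcode()` wraps around the same `OpNop::emit<OpcodeSize::Narrow>` loop in the BytecodeGenerator.cpp hunk, where the assertion in `recordOpcode()` is explicitly disarmed with `m_lastOpcodeID = op_end`. If `withWriter` (not shown) does not reset that state when it swaps in the fragment writer, the first nop here could trip that assertion in debug builds; it may already be handled, but the asymmetry deserves a sentence. The loop also measures `m_bytecodeGenerator.instructions().size()`, which only pads the fragment if `instructions()` reflects the temporarily installed writer. A comment such as `// Pad the fragment to a multiple of OpcodeSize::Wide so instructions after the insertion point stay aligned; inside withWriter, instructions() refers to m_writer.` would pin both assumptions down, adjusted if the second one does not hold.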
<a id="tagsSafari607113SourceJavaScriptCorebytecodeFitsh"></a>
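--- a/tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/Fits.h
+++ b/tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/Fits.h
@@ -27,6 +27,7 @@
 
 #include "GetPutInfo.h"
 #include "Interpreter.h"
+#include "Label.h"
 #include "OpcodeSize.h"
 #include "ProfileTypeBytecodeFlag.h"
 #include "ResultType.h"
@@ -293,4 +294,30 @@
     }
 };
 
+template<OpcodeSize size>
+struct Fits<BoundLabel, size> : Fits<int, size> {
+    // This is a bit hacky: we need to delay computing jump targets, since we
+    // might have to emit `nop`s to align the instructions stream. Additionally,
+    // we have to compute the target before we start writing to the instruction
+    // stream, since the offset is computed from the start of the bytecode. We
+    // achieve this by computing the target when we `check` and saving it, then
+    // later we use the saved target when we call convert.
+
+    using Base = Fits<int, size>;
+    static bool check(BoundLabel& label)
+    {
+        return Base::check(label.saveTarget());
+    }
+
+    static typename TypeBySize<size>::type convert(BoundLabel& label)
+    {
+        return Base::convert(label.commitTarget());
+    }
+
+    static BoundLabel convert(typename TypeBySize<size>::type target)
+    {
+        return BoundLabel(Base::convert(target));
+    }
+};
+
 } // namespace JSC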
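Review bot: `check(BoundLabel&)` snapshots the writer position through `saveTarget()` and `convert(BoundLabel&)` later commits that snapshot, so the result is only correct if no bytes are written between the two calls; yet in the BytecodeGenerator.cpp hunk `alignWideOpcode()` emits nops precisely when an operand has failed the narrow check, which sits between a failed `check` and the wide `convert` unless the generated emit path in Opcode.rb (not shown here) re-runs `check` after aligning. For a `GeneratorForward` label a stale snapshot would be appended to `m_unresolvedJumps` by `commitTarget()`; for `GeneratorBackward` the relative offset would be off by the padding. The existing comment explains the save/commit split but not this ordering requirement; suggest adding `// check() must be re-run after any nops are emitted: the saved target is relative to the writer position at the time of the call.` and, if Opcode.rb guarantees that, saying so explicitly.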
<a id="tagsSafari607113SourceJavaScriptCorebytecodeInstructionStreamh"></a>
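--- a/tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/InstructionStream.h
+++ b/tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/InstructionStream.h
@@ -238,7 +238,7 @@
 
     MutableRef ref()
     {
-        return MutableRef { m_instructions, m_instructions.size() };
+        return MutableRef { m_instructions, m_position };
     }
 
     void swap(InstructionStreamWriter& other)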
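Review bot: `ref()` now hands out a `MutableRef` at `m_position` instead of `m_instructions.size()`, so any caller that treated the result as "the instruction just appended" now depends on `m_position` being kept equal to the buffer size whenever the writer is not repositioned; `recordOpcode()` in the BytecodeGenerator.cpp hunk asserts exactly that relationship through `m_writer.position()`. A one-line comment would make the new contract visible at the call sites, e.g. `// Refers to the current write position (m_position), which is not necessarily the end of the buffer.` The rest of the class, including how `m_position` is advanced, is outside the hunk.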
<a id="tagsSafari607113SourceJavaScriptCorebytecodePreciseJumpTargetsInlinesh"></a>
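--- a/tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/PreciseJumpTargetsInlines.h
+++ b/tags/Safari-607.1.13/Source/JavaScriptCore/bytecode/PreciseJumpTargetsInlines.h
@@ -140,9 +140,9 @@
         int32_t target = jumpTargetForInstruction<__op>(codeBlockOrHashMap, instruction); \
         int32_t newTarget = function(target); \
         if (newTarget != target || finalOffset) { \
-            instruction->cast<__op>()->setTarget(newTarget, [&]() { \
+            instruction->cast<__op>()->setTarget(BoundLabel(newTarget), [&]() { \
                 codeBlock->addOutOfLineJumpTarget(finalOffset + instruction.offset(), newTarget); \
-                return 0; \
+                return BoundLabel(); \
             }); \
         } \
         break; \
@@ -161,9 +161,9 @@
         int32_t target = jumpTargetForInstruction(codeBlockOrHashMap, instruction, bytecode.defaultOffset); \
         int32_t newTarget = function(target); \
         if (newTarget != target || finalOffset) { \
-            instruction->cast<__op>()->setDefaultOffset(newTarget, [&]() { \
+            instruction->cast<__op>()->setDefaultOffset(BoundLabel(newTarget), [&]() { \
                 codeBlock->addOutOfLineJumpTarget(finalOffset + instruction.offset(), newTarget); \
-                return 0; \
+                return BoundLabel(); \
             }); \
         } \
     } while (false)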
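Review bot: The fallback lambdas now return a default-constructed `BoundLabel()` where they used to return `0`, and nothing on this page shows what the default constructor encodes, so the equivalence with the old sentinel (the value that tells the reader to consult the target registered by `addOutOfLineJumpTarget` on the preceding line) rests on an unstated property of `BoundLabel()`. Suggest a comment on each `return BoundLabel();` line: `// A default BoundLabel stands for target 0, i.e. "use the out-of-line jump target".` The same pattern appears in the `CASE` macro of the BytecodeGenerator.cpp section further down, whose hunks are cut off on this page. Both macros here begin above their hunks, so the `do { ... } while (false)` bodies are only partially visible.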
<a id="tagsSafari607113SourceJavaScriptCorebytecompilerBytecodeGeneratorcpp"></a>
<div class="modfile"><h4>Modified: tags/Safari-607.1.13/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (237936 => 237937)</h4>
<pre class="diff"><span>
<span class="info">--- tags/Safari-607.1.13/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp    2018-11-07 20:50:05 UTC (rev 237936)
+++ tags/Safari-607.1.13/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp       2018-11-07 20:55:45 UTC (rev 237937)
</span><span class="lines">@@ -102,9 +102,9 @@
</span><span class="cx"> 
</span><span class="cx"> #define CASE(__op) \
</span><span class="cx">     case __op::opcodeID:  \
</span><del>-        instruction->cast<__op>()->setTarget(target, [&]() { \
</del><ins>+        instruction->cast<__op>()->setTarget(BoundLabel(target), [&]() { \
</ins><span class="cx">             generator.m_codeBlock->addOutOfLineJumpTarget(instruction.offset(), target); \
</span><del>-            return 0; \
</del><ins>+            return BoundLabel(); \
</ins><span class="cx">         }); \
</span><span class="cx">         break;
</span><span class="cx"> 
</span><span class="lines">@@ -136,11 +136,41 @@
</span><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-int Label::bind(BytecodeGenerator* generator)
</del><ins>+int BoundLabel::target()
</ins><span class="cx"> {
</span><del>-    return bind(generator->instructions().size());
</del><ins>+    switch (m_type) {
+    case Offset:
+        return m_target;
+    case GeneratorBackward:
+        return m_target - m_generator->m_writer.position();
+    case GeneratorForward:
+        return 0;
+    default:
+        RELEASE_ASSERT_NOT_REACHED();
+    }
</ins><span class="cx"> }
</span><span class="cx"> 
</span><ins>+int BoundLabel::saveTarget()
+{
+    if (m_type == GeneratorForward) {
+        m_savedTarget = m_generator->m_writer.position();
+        return 0;
+    }
+
+    m_savedTarget = target();
+    return m_savedTarget;
+}
+
+int BoundLabel::commitTarget()
+{
+    if (m_type == GeneratorForward) {
+        m_label->m_unresolvedJumps.append(m_savedTarget);
+        return 0;
+    }
+
+    return m_savedTarget;
+}
+
</ins><span class="cx"> void Variable::dump(PrintStream& out) const
</span><span class="cx"> {
</span><span class="cx">     out.print(
</span><span class="lines">@@ -216,9 +246,12 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     for (auto& tuple : m_catchesToEmit) {
</span><del>-        Ref<Label> realCatchTarget = newEmittedLabel();
</del><ins>+        Ref<Label> realCatchTarget = newLabel();
</ins><span class="cx">         OpCatch::emit(this, std::get<1>(tuple), std::get<2>(tuple));
</span><ins>+        realCatchTarget->setLocation(*this, m_lastInstruction.offset());
+        m_codeBlock->addJumpTarget(m_lastInstruction.offset());
</ins><span class="cx"> 
</span><ins>+
</ins><span class="cx">         TryData* tryData = std::get<0>(tuple);
</span><span class="cx">         emitJump(tryData->target.get());
</span><span class="cx">         tryData->target = WTFMove(realCatchTarget);
</span><span class="lines">@@ -1280,6 +1313,24 @@
</span><span class="cx">     return label;
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void BytecodeGenerator::recordOpcode(OpcodeID opcodeID)
+{
+    ASSERT(m_lastOpcodeID == op_end || (m_lastOpcodeID == m_lastInstruction->opcodeID() && m_writer.position() == m_lastInstruction.offset() + m_lastInstruction->size()));
+    m_lastInstruction = m_writer.ref();
+    m_lastOpcodeID = opcodeID;
+}
+
+void BytecodeGenerator::alignWideOpcode()
+{
+#if CPU(NEEDS_ALIGNED_ACCESS)
+    OpcodeID lastOpcodeID = m_lastOpcodeID;
+    m_lastOpcodeID = op_end;
+    while ((m_writer.position() + 1) % OpcodeSize::Wide)
+        OpNop::emit<OpcodeSize::Narrow>(this);
+    recordOpcode(lastOpcodeID);
+#endif
+}
+
</ins><span class="cx"> void BytecodeGenerator::emitLabel(Label& l0)
</span><span class="cx"> {
</span><span class="cx">     unsigned newLabelIndex = instructions().size();
</span><span class="lines">@@ -1778,10 +1829,9 @@
</span><span class="cx"> {
</span><span class="cx">     if (vm()->controlFlowProfiler()) {
</span><span class="cx">         RELEASE_ASSERT(textOffset >= 0);
</span><del>-        size_t bytecodeOffset = instructions().size();
-        m_codeBlock->addOpProfileControlFlowBytecodeOffset(bytecodeOffset);
</del><span class="cx"> 
</span><span class="cx">         OpProfileControlFlow::emit(this, textOffset);
</span><ins>+        m_codeBlock->addOpProfileControlFlowBytecodeOffset(m_lastInstruction.offset());
</ins><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -2395,11 +2445,9 @@
</span><span class="cx">     case VarKind::Invalid:
</span><span class="cx">         // Indicates non-local resolution.
</span><span class="cx">         
</span><del>-        m_codeBlock->addPropertyAccessInstruction(instructions().size());
-        
-        // resolve_scope dst, id, ResolveType, depth
</del><span class="cx">         dst = tempDestination(dst);
</span><span class="cx">         OpResolveScope::emit(this, kill(dst), scopeRegister(), addConstant(variable.ident()), resolveType(), localScopeDepth());
</span><ins>+        m_codeBlock->addPropertyAccessInstruction(m_lastInstruction.offset());
</ins><span class="cx">         return dst;
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -2420,9 +2468,6 @@
</span><span class="cx">         
</span><span class="cx">     case VarKind::Scope:
</span><span class="cx">     case VarKind::Invalid: {
</span><del>-        m_codeBlock->addPropertyAccessInstruction(instructions().size());
-        
-        // get_from_scope dst, scope, id, GetPutInfo, Structure, Operand
</del><span class="cx">         OpGetFromScope::emit(
</span><span class="cx">             this,
</span><span class="cx">             kill(dst),
</span><span class="lines">@@ -2431,6 +2476,7 @@
</span><span class="cx">             GetPutInfo(resolveMode, variable.offset().isScope() ? LocalClosureVar : resolveType(), InitializationMode::NotInitialization),
</span><span class="cx">             localScopeDepth(),
</span><span class="cx">             variable.offset().isScope() ? variable.offset().scopeOffset().offset() : 0);
</span><ins>+        m_codeBlock->addPropertyAccessInstruction(m_lastInstruction.offset());
</ins><span class="cx">         return dst;
</span><span class="cx">     } }
</span><span class="cx">     
</span><span class="lines">@@ -2450,9 +2496,6 @@
</span><span class="cx">         
</span><span class="cx">     case VarKind::Scope:
</span><span class="cx">     case VarKind::Invalid: {
</span><del>-        m_codeBlock->addPropertyAccessInstruction(instructions().size());
-        
-        // put_to_scope scope, id, value, GetPutInfo, Structure, Operand
</del><span class="cx">         GetPutInfo getPutInfo(0);
</span><span class="cx">         int scopeDepth;
</span><span class="cx">         ScopeOffset offset;
</span><span class="lines">@@ -2466,6 +2509,7 @@
</span><span class="cx">             scopeDepth = localScopeDepth();
</span><span class="cx">         }
</span><span class="cx">         OpPutToScope::emit(this, scope, addConstant(variable.ident()), value, getPutInfo, scopeDepth, !!offset ? offset.offset() : 0);
</span><ins>+        m_codeBlock->addPropertyAccessInstruction(m_lastInstruction.offset());
</ins><span class="cx">         return value;
</span><span class="cx">     } }
</span><span class="cx">     
</span><span class="lines">@@ -2515,9 +2559,8 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT_WITH_MESSAGE(!parseIndex(property), "Indexed properties should be handled with get_by_val.");
</span><span class="cx"> 
</span><del>-    m_codeBlock->addPropertyAccessInstruction(instructions().size());
-
</del><span class="cx">     OpGetById::emit(this, kill(dst), base, addConstant(property));
</span><ins>+    m_codeBlock->addPropertyAccessInstruction(m_lastInstruction.offset());
</ins><span class="cx">     return dst;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -2533,9 +2576,8 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT_WITH_MESSAGE(!parseIndex(property), "Indexed properties should be handled with get_by_val_direct.");
</span><span class="cx"> 
</span><del>-    m_codeBlock->addPropertyAccessInstruction(instructions().size());
-
</del><span class="cx">     OpGetByIdDirect::emit(this, kill(dst), base, addConstant(property));
</span><ins>+    m_codeBlock->addPropertyAccessInstruction(m_lastInstruction.offset());
</ins><span class="cx">     return dst;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -2547,9 +2589,8 @@
</span><span class="cx"> 
</span><span class="cx">     m_staticPropertyAnalyzer.putById(base, propertyIndex);
</span><span class="cx"> 
</span><del>-    m_codeBlock->addPropertyAccessInstruction(instructions().size());
-
</del><span class="cx">     OpPutById::emit(this, base, propertyIndex, value, PutByIdNone); // is not direct
</span><ins>+    m_codeBlock->addPropertyAccessInstruction(m_lastInstruction.offset());
</ins><span class="cx"> 
</span><span class="cx">     return value;
</span><span class="cx"> }
</span><span class="lines">@@ -2573,10 +2614,9 @@
</span><span class="cx"> 
</span><span class="cx">     m_staticPropertyAnalyzer.putById(base, propertyIndex);
</span><span class="cx"> 
</span><del>-    m_codeBlock->addPropertyAccessInstruction(instructions().size());
-    
</del><span class="cx">     PutByIdFlags type = (putType == PropertyNode::KnownDirect || property != m_vm->propertyNames->underscoreProto) ? PutByIdIsDirect : PutByIdNone;
</span><span class="cx">     OpPutById::emit(this, base, propertyIndex, value, type);
</span><ins>+    m_codeBlock->addPropertyAccessInstruction(m_lastInstruction.offset());
</ins><span class="cx">     return value;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -2659,33 +2699,26 @@
</span><span class="cx"> 
</span><span class="cx"> RegisterID* BytecodeGenerator::emitGetByVal(RegisterID* dst, RegisterID* base, RegisterID* property)
</span><span class="cx"> {
</span><del>-    bool forceWide = false;
</del><span class="cx">     for (size_t i = m_forInContextStack.size(); i--; ) {
</span><span class="cx">         ForInContext& context = m_forInContextStack[i].get();
</span><span class="cx">         if (context.local() != property)
</span><span class="cx">             continue;
</span><span class="cx"> 
</span><del>-        unsigned instIndex = instructions().size();
-
</del><span class="cx">         if (context.isIndexedForInContext()) {
</span><span class="cx">             auto& indexedContext = context.asIndexedForInContext();
</span><del>-            indexedContext.addGetInst(instIndex, property->index());
-            property = indexedContext.index();
-            forceWide = true;
-            break;
</del><ins>+            OpGetByVal::emit<OpcodeSize::Wide>(this, kill(dst), base, indexedContext.index());
+            indexedContext.addGetInst(m_lastInstruction.offset(), property->index());
+            return dst;
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         StructureForInContext& structureContext = context.asStructureForInContext();
</span><span class="cx">         OpGetDirectPname::emit<OpcodeSize::Wide>(this, kill(dst), base, property, structureContext.index(), structureContext.enumerator());
</span><span class="cx"> 
</span><del>-        structureContext.addGetInst(instIndex, property->index());
</del><ins>+        structureContext.addGetInst(m_lastInstruction.offset(), property->index());
</ins><span class="cx">         return dst;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    if (forceWide)
-        OpGetByVal::emit<OpcodeSize::Wide>(this, kill(dst), base, property);
-    else
-        OpGetByVal::emit(this, kill(dst), base, property);
</del><ins>+    OpGetByVal::emit(this, kill(dst), base, property);
</ins><span class="cx">     return dst;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -2750,8 +2783,8 @@
</span><span class="cx"> {
</span><span class="cx">     m_staticPropertyAnalyzer.createThis(dst, m_writer.ref());
</span><span class="cx"> 
</span><del>-    m_codeBlock->addPropertyAccessInstruction(instructions().size());
</del><span class="cx">     OpCreateThis::emit(this, dst, dst, 0);
</span><ins>+    m_codeBlock->addPropertyAccessInstruction(m_lastInstruction.offset());
</ins><span class="cx">     return dst;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -3762,24 +3795,23 @@
</span><span class="cx"> 
</span><span class="cx"> void BytecodeGenerator::beginSwitch(RegisterID* scrutineeRegister, SwitchInfo::SwitchType type)
</span><span class="cx"> {
</span><del>-    SwitchInfo info = { static_cast<uint32_t>(instructions().size()), type };
</del><span class="cx">     switch (type) {
</span><span class="cx">     case SwitchInfo::SwitchImmediate: {
</span><span class="cx">         size_t tableIndex = m_codeBlock->numberOfSwitchJumpTables();
</span><span class="cx">         m_codeBlock->addSwitchJumpTable();
</span><del>-        OpSwitchImm::emit(this, tableIndex, 0, scrutineeRegister);
</del><ins>+        OpSwitchImm::emit(this, tableIndex, BoundLabel(), scrutineeRegister);
</ins><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">     case SwitchInfo::SwitchCharacter: {
</span><span class="cx">         size_t tableIndex = m_codeBlock->numberOfSwitchJumpTables();
</span><span class="cx">         m_codeBlock->addSwitchJumpTable();
</span><del>-        OpSwitchChar::emit(this, tableIndex, 0, scrutineeRegister);
</del><ins>+        OpSwitchChar::emit(this, tableIndex, BoundLabel(), scrutineeRegister);
</ins><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">     case SwitchInfo::SwitchString: {
</span><span class="cx">         size_t tableIndex = m_codeBlock->numberOfStringSwitchJumpTables();
</span><span class="cx">         m_codeBlock->addStringSwitchJumpTable();
</span><del>-        OpSwitchString::emit(this, tableIndex, 0, scrutineeRegister);
</del><ins>+        OpSwitchString::emit(this, tableIndex, BoundLabel(), scrutineeRegister);
</ins><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">     default:
</span><span class="lines">@@ -3786,6 +3818,7 @@
</span><span class="cx">         RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    SwitchInfo info = { m_lastInstruction.offset(), type };
</ins><span class="cx">     m_switchContextStack.append(info);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -3848,11 +3881,11 @@
</span><span class="cx">     SwitchInfo switchInfo = m_switchContextStack.last();
</span><span class="cx">     m_switchContextStack.removeLast();
</span><span class="cx"> 
</span><del>-    int defaultTarget = defaultLabel.bind(switchInfo.bytecodeOffset);
</del><ins>+    BoundLabel defaultTarget = defaultLabel.bind(switchInfo.bytecodeOffset);
</ins><span class="cx">     auto handleSwitch = [&](auto* op, auto bytecode) {
</span><span class="cx">         op->setDefaultOffset(defaultTarget, [&]() {
</span><span class="cx">             m_codeBlock->addOutOfLineJumpTarget(switchInfo.bytecodeOffset, defaultTarget);
</span><del>-            return 0;
</del><ins>+            return BoundLabel();
</ins><span class="cx">         });
</span><span class="cx"> 
</span><span class="cx">         UnlinkedSimpleJumpTable& jumpTable = m_codeBlock->switchJumpTable(bytecode.tableIndex);
</span><span class="lines">@@ -3877,7 +3910,7 @@
</span><span class="cx">     case SwitchInfo::SwitchString: {
</span><span class="cx">         ref->cast<OpSwitchString>()->setDefaultOffset(defaultTarget, [&]() {
</span><span class="cx">             m_codeBlock->addOutOfLineJumpTarget(switchInfo.bytecodeOffset, defaultTarget);
</span><del>-            return 0;
</del><ins>+            return BoundLabel();
</ins><span class="cx">         });
</span><span class="cx"> 
</span><span class="cx">         UnlinkedStringJumpTable& jumpTable = m_codeBlock->stringSwitchJumpTable(ref->as<OpSwitchString>().tableIndex);
</span><span class="lines">@@ -4360,8 +4393,7 @@
</span><span class="cx">     // FIXME: op_jneq_null treats "undetectable" objects as null/undefined. RequireObjectCoercible
</span><span class="cx">     // thus incorrectly throws a TypeError for interfaces like HTMLAllCollection.
</span><span class="cx">     Ref<Label> target = newLabel();
</span><del>-    size_t begin = instructions().size();
-    OpJneqNull::emit(this, value, target->bind(begin));
</del><ins>+    OpJneqNull::emit(this, value, target->bind(this));
</ins><span class="cx">     emitThrowTypeError(error);
</span><span class="cx">     emitLabel(target.get());
</span><span class="cx"> }
</span><span class="lines">@@ -4392,6 +4424,13 @@
</span><span class="cx">     Vector<TryContext> savedTryContextStack;
</span><span class="cx">     m_tryContextStack.swap(savedTryContextStack);
</span><span class="cx"> 
</span><ins>+
+#if CPU(NEEDS_ALIGNED_ACCESS)
+    // conservatively align for the bytecode rewriter: it will delete this yield and
+    // append a fragment, so we make sure that the start of the fragments is aligned
+    while (m_writer.position() % OpcodeSize::Wide)
+        OpNop::emit<OpcodeSize::Narrow>(this);
+#endif
</ins><span class="cx">     OpYield::emit(this, generatorFrameRegister(), yieldPointIndex, argument);
</span><span class="cx"> 
</span><span class="cx">     // Restore the try contexts, which start offset is updated to the merge point.
</span><span class="lines">@@ -4863,8 +4902,8 @@
</span><span class="cx"> 
</span><span class="cx"> void BytecodeGenerator::emitToThis()
</span><span class="cx"> {
</span><del>-    m_codeBlock->addPropertyAccessInstruction(instructions().size());
</del><span class="cx">     OpToThis::emit(this, kill(&m_thisRegister));
</span><ins>+    m_codeBlock->addPropertyAccessInstruction(m_lastInstruction.offset());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
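--- a/tags/Safari-607.1.13/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
+++ b/tags/Safari-607.1.13/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
@@ -363,6 +363,7 @@
         WTF_MAKE_FAST_ALLOCATED;
         WTF_MAKE_NONCOPYABLE(BytecodeGenerator);
 
+        friend class BoundLabel;
         friend class Label;
         friend class IndexedForInContext;
         friend class StructureForInContext;
@@ -506,12 +507,7 @@
             n->emitBytecode(*this, dst);
         }
 
-        void recordOpcode(OpcodeID opcodeID)
-        {
-            ASSERT(m_lastOpcodeID == op_end || m_writer.size() == m_lastInstruction.offset() + m_lastInstruction->size());
-            m_lastInstruction = m_writer.ref();
-            m_lastOpcodeID = opcodeID;
-        }
+        void recordOpcode(OpcodeID);
 
         ALWAYS_INLINE unsigned addMetadataFor(OpcodeID opcodeID)
         {
@@ -1185,6 +1181,7 @@
 
         void write(uint8_t byte) { m_writer.write(byte); }
         void write(uint32_t i) { m_writer.write(i); }
+        void alignWideOpcode();
 
         class PreservedTDZStack {
         private: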
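Review bot: `alignWideOpcode()` is declared at the third hunk next to the raw `write()` helpers with no comment, although it is called from the generated `emitImpl` in Opcode.rb and, per its definition in BytecodeGenerator.cpp in this same commit, emits narrow `OpNop`s only under `CPU(NEEDS_ALIGNED_ACCESS)` and is otherwise a no-op. A one-line comment on the declaration would save readers a cross-file lookup, e.g. `// Pads with narrow nops so that the byte after the op_wide prefix lands on an OpcodeSize::Wide boundary; no-op unless CPU(NEEDS_ALIGNED_ACCESS).` Similarly, the out-of-line `recordOpcode(OpcodeID)` declaration in the second hunk lost the inline body that documented its invariant; a short comment such as `// Records the instruction about to be emitted as m_lastInstruction; asserts the writer sits right after the previous instruction.` would preserve that at the declaration.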
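--- a/tags/Safari-607.1.13/Source/JavaScriptCore/bytecompiler/Label.h
+++ b/tags/Safari-607.1.13/Source/JavaScriptCore/bytecompiler/Label.h
@@ -35,7 +35,56 @@
 
 namespace JSC {
     class BytecodeGenerator;
+    class Label;
 
+    class BoundLabel {
+    public:
+        BoundLabel()
+            : m_type(Offset)
+            , m_generator(nullptr)
+            , m_target(0)
+        { }
+
+        explicit BoundLabel(int target)
+            : m_type(Offset)
+            , m_generator(nullptr)
+            , m_target(target)
+        { }
+
+        BoundLabel(BytecodeGenerator* generator, Label* label)
+            : m_type(GeneratorForward)
+            , m_generator(generator)
+            , m_label(label)
+        { }
+
+        BoundLabel(BytecodeGenerator* generator, int offset)
+            : m_type(GeneratorBackward)
+            , m_generator(generator)
+            , m_target(offset)
+        { }
+
+        int target();
+        int saveTarget();
+        int commitTarget();
+
+        operator int() { return target(); }
+
+    private:
+        enum Type : uint8_t {
+            Offset,
+            GeneratorForward,
+            GeneratorBackward,
+        };
+
+        Type m_type;
+        int m_savedTarget { 0 };
+        BytecodeGenerator* m_generator;
+        union {
+            Label* m_label;
+            int m_target;
+        };
+    };
+
     class Label {
     WTF_MAKE_NONCOPYABLE(Label);
     public:
@@ -43,18 +92,24 @@
 
         void setLocation(BytecodeGenerator&, unsigned);
 
-        int bind(BytecodeGenerator*);
+        BoundLabel bind(BytecodeGenerator* generator)
+        {
+            m_bound = true;
+            if (!isForward())
+                return BoundLabel(generator, m_location);
+            return BoundLabel(generator, this);
+        }
 
-        int bind(unsigned offset)
+        BoundLabel bind(unsigned offset)
         {
             m_bound = true;
             if (!isForward())
-                return m_location - offset;
+                return BoundLabel(m_location - offset);
             m_unresolvedJumps.append(offset);
-            return 0;
+            return BoundLabel();
         }
 
-        int bind()
+        BoundLabel bind()
         {
             ASSERT(!isForward());
             return bind(0u);
@@ -74,6 +129,8 @@
         bool isBound() const { return m_bound; }
 
     private:
+        friend class BoundLabel;
+
         typedef Vector<int, 8> JumpVector;
 
         static const unsigned invalidLocation = UINT_MAX;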
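Review bot: `operator int()` in the new `BoundLabel` class makes every instance implicitly convertible to `int`, and for a `GeneratorForward` label `target()` returns 0 (see `BoundLabel::target()` in the BytecodeGenerator.cpp part of this commit), so a forward-bound label passed where an `int` offset is expected compiles and silently yields 0 instead of failing to compile — the opposite direction is guarded by the `explicit BoundLabel(int)` constructor. Consider `explicit operator int() const` (with `target()` made `const` too) if the call sites that rely on the implicit conversion, such as `addOutOfLineJumpTarget(switchInfo.bytecodeOffset, defaultTarget)` in BytecodeGenerator.cpp, are few enough to cast explicitly. The class also has no comment explaining the three `Type` values; one stating that `Offset` carries an already-computed relative offset, `GeneratorBackward` a location resolved against the writer position when `target()` is called, and `GeneratorForward` a pending jump that `commitTarget()` records into the label's `m_unresolvedJumps`, would make the contract visible at the declaration. The `union` should also carry `// m_target is only meaningful for Offset/GeneratorBackward; m_label only for GeneratorForward` since the `GeneratorForward` constructor leaves `m_target` unset and the accessors depend on `m_type` to pick the live member.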
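--- a/tags/Safari-607.1.13/Source/JavaScriptCore/generator/Opcode.rb
+++ b/tags/Safari-607.1.13/Source/JavaScriptCore/generator/Opcode.rb
@@ -118,7 +118,7 @@
         {
             __generator->recordOpcode(opcodeID);
             #{@metadata.create_emitter_local}
-            emit<OpcodeSize::Narrow, NoAssert>(__generator#{untyped_args}#{metadata_arg}) || emit<OpcodeSize::Wide>(__generator#{untyped_args}#{metadata_arg});
+            emit<OpcodeSize::Narrow, NoAssert, false>(__generator#{untyped_args}#{metadata_arg}) || emit<OpcodeSize::Wide, Assert, false>(__generator#{untyped_args}#{metadata_arg});
         }
 
         #{%{
@@ -125,15 +125,16 @@
         template<OpcodeSize size, FitsAssertion shouldAssert = Assert>
         static bool emit(BytecodeGenerator* __generator#{typed_args})
         {
-            __generator->recordOpcode(opcodeID);
             #{@metadata.create_emitter_local}
             return emit<size, shouldAssert>(__generator#{untyped_args}#{metadata_arg});
         }
         } unless @metadata.empty?}
 
-        template<OpcodeSize size, FitsAssertion shouldAssert = Assert>
+        template<OpcodeSize size, FitsAssertion shouldAssert = Assert, bool recordOpcode = true>
         static bool emit(BytecodeGenerator* __generator#{typed_args}#{metadata_param})
         {
+            if (recordOpcode)
+                __generator->recordOpcode(opcodeID);
             bool didEmit = emitImpl<size>(__generator#{untyped_args}#{metadata_arg});
             if (shouldAssert == Assert)
                 ASSERT(didEmit);
@@ -144,10 +145,11 @@
         template<OpcodeSize size>
         static bool emitImpl(BytecodeGenerator* __generator#{typed_args}#{metadata_param})
         {
+            if (size == OpcodeSize::Wide)
+                __generator->alignWideOpcode();
             if (#{map_fields_with_size("size", &:fits_check).join " && "} && (size == OpcodeSize::Wide ? #{op_wide.fits_check(Size::Narrow)} : true)) {
-                if (size == OpcodeSize::Wide) {
+                if (size == OpcodeSize::Wide)
                     #{op_wide.fits_write Size::Narrow}
-                }
                 #{map_fields_with_size("size", &:fits_write).join "\n"}
                 return true;
             }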
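Review bot: The new template parameter in the second hunk is named `recordOpcode`, the same as the member function it gates two lines later, which reads confusingly in the generated C++; `bool shouldRecordOpcode = true`, matching the existing `shouldAssert`, with the two `false` call sites in the first hunk updated, would be clearer. Those call sites also deserve a comment explaining the split, since the opcode is now recorded once before the narrow attempt and both emits pass `false`: `// Record once up front: the narrow attempt may fail the fits check and fall through to the wide retry.` In the third hunk `alignWideOpcode()` runs before the fits check, so on aligned-access CPUs the padding nops are written even if the wide write is then refused; this is presumably fine because a wide encoding is expected to always fit (the caller asserts it), but a comment such as `// Pad before the check: a wide write is expected to always fit.` would record that assumption.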