CFGSimplificationPhase should de-dupe jettisonedBlocks
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-06-13  Saam Barati  <sbarati@apple.com>

        CFGSimplificationPhase should de-dupe jettisonedBlocks
        https://bugs.webkit.org/show_bug.cgi?id=186583

        Reviewed by Filip Pizlo.

        Making the predecessors list unique in r232741 revealed a bug inside
        of CFG simplification, where we try to remove the same predecessor more than
        once from a block's predecessors list. We built the list of blocks to remove
        from the list of successors, which is not unique, causing us to try to remove
        the same predecessor more than once. The solution here is to just add to this
        list of blocks to remove only if the block is not already in the list.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):

2018-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Always use Nuke & Set procedure for x86
        https://bugs.webkit.org/show_bug.cgi?id=186592

        Reviewed by Keith Miller.

        We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
        By doing so, we can concurrently load structure and butterfly at least in x86 environment even in non-collector
        threads.

        * runtime/JSObject.cpp:
        (JSC::JSObject::convertContiguousToArrayStorage):

2018-06-12  Saam Barati  <sbarati@apple.com>

        Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle
        https://bugs.webkit.org/show_bug.cgi?id=186071

        Reviewed by Mark Lam.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine shrinkFootprint]): Deleted.
        * API/JSVirtualMachinePrivate.h:

2018-06-11  Saam Barati  <sbarati@apple.com>

        Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
        https://bugs.webkit.org/show_bug.cgi?id=181409
        <rdar://problem/36383749>

        Reviewed by Keith Miller.

        This patch is me redoing r226655. This is a patch I wrote when
        profiling Speedometer. Fil rolled this change out in r230928. He
        showed this slowed down a sunspider test by ~2x. This sunspider
        regression revealed a real performance bug in the original change:
        we would kill blocks that reached OSR entry targets, sometimes leading
        us to not do OSR entry into the DFG, since we could end up deleting
        entire loops from the CFG. The reason for this is that code that has run
        ~once and that reaches loops often has ForceOSRExits inside of it. The
        solution to this is to not perform this optimization on blocks that can
        reach OSR entry targets.

        The reason I'm redoing this patch is that it turns out Fil rolling
        out the change was a Speedometer 2 regression.

        This is a modified version of the original ChangeLog I wrote in r226655:

        When I was looking at profiler data for Speedometer, I noticed that one of
        the hottest functions in Speedometer is around 1100 bytecode operations long.
        Only about 100 of those bytecode ops ever execute. However, we ended up
        spending a lot of time compiling basic blocks that never executed. We often
        plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
        This is the case when such a node never executes.

        This patch makes it so that anytime a block has a ForceOSRExit, and that block
        can not reach an OSR entry target, we replace its terminal node with an Unreachable
        node, and remove all nodes after the ForceOSRExit. This cuts down the graph
        size since it removes control flow edges from the CFG. This allows us to get
        rid of huge chunks of the CFG in certain programs. When doing this transformation,
        we also insert Flushes/PhantomLocals to ensure we can recover values that are bytecode
        live-in to the ForceOSRExit.

        Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
        does not get rid of all the CFG that it could. If we decide it's worth
        it, we could use additional inputs into this mechanism. For example, we could
        profile if a basic block ever executes inside the LLInt/Baseline, and
        remove parts of the CFG based on that.

        When running Speedometer with the concurrent JIT turned off, this patch
        improves DFG/FTL compile times by around 5%.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::blocksInPostOrder):

2018-06-11  Saam Barati  <sbarati@apple.com>

        The NaturalLoops algorithm only works when the list of blocks in a loop is de-duplicated
        https://bugs.webkit.org/show_bug.cgi?id=184829

        Reviewed by Michael Saboff.

        This patch codifies that a BasicBlock's list of predecessors is de-duplicated.
        In B3/Air, this just meant writing a validation rule. In DFG, this meant
        ensuring this property when building up the predecessors list, and also adding
        a validation rule. The NaturalLoops algorithm relies on this property.

        * b3/B3Validate.cpp:
        * b3/air/AirValidate.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testLoopWithMultipleHeaderEdges):
        (JSC::B3::run):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::handleSuccessor):
        * dfg/DFGValidate.cpp:

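The two invariants described in this entry and in the "CFGSimplificationPhase should de-dupe jettisonedBlocks" entry above, modelled in a small added example (not JSC code): successor lists may repeat a block, predecessor lists must not, and a jettison list built from successors has to be de-duplicated before predecessors are removed. All names here are assumptions of the model, not the DFG's own types.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

// Tiny CFG model of the two invariants the entries describe. A successor
// list may name the same block twice (a branch whose taken and not-taken
// targets coincide), but a block's predecessor list must stay unique,
// because the NaturalLoops algorithm relies on that.
struct Block {
    int index;
    std::vector<Block*> successors;   // may contain duplicates
    std::vector<Block*> predecessors; // kept unique by handleSuccessor below
};

// Modelled on the DFG fix: record the predecessor edge only once, even when
// `from` reaches `to` over several edges.
void handleSuccessor(Block* from, Block* to)
{
    from->successors.push_back(to);
    if (std::find(to->predecessors.begin(), to->predecessors.end(), from) == to->predecessors.end())
        to->predecessors.push_back(from);
}

// Removes `pred` from `block`'s predecessor list; false if it was not there,
// which in the real phase is an invariant violation rather than a no-op.
bool removePredecessor(Block* block, Block* pred)
{
    auto it = std::find(block->predecessors.begin(), block->predecessors.end(), pred);
    if (it == block->predecessors.end())
        return false;
    block->predecessors.erase(it);
    return true;
}

// The buggy shape: the blocks to jettison are taken straight from the
// (non-unique) successor list.
std::vector<Block*> jettisonedBlocksBuggy(const Block* block)
{
    return block->successors;
}

// The fixed shape: a successor is added only if it is not already listed.
std::vector<Block*> jettisonedBlocksFixed(const Block* block)
{
    std::vector<Block*> result;
    for (Block* successor : block->successors) {
        if (std::find(result.begin(), result.end(), successor) == result.end())
            result.push_back(successor);
    }
    return result;
}

// Detaches `block` from every jettisoned successor. Returns how many
// removals found nothing to remove (0 when the list is de-duplicated).
size_t jettison(Block* block, const std::vector<Block*>& toRemove)
{
    size_t failedRemovals = 0;
    for (Block* successor : toRemove) {
        if (!removePredecessor(successor, block))
            ++failedRemovals;
    }
    return failedRemovals;
}

// Constructed scenario: `entry` branches to `target` on both edges. Returns
// the number of failed predecessor removals for the chosen list strategy.
size_t failedRemovalsInScenario(bool useFixedList)
{
    Block entry { 0, {}, {} };
    Block target { 1, {}, {} };
    handleSuccessor(&entry, &target);
    handleSuccessor(&entry, &target); // second edge to the same block
    std::vector<Block*> toRemove = useFixedList ? jettisonedBlocksFixed(&entry) : jettisonedBlocksBuggy(&entry);
    return jettison(&entry, toRemove);
}

// Number of predecessors `target` records after two edges from `entry`.
size_t predecessorCountAfterTwoEdges()
{
    Block entry { 0, {}, {} };
    Block target { 1, {}, {} };
    handleSuccessor(&entry, &target);
    handleSuccessor(&entry, &target);
    return target.predecessors.size();
}

int main()
{
    std::printf("predecessors after two edges: %zu\n", predecessorCountAfterTwoEdges());
    std::printf("failed removals, buggy list: %zu\n", failedRemovalsInScenario(false));
    std::printf("failed removals, fixed list: %zu\n", failedRemovalsInScenario(true));
    return 0;
}
```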
2018-06-11  Keith Miller  <keith_miller@apple.com>

        Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire which churns 65KB of memory
        https://bugs.webkit.org/show_bug.cgi?id=186467

        Reviewed by Simon Fraser.

        This patch adds a LazyFireDetail that wraps ScopedLambda so that
        we don't actually malloc any strings for firing unless those
        Strings are actually going to be printed.

        * bytecode/Watchpoint.h:
        (JSC::LazyFireDetail::LazyFireDetail):
        * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
        (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
        * dfg/DFGAdaptiveStructureWatchpoint.cpp:
        (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):

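The pattern this entry describes, as an added example that is not JSC's code: an eager fire detail builds its description string whether or not anyone prints it, while a lazy detail holds a lambda and only runs it inside dump(). std::function stands in for ScopedLambda, and the PrintStream and Structure types are constructed stand-ins.

```cpp
#include <cstdio>
#include <functional>
#include <string>
#include <utility>

// Minimal sink for dumped text (stand-in for JSC's PrintStream).
class PrintStream {
public:
    void print(const std::string& s) { m_buffer += s; }
    const std::string& contents() const { return m_buffer; }
private:
    std::string m_buffer;
};

// A fire detail is only ever dumped when verbose watchpoint logging is on.
class FireDetail {
public:
    virtual ~FireDetail() = default;
    virtual void dump(PrintStream&) const = 0;
};

// Eager form: the string (and its heap allocation) exists from construction.
class StringFireDetail : public FireDetail {
public:
    explicit StringFireDetail(std::string description) : m_description(std::move(description)) { }
    void dump(PrintStream& out) const override { out.print(m_description); }
private:
    std::string m_description;
};

// Lazy form: keep the lambda that knows how to describe the fire and run it
// only from dump(). JSC wraps a ScopedLambda here; std::function is the
// stand-in in this example.
class LazyFireDetail : public FireDetail {
public:
    explicit LazyFireDetail(std::function<void(PrintStream&)> describe) : m_describe(std::move(describe)) { }
    void dump(PrintStream& out) const override { m_describe(out); }
private:
    std::function<void(PrintStream&)> m_describe;
};

// Constructed stand-in for a Structure whose dump() is the expensive call
// the entry wants to avoid; counts how often it was invoked.
struct Structure {
    std::string name;
    mutable int dumpCount = 0;
    std::string dump() const { ++dumpCount; return "Structure(" + name + ")"; }
};

// Fires the watchpoint; the detail is dumped only when verbose logging is on.
void fireWatchpoint(const FireDetail& detail, bool verbose, PrintStream& out)
{
    if (verbose)
        detail.dump(out);
}

// Structure::dump() calls made by the eager detail with logging off.
int eagerDumpsWhenQuiet()
{
    Structure structure { "Object" };
    StringFireDetail detail("Adaptive watchpoint fired: " + structure.dump());
    PrintStream out;
    fireWatchpoint(detail, false, out);
    return structure.dumpCount;
}

// Structure::dump() calls made by the lazy detail with logging off.
int lazyDumpsWhenQuiet()
{
    Structure structure { "Object" };
    LazyFireDetail detail([&](PrintStream& out) { out.print("Adaptive watchpoint fired: " + structure.dump()); });
    PrintStream out;
    fireWatchpoint(detail, false, out);
    return structure.dumpCount;
}

// With logging on, the lazy detail still produces the full description.
std::string lazyOutputWhenVerbose()
{
    Structure structure { "Object" };
    LazyFireDetail detail([&](PrintStream& out) { out.print("Adaptive watchpoint fired: " + structure.dump()); });
    PrintStream out;
    fireWatchpoint(detail, true, out);
    return out.contents();
}

int main()
{
    std::printf("eager dumps when quiet: %d\n", eagerDumpsWhenQuiet());
    std::printf("lazy dumps when quiet: %d\n", lazyDumpsWhenQuiet());
    std::printf("lazy verbose output: %s\n", lazyOutputWhenVerbose().c_str());
    return 0;
}
```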
2018-06-11  Mark Lam  <mark.lam@apple.com>

        Add support for webkit-test-runner jscOptions in DumpRenderTree and WebKitTestRunner.
        https://bugs.webkit.org/show_bug.cgi?id=186451
        <rdar://problem/40875792>

        Reviewed by Tim Horton.

        Enhance setOptions() to be able to take a comma-separated options string in
        addition to whitespace-separated options strings.

        * runtime/Options.cpp:
        (JSC::isSeparator):
        (JSC::Options::setOptions):

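A tokenizer accepting both separator styles this entry describes, as an added example rather than the Options::setOptions implementation; it assumes the "--name=value" / "--name" token form, and the option names used are constructed placeholders, not real JSC options.

```cpp
#include <cctype>
#include <map>
#include <string>
#include <vector>

// Either a comma or any whitespace character ends a token.
bool isSeparator(char c)
{
    return c == ',' || std::isspace(static_cast<unsigned char>(c));
}

// Splits the options string on separators, dropping empty tokens so that
// ", " or doubled commas do not produce spurious entries.
std::vector<std::string> splitOptions(const std::string& options)
{
    std::vector<std::string> tokens;
    std::string current;
    for (char c : options) {
        if (!isSeparator(c)) {
            current += c;
            continue;
        }
        if (!current.empty()) {
            tokens.push_back(current);
            current.clear();
        }
    }
    if (!current.empty())
        tokens.push_back(current);
    return tokens;
}

// Parses every token as --name=value or --name (recorded as "true").
// Returns false on the first malformed token: no "--" prefix or empty name.
bool parseOptions(const std::string& optionsString, std::map<std::string, std::string>& out)
{
    for (const std::string& token : splitOptions(optionsString)) {
        if (token.compare(0, 2, "--") != 0)
            return false;
        std::string::size_type eq = token.find('=');
        std::string name = token.substr(2, eq == std::string::npos ? std::string::npos : eq - 2);
        if (name.empty())
            return false;
        out[name] = eq == std::string::npos ? std::string("true") : token.substr(eq + 1);
    }
    return true;
}

// Value of `name` after parsing; "" if absent or if the string is malformed.
std::string optionValue(const std::string& optionsString, const std::string& name)
{
    std::map<std::string, std::string> parsed;
    if (!parseOptions(optionsString, parsed))
        return "";
    std::map<std::string, std::string>::const_iterator it = parsed.find(name);
    return it == parsed.end() ? "" : it->second;
}
```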
2018-06-11  Michael Saboff  <msaboff@apple.com>

        JavaScriptCore: Disable 32-bit JIT on Windows
        https://bugs.webkit.org/show_bug.cgi?id=185989

        Reviewed by Mark Lam.

        Fixed the CLOOP so it can work when COMPUTED_GOTOs are not supported.

        * llint/LLIntData.h:
        (JSC::LLInt::getCodePtr): Used a reinterpret_cast since Opcode could be an int.
        * llint/LowLevelInterpreter.cpp: Changed the definition of OFFLINE_ASM_GLOBAL_LABEL to not
        have a case label because these aren't opcodes.
        * runtime/Options.cpp: Made assembler related Windows conditional code also conditional
        on the JIT being enabled.
        (JSC::recomputeDependentOptions):

2018-06-11  Michael Saboff  <msaboff@apple.com>

        Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=186477

        Reviewed by Filip Pizlo.

        Fixed bug where we were using the wrong frame size for TypeParenthesesSubpatternTerminalBegin
        YARR interpreter nodes.  This caused us to overwrite other frame information.

        Added frame offset debugging code to YARR interpreter.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::emitDisjunction):
        (JSC::Yarr::ByteCompiler::dumpDisjunction):

2018-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Array.prototype.sort should reject null comparator
        https://bugs.webkit.org/show_bug.cgi?id=186458

        Reviewed by Keith Miller.

        This relaxed behavior was once introduced in r216169 to fix some pages by aligning
        the behavior to Chrome and Firefox.

        However, now Chrome, Firefox and Edge reject a null comparator. So only JavaScriptCore
        accepts it. This patch reverts r216169 to align JSC to the other engines and fix
        the spec issue.

        * builtins/ArrayPrototype.js:
        (sort):

2018-06-09  Dan Bernstein  <mitz@apple.com>

        [Xcode] Clean up and modernize some build setting definitions
        https://bugs.webkit.org/show_bug.cgi?id=186463

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig: Removed definition for macOS 10.11. Simplified the
          definition of WK_PRIVATE_FRAMEWORK_STUBS_DIR now that WK_XCODE_SUPPORTS_TEXT_BASED_STUBS
          is true for all supported Xcode versions.
        * Configurations/DebugRelease.xcconfig: Removed definition for macOS 10.11.
        * Configurations/FeatureDefines.xcconfig: Simplified the definitions of ENABLE_APPLE_PAY and
          ENABLE_VIDEO_PRESENTATION_MODE now macOS 10.12 is the earliest supported version.
        * Configurations/Version.xcconfig: Removed definition for macOS 10.11.
        * Configurations/WebKitTargetConditionals.xcconfig: Removed definitions for macOS 10.11.

2018-06-09  Dan Bernstein  <mitz@apple.com>

        Added missing file references to the Configuration group.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-06-08  Darin Adler  <darin@apple.com>

        [Cocoa] Remove all uses of NSAutoreleasePool as part of preparation for ARC
        https://bugs.webkit.org/show_bug.cgi?id=186436

        Reviewed by Anders Carlsson.

        * heap/Heap.cpp: Include FoundationSPI.h rather than directly including
        objc-internal.h and explicitly declaring the alternative.

2018-06-08  Wenson Hsieh  <wenson_hsieh@apple.com>

        [WebKit on watchOS] Upstream watchOS source additions to OpenSource (Part 1)
        https://bugs.webkit.org/show_bug.cgi?id=186442
        <rdar://problem/40879364>

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2018-06-08  Tadeu Zagallo  <tzagallo@apple.com>

        jumpTrueOrFalse only takes the fast path for boolean false on 64bit LLInt
        https://bugs.webkit.org/show_bug.cgi?id=186446
        <rdar://problem/40949995>

        Reviewed by Mark Lam.

        On 64bit LLInt, jumpTrueOrFalse did a mask check to take the fast path for
        boolean literals, but it would only work for false. Change it so that it
        takes the fast path for true, false, null and undefined.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:

2018-06-08  Brian Burg  <bburg@apple.com>

        [Cocoa] Web Automation: include browser name and version in listing for automation targets
        https://bugs.webkit.org/show_bug.cgi?id=186204
        <rdar://problem/36950423>

        Reviewed by Darin Adler.

        Ask the client what the reported browser name and version should be, then
        send this as part of the listing for an automation target.

        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::listingForAutomationTarget const):

2018-06-07  Chris Dumez  <cdumez@apple.com>

        Add base class to get WeakPtrFactory member and avoid some boilerplate code
        https://bugs.webkit.org/show_bug.cgi?id=186407

        Reviewed by Brent Fulgham.

        Add CanMakeWeakPtr base class to get WeakPtrFactory member and its getter, in
        order to avoid some boilerplate code in every class needing a WeakPtrFactory.
        This also gets rid of old-style createWeakPtr() methods in favor of the newer
        makeWeakPtr().

        * wasm/WasmInstance.h:
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::registerInstance):

2018-06-07  Tadeu Zagallo  <tzagallo@apple.com>

        Don't try to allocate JIT memory if we don't have the JIT entitlement
        https://bugs.webkit.org/show_bug.cgi?id=182605
        <rdar://problem/38271229>

        Reviewed by Mark Lam.

        Check that the current process has the correct entitlements before
        trying to allocate JIT memory to silence warnings.

        * jit/ExecutableAllocator.cpp:
        (JSC::allowJIT): Helper that checks entitlements on iOS and returns true on other platforms.
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Check allowJIT before trying to allocate.

2018-06-07  Saam Barati  <sbarati@apple.com>

        TierUpCheckInjectionPhase systematically never puts the outer-most loop in an inner loop's vector of outer loops
        https://bugs.webkit.org/show_bug.cgi?id=186386

        Reviewed by Filip Pizlo.

        This looks like an 8% speedup on Kraken's imaging-gaussian-blur subtest.

        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):

2018-06-02  Filip Pizlo  <fpizlo@apple.com>

        FunctionRareData::m_objectAllocationProfileWatchpoint is racy
        https://bugs.webkit.org/show_bug.cgi?id=186237

        Reviewed by Saam Barati.

        We initialize it blind and let it go into auto-watch mode once the DFG adds a watchpoint, but
        that means that we never notice that it fired if it fires between when the DFG decides to
        watch it and when it actually adds the watchpoint.

        Most watchpoints are initialized watched for this purpose. This one had a somewhat good
        reason for being initialized blind: that's how we knew to ignore changes to the prototype
        before the first allocation. However, that functionality also arose out of the fact that the
        rare data is created lazily and usually won't exist until the first allocation.

        The fix here is to make the watchpoint go into watched mode as soon as we initialize the
        object allocation profile.

        It's hard to repro this race, however it started causing spurious test failures for me after
        bug 164904.

        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::FunctionRareData):
        (JSC::FunctionRareData::initializeObjectAllocationProfile):

2018-06-07  Saam Barati  <sbarati@apple.com>

        Make DFG to FTL OSR entry code more sane by removing bad RELEASE_ASSERTS and making it trigger compiles in outer loops before inner ones
        https://bugs.webkit.org/show_bug.cgi?id=186218
        <rdar://problem/38449540>

        Reviewed by Filip Pizlo.

        This patch makes tierUpCommon a tad bit more sane. There are a few things
        that I did:
        - There were a few release asserts that were crashing. Those release asserts
        were incorrect. They were making assumptions about how the code and data
        structures were ordered that were wrong. This patch removes them. The code
        was using the loop hierarchy vector to make assumptions about which loop we
        were currently executing in, which is incorrect. The only information that
        can be used about where we're currently executing is the bytecode index we're
        at.
        - This makes it so that we go back to trying to compile outer loops before
        inner loops. JF accidentally reverted this behavior that Ben implemented.
        JF made it so that we just compiled the innermost loop. I make this
        functionality work by first triggering a compile for the outermost loop
        that the code is currently executing in and that can perform OSR entry.
        However, some programs can get stuck in inner loops. The code works by
        progressively asking inner loops to compile if program execution has not
        yet reached an outer loop.

        * dfg/DFGOperations.cpp:

2018-06-06  Guillaume Emont  <guijemont@igalia.com>

        ArityFixup should adjust SP first on 32-bit platforms too
        https://bugs.webkit.org/show_bug.cgi?id=186351

        Reviewed by Yusuke Suzuki.

        * jit/ThunkGenerators.cpp:
        (JSC::arityFixupGenerator):

2018-06-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Compare operations do not respect negative zeros
        https://bugs.webkit.org/show_bug.cgi?id=183729

        Reviewed by Saam Barati.

        Compare operations do not respect negative zeros. So propagating this can
        reduce the size of the produced code for negative zero case. This pattern
        can be seen in Kraken stanford-crypto-aes.

        This also causes an existing bug which converts CompareEq(Int32Only, NonIntAsdouble) to false.
        However, NonIntAsdouble includes negative zero, which can be equal to Int32 positive zero.
        This issue is covered by fold-based-on-int32-proof-mul-branch.js, and we fix this.

        * bytecode/SpeculatedType.cpp:
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0.
        To emphasize this, we use SpecAnyIntAsDouble | SpecNonIntAsDouble directly instead of
        SpecDoubleReal.

        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):

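The negative-zero hole this entry closes, as an added example that is not JSC's code: a constructed speculation lattice in which -0.0 is classified as SpecNonIntAsDouble, a "buggy" and a "fixed" least-upper-bound of strictly equivalent speculations, and a check showing that the buggy one folds CompareEq(Int32Only, NonIntAsDouble) to false even though 0 === -0.0. The bit values and function shapes are assumptions of the model.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

// Constructed speculation bits; only their relationships matter here.
typedef uint32_t SpeculatedType;
const SpeculatedType SpecInt32Only      = 1u << 0; // values held as int32
const SpeculatedType SpecAnyIntAsDouble = 1u << 1; // integral doubles such as 3.0
const SpeculatedType SpecNonIntAsDouble = 1u << 2; // -0.0, fractions, NaN, infinities
const SpeculatedType SpecDoubleReal     = SpecAnyIntAsDouble | SpecNonIntAsDouble;

// Classifies a concrete double under the constructed lattice. Negative zero
// is not an "int as double", so it lands in SpecNonIntAsDouble.
SpeculatedType speculationFromDouble(double value)
{
    if (std::isnan(value) || std::isinf(value))
        return SpecNonIntAsDouble;
    if (value == 0 && std::signbit(value))
        return SpecNonIntAsDouble;
    if (value != std::trunc(value))
        return SpecNonIntAsDouble;
    return SpecAnyIntAsDouble;
}

// Buggy widening: an Int32 operand is considered strictly equal only to
// integral doubles, so -0.0 (SpecNonIntAsDouble) is missed.
SpeculatedType leastUpperBoundBuggy(SpeculatedType type)
{
    if (type & (SpecInt32Only | SpecAnyIntAsDouble))
        type |= SpecInt32Only | SpecAnyIntAsDouble;
    return type;
}

// Fixed widening, in the spirit of the entry: any real-number speculation is
// widened with SpecAnyIntAsDouble | SpecNonIntAsDouble spelled out, so the
// negative-zero case is covered.
SpeculatedType leastUpperBoundFixed(SpeculatedType type)
{
    if (type & (SpecInt32Only | SpecDoubleReal))
        type |= SpecInt32Only | SpecAnyIntAsDouble | SpecNonIntAsDouble;
    return type;
}

// The fold question: may CompareEq(left, right) be constant-folded to false
// because no value of `left` can be strictly equal to a value of `right`?
bool canFoldCompareEqToFalse(SpeculatedType left, SpeculatedType right, SpeculatedType (*lub)(SpeculatedType))
{
    return !(lub(left) & right);
}

// Soundness check on concrete operands: true if the fold claims "never
// equal" for two values that are in fact equal.
bool foldContradictsValues(int32_t left, double right, SpeculatedType (*lub)(SpeculatedType))
{
    bool folded = canFoldCompareEqToFalse(SpecInt32Only, speculationFromDouble(right), lub);
    bool actuallyEqual = static_cast<double>(left) == right; // matches JS === for an int32 and a double
    return folded && actuallyEqual;
}

int main()
{
    std::printf("buggy fold contradicts 0 === -0.0: %d\n", foldContradictsValues(0, -0.0, leastUpperBoundBuggy));
    std::printf("fixed fold contradicts 0 === -0.0: %d\n", foldContradictsValues(0, -0.0, leastUpperBoundFixed));
    return 0;
}
```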
2018-06-06  Saam Barati  <sbarati@apple.com>

        generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
        https://bugs.webkit.org/show_bug.cgi?id=186363

        Rubber-stamped by Filip Pizlo.

        The code was assuming that the object it was creating an OPC for always
        had a non-poly-proto structure. However, this assumption was wrong. For
        example, an object in the prototype chain could be poly proto. That type
        of object graph would cause a crash in this code. This patch makes it so
        that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
        object as we traverse the prototype chain.

        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForInstanceOf):

2018-06-05  Brent Fulgham  <bfulgham@apple.com>

        Adjust compile and runtime flags to match shippable state of features
        https://bugs.webkit.org/show_bug.cgi?id=186319
        <rdar://problem/40352045>

        Reviewed by Maciej Stachowiak, Jon Lee, and others.

        This patch revises the compile time and runtime state for various features to match their
        suitability for end-user releases.

        * Configurations/DebugRelease.xcconfig: Update to match WebKit definition of
        WK_RELOCATABLE_FRAMEWORKS so that ENABLE(EXPERIMENTAL_FEATURES) is defined properly for
        Cocoa builds.
        * Configurations/FeatureDefines.xcconfig: Don't build ENABLE_INPUT_TYPE_COLOR
        or ENABLE_INPUT_TYPE_COLOR_POPOVER.
        * runtime/Options.h: Only enable INTL_NUMBER_FORMAT_TO_PARTS and INTL_PLURAL_RULES
        at runtime for non-production builds.

2018-06-05  Brent Fulgham  <bfulgham@apple.com>

        Revise DEFAULT_EXPERIMENTAL_FEATURES_ENABLED to work properly on Apple builds
        https://bugs.webkit.org/show_bug.cgi?id=186286
        <rdar://problem/40782992>

        Reviewed by Dan Bernstein.

        Use the WK_RELOCATABLE_FRAMEWORKS flag (which is always defined for non-production builds)
        to define ENABLE(EXPERIMENTAL_FEATURES) so that we do not need to manually
        change this flag when preparing for a production release.

        * Configurations/FeatureDefines.xcconfig: Use WK_RELOCATABLE_FRAMEWORKS to determine
        whether experimental features should be enabled, and use it to properly define the
        feature flag.

2018-06-05  Darin Adler  <darin@apple.com>

        [Cocoa] Update some JavaScriptCore code to be more ready for ARC
        https://bugs.webkit.org/show_bug.cgi?id=186301

        Reviewed by Anders Carlsson.

        * API/JSContext.mm:
        (-[JSContext evaluateScript:withSourceURL:]): Use __bridge for typecast.
        (-[JSContext setName:]): Removed unnecessary call to copy, since the
        JSStringCreateWithCFString function already reads the characters out
        of the string and does not retain the string, so there is no need to
        make an immutable copy. And used __bridge for typecast.
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
        Ditto.

        * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
        Use CFBridgingRelease instead of autorelease for a CF dictionary that
        we return as an NSDictionary.

2018-06-04  Keith Miller  <keith_miller@apple.com>

        Remove missing files from JavaScriptCore Xcode project
        https://bugs.webkit.org/show_bug.cgi?id=186297

        Reviewed by Saam Barati.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-06-04  Keith Miller  <keith_miller@apple.com>

        Add test for CoW conversions in the DFG/FTL
        https://bugs.webkit.org/show_bug.cgi?id=186295

        Reviewed by Saam Barati.

        Add a function to $vm that returns a JSString containing the
        dataLog dump of the indexingMode of an Object.

        * tools/JSDollarVM.cpp:
        (JSC::functionIndexingMode):
        (JSC::JSDollarVM::finishCreation):

2018-06-04  Saam Barati  <sbarati@apple.com>

        Set the activeLength of all ScratchBuffers to zero when exiting the VM
        https://bugs.webkit.org/show_bug.cgi?id=186284
        <rdar://problem/40780738>

        Reviewed by Keith Miller.

        Simon recently found instances where we leak global objects from the
        ScratchBuffer. Yusuke found that we forgot to set the active length
        back to zero when doing catch OSR entry in the DFG/FTL. His solution
        to this was adding a node that cleared the active length. This is
        a good node to have, but it's not a complete solution: the DFG/FTL
        could OSR exit before that node executes, which would cause us to leak
        the data in it.

        This patch makes it so that we set each scratch buffer's active length
        to zero on VM exit. This helps prevent leaks for JS code that eventually
        exits the VM (which is essentially all code on the web and all API users).

        * runtime/VM.cpp:
        (JSC::VM::clearScratchBuffers):
        * runtime/VM.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::~VMEntryScope):

2018-06-04  Keith Miller  <keith_miller@apple.com>

        JSLock should clear last exception when releasing the lock
        https://bugs.webkit.org/show_bug.cgi?id=186277

        Reviewed by Mark Lam.

        If we don't clear the last exception we essentially leak the
        object and everything referenced by it until another exception is
        thrown.

        * runtime/JSLock.cpp:
        (JSC::JSLock::willReleaseLock):

2018-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Get rid of UnconditionalFinalizers and WeakReferenceHarvesters
        https://bugs.webkit.org/show_bug.cgi?id=180248

        Reviewed by Sam Weinig.

        As a final step, this patch removes ListableHandler from JSC.
        Nobody uses UnconditionalFinalizers and WeakReferenceHarvesters now.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.h:
        * heap/ListableHandler.h: Removed.

2018-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
        https://bugs.webkit.org/show_bug.cgi?id=186223

        Reviewed by Keith Miller.

        After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
        It makes this buffer a conservative GC root, and allows it to hold GC objects unnecessarily long.

        This patch introduces DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
        We model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize too to make
        this ClearCatchLocals valid.

        The existing tests for ExtractCatchLocal just pass.

        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):

2018-06-02  Darin Adler  <darin@apple.com>

        [Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
        https://bugs.webkit.org/show_bug.cgi?id=186227

        Reviewed by Dan Bernstein.

        * API/JSContext.mm:
        (-[JSContext name]): Use CFBridgingRelease instead of autorelease.
        * API/JSValue.mm:
        (valueToObjectWithoutCopy): Use CFBridgingRelease instead of autorelease.
        (containerValueToObject): Use adoptCF instead of autorelease. This is not only more
        ARC-compatible, but more efficient.
        (valueToString): Use CFBridgingRelease instead of autorelease.

2018-06-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for addition operations
        https://bugs.webkit.org/show_bug.cgi?id=179002

        Reviewed by Yusuke Suzuki.

        This patch implements support for BigInt operands in the binary "+"
        and binary "-" operators. Right now, we have limited support in the DFG
        and FTL JIT layers, but we plan to fix this support in future
        patches.

        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::stringToBigInt):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::remainder):
        (JSC::JSBigInt::add):
        (JSC::JSBigInt::sub):
        (JSC::JSBigInt::absoluteAdd):
        (JSC::JSBigInt::absoluteSub):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::toNumber const):
        (JSC::JSBigInt::getPrimitiveNumber const):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsSub):

2018-06-02  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r232439.
        https://bugs.webkit.org/show_bug.cgi?id=186238

        It breaks gtk-linux-32-release (Requested by caiolima on
        #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for addition operations"
        https://bugs.webkit.org/show_bug.cgi?id=179002
        https://trac.webkit.org/changeset/232439

2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        Baseline op_jtrue emits an insane amount of code
        https://bugs.webkit.org/show_bug.cgi?id=185708

        Reviewed by Filip Pizlo.

        op_jtrue / op_jfalse bloat a massive amount of code. This patch attempts to reduce the size of this code by:

        1. op_jtrue / op_jfalse immediately jumps if the condition is met. We add AssemblyHelpers::branchIf{Truthy,Falsey}
           to jump directly. This tightens the code.

        2. Align our emitConvertValueToBoolean implementation to FTL's boolify function. It emits less code.

        This reduces the code size of op_jtrue in x64 from 220 bytes to 164 bytes.

        [  12] jtrue             arg1, 6(->18)
              0x7f233170162c: mov 0x30(%rbp), %rax
              0x7f2331701630: mov %rax, %rsi
              0x7f2331701633: xor $0x6, %rsi
              0x7f2331701637: test $0xfffffffffffffffe, %rsi
              0x7f233170163e: jnz 0x7f2331701654
              0x7f2331701644: cmp $0x7, %eax
              0x7f2331701647: setz %sil
              0x7f233170164b: movzx %sil, %esi
              0x7f233170164f: jmp 0x7f2331701705
              0x7f2331701654: test %rax, %r14
              0x7f2331701657: jz 0x7f233170169c
              0x7f233170165d: cmp %r14, %rax
              0x7f2331701660: jb 0x7f2331701675
              0x7f2331701666: test %eax, %eax
              0x7f2331701668: setnz %sil
              0x7f233170166c: movzx %sil, %esi
              0x7f2331701670: jmp 0x7f2331701705
              0x7f2331701675: lea (%r14,%rax), %rsi
              0x7f2331701679: movq %rsi, %xmm0
              0x7f233170167e: xorps %xmm1, %xmm1
              0x7f2331701681: ucomisd %xmm1, %xmm0
              0x7f2331701685: jz 0x7f2331701695
              0x7f233170168b: mov $0x1, %esi
              0x7f2331701690: jmp 0x7f2331701705
              0x7f2331701695: xor %esi, %esi
              0x7f2331701697: jmp 0x7f2331701705
              0x7f233170169c: test %rax, %r15
              0x7f233170169f: jnz 0x7f2331701703
              0x7f23317016a5: cmp $0x1, 0x5(%rax)
              0x7f23317016a9: jnz 0x7f23317016c1
              0x7f23317016af: mov 0x8(%rax), %esi
              0x7f23317016b2: test %esi, %esi
              0x7f23317016b4: setnz %sil
              0x7f23317016b8: movzx %sil, %esi
              0x7f23317016bc: jmp 0x7f2331701705
              0x7f23317016c1: test $0x1, 0x6(%rax)
              0x7f23317016c5: jz 0x7f23317016f9
              0x7f23317016cb: mov (%rax), %esi
              0x7f23317016cd: mov $0x7f23315000c8, %rdx
              0x7f23317016d7: mov (%rdx), %rdx
              0x7f23317016da: mov (%rdx,%rsi,8), %rsi
              0x7f23317016de: mov $0x7f2330de0000, %rdx
              0x7f23317016e8: cmp %rdx, 0x18(%rsi)
732               0x7f23317016ec: jnz 0x7f23317016f9
733               0x7f23317016f2: xor %esi, %esi
734               0x7f23317016f4: jmp 0x7f2331701705
735               0x7f23317016f9: mov $0x1, %esi
736               0x7f23317016fe: jmp 0x7f2331701705
737               0x7f2331701703: xor %esi, %esi
738               0x7f2331701705: test %esi, %esi
739               0x7f2331701707: jnz 0x7f233170171b
740
741         [  12] jtrue             arg1, 6(->18)
742               0x7f6c8710156c: mov 0x30(%rbp), %rax
743               0x7f6c87101570: test %rax, %r15
744               0x7f6c87101573: jnz 0x7f6c871015c8
745               0x7f6c87101579: cmp $0x1, 0x5(%rax)
746               0x7f6c8710157d: jnz 0x7f6c87101592
747               0x7f6c87101583: cmp $0x0, 0x8(%rax)
748               0x7f6c87101587: jnz 0x7f6c87101623
749               0x7f6c8710158d: jmp 0x7f6c87101615
750               0x7f6c87101592: test $0x1, 0x6(%rax)
751               0x7f6c87101596: jz 0x7f6c87101623
752               0x7f6c8710159c: mov (%rax), %esi
753               0x7f6c8710159e: mov $0x7f6c86f000e0, %rdx
754               0x7f6c871015a8: mov (%rdx), %rdx
755               0x7f6c871015ab: mov (%rdx,%rsi,8), %rsi
756               0x7f6c871015af: mov $0x7f6c867e0000, %rdx
757               0x7f6c871015b9: cmp %rdx, 0x18(%rsi)
758               0x7f6c871015bd: jnz 0x7f6c87101623
759               0x7f6c871015c3: jmp 0x7f6c87101615
760               0x7f6c871015c8: cmp %r14, %rax
761               0x7f6c871015cb: jb 0x7f6c871015de
762               0x7f6c871015d1: test %eax, %eax
763               0x7f6c871015d3: jnz 0x7f6c87101623
764               0x7f6c871015d9: jmp 0x7f6c87101615
765               0x7f6c871015de: test %rax, %r14
766               0x7f6c871015e1: jz 0x7f6c87101602
767               0x7f6c871015e7: lea (%r14,%rax), %rsi
768               0x7f6c871015eb: movq %rsi, %xmm0
769               0x7f6c871015f0: xorps %xmm1, %xmm1
770               0x7f6c871015f3: ucomisd %xmm1, %xmm0
771               0x7f6c871015f7: jz 0x7f6c87101615
772               0x7f6c871015fd: jmp 0x7f6c87101623
773               0x7f6c87101602: mov $0x7, %r11
774               0x7f6c8710160c: cmp %r11, %rax
775               0x7f6c8710160f: jz 0x7f6c87101623
776
777         * dfg/DFGSpeculativeJIT32_64.cpp:
778         (JSC::DFG::SpeculativeJIT::emitBranch):
779         * dfg/DFGSpeculativeJIT64.cpp:
780         (JSC::DFG::SpeculativeJIT::emitBranch):
781         * jit/AssemblyHelpers.cpp:
782         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
783         (JSC::AssemblyHelpers::branchIfValue):
784         * jit/AssemblyHelpers.h:
785         (JSC::AssemblyHelpers::branchIfTruthy):
786         (JSC::AssemblyHelpers::branchIfFalsey):
787         * jit/JIT.h:
788         * jit/JITInlines.h:
789         (JSC::JIT::addJump):
790         * jit/JITOpcodes.cpp:
791         (JSC::JIT::emit_op_jfalse):
792         (JSC::JIT::emit_op_jtrue):
793         * jit/JITOpcodes32_64.cpp:
794         (JSC::JIT::emit_op_jfalse):
795         (JSC::JIT::emit_op_jtrue):
796
797 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
798
799         [JSC] Remove WeakReferenceHarvester
800         https://bugs.webkit.org/show_bug.cgi?id=186102
801
802         Reviewed by Filip Pizlo.
803
804         After several cleanups, JSWeakMap is now the last user of WeakReferenceHarvester.
805         Since JSWeakMap is already managed in an IsoSubspace, we can iterate marked JSWeakMaps
806         by using output constraints & Subspace iteration.
807
808         This patch removes WeakReferenceHarvester. Instead of managing this linked-list, our
809         output constraint set iterates marked JSWeakMap by using Subspace.
810
811         And we also add locking for JSWeakMap's rehash and output constraint visiting.
812
813         Attached microbenchmark does not show any regression.
814
815         * API/JSAPIWrapperObject.h:
816         * CMakeLists.txt:
817         * JavaScriptCore.xcodeproj/project.pbxproj:
818         * heap/Heap.cpp:
819         (JSC::Heap::endMarking):
820         (JSC::Heap::addCoreConstraints):
821         * heap/Heap.h:
822         * heap/SlotVisitor.cpp:
823         (JSC::SlotVisitor::addWeakReferenceHarvester): Deleted.
824         * heap/SlotVisitor.h:
825         * heap/WeakReferenceHarvester.h: Removed.
826         * runtime/WeakMapImpl.cpp:
827         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
828         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitOutputConstraints):
829         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
830         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences): Deleted.
831         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences): Deleted.
832         * runtime/WeakMapImpl.h:
833         (JSC::WeakMapImpl::WeakMapImpl):
834         (JSC::WeakMapImpl::finishCreation):
835         (JSC::WeakMapImpl::rehash):
836         (JSC::WeakMapImpl::makeAndSetNewBuffer):
837         (JSC::WeakMapImpl::DeadKeyCleaner::target): Deleted.
838
839 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
840
841         [JSC] Object.create should have intrinsic
842         https://bugs.webkit.org/show_bug.cgi?id=186200
843
844         Reviewed by Filip Pizlo.
845
846         Object.create is used in various JS code. `Object.create(null)` is particularly used
847         to create an empty plain object with a null [[Prototype]]. We can find `Object.create(null)`
848         calls in ARES-6/Babylon code.
849
850         This patch adds ObjectCreateIntrinsic to JSC. DFG recognizes it and produces an ObjectCreate
851         DFG node. DFG AI and constant folding attempt to convert it to NewObject when the prototype
852         object is null. It offers a significant performance boost for `Object.create(null)`.
853
854                                                          baseline                  patched
855
856         object-create-null                           53.7940+-1.5297     ^     19.8846+-0.6584        ^ definitely 2.7053x faster
857         object-create-unknown-object-prototype       38.9977+-1.1364     ^     37.2207+-0.6143        ^ definitely 1.0477x faster
858         object-create-untyped-prototype              22.5632+-0.6917           22.2539+-0.6876          might be 1.0139x faster
859
860         * dfg/DFGAbstractInterpreterInlines.h:
861         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
862         * dfg/DFGByteCodeParser.cpp:
863         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
864         * dfg/DFGClobberize.h:
865         (JSC::DFG::clobberize):
866         * dfg/DFGConstantFoldingPhase.cpp:
867         (JSC::DFG::ConstantFoldingPhase::foldConstants):
868         * dfg/DFGDoesGC.cpp:
869         (JSC::DFG::doesGC):
870         * dfg/DFGFixupPhase.cpp:
871         (JSC::DFG::FixupPhase::fixupNode):
872         * dfg/DFGNode.h:
873         (JSC::DFG::Node::convertToNewObject):
874         * dfg/DFGNodeType.h:
875         * dfg/DFGOperations.cpp:
876         * dfg/DFGOperations.h:
877         * dfg/DFGPredictionPropagationPhase.cpp:
878         * dfg/DFGSafeToExecute.h:
879         (JSC::DFG::safeToExecute):
880         * dfg/DFGSpeculativeJIT.cpp:
881         (JSC::DFG::SpeculativeJIT::compileObjectCreate):
882         * dfg/DFGSpeculativeJIT.h:
883         * dfg/DFGSpeculativeJIT32_64.cpp:
884         (JSC::DFG::SpeculativeJIT::compile):
885         * dfg/DFGSpeculativeJIT64.cpp:
886         (JSC::DFG::SpeculativeJIT::compile):
887         * ftl/FTLCapabilities.cpp:
888         (JSC::FTL::canCompile):
889         * ftl/FTLLowerDFGToB3.cpp:
890         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
891         (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
892         * runtime/Intrinsic.cpp:
893         (JSC::intrinsicName):
894         * runtime/Intrinsic.h:
895         * runtime/JSGlobalObject.cpp:
896         (JSC::JSGlobalObject::init):
897         (JSC::JSGlobalObject::visitChildren):
898         * runtime/JSGlobalObject.h:
899         (JSC::JSGlobalObject::nullPrototypeObjectStructure const):
900         * runtime/ObjectConstructor.cpp:
901
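The entry above notes that `Object.create(null)` is the common way to get an empty object with a null [[Prototype]]. The following is an added example, not JSC code and not part of the ChangeLog, showing why that matters when such an object is used as a lookup table keyed by untrusted strings: an ordinary `{}` inherits keys like `__proto__` and `constructor` from Object.prototype, while the null-prototype object does not. The helper names (`makePlainTable`, `makeNullProtoTable`, `storeKey`, `demo`) are illustrative.

```javascript
// Added example (not JSC code): an ordinary object versus a null-prototype
// object when both are used as string-keyed dictionaries.

function makePlainTable() {
  return {};                   // [[Prototype]] is Object.prototype
}

function makeNullProtoTable() {
  return Object.create(null);  // [[Prototype]] is null
}

// Keys an empty ordinary object reports as present because Object.prototype has them.
const INHERITED_KEYS = ["__proto__", "constructor", "hasOwnProperty", "toString"];

// Returns which of INHERITED_KEYS the `in` operator finds on an empty table.
function inheritedKeysPresent(table) {
  return INHERITED_KEYS.filter((k) => k in table);
}

// Stores a (constructed, attacker-chosen) key and reports whether it became an
// own property. On an ordinary object, "__proto__" hits the Object.prototype
// setter and swaps the prototype instead of storing a value.
function storeKey(table, key, value) {
  table[key] = value;
  return Object.prototype.hasOwnProperty.call(table, key);
}

function demo() {
  const plain = makePlainTable();
  const bare = makeNullProtoTable();
  const plainInherited = inheritedKeysPresent(plain);
  const bareInherited = inheritedKeysPresent(bare);
  const plainProtoIsOwn = storeKey(plain, "__proto__", { polluted: true });
  const bareProtoIsOwn = storeKey(bare, "__proto__", { polluted: true });
  return {
    plainInherited,                          // all four keys
    bareInherited,                           // none
    plainProtoIsOwn,                         // false: prototype was replaced
    bareProtoIsOwn,                          // true: plain own data property
    plainPolluted: plain.polluted === true,  // true: now inherited from the new prototype
    barePolluted: bare.polluted === true,    // false
    bareProto: Object.getPrototypeOf(bare),  // still null
  };
}
```

The `plainPolluted` flag is the practical point: a dictionary built from `{}` can have its prototype replaced by a single hostile key, whereas the null-prototype object treats `"__proto__"` as an ordinary key.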
902 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
903
904         [ESNext][BigInt] Implement support for addition operations
905         https://bugs.webkit.org/show_bug.cgi?id=179002
906
907         Reviewed by Yusuke Suzuki.
908
909         This patch is implementing support for BigInt operands in the binary "+"
910         and binary "-" operators. Right now, we have limited support in the DFG
911         and FTL JIT layers, but we plan to fix this support in future
912         patches.
913
914         * jit/JITOperations.cpp:
915         * runtime/CommonSlowPaths.cpp:
916         (JSC::SLOW_PATH_DECL):
917         * runtime/JSBigInt.cpp:
918         (JSC::JSBigInt::parseInt):
919         (JSC::JSBigInt::stringToBigInt):
920         (JSC::JSBigInt::toString):
921         (JSC::JSBigInt::multiply):
922         (JSC::JSBigInt::divide):
923         (JSC::JSBigInt::remainder):
924         (JSC::JSBigInt::add):
925         (JSC::JSBigInt::sub):
926         (JSC::JSBigInt::absoluteAdd):
927         (JSC::JSBigInt::absoluteSub):
928         (JSC::JSBigInt::toStringGeneric):
929         (JSC::JSBigInt::allocateFor):
930         (JSC::JSBigInt::toNumber const):
931         (JSC::JSBigInt::getPrimitiveNumber const):
932         * runtime/JSBigInt.h:
933         * runtime/JSCJSValueInlines.h:
934         * runtime/Operations.cpp:
935         (JSC::jsAddSlowCase):
936         * runtime/Operations.h:
937         (JSC::jsSub):
938
939 2018-06-01  Wenson Hsieh  <wenson_hsieh@apple.com>
940
941         Fix the watchOS build after r232385
942         https://bugs.webkit.org/show_bug.cgi?id=186203
943
944         Reviewed by Keith Miller.
945
946         Add a missing header include for JSImmutableButterfly.
947
948         * runtime/ArrayPrototype.cpp:
949
950 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
951
952         [JSC] Add Symbol.prototype.description getter
953         https://bugs.webkit.org/show_bug.cgi?id=186053
954
955         Reviewed by Keith Miller.
956
957         Symbol.prototype.description accessor is now stage 3[1].
958         This adds a getter to retrieve the [[Description]] value from a Symbol.
959         Previously, Symbol#toString() returned a `Symbol(${description})` value.
960         So users needed to extract the `description` part if they wanted it.
961
962         [1]: https://tc39.github.io/proposal-Symbol-description/
963
964         * runtime/Symbol.cpp:
965         (JSC::Symbol::description const):
966         * runtime/Symbol.h:
967         * runtime/SymbolPrototype.cpp:
968         (JSC::tryExtractSymbol):
969         (JSC::symbolProtoGetterDescription):
970         (JSC::symbolProtoFuncToString):
971         (JSC::symbolProtoFuncValueOf):
972
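The entry above describes the old workaround of parsing `Symbol#toString()` output. The following is an added example, not JSC code and not part of the ChangeLog, that puts that workaround next to the `description` getter and exercises the case the workaround cannot handle: a symbol created with no description and a symbol created with an empty-string description both stringify to the same text. The helper names (`descriptionFromToString`, `descriptionFromGetter`, `compare`) are illustrative.

```javascript
// Added example (not JSC code): recovering a symbol's description before and
// after Symbol.prototype.description.

// Old approach: strip "Symbol(" and ")" from the toString() result.
function descriptionFromToString(sym) {
  const s = sym.toString();               // e.g. "Symbol(foo)"
  return s.slice("Symbol(".length, -1);   // "foo"
}

// New approach: read the [[Description]] slot directly.
function descriptionFromGetter(sym) {
  return sym.description;
}

// Runs both approaches over constructed symbols and returns the results side by side.
function compare() {
  const cases = {
    named: Symbol("foo"),             // description "foo"
    empty: Symbol(""),                // description ""
    absent: Symbol(),                 // no description at all
    registered: Symbol.for("shared"), // global registry symbols carry their key
    wellKnown: Symbol.iterator,       // well-known symbols are described too
  };
  const out = {};
  for (const [name, sym] of Object.entries(cases)) {
    out[name] = {
      parsed: descriptionFromToString(sym),
      getter: descriptionFromGetter(sym),
    };
  }
  return out;
}
```

For `absent`, the parsed value is `""` while the getter returns `undefined`, so only the getter can tell `Symbol()` apart from `Symbol("")`.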
973 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
974
975         [JSC] Correct values and members of JSBigInt appropriately
976         https://bugs.webkit.org/show_bug.cgi?id=186196
977
978         Reviewed by Darin Adler.
979
980         This patch cleans up a bit to select more appropriate values and members of JSBigInt.
981
982         1. JSBigInt's structure should be StructureIsImmortal.
983         2. JSBigInt::allocationSize should be annotated with `inline`.
984         3. Remove JSBigInt::visitChildren since it is completely the same as JSCell::visitChildren.
985         4. Remove JSBigInt::finishCreation since it is completely the same as JSCell::finishCreation.
986
987         * runtime/JSBigInt.cpp:
988         (JSC::JSBigInt::allocationSize):
989         (JSC::JSBigInt::allocateFor):
990         (JSC::JSBigInt::compareToDouble):
991         (JSC::JSBigInt::visitChildren): Deleted.
992         (JSC::JSBigInt::finishCreation): Deleted.
993         * runtime/JSBigInt.h:
994
995 2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>
996
997         [DFG] InById should be converted to MatchStructure
998         https://bugs.webkit.org/show_bug.cgi?id=185803
999
1000         Reviewed by Keith Miller.
1001
1002         MatchStructure is introduced for instanceof optimization. But this node
1003         is also useful for InById node. This patch converts InById to MatchStructure
1004         node with CheckStructures if possible by using InByIdStatus.
1005
1006         Added microbenchmarks show improvements.
1007
1008                                    baseline                  patched
1009
1010         in-by-id-removed       18.1196+-0.8108     ^     16.1702+-0.9773        ^ definitely 1.1206x faster
1011         in-by-id-match         16.3912+-0.2608     ^     15.2736+-0.8173        ^ definitely 1.0732x faster
1012
1013         * JavaScriptCore.xcodeproj/project.pbxproj:
1014         * Sources.txt:
1015         * bytecode/InByIdStatus.cpp: Added.
1016         (JSC::InByIdStatus::appendVariant):
1017         (JSC::InByIdStatus::computeFor):
1018         (JSC::InByIdStatus::hasExitSite):
1019         (JSC::InByIdStatus::computeForStubInfo):
1020         (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1021         (JSC::InByIdStatus::filter):
1022         (JSC::InByIdStatus::dump const):
1023         * bytecode/InByIdStatus.h: Added.
1024         (JSC::InByIdStatus::InByIdStatus):
1025         (JSC::InByIdStatus::state const):
1026         (JSC::InByIdStatus::isSet const):
1027         (JSC::InByIdStatus::operator bool const):
1028         (JSC::InByIdStatus::isSimple const):
1029         (JSC::InByIdStatus::numVariants const):
1030         (JSC::InByIdStatus::variants const):
1031         (JSC::InByIdStatus::at const):
1032         (JSC::InByIdStatus::operator[] const):
1033         (JSC::InByIdStatus::takesSlowPath const):
1034         * bytecode/InByIdVariant.cpp: Added.
1035         (JSC::InByIdVariant::InByIdVariant):
1036         (JSC::InByIdVariant::attemptToMerge):
1037         (JSC::InByIdVariant::dump const):
1038         (JSC::InByIdVariant::dumpInContext const):
1039         * bytecode/InByIdVariant.h: Added.
1040         (JSC::InByIdVariant::isSet const):
1041         (JSC::InByIdVariant::operator bool const):
1042         (JSC::InByIdVariant::structureSet const):
1043         (JSC::InByIdVariant::structureSet):
1044         (JSC::InByIdVariant::conditionSet const):
1045         (JSC::InByIdVariant::offset const):
1046         (JSC::InByIdVariant::isHit const):
1047         * bytecode/PolyProtoAccessChain.h:
1048         * dfg/DFGByteCodeParser.cpp:
1049         (JSC::DFG::ByteCodeParser::parseBlock):
1050
1051 2018-06-01  Keith Miller  <keith_miller@apple.com>
1052
1053         move should only emit the move if it's actually needed
1054         https://bugs.webkit.org/show_bug.cgi?id=186123
1055
1056         Reviewed by Saam Barati.
1057
1058         This patch replaces move with moveToDestinationIfNeeded. This
1059         will prevent us from emitting moves to the same location. The old
1060         move has been renamed to emitMove and made private.
1061
1062         * bytecompiler/BytecodeGenerator.cpp:
1063         (JSC::BytecodeGenerator::BytecodeGenerator):
1064         (JSC::BytecodeGenerator::emitMove):
1065         (JSC::BytecodeGenerator::emitGetGlobalPrivate):
1066         (JSC::BytecodeGenerator::emitGetAsyncIterator):
1067         (JSC::BytecodeGenerator::move): Deleted.
1068         * bytecompiler/BytecodeGenerator.h:
1069         (JSC::BytecodeGenerator::move):
1070         (JSC::BytecodeGenerator::moveToDestinationIfNeeded): Deleted.
1071         * bytecompiler/NodesCodegen.cpp:
1072         (JSC::ThisNode::emitBytecode):
1073         (JSC::SuperNode::emitBytecode):
1074         (JSC::NewTargetNode::emitBytecode):
1075         (JSC::ResolveNode::emitBytecode):
1076         (JSC::TaggedTemplateNode::emitBytecode):
1077         (JSC::ArrayNode::emitBytecode):
1078         (JSC::ObjectLiteralNode::emitBytecode):
1079         (JSC::EvalFunctionCallNode::emitBytecode):
1080         (JSC::FunctionCallResolveNode::emitBytecode):
1081         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
1082         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1083         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
1084         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
1085         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString):
1086         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
1087         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
1088         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray):
1089         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject):
1090         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject):
1091         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
1092         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray):
1093         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap):
1094         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet):
1095         (JSC::CallFunctionCallDotNode::emitBytecode):
1096         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1097         (JSC::emitPostIncOrDec):
1098         (JSC::PostfixNode::emitBracket):
1099         (JSC::PostfixNode::emitDot):
1100         (JSC::PrefixNode::emitResolve):
1101         (JSC::PrefixNode::emitBracket):
1102         (JSC::PrefixNode::emitDot):
1103         (JSC::LogicalOpNode::emitBytecode):
1104         (JSC::ReadModifyResolveNode::emitBytecode):
1105         (JSC::AssignResolveNode::emitBytecode):
1106         (JSC::AssignDotNode::emitBytecode):
1107         (JSC::AssignBracketNode::emitBytecode):
1108         (JSC::FunctionNode::emitBytecode):
1109         (JSC::ClassExprNode::emitBytecode):
1110         (JSC::DestructuringAssignmentNode::emitBytecode):
1111         (JSC::ArrayPatternNode::emitDirectBinding):
1112         (JSC::ObjectPatternNode::bindValue const):
1113         (JSC::AssignmentElementNode::bindValue const):
1114         (JSC::ObjectSpreadExpressionNode::emitBytecode):
1115
1116 2018-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1117
1118         [Baseline] Store constant directly in emit_op_mov
1119         https://bugs.webkit.org/show_bug.cgi?id=186182
1120
1121         Reviewed by Saam Barati.
1122
1123         In the old code, we first move a constant to a register and store it to the specified address.
1124         But in 64bit JSC, we can directly store a constant to the specified address. This reduces the
1125         generated code size. Since the old code was emitting a constant in a code anyway, this change
1126         never increases the size of the generated code.
1127
1128         * jit/JITInlines.h:
1129         (JSC::JIT::emitGetVirtualRegister):
1130         We remove this obsolete comment. Our OSR relies on the fact that values are stored and loaded
1131         from the stack. If we transfer values in registers without loading values from the stack, it
1132         breaks this assumption.
1133
1134         * jit/JITOpcodes.cpp:
1135         (JSC::JIT::emit_op_mov):
1136
1137 2018-05-31  Caio Lima  <ticaiolima@gmail.com>
1138
1139         [ESNext][BigInt] Implement support for "<=" and ">=" relational operations
1140         https://bugs.webkit.org/show_bug.cgi?id=185929
1141
1142         Reviewed by Yusuke Suzuki.
1143
1144         This patch is introducing support for BigInt operands in the ">=" and
1145         "<=" operators.
1146         Here we introduce `bigIntCompareResult`, a helper function to reuse
1147         code between the "less than" and "less than or equal" operators.
1148
1149         * runtime/JSBigInt.h:
1150         * runtime/Operations.h:
1151         (JSC::bigIntCompareResult):
1152         (JSC::bigIntCompare):
1153         (JSC::jsLess):
1154         (JSC::jsLessEq):
1155         (JSC::bigIntCompareLess): Deleted.
1156
1157 2018-05-31  Saam Barati  <sbarati@apple.com>
1158
1159         Cache toString results for CoW arrays
1160         https://bugs.webkit.org/show_bug.cgi?id=186160
1161
1162         Reviewed by Keith Miller.
1163
1164         This patch makes it so that we cache the result of toString on
1165         arrays with a CoW butterfly. This cache lives on Heap and is
1166         cleared after every GC. We only cache the toString result when
1167         the CoW butterfly doesn't have a hole (currently, all CoW arrays
1168         have a hole, but this isn't an invariant we want to rely on). The
1169         reason for this is that if there is a hole, the value may be loaded
1170         from the prototype, and the cache may produce a stale result.
1171         
1172         This is a ~4% speedup on the ML subtest in ARES. And is a ~1% overall
1173         progression on ARES.
1174
1175         * heap/Heap.cpp:
1176         (JSC::Heap::finalize):
1177         (JSC::Heap::addCoreConstraints):
1178         * heap/Heap.h:
1179         * runtime/ArrayPrototype.cpp:
1180         (JSC::canUseFastJoin):
1181         (JSC::holesMustForwardToPrototype):
1182         (JSC::isHole):
1183         (JSC::containsHole):
1184         (JSC::fastJoin):
1185         (JSC::arrayProtoFuncToString):
1186
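The entry above only caches toString results for arrays without holes because a hole is read through the prototype chain, so a cached string could go stale. The following is an added example, not JSC code and not part of the ChangeLog, that makes that observable from script: a holey array and a dense array stringify identically until an indexed property is installed on Array.prototype, after which only the holey array's result changes. The helper names (`makeHoleyArray`, `makeDenseArray`, `countHoles`, `toStringBeforeAndAfterProtoWrite`) are illustrative.

```javascript
// Added example (not JSC code): why a toString/join cache must exclude holey arrays.

// An elided element in a literal is a hole: the index is not an own property.
function makeHoleyArray() {
  return [1, , 3];           // index 1 is a hole
}

// An explicit undefined is an own element, even though it also joins as "".
function makeDenseArray() {
  return [1, undefined, 3];  // index 1 is present
}

// Counts indices below length that are not own properties.
function countHoles(arr) {
  let holes = 0;
  for (let i = 0; i < arr.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(arr, i)) holes++;
  }
  return holes;
}

// Stringifies arr, installs an indexed property on Array.prototype, stringifies
// again, then removes the property (and resets Array.prototype.length, which
// grows when an index is defined on it because Array.prototype is itself an array).
function toStringBeforeAndAfterProtoWrite(arr) {
  const before = arr.toString();
  const savedLength = Array.prototype.length;
  Object.defineProperty(Array.prototype, 1, {
    value: "fromProto", configurable: true, writable: true, enumerable: false,
  });
  try {
    // join() performs Get(O, "1"); for a hole that lookup walks to the prototype.
    return { before, after: arr.toString() };
  } finally {
    delete Array.prototype[1];
    Array.prototype.length = savedLength;
  }
}
```

The holey array goes from `"1,,3"` to `"1,fromProto,3"` while the dense array stays `"1,,3"`, which is exactly the stale-cache hazard the entry guards against.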
1187 2018-05-31  Saam Barati  <sbarati@apple.com>
1188
1189         PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
1190         https://bugs.webkit.org/show_bug.cgi?id=186169
1191
1192         Reviewed by Mark Lam.
1193
1194         If we don't do this, the CFA validation rule about StructureID being
1195         clobbered but AI not clobbering or folding a clobber will cause us
1196         to crash. Simon was running into this yesterday on arstechnica.com.
1197         I couldn't come up with a test case for this, but it's obvious
1198         what the issue is by looking at the IR dump at the time of the crash.
1199
1200         * dfg/DFGAbstractInterpreterInlines.h:
1201         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1202
1203 2018-05-31  Saam Barati  <sbarati@apple.com>
1204
1205         JSImmutableButterfly should align its variable storage
1206         https://bugs.webkit.org/show_bug.cgi?id=186159
1207
1208         Reviewed by Mark Lam.
1209
1210         I'm also making the use of reinterpret_cast and bitwise_cast consistent
1211         inside of JSImmutableButterfly. I switched everything to use bitwise_cast.
1212
1213         * runtime/JSImmutableButterfly.h:
1214         (JSC::JSImmutableButterfly::toButterfly const):
1215         (JSC::JSImmutableButterfly::fromButterfly):
1216         (JSC::JSImmutableButterfly::offsetOfData):
1217         (JSC::JSImmutableButterfly::allocationSize):
1218
1219 2018-05-31  Keith Miller  <keith_miller@apple.com>
1220
1221         DFGArrayModes needs to know more about CoW arrays
1222         https://bugs.webkit.org/show_bug.cgi?id=186162
1223
1224         Reviewed by Filip Pizlo.
1225
1226         This patch fixes two issues in DFGArrayMode.
1227
1228         1) fromObserved was missing switch cases for when the only observed ArrayModes are CopyOnWrite.
1229         2) DFGArrayModes needs to track if the ArrayClass is an OriginalCopyOnWriteArray in order
1230         to vend an accurate original structure.
1231
1232         Additionally, this patch fixes some places in Bytecode parsing where we told the array mode
1233         we were doing a read but were actually doing a write. Also, DFGArrayMode will now print the
1234         action it is expecting when being dumped.
1235
1236         * bytecode/ArrayProfile.h:
1237         (JSC::hasSeenWritableArray):
1238         * dfg/DFGArrayMode.cpp:
1239         (JSC::DFG::ArrayMode::fromObserved):
1240         (JSC::DFG::ArrayMode::refine const):
1241         (JSC::DFG::ArrayMode::originalArrayStructure const):
1242         (JSC::DFG::arrayActionToString):
1243         (JSC::DFG::arrayClassToString):
1244         (JSC::DFG::ArrayMode::dump const):
1245         (WTF::printInternal):
1246         * dfg/DFGArrayMode.h:
1247         (JSC::DFG::ArrayMode::withProfile const):
1248         (JSC::DFG::ArrayMode::isJSArray const):
1249         (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure const):
1250         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
1251         * dfg/DFGByteCodeParser.cpp:
1252         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1253         (JSC::DFG::ByteCodeParser::parseBlock):
1254         * dfg/DFGFixupPhase.cpp:
1255         (JSC::DFG::FixupPhase::fixupNode):
1256         * dfg/DFGSpeculativeJIT.cpp:
1257         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
1258         * ftl/FTLLowerDFGToB3.cpp:
1259         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
1260
1261 2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1262
1263         [JSC] Pass VM& parameter as much as possible
1264         https://bugs.webkit.org/show_bug.cgi?id=186085
1265
1266         Reviewed by Saam Barati.
1267
1268         JSCell::vm() is slow compared to ExecState::vm(). That's why we have a bunch of functions in JSCell/JSObject that take VM& as a parameter.
1269         For example, we have JSCell::structure() and JSCell::structure(VM&), the former retrieves VM& from the cell and invokes structure(VM&).
1270         If we can get VM& from ExecState* or the other place, it reduces the inlined code size.
1271         This patch attempts to pass VM& parameter to such functions as much as possible.
1272
1273         * API/APICast.h:
1274         (toJS):
1275         (toJSForGC):
1276         * API/JSCallbackObjectFunctions.h:
1277         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
1278         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
1279         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1280         * API/JSObjectRef.cpp:
1281         (JSObjectIsConstructor):
1282         * API/JSTypedArray.cpp:
1283         (JSObjectGetTypedArrayBuffer):
1284         * API/JSValueRef.cpp:
1285         (JSValueIsInstanceOfConstructor):
1286         * bindings/ScriptFunctionCall.cpp:
1287         (Deprecated::ScriptFunctionCall::call):
1288         * bindings/ScriptValue.cpp:
1289         (Inspector::jsToInspectorValue):
1290         * bytecode/AccessCase.cpp:
1291         (JSC::AccessCase::generateImpl):
1292         * bytecode/CodeBlock.cpp:
1293         (JSC::CodeBlock::CodeBlock):
1294         * bytecode/ObjectAllocationProfileInlines.h:
1295         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
1296         * bytecode/ObjectPropertyConditionSet.cpp:
1297         (JSC::generateConditionsForInstanceOf):
1298         * bytecode/PropertyCondition.cpp:
1299         (JSC::PropertyCondition::isWatchableWhenValid const):
1300         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
1301         * bytecode/StructureStubClearingWatchpoint.cpp:
1302         (JSC::StructureStubClearingWatchpoint::fireInternal):
1303         * debugger/Debugger.cpp:
1304         (JSC::Debugger::detach):
1305         * debugger/DebuggerScope.cpp:
1306         (JSC::DebuggerScope::create):
1307         (JSC::DebuggerScope::put):
1308         (JSC::DebuggerScope::deleteProperty):
1309         (JSC::DebuggerScope::getOwnPropertyNames):
1310         (JSC::DebuggerScope::defineOwnProperty):
1311         * dfg/DFGAbstractInterpreterInlines.h:
1312         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1313         * dfg/DFGAbstractValue.cpp:
1314         (JSC::DFG::AbstractValue::mergeOSREntryValue):
1315         * dfg/DFGArgumentsEliminationPhase.cpp:
1316         * dfg/DFGArrayMode.cpp:
1317         (JSC::DFG::ArrayMode::refine const):
1318         * dfg/DFGByteCodeParser.cpp:
1319         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1320         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1321         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1322         (JSC::DFG::ByteCodeParser::check):
1323         * dfg/DFGConstantFoldingPhase.cpp:
1324         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1325         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
1326         * dfg/DFGFixupPhase.cpp:
1327         (JSC::DFG::FixupPhase::fixupNode):
1328         * dfg/DFGGraph.cpp:
1329         (JSC::DFG::Graph::tryGetConstantProperty):
1330         * dfg/DFGOperations.cpp:
1331         * dfg/DFGSpeculativeJIT.cpp:
1332         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1333         * dfg/DFGStrengthReductionPhase.cpp:
1334         (JSC::DFG::StrengthReductionPhase::handleNode):
1335         * ftl/FTLLowerDFGToB3.cpp:
1336         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1337         * ftl/FTLOperations.cpp:
1338         (JSC::FTL::operationPopulateObjectInOSR):
1339         * inspector/InjectedScriptManager.cpp:
1340         (Inspector::InjectedScriptManager::createInjectedScript):
1341         * inspector/JSJavaScriptCallFrame.cpp:
1342         (Inspector::JSJavaScriptCallFrame::caller const):
1343         (Inspector::JSJavaScriptCallFrame::scopeChain const):
1344         * interpreter/CallFrame.cpp:
1345         (JSC::CallFrame::wasmAwareLexicalGlobalObject):
1346         * interpreter/Interpreter.cpp:
1347         (JSC::Interpreter::executeProgram):
1348         (JSC::Interpreter::executeCall):
1349         (JSC::Interpreter::executeConstruct):
1350         (JSC::Interpreter::execute):
1351         (JSC::Interpreter::executeModuleProgram):
1352         * jit/JITOperations.cpp:
1353         (JSC::getByVal):
1354         * jit/Repatch.cpp:
1355         (JSC::tryCacheInByID):
1356         * jsc.cpp:
1357         (functionDollarAgentReceiveBroadcast):
1358         (functionHasCustomProperties):
1359         * llint/LLIntSlowPaths.cpp:
1360         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1361         (JSC::LLInt::setupGetByIdPrototypeCache):
1362         (JSC::LLInt::getByVal):
1363         (JSC::LLInt::handleHostCall):
1364         (JSC::LLInt::llint_throw_stack_overflow_error):
1365         * runtime/AbstractModuleRecord.cpp:
1366         (JSC::AbstractModuleRecord::finishCreation):
1367         * runtime/ArrayConstructor.cpp:
1368         (JSC::constructArrayWithSizeQuirk):
1369         * runtime/ArrayPrototype.cpp:
1370         (JSC::speciesWatchpointIsValid):
1371         (JSC::arrayProtoFuncToString):
1372         (JSC::arrayProtoFuncToLocaleString):
1373         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
1374         * runtime/AsyncFunctionConstructor.cpp:
1375         (JSC::callAsyncFunctionConstructor):
1376         (JSC::constructAsyncFunctionConstructor):
1377         * runtime/AsyncGeneratorFunctionConstructor.cpp:
1378         (JSC::callAsyncGeneratorFunctionConstructor):
1379         (JSC::constructAsyncGeneratorFunctionConstructor):
1380         * runtime/BooleanConstructor.cpp:
1381         (JSC::constructWithBooleanConstructor):
1382         * runtime/ClonedArguments.cpp:
1383         (JSC::ClonedArguments::createEmpty):
1384         (JSC::ClonedArguments::createWithInlineFrame):
1385         (JSC::ClonedArguments::createWithMachineFrame):
1386         (JSC::ClonedArguments::createByCopyingFrom):
1387         (JSC::ClonedArguments::getOwnPropertySlot):
1388         (JSC::ClonedArguments::materializeSpecials):
1389         * runtime/CommonSlowPaths.cpp:
1390         (JSC::SLOW_PATH_DECL):
1391         * runtime/CommonSlowPaths.h:
1392         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1393         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1394         (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
1395         * runtime/ConstructData.cpp:
1396         (JSC::construct):
1397         * runtime/DateConstructor.cpp:
1398         (JSC::constructWithDateConstructor):
1399         * runtime/DatePrototype.cpp:
1400         (JSC::dateProtoFuncToJSON):
1401         * runtime/DirectArguments.cpp:
1402         (JSC::DirectArguments::overrideThings):
1403         * runtime/Error.cpp:
1404         (JSC::getStackTrace):
1405         * runtime/ErrorConstructor.cpp:
1406         (JSC::Interpreter::constructWithErrorConstructor):
1407         (JSC::Interpreter::callErrorConstructor):
1408         * runtime/FunctionConstructor.cpp:
1409         (JSC::constructWithFunctionConstructor):
1410         (JSC::callFunctionConstructor):
1411         * runtime/GeneratorFunctionConstructor.cpp:
1412         (JSC::callGeneratorFunctionConstructor):
1413         (JSC::constructGeneratorFunctionConstructor):
1414         * runtime/GenericArgumentsInlines.h:
1415         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1416         * runtime/InferredStructureWatchpoint.cpp:
1417         (JSC::InferredStructureWatchpoint::fireInternal):
1418         * runtime/InferredType.cpp:
1419         (JSC::InferredType::removeStructure):
1420         * runtime/InferredType.h:
1421         * runtime/InferredTypeInlines.h:
1422         (JSC::InferredType::finalizeUnconditionally):
1423         * runtime/IntlCollator.cpp:
1424         (JSC::IntlCollator::initializeCollator):
1425         * runtime/IntlCollatorConstructor.cpp:
1426         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1427         * runtime/IntlCollatorPrototype.cpp:
1428         (JSC::IntlCollatorPrototypeGetterCompare):
1429         * runtime/IntlDateTimeFormat.cpp:
1430         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1431         (JSC::IntlDateTimeFormat::formatToParts):
1432         * runtime/IntlDateTimeFormatConstructor.cpp:
1433         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1434         * runtime/IntlDateTimeFormatPrototype.cpp:
1435         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1436         * runtime/IntlNumberFormat.cpp:
1437         (JSC::IntlNumberFormat::initializeNumberFormat):
1438         (JSC::IntlNumberFormat::formatToParts):
1439         * runtime/IntlNumberFormatConstructor.cpp:
1440         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1441         * runtime/IntlNumberFormatPrototype.cpp:
1442         (JSC::IntlNumberFormatPrototypeGetterFormat):
1443         * runtime/IntlObject.cpp:
1444         (JSC::canonicalizeLocaleList):
1445         (JSC::defaultLocale):
1446         (JSC::lookupSupportedLocales):
1447         (JSC::intlObjectFuncGetCanonicalLocales):
1448         * runtime/IntlPluralRules.cpp:
1449         (JSC::IntlPluralRules::initializePluralRules):
1450         (JSC::IntlPluralRules::resolvedOptions):
1451         * runtime/IntlPluralRulesConstructor.cpp:
1452         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
1453         * runtime/IteratorOperations.cpp:
1454         (JSC::iteratorNext):
1455         (JSC::iteratorClose):
1456         (JSC::iteratorForIterable):
1457         * runtime/JSArray.cpp:
1458         (JSC::JSArray::shiftCountWithArrayStorage):
1459         (JSC::JSArray::unshiftCountWithArrayStorage):
1460         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
1461         * runtime/JSArrayBufferConstructor.cpp:
1462         (JSC::JSArrayBufferConstructor::finishCreation):
1463         (JSC::constructArrayBuffer):
1464         * runtime/JSArrayBufferPrototype.cpp:
1465         (JSC::arrayBufferProtoFuncSlice):
1466         * runtime/JSArrayBufferView.cpp:
1467         (JSC::JSArrayBufferView::unsharedJSBuffer):
1468         (JSC::JSArrayBufferView::possiblySharedJSBuffer):
1469         * runtime/JSAsyncFunction.cpp:
1470         (JSC::JSAsyncFunction::createImpl):
1471         (JSC::JSAsyncFunction::create):
1472         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
1473         * runtime/JSAsyncGeneratorFunction.cpp:
1474         (JSC::JSAsyncGeneratorFunction::createImpl):
1475         (JSC::JSAsyncGeneratorFunction::create):
1476         (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
1477         * runtime/JSBoundFunction.cpp:
1478         (JSC::boundThisNoArgsFunctionCall):
1479         (JSC::boundFunctionCall):
1480         (JSC::boundThisNoArgsFunctionConstruct):
1481         (JSC::boundFunctionConstruct):
1482         (JSC::getBoundFunctionStructure):
1483         (JSC::JSBoundFunction::create):
1484         (JSC::JSBoundFunction::boundArgsCopy):
1485         * runtime/JSCJSValue.cpp:
1486         (JSC::JSValue::putToPrimitive):
1487         * runtime/JSCellInlines.h:
1488         (JSC::JSCell::setStructure):
1489         (JSC::JSCell::methodTable const):
1490         (JSC::JSCell::toBoolean const):
1491         * runtime/JSFunction.h:
1492         (JSC::JSFunction::createImpl):
1493         * runtime/JSGeneratorFunction.cpp:
1494         (JSC::JSGeneratorFunction::createImpl):
1495         (JSC::JSGeneratorFunction::create):
1496         (JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
1497         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1498         (JSC::constructGenericTypedArrayViewWithArguments):
1499         (JSC::constructGenericTypedArrayView):
1500         * runtime/JSGenericTypedArrayViewInlines.h:
1501         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1502         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
1503         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
1504         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1505         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1506         (JSC::genericTypedArrayViewProtoFuncSlice):
1507         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1508         * runtime/JSGlobalObject.cpp:
1509         (JSC::JSGlobalObject::init):
1510         (JSC::JSGlobalObject::exposeDollarVM):
1511         (JSC::JSGlobalObject::finishCreation):
1512         * runtime/JSGlobalObject.h:
1513         * runtime/JSGlobalObjectFunctions.cpp:
1514         (JSC::globalFuncEval):
1515         * runtime/JSInternalPromise.cpp:
1516         (JSC::JSInternalPromise::then):
1517         * runtime/JSInternalPromiseConstructor.cpp:
1518         (JSC::constructPromise):
1519         * runtime/JSJob.cpp:
1520         (JSC::JSJobMicrotask::run):
1521         * runtime/JSLexicalEnvironment.cpp:
1522         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
1523         (JSC::JSLexicalEnvironment::put):
1524         * runtime/JSMap.cpp:
1525         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
1526         * runtime/JSMapIterator.cpp:
1527         (JSC::JSMapIterator::createPair):
1528         * runtime/JSModuleLoader.cpp:
1529         (JSC::JSModuleLoader::provideFetch):
1530         (JSC::JSModuleLoader::loadAndEvaluateModule):
1531         (JSC::JSModuleLoader::loadModule):
1532         (JSC::JSModuleLoader::linkAndEvaluateModule):
1533         (JSC::JSModuleLoader::requestImportModule):
1534         * runtime/JSONObject.cpp:
1535         (JSC::JSONProtoFuncParse):
1536         * runtime/JSObject.cpp:
1537         (JSC::JSObject::putInlineSlow):
1538         (JSC::JSObject::putByIndex):
1539         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1540         (JSC::JSObject::createInitialIndexedStorage):
1541         (JSC::JSObject::createArrayStorage):
1542         (JSC::JSObject::convertUndecidedToArrayStorage):
1543         (JSC::JSObject::convertInt32ToArrayStorage):
1544         (JSC::JSObject::convertDoubleToArrayStorage):
1545         (JSC::JSObject::convertContiguousToArrayStorage):
1546         (JSC::JSObject::convertFromCopyOnWrite):
1547         (JSC::JSObject::ensureWritableInt32Slow):
1548         (JSC::JSObject::ensureWritableDoubleSlow):
1549         (JSC::JSObject::ensureWritableContiguousSlow):
1550         (JSC::JSObject::ensureArrayStorageSlow):
1551         (JSC::JSObject::setPrototypeDirect):
1552         (JSC::JSObject::deleteProperty):
1553         (JSC::callToPrimitiveFunction):
1554         (JSC::JSObject::hasInstance):
1555         (JSC::JSObject::getOwnNonIndexPropertyNames):
1556         (JSC::JSObject::preventExtensions):
1557         (JSC::JSObject::isExtensible):
1558         (JSC::JSObject::reifyAllStaticProperties):
1559         (JSC::JSObject::fillGetterPropertySlot):
1560         (JSC::JSObject::defineOwnIndexedProperty):
1561         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1562         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1563         (JSC::JSObject::putByIndexBeyondVectorLength):
1564         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1565         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1566         (JSC::JSObject::getNewVectorLength):
1567         (JSC::JSObject::increaseVectorLength):
1568         (JSC::JSObject::reallocateAndShrinkButterfly):
1569         (JSC::JSObject::shiftButterflyAfterFlattening):
1570         (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
1571         (JSC::JSObject::prototypeChainMayInterceptStoreTo):
1572         (JSC::JSObject::needsSlowPutIndexing const):
1573         (JSC::JSObject::suggestedArrayStorageTransition const):
1574         * runtime/JSObject.h:
1575         (JSC::JSObject::mayInterceptIndexedAccesses):
1576         (JSC::JSObject::hasIndexingHeader const):
1577         (JSC::JSObject::hasCustomProperties):
1578         (JSC::JSObject::hasGetterSetterProperties):
1579         (JSC::JSObject::hasCustomGetterSetterProperties):
1580         (JSC::JSObject::isExtensibleImpl):
1581         (JSC::JSObject::isStructureExtensible):
1582         (JSC::JSObject::indexingShouldBeSparse):
1583         (JSC::JSObject::staticPropertiesReified):
1584         (JSC::JSObject::globalObject const):
1585         (JSC::JSObject::finishCreation):
1586         (JSC::JSNonFinalObject::finishCreation):
1587         (JSC::getCallData):
1588         (JSC::getConstructData):
1589         (JSC::JSObject::getOwnNonIndexPropertySlot):
1590         (JSC::JSObject::putOwnDataProperty):
1591         (JSC::JSObject::putOwnDataPropertyMayBeIndex):
1592         (JSC::JSObject::butterflyPreCapacity):
1593         (JSC::JSObject::butterflyTotalSize):
1594         * runtime/JSObjectInlines.h:
1595         (JSC::JSObject::putDirectInternal):
1596         * runtime/JSPromise.cpp:
1597         (JSC::JSPromise::initialize):
1598         (JSC::JSPromise::resolve):
1599         * runtime/JSPromiseConstructor.cpp:
1600         (JSC::constructPromise):
1601         * runtime/JSPromiseDeferred.cpp:
1602         (JSC::newPromiseCapability):
1603         (JSC::callFunction):
1604         * runtime/JSScope.cpp:
1605         (JSC::abstractAccess):
1606         * runtime/JSScope.h:
1607         (JSC::JSScope::globalObject): Deleted.
1608         Remove this JSScope::globalObject function since it is completely the same as JSObject::globalObject().
1609
1610         * runtime/JSSet.cpp:
1611         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
1612         * runtime/JSSetIterator.cpp:
1613         (JSC::JSSetIterator::createPair):
1614         * runtime/JSStringIterator.cpp:
1615         (JSC::JSStringIterator::clone):
1616         * runtime/Lookup.cpp:
1617         (JSC::reifyStaticAccessor):
1618         (JSC::setUpStaticFunctionSlot):
1619         * runtime/Lookup.h:
1620         (JSC::getStaticPropertySlotFromTable):
1621         (JSC::replaceStaticPropertySlot):
1622         (JSC::reifyStaticProperty):
1623         * runtime/MapConstructor.cpp:
1624         (JSC::constructMap):
1625         * runtime/NumberConstructor.cpp:
1626         (JSC::NumberConstructor::finishCreation):
1627         * runtime/ObjectConstructor.cpp:
1628         (JSC::constructObject):
1629         (JSC::objectConstructorAssign):
1630         (JSC::toPropertyDescriptor):
1631         * runtime/ObjectPrototype.cpp:
1632         (JSC::objectProtoFuncDefineGetter):
1633         (JSC::objectProtoFuncDefineSetter):
1634         (JSC::objectProtoFuncToLocaleString):
1635         * runtime/Operations.cpp:
1636         (JSC::jsIsFunctionType): Deleted.
1637         Replace it with JSValue::isFunction(VM&).
1638
1639         * runtime/Operations.h:
1640         * runtime/ProgramExecutable.cpp:
1641         (JSC::ProgramExecutable::initializeGlobalProperties):
1642         * runtime/RegExpConstructor.cpp:
1643         (JSC::constructWithRegExpConstructor):
1644         (JSC::callRegExpConstructor):
1645         * runtime/SamplingProfiler.cpp:
1646         (JSC::SamplingProfiler::processUnverifiedStackTraces):
1647         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
1648         * runtime/ScopedArguments.cpp:
1649         (JSC::ScopedArguments::overrideThings):
1650         * runtime/ScriptExecutable.cpp:
1651         (JSC::ScriptExecutable::newCodeBlockFor):
1652         (JSC::ScriptExecutable::prepareForExecutionImpl):
1653         * runtime/SetConstructor.cpp:
1654         (JSC::constructSet):
1655         * runtime/SparseArrayValueMap.cpp:
1656         (JSC::SparseArrayValueMap::putEntry):
1657         (JSC::SparseArrayValueMap::putDirect):
1658         * runtime/StringConstructor.cpp:
1659         (JSC::constructWithStringConstructor):
1660         * runtime/StringPrototype.cpp:
1661         (JSC::replaceUsingRegExpSearch):
1662         (JSC::replaceUsingStringSearch):
1663         (JSC::stringProtoFuncIterator):
1664         * runtime/Structure.cpp:
1665         (JSC::Structure::materializePropertyTable):
1666         (JSC::Structure::willStoreValueSlow):
1667         * runtime/StructureCache.cpp:
1668         (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
1669         * runtime/StructureInlines.h:
1670         (JSC::Structure::get):
1671         * runtime/WeakMapConstructor.cpp:
1672         (JSC::constructWeakMap):
1673         * runtime/WeakSetConstructor.cpp:
1674         (JSC::constructWeakSet):
1675         * tools/HeapVerifier.cpp:
1676         (JSC::HeapVerifier::reportCell):
1677         * tools/JSDollarVM.cpp:
1678         (JSC::functionGlobalObjectForObject):
1679         (JSC::JSDollarVM::finishCreation):
1680         * wasm/js/JSWebAssemblyInstance.cpp:
1681         (JSC::JSWebAssemblyInstance::finalizeCreation):
1682         * wasm/js/WasmToJS.cpp:
1683         (JSC::Wasm::handleBadI64Use):
1684         (JSC::Wasm::wasmToJSException):
1685         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1686         (JSC::constructJSWebAssemblyCompileError):
1687         (JSC::callJSWebAssemblyCompileError):
1688         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
1689         (JSC::constructJSWebAssemblyLinkError):
1690         (JSC::callJSWebAssemblyLinkError):
1691         * wasm/js/WebAssemblyModuleRecord.cpp:
1692         (JSC::WebAssemblyModuleRecord::evaluate):
1693         * wasm/js/WebAssemblyPrototype.cpp:
1694         (JSC::instantiate):
1695         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1696         (JSC::constructJSWebAssemblyRuntimeError):
1697         (JSC::callJSWebAssemblyRuntimeError):
1698         * wasm/js/WebAssemblyToJSCallee.cpp:
1699         (JSC::WebAssemblyToJSCallee::create):
1700
1701 2018-05-30  Saam Barati  <sbarati@apple.com>
1702
1703         DFG combined liveness needs to say that the machine CodeBlock's arguments are live
1704         https://bugs.webkit.org/show_bug.cgi?id=186121
1705         <rdar://problem/39377796>
1706
1707         Reviewed by Keith Miller.
1708
1709         DFG's combined liveness was reporting that the machine CodeBlock's |this|
1710         argument was dead at certain points in the program. However, a CodeBlock's
1711         arguments are considered live for the entire function. This fixes a bug
1712         where object allocation sinking phase skipped materializing an allocation
1713         because it thought that the argument it was associated with, |this|, was dead.
1714
1715         * dfg/DFGCombinedLiveness.cpp:
1716         (JSC::DFG::liveNodesAtHead):
1717
1718 2018-05-30  Daniel Bates  <dabates@apple.com>
1719
1720         Web Inspector: Annotate Same-Site cookies
1721         https://bugs.webkit.org/show_bug.cgi?id=184897
1722         <rdar://problem/35178209>
1723
1724         Reviewed by Brian Burg.
1725
1726         Update protocol to include cookie Same-Site policy.
1727
1728         * inspector/protocol/Page.json:
1729
1730 2018-05-29  Keith Miller  <keith_miller@apple.com>
1731
1732         Error instances should not strongly hold onto StackFrames
1733         https://bugs.webkit.org/show_bug.cgi?id=185996
1734
1735         Reviewed by Mark Lam.
1736
1737         Previously, we would hold onto all the StackFrames until the user
1738         looked at one of the properties on the Error object. This patch makes us
1739         only weakly retain the StackFrames and collect all the information
1740         if we are about to collect any frame.
1741
1742         This patch also adds a method to $vm that returns the heap's count
1743         of live global objects.
1744
1745         * heap/Heap.cpp:
1746         (JSC::Heap::finalizeUnconditionalFinalizers):
1747         * interpreter/Interpreter.cpp:
1748         (JSC::Interpreter::stackTraceAsString):
1749         * interpreter/Interpreter.h:
1750         * runtime/Error.cpp:
1751         (JSC::addErrorInfo):
1752         * runtime/ErrorInstance.cpp:
1753         (JSC::ErrorInstance::finalizeUnconditionally):
1754         (JSC::ErrorInstance::computeErrorInfo):
1755         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1756         (JSC::ErrorInstance::visitChildren): Deleted.
1757         * runtime/ErrorInstance.h:
1758         (JSC::ErrorInstance::subspaceFor):
1759         * runtime/JSFunction.cpp:
1760         (JSC::getCalculatedDisplayName):
1761         * runtime/StackFrame.h:
1762         (JSC::StackFrame::isMarked const):
1763         * runtime/VM.cpp:
1764         (JSC::VM::VM):
1765         * runtime/VM.h:
1766         * tools/JSDollarVM.cpp:
1767         (JSC::functionGlobalObjectCount):
1768         (JSC::JSDollarVM::finishCreation):
1769
1770 2018-05-30  Keith Miller  <keith_miller@apple.com>
1771
1772         LLInt get_by_id prototype caching doesn't properly handle changes
1773         https://bugs.webkit.org/show_bug.cgi?id=186112
1774
1775         Reviewed by Filip Pizlo.
1776
1777         The caching would sometimes fail to track that a prototype had changed
1778         and wouldn't update its set of watchpoints.
1779
1780         * bytecode/CodeBlock.cpp:
1781         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1782         * bytecode/CodeBlock.h:
1783         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
1784         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const):
1785         * bytecode/ObjectPropertyConditionSet.h:
1786         (JSC::ObjectPropertyConditionSet::size const):
1787         * bytecode/Watchpoint.h:
1788         (JSC::Watchpoint::Watchpoint): Deleted.
1789         * llint/LLIntSlowPaths.cpp:
1790         (JSC::LLInt::setupGetByIdPrototypeCache):
1791
1792 2018-05-30  Caio Lima  <ticaiolima@gmail.com>
1793
1794         [ESNext][BigInt] Implement support for "%" operation
1795         https://bugs.webkit.org/show_bug.cgi?id=184327
1796
1797         Reviewed by Yusuke Suzuki.
1798
1799         We are introducing support for BigInt in the remainder (a.k.a. mod)
1800         operation.
1801
1802         * runtime/CommonSlowPaths.cpp:
1803         (JSC::SLOW_PATH_DECL):
1804         * runtime/JSBigInt.cpp:
1805         (JSC::JSBigInt::remainder):
1806         (JSC::JSBigInt::rightTrim):
1807         * runtime/JSBigInt.h:
1808
1809 2018-05-30  Saam Barati  <sbarati@apple.com>
1810
1811         AI for Atomics.load() is too conservative in always clobbering world
1812         https://bugs.webkit.org/show_bug.cgi?id=185738
1813         <rdar://problem/40342214>
1814
1815         Reviewed by Yusuke Suzuki.
1816
1817         It fails the assertion that Fil added for catching disagreements between
1818         AI and clobberize. This patch fixes that. You'd run into this if you
1819         manually enabled SAB in a build and ran any SAB tests.
1820
1821         * dfg/DFGAbstractInterpreterInlines.h:
1822         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1823
1824 2018-05-30  Michael Saboff  <msaboff@apple.com>
1825
1826         REGRESSION(r232212): Broke Win32 Builds
1827         https://bugs.webkit.org/show_bug.cgi?id=186061
1828
1829         Reviewed by Yusuke Suzuki.
1830
1831         Changed Windows builds with the JIT disabled to generate and use LLIntAssembly.h
1832         instead of LowLevelInterpreterWin.asm.
1833
1834         * CMakeLists.txt:
1835
1836 2018-05-30  Dominik Infuehr  <dinfuehr@igalia.com>
1837
1838         [MIPS] Fix build on MIPS32r1
1839         https://bugs.webkit.org/show_bug.cgi?id=185944
1840
1841         Reviewed by Yusuke Suzuki.
1842
1843         Only use instructions on MIPS32r2 or later. mthc1 and mfhc1 are not supported
1844         on MIPS32r1.
1845
1846         * offlineasm/mips.rb:
1847
1848 2018-05-29  Saam Barati  <sbarati@apple.com>
1849
1850         Add a version of JSVirtualMachine shrinkFootprint that runs when the VM goes idle
1851         https://bugs.webkit.org/show_bug.cgi?id=186064
1852
1853         Reviewed by Mark Lam.
1854
1855         shrinkFootprint was implemented as:
1856         ```
1857         sanitizeStackForVM(this);
1858         deleteAllCode(DeleteAllCodeIfNotCollecting);
1859         heap.collectNow(Synchronousness::Sync);
1860         WTF::releaseFastMallocFreeMemory();
1861         ```
1862         
1863         However, for correctness reasons, deleteAllCode is implemented to do
1864         work when the VM is idle: no JS is running on the stack. This means
1865         that if shrinkFootprint is called when JS is running on the stack, it
1866         ends up freeing less memory than it could have if it waited to run until
1867         the VM goes idle.
1868         
1869         This patch makes it so we wait until idle before doing work. I'm seeing a
1870         10% footprint progression when testing this against a client of the JSC SPI.
1871         
1872         Because this is a semantic change in how the SPI works, this patch
1873         adds new SPI named shrinkFootprintWhenIdle. The plan is to move
1874         all clients of the shrinkFootprint SPI to shrinkFootprintWhenIdle.
1875         Once that happens, we will delete shrinkFootprint. Until then,
1876         we make shrinkFootprint do exactly what shrinkFootprintWhenIdle does.
1877
1878         * API/JSVirtualMachine.mm:
1879         (-[JSVirtualMachine shrinkFootprint]):
1880         (-[JSVirtualMachine shrinkFootprintWhenIdle]):
1881         * API/JSVirtualMachinePrivate.h:
1882         * runtime/VM.cpp:
1883         (JSC::VM::shrinkFootprintWhenIdle):
1884         (JSC::VM::shrinkFootprint): Deleted.
1885         * runtime/VM.h:
1886
1887 2018-05-29  Saam Barati  <sbarati@apple.com>
1888
1889         shrinkFootprint needs to request a full collection
1890         https://bugs.webkit.org/show_bug.cgi?id=186069
1891
1892         Reviewed by Mark Lam.
1893
1894         * runtime/VM.cpp:
1895         (JSC::VM::shrinkFootprint):
1896
1897 2018-05-29  Caio Lima  <ticaiolima@gmail.com>
1898
1899         [ESNext][BigInt] Implement support for "<" and ">" relational operation
1900         https://bugs.webkit.org/show_bug.cgi?id=185379
1901
1902         Reviewed by Yusuke Suzuki.
1903
1904         This patch is changing the ```jsLess``` operation to follow the
1905         semantics of Abstract Relational Comparison[1] that supports BigInt.
1906         For that, we create 2 new helper functions ```bigIntCompareLess``` and
1907         ```toPrimitiveNumeric``` that consider BigInt as a valid type to be
1908         compared.
1909
1910         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-relational-comparison
1911
1912         * runtime/JSBigInt.cpp:
1913         (JSC::JSBigInt::unequalSign):
1914         (JSC::JSBigInt::absoluteGreater):
1915         (JSC::JSBigInt::absoluteLess):
1916         (JSC::JSBigInt::compare):
1917         (JSC::JSBigInt::absoluteCompare):
1918         * runtime/JSBigInt.h:
1919         * runtime/JSCJSValueInlines.h:
1920         (JSC::JSValue::isPrimitive const):
1921         * runtime/Operations.h:
1922         (JSC::bigIntCompareLess):
1923         (JSC::toPrimitiveNumeric):
1924         (JSC::jsLess):
1925
1926 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1927
1928         [Baseline] Merge loading functionalities
1929         https://bugs.webkit.org/show_bug.cgi?id=185907
1930
1931         Reviewed by Saam Barati.
1932
1933         This patch unifies emitXXXLoad functions in 32bit and 64bit.
1934
1935         * jit/JITInlines.h:
1936         (JSC::JIT::emitDoubleGetByVal):
1937         * jit/JITPropertyAccess.cpp:
1938         (JSC::JIT::emitDoubleLoad):
1939         (JSC::JIT::emitContiguousLoad):
1940         (JSC::JIT::emitArrayStorageLoad):
1941         (JSC::JIT::emitIntTypedArrayGetByVal):
1942         (JSC::JIT::emitFloatTypedArrayGetByVal):
1943         Define register usage first, and share the same code in 32bit and 64bit.
1944
1945         * jit/JITPropertyAccess32_64.cpp:
1946         (JSC::JIT::emitSlow_op_put_by_val):
1947         Now the C stack is always enabled on JIT platforms and the number of temporary registers increases from 5 to 6 on x86.
1948         We can remove this special handling.
1949
1950         (JSC::JIT::emitContiguousLoad): Deleted.
1951         (JSC::JIT::emitDoubleLoad): Deleted.
1952         (JSC::JIT::emitArrayStorageLoad): Deleted.
1953
1954 2018-05-29  Saam Barati  <sbarati@apple.com>
1955
1956         JSC should put bmalloc's scavenger into mini mode
1957         https://bugs.webkit.org/show_bug.cgi?id=185988
1958
1959         Reviewed by Michael Saboff.
1960
1961         When we InitializeThreading, we'll now enable bmalloc's mini mode
1962         if the VM is in mini mode. This is an 8-10% progression on the footprint
1963         at end score in run-testmem, making it a 4-5% memory score progression.
1964         It's between a 0-1% regression in its time score.
1965
1966         * runtime/InitializeThreading.cpp:
1967         (JSC::initializeThreading):
1968
1969 2018-05-29  Caitlin Potter  <caitp@igalia.com>
1970
1971         [JSC] Fix Array.prototype.concat fast case when single argument is Proxy
1972         https://bugs.webkit.org/show_bug.cgi?id=184267
1973
1974         Reviewed by Saam Barati.
1975
1976         Before this patch, the fast case for Array.prototype.concat was taken if
1977         there was a single argument passed to the function, which is either a
1978         non-JSCell, or an ObjectType JSCell not marked as concat-spreadable.
1979         This incorrectly prevented Proxy objects from being spread when
1980         they were the only argument passed to A.prototype.concat(), violating ECMA-262.
1981
1982         * builtins/ArrayPrototype.js:
1983         (concat):
1984
1985 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1986
1987         [JSC] JSBigInt::digitDiv has undefined behavior which causes test failures
1988         https://bugs.webkit.org/show_bug.cgi?id=186022
1989
1990         Reviewed by Darin Adler.
1991
1992         digitDiv performs Value64Bit >> 64 / Value32Bit >> 32, which is undefined behavior. And zero mask
1993         creation has an issue (`s` should be cast to a signed one before negating). They cause test failures
1994         in non-x86 / x86_64 environments. x86 and x86_64 work well since they have a fast path written
1995         in asm.
1996
1997         This patch fixes digitDiv by carefully avoiding undefined behaviors. We mask the left value of the
1998         rshift with `digitBits - 1`, which makes `digitBits` 0 while it keeps 0 <= n < digitBits values.
1999         This makes the target rshift well-defined in C++. While the value produced by the rshift covers the 0 <= `s` < 64 (32
2000         in a 32bit environment) cases, this rshift does not shift if `s` is 0. sZeroMask clears the value
2001         if `s` is 0, so that the `s == 0` case is also covered. Note that `s == 64` never happens since `divisor`
2002         is never 0 here. We add an assertion for that. We also fix the `sZeroMask` calculation.
2003
2004         This patch also fixes naming convention for constant values.
2005
2006         * runtime/JSBigInt.cpp:
2007         (JSC::JSBigInt::digitMul):
2008         (JSC::JSBigInt::digitDiv):
2009         * runtime/JSBigInt.h:
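
The well-defined shift this entry describes, as an added example in C that is not JSC's code: 64-bit digits are assumed, `sZeroMask` and `digitBits` follow the names used above, and `Digit`, `shiftLowSafe`, `shiftLowReference` and `checkAllShifts` are names chosen here.

```c
#include <assert.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not JSC's code. 64-bit digits are assumed; the ChangeLog
 * notes the same fix applies with 32-bit digits on 32-bit targets. */
typedef uint64_t Digit;
enum { digitBits = 64 };

/* sZeroMask: all ones when s != 0, zero when s == 0.
 * The negation has to happen on a signed value: an arithmetic right shift of
 * the negative -s by 63 smears the sign bit into all ones for every nonzero s.
 * With an unsigned 64-bit operand the shift would be logical and yield 1, not
 * all ones, which is the mask bug the entry refers to. (Right-shifting a
 * negative signed value is implementation-defined in C, but arithmetic on
 * every mainstream compiler.) */
static Digit sZeroMask(unsigned s)
{
    return (Digit)(-(int64_t)s >> (digitBits - 1));
}

/* Well-defined replacement for "low >> (digitBits - s)".
 * digitDiv wants the top s bits of 'low' moved down; for s == 0 the intended
 * result is 0, but "low >> 64" is undefined behaviour. Masking the shift
 * amount with digitBits - 1 turns 64 into 0 and leaves 1..63 unchanged, so the
 * shift is always in range; sZeroMask then zeroes the result for s == 0. */
static Digit shiftLowSafe(Digit low, unsigned s)
{
    assert(s < digitBits); /* s is the leading-zero count of a nonzero divisor */
    unsigned shift = (digitBits - s) & (digitBits - 1);
    return (low >> shift) & sZeroMask(s);
}

/* Reference with an explicit branch, used only to check the branch-free form. */
static Digit shiftLowReference(Digit low, unsigned s)
{
    return s == 0 ? 0 : low >> (digitBits - s);
}

/* Returns 1 if the branch-free form agrees with the reference for every valid s. */
static int checkAllShifts(Digit low)
{
    for (unsigned s = 0; s < digitBits; s++) {
        if (shiftLowSafe(low, s) != shiftLowReference(low, s))
            return 0;
    }
    return 1;
}

int main(void)
{
    Digit low = 0xDEADBEEFCAFEF00DULL; /* constructed sample digit */
    printf("s=0  -> 0x%016" PRIx64 "\n", shiftLowSafe(low, 0));
    printf("s=4  -> 0x%016" PRIx64 "\n", shiftLowSafe(low, 4));
    printf("s=63 -> 0x%016" PRIx64 "\n", shiftLowSafe(low, 63));
    printf("branch-free form matches reference for all s: %s\n",
           checkAllShifts(low) ? "yes" : "no");
    return 0;
}
```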
2010
2011 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2012
2013         [WTF] Add clz32 / clz64 for MSVC
2014         https://bugs.webkit.org/show_bug.cgi?id=186023
2015
2016         Reviewed by Daniel Bates.
2017
2018         Move clz32 and clz64 to WTF.
2019
2020         * runtime/MathCommon.h:
2021         (JSC::clz32): Deleted.
2022         (JSC::clz64): Deleted.
2023
2024 2018-05-27  Caio Lima  <ticaiolima@gmail.com>
2025
2026         [ESNext][BigInt] Implement "+" and "-" unary operation
2027         https://bugs.webkit.org/show_bug.cgi?id=182214
2028
2029         Reviewed by Yusuke Suzuki.
2030
2031         This patch is implementing support for the "-" unary operation on BigInt.
2032         It is also changing the logic of ASTBuilder::makeNegateNode to
2033         calculate BigInt literals with the proper sign, avoiding
2034         unnecessary operations. It required a refactoring of
2035         JSBigInt::parseInt to consider the sign as a parameter.
2036
2037         We are also introducing a new DFG node called ValueNegate to handle BigInt negate
2038         operations. With the introduction of BigInt, it is not true
2039         that every negate operation returns a Number. As ArithNegate is a
2040         node that considers its result to always be a Number, like all other
2041         Arith<Operation> nodes, we decided to keep this consistency and use ValueNegate when
2042         speculation indicates that the operand is a BigInt.
2043         This design follows the same distinction between ArithAdd and
2044         ValueAdd. Also, this new node will make it simpler to introduce
2045         optimizations when we create speculation paths for BigInt in future
2046         patches.
2047
2048         In the case of the "+" unary operation on BigInt, the current semantics we already have
2049         are correct, since it needs to throw a TypeError because of the ToNumber call [1].
2050         In that case, we are adding tests to verify other edge cases.
2051
2052         [1] - https://tc39.github.io/proposal-bigint/#sec-unary-plus-operator
2053
2054         * bytecompiler/BytecodeGenerator.cpp:
2055         (JSC::BytecodeGenerator::addBigIntConstant):
2056         * bytecompiler/BytecodeGenerator.h:
2057         * bytecompiler/NodesCodegen.cpp:
2058         (JSC::BigIntNode::jsValue const):
2059         * dfg/DFGAbstractInterpreterInlines.h:
2060         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2061         * dfg/DFGByteCodeParser.cpp:
2062         (JSC::DFG::ByteCodeParser::makeSafe):
2063         (JSC::DFG::ByteCodeParser::parseBlock):
2064         * dfg/DFGClobberize.h:
2065         (JSC::DFG::clobberize):
2066         * dfg/DFGDoesGC.cpp:
2067         (JSC::DFG::doesGC):
2068         * dfg/DFGFixupPhase.cpp:
2069         (JSC::DFG::FixupPhase::fixupNode):
2070         * dfg/DFGNode.h:
2071         (JSC::DFG::Node::arithNodeFlags):
2072         * dfg/DFGNodeType.h:
2073         * dfg/DFGPredictionPropagationPhase.cpp:
2074         * dfg/DFGSafeToExecute.h:
2075         (JSC::DFG::safeToExecute):
2076         * dfg/DFGSpeculativeJIT.cpp:
2077         (JSC::DFG::SpeculativeJIT::compileValueNegate):
2078         (JSC::DFG::SpeculativeJIT::compileArithNegate):
2079         * dfg/DFGSpeculativeJIT.h:
2080         * dfg/DFGSpeculativeJIT32_64.cpp:
2081         (JSC::DFG::SpeculativeJIT::compile):
2082         * dfg/DFGSpeculativeJIT64.cpp:
2083         (JSC::DFG::SpeculativeJIT::compile):
2084         * ftl/FTLCapabilities.cpp:
2085         (JSC::FTL::canCompile):
2086         * ftl/FTLLowerDFGToB3.cpp:
2087         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2088         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
2089         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2090         * jit/JITOperations.cpp:
2091         * parser/ASTBuilder.h:
2092         (JSC::ASTBuilder::createBigIntWithSign):
2093         (JSC::ASTBuilder::createBigIntFromUnaryOperation):
2094         (JSC::ASTBuilder::makeNegateNode):
2095         * parser/NodeConstructors.h:
2096         (JSC::BigIntNode::BigIntNode):
2097         * parser/Nodes.h:
2098         * runtime/CommonSlowPaths.cpp:
2099         (JSC::updateArithProfileForUnaryArithOp):
2100         (JSC::SLOW_PATH_DECL):
2101         * runtime/JSBigInt.cpp:
2102         (JSC::JSBigInt::parseInt):
2103         * runtime/JSBigInt.h:
2104         * runtime/JSCJSValueInlines.h:
2105         (JSC::JSValue::strictEqualSlowCaseInline):
2106
2107 2018-05-27  Dan Bernstein  <mitz@apple.com>
2108
2109         Tried to fix the 32-bit !ASSERT_DISABLED build after r232211.
2110
2111         * jit/JITOperations.cpp:
2112
2113 2018-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2114
2115         [JSC] Rename Array#flatten to flat
2116         https://bugs.webkit.org/show_bug.cgi?id=186012
2117
2118         Reviewed by Saam Barati.
2119
2120         Rename Array#flatten to Array#flat. This rename was done in TC39 since flatten
2121         conflicts with MooTools' function name.
2122
2123         * builtins/ArrayPrototype.js:
2124         (globalPrivate.flatIntoArray):
2125         (flat):
2126         (globalPrivate.flatIntoArrayWithCallback):
2127         (flatMap):
2128         (globalPrivate.flattenIntoArray): Deleted.
2129         (flatten): Deleted.
2130         (globalPrivate.flattenIntoArrayWithCallback): Deleted.
2131         * runtime/ArrayPrototype.cpp:
2132         (JSC::ArrayPrototype::finishCreation):
2133
2134 2018-05-25  Mark Lam  <mark.lam@apple.com>
2135
2136         for-in loops should preserve and restore the TDZ stack for each of its internal loops.
2137         https://bugs.webkit.org/show_bug.cgi?id=185995
2138         <rdar://problem/40173142>
2139
2140         Reviewed by Saam Barati.
2141
2142         This is because there's no guarantee that any of the loop bodies will be
2143         executed.  Hence, there's no guarantee that the TDZ variables will have been
2144         initialized after each loop body.
2145
2146         * bytecompiler/BytecodeGenerator.cpp:
2147         (JSC::BytecodeGenerator::preserveTDZStack):
2148         (JSC::BytecodeGenerator::restoreTDZStack):
2149         * bytecompiler/BytecodeGenerator.h:
2150         * bytecompiler/NodesCodegen.cpp:
2151         (JSC::ForInNode::emitBytecode):
2152
2153 2018-05-25  Mark Lam  <mark.lam@apple.com>
2154
2155         MachineContext's instructionPointer() should handle null PCs correctly.
2156         https://bugs.webkit.org/show_bug.cgi?id=186004
2157         <rdar://problem/40570067>
2158
2159         Reviewed by Saam Barati.
2160
2161         instructionPointer() returns a MacroAssemblerCodePtr<CFunctionPtrTag>.  However,
2162         MacroAssemblerCodePtr's constructor does not accept a null pointer value and will
2163         assert accordingly with a debug ASSERT.  This is inconsequential for release
2164         builds, but to avoid this assertion failure, we should check for a null PC and
2165         return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr) instead (which uses the
2166         MacroAssemblerCodePtr(std::nullptr_t) version of the constructor instead).
2167
2168         Alternatively, we can change all of MacroAssemblerCodePtr's constructors to check
2169         for null pointers, but I'd rather not do that yet.  In general,
2170         MacroAssemblerCodePtrs are constructed with non-null pointers, and I prefer to
2171         leave it that way for now.
2172
2173         Note: this assertion failure only manifests when we have signal traps enabled,
2174         and encounter a null pointer deref.
2175
2176         * runtime/MachineContext.h:
2177         (JSC::MachineContext::instructionPointer):
2178
2179 2018-05-25  Mark Lam  <mark.lam@apple.com>
2180
2181         Enforce invariant that GetterSetter objects are invariant.
2182         https://bugs.webkit.org/show_bug.cgi?id=185968
2183         <rdar://problem/40541416>
2184
2185         Reviewed by Saam Barati.
2186
2187         The code already assumes the invariant that GetterSetter objects are immutable.
2188         For example, the use of @tryGetById in builtins expects this invariant to be true.
2189         The existing code mostly enforces this except for one case: JSObject's
2190         validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter
2191         object.
2192
2193         This patch enforces this invariant by removing the setGetter and setSetter methods
2194         of GetterSetter, and requiring the getter/setter callback functions to be
2195         specified at construction time.
2196
2197         * jit/JITOperations.cpp:
2198         * llint/LLIntSlowPaths.cpp:
2199         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2200         * runtime/GetterSetter.cpp:
2201         (JSC::GetterSetter::withGetter): Deleted.
2202         (JSC::GetterSetter::withSetter): Deleted.
2203         * runtime/GetterSetter.h:
2204         * runtime/JSGlobalObject.cpp:
2205         (JSC::JSGlobalObject::init):
2206         * runtime/JSObject.cpp:
2207         (JSC::JSObject::putIndexedDescriptor):
2208         (JSC::JSObject::putDirectNativeIntrinsicGetter):
2209         (JSC::putDescriptor):
2210         (JSC::validateAndApplyPropertyDescriptor):
2211         * runtime/JSTypedArrayViewPrototype.cpp:
2212         (JSC::JSTypedArrayViewPrototype::finishCreation):
2213         * runtime/Lookup.cpp:
2214         (JSC::reifyStaticAccessor):
2215         * runtime/PropertyDescriptor.cpp:
2216         (JSC::PropertyDescriptor::slowGetterSetter):
2217
2218 2018-05-25  Saam Barati  <sbarati@apple.com>
2219
2220         Make JSC have a mini mode that kicks in when the JIT is disabled
2221         https://bugs.webkit.org/show_bug.cgi?id=185931
2222
2223         Reviewed by Mark Lam.
2224
2225         This patch makes JSC have a mini VM mode. This currently only kicks in
2226         when the process can't JIT. Mini VM now means a few things:
2227         - We always use a 1.27x heap growth factor. This number was the best tradeoff
2228           between memory use progression and time regression in run-testmem. We may
2229           want to tune this more in the future as we make other mini VM changes.
2230         - We always sweep synchronously.
2231         - We disable generational GC.
2232         
2233         I'm going to continue to extend what mini VM mode means in future changes.
2234         
2235         This patch is a 50% memory progression and an ~8-9% time regression
2236         on run-testmem when running in mini VM mode with the JIT disabled.
2237
2238         * heap/Heap.cpp:
2239         (JSC::Heap::collectNow):
2240         (JSC::Heap::finalize):
2241         (JSC::Heap::useGenerationalGC):
2242         (JSC::Heap::shouldSweepSynchronously):
2243         (JSC::Heap::shouldDoFullCollection):
2244         * heap/Heap.h:
2245         * runtime/Options.h:
2246         * runtime/VM.cpp:
2247         (JSC::VM::isInMiniMode):
2248         * runtime/VM.h:
2249
2250 2018-05-25  Saam Barati  <sbarati@apple.com>
2251
2252         Have a memory test where we can validate JSCs mini memory mode
2253         https://bugs.webkit.org/show_bug.cgi?id=185932
2254
2255         Reviewed by Mark Lam.
2256
2257         This patch adds the testmem CLI. It takes as input a file to run
2258         and the number of iterations to run it (by default it runs it
2259         20 times). Each iteration runs in a new JSContext. Each JSContext
2260         belongs to a VM that is created once. When finished, the CLI dumps
2261         out the peak memory usage of the process, the memory usage at the end
2262         of running all the iterations of the process, and the total time it
2263         took to run all the iterations.
2264
2265         * JavaScriptCore.xcodeproj/project.pbxproj:
2266         * testmem: Added.
2267         * testmem/testmem.mm: Added.
2268         (description):
2269         (Footprint::now):
2270         (main):
2271
2272 2018-05-25  David Kilzer  <ddkilzer@apple.com>
2273
2274         Fix issues with -dealloc methods found by clang static analyzer
2275         <https://webkit.org/b/185887>
2276
2277         Reviewed by Joseph Pecoraro.
2278
2279         * API/JSValue.mm:
2280         (-[JSValue dealloc]):
2281         (-[JSValue description]):
2282         - Move method implementations from (Internal) category to the
2283           main category since these are public API.  This fixes the
2284           false positive warning about a missing -dealloc method.
2285
2286 2018-05-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2287
2288         [Baseline] Remove a hack for DCE removal of NewFunction
2289         https://bugs.webkit.org/show_bug.cgi?id=185945
2290
2291         Reviewed by Saam Barati.
2292
2293         This `undefined` check in baseline was originally introduced in r177871. The problem was,
2294         when NewFunction is removed in DFG DCE, its referencing scope DFG node is also removed.
2295         While op_new_func_xxx wants to have a scope for function creation, DFG OSR exit cannot
2296         retrieve this into the stack since the scope is not referenced from anywhere.
2297
2298         In r177871, we fixed this by accepting an `undefined` scope in the baseline op_new_func_xxx
2299         implementation. But rather than that, just emitting `Phantom` for this scope is clean
2300         and consistent with the other DFG nodes like GetClosureVar.
2301
2302         This patch emits Phantom instead, and removes the unnecessary `undefined` check in baseline.
2303         While we emit Phantom, it is not testable since NewFunction is guarded by a MovHint which
2304         is not removed in DFG. And in FTL, NewFunction will be converted to PhantomNewFunction
2305         if it is not referenced. And the scope node is kept by PutHint. But emitting Phantom is nice
2306         since it conservatively guards the scope, and it does not introduce any additional overhead
2307         compared to the current status.
2308
2309         * dfg/DFGByteCodeParser.cpp:
2310         (JSC::DFG::ByteCodeParser::parseBlock):
2311         * jit/JITOpcodes.cpp:
2312         (JSC::JIT::emitNewFuncExprCommon):
2313
2314 2018-05-23  Keith Miller  <keith_miller@apple.com>
2315
2316         Expose $vm if window.internals is exposed
2317         https://bugs.webkit.org/show_bug.cgi?id=185900
2318
2319         Reviewed by Mark Lam.
2320
2321         This is useful for testing vm internals when running LayoutTests.
2322
2323         * runtime/JSGlobalObject.cpp:
2324         (JSC::JSGlobalObject::init):
2325         (JSC::JSGlobalObject::visitChildren):
2326         (JSC::JSGlobalObject::exposeDollarVM):
2327         * runtime/JSGlobalObject.h:
2328
2329 2018-05-23  Keith Miller  <keith_miller@apple.com>
2330
2331         Define length on CoW array should properly convert to writable
2332         https://bugs.webkit.org/show_bug.cgi?id=185927
2333
2334         Reviewed by Yusuke Suzuki.
2335
2336         * runtime/JSArray.cpp:
2337         (JSC::JSArray::setLength):
2338
2339 2018-05-23  Keith Miller  <keith_miller@apple.com>
2340
2341         InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format
2342         https://bugs.webkit.org/show_bug.cgi?id=185923
2343
2344         Reviewed by Saam Barati.
2345
2346         Previously, we could confuse AI by overly broadening a type. This happens when a block in a
2347         loop has a local mutated following a GetLocal but never SetLocaled to the stack. For example,
2348
2349         Block 1:
2350         @1: GetLocal(loc42, FlushedInt32);
2351         @2: PutStructure(Check: Cell: @1);
2352         @3: Jump(Block 1);
2353
2354         Would cause us to claim that loc42 could be either an int32 or some cell. However,
2355         the type of a local cannot change without writing to it.
2356
2357         This fixes a crash in destructuring-rest-element.js.
2358
2359         * dfg/DFGInPlaceAbstractState.cpp:
2360         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2361
2362 2018-05-23  Filip Pizlo  <fpizlo@apple.com>
2363
2364         Speed up JetStream/base64
2365         https://bugs.webkit.org/show_bug.cgi?id=185914
2366
2367         Reviewed by Michael Saboff.
2368         
2369         Make allocation fast paths ALWAYS_INLINE.
2370         
2371         This is a 1% speed-up on SunSpider, mostly because of base64. It also speeds up pdfjs by
2372         ~6%.
2373
2374         * CMakeLists.txt:
2375         * JavaScriptCore.xcodeproj/project.pbxproj:
2376         * heap/AllocatorInlines.h:
2377         (JSC::Allocator::allocate const):
2378         * heap/CompleteSubspace.cpp:
2379         (JSC::CompleteSubspace::allocateNonVirtual): Deleted.
2380         * heap/CompleteSubspace.h:
2381         * heap/CompleteSubspaceInlines.h: Added.
2382         (JSC::CompleteSubspace::allocateNonVirtual):
2383         * heap/FreeListInlines.h:
2384         (JSC::FreeList::allocate):
2385         * heap/IsoSubspace.cpp:
2386         (JSC::IsoSubspace::allocateNonVirtual): Deleted.
2387         * heap/IsoSubspace.h:
2388         (JSC::IsoSubspace::allocatorForNonVirtual):
2389         * heap/IsoSubspaceInlines.h: Added.
2390         (JSC::IsoSubspace::allocateNonVirtual):
2391         * runtime/JSCellInlines.h:
2392         * runtime/VM.h:
2393
2394 2018-05-23  Rick Waldron  <waldron.rick@gmail.com>
2395
2396         Conversion misspelled "Convertion" in error message string
2397         https://bugs.webkit.org/show_bug.cgi?id=185436
2398
2399         Reviewed by Saam Barati and Michael Saboff.
2400
2401         * runtime/JSBigInt.cpp:
2402         (JSC::JSBigInt::toNumber const):
2403
2404 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2405
2406         [JSC] Clean up stringGetByValStubGenerator
2407         https://bugs.webkit.org/show_bug.cgi?id=185864
2408
2409         Reviewed by Saam Barati.
2410
2411         We clean up stringGetByValStubGenerator.
2412
2413         1. Unify 32bit and 64bit implementations.
2414         2. Rename stringGetByValStubGenerator to stringGetByValGenerator, move it to ThunkGenerators.cpp.
2415         3. Remove string type check since this code is invoked only when we know regT0 is JSString*.
2416         4. Do not tag Cell in stringGetByValGenerator side. 32bit code stores Cell with tag in JITPropertyAccess32_64 side.
2417         5. Fix invalid use of loadPtr for StringImpl::flags. Should use load32.
2418
2419         * jit/JIT.h:
2420         * jit/JITPropertyAccess.cpp:
2421         (JSC::JIT::emitSlow_op_get_by_val):
2422         (JSC::JIT::stringGetByValStubGenerator): Deleted.
2423         * jit/JITPropertyAccess32_64.cpp:
2424         (JSC::JIT::emit_op_get_by_val):
2425         (JSC::JIT::emitSlow_op_get_by_val):
2426         (JSC::JIT::stringGetByValStubGenerator): Deleted.
2427         * jit/ThunkGenerators.cpp:
2428         (JSC::stringGetByValGenerator):
2429         * jit/ThunkGenerators.h:
2430
2431 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2432
2433         [JSC] Use branchIfString/branchIfNotString instead of structure checkings
2434         https://bugs.webkit.org/show_bug.cgi?id=185810
2435
2436         Reviewed by Saam Barati.
2437
2438         Let's use branchIfString/branchIfNotString helper functions instead of
2439         checking structure with jsString's structure. It's easy to read. And
2440         it emits less code since we do not need to embed string structure's
2441         raw pointer in 32bit environment.
2442
2443         * jit/JIT.h:
2444         * jit/JITInlines.h:
2445         (JSC::JIT::emitLoadCharacterString):
2446         (JSC::JIT::checkStructure): Deleted.
2447         * jit/JITOpcodes32_64.cpp:
2448         (JSC::JIT::emitSlow_op_eq):
2449         (JSC::JIT::compileOpEqJumpSlow):
2450         (JSC::JIT::emitSlow_op_neq):
2451         * jit/JITPropertyAccess.cpp:
2452         (JSC::JIT::stringGetByValStubGenerator):
2453         (JSC::JIT::emitSlow_op_get_by_val):
2454         (JSC::JIT::emitByValIdentifierCheck):
2455         * jit/JITPropertyAccess32_64.cpp:
2456         (JSC::JIT::stringGetByValStubGenerator):
2457         (JSC::JIT::emitSlow_op_get_by_val):
2458         * jit/JSInterfaceJIT.h:
2459         (JSC::ThunkHelpers::jsStringLengthOffset): Deleted.
2460         (JSC::ThunkHelpers::jsStringValueOffset): Deleted.
2461         * jit/SpecializedThunkJIT.h:
2462         (JSC::SpecializedThunkJIT::loadJSStringArgument):
2463         * jit/ThunkGenerators.cpp:
2464         (JSC::stringCharLoad):
2465         (JSC::charCodeAtThunkGenerator):
2466         (JSC::charAtThunkGenerator):
2467         * runtime/JSString.h:
2468
2469 2018-05-22  Mark Lam  <mark.lam@apple.com>
2470
2471         BytecodeGeneratorification shouldn't add a ValueProfile if the JIT is disabled.
2472         https://bugs.webkit.org/show_bug.cgi?id=185896
2473         <rdar://problem/40471403>
2474
2475         Reviewed by Saam Barati.
2476
2477         * bytecode/BytecodeGeneratorification.cpp:
2478         (JSC::BytecodeGeneratorification::run):
2479
2480 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2481
2482         [JSC] Fix CachedCall's argument count if RegExp has named captures
2483         https://bugs.webkit.org/show_bug.cgi?id=185587
2484
2485         Reviewed by Mark Lam.
2486
2487         If the given RegExp has named captures, the argument count of CachedCall in String#replace
2488         should be increased by one. This causes a crash with an assertion in test262. This patch corrects
2489         the argument count.
2490
2491         This patch also unifies source.is8Bit()/!source.is8Bit() code since they are now completely
2492         the same.
2493
2494         * runtime/StringPrototype.cpp:
2495         (JSC::replaceUsingRegExpSearch):
2496
2497 2018-05-22  Mark Lam  <mark.lam@apple.com>
2498
2499         StringImpl utf8 conversion should not fail silently.
2500         https://bugs.webkit.org/show_bug.cgi?id=185888
2501         <rdar://problem/40464506>
2502
2503         Reviewed by Filip Pizlo.
2504
2505         * dfg/DFGLazyJSValue.cpp:
2506         (JSC::DFG::LazyJSValue::dumpInContext const):
2507         * runtime/DateConstructor.cpp:
2508         (JSC::constructDate):
2509         (JSC::dateParse):
2510         * runtime/JSDateMath.cpp:
2511         (JSC::parseDate):
2512         * runtime/JSDateMath.h:
2513
2514 2018-05-22  Keith Miller  <keith_miller@apple.com>
2515
2516         Remove the UnconditionalFinalizer class
2517         https://bugs.webkit.org/show_bug.cgi?id=185881
2518
2519         Reviewed by Filip Pizlo.
2520
2521         The only remaining user of this API is
2522         JSWebAssemblyCodeBlock. This patch changes JSWebAssemblyCodeBlock
2523         to use the newer template based API and removes the old class.
2524
2542         * CMakeLists.txt:
2543         * JavaScriptCore.xcodeproj/project.pbxproj:
2544         * bytecode/CodeBlock.h:
2545         * heap/Heap.cpp:
2546         (JSC::Heap::finalizeUnconditionalFinalizers):
2547         * heap/Heap.h:
2548         * heap/SlotVisitor.cpp:
2549         (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
2550         * heap/SlotVisitor.h:
2551         * heap/UnconditionalFinalizer.h: Removed.
2552         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2553         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2554         (JSC::JSWebAssemblyCodeBlock::visitChildren):
2555         (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
2556         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
2557         * wasm/js/JSWebAssemblyCodeBlock.h:
2558         * wasm/js/JSWebAssemblyModule.h:
2559
2560 2018-05-22  Keith Miller  <keith_miller@apple.com>
2561
2562         Unreviewed, fix internal build.
2563
2564         * runtime/JSImmutableButterfly.cpp:
2565
2566 2018-05-22  Saam Barati  <sbarati@apple.com>
2567
2568         DFG::LICMPhase should attempt to hoist edge type checks if hoisting the whole node fails
2569         https://bugs.webkit.org/show_bug.cgi?id=144525
2570
2571         Reviewed by Filip Pizlo.
2572
2573         This patch teaches LICM to fall back to hoisting a node's type checks when
2574         hoisting the entire node fails.
2575         
2576         This patch follows the same principles we use when deciding to hoist nodes in general:
2577         - If the pre header is control equivalent to where the current check is, we
2578         go ahead and hoist the check.
2579         - Otherwise, if hoisting hasn't failed before, we go ahead and gamble and
2580         hoist the check. If hoisting failed in the past, we will not hoist the check.
2581
2582         * dfg/DFGLICMPhase.cpp:
2583         (JSC::DFG::LICMPhase::attemptHoist):
2584         * dfg/DFGUseKind.h:
2585         (JSC::DFG::checkMayCrashIfInputIsEmpty):
2586
2587 2018-05-21  Filip Pizlo  <fpizlo@apple.com>
2588
2589         Get rid of TLCs
2590         https://bugs.webkit.org/show_bug.cgi?id=185846
2591
2592         Rubber stamped by Geoffrey Garen.
2593         
2594         This removes support for thread-local caches from the GC in order to speed up allocation a
2595         bit.
2596         
2597         We added TLCs as part of Spectre mitigations, which we have since removed.
2598         
2599         We will want some kind of TLCs eventually, since they allow us to:
2600         
2601         - have a global GC, which may be a perf optimization at some point.
2602         - allocate objects from JIT threads, which we've been wanting to do for a while.
2603         
2604         This change keeps the most interesting aspect of TLCs, which is the
2605         LocalAllocator/BlockDirectory separation. This means that it ought to be easy to implement
2606         TLCs again in the future if we wanted this feature.
2607         
2608         This change removes the part of TLCs that causes a perf regression, namely that Allocator is
2609         an offset that requires a bounds check and lookup that makes the rest of the allocation fast
2610         path dependent on the load of the TLC. Now, Allocator is really just a LocalAllocator*, so
2611         you can directly use it to allocate. This removes two loads and a check from the allocation
2612         fast path. In hindsight, I probably could have made that whole thing more efficient, had I
2613         allowed us to have a statically known set of LocalAllocators. This would have removed the
2614         bounds check (one load and one branch) and it would have made it possible to CSE the load of
2615         the TLC data structure, since that would no longer resize. But that's a harder change than
2616         this patch, and we don't need it right now.
2617         
2618         While reviewing the allocation hot paths, I found that CreateThis had an unnecessary branch
2619         to check if the allocator is null. I removed that check. AssemblyHelpers::emitAllocate() does
2620         that check already. Previously, the TLC bounds check doubled as this check.
2621         
2622         This is a 1% speed-up on Octane and a 2.3% speed-up on TailBench. However, the Octane
2623         speed-up on my machine includes an 8% regexp speed-up. I've found that sometimes regexp
2624         speeds up or slows down by 8% depending on which path I build JSC from. Without that 8%, this
2625         is still an Octane speed-up due to 2-4% speed-ups in earley, boyer, raytrace, and splay.
2626
2627         * JavaScriptCore.xcodeproj/project.pbxproj:
2628         * Sources.txt:
2629         * bytecode/ObjectAllocationProfileInlines.h:
2630         (JSC::ObjectAllocationProfile::initializeProfile):
2631         * dfg/DFGSpeculativeJIT.cpp:
2632         (JSC::DFG::SpeculativeJIT::compileCreateThis):
2633         * ftl/FTLLowerDFGToB3.cpp:
2634         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2635         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2636         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2637         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2638         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2639         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2640         * heap/Allocator.cpp:
2641         (JSC::Allocator::cellSize const):
2642         * heap/Allocator.h:
2643         (JSC::Allocator::Allocator):
2644         (JSC::Allocator::localAllocator const):
2645         (JSC::Allocator::operator== const):
2646         (JSC::Allocator::offset const): Deleted.
2647         * heap/AllocatorInlines.h:
2648         (JSC::Allocator::allocate const):
2649         (JSC::Allocator::tryAllocate const): Deleted.
2650         * heap/BlockDirectory.cpp:
2651         (JSC::BlockDirectory::BlockDirectory):
2652         (JSC::BlockDirectory::~BlockDirectory):
2653         * heap/BlockDirectory.h:
2654         (JSC::BlockDirectory::allocator const): Deleted.
2655         * heap/CompleteSubspace.cpp:
2656         (JSC::CompleteSubspace::allocateNonVirtual):
2657         (JSC::CompleteSubspace::allocatorForSlow):
2658         (JSC::CompleteSubspace::tryAllocateSlow):
2659         * heap/CompleteSubspace.h:
2660         * heap/Heap.cpp:
2661         (JSC::Heap::Heap):
2662         * heap/Heap.h:
2663         (JSC::Heap::threadLocalCacheLayout): Deleted.
2664         * heap/IsoSubspace.cpp:
2665         (JSC::IsoSubspace::IsoSubspace):
2666         (JSC::IsoSubspace::allocateNonVirtual):
2667         * heap/IsoSubspace.h:
2668         (JSC::IsoSubspace::allocatorForNonVirtual):
2669         * heap/LocalAllocator.cpp:
2670         (JSC::LocalAllocator::LocalAllocator):
2671         (JSC::LocalAllocator::~LocalAllocator):
2672         * heap/LocalAllocator.h:
2673         (JSC::LocalAllocator::cellSize const):
2674         (JSC::LocalAllocator::tlc const): Deleted.
2675         * heap/ThreadLocalCache.cpp: Removed.
2676         * heap/ThreadLocalCache.h: Removed.
2677         * heap/ThreadLocalCacheInlines.h: Removed.
2678         * heap/ThreadLocalCacheLayout.cpp: Removed.
2679         * heap/ThreadLocalCacheLayout.h: Removed.
2680         * jit/AssemblyHelpers.cpp:
2681         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2682         (JSC::AssemblyHelpers::emitAllocate):
2683         (JSC::AssemblyHelpers::emitAllocateVariableSized):
2684         * jit/JITOpcodes.cpp:
2685         (JSC::JIT::emit_op_create_this):
2686         * runtime/JSLock.cpp:
2687         (JSC::JSLock::didAcquireLock):
2688         * runtime/VM.cpp:
2689         (JSC::VM::VM):
2690         (JSC::VM::~VM):
2691         * runtime/VM.h:
2692         * runtime/VMEntryScope.cpp:
2693         (JSC::VMEntryScope::~VMEntryScope):
2694         * runtime/VMEntryScope.h:
2695
2696 2018-05-22  Keith Miller  <keith_miller@apple.com>
2697
2698         We should have a CoW storage for NewArrayBuffer arrays.
2699         https://bugs.webkit.org/show_bug.cgi?id=185003
2700
2701         Reviewed by Filip Pizlo.
2702
2703         This patch adds copy on write storage for new array buffers. In
2704         order to do this there needed to be significant changes to the
2705         layout of IndexingType. The new indexing type has the following
2706         shape:
2707
2708         struct IndexingTypeAndMisc {
2709             struct IndexingModeIncludingHistory {
2710                 struct IndexingMode {
2711                     struct IndexingType {
2712                         uint8_t isArray:1;          // bit 0
2713                         uint8_t shape:3;            // bit 1 - 3
2714                     };
2715                     uint8_t copyOnWrite:1;          // bit 4
2716                 };
2717                 uint8_t mayHaveIndexedAccessors:1;  // bit 5
2718             };
2719             uint8_t cellLockBits:2;                 // bit 6 - 7
2720         };
2721
2722         For simplicity ArrayStorage shapes cannot be CoW. So the only
2723         valid CoW indexing shapes are ArrayWithInt32, ArrayWithDouble, and
2724         ArrayWithContiguous.
2725
2726         The backing store for a CoW array is a new class
2727         JSImmutableButterfly, which looks exactly the same as a normal
2728         butterfly except that it has a JSCell header. Like other
2729         butterflies, JSImmutableButterflies are allocated out of the
2730         Auxiliary Gigacage and are pointed to by JSCells in the same
2731         way. However, when marking JSImmutableButterflies they are marked
2732         as if they were a property.
2733
2734         With CoW arrays, the new_array_buffer bytecode will reallocate the
2735         shared JSImmutableButterfly if it sees from the allocation profile
2736         that the last array it allocated has transitioned to a different
2737         indexing type. From then on, all arrays created by that
2738         new_array_buffer bytecode will have the promoted indexing
2739         type. This is more or less the same as what we used to do. The
2740         only difference is that we don't promote all the way to array
2741         storage even if we have seen it before.
2742
2743         Transitioning from a CoW indexing mode occurs whenever someone
2744         tries to store to an element, grow the array, or add properties.
2745         Storing or growing the array will call into code that does the
2746         stupid thing of copying the butterfly then continue into the old
2747         code. This doesn't end up costing us as future allocations will
2748         use any upgraded indexing shape.  We get adding properties for
2749         free by just changing the indexing mode on transition (our C++
2750         code always updates the indexing mode).
2751
2752         * JavaScriptCore.xcodeproj/project.pbxproj:
2753         * Sources.txt:
2754         * bytecode/ArrayAllocationProfile.cpp:
2755         (JSC::ArrayAllocationProfile::updateProfile):
2756         * bytecode/ArrayAllocationProfile.h:
2757         (JSC::ArrayAllocationProfile::initializeIndexingMode):
2758         * bytecode/ArrayProfile.cpp:
2759         (JSC::dumpArrayModes):
2760         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
2761         * bytecode/ArrayProfile.h:
2762         (JSC::asArrayModes):
2763         (JSC::arrayModeFromStructure):
2764         (JSC::arrayModesInclude):
2765         (JSC::hasSeenCopyOnWriteArray):
2766         * bytecode/BytecodeList.json:
2767         * bytecode/CodeBlock.cpp:
2768         (JSC::CodeBlock::finishCreation):
2769         * bytecode/InlineAccess.cpp:
2770         (JSC::InlineAccess::generateArrayLength):
2771         * bytecode/UnlinkedCodeBlock.h:
2772         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
2773         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
2774         * bytecompiler/BytecodeGenerator.cpp:
2775         (JSC::BytecodeGenerator::newArrayAllocationProfile):
2776         (JSC::BytecodeGenerator::emitNewArrayBuffer):
2777         (JSC::BytecodeGenerator::emitNewArray):
2778         (JSC::BytecodeGenerator::emitNewArrayWithSize):
2779         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
2780         * bytecompiler/BytecodeGenerator.h:
2781         * bytecompiler/NodesCodegen.cpp:
2782         (JSC::ArrayNode::emitBytecode):
2783         (JSC::ArrayPatternNode::bindValue const):
2784         (JSC::ArrayPatternNode::emitDirectBinding):
2785         * dfg/DFGAbstractInterpreterInlines.h:
2786         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2787         * dfg/DFGArgumentsEliminationPhase.cpp:
2788         * dfg/DFGArgumentsUtilities.cpp:
2789         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2790         * dfg/DFGArrayMode.cpp:
2791         (JSC::DFG::ArrayMode::fromObserved):
2792         (JSC::DFG::ArrayMode::refine const):
2793         (JSC::DFG::ArrayMode::alreadyChecked const):
2794         * dfg/DFGArrayMode.h:
2795         (JSC::DFG::ArrayMode::ArrayMode):
2796         (JSC::DFG::ArrayMode::action const):
2797         (JSC::DFG::ArrayMode::withSpeculation const):
2798         (JSC::DFG::ArrayMode::withArrayClass const):
2799         (JSC::DFG::ArrayMode::withType const):
2800         (JSC::DFG::ArrayMode::withConversion const):
2801         (JSC::DFG::ArrayMode::withTypeAndConversion const):
2802         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
2803         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
2804         * dfg/DFGByteCodeParser.cpp:
2805         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2806         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
2807         (JSC::DFG::ByteCodeParser::parseBlock):
2808         * dfg/DFGClobberize.h:
2809         (JSC::DFG::clobberize):
2810         * dfg/DFGConstantFoldingPhase.cpp:
2811         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2812         * dfg/DFGFixupPhase.cpp:
2813         (JSC::DFG::FixupPhase::fixupNode):
2814         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
2815         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2816         * dfg/DFGGraph.cpp:
2817         (JSC::DFG::Graph::dump):
2818         * dfg/DFGNode.h:
2819         (JSC::DFG::Node::indexingType):
2820         (JSC::DFG::Node::indexingMode):
2821         * dfg/DFGOSRExit.cpp:
2822         (JSC::DFG::OSRExit::compileExit):
2823         * dfg/DFGOperations.cpp:
2824         * dfg/DFGOperations.h:
2825         * dfg/DFGSpeculativeJIT.cpp:
2826         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2827         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
2828         (JSC::DFG::SpeculativeJIT::arrayify):
2829         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2830         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2831         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2832         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2833         (JSC::DFG::SpeculativeJIT::compileCreateRest):
2834         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2835         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
2836         * dfg/DFGSpeculativeJIT32_64.cpp:
2837         (JSC::DFG::SpeculativeJIT::compile):
2838         * dfg/DFGSpeculativeJIT64.cpp:
2839         (JSC::DFG::SpeculativeJIT::compile):
2840         * dfg/DFGValidate.cpp:
2841         * ftl/FTLAbstractHeapRepository.h:
2842         * ftl/FTLLowerDFGToB3.cpp:
2843         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
2844         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2845         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2846         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2847         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2848         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
2849         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
2850         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
2851         * ftl/FTLOperations.cpp:
2852         (JSC::FTL::operationMaterializeObjectInOSR):
2853         * generate-bytecode-files:
2854         * interpreter/Interpreter.cpp:
2855         (JSC::sizeOfVarargs):
2856         (JSC::loadVarargs):
2857         * jit/AssemblyHelpers.cpp:
2858         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2859         * jit/AssemblyHelpers.h:
2860         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2861         * jit/JITOperations.cpp:
2862         * jit/JITPropertyAccess.cpp:
2863         (JSC::JIT::emit_op_put_by_val):
2864         (JSC::JIT::emitSlow_op_put_by_val):
2865         * jit/Repatch.cpp:
2866         (JSC::tryCachePutByID):
2867         * llint/LowLevelInterpreter.asm:
2868         * llint/LowLevelInterpreter32_64.asm:
2869         * llint/LowLevelInterpreter64.asm:
2870         * runtime/Butterfly.h:
2871         (JSC::ContiguousData::Data::Data):
2872         (JSC::ContiguousData::Data::operator bool const):
2873         (JSC::ContiguousData::Data::operator=):
2874         (JSC::ContiguousData::Data::operator const T& const):
2875         (JSC::ContiguousData::Data::set):
2876         (JSC::ContiguousData::Data::setWithoutWriteBarrier):
2877         (JSC::ContiguousData::Data::clear):
2878         (JSC::ContiguousData::Data::get const):
2879         (JSC::ContiguousData::atUnsafe):
2880         (JSC::ContiguousData::at const): Deleted.
2881         (JSC::ContiguousData::at): Deleted.
2882         * runtime/ButterflyInlines.h:
2883         (JSC::ContiguousData<T>::at const):
2884         (JSC::ContiguousData<T>::at):
2885         * runtime/ClonedArguments.cpp:
2886         (JSC::ClonedArguments::createEmpty):
2887         * runtime/CommonSlowPaths.cpp:
2888         (JSC::SLOW_PATH_DECL):
2889         * runtime/CommonSlowPaths.h:
2890         (JSC::CommonSlowPaths::allocateNewArrayBuffer):
2891         * runtime/IndexingType.cpp:
2892         (JSC::leastUpperBoundOfIndexingTypeAndType):
2893         (JSC::leastUpperBoundOfIndexingTypeAndValue):
2894         (JSC::dumpIndexingType):
2895         * runtime/IndexingType.h:
2896         (JSC::hasIndexedProperties):
2897         (JSC::hasUndecided):
2898         (JSC::hasInt32):
2899         (JSC::hasDouble):
2900         (JSC::hasContiguous):
2901         (JSC::hasArrayStorage):
2902         (JSC::hasAnyArrayStorage):
2903         (JSC::hasSlowPutArrayStorage):
2904         (JSC::shouldUseSlowPut):
2905         (JSC::isCopyOnWrite):
2906         (JSC::arrayIndexFromIndexingType):
2907         * runtime/JSArray.cpp:
2908         (JSC::JSArray::tryCreateUninitializedRestricted):
2909         (JSC::JSArray::put):
2910         (JSC::JSArray::appendMemcpy):
2911         (JSC::JSArray::setLength):
2912         (JSC::JSArray::pop):
2913         (JSC::JSArray::fastSlice):
2914         (JSC::JSArray::shiftCountWithAnyIndexingType):
2915         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2916         (JSC::JSArray::fillArgList):
2917         (JSC::JSArray::copyToArguments):
2918         * runtime/JSArrayInlines.h:
2919         (JSC::JSArray::pushInline):
2920         * runtime/JSCell.h:
2921         * runtime/JSCellInlines.h:
2922         (JSC::JSCell::JSCell):
2923         (JSC::JSCell::finishCreation):
2924         (JSC::JSCell::indexingType const):
2925         (JSC::JSCell::indexingMode const):
2926         (JSC::JSCell::setStructure):
2927         * runtime/JSFixedArray.h:
2928         * runtime/JSGlobalObject.cpp:
2929         (JSC::JSGlobalObject::init):
2930         (JSC::JSGlobalObject::haveABadTime):
2931         (JSC::JSGlobalObject::visitChildren):
2932         * runtime/JSGlobalObject.h:
2933         (JSC::JSGlobalObject::originalArrayStructureForIndexingType const):
2934         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
2935         (JSC::JSGlobalObject::isOriginalArrayStructure):
2936         * runtime/JSImmutableButterfly.cpp: Added.
2937         (JSC::JSImmutableButterfly::visitChildren):
2938         (JSC::JSImmutableButterfly::copyToArguments):
2939         * runtime/JSImmutableButterfly.h: Added.
2940         (JSC::JSImmutableButterfly::createStructure):
2941         (JSC::JSImmutableButterfly::tryCreate):
2942         (JSC::JSImmutableButterfly::create):
2943         (JSC::JSImmutableButterfly::publicLength const):
2944         (JSC::JSImmutableButterfly::vectorLength const):
2945         (JSC::JSImmutableButterfly::length const):
2946         (JSC::JSImmutableButterfly::toButterfly const):
2947         (JSC::JSImmutableButterfly::fromButterfly):
2948         (JSC::JSImmutableButterfly::get const):
2949         (JSC::JSImmutableButterfly::subspaceFor):
2950         (JSC::JSImmutableButterfly::setIndex):
2951         (JSC::JSImmutableButterfly::allocationSize):
2952         (JSC::JSImmutableButterfly::JSImmutableButterfly):
2953         * runtime/JSObject.cpp:
2954         (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties):
2955         (JSC::JSObject::visitButterflyImpl):
2956         (JSC::JSObject::getOwnPropertySlotByIndex):
2957         (JSC::JSObject::putByIndex):
2958         (JSC::JSObject::createInitialInt32):
2959         (JSC::JSObject::createInitialDouble):
2960         (JSC::JSObject::createInitialContiguous):
2961         (JSC::JSObject::convertUndecidedToInt32):
2962         (JSC::JSObject::convertUndecidedToDouble):
2963         (JSC::JSObject::convertUndecidedToContiguous):
2964         (JSC::JSObject::convertInt32ToDouble):
2965         (JSC::JSObject::convertInt32ToArrayStorage):
2966         (JSC::JSObject::convertDoubleToContiguous):
2967         (JSC::JSObject::convertDoubleToArrayStorage):
2968         (JSC::JSObject::convertContiguousToArrayStorage):
2969         (JSC::JSObject::createInitialForValueAndSet):
2970         (JSC::JSObject::convertInt32ForValue):
2971         (JSC::JSObject::convertFromCopyOnWrite):
2972         (JSC::JSObject::ensureWritableInt32Slow):
2973         (JSC::JSObject::ensureWritableDoubleSlow):
2974         (JSC::JSObject::ensureWritableContiguousSlow):
2975         (JSC::JSObject::ensureArrayStorageSlow):
2976         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
2977         (JSC::JSObject::switchToSlowPutArrayStorage):
2978         (JSC::JSObject::deletePropertyByIndex):
2979         (JSC::JSObject::getOwnPropertyNames):
2980         (JSC::canDoFastPutDirectIndex):
2981         (JSC::JSObject::defineOwnIndexedProperty):
2982         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2983         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2984         (JSC::JSObject::putByIndexBeyondVectorLength):
2985         (JSC::JSObject::countElements):
2986         (JSC::JSObject::ensureLengthSlow):
2987         (JSC::JSObject::getEnumerableLength):
2988         (JSC::JSObject::ensureInt32Slow): Deleted.
2989         (JSC::JSObject::ensureDoubleSlow): Deleted.
2990         (JSC::JSObject::ensureContiguousSlow): Deleted.
2991         * runtime/JSObject.h:
2992         (JSC::JSObject::putDirectIndex):
2993         (JSC::JSObject::canGetIndexQuickly):
2994         (JSC::JSObject::getIndexQuickly):
2995         (JSC::JSObject::tryGetIndexQuickly const):
2996         (JSC::JSObject::canSetIndexQuickly):
2997         (JSC::JSObject::setIndexQuickly):
2998         (JSC::JSObject::initializeIndex):
2999         (JSC::JSObject::initializeIndexWithoutBarrier):
3000         (JSC::JSObject::ensureWritableInt32):
3001         (JSC::JSObject::ensureWritableDouble):
3002         (JSC::JSObject::ensureWritableContiguous):
3003         (JSC::JSObject::ensureLength):
3004         (JSC::JSObject::ensureInt32): Deleted.
3005         (JSC::JSObject::ensureDouble): Deleted.
3006         (JSC::JSObject::ensureContiguous): Deleted.
3007         * runtime/JSObjectInlines.h:
3008         (JSC::JSObject::putDirectInternal):
3009         * runtime/JSType.h:
3010         * runtime/RegExpMatchesArray.h:
3011         (JSC::tryCreateUninitializedRegExpMatchesArray):
3012         * runtime/Structure.cpp:
3013         (JSC::Structure::Structure):
3014         (JSC::Structure::addNewPropertyTransition):
3015         (JSC::Structure::nonPropertyTransition):
3016         * runtime/Structure.h:
3017         * runtime/StructureIDBlob.h:
3018         (JSC::StructureIDBlob::StructureIDBlob):
3019         (JSC::StructureIDBlob::indexingModeIncludingHistory const):
3020         (JSC::StructureIDBlob::setIndexingModeIncludingHistory):
3021         (JSC::StructureIDBlob::indexingModeIncludingHistoryOffset):
3022         (JSC::StructureIDBlob::indexingTypeIncludingHistory const): Deleted.
3023         (JSC::StructureIDBlob::setIndexingTypeIncludingHistory): Deleted.
3024         (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset): Deleted.
3025         * runtime/StructureTransitionTable.h:
3026         (JSC::newIndexingType):
3027         * runtime/VM.cpp:
3028         (JSC::VM::VM):
3029         * runtime/VM.h:
3030
3031 2018-05-22  Ryan Haddad  <ryanhaddad@apple.com>
3032
3033         Unreviewed, rolling out r232052.
3034
3035         Breaks internal builds.
3036
3037         Reverted changeset:
3038
3039         "Use more C++17"
3040         https://bugs.webkit.org/show_bug.cgi?id=185176
3041         https://trac.webkit.org/changeset/232052
3042
3043 2018-05-22  Alberto Garcia  <berto@igalia.com>
3044
3045         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
3046         https://bugs.webkit.org/show_bug.cgi?id=182622
3047         <rdar://problem/40292317>
3048
3049         Reviewed by Michael Catanzaro.
3050
3051         We were linking JavaScriptCore against libatomic in MIPS because
3052         in that architecture __atomic_fetch_add_8() is not a compiler
3053         intrinsic and is provided by that library instead. However other
3054         architectures (e.g. armel) are in the same situation, so we need a
3055         generic test.
3056
3057         That test already exists in WebKit/CMakeLists.txt, so we just have
3058         to move it to a common file (WebKitCompilerFlags.cmake) and use
3059         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
3060
3061         * CMakeLists.txt:
3062
3063 2018-05-22  Michael Catanzaro  <mcatanzaro@igalia.com>
3064
3065         Unreviewed, rolling out r231843.
3066
3067         Broke cross build
3068
3069         Reverted changeset:
3070
3071         "[CMake] Properly detect compiler flags, needed libs, and
3072         fallbacks for usage of 64-bit atomic operations"
3073         https://bugs.webkit.org/show_bug.cgi?id=182622
3074         https://trac.webkit.org/changeset/231843
3075
3076 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3077
3078         Use more C++17
3079         https://bugs.webkit.org/show_bug.cgi?id=185176
3080
3081         Reviewed by JF Bastien.
3082
3083         * Configurations/Base.xcconfig:
3084
3085 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3086
3087         [JSC] Remove duplicate methods in JSInterfaceJIT
3088         https://bugs.webkit.org/show_bug.cgi?id=185813
3089
3090         Reviewed by Saam Barati.
3091
3092         Some methods of JSInterfaceJIT are duplicates of AssemblyHelpers' ones.
3093         This patch removes these and uses AssemblyHelpers' ones instead.
3094
3095         This patch also cleans up ThunkGenerators' unnecessary ifdefs a bit.
3096
3097         * jit/AssemblyHelpers.h:
3098         (JSC::AssemblyHelpers::tagFor):
3099         (JSC::AssemblyHelpers::payloadFor):
3100         * jit/JIT.h:
3101         * jit/JITArithmetic.cpp:
3102         (JSC::JIT::emit_op_unsigned):
3103         (JSC::JIT::emit_compareUnsigned):
3104         (JSC::JIT::emit_op_inc):
3105         (JSC::JIT::emit_op_dec):
3106         (JSC::JIT::emit_op_mod):
3107         * jit/JITCall32_64.cpp:
3108         (JSC::JIT::compileOpCall):
3109         * jit/JITInlines.h:
3110         (JSC::JIT::emitPutIntToCallFrameHeader):
3111         (JSC::JIT::updateTopCallFrame):
3112         (JSC::JIT::emitInitRegister):
3113         (JSC::JIT::emitLoad):
3114         (JSC::JIT::emitStore):
3115         (JSC::JIT::emitStoreInt32):
3116         (JSC::JIT::emitStoreCell):
3117         (JSC::JIT::emitStoreBool):
3118         (JSC::JIT::emitGetVirtualRegister):
3119         (JSC::JIT::emitPutVirtualRegister):
3120         (JSC::JIT::emitTagBool): Deleted.
3121         * jit/JITOpcodes.cpp:
3122         (JSC::JIT::emit_op_overrides_has_instance):
3123         (JSC::JIT::emit_op_is_empty):
3124         (JSC::JIT::emit_op_is_undefined):
3125         (JSC::JIT::emit_op_is_boolean):
3126         (JSC::JIT::emit_op_is_number):
3127         (JSC::JIT::emit_op_is_cell_with_type):
3128         (JSC::JIT::emit_op_is_object):
3129         (JSC::JIT::emit_op_eq):
3130         (JSC::JIT::emit_op_neq):
3131         (JSC::JIT::compileOpStrictEq):
3132         (JSC::JIT::emit_op_eq_null):
3133         (JSC::JIT::emit_op_neq_null):
3134         (JSC::JIT::emitSlow_op_eq):
3135         (JSC::JIT::emitSlow_op_neq):
3136         (JSC::JIT::emitSlow_op_instanceof_custom):
3137         (JSC::JIT::emitNewFuncExprCommon):
3138         * jit/JSInterfaceJIT.h:
3139         (JSC::JSInterfaceJIT::emitLoadInt32):
3140         (JSC::JSInterfaceJIT::emitLoadDouble):
3141         (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
3142         (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
3143         (JSC::JSInterfaceJIT::tagFor): Deleted.
3144         (JSC::JSInterfaceJIT::payloadFor): Deleted.
3145         (JSC::JSInterfaceJIT::intPayloadFor): Deleted.
3146         (JSC::JSInterfaceJIT::intTagFor): Deleted.
3147         (JSC::JSInterfaceJIT::emitTagInt): Deleted.
3148         (JSC::JSInterfaceJIT::addressFor): Deleted.
3149         * jit/SpecializedThunkJIT.h:
3150         (JSC::SpecializedThunkJIT::returnDouble):
3151         * jit/ThunkGenerators.cpp:
3152         (JSC::nativeForGenerator):
3153         (JSC::arityFixupGenerator):
3154
3155 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3156
3157         Unreviewed, reland InById cache
3158         https://bugs.webkit.org/show_bug.cgi?id=185682
3159
3160         Includes Dominik's 32-bit fix.
3161
3162         * bytecode/AccessCase.cpp:
3163         (JSC::AccessCase::fromStructureStubInfo):
3164         (JSC::AccessCase::generateWithGuard):
3165         (JSC::AccessCase::generateImpl):
3166         * bytecode/BytecodeDumper.cpp:
3167         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
3168         (JSC::BytecodeDumper<Block>::dumpBytecode):
3169         * bytecode/BytecodeDumper.h:
3170         * bytecode/BytecodeList.json:
3171         * bytecode/BytecodeUseDef.h:
3172         (JSC::computeUsesForBytecodeOffset):
3173         (JSC::computeDefsForBytecodeOffset):
3174         * bytecode/CodeBlock.cpp:
3175         (JSC::CodeBlock::finishCreation):
3176         * bytecode/InlineAccess.cpp:
3177         (JSC::InlineAccess::generateSelfInAccess):
3178         * bytecode/InlineAccess.h:
3179         * bytecode/StructureStubInfo.cpp:
3180         (JSC::StructureStubInfo::initInByIdSelf):
3181         (JSC::StructureStubInfo::deref):
3182         (JSC::StructureStubInfo::aboutToDie):
3183         (JSC::StructureStubInfo::reset):
3184         (JSC::StructureStubInfo::visitWeakReferences):
3185         (JSC::StructureStubInfo::propagateTransitions):
3186         * bytecode/StructureStubInfo.h:
3187         (JSC::StructureStubInfo::patchableJump):
3188         * bytecompiler/BytecodeGenerator.cpp:
3189         (JSC::BytecodeGenerator::emitInByVal):
3190         (JSC::BytecodeGenerator::emitInById):
3191         (JSC::BytecodeGenerator::emitIn): Deleted.
3192         * bytecompiler/BytecodeGenerator.h:
3193         * bytecompiler/NodesCodegen.cpp:
3194         (JSC::InNode::emitBytecode):
3195         * dfg/DFGAbstractInterpreterInlines.h:
3196         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3197         * dfg/DFGByteCodeParser.cpp:
3198         (JSC::DFG::ByteCodeParser::parseBlock):
3199         * dfg/DFGCapabilities.cpp:
3200         (JSC::DFG::capabilityLevel):
3201         * dfg/DFGClobberize.h:
3202         (JSC::DFG::clobberize):
3203         * dfg/DFGConstantFoldingPhase.cpp:
3204         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3205         * dfg/DFGDoesGC.cpp:
3206         (JSC::DFG::doesGC):
3207         * dfg/DFGFixupPhase.cpp:
3208         (JSC::DFG::FixupPhase::fixupNode):
3209         * dfg/DFGJITCompiler.cpp:
3210         (JSC::DFG::JITCompiler::link):
3211         * dfg/DFGJITCompiler.h:
3212         (JSC::DFG::JITCompiler::addInById):
3213         (JSC::DFG::InRecord::InRecord): Deleted.
3214         (JSC::DFG::JITCompiler::addIn): Deleted.
3215         * dfg/DFGNode.h:
3216         (JSC::DFG::Node::convertToInById):
3217         (JSC::DFG::Node::hasIdentifier):
3218         (JSC::DFG::Node::hasArrayMode):
3219         * dfg/DFGNodeType.h:
3220         * dfg/DFGPredictionPropagationPhase.cpp:
3221         * dfg/DFGSafeToExecute.h:
3222         (JSC::DFG::safeToExecute):
3223         * dfg/DFGSpeculativeJIT.cpp:
3224         (JSC::DFG::SpeculativeJIT::compileInById):
3225         (JSC::DFG::SpeculativeJIT::compileInByVal):
3226         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
3227         * dfg/DFGSpeculativeJIT.h:
3228         * dfg/DFGSpeculativeJIT32_64.cpp:
3229         (JSC::DFG::SpeculativeJIT::compile):
3230         * dfg/DFGSpeculativeJIT64.cpp:
3231         (JSC::DFG::SpeculativeJIT::compile):
3232         * ftl/FTLCapabilities.cpp:
3233         (JSC::FTL::canCompile):
3234         * ftl/FTLLowerDFGToB3.cpp:
3235         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3236         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
3237         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
3238         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
3239         * jit/AssemblyHelpers.h:
3240         (JSC::AssemblyHelpers::boxBoolean):
3241         * jit/ICStats.h:
3242         * jit/JIT.cpp:
3243         (JSC::JIT::JIT):
3244         (JSC::JIT::privateCompileMainPass):
3245         (JSC::JIT::privateCompileSlowCases):
3246         (JSC::JIT::link):
3247         * jit/JIT.h:
3248         * jit/JITInlineCacheGenerator.cpp:
3249         (JSC::JITInByIdGenerator::JITInByIdGenerator):
3250         (JSC::JITInByIdGenerator::generateFastPath):
3251         * jit/JITInlineCacheGenerator.h:
3252         (JSC::JITInByIdGenerator::JITInByIdGenerator):
3253         * jit/JITOperations.cpp:
3254         * jit/JITOperations.h:
3255         * jit/JITPropertyAccess.cpp:
3256         (JSC::JIT::emit_op_in_by_id):
3257         (JSC::JIT::emitSlow_op_in_by_id):
3258         * jit/JITPropertyAccess32_64.cpp:
3259         (JSC::JIT::emit_op_in_by_id):
3260         (JSC::JIT::emitSlow_op_in_by_id):
3261         * jit/Repatch.cpp:
3262         (JSC::tryCacheInByID):
3263         (JSC::repatchInByID):
3264         (JSC::resetInByID):
3265         (JSC::tryCacheIn): Deleted.
3266         (JSC::repatchIn): Deleted.
3267         (JSC::resetIn): Deleted.
3268         * jit/Repatch.h:
3269         * llint/LowLevelInterpreter.asm:
3270         * llint/LowLevelInterpreter64.asm:
3271         * parser/NodeConstructors.h:
3272         (JSC::InNode::InNode):
3273         * runtime/CommonSlowPaths.cpp:
3274         (JSC::SLOW_PATH_DECL):
3275         * runtime/CommonSlowPaths.h:
3276         (JSC::CommonSlowPaths::opInByVal):
3277         (JSC::CommonSlowPaths::opIn): Deleted.
3278
3279 2018-05-21  Commit Queue  <commit-queue@webkit.org>
3280
3281         Unreviewed, rolling out r231998 and r232017.
3282         https://bugs.webkit.org/show_bug.cgi?id=185842
3283
3284         causes crashes on 32 JSC bot (Requested by realdawei on
3285         #webkit).
3286
3287         Reverted changesets:
3288
3289         "[JSC] JSC should have consistent InById IC"
3290         https://bugs.webkit.org/show_bug.cgi?id=185682
3291         https://trac.webkit.org/changeset/231998
3292
3293         "Unreviewed, fix 32bit and scope release"
3294         https://bugs.webkit.org/show_bug.cgi?id=185682
3295         https://trac.webkit.org/changeset/232017
3296
3297 2018-05-21  Jer Noble  <jer.noble@apple.com>
3298
3299         Complete fix for enabling modern EME by default
3300         https://bugs.webkit.org/show_bug.cgi?id=185770
3301         <rdar://problem/40368220>
3302
3303         Reviewed by Eric Carlson.
3304
3305         * Configurations/FeatureDefines.xcconfig:
3306
3307 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3308
3309         Unreviewed, fix 32bit and scope release
3310         https://bugs.webkit.org/show_bug.cgi?id=185682
3311
3312         * jit/JITOperations.cpp:
3313         * jit/JITPropertyAccess32_64.cpp:
3314         (JSC::JIT::emitSlow_op_in_by_id):
3315
3316 2018-05-20  Filip Pizlo  <fpizlo@apple.com>
3317
3318         Revert the B3 compiler pipeline's treatment of taildup
3319         https://bugs.webkit.org/show_bug.cgi?id=185808
3320
3321         Reviewed by Yusuke Suzuki.
3322         
3323         While trying to implement path specialization (bug 185060), I reorganized the B3 pass pipeline.
3324         But then path specialization turned out to be a negative result. This reverts the pipeline to the
3325         way it was before that work.
3326         
3327         1.5% progression on V8Spider-CompileTime.
3328
3329         * b3/B3Generate.cpp:
3330         (JSC::B3::generateToAir):
3331
3332 2018-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3333
3334         [DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase
3335         https://bugs.webkit.org/show_bug.cgi?id=185802
3336
3337         Reviewed by Saam Barati.
3338
3339         * dfg/DFGConstantFoldingPhase.cpp:
3340         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3341
3342 2018-05-18  Filip Pizlo  <fpizlo@apple.com>
3343
3344         DFG should inline InstanceOf ICs
3345         https://bugs.webkit.org/show_bug.cgi?id=185695
3346
3347         Reviewed by Yusuke Suzuki.
3348         
3349         This teaches the DFG how to inline InstanceOf ICs into a MatchStructure node. This can then
3350         be folded to a CheckStructure + JSConstant.
3351         
3352         In the process of testing this, I found a bug where LICM was not hoisting things that
3353         depended on ExtraOSREntryLocal because that might return SpecEmpty. I fixed that by teaching
3354         LICM how to materialize CheckNotEmpty on demand whenever !HoistingFailed.
3355         
3356         This is a ~5% speed-up on boyer.
3357         
3358         ~2x speed-up on the instanceof-always-hit-one, instanceof-always-hit-two, and
3359         instanceof-sometimes-hit microbenchmarks.
3360
3361         * JavaScriptCore.xcodeproj/project.pbxproj:
3362         * Sources.txt:
3363         * bytecode/GetByIdStatus.cpp:
3364         (JSC::GetByIdStatus::appendVariant):
3365         (JSC::GetByIdStatus::filter):