[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-05-16  Alberto Garcia  <berto@igalia.com>

        [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
        https://bugs.webkit.org/show_bug.cgi?id=182622

        Reviewed by Michael Catanzaro.

        We were linking JavaScriptCore against libatomic in MIPS because
        in that architecture __atomic_fetch_add_8() is not a compiler
        intrinsic and is provided by that library instead. However other
        architectures (e.g. armel) are in the same situation, so we need a
        generic test.

        That test already exists in WebKit/CMakeLists.txt, so we just have
        to move it to a common file (WebKitCompilerFlags.cmake) and use
        its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.

        * CMakeLists.txt:

2018-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
        https://bugs.webkit.org/show_bug.cgi?id=185601

        Reviewed by Saam Barati.

        Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData
        before calling getCallData when we would like to check whether a given object is callable
        since getCallData is a virtual call. When we call the object anyway, directly calling getCallData
        is fine. But if we would like to check whether the object is callable, we can have non
        callable objects frequently. In that case, we should not call getCallData if we can avoid it.

        To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
        and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
        OverridesGetCallData checking before calling getCallData.

        We found that this virtual call exists in JSON.stringify's critical path. Checking
        OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.

                                               baseline                  patched

            json-stringify-tinderbox        38.807+-0.350      ^      37.216+-0.337         ^ definitely 1.0427x faster

        In addition to that, we also add OverridesGetCallData flag to JSFunction while we keep JSFunctionType checking fast path
        since major cases are covered by this fast JSFunctionType checking.

        * API/JSCallbackObject.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
        (JSC::DFG::SpeculativeJIT::compileIsFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitTypeOf):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createError):
        (JSC::createInvalidFunctionApplyParameterError):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/InternalFunction.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isFunction const):
        (JSC::JSValue::isCallable const):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isFunction):
        ALWAYS_INLINE works well for my environment.
        (JSC::JSCell::isCallable):
        * runtime/JSFunction.h:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::toJSONImpl):
        (JSC::Stringifier::appendStringifiedValue):
        * runtime/JSObjectInlines.h:
        (JSC::createListFromArrayLike):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::overridesGetCallData const):
        (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted.
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectTypeOrNull):
        * runtime/ProxyObject.h:
        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeForValue):
        * runtime/RuntimeType.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::TypeProfilerLog):
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/TypeProfilerLog.h:
        * runtime/VM.cpp:
        (JSC::VM::enableTypeProfiler):
        * tools/JSDollarVM.cpp:
        (JSC::functionFindTypeForExpression):
        (JSC::functionReturnTypeFor):
        (JSC::functionHasBasicBlockExecuted):
        (JSC::functionBasicBlockExecutionCount):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyInstantiateStreamingInternal):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::finishCreation):

2018-05-15  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Add rulers and guides
        https://bugs.webkit.org/show_bug.cgi?id=32263
        <rdar://problem/19281564>

        Reviewed by Matt Baker.

        * inspector/protocol/OverlayTypes.json:

2018-05-14  Keith Miller  <keith_miller@apple.com>

        Remove butterflyMask from DFGAbstractHeap
        https://bugs.webkit.org/show_bug.cgi?id=185640

        Reviewed by Saam Barati.

        We don't have a butterfly indexing mask anymore so we don't need
        the abstract heap information for it anymore.

        * dfg/DFGAbstractHeap.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-05-14  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Handle error in defineProperty for supported locales length
        https://bugs.webkit.org/show_bug.cgi?id=185623

        Reviewed by Saam Barati.

        Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the
        length of the supported locales array.

        * runtime/IntlObject.cpp:
        (JSC::supportedLocales):

2018-05-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Tweak LiteralParser to improve lexing performance
        https://bugs.webkit.org/show_bug.cgi?id=185541

        Reviewed by Saam Barati.

        This patch attempts to improve LiteralParser performance.

        This patch improves Kraken/json-parse-financial by roughly ~10%.
                                           baseline                  patched

            json-parse-financial        65.810+-1.591      ^      59.943+-1.784         ^ definitely 1.0979x faster

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::takeLast):
        Add takeLast() for idiomatic last() + removeLast() calls.

        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lex):
        Do not have mode in its template parameter. While lex function is large, this mode is not used in a critical path.
        We should not include this mode in its template parameter to reduce the code size.
        And we do not use template parameter for a terminator since duplicating ' and " code for lexString is not good.
        Also, we construct TokenType table to remove bunch of unnecessary switch cases.

        (JSC::LiteralParser<CharType>::Lexer::next):
        (JSC::isSafeStringCharacter):
        Take mode in its template parameter. But do not take terminator character in its template parameter.

        (JSC::LiteralParser<CharType>::Lexer::lexString):
        (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
        Duplicate while statements manually since this is a critical path.

        (JSC::LiteralParser<CharType>::parse):
        Use takeLast().

        * runtime/LiteralParser.h:

2018-05-14  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Use btpz to compare against 0 instead of bpeq
        https://bugs.webkit.org/show_bug.cgi?id=185607

        Reviewed by Yusuke Suzuki.

        Fixes build on MIPS since MIPS doesn't have an instruction to
        compare a register against an immediate. Since the immediate is just 0
        in this case the simplest solution is just to use btpz instead of bpeq
        to compare to 0.

        * llint/LowLevelInterpreter.asm:

2018-05-12  Filip Pizlo  <fpizlo@apple.com>

        CachedCall::call() should be faster
        https://bugs.webkit.org/show_bug.cgi?id=185583

        Reviewed by Yusuke Suzuki.

        CachedCall is an optimization for String.prototype.replace(r, f) where f is a function.
        Unfortunately, because of a combination of abstraction and assertions, this code path had a
        lot of overhead. This patch reduces this overhead by:

        - Turning off some assertions. These assertions don't look to have security value; they're
          mostly for sanity. I turned off stack alignment checks and VM state checks having to do
          with whether the JSLock is held. The JSLock checks are not relevant when doing a cached
          call, considering that the caller would have already been strongly assuming that the JSLock
          is held.

        - Making more things inlineable.

        This looks like a small (4% ish) speed-up on SunSpider/string-unpack-code.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CachedCall.h:
        (JSC::CachedCall::call):
        * interpreter/Interpreter.cpp:
        (JSC::checkedReturn): Deleted.
        * interpreter/Interpreter.h:
        (JSC::Interpreter::checkedReturn):
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::execute):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute): Deleted.
        * jit/JITCodeInlines.h: Added.
        (JSC::JITCode::execute):
        * llint/LowLevelInterpreter.asm:
        * runtime/StringPrototype.cpp:

2018-05-13  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Improve spec & test262 compliance for Intl APIs
        https://bugs.webkit.org/show_bug.cgi?id=185578

        Reviewed by Yusuke Suzuki.

        Use putDirectIndex over push for lists to arrays.
        Update default options to construct with a null prototype.
        Define constructor and toStringTag on prototypes.
        Add proper time clipping.
        Remove some outdated comment spec text, use url instead.

        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototype::finishCreation):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        (JSC::IntlDateTimeFormatFuncFormatDateTime):
        (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::finishCreation):
        * runtime/IntlObject.cpp:
        (JSC::lookupSupportedLocales):
        (JSC::supportedLocales):
        (JSC::intlObjectFuncGetCanonicalLocales):
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::resolvedOptions):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructor::finishCreation):

2018-05-11  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Yusuke Suzuki.

        Added BigInt support into times binary operator into LLInt and on
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int to unsigned when there is no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toNumeric const):
        * runtime/Operations.h:
        (JSC::jsMul):

2018-05-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231316 and r231332.
        https://bugs.webkit.org/show_bug.cgi?id=185564

        Appears to be a Speedometer2/MotionMark regression (Requested
        by keith_miller on #webkit).

        Reverted changesets:

        "Remove the prototype caching for get_by_id in the LLInt"
        https://bugs.webkit.org/show_bug.cgi?id=185226
        https://trac.webkit.org/changeset/231316

        "Unreviewed, fix 32-bit profile offset for change in bytecode"
        https://trac.webkit.org/changeset/231332

2018-05-11  Michael Saboff  <msaboff@apple.com>

        [DFG] Compiler uses incorrect output register for NumberIsInteger operation
        https://bugs.webkit.org/show_bug.cgi?id=185328

        Reviewed by Keith Miller.

        Fixed a typo from when this code was added in r228968 where resultGPR
        was assigned the input register instead of the result.gpr().

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2018-05-11  Saam Barati  <sbarati@apple.com>

        Don't use inferred types when the JIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=185539

        Reviewed by Yusuke Suzuki.

        There are many JSC API clients that run with the JIT disabled. They were
        all allocating and tracking inferred types for no benefit. Inferred types
        only benefit programs when they make it to the DFG/FTL. I was seeing cases
        where the inferred type machinery used ~0.5MB. This patch makes it so we
        don't allocate that machinery when the JIT is disabled.

        * runtime/Structure.cpp:
        (JSC::Structure::willStoreValueSlow):
        * runtime/Structure.h:

2018-05-11  Saam Barati  <sbarati@apple.com>

        Don't allocate value profiles when the JIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=185525

        Reviewed by Michael Saboff.

        There are many JSC API clients that run with the JIT disabled. We were
        still allocating a ton of value profiles in this use case even though
        these clients get no benefit from doing value profiling. This patch makes
        it so that we don't allocate value profiles or argument value profiles
        when we're not using the JIT. We now just make all value profiles in
        the instruction stream point to a global value profile that the VM owns.
        And we make the argument value profile array have zero length and teach
        the LLInt how to handle that. Heap clears the global value profile on each GC.

        In an app that I'm testing this against, this saves ~1MB of memory.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::setNumParameters):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfArgumentValueProfiles):
        (JSC::CodeBlock::valueProfileForArgument):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitProfiledOpcode):
        * heap/Heap.cpp:
        (JSC::Heap::runEndPhase):
        * llint/LowLevelInterpreter.asm:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-05-10  Carlos Garcia Campos  <cgarcia@igalia.com>

        [JSC][GLIB] Add introspectable alternatives to functions using varargs
        https://bugs.webkit.org/show_bug.cgi?id=185508

        Reviewed by Michael Catanzaro.

        * API/glib/JSCClass.cpp:
        (jscClassCreateConstructor):
        (jsc_class_add_constructor):
        (jsc_class_add_constructorv):
        (jscClassAddMethod):
        (jsc_class_add_method):
        (jsc_class_add_methodv):
        * API/glib/JSCClass.h:
        * API/glib/JSCValue.cpp:
        (jsObjectCall):
        (jscValueCallFunction):
        (jsc_value_object_invoke_methodv):
        (jscValueFunctionCreate):
        (jsc_value_new_function):
        (jsc_value_new_functionv):
        (jsc_value_function_callv):
        (jsc_value_constructor_callv):
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-05-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make return types of construction functions tight
        https://bugs.webkit.org/show_bug.cgi?id=185509

        Reviewed by Saam Barati.

        Array and Object construction functions should return strict types instead of returning JSObject*/JSValue.

        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayConstructor.h:
        * runtime/ObjectConstructor.h:
        (JSC::constructEmptyObject):

2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Object.assign for final objects should be faster
        https://bugs.webkit.org/show_bug.cgi?id=185348

        Reviewed by Saam Barati.

        Object.assign is so heavily used to clone an object. For example, speedometer react-redux can be significantly
        improved if Object.assign becomes fast. It is worth adding a complex fast path to accelerate the major use cases.

        If enumerating properties of source objects and putting properties to target object are non observable,
        we can avoid hash table looking up of source object properties. We can enumerate object property entries,
        and put them to target object. This patch adds this fast path to Object.assign implementation.

        When enumerating properties, we need to ensure that the given |source| object does not include "__proto__"
        property since we cannot perform fast [[Put]] for the |target| object. We add a new flag
        "HasUnderscoreProtoPropertyExcludingOriginalProto" to Structure to track this state.

        This improves object-assign.es6 by 1.85x.

                                        baseline                  patched

            object-assign.es6      368.6132+-8.3508     ^    198.8775+-4.9042        ^ definitely 1.8535x faster

        And Speedometer2.0 React-Redux-TodoMVC's total time is improved from 490ms to 431ms.

        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::canPerformFastPutInlineExcludingProto):
        (JSC::JSObject::canPerformFastPutInline):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::forEachProperty):
        (JSC::Structure::add):
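
        The entry above explains why the Object.assign fast path must be skipped when a source object carries an own "__proto__" property: Object.assign copies with ordinary [[Set]] on the target, so that key does not become an own data property but runs the Object.prototype.__proto__ setter and re-parents the target. The following is an added example (not WebKit's code; all function names are made up for illustration and the JSON input is constructed) that makes that observable behaviour explicit and contrasts it with a descriptor-based copy that keeps "__proto__" as plain data:

```javascript
// Added example, not WebKit's code: why Object.assign's fast path has to bail
// out when a source object carries an own "__proto__" property.
// Object.assign copies with ordinary [[Set]] on the target, so an own
// "__proto__" key on the source is not stored as data; it runs the
// Object.prototype.__proto__ setter and re-parents the target instead.

// Constructed input. JSON.parse is used on purpose: it yields an *own*
// "__proto__" data property, whereas an object literal `{ __proto__: x }`
// would set the prototype rather than create a property.
function makeSourceWithOwnProto() {
  return JSON.parse('{"a": 1, "__proto__": {"injected": true}}');
}

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Copies `source` with Object.assign and reports what actually happened.
function assignAndInspect(source) {
  const target = Object.assign({}, source);
  return {
    aIsOwn: hasOwn(target, 'a'),                  // ordinary key: copied as own data
    protoIsOwn: hasOwn(target, '__proto__'),      // "__proto__": NOT an own key
    // source.__proto__ reads the own data property, i.e. the injected object,
    // and that object is now the target's [[Prototype]].
    prototypeReplaced: Object.getPrototypeOf(target) === source.__proto__,
    inheritedInjected: target.injected === true,  // visible through the new prototype
    globalPrototypeUntouched: !('injected' in Object.prototype),
  };
}

// Descriptor-based copy: defines each own property directly, so "__proto__"
// stays an ordinary own data property and the target's prototype is left alone.
function copyOwnDescriptors(source) {
  const target = Object.defineProperties({}, Object.getOwnPropertyDescriptors(source));
  return {
    protoIsOwn: hasOwn(target, '__proto__'),
    prototypeReplaced: Object.getPrototypeOf(target) !== Object.prototype,
  };
}

// Usage:
//   assignAndInspect(makeSourceWithOwnProto())
//     -> { aIsOwn: true, protoIsOwn: false, prototypeReplaced: true,
//          inheritedInjected: true, globalPrototypeUntouched: true }
//   copyOwnDescriptors(makeSourceWithOwnProto())
//     -> { protoIsOwn: true, prototypeReplaced: false }
```

        Note that only the target's own prototype chain is affected, never Object.prototype itself; that is exactly the observable side effect a generic [[Set]] has and a hash-table-free fast put would miss, which is what the HasUnderscoreProtoPropertyExcludingOriginalProto flag guards against.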

2018-05-10  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA should pick the right time to inject OSR entry data
        https://bugs.webkit.org/show_bug.cgi?id=185530

        Reviewed by Saam Barati.

        Previously, we would do a bonus run of CFA to inject OSR entry data. This patch makes us inject
        OSR entry data as part of the normal flow of CFA, which reduces the total number of CFA
        reexecutions while minimizing the likelihood that we have CFA execute constants in paths that
        would eventually LUB to non-constant.

        This looks like almost a 1% speed-up on SunSpider-CompileTime. All of the logic for preventing
        execution over constants is for V8Spider-CompileTime/regexp, which would otherwise do a lot of
        useless regexp/string execution in the compiler.

        * dfg/DFGBlockSet.h:
        (JSC::DFG::BlockSet::remove):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::injectOSR):
        (JSC::DFG::CFAPhase::performBlockCFA):

2018-05-09  Filip Pizlo  <fpizlo@apple.com>

        InPlaceAbstractState::beginBasicBlock shouldn't copy all m_variables every time
        https://bugs.webkit.org/show_bug.cgi?id=185452

        Reviewed by Michael Saboff.

        We were spending a lot of time in beginBasicBlock() just copying the state of all variables
        from the block head to InPlaceAbstractState::m_variables. It is necessary for
        InPlaceAbstractState to have its own copy since we need to mutate it separately from
        block->valuesAtHead. But most variables are untouched by most basic blocks, so this was a lot
        of superfluous work.

        This change adds a bitvector called m_activeVariables that tracks which variables have been
        copied. We lazily copy the variables on first use. Variables that were never copied also have
        a simplified merging path, which just needs to consider if the variable got clobbered between
        head and tail.

        This is a 1.5% speed-up on SunSpider-CompileTime and a 1.7% speed-up on V8Spider-CompileTime.

        * bytecode/Operands.h:
        (JSC::Operands::argumentIndex const):
        (JSC::Operands::localIndex const):
        (JSC::Operands::argument):
        (JSC::Operands::argument const):
        (JSC::Operands::local):
        (JSC::Operands::local const):
        (JSC::Operands::operandIndex const):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::fastForwardFromTo):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performForwardCFA):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
        (JSC::DFG::InPlaceAbstractState::activateAllVariables):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        (JSC::DFG::InPlaceAbstractState::activateVariable):
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): Deleted.
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::variableAt):
        (JSC::DFG::InPlaceAbstractState::operand):
        (JSC::DFG::InPlaceAbstractState::local):
        (JSC::DFG::InPlaceAbstractState::argument):
        (JSC::DFG::InPlaceAbstractState::activateVariableIfNecessary):
        (JSC::DFG::InPlaceAbstractState::variablesForDebugging): Deleted.

2018-05-09  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "==" operation
        https://bugs.webkit.org/show_bug.cgi?id=184474

        Reviewed by Yusuke Suzuki.

        This patch is implementing support of BigInt for equals operator
        following the spec semantics[1].

        [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-equality-comparison

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::stringToBigInt):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::setDigit):
        (JSC::JSBigInt::equalsToNumber):
        (JSC::JSBigInt::compareToDouble):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::equalSlowCaseInline):

2018-05-09  Filip Pizlo  <fpizlo@apple.com>

        Speed up AbstractInterpreter::executeEdges
        https://bugs.webkit.org/show_bug.cgi?id=185457

        Reviewed by Saam Barati.

        This patch started out with the desire to make executeEdges() faster by making filtering faster.
        However, when I studied the disassembly, I found that there are many opportunities for
        improvement and I implemented all of them:

        - Filtering itself now has an inline fast path for when the filtering didn't change the value or
          for non-cells.

        - Edge execution doesn't fast-forward anything if the filtering fast path would have succeeded,
          since fast-forwarding is only interesting for cells and only if we have a clobbered value.

        - Similarly, edge verification doesn't need to fast-forward in the common case.

        - A bunch of stuff related to Graph::doToChildren is now inlined properly.

        - The edge doesn't even have to be considered for execution if it's UntypedUse.

        That last bit was the trickiest. We had gotten into a bad habit of using SpecFullNumber in the
        abstract interpreter. It's not correct to use SpecFullNumber in the abstract interpreter, because
        it means proving that the value could either be formatted as a double (with impure NaN values),
        or as any JSValue, or as an Int52. There is no value that could possibly hold all of those
        states. This "worked" before because UntypedUse would filter this down to SpecBytecodeNumber. To
        make it work again, I needed to fix all of those uses of SpecFullNumber. In the future, we need
        to be careful about picking either SpecFullDouble (if returning a DoubleRep) or
        SpecBytecodeNumber (if returning a JSValueRep).

        But that fix revealed an amazing timeout in
        stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js. We were getting
        stuck in an OSR loop (baseline->DFG->FTL->baseline), all involving the same bytecode, without
        ever realizing that we should jettison something. The problem was with how
        triggerReoptimizationNow was getting the optimizedCodeBlock. It was trying to guess it by using
        baselineCodeBlock->replacement(), but that's wrong for FTL-for-OSR-entry code blocks.

        This is a 1% improvement in V8Spider-CompileTime.

        * bytecode/ExitKind.cpp:
        (JSC::exitKindMayJettison):
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
        (JSC::DFG::AbstractInterpreter::filterByType): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::AbstractInterpreterExecuteEdgesFunc):
        (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::operator() const):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByType):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::filterSlow):
        (JSC::DFG::AbstractValue::fastForwardToAndFilterSlow):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::fastForwardToAndFilter):
        (JSC::DFG::AbstractValue::fastForwardToAndFilterUnproven):
        (JSC::DFG::AbstractValue::makeTop):
        * dfg/DFGAtTailAbstractState.h:
        (JSC::DFG::AtTailAbstractState::fastForward):
        (JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
        (JSC::DFG::AtTailAbstractState::fastForwardAndFilterUnproven):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::doToChildren):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::fastForward):
        (JSC::DFG::InPlaceAbstractState::fastForwardAndFilterUnproven):
        (JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:

2018-05-09  Saam Barati  <sbarati@apple.com>

        Add JSVirtualMachine SPI to shrink the memory footprint of the VM
        https://bugs.webkit.org/show_bug.cgi?id=185441
        <rdar://problem/39999414>

        Reviewed by Keith Miller.

        This patch adds JSVirtualMachine SPI to release as much memory as possible.
        The SPI does:
        - Deletes all code caches.
        - Synchronous GC.
        - Run the scavenger.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine shrinkFootprint]):
        * API/JSVirtualMachinePrivate.h: Added.
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/VM.cpp:
        (JSC::VM::shrinkFootprint):
        * runtime/VM.h:

2018-05-09  Leo Balter  <leonardo.balter@gmail.com>

        [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
        Error found in the following Test262 tests:

        - test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js
        - test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js
        - test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js

        The ArraySpeciesCreate should throw a RangeError with non-Array custom objects
        presenting a length > 2**32-1
        https://bugs.webkit.org/show_bug.cgi?id=185476

        Reviewed by Yusuke Suzuki.

        * runtime/ArrayPrototype.cpp:
702
703 2018-05-09  Michael Catanzaro  <mcatanzaro@igalia.com>
704
705         [WPE] Build cleanly with GCC 8 and ICU 60
706         https://bugs.webkit.org/show_bug.cgi?id=185462
707
708         Reviewed by Carlos Alberto Lopez Perez.
709
710         * API/glib/JSCClass.cpp: Silence many -Wcast-function-type warnings.
711         (jsc_class_add_constructor):
712         (jsc_class_add_method):
713         * API/glib/JSCValue.cpp: Silence many -Wcast-function-type warnings.
714         (jsc_value_object_define_property_accessor):
715         (jsc_value_new_function):
716         * CMakeLists.txt: Build BuiltinNames.cpp with -fno-var-tracking-assignments. This was a
717         problem with GCC 7 too, but might as well fix it now.
718         * assembler/ProbeContext.h:
719         (JSC::Probe::CPUState::gpr const): Silence a -Wclass-memaccess warning.
720         (JSC::Probe::CPUState::spr const): Ditto. Assume std::remove_const is safe to clobber.
721         * b3/air/AirArg.h:
722         (JSC::B3::Air::Arg::isRepresentableAs): Silence -Wfallthrough warning.
723         * builtins/BuiltinNames.cpp:
724         (JSC::BuiltinNames::BuiltinNames): Moved from BuiltinNames.h so we can use a special flag.
725         * builtins/BuiltinNames.h:
726         (JSC::BuiltinNames::BuiltinNames): Moved to BuiltinNames.cpp.
727         * dfg/DFGDoubleFormatState.h:
728         (JSC::DFG::mergeDoubleFormatStates): Silence -Wfallthrough warnings.
729         * heap/MarkedBlockInlines.h:
730         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType): Silence -Wfallthrough warnings.
731         * runtime/ConfigFile.cpp:
732         (JSC::ConfigFile::canonicalizePaths): Here GCC found a genuine mistake: strncat is called
733         with the wrong length parameter and the result is not null-terminated. Also, silence a
734         -Wstringop-truncation warning as we intentionally truncate filenames that exceed PATH_MAX.
735         * runtime/IntlDateTimeFormat.cpp:
736         (JSC::IntlDateTimeFormat::partTypeString): Avoid an ICU deprecation warning.
737         * runtime/JSGlobalObject.cpp:
738         (JSC::JSGlobalObject::init): We were unconditionally running some BigInt code by accident.
739         (JSC::JSGlobalObject::visitChildren): Probably a serious bug? Fixed.
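An added illustration of the strncat length pitfall noted above for JSC::ConfigFile::canonicalizePaths; this is example code, not WebKit's, and the helpers boundedLength, appendBounded and joinPath are hypothetical names:

```cpp
#include <cstddef>
#include <cstring>

// Length of the NUL-terminated string in dst, or dstSize if no NUL is
// found within dstSize bytes (hypothetical helper, not WebKit's).
static size_t boundedLength(const char* dst, size_t dstSize)
{
    size_t n = 0;
    while (n < dstSize && dst[n] != '\0')
        n++;
    return n;
}

// Appends src to dst, a buffer of dstSize bytes that already holds a
// NUL-terminated string. strncat's third argument is the maximum number
// of bytes copied FROM src, not the size of dst, so the correct bound is
// the room left after the current contents and the terminator:
//     strncat(dst, src, dstSize - strlen(dst) - 1);   // correct
//     strncat(dst, src, dstSize);                     // wrong: can overrun dst
// Returns true when src had to be truncated to fit.
bool appendBounded(char* dst, size_t dstSize, const char* src)
{
    size_t used = boundedLength(dst, dstSize);
    if (used >= dstSize)    // dst is not terminated; refuse to append
        return true;
    size_t room = dstSize - used - 1;
    size_t srcLength = strlen(src);
    strncat(dst, src, room);   // copies at most room bytes, then writes '\0'
    return srcLength > room;
}

// Builds "<dir>/<name>" into out, truncating over-long names the way the
// ChangeLog entry describes for paths longer than PATH_MAX. Returns true
// if anything was cut off.
bool joinPath(char* out, size_t outSize, const char* dir, const char* name)
{
    if (outSize == 0)
        return true;
    out[0] = '\0';
    bool truncated = appendBounded(out, outSize, dir);
    truncated = appendBounded(out, outSize, "/") || truncated;
    truncated = appendBounded(out, outSize, name) || truncated;
    return truncated;
}
```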
740
741 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
742
743         [ARMv7] Drop ARMv7 disassembler in favor of capstone
744         https://bugs.webkit.org/show_bug.cgi?id=185423
745
746         Reviewed by Michael Catanzaro.
747
748         This patch removes ARMv7Disassembler in our tree.
749         We already adopted Capstone, and it is already used in ARMv7 JIT environments.
750
751         * CMakeLists.txt:
752         * JavaScriptCore.xcodeproj/project.pbxproj:
753         * Sources.txt:
754         * disassembler/ARMv7/ARMv7DOpcode.cpp: Removed.
755         * disassembler/ARMv7/ARMv7DOpcode.h: Removed.
756         * disassembler/ARMv7Disassembler.cpp: Removed.
757
758 2018-05-09  Srdjan Lazarevic  <srdjan.lazarevic@rt-rk.com>
759
760         [MIPS] Optimize generated JIT code using r2
761         https://bugs.webkit.org/show_bug.cgi?id=184584
762
763         Reviewed by Yusuke Suzuki.
764
765         EXT and MFHC1 instructions from MIPSR2 are implemented and used where possible.
766         Also, some code size optimizations that were discovered in the meantime were done.
767
768         * assembler/MIPSAssembler.h:
769         (JSC::MIPSAssembler::ext):
770         (JSC::MIPSAssembler::mfhc1):
771         * assembler/MacroAssemblerMIPS.cpp:
772         * assembler/MacroAssemblerMIPS.h:
773         (JSC::MacroAssemblerMIPS::isPowerOf2):
774         (JSC::MacroAssemblerMIPS::bitPosition):
775         (JSC::MacroAssemblerMIPS::loadAddress):
776         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
777         (JSC::MacroAssemblerMIPS::load8):
778         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
779         (JSC::MacroAssemblerMIPS::load32):
780         (JSC::MacroAssemblerMIPS::load16Unaligned):
781         (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
782         (JSC::MacroAssemblerMIPS::load16):
783         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
784         (JSC::MacroAssemblerMIPS::store8):
785         (JSC::MacroAssemblerMIPS::store16):
786         (JSC::MacroAssemblerMIPS::store32):
787         (JSC::MacroAssemblerMIPS::branchTest32):
788         (JSC::MacroAssemblerMIPS::loadFloat):
789         (JSC::MacroAssemblerMIPS::loadDouble):
790         (JSC::MacroAssemblerMIPS::storeFloat):
791         (JSC::MacroAssemblerMIPS::storeDouble):
792
793 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
794
795         [JSC][GTK][JSCONLY] Use capstone disassembler
796         https://bugs.webkit.org/show_bug.cgi?id=185283
797
798         Reviewed by Michael Catanzaro.
799
800         Instead of adding a MIPS disassembler baked by ourselves, we import the capstone disassembler.
801         And we use the capstone disassembler for MIPS, ARM, and ARMv7 in the GTK, WPE, WinCairo and JSCOnly ports.
802
803         And we remove the ARM LLVM disassembler.
804
805         Capstone is licensed under 3-clause BSD, which is acceptable in WebKit tree.
806
807         * CMakeLists.txt:
808         * Sources.txt:
809         * disassembler/ARMLLVMDisassembler.cpp: Removed.
810         * disassembler/CapstoneDisassembler.cpp: Added.
811         (JSC::tryToDisassemble):
812
813 2018-05-09  Dominik Infuehr  <dinfuehr@igalia.com>
814
815         [MIPS] Use mfhc1 and mthc1 to fix assembler error
816         https://bugs.webkit.org/show_bug.cgi?id=185464
817
818         Reviewed by Yusuke Suzuki.
819
820         The binutils-assembler started to report failures for copying words between
821         GP and FP registers for odd FP register indices. Use mfhc1 and mthc1 instead
822         of mfc1 and mtc1 for conversion.
823
824         * offlineasm/mips.rb:
825
826 2018-05-08  Dominik Infuehr  <dinfuehr@igalia.com>
827
828         [MIPS] Collect callee-saved register using inline assembly
829         https://bugs.webkit.org/show_bug.cgi?id=185428
830
831         Reviewed by Yusuke Suzuki.
832
833         MIPS used setjmp instead of collecting registers with inline assembly like
834         other architectures.
835
836         * heap/RegisterState.h:
837
838 2018-05-07  Yusuke Suzuki  <utatane.tea@gmail.com>
839
840         [BigInt] Simplifying JSBigInt by using bool addition
841         https://bugs.webkit.org/show_bug.cgi?id=185374
842
843         Reviewed by Alex Christensen.
844
845         Since using TWO_DIGIT does not produce good code, we remove this part from digitAdd and digitSub.
846         Just adding the overflow flag to the carry/borrow produces setb + add on x86.
847
848         Also, we annotate small helper functions and accessors with `inline` so that these functions are not called
849         inside the internalMultiplyAdd loop.
850
851         * runtime/JSBigInt.cpp:
852         (JSC::JSBigInt::isZero):
853         (JSC::JSBigInt::inplaceMultiplyAdd):
854         (JSC::JSBigInt::digitAdd):
855         (JSC::JSBigInt::digitSub):
856         (JSC::JSBigInt::digitMul):
857         (JSC::JSBigInt::digitPow):
858         (JSC::JSBigInt::digitDiv):
859         (JSC::JSBigInt::offsetOfData):
860         (JSC::JSBigInt::dataStorage):
861         (JSC::JSBigInt::digit):
862         (JSC::JSBigInt::setDigit):
863
864 2018-05-08  Michael Saboff  <msaboff@apple.com>
865
866         Replace multiple Watchpoint Set fireAll() methods with templates
867         https://bugs.webkit.org/show_bug.cgi?id=185456
868
869         Reviewed by Saam Barati.
870
871         Refactored to minimize duplicate code.
872
873         * bytecode/Watchpoint.h:
874         (JSC::WatchpointSet::fireAll):
875         (JSC::InlineWatchpointSet::fireAll):
876
877 2018-05-08  Filip Pizlo  <fpizlo@apple.com>
878
879         DFG::FlowMap::resize() shouldn't resize the shadow map unless we're in SSA
880         https://bugs.webkit.org/show_bug.cgi?id=185453
881
882         Reviewed by Michael Saboff.
883         
884         Tiny improvement for compile times.
885
886         * dfg/DFGFlowMap.h:
887         (JSC::DFG::FlowMap::resize): Remove one Vector::resize() when we're not in SSA.
888         * dfg/DFGInPlaceAbstractState.cpp:
889         (JSC::DFG::InPlaceAbstractState::beginBasicBlock): Record some data about how long we spend in different parts of this and add a FIXME linking bug 185452.
890
891 2018-05-08  Michael Saboff  <msaboff@apple.com>
892
893         Deferred firing of structure transition watchpoints is racy
894         https://bugs.webkit.org/show_bug.cgi?id=185438
895
896         Reviewed by Saam Barati.
897
898         Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire
899         and fire them in the destructor.  When the watchpoints are taken from the
900         original WatchpointSet, that WatchpointSet is marked invalid.
901
902         * bytecode/Watchpoint.cpp:
903         (JSC::WatchpointSet::fireAllSlow):
904         (JSC::WatchpointSet::take):
905         (JSC::DeferredWatchpointFire::DeferredWatchpointFire):
906         (JSC::DeferredWatchpointFire::~DeferredWatchpointFire):
907         (JSC::DeferredWatchpointFire::fireAll):
908         (JSC::DeferredWatchpointFire::takeWatchpointsToFire):
909         * bytecode/Watchpoint.h:
910         (JSC::WatchpointSet::fireAll):
911         (JSC::InlineWatchpointSet::fireAll):
912         * runtime/JSObject.cpp:
913         (JSC::JSObject::setPrototypeDirect):
914         (JSC::JSObject::convertToDictionary):
915         * runtime/JSObjectInlines.h:
916         (JSC::JSObject::putDirectInternal):
917         * runtime/Structure.cpp:
918         (JSC::Structure::Structure):
919         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire):
920         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
921         (JSC::DeferredStructureTransitionWatchpointFire::dump const):
922         (JSC::Structure::didTransitionFromThisStructure const):
923         (JSC::DeferredStructureTransitionWatchpointFire::add): Deleted.
924         * runtime/Structure.h:
925         (JSC::DeferredStructureTransitionWatchpointFire::structure const):
926
927 2018-05-08  Eric Carlson  <eric.carlson@apple.com>
928
929         Consecutive messages logged as JSON are coalesced
930         https://bugs.webkit.org/show_bug.cgi?id=185432
931
932         Reviewed by Joseph Pecoraro.
933
934         * inspector/ConsoleMessage.cpp:
935         (Inspector::ConsoleMessage::isEqual const): Messages with JSON arguments are not equal.
936
937 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
938
939         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
940         https://bugs.webkit.org/show_bug.cgi?id=185365
941
942         Reviewed by Saam Barati.
943         
944         This patch does three things to improve compile times:
945         
946         - Fixes some inlining goofs.
947         
948         - Adds the ability to measure compile times with run-jsc-benchmarks.
949         
950         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
951           code that clears abstract values. It turns out that on constant folding "needed" this, in the
952           sense that this was the only thing protecting it from loading the abstract value of a no-result
953           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
954           Any node that produces a result will explicitly set its abstract value, so this problem can
955           also be guarded by just having constant folding check if the node it wants to fold returns any
956           result.
957         
958         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
959         
960         Rolling back in after fixing cloop build.
961
962         * dfg/DFGAbstractInterpreterInlines.h:
963         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
964         * dfg/DFGAbstractValue.cpp:
965         (JSC::DFG::AbstractValue::set):
966         * dfg/DFGAbstractValue.h:
967         (JSC::DFG::AbstractValue::merge):
968         * dfg/DFGConstantFoldingPhase.cpp:
969         (JSC::DFG::ConstantFoldingPhase::foldConstants):
970         * dfg/DFGGraph.h:
971         (JSC::DFG::Graph::doToChildrenWithNode):
972         (JSC::DFG::Graph::doToChildren):
973         * dfg/DFGInPlaceAbstractState.cpp:
974         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
975         * jit/JIT.cpp:
976         (JSC::JIT::totalCompileTime):
977         * jit/JIT.h:
978         * jsc.cpp:
979         (GlobalObject::finishCreation):
980         (functionTotalCompileTime):
981
982 2018-05-08  Ryan Haddad  <ryanhaddad@apple.com>
983
984         Unreviewed, rolling out r231468.
985
986         Broke the CLoop build
987
988         Reverted changeset:
989
990         "InPlaceAbstractState::beginBasicBlock shouldn't have to clear
991         any abstract values"
992         https://bugs.webkit.org/show_bug.cgi?id=185365
993         https://trac.webkit.org/changeset/231468
994
995 2018-05-07  Daniel Bates  <dabates@apple.com>
996
997         Check X-Frame-Options and CSP frame-ancestors in network process
998         https://bugs.webkit.org/show_bug.cgi?id=185410
999         <rdar://problem/37733934>
1000
1001         Reviewed by Ryosuke Niwa.
1002
1003         Add enum traits for MessageSource and MessageLevel so that we can encode and decode them for IPC.
1004
1005         * runtime/ConsoleTypes.h:
1006
1007 2018-05-07  Saam Barati  <sbarati@apple.com>
1008
1009         Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them
1010         https://bugs.webkit.org/show_bug.cgi?id=185329
1011         <rdar://problem/39961536>
1012
1013         Reviewed by Michael Saboff.
1014
1015         I was made aware of a memory goof inside of JSC where we would inefficiently
1016         use space to represent an UnlinkedFunctionExecutable's parent TDZ variables.
1017         
1018         We did two things badly:
1019         1. We used a HashMap instead of a Vector to represent the environment. Having
1020         a HashMap is useful when looking things up when generating bytecode, but it's
1021         space inefficient. Because UnlinkedFunctionExecutables live a long time because
1022         of the code cache, we should have them store this information efficiently
1023         inside of a Vector.
1024         
1025         2. We didn't hash-cons these environments together. If you think about how
1026         some programs are structured, hash-consing these together is hugely profitable.
1027         Consider some code like this:
1028         ```
1029         const/let V_1 = ...;
1030         const/let V_2 = ...;
1031         ...
1032         const/let V_n = ...;
1033         
1034         function f_1() { ... };
1035         function f_2() { ... };
1036         ...
1037         function f_n() { ... };
1038         ```
1039         
1040         Each f_i would store an identical hash map for its parent TDZ variables
1041         consisting of {V_1, ..., V_n}. This was incredibly dumb. With hash-consing,
1042         each f_i just holds onto a reference to the environment.
1043         
1044         I benchmarked this change against an app that made heavy use of the
1045         above code pattern and it reduced its peak memory footprint from ~220MB
1046         to ~160MB.
1047
1048         * bytecode/UnlinkedFunctionExecutable.cpp:
1049         (JSC::generateUnlinkedFunctionCodeBlock):
1050         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1051         * bytecode/UnlinkedFunctionExecutable.h:
1052         * parser/VariableEnvironment.cpp:
1053         (JSC::CompactVariableEnvironment::CompactVariableEnvironment):
1054         (JSC::CompactVariableEnvironment::operator== const):
1055         (JSC::CompactVariableEnvironment::toVariableEnvironment const):
1056         (JSC::CompactVariableMap::get):
1057         (JSC::CompactVariableMap::Handle::~Handle):
1058         * parser/VariableEnvironment.h:
1059         (JSC::VariableEnvironmentEntry::bits const):
1060         (JSC::VariableEnvironmentEntry::operator== const):
1061         (JSC::VariableEnvironment::isEverythingCaptured const):
1062         (JSC::CompactVariableEnvironment::hash const):
1063         (JSC::CompactVariableMapKey::CompactVariableMapKey):
1064         (JSC::CompactVariableMapKey::hash):
1065         (JSC::CompactVariableMapKey::equal):
1066         (JSC::CompactVariableMapKey::makeDeletedValue):
1067         (JSC::CompactVariableMapKey::isHashTableDeletedValue const):
1068         (JSC::CompactVariableMapKey::isHashTableEmptyValue const):
1069         (JSC::CompactVariableMapKey::environment):
1070         (WTF::HashTraits<JSC::CompactVariableMapKey>::emptyValue):
1071         (WTF::HashTraits<JSC::CompactVariableMapKey>::isEmptyValue):
1072         (WTF::HashTraits<JSC::CompactVariableMapKey>::constructDeletedValue):
1073         (WTF::HashTraits<JSC::CompactVariableMapKey>::isDeletedValue):
1074         (JSC::CompactVariableMap::Handle::Handle):
1075         (JSC::CompactVariableMap::Handle::environment const):
1076         (JSC::VariableEnvironment::VariableEnvironment): Deleted.
1077         * runtime/VM.cpp:
1078         (JSC::VM::VM):
1079         * runtime/VM.h:
1080
1081 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1082
1083         [DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers
1084         https://bugs.webkit.org/show_bug.cgi?id=185371
1085
1086         Reviewed by Mark Lam.
1087
1088         Since MIPS GPRInfo claims it has only 7 registers, some DFG code exhausts registers.
1089         As a result, we need to maintain separate code for MIPS. This increases the DFG maintenance burden,
1090         but actually MIPS has many more registers.
1091
1092         This patch adds $a0 - $a3 to the temporary registers. This is OK since our temporary registers can overlap with
1093         the argument registers (see the ARM and X86 implementations). These registers are caller-save, so we do not need
1094         an extra mechanism.
1095
1096         Then, we remove several unnecessary pieces of MIPS code from our JIT infrastructure.
1097
1098         * dfg/DFGByteCodeParser.cpp:
1099         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1100         * dfg/DFGFixupPhase.cpp:
1101         (JSC::DFG::FixupPhase::fixupNode):
1102         * dfg/DFGSpeculativeJIT32_64.cpp:
1103         (JSC::DFG::SpeculativeJIT::compile):
1104         * jit/CCallHelpers.h:
1105         * jit/GPRInfo.h:
1106         (JSC::GPRInfo::toRegister):
1107         (JSC::GPRInfo::toIndex):
1108         * offlineasm/mips.rb:
1109
1110 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1111
1112         DFG AI should have O(1) clobbering
1113         https://bugs.webkit.org/show_bug.cgi?id=185287
1114
1115         Reviewed by Saam Barati.
1116         
1117         This fixes an old scalability problem in AI. Previously, if we did clobberWorld(), then we
1118         would traverse all of the state available to the AI at that time and clobber it.
1119         
1120         This changes clobberWorld() to be O(1). It just does some math to a clobber epoch.
1121         
1122         This is a ~1% speed-up for compile times.
1123
1124         * JavaScriptCore.xcodeproj/project.pbxproj:
1125         * Sources.txt:
1126         * dfg/DFGAbstractInterpreter.h:
1127         (JSC::DFG::AbstractInterpreter::forNode):
1128         (JSC::DFG::AbstractInterpreter::setForNode):
1129         (JSC::DFG::AbstractInterpreter::clearForNode):
1130         (JSC::DFG::AbstractInterpreter::variables): Deleted.
1131         * dfg/DFGAbstractInterpreterInlines.h:
1132         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1133         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
1134         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
1135         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
1136         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1137         * dfg/DFGAbstractValue.cpp:
1138         (JSC::DFG::AbstractValue::fastForwardToSlow):
1139         * dfg/DFGAbstractValue.h:
1140         (JSC::DFG::AbstractValue::fastForwardTo):
1141         (JSC::DFG::AbstractValue::clobberStructuresFor): Deleted.
1142         (JSC::DFG::AbstractValue::observeInvalidationPoint): Deleted.
1143         (JSC::DFG::AbstractValue::observeInvalidationPointFor): Deleted.
1144         * dfg/DFGAbstractValueClobberEpoch.cpp: Added.
1145         (JSC::DFG::AbstractValueClobberEpoch::dump const):
1146         * dfg/DFGAbstractValueClobberEpoch.h: Added.
1147         (JSC::DFG::AbstractValueClobberEpoch::AbstractValueClobberEpoch):
1148         (JSC::DFG::AbstractValueClobberEpoch::first):
1149         (JSC::DFG::AbstractValueClobberEpoch::clobber):
1150         (JSC::DFG::AbstractValueClobberEpoch::observeInvalidationPoint):
1151         (JSC::DFG::AbstractValueClobberEpoch::operator== const):
1152         (JSC::DFG::AbstractValueClobberEpoch::operator!= const):
1153         (JSC::DFG::AbstractValueClobberEpoch::structureClobberState const):
1154         (JSC::DFG::AbstractValueClobberEpoch::clobberEpoch const):
1155         * dfg/DFGAtTailAbstractState.h:
1156         (JSC::DFG::AtTailAbstractState::setForNode):
1157         (JSC::DFG::AtTailAbstractState::clearForNode):
1158         (JSC::DFG::AtTailAbstractState::numberOfArguments const):
1159         (JSC::DFG::AtTailAbstractState::numberOfLocals const):
1160         (JSC::DFG::AtTailAbstractState::operand):
1161         (JSC::DFG::AtTailAbstractState::local):
1162         (JSC::DFG::AtTailAbstractState::argument):
1163         (JSC::DFG::AtTailAbstractState::clobberStructures):
1164         (JSC::DFG::AtTailAbstractState::observeInvalidationPoint):
1165         (JSC::DFG::AtTailAbstractState::variables): Deleted.
1166         * dfg/DFGCFAPhase.cpp:
1167         (JSC::DFG::CFAPhase::performBlockCFA):
1168         * dfg/DFGConstantFoldingPhase.cpp:
1169         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1170         * dfg/DFGFlowMap.h:
1171         (JSC::DFG::FlowMap::at):
1172         (JSC::DFG::FlowMap::atShadow):
1173         (JSC::DFG::FlowMap::at const):
1174         (JSC::DFG::FlowMap::atShadow const):
1175         * dfg/DFGInPlaceAbstractState.cpp:
1176         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1177         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1178         * dfg/DFGInPlaceAbstractState.h:
1179         (JSC::DFG::InPlaceAbstractState::forNode):
1180         (JSC::DFG::InPlaceAbstractState::setForNode):
1181         (JSC::DFG::InPlaceAbstractState::clearForNode):
1182         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
1183         (JSC::DFG::InPlaceAbstractState::numberOfArguments const):
1184         (JSC::DFG::InPlaceAbstractState::numberOfLocals const):
1185         (JSC::DFG::InPlaceAbstractState::operand):
1186         (JSC::DFG::InPlaceAbstractState::local):
1187         (JSC::DFG::InPlaceAbstractState::argument):
1188         (JSC::DFG::InPlaceAbstractState::variableAt):
1189         (JSC::DFG::InPlaceAbstractState::clobberStructures):
1190         (JSC::DFG::InPlaceAbstractState::observeInvalidationPoint):
1191         (JSC::DFG::InPlaceAbstractState::fastForward):
1192         (JSC::DFG::InPlaceAbstractState::variables): Deleted.
1193         * dfg/DFGSpeculativeJIT64.cpp:
1194         (JSC::DFG::SpeculativeJIT::compile):
1195         * ftl/FTLLowerDFGToB3.cpp:
1196         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
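An added sketch of the epoch-based clobbering scheme this entry describes; it is illustrative code, not JSC's implementation, and the types ClobberEpoch, AbstractValue and AbstractState and their members are assumptions modelled loosely on the functions listed above:

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <utility>

// Illustrative, not JSC's code: lazy world-clobbering with an epoch.
// Instead of walking every abstract value when the world is clobbered,
// the state bumps one counter; each value remembers the epoch it was
// last brought up to date and pays for the clobber only when it is next
// read.

struct ClobberEpoch {
    uint32_t clobberCount = 0;   // incremented by every clobberWorld()
    bool operator==(const ClobberEpoch& o) const { return clobberCount == o.clobberCount; }
    bool operator!=(const ClobberEpoch& o) const { return !(*this == o); }
};

struct AbstractValue {
    std::set<std::string> structures;    // proven structure set (constructed sample names)
    bool structuresAreClobbered = false; // set once a clobber invalidated the proof
    ClobberEpoch epoch;                  // epoch at which the fields above were valid

    // Bring this value up to date with the state's current epoch. If any
    // clobber happened in between, the proven structure set can no longer
    // be trusted, so drop it and record that it was clobbered.
    void fastForwardTo(ClobberEpoch current)
    {
        if (epoch == current)
            return;          // nothing happened since we last looked
        if (!structures.empty()) {
            structures.clear();
            structuresAreClobbered = true;
        }
        epoch = current;
    }
};

class AbstractState {
public:
    // O(1): no traversal of the per-node values.
    void clobberWorld() { m_epoch.clobberCount++; }

    // Fresh values are current by definition.
    void setForNode(const std::string& node, std::set<std::string> structures)
    {
        AbstractValue& v = m_values[node];
        v.structures = std::move(structures);
        v.structuresAreClobbered = false;
        v.epoch = m_epoch;
    }

    // Reads fast-forward lazily, which is where a pending clobber is applied.
    const AbstractValue& forNode(const std::string& node)
    {
        AbstractValue& v = m_values[node];
        v.fastForwardTo(m_epoch);
        return v;
    }

    ClobberEpoch epoch() const { return m_epoch; }

private:
    ClobberEpoch m_epoch;
    std::map<std::string, AbstractValue> m_values;
};
```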
1197
1198 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
1199
1200         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
1201         https://bugs.webkit.org/show_bug.cgi?id=185365
1202
1203         Reviewed by Saam Barati.
1204         
1205         This patch does three things to improve compile times:
1206         
1207         - Fixes some inlining goofs.
1208         
1209         - Adds the ability to measure compile times with run-jsc-benchmarks.
1210         
1211         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
1212           code that clears abstract values. It turns out that on constant folding "needed" this, in the
1213           sense that this was the only thing protecting it from loading the abstract value of a no-result
1214           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
1215           Any node that produces a result will explicitly set its abstract value, so this problem can
1216           also be guarded by just having constant folding check if the node it wants to fold returns any
1217           result.
1218         
1219         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
1220
1221         * dfg/DFGAbstractInterpreterInlines.h:
1222         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1223         * dfg/DFGAbstractValue.cpp:
1224         (JSC::DFG::AbstractValue::set):
1225         * dfg/DFGAbstractValue.h:
1226         (JSC::DFG::AbstractValue::merge):
1227         * dfg/DFGConstantFoldingPhase.cpp:
1228         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1229         * dfg/DFGGraph.h:
1230         (JSC::DFG::Graph::doToChildrenWithNode):
1231         (JSC::DFG::Graph::doToChildren):
1232         * dfg/DFGInPlaceAbstractState.cpp:
1233         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1234         * jit/JIT.cpp:
1235         (JSC::JIT::totalCompileTime):
1236         * jit/JIT.h:
1237         * jsc.cpp:
1238         (GlobalObject::finishCreation):
1239         (functionTotalCompileTime):
1240
1241 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1242
1243         DFG AI doesn't need to merge valuesAtTail - it can just assign them
1244         https://bugs.webkit.org/show_bug.cgi?id=185355
1245
1246         Reviewed by Mark Lam.
1247         
1248         This is a further attempt to improve compile times. Assigning AbstractValue ought to always
1249         be faster than merging. There's no need to merge valuesAtTail. In most cases, assigning and
1250         merging will get the same answer because the value computed this time will be either the same
1251         as or more general than the value computed last time. If the value does change for some
1252         reason, then valuesAtHead are already merged, which ensures monotonicity. Also, if the value
1253         changes, then we have no reason to believe that this new value is less right than the last
1254         one we computed. Finally, the one client of valuesAtTail (AtTailAbstractState) doesn't care
1255         if it's getting the merged valuesAtTail or just some correct answer for valuesAtTail.
1256
1257         * dfg/DFGInPlaceAbstractState.cpp:
1258         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1259
1260 2018-05-07  Andy VanWagoner  <andy@vanwagoner.family>
1261
1262         Remove defunct email address
1263         https://bugs.webkit.org/show_bug.cgi?id=185396
1264
1265         Reviewed by Mark Lam.
1266
1267         The email address thetalecrafter@gmail.com is no longer valid, as the
1268         associated google account has been closed. This updates the email
1269         address so questions about these Intl contributions go to the right
1270         place.
1271
1272         * builtins/DatePrototype.js:
1273         * builtins/NumberPrototype.js:
1274         * builtins/StringPrototype.js:
1275         * runtime/IntlCollator.cpp:
1276         * runtime/IntlCollator.h:
1277         * runtime/IntlCollatorConstructor.cpp:
1278         * runtime/IntlCollatorConstructor.h:
1279         * runtime/IntlCollatorPrototype.cpp:
1280         * runtime/IntlCollatorPrototype.h:
1281         * runtime/IntlDateTimeFormat.cpp:
1282         * runtime/IntlDateTimeFormat.h:
1283         * runtime/IntlDateTimeFormatConstructor.cpp:
1284         * runtime/IntlDateTimeFormatConstructor.h:
1285         * runtime/IntlDateTimeFormatPrototype.cpp:
1286         * runtime/IntlDateTimeFormatPrototype.h:
1287         * runtime/IntlNumberFormat.cpp:
1288         * runtime/IntlNumberFormat.h:
1289         * runtime/IntlNumberFormatConstructor.cpp:
1290         * runtime/IntlNumberFormatConstructor.h:
1291         * runtime/IntlNumberFormatPrototype.cpp:
1292         * runtime/IntlNumberFormatPrototype.h:
1293         * runtime/IntlObject.cpp:
1294         * runtime/IntlObject.h:
1295         * runtime/IntlPluralRules.cpp:
1296         * runtime/IntlPluralRules.h:
1297         * runtime/IntlPluralRulesConstructor.cpp:
1298         * runtime/IntlPluralRulesConstructor.h:
1299         * runtime/IntlPluralRulesPrototype.cpp:
1300         * runtime/IntlPluralRulesPrototype.h:
1301
1302 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1303
1304         [JSC] Remove "using namespace std;" from JSC, bmalloc, WTF
1305         https://bugs.webkit.org/show_bug.cgi?id=185362
1306
1307         Reviewed by Sam Weinig.
1308
1309         "namespace std" may include many names. It can conflict with names defined by our code,
1310         and by other platform-provided headers. For example, std::byte conflicts with Windows'
1311         ::byte.
1312         This patch removes "using namespace std;" from JSC and bmalloc.
1313
1314         * API/JSClassRef.cpp:
1315         (OpaqueJSClass::create):
1316         * bytecode/Opcode.cpp:
1317         * bytecompiler/BytecodeGenerator.cpp:
1318         (JSC::BytecodeGenerator::newRegister):
1319         * heap/Heap.cpp:
1320         (JSC::Heap::updateAllocationLimits):
1321         * interpreter/Interpreter.cpp:
1322         * jit/JIT.cpp:
1323         * parser/Parser.cpp:
1324         * runtime/JSArray.cpp:
1325         * runtime/JSLexicalEnvironment.cpp:
1326         * runtime/JSModuleEnvironment.cpp:
1327         * runtime/Structure.cpp:
1328         * shell/DLLLauncherMain.cpp:
1329         (getStringValue):
1330         (applePathFromRegistry):
1331         (appleApplicationSupportDirectory):
1332         (copyEnvironmentVariable):
1333         (prependPath):
1334         (fatalError):
1335         (directoryExists):
1336         (modifyPath):
1337         (getLastErrorString):
1338         (wWinMain):
1339
1340 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1341
1342         DFG CFA phase should only do clobber asserts in debug
1343         https://bugs.webkit.org/show_bug.cgi?id=185354
1344
1345         Reviewed by Saam Barati.
1346         
1347         Clobber asserts are responsible for 1% of compile time. That's too much. This disables them
1348         unless asserts are enabled.
1349
1350         * dfg/DFGCFAPhase.cpp:
1351         (JSC::DFG::CFAPhase::performBlockCFA):
1352
1353 2018-05-04  Keith Miller  <keith_miller@apple.com>
1354
1355         isCacheableArrayLength should return true for undecided arrays
1356         https://bugs.webkit.org/show_bug.cgi?id=185309
1357
1358         Reviewed by Michael Saboff.
1359
1360         Undecided arrays have butterflies so there is no reason why we
1361         should not be able to cache their length.
1362
1363         * bytecode/InlineAccess.cpp:
1364         (JSC::InlineAccess::isCacheableArrayLength):
1365
1366 2018-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1367
1368         Remove std::random_shuffle
1369         https://bugs.webkit.org/show_bug.cgi?id=185292
1370
1371         Reviewed by Darin Adler.
1372
1373         std::random_shuffle is deprecated in C++14 and removed in C++17,
1374         since std::random_shuffle relies on rand and srand.
1375         Use std::shuffle instead.
1376
1377         * jit/BinarySwitch.cpp:
1378         (JSC::RandomNumberGenerator::RandomNumberGenerator):
1379         (JSC::RandomNumberGenerator::operator()):
1380         (JSC::RandomNumberGenerator::min):
1381         (JSC::RandomNumberGenerator::max):
1382         (JSC::BinarySwitch::build):
1383
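As an added example (not JSC's own BinarySwitch code), the replacement pattern this entry describes: std::shuffle driven by an adapter that satisfies the UniformRandomBitGenerator requirements, mirroring the RandomNumberGenerator operator()/min()/max() methods listed above. Unlike std::random_shuffle, which pulls from the process-wide rand()/srand() state, the generator is explicit and seedable, so the permutation is reproducible. The Xorshift64 generator and all function names are constructed stand-ins, not the project's RNG.

```cpp
// Added example (not JSC's code): std::shuffle with a UniformRandomBitGenerator
// adapter, replacing std::random_shuffle (deprecated in C++14, removed in C++17).
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <numeric>
#include <vector>

// Constructed stand-in for the project's RNG: a plain xorshift64 generator.
class Xorshift64 {
public:
    explicit Xorshift64(uint64_t seed) : m_state(seed ? seed : 0x9E3779B97F4A7C15ULL) {}
    uint64_t next() {
        uint64_t x = m_state;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        m_state = x;
        return x;
    }
private:
    uint64_t m_state;
};

// Adapter exposing exactly what std::shuffle requires of a URBG:
// result_type, static min()/max(), and operator() returning a value in that range.
class RandomNumberGenerator {
public:
    using result_type = uint64_t;
    explicit RandomNumberGenerator(uint64_t seed) : m_rng(seed) {}
    static constexpr result_type min() { return 0; }
    static constexpr result_type max() { return UINT64_MAX; }
    result_type operator()() { return m_rng.next(); }
private:
    Xorshift64 m_rng;
};

// Shuffles a copy of `values`; the same seed always yields the same order.
std::vector<int> shuffledCases(std::vector<int> values, uint64_t seed) {
    RandomNumberGenerator rng(seed);
    std::shuffle(values.begin(), values.end(), rng);
    return values;
}

// True if `shuffled` contains exactly the values 0..n-1 (i.e. nothing was lost or duplicated).
bool isPermutationOfRange(const std::vector<int>& shuffled) {
    std::vector<int> expected(shuffled.size());
    std::iota(expected.begin(), expected.end(), 0);
    return std::is_permutation(shuffled.begin(), shuffled.end(), expected.begin());
}

int main() {
    std::vector<int> cases(8);
    std::iota(cases.begin(), cases.end(), 0);
    for (int c : shuffledCases(cases, 42))
        std::printf("%d ", c);
    std::printf("\n");
    return 0;
}
```

The adapter is the part that matters: std::shuffle uses min() and max() to size its internal uniform_int_distribution, so they must describe the full output range of operator() or the resulting permutation is biased.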
1384 2018-05-03  Saam Barati  <sbarati@apple.com>
1385
1386         Don't prevent CreateThis being folded to NewObject when the structure is poly proto
1387         https://bugs.webkit.org/show_bug.cgi?id=185177
1388
1389         Reviewed by Filip Pizlo.
1390
1391         This patch teaches the DFG/FTL how to constant fold CreateThis with
1392         a known poly proto Structure to NewObject. We do it by emitting a NewObject
1393         followed by a PutByOffset for the prototype value.
1394         
1395         We make it so that ObjectAllocationProfile holds the prototype value.
1396         This is sound because JSFunction clears that profile when its 'prototype'
1397         field changes.
1398         
1399         This patch also renames underscoreProtoPrivateName to polyProtoName since
1400         that name was nonsensical: it was only used for poly proto.
1401         
1402         This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
1403         regressed that benchmark when I first introduced poly proto.
1404
1405         * builtins/BuiltinNames.cpp:
1406         * builtins/BuiltinNames.h:
1407         (JSC::BuiltinNames::BuiltinNames):
1408         (JSC::BuiltinNames::polyProtoName const):
1409         (JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
1410         * bytecode/ObjectAllocationProfile.h:
1411         (JSC::ObjectAllocationProfile::prototype):
1412         (JSC::ObjectAllocationProfile::clear):
1413         (JSC::ObjectAllocationProfile::visitAggregate):
1414         * bytecode/ObjectAllocationProfileInlines.h:
1415         (JSC::ObjectAllocationProfile::initializeProfile):
1416         * dfg/DFGAbstractInterpreterInlines.h:
1417         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1418         * dfg/DFGByteCodeParser.cpp:
1419         (JSC::DFG::ByteCodeParser::parseBlock):
1420         * dfg/DFGConstantFoldingPhase.cpp:
1421         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1422         * dfg/DFGOperations.cpp:
1423         * runtime/CommonSlowPaths.cpp:
1424         (JSC::SLOW_PATH_DECL):
1425         * runtime/FunctionRareData.h:
1426         * runtime/Structure.cpp:
1427         (JSC::Structure::create):
1428
1429 2018-05-03  Michael Saboff  <msaboff@apple.com>
1430
1431         OSR entry pruning of Program Bytecodes doesn't take into account try/catch
1432         https://bugs.webkit.org/show_bug.cgi?id=185281
1433
1434         Reviewed by Saam Barati.
1435
1436         When we compute bytecode block reachability, we need to take into account blocks
1437         containing try/catch.
1438
1439         * jit/JIT.cpp:
1440         (JSC::JIT::privateCompileMainPass):
1441
1442 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
1443
1444         ARM: Wrong offset for operand rt in disassembler
1445         https://bugs.webkit.org/show_bug.cgi?id=184083
1446
1447         Reviewed by Yusuke Suzuki.
1448
1449         * disassembler/ARMv7/ARMv7DOpcode.h:
1450         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
1451         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):
1452
1453 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
1454
1455         ARM: Support vstr in disassembler
1456         https://bugs.webkit.org/show_bug.cgi?id=184084
1457
1458         Reviewed by Yusuke Suzuki.
1459
1460         * disassembler/ARMv7/ARMv7DOpcode.cpp:
1461         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format):
1462         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted.
1463         * disassembler/ARMv7/ARMv7DOpcode.h:
1464         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName):
1465         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted.
1466         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted.
1467         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted.
1468         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted.
1469         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted.
1470         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted.
1471
1472 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
1473
1474         Invoke ensureArrayStorage for all arguments
1475         https://bugs.webkit.org/show_bug.cgi?id=185247
1476
1477         Reviewed by Yusuke Suzuki.
1478
1479         ensureArrayStorage was only invoked for the first argument in each loop iteration.
1480
1481         * jsc.cpp:
1482         (functionEnsureArrayStorage):
1483
1484 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
1485
1486         Make it easy to log compile times for all optimizing tiers
1487         https://bugs.webkit.org/show_bug.cgi?id=185270
1488
1489         Reviewed by Keith Miller.
1490         
1491         This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common
1492         helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used
1493         it.
1494         
1495         This should help us reduce compile times by telling us where to look. So far, it looks like
1496         CFA is the worst.
1497
1498         * JavaScriptCore.xcodeproj/project.pbxproj:
1499         * Sources.txt:
1500         * b3/B3Common.cpp:
1501         (JSC::B3::shouldMeasurePhaseTiming): Deleted.
1502         * b3/B3Common.h:
1503         * b3/B3TimingScope.cpp: Removed.
1504         * b3/B3TimingScope.h:
1505         (JSC::B3::TimingScope::TimingScope):
1506         * dfg/DFGPhase.h:
1507         (JSC::DFG::runAndLog):
1508         * dfg/DFGPlan.cpp:
1509         (JSC::DFG::Plan::compileInThread):
1510         * tools/CompilerTimingScope.cpp: Added.
1511         (JSC::CompilerTimingScope::CompilerTimingScope):
1512         (JSC::CompilerTimingScope::~CompilerTimingScope):
1513         * tools/CompilerTimingScope.h: Added.
1514         * runtime/Options.cpp:
1515         (JSC::recomputeDependentOptions):
1516         * runtime/Options.h:
1517
1518 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
1519
1520         Strings should not be allocated in a gigacage
1521         https://bugs.webkit.org/show_bug.cgi?id=185218
1522
1523         Reviewed by Saam Barati.
1524
1525         * runtime/JSBigInt.cpp:
1526         (JSC::JSBigInt::toStringGeneric):
1527         * runtime/JSString.cpp:
1528         (JSC::JSRopeString::resolveRopeToAtomicString const):
1529         (JSC::JSRopeString::resolveRope const):
1530         * runtime/JSString.h:
1531         (JSC::JSString::create):
1532         (JSC::JSString::createHasOtherOwner):
1533         * runtime/VM.h:
1534         (JSC::VM::gigacageAuxiliarySpace):
1535
1536 2018-05-03  Keith Miller  <keith_miller@apple.com>
1537
1538         Unreviewed, fix 32-bit profile offset for change in bytecode
1539         length of the get_by_id and get_array_length opcodes.
1540
1541         * llint/LowLevelInterpreter32_64.asm:
1542
1543 2018-05-03  Michael Saboff  <msaboff@apple.com>
1544
1545         WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript
1546         https://bugs.webkit.org/show_bug.cgi?id=185231
1547
1548         Reviewed by Saam Barati.
1549
1550         We weren't clearing the scratch register cache when switching back and forth between 
1551         allowing scratch register usage.  We disallow scratch register usage when we are in
1552         code that will freely allocate and use any register.  Such usage can change the
1553         contents of scratch registers.  For ARM64, where we cache the contents of scratch
1554         registers to reuse some or all of the contained values, we need to invalidate these
1555         caches.  We do this when re-enabling scratch register usage, that is when we transition
1556         from disallow to allow scratch register usage.
1557
1558         Added a new Air regression test.
1559
1560         * assembler/AllowMacroScratchRegisterUsage.h:
1561         (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage):
1562         * assembler/AllowMacroScratchRegisterUsageIf.h:
1563         (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
1564         * assembler/DisallowMacroScratchRegisterUsage.h:
1565         (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage):
1566         * b3/air/testair.cpp:
1567
1568 2018-05-03  Keith Miller  <keith_miller@apple.com>
1569
1570         Remove the prototype caching for get_by_id in the LLInt
1571         https://bugs.webkit.org/show_bug.cgi?id=185226
1572
1573         Reviewed by Michael Saboff.
1574
1575         There is no evidence that this is actually a speedup and we keep
1576         getting bugs with it. At this point it seems like we should just
1577         remove this code.
1578
1579         * CMakeLists.txt:
1580         * JavaScriptCore.xcodeproj/project.pbxproj:
1581         * Sources.txt:
1582         * bytecode/BytecodeDumper.cpp:
1583         (JSC::BytecodeDumper<Block>::printGetByIdOp):
1584         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
1585         (JSC::BytecodeDumper<Block>::dumpBytecode):
1586         * bytecode/BytecodeList.json:
1587         * bytecode/BytecodeUseDef.h:
1588         (JSC::computeUsesForBytecodeOffset):
1589         (JSC::computeDefsForBytecodeOffset):
1590         * bytecode/CodeBlock.cpp:
1591         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1592         * bytecode/CodeBlock.h:
1593         (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
1594         * bytecode/GetByIdStatus.cpp:
1595         (JSC::GetByIdStatus::computeFromLLInt):
1596         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
1597         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
1598         * bytecompiler/BytecodeGenerator.cpp:
1599         (JSC::BytecodeGenerator::emitGetById):
1600         * dfg/DFGByteCodeParser.cpp:
1601         (JSC::DFG::ByteCodeParser::parseBlock):
1602         * dfg/DFGCapabilities.cpp:
1603         (JSC::DFG::capabilityLevel):
1604         * jit/JIT.cpp:
1605         (JSC::JIT::privateCompileMainPass):
1606         (JSC::JIT::privateCompileSlowCases):
1607         * llint/LLIntSlowPaths.cpp:
1608         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1609         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
1610         * llint/LowLevelInterpreter32_64.asm:
1611         * llint/LowLevelInterpreter64.asm:
1612         * runtime/Options.h:
1613
1614 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
1615
1616         Unreviewed, rolling out r231197.
1617
1618         The test added with this change crashes on the 32-bit JSC bot.
1619
1620         Reverted changeset:
1621
1622         "Correctly detect string overflow when using the 'Function'
1623         constructor"
1624         https://bugs.webkit.org/show_bug.cgi?id=184883
1625         https://trac.webkit.org/changeset/231197
1626
1627 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
1628
1629         Disable usage of fused multiply-add instructions for JSC with compiler flag
1630         https://bugs.webkit.org/show_bug.cgi?id=184909
1631
1632         Reviewed by Yusuke Suzuki.
1633
1634         Adds -ffp-contract as compiler flag for building JSC. This ensures that functions
1635         like parseInt() do not return slightly different results depending on whether the
1636         compiler was able to use fused multiply-add instructions or not.
1637
1638         * CMakeLists.txt:
1639
1640 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1641
1642         Unreviewed, fix build failure in ARM, ARMv7 and MIPS
1643         https://bugs.webkit.org/show_bug.cgi?id=185192
1644
1645         compareDouble relies on MacroAssembler::invert function.
1646
1647         * assembler/MacroAssembler.h:
1648         (JSC::MacroAssembler::compareDouble):
1649         * assembler/MacroAssemblerARM.h:
1650         (JSC::MacroAssemblerARM::compareDouble): Deleted.
1651         * assembler/MacroAssemblerARMv7.h:
1652         (JSC::MacroAssemblerARMv7::compareDouble): Deleted.
1653         * assembler/MacroAssemblerMIPS.h:
1654         (JSC::MacroAssemblerMIPS::compareDouble): Deleted.
1655
1656 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1657
1658         [JSC] Add MacroAssembler::and16 and store16
1659         https://bugs.webkit.org/show_bug.cgi?id=185188
1660
1661         Reviewed by Mark Lam.
1662
1663         r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations.
1664         This patch adds these methods for ARM.
1665
1666         * assembler/MacroAssemblerARM.h:
1667         (JSC::MacroAssemblerARM::and16):
1668         (JSC::MacroAssemblerARM::store16):
1669
1670 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1671
1672         [DFG] Unify compare related code in 32bit and 64bit
1673         https://bugs.webkit.org/show_bug.cgi?id=185189
1674
1675         Reviewed by Mark Lam.
1676
1677         This patch unifies some parts of the compare-related code in 32bit and 64bit
1678         to reduce the size of the 32bit-specific DFG code.
1679
1680         * dfg/DFGSpeculativeJIT.cpp:
1681         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
1682         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
1683         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1684         * dfg/DFGSpeculativeJIT32_64.cpp:
1685         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
1686         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
1687         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
1688         * dfg/DFGSpeculativeJIT64.cpp:
1689         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
1690         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
1691         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
1692
1693 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1694
1695         [JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64
1696         https://bugs.webkit.org/show_bug.cgi?id=185192
1697
1698         Reviewed by Mark Lam.
1699
1700         Now Object.is starts using compareDouble. So we would like to have an
1701         efficient implementation of compareDouble and compareFloat for the
1702         major architectures, ARM64, X86, and X86_64.
1703
1704         This patch adds compareDouble and compareFloat implementations for
1705         these architectures. And the generic implementation is moved to each
1706         architecture's MacroAssembler implementation.
1707
1708         We also add tests for them in testmasm. To implement this test
1709         easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the
1710         major architectures.
1711
1712         * assembler/MacroAssembler.h:
1713         (JSC::MacroAssembler::compareDouble): Deleted.
1714         (JSC::MacroAssembler::compareFloat): Deleted.
1715         * assembler/MacroAssemblerARM.h:
1716         (JSC::MacroAssemblerARM::compareDouble):
1717         * assembler/MacroAssemblerARM64.h:
1718         (JSC::MacroAssemblerARM64::compareDouble):
1719         (JSC::MacroAssemblerARM64::compareFloat):
1720         (JSC::MacroAssemblerARM64::loadFloat):
1721         (JSC::MacroAssemblerARM64::floatingPointCompare):
1722         * assembler/MacroAssemblerARMv7.h:
1723         (JSC::MacroAssemblerARMv7::compareDouble):
1724         * assembler/MacroAssemblerMIPS.h:
1725         (JSC::MacroAssemblerMIPS::compareDouble):
1726         * assembler/MacroAssemblerX86Common.h:
1727         (JSC::MacroAssemblerX86Common::loadFloat):
1728         (JSC::MacroAssemblerX86Common::compareDouble):
1729         (JSC::MacroAssemblerX86Common::compareFloat):
1730         (JSC::MacroAssemblerX86Common::floatingPointCompare):
1731         * assembler/X86Assembler.h:
1732         (JSC::X86Assembler::movss_mr):
1733         (JSC::X86Assembler::movss_rm):
1734         * assembler/testmasm.cpp:
1735         (JSC::floatOperands):
1736         (JSC::testCompareFloat):
1737         (JSC::run):
1738
1739 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1740
1741         Unreviewed, fix 32bit DFG code
1742         https://bugs.webkit.org/show_bug.cgi?id=185065
1743
1744         * dfg/DFGSpeculativeJIT.cpp:
1745         (JSC::DFG::SpeculativeJIT::compileSameValue):
1746
1747 2018-05-02  Filip Pizlo  <fpizlo@apple.com>
1748
1749         JSC should know how to cache custom getter accesses on the prototype chain
1750         https://bugs.webkit.org/show_bug.cgi?id=185213
1751
1752         Reviewed by Keith Miller.
1753
1754         This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test.
1755
1756         * jit/Repatch.cpp:
1757         (JSC::tryCacheGetByID):
1758
1759 2018-05-01  Filip Pizlo  <fpizlo@apple.com>
1760
1761         JSC should be able to cache custom setter calls on the prototype chain
1762         https://bugs.webkit.org/show_bug.cgi?id=185174
1763
1764         Reviewed by Saam Barati.
1765
1766         We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty()
1767         condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add
1768         impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead
1769         of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for
1770         custom accessors because it won't find the custom property in the structure.
1771
1772         The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty().
1773
1774         This is a 4x speed-up on assign-custom-setter.js.
1775
1776         * bytecode/AccessCase.cpp:
1777         (JSC::AccessCase::hasAlternateBase const):
1778         (JSC::AccessCase::alternateBase const):
1779         (JSC::AccessCase::generateImpl):
1780         * bytecode/AccessCase.h:
1781         (JSC::AccessCase::alternateBase const): Deleted.
1782         * bytecode/GetterSetterAccessCase.cpp:
1783         (JSC::GetterSetterAccessCase::hasAlternateBase const):
1784         (JSC::GetterSetterAccessCase::alternateBase const):
1785         * bytecode/GetterSetterAccessCase.h:
1786         * bytecode/ObjectPropertyConditionSet.cpp:
1787         (JSC::generateConditionsForPrototypePropertyHitCustom):
1788         * bytecode/ObjectPropertyConditionSet.h:
1789         * jit/Repatch.cpp:
1790         (JSC::tryCacheGetByID):
1791         (JSC::tryCachePutByID):
1792
1793 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
1794
1795         [MIPS] Implement and16 and store16 for MacroAssemblerMIPS
1796         https://bugs.webkit.org/show_bug.cgi?id=185195
1797
1798         Reviewed by Mark Lam.
1799
1800         This implements the given functions for MIPS, such that it builds again.
1801
1802         * assembler/MacroAssemblerMIPS.h:
1803         (JSC::MacroAssemblerMIPS::and16):
1804         (JSC::MacroAssemblerMIPS::store16):
1805
1806 2018-05-02  Rick Waldron  <waldron.rick@gmail.com>
1807
1808         Expose "$262.agent.monotonicNow()" for use in testing Atomic operation timeouts
1809         https://bugs.webkit.org/show_bug.cgi?id=185043
1810
1811         Reviewed by Filip Pizlo.
1812
1813         * jsc.cpp:
1814         (GlobalObject::finishCreation):
1815         (functionDollarAgentMonotonicNow):
1816
1817 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
1818
1819         [ARM] Implement and16 and store16 for MacroAssemblerARMv7
1820         https://bugs.webkit.org/show_bug.cgi?id=185196
1821
1822         Reviewed by Mark Lam.
1823
1824         This implements and16 and store16 for MacroAssemblerARMv7 such that JSC builds again.
1825
1826         * assembler/MacroAssemblerARMv7.h:
1827         (JSC::MacroAssemblerARMv7::and16):
1828         (JSC::MacroAssemblerARMv7::store16):
1829
1830 2018-05-02  Robin Morisset  <rmorisset@apple.com>
1831
1832         emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
1833         https://bugs.webkit.org/show_bug.cgi?id=183172
1834
1835         Reviewed by Filip Pizlo.
1836
1837         DFGArgumentsEliminationPhase.cpp currently believes that allocations of NewArrayWithSpread can be deleted if they are only used by GetArrayLength,
1838         but when it then calls emitCodeToGetArgumentsArrayLength, the latter has no idea what to do with GetArrayLength.
1839
1840         I fix the problem by teaching emitCodeToGetArgumentsArrayLength how to deal with GetArrayLength.
1841         Because this requires emitting an Add that can overflow and thus exit, we also tell DFGArgumentsEliminationPhase to give up on eliminating
1842         a NewArrayWithSpread when it is used by a GetArrayLength that is not allowed to exit.
1843
1844         * dfg/DFGArgumentsEliminationPhase.cpp:
1845         * dfg/DFGArgumentsUtilities.cpp:
1846         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
1847
1848 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1849
1850         Unreviewed, stackPointer signature is different from declaration
1851         https://bugs.webkit.org/show_bug.cgi?id=184790
1852
1853         * runtime/MachineContext.h:
1854         (JSC::MachineContext::stackPointer):
1855
1856 2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1857
1858         [JSC] Add SameValue DFG node
1859         https://bugs.webkit.org/show_bug.cgi?id=185065
1860
1861         Reviewed by Saam Barati.
1862
1863         This patch adds Object.is handling in DFG and FTL. Object.is is converted to SameValue DFG node.
1864         And DFG fixup phase attempts to convert SameValue node to CompareStrictEq with type filter edges
1865         if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics
1866         from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have
1867         implementations for these SameValue nodes.
1868
1869         This old MacroAssemblerX86Common::compareDouble was dead code since the derived class, "MacroAssembler",
1870         has a generalized compareDouble, which just uses branchDouble. Since this was not used, this function
1871         was broken. This patch fixes the issues and moves compareDouble to MacroAssemblerX86Common, and removes the
1872         generalized compareDouble for the x86 arch to use this specialized efficient version instead. The fixes are
1873         correctly using set32 to zero-extend the result, and setting the initial value of the `dest` register
1874         correctly for the DoubleEqual and DoubleNotEqualOrUnordered cases.
1875
1876         The added microbenchmark shows a performance improvement.
1877
1878             object-is           651.0053+-38.8204    ^    241.3467+-15.8753       ^ definitely 2.6974x faster
1879
1880         * assembler/MacroAssembler.h:
1881         * assembler/MacroAssemblerX86Common.h:
1882         (JSC::MacroAssemblerX86Common::compareDouble):
1883         * assembler/MacroAssemblerX86_64.h:
1884         (JSC::MacroAssemblerX86_64::compareDouble): Deleted.
1885         * assembler/testmasm.cpp:
1886         (JSC::doubleOperands):
1887         (JSC::testCompareDouble):
1888         (JSC::run):
1889         * dfg/DFGAbstractInterpreterInlines.h:
1890         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1891         * dfg/DFGByteCodeParser.cpp:
1892         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1893         * dfg/DFGClobberize.h:
1894         (JSC::DFG::clobberize):
1895         * dfg/DFGConstantFoldingPhase.cpp:
1896         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1897         * dfg/DFGDoesGC.cpp:
1898         (JSC::DFG::doesGC):
1899         * dfg/DFGFixupPhase.cpp:
1900         (JSC::DFG::FixupPhase::fixupNode):
1901         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
1902         * dfg/DFGNodeType.h:
1903         * dfg/DFGOperations.cpp:
1904         * dfg/DFGOperations.h:
1905         * dfg/DFGPredictionPropagationPhase.cpp:
1906         * dfg/DFGSafeToExecute.h:
1907         (JSC::DFG::safeToExecute):
1908         * dfg/DFGSpeculativeJIT.cpp:
1909         (JSC::DFG::SpeculativeJIT::compileSameValue):
1910         * dfg/DFGSpeculativeJIT.h:
1911         * dfg/DFGSpeculativeJIT32_64.cpp:
1912         (JSC::DFG::SpeculativeJIT::compile):
1913         * dfg/DFGSpeculativeJIT64.cpp:
1914         (JSC::DFG::SpeculativeJIT::compile):
1915         * dfg/DFGValidate.cpp:
1916         * ftl/FTLCapabilities.cpp:
1917         (JSC::FTL::canCompile):
1918         * ftl/FTLLowerDFGToB3.cpp:
1919         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1920         (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
1921         * runtime/Intrinsic.cpp:
1922         (JSC::intrinsicName):
1923         * runtime/Intrinsic.h:
1924         * runtime/ObjectConstructor.cpp:
1925
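Added example, not JSC's code: the semantic gap between SameValue and strict equality on doubles that this entry gives as the reason SameValue(Double, Double) is not rewritten to CompareStrictEq. The two agree on every pair except NaN (SameValue treats NaN as the same as NaN) and signed zero (SameValue distinguishes +0 from -0), which is exactly the unordered and equal-to-zero territory the DoubleEqual / DoubleNotEqualOrUnordered fixes above are about. Function names are assumptions.

```cpp
// Added example (not JSC's code): SameValue versus strict equality on doubles.
#include <cmath>
#include <cstdio>
#include <limits>

// Strict equality (===) on doubles: plain IEEE comparison, so NaN != NaN and +0 == -0.
bool strictEqualsDouble(double a, double b) {
    return a == b;
}

// SameValue on doubles, as in the ECMAScript SameValue abstract operation.
bool sameValueDouble(double a, double b) {
    if (std::isnan(a) && std::isnan(b))
        return true;
    if (a == 0.0 && b == 0.0)
        return std::signbit(a) == std::signbit(b); // +0 and -0 differ only in the sign bit
    return a == b;
}

// True when the two semantics disagree for this pair. A fixup that rewrites
// SameValue to CompareStrictEq is only sound on edges where this can never be true,
// which is why the Double/Double and Untyped/Untyped cases are left as SameValue.
bool sameValueDiffersFromStrictEq(double a, double b) {
    return sameValueDouble(a, b) != strictEqualsDouble(a, b);
}

int main() {
    const double nan = std::numeric_limits<double>::quiet_NaN();
    std::printf("NaN:   strict=%d same=%d\n", strictEqualsDouble(nan, nan), sameValueDouble(nan, nan));
    std::printf("+0/-0: strict=%d same=%d\n", strictEqualsDouble(0.0, -0.0), sameValueDouble(0.0, -0.0));
    return 0;
}
```

Note that the NaN branch must come first: `a == b` is false for NaN, so an implementation that only special-cases zero would silently inherit strict-equality behaviour for the unordered case.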
1926 2018-04-30  Filip Pizlo  <fpizlo@apple.com>
1927
1928         B3::demoteValues should be able to handle patchpoint terminals
1929         https://bugs.webkit.org/show_bug.cgi?id=185151
1930
1931         Reviewed by Saam Barati.
1932         
1933         If we try to demote a patchpoint terminal then prior to this change we would append a Set to
1934         the basic block that the patchpoint terminated. That's wrong because then the terminal is no
1935         longer the last thing in the block.
1936         
1937         Air encounters this problem in spilling and solves it by doing a fixup afterwards. We can't
1938         really do that because demotion happens as a prerequisite to other transformations.
1939         
1940         One solution might have been to make demoteValues insert a basic block whenever it encounters
1941         this problem. But that would break clients that do CFG analysis before demoteValues and use
1942         the results of the CFG analysis after demoteValues. Taildup does this. Fortunately, taildup
1943         also runs breakCriticalEdges. Probably anyone using demoteValues will use breakCriticalEdges,
1944         so it's not bad to introduce that requirement.
1945         
1946         So, this patch solves the problem by ensuring that breakCriticalEdges treats any patchpoint
1947         terminal as if it had multiple successors. This means that a patchpoint terminal's successors
1948         will only have it as their predecessor. Then, demoteValues just prepends the Set to the
1949         successors of the patchpoint terminal.
1950         
1951         This was probably asymptomatic. It's hard to write a JS test that triggers this, so I added
1952         a unit test in testb3.
1953
1954         * b3/B3BreakCriticalEdges.cpp:
1955         (JSC::B3::breakCriticalEdges):
1956         * b3/B3BreakCriticalEdges.h:
1957         * b3/B3FixSSA.cpp:
1958         (JSC::B3::demoteValues):
1959         (JSC::B3::fixSSA):
1960         * b3/B3FixSSA.h:
1961         * b3/B3Value.cpp:
1962         (JSC::B3::Value::foldIdentity const):
1963         (JSC::B3::Value::performSubstitution):
1964         * b3/B3Value.h:
1965         * b3/testb3.cpp:
1966         (JSC::B3::testDemotePatchpointTerminal):
1967         (JSC::B3::run):
1968
1969 2018-05-01  Robin Morisset  <rmorisset@apple.com>
1970
1971         Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
1972         https://bugs.webkit.org/show_bug.cgi?id=184772
1973         <rdar://problem/39146327>
1974
1975         Reviewed by Filip Pizlo.
1976
1977         Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399>), where a check was missing.
1978         This patch now makes sure that the check correctly detects if there is an integer overflow.
1979
1980         * runtime/JSArray.cpp:
1981         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1982
1983 2018-05-01  Robin Morisset  <rmorisset@apple.com>
1984
1985         Correctly detect string overflow when using the 'Function' constructor
1986         https://bugs.webkit.org/show_bug.cgi?id=184883
1987         <rdar://problem/36320331>
1988
1989         Reviewed by Filip Pizlo.
1990
1991         The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation.
1992         Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case.
1993
1994         I added new tryAppend methods alongside the old append methods, that return a boolean (true means success, false means an overflow happened).
1995         In this way, it becomes possible for the Function constructor to just throw a proper JS exception when asked to create a string > 4GB.
1996         I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.
1997
1998         * runtime/FunctionConstructor.cpp:
1999         (JSC::constructFunctionSkippingEvalEnabledCheck):
2000         * runtime/JSONObject.cpp:
2001         (JSC::Stringifier::appendStringifiedValue):
2002
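Added example, not WTF's CheckedArithmetic or StringBuilder and not either patch's code, serving both this entry and the CheckedArithmetic entry for JSArray::unshiftCountWithAnyIndexingType above: a checked size type with a sticky overflow flag, a length computation that reports overflow instead of wrapping, and a builder whose tryAppend returns false on overflow while the plain append keeps the hard-failure behaviour the entry says existing callers rely on. The 64-byte limit stands in for the 4 GB string limit so the failure path can be exercised; the class names, kMaxLength and the function-source layout are all constructed for the example.

```cpp
// Added example (not WTF's code): checked length arithmetic plus a tryAppend
// that reports overflow rather than crashing.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>

// Sticky overflow flag, in the spirit of a Checked<size_t>: once any operation
// overflows, hasOverflowed() stays true and the value must not be used.
class CheckedSize {
public:
    CheckedSize(size_t v = 0) : m_value(v) {}
    CheckedSize operator+(size_t rhs) const {
        CheckedSize result(*this);
        size_t sum;
        if (result.m_overflowed || __builtin_add_overflow(m_value, rhs, &sum))
            result.m_overflowed = true;
        else
            result.m_value = sum;
        return result;
    }
    bool hasOverflowed() const { return m_overflowed; }
    size_t unsafeGet() const { return m_value; }
private:
    size_t m_value;
    bool m_overflowed = false;
};

// New length after inserting `insertCount` elements at the front; false means
// the sum overflowed and the caller must bail out instead of allocating.
bool checkedUnshiftLength(size_t currentLength, size_t insertCount, size_t& out) {
    CheckedSize newLength = CheckedSize(currentLength) + insertCount;
    if (newLength.hasOverflowed())
        return false;
    out = newLength.unsafeGet();
    return true;
}

constexpr size_t kMaxLength = 64; // constructed stand-in for the 4 GB string limit

class LimitedStringBuilder {
public:
    // Returns false, leaving the buffer untouched, when the result would exceed kMaxLength.
    bool tryAppend(const std::string& piece) {
        CheckedSize newLength = CheckedSize(m_buffer.size()) + piece.size();
        if (newLength.hasOverflowed() || newLength.unsafeGet() > kMaxLength)
            return false;
        m_buffer += piece;
        return true;
    }
    // Old-style append: callers that never expect overflow keep a hard failure.
    void append(const std::string& piece) {
        if (!tryAppend(piece))
            std::abort();
    }
    size_t length() const { return m_buffer.size(); }
    const std::string& string() const { return m_buffer; }
private:
    std::string m_buffer;
};

// Assembles function source text by repeated appends, as the Function constructor
// does; false means the caller should throw a JS exception rather than crash.
// The exact layout is illustrative, not JSC's.
bool tryBuildFunctionSource(const std::string& params, const std::string& body, std::string& out) {
    LimitedStringBuilder builder;
    if (!builder.tryAppend("function anonymous(")) return false;
    if (!builder.tryAppend(params)) return false;
    if (!builder.tryAppend(") {\n")) return false;
    if (!builder.tryAppend(body)) return false;
    if (!builder.tryAppend("\n}")) return false;
    out = builder.string();
    return true;
}

int main() {
    std::string src;
    size_t length = 0;
    std::printf("checked length ok: %d\n", checkedUnshiftLength(10, 5, length));
    std::printf("overflow detected: %d\n", !checkedUnshiftLength(SIZE_MAX, 1, length));
    std::printf("build ok: %d\n", tryBuildFunctionSource("a, b", "return a + b;", src));
    return 0;
}
```

Keeping append as a wrapper over tryAppend is the point of adding a parallel method rather than changing the existing one: call sites that were written against the crash-on-overflow contract keep it, and only the Function constructor path opts into the recoverable result.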
2003 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2004
2005         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
2006         https://bugs.webkit.org/show_bug.cgi?id=185162
2007
2008         Reviewed by Filip Pizlo.
2009
2010         * runtime/IntlObject.cpp:
2011         (JSC::removeUnicodeLocaleExtension):
2012
2013 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
2014
2015         Add SetCallee as DFG-Operation
2016         https://bugs.webkit.org/show_bug.cgi?id=184582
2017
2018         Reviewed by Filip Pizlo.
2019
2020         For recursive tail calls not only the argument count can change but also the
2021         callee. Add SetCallee to DFG that sets the callee slot in the current call frame.
2022         Also update the callee when optimizing a recursive tail call.
2023         Enable recursive tail call optimization also for closures.
2024
2025         * dfg/DFGAbstractInterpreterInlines.h:
2026         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2027         * dfg/DFGByteCodeParser.cpp:
2028         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2029         (JSC::DFG::ByteCodeParser::handleCallVariant):
2030         * dfg/DFGClobberize.h:
2031         (JSC::DFG::clobberize):
2032         * dfg/DFGDoesGC.cpp:
2033         (JSC::DFG::doesGC):
2034         * dfg/DFGFixupPhase.cpp:
2035         (JSC::DFG::FixupPhase::fixupNode):
2036         * dfg/DFGMayExit.cpp:
2037         * dfg/DFGNodeType.h:
2038         * dfg/DFGPredictionPropagationPhase.cpp:
2039         * dfg/DFGSafeToExecute.h:
2040         (JSC::DFG::safeToExecute):
2041         * dfg/DFGSpeculativeJIT.cpp:
2042         (JSC::DFG::SpeculativeJIT::compileSetCallee):
2043         * dfg/DFGSpeculativeJIT.h:
2044         * dfg/DFGSpeculativeJIT32_64.cpp:
2045         (JSC::DFG::SpeculativeJIT::compile):
2046         * dfg/DFGSpeculativeJIT64.cpp:
2047         (JSC::DFG::SpeculativeJIT::compile):
2048         * ftl/FTLCapabilities.cpp:
2049         (JSC::FTL::canCompile):
2050         * ftl/FTLLowerDFGToB3.cpp:
2051         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2052         (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):
2053
2054 2018-05-01  Oleksandr Skachkov  <gskachkov@gmail.com>
2055
2056         WebAssembly: add support for stream APIs - JavaScript API
2057         https://bugs.webkit.org/show_bug.cgi?id=183442
2058
2059         Reviewed by Yusuke Suzuki and JF Bastien.
2060
2061         Add WebAssembly stream API. The current patch only adds the functions
2062         WebAssembly.compileStreaming and WebAssembly.instantiateStreaming, but
2063         does not add a streaming implementation. So in the current version it
2064         only waits to load the whole module, then starts to parse.
2065
2066         * CMakeLists.txt:
2067         * Configurations/FeatureDefines.xcconfig:
2068         * DerivedSources.make:
2069         * JavaScriptCore.xcodeproj/project.pbxproj:
2070         * builtins/BuiltinNames.h:
2071         * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
2072         (compileStreaming):
2073         (instantiateStreaming):
2074         * jsc.cpp:
2075         * runtime/JSGlobalObject.cpp:
2076         (JSC::JSGlobalObject::init):
2077         * runtime/JSGlobalObject.h:
2078         * runtime/Options.h:
2079         * runtime/PromiseDeferredTimer.cpp:
2080         (JSC::PromiseDeferredTimer::hasPendingPromise):
2081         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
2082         * runtime/PromiseDeferredTimer.h:
2083         * wasm/js/WebAssemblyPrototype.cpp:
2084         (JSC::webAssemblyModuleValidateAsyncInternal):
2085         (JSC::webAssemblyCompileFunc):
2086         (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
2087         (JSC::webAssemblyModuleInstantinateAsyncInternal):
2088         (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
2089         (JSC::webAssemblyCompileStreamingInternal):
2090         (JSC::webAssemblyInstantiateStreamingInternal):
2091         (JSC::WebAssemblyPrototype::create):
2092         (JSC::WebAssemblyPrototype::finishCreation):
2093         * wasm/js/WebAssemblyPrototype.h:
2094
2095 2018-04-30  Saam Barati  <sbarati@apple.com>
2096
2097         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
2098         https://bugs.webkit.org/show_bug.cgi?id=185149
2099         <rdar://problem/39455917>
2100
2101         Reviewed by Filip Pizlo.
2102
2103         The bug was that we were deleting checks that we shouldn't have deleted.
2104         This patch makes a helper inside strength reduction that converts to
2105         a LazyJSConstant while maintaining checks, and switches users of the
2106         node API inside strength reduction to instead call the helper function.
2107         
2108         This patch also fixes a potential bug where StringReplace and
2109         StringReplaceRegExp may not preserve all their checks.
2110
2111
2112         * dfg/DFGStrengthReductionPhase.cpp:
2113         (JSC::DFG::StrengthReductionPhase::handleNode):
2114         (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):
2115
2116 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
2117
2118         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
2119         https://bugs.webkit.org/show_bug.cgi?id=185126
2120
2121         Reviewed by Saam Barati.
2122         
2123         This change is just restoring functionality that we've already had for a while. It had been
2124         accidentally broken due to an unrelated CodeBlock refactoring.
2125
2126         * dfg/DFGLICMPhase.cpp:
2127         (JSC::DFG::LICMPhase::attemptHoist):
2128
2129 2018-04-30  Mark Lam  <mark.lam@apple.com>
2130
2131         Apply PtrTags to the MetaAllocator and friends.
2132         https://bugs.webkit.org/show_bug.cgi?id=185110
2133         <rdar://problem/39533895>
2134
2135         Reviewed by Saam Barati.
2136
2137         1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
2138         2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
2139            and add a sanity check to verify that allocated code buffers are within those
2140            bounds.
2141
2142         * assembler/LinkBuffer.cpp:
2143         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
2144         (JSC::LinkBuffer::copyCompactAndLinkCode):
2145         (JSC::LinkBuffer::linkCode):
2146         (JSC::LinkBuffer::allocate):
2147         * assembler/LinkBuffer.h:
2148         (JSC::LinkBuffer::LinkBuffer):
2149         (JSC::LinkBuffer::debugAddress):
2150         (JSC::LinkBuffer::code):
2151         * assembler/MacroAssemblerCodeRef.h:
2152         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
2153         * bytecode/InlineAccess.cpp:
2154         (JSC::linkCodeInline):
2155         (JSC::InlineAccess::rewireStubAsJump):
2156         * dfg/DFGJITCode.cpp:
2157         (JSC::DFG::JITCode::findPC):
2158         * ftl/FTLJITCode.cpp:
2159         (JSC::FTL::JITCode::findPC):
2160         * jit/ExecutableAllocator.cpp:
2161         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2162         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2163         (JSC::ExecutableAllocator::allocate):
2164         * jit/ExecutableAllocator.h:
2165         (JSC::isJITPC):
2166         (JSC::performJITMemcpy):
2167         * jit/JIT.cpp:
2168         (JSC::JIT::link):
2169         * jit/JITMathIC.h:
2170         (JSC::isProfileEmpty):
2171         * runtime/JSCPtrTag.h:
2172         * wasm/WasmCallee.cpp:
2173         (JSC::Wasm::Callee::Callee):
2174         * wasm/WasmFaultSignalHandler.cpp:
2175         (JSC::Wasm::trapHandler):
2176
2177 2018-04-30  Keith Miller  <keith_miller@apple.com>
2178
2179         Move the MayBePrototype JSCell header bit to InlineTypeFlags
2180         https://bugs.webkit.org/show_bug.cgi?id=185143
2181
2182         Reviewed by Mark Lam.
2183
2184         * runtime/IndexingType.h:
2185         * runtime/JSCellInlines.h:
2186         (JSC::JSCell::setStructure):
2187         (JSC::JSCell::mayBePrototype const):
2188         (JSC::JSCell::didBecomePrototype):
2189         * runtime/JSTypeInfo.h:
2190         (JSC::TypeInfo::mayBePrototype):
2191         (JSC::TypeInfo::mergeInlineTypeFlags):
2192
2193 2018-04-30  Keith Miller  <keith_miller@apple.com>
2194
2195         Remove unneeded exception check from String.fromCharCode
2196         https://bugs.webkit.org/show_bug.cgi?id=185083
2197
2198         Reviewed by Mark Lam.
2199
2200         * runtime/StringConstructor.cpp:
2201         (JSC::stringFromCharCode):
2202
2203 2018-04-30  Keith Miller  <keith_miller@apple.com>
2204
2205         Move StructureIsImmortal to out of line flags.
2206         https://bugs.webkit.org/show_bug.cgi?id=185101
2207
2208         Reviewed by Saam Barati.
2209
2210         This will free up a bit in the inline flags where we can move the
2211         isPrototype bit to. This will, in turn, free a bit for use in
2212         implementing copy on write butterflies.
2213
2214         Also, this patch removes an assertion from Structure::typeInfo()
2215         that inadvertently makes the function invalid to call while
2216         cleaning up the vm.
2217
2218         * heap/HeapCellType.cpp:
2219         (JSC::DefaultDestroyFunc::operator() const):
2220         * runtime/JSCell.h:
2221         * runtime/JSCellInlines.h:
2222         (JSC::JSCell::callDestructor): Deleted.
2223         * runtime/JSTypeInfo.h:
2224         (JSC::TypeInfo::hasStaticPropertyTable):
2225         (JSC::TypeInfo::structureIsImmortal const):
2226         * runtime/Structure.h:
2227
2228 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2229
2230         [JSC] Remove arity fixup check if the number of parameters is 1
2231         https://bugs.webkit.org/show_bug.cgi?id=183984
2232
2233         Reviewed by Mark Lam.
2234
2235         If the number of parameters is one (|this|), we never hit the arity fixup check.
2236         We do not need to emit arity fixup check code.
2237
2238         * dfg/DFGDriver.cpp:
2239         (JSC::DFG::compileImpl):
2240         * dfg/DFGJITCompiler.cpp:
2241         (JSC::DFG::JITCompiler::compileFunction):
2242         * dfg/DFGJITCompiler.h:
2243         * ftl/FTLLink.cpp:
2244         (JSC::FTL::link):
2245         * jit/JIT.cpp:
2246         (JSC::JIT::compileWithoutLinking):
2247
2248 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2249
2250         Use WordLock instead of std::mutex for Threading
2251         https://bugs.webkit.org/show_bug.cgi?id=185121
2252
2253         Reviewed by Geoffrey Garen.
2254
2255         ThreadGroup starts using WordLock.
2256
2257         * heap/MachineStackMarker.h:
2258         (JSC::MachineThreads::getLock):
2259
2260 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
2261
2262         B3 should run tail duplication at the bitter end
2263         https://bugs.webkit.org/show_bug.cgi?id=185123
2264
2265         Reviewed by Geoffrey Garen.
2266         
2267         Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
2268         everywhere else.
2269         
2270         The goal of this change is to allow us to run path specialization after switch lowering but
2271         before tail duplication.
2272
2273         * b3/B3Generate.cpp:
2274         (JSC::B3::generateToAir):
2275         * runtime/Options.h:
2276
2277 2018-04-29  Commit Queue  <commit-queue@webkit.org>
2278
2279         Unreviewed, rolling out r231137.
2280         https://bugs.webkit.org/show_bug.cgi?id=185118
2281
2282         It is breaking Test262 language/expressions/multiplication
2283         /order-of-evaluation.js (Requested by caiolima on #webkit).
2284
2285         Reverted changeset:
2286
2287         "[ESNext][BigInt] Implement support for "*" operation"
2288         https://bugs.webkit.org/show_bug.cgi?id=183721
2289         https://trac.webkit.org/changeset/231137
2290
2291 2018-04-28  Saam Barati  <sbarati@apple.com>
2292
2293         We don't model regexp effects properly
2294         https://bugs.webkit.org/show_bug.cgi?id=185059
2295         <rdar://problem/39736150>
2296
2297         Reviewed by Filip Pizlo.
2298
2299         RegExp exec/test can have arbitrary effects when toNumbering the lastIndex if
2300         the regexp is global.
2301
2302         * dfg/DFGAbstractInterpreterInlines.h:
2303         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2304         * dfg/DFGClobberize.h:
2305         (JSC::DFG::clobberize):
2306
2307 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
2308
2309         Token misspelled "tocken" in error message string
2310         https://bugs.webkit.org/show_bug.cgi?id=185030
2311
2312         Reviewed by Saam Barati.
2313
2314         * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
2315         (JSC::Parser<LexerType>::Parser):
2316         (JSC::Parser<LexerType>::didFinishParsing):
2317         (JSC::Parser<LexerType>::parseSourceElements):
2318         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2319         (JSC::Parser<LexerType>::parseVariableDeclaration):
2320         (JSC::Parser<LexerType>::parseWhileStatement):
2321         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2322         (JSC::Parser<LexerType>::createBindingPattern):
2323         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
2324         (JSC::Parser<LexerType>::parseObjectRestElement):
2325         (JSC::Parser<LexerType>::parseDestructuringPattern):
2326         (JSC::Parser<LexerType>::parseForStatement):
2327         (JSC::Parser<LexerType>::parseBreakStatement):
2328         (JSC::Parser<LexerType>::parseContinueStatement):
2329         (JSC::Parser<LexerType>::parseThrowStatement):
2330         (JSC::Parser<LexerType>::parseWithStatement):
2331         (JSC::Parser<LexerType>::parseSwitchStatement):
2332         (JSC::Parser<LexerType>::parseSwitchClauses):
2333         (JSC::Parser<LexerType>::parseTryStatement):
2334         (JSC::Parser<LexerType>::parseBlockStatement):
2335         (JSC::Parser<LexerType>::parseFormalParameters):
2336         (JSC::Parser<LexerType>::parseFunctionParameters):
2337         (JSC::Parser<LexerType>::parseFunctionInfo):
2338         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
2339         (JSC::Parser<LexerType>::parseExpressionStatement):
2340         (JSC::Parser<LexerType>::parseIfStatement):
2341         (JSC::Parser<LexerType>::parseAssignmentExpression):
2342         (JSC::Parser<LexerType>::parseConditionalExpression):
2343         (JSC::Parser<LexerType>::parseBinaryExpression):
2344         (JSC::Parser<LexerType>::parseObjectLiteral):
2345         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
2346         (JSC::Parser<LexerType>::parseArrayLiteral):
2347         (JSC::Parser<LexerType>::parseArguments):
2348         (JSC::Parser<LexerType>::parseMemberExpression):
2349         (JSC::operatorString):
2350         (JSC::Parser<LexerType>::parseUnaryExpression):
2351         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2352
2353 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
2354
2355         [ESNext][BigInt] Implement support for "*" operation
2356         https://bugs.webkit.org/show_bug.cgi?id=183721
2357
2358         Reviewed by Saam Barati.
2359
2360         Added BigInt support to the times binary operator in LLInt and in the
2361         JITOperations profiledMul and unprofiledMul. We are also replacing all
2362         uses of int with unsigned where there are no negative values for
2363         variables.
2364
2365         * dfg/DFGConstantFoldingPhase.cpp:
2366         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2367         * jit/JITOperations.cpp:
2368         * runtime/CommonSlowPaths.cpp:
2369         (JSC::SLOW_PATH_DECL):
2370         * runtime/JSBigInt.cpp:
2371         (JSC::JSBigInt::JSBigInt):
2372         (JSC::JSBigInt::allocationSize):
2373         (JSC::JSBigInt::createWithLength):
2374         (JSC::JSBigInt::toString):
2375         (JSC::JSBigInt::multiply):
2376         (JSC::JSBigInt::digitDiv):
2377         (JSC::JSBigInt::internalMultiplyAdd):
2378         (JSC::JSBigInt::multiplyAccumulate):
2379         (JSC::JSBigInt::equals):
2380         (JSC::JSBigInt::absoluteDivSmall):
2381         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2382         (JSC::JSBigInt::toStringGeneric):
2383         (JSC::JSBigInt::rightTrim):
2384         (JSC::JSBigInt::allocateFor):
2385         (JSC::JSBigInt::parseInt):
2386         (JSC::JSBigInt::digit):
2387         (JSC::JSBigInt::setDigit):
2388         * runtime/JSBigInt.h:
2389         * runtime/Operations.h:
2390         (JSC::jsMul):
2391
2392 2018-04-28  Commit Queue  <commit-queue@webkit.org>
2393
2394         Unreviewed, rolling out r231131.
2395         https://bugs.webkit.org/show_bug.cgi?id=185112
2396
2397         It is breaking Debug build due to unchecked exception
2398         (Requested by caiolima on #webkit).
2399
2400         Reverted changeset:
2401
2402         "[ESNext][BigInt] Implement support for "*" operation"
2403         https://bugs.webkit.org/show_bug.cgi?id=183721
2404         https://trac.webkit.org/changeset/231131
2405
2406 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
2407
2408         [ESNext][BigInt] Implement support for "*" operation
2409         https://bugs.webkit.org/show_bug.cgi?id=183721
2410
2411         Reviewed by Saam Barati.
2412
2413         Added BigInt support to the times binary operator in LLInt and in the
2414         JITOperations profiledMul and unprofiledMul. We are also replacing all
2415         uses of int with unsigned where there are no negative values for
2416         variables.
2417
2418         * dfg/DFGConstantFoldingPhase.cpp:
2419         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2420         * jit/JITOperations.cpp:
2421         * runtime/CommonSlowPaths.cpp:
2422         (JSC::SLOW_PATH_DECL):
2423         * runtime/JSBigInt.cpp:
2424         (JSC::JSBigInt::JSBigInt):
2425         (JSC::JSBigInt::allocationSize):
2426         (JSC::JSBigInt::createWithLength):
2427         (JSC::JSBigInt::toString):
2428         (JSC::JSBigInt::multiply):
2429         (JSC::JSBigInt::digitDiv):
2430         (JSC::JSBigInt::internalMultiplyAdd):
2431         (JSC::JSBigInt::multiplyAccumulate):
2432         (JSC::JSBigInt::equals):
2433         (JSC::JSBigInt::absoluteDivSmall):
2434         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2435         (JSC::JSBigInt::toStringGeneric):
2436         (JSC::JSBigInt::rightTrim):
2437         (JSC::JSBigInt::allocateFor):
2438         (JSC::JSBigInt::parseInt):
2439         (JSC::JSBigInt::digit):
2440         (JSC::JSBigInt::setDigit):
2441         * runtime/JSBigInt.h:
2442         * runtime/Operations.h:
2443         (JSC::jsMul):
2444
2445 2018-04-27  JF Bastien  <jfbastien@apple.com>
2446
2447         Make the first 64 bits of JSString look like a double JSValue
2448         https://bugs.webkit.org/show_bug.cgi?id=185081
2449
2450         Reviewed by Filip Pizlo.
2451
2452         We can be clever about how we lay out JSString so that, were it
2453         reinterpreted as a JSValue, it would look like a double.
2454
2455         * assembler/MacroAssemblerX86Common.h:
2456         (JSC::MacroAssemblerX86Common::and16):
2457         * assembler/X86Assembler.h:
2458         (JSC::X86Assembler::andw_mr):
2459         * dfg/DFGSpeculativeJIT.cpp:
2460         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2461         * ftl/FTLLowerDFGToB3.cpp:
2462         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2463         * ftl/FTLOutput.h:
2464         (JSC::FTL::Output::store32As8):
2465         (JSC::FTL::Output::store32As16):
2466         * runtime/JSString.h:
2467         (JSC::JSString::JSString):
2468
2469 2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2470
2471         [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
2472         https://bugs.webkit.org/show_bug.cgi?id=185055
2473
2474         Reviewed by JF Bastien.
2475
2476         This patch is paving the way to emitting the jscvt instruction if possible.
2477         To do that, we need to determine whether the jscvt instruction is supported by the
2478         given CPU.
2479
2480         We add a function collectCPUFeatures, which is responsible for collecting
2481         CPU features if necessary. On Linux, we can use the auxiliary vector to get
2482         the information without parsing /proc/cpuinfo.
2483
2484         Currently, nobody calls this function. It will be called later when we emit
2485         the jscvt instruction. To make that possible, we also need to add disassembler
2486         support.
2487
2488         * assembler/AbstractMacroAssembler.h:
2489         * assembler/MacroAssemblerARM64.cpp:
2490         (JSC::MacroAssemblerARM64::collectCPUFeatures):
2491         * assembler/MacroAssemblerARM64.h:
2492         * assembler/MacroAssemblerX86Common.h:
2493
2494 2018-04-26  Filip Pizlo  <fpizlo@apple.com>
2495
2496         Also run foldPathConstants before mussing up SSA
2497         https://bugs.webkit.org/show_bug.cgi?id=185069
2498
2499         Reviewed by Saam Barati.
2500         
2501         This isn't needed now, but will be once I implement the phase in bug 185060.
2502         
2503         This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
2504         Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
2505         be landed separately and measured separately from that phase.
2506         
2507         It's probably nice for sanity to have this and reduceStrength run before tail duplication and
2508         another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
2509         it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
2510         neutral. It all depends on what programs typically look like.
2511
2512         * b3/B3Generate.cpp:
2513         (JSC::B3::generateToAir):
2514
2515 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
2516
2517         Unreviewed, rolling out r231086.
2518
2519         Caused JSC test failures due to an unchecked exception.
2520
2521         Reverted changeset:
2522
2523         "[ESNext][BigInt] Implement support for "*" operation"
2524         https://bugs.webkit.org/show_bug.cgi?id=183721
2525         https://trac.webkit.org/changeset/231086
2526
2527 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
2528
2529         [ESNext][BigInt] Implement support for "*" operation
2530         https://bugs.webkit.org/show_bug.cgi?id=183721
2531
2532         Reviewed by Saam Barati.
2533
2534         Added BigInt support to the times binary operator in LLInt and in the
2535         JITOperations profiledMul and unprofiledMul. We are also replacing all
2536         uses of int with unsigned where there are no negative values for
2537         variables.
2538
2539         * dfg/DFGConstantFoldingPhase.cpp:
2540         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2541         * jit/JITOperations.cpp:
2542         * runtime/CommonSlowPaths.cpp:
2543         (JSC::SLOW_PATH_DECL):
2544         * runtime/JSBigInt.cpp:
2545         (JSC::JSBigInt::JSBigInt):
2546         (JSC::JSBigInt::allocationSize):
2547         (JSC::JSBigInt::createWithLength):
2548         (JSC::JSBigInt::toString):
2549         (JSC::JSBigInt::multiply):
2550         (JSC::JSBigInt::digitDiv):
2551         (JSC::JSBigInt::internalMultiplyAdd):
2552         (JSC::JSBigInt::multiplyAccumulate):
2553         (JSC::JSBigInt::equals):
2554         (JSC::JSBigInt::absoluteDivSmall):
2555         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2556         (JSC::JSBigInt::toStringGeneric):
2557         (JSC::JSBigInt::rightTrim):
2558         (JSC::JSBigInt::allocateFor):
2559         (JSC::JSBigInt::parseInt):
2560         (JSC::JSBigInt::digit):
2561         (JSC::JSBigInt::setDigit):
2562         * runtime/JSBigInt.h:
2563         * runtime/Operations.h:
2564         (JSC::jsMul):
2565
2566 2018-04-26  Mark Lam  <mark.lam@apple.com>
2567
2568         Gardening: Speculative build fix for Windows.
2569         https://bugs.webkit.org/show_bug.cgi?id=184976
2570         <rdar://problem/39723901>
2571
2572         Not reviewed.
2573
2574         * runtime/JSCPtrTag.h:
2575
2576 2018-04-26  Mark Lam  <mark.lam@apple.com>
2577
2578         Gardening: Windows build fix.
2579
2580         Not reviewed.
2581
2582         * runtime/Options.cpp:
2583
2584 2018-04-26  Jer Noble  <jer.noble@apple.com>
2585
2586         WK_COCOA_TOUCH all the things.
2587         https://bugs.webkit.org/show_bug.cgi?id=185006
2588         <rdar://problem/39736025>
2589
2590         Reviewed by Tim Horton.
2591
2592         * Configurations/Base.xcconfig:
2593
2594 2018-04-26  Per Arne Vollan  <pvollan@apple.com>
2595
2596         Disable content filtering in minimal simulator mode
2597         https://bugs.webkit.org/show_bug.cgi?id=185027
2598         <rdar://problem/39736091>
2599
2600         Reviewed by Jer Noble.
2601
2602         * Configurations/FeatureDefines.xcconfig:
2603
2604 2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>
2605
2606         [INTL] Implement Intl.PluralRules
2607         https://bugs.webkit.org/show_bug.cgi?id=184312
2608
2609         Reviewed by JF Bastien.
2610
2611         Use UNumberFormat to enforce formatting, and then UPluralRules to find
2612         the correct plural rule for the given number. Relies on ICU v59+ for
2613         resolvedOptions().pluralCategories and trailing 0 detection.
2614         Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.
2615
2616         * CMakeLists.txt:
2617         * Configurations/FeatureDefines.xcconfig:
2618         * DerivedSources.make:
2619         * JavaScriptCore.xcodeproj/project.pbxproj:
2620         * Sources.txt:
2621         * builtins/BuiltinNames.h:
2622         * runtime/BigIntObject.cpp:
2623         (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
2624         * runtime/BigIntObject.h:
2625         * runtime/CommonIdentifiers.h:
2626         * runtime/IntlObject.cpp:
2627         (JSC::IntlObject::finishCreation):
2628         * runtime/IntlObject.h:
2629         * runtime/IntlPluralRules.cpp: Added.
2630         (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
2631         (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
2632         (JSC::UEnumerationDeleter::operator() const):
2633         (JSC::IntlPluralRules::create):
2634         (JSC::IntlPluralRules::createStructure):
2635         (JSC::IntlPluralRules::IntlPluralRules):
2636         (JSC::IntlPluralRules::finishCreation):
2637         (JSC::IntlPluralRules::destroy):
2638         (JSC::IntlPluralRules::visitChildren):
2639         (JSC::IntlPRInternal::localeData):
2640         (JSC::IntlPluralRules::initializePluralRules):
2641         (JSC::IntlPluralRules::resolvedOptions):
2642         (JSC::IntlPluralRules::select):
2643         * runtime/IntlPluralRules.h: Added.
2644         * runtime/IntlPluralRulesConstructor.cpp: Added.
2645         (JSC::IntlPluralRulesConstructor::create):
2646         (JSC::IntlPluralRulesConstructor::createStructure):
2647         (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
2648         (JSC::IntlPluralRulesConstructor::finishCreation):
2649         (JSC::constructIntlPluralRules):
2650         (JSC::callIntlPluralRules):
2651         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
2652         (JSC::IntlPluralRulesConstructor::visitChildren):
2653         * runtime/IntlPluralRulesConstructor.h: Added.
2654         * runtime/IntlPluralRulesPrototype.cpp: Added.
2655         (JSC::IntlPluralRulesPrototype::create):
2656         (JSC::IntlPluralRulesPrototype::createStructure):
2657         (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
2658         (JSC::IntlPluralRulesPrototype::finishCreation):
2659         (JSC::IntlPluralRulesPrototypeFuncSelect):
2660         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
2661         * runtime/IntlPluralRulesPrototype.h: Added.
2662         * runtime/JSGlobalObject.cpp:
2663         (JSC::JSGlobalObject::init):
2664         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
2665         * runtime/JSGlobalObject.h:
2666         * runtime/Options.h:
2667         * runtime/RegExpPrototype.cpp: Added inlines header.
2668         * runtime/VM.cpp:
2669         (JSC::VM::VM):
2670         * runtime/VM.h:
2671
2672 2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>
2673
2674         [MIPS] Fix branch offsets in branchNeg32
2675         https://bugs.webkit.org/show_bug.cgi?id=185025
2676
2677         Reviewed by Yusuke Suzuki.
2678
2679         Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.
2680
2681         * assembler/MacroAssemblerMIPS.h:
2682         (JSC::MacroAssemblerMIPS::branchNeg32):
2683
2684 2018-04-25  Robin Morisset  <rmorisset@apple.com>
2685
2686         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
2687         https://bugs.webkit.org/show_bug.cgi?id=184773
2688         <rdar://problem/37773612>
2689
2690         Reviewed by Filip Pizlo.
2691
2692         We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
2693         arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
2694         This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
2695         We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
2696         This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
2697
2698         * ftl/FTLLowerDFGToB3.cpp:
2699         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2700
2701 2018-04-25  Mark Lam  <mark.lam@apple.com>
2702
2703         Push the definition of PtrTag down to the WTF layer.
2704         https://bugs.webkit.org/show_bug.cgi?id=184976
2705         <rdar://problem/39723901>
2706
2707         Reviewed by Saam Barati.
2708
2709         * CMakeLists.txt:
2710         * JavaScriptCore.xcodeproj/project.pbxproj:
2711         * assembler/ARM64Assembler.h:
2712         * assembler/AbstractMacroAssembler.h:
2713         * assembler/MacroAssemblerCodeRef.cpp:
2714         * assembler/MacroAssemblerCodeRef.h:
2715         * b3/B3MathExtras.cpp:
2716         * bytecode/LLIntCallLinkInfo.h:
2717         * disassembler/Disassembler.h:
2718         * ftl/FTLJITCode.cpp:
2719         * interpreter/InterpreterInlines.h:
2720         * jit/ExecutableAllocator.h:
2721         * jit/JITOperations.cpp:
2722         * jit/ThunkGenerator.h:
2723         * jit/ThunkGenerators.h:
2724         * llint/LLIntOffsetsExtractor.cpp:
2725         * llint/LLIntPCRanges.h:
2726         * runtime/JSCPtrTag.h: Added.
2727         * runtime/NativeFunction.h:
2728         * runtime/PtrTag.h: Removed.
2729         * runtime/VMTraps.cpp:
2730
2731 2018-04-25  Keith Miller  <keith_miller@apple.com>
2732
2733         getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
2734         https://bugs.webkit.org/show_bug.cgi?id=184998
2735
2736         Reviewed by Saam Barati.
2737
2738         * runtime/CodeCache.cpp:
2739         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2740
2741 2018-04-25  Keith Miller  <keith_miller@apple.com>
2742
2743         Add missing scope release to functionProtoFuncToString
2744         https://bugs.webkit.org/show_bug.cgi?id=184995
2745
2746         Reviewed by Saam Barati.
2747
2748         * runtime/FunctionPrototype.cpp:
2749         (JSC::functionProtoFuncToString):
2750
2751 2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2752
2753         REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
2754         https://bugs.webkit.org/show_bug.cgi?id=184730
2755
2756         Reviewed by Mark Lam.
2757
2758         Add a swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (a temporary register in MacroAssemblerARM).
2759         And we now use dataTempRegister, addressTempRegister, and fpTempRegister instead of S0, S1, and SD0.
2760
2761         We also change the swap(RegisterID, RegisterID) implementation to simply use moves and temporaries. This is aligned with the
2762         ARMv7 implementation.
2763
2764         * assembler/ARMAssembler.h:
2765         * assembler/MacroAssemblerARM.h:
2766         (JSC::MacroAssemblerARM::add32):
2767         (JSC::MacroAssemblerARM::and32):
2768         (JSC::MacroAssemblerARM::lshift32):
2769         (JSC::MacroAssemblerARM::mul32):
2770         (JSC::MacroAssemblerARM::or32):
2771         (JSC::MacroAssemblerARM::rshift32):
2772         (JSC::MacroAssemblerARM::urshift32):
2773         (JSC::MacroAssemblerARM::sub32):
2774         (JSC::MacroAssemblerARM::xor32):
2775         (JSC::MacroAssemblerARM::load8):
2776         (JSC::MacroAssemblerARM::abortWithReason):
2777         (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
2778         (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
2779         (JSC::MacroAssemblerARM::store8):
2780         (JSC::MacroAssemblerARM::store32):
2781         (JSC::MacroAssemblerARM::push):
2782         (JSC::MacroAssemblerARM::swap):
2783         (JSC::MacroAssemblerARM::branch8):
2784         (JSC::MacroAssemblerARM::branchPtr):
2785         (JSC::MacroAssemblerARM::branch32):
2786         (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
2787         (JSC::MacroAssemblerARM::branchTest8):
2788         (JSC::MacroAssemblerARM::branchTest32):
2789         (JSC::MacroAssemblerARM::jump):
2790         (JSC::MacroAssemblerARM::branchAdd32):
2791         (JSC::MacroAssemblerARM::mull32):
2792         (JSC::MacroAssemblerARM::branchMul32):
2793         (JSC::MacroAssemblerARM::patchableBranch32):
2794         (JSC::MacroAssemblerARM::nearCall):
2795         (JSC::MacroAssemblerARM::compare32):
2796         (JSC::MacroAssemblerARM::compare8):
2797         (JSC::MacroAssemblerARM::test32):
2798         (JSC::MacroAssemblerARM::test8):
2799         (JSC::MacroAssemblerARM::add64):
2800         (JSC::MacroAssemblerARM::load32):
2801         (JSC::MacroAssemblerARM::call):
2802         (JSC::MacroAssemblerARM::branchPtrWithPatch):
2803         (JSC::MacroAssemblerARM::branch32WithPatch):
2804         (JSC::MacroAssemblerARM::storePtrWithPatch):
2805         (JSC::MacroAssemblerARM::loadDouble):
2806         (JSC::MacroAssemblerARM::storeDouble):
2807         (JSC::MacroAssemblerARM::addDouble):
2808         (JSC::MacroAssemblerARM::divDouble):
2809         (JSC::MacroAssemblerARM::subDouble):
2810         (JSC::MacroAssemblerARM::mulDouble):
2811         (JSC::MacroAssemblerARM::convertInt32ToDouble):
2812         (JSC::MacroAssemblerARM::branchDouble):
2813         (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
2814         (JSC::MacroAssemblerARM::truncateDoubleToInt32):
2815         (JSC::MacroAssemblerARM::truncateDoubleToUint32):
2816         (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
2817         (JSC::MacroAssemblerARM::branchDoubleNonZero):
2818         (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
2819         (JSC::MacroAssemblerARM::call32):
2820         (JSC::MacroAssemblerARM::internalCompare32):
2821
2822 2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>
2823
2824         [WinCairo] Fix js/regexp-unicode.html crash.
2825         https://bugs.webkit.org/show_bug.cgi?id=184891
2826
2827         Reviewed by Yusuke Suzuki.
2828
2829         On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
2830         RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.
2831
2832         * yarr/YarrJIT.cpp:
2833         (JSC::Yarr::YarrGenerator::generateEnter):
2834         (JSC::Yarr::YarrGenerator::generateReturn):
2835         Unconditionally save and restore RDI on 64-bit Windows.
2836
2837 2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>
2838
2839         [GTK] Miscellaneous build cleanups
2840         https://bugs.webkit.org/show_bug.cgi?id=184399
2841
2842         Reviewed by Žan Doberšek.
2843
2844         * PlatformGTK.cmake:
2845
2846 2018-04-24  Keith Miller  <keith_miller@apple.com>
2847
2848         fromCharCode is missing some exception checks
2849         https://bugs.webkit.org/show_bug.cgi?id=184952
2850
2851         Reviewed by Saam Barati.
2852
2853         I also removed the pointless slow path function and moved it into the
2854         main function.
2855
2856         * runtime/StringConstructor.cpp:
2857         (JSC::stringFromCharCode):
2858         (JSC::stringFromCharCodeSlowCase): Deleted.
2859
2860 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
2861
2862         MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
2863         https://bugs.webkit.org/show_bug.cgi?id=184923
2864
2865         Reviewed by Saam Barati.
2866         
2867         If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
2868         (i.e. we know that the object has one of those structures), then previously we would still emit a
2869         switch with a case per structure along with a default case. That would mean one extra redundant
2870         branch to check that whatever structure we wound up with belongs to the set. In that case, we
2871         were already making the default case be an Oops.
2872         
2873         One possible solution would be to say that the default case being Oops means that B3 doesn't need
2874         to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
2875         be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
2876         seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
2877         trap.
2878         
2879         So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
2880         extra branch.
2881         
2882         This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
2883         it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
2884         read.
2885
2886         * ftl/FTLLowerDFGToB3.cpp:
2887         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
2888         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2889         (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):
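
        The two switch shapes described in this entry, as an added C illustration (this is not JSC
        code; Case, Lowered, lowerMultiGetByOffset and the constructed structure IDs 11/22/33 with
        offsets 8/16/24 are hypothetical names and data for the example). It counts the structure
        comparisons each lowering performs and also shows the caveat: folding the last case into the
        default drops the Oops trap, so it is only sound when an earlier check (a CheckStructure or
        equivalent) has already proved that the object's structure is in the set.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the switch the FTL emits for a MultiGetByOffset.  Case, Lowered and
 * lowerMultiGetByOffset are names invented for this illustration; they are not
 * JSC's types or functions.
 */
typedef struct {
    uint32_t structureID;   /* a structure in the (proved) structure set */
    int offset;             /* property offset to load for that structure */
} Case;

typedef struct {
    int offset;             /* offset selected; valid only when trapped == 0 */
    int comparesEmitted;    /* number of structure comparisons executed */
    int trapped;            /* 1 if we fell into the Oops default */
} Lowered;

/*
 * Dispatch on structureID over `cases`.  With setAlreadyProved == 0 every case
 * is compared and an unmatched structure lands in the Oops default (a trap).
 * With setAlreadyProved == 1 the last case becomes the default: one comparison
 * fewer and no trap, because membership in the set was proved upstream.
 */
static Lowered lowerMultiGetByOffset(const Case *cases, size_t n,
                                     uint32_t structureID, int setAlreadyProved)
{
    Lowered r = { 0, 0, 0 };
    if (n == 0) {
        r.trapped = 1;
        return r;
    }

    size_t explicitCases = setAlreadyProved ? n - 1 : n;
    for (size_t i = 0; i < explicitCases; i++) {
        r.comparesEmitted++;
        if (cases[i].structureID == structureID) {
            r.offset = cases[i].offset;
            return r;
        }
    }
    if (setAlreadyProved) {
        r.offset = cases[n - 1].offset;   /* last case folded into the default */
        return r;
    }
    r.trapped = 1;                        /* Oops: structure is not in the set */
    return r;
}

/* Constructed structure set used for the demonstration. */
static const Case kCases[] = { { 11, 8 }, { 22, 16 }, { 33, 24 } };
static const size_t kCaseCount = sizeof kCases / sizeof kCases[0];

/* Lowering with the explicit Oops default: a compare per case plus the trap. */
Lowered lowerUnproved(uint32_t structureID)
{
    return lowerMultiGetByOffset(kCases, kCaseCount, structureID, 0);
}

/* Lowering after the set is proved: the last case is the default. */
Lowered lowerProved(uint32_t structureID)
{
    return lowerMultiGetByOffset(kCases, kCaseCount, structureID, 1);
}

int main(void)
{
    Lowered a = lowerUnproved(33), b = lowerProved(33), c = lowerProved(44);
    printf("unproved: offset %d after %d compares\n", a.offset, a.comparesEmitted);
    printf("proved:   offset %d after %d compares\n", b.offset, b.comparesEmitted);
    printf("proved, but structure 44 is outside the set: offset %d, no trap\n", c.offset);
    return 0;
}
```

        lowerProved(44) returns offset 24 without trapping: that is what an unproved structure would
        get once the default branch is gone, which is why this lowering may only be chosen when the
        structure set has really been proved.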
2890
2891 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
2892
2893         DFG CSE should know how to decay a MultiGetByOffset
2894         https://bugs.webkit.org/show_bug.cgi?id=159859
2895
2896         Reviewed by Keith Miller.
2897         
2898         This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
2899         clobberize() can report a def() for MultiGetByOffset.
2900         
2901         This is a slight improvement to codegen in splay because splay is a heavy user of
2902         MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
2903         "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
2904         removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
2905         splay's time.
2906
2907         * dfg/DFGClobberize.h:
2908         (JSC::DFG::clobberize):
2909         * dfg/DFGNode.cpp:
2910         (JSC::DFG::Node::remove):
2911         (JSC::DFG::Node::removeWithoutChecks):
2912         (JSC::DFG::Node::replaceWith):
2913         (JSC::DFG::Node::replaceWithWithoutChecks):
2914         * dfg/DFGNode.h:
2915         (JSC::DFG::Node::convertToMultiGetByOffset):
2916         (JSC::DFG::Node::replaceWith): Deleted.
2917         * dfg/DFGNodeType.h:
2918         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2919
2920 2018-04-24  Keith Miller  <keith_miller@apple.com>
2921
2922         Update API docs with information on which run loop the VM will use
2923         https://bugs.webkit.org/show_bug.cgi?id=184900
2924         <rdar://problem/39166054>
2925
2926         Reviewed by Mark Lam.
2927
2928         * API/JSContextRef.h:
2929         * API/JSVirtualMachine.h:
2930
2931 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
2932
2933         $vm.totalGCTime() should be a thing
2934         https://bugs.webkit.org/show_bug.cgi?id=184916
2935
2936         Reviewed by Sam Weinig.
2937         
2938         When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
2939         time spent in GC to determine if the regression is because the GC got slower.
2940         
2941         This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.
2942
2943         * heap/Heap.cpp:
2944         (JSC::Heap::runEndPhase):
2945         * heap/Heap.h:
2946         (JSC::Heap::totalGCTime const):
2947         * tools/JSDollarVM.cpp:
2948         (JSC::functionTotalGCTime):
2949         (JSC::JSDollarVM::finishCreation):
2950
2951 2018-04-23  Zalan Bujtas  <zalan@apple.com>
2952
2953         [LayoutFormattingContext] Initial commit.
2954         https://bugs.webkit.org/show_bug.cgi?id=184896
2955
2956         Reviewed by Antti Koivisto.
2957
2958         * Configurations/FeatureDefines.xcconfig:
2959
2960 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
2961
2962         Unreviewed, revert accidental change to verbose flag.
2963
2964         * dfg/DFGByteCodeParser.cpp:
2965
2966 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
2967
2968         Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.
2969
2970         Rubber stamped by Saam Barati.
2971         
2972         This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
2973         anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
2974         Seems sensible to just roll it out.
2975
2976         * dfg/DFGByteCodeParser.cpp:
2977         (JSC::DFG::ByteCodeParser::addToGraph):
2978         (JSC::DFG::ByteCodeParser::parse):
2979
2980 2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2981
2982         [JSC] Remove ModuleLoaderPrototype
2983         https://bugs.webkit.org/show_bug.cgi?id=184784
2984
2985         Reviewed by Mark Lam.
2986
2987         When we introduced ModuleLoaderPrototype, ModuleLoader could be created by users and exposed to them.
2988         However, the loader spec has been abandoned, so we do not need to have both ModuleLoaderPrototype and JSModuleLoader.
2989         This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.
2990
2991         * CMakeLists.txt:
2992         * DerivedSources.make:
2993         * JavaScriptCore.xcodeproj/project.pbxproj:
2994         * Sources.txt:
2995         * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
2996         * runtime/JSGlobalObject.cpp:
2997         (JSC::JSGlobalObject::init):
2998         (JSC::JSGlobalObject::visitChildren):
2999         * runtime/JSGlobalObject.h:
3000         (JSC::JSGlobalObject::proxyRevokeStructure const):
3001         (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
3002         * runtime/JSModuleLoader.cpp:
3003         (JSC::moduleLoaderParseModule):
3004         (JSC::moduleLoaderRequestedModules):
3005         (JSC::moduleLoaderModuleDeclarationInstantiation):
3006         (JSC::moduleLoaderResolve):
3007         (JSC::moduleLoaderResolveSync):
3008         (JSC::moduleLoaderFetch):
3009         (JSC::moduleLoaderGetModuleNamespaceObject):
3010         (JSC::moduleLoaderEvaluate):
3011         * runtime/JSModuleLoader.h:
3012         * runtime/ModuleLoaderPrototype.cpp: Removed.
3013         * runtime/ModuleLoaderPrototype.h: Removed.
3014
3015 2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>
3016
3017         [GLIB] All API tests fail in debug builds
3018         https://bugs.webkit.org/show_bug.cgi?id=184813
3019
3020         Reviewed by Mark Lam.
3021
3022         This is because of a conflict between the ExceptionHandler class used in tests and the ExceptionHandler struct defined in
3023         JSCContext.cpp. This patch renames the ExceptionHandler struct to JSCContextExceptionHandler.
3024
3025         * API/glib/JSCContext.cpp:
3026         (JSCContextExceptionHandler::JSCContextExceptionHandler):
3027         (JSCContextExceptionHandler::~JSCContextExceptionHandler):
3028         (jscContextConstructed):
3029         (ExceptionHandler::ExceptionHandler): Deleted.
3030         (ExceptionHandler::~ExceptionHandler): Deleted.
3031
3032 2018-04-20  Tim Horton  <timothy_horton@apple.com>
3033
3034         Adjust geolocation feature flag
3035         https://bugs.webkit.org/show_bug.cgi?id=184856
3036
3037         Reviewed by Wenson Hsieh.
3038
3039         * Configurations/FeatureDefines.xcconfig:
3040
3041 2018-04-20  Brian Burg  <bburg@apple.com>
3042
3043         Web Inspector: remove some dead code in IdentifiersFactory
3044         https://bugs.webkit.org/show_bug.cgi?id=184839
3045
3046         Reviewed by Timothy Hatcher.
3047
3048         This was never used on non-Chrome ports, so the identifier always has a
3049         prefix of '0.'. We may change this in the future, but for now remove this.
3050         Using a PID for this purpose is problematic anyway.
3051
3052         * inspector/IdentifiersFactory.cpp:
3053         (Inspector::addPrefixToIdentifier):
3054         (Inspector::IdentifiersFactory::createIdentifier):
3055         (Inspector::IdentifiersFactory::requestId):
3056         (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
3057         * inspector/IdentifiersFactory.h:
3058
3059 2018-04-20  Mark Lam  <mark.lam@apple.com>
3060
3061         Add the ability to use a hash for setting PtrTag enum values.
3062         https://bugs.webkit.org/show_bug.cgi?id=184852
3063         <rdar://problem/39613891>
3064
3065         Reviewed by Saam Barati.
3066
3067         * runtime/PtrTag.h:
3068
3069 2018-04-20  Mark Lam  <mark.lam@apple.com>
3070
3071         Some JSEntryPtrTags should actually be JSInternalPtrTags.
3072         https://bugs.webkit.org/show_bug.cgi?id=184712
3073         <rdar://problem/39507381>
3074
3075         Reviewed by Michael Saboff.
3076
3077         1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
3078         2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
3079            only when needed.
3080
3081         * bytecode/AccessCase.cpp:
3082         (JSC::AccessCase::generateImpl):
3083         * bytecode/ByValInfo.h:
3084         (JSC::ByValInfo::ByValInfo):
3085         * bytecode/CallLinkInfo.cpp:
3086         (JSC::CallLinkInfo::callReturnLocation):
3087         (JSC::CallLinkInfo::patchableJump):
3088         (JSC::CallLinkInfo::hotPathBegin):
3089         (JSC::CallLinkInfo::slowPathStart):
3090         * bytecode/CallLinkInfo.h:
3091         (JSC::CallLinkInfo::setCallLocations):
3092         (JSC::CallLinkInfo::hotPathOther):
3093         * bytecode/PolymorphicAccess.cpp:
3094         (JSC::PolymorphicAccess::regenerate):
3095         * bytecode/StructureStubInfo.h:
3096         (JSC::StructureStubInfo::doneLocation):
3097         * dfg/DFGJITCompiler.cpp:
3098         (JSC::DFG::JITCompiler::link):
3099         * dfg/DFGOSRExit.cpp:
3100         (JSC::DFG::reifyInlinedCallFrames):
3101         * ftl/FTLLazySlowPath.cpp:
3102         (JSC::FTL::LazySlowPath::initialize):
3103         * ftl/FTLLazySlowPath.h:
3104         (JSC::FTL::LazySlowPath::done const):
3105         * ftl/FTLLowerDFGToB3.cpp:
3106         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3107         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
3108         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3109         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3110         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3111         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
3112         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3113         * jit/JIT.cpp:
3114         (JSC::JIT::link):
3115         * jit/JITExceptions.cpp:
3116         (JSC::genericUnwind):
3117         * jit/JITMathIC.h:
3118         (JSC::isProfileEmpty):
3119         * llint/LLIntData.cpp:
3120         (JSC::LLInt::initialize):
3121         * llint/LLIntData.h:
3122         (JSC::LLInt::getCodePtr):
3123         (JSC::LLInt::getExecutableAddress): Deleted.
3124         * llint/LLIntExceptions.cpp:
3125         (JSC::LLInt::callToThrow):
3126         * llint/LLIntSlowPaths.cpp:
3127         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3128         * wasm/js/WasmToJS.cpp:
3129         (JSC::Wasm::wasmToJS):
3130
3131 2018-04-18  Jer Noble  <jer.noble@apple.com>
3132
3133         Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
3134         https://bugs.webkit.org/show_bug.cgi?id=184762
3135
3136         Reviewed by Dan Bernstein.
3137
3138         * Configurations/Base.xcconfig:
3139         * JavaScriptCore.xcodeproj/project.pbxproj:
3140
3141 2018-04-20  Daniel Bates  <dabates@apple.com>
3142
3143         Remove code for compilers that did not support NSDMI for aggregates
3144         https://bugs.webkit.org/show_bug.cgi?id=184599
3145
3146         Reviewed by Per Arne Vollan.
3147
3148         Remove workaround for earlier Visual Studio versions that did not support non-static data
3149         member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
3150         and EWS bots to a newer version that supports this feature.
3151
3152         * domjit/DOMJITEffect.h:
3153         (JSC::DOMJIT::Effect::Effect): Deleted.
3154         * runtime/HasOwnPropertyCache.h:
3155         (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
3156         * wasm/WasmFormat.h:
3157         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.
3158
3159 2018-04-20  Mark Lam  <mark.lam@apple.com>
3160
3161         Build fix for internal builds after r230826.
3162         https://bugs.webkit.org/show_bug.cgi?id=184790
3163         <rdar://problem/39301369>
3164
3165         Not reviewed.
3166
3167         * runtime/Options.cpp:
3168         (JSC::overrideDefaults):
3169         * tools/SigillCrashAnalyzer.cpp:
3170         (JSC::SignalContext::dump):
3171
3172 2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>
3173
3174         REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
3175         https://bugs.webkit.org/show_bug.cgi?id=184254
3176         <rdar://problem/39140200>
3177
3178         Reviewed by Daniel Bates.
3179
3180         Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.
3181
3182         * runtime/ArrayBuffer.h:
3183         (JSC::ArrayBufferContents::ArrayBufferContents):
3184
3185 2018-04-19  Mark Lam  <mark.lam@apple.com>
3186
3187         Apply pointer profiling to Signal pointers.
3188         https://bugs.webkit.org/show_bug.cgi?id=184790
3189         <rdar://problem/39301369>
3190
3191         Reviewed by Michael Saboff.
3192
3193         1. Change stackPointer, framePointer, and instructionPointer accessors to
3194            be a pair of getter/setter functions.
3195         2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
3196            pointer profiling variants of these accessors.
3197         3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).
3198
3199         * JavaScriptCorePrefix.h:
3200         * runtime/MachineContext.h:
3201         (JSC::MachineContext::stackPointerImpl):
3202         (JSC::MachineContext::stackPointer):
3203         (JSC::MachineContext::setStackPointer):
3204         (JSC::MachineContext::framePointerImpl):
3205         (JSC::MachineContext::framePointer):
3206         (JSC::MachineContext::setFramePointer):
3207         (JSC::MachineContext::instructionPointerImpl):
3208         (JSC::MachineContext::instructionPointer):
3209         (JSC::MachineContext::setInstructionPointer):
3210         (JSC::MachineContext::linkRegisterImpl):
3211         (JSC::MachineContext::linkRegister):
3212         (JSC::MachineContext::setLinkRegister):
3213         * runtime/SamplingProfiler.cpp:
3214         (JSC::SamplingProfiler::takeSample):
3215         * runtime/VMTraps.cpp:
3216         (JSC::SignalContext::SignalContext):
3217         (JSC::VMTraps::tryInstallTrapBreakpoints):
3218         * tools/CodeProfiling.cpp:
3219         (JSC::profilingTimer):
3220         * tools/SigillCrashAnalyzer.cpp:
3221         (JSC::SignalContext::dump):
3222         (JSC::installCrashHandler):
3223         (JSC::SigillCrashAnalyzer::analyze):
3224         * wasm/WasmFaultSignalHandler.cpp:
3225         (JSC::Wasm::trapHandler):
3226
3227 2018-04-19  David Kilzer  <ddkilzer@apple.com>
3228
3229         Enable Objective-C weak references
3230         <https://webkit.org/b/184789>
3231         <rdar://problem/39571716>
3232
3233         Reviewed by Dan Bernstein.
3234
3235         * Configurations/Base.xcconfig:
3236         (CLANG_ENABLE_OBJC_WEAK): Enable.
3237         * Configurations/ToolExecutable.xcconfig:
3238         (CLANG_ENABLE_OBJC_ARC): Simplify.
3239
3240 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
3241
3242         The InternalFunction hierarchy should be in IsoSubspaces
3243         https://bugs.webkit.org/show_bug.cgi?id=184721
3244
3245         Reviewed by Saam Barati.
3246         
3247         This moves InternalFunction into a IsoSubspace. It also moves all subclasses into IsoSubspaces,
3248         but subclasses that are the same size as InternalFunction share its subspace. I did this
3249         because the subclasses appear to just override methods, which are called dynamically via the
3250         structure or class of the object. So, I don't see a type confusion risk if UAF is used to
3251         allocate one kind of InternalFunction over another.
3252
3253         * API/JSBase.h:
3254         * API/JSCallbackFunction.h:
3255         * API/ObjCCallbackFunction.h:
3256         (JSC::ObjCCallbackFunction::subspaceFor):
3257         * CMakeLists.txt:
3258         * JavaScriptCore.xcodeproj/project.pbxproj:
3259         * Sources.txt:
3260         * heap/IsoSubspacePerVM.cpp: Added.
3261         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
3262         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
3263         (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
3264         (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
3265         (JSC::IsoSubspacePerVM::forVM):
3266         * heap/IsoSubspacePerVM.h: Added.
3267         (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
3268         * runtime/Error.h:
3269         * runtime/ErrorConstructor.h:
3270         * runtime/InternalFunction.h:
3271         (JSC::InternalFunction::subspaceFor):
3272         * runtime/IntlCollatorConstructor.h:
3273         * runtime/IntlDateTimeFormatConstructor.h:
3274         * runtime/IntlNumberFormatConstructor.h:
3275         * runtime/JSArrayBufferConstructor.h:
3276         * runtime/NativeErrorConstructor.h:
3277         * runtime/ProxyRevoke.h:
3278         * runtime/RegExpConstructor.h:
3279         * runtime/VM.cpp:
3280         (JSC::VM::VM):
3281         * runtime/VM.h:
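
        The use-after-free reasoning in this entry, as an added C illustration (this is not JSC's
        allocator; Subspace, KindA, KindB and the arena sizes are hypothetical stand-ins). With one
        space shared by both kinds, a freed KindA cell is handed straight back as a KindB, so a
        dangling KindA* now aliases a live KindB, which is the type-confusion shape a UAF gives an
        attacker. With one space per kind that reuse cannot happen. Note that, as the entry says,
        subclasses that share a subspace still share cells: the isolation holds only between spaces.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Minimal model of an iso subspace: a bump allocator plus LIFO free list over a
 * fixed arena, with one instance per object kind.  Hypothetical stand-in for
 * the idea only; not JSC's IsoSubspace.
 */
#define CELL_SIZE 32
#define CELLS_PER_ARENA 64

typedef struct {
    unsigned char *arena;   /* backing memory for all cells of this space */
    size_t used;            /* cells handed out by the bump pointer so far */
    void *freeList;         /* freed cells; the next pointer lives in the cell */
} Subspace;

static int subspaceInit(Subspace *s)
{
    s->arena = malloc((size_t)CELL_SIZE * CELLS_PER_ARENA);
    s->used = 0;
    s->freeList = NULL;
    return s->arena != NULL;
}

static void *subspaceAlloc(Subspace *s)
{
    if (s->freeList) {                              /* reuse most recently freed cell */
        void *cell = s->freeList;
        memcpy(&s->freeList, cell, sizeof(void *));
        return cell;
    }
    if (s->used == CELLS_PER_ARENA)
        return NULL;
    return s->arena + (size_t)CELL_SIZE * s->used++;
}

static void subspaceFree(Subspace *s, void *cell)
{
    memcpy(cell, &s->freeList, sizeof(void *));     /* link cell into the free list */
    s->freeList = cell;
}

static void subspaceDestroy(Subspace *s)
{
    free(s->arena);
    s->arena = NULL;
}

/* Two object kinds of identical size, like two InternalFunction subclasses. */
typedef struct { uint32_t kind; uint32_t flags; void *target; } KindA;
typedef struct { uint32_t kind; uint32_t flags; void *target; } KindB;
enum { KIND_A = 1, KIND_B = 2 };

/*
 * Allocate an A, free it while still holding a pointer to it, then allocate a
 * B.  Returns 1 if the B landed on the dangling A's cell (the dangling KindA*
 * now aliases a live KindB), 0 if it did not, -1 on allocation failure.
 * Only addresses are compared; the dangling pointer is never dereferenced.
 */
static int allocFreeAllocAliases(Subspace *forA, Subspace *forB)
{
    KindA *a = subspaceAlloc(forA);
    if (!a)
        return -1;
    a->kind = KIND_A;
    KindA *dangling = a;
    subspaceFree(forA, a);

    KindB *b = subspaceAlloc(forB);
    if (!b)
        return -1;
    b->kind = KIND_B;
    return (void *)dangling == (void *)b;
}

/* One space shared by both kinds: the freed A cell comes back as a B. */
int sharedSpaceAllowsCrossKindReuse(void)
{
    Subspace shared;
    if (!subspaceInit(&shared))
        return -1;
    int r = allocFreeAllocAliases(&shared, &shared);
    subspaceDestroy(&shared);
    return r;
}

/* One space per kind: a B can never be placed where an A used to live. */
int isoSpacesPreventCrossKindReuse(void)
{
    Subspace spaceA, spaceB;
    if (!subspaceInit(&spaceA))
        return -1;
    if (!subspaceInit(&spaceB)) {
        subspaceDestroy(&spaceA);
        return -1;
    }
    int r = allocFreeAllocAliases(&spaceA, &spaceB);
    subspaceDestroy(&spaceA);
    subspaceDestroy(&spaceB);
    return r;
}

int main(void)
{
    printf("shared space, B reuses freed A cell: %d\n", sharedSpaceAllowsCrossKindReuse());
    printf("iso spaces,   B reuses freed A cell: %d\n", isoSpacesPreventCrossKindReuse());
    return 0;
}
```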
3282
3283 2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3284
3285         Unreviewed, Fix jsc shell
3286         https://bugs.webkit.org/show_bug.cgi?id=184600
3287
3288         WebAssembly module loading does not finish within drainMicrotasks(),
3289         so JSNativeStdFunction's captured variables become invalid.
3290         This patch fixes this issue.
3291
3292         * jsc.cpp:
3293         (functionDollarAgentStart):
3294         (runWithOptions):
3295         (runJSC):
3296         (jscmain):
3297
3298 2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>
3299
3300         REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
3301         https://bugs.webkit.org/show_bug.cgi?id=184725
3302
3303         Reviewed by Mark Lam.
3304
3305         * jit/JIT.h:
3306
3307 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3308
3309         [WebAssembly][Modules] Import tables in wasm modules
3310         https://bugs.webkit.org/show_bug.cgi?id=184738
3311
3312         Reviewed by JF Bastien.
3313
3314         This patch simply allows wasm modules to import tables from other wasm modules or from JS re-exports.
3315         Basically, moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
3316         just works.
3317
3318         * wasm/js/JSWebAssemblyInstance.cpp:
3319         (JSC::JSWebAssemblyInstance::create):
3320         * wasm/js/WebAssemblyModuleRecord.cpp:
3321         (JSC::WebAssemblyModuleRecord::link):
3322
3323 2018-04-18  Dominik Infuehr  <dinfuehr@igalia.com>
3324
3325         [ARM] Fix build error and crash after PtrTag change
3326         https://bugs.webkit.org/show_bug.cgi?id=184732
3327
3328         Reviewed by Mark Lam.
3329
3330         Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
3331         MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
3332         twice with ARM-Thumb2.
3333
3334         * assembler/MacroAssemblerCodeRef.h:
3335         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
3336         * jit/JITPropertyAccess32_64.cpp:
3337         (JSC::JIT::emitSlow_op_put_by_val):
3338         * jit/Repatch.cpp:
3339         (JSC::linkPolymorphicCall):
3340
3341 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3342
3343         [WebAssembly][Modules] Import globals from wasm modules
3344         https://bugs.webkit.org/show_bug.cgi?id=184736
3345
3346         Reviewed by JF Bastien.
3347
3348         This patch implements importing globals to/from wasm modules.
3349         Since we do not support mutable globals yet, we can just copy the
3350         global data when importing. Currently we do not support importing/exporting
3351         i64 globals. This will be supported once (1) mutable global bindings are
3352         specified and (2) BigInt-based i64 importing/exporting is specified.
3353
3354         * wasm/js/JSWebAssemblyInstance.cpp:
3355         (JSC::JSWebAssemblyInstance::create):
3356         * wasm/js/WebAssemblyModuleRecord.cpp:
3357         (JSC::WebAssemblyModuleRecord::link):
3358
3359 2018-04-18  Tomas Popela  <tpopela@redhat.com>
3360
3361         Unreviewed, fix build on ARM
3362
3363         * assembler/MacroAssemblerARM.h:
3364         (JSC::MacroAssemblerARM::readCallTarget):
3365
3366 2018-04-18  Tomas Popela  <tpopela@redhat.com>
3367
3368         Unreviewed, fix build with GCC
3369
3370         * assembler/LinkBuffer.h:
3371         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3372
3373 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3374
3375         Unreviewed, reland r230697, r230720, and r230724.
3376         https://bugs.webkit.org/show_bug.cgi?id=184600
3377
3378         With CatchScope check.
3379
3380         * JavaScriptCore.xcodeproj/project.pbxproj:
3381         * builtins/ModuleLoaderPrototype.js:
3382         (globalPrivate.newRegistryEntry):
3383         (requestInstantiate):
3384         (link):
3385         * jsc.cpp:
3386         (convertShebangToJSComment):
3387         (fillBufferWithContentsOfFile):
3388         (fetchModuleFromLocalFileSystem):
3389         (GlobalObject::moduleLoaderFetch):
3390         (functionDollarAgentStart):
3391         (checkException):
3392         (runWithOptions):
3393         * parser/NodesAnalyzeModule.cpp:
3394         (JSC::ImportDeclarationNode::analyzeModule):
3395         * parser/SourceProvider.h:
3396         (JSC::WebAssemblySourceProvider::create):
3397         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
3398         * runtime/AbstractModuleRecord.cpp:
3399         (JSC::AbstractModuleRecord::hostResolveImportedModule):
3400         (JSC::AbstractModuleRecord::resolveImport):
3401         (JSC::AbstractModuleRecord::link):