Complete fix for enabling modern EME by default
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-05-18  Jer Noble  <jer.noble@apple.com>

        Complete fix for enabling modern EME by default
        https://bugs.webkit.org/show_bug.cgi?id=185770
        <rdar://problem/40368220>

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix exception checking, part 2
        https://bugs.webkit.org/show_bug.cgi?id=185350

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByValInternal):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):

2018-05-16  Filip Pizlo  <fpizlo@apple.com>

        JSC should have InstanceOf inline caching
        https://bugs.webkit.org/show_bug.cgi?id=185652

        Reviewed by Saam Barati.

        This adds a polymorphic inline cache for instanceof. It caches hits and misses. It uses the
        existing PolymorphicAccess IC machinery along with all of its heuristics. If we ever generate
        too many cases, we emit the generic instanceof implementation instead.

        All of the JIT tiers use the same InstanceOf IC. It uses the existing JITInlineCacheGenerator
        abstraction.

        This is a ~40% speed-up on instanceof microbenchmarks. It's a *tiny* (~1%) speed-up on
        Octane/boyer. I think I can make that speed-up bigger by inlining the inline cache.

        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/B3Effects.h:
        (JSC::B3::Effects::forReadOnlyCall):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::guardedByStructureCheck const):
        (JSC::AccessCase::canReplace const):
        (JSC::AccessCase::visitWeak const):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCase.h:
        * bytecode/InstanceOfAccessCase.cpp: Added.
        (JSC::InstanceOfAccessCase::create):
        (JSC::InstanceOfAccessCase::dumpImpl const):
        (JSC::InstanceOfAccessCase::clone const):
        (JSC::InstanceOfAccessCase::~InstanceOfAccessCase):
        (JSC::InstanceOfAccessCase::InstanceOfAccessCase):
        * bytecode/InstanceOfAccessCase.h: Added.
        (JSC::InstanceOfAccessCase::prototype const):
        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::hasPrototypeWithoutBarrier):
        (JSC::ObjectPropertyCondition::hasPrototype):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForInstanceOf):
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::addCases):
        (JSC::PolymorphicAccess::regenerate):
        (WTF::printInternal):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::dumpInContext const):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
        (WTF::printInternal):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::absenceWithoutBarrier):
        (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
        (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
        (JSC::PropertyCondition::hasPrototype):
        (JSC::PropertyCondition::hasPrototype const):
        (JSC::PropertyCondition::prototype const):
        (JSC::PropertyCondition::hash const):
        (JSC::PropertyCondition::operator== const):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::StructureStubInfo):
        (JSC::StructureStubInfo::reset):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::considerCaching):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInlineCacheWrapper.h:
        * dfg/DFGInlineCacheWrapperInlines.h:
        (JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addInstanceOf):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
        * jit/ICStats.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::link):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITInlineCacheGenerator::finalize):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::finalize):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
        (JSC::JITInstanceOfGenerator::generateFastPath):
        (JSC::JITInstanceOfGenerator::finalize):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITInlineCacheGenerator::reportSlowPathCall):
        (JSC::JITInlineCacheGenerator::slowPathBegin const):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
        (JSC::finalizeInlineCaches):
        (JSC::JITByIdGenerator::reportSlowPathCall): Deleted.
        (JSC::JITByIdGenerator::slowPathBegin const): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::stubUnavailableRegisters):
        * jit/Repatch.cpp:
        (JSC::tryCacheIn):
        (JSC::tryCacheInstanceOf):
        (JSC::repatchInstanceOf):
        (JSC::resetPatchableJump):
        (JSC::resetIn):
        (JSC::resetInstanceOf):
        * jit/Repatch.h:
        * runtime/Options.h:
        * runtime/Structure.h:

2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix exception checking
        https://bugs.webkit.org/show_bug.cgi?id=185350

        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectWithReify):
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):

2018-05-17  Michael Saboff  <msaboff@apple.com>

        We don't throw SyntaxErrors for runtime generated regular expressions with errors
        https://bugs.webkit.org/show_bug.cgi?id=185755

        Reviewed by Keith Miller.

        Added a new helper that creates the correct exception to throw for each type of error when
        compiling a RegExp.  Using that new helper, added missing checks for RegExp for the cases
        where we create a new RegExp from an existing one.  Also refactored other places where we
        throw SyntaxErrors after a failed RegExp compile to use the new helper.

        * runtime/RegExp.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpCreate):
        (JSC::constructRegExp):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        * yarr/YarrErrorCode.cpp:
        (JSC::Yarr::errorToThrow):
        * yarr/YarrErrorCode.h:

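As an added illustration (not part of this ChangeLog or of WebKit's own code), the following JavaScript checks the runtime RegExp constructions that the entry above is about: deriving a new RegExp from an existing one with different flags, and recompiling in place, must raise a SyntaxError when the result is invalid. The helper names `throwsSyntaxError` and `runtimeRegExpErrorChecks` are this example's own.

```javascript
// Added example, not WebKit code: which runtime RegExp constructions must
// raise a SyntaxError. The cases derived from an existing RegExp are the ones
// the ChangeLog entry says were previously missing their checks.

// Run fn and report whether it threw specifically a SyntaxError.
function throwsSyntaxError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Control case: a valid derivation keeps the source and takes the new flags.
function validReflag() {
  const derived = new RegExp(/a+/, 'gi');
  return derived.source === 'a+' && derived.flags === 'gi';
}

function runtimeRegExpErrorChecks() {
  // `\-` is a valid identity escape without the u flag, so this literal parses.
  const existing = /\-/;
  return {
    // With the u flag `\-` is not a permitted escape outside a character class,
    // so re-creating the same pattern with 'u' at runtime must throw.
    reflagToUnicode: throwsSyntaxError(() => new RegExp(existing, 'u')),
    // Duplicate flags are rejected when a RegExp is rebuilt from another one.
    duplicateFlags: throwsSyntaxError(() => new RegExp(/a/, 'gg')),
    // Annex B RegExp.prototype.compile recompiles an existing object in place;
    // an unterminated group is a compile error and must throw too.
    compileBadPattern: throwsSyntaxError(() => new RegExp('a').compile('(')),
    // A well-formed derivation must not throw.
    validReflag: validReflag(),
  };
}
```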
2018-05-17  Saam Barati  <sbarati@apple.com>

        Remove shrinkFootprint test from apitests since it's flaky
        https://bugs.webkit.org/show_bug.cgi?id=185754

        Reviewed by Mark Lam.

        This test is flaky as it keeps failing on certain people's machines.
        Having a test about OS footprint seems like it'll forever be doomed
        to being flaky.

        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):

2018-05-17  Saam Barati  <sbarati@apple.com>

        defaultConstructorSourceCode needs to makeSource every time it's called
        https://bugs.webkit.org/show_bug.cgi?id=185753

        Rubber-stamped by Mark Lam.

        The bug here is multiple VMs can be running concurrently to one another
        in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
        if we copy a static SourceCode. Instead, we create a new one each time
        this function is called.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):

2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use AssemblyHelpers' type checking functions as much as possible
        https://bugs.webkit.org/show_bug.cgi?id=185730

        Reviewed by Saam Barati.

        Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex
        bit and register operations for type tagging of JSValue. It is really useful when we would like
        to tweak the type tagging representation since the code is collected into AssemblyHelpers. And
        the named function is more readable than some branching operations.

        We also remove unnecessary branching functions in JIT / JSInterfaceJIT. Some of them duplicate
        AssemblyHelpers' ones.

        We add several new type checking functions to AssemblyHelpers. Moreover, we add branchIfXXX(GPRReg)
        functions even for the 32-bit environment. In the 32-bit environment, these functions take the tag
        register. These semantics are aligned with the existing branchIfCell / branchIfNotCell.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
        (JSC::DFG::SpeculativeJIT::speculateCellType):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
        (JSC::DFG::SpeculativeJIT::compileCreateThis):
        (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::convertAnyInt):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfInt32):
        (JSC::AssemblyHelpers::branchIfNotInt32):
        (JSC::AssemblyHelpers::branchIfNumber):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfBoolean):
        (JSC::AssemblyHelpers::branchIfNotBoolean):
        (JSC::AssemblyHelpers::branchIfEmpty):
        (JSC::AssemblyHelpers::branchIfNotEmpty):
        (JSC::AssemblyHelpers::branchIfUndefined):
        (JSC::AssemblyHelpers::branchIfNotUndefined):
        (JSC::AssemblyHelpers::branchIfNull):
        (JSC::AssemblyHelpers::branchIfNotNull):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emit_op_inc):
        (JSC::JIT::emit_op_dec):
        (JSC::JIT::emitBinaryDoubleOp):
        (JSC::JIT::emit_op_mod):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
        (JSC::JIT::emitJumpIfBothJSCells):
        (JSC::JIT::emitJumpSlowCaseIfJSCell):
        (JSC::JIT::emitJumpIfNotInt):
        (JSC::JIT::emitJumpSlowCaseIfNotInt):
        (JSC::JIT::emitJumpSlowCaseIfNotNumber):
        (JSC::JIT::emitJumpIfCellObject): Deleted.
        (JSC::JIT::emitJumpIfCellNotObject): Deleted.
        (JSC::JIT::emitJumpIfJSCell): Deleted.
        (JSC::JIT::emitJumpIfInt): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_to_object):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_check_tdz):
        (JSC::JIT::emitNewFuncExprCommon):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jneq_ptr):
        (JSC::JIT::emit_op_eq):
        (JSC::JIT::emit_op_jeq):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::emit_op_jneq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_to_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emit_op_check_tdz):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitWriteBarrier):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitLoadJSCell):
        (JSC::JSInterfaceJIT::emitLoadInt32):
        (JSC::JSInterfaceJIT::emitLoadDouble):
        (JSC::JSInterfaceJIT::emitJumpIfNumber): Deleted.
        (JSC::JSInterfaceJIT::emitJumpIfNotNumber): Deleted.
        (JSC::JSInterfaceJIT::emitJumpIfNotType): Deleted.
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::absThunkGenerator):
        * tools/JSDollarVM.cpp:
        (WTF::DOMJITNode::checkSubClassSnippet):
        (WTF::DOMJITFunctionObject::checkSubClassSnippet):

2018-05-17  Saam Barati  <sbarati@apple.com>

        Unreviewed. Fix the build after my attempted build fix broke the build.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):
        (JSC::BuiltinExecutables::createDefaultConstructor):
        * builtins/BuiltinExecutables.h:

2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove reifyPropertyNameIfNeeded
        https://bugs.webkit.org/show_bug.cgi?id=185350

        Reviewed by Saam Barati.

        reifyPropertyNameIfNeeded is in the middle of putDirectInternal, which is a super critical path.
        This is a virtual call, and it is only used by JSFunction right now. Since this causes too much
        cost, we should remove this from the critical path.

        This patch removes this function call from the critical path. And in our slow paths, we call
        helper functions which call reifyLazyPropertyIfNeeded if the given value is a JSFunction.
        While putDirect is a bit of a raw API, our slow paths just call it. This helper wraps these calls
        and takes care of the edge cases. The other callsites of putDirect should know the type of the given
        object and the name of the property (and avoid these edge cases).

        This improves SixSpeed/object-assign.es6 by ~4% on MacBook Pro. And this patch does not cause
        regressions of the existing tests.

                                           baseline                  patched
        Kraken:
            json-parse-financial        35.522+-0.069      ^      34.708+-0.097         ^ definitely 1.0234x faster

        SixSpeed:
            object-assign.es6         145.8779+-0.2838     ^    140.1019+-0.8007        ^ definitely 1.0412x faster

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByValInternal):
        (JSC::DFG::putByValCellInternal):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ClassInfo.h:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectWithReify):
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):
        * runtime/JSCell.cpp:
        (JSC::JSCell::reifyPropertyNameIfNeeded): Deleted.
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::reifyPropertyNameIfNeeded): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectNonIndexAccessor):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):

2018-05-17  Saam Barati  <sbarati@apple.com>

        Unreviewed. Try to fix windows build.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):

2018-05-16  Saam Barati  <sbarati@apple.com>

        UnlinkedFunctionExecutable doesn't need a parent source override field since it's only used for default class constructors
        https://bugs.webkit.org/show_bug.cgi?id=185637

        Reviewed by Keith Miller.

        We had this general mechanism for overriding an UnlinkedFunctionExecutable's parent
        source code. However, we were only using this for default class constructors. There
        are only two types of default class constructors. This patch makes it so that
        we just store this information inside of a single bit, and ask for the source
        code as needed instead of holding it in a nullable field that is 24 bytes in size.

        This brings UnlinkedFunctionExecutable's size down from 184 bytes to 160 bytes.
        This has the consequence of making it allocated out of a 160 byte size class
        instead of a 224 byte size class. This should bring down its memory footprint
        by ~40%.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):
        (JSC::BuiltinExecutables::createDefaultConstructor):
        (JSC::BuiltinExecutables::createExecutable):
        * builtins/BuiltinExecutables.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2018-05-16  Saam Barati  <sbarati@apple.com>

        VM::shrinkFootprint should call collectNow(Sync) instead of collectSync so it also eagerly sweeps
        https://bugs.webkit.org/show_bug.cgi?id=185707

        Reviewed by Mark Lam.

        * runtime/VM.cpp:
        (JSC::VM::shrinkFootprint):

2018-05-16  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "/" operation
        https://bugs.webkit.org/show_bug.cgi?id=183996

        Reviewed by Yusuke Suzuki.

        This patch introduces support for BigInt in the divide
        operation in the LLInt and JIT layers.

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::copy):
        (JSC::JSBigInt::unaryMinus):
        (JSC::JSBigInt::absoluteCompare):
        (JSC::JSBigInt::absoluteDivLarge):
        (JSC::JSBigInt::productGreaterThan):
        (JSC::JSBigInt::inplaceAdd):
        (JSC::JSBigInt::inplaceSub):
        (JSC::JSBigInt::inplaceRightShift):
        (JSC::JSBigInt::specialLeftShift):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:

2018-05-16  Saam Barati  <sbarati@apple.com>

        Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
        https://bugs.webkit.org/show_bug.cgi?id=185670

        Reviewed by Yusuke Suzuki.

        This patch makes it so that we constant fold CheckTypeInfoFlags for
        ImplementsDefaultHasInstance inside of AI/constant folding. We constant
        fold in three ways:
        - When the incoming value is a constant, we just look at its inline type
        flags. Since those flags never change after an object is created, this
        is sound.
        - Based on the incoming value having a finite structure set. We just iterate
        all structures and ensure they have the bit set.
        - Based on speculated type. To do this, I split up SpecFunction into two
        subheaps where one is for functions that have the bit set, and one for
        functions that don't have the bit set. The latter is currently only comprised
        of JSBoundFunctions. To constant fold, we check that the incoming
        value only has the SpecFunction type with ImplementsDefaultHasInstance set.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::assertTypeInfoFlagInvariants):
        * runtime/JSFunction.h:
        (JSC::JSFunction::assertTypeInfoFlagInvariants):
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::JSFunction):

2018-05-16  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: create a navigation item for toggling the overlay rulers/guides
        https://bugs.webkit.org/show_bug.cgi?id=185644

        Reviewed by Matt Baker.

        * inspector/protocol/OverlayTypes.json:
        * inspector/protocol/Page.json:

2018-05-16  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231845.
        https://bugs.webkit.org/show_bug.cgi?id=185702

        it is breaking Apple High Sierra 32-bit JSC bot (Requested by
        caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "/" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183996
        https://trac.webkit.org/changeset/231845

2018-05-16  Filip Pizlo  <fpizlo@apple.com>

        DFG models InstanceOf incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=185694

        Reviewed by Keith Miller.

        Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
        hoist it.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:

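As an added illustration (not part of this ChangeLog or of WebKit's own code), the following JavaScript shows from the script side what the entry above relies on: a Proxy's getPrototypeOf trap runs user code on every `instanceof`, and either that trap or a `Symbol.hasInstance` hook can throw, so the operation is neither pure nor safe to hoist or eliminate. The function names `observeInstanceOf`, `instanceOfCanThrow` and `prototypeWalkCanThrow` are this example's own.

```javascript
// Added example, not WebKit code: why `instanceof` has observable effects.

// The getPrototypeOf trap runs each time OrdinaryHasInstance walks the
// prototype chain, so even a repeated check with an unchanged result is
// observable and cannot be treated as a pure, cacheable computation.
function observeInstanceOf() {
  const trapCalls = [];
  // Constructed sample: an ordinary object behind a Proxy that logs the walk.
  const proxied = new Proxy({}, {
    getPrototypeOf(target) {
      trapCalls.push('getPrototypeOf');
      return Object.getPrototypeOf(target);
    },
  });
  class C {}
  const first = proxied instanceof C;   // false: chain is Object.prototype -> null
  const second = proxied instanceof C;  // false again, and the trap ran a second time
  return { first, second, trapCalls: trapCalls.length };
}

// A right-hand side whose Symbol.hasInstance throws. The result is unused,
// yet the exception must still be raised, and only after the statements that
// precede it in the loop body: the check can be neither dead-code-eliminated
// nor hoisted out of the loop.
function instanceOfCanThrow() {
  const Hostile = {
    [Symbol.hasInstance]() {
      throw new RangeError('hasInstance ran');
    },
  };
  const sideEffects = [];
  try {
    for (let i = 0; i < 3; i++) {
      sideEffects.push(i);            // observed exactly once before the throw
      const unused = ({}) instanceof Hostile;
      void unused;
    }
    return { threw: false, sideEffects };
  } catch (e) {
    return { threw: e instanceof RangeError, sideEffects };
  }
}

// The same concern on the default path (no Symbol.hasInstance override):
// the prototype walk itself can throw when the left operand is a Proxy.
function prototypeWalkCanThrow() {
  const proxied = new Proxy({}, {
    getPrototypeOf() { throw new TypeError('prototype walk observed'); },
  });
  class C {}
  try {
    return { result: proxied instanceof C, threw: false };
  } catch (e) {
    return { result: undefined, threw: e instanceof TypeError };
  }
}
```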
605 2018-05-16  Andy VanWagoner  <andy@vanwagoner.family>
606
607         Add support for Intl NumberFormat formatToParts
608         https://bugs.webkit.org/show_bug.cgi?id=185375
609
610         Reviewed by Yusuke Suzuki.
611
612         Add flag for NumberFormat formatToParts. Implement formatToParts using
613         unum_formatDoubleForFields. Because the fields are nested and come back
614         in no guaranteed order, the simple algorithm to convert them to the
615         desired format is roughly O(n^2). However, even with Number.MAX_VALUE
616         it appears to perform well enough for the initial implementation. Another
617         issue has been created to improve this algorithm.
618
619         This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
620         on macOS, since only v57 is available.
621
622         * Configurations/FeatureDefines.xcconfig:
623         * runtime/IntlNumberFormat.cpp:
624         (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
625         (JSC::IntlNumberFormat::partTypeString):
626         (JSC::IntlNumberFormat::formatToParts):
627         * runtime/IntlNumberFormat.h:
628         * runtime/IntlNumberFormatPrototype.cpp:
629         (JSC::IntlNumberFormatPrototype::create):
630         (JSC::IntlNumberFormatPrototype::finishCreation):
631         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
632         * runtime/IntlNumberFormatPrototype.h:
633         * runtime/Options.h:
634
635 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
636
637         [ESNext][BigInt] Implement support for "/" operation
638         https://bugs.webkit.org/show_bug.cgi?id=183996
639
640         Reviewed by Yusuke Suzuki.
641
642         This patch is introducing the support for BigInt into divide
643         operation int LLInt and JIT layers.
644
645         * dfg/DFGOperations.cpp:
646         * runtime/CommonSlowPaths.cpp:
647         (JSC::SLOW_PATH_DECL):
648         * runtime/JSBigInt.cpp:
649         (JSC::JSBigInt::divide):
650         (JSC::JSBigInt::copy):
651         (JSC::JSBigInt::unaryMinus):
652         (JSC::JSBigInt::absoluteCompare):
653         (JSC::JSBigInt::absoluteDivLarge):
654         (JSC::JSBigInt::productGreaterThan):
655         (JSC::JSBigInt::inplaceAdd):
656         (JSC::JSBigInt::inplaceSub):
657         (JSC::JSBigInt::inplaceRightShift):
658         (JSC::JSBigInt::specialLeftShift):
659         (JSC::JSBigInt::digit):
660         (JSC::JSBigInt::setDigit):
661         * runtime/JSBigInt.h:
662
663 2018-05-16  Alberto Garcia  <berto@igalia.com>
664
665         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
666         https://bugs.webkit.org/show_bug.cgi?id=182622
667
668         Reviewed by Michael Catanzaro.
669
670         We were linking JavaScriptCore against libatomic in MIPS because
671         in that architecture __atomic_fetch_add_8() is not a compiler
672         intrinsic and is provided by that library instead. However other
673         architectures (e.g armel) are in the same situation, so we need a
674         generic test.
675
676         That test already exists in WebKit/CMakeLists.txt, so we just have
677         to move it to a common file (WebKitCompilerFlags.cmake) and use
678         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
679
680         * CMakeLists.txt:
681
682 2018-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
683
684         [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
685         https://bugs.webkit.org/show_bug.cgi?id=185601
686
687         Reviewed by Saam Barati.
688
689         Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData
690         before calling getCallData when we would like to check whether a given object is callable
691         since getCallData is a virtual call. When we call the object anyway, directly calling getCallData
692         is fine. But if we would like to check whether the object is callable, we can have non
693         callable objects frequently. In that case, we should not call getCallData if we can avoid it.
694
695         To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
696         and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
697         OverridesGetCallData checking before calling getCallData.
698
699         We found that this virtual call exists in JSON.stringify's critical path. Checking
700         OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.
701
702                                                baseline                  patched
703
704             json-stringify-tinderbox        38.807+-0.350      ^      37.216+-0.337         ^ definitely 1.0427x faster
705
706         In addition to that, we also add OverridesGetCallData flag to JSFunction while we keep JSFunctionType checking fast path
707         since major cases are covered by this fast JSFunctionType checking.
708
709         * API/JSCallbackObject.h:
710         * dfg/DFGAbstractInterpreterInlines.h:
711         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
712         * dfg/DFGOperations.cpp:
713         * dfg/DFGSpeculativeJIT.cpp:
714         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
715         (JSC::DFG::SpeculativeJIT::compileIsFunction):
716         * ftl/FTLLowerDFGToB3.cpp:
717         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
718         * jit/AssemblyHelpers.h:
719         (JSC::AssemblyHelpers::emitTypeOf):
720         * runtime/ExceptionHelpers.cpp:
721         (JSC::createError):
722         (JSC::createInvalidFunctionApplyParameterError):
723         * runtime/FunctionPrototype.cpp:
724         (JSC::functionProtoFuncToString):
725         * runtime/InternalFunction.h:
726         * runtime/JSCJSValue.h:
727         * runtime/JSCJSValueInlines.h:
728         (JSC::JSValue::isFunction const):
729         (JSC::JSValue::isCallable const):
730         * runtime/JSCell.h:
731         * runtime/JSCellInlines.h:
732         (JSC::JSCell::isFunction):
733         ALWAYS_INLINE works well for my environment.
734         (JSC::JSCell::isCallable):
735         * runtime/JSFunction.h:
736         * runtime/JSONObject.cpp:
737         (JSC::Stringifier::toJSON):
738         (JSC::Stringifier::toJSONImpl):
739         (JSC::Stringifier::appendStringifiedValue):
740         * runtime/JSObjectInlines.h:
741         (JSC::createListFromArrayLike):
742         * runtime/JSTypeInfo.h:
743         (JSC::TypeInfo::overridesGetCallData const):
744         (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted.
745         * runtime/Operations.cpp:
746         (JSC::jsTypeStringForValue):
747         (JSC::jsIsObjectTypeOrNull):
748         * runtime/ProxyObject.h:
749         * runtime/RuntimeType.cpp:
750         (JSC::runtimeTypeForValue):
751         * runtime/RuntimeType.h:
752         * runtime/Structure.cpp:
753         (JSC::Structure::Structure):
754         * runtime/TypeProfilerLog.cpp:
755         (JSC::TypeProfilerLog::TypeProfilerLog):
756         (JSC::TypeProfilerLog::processLogEntries):
757         * runtime/TypeProfilerLog.h:
758         * runtime/VM.cpp:
759         (JSC::VM::enableTypeProfiler):
760         * tools/JSDollarVM.cpp:
761         (JSC::functionFindTypeForExpression):
762         (JSC::functionReturnTypeFor):
763         (JSC::functionHasBasicBlockExecuted):
764         (JSC::functionBasicBlockExecutionCount):
765         * wasm/js/JSWebAssemblyHelpers.h:
766         (JSC::getWasmBufferFromValue):
767         * wasm/js/JSWebAssemblyInstance.cpp:
768         (JSC::JSWebAssemblyInstance::create):
769         * wasm/js/WebAssemblyFunction.cpp:
770         (JSC::callWebAssemblyFunction):
771         * wasm/js/WebAssemblyInstanceConstructor.cpp:
772         (JSC::constructJSWebAssemblyInstance):
773         * wasm/js/WebAssemblyModuleRecord.cpp:
774         (JSC::WebAssemblyModuleRecord::link):
775         * wasm/js/WebAssemblyPrototype.cpp:
776         (JSC::webAssemblyInstantiateFunc):
777         (JSC::webAssemblyInstantiateStreamingInternal):
778         * wasm/js/WebAssemblyWrapperFunction.cpp:
779         (JSC::WebAssemblyWrapperFunction::finishCreation):
780
781 2018-05-15  Devin Rousso  <webkit@devinrousso.com>
782
783         Web Inspector: Add rulers and guides
784         https://bugs.webkit.org/show_bug.cgi?id=32263
785         <rdar://problem/19281564>
786
787         Reviewed by Matt Baker.
788
789         * inspector/protocol/OverlayTypes.json:
790
791 2018-05-14  Keith Miller  <keith_miller@apple.com>
792
793         Remove butterflyMask from DFGAbstractHeap
794         https://bugs.webkit.org/show_bug.cgi?id=185640
795
796         Reviewed by Saam Barati.
797
798         We don't have a butterfly indexing mask anymore so we don't need
799         the abstract heap information for it anymore.
800
801         * dfg/DFGAbstractHeap.h:
802         * dfg/DFGClobberize.h:
803         (JSC::DFG::clobberize):
804
805 2018-05-14  Andy VanWagoner  <andy@vanwagoner.family>
806
807         [INTL] Handle error in defineProperty for supported locales length
808         https://bugs.webkit.org/show_bug.cgi?id=185623
809
810         Reviewed by Saam Barati.
811
812         Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the
813         length of the supported locales array.
814
815         * runtime/IntlObject.cpp:
816         (JSC::supportedLocales):
817
818 2018-05-14  Yusuke Suzuki  <utatane.tea@gmail.com>
819
820         [JSC] Tweak LiteralParser to improve lexing performance
821         https://bugs.webkit.org/show_bug.cgi?id=185541
822
823         Reviewed by Saam Barati.
824
825         This patch attempts to improve LiteralParser performance.
826
827         This patch improves Kraken/json-parse-financial by roughly ~10%.
828                                            baseline                  patched
829
830             json-parse-financial        65.810+-1.591      ^      59.943+-1.784         ^ definitely 1.0979x faster
831
832         * parser/Lexer.cpp:
833         (JSC::Lexer<T>::Lexer):
834         * runtime/ArgList.h:
835         (JSC::MarkedArgumentBuffer::takeLast):
836         Add takeLast() for idiomatic last() + removeLast() calls.
837
838         * runtime/LiteralParser.cpp:
839         (JSC::LiteralParser<CharType>::Lexer::lex):
840         Do not have mode in its template parameter. While lex function is large, this mode is not used in a critical path.
841         We should not include this mode in its template parameter to reduce the code size.
842         And we do not use template parameter for a terminator since duplicating ' and " code for lexString is not good.
843         Also, we construct a TokenType table to remove a bunch of unnecessary switch cases.
844
845         (JSC::LiteralParser<CharType>::Lexer::next):
846         (JSC::isSafeStringCharacter):
847         Take mode in its template parameter. But do not take terminator character in its template parameter.
848
849         (JSC::LiteralParser<CharType>::Lexer::lexString):
850         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
851         Duplicate while statements manually since this is a critical path.
852
853         (JSC::LiteralParser<CharType>::parse):
854         Use takeLast().
855
856         * runtime/LiteralParser.h:
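
        The lexer shape this entry describes, as an added example that is not JSC's
        LiteralParser: a token table indexed by char code instead of a switch over
        characters, a lexString fast path that only scans "safe" string characters, and
        a lexStringSlow path that handles escapes and rejects control characters. Names
        (TOKEN_TABLE, tokenize, isSafeStringCharacter, lexStringSlow) are this example's own.

```javascript
// Added example, not JSC's LiteralParser: a JSON lexer shaped the way the
// entry describes. A 256-entry token table indexed by char code replaces a
// switch over characters; lexString has a fast path over "safe" characters
// and lexStringSlow handles escapes and rejects raw control characters.

const TOK = {
  LBRACE: 'LBRACE', RBRACE: 'RBRACE', LBRACKET: 'LBRACKET', RBRACKET: 'RBRACKET',
  COLON: 'COLON', COMMA: 'COMMA', STRING: 'STRING', NUMBER: 'NUMBER',
  TRUE: 'TRUE', FALSE: 'FALSE', NULL: 'NULL', END: 'END', ERROR: 'ERROR',
};

// Token table built once; every byte value not listed is a lexing error.
const TOKEN_TABLE = new Array(256).fill(TOK.ERROR);
for (const [ch, type] of [['{', TOK.LBRACE], ['}', TOK.RBRACE], ['[', TOK.LBRACKET],
  [']', TOK.RBRACKET], [':', TOK.COLON], [',', TOK.COMMA], ['"', TOK.STRING],
  ['-', TOK.NUMBER], ['t', TOK.TRUE], ['f', TOK.FALSE], ['n', TOK.NULL]]) {
  TOKEN_TABLE[ch.charCodeAt(0)] = type;
}
for (let d = 0x30; d <= 0x39; d++) TOKEN_TABLE[d] = TOK.NUMBER;
const WHITESPACE = new Set([0x20, 0x09, 0x0a, 0x0d]);

// A safe string character needs no escape processing: not '"', not '\', not a control.
function isSafeStringCharacter(c) {
  return c >= 0x20 && c !== 0x22 && c !== 0x5c;
}

// Fast path: scan safe characters and stop at the closing quote. Anything else
// (escape, control character, end of input) falls through to the slow path.
function lexString(src, pos) {
  const start = pos;
  while (pos < src.length && isSafeStringCharacter(src.charCodeAt(pos))) pos++;
  if (src.charCodeAt(pos) === 0x22) return { value: src.slice(start, pos), end: pos + 1 };
  return lexStringSlow(src, start, pos);
}

const SIMPLE_ESCAPES = new Map([['"', '"'], ['\\', '\\'], ['/', '/'], ['b', '\b'],
  ['f', '\f'], ['n', '\n'], ['r', '\r'], ['t', '\t']]);

function lexStringSlow(src, start, pos) {
  let out = src.slice(start, pos);
  while (pos < src.length) {
    const c = src.charCodeAt(pos);
    if (c === 0x22) return { value: out, end: pos + 1 };
    if (c < 0x20) throw new SyntaxError(`control character in string at ${pos}`);
    if (c !== 0x5c) { out += src[pos++]; continue; }
    const e = src[pos + 1];
    pos += 2;
    if (SIMPLE_ESCAPES.has(e)) { out += SIMPLE_ESCAPES.get(e); continue; }
    const hex = src.slice(pos, pos + 4);
    if (e !== 'u' || !/^[0-9a-fA-F]{4}$/.test(hex)) {
      throw new SyntaxError(`bad escape at ${pos - 2}`);
    }
    out += String.fromCharCode(parseInt(hex, 16));
    pos += 4;
  }
  throw new SyntaxError('unterminated string');
}

function lexNumber(src, pos) {
  const m = /^-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?/.exec(src.slice(pos));
  if (!m) throw new SyntaxError(`bad number at ${pos}`);
  return { value: Number(m[0]), end: pos + m[0].length };
}

const KEYWORDS = new Map([[TOK.TRUE, ['true', true]], [TOK.FALSE, ['false', false]],
  [TOK.NULL, ['null', null]]]);

function lexKeyword(src, pos, word) {
  if (!src.startsWith(word, pos)) throw new SyntaxError(`bad literal at ${pos}`);
  return pos + word.length;
}

// Produces a flat token list; the table lookup decides which lexer to call.
function tokenize(src) {
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    const c = src.charCodeAt(pos);
    if (WHITESPACE.has(c)) { pos++; continue; }
    const type = c < 256 ? TOKEN_TABLE[c] : TOK.ERROR;
    if (type === TOK.ERROR) throw new SyntaxError(`unexpected character at ${pos}`);
    if (type === TOK.STRING) {
      const r = lexString(src, pos + 1);
      tokens.push({ type, value: r.value });
      pos = r.end;
    } else if (type === TOK.NUMBER) {
      const r = lexNumber(src, pos);
      tokens.push({ type, value: r.value });
      pos = r.end;
    } else if (KEYWORDS.has(type)) {
      const [word, value] = KEYWORDS.get(type);
      pos = lexKeyword(src, pos, word);
      tokens.push({ type, value });
    } else {
      tokens.push({ type });
      pos++;
    }
  }
  tokens.push({ type: TOK.END });
  return tokens;
}
```

        The fast path never builds a new string; it slices the input once the closing
        quote is found, and only the slow path appends character by character.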
857
858 2018-05-14  Dominik Infuehr  <dinfuehr@igalia.com>
859
860         [MIPS] Use btpz to compare against 0 instead of bpeq
861         https://bugs.webkit.org/show_bug.cgi?id=185607
862
863         Reviewed by Yusuke Suzuki.
864
865         Fixes build on MIPS since MIPS doesn't have an instruction to
866         compare a register against an immediate. Since the immediate is just 0
867         in this case the simplest solution is just to use btpz instead of bpeq
868         to compare to 0.
869
870         * llint/LowLevelInterpreter.asm:
871
872 2018-05-12  Filip Pizlo  <fpizlo@apple.com>
873
874         CachedCall::call() should be faster
875         https://bugs.webkit.org/show_bug.cgi?id=185583
876
877         Reviewed by Yusuke Suzuki.
878         
879         CachedCall is an optimization for String.prototype.replace(r, f) where f is a function.
880         Unfortunately, because of a combination of abstraction and assertions, this code path had a
881         lot of overhead. This patch reduces this overhead by:
882         
883         - Turning off some assertions. These assertions don't look to have security value; they're
884           mostly for sanity. I turned off stack alignment checks and VM state checks having to do
885           with whether the JSLock is held. The JSLock checks are not relevant when doing a cached
886           call, considering that the caller would have already been strongly assuming that the JSLock
887           is held.
888         
889         - Making more things inlineable.
890         
891         This looks like a small (4% ish) speed-up on SunSpider/string-unpack-code.
892
893         * JavaScriptCore.xcodeproj/project.pbxproj:
894         * interpreter/CachedCall.h:
895         (JSC::CachedCall::call):
896         * interpreter/Interpreter.cpp:
897         (JSC::checkedReturn): Deleted.
898         * interpreter/Interpreter.h:
899         (JSC::Interpreter::checkedReturn):
900         * interpreter/InterpreterInlines.h:
901         (JSC::Interpreter::execute):
902         * jit/JITCode.cpp:
903         (JSC::JITCode::execute): Deleted.
904         * jit/JITCodeInlines.h: Added.
905         (JSC::JITCode::execute):
906         * llint/LowLevelInterpreter.asm:
907         * runtime/StringPrototype.cpp:
908
909 2018-05-13  Andy VanWagoner  <andy@vanwagoner.family>
910
911         [INTL] Improve spec & test262 compliance for Intl APIs
912         https://bugs.webkit.org/show_bug.cgi?id=185578
913
914         Reviewed by Yusuke Suzuki.
915
916         Use putDirectIndex over push for lists to arrays.
917         Update default options to construct with a null prototype.
918         Define constructor and toStringTag on prototypes.
919         Add proper time clipping.
920         Remove some outdated comment spec text, use url instead.
921
922         * runtime/IntlCollator.cpp:
923         (JSC::IntlCollator::initializeCollator):
924         * runtime/IntlCollatorConstructor.cpp:
925         (JSC::IntlCollatorConstructor::finishCreation):
926         * runtime/IntlCollatorPrototype.cpp:
927         (JSC::IntlCollatorPrototype::finishCreation):
928         * runtime/IntlDateTimeFormatConstructor.cpp:
929         (JSC::IntlDateTimeFormatConstructor::finishCreation):
930         * runtime/IntlDateTimeFormatPrototype.cpp:
931         (JSC::IntlDateTimeFormatPrototype::finishCreation):
932         (JSC::IntlDateTimeFormatFuncFormatDateTime):
933         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
934         * runtime/IntlNumberFormat.cpp:
935         (JSC::IntlNumberFormat::initializeNumberFormat):
936         * runtime/IntlNumberFormatConstructor.cpp:
937         (JSC::IntlNumberFormatConstructor::finishCreation):
938         * runtime/IntlNumberFormatPrototype.cpp:
939         (JSC::IntlNumberFormatPrototype::finishCreation):
940         * runtime/IntlObject.cpp:
941         (JSC::lookupSupportedLocales):
942         (JSC::supportedLocales):
943         (JSC::intlObjectFuncGetCanonicalLocales):
944         * runtime/IntlPluralRules.cpp:
945         (JSC::IntlPluralRules::resolvedOptions):
946         * runtime/IntlPluralRulesConstructor.cpp:
947         (JSC::IntlPluralRulesConstructor::finishCreation):
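
        Two of the spec steps behind this entry, as an added example that is not JSC's
        Intl code: GetOption over a null-prototype default options object (so a polluted
        Object.prototype cannot feed values into an Intl constructor) and TimeClip. The
        function names getOption, defaultOptions, demoPollutedPrototype and timeClip are
        this example's own; it runs without ICU.

```javascript
// Added example, not JSC's IntlObject code: the "null prototype default
// options" and "proper time clipping" steps in plain JavaScript.
// getOption follows ECMA-402 GetOption; timeClip follows ECMA-262 TimeClip.

function getOption(options, property, type, values, fallback) {
  let value = options[property];
  if (value === undefined) return fallback;
  if (type === 'boolean') value = Boolean(value);
  else if (type === 'string') value = String(value);
  else throw new TypeError(`unsupported option type ${type}`);
  if (values !== undefined && !values.includes(value)) {
    throw new RangeError(`invalid value for ${property}: ${value}`);
  }
  return value;
}

// Spec default when the caller passes no options: ObjectCreate(null), so
// nothing on Object.prototype is reachable from getOption's lookup.
function defaultOptions(options) {
  if (options === undefined) return Object.create(null);
  if (options === null) throw new TypeError('options cannot be null');
  return Object(options);
}

// Reads localeMatcher while Object.prototype carries an injected value: once
// through a plain {} default, once through the null-prototype default.
function demoPollutedPrototype() {
  Object.defineProperty(Object.prototype, 'localeMatcher', {
    value: 'lookup', writable: true, configurable: true,
  });
  try {
    const matchers = ['lookup', 'best fit'];
    return {
      viaPlainObject: getOption({}, 'localeMatcher', 'string', matchers, 'best fit'),
      viaNullProto: getOption(defaultOptions(undefined), 'localeMatcher', 'string',
        matchers, 'best fit'),
    };
  } finally {
    delete Object.prototype.localeMatcher; // constructed pollution, cleaned up
  }
}

// TimeClip: NaN for non-finite or out-of-range times (|t| > 8.64e15 ms),
// otherwise truncated toward zero with -0 normalised to +0.
function timeClip(time) {
  if (!Number.isFinite(time) || Math.abs(time) > 8.64e15) return NaN;
  return Math.trunc(time) + 0;
}
```

        With the null-prototype default the injected localeMatcher is invisible and the
        fallback is used; with a plain object it would be picked up through the chain.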
948
949 2018-05-11  Caio Lima  <ticaiolima@gmail.com>
950
951         [ESNext][BigInt] Implement support for "*" operation
952         https://bugs.webkit.org/show_bug.cgi?id=183721
953
954         Reviewed by Yusuke Suzuki.
955
956         Added BigInt support to the times binary operator in LLInt and in the
957         JITOperations profiledMul and unprofiledMul. We are also replacing all
958         uses of int with unsigned when there are no negative values for
959         variables.
960
961         * dfg/DFGConstantFoldingPhase.cpp:
962         (JSC::DFG::ConstantFoldingPhase::foldConstants):
963         * jit/JITOperations.cpp:
964         * runtime/CommonSlowPaths.cpp:
965         (JSC::SLOW_PATH_DECL):
966         * runtime/JSBigInt.cpp:
967         (JSC::JSBigInt::JSBigInt):
968         (JSC::JSBigInt::allocationSize):
969         (JSC::JSBigInt::createWithLength):
970         (JSC::JSBigInt::toString):
971         (JSC::JSBigInt::multiply):
972         (JSC::JSBigInt::digitDiv):
973         (JSC::JSBigInt::internalMultiplyAdd):
974         (JSC::JSBigInt::multiplyAccumulate):
975         (JSC::JSBigInt::equals):
976         (JSC::JSBigInt::absoluteDivSmall):
977         (JSC::JSBigInt::calculateMaximumCharactersRequired):
978         (JSC::JSBigInt::toStringGeneric):
979         (JSC::JSBigInt::rightTrim):
980         (JSC::JSBigInt::allocateFor):
981         (JSC::JSBigInt::parseInt):
982         (JSC::JSBigInt::digit):
983         (JSC::JSBigInt::setDigit):
984         * runtime/JSBigInt.h:
985         * runtime/JSCJSValue.h:
986         * runtime/JSCJSValueInlines.h:
987         (JSC::JSValue::toNumeric const):
988         * runtime/Operations.h:
989         (JSC::jsMul):
990
991 2018-05-11  Commit Queue  <commit-queue@webkit.org>
992
993         Unreviewed, rolling out r231316 and r231332.
994         https://bugs.webkit.org/show_bug.cgi?id=185564
995
996         Appears to be a Speedometer2/MotionMark regression (Requested
997         by keith_miller on #webkit).
998
999         Reverted changesets:
1000
1001         "Remove the prototype caching for get_by_id in the LLInt"
1002         https://bugs.webkit.org/show_bug.cgi?id=185226
1003         https://trac.webkit.org/changeset/231316
1004
1005         "Unreviewed, fix 32-bit profile offset for change in bytecode"
1006         https://trac.webkit.org/changeset/231332
1007
1008 2018-05-11  Michael Saboff  <msaboff@apple.com>
1009
1010         [DFG] Compiler uses incorrect output register for NumberIsInteger operation
1011         https://bugs.webkit.org/show_bug.cgi?id=185328
1012
1013         Reviewed by Keith Miller.
1014
1015         Fixed a typo from when this code was added in r228968 where resultGPR
1016         was assigned the input register instead of the result.gpr().
1017
1018         * dfg/DFGSpeculativeJIT64.cpp:
1019         (JSC::DFG::SpeculativeJIT::compile):
1020
1021 2018-05-11  Saam Barati  <sbarati@apple.com>
1022
1023         Don't use inferred types when the JIT is disabled
1024         https://bugs.webkit.org/show_bug.cgi?id=185539
1025
1026         Reviewed by Yusuke Suzuki.
1027
1028         There are many JSC API clients that run with the JIT disabled. They were
1029         all allocating and tracking inferred types for no benefit. Inferred types
1030         only benefit programs when they make it to the DFG/FTL. I was seeing cases
1031         where the inferred type machinery used ~0.5MB. This patch makes it so we
1032         don't allocate that machinery when the JIT is disabled.
1033
1034         * runtime/Structure.cpp:
1035         (JSC::Structure::willStoreValueSlow):
1036         * runtime/Structure.h:
1037
1038 2018-05-11  Saam Barati  <sbarati@apple.com>
1039
1040         Don't allocate value profiles when the JIT is disabled
1041         https://bugs.webkit.org/show_bug.cgi?id=185525
1042
1043         Reviewed by Michael Saboff.
1044
1045         There are many JSC API clients that run with the JIT disabled. We were
1046         still allocating a ton of value profiles in this use case even though
1047         these clients get no benefit from doing value profiling. This patch makes
1048         it so that we don't allocate value profiles or argument value profiles
1049         when we're not using the JIT. We now just make all value profiles in
1050         the instruction stream point to a global value profile that the VM owns.
1051         And we make the argument value profile array have zero length and teach
1052         the LLInt how to handle that. Heap clears the global value profile on each GC.
1053
1054         In an app that I'm testing this against, this saves ~1MB of memory.
1055
1056         * bytecode/CodeBlock.cpp:
1057         (JSC::CodeBlock::finishCreation):
1058         (JSC::CodeBlock::setNumParameters):
1059         * bytecode/CodeBlock.h:
1060         (JSC::CodeBlock::numberOfArgumentValueProfiles):
1061         (JSC::CodeBlock::valueProfileForArgument):
1062         * bytecompiler/BytecodeGenerator.cpp:
1063         (JSC::BytecodeGenerator::emitProfiledOpcode):
1064         * heap/Heap.cpp:
1065         (JSC::Heap::runEndPhase):
1066         * llint/LowLevelInterpreter.asm:
1067         * runtime/VM.cpp:
1068         (JSC::VM::VM):
1069         * runtime/VM.h:
1070
1071 2018-05-10  Carlos Garcia Campos  <cgarcia@igalia.com>
1072
1073         [JSC][GLIB] Add introspectable alternatives to functions using varargs
1074         https://bugs.webkit.org/show_bug.cgi?id=185508
1075
1076         Reviewed by Michael Catanzaro.
1077
1078         * API/glib/JSCClass.cpp:
1079         (jscClassCreateConstructor):
1080         (jsc_class_add_constructor):
1081         (jsc_class_add_constructorv):
1082         (jscClassAddMethod):
1083         (jsc_class_add_method):
1084         (jsc_class_add_methodv):
1085         * API/glib/JSCClass.h:
1086         * API/glib/JSCValue.cpp:
1087         (jsObjectCall):
1088         (jscValueCallFunction):
1089         (jsc_value_object_invoke_methodv):
1090         (jscValueFunctionCreate):
1091         (jsc_value_new_function):
1092         (jsc_value_new_functionv):
1093         (jsc_value_function_callv):
1094         (jsc_value_constructor_callv):
1095         * API/glib/JSCValue.h:
1096         * API/glib/docs/jsc-glib-4.0-sections.txt:
1097
1098 2018-05-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1099
1100         [JSC] Make return types of construction functions tight
1101         https://bugs.webkit.org/show_bug.cgi?id=185509
1102
1103         Reviewed by Saam Barati.
1104
1105         Array and Object construction functions should return strict types instead of returning JSObject*/JSValue.
1106
1107         * runtime/ArrayConstructor.cpp:
1108         (JSC::constructArrayWithSizeQuirk):
1109         * runtime/ArrayConstructor.h:
1110         * runtime/ObjectConstructor.h:
1111         (JSC::constructEmptyObject):
1112
1113 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1114
1115         [JSC] Object.assign for final objects should be faster
1116         https://bugs.webkit.org/show_bug.cgi?id=185348
1117
1118         Reviewed by Saam Barati.
1119
1120         Object.assign is so heavily used to clone an object. For example, speedometer react-redux can be significantly
1121         improved if Object.assign becomes fast. It is worth adding a complex fast path to accelerate the major use cases.
1122
1123         If enumerating properties of source objects and putting properties to target object are non observable,
1124         we can avoid hash table looking up of source object properties. We can enumerate object property entries,
1125         and put them to target object. This patch adds this fast path to Object.assign implementation.
1126
1127         When enumerating properties, we need to ensure that the given |source| object does not include "__proto__"
1128         property since we cannot perform fast [[Put]] for the |target| object. We add a new flag
1129         "HasUnderscoreProtoPropertyExcludingOriginalProto" to Structure to track this state.
1130
1131         This improves object-assign.es6 by 1.85x.
1132
1133                                         baseline                  patched
1134
1135             object-assign.es6      368.6132+-8.3508     ^    198.8775+-4.9042        ^ definitely 1.8535x faster
1136
1137         And Speedometer2.0 React-Redux-TodoMVC's total time is improved from 490ms to 431ms.
1138
1139         * runtime/JSObject.h:
1140         * runtime/JSObjectInlines.h:
1141         (JSC::JSObject::canPerformFastPutInlineExcludingProto):
1142         (JSC::JSObject::canPerformFastPutInline):
1143         * runtime/ObjectConstructor.cpp:
1144         (JSC::objectConstructorAssign):
1145         * runtime/Structure.cpp:
1146         (JSC::Structure::Structure):
1147         * runtime/Structure.h:
1148         * runtime/StructureInlines.h:
1149         (JSC::Structure::forEachProperty):
1150         (JSC::Structure::add):
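
        Why an own "__proto__" property on the source has to disqualify the fast path, as
        an added example that is not JSC's Object.assign implementation. Object.assign
        performs a [[Set]] per key on the target, so "__proto__" reaches the inherited
        Object.prototype.__proto__ setter and replaces the target's prototype; a fast put
        that copied the property entry as an own property would behave differently. The
        sample source object and the helper names (assignViaSet, assignViaDefine,
        assignOntoNullPrototype, hasOwnUnderscoreProto) are this example's own.

```javascript
// Added example, not JSC's Object.assign fast path: the observable difference
// between per-key [[Set]] and a naive "fast put" when the source has an own
// "__proto__" property, which is the case the new structure flag detects.

// Constructed input: JSON.parse is the usual way untrusted data ends up with
// an own "__proto__" key rather than the inherited accessor.
const SOURCE = JSON.parse('{"__proto__": {"polluted": true}, "x": 1}');

function hasOwnUnderscoreProto(obj) {
  return Object.prototype.hasOwnProperty.call(obj, '__proto__');
}

// Generic path: per-key [[Set]] on an ordinary target. "__proto__" hits the
// setter on Object.prototype and swaps the target's prototype.
function assignViaSet(source) {
  const target = {};
  Object.assign(target, source);
  return {
    ownKeys: Object.keys(target),
    prototypeReplaced: Object.getPrototypeOf(target) !== Object.prototype,
    inherited: target.polluted,
  };
}

// What a fast put that copies property entries would do: "__proto__" becomes
// an own data property and the prototype is left alone.
function assignViaDefine(source) {
  const target = {};
  for (const key of Object.keys(source)) {
    Object.defineProperty(target, key, {
      value: source[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return {
    ownKeys: Object.keys(target),
    prototypeReplaced: Object.getPrototypeOf(target) !== Object.prototype,
    inherited: target.polluted,
  };
}

// With no __proto__ accessor anywhere on the target's chain, [[Set]] and a
// fast put agree again, so the decision depends on the target as well.
function assignOntoNullPrototype(source) {
  const target = Object.assign(Object.create(null), source);
  return { ownKeys: Object.keys(target), inherited: target.polluted };
}
```

        The first helper shows the generic result a fast path must reproduce: no own
        "__proto__" on the target, but a new prototype. The second shows what copying the
        entry blindly would produce instead.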
1151
1152 2018-05-10  Filip Pizlo  <fpizlo@apple.com>
1153
1154         DFG CFA should pick the right time to inject OSR entry data
1155         https://bugs.webkit.org/show_bug.cgi?id=185530
1156
1157         Reviewed by Saam Barati.
1158         
1159         Previously, we would do a bonus run of CFA to inject OSR entry data. This patch makes us inject
1160         OSR entry data as part of the normal flow of CFA, which reduces the total number of CFA
1161         reexecutions while minimizing the likelihood that we have CFA execute constants in paths that
1162         would eventually LUB to non-constant.
1163         
1164         This looks like almost a 1% speed-up on SunSpider-CompileTime. All of the logic for preventing
1165         execution over constants is for V8Spider-CompileTime/regexp, which would otherwise do a lot of
1166         useless regexp/string execution in the compiler.
1167
1168         * dfg/DFGBlockSet.h:
1169         (JSC::DFG::BlockSet::remove):
1170         * dfg/DFGCFAPhase.cpp:
1171         (JSC::DFG::CFAPhase::run):
1172         (JSC::DFG::CFAPhase::injectOSR):
1173         (JSC::DFG::CFAPhase::performBlockCFA):
1174
1175 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
1176
1177         InPlaceAbstractState::beginBasicBlock shouldn't copy all m_variables every time
1178         https://bugs.webkit.org/show_bug.cgi?id=185452
1179
1180         Reviewed by Michael Saboff.
1181         
1182         We were spending a lot of time in beginBasicBlock() just copying the state of all variables
1183         from the block head to InPlaceAbstractState::m_variables. It is necessary for
1184         InPlaceAbstractState to have its own copy since we need to mutate it separately from
1185         block->valuesAtHead. But most variables are untouched by most basic blocks, so this was a lot
1186         of superfluous work.
1187         
1188         This change adds a bitvector called m_activeVariables that tracks which variables have been
1189         copied. We lazily copy the variables on first use. Variables that were never copied also have
1190         a simplified merging path, which just needs to consider if the variable got clobbered between
1191         head and tail.
1192         
1193         This is a 1.5% speed-up on SunSpider-CompileTime and a 1.7% speed-up on V8Spider-CompileTime.
1194
1195         * bytecode/Operands.h:
1196         (JSC::Operands::argumentIndex const):
1197         (JSC::Operands::localIndex const):
1198         (JSC::Operands::argument):
1199         (JSC::Operands::argument const):
1200         (JSC::Operands::local):
1201         (JSC::Operands::local const):
1202         (JSC::Operands::operandIndex const):
1203         * dfg/DFGAbstractValue.h:
1204         (JSC::DFG::AbstractValue::fastForwardFromTo):
1205         * dfg/DFGCFAPhase.cpp:
1206         (JSC::DFG::CFAPhase::performForwardCFA):
1207         * dfg/DFGInPlaceAbstractState.cpp:
1208         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1209         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
1210         (JSC::DFG::InPlaceAbstractState::activateAllVariables):
1211         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1212         (JSC::DFG::InPlaceAbstractState::activateVariable):
1213         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): Deleted.
1214         * dfg/DFGInPlaceAbstractState.h:
1215         (JSC::DFG::InPlaceAbstractState::variableAt):
1216         (JSC::DFG::InPlaceAbstractState::operand):
1217         (JSC::DFG::InPlaceAbstractState::local):
1218         (JSC::DFG::InPlaceAbstractState::argument):
1219         (JSC::DFG::InPlaceAbstractState::activateVariableIfNecessary):
1220         (JSC::DFG::InPlaceAbstractState::variablesForDebugging): Deleted.
1221
1222 2018-05-09  Caio Lima  <ticaiolima@gmail.com>
1223
1224         [ESNext][BigInt] Implement support for "==" operation
1225         https://bugs.webkit.org/show_bug.cgi?id=184474
1226
1227         Reviewed by Yusuke Suzuki.
1228
1229         This patch implements BigInt support for the equals operator,
1230         following the spec semantics[1].
1231
1232         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-equality-comparison
1233
1234         * runtime/JSBigInt.cpp:
1235         (JSC::JSBigInt::parseInt):
1236         (JSC::JSBigInt::stringToBigInt):
1237         (JSC::JSBigInt::toString):
1238         (JSC::JSBigInt::setDigit):
1239         (JSC::JSBigInt::equalsToNumber):
1240         (JSC::JSBigInt::compareToDouble):
1241         * runtime/JSBigInt.h:
1242         * runtime/JSCJSValueInlines.h:
1243         (JSC::JSValue::equalSlowCaseInline):
1244
1245 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
1246
1247         Speed up AbstractInterpreter::executeEdges
1248         https://bugs.webkit.org/show_bug.cgi?id=185457
1249
1250         Reviewed by Saam Barati.
1251
1252         This patch started out with the desire to make executeEdges() faster by making filtering faster.
1253         However, when I studied the disassembly, I found that there are many opportunities for
1254         improvement and I implemented all of them:
1255         
1256         - Filtering itself now has an inline fast path for when the filtering didn't change the value or
1257           for non-cells.
1258         
1259         - Edge execution doesn't fast-forward anything if the filtering fast path would have succeeded,
1260           since fast-forwarding is only interesting for cells and only if we have a clobbered value.
1261         
1262         - Similarly, edge verification doesn't need to fast-forward in the common case.
1263         
1264         - A bunch of stuff related to Graph::doToChildren is now inlined properly.
1265         
1266         - The edge doesn't even have to be considered for execution if it's UntypedUse.
1267         
1268         That last bit was the trickiest. We had gotten into a bad habit of using SpecFullNumber in the
1269         abstract interpreter. It's not correct to use SpecFullNumber in the abstract interpreter, because
1270         it means proving that the value could either be formatted as a double (with impure NaN values),
1271         or as any JSValue, or as an Int52. There is no value that could possibly hold all of those
1272         states. This "worked" before because UntypedUse would filter this down to SpecBytecodeNumber. To
1273         make it work again, I needed to fix all of those uses of SpecFullNumber. In the future, we need
1274         to be careful about picking either SpecFullDouble (if returning a DoubleRep) or
1275         SpecBytecodeNumber (if returning a JSValueRep).
1276         
1277         But that fix revealed an amazing timeout in
1278         stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js. We were getting
1279         stuck in an OSR loop (baseline->DFG->FTL->baseline), all involving the same bytecode, without
1280         ever realizing that we should jettison something. The problem was with how
1281         triggerReoptimizationNow was getting the optimizedCodeBlock. It was trying to guess it by using
1282         baselineCodeBlock->replacement(), but that's wrong for FTL-for-OSR-entry code blocks.
1283         
1284         This is a 1% improvement in V8Spider-CompileTime.
1285
1286         * bytecode/ExitKind.cpp:
1287         (JSC::exitKindMayJettison):
1288         * dfg/DFGAbstractInterpreter.h:
1289         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
1290         (JSC::DFG::AbstractInterpreter::filterByType): Deleted.
1291         * dfg/DFGAbstractInterpreterInlines.h:
1292         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::AbstractInterpreterExecuteEdgesFunc):
1293         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::operator() const):
1294         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
1295         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByType):
1296         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
1297         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1298         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1299         * dfg/DFGAbstractValue.cpp:
1300         (JSC::DFG::AbstractValue::filterSlow):
1301         (JSC::DFG::AbstractValue::fastForwardToAndFilterSlow):
1302         * dfg/DFGAbstractValue.h:
1303         (JSC::DFG::AbstractValue::filter):
1304         (JSC::DFG::AbstractValue::fastForwardToAndFilter):
1305         (JSC::DFG::AbstractValue::fastForwardToAndFilterUnproven):
1306         (JSC::DFG::AbstractValue::makeTop):
1307         * dfg/DFGAtTailAbstractState.h:
1308         (JSC::DFG::AtTailAbstractState::fastForward):
1309         (JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
1310         (JSC::DFG::AtTailAbstractState::fastForwardAndFilterUnproven):
1311         * dfg/DFGGraph.h:
1312         (JSC::DFG::Graph::doToChildren):
1313         * dfg/DFGInPlaceAbstractState.h:
1314         (JSC::DFG::InPlaceAbstractState::fastForward):
1315         (JSC::DFG::InPlaceAbstractState::fastForwardAndFilterUnproven):
1316         (JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
1317         * dfg/DFGOSRExit.cpp:
1318         (JSC::DFG::OSRExit::executeOSRExit):
1319         * dfg/DFGOSRExitCompilerCommon.cpp:
1320         (JSC::DFG::handleExitCounts):
1321         * dfg/DFGOperations.cpp:
1322         * dfg/DFGOperations.h:
1323
1324 2018-05-09  Saam Barati  <sbarati@apple.com>
1325
1326         Add JSVirtualMachine SPI to shrink the memory footprint of the VM
1327         https://bugs.webkit.org/show_bug.cgi?id=185441
1328         <rdar://problem/39999414>
1329
1330         Reviewed by Keith Miller.
1331
1332         This patch adds JSVirtualMachine SPI to release as much memory as possible.
1333         The SPI does:
1334         - Deletes all code caches.
1335         - Synchronous GC.
1336         - Run the scavenger.
1337
1338         * API/JSVirtualMachine.mm:
1339         (-[JSVirtualMachine shrinkFootprint]):
1340         * API/JSVirtualMachinePrivate.h: Added.
1341         * API/tests/testapi.mm:
1342         (testObjectiveCAPIMain):
1343         * JavaScriptCore.xcodeproj/project.pbxproj:
1344         * runtime/VM.cpp:
1345         (JSC::VM::shrinkFootprint):
1346         * runtime/VM.h:
1347
1348 2018-05-09  Leo Balter  <leonardo.balter@gmail.com>
1349
1350         [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
1351         Error found in the following Test262 tests:
1352
1353         - test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js
1354         - test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js
1355         - test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js
1356
1357         The ArraySpeciesCreate should throw a RangeError with non-Array custom objects
1358         presenting a length > 2**32-1
1359         https://bugs.webkit.org/show_bug.cgi?id=185476
1360
1361         Reviewed by Yusuke Suzuki.
1362
1363         * runtime/ArrayPrototype.cpp:
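
        ArraySpeciesCreate written out as the spec defines it, as an added example that
        is not JSC's ArrayPrototype.cpp: for a non-Array receiver it goes straight to
        ArrayCreate, and ArrayCreate throws a RangeError for a length above 2**32-1
        rather than truncating it. The helpers arrayCreate, arraySpeciesCreate, outcome,
        modelOutcome, nativeSliceOutcome and the TaggedArray subclass are this example's own.

```javascript
// Added example, not JSC's ArrayPrototype.cpp: ArraySpeciesCreate per spec,
// with the ArrayCreate length check the entry refers to, next to a helper that
// reports what the engine's own Array.prototype.slice does on the same input.

const MAX_ARRAY_LENGTH = 2 ** 32 - 1;

// ArrayCreate(length): an out-of-range length is a RangeError, never a
// silently wrapped or truncated array.
function arrayCreate(length) {
  if (length > MAX_ARRAY_LENGTH) throw new RangeError('Invalid array length');
  return new Array(length);
}

function arraySpeciesCreate(originalArray, length) {
  if (!Array.isArray(originalArray)) return arrayCreate(length);
  let C = originalArray.constructor;
  if (C !== null && (typeof C === 'object' || typeof C === 'function')) {
    C = C[Symbol.species];
    if (C === null) C = undefined;
  }
  if (C === undefined) return arrayCreate(length);
  if (typeof C !== 'function') throw new TypeError('species is not a constructor');
  return new C(length);
}

// Wraps a call so success and the thrown error's class can be compared.
function outcome(fn) {
  try { return { ok: true, value: fn() }; }
  catch (e) { return { ok: false, error: e.constructor.name }; }
}

function modelOutcome(obj, length) {
  return outcome(() => arraySpeciesCreate(obj, length));
}

// Array.prototype.slice on a non-Array array-like reaches ArraySpeciesCreate
// with count = length, so an oversized length must surface as RangeError.
function nativeSliceOutcome(obj) {
  return outcome(() => Array.prototype.slice.call(obj));
}

// Array subclass: the species path, which the non-Array case must skip.
class TaggedArray extends Array {}
```

        An array-like with length 2**32 is the case from the Test262 tests named in the
        entry: both the model and the engine's slice must reject it with RangeError.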
1364
1365 2018-05-09  Michael Catanzaro  <mcatanzaro@igalia.com>
1366
1367         [WPE] Build cleanly with GCC 8 and ICU 60
1368         https://bugs.webkit.org/show_bug.cgi?id=185462
1369
1370         Reviewed by Carlos Alberto Lopez Perez.
1371
1372         * API/glib/JSCClass.cpp: Silence many -Wcast-function-type warnings.
1373         (jsc_class_add_constructor):
1374         (jsc_class_add_method):
1375         * API/glib/JSCValue.cpp: Silence many -Wcast-function-type warnings.
1376         (jsc_value_object_define_property_accessor):
1377         (jsc_value_new_function):
1378         * CMakeLists.txt: Build BuiltinNames.cpp with -fno-var-tracking-assignments. This was a
1379         problem with GCC 7 too, but might as well fix it now.
1380         * assembler/ProbeContext.h:
1381         (JSC::Probe::CPUState::gpr const): Silence a -Wclass-memaccess warning.
1382         (JSC::Probe::CPUState::spr const): Ditto. Assume std::remove_const is safe to clobber.
1383         * b3/air/AirArg.h:
1384         (JSC::B3::Air::Arg::isRepresentableAs): Silence -Wfallthrough warning.
1385         * builtins/BuiltinNames.cpp:
1386         (JSC::BuiltinNames::BuiltinNames): Moved from BuiltinNames.h so we can use a special flag.
1387         * builtins/BuiltinNames.h:
1388         (JSC::BuiltinNames::BuiltinNames): Moved to BuiltinNames.cpp.
1389         * dfg/DFGDoubleFormatState.h:
1390         (JSC::DFG::mergeDoubleFormatStates): Silence -Wfallthrough warnings.
1391         * heap/MarkedBlockInlines.h:
1392         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType): Silence -Wfallthrough warnings.
1393         * runtime/ConfigFile.cpp:
1394         (JSC::ConfigFile::canonicalizePaths): Here GCC found a genuine mistake, strncat is called
1395         with the wrong length parameter and the result is not null-terminated. Also, silence a
1396         -Wstringop-truncation warning as we intentionally truncate filenames that exceed PATH_MAX.
1397         * runtime/IntlDateTimeFormat.cpp:
1398         (JSC::IntlDateTimeFormat::partTypeString): Avoid an ICU deprecation warning.
1399         * runtime/JSGlobalObject.cpp:
1400         (JSC::JSGlobalObject::init): We were unconditionally running some BigInt code by accident.
1401         (JSC::JSGlobalObject::visitChildren): Probably a serious bug? Fixed.
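
An added example, not the ConfigFile code itself, of the strncat pitfall this entry describes: the third argument bounds how many characters are appended, not the size of the destination, so the safe count is the space left after the current contents and the terminator. kPathMax and the helper names are the example's own.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <string>

constexpr size_t kPathMax = 16; // constructed stand-in for PATH_MAX

// strncat(dst, src, n) appends at most n characters of src and then always
// writes a terminating NUL, so it touches strlen(dst) + min(n, strlen(src)) + 1
// bytes. Passing the buffer size as n is only safe while dst is empty. This
// predicate states the bound that actually holds.
bool strncatCountIsSafe(size_t bufferSize, size_t currentLength, size_t count)
{
    if (currentLength >= bufferSize)
        return false; // dst is not a terminated string inside the buffer at all
    return count <= bufferSize - currentLength - 1;
}

// The largest count that keeps strncat in bounds for any source length.
size_t strncatRemaining(size_t bufferSize, size_t currentLength)
{
    return currentLength < bufferSize ? bufferSize - currentLength - 1 : 0;
}

// Bounded append that truncates instead of overflowing and always leaves
// `buffer` NUL-terminated. Returns false when the component did not fit whole.
bool appendPathComponent(char* buffer, size_t bufferSize, const char* component)
{
    // Measure without trusting a terminator to exist: a prior strncpy may have
    // filled the buffer completely, which is what -Wstringop-truncation warns about.
    size_t currentLength = static_cast<size_t>(std::find(buffer, buffer + bufferSize, '\0') - buffer);
    if (currentLength == bufferSize) {
        buffer[bufferSize - 1] = '\0';
        currentLength = bufferSize - 1;
    }
    size_t remaining = strncatRemaining(bufferSize, currentLength);
    std::strncat(buffer, component, remaining); // never the buffer size
    return std::strlen(component) <= remaining;
}

struct JoinResult {
    std::string path;
    bool truncated;
};

// Builds "<directory>/<filename>" into a PATH_MAX-sized buffer the way a path
// canonicalizer would, reporting whether anything had to be cut off.
JoinResult joinPath(const char* directory, const char* filename)
{
    char buffer[kPathMax] = { 0 };
    bool fits = appendPathComponent(buffer, sizeof(buffer), directory);
    fits = appendPathComponent(buffer, sizeof(buffer), "/") && fits;
    fits = appendPathComponent(buffer, sizeof(buffer), filename) && fits;
    // strlen is safe here: appendPathComponent never drops the terminator.
    return { std::string(buffer), !fits };
}
```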
1402
1403 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1404
1405         [ARMv7] Drop ARMv7 disassembler in favor of capstone
1406         https://bugs.webkit.org/show_bug.cgi?id=185423
1407
1408         Reviewed by Michael Catanzaro.
1409
1410         This patch removes ARMv7Disassembler in our tree.
1411         We already adopted Capstone, and it is already used in ARMv7 JIT environments.
1412
1413         * CMakeLists.txt:
1414         * JavaScriptCore.xcodeproj/project.pbxproj:
1415         * Sources.txt:
1416         * disassembler/ARMv7/ARMv7DOpcode.cpp: Removed.
1417         * disassembler/ARMv7/ARMv7DOpcode.h: Removed.
1418         * disassembler/ARMv7Disassembler.cpp: Removed.
1419
1420 2018-05-09  Srdjan Lazarevic  <srdjan.lazarevic@rt-rk.com>
1421
1422         [MIPS] Optimize generated JIT code using r2
1423         https://bugs.webkit.org/show_bug.cgi?id=184584
1424
1425         Reviewed by Yusuke Suzuki.
1426
1427         EXT and MFHC1 instructions from MIPSR2 are implemented and used where possible.
1428         Also, some code size optimizations that were discovered in the meantime were done.
1429
1430         * assembler/MIPSAssembler.h:
1431         (JSC::MIPSAssembler::ext):
1432         (JSC::MIPSAssembler::mfhc1):
1433         * assembler/MacroAssemblerMIPS.cpp:
1434         * assembler/MacroAssemblerMIPS.h:
1435         (JSC::MacroAssemblerMIPS::isPowerOf2):
1436         (JSC::MacroAssemblerMIPS::bitPosition):
1437         (JSC::MacroAssemblerMIPS::loadAddress):
1438         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
1439         (JSC::MacroAssemblerMIPS::load8):
1440         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1441         (JSC::MacroAssemblerMIPS::load32):
1442         (JSC::MacroAssemblerMIPS::load16Unaligned):
1443         (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
1444         (JSC::MacroAssemblerMIPS::load16):
1445         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
1446         (JSC::MacroAssemblerMIPS::store8):
1447         (JSC::MacroAssemblerMIPS::store16):
1448         (JSC::MacroAssemblerMIPS::store32):
1449         (JSC::MacroAssemblerMIPS::branchTest32):
1450         (JSC::MacroAssemblerMIPS::loadFloat):
1451         (JSC::MacroAssemblerMIPS::loadDouble):
1452         (JSC::MacroAssemblerMIPS::storeFloat):
1453         (JSC::MacroAssemblerMIPS::storeDouble):
1454
1455 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1456
1457         [JSC][GTK][JSCONLY] Use capstone disassembler
1458         https://bugs.webkit.org/show_bug.cgi?id=185283
1459
1460         Reviewed by Michael Catanzaro.
1461
1462         Instead of adding a MIPS disassembler baked by ourselves, we import the capstone disassembler,
1463         and use the capstone disassembler for MIPS, ARM, and ARMv7 in the GTK, WPE, WinCairo and JSCOnly ports.
1464
1465         We also remove the ARM LLVM disassembler.
1466
1467         Capstone is licensed under 3-clause BSD, which is acceptable in WebKit tree.
1468
1469         * CMakeLists.txt:
1470         * Sources.txt:
1471         * disassembler/ARMLLVMDisassembler.cpp: Removed.
1472         * disassembler/CapstoneDisassembler.cpp: Added.
1473         (JSC::tryToDisassemble):
1474
1475 2018-05-09  Dominik Infuehr  <dinfuehr@igalia.com>
1476
1477         [MIPS] Use mfhc1 and mthc1 to fix assembler error
1478         https://bugs.webkit.org/show_bug.cgi?id=185464
1479
1480         Reviewed by Yusuke Suzuki.
1481
1482         The binutils-assembler started to report failures for copying words between
1483         GP and FP registers for odd FP register indices. Use mfhc1 and mthc1 instead
1484         of mfc1 and mtc1 for conversion.
1485
1486         * offlineasm/mips.rb:
1487
1488 2018-05-08  Dominik Infuehr  <dinfuehr@igalia.com>
1489
1490         [MIPS] Collect callee-saved register using inline assembly
1491         https://bugs.webkit.org/show_bug.cgi?id=185428
1492
1493         Reviewed by Yusuke Suzuki.
1494
1495         MIPS used setjmp instead of collecting registers with inline assembly like
1496         other architectures.
1497
1498         * heap/RegisterState.h:
1499
1500 2018-05-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1501
1502         [BigInt] Simplifying JSBigInt by using bool addition
1503         https://bugs.webkit.org/show_bug.cgi?id=185374
1504
1505         Reviewed by Alex Christensen.
1506
1507         Since using TWO_DIGIT does not produce good code, we remove this part from digitAdd and digitSub.
1508         Just adding the overflow flag to the carry/borrow produces setb + add on x86.
1509
1510         Also we annotate small helper functions and accessors with `inline` so that these functions are not called
1511         inside the internalMultiplyAdd loop.
1512
1513         * runtime/JSBigInt.cpp:
1514         (JSC::JSBigInt::isZero):
1515         (JSC::JSBigInt::inplaceMultiplyAdd):
1516         (JSC::JSBigInt::digitAdd):
1517         (JSC::JSBigInt::digitSub):
1518         (JSC::JSBigInt::digitMul):
1519         (JSC::JSBigInt::digitPow):
1520         (JSC::JSBigInt::digitDiv):
1521         (JSC::JSBigInt::offsetOfData):
1522         (JSC::JSBigInt::dataStorage):
1523         (JSC::JSBigInt::digit):
1524         (JSC::JSBigInt::setDigit):
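
Carry and borrow as bool addition, as an added example that is not JSC's JSBigInt code: digitAdd and digitSub fold the overflow flag into the carry, and the loops that use them push the incoming carry through a second call. Digit, absoluteAdd, absoluteSub, inplaceMultiplyAdd and parseDecimal are the example's own; inplaceMultiplyAdd relies on the GCC/Clang unsigned __int128 extension.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

using Digit = uint64_t;

// a + b with the overflow folded into `carry` by bool addition; the compiler
// lowers `carry += (result < a)` to setb + add, with no two-digit temporary.
static inline Digit digitAdd(Digit a, Digit b, Digit& carry)
{
    Digit result = a + b;
    carry += (result < a);
    return result;
}

// a - b, likewise accumulating the borrow.
static inline Digit digitSub(Digit a, Digit b, Digit& borrow)
{
    Digit result = a - b;
    borrow += (result > a);
    return result;
}

// Drop zero top digits so equal magnitudes compare equal.
static void normalize(std::vector<Digit>& digits)
{
    while (digits.size() > 1 && digits.back() == 0)
        digits.pop_back();
}

// Little-endian magnitude addition. Feeding the incoming carry through a second
// digitAdd is sound: a + b + 1 overflows at most once, so the two flags sum to 0 or 1.
std::vector<Digit> absoluteAdd(const std::vector<Digit>& x, const std::vector<Digit>& y)
{
    const std::vector<Digit>& longer = x.size() >= y.size() ? x : y;
    const std::vector<Digit>& shorter = x.size() >= y.size() ? y : x;
    std::vector<Digit> result(longer.size() + 1, 0);
    Digit carry = 0;
    for (size_t i = 0; i < longer.size(); ++i) {
        Digit newCarry = 0;
        Digit sum = digitAdd(longer[i], i < shorter.size() ? shorter[i] : 0, newCarry);
        sum = digitAdd(sum, carry, newCarry);
        result[i] = sum;
        carry = newCarry;
    }
    result[longer.size()] = carry;
    normalize(result);
    return result;
}

// Little-endian magnitude subtraction; requires x >= y.
std::vector<Digit> absoluteSub(const std::vector<Digit>& x, const std::vector<Digit>& y)
{
    std::vector<Digit> result(x.size(), 0);
    Digit borrow = 0;
    for (size_t i = 0; i < x.size(); ++i) {
        Digit newBorrow = 0;
        Digit difference = digitSub(x[i], i < y.size() ? y[i] : 0, newBorrow);
        difference = digitSub(difference, borrow, newBorrow);
        result[i] = difference;
        borrow = newBorrow;
    }
    normalize(result);
    return result;
}

// x = x * factor + summand in place, the step a decimal parser repeats per
// character. The 128-bit product is a GCC/Clang extension.
void inplaceMultiplyAdd(std::vector<Digit>& x, Digit factor, Digit summand)
{
    Digit carry = summand;
    for (Digit& digit : x) {
        unsigned __int128 product = static_cast<unsigned __int128>(digit) * factor + carry;
        digit = static_cast<Digit>(product);
        carry = static_cast<Digit>(product >> 64);
    }
    if (carry)
        x.push_back(carry);
}

// Parses an unsigned decimal string into little-endian digits.
std::vector<Digit> parseDecimal(const char* text)
{
    std::vector<Digit> value { 0 };
    for (; *text; ++text)
        inplaceMultiplyAdd(value, 10, static_cast<Digit>(*text - '0'));
    normalize(value);
    return value;
}
```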
1525
1526 2018-05-08  Michael Saboff  <msaboff@apple.com>
1527
1528         Replace multiple Watchpoint Set fireAll() methods with templates
1529         https://bugs.webkit.org/show_bug.cgi?id=185456
1530
1531         Reviewed by Saam Barati.
1532
1533         Refactored to minimize duplicate code.
1534
1535         * bytecode/Watchpoint.h:
1536         (JSC::WatchpointSet::fireAll):
1537         (JSC::InlineWatchpointSet::fireAll):
1538
1539 2018-05-08  Filip Pizlo  <fpizlo@apple.com>
1540
1541         DFG::FlowMap::resize() shouldn't resize the shadow map unless we're in SSA
1542         https://bugs.webkit.org/show_bug.cgi?id=185453
1543
1544         Reviewed by Michael Saboff.
1545         
1546         Tiny improvement for compile times.
1547
1548         * dfg/DFGFlowMap.h:
1549         (JSC::DFG::FlowMap::resize): Remove one Vector::resize() when we're not in SSA.
1550         * dfg/DFGInPlaceAbstractState.cpp:
1551         (JSC::DFG::InPlaceAbstractState::beginBasicBlock): Record some data about how long we spend in different parts of this and add a FIXME linking bug 185452.
1552
1553 2018-05-08  Michael Saboff  <msaboff@apple.com>
1554
1555         Deferred firing of structure transition watchpoints is racy
1556         https://bugs.webkit.org/show_bug.cgi?id=185438
1557
1558         Reviewed by Saam Barati.
1559
1560         Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire
1561         and fire them in the destructor.  When the watchpoints are taken from the
1562         original WatchpointSet, that WatchpointSet is marked invalid.
1563
1564         * bytecode/Watchpoint.cpp:
1565         (JSC::WatchpointSet::fireAllSlow):
1566         (JSC::WatchpointSet::take):
1567         (JSC::DeferredWatchpointFire::DeferredWatchpointFire):
1568         (JSC::DeferredWatchpointFire::~DeferredWatchpointFire):
1569         (JSC::DeferredWatchpointFire::fireAll):
1570         (JSC::DeferredWatchpointFire::takeWatchpointsToFire):
1571         * bytecode/Watchpoint.h:
1572         (JSC::WatchpointSet::fireAll):
1573         (JSC::InlineWatchpointSet::fireAll):
1574         * runtime/JSObject.cpp:
1575         (JSC::JSObject::setPrototypeDirect):
1576         (JSC::JSObject::convertToDictionary):
1577         * runtime/JSObjectInlines.h:
1578         (JSC::JSObject::putDirectInternal):
1579         * runtime/Structure.cpp:
1580         (JSC::Structure::Structure):
1581         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire):
1582         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
1583         (JSC::DeferredStructureTransitionWatchpointFire::dump const):
1584         (JSC::Structure::didTransitionFromThisStructure const):
1585         (JSC::DeferredStructureTransitionWatchpointFire::add): Deleted.
1586         * runtime/Structure.h:
1587         (JSC::DeferredStructureTransitionWatchpointFire::structure const):
1588
1589 2018-05-08  Eric Carlson  <eric.carlson@apple.com>
1590
1591         Consecutive messages logged as JSON are coalesced
1592         https://bugs.webkit.org/show_bug.cgi?id=185432
1593
1594         Reviewed by Joseph Pecoraro.
1595
1596         * inspector/ConsoleMessage.cpp:
1597         (Inspector::ConsoleMessage::isEqual const): Messages with JSON arguments are not equal.
1598
1599 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
1600
1601         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
1602         https://bugs.webkit.org/show_bug.cgi?id=185365
1603
1604         Reviewed by Saam Barati.
1605         
1606         This patch does three things to improve compile times:
1607         
1608         - Fixes some inlining goofs.
1609         
1610         - Adds the ability to measure compile times with run-jsc-benchmarks.
1611         
1612         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
1613           code that clears abstract values. It turns out that only constant folding "needed" this, in the
1614           sense that this was the only thing protecting it from loading the abstract value of a no-result
1615           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
1616           Any node that produces a result will explicitly set its abstract value, so this problem can
1617           also be guarded by just having constant folding check if the node it wants to fold returns any
1618           result.
1619         
1620         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
1621         
1622         Rolling back in after fixing cloop build.
1623
1624         * dfg/DFGAbstractInterpreterInlines.h:
1625         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1626         * dfg/DFGAbstractValue.cpp:
1627         (JSC::DFG::AbstractValue::set):
1628         * dfg/DFGAbstractValue.h:
1629         (JSC::DFG::AbstractValue::merge):
1630         * dfg/DFGConstantFoldingPhase.cpp:
1631         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1632         * dfg/DFGGraph.h:
1633         (JSC::DFG::Graph::doToChildrenWithNode):
1634         (JSC::DFG::Graph::doToChildren):
1635         * dfg/DFGInPlaceAbstractState.cpp:
1636         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1637         * jit/JIT.cpp:
1638         (JSC::JIT::totalCompileTime):
1639         * jit/JIT.h:
1640         * jsc.cpp:
1641         (GlobalObject::finishCreation):
1642         (functionTotalCompileTime):
1643
1644 2018-05-08  Ryan Haddad  <ryanhaddad@apple.com>
1645
1646         Unreviewed, rolling out r231468.
1647
1648         Broke the CLoop build
1649
1650         Reverted changeset:
1651
1652         "InPlaceAbstractState::beginBasicBlock shouldn't have to clear
1653         any abstract values"
1654         https://bugs.webkit.org/show_bug.cgi?id=185365
1655         https://trac.webkit.org/changeset/231468
1656
1657 2018-05-07  Daniel Bates  <dabates@apple.com>
1658
1659         Check X-Frame-Options and CSP frame-ancestors in network process
1660         https://bugs.webkit.org/show_bug.cgi?id=185410
1661         <rdar://problem/37733934>
1662
1663         Reviewed by Ryosuke Niwa.
1664
1665         Add enum traits for MessageSource and MessageLevel so that we can encode and decode them for IPC.
1666
1667         * runtime/ConsoleTypes.h:
1668
1669 2018-05-07  Saam Barati  <sbarati@apple.com>
1670
1671         Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them
1672         https://bugs.webkit.org/show_bug.cgi?id=185329
1673         <rdar://problem/39961536>
1674
1675         Reviewed by Michael Saboff.
1676
1677         I was made aware of a memory goof inside of JSC where we would inefficiently
1678         use space to represent an UnlinkedFunctionExecutable's parent TDZ variables.
1679         
1680         We did two things badly:
1681         1. We used a HashMap instead of a Vector to represent the environment. Having
1682         a HashMap is useful when looking things up when generating bytecode, but it's
1683         space inefficient. Because UnlinkedFunctionExecutables live a long time due to
1684         the code cache, we should have them store this information efficiently
1685         inside of a Vector.
1686         
1687         2. We didn't hash-cons these environments together. If you think about how
1688         some programs are structured, hash-consing these together is hugely profitable.
1689         Consider some code like this:
1690         ```
1691         const/let V_1 = ...;
1692         const/let V_2 = ...;
1693         ...
1694         const/let V_n = ...;
1695         
1696         function f_1() { ... };
1697         function f_2() { ... };
1698         ...
1699         function f_n() { ... };
1700         ```
1701         
1702         Each f_i would store an identical hash map for its parent TDZ variables
1703         consisting of {V_1, ..., V_n}. This was incredibly dumb. With hash-consing,
1704         each f_i just holds onto a reference to the environment.
1705         
1706         I benchmarked this change against an app that made heavy use of the
1707         above code pattern and it reduced its peak memory footprint from ~220MB
1708         to ~160MB.
1709
1710         * bytecode/UnlinkedFunctionExecutable.cpp:
1711         (JSC::generateUnlinkedFunctionCodeBlock):
1712         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1713         * bytecode/UnlinkedFunctionExecutable.h:
1714         * parser/VariableEnvironment.cpp:
1715         (JSC::CompactVariableEnvironment::CompactVariableEnvironment):
1716         (JSC::CompactVariableEnvironment::operator== const):
1717         (JSC::CompactVariableEnvironment::toVariableEnvironment const):
1718         (JSC::CompactVariableMap::get):
1719         (JSC::CompactVariableMap::Handle::~Handle):
1720         * parser/VariableEnvironment.h:
1721         (JSC::VariableEnvironmentEntry::bits const):
1722         (JSC::VariableEnvironmentEntry::operator== const):
1723         (JSC::VariableEnvironment::isEverythingCaptured const):
1724         (JSC::CompactVariableEnvironment::hash const):
1725         (JSC::CompactVariableMapKey::CompactVariableMapKey):
1726         (JSC::CompactVariableMapKey::hash):
1727         (JSC::CompactVariableMapKey::equal):
1728         (JSC::CompactVariableMapKey::makeDeletedValue):
1729         (JSC::CompactVariableMapKey::isHashTableDeletedValue const):
1730         (JSC::CompactVariableMapKey::isHashTableEmptyValue const):
1731         (JSC::CompactVariableMapKey::environment):
1732         (WTF::HashTraits<JSC::CompactVariableMapKey>::emptyValue):
1733         (WTF::HashTraits<JSC::CompactVariableMapKey>::isEmptyValue):
1734         (WTF::HashTraits<JSC::CompactVariableMapKey>::constructDeletedValue):
1735         (WTF::HashTraits<JSC::CompactVariableMapKey>::isDeletedValue):
1736         (JSC::CompactVariableMap::Handle::Handle):
1737         (JSC::CompactVariableMap::Handle::environment const):
1738         (JSC::VariableEnvironment::VariableEnvironment): Deleted.
1739         * runtime/VM.cpp:
1740         (JSC::VM::VM):
1741         * runtime/VM.h:
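
Hash-consing parent TDZ environments, as an added illustration that is not JSC's CompactVariableMap: equal environments are canonicalized into one shared instance, and the last handle to go away removes the table entry. Entry, CompactEnvironment, Key, EnvironmentInterner and shareParentTDZ are the example's own names.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// One TDZ variable and its flags, kept in a sorted dense vector, not a HashMap.
struct Entry {
    std::string name;
    unsigned flags;
    bool operator==(const Entry& other) const { return name == other.name && flags == other.flags; }
};

struct CompactEnvironment {
    std::vector<Entry> entries; // sorted by name, so equal sets compare equal
    bool everythingCaptured;
    bool operator==(const CompactEnvironment& o) const { return everythingCaptured == o.everythingCaptured && entries == o.entries; }
    size_t hash() const
    {
        size_t h = everythingCaptured ? 0x9e3779b9u : 0;
        for (const Entry& entry : entries)
            h = h * 31 + std::hash<std::string>()(entry.name) * 7 + entry.flags;
        return h;
    }
};

// Table key: a non-owning pointer hashed and compared through the environment
// it points at, so the table never stores a second copy of the data.
struct Key {
    const CompactEnvironment* environment;
    bool operator==(const Key& other) const { return *environment == *other.environment; }
};
struct KeyHash {
    size_t operator()(const Key& key) const { return key.environment->hash(); }
};

// Identical environments resolve to one shared instance: n functions declared
// under the same const/let bindings hold n references to a single object.
class EnvironmentInterner {
public:
    using Handle = std::shared_ptr<const CompactEnvironment>;
    Handle get(std::vector<Entry> entries, bool everythingCaptured)
    {
        // Canonicalize so declaration order does not defeat sharing.
        std::sort(entries.begin(), entries.end(),
            [](const Entry& a, const Entry& b) { return a.name < b.name; });
        CompactEnvironment probe { std::move(entries), everythingCaptured };
        auto it = m_table.find(Key { &probe });
        if (it != m_table.end())
            return it->second.lock(); // single-threaded: a present entry is alive
        // The deleter plays Handle::~Handle: the last holder removes the entry.
        Handle created(new CompactEnvironment(std::move(probe)),
            [this](const CompactEnvironment* environment) {
                m_table.erase(Key { environment });
                delete environment;
            });
        m_table.emplace(Key { created.get() }, created);
        return created;
    }
    size_t liveEnvironments() const { return m_table.size(); }

private:
    std::unordered_map<Key, std::weak_ptr<const CompactEnvironment>, KeyHash> m_table;
};

struct FootprintReport {
    size_t functions;            // how many f_i hold a handle
    size_t distinctEnvironments; // table size while they are alive
    bool allShared;              // every f_i points at the same object
    size_t liveAfterRelease;     // table size once the handles are gone
};

// Models the pattern in the entry: V_1..V_n declared once, f_1..f_n recording the
// same parent TDZ set (in varying order), plus one function under a different set.
FootprintReport shareParentTDZ(size_t n)
{
    EnvironmentInterner interner;
    std::vector<Entry> tdzVariables;
    for (size_t i = 1; i <= n; ++i)
        tdzVariables.push_back({ "V_" + std::to_string(i), static_cast<unsigned>(i % 2) });
    FootprintReport report { n, 0, true, 0 };
    {
        std::vector<EnvironmentInterner::Handle> functions;
        for (size_t i = 0; i < n; ++i) {
            std::vector<Entry> copy = tdzVariables;
            std::rotate(copy.begin(), copy.begin() + static_cast<std::ptrdiff_t>(i % n), copy.end());
            functions.push_back(interner.get(std::move(copy), false));
            report.allShared = report.allShared && functions.back().get() == functions.front().get();
        }
        std::vector<Entry> other = tdzVariables;
        other.push_back({ "extra", 0 });
        EnvironmentInterner::Handle different = interner.get(std::move(other), false);
        report.distinctEnvironments = interner.liveEnvironments();
    }
    report.liveAfterRelease = interner.liveEnvironments();
    return report;
}
```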
1742
1743 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1744
1745         [DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers
1746         https://bugs.webkit.org/show_bug.cgi?id=185371
1747
1748         Reviewed by Mark Lam.
1749
1750         Since MIPS GPRInfo claims it has only 7 registers, some of the DFG code exhausts registers.
1751         As a result, we need to maintain separate code for MIPS. This increases the DFG maintenance burden,
1752         but actually MIPS has many more registers.
1753
1754         This patch adds $a0 - $a3 to the temporary registers. This is OK since our temporary registers can overlap with
1755         the argument registers (see the ARM and X86 implementations). These registers are caller-save ones, so we do not need
1756         an extra mechanism.
1757
1758         Then, we remove several unnecessary pieces of MIPS code from our JIT infrastructure.
1759
1760         * dfg/DFGByteCodeParser.cpp:
1761         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1762         * dfg/DFGFixupPhase.cpp:
1763         (JSC::DFG::FixupPhase::fixupNode):
1764         * dfg/DFGSpeculativeJIT32_64.cpp:
1765         (JSC::DFG::SpeculativeJIT::compile):
1766         * jit/CCallHelpers.h:
1767         * jit/GPRInfo.h:
1768         (JSC::GPRInfo::toRegister):
1769         (JSC::GPRInfo::toIndex):
1770         * offlineasm/mips.rb:
1771
1772 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1773
1774         DFG AI should have O(1) clobbering
1775         https://bugs.webkit.org/show_bug.cgi?id=185287
1776
1777         Reviewed by Saam Barati.
1778         
1779         This fixes an old scalability problem in AI. Previously, if we did clobberWorld(), then we
1780         would traverse all of the state available to the AI at that time and clobber it.
1781         
1782         This changes clobberWorld() to be O(1). It just does some math to a clobber epoch.
1783         
1784         This is a ~1% speed-up for compile times.
1785
1786         * JavaScriptCore.xcodeproj/project.pbxproj:
1787         * Sources.txt:
1788         * dfg/DFGAbstractInterpreter.h:
1789         (JSC::DFG::AbstractInterpreter::forNode):
1790         (JSC::DFG::AbstractInterpreter::setForNode):
1791         (JSC::DFG::AbstractInterpreter::clearForNode):
1792         (JSC::DFG::AbstractInterpreter::variables): Deleted.
1793         * dfg/DFGAbstractInterpreterInlines.h:
1794         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1795         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
1796         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
1797         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
1798         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1799         * dfg/DFGAbstractValue.cpp:
1800         (JSC::DFG::AbstractValue::fastForwardToSlow):
1801         * dfg/DFGAbstractValue.h:
1802         (JSC::DFG::AbstractValue::fastForwardTo):
1803         (JSC::DFG::AbstractValue::clobberStructuresFor): Deleted.
1804         (JSC::DFG::AbstractValue::observeInvalidationPoint): Deleted.
1805         (JSC::DFG::AbstractValue::observeInvalidationPointFor): Deleted.
1806         * dfg/DFGAbstractValueClobberEpoch.cpp: Added.
1807         (JSC::DFG::AbstractValueClobberEpoch::dump const):
1808         * dfg/DFGAbstractValueClobberEpoch.h: Added.
1809         (JSC::DFG::AbstractValueClobberEpoch::AbstractValueClobberEpoch):
1810         (JSC::DFG::AbstractValueClobberEpoch::first):
1811         (JSC::DFG::AbstractValueClobberEpoch::clobber):
1812         (JSC::DFG::AbstractValueClobberEpoch::observeInvalidationPoint):
1813         (JSC::DFG::AbstractValueClobberEpoch::operator== const):
1814         (JSC::DFG::AbstractValueClobberEpoch::operator!= const):
1815         (JSC::DFG::AbstractValueClobberEpoch::structureClobberState const):
1816         (JSC::DFG::AbstractValueClobberEpoch::clobberEpoch const):
1817         * dfg/DFGAtTailAbstractState.h:
1818         (JSC::DFG::AtTailAbstractState::setForNode):
1819         (JSC::DFG::AtTailAbstractState::clearForNode):
1820         (JSC::DFG::AtTailAbstractState::numberOfArguments const):
1821         (JSC::DFG::AtTailAbstractState::numberOfLocals const):
1822         (JSC::DFG::AtTailAbstractState::operand):
1823         (JSC::DFG::AtTailAbstractState::local):
1824         (JSC::DFG::AtTailAbstractState::argument):
1825         (JSC::DFG::AtTailAbstractState::clobberStructures):
1826         (JSC::DFG::AtTailAbstractState::observeInvalidationPoint):
1827         (JSC::DFG::AtTailAbstractState::variables): Deleted.
1828         * dfg/DFGCFAPhase.cpp:
1829         (JSC::DFG::CFAPhase::performBlockCFA):
1830         * dfg/DFGConstantFoldingPhase.cpp:
1831         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1832         * dfg/DFGFlowMap.h:
1833         (JSC::DFG::FlowMap::at):
1834         (JSC::DFG::FlowMap::atShadow):
1835         (JSC::DFG::FlowMap::at const):
1836         (JSC::DFG::FlowMap::atShadow const):
1837         * dfg/DFGInPlaceAbstractState.cpp:
1838         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1839         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1840         * dfg/DFGInPlaceAbstractState.h:
1841         (JSC::DFG::InPlaceAbstractState::forNode):
1842         (JSC::DFG::InPlaceAbstractState::setForNode):
1843         (JSC::DFG::InPlaceAbstractState::clearForNode):
1844         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
1845         (JSC::DFG::InPlaceAbstractState::numberOfArguments const):
1846         (JSC::DFG::InPlaceAbstractState::numberOfLocals const):
1847         (JSC::DFG::InPlaceAbstractState::operand):
1848         (JSC::DFG::InPlaceAbstractState::local):
1849         (JSC::DFG::InPlaceAbstractState::argument):
1850         (JSC::DFG::InPlaceAbstractState::variableAt):
1851         (JSC::DFG::InPlaceAbstractState::clobberStructures):
1852         (JSC::DFG::InPlaceAbstractState::observeInvalidationPoint):
1853         (JSC::DFG::InPlaceAbstractState::fastForward):
1854         (JSC::DFG::InPlaceAbstractState::variables): Deleted.
1855         * dfg/DFGSpeculativeJIT64.cpp:
1856         (JSC::DFG::SpeculativeJIT::compile):
1857         * ftl/FTLLowerDFGToB3.cpp:
1858         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
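
An added illustration of epoch-based clobbering; it is not JSC's AbstractValueClobberEpoch and models only the structure set. clobberWorld() bumps one counter, and each value catches up the next time it is read. ClobberEpoch, AbstractValue and AbstractState are the example's own names.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// "Clobber the world" is O(1): bump one counter instead of visiting every
// value. Each value remembers the epoch it was written in and catches up later.
struct ClobberEpoch {
    uint32_t value = 1;
    void clobber() { ++value; }
};

// What the AI knows about one node: a finite set of structures (small ints
// here), "could be any structure" once clobbered, or nothing yet (bottom).
struct AbstractValue {
    std::vector<int> structures;
    bool structuresClobbered = false;
    uint32_t epoch = 0; // 0 = never written

    bool isBottom() const { return structures.empty() && !structuresClobbered; }

    void set(std::vector<int> known, const ClobberEpoch& current)
    {
        structures = std::move(known);
        structuresClobbered = false;
        epoch = current.value;
    }

    // Apply every clobber that happened since this value was written. Returns
    // true when real knowledge had to be discarded, so that work can be counted.
    bool fastForwardTo(const ClobberEpoch& current)
    {
        if (epoch == current.value)
            return false; // nothing happened since the write
        epoch = current.value;
        if (isBottom() || structuresClobbered)
            return false; // nothing to lose
        structures.clear();
        structuresClobbered = true;
        return true;
    }
};

class AbstractState {
public:
    explicit AbstractState(size_t nodeCount) : m_values(nodeCount) {}

    void setForNode(size_t node, std::vector<int> structures)
    {
        m_values[node].set(std::move(structures), m_epoch);
    }

    // Reads fast-forward on demand, so the work after a clobber is proportional
    // to the values actually consulted, not to the number of values tracked.
    AbstractValue& forNode(size_t node)
    {
        if (m_values[node].fastForwardTo(m_epoch))
            ++m_fastForwards;
        return m_values[node];
    }

    void clobberWorld() { m_epoch.clobber(); } // O(1) for any number of nodes
    size_t fastForwards() const { return m_fastForwards; }

private:
    ClobberEpoch m_epoch;
    std::vector<AbstractValue> m_values;
    size_t m_fastForwards = 0;
};

// Only the value that is read pays for the clobber, however many were tracked.
size_t fastForwardsAfterClobberAndOneRead(size_t nodeCount)
{
    AbstractState state(nodeCount);
    for (size_t node = 0; node < nodeCount; ++node)
        state.setForNode(node, { 1, 2 });
    state.clobberWorld();
    state.forNode(0);
    state.forNode(0); // already current: no further work
    return state.fastForwards();
}

// A clobber is observed on the next read, and a write after it is trusted again.
bool clobberIsObservedLazily()
{
    AbstractState state(2);
    state.setForNode(0, { 7 });
    state.setForNode(1, { 8 });
    state.clobberWorld();
    state.setForNode(1, { 9 }); // written after the clobber
    const AbstractValue& stale = state.forNode(0);
    const AbstractValue& fresh = state.forNode(1);
    return stale.structuresClobbered && stale.structures.empty()
        && !fresh.structuresClobbered && fresh.structures == std::vector<int> { 9 };
}
```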
1859
1860 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
1861
1862         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
1863         https://bugs.webkit.org/show_bug.cgi?id=185365
1864
1865         Reviewed by Saam Barati.
1866         
1867         This patch does three things to improve compile times:
1868         
1869         - Fixes some inlining goofs.
1870         
1871         - Adds the ability to measure compile times with run-jsc-benchmarks.
1872         
1873         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
1874           code that clears abstract values. It turns out that only constant folding "needed" this, in the
1875           sense that this was the only thing protecting it from loading the abstract value of a no-result
1876           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
1877           Any node that produces a result will explicitly set its abstract value, so this problem can
1878           also be guarded by just having constant folding check if the node it wants to fold returns any
1879           result.
1880         
1881         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
1882
1883         * dfg/DFGAbstractInterpreterInlines.h:
1884         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1885         * dfg/DFGAbstractValue.cpp:
1886         (JSC::DFG::AbstractValue::set):
1887         * dfg/DFGAbstractValue.h:
1888         (JSC::DFG::AbstractValue::merge):
1889         * dfg/DFGConstantFoldingPhase.cpp:
1890         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1891         * dfg/DFGGraph.h:
1892         (JSC::DFG::Graph::doToChildrenWithNode):
1893         (JSC::DFG::Graph::doToChildren):
1894         * dfg/DFGInPlaceAbstractState.cpp:
1895         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1896         * jit/JIT.cpp:
1897         (JSC::JIT::totalCompileTime):
1898         * jit/JIT.h:
1899         * jsc.cpp:
1900         (GlobalObject::finishCreation):
1901         (functionTotalCompileTime):
1902
1903 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1904
1905         DFG AI doesn't need to merge valuesAtTail - it can just assign them
1906         https://bugs.webkit.org/show_bug.cgi?id=185355
1907
1908         Reviewed by Mark Lam.
1909         
1910         This is a further attempt to improve compile times. Assigning AbstractValue ought to always
1911         be faster than merging. There's no need to merge valuesAtTail. In most cases, assigning and
1912         merging will get the same answer because the value computed this time will be either the same
1913         as or more general than the value computed last time. If the value does change for some
1914         reason, then valuesAtHead are already merged, which ensures monotonicity. Also, if the value
1915         changes, then we have no reason to believe that this new value is less right than the last
1916         one we computed. Finally, the one client of valuesAtTail (AtTailAbstractState) doesn't care
1917         if it's getting the merged valuesAtTail or just some correct answer for valuesAtTail.
1918
1919         * dfg/DFGInPlaceAbstractState.cpp:
1920         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1921
1922 2018-05-07  Andy VanWagoner  <andy@vanwagoner.family>
1923
1924         Remove defunct email address
1925         https://bugs.webkit.org/show_bug.cgi?id=185396
1926
1927         Reviewed by Mark Lam.
1928
1929         The email address thetalecrafter@gmail.com is no longer valid, as the
1930         associated google account has been closed. This updates the email
1931         address so questions about these Intl contributions go to the right
1932         place.
1933
1934         * builtins/DatePrototype.js:
1935         * builtins/NumberPrototype.js:
1936         * builtins/StringPrototype.js:
1937         * runtime/IntlCollator.cpp:
1938         * runtime/IntlCollator.h:
1939         * runtime/IntlCollatorConstructor.cpp:
1940         * runtime/IntlCollatorConstructor.h:
1941         * runtime/IntlCollatorPrototype.cpp:
1942         * runtime/IntlCollatorPrototype.h:
1943         * runtime/IntlDateTimeFormat.cpp:
1944         * runtime/IntlDateTimeFormat.h:
1945         * runtime/IntlDateTimeFormatConstructor.cpp:
1946         * runtime/IntlDateTimeFormatConstructor.h:
1947         * runtime/IntlDateTimeFormatPrototype.cpp:
1948         * runtime/IntlDateTimeFormatPrototype.h:
1949         * runtime/IntlNumberFormat.cpp:
1950         * runtime/IntlNumberFormat.h:
1951         * runtime/IntlNumberFormatConstructor.cpp:
1952         * runtime/IntlNumberFormatConstructor.h:
1953         * runtime/IntlNumberFormatPrototype.cpp:
1954         * runtime/IntlNumberFormatPrototype.h:
1955         * runtime/IntlObject.cpp:
1956         * runtime/IntlObject.h:
1957         * runtime/IntlPluralRules.cpp:
1958         * runtime/IntlPluralRules.h:
1959         * runtime/IntlPluralRulesConstructor.cpp:
1960         * runtime/IntlPluralRulesConstructor.h:
1961         * runtime/IntlPluralRulesPrototype.cpp:
1962         * runtime/IntlPluralRulesPrototype.h:
1963
1964 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1965
1966         [JSC] Remove "using namespace std;" from JSC, bmalloc, WTF
1967         https://bugs.webkit.org/show_bug.cgi?id=185362
1968
1969         Reviewed by Sam Weinig.
1970
1971         "namespace std" may include many names. It can conflict with names defined by our code
1972         and by other platform-provided headers. For example, std::byte conflicts with Windows'
1973         ::byte.
1974         This patch removes "using namespace std;" from JSC and bmalloc.
1975
1976         * API/JSClassRef.cpp:
1977         (OpaqueJSClass::create):
1978         * bytecode/Opcode.cpp:
1979         * bytecompiler/BytecodeGenerator.cpp:
1980         (JSC::BytecodeGenerator::newRegister):
1981         * heap/Heap.cpp:
1982         (JSC::Heap::updateAllocationLimits):
1983         * interpreter/Interpreter.cpp:
1984         * jit/JIT.cpp:
1985         * parser/Parser.cpp:
1986         * runtime/JSArray.cpp:
1987         * runtime/JSLexicalEnvironment.cpp:
1988         * runtime/JSModuleEnvironment.cpp:
1989         * runtime/Structure.cpp:
1990         * shell/DLLLauncherMain.cpp:
1991         (getStringValue):
1992         (applePathFromRegistry):
1993         (appleApplicationSupportDirectory):
1994         (copyEnvironmentVariable):
1995         (prependPath):
1996         (fatalError):
1997         (directoryExists):
1998         (modifyPath):
1999         (getLastErrorString):
2000         (wWinMain):
2001
2002 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
2003
2004         DFG CFA phase should only do clobber asserts in debug
2005         https://bugs.webkit.org/show_bug.cgi?id=185354
2006
2007         Reviewed by Saam Barati.
2008         
2009         Clobber asserts are responsible for 1% of compile time. That's too much. This disables them
2010         unless asserts are enabled.
2011
2012         * dfg/DFGCFAPhase.cpp:
2013         (JSC::DFG::CFAPhase::performBlockCFA):
2014
2015 2018-05-04  Keith Miller  <keith_miller@apple.com>
2016
2017         isCacheableArrayLength should return true for undecided arrays
2018         https://bugs.webkit.org/show_bug.cgi?id=185309
2019
2020         Reviewed by Michael Saboff.
2021
2022         Undecided arrays have butterflies so there is no reason why we
2023         should not be able to cache their length.
2024
2025         * bytecode/InlineAccess.cpp:
2026         (JSC::InlineAccess::isCacheableArrayLength):
2027
2028 2018-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2029
2030         Remove std::random_shuffle
2031         https://bugs.webkit.org/show_bug.cgi?id=185292
2032
2033         Reviewed by Darin Adler.
2034
2035         std::random_shuffle is deprecated in C++14 and removed in C++17,
2036         since std::random_shuffle relies on rand and srand.
2037         Use std::shuffle instead.
2038
2039         * jit/BinarySwitch.cpp:
2040         (JSC::RandomNumberGenerator::RandomNumberGenerator):
2041         (JSC::RandomNumberGenerator::operator()):
2042         (JSC::RandomNumberGenerator::min):
2043         (JSC::RandomNumberGenerator::max):
2044         (JSC::BinarySwitch::build):
2045
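Added example (not WebKit code): the interface std::shuffle requires of its generator, which is exactly the set of members the entry above lists for JSC::RandomNumberGenerator (constructor, operator(), min, max). The SplitMix64 state update and the seed value below are assumptions chosen for determinism; the point is the result_type/min/max/operator() shape, not the engine.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <numeric>
#include <vector>

// Minimal generator satisfying the UniformRandomBitGenerator requirements that
// std::shuffle needs: result_type, min(), max() and operator(). The state
// update is a SplitMix64 step, used here only because it is short and
// deterministic; it stands in for whatever engine the caller actually wants.
class SeededBitGenerator {
public:
    using result_type = uint64_t;

    explicit SeededBitGenerator(uint64_t seed) : m_state(seed) { }

    static constexpr result_type min() { return 0; }
    static constexpr result_type max() { return std::numeric_limits<result_type>::max(); }

    result_type operator()()
    {
        uint64_t z = (m_state += 0x9e3779b97f4a7c15ULL);
        z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
        z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
        return z ^ (z >> 31);
    }

private:
    uint64_t m_state;
};

// Shuffles the indices 0..count-1 with std::shuffle driven by the generator
// above; the same seed always yields the same permutation.
std::vector<int> shuffledIndices(int count, uint64_t seed)
{
    std::vector<int> indices(count);
    std::iota(indices.begin(), indices.end(), 0);
    SeededBitGenerator generator(seed);
    std::shuffle(indices.begin(), indices.end(), generator);
    return indices;
}

// True when `values` is a permutation of 0..values.size()-1, i.e. the shuffle
// neither lost nor duplicated an element.
bool isPermutation(const std::vector<int>& values)
{
    std::vector<int> sorted = values;
    std::sort(sorted.begin(), sorted.end());
    for (size_t i = 0; i < sorted.size(); ++i) {
        if (sorted[i] != static_cast<int>(i))
            return false;
    }
    return true;
}

int main()
{
    for (int index : shuffledIndices(10, 42))
        std::printf("%d ", index);
    std::printf("\n");
    return 0;
}
```

Because the generator is seeded explicitly rather than through the process-global srand state, the order is reproducible across runs and threads, which is what makes the std::shuffle form preferable to std::random_shuffle for something like BinarySwitch.
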
2046 2018-05-03  Saam Barati  <sbarati@apple.com>
2047
2048         Don't prevent CreateThis being folded to NewObject when the structure is poly proto
2049         https://bugs.webkit.org/show_bug.cgi?id=185177
2050
2051         Reviewed by Filip Pizlo.
2052
2053         This patch teaches the DFG/FTL how to constant fold CreateThis with
2054         a known poly proto Structure to NewObject. We do it by emitting a NewObject
2055         followed by a PutByOffset for the prototype value.
2056         
2057         We make it so that ObjectAllocationProfile holds the prototype value.
2058         This is sound because JSFunction clears that profile when its 'prototype'
2059         field changes.
2060         
2061         This patch also renames underscoreProtoPrivateName to polyProtoName since
2062         that name was nonsensical: it was only used for poly proto.
2063         
2064         This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
2065         regressed that benchmark when I first introduced poly proto.
2066
2067         * builtins/BuiltinNames.cpp:
2068         * builtins/BuiltinNames.h:
2069         (JSC::BuiltinNames::BuiltinNames):
2070         (JSC::BuiltinNames::polyProtoName const):
2071         (JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
2072         * bytecode/ObjectAllocationProfile.h:
2073         (JSC::ObjectAllocationProfile::prototype):
2074         (JSC::ObjectAllocationProfile::clear):
2075         (JSC::ObjectAllocationProfile::visitAggregate):
2076         * bytecode/ObjectAllocationProfileInlines.h:
2077         (JSC::ObjectAllocationProfile::initializeProfile):
2078         * dfg/DFGAbstractInterpreterInlines.h:
2079         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2080         * dfg/DFGByteCodeParser.cpp:
2081         (JSC::DFG::ByteCodeParser::parseBlock):
2082         * dfg/DFGConstantFoldingPhase.cpp:
2083         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2084         * dfg/DFGOperations.cpp:
2085         * runtime/CommonSlowPaths.cpp:
2086         (JSC::SLOW_PATH_DECL):
2087         * runtime/FunctionRareData.h:
2088         * runtime/Structure.cpp:
2089         (JSC::Structure::create):
2090
2091 2018-05-03  Michael Saboff  <msaboff@apple.com>
2092
2093         OSR entry pruning of Program Bytecodes doesn't take into account try/catch
2094         https://bugs.webkit.org/show_bug.cgi?id=185281
2095
2096         Reviewed by Saam Barati.
2097
2098         When we compute bytecode block reachability, we need to take into account blocks
2099         containing try/catch.
2100
2101         * jit/JIT.cpp:
2102         (JSC::JIT::privateCompileMainPass):
2103
2104 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2105
2106         ARM: Wrong offset for operand rt in disassembler
2107         https://bugs.webkit.org/show_bug.cgi?id=184083
2108
2109         Reviewed by Yusuke Suzuki.
2110
2111         * disassembler/ARMv7/ARMv7DOpcode.h:
2112         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
2113         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):
2114
2115 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2116
2117         ARM: Support vstr in disassembler
2118         https://bugs.webkit.org/show_bug.cgi?id=184084
2119
2120         Reviewed by Yusuke Suzuki.
2121
2122         * disassembler/ARMv7/ARMv7DOpcode.cpp:
2123         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format):
2124         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted.
2125         * disassembler/ARMv7/ARMv7DOpcode.h:
2126         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName):
2127         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted.
2128         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted.
2129         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted.
2130         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted.
2131         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted.
2132         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted.
2133
2134 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2135
2136         Invoke ensureArrayStorage for all arguments
2137         https://bugs.webkit.org/show_bug.cgi?id=185247
2138
2139         Reviewed by Yusuke Suzuki.
2140
2141         ensureArrayStorage was only invoked for the first argument in each loop iteration.
2142
2143         * jsc.cpp:
2144         (functionEnsureArrayStorage):
2145
2146 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
2147
2148         Make it easy to log compile times for all optimizing tiers
2149         https://bugs.webkit.org/show_bug.cgi?id=185270
2150
2151         Reviewed by Keith Miller.
2152         
2153         This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common
2154         helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used
2155         it.
2156         
2157         This should help us reduce compile times by telling us where to look. So far, it looks like
2158         CFA is the worst.
2159
2160         * JavaScriptCore.xcodeproj/project.pbxproj:
2161         * Sources.txt:
2162         * b3/B3Common.cpp:
2163         (JSC::B3::shouldMeasurePhaseTiming): Deleted.
2164         * b3/B3Common.h:
2165         * b3/B3TimingScope.cpp: Removed.
2166         * b3/B3TimingScope.h:
2167         (JSC::B3::TimingScope::TimingScope):
2168         * dfg/DFGPhase.h:
2169         (JSC::DFG::runAndLog):
2170         * dfg/DFGPlan.cpp:
2171         (JSC::DFG::Plan::compileInThread):
2172         * tools/CompilerTimingScope.cpp: Added.
2173         (JSC::CompilerTimingScope::CompilerTimingScope):
2174         (JSC::CompilerTimingScope::~CompilerTimingScope):
2175         * tools/CompilerTimingScope.h: Added.
2176         * runtime/Options.cpp:
2177         (JSC::recomputeDependentOptions):
2178         * runtime/Options.h:
2179
2180 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
2181
2182         Strings should not be allocated in a gigacage
2183         https://bugs.webkit.org/show_bug.cgi?id=185218
2184
2185         Reviewed by Saam Barati.
2186
2187         * runtime/JSBigInt.cpp:
2188         (JSC::JSBigInt::toStringGeneric):
2189         * runtime/JSString.cpp:
2190         (JSC::JSRopeString::resolveRopeToAtomicString const):
2191         (JSC::JSRopeString::resolveRope const):
2192         * runtime/JSString.h:
2193         (JSC::JSString::create):
2194         (JSC::JSString::createHasOtherOwner):
2195         * runtime/VM.h:
2196         (JSC::VM::gigacageAuxiliarySpace):
2197
2198 2018-05-03  Keith Miller  <keith_miller@apple.com>
2199
2200         Unreviewed, fix 32-bit profile offset for change in bytecode
2201         length of the get_by_id and get_array_length opcodes.
2202
2203         * llint/LowLevelInterpreter32_64.asm:
2204
2205 2018-05-03  Michael Saboff  <msaboff@apple.com>
2206
2207         WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript
2208         https://bugs.webkit.org/show_bug.cgi?id=185231
2209
2210         Reviewed by Saam Barati.
2211
2212         We weren't clearing the scratch register cache when switching back and forth between 
2213         allowing scratch register usage.  We disallow scratch register usage when we are in
2214         code that will freely allocate and use any register.  Such usage can change the
2215         contents of scratch registers.  For ARM64, where we cache the contents of scratch
2216         registers to reuse some or all of the contained values, we need to invalidate these
2217         caches.  We do this when re-enabling scratch register usage, that is when we transition
2218         from disallow to allow scratch register usage.
2219
2220         Added a new Air regression test.
2221
2222         * assembler/AllowMacroScratchRegisterUsage.h:
2223         (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage):
2224         * assembler/AllowMacroScratchRegisterUsageIf.h:
2225         (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
2226         * assembler/DisallowMacroScratchRegisterUsage.h:
2227         (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage):
2228         * b3/air/testair.cpp:
2229
2230 2018-05-03  Keith Miller  <keith_miller@apple.com>
2231
2232         Remove the prototype caching for get_by_id in the LLInt
2233         https://bugs.webkit.org/show_bug.cgi?id=185226
2234
2235         Reviewed by Michael Saboff.
2236
2237         There is no evidence that this is actually a speedup and we keep
2238         getting bugs with it. At this point it seems like we should just
2239         remove this code.
2240
2241         * CMakeLists.txt:
2242         * JavaScriptCore.xcodeproj/project.pbxproj:
2243         * Sources.txt:
2244         * bytecode/BytecodeDumper.cpp:
2245         (JSC::BytecodeDumper<Block>::printGetByIdOp):
2246         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
2247         (JSC::BytecodeDumper<Block>::dumpBytecode):
2248         * bytecode/BytecodeList.json:
2249         * bytecode/BytecodeUseDef.h:
2250         (JSC::computeUsesForBytecodeOffset):
2251         (JSC::computeDefsForBytecodeOffset):
2252         * bytecode/CodeBlock.cpp:
2253         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2254         * bytecode/CodeBlock.h:
2255         (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
2256         * bytecode/GetByIdStatus.cpp:
2257         (JSC::GetByIdStatus::computeFromLLInt):
2258         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
2259         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
2260         * bytecompiler/BytecodeGenerator.cpp:
2261         (JSC::BytecodeGenerator::emitGetById):
2262         * dfg/DFGByteCodeParser.cpp:
2263         (JSC::DFG::ByteCodeParser::parseBlock):
2264         * dfg/DFGCapabilities.cpp:
2265         (JSC::DFG::capabilityLevel):
2266         * jit/JIT.cpp:
2267         (JSC::JIT::privateCompileMainPass):
2268         (JSC::JIT::privateCompileSlowCases):
2269         * llint/LLIntSlowPaths.cpp:
2270         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2271         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
2272         * llint/LowLevelInterpreter32_64.asm:
2273         * llint/LowLevelInterpreter64.asm:
2274         * runtime/Options.h:
2275
2276 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
2277
2278         Unreviewed, rolling out r231197.
2279
2280         The test added with this change crashes on the 32-bit JSC bot.
2281
2282         Reverted changeset:
2283
2284         "Correctly detect string overflow when using the 'Function'
2285         constructor"
2286         https://bugs.webkit.org/show_bug.cgi?id=184883
2287         https://trac.webkit.org/changeset/231197
2288
2289 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2290
2291         Disable usage of fused multiply-add instructions for JSC with compiler flag
2292         https://bugs.webkit.org/show_bug.cgi?id=184909
2293
2294         Reviewed by Yusuke Suzuki.
2295
2296         Adds -ffp-contract as a compiler flag for building JSC. This ensures that functions
2297         like parseInt() do not return slightly different results depending on whether the
2298         compiler was able to use fused multiply-add instructions or not.
2299
2300         * CMakeLists.txt:
2301
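Added example (not WebKit code) illustrating why the flag matters: the same a*b + c is evaluated with two roundings (multiply, then add, as an un-contracted build does it) and with one rounding (fused, as the compiler may emit when contraction is allowed) on a constructed input where the two disagree. The volatile store forces the un-fused path regardless of the compiler's own contraction setting, so the comparison does not depend on how this file was built.

```cpp
#include <cmath>
#include <cstdio>

// Computes a*b + c without allowing the compiler to fuse the multiply and the
// add: the product is forced through a volatile so it is rounded to double
// before the addition, exactly as an un-contracted build would do it.
double unfusedMultiplyAdd(double a, double b, double c)
{
    volatile double product = a * b;
    return product + c;
}

// The same expression with fused semantics (a single rounding at the end),
// which is what a compiler is permitted to emit when contraction is on.
double fusedMultiplyAdd(double a, double b, double c)
{
    return std::fma(a, b, c);
}

// Returns true when the two evaluation strategies disagree on a*b + c.
bool contractionChangesResult(double a, double b, double c)
{
    return unfusedMultiplyAdd(a, b, c) != fusedMultiplyAdd(a, b, c);
}

// A constructed input where the difference is visible: with a = 1 + 2^-27 the
// exact square is 1 + 2^-26 + 2^-54, whose last term is below half an ulp of
// double and is lost when the product is rounded on its own. Subtracting 1
// then leaves 2^-26 in the un-contracted case, while the fused form keeps the
// 2^-54 because it rounds only once.
const double kA = 1.0 + std::ldexp(1.0, -27);
const double kExpectedUnfused = std::ldexp(1.0, -26);
const double kExpectedFused = std::ldexp(1.0, -26) + std::ldexp(1.0, -54);

int main()
{
    std::printf("unfused: %a\nfused:   %a\n",
        unfusedMultiplyAdd(kA, kA, -1.0), fusedMultiplyAdd(kA, kA, -1.0));
    return 0;
}
```

A numeric routine built once with contraction and once without will therefore disagree on inputs like kA, which is the cross-build inconsistency the flag removes for parseInt() and friends.
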
2302 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2303
2304         Unreviewed, fix build failure in ARM, ARMv7 and MIPS
2305         https://bugs.webkit.org/show_bug.cgi?id=185192
2306
2307         compareDouble relies on MacroAssembler::invert function.
2308
2309         * assembler/MacroAssembler.h:
2310         (JSC::MacroAssembler::compareDouble):
2311         * assembler/MacroAssemblerARM.h:
2312         (JSC::MacroAssemblerARM::compareDouble): Deleted.
2313         * assembler/MacroAssemblerARMv7.h:
2314         (JSC::MacroAssemblerARMv7::compareDouble): Deleted.
2315         * assembler/MacroAssemblerMIPS.h:
2316         (JSC::MacroAssemblerMIPS::compareDouble): Deleted.
2317
2318 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2319
2320         [JSC] Add MacroAssembler::and16 and store16
2321         https://bugs.webkit.org/show_bug.cgi?id=185188
2322
2323         Reviewed by Mark Lam.
2324
2325         r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations.
2326         This patch adds these methods for ARM.
2327
2328         * assembler/MacroAssemblerARM.h:
2329         (JSC::MacroAssemblerARM::and16):
2330         (JSC::MacroAssemblerARM::store16):
2331
2332 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2333
2334         [DFG] Unify compare related code in 32bit and 64bit
2335         https://bugs.webkit.org/show_bug.cgi?id=185189
2336
2337         Reviewed by Mark Lam.
2338
2339         This patch unifies some part of compare related code in 32bit and 64bit
2340         to reduce the size of 32bit specific DFG code.
2341
2342         * dfg/DFGSpeculativeJIT.cpp:
2343         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
2344         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
2345         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2346         * dfg/DFGSpeculativeJIT32_64.cpp:
2347         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
2348         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
2349         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
2350         * dfg/DFGSpeculativeJIT64.cpp:
2351         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
2352         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
2353         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
2354
2355 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2356
2357         [JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64
2358         https://bugs.webkit.org/show_bug.cgi?id=185192
2359
2360         Reviewed by Mark Lam.
2361
2362         Now Object.is starts using compareDouble. So we would like to have an
2363         efficient implementation of compareDouble and compareFloat for the
2364         major architectures, ARM64, X86, and X86_64.
2365
2366         This patch adds compareDouble and compareFloat implementations for
2367         these architectures. The generic implementation is moved to each
2368         architecture's MacroAssembler implementation.
2369
2370         We also add tests for them in testmasm. To implement this test
2371         easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the
2372         major architectures.
2373
2374         * assembler/MacroAssembler.h:
2375         (JSC::MacroAssembler::compareDouble): Deleted.
2376         (JSC::MacroAssembler::compareFloat): Deleted.
2377         * assembler/MacroAssemblerARM.h:
2378         (JSC::MacroAssemblerARM::compareDouble):
2379         * assembler/MacroAssemblerARM64.h:
2380         (JSC::MacroAssemblerARM64::compareDouble):
2381         (JSC::MacroAssemblerARM64::compareFloat):
2382         (JSC::MacroAssemblerARM64::loadFloat):
2383         (JSC::MacroAssemblerARM64::floatingPointCompare):
2384         * assembler/MacroAssemblerARMv7.h:
2385         (JSC::MacroAssemblerARMv7::compareDouble):
2386         * assembler/MacroAssemblerMIPS.h:
2387         (JSC::MacroAssemblerMIPS::compareDouble):
2388         * assembler/MacroAssemblerX86Common.h:
2389         (JSC::MacroAssemblerX86Common::loadFloat):
2390         (JSC::MacroAssemblerX86Common::compareDouble):
2391         (JSC::MacroAssemblerX86Common::compareFloat):
2392         (JSC::MacroAssemblerX86Common::floatingPointCompare):
2393         * assembler/X86Assembler.h:
2394         (JSC::X86Assembler::movss_mr):
2395         (JSC::X86Assembler::movss_rm):
2396         * assembler/testmasm.cpp:
2397         (JSC::floatOperands):
2398         (JSC::testCompareFloat):
2399         (JSC::run):
2400
2401 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2402
2403         Unreviewed, fix 32bit DFG code
2404         https://bugs.webkit.org/show_bug.cgi?id=185065
2405
2406         * dfg/DFGSpeculativeJIT.cpp:
2407         (JSC::DFG::SpeculativeJIT::compileSameValue):
2408
2409 2018-05-02  Filip Pizlo  <fpizlo@apple.com>
2410
2411         JSC should know how to cache custom getter accesses on the prototype chain
2412         https://bugs.webkit.org/show_bug.cgi?id=185213
2413
2414         Reviewed by Keith Miller.
2415
2416         This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test.
2417
2418         * jit/Repatch.cpp:
2419         (JSC::tryCacheGetByID):
2420
2421 2018-05-01  Filip Pizlo  <fpizlo@apple.com>
2422
2423         JSC should be able to cache custom setter calls on the prototype chain
2424         https://bugs.webkit.org/show_bug.cgi?id=185174
2425
2426         Reviewed by Saam Barati.
2427
2428         We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty()
2429         condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add
2430         impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead
2431         of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for
2432         custom accessors because it won't find the custom property in the structure.
2433
2434         The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty().
2435
2436         This is a 4x speed-up on assign-custom-setter.js.
2437
2438         * bytecode/AccessCase.cpp:
2439         (JSC::AccessCase::hasAlternateBase const):
2440         (JSC::AccessCase::alternateBase const):
2441         (JSC::AccessCase::generateImpl):
2442         * bytecode/AccessCase.h:
2443         (JSC::AccessCase::alternateBase const): Deleted.
2444         * bytecode/GetterSetterAccessCase.cpp:
2445         (JSC::GetterSetterAccessCase::hasAlternateBase const):
2446         (JSC::GetterSetterAccessCase::alternateBase const):
2447         * bytecode/GetterSetterAccessCase.h:
2448         * bytecode/ObjectPropertyConditionSet.cpp:
2449         (JSC::generateConditionsForPrototypePropertyHitCustom):
2450         * bytecode/ObjectPropertyConditionSet.h:
2451         * jit/Repatch.cpp:
2452         (JSC::tryCacheGetByID):
2453         (JSC::tryCachePutByID):
2454
2455 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
2456
2457         [MIPS] Implement and16 and store16 for MacroAssemblerMIPS
2458         https://bugs.webkit.org/show_bug.cgi?id=185195
2459
2460         Reviewed by Mark Lam.
2461
2462         This implements the given functions for MIPS, such that it builds again.
2463
2464         * assembler/MacroAssemblerMIPS.h:
2465         (JSC::MacroAssemblerMIPS::and16):
2466         (JSC::MacroAssemblerMIPS::store16):
2467
2468 2018-05-02  Rick Waldron  <waldron.rick@gmail.com>
2469
2470         Expose "$262.agent.monotonicNow()" for use in testing Atomic operation timeouts
2471         https://bugs.webkit.org/show_bug.cgi?id=185043
2472
2473         Reviewed by Filip Pizlo.
2474
2475         * jsc.cpp:
2476         (GlobalObject::finishCreation):
2477         (functionDollarAgentMonotonicNow):
2478
2479 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
2480
2481         [ARM] Implement and16 and store16 for MacroAssemblerARMv7
2482         https://bugs.webkit.org/show_bug.cgi?id=185196
2483
2484         Reviewed by Mark Lam.
2485
2486         This implements and16 and store16 for MacroAssemblerARMv7 such that JSC builds again.
2487
2488         * assembler/MacroAssemblerARMv7.h:
2489         (JSC::MacroAssemblerARMv7::and16):
2490         (JSC::MacroAssemblerARMv7::store16):
2491
2492 2018-05-02  Robin Morisset  <rmorisset@apple.com>
2493
2494         emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
2495         https://bugs.webkit.org/show_bug.cgi?id=183172
2496
2497         Reviewed by Filip Pizlo.
2498
2499         DFGArgumentsEliminationPhase.cpp currently believes that allocations of NewArrayWithSpread can be deleted if they are only used by GetArrayLength,
2500         but when it then calls emitCodeToGetArgumentsArrayLength, the latter has no idea what to do with GetArrayLength.
2501
2502         I fix the problem by teaching emitCodeToGetArgumentsArrayLength how to deal with GetArrayLength.
2503         Because this requires emitting an Add that can overflow and thus exit, we also tell DFGArgumentsEliminationPhase to give up on eliminating
2504         a NewArrayWithSpread when it is used by a GetArrayLength that is not allowed to exit.
2505
2506         * dfg/DFGArgumentsEliminationPhase.cpp:
2507         * dfg/DFGArgumentsUtilities.cpp:
2508         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2509
2510 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2511
2512         Unreviewed, stackPointer signature is different from declaration
2513         https://bugs.webkit.org/show_bug.cgi?id=184790
2514
2515         * runtime/MachineContext.h:
2516         (JSC::MachineContext::stackPointer):
2517
2518 2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2519
2520         [JSC] Add SameValue DFG node
2521         https://bugs.webkit.org/show_bug.cgi?id=185065
2522
2523         Reviewed by Saam Barati.
2524
2525         This patch adds Object.is handling in DFG and FTL. Object.is is converted to SameValue DFG node.
2526         And DFG fixup phase attempts to convert SameValue node to CompareStrictEq with type filter edges
2527         if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics
2528         from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have
2529         implementations for these SameValue nodes.
2530
2531         This old MacroAssemblerX86Common::compareDouble was dead code since the derived class, "MacroAssembler",
2532         has a generalized compareDouble, which just uses branchDouble. Since this was not used, this function
2533         was broken. This patch fixes the issues and moves compareDouble to MacroAssemblerX86Common, and removes the
2534         generalized compareDouble for the x86 arch so that this specialized efficient version is used instead. The fixes are
2535         correctly using set32 to zero-extend the result, and setting the initial value of the `dest` register
2536         correctly for the DoubleEqual and DoubleNotEqualOrUnordered cases.
2537
2538         Added microbenchmark shows performance improvement.
2539
2540             object-is           651.0053+-38.8204    ^    241.3467+-15.8753       ^ definitely 2.6974x faster
2541
2542         * assembler/MacroAssembler.h:
2543         * assembler/MacroAssemblerX86Common.h:
2544         (JSC::MacroAssemblerX86Common::compareDouble):
2545         * assembler/MacroAssemblerX86_64.h:
2546         (JSC::MacroAssemblerX86_64::compareDouble): Deleted.
2547         * assembler/testmasm.cpp:
2548         (JSC::doubleOperands):
2549         (JSC::testCompareDouble):
2550         (JSC::run):
2551         * dfg/DFGAbstractInterpreterInlines.h:
2552         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2553         * dfg/DFGByteCodeParser.cpp:
2554         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2555         * dfg/DFGClobberize.h:
2556         (JSC::DFG::clobberize):
2557         * dfg/DFGConstantFoldingPhase.cpp:
2558         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2559         * dfg/DFGDoesGC.cpp:
2560         (JSC::DFG::doesGC):
2561         * dfg/DFGFixupPhase.cpp:
2562         (JSC::DFG::FixupPhase::fixupNode):
2563         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2564         * dfg/DFGNodeType.h:
2565         * dfg/DFGOperations.cpp:
2566         * dfg/DFGOperations.h:
2567         * dfg/DFGPredictionPropagationPhase.cpp:
2568         * dfg/DFGSafeToExecute.h:
2569         (JSC::DFG::safeToExecute):
2570         * dfg/DFGSpeculativeJIT.cpp:
2571         (JSC::DFG::SpeculativeJIT::compileSameValue):
2572         * dfg/DFGSpeculativeJIT.h:
2573         * dfg/DFGSpeculativeJIT32_64.cpp:
2574         (JSC::DFG::SpeculativeJIT::compile):
2575         * dfg/DFGSpeculativeJIT64.cpp:
2576         (JSC::DFG::SpeculativeJIT::compile):
2577         * dfg/DFGValidate.cpp:
2578         * ftl/FTLCapabilities.cpp:
2579         (JSC::FTL::canCompile):
2580         * ftl/FTLLowerDFGToB3.cpp:
2581         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2582         (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
2583         * runtime/Intrinsic.cpp:
2584         (JSC::intrinsicName):
2585         * runtime/Intrinsic.h:
2586         * runtime/ObjectConstructor.cpp:
2587
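Added example (not JSC code): the SameValue and strict-equality semantics spelled out in plain C++ for doubles, together with the two condition codes the entry names, so the inputs on which the fixup cannot rewrite SameValue(Double, Double) to CompareStrictEq (NaN and the two zeros) can be checked directly. The function names are this example's own, not JSC identifiers.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// JavaScript's strict equality (===) on two doubles is the IEEE comparison:
// NaN is never equal to anything, and +0 equals -0.
bool strictEquals(double a, double b)
{
    return a == b;
}

// ECMAScript SameValue, the semantics behind Object.is: every NaN equals every
// other NaN, and +0 and -0 are distinct. Everything else matches ===.
bool sameValue(double a, double b)
{
    if (std::isnan(a) || std::isnan(b))
        return std::isnan(a) && std::isnan(b);
    if (a == 0.0 && b == 0.0) {
        // Compare the bit patterns so the sign of zero is observed.
        uint64_t bitsA, bitsB;
        std::memcpy(&bitsA, &a, sizeof bitsA);
        std::memcpy(&bitsB, &b, sizeof bitsB);
        return bitsA == bitsB;
    }
    return a == b;
}

// True when SameValue and === agree for this pair. Rewriting a SameValue node
// to CompareStrictEq is only sound when this holds for every input that can
// reach the node, which is why the Untyped and Double cases are kept apart.
bool sameValueAgreesWithStrictEquals(double a, double b)
{
    return sameValue(a, b) == strictEquals(a, b);
}

// The two floating-point conditions named in the entry, modelled in C++. The
// ordered condition is false whenever either input is NaN; the "...OrUnordered"
// condition is true in that case. A set-register implementation therefore has
// to start `dest` from the right default for unordered inputs.
bool doubleEqual(double a, double b)
{
    return !std::isnan(a) && !std::isnan(b) && a == b;
}

bool doubleNotEqualOrUnordered(double a, double b)
{
    return std::isnan(a) || std::isnan(b) || a != b;
}

int main()
{
    std::printf("Object.is(NaN, NaN) -> %d, NaN === NaN -> %d\n",
        sameValue(NAN, NAN), strictEquals(NAN, NAN));
    std::printf("Object.is(0, -0) -> %d, 0 === -0 -> %d\n",
        sameValue(0.0, -0.0), strictEquals(0.0, -0.0));
    return 0;
}
```
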
2588 2018-04-30  Filip Pizlo  <fpizlo@apple.com>
2589
2590         B3::demoteValues should be able to handle patchpoint terminals
2591         https://bugs.webkit.org/show_bug.cgi?id=185151
2592
2593         Reviewed by Saam Barati.
2594         
2595         If we try to demote a patchpoint terminal then prior to this change we would append a Set to
2596         the basic block that the patchpoint terminated. That's wrong because then the terminal is no
2597         longer the last thing in the block.
2598         
2599         Air encounters this problem in spilling and solves it by doing a fixup afterwards. We can't
2600         really do that because demotion happens as a prerequisite to other transformations.
2601         
2602         One solution might have been to make demoteValues insert a basic block whenever it encounters
2603         this problem. But that would break clients that do CFG analysis before demoteValues and use
2604         the results of the CFG analysis after demoteValues. Taildup does this. Fortunately, taildup
2605         also runs breakCriticalEdges. Probably anyone using demoteValues will use breakCriticalEdges,
2606         so it's not bad to introduce that requirement.
2607         
2608         So, this patch solves the problem by ensuring that breakCriticalEdges treats any patchpoint
2609         terminal as if it had multiple successors. This means that a patchpoint terminal's successors
2610         will only have it as their predecessor. Then, demoteValues just prepends the Set to the
2611         successors of the patchpoint terminal.
2612         
2613         This was probably asymptomatic. It's hard to write a JS test that triggers this, so I added
2614         a unit test in testb3.
2615
2616         * b3/B3BreakCriticalEdges.cpp:
2617         (JSC::B3::breakCriticalEdges):
2618         * b3/B3BreakCriticalEdges.h:
2619         * b3/B3FixSSA.cpp:
2620         (JSC::B3::demoteValues):
2621         (JSC::B3::fixSSA):
2622         * b3/B3FixSSA.h:
2623         * b3/B3Value.cpp:
2624         (JSC::B3::Value::foldIdentity const):
2625         (JSC::B3::Value::performSubstitution):
2626         * b3/B3Value.h:
2627         * b3/testb3.cpp:
2628         (JSC::B3::testDemotePatchpointTerminal):
2629         (JSC::B3::run):
2630
2631 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2632
2633         Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
2634         https://bugs.webkit.org/show_bug.cgi?id=184772
2635         <rdar://problem/39146327>
2636
2637         Reviewed by Filip Pizlo.
2638
2639         Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399>), where a check was missing.
2640         This patch now makes sure that the check correctly detects if there is an integer overflow.
2641
2642         * runtime/JSArray.cpp:
2643         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2644
2645 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2646
2647         Correctly detect string overflow when using the 'Function' constructor
2648         https://bugs.webkit.org/show_bug.cgi?id=184883
2649         <rdar://problem/36320331>
2650
2651         Reviewed by Filip Pizlo.
2652
2653         The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation.
2654         Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case.
2655
2656         I added new tryAppend methods alongside the old append methods, that return a boolean (true means success, false means an overflow happened).
2657         In this way, it becomes possible for the Function constructor to just throw a proper JS exception when asked to create a string > 4GB.
2658         I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.
2659
2660         * runtime/FunctionConstructor.cpp:
2661         (JSC::constructFunctionSkippingEvalEnabledCheck):
2662         * runtime/JSONObject.cpp:
2663         (JSC::Stringifier::appendStringifiedValue):
2664
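Added example (not WebKit's CheckedArithmetic or WTF StringBuilder code) covering the two entries above: a 32-bit length addition that reports overflow rather than wrapping, used for an unshift-style new-length computation, and a string builder whose tryAppend returns false when a cap would be exceeded while append keeps the fatal contract for callers that rely on it. The length cap and the sample source pieces are constructed for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <limits>
#include <string>
#include <vector>

// Adds two 32-bit lengths and reports overflow instead of letting the sum wrap.
// A plain `length + count` would silently produce a too-small value, which a
// later bounds check can no longer detect.
bool tryAddLength(uint32_t length, uint32_t count, uint32_t& result)
{
    if (count > std::numeric_limits<uint32_t>::max() - length)
        return false;
    result = length + count;
    return true;
}

// New length after inserting `count` elements in front of `length` existing
// ones (the unshift shape). Returns false when the result does not fit.
bool tryComputeUnshiftedLength(uint32_t length, uint32_t count, uint32_t& newLength)
{
    return tryAddLength(length, count, newLength);
}

// A string accumulator with an explicit length cap (constructed for the
// example; a real builder has a fixed implementation limit). tryAppend() returns
// false on overflow so the caller can surface an error; append() keeps the
// crash-on-overflow contract for callers that depend on it.
class BoundedStringBuilder {
public:
    explicit BoundedStringBuilder(uint32_t maxLength) : m_maxLength(maxLength) { }

    bool tryAppend(const std::string& piece)
    {
        uint32_t newLength = 0;
        if (piece.size() > std::numeric_limits<uint32_t>::max())
            return false;
        if (!tryAddLength(m_length, static_cast<uint32_t>(piece.size()), newLength))
            return false;
        if (newLength > m_maxLength)
            return false;
        m_length = newLength;
        m_content += piece;
        return true;
    }

    void append(const std::string& piece)
    {
        if (!tryAppend(piece))
            std::abort(); // the old contract: overflow is fatal
    }

    uint32_t length() const { return m_length; }
    const std::string& content() const { return m_content; }

private:
    uint32_t m_maxLength;
    uint32_t m_length = 0;
    std::string m_content;
};

// Assembles a function's source text from its pieces the way a Function
// constructor might, stopping at the first piece that would exceed the cap.
// Returns the number of pieces appended, so a short count signals overflow.
size_t piecesAppendedUnderCap(const std::vector<std::string>& pieces, uint32_t maxLength)
{
    BoundedStringBuilder builder(maxLength);
    size_t appended = 0;
    for (const std::string& piece : pieces) {
        if (!builder.tryAppend(piece))
            break;
        ++appended;
    }
    return appended;
}

int main()
{
    std::vector<std::string> pieces = { "function (", "a, b", ") {", " return a + b; ", "}" };
    std::printf("appended %zu of %zu pieces under a 16-byte cap\n",
        piecesAppendedUnderCap(pieces, 16), pieces.size());
    return 0;
}
```

The append/tryAppend split follows the reasoning in the entry: callers that expect a hard failure on overflow keep it, while a caller that can throw a JS exception checks the boolean and reports the error instead of crashing the process.
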
2665 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2666
2667         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
2668         https://bugs.webkit.org/show_bug.cgi?id=185162
2669
2670         Reviewed by Filip Pizlo.
2671
2672         * runtime/IntlObject.cpp:
2673         (JSC::removeUnicodeLocaleExtension):
2674
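Added example (not JSC's implementation) of the behaviour the title above describes, written against std::string: strip a "-u-..." Unicode extension from a language tag, but leave a tag that merely ends in "-u" untouched. The subtag rules applied (a one-character singleton ends the extension; "-x-" starts the private-use section) are the BCP 47 structure as understood here, and the function name is borrowed from the entry's title only.

```cpp
#include <cstdio>
#include <initializer_list>
#include <string>
#include <vector>

// Splits a language tag on '-'. Helper constructed for the example.
static std::vector<std::string> splitSubtags(const std::string& locale)
{
    std::vector<std::string> parts;
    std::string current;
    for (char c : locale) {
        if (c == '-') {
            parts.push_back(current);
            current.clear();
        } else
            current += c;
    }
    parts.push_back(current);
    return parts;
}

// Removes the Unicode "-u-..." extension from a language tag. The extension
// begins at a "u" singleton and runs until the next singleton subtag (which
// starts another extension or the "-x-" private-use section) or the end of the
// tag. A trailing "-u" with nothing after it is not an extension and is kept,
// which is the case the entry above fixes; the `i + 1 < parts.size()` test
// below is what preserves it.
std::string removeUnicodeLocaleExtension(const std::string& locale)
{
    std::vector<std::string> parts = splitSubtags(locale);
    std::string result = parts.empty() ? std::string() : parts[0];
    bool inPrivateUse = false;
    for (size_t i = 1; i < parts.size(); ++i) {
        const std::string& part = parts[i];
        if (part == "x")
            inPrivateUse = true;
        if (!inPrivateUse && part == "u" && i + 1 < parts.size()) {
            // Skip the keys and values of the "u" extension; a one-character
            // subtag is the next singleton and ends it.
            while (i + 1 < parts.size() && parts[i + 1].size() > 1)
                ++i;
            continue;
        }
        result += '-';
        result += part;
    }
    return result;
}

int main()
{
    for (const char* tag : { "en-u-ca-gregory", "de-DE-u-co-phonebk-x-priv", "en-u" })
        std::printf("%s -> %s\n", tag, removeUnicodeLocaleExtension(tag).c_str());
    return 0;
}
```
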
2675 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
2676
2677         Add SetCallee as DFG-Operation
2678         https://bugs.webkit.org/show_bug.cgi?id=184582
2679
2680         Reviewed by Filip Pizlo.
2681
2682         For recursive tail calls, not only the argument count can change but also the
2683         callee. Add SetCallee to DFG that sets the callee slot in the current call frame.
2684         Also update the callee when optimizing a recursive tail call.
2685         Also enable recursive tail call optimization for closures.
2686
2687         * dfg/DFGAbstractInterpreterInlines.h:
2688         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2689         * dfg/DFGByteCodeParser.cpp:
2690         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2691         (JSC::DFG::ByteCodeParser::handleCallVariant):
2692         * dfg/DFGClobberize.h:
2693         (JSC::DFG::clobberize):
2694         * dfg/DFGDoesGC.cpp:
2695         (JSC::DFG::doesGC):
2696         * dfg/DFGFixupPhase.cpp:
2697         (JSC::DFG::FixupPhase::fixupNode):
2698         * dfg/DFGMayExit.cpp:
2699         * dfg/DFGNodeType.h:
2700         * dfg/DFGPredictionPropagationPhase.cpp:
2701         * dfg/DFGSafeToExecute.h:
2702         (JSC::DFG::safeToExecute):
2703         * dfg/DFGSpeculativeJIT.cpp:
2704         (JSC::DFG::SpeculativeJIT::compileSetCallee):
2705         * dfg/DFGSpeculativeJIT.h:
2706         * dfg/DFGSpeculativeJIT32_64.cpp:
2707         (JSC::DFG::SpeculativeJIT::compile):
2708         * dfg/DFGSpeculativeJIT64.cpp:
2709         (JSC::DFG::SpeculativeJIT::compile):
2710         * ftl/FTLCapabilities.cpp:
2711         (JSC::FTL::canCompile):
2712         * ftl/FTLLowerDFGToB3.cpp:
2713         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2714         (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):
2715
2716 2018-05-01  Oleksandr Skachkov  <gskachkov@gmail.com>
2717
2718         WebAssembly: add support for stream APIs - JavaScript API
2719         https://bugs.webkit.org/show_bug.cgi?id=183442
2720
2721         Reviewed by Yusuke Suzuki and JF Bastien.
2722
2723         Add WebAssembly stream API. The current patch only adds the functions
2724         WebAssembly.compileStreaming and WebAssembly.instantiateStreaming but
2725         does not add a streaming implementation. So in the current version it
2726         only waits for the whole module to load, then starts to parse.
2727
2728         * CMakeLists.txt:
2729         * Configurations/FeatureDefines.xcconfig:
2730         * DerivedSources.make:
2731         * JavaScriptCore.xcodeproj/project.pbxproj:
2732         * builtins/BuiltinNames.h:
2733         * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
2734         (compileStreaming):
2735         (instantiateStreaming):
2736         * jsc.cpp:
2737         * runtime/JSGlobalObject.cpp:
2738         (JSC::JSGlobalObject::init):
2739         * runtime/JSGlobalObject.h:
2740         * runtime/Options.h:
2741         * runtime/PromiseDeferredTimer.cpp:
2742         (JSC::PromiseDeferredTimer::hasPendingPromise):
2743         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
2744         * runtime/PromiseDeferredTimer.h:
2745         * wasm/js/WebAssemblyPrototype.cpp:
2746         (JSC::webAssemblyModuleValidateAsyncInternal):
2747         (JSC::webAssemblyCompileFunc):
2748         (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
2749         (JSC::webAssemblyModuleInstantinateAsyncInternal):
2750         (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
2751         (JSC::webAssemblyCompileStreamingInternal):
2752         (JSC::webAssemblyInstantiateStreamingInternal):
2753         (JSC::WebAssemblyPrototype::create):
2754         (JSC::WebAssemblyPrototype::finishCreation):
2755         * wasm/js/WebAssemblyPrototype.h:
2756
2757 2018-04-30  Saam Barati  <sbarati@apple.com>
2758
2759         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
2760         https://bugs.webkit.org/show_bug.cgi?id=185149
2761         <rdar://problem/39455917>
2762
2763         Reviewed by Filip Pizlo.
2764
2765         The bug was that we were deleting checks that we shouldn't have deleted.
2766         This patch makes a helper inside strength reduction that converts to
2767         a LazyJSConstant while maintaining checks, and switches users of the
2768         node API inside strength reduction to instead call the helper function.
2769         
2770         This patch also fixes a potential bug where StringReplace and
2771         StringReplaceRegExp may not preserve all their checks.
2772
2773
2774         * dfg/DFGStrengthReductionPhase.cpp:
2775         (JSC::DFG::StrengthReductionPhase::handleNode):
2776         (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):
2777
2778 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
2779
2780         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
2781         https://bugs.webkit.org/show_bug.cgi?id=185126
2782
2783         Reviewed by Saam Barati.
2784         
2785         This change is just restoring functionality that we've already had for a while. It had been
2786         accidentally broken due to an unrelated CodeBlock refactoring.
2787
2788         * dfg/DFGLICMPhase.cpp:
2789         (JSC::DFG::LICMPhase::attemptHoist):
2790
2791 2018-04-30  Mark Lam  <mark.lam@apple.com>
2792
2793         Apply PtrTags to the MetaAllocator and friends.
2794         https://bugs.webkit.org/show_bug.cgi?id=185110
2795         <rdar://problem/39533895>
2796
2797         Reviewed by Saam Barati.
2798
2799         1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
2800         2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
2801            and add a sanity check to verify that allocated code buffers are within those
2802            bounds.
2803
2804         * assembler/LinkBuffer.cpp:
2805         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
2806         (JSC::LinkBuffer::copyCompactAndLinkCode):
2807         (JSC::LinkBuffer::linkCode):
2808         (JSC::LinkBuffer::allocate):
2809         * assembler/LinkBuffer.h:
2810         (JSC::LinkBuffer::LinkBuffer):
2811         (JSC::LinkBuffer::debugAddress):
2812         (JSC::LinkBuffer::code):
2813         * assembler/MacroAssemblerCodeRef.h:
2814         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
2815         * bytecode/InlineAccess.cpp:
2816         (JSC::linkCodeInline):
2817         (JSC::InlineAccess::rewireStubAsJump):
2818         * dfg/DFGJITCode.cpp:
2819         (JSC::DFG::JITCode::findPC):
2820         * ftl/FTLJITCode.cpp:
2821         (JSC::FTL::JITCode::findPC):
2822         * jit/ExecutableAllocator.cpp:
2823         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2824         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2825         (JSC::ExecutableAllocator::allocate):
2826         * jit/ExecutableAllocator.h:
2827         (JSC::isJITPC):
2828         (JSC::performJITMemcpy):
2829         * jit/JIT.cpp:
2830         (JSC::JIT::link):
2831         * jit/JITMathIC.h:
2832         (JSC::isProfileEmpty):
2833         * runtime/JSCPtrTag.h:
2834         * wasm/WasmCallee.cpp:
2835         (JSC::Wasm::Callee::Callee):
2836         * wasm/WasmFaultSignalHandler.cpp:
2837         (JSC::Wasm::trapHandler):
2838
2839 2018-04-30  Keith Miller  <keith_miller@apple.com>
2840
2841         Move the MayBePrototype JSCell header bit to InlineTypeFlags
2842         https://bugs.webkit.org/show_bug.cgi?id=185143
2843
2844         Reviewed by Mark Lam.
2845
2846         * runtime/IndexingType.h:
2847         * runtime/JSCellInlines.h:
2848         (JSC::JSCell::setStructure):
2849         (JSC::JSCell::mayBePrototype const):
2850         (JSC::JSCell::didBecomePrototype):
2851         * runtime/JSTypeInfo.h:
2852         (JSC::TypeInfo::mayBePrototype):
2853         (JSC::TypeInfo::mergeInlineTypeFlags):
2854
2855 2018-04-30  Keith Miller  <keith_miller@apple.com>
2856
2857         Remove unneeded exception check from String.fromCharCode
2858         https://bugs.webkit.org/show_bug.cgi?id=185083
2859
2860         Reviewed by Mark Lam.
2861
2862         * runtime/StringConstructor.cpp:
2863         (JSC::stringFromCharCode):
2864
2865 2018-04-30  Keith Miller  <keith_miller@apple.com>
2866
2867         Move StructureIsImmortal to out of line flags.
2868         https://bugs.webkit.org/show_bug.cgi?id=185101
2869
2870         Reviewed by Saam Barati.
2871
2872         This will free up a bit in the inline flags where we can move the
2873         isPrototype bit to. This will, in turn, free a bit for use in
2874         implementing copy on write butterflies.
2875
2876         Also, this patch removes an assertion from Structure::typeInfo()
2877         that inadvertently makes the function invalid to call while
2878         cleaning up the vm.
2879
2880         * heap/HeapCellType.cpp:
2881         (JSC::DefaultDestroyFunc::operator() const):
2882         * runtime/JSCell.h:
2883         * runtime/JSCellInlines.h:
2884         (JSC::JSCell::callDestructor): Deleted.
2885         * runtime/JSTypeInfo.h:
2886         (JSC::TypeInfo::hasStaticPropertyTable):
2887         (JSC::TypeInfo::structureIsImmortal const):
2888         * runtime/Structure.h:
2889
2890 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2891
2892         [JSC] Remove arity fixup check if the number of parameters is 1
2893         https://bugs.webkit.org/show_bug.cgi?id=183984
2894
2895         Reviewed by Mark Lam.
2896
2897         If the number of parameters is one (|this|), we never hit the arity fixup check.
2898         We do not need to emit arity fixup check code.
2899
2900         * dfg/DFGDriver.cpp:
2901         (JSC::DFG::compileImpl):
2902         * dfg/DFGJITCompiler.cpp:
2903         (JSC::DFG::JITCompiler::compileFunction):
2904         * dfg/DFGJITCompiler.h:
2905         * ftl/FTLLink.cpp:
2906         (JSC::FTL::link):
2907         * jit/JIT.cpp:
2908         (JSC::JIT::compileWithoutLinking):
2909
2910 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2911
2912         Use WordLock instead of std::mutex for Threading
2913         https://bugs.webkit.org/show_bug.cgi?id=185121
2914
2915         Reviewed by Geoffrey Garen.
2916
2917         ThreadGroup starts using WordLock.
2918
2919         * heap/MachineStackMarker.h:
2920         (JSC::MachineThreads::getLock):
2921
2922 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
2923
2924         B3 should run tail duplication at the bitter end
2925         https://bugs.webkit.org/show_bug.cgi?id=185123
2926
2927         Reviewed by Geoffrey Garen.
2928         
2929         Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
2930         everywhere else.
2931         
2932         The goal of this change is to allow us to run path specialization after switch lowering but
2933         before tail duplication.
2934
2935         * b3/B3Generate.cpp:
2936         (JSC::B3::generateToAir):
2937         * runtime/Options.h:
2938
2939 2018-04-29  Commit Queue  <commit-queue@webkit.org>
2940
2941         Unreviewed, rolling out r231137.
2942         https://bugs.webkit.org/show_bug.cgi?id=185118
2943
2944         It is breaking Test262 language/expressions/multiplication/order-of-evaluation.js
2945         (Requested by caiolima on #webkit).
2946
2947         Reverted changeset:
2948
2949         "[ESNext][BigInt] Implement support for "*" operation"
2950         https://bugs.webkit.org/show_bug.cgi?id=183721
2951         https://trac.webkit.org/changeset/231137
2952
2953 2018-04-28  Saam Barati  <sbarati@apple.com>
2954
2955         We don't model regexp effects properly
2956         https://bugs.webkit.org/show_bug.cgi?id=185059
2957         <rdar://problem/39736150>
2958
2959         Reviewed by Filip Pizlo.
2960
2961         RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if
2962         the regexp is global.
2963
2964         * dfg/DFGAbstractInterpreterInlines.h:
2965         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2966         * dfg/DFGClobberize.h:
2967         (JSC::DFG::clobberize):
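
An added example, not part of this ChangeLog or of the JSC sources: plain JavaScript showing why the entry above matters. Reading lastIndex on a global RegExp runs the ToLength(ToNumber(...)) conversion, and an object-valued lastIndex makes that conversion call user code. A compiler that modelled exec/test as effect-free could keep using a value it had already loaded (here, shared.value) after the call; the function below makes that mutation observable. The regexp, the shared object and the logged names are constructed for the example.

```javascript
// Added example (not JSC code). A global regexp reads and writes lastIndex,
// and converting an object lastIndex to a number calls its valueOf. Anything
// can happen in there, which is why the DFG treats exec/test as clobbering.
function lastIndexSideEffects() {
  const re = /a/g;                     // global: lastIndex is honoured
  const log = [];
  const shared = { value: 'untouched' };

  re.lastIndex = {
    valueOf() {
      log.push('valueOf');
      shared.value = 'mutated during exec';   // arbitrary effect inside exec
      return 0;                               // start matching at index 0
    },
  };

  const before = shared.value;         // a value a JIT might cache
  const match = re.exec('aaa');
  const after = shared.value;          // must be re-read after the call

  return {
    before,
    after,
    log,
    matched: match !== null,
    matchIndex: match ? match.index : -1,
    lastIndexAfter: re.lastIndex,      // engine wrote back the numeric position
  };
}

// True when the conversion ran exactly once, the shared state changed under
// the caller, and the engine advanced lastIndex past the match.
function wasSideEffectObserved() {
  const r = lastIndexSideEffects();
  return r.before !== r.after && r.log.length === 1 && r.lastIndexAfter === 1;
}
```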
2968
2969 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
2970
2971         Token misspelled "tocken" in error message string
2972         https://bugs.webkit.org/show_bug.cgi?id=185030
2973
2974         Reviewed by Saam Barati.
2975
2976         * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
2977         (JSC::Parser<LexerType>::Parser):
2978         (JSC::Parser<LexerType>::didFinishParsing):
2979         (JSC::Parser<LexerType>::parseSourceElements):
2980         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2981         (JSC::Parser<LexerType>::parseVariableDeclaration):
2982         (JSC::Parser<LexerType>::parseWhileStatement):
2983         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2984         (JSC::Parser<LexerType>::createBindingPattern):
2985         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
2986         (JSC::Parser<LexerType>::parseObjectRestElement):
2987         (JSC::Parser<LexerType>::parseDestructuringPattern):
2988         (JSC::Parser<LexerType>::parseForStatement):
2989         (JSC::Parser<LexerType>::parseBreakStatement):
2990         (JSC::Parser<LexerType>::parseContinueStatement):
2991         (JSC::Parser<LexerType>::parseThrowStatement):
2992         (JSC::Parser<LexerType>::parseWithStatement):
2993         (JSC::Parser<LexerType>::parseSwitchStatement):
2994         (JSC::Parser<LexerType>::parseSwitchClauses):
2995         (JSC::Parser<LexerType>::parseTryStatement):
2996         (JSC::Parser<LexerType>::parseBlockStatement):
2997         (JSC::Parser<LexerType>::parseFormalParameters):
2998         (JSC::Parser<LexerType>::parseFunctionParameters):
2999         (JSC::Parser<LexerType>::parseFunctionInfo):
3000         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
3001         (JSC::Parser<LexerType>::parseExpressionStatement):
3002         (JSC::Parser<LexerType>::parseIfStatement):
3003         (JSC::Parser<LexerType>::parseAssignmentExpression):
3004         (JSC::Parser<LexerType>::parseConditionalExpression):
3005         (JSC::Parser<LexerType>::parseBinaryExpression):
3006         (JSC::Parser<LexerType>::parseObjectLiteral):
3007         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
3008         (JSC::Parser<LexerType>::parseArrayLiteral):
3009         (JSC::Parser<LexerType>::parseArguments):
3010         (JSC::Parser<LexerType>::parseMemberExpression):
3011         (JSC::operatorString):
3012         (JSC::Parser<LexerType>::parseUnaryExpression):
3013         (JSC::Parser<LexerType>::printUnexpectedTokenText):
3014
3015 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
3016
3017         [ESNext][BigInt] Implement support for "*" operation
3018         https://bugs.webkit.org/show_bug.cgi?id=183721
3019
3020         Reviewed by Saam Barati.
3021
3022         Added BigInt support to the times binary operator in LLInt and in the
3023         JITOperations profiledMul and unprofiledMul. We are also replacing all
3024         uses of int with unsigned when there are no negative values for the
3025         variables.
3026
3027         * dfg/DFGConstantFoldingPhase.cpp:
3028         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3029         * jit/JITOperations.cpp:
3030         * runtime/CommonSlowPaths.cpp:
3031         (JSC::SLOW_PATH_DECL):
3032         * runtime/JSBigInt.cpp:
3033         (JSC::JSBigInt::JSBigInt):
3034         (JSC::JSBigInt::allocationSize):
3035         (JSC::JSBigInt::createWithLength):
3036         (JSC::JSBigInt::toString):
3037         (JSC::JSBigInt::multiply):
3038         (JSC::JSBigInt::digitDiv):
3039         (JSC::JSBigInt::internalMultiplyAdd):
3040         (JSC::JSBigInt::multiplyAccumulate):
3041         (JSC::JSBigInt::equals):
3042         (JSC::JSBigInt::absoluteDivSmall):
3043         (JSC::JSBigInt::calculateMaximumCharactersRequired):
3044         (JSC::JSBigInt::toStringGeneric):
3045         (JSC::JSBigInt::rightTrim):
3046         (JSC::JSBigInt::allocateFor):
3047         (JSC::JSBigInt::parseInt):
3048         (JSC::JSBigInt::digit):
3049         (JSC::JSBigInt::setDigit):
3050         * runtime/JSBigInt.h:
3051         * runtime/Operations.h:
3052         (JSC::jsMul):
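
An added example, not part of this ChangeLog or of the JSC sources, covering both the "*" BigInt entry above and the rollout note that cites the Test262 order-of-evaluation test. It checks the language semantics an implementation of BigInt multiplication has to preserve in every tier: operands are converted left to right with ToNumeric before the type check, so a mixed Number/BigInt product still evaluates both sides and only then throws a TypeError; and a multi-limb product must give the same value on every execution, which the repeat loop approximates for a tiering engine. The tracing objects and the iteration count are constructed for the example.

```javascript
// Added example (not JSC code). Trace the order in which `*` converts its
// operands, and capture the result or the TypeError for mixed operand types.
function mulWithTrace(leftValue, rightValue) {
  const order = [];
  const left  = { valueOf() { order.push('left');  return leftValue; } };
  const right = { valueOf() { order.push('right'); return rightValue; } };
  let product = null;
  let error = null;
  try {
    product = left * right;            // ToNumeric(left), ToNumeric(right), then type check
  } catch (e) {
    error = e;                         // TypeError for Number * BigInt
  }
  return { order, product, error };
}

// Run one multiplication many times so a tiering engine (LLInt, then the
// JITs in JSC) compiles it, and check every run agrees with the first one.
// `!==` on BigInt compares by value, so this is a real result comparison.
function stableAcrossTiers(compute, iterations = 20000) {
  const first = compute();
  for (let i = 1; i < iterations; i++) {
    if (compute() !== first) return false;
  }
  return true;
}

// Operands wider than a single 64-bit digit, so the multi-limb path is used.
const TWO_POW_64 = 2n ** 64n;
function wideProduct() {
  return (TWO_POW_64 - 1n) * (TWO_POW_64 + 1n);   // equals 2n ** 128n - 1n
}
```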
3053
3054 2018-04-28  Commit Queue  <commit-queue@webkit.org>
3055
3056         Unreviewed, rolling out r231131.
3057         https://bugs.webkit.org/show_bug.cgi?id=185112
3058
3059         It is breaking Debug build due to unchecked exception
3060         (Requested by caiolima on #webkit).
3061
3062         Reverted changeset:
3063
3064         "[ESNext][BigInt] Implement support for "*" operation"
3065         https://bugs.webkit.org/show_bug.cgi?id=183721
3066         https://trac.webkit.org/changeset/231131
3067
3068 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
3069
3070         [ESNext][BigInt] Implement support for "*" operation
3071         https://bugs.webkit.org/show_bug.cgi?id=183721
3072
3073         Reviewed by Saam Barati.
3074
3075         Added BigInt support to the times binary operator in LLInt and in the
3076         JITOperations profiledMul and unprofiledMul. We are also replacing all
3077         uses of int with unsigned when there are no negative values for the
3078         variables.
3079
3080         * dfg/DFGConstantFoldingPhase.cpp:
3081         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3082         * jit/JITOperations.cpp:
3083         * runtime/CommonSlowPaths.cpp:
3084         (JSC::SLOW_PATH_DECL):
3085         * runtime/JSBigInt.cpp:
3086         (JSC::JSBigInt::JSBigInt):
3087         (JSC::JSBigInt::allocationSize):
3088         (JSC::JSBigInt::createWithLength):
3089         (JSC::JSBigInt::toString):
3090         (JSC::JSBigInt::multiply):
3091         (JSC::JSBigInt::digitDiv):
3092         (JSC::JSBigInt::internalMultiplyAdd):
3093         (JSC::JSBigInt::multiplyAccumulate):
3094         (JSC::JSBigInt::equals):
3095         (JSC::JSBigInt::absoluteDivSmall):
3096         (JSC::JSBigInt::calculateMaximumCharactersRequired):
3097         (JSC::JSBigInt::toStringGeneric):
3098         (JSC::JSBigInt::rightTrim):
3099         (JSC::JSBigInt::allocateFor):
3100         (JSC::JSBigInt::parseInt):
3101         (JSC::JSBigInt::digit):
3102         (JSC::JSBigInt::setDigit):
3103         * runtime/JSBigInt.h:
3104         * runtime/Operations.h:
3105         (JSC::jsMul):
3106
3107 2018-04-27  JF Bastien  <jfbastien@apple.com>
3108
3109         Make the first 64 bits of JSString look like a double JSValue
3110         https://bugs.webkit.org/show_bug.cgi?id=185081
3111
3112         Reviewed by Filip Pizlo.
3113
3114         We can be clever about how we lay out JSString so that, were it
3115         reinterpreted as a JSValue, it would look like a double.
3116
3117         * assembler/MacroAssemblerX86Common.h:
3118         (JSC::MacroAssemblerX86Common::and16):
3119         * assembler/X86Assembler.h:
3120         (JSC::X86Assembler::andw_mr):
3121         * dfg/DFGSpeculativeJIT.cpp:
3122         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3123         * ftl/FTLLowerDFGToB3.cpp:
3124         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3125         * ftl/FTLOutput.h:
3126         (JSC::FTL::Output::store32As8):
3127         (JSC::FTL::Output::store32As16):
3128         * runtime/JSString.h:
3129         (JSC::JSString::JSString):
3130
3131 2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3132
3133         [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
3134         https://bugs.webkit.org/show_bug.cgi?id=185055
3135
3136         Reviewed by JF Bastien.
3137
3138         This patch is paving the way to emitting the jscvt instruction if possible.
3139         To do that, we need to determine whether the jscvt instruction is supported
3140         by the given CPU.
3141
3142         We add a function collectCPUFeatures, which is responsible for collecting
3143         CPU features if necessary. On Linux, we can use the auxiliary vector to get
3144         the information without parsing /proc/cpuinfo.
3145
3146         Currently, nobody calls this function. It will later be called when we emit
3147         the jscvt instruction. To make that possible, we also need to add disassembler
3148         support.
3149
3150         * assembler/AbstractMacroAssembler.h:
3151         * assembler/MacroAssemblerARM64.cpp:
3152         (JSC::MacroAssemblerARM64::collectCPUFeatures):
3153         * assembler/MacroAssemblerARM64.h:
3154         * assembler/MacroAssemblerX86Common.h:
3155
3156 2018-04-26  Filip Pizlo  <fpizlo@apple.com>
3157
3158         Also run foldPathConstants before mussing up SSA
3159         https://bugs.webkit.org/show_bug.cgi?id=185069
3160
3161         Reviewed by Saam Barati.
3162         
3163         This isn't needed now, but will be once I implement the phase in bug 185060.
3164         
3165         This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
3166         Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
3167         be landed separately and measured separately from that phase.
3168         
3169         It's probably nice for sanity to have this and reduceStrength run before tail duplication and
3170         another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
3171         it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
3172         neutral. It all depends on what programs typically look like.
3173
3174         * b3/B3Generate.cpp:
3175         (JSC::B3::generateToAir):
3176
3177 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
3178
3179         Unreviewed, rolling out r231086.
3180
3181         Caused JSC test failures due to an unchecked exception.
3182
3183         Reverted changeset:
3184
3185         "[ESNext][BigInt] Implement support for "*" operation"
3186         https://bugs.webkit.org/show_bug.cgi?id=183721
3187         https://trac.webkit.org/changeset/231086
3188
3189 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
3190
3191         [ESNext][BigInt] Implement support for "*" operation
3192         https://bugs.webkit.org/show_bug.cgi?id=183721
3193
3194         Reviewed by Saam Barati.
3195
3196         Added BigInt support to the times binary operator in LLInt and in the
3197         JITOperations profiledMul and unprofiledMul. We are also replacing all
3198         uses of int with unsigned when there are no negative values for the
3199         variables.
3200
3201         * dfg/DFGConstantFoldingPhase.cpp:
3202         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3203         * jit/JITOperations.cpp:
3204         * runtime/CommonSlowPaths.cpp:
3205         (JSC::SLOW_PATH_DECL):
3206         * runtime/JSBigInt.cpp:
3207         (JSC::JSBigInt::JSBigInt):
3208         (JSC::JSBigInt::allocationSize):
3209         (JSC::JSBigInt::createWithLength):
3210         (JSC::JSBigInt::toString):
3211         (JSC::JSBigInt::multiply):
3212         (JSC::JSBigInt::digitDiv):
3213         (JSC::JSBigInt::internalMultiplyAdd):
3214         (JSC::JSBigInt::multiplyAccumulate):
3215         (JSC::JSBigInt::equals):
3216         (JSC::JSBigInt::absoluteDivSmall):
3217         (JSC::JSBigInt::calculateMaximumCharactersRequired):
3218         (JSC::JSBigInt::toStringGeneric):
3219         (JSC::JSBigInt::rightTrim):
3220         (JSC::JSBigInt::allocateFor):
3221         (JSC::JSBigInt::parseInt):
3222         (JSC::JSBigInt::digit):
3223         (JSC::JSBigInt::setDigit):
3224         * runtime/JSBigInt.h:
3225         * runtime/Operations.h:
3226         (JSC::jsMul):
3227
3228 2018-04-26  Mark Lam  <mark.lam@apple.com>
3229
3230         Gardening: Speculative build fix for Windows.
3231         https://bugs.webkit.org/show_bug.cgi?id=184976
3232         <rdar://problem/39723901>
3233
3234         Not reviewed.
3235
3236         * runtime/JSCPtrTag.h:
3237
3238 2018-04-26  Mark Lam  <mark.lam@apple.com>
3239
3240         Gardening: Windows build fix.
3241
3242         Not reviewed.
3243
3244         * runtime/Options.cpp:
3245
3246 2018-04-26  Jer Noble  <jer.noble@apple.com>
3247
3248         WK_COCOA_TOUCH all the things.
3249         https://bugs.webkit.org/show_bug.cgi?id=185006
3250         <rdar://problem/39736025>
3251
3252         Reviewed by Tim Horton.
3253
3254         * Configurations/Base.xcconfig:
3255
3256 2018-04-26  Per Arne Vollan  <pvollan@apple.com>
3257
3258         Disable content filtering in minimal simulator mode
3259         https://bugs.webkit.org/show_bug.cgi?id=185027
3260         <rdar://problem/39736091>
3261
3262         Reviewed by Jer Noble.
3263
3264         * Configurations/FeatureDefines.xcconfig:
3265
3266 2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>
3267
3268         [INTL] Implement Intl.PluralRules
3269         https://bugs.webkit.org/show_bug.cgi?id=184312
3270
3271         Reviewed by JF Bastien.
3272
3273         Use UNumberFormat to enforce formatting, and then UPluralRules to find
3274         the correct plural rule for the given number. Relies on ICU v59+ for
3275         resolvedOptions().pluralCategories and trailing 0 detection.
3276         Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.
3277
3278         * CMakeLists.txt:
3279         * Configurations/FeatureDefines.xcconfig:
3280         * DerivedSources.make:
3281         * JavaScriptCore.xcodeproj/project.pbxproj:
3282         * Sources.txt:
3283         * builtins/BuiltinNames.h:
3284         * runtime/BigIntObject.cpp:
3285         (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
3286         * runtime/BigIntObject.h:
3287         * runtime/CommonIdentifiers.h:
3288         * runtime/IntlObject.cpp:
3289         (JSC::IntlObject::finishCreation):
3290         * runtime/IntlObject.h:
3291         * runtime/IntlPluralRules.cpp: Added.
3292         (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
3293         (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
3294         (JSC::UEnumerationDeleter::operator() const):
3295         (JSC::IntlPluralRules::create):
3296         (JSC::IntlPluralRules::createStructure):
3297         (JSC::IntlPluralRules::IntlPluralRules):
3298         (JSC::IntlPluralRules::finishCreation):
3299         (JSC::IntlPluralRules::destroy):
3300         (JSC::IntlPluralRules::visitChildren):
3301         (JSC::IntlPRInternal::localeData):
3302         (JSC::IntlPluralRules::initializePluralRules):
3303         (JSC::IntlPluralRules::resolvedOptions):
3304         (JSC::IntlPluralRules::select):
3305         * runtime/IntlPluralRules.h: Added.
3306         * runtime/IntlPluralRulesConstructor.cpp: Added.
3307         (JSC::IntlPluralRulesConstructor::create):
3308         (JSC::IntlPluralRulesConstructor::createStructure):
3309         (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
3310         (JSC::IntlPluralRulesConstructor::finishCreation):
3311         (JSC::constructIntlPluralRules):
3312         (JSC::callIntlPluralRules):
3313         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
3314         (JSC::IntlPluralRulesConstructor::visitChildren):
3315         * runtime/IntlPluralRulesConstructor.h: Added.
3316         * runtime/IntlPluralRulesPrototype.cpp: Added.
3317         (JSC::IntlPluralRulesPrototype::create):
3318         (JSC::IntlPluralRulesPrototype::createStructure):
3319         (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
3320         (JSC::IntlPluralRulesPrototype::finishCreation):
3321         (JSC::IntlPluralRulesPrototypeFuncSelect):
3322         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
3323         * runtime/IntlPluralRulesPrototype.h: Added.
3324         * runtime/JSGlobalObject.cpp:
3325         (JSC::JSGlobalObject::init):
3326         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
3327         * runtime/JSGlobalObject.h:
3328         * runtime/Options.h:
3329         * runtime/RegExpPrototype.cpp: Added inlines header.
3330         * runtime/VM.cpp:
3331         (JSC::VM::VM):
3332         * runtime/VM.h:
3333
3334 2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>
3335
3336         [MIPS] Fix branch offsets in branchNeg32
3337         https://bugs.webkit.org/show_bug.cgi?id=185025
3338
3339         Reviewed by Yusuke Suzuki.
3340
3341         Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.
3342
3343         * assembler/MacroAssemblerMIPS.h:
3344         (JSC::MacroAssemblerMIPS::branchNeg32):
3345
3346 2018-04-25  Robin Morisset  <rmorisset@apple.com>
3347
3348         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
3349         https://bugs.webkit.org/show_bug.cgi?id=184773
3350         <rdar://problem/37773612>
3351
3352         Reviewed by Filip Pizlo.
3353
3354         We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
3355         arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
3356         This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
3357         We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
3358         This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
3359
3360         * ftl/FTLLowerDFGToB3.cpp:
3361         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
3362
3363 2018-04-25  Mark Lam  <mark.lam@apple.com>
3364
3365         Push the definition of PtrTag down to the WTF layer.
3366         https://bugs.webkit.org/show_bug.cgi?id=184976
3367         <rdar://problem/39723901>
3368
3369         Reviewed by Saam Barati.
3370
3371         * CMakeLists.txt:
3372         * JavaScriptCore.xcodeproj/project.pbxproj:
3373         * assembler/ARM64Assembler.h:
3374         * assembler/AbstractMacroAssembler.h:
3375         * assembler/MacroAssemblerCodeRef.cpp:
3376         * assembler/MacroAssemblerCodeRef.h:
3377         * b3/B3MathExtras.cpp:
3378         * bytecode/LLIntCallLinkInfo.h:
3379         * disassembler/Disassembler.h:
3380         * ftl/FTLJITCode.cpp:
3381         * interpreter/InterpreterInlines.h:
3382         * jit/ExecutableAllocator.h:
3383         * jit/JITOperations.cpp:
3384         * jit/ThunkGenerator.h:
3385         * jit/ThunkGenerators.h:
3386         * llint/LLIntOffsetsExtractor.cpp:
3387         * llint/LLIntPCRanges.h: