[JSC] Add Symbol.prototype.description getter
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add Symbol.prototype.description getter
        https://bugs.webkit.org/show_bug.cgi?id=186053

        Reviewed by Keith Miller.

        Symbol.prototype.description accessor is now stage 3 [1].
        This adds a getter to retrieve the [[Description]] value from a Symbol.
        Previously, Symbol#toString() returned the `Symbol(${description})` value.
        So users needed to extract the `description` part if they wanted it.

        [1]: https://tc39.github.io/proposal-Symbol-description/

        * runtime/Symbol.cpp:
        (JSC::Symbol::description const):
        * runtime/Symbol.h:
        * runtime/SymbolPrototype.cpp:
        (JSC::tryExtractSymbol):
        (JSC::symbolProtoGetterDescription):
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):

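The difference this entry describes, as an added JavaScript example (not code from the ChangeLog or from JSC): the old workaround of parsing `Symbol.prototype.toString()` output beside the new getter, over the cases where the two disagree. The function names `descriptionFromToString`, `descriptionFromGetter`, `compareApproaches` and `getterRejectsNonSymbol` are assumed here, and the snippet assumes an engine that already ships `Symbol.prototype.description`.

```javascript
// Added example; not code from the WebKit ChangeLog or from JSC itself.
// Compares the pre-proposal way of recovering a symbol's description
// (parsing Symbol.prototype.toString() output) with the stage-3 getter.

// Old approach: peel "Symbol(" and ")" off the toString() result.
// This cannot tell Symbol() from Symbol("") because both print "Symbol()".
function descriptionFromToString(sym) {
  const text = Symbol.prototype.toString.call(sym); // e.g. "Symbol(foo)"
  return text.slice("Symbol(".length, -1);
}

// New approach: the getter reads [[Description]] directly, so an absent
// description comes back as undefined rather than as an empty string.
function descriptionFromGetter(sym) {
  return sym.description;
}

// Constructed sample symbols covering the interesting cases, including a
// Symbol wrapper object (the getter unwraps it before reading the slot).
function compareApproaches() {
  const cases = [
    ["named", Symbol("foo")],
    ["empty string", Symbol("")],
    ["no description", Symbol()],
    ["registered", Symbol.for("shared")],
    ["well-known", Symbol.iterator],
    ["wrapper object", Object(Symbol("wrapped"))],
  ];
  return cases.map(([label, sym]) => {
    const viaToString = descriptionFromToString(sym);
    const viaGetter = descriptionFromGetter(sym);
    return { label, viaToString, viaGetter, agree: Object.is(viaToString, viaGetter) };
  });
}

// The getter lives on Symbol.prototype but rejects receivers that are not
// symbols (or Symbol wrappers) with a TypeError; returns true if it did.
function getterRejectsNonSymbol(receiver) {
  const getter = Object.getOwnPropertyDescriptor(Symbol.prototype, "description").get;
  try {
    getter.call(receiver);
    return false;
  } catch (error) {
    return error instanceof TypeError;
  }
}

for (const row of compareApproaches()) {
  console.log(
    row.label.padEnd(16),
    JSON.stringify(row.viaToString), "vs", JSON.stringify(row.viaGetter),
    row.agree ? "" : "<- differ"
  );
}
console.log("rejects plain object:", getterRejectsNonSymbol({}));
```

The one row that differs is `Symbol()`: parsing the string yields `""`, the getter yields `undefined`, which is exactly the information the string form throws away.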
2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Correct values and members of JSBigInt appropriately
        https://bugs.webkit.org/show_bug.cgi?id=186196

        Reviewed by Darin Adler.

        This patch cleans up a bit to select more appropriate values and members of JSBigInt.

        1. JSBigInt's structure should be StructureIsImmortal.
        2. JSBigInt::allocationSize should be annotated with `inline`.
        3. Remove JSBigInt::visitChildren since it is completely the same as JSCell::visitChildren.
        4. Remove JSBigInt::finishCreation since it is completely the same as JSCell::finishCreation.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::compareToDouble):
        (JSC::JSBigInt::visitChildren): Deleted.
        (JSC::JSBigInt::finishCreation): Deleted.
        * runtime/JSBigInt.h:

2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] InById should be converted to MatchStructure
        https://bugs.webkit.org/show_bug.cgi?id=185803

        Reviewed by Keith Miller.

        MatchStructure is introduced for instanceof optimization. But this node
        is also useful for the InById node. This patch converts InById to a MatchStructure
        node with CheckStructures if possible by using InByIdStatus.

        Added microbenchmarks show improvements.

                                   baseline                  patched

        in-by-id-removed       18.1196+-0.8108     ^     16.1702+-0.9773        ^ definitely 1.1206x faster
        in-by-id-match         16.3912+-0.2608     ^     15.2736+-0.8173        ^ definitely 1.0732x faster

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/InByIdStatus.cpp: Added.
        (JSC::InByIdStatus::appendVariant):
        (JSC::InByIdStatus::computeFor):
        (JSC::InByIdStatus::hasExitSite):
        (JSC::InByIdStatus::computeForStubInfo):
        (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        (JSC::InByIdStatus::filter):
        (JSC::InByIdStatus::dump const):
        * bytecode/InByIdStatus.h: Added.
        (JSC::InByIdStatus::InByIdStatus):
        (JSC::InByIdStatus::state const):
        (JSC::InByIdStatus::isSet const):
        (JSC::InByIdStatus::operator bool const):
        (JSC::InByIdStatus::isSimple const):
        (JSC::InByIdStatus::numVariants const):
        (JSC::InByIdStatus::variants const):
        (JSC::InByIdStatus::at const):
        (JSC::InByIdStatus::operator[] const):
        (JSC::InByIdStatus::takesSlowPath const):
        * bytecode/InByIdVariant.cpp: Added.
        (JSC::InByIdVariant::InByIdVariant):
        (JSC::InByIdVariant::attemptToMerge):
        (JSC::InByIdVariant::dump const):
        (JSC::InByIdVariant::dumpInContext const):
        * bytecode/InByIdVariant.h: Added.
        (JSC::InByIdVariant::isSet const):
        (JSC::InByIdVariant::operator bool const):
        (JSC::InByIdVariant::structureSet const):
        (JSC::InByIdVariant::structureSet):
        (JSC::InByIdVariant::conditionSet const):
        (JSC::InByIdVariant::offset const):
        (JSC::InByIdVariant::isHit const):
        * bytecode/PolyProtoAccessChain.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2018-06-01  Keith Miller  <keith_miller@apple.com>

        move should only emit the move if it's actually needed
        https://bugs.webkit.org/show_bug.cgi?id=186123

        Reviewed by Saam Barati.

        This patch replaces move with moveToDestinationIfNeeded. This
        will prevent us from emitting moves to the same location. The old
        move has been renamed to emitMove and made private.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitGetGlobalPrivate):
        (JSC::BytecodeGenerator::emitGetAsyncIterator):
        (JSC::BytecodeGenerator::move): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::move):
        (JSC::BytecodeGenerator::moveToDestinationIfNeeded): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::SuperNode::emitBytecode):
        (JSC::NewTargetNode::emitBytecode):
        (JSC::ResolveNode::emitBytecode):
        (JSC::TaggedTemplateNode::emitBytecode):
        (JSC::ArrayNode::emitBytecode):
        (JSC::ObjectLiteralNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::emitPostIncOrDec):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::PrefixNode::emitResolve):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::LogicalOpNode::emitBytecode):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        (JSC::DestructuringAssignmentNode::emitBytecode):
        (JSC::ArrayPatternNode::emitDirectBinding):
        (JSC::ObjectPatternNode::bindValue const):
        (JSC::AssignmentElementNode::bindValue const):
        (JSC::ObjectSpreadExpressionNode::emitBytecode):

2018-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [Baseline] Store constant directly in emit_op_mov
        https://bugs.webkit.org/show_bug.cgi?id=186182

        Reviewed by Saam Barati.

        In the old code, we first move a constant to a register and store it to the specified address.
        But in 64bit JSC, we can directly store a constant to the specified address. This reduces the
        generated code size. Since the old code was emitting a constant in the code anyway, this change
        never increases the size of the generated code.

        * jit/JITInlines.h:
        (JSC::JIT::emitGetVirtualRegister):
        We remove this obsolete comment. Our OSR relies on the fact that values are stored to and loaded
        from the stack. If we transfer values in registers without loading values from the stack, it
        breaks this assumption.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):

2018-05-31  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "=<" and ">=" relational operation
        https://bugs.webkit.org/show_bug.cgi?id=185929

        Reviewed by Yusuke Suzuki.

        This patch introduces support for BigInt operands in the ">=" and
        "<=" operators.
        Here we introduce `bigIntCompareResult`, a helper function
        used to share code between the "less than" and "less than or equal" operators.

        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::bigIntCompareResult):
        (JSC::bigIntCompare):
        (JSC::jsLess):
        (JSC::jsLessEq):
        (JSC::bigIntCompareLess): Deleted.

2018-05-31  Saam Barati  <sbarati@apple.com>

        Cache toString results for CoW arrays
        https://bugs.webkit.org/show_bug.cgi?id=186160

        Reviewed by Keith Miller.

        This patch makes it so that we cache the result of toString on
        arrays with a CoW butterfly. This cache lives on Heap and is
        cleared after every GC. We only cache the toString result when
        the CoW butterfly doesn't have a hole (currently, all CoW arrays
        have a hole, but this isn't an invariant we want to rely on). The
        reason for this is that if there is a hole, the value may be loaded
        from the prototype, and the cache may produce a stale result.

        This is a ~4% speedup on the ML subtest in ARES. And is a ~1% overall
        progression on ARES.

        * heap/Heap.cpp:
        (JSC::Heap::finalize):
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::canUseFastJoin):
        (JSC::holesMustForwardToPrototype):
        (JSC::isHole):
        (JSC::containsHole):
        (JSC::fastJoin):
        (JSC::arrayProtoFuncToString):

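Why the cache is skipped for arrays with a hole, as an added JavaScript example (not WebKit's code; `hasHole`, `makeCachedToString` and `demonstrateStaleness` are names assumed here): a memoised `toString()` beside a hole-aware one, observed while `Array.prototype` gains an indexed property. The cache here never expires, whereas the entry's cache is dropped after every GC.

```javascript
// Added example; not WebKit code. Shows why JSC's toString() cache for
// copy-on-write arrays must skip arrays containing holes: join()/toString()
// reads each index with an ordinary [[Get]], so a hole is resolved through
// the prototype chain and the result can change without the array changing.

// True when some index below length is not an own property of the array.
// An own element whose value is undefined is NOT a hole.
function hasHole(array) {
  for (let i = 0; i < array.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(array, i)) return true;
  }
  return false;
}

// A memoised toString() keyed on array identity. The real cache in JSC lives
// on Heap and is cleared after every GC; this simplification never expires,
// which makes the staleness easier to observe.
function makeCachedToString(skipHoley) {
  const cache = new WeakMap();
  return function cachedToString(array) {
    if (skipHoley && hasHole(array)) return Array.prototype.toString.call(array);
    if (!cache.has(array)) cache.set(array, Array.prototype.toString.call(array));
    return cache.get(array);
  };
}

// Drives both variants over a constructed holey array while the prototype
// chain changes underneath, and reports what each one returned.
function demonstrateStaleness() {
  const naive = makeCachedToString(false);
  const holeAware = makeCachedToString(true);
  const holey = [1, , 3]; // index 1 is a hole
  const dense = [1, undefined, 3]; // index 1 is an own property holding undefined

  const before = { naive: naive(holey), holeAware: holeAware(holey), dense: naive(dense) };
  Array.prototype[1] = "proto"; // mutate the prototype chain; the arrays are untouched
  const after = {
    direct: holey.toString(),
    naive: naive(holey),
    holeAware: holeAware(holey),
    dense: dense.toString(),
  };
  delete Array.prototype[1]; // restore the prototype chain
  return { holeyHasHole: hasHole(holey), denseHasHole: hasHole(dense), before, after };
}

const report = demonstrateStaleness();
console.log("before prototype change:", report.before);
console.log("after prototype change: ", report.after);
```

After the prototype gains an element at index 1, the holey array's real `toString()` becomes `"1,proto,3"`; the naive cache still answers `"1,,3"`, while the hole-aware variant and the dense array (whose own `undefined` never consults the prototype) stay correct.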
238 2018-05-31  Saam Barati  <sbarati@apple.com>
239
240         PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
241         https://bugs.webkit.org/show_bug.cgi?id=186169
242
243         Reviewed by Mark Lam.
244
245         If we don't do this, the CFA validation rule about StructureID being
246         clobbered but AI not clobbering or folding a clobber will cause us
247         to crash. Simon was running into this yesterday on arstechnica.com.
248         I couldn't come up with a test case for this, but it's obvious
249         what the issue is by looking at the IR dump at the time of the crash.
250
251         * dfg/DFGAbstractInterpreterInlines.h:
252         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
253
254 2018-05-31  Saam Barati  <sbarati@apple.com>
255
256         JSImmutableButterfly should align its variable storage
257         https://bugs.webkit.org/show_bug.cgi?id=186159
258
259         Reviewed by Mark Lam.
260
261         I'm also making the use of reinterpret_cast and bitwise_cast consistent
262         inside of JSImmutableButterfly. I switched everything to use bitwise_cast.
263
264         * runtime/JSImmutableButterfly.h:
265         (JSC::JSImmutableButterfly::toButterfly const):
266         (JSC::JSImmutableButterfly::fromButterfly):
267         (JSC::JSImmutableButterfly::offsetOfData):
268         (JSC::JSImmutableButterfly::allocationSize):
269
270 2018-05-31  Keith Miller  <keith_miller@apple.com>
271
272         DFGArrayModes needs to know more about CoW arrays
273         https://bugs.webkit.org/show_bug.cgi?id=186162
274
275         Reviewed by Filip Pizlo.
276
277         This patch fixes two issues in DFGArrayMode.
278
279         1) fromObserved was missing switch cases for when the only observed ArrayModes are CopyOnWrite.
280         2) DFGArrayModes needs to track if the ArrayClass is an OriginalCopyOnWriteArray in order
281         to vend an accurate original structure.
282
283         Additionally, this patch fixes some places in Bytecode parsing where we told the array mode
284         we were doing a read but actually doing a write. Also, DFGArrayMode will now print the
285         action it is expecting when being dumped.
286
287         * bytecode/ArrayProfile.h:
288         (JSC::hasSeenWritableArray):
289         * dfg/DFGArrayMode.cpp:
290         (JSC::DFG::ArrayMode::fromObserved):
291         (JSC::DFG::ArrayMode::refine const):
292         (JSC::DFG::ArrayMode::originalArrayStructure const):
293         (JSC::DFG::arrayActionToString):
294         (JSC::DFG::arrayClassToString):
295         (JSC::DFG::ArrayMode::dump const):
296         (WTF::printInternal):
297         * dfg/DFGArrayMode.h:
298         (JSC::DFG::ArrayMode::withProfile const):
299         (JSC::DFG::ArrayMode::isJSArray const):
300         (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure const):
301         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
302         * dfg/DFGByteCodeParser.cpp:
303         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
304         (JSC::DFG::ByteCodeParser::parseBlock):
305         * dfg/DFGFixupPhase.cpp:
306         (JSC::DFG::FixupPhase::fixupNode):
307         * dfg/DFGSpeculativeJIT.cpp:
308         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
309         * ftl/FTLLowerDFGToB3.cpp:
310         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
311
312 2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>
313
314         [JSC] Pass VM& parameter as much as possible
315         https://bugs.webkit.org/show_bug.cgi?id=186085
316
317         Reviewed by Saam Barati.
318
319         JSCell::vm() is slow compared to ExecState::vm(). That's why we have bunch of functions in JSCell/JSObject that take VM& as a parameter.
320         For example, we have JSCell::structure() and JSCell::structure(VM&), the former retrieves VM& from the cell and invokes structure(VM&).
321         If we can get VM& from ExecState* or the other place, it reduces the inlined code size.
322         This patch attempts to pass VM& parameter to such functions as much as possible.
323
324         * API/APICast.h:
325         (toJS):
326         (toJSForGC):
327         * API/JSCallbackObjectFunctions.h:
328         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
329         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
330         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
331         * API/JSObjectRef.cpp:
332         (JSObjectIsConstructor):
333         * API/JSTypedArray.cpp:
334         (JSObjectGetTypedArrayBuffer):
335         * API/JSValueRef.cpp:
336         (JSValueIsInstanceOfConstructor):
337         * bindings/ScriptFunctionCall.cpp:
338         (Deprecated::ScriptFunctionCall::call):
339         * bindings/ScriptValue.cpp:
340         (Inspector::jsToInspectorValue):
341         * bytecode/AccessCase.cpp:
342         (JSC::AccessCase::generateImpl):
343         * bytecode/CodeBlock.cpp:
344         (JSC::CodeBlock::CodeBlock):
345         * bytecode/ObjectAllocationProfileInlines.h:
346         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
347         * bytecode/ObjectPropertyConditionSet.cpp:
348         (JSC::generateConditionsForInstanceOf):
349         * bytecode/PropertyCondition.cpp:
350         (JSC::PropertyCondition::isWatchableWhenValid const):
351         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
352         * bytecode/StructureStubClearingWatchpoint.cpp:
353         (JSC::StructureStubClearingWatchpoint::fireInternal):
354         * debugger/Debugger.cpp:
355         (JSC::Debugger::detach):
356         * debugger/DebuggerScope.cpp:
357         (JSC::DebuggerScope::create):
358         (JSC::DebuggerScope::put):
359         (JSC::DebuggerScope::deleteProperty):
360         (JSC::DebuggerScope::getOwnPropertyNames):
361         (JSC::DebuggerScope::defineOwnProperty):
362         * dfg/DFGAbstractInterpreterInlines.h:
363         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
364         * dfg/DFGAbstractValue.cpp:
365         (JSC::DFG::AbstractValue::mergeOSREntryValue):
366         * dfg/DFGArgumentsEliminationPhase.cpp:
367         * dfg/DFGArrayMode.cpp:
368         (JSC::DFG::ArrayMode::refine const):
369         * dfg/DFGByteCodeParser.cpp:
370         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
371         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
372         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
373         (JSC::DFG::ByteCodeParser::check):
374         * dfg/DFGConstantFoldingPhase.cpp:
375         (JSC::DFG::ConstantFoldingPhase::foldConstants):
376         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
377         * dfg/DFGFixupPhase.cpp:
378         (JSC::DFG::FixupPhase::fixupNode):
379         * dfg/DFGGraph.cpp:
380         (JSC::DFG::Graph::tryGetConstantProperty):
381         * dfg/DFGOperations.cpp:
382         * dfg/DFGSpeculativeJIT.cpp:
383         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
384         * dfg/DFGStrengthReductionPhase.cpp:
385         (JSC::DFG::StrengthReductionPhase::handleNode):
386         * ftl/FTLLowerDFGToB3.cpp:
387         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
388         * ftl/FTLOperations.cpp:
389         (JSC::FTL::operationPopulateObjectInOSR):
390         * inspector/InjectedScriptManager.cpp:
391         (Inspector::InjectedScriptManager::createInjectedScript):
392         * inspector/JSJavaScriptCallFrame.cpp:
393         (Inspector::JSJavaScriptCallFrame::caller const):
394         (Inspector::JSJavaScriptCallFrame::scopeChain const):
395         * interpreter/CallFrame.cpp:
396         (JSC::CallFrame::wasmAwareLexicalGlobalObject):
397         * interpreter/Interpreter.cpp:
398         (JSC::Interpreter::executeProgram):
399         (JSC::Interpreter::executeCall):
400         (JSC::Interpreter::executeConstruct):
401         (JSC::Interpreter::execute):
402         (JSC::Interpreter::executeModuleProgram):
403         * jit/JITOperations.cpp:
404         (JSC::getByVal):
405         * jit/Repatch.cpp:
406         (JSC::tryCacheInByID):
407         * jsc.cpp:
408         (functionDollarAgentReceiveBroadcast):
409         (functionHasCustomProperties):
410         * llint/LLIntSlowPaths.cpp:
411         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
412         (JSC::LLInt::setupGetByIdPrototypeCache):
413         (JSC::LLInt::getByVal):
414         (JSC::LLInt::handleHostCall):
415         (JSC::LLInt::llint_throw_stack_overflow_error):
416         * runtime/AbstractModuleRecord.cpp:
417         (JSC::AbstractModuleRecord::finishCreation):
418         * runtime/ArrayConstructor.cpp:
419         (JSC::constructArrayWithSizeQuirk):
420         * runtime/ArrayPrototype.cpp:
421         (JSC::speciesWatchpointIsValid):
422         (JSC::arrayProtoFuncToString):
423         (JSC::arrayProtoFuncToLocaleString):
424         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
425         * runtime/AsyncFunctionConstructor.cpp:
426         (JSC::callAsyncFunctionConstructor):
427         (JSC::constructAsyncFunctionConstructor):
428         * runtime/AsyncGeneratorFunctionConstructor.cpp:
429         (JSC::callAsyncGeneratorFunctionConstructor):
430         (JSC::constructAsyncGeneratorFunctionConstructor):
431         * runtime/BooleanConstructor.cpp:
432         (JSC::constructWithBooleanConstructor):
433         * runtime/ClonedArguments.cpp:
434         (JSC::ClonedArguments::createEmpty):
435         (JSC::ClonedArguments::createWithInlineFrame):
436         (JSC::ClonedArguments::createWithMachineFrame):
437         (JSC::ClonedArguments::createByCopyingFrom):
438         (JSC::ClonedArguments::getOwnPropertySlot):
439         (JSC::ClonedArguments::materializeSpecials):
440         * runtime/CommonSlowPaths.cpp:
441         (JSC::SLOW_PATH_DECL):
442         * runtime/CommonSlowPaths.h:
443         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
444         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
445         (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
446         * runtime/ConstructData.cpp:
447         (JSC::construct):
448         * runtime/DateConstructor.cpp:
449         (JSC::constructWithDateConstructor):
450         * runtime/DatePrototype.cpp:
451         (JSC::dateProtoFuncToJSON):
452         * runtime/DirectArguments.cpp:
453         (JSC::DirectArguments::overrideThings):
454         * runtime/Error.cpp:
455         (JSC::getStackTrace):
456         * runtime/ErrorConstructor.cpp:
457         (JSC::Interpreter::constructWithErrorConstructor):
458         (JSC::Interpreter::callErrorConstructor):
459         * runtime/FunctionConstructor.cpp:
460         (JSC::constructWithFunctionConstructor):
461         (JSC::callFunctionConstructor):
462         * runtime/GeneratorFunctionConstructor.cpp:
463         (JSC::callGeneratorFunctionConstructor):
464         (JSC::constructGeneratorFunctionConstructor):
465         * runtime/GenericArgumentsInlines.h:
466         (JSC::GenericArguments<Type>::getOwnPropertySlot):
467         * runtime/InferredStructureWatchpoint.cpp:
468         (JSC::InferredStructureWatchpoint::fireInternal):
469         * runtime/InferredType.cpp:
470         (JSC::InferredType::removeStructure):
471         * runtime/InferredType.h:
472         * runtime/InferredTypeInlines.h:
473         (JSC::InferredType::finalizeUnconditionally):
474         * runtime/IntlCollator.cpp:
475         (JSC::IntlCollator::initializeCollator):
476         * runtime/IntlCollatorConstructor.cpp:
477         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
478         * runtime/IntlCollatorPrototype.cpp:
479         (JSC::IntlCollatorPrototypeGetterCompare):
480         * runtime/IntlDateTimeFormat.cpp:
481         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
482         (JSC::IntlDateTimeFormat::formatToParts):
483         * runtime/IntlDateTimeFormatConstructor.cpp:
484         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
485         * runtime/IntlDateTimeFormatPrototype.cpp:
486         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
487         * runtime/IntlNumberFormat.cpp:
488         (JSC::IntlNumberFormat::initializeNumberFormat):
489         (JSC::IntlNumberFormat::formatToParts):
490         * runtime/IntlNumberFormatConstructor.cpp:
491         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
492         * runtime/IntlNumberFormatPrototype.cpp:
493         (JSC::IntlNumberFormatPrototypeGetterFormat):
494         * runtime/IntlObject.cpp:
495         (JSC::canonicalizeLocaleList):
496         (JSC::defaultLocale):
497         (JSC::lookupSupportedLocales):
498         (JSC::intlObjectFuncGetCanonicalLocales):
499         * runtime/IntlPluralRules.cpp:
500         (JSC::IntlPluralRules::initializePluralRules):
501         (JSC::IntlPluralRules::resolvedOptions):
502         * runtime/IntlPluralRulesConstructor.cpp:
503         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
504         * runtime/IteratorOperations.cpp:
505         (JSC::iteratorNext):
506         (JSC::iteratorClose):
507         (JSC::iteratorForIterable):
508         * runtime/JSArray.cpp:
509         (JSC::JSArray::shiftCountWithArrayStorage):
510         (JSC::JSArray::unshiftCountWithArrayStorage):
511         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
512         * runtime/JSArrayBufferConstructor.cpp:
513         (JSC::JSArrayBufferConstructor::finishCreation):
514         (JSC::constructArrayBuffer):
515         * runtime/JSArrayBufferPrototype.cpp:
516         (JSC::arrayBufferProtoFuncSlice):
517         * runtime/JSArrayBufferView.cpp:
518         (JSC::JSArrayBufferView::unsharedJSBuffer):
519         (JSC::JSArrayBufferView::possiblySharedJSBuffer):
520         * runtime/JSAsyncFunction.cpp:
521         (JSC::JSAsyncFunction::createImpl):
522         (JSC::JSAsyncFunction::create):
523         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
524         * runtime/JSAsyncGeneratorFunction.cpp:
525         (JSC::JSAsyncGeneratorFunction::createImpl):
526         (JSC::JSAsyncGeneratorFunction::create):
527         (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
528         * runtime/JSBoundFunction.cpp:
529         (JSC::boundThisNoArgsFunctionCall):
530         (JSC::boundFunctionCall):
531         (JSC::boundThisNoArgsFunctionConstruct):
532         (JSC::boundFunctionConstruct):
533         (JSC::getBoundFunctionStructure):
534         (JSC::JSBoundFunction::create):
535         (JSC::JSBoundFunction::boundArgsCopy):
536         * runtime/JSCJSValue.cpp:
537         (JSC::JSValue::putToPrimitive):
538         * runtime/JSCellInlines.h:
539         (JSC::JSCell::setStructure):
540         (JSC::JSCell::methodTable const):
541         (JSC::JSCell::toBoolean const):
542         * runtime/JSFunction.h:
543         (JSC::JSFunction::createImpl):
544         * runtime/JSGeneratorFunction.cpp:
545         (JSC::JSGeneratorFunction::createImpl):
546         (JSC::JSGeneratorFunction::create):
547         (JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
548         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
549         (JSC::constructGenericTypedArrayViewWithArguments):
550         (JSC::constructGenericTypedArrayView):
551         * runtime/JSGenericTypedArrayViewInlines.h:
552         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
553         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
554         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
555         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
556         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
557         (JSC::genericTypedArrayViewProtoFuncSlice):
558         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
559         * runtime/JSGlobalObject.cpp:
560         (JSC::JSGlobalObject::init):
561         (JSC::JSGlobalObject::exposeDollarVM):
562         (JSC::JSGlobalObject::finishCreation):
563         * runtime/JSGlobalObject.h:
564         * runtime/JSGlobalObjectFunctions.cpp:
565         (JSC::globalFuncEval):
566         * runtime/JSInternalPromise.cpp:
567         (JSC::JSInternalPromise::then):
568         * runtime/JSInternalPromiseConstructor.cpp:
569         (JSC::constructPromise):
570         * runtime/JSJob.cpp:
571         (JSC::JSJobMicrotask::run):
572         * runtime/JSLexicalEnvironment.cpp:
573         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
574         (JSC::JSLexicalEnvironment::put):
575         * runtime/JSMap.cpp:
576         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
577         * runtime/JSMapIterator.cpp:
578         (JSC::JSMapIterator::createPair):
579         * runtime/JSModuleLoader.cpp:
580         (JSC::JSModuleLoader::provideFetch):
581         (JSC::JSModuleLoader::loadAndEvaluateModule):
582         (JSC::JSModuleLoader::loadModule):
583         (JSC::JSModuleLoader::linkAndEvaluateModule):
584         (JSC::JSModuleLoader::requestImportModule):
585         * runtime/JSONObject.cpp:
586         (JSC::JSONProtoFuncParse):
587         * runtime/JSObject.cpp:
588         (JSC::JSObject::putInlineSlow):
589         (JSC::JSObject::putByIndex):
590         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
591         (JSC::JSObject::createInitialIndexedStorage):
592         (JSC::JSObject::createArrayStorage):
593         (JSC::JSObject::convertUndecidedToArrayStorage):
594         (JSC::JSObject::convertInt32ToArrayStorage):
595         (JSC::JSObject::convertDoubleToArrayStorage):
596         (JSC::JSObject::convertContiguousToArrayStorage):
597         (JSC::JSObject::convertFromCopyOnWrite):
598         (JSC::JSObject::ensureWritableInt32Slow):
599         (JSC::JSObject::ensureWritableDoubleSlow):
600         (JSC::JSObject::ensureWritableContiguousSlow):
601         (JSC::JSObject::ensureArrayStorageSlow):
602         (JSC::JSObject::setPrototypeDirect):
603         (JSC::JSObject::deleteProperty):
604         (JSC::callToPrimitiveFunction):
605         (JSC::JSObject::hasInstance):
606         (JSC::JSObject::getOwnNonIndexPropertyNames):
607         (JSC::JSObject::preventExtensions):
608         (JSC::JSObject::isExtensible):
609         (JSC::JSObject::reifyAllStaticProperties):
610         (JSC::JSObject::fillGetterPropertySlot):
611         (JSC::JSObject::defineOwnIndexedProperty):
612         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
613         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
614         (JSC::JSObject::putByIndexBeyondVectorLength):
615         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
616         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
617         (JSC::JSObject::getNewVectorLength):
618         (JSC::JSObject::increaseVectorLength):
619         (JSC::JSObject::reallocateAndShrinkButterfly):
620         (JSC::JSObject::shiftButterflyAfterFlattening):
621         (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
622         (JSC::JSObject::prototypeChainMayInterceptStoreTo):
623         (JSC::JSObject::needsSlowPutIndexing const):
624         (JSC::JSObject::suggestedArrayStorageTransition const):
625         * runtime/JSObject.h:
626         (JSC::JSObject::mayInterceptIndexedAccesses):
627         (JSC::JSObject::hasIndexingHeader const):
628         (JSC::JSObject::hasCustomProperties):
629         (JSC::JSObject::hasGetterSetterProperties):
630         (JSC::JSObject::hasCustomGetterSetterProperties):
631         (JSC::JSObject::isExtensibleImpl):
632         (JSC::JSObject::isStructureExtensible):
633         (JSC::JSObject::indexingShouldBeSparse):
634         (JSC::JSObject::staticPropertiesReified):
635         (JSC::JSObject::globalObject const):
636         (JSC::JSObject::finishCreation):
637         (JSC::JSNonFinalObject::finishCreation):
638         (JSC::getCallData):
639         (JSC::getConstructData):
640         (JSC::JSObject::getOwnNonIndexPropertySlot):
641         (JSC::JSObject::putOwnDataProperty):
642         (JSC::JSObject::putOwnDataPropertyMayBeIndex):
643         (JSC::JSObject::butterflyPreCapacity):
644         (JSC::JSObject::butterflyTotalSize):
645         * runtime/JSObjectInlines.h:
646         (JSC::JSObject::putDirectInternal):
647         * runtime/JSPromise.cpp:
648         (JSC::JSPromise::initialize):
649         (JSC::JSPromise::resolve):
650         * runtime/JSPromiseConstructor.cpp:
651         (JSC::constructPromise):
652         * runtime/JSPromiseDeferred.cpp:
653         (JSC::newPromiseCapability):
654         (JSC::callFunction):
655         * runtime/JSScope.cpp:
656         (JSC::abstractAccess):
657         * runtime/JSScope.h:
658         (JSC::JSScope::globalObject): Deleted.
659         Remove this JSScope::globalObject function since it is completely the same as JSObject::globalObject().
660
661         * runtime/JSSet.cpp:
662         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
663         * runtime/JSSetIterator.cpp:
664         (JSC::JSSetIterator::createPair):
665         * runtime/JSStringIterator.cpp:
666         (JSC::JSStringIterator::clone):
667         * runtime/Lookup.cpp:
668         (JSC::reifyStaticAccessor):
669         (JSC::setUpStaticFunctionSlot):
670         * runtime/Lookup.h:
671         (JSC::getStaticPropertySlotFromTable):
672         (JSC::replaceStaticPropertySlot):
673         (JSC::reifyStaticProperty):
674         * runtime/MapConstructor.cpp:
675         (JSC::constructMap):
676         * runtime/NumberConstructor.cpp:
677         (JSC::NumberConstructor::finishCreation):
678         * runtime/ObjectConstructor.cpp:
679         (JSC::constructObject):
680         (JSC::objectConstructorAssign):
681         (JSC::toPropertyDescriptor):
682         * runtime/ObjectPrototype.cpp:
683         (JSC::objectProtoFuncDefineGetter):
684         (JSC::objectProtoFuncDefineSetter):
685         (JSC::objectProtoFuncToLocaleString):
686         * runtime/Operations.cpp:
687         (JSC::jsIsFunctionType): Deleted.
688         Replace it with JSValue::isFunction(VM&).
689
690         * runtime/Operations.h:
691         * runtime/ProgramExecutable.cpp:
692         (JSC::ProgramExecutable::initializeGlobalProperties):
693         * runtime/RegExpConstructor.cpp:
694         (JSC::constructWithRegExpConstructor):
695         (JSC::callRegExpConstructor):
696         * runtime/SamplingProfiler.cpp:
697         (JSC::SamplingProfiler::processUnverifiedStackTraces):
698         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
699         * runtime/ScopedArguments.cpp:
700         (JSC::ScopedArguments::overrideThings):
701         * runtime/ScriptExecutable.cpp:
702         (JSC::ScriptExecutable::newCodeBlockFor):
703         (JSC::ScriptExecutable::prepareForExecutionImpl):
704         * runtime/SetConstructor.cpp:
705         (JSC::constructSet):
706         * runtime/SparseArrayValueMap.cpp:
707         (JSC::SparseArrayValueMap::putEntry):
708         (JSC::SparseArrayValueMap::putDirect):
709         * runtime/StringConstructor.cpp:
710         (JSC::constructWithStringConstructor):
711         * runtime/StringPrototype.cpp:
712         (JSC::replaceUsingRegExpSearch):
713         (JSC::replaceUsingStringSearch):
714         (JSC::stringProtoFuncIterator):
715         * runtime/Structure.cpp:
716         (JSC::Structure::materializePropertyTable):
717         (JSC::Structure::willStoreValueSlow):
718         * runtime/StructureCache.cpp:
719         (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
720         * runtime/StructureInlines.h:
721         (JSC::Structure::get):
722         * runtime/WeakMapConstructor.cpp:
723         (JSC::constructWeakMap):
724         * runtime/WeakSetConstructor.cpp:
725         (JSC::constructWeakSet):
726         * tools/HeapVerifier.cpp:
727         (JSC::HeapVerifier::reportCell):
728         * tools/JSDollarVM.cpp:
729         (JSC::functionGlobalObjectForObject):
730         (JSC::JSDollarVM::finishCreation):
731         * wasm/js/JSWebAssemblyInstance.cpp:
732         (JSC::JSWebAssemblyInstance::finalizeCreation):
733         * wasm/js/WasmToJS.cpp:
734         (JSC::Wasm::handleBadI64Use):
735         (JSC::Wasm::wasmToJSException):
736         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
737         (JSC::constructJSWebAssemblyCompileError):
738         (JSC::callJSWebAssemblyCompileError):
739         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
740         (JSC::constructJSWebAssemblyLinkError):
741         (JSC::callJSWebAssemblyLinkError):
742         * wasm/js/WebAssemblyModuleRecord.cpp:
743         (JSC::WebAssemblyModuleRecord::evaluate):
744         * wasm/js/WebAssemblyPrototype.cpp:
745         (JSC::instantiate):
746         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
747         (JSC::constructJSWebAssemblyRuntimeError):
748         (JSC::callJSWebAssemblyRuntimeError):
749         * wasm/js/WebAssemblyToJSCallee.cpp:
750         (JSC::WebAssemblyToJSCallee::create):
751
752 2018-05-30  Saam Barati  <sbarati@apple.com>
753
754         DFG combined liveness needs to say that the machine CodeBlock's arguments are live
755         https://bugs.webkit.org/show_bug.cgi?id=186121
756         <rdar://problem/39377796>
757
758         Reviewed by Keith Miller.
759
760         DFG's combined liveness was reporting that the machine CodeBlock's |this|
761         argument was dead at certain points in the program. However, a CodeBlock's
762         arguments are considered live for the entire function. This fixes a bug
763         where object allocation sinking phase skipped materializing an allocation
764         because it thought that the argument it was associated with, |this|, was dead.
765
766         * dfg/DFGCombinedLiveness.cpp:
767         (JSC::DFG::liveNodesAtHead):
768
769 2018-05-30  Daniel Bates  <dabates@apple.com>
770
771         Web Inspector: Annotate Same-Site cookies
772         https://bugs.webkit.org/show_bug.cgi?id=184897
773         <rdar://problem/35178209>
774
775         Reviewed by Brian Burg.
776
777         Update protocol to include cookie Same-Site policy.
778
779         * inspector/protocol/Page.json:
780
781 2018-05-29  Keith Miller  <keith_miller@apple.com>
782
783         Error instances should not strongly hold onto StackFrames
784         https://bugs.webkit.org/show_bug.cgi?id=185996
785
786         Reviewed by Mark Lam.
787
788         Previously, we would hold onto all the StackFrames until the user
789         looked at one of the properties on the Error object. This patch makes us
790         only weakly retain the StackFrames and collect all the information
791         if we are about to collect any frame.
792
793         This patch also adds a method to $vm that returns the heap's count
794         of live global objects.
795
796         * heap/Heap.cpp:
797         (JSC::Heap::finalizeUnconditionalFinalizers):
798         * interpreter/Interpreter.cpp:
799         (JSC::Interpreter::stackTraceAsString):
800         * interpreter/Interpreter.h:
801         * runtime/Error.cpp:
802         (JSC::addErrorInfo):
803         * runtime/ErrorInstance.cpp:
804         (JSC::ErrorInstance::finalizeUnconditionally):
805         (JSC::ErrorInstance::computeErrorInfo):
806         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
807         (JSC::ErrorInstance::visitChildren): Deleted.
808         * runtime/ErrorInstance.h:
809         (JSC::ErrorInstance::subspaceFor):
810         * runtime/JSFunction.cpp:
811         (JSC::getCalculatedDisplayName):
812         * runtime/StackFrame.h:
813         (JSC::StackFrame::isMarked const):
814         * runtime/VM.cpp:
815         (JSC::VM::VM):
816         * runtime/VM.h:
817         * tools/JSDollarVM.cpp:
818         (JSC::functionGlobalObjectCount):
819         (JSC::JSDollarVM::finishCreation):
820
821 2018-05-30  Keith Miller  <keith_miller@apple.com>
822
823         LLInt get_by_id prototype caching doesn't properly handle changes
824         https://bugs.webkit.org/show_bug.cgi?id=186112
825
826         Reviewed by Filip Pizlo.
827
828         The caching would sometimes fail to track that a prototype had changed
829         and wouldn't update its set of watchpoints.
830
831         * bytecode/CodeBlock.cpp:
832         (JSC::CodeBlock::finalizeLLIntInlineCaches):
833         * bytecode/CodeBlock.h:
834         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
835         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const):
836         * bytecode/ObjectPropertyConditionSet.h:
837         (JSC::ObjectPropertyConditionSet::size const):
838         * bytecode/Watchpoint.h:
839         (JSC::Watchpoint::Watchpoint): Deleted.
840         * llint/LLIntSlowPaths.cpp:
841         (JSC::LLInt::setupGetByIdPrototypeCache):
842
843 2018-05-30  Caio Lima  <ticaiolima@gmail.com>
844
845         [ESNext][BigInt] Implement support for "%" operation
846         https://bugs.webkit.org/show_bug.cgi?id=184327
847
848         Reviewed by Yusuke Suzuki.
849
850         We are introducing support for BigInt in the remainder (a.k.a. mod)
851         operation.
852
853         * runtime/CommonSlowPaths.cpp:
854         (JSC::SLOW_PATH_DECL):
855         * runtime/JSBigInt.cpp:
856         (JSC::JSBigInt::remainder):
857         (JSC::JSBigInt::rightTrim):
858         * runtime/JSBigInt.h:
859
860 2018-05-30  Saam Barati  <sbarati@apple.com>
861
862         AI for Atomics.load() is too conservative in always clobbering world
863         https://bugs.webkit.org/show_bug.cgi?id=185738
864         <rdar://problem/40342214>
865
866         Reviewed by Yusuke Suzuki.
867
868         It fails the assertion that Fil added for catching disagreements between
869         AI and clobberize. This patch fixes that. You'd run into this if you
870         manually enabled SAB in a build and ran any SAB tests.
871
872         * dfg/DFGAbstractInterpreterInlines.h:
873         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
874
875 2018-05-30  Michael Saboff  <msaboff@apple.com>
876
877         REGRESSION(r232212): Broke Win32 Builds
878         https://bugs.webkit.org/show_bug.cgi?id=186061
879
880         Reviewed by Yusuke Suzuki.
881
882         Changed Windows builds with the JIT disabled to generate and use LLIntAssembly.h
883         instead of LowLevelInterpreterWin.asm.
884
885         * CMakeLists.txt:
886
887 2018-05-30  Dominik Infuehr  <dinfuehr@igalia.com>
888
889         [MIPS] Fix build on MIPS32r1
890         https://bugs.webkit.org/show_bug.cgi?id=185944
891
892         Reviewed by Yusuke Suzuki.
893
894         Only use instructions on MIPS32r2 or later. mthc1 and mfhc1 are not supported
895         on MIPS32r1.
896
897         * offlineasm/mips.rb:
898
899 2018-05-29  Saam Barati  <sbarati@apple.com>
900
901         Add a version of JSVirtualMachine shrinkFootprint that runs when the VM goes idle
902         https://bugs.webkit.org/show_bug.cgi?id=186064
903
904         Reviewed by Mark Lam.
905
906         shrinkFootprint was implemented as:
907         ```
908         sanitizeStackForVM(this);
909         deleteAllCode(DeleteAllCodeIfNotCollecting);
910         heap.collectNow(Synchronousness::Sync);
911         WTF::releaseFastMallocFreeMemory();
912         ```
913         
914         However, for correctness reasons, deleteAllCode is implemented to do
915         work when the VM is idle: no JS is running on the stack. This means
916         that if shrinkFootprint is called when JS is running on the stack, it
917         ends up freeing less memory than it could have if it waited to run until
918         the VM goes idle.
919         
920         This patch makes it so we wait until idle before doing work. I'm seeing a
921         10% footprint progression when testing this against a client of the JSC SPI.
922         
923         Because this is a semantic change in how the SPI works, this patch
924         adds new SPI named shrinkFootprintWhenIdle. The plan is to move
925         all clients of the shrinkFootprint SPI to shrinkFootprintWhenIdle.
926         Once that happens, we will delete shrinkFootprint. Until then,
927         we make shrinkFootprint do exactly what shrinkFootprintWhenIdle does.
928
929         * API/JSVirtualMachine.mm:
930         (-[JSVirtualMachine shrinkFootprint]):
931         (-[JSVirtualMachine shrinkFootprintWhenIdle]):
932         * API/JSVirtualMachinePrivate.h:
933         * runtime/VM.cpp:
934         (JSC::VM::shrinkFootprintWhenIdle):
935         (JSC::VM::shrinkFootprint): Deleted.
936         * runtime/VM.h:
937
938 2018-05-29  Saam Barati  <sbarati@apple.com>
939
940         shrinkFootprint needs to request a full collection
941         https://bugs.webkit.org/show_bug.cgi?id=186069
942
943         Reviewed by Mark Lam.
944
945         * runtime/VM.cpp:
946         (JSC::VM::shrinkFootprint):
947
948 2018-05-29  Caio Lima  <ticaiolima@gmail.com>
949
950         [ESNext][BigInt] Implement support for "<" and ">" relational operation
951         https://bugs.webkit.org/show_bug.cgi?id=185379
952
953         Reviewed by Yusuke Suzuki.
954
955         This patch is changing the `jsLess` operation to follow the
956         semantics of Abstract Relational Comparison[1] that supports BigInt.
957         For that, we create 2 new helper functions `bigIntCompareLess` and
958         `toPrimitiveNumeric` that consider BigInt as a valid type to be
959         compared.
960
961         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-relational-comparison
962
963         * runtime/JSBigInt.cpp:
964         (JSC::JSBigInt::unequalSign):
965         (JSC::JSBigInt::absoluteGreater):
966         (JSC::JSBigInt::absoluteLess):
967         (JSC::JSBigInt::compare):
968         (JSC::JSBigInt::absoluteCompare):
969         * runtime/JSBigInt.h:
970         * runtime/JSCJSValueInlines.h:
971         (JSC::JSValue::isPrimitive const):
972         * runtime/Operations.h:
973         (JSC::bigIntCompareLess):
974         (JSC::toPrimitiveNumeric):
975         (JSC::jsLess):
976
977 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
978
979         [Baseline] Merge loading functionalities
980         https://bugs.webkit.org/show_bug.cgi?id=185907
981
982         Reviewed by Saam Barati.
983
984         This patch unifies emitXXXLoad functions in 32bit and 64bit.
985
986         * jit/JITInlines.h:
987         (JSC::JIT::emitDoubleGetByVal):
988         * jit/JITPropertyAccess.cpp:
989         (JSC::JIT::emitDoubleLoad):
990         (JSC::JIT::emitContiguousLoad):
991         (JSC::JIT::emitArrayStorageLoad):
992         (JSC::JIT::emitIntTypedArrayGetByVal):
993         (JSC::JIT::emitFloatTypedArrayGetByVal):
994         Define register usage first, and share the same code in 32bit and 64bit.
995
996         * jit/JITPropertyAccess32_64.cpp:
997         (JSC::JIT::emitSlow_op_put_by_val):
998         Now the C-stack is always enabled on JIT platforms and the number of temporary registers increases from 5 to 6 on x86.
999         We can remove this special handling.
1000
1001         (JSC::JIT::emitContiguousLoad): Deleted.
1002         (JSC::JIT::emitDoubleLoad): Deleted.
1003         (JSC::JIT::emitArrayStorageLoad): Deleted.
1004
1005 2018-05-29  Saam Barati  <sbarati@apple.com>
1006
1007         JSC should put bmalloc's scavenger into mini mode
1008         https://bugs.webkit.org/show_bug.cgi?id=185988
1009
1010         Reviewed by Michael Saboff.
1011
1012         When we InitializeThreading, we'll now enable bmalloc's mini mode
1013         if the VM is in mini mode. This is an 8-10% progression on the footprint
1014         at end score in run-testmem, making it a 4-5% memory score progression.
1015         It's between a 0-1% regression in its time score.
1016
1017         * runtime/InitializeThreading.cpp:
1018         (JSC::initializeThreading):
1019
1020 2018-05-29  Caitlin Potter  <caitp@igalia.com>
1021
1022         [JSC] Fix Array.prototype.concat fast case when single argument is Proxy
1023         https://bugs.webkit.org/show_bug.cgi?id=184267
1024
1025         Reviewed by Saam Barati.
1026
1027         Before this patch, the fast case for Array.prototype.concat was taken if
1028         there was a single argument passed to the function, which is either a
1029         non-JSCell, or an ObjectType JSCell not marked as concat-spreadable.
1030         This incorrectly prevented Proxy objects from being spread when
1031         they were the only argument passed to A.prototype.concat(), violating ECMA-262.
1032
1033         * builtins/ArrayPrototype.js:
1034         (concat):
1035
1036 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1037
1038         [JSC] JSBigInt::digitDiv has undefined behavior which causes test failures
1039         https://bugs.webkit.org/show_bug.cgi?id=186022
1040
1041         Reviewed by Darin Adler.
1042
1043         digitDiv performs Value64Bit >> 64 / Value32Bit >> 32, which is undefined behavior. And zero mask
1044         creation has an issue (`s` should be cast to a signed type before negating). They cause test failures
1045         in non x86 / x86_64 environments. x86 and x86_64 work well since they have a fast path written
1046         in asm.
1047
1048         This patch fixes digitDiv by carefully avoiding undefined behaviors. We mask the left value of the
1049         rshift with `digitBits - 1`, which makes `digitBits` 0 while it keeps 0 <= n < digitBits values.
1050         This makes the target rshift well-defined in C++. While the value produced by the rshift covers 0 <= `s` < 64 (32
1051         in 32bit environment) cases, this rshift does not shift if `s` is 0. sZeroMask clears the value
1052         if `s` is 0, so that the `s == 0` case is also covered. Note that `s == 64` never happens since `divisor`
1053         is never 0 here. We add an assertion for that. We also fix the `sZeroMask` calculation.
1054
1055         This patch also fixes the naming convention for constant values.
1056
1057         * runtime/JSBigInt.cpp:
1058         (JSC::JSBigInt::digitMul):
1059         (JSC::JSBigInt::digitDiv):
1060         * runtime/JSBigInt.h:
1061
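The shift masking described in the entry above, as an added example that is not JSC's code: a portable 128-by-64-bit digit division in the style of JSBigInt::digitDiv (the classic long division by half digits), where the shift amount is masked with `digitBits - 1` and the shifted value with `sZeroMask`, so the `s == 0` case never shifts by 64. The names `digitDiv`, `DivResult` and `countLeadingZeros` are this example's own.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>

// Added example, not JSC's code. Mirrors the structure of JSBigInt::digitDiv
// on 64-bit digits; the point is the well-defined normalization shift.
using Digit = uint64_t;
using SignedDigit = int64_t;
static constexpr unsigned digitBits = 64;
static constexpr unsigned halfDigitBits = 32;
static constexpr Digit halfDigitBase = Digit(1) << halfDigitBits;
static constexpr Digit halfDigitMask = halfDigitBase - 1;

struct DivResult {
    Digit quotient;
    Digit remainder;
};

// Portable count-leading-zeros. Returns digitBits for 0 so the caller's
// assertion (s < digitBits) is what rejects a zero divisor.
static unsigned countLeadingZeros(Digit value)
{
    if (!value)
        return digitBits;
    unsigned n = 0;
    while (!(value & (Digit(1) << (digitBits - 1)))) {
        value <<= 1;
        ++n;
    }
    return n;
}

// Computes (high * 2^64 + low) / divisor. Requires high < divisor so the
// quotient fits in one digit, and a non-zero divisor.
static DivResult digitDiv(Digit high, Digit low, Digit divisor)
{
    assert(divisor != 0);
    assert(high < divisor);

    // Normalize so the divisor's top bit is set. Because divisor != 0,
    // s is in [0, digitBits): s == digitBits (a shift by 64) never happens.
    unsigned s = countLeadingZeros(divisor);
    assert(s < digitBits);
    divisor <<= s;
    Digit vn1 = divisor >> halfDigitBits;
    Digit vn0 = divisor & halfDigitMask;

    // When s == 0, `low >> (digitBits - s)` would be a shift by 64, which is
    // undefined behavior in C++. Masking the shift amount with (digitBits - 1)
    // turns 64 into 0 and leaves 0 < n < digitBits unchanged; sZeroMask (all
    // ones when s != 0, zero when s == 0) then discards the unshifted value in
    // the s == 0 case. The negation is done on the signed type, as in the fix.
    Digit sZeroMask = static_cast<Digit>(-static_cast<SignedDigit>(s != 0));
    Digit un32 = (high << s) | ((low >> ((digitBits - s) & (digitBits - 1))) & sZeroMask);
    Digit un10 = low << s;
    Digit un1 = un10 >> halfDigitBits;
    Digit un0 = un10 & halfDigitMask;

    // First half digit of the quotient, with the usual overestimate correction.
    Digit q1 = un32 / vn1;
    Digit rhat = un32 - q1 * vn1;
    while (q1 >= halfDigitBase || q1 * vn0 > rhat * halfDigitBase + un1) {
        --q1;
        rhat += vn1;
        if (rhat >= halfDigitBase)
            break;
    }

    // Second half digit. Unsigned wraparound in the intermediates is intended.
    Digit un21 = un32 * halfDigitBase + un1 - q1 * divisor;
    Digit q0 = un21 / vn1;
    rhat = un21 - q0 * vn1;
    while (q0 >= halfDigitBase || q0 * vn0 > rhat * halfDigitBase + un0) {
        --q0;
        rhat += vn1;
        if (rhat >= halfDigitBase)
            break;
    }

    DivResult result;
    result.remainder = (un21 * halfDigitBase + un0 - q0 * divisor) >> s;
    result.quotient = q1 * halfDigitBase + q0;
    return result;
}

int main()
{
    // Constructed inputs: the second case has s == 0 (top bit of divisor set),
    // which is exactly the case the unmasked shift would mishandle.
    DivResult a = digitDiv(0, 100, 7);
    DivResult b = digitDiv(1, 5, 0xFFFFFFFFFFFFFFFFull);
    printf("100 / 7 = %llu r %llu\n", (unsigned long long)a.quotient, (unsigned long long)a.remainder);
    printf("(2^64 + 5) / (2^64 - 1) = %llu r %llu\n", (unsigned long long)b.quotient, (unsigned long long)b.remainder);
    return 0;
}
```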
1062 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1063
1064         [WTF] Add clz32 / clz64 for MSVC
1065         https://bugs.webkit.org/show_bug.cgi?id=186023
1066
1067         Reviewed by Daniel Bates.
1068
1069         Move clz32 and clz64 to WTF.
1070
1071         * runtime/MathCommon.h:
1072         (JSC::clz32): Deleted.
1073         (JSC::clz64): Deleted.
1074
1075 2018-05-27  Caio Lima  <ticaiolima@gmail.com>
1076
1077         [ESNext][BigInt] Implement "+" and "-" unary operation
1078         https://bugs.webkit.org/show_bug.cgi?id=182214
1079
1080         Reviewed by Yusuke Suzuki.
1081
1082         This patch implements support for the "-" unary operation on BigInt.
1083         It is also changing the logic of ASTBuilder::makeNegateNode to
1084         calculate BigInt literals with the proper sign, avoiding
1085         unnecessary operations. It required a refactoring of
1086         JSBigInt::parseInt to consider the sign as a parameter.
1087
1088         We are also introducing a new DFG Node called ValueNegate to handle BigInt negate
1089         operations. With the introduction of BigInt, it is not true
1090         that every negate operation returns a Number. As ArithNegate is a
1091         node that considers its result to always be a Number, like all other
1092         Arith<Operation>, we decided to keep this consistency and use ValueNegate when
1093         speculation indicates that the operand is a BigInt.
1094         This design follows the same distinction between ArithAdd and
1095         ValueAdd. Also, this new node will simplify the introduction of
1096         optimizations when we create speculation paths for BigInt in future
1097         patches.
1098
1099         In the case of the "+" unary operation on BigInt, the current semantics we already have
1100         are correct, since it needs to throw a TypeError because of the ToNumber call[1].
1101         In that case, we are adding tests to verify other edge cases.
1102
1103         [1] - https://tc39.github.io/proposal-bigint/#sec-unary-plus-operator
1104
1105         * bytecompiler/BytecodeGenerator.cpp:
1106         (JSC::BytecodeGenerator::addBigIntConstant):
1107         * bytecompiler/BytecodeGenerator.h:
1108         * bytecompiler/NodesCodegen.cpp:
1109         (JSC::BigIntNode::jsValue const):
1110         * dfg/DFGAbstractInterpreterInlines.h:
1111         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1112         * dfg/DFGByteCodeParser.cpp:
1113         (JSC::DFG::ByteCodeParser::makeSafe):
1114         (JSC::DFG::ByteCodeParser::parseBlock):
1115         * dfg/DFGClobberize.h:
1116         (JSC::DFG::clobberize):
1117         * dfg/DFGDoesGC.cpp:
1118         (JSC::DFG::doesGC):
1119         * dfg/DFGFixupPhase.cpp:
1120         (JSC::DFG::FixupPhase::fixupNode):
1121         * dfg/DFGNode.h:
1122         (JSC::DFG::Node::arithNodeFlags):
1123         * dfg/DFGNodeType.h:
1124         * dfg/DFGPredictionPropagationPhase.cpp:
1125         * dfg/DFGSafeToExecute.h:
1126         (JSC::DFG::safeToExecute):
1127         * dfg/DFGSpeculativeJIT.cpp:
1128         (JSC::DFG::SpeculativeJIT::compileValueNegate):
1129         (JSC::DFG::SpeculativeJIT::compileArithNegate):
1130         * dfg/DFGSpeculativeJIT.h:
1131         * dfg/DFGSpeculativeJIT32_64.cpp:
1132         (JSC::DFG::SpeculativeJIT::compile):
1133         * dfg/DFGSpeculativeJIT64.cpp:
1134         (JSC::DFG::SpeculativeJIT::compile):
1135         * ftl/FTLCapabilities.cpp:
1136         (JSC::FTL::canCompile):
1137         * ftl/FTLLowerDFGToB3.cpp:
1138         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1139         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
1140         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
1141         * jit/JITOperations.cpp:
1142         * parser/ASTBuilder.h:
1143         (JSC::ASTBuilder::createBigIntWithSign):
1144         (JSC::ASTBuilder::createBigIntFromUnaryOperation):
1145         (JSC::ASTBuilder::makeNegateNode):
1146         * parser/NodeConstructors.h:
1147         (JSC::BigIntNode::BigIntNode):
1148         * parser/Nodes.h:
1149         * runtime/CommonSlowPaths.cpp:
1150         (JSC::updateArithProfileForUnaryArithOp):
1151         (JSC::SLOW_PATH_DECL):
1152         * runtime/JSBigInt.cpp:
1153         (JSC::JSBigInt::parseInt):
1154         * runtime/JSBigInt.h:
1155         * runtime/JSCJSValueInlines.h:
1156         (JSC::JSValue::strictEqualSlowCaseInline):
1157
1158 2018-05-27  Dan Bernstein  <mitz@apple.com>
1159
1160         Tried to fix the 32-bit !ASSERT_DISABLED build after r232211.
1161
1162         * jit/JITOperations.cpp:
1163
1164 2018-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1165
1166         [JSC] Rename Array#flatten to flat
1167         https://bugs.webkit.org/show_bug.cgi?id=186012
1168
1169         Reviewed by Saam Barati.
1170
1171         Rename Array#flatten to Array#flat. This rename was done in TC39 since flatten
1172         conflicts with MooTools' function name.
1173
1174         * builtins/ArrayPrototype.js:
1175         (globalPrivate.flatIntoArray):
1176         (flat):
1177         (globalPrivate.flatIntoArrayWithCallback):
1178         (flatMap):
1179         (globalPrivate.flattenIntoArray): Deleted.
1180         (flatten): Deleted.
1181         (globalPrivate.flattenIntoArrayWithCallback): Deleted.
1182         * runtime/ArrayPrototype.cpp:
1183         (JSC::ArrayPrototype::finishCreation):
1184
1185 2018-05-25  Mark Lam  <mark.lam@apple.com>
1186
1187         for-in loops should preserve and restore the TDZ stack for each of their internal loops.
1188         https://bugs.webkit.org/show_bug.cgi?id=185995
1189         <rdar://problem/40173142>
1190
1191         Reviewed by Saam Barati.
1192
1193         This is because there's no guarantee that any of the loop bodies will be
1194         executed.  Hence, there's no guarantee that the TDZ variables will have been
1195         initialized after each loop body.
1196
1197         * bytecompiler/BytecodeGenerator.cpp:
1198         (JSC::BytecodeGenerator::preserveTDZStack):
1199         (JSC::BytecodeGenerator::restoreTDZStack):
1200         * bytecompiler/BytecodeGenerator.h:
1201         * bytecompiler/NodesCodegen.cpp:
1202         (JSC::ForInNode::emitBytecode):
1203
1204 2018-05-25  Mark Lam  <mark.lam@apple.com>
1205
1206         MachineContext's instructionPointer() should handle null PCs correctly.
1207         https://bugs.webkit.org/show_bug.cgi?id=186004
1208         <rdar://problem/40570067>
1209
1210         Reviewed by Saam Barati.
1211
1212         instructionPointer() returns a MacroAssemblerCodePtr<CFunctionPtrTag>.  However,
1213         MacroAssemblerCodePtr's constructor does not accept a null pointer value and will
1214         assert accordingly with a debug ASSERT.  This is inconsequential for release
1215         builds, but to avoid this assertion failure, we should check for a null PC and
1216         return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr) instead (which uses the
1217         MacroAssemblerCodePtr(std::nullptr_t) version of the constructor instead).
1218
1219         Alternatively, we can change all of MacroAssemblerCodePtr's constructors to check
1220         for null pointers, but I'd rather not do that yet.  In general,
1221         MacroAssemblerCodePtrs are constructed with non-null pointers, and I prefer to
1222         leave it that way for now.
1223
1224         Note: this assertion failure only manifests when we have signal traps enabled,
1225         and encounter a null pointer deref.
1226
1227         * runtime/MachineContext.h:
1228         (JSC::MachineContext::instructionPointer):
1229
1230 2018-05-25  Mark Lam  <mark.lam@apple.com>
1231
1232         Enforce invariant that GetterSetter objects are invariant.
1233         https://bugs.webkit.org/show_bug.cgi?id=185968
1234         <rdar://problem/40541416>
1235
1236         Reviewed by Saam Barati.
1237
1238         The code already assumes the invariant that GetterSetter objects are immutable.
1239         For example, the use of @tryGetById in builtins expects this invariant to be true.
1240         The existing code mostly enforces this except for one case: JSObject's
1241         validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter
1242         object.
1243
1244         This patch enforces this invariant by removing the setGetter and setSetter methods
1245         of GetterSetter, and requiring the getter/setter callback functions to be
1246         specified at construction time.
1247
1248         * jit/JITOperations.cpp:
1249         * llint/LLIntSlowPaths.cpp:
1250         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1251         * runtime/GetterSetter.cpp:
1252         (JSC::GetterSetter::withGetter): Deleted.
1253         (JSC::GetterSetter::withSetter): Deleted.
1254         * runtime/GetterSetter.h:
1255         * runtime/JSGlobalObject.cpp:
1256         (JSC::JSGlobalObject::init):
1257         * runtime/JSObject.cpp:
1258         (JSC::JSObject::putIndexedDescriptor):
1259         (JSC::JSObject::putDirectNativeIntrinsicGetter):
1260         (JSC::putDescriptor):
1261         (JSC::validateAndApplyPropertyDescriptor):
1262         * runtime/JSTypedArrayViewPrototype.cpp:
1263         (JSC::JSTypedArrayViewPrototype::finishCreation):
1264         * runtime/Lookup.cpp:
1265         (JSC::reifyStaticAccessor):
1266         * runtime/PropertyDescriptor.cpp:
1267         (JSC::PropertyDescriptor::slowGetterSetter):
1268
1269 2018-05-25  Saam Barati  <sbarati@apple.com>
1270
1271         Make JSC have a mini mode that kicks in when the JIT is disabled
1272         https://bugs.webkit.org/show_bug.cgi?id=185931
1273
1274         Reviewed by Mark Lam.
1275
1276         This patch makes JSC have a mini VM mode. This currently only kicks in
1277         when the process can't JIT. Mini VM now means a few things:
1278         - We always use a 1.27x heap growth factor. This number was the best tradeoff
1279           between memory use progression and time regression in run-testmem. We may
1280           want to tune this more in the future as we make other mini VM changes.
1281         - We always sweep synchronously.
1282         - We disable generational GC.
1283         
1284         I'm going to continue to extend what mini VM mode means in future changes.
1285         
1286         This patch is a 50% memory progression and an ~8-9% time regression
1287         on run-testmem when running in mini VM mode with the JIT disabled.
1288
1289         * heap/Heap.cpp:
1290         (JSC::Heap::collectNow):
1291         (JSC::Heap::finalize):
1292         (JSC::Heap::useGenerationalGC):
1293         (JSC::Heap::shouldSweepSynchronously):
1294         (JSC::Heap::shouldDoFullCollection):
1295         * heap/Heap.h:
1296         * runtime/Options.h:
1297         * runtime/VM.cpp:
1298         (JSC::VM::isInMiniMode):
1299         * runtime/VM.h:
1300
1301 2018-05-25  Saam Barati  <sbarati@apple.com>
1302
1303         Have a memory test where we can validate JSC's mini memory mode
1304         https://bugs.webkit.org/show_bug.cgi?id=185932
1305
1306         Reviewed by Mark Lam.
1307
1308         This patch adds the testmem CLI. It takes as input a file to run
1309         and the number of iterations to run it (by default it runs it
1310         20 times). Each iteration runs in a new JSContext. Each JSContext
1311         belongs to a VM that is created once. When finished, the CLI dumps
1312         out the peak memory usage of the process, the memory usage at the end
1313         of running all the iterations of the process, and the total time it
1314         took to run all the iterations.
1315
1316         * JavaScriptCore.xcodeproj/project.pbxproj:
1317         * testmem: Added.
1318         * testmem/testmem.mm: Added.
1319         (description):
1320         (Footprint::now):
1321         (main):
1322
1323 2018-05-25  David Kilzer  <ddkilzer@apple.com>
1324
1325         Fix issues with -dealloc methods found by clang static analyzer
1326         <https://webkit.org/b/185887>
1327
1328         Reviewed by Joseph Pecoraro.
1329
1330         * API/JSValue.mm:
1331         (-[JSValue dealloc]):
1332         (-[JSValue description]):
1333         - Move method implementations from (Internal) category to the
1334           main category since these are public API.  This fixes the
1335           false positive warning about a missing -dealloc method.
1336
1337 2018-05-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1338
1339         [Baseline] Remove a hack for DCE removal of NewFunction
1340         https://bugs.webkit.org/show_bug.cgi?id=185945
1341
1342         Reviewed by Saam Barati.
1343
1344         This `undefined` check in baseline was originally introduced in r177871. The problem was,
1345         when NewFunction is removed in DFG DCE, its referencing scope DFG node is also removed.
1346         While op_new_func_xxx wants to have a scope for function creation, DFG OSR exit cannot
1347         retrieve this into the stack since the scope is not referenced from anywhere.
1348
1349         In r177871, we fixed this by accepting an `undefined` scope in the baseline op_new_func_xxx
1350         implementation. But rather than that, just emitting `Phantom` for this scope is clean
1351         and consistent with the other DFG nodes like GetClosureVar.
1352
1353         This patch emits Phantom instead, and removes the unnecessary `undefined` check in baseline.
1354         While we emit Phantom, it is not testable since NewFunction is guarded by MovHint which
1355         is not removed in DFG. And in FTL, NewFunction will be converted to PhantomNewFunction
1356         if it is not referenced. And the scope node is kept by PutHint. But emitting Phantom is nice
1357         since it conservatively guards the scope, and it does not introduce any additional overhead
1358         compared to the current status.
1359
1360         * dfg/DFGByteCodeParser.cpp:
1361         (JSC::DFG::ByteCodeParser::parseBlock):
1362         * jit/JITOpcodes.cpp:
1363         (JSC::JIT::emitNewFuncExprCommon):
1364
1365 2018-05-23  Keith Miller  <keith_miller@apple.com>
1366
1367         Expose $vm if window.internals is exposed
1368         https://bugs.webkit.org/show_bug.cgi?id=185900
1369
1370         Reviewed by Mark Lam.
1371
1372         This is useful for testing vm internals when running LayoutTests.
1373
1374         * runtime/JSGlobalObject.cpp:
1375         (JSC::JSGlobalObject::init):
1376         (JSC::JSGlobalObject::visitChildren):
1377         (JSC::JSGlobalObject::exposeDollarVM):
1378         * runtime/JSGlobalObject.h:
1379
1380 2018-05-23  Keith Miller  <keith_miller@apple.com>
1381
1382         Define length on CoW array should properly convert to writable
1383         https://bugs.webkit.org/show_bug.cgi?id=185927
1384
1385         Reviewed by Yusuke Suzuki.
1386
1387         * runtime/JSArray.cpp:
1388         (JSC::JSArray::setLength):
1389
1390 2018-05-23  Keith Miller  <keith_miller@apple.com>
1391
1392         InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format
1393         https://bugs.webkit.org/show_bug.cgi?id=185923
1394
1395         Reviewed by Saam Barati.
1396
1397         Previously, we could confuse AI by overly broadening a type. This happens when a block in a
1398         loop has a local mutated following a GetLocal but never SetLocaled to the stack. For example,
1399
1400         Block 1:
1401         @1: GetLocal(loc42, FlushedInt32);
1402         @2: PutStructure(Check: Cell: @1);
1403         @3: Jump(Block 1);
1404
1405         Would cause us to claim that loc42 could be either an int32 or some cell. However,
1406         the type of a local cannot change without writing to it.
1407
1408         This fixes a crash in destructuring-rest-element.js
1409
1410         * dfg/DFGInPlaceAbstractState.cpp:
1411         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1412
1413 2018-05-23  Filip Pizlo  <fpizlo@apple.com>
1414
1415         Speed up JetStream/base64
1416         https://bugs.webkit.org/show_bug.cgi?id=185914
1417
1418         Reviewed by Michael Saboff.
1419         
1420         Make allocation fast paths ALWAYS_INLINE.
1421         
1422         This is a 1% speed-up on SunSpider, mostly because of base64. It also speeds up pdfjs by
1423         ~6%.
1424
1425         * CMakeLists.txt:
1426         * JavaScriptCore.xcodeproj/project.pbxproj:
1427         * heap/AllocatorInlines.h:
1428         (JSC::Allocator::allocate const):
1429         * heap/CompleteSubspace.cpp:
1430         (JSC::CompleteSubspace::allocateNonVirtual): Deleted.
1431         * heap/CompleteSubspace.h:
1432         * heap/CompleteSubspaceInlines.h: Added.
1433         (JSC::CompleteSubspace::allocateNonVirtual):
1434         * heap/FreeListInlines.h:
1435         (JSC::FreeList::allocate):
1436         * heap/IsoSubspace.cpp:
1437         (JSC::IsoSubspace::allocateNonVirtual): Deleted.
1438         * heap/IsoSubspace.h:
1439         (JSC::IsoSubspace::allocatorForNonVirtual):
1440         * heap/IsoSubspaceInlines.h: Added.
1441         (JSC::IsoSubspace::allocateNonVirtual):
1442         * runtime/JSCellInlines.h:
1443         * runtime/VM.h:
1444
1445 2018-05-23  Rick Waldron  <waldron.rick@gmail.com>
1446
1447         Conversion misspelled "Convertion" in error message string
1448         https://bugs.webkit.org/show_bug.cgi?id=185436
1449
1450         Reviewed by Saam Barati and Michael Saboff.
1451
1452         * runtime/JSBigInt.cpp:
1453         (JSC::JSBigInt::toNumber const):
1454
1455 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1456
1457         [JSC] Clean up stringGetByValStubGenerator
1458         https://bugs.webkit.org/show_bug.cgi?id=185864
1459
1460         Reviewed by Saam Barati.
1461
1462         We clean up stringGetByValStubGenerator.
1463
1464         1. Unify 32bit and 64bit implementations.
1465         2. Rename stringGetByValStubGenerator to stringGetByValGenerator, move it to ThunkGenerators.cpp.
1466         3. Remove string type check since this code is invoked only when we know regT0 is JSString*.
1467         4. Do not tag Cell in stringGetByValGenerator side. 32bit code stores Cell with tag in JITPropertyAccess32_64 side.
1468         5. Fix invalid use of loadPtr for StringImpl::flags. Should use load32.
1469
1470         * jit/JIT.h:
1471         * jit/JITPropertyAccess.cpp:
1472         (JSC::JIT::emitSlow_op_get_by_val):
1473         (JSC::JIT::stringGetByValStubGenerator): Deleted.
1474         * jit/JITPropertyAccess32_64.cpp:
1475         (JSC::JIT::emit_op_get_by_val):
1476         (JSC::JIT::emitSlow_op_get_by_val):
1477         (JSC::JIT::stringGetByValStubGenerator): Deleted.
1478         * jit/ThunkGenerators.cpp:
1479         (JSC::stringGetByValGenerator):
1480         * jit/ThunkGenerators.h:
1481
1482 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1483
1484         [JSC] Use branchIfString/branchIfNotString instead of structure checks
1485         https://bugs.webkit.org/show_bug.cgi?id=185810
1486
1487         Reviewed by Saam Barati.
1488
1489         Let's use the branchIfString/branchIfNotString helper functions instead of
1490         checking the structure against jsString's structure. It's easier to read. And
1491         it emits less code since we do not need to embed the string structure's
1492         raw pointer in 32bit environments.
1493
1494         * jit/JIT.h:
1495         * jit/JITInlines.h:
1496         (JSC::JIT::emitLoadCharacterString):
1497         (JSC::JIT::checkStructure): Deleted.
1498         * jit/JITOpcodes32_64.cpp:
1499         (JSC::JIT::emitSlow_op_eq):
1500         (JSC::JIT::compileOpEqJumpSlow):
1501         (JSC::JIT::emitSlow_op_neq):
1502         * jit/JITPropertyAccess.cpp:
1503         (JSC::JIT::stringGetByValStubGenerator):
1504         (JSC::JIT::emitSlow_op_get_by_val):
1505         (JSC::JIT::emitByValIdentifierCheck):
1506         * jit/JITPropertyAccess32_64.cpp:
1507         (JSC::JIT::stringGetByValStubGenerator):
1508         (JSC::JIT::emitSlow_op_get_by_val):
1509         * jit/JSInterfaceJIT.h:
1510         (JSC::ThunkHelpers::jsStringLengthOffset): Deleted.
1511         (JSC::ThunkHelpers::jsStringValueOffset): Deleted.
1512         * jit/SpecializedThunkJIT.h:
1513         (JSC::SpecializedThunkJIT::loadJSStringArgument):
1514         * jit/ThunkGenerators.cpp:
1515         (JSC::stringCharLoad):
1516         (JSC::charCodeAtThunkGenerator):
1517         (JSC::charAtThunkGenerator):
1518         * runtime/JSString.h:
1519
1520 2018-05-22  Mark Lam  <mark.lam@apple.com>
1521
1522         BytecodeGeneratorification shouldn't add a ValueProfile if the JIT is disabled.
1523         https://bugs.webkit.org/show_bug.cgi?id=185896
1524         <rdar://problem/40471403>
1525
1526         Reviewed by Saam Barati.
1527
1528         * bytecode/BytecodeGeneratorification.cpp:
1529         (JSC::BytecodeGeneratorification::run):
1530
1531 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1532
1533         [JSC] Fix CachedCall's argument count if RegExp has named captures
1534         https://bugs.webkit.org/show_bug.cgi?id=185587
1535
1536         Reviewed by Mark Lam.
1537
1538         If the given RegExp has named captures, the argument count of CachedCall in String#replace
1539         should be increased by one. This causes a crash with an assertion in test262. This patch corrects
1540         the argument count.
1541
1542         This patch also unifies source.is8Bit()/!source.is8Bit() code since they are now completely
1543         the same.
1544
1545         * runtime/StringPrototype.cpp:
1546         (JSC::replaceUsingRegExpSearch):
1547
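The extra argument that the entry above accounts for is observable from script, since the spec passes the `groups` object to a replacer callback only when the RegExp has named capture groups. The following is an added example, not WebKit or test262 code; `replacerArgCounts`, `namedCaptureExtraArgs` and `lastReplacerArg` are names chosen here, and the inputs are constructed.

```javascript
// Added example (not WebKit code). Counts the arguments a
// String.prototype.replace replacer callback receives. Per ECMAScript, the
// callback gets (match, ...captures, offset, string) and, only when the
// RegExp has named groups, one trailing `groups` object. That trailing
// argument is the "+1" a cached call into the replacer has to budget for.

function replacerArgCounts(source, re) {
  const counts = [];
  source.replace(re, (...args) => {
    counts.push(args.length);
    return "";
  });
  return counts;
}

// Constructed sample inputs: same text, same captures, named vs. unnamed.
const UNNAMED_RE = /(a)(b)/g;
const NAMED_RE = /(?<x>a)(?<y>b)/g;

// Returns how many more arguments the named-capture form passes per call.
function namedCaptureExtraArgs() {
  const unnamed = replacerArgCounts("ab ab", UNNAMED_RE); // [5, 5]
  const named = replacerArgCounts("ab ab", NAMED_RE);     // [6, 6]
  return named[0] - unnamed[0];                           // 1
}

// Returns the last argument handed to the replacer: the offset/string pair
// ends the list for unnamed groups, the `groups` object for named ones.
function lastReplacerArg(source, re) {
  let last;
  source.replace(re, (...args) => {
    last = args[args.length - 1];
    return "";
  });
  return last;
}
```

Note that the `groups` object has a null prototype, so compare its fields rather than the object itself when asserting on it.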
1548 2018-05-22  Mark Lam  <mark.lam@apple.com>
1549
1550         StringImpl utf8 conversion should not fail silently.
1551         https://bugs.webkit.org/show_bug.cgi?id=185888
1552         <rdar://problem/40464506>
1553
1554         Reviewed by Filip Pizlo.
1555
1556         * dfg/DFGLazyJSValue.cpp:
1557         (JSC::DFG::LazyJSValue::dumpInContext const):
1558         * runtime/DateConstructor.cpp:
1559         (JSC::constructDate):
1560         (JSC::dateParse):
1561         * runtime/JSDateMath.cpp:
1562         (JSC::parseDate):
1563         * runtime/JSDateMath.h:
1564
1565 2018-05-22  Keith Miller  <keith_miller@apple.com>
1566
1567         Remove the UnconditionalFinalizer class
1568         https://bugs.webkit.org/show_bug.cgi?id=185881
1569
1570         Reviewed by Filip Pizlo.
1571
1572         The only remaining user of this API is
1573         JSWebAssemblyCodeBlock. This patch changes JSWebAssemblyCodeBlock
1574         to use the newer template based API and removes the old class.
1575
1576         * CMakeLists.txt:
1577         * JavaScriptCore.xcodeproj/project.pbxproj:
1578         * bytecode/CodeBlock.h:
1579         * heap/Heap.cpp:
1580         (JSC::Heap::finalizeUnconditionalFinalizers):
1581         * heap/Heap.h:
1582         * heap/SlotVisitor.cpp:
1583         (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
1584         * heap/SlotVisitor.h:
1585         * heap/UnconditionalFinalizer.h: Removed.
1586         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1587         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
1588         (JSC::JSWebAssemblyCodeBlock::visitChildren):
1589         (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
1590         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
1591         * wasm/js/JSWebAssemblyCodeBlock.h:
1592         * wasm/js/JSWebAssemblyModule.h:
1610
1611 2018-05-22  Keith Miller  <keith_miller@apple.com>
1612
1613         Unreviewed, fix internal build.
1614
1615         * runtime/JSImmutableButterfly.cpp:
1616
1617 2018-05-22  Saam Barati  <sbarati@apple.com>
1618
1619         DFG::LICMPhase should attempt to hoist edge type checks if hoisting the whole node fails
1620         https://bugs.webkit.org/show_bug.cgi?id=144525
1621
1622         Reviewed by Filip Pizlo.
1623
1624         This patch teaches LICM to fall back to hoisting a node's type checks when
1625         hoisting the entire node fails.
1626         
1627         This patch follows the same principles we use when deciding to hoist nodes in general:
1628         - If the pre header is control equivalent to where the current check is, we
1629         go ahead and hoist the check.
1630         - Otherwise, if hoisting hasn't failed before, we go ahead and gamble and
1631         hoist the check. If hoisting failed in the past, we will not hoist the check.
1632
1633         * dfg/DFGLICMPhase.cpp:
1634         (JSC::DFG::LICMPhase::attemptHoist):
1635         * dfg/DFGUseKind.h:
1636         (JSC::DFG::checkMayCrashIfInputIsEmpty):
1637
1638 2018-05-21  Filip Pizlo  <fpizlo@apple.com>
1639
1640         Get rid of TLCs
1641         https://bugs.webkit.org/show_bug.cgi?id=185846
1642
1643         Rubber stamped by Geoffrey Garen.
1644         
1645         This removes support for thread-local caches from the GC in order to speed up allocation a
1646         bit.
1647         
1648         We added TLCs as part of Spectre mitigations, which we have since removed.
1649         
1650         We will want some kind of TLCs eventually, since they allow us to:
1651         
1652         - have a global GC, which may be a perf optimization at some point.
1653         - allocate objects from JIT threads, which we've been wanting to do for a while.
1654         
1655         This change keeps the most interesting aspect of TLCs, which is the
1656         LocalAllocator/BlockDirectory separation. This means that it ought to be easy to implement
1657         TLCs again in the future if we wanted this feature.
1658         
1659         This change removes the part of TLCs that causes a perf regression, namely that Allocator is
1660         an offset that requires a bounds check and lookup that makes the rest of the allocation fast
1661         path dependent on the load of the TLC. Now, Allocator is really just a LocalAllocator*, so
1662         you can directly use it to allocate. This removes two loads and a check from the allocation
1663         fast path dependent on the load of the TLC. Now, Allocator is really just a LocalAllocator*, so
1664         you can directly use it to allocate. This removes two loads and a check from the allocation
1665         fast path. In hindsight, I probably could have made that whole thing more efficient, had I
1666         allowed us to have a statically known set of LocalAllocators. This would have removed the
1667         bounds check (one load and one branch) and it would have made it possible to CSE the load of
1668         
1669         While reviewing the allocation hot paths, I found that CreateThis had an unnecessary branch
1670         to check if the allocator is null. I removed that check. AssemblyHelpers::emitAllocate() does
1671         that check already. Previously, the TLC bounds check doubled as this check.
1672         
1673         This is a 1% speed-up on Octane and a 2.3% speed-up on TailBench. However, the Octane
1674         speed-up on my machine includes an 8% regexp speed-up. I've found that sometimes regexp
1675         speeds up or slows down by 8% depending on which path I build JSC from. Without that 8%, this
1676         is still an Octane speed-up due to 2-4% speed-ups in earley, boyer, raytrace, and splay.
1677
1678         * JavaScriptCore.xcodeproj/project.pbxproj:
1679         * Sources.txt:
1680         * bytecode/ObjectAllocationProfileInlines.h:
1681         (JSC::ObjectAllocationProfile::initializeProfile):
1682         * dfg/DFGSpeculativeJIT.cpp:
1683         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1684         * ftl/FTLLowerDFGToB3.cpp:
1685         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1686         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1687         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1688         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
1689         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1690         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
1691         * heap/Allocator.cpp:
1692         (JSC::Allocator::cellSize const):
1693         * heap/Allocator.h:
1694         (JSC::Allocator::Allocator):
1695         (JSC::Allocator::localAllocator const):
1696         (JSC::Allocator::operator== const):
1697         (JSC::Allocator::offset const): Deleted.
1698         * heap/AllocatorInlines.h:
1699         (JSC::Allocator::allocate const):
1700         (JSC::Allocator::tryAllocate const): Deleted.
1701         * heap/BlockDirectory.cpp:
1702         (JSC::BlockDirectory::BlockDirectory):
1703         (JSC::BlockDirectory::~BlockDirectory):
1704         * heap/BlockDirectory.h:
1705         (JSC::BlockDirectory::allocator const): Deleted.
1706         * heap/CompleteSubspace.cpp:
1707         (JSC::CompleteSubspace::allocateNonVirtual):
1708         (JSC::CompleteSubspace::allocatorForSlow):
1709         (JSC::CompleteSubspace::tryAllocateSlow):
1710         * heap/CompleteSubspace.h:
1711         * heap/Heap.cpp:
1712         (JSC::Heap::Heap):
1713         * heap/Heap.h:
1714         (JSC::Heap::threadLocalCacheLayout): Deleted.
1715         * heap/IsoSubspace.cpp:
1716         (JSC::IsoSubspace::IsoSubspace):
1717         (JSC::IsoSubspace::allocateNonVirtual):
1718         * heap/IsoSubspace.h:
1719         (JSC::IsoSubspace::allocatorForNonVirtual):
1720         * heap/LocalAllocator.cpp:
1721         (JSC::LocalAllocator::LocalAllocator):
1722         (JSC::LocalAllocator::~LocalAllocator):
1723         * heap/LocalAllocator.h:
1724         (JSC::LocalAllocator::cellSize const):
1725         (JSC::LocalAllocator::tlc const): Deleted.
1726         * heap/ThreadLocalCache.cpp: Removed.
1727         * heap/ThreadLocalCache.h: Removed.
1728         * heap/ThreadLocalCacheInlines.h: Removed.
1729         * heap/ThreadLocalCacheLayout.cpp: Removed.
1730         * heap/ThreadLocalCacheLayout.h: Removed.
1731         * jit/AssemblyHelpers.cpp:
1732         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1733         (JSC::AssemblyHelpers::emitAllocate):
1734         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1735         * jit/JITOpcodes.cpp:
1736         (JSC::JIT::emit_op_create_this):
1737         * runtime/JSLock.cpp:
1738         (JSC::JSLock::didAcquireLock):
1739         * runtime/VM.cpp:
1740         (JSC::VM::VM):
1741         (JSC::VM::~VM):
1742         * runtime/VM.h:
1743         * runtime/VMEntryScope.cpp:
1744         (JSC::VMEntryScope::~VMEntryScope):
1745         * runtime/VMEntryScope.h:
1746
1747 2018-05-22  Keith Miller  <keith_miller@apple.com>
1748
1749         We should have a CoW storage for NewArrayBuffer arrays.
1750         https://bugs.webkit.org/show_bug.cgi?id=185003
1751
1752         Reviewed by Filip Pizlo.
1753
1754         This patch adds copy on write storage for new array buffers. In
1755         order to do this there needed to be significant changes to the
1756         layout of IndexingType. The new indexing type has the following
1757         shape:
1758
1759         struct IndexingTypeAndMisc {
1760             struct IndexingModeIncludingHistory {
1761                 struct IndexingMode {
1762                     struct IndexingType {
1763                         uint8_t isArray:1;          // bit 0
1764                         uint8_t shape:3;            // bit 1 - 3
1765                     };
1766                     uint8_t copyOnWrite:1;          // bit 4
1767                 };
1768                 uint8_t mayHaveIndexedAccessors:1;  // bit 5
1769             };
1770             uint8_t cellLockBits:2;                 // bit 6 - 7
1771         };
1772
1773         For simplicity ArrayStorage shapes cannot be CoW. So the only
1774         valid CoW indexing shapes are ArrayWithInt32, ArrayWithDouble, and
1775         ArrayWithContiguous.
1776
1777         The backing store for a CoW array is a new class
1778         JSImmutableButterfly, which looks exactly the same as a normal
1779         butterfly except that it has a JSCell header. Like other
1780         butterflies, JSImmutableButterflies are allocated out of the
1781         Auxiliary Gigacage and are pointed to by JSCells in the same
1782         way. However, when marking JSImmutableButterflies they are marked
1783         as if they were a property.
1784
1785         With CoW arrays, the new_array_buffer bytecode will reallocate the
1786         shared JSImmutableButterfly if it sees from the allocation profile
1787         that the last array it allocated has transitioned to a different
1788         indexing type. From then on, all arrays created by that
1789         new_array_buffer bytecode will have the promoted indexing
1790         type. This is more or less the same as what we used to do. The
1791         only difference is that we don't promote all the way to array
1792         storage even if we have seen it before.
1793
1794         Transitioning from a CoW indexing mode occurs whenever someone
1795         tries to store to an element, grow the array, or add properties.
1796         Storing or growing the array will call into code that does the
1797         stupid thing of copying the butterfly then continue into the old
1798         code. This doesn't end up costing us as future allocations will
1799         use any upgraded indexing shape.  We get adding properties for
1800         free by just changing the indexing mode on transition (our C++
1801         code always updates the indexing mode).
1802
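The transitions listed above (element store, growth, adding a property) are the points where a shared JSImmutableButterfly must be copied before it is mutated; whether two arrays actually share storage is not observable from script, but the contract they must satisfy is. The following is an added example, not WebKit code: a set of checks a practitioner can run against any engine, covering each trigger plus the setLength path from the "Define length on CoW array" entry above. `makeLiteral` and the check function names are chosen here, and the literal values are constructed.

```javascript
// Added example (not WebKit code). Every call to makeLiteral() runs the same
// new_array_buffer site, so under CoW the returned arrays may share one
// backing store until one of them is written. Each check below mutates one
// array through a different transition trigger and returns true only if the
// sibling array is unaffected.

function makeLiteral() {
  return [1, 2, 3];
}

// Element store: the written array must get its own writable butterfly.
function storeDoesNotLeak() {
  const a = makeLiteral();
  const b = makeLiteral();
  a[0] = 99;
  return a !== b && a[0] === 99 && b[0] === 1;
}

// Growth: push past the shared vector length, then set length explicitly
// (the JSArray::setLength path must also convert to writable first).
function growthDoesNotLeak() {
  const a = makeLiteral();
  const b = makeLiteral();
  a.push(4);
  a.length = 10;
  return a.length === 10 && a[3] === 4 && b.length === 3 && !(3 in b);
}

// Adding a named property only changes the indexing mode; a later store that
// promotes the shape (int32 -> double) must still be private to `a`.
function propertyAddDoesNotLeak() {
  const a = makeLiteral();
  const b = makeLiteral();
  a.tag = "x";
  a[1] = 2.5;
  return b.tag === undefined && b[1] === 2 && a[1] === 2.5;
}

// Once a site has promoted its indexing type, literals created afterwards
// must still carry the original values.
function valuesStableAfterPromotion() {
  const a = makeLiteral();
  a[0] = 0.5;
  const c = makeLiteral();
  return c.length === 3 && c[0] === 1 && c[1] === 2 && c[2] === 3;
}

// Runs every check and reports the names of any that failed.
function failedChecks() {
  const checks = { storeDoesNotLeak, growthDoesNotLeak, propertyAddDoesNotLeak, valuesStableAfterPromotion };
  return Object.keys(checks).filter((name) => !checks[name]());
}
```

`failedChecks()` returning an empty array means the engine preserved value semantics across all four transitions; a non-empty result names the trigger whose copy-before-write is broken.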
1803         * JavaScriptCore.xcodeproj/project.pbxproj:
1804         * Sources.txt:
1805         * bytecode/ArrayAllocationProfile.cpp:
1806         (JSC::ArrayAllocationProfile::updateProfile):
1807         * bytecode/ArrayAllocationProfile.h:
1808         (JSC::ArrayAllocationProfile::initializeIndexingMode):
1809         * bytecode/ArrayProfile.cpp:
1810         (JSC::dumpArrayModes):
1811         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
1812         * bytecode/ArrayProfile.h:
1813         (JSC::asArrayModes):
1814         (JSC::arrayModeFromStructure):
1815         (JSC::arrayModesInclude):
1816         (JSC::hasSeenCopyOnWriteArray):
1817         * bytecode/BytecodeList.json:
1818         * bytecode/CodeBlock.cpp:
1819         (JSC::CodeBlock::finishCreation):
1820         * bytecode/InlineAccess.cpp:
1821         (JSC::InlineAccess::generateArrayLength):
1822         * bytecode/UnlinkedCodeBlock.h:
1823         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
1824         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
1825         * bytecompiler/BytecodeGenerator.cpp:
1826         (JSC::BytecodeGenerator::newArrayAllocationProfile):
1827         (JSC::BytecodeGenerator::emitNewArrayBuffer):
1828         (JSC::BytecodeGenerator::emitNewArray):
1829         (JSC::BytecodeGenerator::emitNewArrayWithSize):
1830         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
1831         * bytecompiler/BytecodeGenerator.h:
1832         * bytecompiler/NodesCodegen.cpp:
1833         (JSC::ArrayNode::emitBytecode):
1834         (JSC::ArrayPatternNode::bindValue const):
1835         (JSC::ArrayPatternNode::emitDirectBinding):
1836         * dfg/DFGAbstractInterpreterInlines.h:
1837         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1838         * dfg/DFGArgumentsEliminationPhase.cpp:
1839         * dfg/DFGArgumentsUtilities.cpp:
1840         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
1841         * dfg/DFGArrayMode.cpp:
1842         (JSC::DFG::ArrayMode::fromObserved):
1843         (JSC::DFG::ArrayMode::refine const):
1844         (JSC::DFG::ArrayMode::alreadyChecked const):
1845         * dfg/DFGArrayMode.h:
1846         (JSC::DFG::ArrayMode::ArrayMode):
1847         (JSC::DFG::ArrayMode::action const):
1848         (JSC::DFG::ArrayMode::withSpeculation const):
1849         (JSC::DFG::ArrayMode::withArrayClass const):
1850         (JSC::DFG::ArrayMode::withType const):
1851         (JSC::DFG::ArrayMode::withConversion const):
1852         (JSC::DFG::ArrayMode::withTypeAndConversion const):
1853         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
1854         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
1855         * dfg/DFGByteCodeParser.cpp:
1856         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1857         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
1858         (JSC::DFG::ByteCodeParser::parseBlock):
1859         * dfg/DFGClobberize.h:
1860         (JSC::DFG::clobberize):
1861         * dfg/DFGConstantFoldingPhase.cpp:
1862         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1863         * dfg/DFGFixupPhase.cpp:
1864         (JSC::DFG::FixupPhase::fixupNode):
1865         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
1866         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1867         * dfg/DFGGraph.cpp:
1868         (JSC::DFG::Graph::dump):
1869         * dfg/DFGNode.h:
1870         (JSC::DFG::Node::indexingType):
1871         (JSC::DFG::Node::indexingMode):
1872         * dfg/DFGOSRExit.cpp:
1873         (JSC::DFG::OSRExit::compileExit):
1874         * dfg/DFGOperations.cpp:
1875         * dfg/DFGOperations.h:
1876         * dfg/DFGSpeculativeJIT.cpp:
1877         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1878         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
1879         (JSC::DFG::SpeculativeJIT::arrayify):
1880         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1881         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1882         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1883         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1884         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1885         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1886         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
1887         * dfg/DFGSpeculativeJIT32_64.cpp:
1888         (JSC::DFG::SpeculativeJIT::compile):
1889         * dfg/DFGSpeculativeJIT64.cpp:
1890         (JSC::DFG::SpeculativeJIT::compile):
1891         * dfg/DFGValidate.cpp:
1892         * ftl/FTLAbstractHeapRepository.h:
1893         * ftl/FTLLowerDFGToB3.cpp:
1894         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
1895         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1896         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
1897         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1898         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1899         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
1900         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
1901         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
1902         * ftl/FTLOperations.cpp:
1903         (JSC::FTL::operationMaterializeObjectInOSR):
1904         * generate-bytecode-files:
1905         * interpreter/Interpreter.cpp:
1906         (JSC::sizeOfVarargs):
1907         (JSC::loadVarargs):
1908         * jit/AssemblyHelpers.cpp:
1909         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1910         * jit/AssemblyHelpers.h:
1911         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1912         * jit/JITOperations.cpp:
1913         * jit/JITPropertyAccess.cpp:
1914         (JSC::JIT::emit_op_put_by_val):
1915         (JSC::JIT::emitSlow_op_put_by_val):
1916         * jit/Repatch.cpp:
1917         (JSC::tryCachePutByID):
1918         * llint/LowLevelInterpreter.asm:
1919         * llint/LowLevelInterpreter32_64.asm:
1920         * llint/LowLevelInterpreter64.asm:
1921         * runtime/Butterfly.h:
1922         (JSC::ContiguousData::Data::Data):
1923         (JSC::ContiguousData::Data::operator bool const):
1924         (JSC::ContiguousData::Data::operator=):
1925         (JSC::ContiguousData::Data::operator const T& const):
1926         (JSC::ContiguousData::Data::set):
1927         (JSC::ContiguousData::Data::setWithoutWriteBarrier):
1928         (JSC::ContiguousData::Data::clear):
1929         (JSC::ContiguousData::Data::get const):
1930         (JSC::ContiguousData::atUnsafe):
1931         (JSC::ContiguousData::at const): Deleted.
1932         (JSC::ContiguousData::at): Deleted.
1933         * runtime/ButterflyInlines.h:
1934         (JSC::ContiguousData<T>::at const):
1935         (JSC::ContiguousData<T>::at):
1936         * runtime/ClonedArguments.cpp:
1937         (JSC::ClonedArguments::createEmpty):
1938         * runtime/CommonSlowPaths.cpp:
1939         (JSC::SLOW_PATH_DECL):
1940         * runtime/CommonSlowPaths.h:
1941         (JSC::CommonSlowPaths::allocateNewArrayBuffer):
1942         * runtime/IndexingType.cpp:
1943         (JSC::leastUpperBoundOfIndexingTypeAndType):
1944         (JSC::leastUpperBoundOfIndexingTypeAndValue):
1945         (JSC::dumpIndexingType):
1946         * runtime/IndexingType.h:
1947         (JSC::hasIndexedProperties):
1948         (JSC::hasUndecided):
1949         (JSC::hasInt32):
1950         (JSC::hasDouble):
1951         (JSC::hasContiguous):
1952         (JSC::hasArrayStorage):
1953         (JSC::hasAnyArrayStorage):
1954         (JSC::hasSlowPutArrayStorage):
1955         (JSC::shouldUseSlowPut):
1956         (JSC::isCopyOnWrite):
1957         (JSC::arrayIndexFromIndexingType):
1958         * runtime/JSArray.cpp:
1959         (JSC::JSArray::tryCreateUninitializedRestricted):
1960         (JSC::JSArray::put):
1961         (JSC::JSArray::appendMemcpy):
1962         (JSC::JSArray::setLength):
1963         (JSC::JSArray::pop):
1964         (JSC::JSArray::fastSlice):
1965         (JSC::JSArray::shiftCountWithAnyIndexingType):
1966         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1967         (JSC::JSArray::fillArgList):
1968         (JSC::JSArray::copyToArguments):
1969         * runtime/JSArrayInlines.h:
1970         (JSC::JSArray::pushInline):
1971         * runtime/JSCell.h:
1972         * runtime/JSCellInlines.h:
1973         (JSC::JSCell::JSCell):
1974         (JSC::JSCell::finishCreation):
1975         (JSC::JSCell::indexingType const):
1976         (JSC::JSCell::indexingMode const):
1977         (JSC::JSCell::setStructure):
1978         * runtime/JSFixedArray.h:
1979         * runtime/JSGlobalObject.cpp:
1980         (JSC::JSGlobalObject::init):
1981         (JSC::JSGlobalObject::haveABadTime):
1982         (JSC::JSGlobalObject::visitChildren):
1983         * runtime/JSGlobalObject.h:
1984         (JSC::JSGlobalObject::originalArrayStructureForIndexingType const):
1985         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
1986         (JSC::JSGlobalObject::isOriginalArrayStructure):
1987         * runtime/JSImmutableButterfly.cpp: Added.
1988         (JSC::JSImmutableButterfly::visitChildren):
1989         (JSC::JSImmutableButterfly::copyToArguments):
1990         * runtime/JSImmutableButterfly.h: Added.
1991         (JSC::JSImmutableButterfly::createStructure):
1992         (JSC::JSImmutableButterfly::tryCreate):
1993         (JSC::JSImmutableButterfly::create):
1994         (JSC::JSImmutableButterfly::publicLength const):
1995         (JSC::JSImmutableButterfly::vectorLength const):
1996         (JSC::JSImmutableButterfly::length const):
1997         (JSC::JSImmutableButterfly::toButterfly const):
1998         (JSC::JSImmutableButterfly::fromButterfly):
1999         (JSC::JSImmutableButterfly::get const):
2000         (JSC::JSImmutableButterfly::subspaceFor):
2001         (JSC::JSImmutableButterfly::setIndex):
2002         (JSC::JSImmutableButterfly::allocationSize):
2003         (JSC::JSImmutableButterfly::JSImmutableButterfly):
2004         * runtime/JSObject.cpp:
2005         (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties):
2006         (JSC::JSObject::visitButterflyImpl):
2007         (JSC::JSObject::getOwnPropertySlotByIndex):
2008         (JSC::JSObject::putByIndex):
2009         (JSC::JSObject::createInitialInt32):
2010         (JSC::JSObject::createInitialDouble):
2011         (JSC::JSObject::createInitialContiguous):
2012         (JSC::JSObject::convertUndecidedToInt32):
2013         (JSC::JSObject::convertUndecidedToDouble):
2014         (JSC::JSObject::convertUndecidedToContiguous):
2015         (JSC::JSObject::convertInt32ToDouble):
2016         (JSC::JSObject::convertInt32ToArrayStorage):
2017         (JSC::JSObject::convertDoubleToContiguous):
2018         (JSC::JSObject::convertDoubleToArrayStorage):
2019         (JSC::JSObject::convertContiguousToArrayStorage):
2020         (JSC::JSObject::createInitialForValueAndSet):
2021         (JSC::JSObject::convertInt32ForValue):
2022         (JSC::JSObject::convertFromCopyOnWrite):
2023         (JSC::JSObject::ensureWritableInt32Slow):
2024         (JSC::JSObject::ensureWritableDoubleSlow):
2025         (JSC::JSObject::ensureWritableContiguousSlow):
2026         (JSC::JSObject::ensureArrayStorageSlow):
2027         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
2028         (JSC::JSObject::switchToSlowPutArrayStorage):
2029         (JSC::JSObject::deletePropertyByIndex):
2030         (JSC::JSObject::getOwnPropertyNames):
2031         (JSC::canDoFastPutDirectIndex):
2032         (JSC::JSObject::defineOwnIndexedProperty):
2033         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2034         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2035         (JSC::JSObject::putByIndexBeyondVectorLength):
2036         (JSC::JSObject::countElements):
2037         (JSC::JSObject::ensureLengthSlow):
2038         (JSC::JSObject::getEnumerableLength):
2039         (JSC::JSObject::ensureInt32Slow): Deleted.
2040         (JSC::JSObject::ensureDoubleSlow): Deleted.
2041         (JSC::JSObject::ensureContiguousSlow): Deleted.
2042         * runtime/JSObject.h:
2043         (JSC::JSObject::putDirectIndex):
2044         (JSC::JSObject::canGetIndexQuickly):
2045         (JSC::JSObject::getIndexQuickly):
2046         (JSC::JSObject::tryGetIndexQuickly const):
2047         (JSC::JSObject::canSetIndexQuickly):
2048         (JSC::JSObject::setIndexQuickly):
2049         (JSC::JSObject::initializeIndex):
2050         (JSC::JSObject::initializeIndexWithoutBarrier):
2051         (JSC::JSObject::ensureWritableInt32):
2052         (JSC::JSObject::ensureWritableDouble):
2053         (JSC::JSObject::ensureWritableContiguous):
2054         (JSC::JSObject::ensureLength):
2055         (JSC::JSObject::ensureInt32): Deleted.
2056         (JSC::JSObject::ensureDouble): Deleted.
2057         (JSC::JSObject::ensureContiguous): Deleted.
2058         * runtime/JSObjectInlines.h:
2059         (JSC::JSObject::putDirectInternal):
2060         * runtime/JSType.h:
2061         * runtime/RegExpMatchesArray.h:
2062         (JSC::tryCreateUninitializedRegExpMatchesArray):
2063         * runtime/Structure.cpp:
2064         (JSC::Structure::Structure):
2065         (JSC::Structure::addNewPropertyTransition):
2066         (JSC::Structure::nonPropertyTransition):
2067         * runtime/Structure.h:
2068         * runtime/StructureIDBlob.h:
2069         (JSC::StructureIDBlob::StructureIDBlob):
2070         (JSC::StructureIDBlob::indexingModeIncludingHistory const):
2071         (JSC::StructureIDBlob::setIndexingModeIncludingHistory):
2072         (JSC::StructureIDBlob::indexingModeIncludingHistoryOffset):
2073         (JSC::StructureIDBlob::indexingTypeIncludingHistory const): Deleted.
2074         (JSC::StructureIDBlob::setIndexingTypeIncludingHistory): Deleted.
2075         (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset): Deleted.
2076         * runtime/StructureTransitionTable.h:
2077         (JSC::newIndexingType):
2078         * runtime/VM.cpp:
2079         (JSC::VM::VM):
2080         * runtime/VM.h:
2081
2082 2018-05-22  Ryan Haddad  <ryanhaddad@apple.com>
2083
2084         Unreviewed, rolling out r232052.
2085
2086         Breaks internal builds.
2087
2088         Reverted changeset:
2089
2090         "Use more C++17"
2091         https://bugs.webkit.org/show_bug.cgi?id=185176
2092         https://trac.webkit.org/changeset/232052
2093
2094 2018-05-22  Alberto Garcia  <berto@igalia.com>
2095
2096         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
2097         https://bugs.webkit.org/show_bug.cgi?id=182622
2098         <rdar://problem/40292317>
2099
2100         Reviewed by Michael Catanzaro.
2101
2102         We were linking JavaScriptCore against libatomic on MIPS because
2103         on that architecture __atomic_fetch_add_8() is not a compiler
2104         intrinsic and is provided by that library instead. However, other
2105         architectures (e.g. armel) are in the same situation, so we need a
2106         generic test.
2107
2108         That test already exists in WebKit/CMakeLists.txt, so we just have
2109         to move it to a common file (WebKitCompilerFlags.cmake) and use
2110         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
2111
2112         * CMakeLists.txt:
2113
2114 2018-05-22  Michael Catanzaro  <mcatanzaro@igalia.com>
2115
2116         Unreviewed, rolling out r231843.
2117
2118         Broke cross build
2119
2120         Reverted changeset:
2121
2122         "[CMake] Properly detect compiler flags, needed libs, and
2123         fallbacks for usage of 64-bit atomic operations"
2124         https://bugs.webkit.org/show_bug.cgi?id=182622
2125         https://trac.webkit.org/changeset/231843
2126
2127 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2128
2129         Use more C++17
2130         https://bugs.webkit.org/show_bug.cgi?id=185176
2131
2132         Reviewed by JF Bastien.
2133
2134         * Configurations/Base.xcconfig:
2135
2136 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2137
2138         [JSC] Remove duplicate methods in JSInterfaceJIT
2139         https://bugs.webkit.org/show_bug.cgi?id=185813
2140
2141         Reviewed by Saam Barati.
2142
2143         Some methods of JSInterfaceJIT are duplicates of AssemblyHelpers' ones.
2144         This patch removes them and uses AssemblyHelpers' ones instead.
2145
2146         This patch also cleans up ThunkGenerators' unnecessary ifdefs a bit.
2147
2148         * jit/AssemblyHelpers.h:
2149         (JSC::AssemblyHelpers::tagFor):
2150         (JSC::AssemblyHelpers::payloadFor):
2151         * jit/JIT.h:
2152         * jit/JITArithmetic.cpp:
2153         (JSC::JIT::emit_op_unsigned):
2154         (JSC::JIT::emit_compareUnsigned):
2155         (JSC::JIT::emit_op_inc):
2156         (JSC::JIT::emit_op_dec):
2157         (JSC::JIT::emit_op_mod):
2158         * jit/JITCall32_64.cpp:
2159         (JSC::JIT::compileOpCall):
2160         * jit/JITInlines.h:
2161         (JSC::JIT::emitPutIntToCallFrameHeader):
2162         (JSC::JIT::updateTopCallFrame):
2163         (JSC::JIT::emitInitRegister):
2164         (JSC::JIT::emitLoad):
2165         (JSC::JIT::emitStore):
2166         (JSC::JIT::emitStoreInt32):
2167         (JSC::JIT::emitStoreCell):
2168         (JSC::JIT::emitStoreBool):
2169         (JSC::JIT::emitGetVirtualRegister):
2170         (JSC::JIT::emitPutVirtualRegister):
2171         (JSC::JIT::emitTagBool): Deleted.
2172         * jit/JITOpcodes.cpp:
2173         (JSC::JIT::emit_op_overrides_has_instance):
2174         (JSC::JIT::emit_op_is_empty):
2175         (JSC::JIT::emit_op_is_undefined):
2176         (JSC::JIT::emit_op_is_boolean):
2177         (JSC::JIT::emit_op_is_number):
2178         (JSC::JIT::emit_op_is_cell_with_type):
2179         (JSC::JIT::emit_op_is_object):
2180         (JSC::JIT::emit_op_eq):
2181         (JSC::JIT::emit_op_neq):
2182         (JSC::JIT::compileOpStrictEq):
2183         (JSC::JIT::emit_op_eq_null):
2184         (JSC::JIT::emit_op_neq_null):
2185         (JSC::JIT::emitSlow_op_eq):
2186         (JSC::JIT::emitSlow_op_neq):
2187         (JSC::JIT::emitSlow_op_instanceof_custom):
2188         (JSC::JIT::emitNewFuncExprCommon):
2189         * jit/JSInterfaceJIT.h:
2190         (JSC::JSInterfaceJIT::emitLoadInt32):
2191         (JSC::JSInterfaceJIT::emitLoadDouble):
2192         (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
2193         (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
2194         (JSC::JSInterfaceJIT::tagFor): Deleted.
2195         (JSC::JSInterfaceJIT::payloadFor): Deleted.
2196         (JSC::JSInterfaceJIT::intPayloadFor): Deleted.
2197         (JSC::JSInterfaceJIT::intTagFor): Deleted.
2198         (JSC::JSInterfaceJIT::emitTagInt): Deleted.
2199         (JSC::JSInterfaceJIT::addressFor): Deleted.
2200         * jit/SpecializedThunkJIT.h:
2201         (JSC::SpecializedThunkJIT::returnDouble):
2202         * jit/ThunkGenerators.cpp:
2203         (JSC::nativeForGenerator):
2204         (JSC::arityFixupGenerator):
2205
2206 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2207
2208         Unreviewed, reland InById cache
2209         https://bugs.webkit.org/show_bug.cgi?id=185682
2210
2211         Includes Dominik's 32bit fix.
2212
2213         * bytecode/AccessCase.cpp:
2214         (JSC::AccessCase::fromStructureStubInfo):
2215         (JSC::AccessCase::generateWithGuard):
2216         (JSC::AccessCase::generateImpl):
2217         * bytecode/BytecodeDumper.cpp:
2218         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
2219         (JSC::BytecodeDumper<Block>::dumpBytecode):
2220         * bytecode/BytecodeDumper.h:
2221         * bytecode/BytecodeList.json:
2222         * bytecode/BytecodeUseDef.h:
2223         (JSC::computeUsesForBytecodeOffset):
2224         (JSC::computeDefsForBytecodeOffset):
2225         * bytecode/CodeBlock.cpp:
2226         (JSC::CodeBlock::finishCreation):
2227         * bytecode/InlineAccess.cpp:
2228         (JSC::InlineAccess::generateSelfInAccess):
2229         * bytecode/InlineAccess.h:
2230         * bytecode/StructureStubInfo.cpp:
2231         (JSC::StructureStubInfo::initInByIdSelf):
2232         (JSC::StructureStubInfo::deref):
2233         (JSC::StructureStubInfo::aboutToDie):
2234         (JSC::StructureStubInfo::reset):
2235         (JSC::StructureStubInfo::visitWeakReferences):
2236         (JSC::StructureStubInfo::propagateTransitions):
2237         * bytecode/StructureStubInfo.h:
2238         (JSC::StructureStubInfo::patchableJump):
2239         * bytecompiler/BytecodeGenerator.cpp:
2240         (JSC::BytecodeGenerator::emitInByVal):
2241         (JSC::BytecodeGenerator::emitInById):
2242         (JSC::BytecodeGenerator::emitIn): Deleted.
2243         * bytecompiler/BytecodeGenerator.h:
2244         * bytecompiler/NodesCodegen.cpp:
2245         (JSC::InNode::emitBytecode):
2246         * dfg/DFGAbstractInterpreterInlines.h:
2247         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2248         * dfg/DFGByteCodeParser.cpp:
2249         (JSC::DFG::ByteCodeParser::parseBlock):
2250         * dfg/DFGCapabilities.cpp:
2251         (JSC::DFG::capabilityLevel):
2252         * dfg/DFGClobberize.h:
2253         (JSC::DFG::clobberize):
2254         * dfg/DFGConstantFoldingPhase.cpp:
2255         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2256         * dfg/DFGDoesGC.cpp:
2257         (JSC::DFG::doesGC):
2258         * dfg/DFGFixupPhase.cpp:
2259         (JSC::DFG::FixupPhase::fixupNode):
2260         * dfg/DFGJITCompiler.cpp:
2261         (JSC::DFG::JITCompiler::link):
2262         * dfg/DFGJITCompiler.h:
2263         (JSC::DFG::JITCompiler::addInById):
2264         (JSC::DFG::InRecord::InRecord): Deleted.
2265         (JSC::DFG::JITCompiler::addIn): Deleted.
2266         * dfg/DFGNode.h:
2267         (JSC::DFG::Node::convertToInById):
2268         (JSC::DFG::Node::hasIdentifier):
2269         (JSC::DFG::Node::hasArrayMode):
2270         * dfg/DFGNodeType.h:
2271         * dfg/DFGPredictionPropagationPhase.cpp:
2272         * dfg/DFGSafeToExecute.h:
2273         (JSC::DFG::safeToExecute):
2274         * dfg/DFGSpeculativeJIT.cpp:
2275         (JSC::DFG::SpeculativeJIT::compileInById):
2276         (JSC::DFG::SpeculativeJIT::compileInByVal):
2277         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
2278         * dfg/DFGSpeculativeJIT.h:
2279         * dfg/DFGSpeculativeJIT32_64.cpp:
2280         (JSC::DFG::SpeculativeJIT::compile):
2281         * dfg/DFGSpeculativeJIT64.cpp:
2282         (JSC::DFG::SpeculativeJIT::compile):
2283         * ftl/FTLCapabilities.cpp:
2284         (JSC::FTL::canCompile):
2285         * ftl/FTLLowerDFGToB3.cpp:
2286         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2287         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
2288         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
2289         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
2290         * jit/AssemblyHelpers.h:
2291         (JSC::AssemblyHelpers::boxBoolean):
2292         * jit/ICStats.h:
2293         * jit/JIT.cpp:
2294         (JSC::JIT::JIT):
2295         (JSC::JIT::privateCompileMainPass):
2296         (JSC::JIT::privateCompileSlowCases):
2297         (JSC::JIT::link):
2298         * jit/JIT.h:
2299         * jit/JITInlineCacheGenerator.cpp:
2300         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2301         (JSC::JITInByIdGenerator::generateFastPath):
2302         * jit/JITInlineCacheGenerator.h:
2303         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2304         * jit/JITOperations.cpp:
2305         * jit/JITOperations.h:
2306         * jit/JITPropertyAccess.cpp:
2307         (JSC::JIT::emit_op_in_by_id):
2308         (JSC::JIT::emitSlow_op_in_by_id):
2309         * jit/JITPropertyAccess32_64.cpp:
2310         (JSC::JIT::emit_op_in_by_id):
2311         (JSC::JIT::emitSlow_op_in_by_id):
2312         * jit/Repatch.cpp:
2313         (JSC::tryCacheInByID):
2314         (JSC::repatchInByID):
2315         (JSC::resetInByID):
2316         (JSC::tryCacheIn): Deleted.
2317         (JSC::repatchIn): Deleted.
2318         (JSC::resetIn): Deleted.
2319         * jit/Repatch.h:
2320         * llint/LowLevelInterpreter.asm:
2321         * llint/LowLevelInterpreter64.asm:
2322         * parser/NodeConstructors.h:
2323         (JSC::InNode::InNode):
2324         * runtime/CommonSlowPaths.cpp:
2325         (JSC::SLOW_PATH_DECL):
2326         * runtime/CommonSlowPaths.h:
2327         (JSC::CommonSlowPaths::opInByVal):
2328         (JSC::CommonSlowPaths::opIn): Deleted.
2329
2330 2018-05-21  Commit Queue  <commit-queue@webkit.org>
2331
2332         Unreviewed, rolling out r231998 and r232017.
2333         https://bugs.webkit.org/show_bug.cgi?id=185842
2334
2335         causes crashes on 32 JSC bot (Requested by realdawei on
2336         #webkit).
2337
2338         Reverted changesets:
2339
2340         "[JSC] JSC should have consistent InById IC"
2341         https://bugs.webkit.org/show_bug.cgi?id=185682
2342         https://trac.webkit.org/changeset/231998
2343
2344         "Unreviewed, fix 32bit and scope release"
2345         https://bugs.webkit.org/show_bug.cgi?id=185682
2346         https://trac.webkit.org/changeset/232017
2347
2348 2018-05-21  Jer Noble  <jer.noble@apple.com>
2349
2350         Complete fix for enabling modern EME by default
2351         https://bugs.webkit.org/show_bug.cgi?id=185770
2352         <rdar://problem/40368220>
2353
2354         Reviewed by Eric Carlson.
2355
2356         * Configurations/FeatureDefines.xcconfig:
2357
2358 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2359
2360         Unreviewed, fix 32bit and scope release
2361         https://bugs.webkit.org/show_bug.cgi?id=185682
2362
2363         * jit/JITOperations.cpp:
2364         * jit/JITPropertyAccess32_64.cpp:
2365         (JSC::JIT::emitSlow_op_in_by_id):
2366
2367 2018-05-20  Filip Pizlo  <fpizlo@apple.com>
2368
2369         Revert the B3 compiler pipeline's treatment of taildup
2370         https://bugs.webkit.org/show_bug.cgi?id=185808
2371
2372         Reviewed by Yusuke Suzuki.
2373         
2374         While trying to implement path specialization (bug 185060), I reorganized the B3 pass pipeline.
2375         But then path specialization turned out to be a negative result. This reverts the pipeline to the
2376         way it was before that work.
2377         
2378         1.5% progression on V8Spider-CompileTime.
2379
2380         * b3/B3Generate.cpp:
2381         (JSC::B3::generateToAir):
2382
2383 2018-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2384
2385         [DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase
2386         https://bugs.webkit.org/show_bug.cgi?id=185802
2387
2388         Reviewed by Saam Barati.
2389
2390         * dfg/DFGConstantFoldingPhase.cpp:
2391         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2392
2393 2018-05-18  Filip Pizlo  <fpizlo@apple.com>
2394
2395         DFG should inline InstanceOf ICs
2396         https://bugs.webkit.org/show_bug.cgi?id=185695
2397
2398         Reviewed by Yusuke Suzuki.
2399         
2400         This teaches the DFG how to inline InstanceOf ICs into a MatchStructure node. This can then
2401         be folded to a CheckStructure + JSConstant.
2402         
2403         In the process of testing this, I found a bug where LICM was not hoisting things that
2404         depended on ExtraOSREntryLocal because that might return SpecEmpty. I fixed that by teaching
2405         LICM how to materialize CheckNotEmpty on demand whenever !HoistingFailed.
2406         
2407         This is a ~5% speed-up on boyer.
2408         
2409         ~2x speed-up on the instanceof-always-hit-one, instanceof-always-hit-two, and
2410         instanceof-sometimes-hit microbenchmarks.
2411
2412         * JavaScriptCore.xcodeproj/project.pbxproj:
2413         * Sources.txt:
2414         * bytecode/GetByIdStatus.cpp:
2415         (JSC::GetByIdStatus::appendVariant):
2416         (JSC::GetByIdStatus::filter):
2417         * bytecode/GetByIdStatus.h:
2418         (JSC::GetByIdStatus::operator bool const):
2419         (JSC::GetByIdStatus::operator! const): Deleted.
2420         * bytecode/GetByIdVariant.h:
2421         (JSC::GetByIdVariant::operator bool const):
2422         (JSC::GetByIdVariant::operator! const): Deleted.
2423         * bytecode/ICStatusUtils.h: Added.
2424         (JSC::appendICStatusVariant):
2425         (JSC::filterICStatusVariants):
2426         * bytecode/InstanceOfStatus.cpp: Added.
2427         (JSC::InstanceOfStatus::appendVariant):
2428         (JSC::InstanceOfStatus::computeFor):
2429         (JSC::InstanceOfStatus::computeForStubInfo):
2430         (JSC::InstanceOfStatus::commonPrototype const):
2431         (JSC::InstanceOfStatus::filter):
2432         * bytecode/InstanceOfStatus.h: Added.
2433         (JSC::InstanceOfStatus::InstanceOfStatus):
2434         (JSC::InstanceOfStatus::state const):
2435         (JSC::InstanceOfStatus::isSet const):
2436         (JSC::InstanceOfStatus::operator bool const):
2437         (JSC::InstanceOfStatus::isSimple const):
2438         (JSC::InstanceOfStatus::takesSlowPath const):
2439         (JSC::InstanceOfStatus::numVariants const):
2440         (JSC::InstanceOfStatus::variants const):
2441         (JSC::InstanceOfStatus::at const):
2442         (JSC::InstanceOfStatus::operator[] const):
2443         * bytecode/InstanceOfVariant.cpp: Added.
2444         (JSC::InstanceOfVariant::InstanceOfVariant):
2445         (JSC::InstanceOfVariant::attemptToMerge):
2446         (JSC::InstanceOfVariant::dump const):
2447         (JSC::InstanceOfVariant::dumpInContext const):
2448         * bytecode/InstanceOfVariant.h: Added.
2449         (JSC::InstanceOfVariant::InstanceOfVariant):
2450         (JSC::InstanceOfVariant::operator bool const):
2451         (JSC::InstanceOfVariant::structureSet const):
2452         (JSC::InstanceOfVariant::structureSet):
2453         (JSC::InstanceOfVariant::conditionSet const):
2454         (JSC::InstanceOfVariant::prototype const):
2455         (JSC::InstanceOfVariant::isHit const):
2456         * bytecode/StructureStubInfo.cpp:
2457         (JSC::StructureStubInfo::StructureStubInfo):
2458         * bytecode/StructureStubInfo.h:
2459         (JSC::StructureStubInfo::considerCaching):
2460         * dfg/DFGAbstractInterpreterInlines.h:
2461         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2462         * dfg/DFGByteCodeParser.cpp:
2463         (JSC::DFG::ByteCodeParser::parseBlock):
2464         * dfg/DFGClobberize.h:
2465         (JSC::DFG::clobberize):
2466         * dfg/DFGConstantFoldingPhase.cpp:
2467         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2468         * dfg/DFGDoesGC.cpp:
2469         (JSC::DFG::doesGC):
2470         * dfg/DFGFixupPhase.cpp:
2471         (JSC::DFG::FixupPhase::fixupNode):
2472         * dfg/DFGGraph.cpp:
2473         (JSC::DFG::Graph::dump):
2474         * dfg/DFGGraph.h:
2475         * dfg/DFGLICMPhase.cpp:
2476         (JSC::DFG::LICMPhase::attemptHoist):
2477         * dfg/DFGNode.cpp:
2478         (JSC::DFG::Node::remove):
2479         * dfg/DFGNode.h:
2480         (JSC::DFG::Node::hasMatchStructureData):
2481         (JSC::DFG::Node::matchStructureData):
2482         * dfg/DFGNodeType.h:
2483         * dfg/DFGSafeToExecute.h:
2484         (JSC::DFG::safeToExecute):
2485         * dfg/DFGSpeculativeJIT.cpp:
2486         (JSC::DFG::SpeculativeJIT::compileMatchStructure):
2487         * dfg/DFGSpeculativeJIT.h:
2488         * dfg/DFGSpeculativeJIT32_64.cpp:
2489         (JSC::DFG::SpeculativeJIT::compile):
2490         * dfg/DFGSpeculativeJIT64.cpp:
2491         (JSC::DFG::SpeculativeJIT::compile):
2492         * ftl/FTLCapabilities.cpp:
2493         (JSC::FTL::canCompile):
2494         * ftl/FTLLowerDFGToB3.cpp:
2495         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2496         (JSC::FTL::DFG::LowerDFGToB3::compileMatchStructure):
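
        The facts an instanceof inline cache keys on, as an added JavaScript
        example that is not part of the WebKit ChangeLog or of JSC's own code:
        the result depends on the left operand's prototype chain (its
        Structure) and on the right operand's `prototype` property, so a
        cached hit or miss is only valid while those stay unchanged, and a
        Symbol.hasInstance override bypasses the structure-based path
        entirely. The function names are assumptions made for illustration.

```javascript
"use strict";

// Added example (not JSC code). Shows what an instanceof inline cache keys
// on: the left operand's prototype chain and the right operand's
// `prototype` property. A cached hit or miss is only valid while those
// stay unchanged, which is what the prototype-chain conditions guard.

// Reference implementation of OrdinaryHasInstance (ECMA-262): walk the
// prototype chain of `value` looking for `ctor.prototype`.
function ordinaryHasInstance(ctor, value) {
  if (typeof ctor !== "function") return false;
  if (value === null || (typeof value !== "object" && typeof value !== "function")) {
    return false;
  }
  const target = ctor.prototype;
  if (target === null || typeof target !== "object") {
    throw new TypeError("prototype is not an object");
  }
  let proto = Object.getPrototypeOf(value);
  while (proto !== null) {
    if (proto === target) return true;
    proto = Object.getPrototypeOf(proto);
  }
  return false;
}

// Cross-check the native operator against the reference walk on one value.
function agreesWithNative(ctor, value) {
  return (value instanceof ctor) === ordinaryHasInstance(ctor, value);
}

// The same object flips from hit to miss when its prototype changes; an IC
// that cached the hit against the old Structure would be stale.
function observeAfterPrototypeChange() {
  class Base {}
  class Derived extends Base {}
  const obj = new Derived();
  const before = obj instanceof Base;           // true: Base.prototype is on the chain
  Object.setPrototypeOf(obj, Object.prototype); // the object's Structure changes
  const after = obj instanceof Base;            // false: the chain no longer has it
  return { before, after };
}

// Symbol.hasInstance replaces OrdinaryHasInstance entirely: the generic
// path must be taken and no structure-based cache applies.
function observeCustomHasInstance() {
  const Any = { [Symbol.hasInstance]: () => true };
  return {
    plainObject: ({}) instanceof Any,       // true via the custom handler
    ordinary: ordinaryHasInstance(Any, {}), // false: Any is not callable
  };
}
```

        Running the helpers shows why a cache built on structure checks must
        also watch the prototype chain: `observeAfterPrototypeChange()`
        returns a hit before the mutation and a miss after it.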
2497
2498 2018-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2499
2500         [JSC] JSC should have consistent InById IC
2501         https://bugs.webkit.org/show_bug.cgi?id=185682
2502
2503         Reviewed by Filip Pizlo.
2504
2505         Currently our op_in IC is ad hoc: it is only emitted in the DFG and FTL layers,
2506         when we find that DFG::In's parameter is a constant string. We should
2507         align this IC with the other ById ICs to clean up and remove ad hoc code
2508         in DFG and FTL.
2509
2510         This patch cleans up our "In" IC by aligning it with the other ById ICs.
2511         We split the op_in bytecode into op_in_by_id and op_in_by_val. op_in_by_val
2512         is the same as the original op_in. For op_in_by_id, we use JITInByIdGenerator
2513         to emit InById IC code. In addition, our JITInByIdGenerator and op_in_by_id
2514         have an inline access cache for the own-property case, the same as
2515         JITGetByIdGenerator.
2516
2517         And we split DFG::In into DFG::InById and DFG::InByVal. InByVal is the same
2518         as the original In DFG node. DFG AI attempts to lower InByVal to InById
2519         if AI figures out that the property name is a constant string. And in
2520         the InById node, we use JITInByIdGenerator code.
2521
2522         This patch cleans up DFG and FTL's ad hoc In IC code.
2523
2524         In a subsequent patch, we should introduce InByIdStatus to optimize
2525         InById in DFG and FTL. We would like to have a new InByIdStatus instead of
2526         reusing GetByIdStatus, since GetByIdStatus has become too complicated, and
2527         the AccessCase::Types are different from them (AccessCase::InHit / InMiss).
2528
2529         * bytecode/AccessCase.cpp:
2530         (JSC::AccessCase::fromStructureStubInfo):
2531         (JSC::AccessCase::generateWithGuard):
2532         * bytecode/BytecodeDumper.cpp:
2533         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
2534         (JSC::BytecodeDumper<Block>::dumpBytecode):
2535         * bytecode/BytecodeDumper.h:
2536         * bytecode/BytecodeList.json:
2537         * bytecode/BytecodeUseDef.h:
2538         (JSC::computeUsesForBytecodeOffset):
2539         (JSC::computeDefsForBytecodeOffset):
2540         * bytecode/CodeBlock.cpp:
2541         (JSC::CodeBlock::finishCreation):
2542         * bytecode/InlineAccess.cpp:
2543         (JSC::InlineAccess::generateSelfInAccess):
2544         * bytecode/InlineAccess.h:
2545         * bytecode/StructureStubInfo.cpp:
2546         (JSC::StructureStubInfo::initInByIdSelf):
2547         (JSC::StructureStubInfo::deref):
2548         (JSC::StructureStubInfo::aboutToDie):
2549         (JSC::StructureStubInfo::reset):
2550         (JSC::StructureStubInfo::visitWeakReferences):
2551         (JSC::StructureStubInfo::propagateTransitions):
2552         * bytecode/StructureStubInfo.h:
2553         (JSC::StructureStubInfo::patchableJump):
2554         * bytecompiler/BytecodeGenerator.cpp:
2555         (JSC::BytecodeGenerator::emitInByVal):
2556         (JSC::BytecodeGenerator::emitInById):
2557         (JSC::BytecodeGenerator::emitIn): Deleted.
2558         * bytecompiler/BytecodeGenerator.h:
2559         * bytecompiler/NodesCodegen.cpp:
2560         (JSC::InNode::emitBytecode):
2561         * dfg/DFGAbstractInterpreterInlines.h:
2562         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2563         * dfg/DFGByteCodeParser.cpp:
2564         (JSC::DFG::ByteCodeParser::parseBlock):
2565         * dfg/DFGCapabilities.cpp:
2566         (JSC::DFG::capabilityLevel):
2567         * dfg/DFGClobberize.h:
2568         (JSC::DFG::clobberize):
2569         * dfg/DFGConstantFoldingPhase.cpp:
2570         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2571         * dfg/DFGDoesGC.cpp:
2572         (JSC::DFG::doesGC):
2573         * dfg/DFGFixupPhase.cpp:
2574         (JSC::DFG::FixupPhase::fixupNode):
2575         * dfg/DFGJITCompiler.cpp:
2576         (JSC::DFG::JITCompiler::link):
2577         * dfg/DFGJITCompiler.h:
2578         (JSC::DFG::JITCompiler::addInById):
2579         (JSC::DFG::InRecord::InRecord): Deleted.
2580         (JSC::DFG::JITCompiler::addIn): Deleted.
2581         * dfg/DFGNode.h:
2582         (JSC::DFG::Node::convertToInById):
2583         (JSC::DFG::Node::hasIdentifier):
2584         (JSC::DFG::Node::hasArrayMode):
2585         * dfg/DFGNodeType.h:
2586         * dfg/DFGPredictionPropagationPhase.cpp:
2587         * dfg/DFGSafeToExecute.h:
2588         (JSC::DFG::safeToExecute):
2589         * dfg/DFGSpeculativeJIT.cpp:
2590         (JSC::DFG::SpeculativeJIT::compileInById):
2591         (JSC::DFG::SpeculativeJIT::compileInByVal):
2592         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
2593         * dfg/DFGSpeculativeJIT.h:
2594         * dfg/DFGSpeculativeJIT32_64.cpp:
2595         (JSC::DFG::SpeculativeJIT::compile):
2596         * dfg/DFGSpeculativeJIT64.cpp:
2597         (JSC::DFG::SpeculativeJIT::compile):
2598         * ftl/FTLCapabilities.cpp:
2599         (JSC::FTL::canCompile):
2600         * ftl/FTLLowerDFGToB3.cpp:
2601         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2602         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
2603         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
2604         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
2605         * jit/ICStats.h:
2606         * jit/JIT.cpp:
2607         (JSC::JIT::JIT):
2608         (JSC::JIT::privateCompileMainPass):
2609         (JSC::JIT::privateCompileSlowCases):
2610         (JSC::JIT::link):
2611         * jit/JIT.h:
2612         * jit/JITInlineCacheGenerator.cpp:
2613         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2614         (JSC::JITInByIdGenerator::generateFastPath):
2615         * jit/JITInlineCacheGenerator.h:
2616         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2617         * jit/JITOperations.cpp:
2618         * jit/JITOperations.h:
2619         * jit/JITPropertyAccess.cpp:
2620         (JSC::JIT::emit_op_in_by_id):
2621         (JSC::JIT::emitSlow_op_in_by_id):
2622         * jit/JITPropertyAccess32_64.cpp:
2623         (JSC::JIT::emit_op_in_by_id):
2624         (JSC::JIT::emitSlow_op_in_by_id):
2625         * jit/Repatch.cpp:
2626         (JSC::tryCacheInByID):
2627         (JSC::repatchInByID):
2628         (JSC::resetInByID):
2629         (JSC::tryCacheIn): Deleted.
2630         (JSC::repatchIn): Deleted.
2631         (JSC::resetIn): Deleted.
2632         * jit/Repatch.h:
2633         * llint/LowLevelInterpreter.asm:
2634         * llint/LowLevelInterpreter64.asm:
2635         * parser/NodeConstructors.h:
2636         (JSC::InNode::InNode):
2637         * runtime/CommonSlowPaths.cpp:
2638         (JSC::SLOW_PATH_DECL):
2639         * runtime/CommonSlowPaths.h:
2640         (JSC::CommonSlowPaths::opInByVal):
2641         (JSC::CommonSlowPaths::opIn): Deleted.
2642
2643 2018-05-18  Commit Queue  <commit-queue@webkit.org>
2644
2645         Unreviewed, rolling out r231982.
2646         https://bugs.webkit.org/show_bug.cgi?id=185793
2647
2648         Caused layout test failures (Requested by realdawei on
2649         #webkit).
2650
2651         Reverted changeset:
2652
2653         "Complete fix for enabling modern EME by default"
2654         https://bugs.webkit.org/show_bug.cgi?id=185770
2655         https://trac.webkit.org/changeset/231982
2656
2657 2018-05-18  Keith Miller  <keith_miller@apple.com>
2658
2659         op_in should mark if it sees out of bounds accesses
2660         https://bugs.webkit.org/show_bug.cgi?id=185792
2661
2662         Reviewed by Filip Pizlo.
2663
2664         This used to cause us to OSR loop, since we would always speculate
2665         that we were in bounds in HasIndexedProperty.
2666
2667         * bytecode/ArrayProfile.cpp:
2668         (JSC::ArrayProfile::observeIndexedRead):
2669         * bytecode/ArrayProfile.h:
2670         * runtime/CommonSlowPaths.h:
2671         (JSC::CommonSlowPaths::opIn):
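
        The three shapes of the `in` operator that the InById IC entry and
        the op_in entry above distinguish, as an added JavaScript example
        that is not part of the WebKit ChangeLog or of JSC's own code: a
        literal identifier key (the op_in_by_id shape), a computed key (the
        op_in_by_val shape), and an integer index on an array-like (the
        indexed lookup whose out-of-bounds probes the ArrayProfile must
        record). It also shows that `in` walks the prototype chain, which is
        why the inline access cache covers only the own-property case, and
        that a non-object right operand takes the throwing slow path. The
        helper names and sample values are assumptions made for illustration.

```javascript
"use strict";

// Added example (not JSC code): exercises the shapes of `in` that the
// JSC changes above treat differently.

// op_in_by_id shape: the property name is a literal identifier, so the
// lookup can be cached per Structure (own-property fast path first).
function hasNamedProperty(obj) {
  return "name" in obj;
}

// op_in_by_val shape: the key is computed at runtime and may be a string,
// a symbol or a number, so no identifier-keyed cache applies.
function hasComputedProperty(obj, key) {
  return key in obj;
}

// Indexed shape (HasIndexedProperty): integer keys on an array-like.
// Returns one record per probe so in-bounds, hole and out-of-bounds
// results are visible side by side; the out-of-bounds probes are the
// ones the profile must mark so the JIT stops speculating in-bounds.
function probeIndices(arrayLike, indices) {
  return indices.map((i) => ({ index: i, present: i in arrayLike }));
}

// `in` consults the prototype chain, unlike hasOwnProperty: a miss on the
// own Structure must fall through to the full lookup.
function ownVersusInherited(obj, key) {
  return {
    viaIn: key in obj,
    own: Object.prototype.hasOwnProperty.call(obj, key),
  };
}

// `in` throws a TypeError when the right operand is not an object; IC fast
// paths only apply to cells, everything else takes the slow path.
function inOrError(key, target) {
  try {
    return { result: key in target, error: null };
  } catch (e) {
    return { result: null, error: e.constructor.name };
  }
}

// Constructed sample inputs.
const sampleSymbol = Symbol("tag");
const sampleObject = { name: "jsc", [sampleSymbol]: true };
const sampleArray = [10, , 30]; // hole at index 1, length 3
```

        `probeIndices(sampleArray, [0, 1, 2, 3])` reports index 0 and 2 as
        present, the hole at 1 and the out-of-bounds index 3 as absent; the
        last of those is the observation the ArrayProfile has to keep.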
2672
2673 2018-05-18  Mark Lam  <mark.lam@apple.com>
2674
2675         Add missing exception check.
2676         https://bugs.webkit.org/show_bug.cgi?id=185786
2677         <rdar://problem/35686560>
2678
2679         Reviewed by Michael Saboff.
2680
2681         * runtime/JSPropertyNameEnumerator.h:
2682         (JSC::propertyNameEnumerator):
2683
2684 2018-05-18  Jer Noble  <jer.noble@apple.com>
2685
2686         Complete fix for enabling modern EME by default
2687         https://bugs.webkit.org/show_bug.cgi?id=185770
2688         <rdar://problem/40368220>
2689
2690         Reviewed by Eric Carlson.
2691
2692         * Configurations/FeatureDefines.xcconfig:
2693
2694 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2695
2696         Unreviewed, fix exception checking, part 2
2697         https://bugs.webkit.org/show_bug.cgi?id=185350
2698
2699         * dfg/DFGOperations.cpp:
2700         (JSC::DFG::putByValInternal):
2701         * jit/JITOperations.cpp:
2702         * runtime/CommonSlowPaths.h:
2703         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
2704
2705 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
2706
2707         JSC should have InstanceOf inline caching
2708         https://bugs.webkit.org/show_bug.cgi?id=185652
2709
2710         Reviewed by Saam Barati.
2711         
2712         This adds a polymorphic inline cache for instanceof. It caches hits and misses. It uses the
2713         existing PolymorphicAccess IC machinery along with all of its heuristics. If we ever generate
2714         too many cases, we emit the generic instanceof implementation instead.
2715         
2716         All of the JIT tiers use the same InstanceOf IC. It uses the existing JITInlineCacheGenerator
2717         abstraction.
2718         
2719         This is a ~40% speed-up on instanceof microbenchmarks. It's a *tiny* (~1%) speed-up on
2720         Octane/boyer. I think I can make that speed-up bigger by inlining the inline cache.
2721
2722         * API/tests/testapi.mm:
2723         (testObjectiveCAPIMain):
2724         * JavaScriptCore.xcodeproj/project.pbxproj:
2725         * Sources.txt:
2726         * b3/B3Effects.h:
2727         (JSC::B3::Effects::forReadOnlyCall):
2728         * bytecode/AccessCase.cpp:
2729         (JSC::AccessCase::guardedByStructureCheck const):
2730         (JSC::AccessCase::canReplace const):
2731         (JSC::AccessCase::visitWeak const):
2732         (JSC::AccessCase::generateWithGuard):
2733         (JSC::AccessCase::generateImpl):
2734         * bytecode/AccessCase.h:
2735         * bytecode/InstanceOfAccessCase.cpp: Added.
2736         (JSC::InstanceOfAccessCase::create):
2737         (JSC::InstanceOfAccessCase::dumpImpl const):
2738         (JSC::InstanceOfAccessCase::clone const):
2739         (JSC::InstanceOfAccessCase::~InstanceOfAccessCase):
2740         (JSC::InstanceOfAccessCase::InstanceOfAccessCase):
2741         * bytecode/InstanceOfAccessCase.h: Added.
2742         (JSC::InstanceOfAccessCase::prototype const):
2743         * bytecode/ObjectPropertyCondition.h:
2744         (JSC::ObjectPropertyCondition::hasPrototypeWithoutBarrier):
2745         (JSC::ObjectPropertyCondition::hasPrototype):
2746         * bytecode/ObjectPropertyConditionSet.cpp:
2747         (JSC::generateConditionsForInstanceOf):
2748         * bytecode/ObjectPropertyConditionSet.h:
2749         * bytecode/PolymorphicAccess.cpp:
2750         (JSC::PolymorphicAccess::addCases):
2751         (JSC::PolymorphicAccess::regenerate):
2752         (WTF::printInternal):
2753         * bytecode/PropertyCondition.cpp:
2754         (JSC::PropertyCondition::dumpInContext const):
2755         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
2756         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
2757         (WTF::printInternal):
2758         * bytecode/PropertyCondition.h:
2759         (JSC::PropertyCondition::absenceWithoutBarrier):
2760         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
2761         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
2762         (JSC::PropertyCondition::hasPrototype):
2763         (JSC::PropertyCondition::hasPrototype const):
2764         (JSC::PropertyCondition::prototype const):
2765         (JSC::PropertyCondition::hash const):
2766         (JSC::PropertyCondition::operator== const):
2767         * bytecode/StructureStubInfo.cpp:
2768         (JSC::StructureStubInfo::StructureStubInfo):
2769         (JSC::StructureStubInfo::reset):
2770         * bytecode/StructureStubInfo.h:
2771         (JSC::StructureStubInfo::considerCaching):
2772         * dfg/DFGByteCodeParser.cpp:
2773         (JSC::DFG::ByteCodeParser::parseBlock):
2774         * dfg/DFGFixupPhase.cpp:
2775         (JSC::DFG::FixupPhase::fixupNode):
2776         * dfg/DFGInlineCacheWrapper.h:
2777         * dfg/DFGInlineCacheWrapperInlines.h:
2778         (JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize):
2779         * dfg/DFGJITCompiler.cpp:
2780         (JSC::DFG::JITCompiler::link):
2781         * dfg/DFGJITCompiler.h:
2782         (JSC::DFG::JITCompiler::addInstanceOf):
2783         * dfg/DFGOperations.cpp:
2784         * dfg/DFGSpeculativeJIT.cpp:
2785         (JSC::DFG::SpeculativeJIT::usedRegisters):
2786         (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
2787         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
2788         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): Deleted.
2789         * dfg/DFGSpeculativeJIT.h:
2790         * dfg/DFGSpeculativeJIT64.cpp:
2791         (JSC::DFG::SpeculativeJIT::cachedGetById):
2792         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2793         * ftl/FTLLowerDFGToB3.cpp:
2794         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2795         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
2796         (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
2797         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2798         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
2799         (JSC::FTL::DFG::LowerDFGToB3::getById):
2800         (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
2801         * jit/ICStats.h:
2802         * jit/JIT.cpp:
2803         (JSC::JIT::privateCompileSlowCases):
2804         (JSC::JIT::link):
2805         * jit/JIT.h:
2806         * jit/JITInlineCacheGenerator.cpp:
2807         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
2808         (JSC::JITInlineCacheGenerator::finalize):
2809         (JSC::JITByIdGenerator::JITByIdGenerator):
2810         (JSC::JITByIdGenerator::finalize):
2811         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
2812         (JSC::JITInstanceOfGenerator::generateFastPath):
2813         (JSC::JITInstanceOfGenerator::finalize):
2814         * jit/JITInlineCacheGenerator.h:
2815         (JSC::JITInlineCacheGenerator::reportSlowPathCall):
2816         (JSC::JITInlineCacheGenerator::slowPathBegin const):
2817         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
2818         (JSC::finalizeInlineCaches):
2819         (JSC::JITByIdGenerator::reportSlowPathCall): Deleted.
2820         (JSC::JITByIdGenerator::slowPathBegin const): Deleted.
2821         * jit/JITOpcodes.cpp:
2822         (JSC::JIT::emit_op_instanceof):
2823         (JSC::JIT::emitSlow_op_instanceof):
2824         * jit/JITOperations.cpp:
2825         * jit/JITOperations.h:
2826         * jit/JITPropertyAccess.cpp:
2827         (JSC::JIT::privateCompileGetByValWithCachedId):
2828         (JSC::JIT::privateCompilePutByValWithCachedId):
2829         * jit/RegisterSet.cpp:
2830         (JSC::RegisterSet::stubUnavailableRegisters):
2831         * jit/Repatch.cpp:
2832         (JSC::tryCacheIn):
2833         (JSC::tryCacheInstanceOf):
2834         (JSC::repatchInstanceOf):
2835         (JSC::resetPatchableJump):
2836         (JSC::resetIn):
2837         (JSC::resetInstanceOf):
2838         * jit/Repatch.h:
2839         * runtime/Options.h:
2840         * runtime/Structure.h:
2841
2842 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2843
2844         Unreviewed, fix exception checking
2845         https://bugs.webkit.org/show_bug.cgi?id=185350
2846
2847         * runtime/CommonSlowPaths.h:
2848         (JSC::CommonSlowPaths::putDirectWithReify):
2849         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
2850
2851 2018-05-17  Michael Saboff  <msaboff@apple.com>
2852
2853         We don't throw SyntaxErrors for runtime generated regular expressions with errors
2854         https://bugs.webkit.org/show_bug.cgi?id=185755
2855
2856         Reviewed by Keith Miller.
2857
2858         Added a new helper that creates the correct exception to throw for each type of error when
2859         compiling a RegExp.  Using that new helper, added missing checks for RegExp for the cases
2860         where we create a new RegExp from an existing one.  Also refactored other places that we
2861         throw SyntaxErrors after a failed RegExp compile to use the new helper.
2862
2863         * runtime/RegExp.h:
2864         * runtime/RegExpConstructor.cpp:
2865         (JSC::regExpCreate):
2866         (JSC::constructRegExp):
2867         * runtime/RegExpPrototype.cpp:
2868         (JSC::regExpProtoFuncCompile):
2869         * yarr/YarrErrorCode.cpp:
2870         (JSC::Yarr::errorToThrow):
2871         * yarr/YarrErrorCode.h:
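
        The following is an added example in plain JavaScript, not WebKit code: it exercises the
        runtime RegExp construction paths the entry above lists (fresh source, a RegExp re-created
        from an existing one with or without new flags, and Annex B RegExp.prototype.compile) and
        shows why a caller that accepts patterns from untrusted input must expect a SyntaxError
        from every one of them. The pattern `]` is assumed valid in legacy mode and invalid under
        the u flag, as the ECMAScript grammar specifies.

```javascript
'use strict';
// Added example (not WebKit code): every way a RegExp can be compiled at runtime must be
// wrapped so that an invalid pattern or flag set surfaces as a SyntaxError rather than as a
// silently non-matching validator.

// Returns the name of the error thrown while compiling, or null when compilation succeeded.
function regExpCompileError(compile) {
  try {
    compile();
    return null;
  } catch (e) {
    return e.name;
  }
}

// The runtime construction paths: fresh source, a RegExp re-created from an existing one
// (same flags, new flags, bad flags), and Annex B RegExp.prototype.compile on an existing object.
function runtimeRegExpErrors() {
  const existing = /]/; // legal as a legacy (Annex B) pattern, a SyntaxError under the u flag
  return {
    freshBadSource: regExpCompileError(() => new RegExp('(', '')),
    freshGood: regExpCompileError(() => new RegExp('a+', 'g')),
    fromRegExpSameFlags: regExpCompileError(() => new RegExp(existing)),
    fromRegExpNewFlags: regExpCompileError(() => new RegExp(existing, 'u')),
    fromRegExpBadFlags: regExpCompileError(() => new RegExp(/a/, 'gg')),
    recompileBadSource: regExpCompileError(() => /a/.compile('(')),
  };
}

// Wrapper for patterns that come from untrusted input (a user-configurable filter, say):
// a SyntaxError becomes a rejected configuration instead of an uncaught exception or,
// worse, a filter that never matches.
function compileUntrusted(source, flags) {
  try {
    return { ok: true, re: new RegExp(source, flags) };
  } catch (e) {
    if (e instanceof SyntaxError) return { ok: false, reason: e.message };
    throw e;
  }
}
```

        Every entry of runtimeRegExpErrors() whose key contains "Bad" or "NewFlags" reports
        "SyntaxError"; the two well-formed cases report null. An engine that skipped the check on
        the "from existing RegExp" paths would report null for fromRegExpNewFlags and
        fromRegExpBadFlags as well, which is the bug the entry fixes.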
2872
2873 2018-05-17  Saam Barati  <sbarati@apple.com>
2874
2875         Remove shrinkFootprint test from apitests since it's flaky
2876         https://bugs.webkit.org/show_bug.cgi?id=185754
2877
2878         Reviewed by Mark Lam.
2879
2880         This test is flaky as it keeps failing on certain people's machines.
2881         Having a test about OS footprint seems like it'll forever be doomed
2882         to being flaky.
2883
2884         * API/tests/testapi.mm:
2885         (testObjectiveCAPIMain):
2886
2887 2018-05-17  Saam Barati  <sbarati@apple.com>
2888
2889         defaultConstructorSourceCode needs to makeSource every time it's called
2890         https://bugs.webkit.org/show_bug.cgi?id=185753
2891
2892         Rubber-stamped by Mark Lam.
2893
2894         The bug here is multiple VMs can be running concurrently to one another
2895         in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
2896         if we copy a static SourceCode. Instead, we create a new one each time
2897         this function is called.
2898
2899         * builtins/BuiltinExecutables.cpp:
2900         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2901
2902 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2903
2904         [JSC] Use AssemblyHelpers' type checking functions as much as possible
2905         https://bugs.webkit.org/show_bug.cgi?id=185730
2906
2907         Reviewed by Saam Barati.
2908
2909         Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex
2910         bit and register operations for type tagging of JSValue. It is really useful when we would like
2911         to tweak type tagging representation since the code is collected into AssemblyHelpers. And
2912         the named function is more readable than some branching operations.
2913
2914         We also remove unnecessary branching functions in JIT / JSInterfaceJIT. Some of them duplicate
2915         AssemblyHelpers' ones.
2916
2917         We add several new type checking functions to AssemblyHelpers. Moreover, we add branchIfXXX(GPRReg)
2918         functions even for 32bit environments. In a 32bit environment, this function takes a tag register. These
2919         semantics are aligned with the existing branchIfCell / branchIfNotCell.
2920
2921         * bytecode/AccessCase.cpp:
2922         (JSC::AccessCase::generateWithGuard):
2923         * dfg/DFGSpeculativeJIT.cpp:
2924         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2925         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2926         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2927         (JSC::DFG::SpeculativeJIT::compileSpread):
2928         (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
2929         (JSC::DFG::SpeculativeJIT::speculateCellType):
2930         (JSC::DFG::SpeculativeJIT::speculateNumber):
2931         (JSC::DFG::SpeculativeJIT::speculateMisc):
2932         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
2933         (JSC::DFG::SpeculativeJIT::compileCreateThis):
2934         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
2935         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
2936         * dfg/DFGSpeculativeJIT32_64.cpp:
2937         (JSC::DFG::SpeculativeJIT::emitCall):
2938         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2939         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2940         (JSC::DFG::SpeculativeJIT::compile):
2941         * dfg/DFGSpeculativeJIT64.cpp:
2942         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2943         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2944         (JSC::DFG::SpeculativeJIT::emitCall):
2945         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2946         (JSC::DFG::SpeculativeJIT::compile):
2947         (JSC::DFG::SpeculativeJIT::convertAnyInt):
2948         * ftl/FTLLowerDFGToB3.cpp:
2949         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2950         * jit/AssemblyHelpers.h:
2951         (JSC::AssemblyHelpers::branchIfInt32):
2952         (JSC::AssemblyHelpers::branchIfNotInt32):
2953         (JSC::AssemblyHelpers::branchIfNumber):
2954         (JSC::AssemblyHelpers::branchIfNotNumber):
2955         (JSC::AssemblyHelpers::branchIfBoolean):
2956         (JSC::AssemblyHelpers::branchIfNotBoolean):
2957         (JSC::AssemblyHelpers::branchIfEmpty):
2958         (JSC::AssemblyHelpers::branchIfNotEmpty):
2959         (JSC::AssemblyHelpers::branchIfUndefined):
2960         (JSC::AssemblyHelpers::branchIfNotUndefined):
2961         (JSC::AssemblyHelpers::branchIfNull):
2962         (JSC::AssemblyHelpers::branchIfNotNull):
2963         * jit/JIT.h:
2964         * jit/JITArithmetic.cpp:
2965         (JSC::JIT::emit_compareAndJump):
2966         (JSC::JIT::emit_compareAndJumpSlow):
2967         * jit/JITArithmetic32_64.cpp:
2968         (JSC::JIT::emit_compareAndJump):
2969         (JSC::JIT::emit_op_unsigned):
2970         (JSC::JIT::emit_op_inc):
2971         (JSC::JIT::emit_op_dec):
2972         (JSC::JIT::emitBinaryDoubleOp):
2973         (JSC::JIT::emit_op_mod):
2974         * jit/JITCall.cpp:
2975         (JSC::JIT::compileCallEval):
2976         (JSC::JIT::compileOpCall):
2977         * jit/JITCall32_64.cpp:
2978         (JSC::JIT::compileCallEval):
2979         (JSC::JIT::compileOpCall):
2980         * jit/JITInlines.h:
2981         (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
2982         (JSC::JIT::emitJumpIfBothJSCells):
2983         (JSC::JIT::emitJumpSlowCaseIfJSCell):
2984         (JSC::JIT::emitJumpIfNotInt):
2985         (JSC::JIT::emitJumpSlowCaseIfNotInt):
2986         (JSC::JIT::emitJumpSlowCaseIfNotNumber):
2987         (JSC::JIT::emitJumpIfCellObject): Deleted.
2988         (JSC::JIT::emitJumpIfCellNotObject): Deleted.
2989         (JSC::JIT::emitJumpIfJSCell): Deleted.
2990         (JSC::JIT::emitJumpIfInt): Deleted.
2991         * jit/JITOpcodes.cpp:
2992         (JSC::JIT::emit_op_instanceof):
2993         (JSC::JIT::emit_op_is_undefined):
2994         (JSC::JIT::emit_op_is_cell_with_type):
2995         (JSC::JIT::emit_op_is_object):
2996         (JSC::JIT::emit_op_to_primitive):
2997         (JSC::JIT::emit_op_jeq_null):
2998         (JSC::JIT::emit_op_jneq_null):
2999         (JSC::JIT::compileOpStrictEq):
3000         (JSC::JIT::compileOpStrictEqJump):
3001         (JSC::JIT::emit_op_to_number):
3002         (JSC::JIT::emit_op_to_string):
3003         (JSC::JIT::emit_op_to_object):
3004         (JSC::JIT::emit_op_eq_null):
3005         (JSC::JIT::emit_op_neq_null):
3006         (JSC::JIT::emit_op_to_this):
3007         (JSC::JIT::emit_op_create_this):
3008         (JSC::JIT::emit_op_check_tdz):
3009         (JSC::JIT::emitNewFuncExprCommon):
3010         (JSC::JIT::emit_op_profile_type):
3011         * jit/JITOpcodes32_64.cpp:
3012         (JSC::JIT::emit_op_instanceof):
3013         (JSC::JIT::emit_op_is_undefined):
3014         (JSC::JIT::emit_op_is_cell_with_type):
3015         (JSC::JIT::emit_op_is_object):
3016         (JSC::JIT::emit_op_to_primitive):
3017         (JSC::JIT::emit_op_not):
3018         (JSC::JIT::emit_op_jeq_null):
3019         (JSC::JIT::emit_op_jneq_null):
3020         (JSC::JIT::emit_op_jneq_ptr):
3021         (JSC::JIT::emit_op_eq):
3022         (JSC::JIT::emit_op_jeq):
3023         (JSC::JIT::emit_op_neq):
3024         (JSC::JIT::emit_op_jneq):
3025         (JSC::JIT::compileOpStrictEq):
3026         (JSC::JIT::compileOpStrictEqJump):
3027         (JSC::JIT::emit_op_eq_null):
3028         (JSC::JIT::emit_op_neq_null):
3029         (JSC::JIT::emit_op_to_number):
3030         (JSC::JIT::emit_op_to_string):
3031         (JSC::JIT::emit_op_to_object):
3032         (JSC::JIT::emit_op_create_this):
3033         (JSC::JIT::emit_op_to_this):
3034         (JSC::JIT::emit_op_check_tdz):
3035         (JSC::JIT::emit_op_profile_type):
3036         * jit/JITPropertyAccess.cpp:
3037         (JSC::JIT::emit_op_get_by_val):
3038         (JSC::JIT::emitGetByValWithCachedId):
3039         (JSC::JIT::emitGenericContiguousPutByVal):
3040         (JSC::JIT::emitPutByValWithCachedId):
3041         (JSC::JIT::emit_op_get_from_scope):
3042         (JSC::JIT::emit_op_put_to_scope):
3043         (JSC::JIT::emitWriteBarrier):
3044         (JSC::JIT::emitIntTypedArrayPutByVal):
3045         (JSC::JIT::emitFloatTypedArrayPutByVal):
3046         * jit/JITPropertyAccess32_64.cpp:
3047         (JSC::JIT::emit_op_get_by_val):
3048         (JSC::JIT::emitContiguousLoad):
3049         (JSC::JIT::emitArrayStorageLoad):
3050         (JSC::JIT::emitGetByValWithCachedId):
3051         (JSC::JIT::emitGenericContiguousPutByVal):
3052         (JSC::JIT::emitPutByValWithCachedId):
3053         (JSC::JIT::emit_op_get_from_scope):
3054         (JSC::JIT::emit_op_put_to_scope):
3055         * jit/JSInterfaceJIT.h:
3056         (JSC::JSInterfaceJIT::emitLoadJSCell):
3057         (JSC::JSInterfaceJIT::emitLoadInt32):
3058         (JSC::JSInterfaceJIT::emitLoadDouble):
3059         (JSC::JSInterfaceJIT::emitJumpIfNumber): Deleted.
3060         (JSC::JSInterfaceJIT::emitJumpIfNotNumber): Deleted.
3061         (JSC::JSInterfaceJIT::emitJumpIfNotType): Deleted.
3062         * jit/Repatch.cpp:
3063         (JSC::linkPolymorphicCall):
3064         * jit/ThunkGenerators.cpp:
3065         (JSC::virtualThunkFor):
3066         (JSC::absThunkGenerator):
3067         * tools/JSDollarVM.cpp:
3068         (WTF::DOMJITNode::checkSubClassSnippet):
3069         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
3070
3071 2018-05-17  Saam Barati  <sbarati@apple.com>
3072
3073         Unreviewed. Fix the build after my attempted build fix broke the build.
3074
3075         * builtins/BuiltinExecutables.cpp:
3076         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
3077         (JSC::BuiltinExecutables::createDefaultConstructor):
3078         * builtins/BuiltinExecutables.h:
3079
3080 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3081
3082         [JSC] Remove reifyPropertyNameIfNeeded
3083         https://bugs.webkit.org/show_bug.cgi?id=185350
3084
3085         Reviewed by Saam Barati.
3086
3087         reifyPropertyNameIfNeeded is in the middle of putDirectInternal, which is super critical path.
3088         This is a virtual call, and it is only used by JSFunction right now. Since this causes too much
3089         cost, we should remove this from the critical path.
3090
3091         This patch removes this function call from the critical path. In our slow paths, we call
3092         helper functions which call reifyLazyPropertyIfNeeded if the given value is a JSFunction.
3093         While putDirect is a bit of a raw API, our slow paths just call it. This helper wraps these calls
3094         and takes care of the edge cases. The other callsites of putDirect should know the type of the given
3095         object and the name of the property (and avoid these edge cases).
3096
3097         This improves SixSpeed/object-assign.es6 by ~4% on MacBook Pro. And this patch does not cause
3098         regressions of the existing tests.
3099
3100                                            baseline                  patched
3101         Kraken:
3102             json-parse-financial        35.522+-0.069      ^      34.708+-0.097         ^ definitely 1.0234x faster
3103
3104         SixSpeed:
3105             object-assign.es6         145.8779+-0.2838     ^    140.1019+-0.8007        ^ definitely 1.0412x faster
3106
3107         * dfg/DFGOperations.cpp:
3108         (JSC::DFG::putByValInternal):
3109         (JSC::DFG::putByValCellInternal):
3110         * jit/JITOperations.cpp:
3111         * llint/LLIntSlowPaths.cpp:
3112         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3113         * runtime/ClassInfo.h:
3114         * runtime/CommonSlowPaths.h:
3115         (JSC::CommonSlowPaths::putDirectWithReify):
3116         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
3117         * runtime/JSCell.cpp:
3118         (JSC::JSCell::reifyPropertyNameIfNeeded): Deleted.
3119         * runtime/JSCell.h:
3120         * runtime/JSFunction.cpp:
3121         (JSC::JSFunction::reifyPropertyNameIfNeeded): Deleted.
3122         * runtime/JSFunction.h:
3123         * runtime/JSObject.cpp:
3124         (JSC::JSObject::putDirectAccessor):
3125         (JSC::JSObject::putDirectNonIndexAccessor):
3126         * runtime/JSObject.h:
3127         * runtime/JSObjectInlines.h:
3128         (JSC::JSObject::putDirectInternal):
3129
3130 2018-05-17  Saam Barati  <sbarati@apple.com>
3131
3132         Unreviewed. Try to fix windows build.
3133
3134         * builtins/BuiltinExecutables.cpp:
3135         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
3136
3137 2018-05-16  Saam Barati  <sbarati@apple.com>
3138
3139         UnlinkedFunctionExecutable doesn't need a parent source override field since it's only used for default class constructors
3140         https://bugs.webkit.org/show_bug.cgi?id=185637
3141
3142         Reviewed by Keith Miller.
3143
3144         We had this general mechanism for overriding an UnlinkedFunctionExecutable's parent
3145         source code. However, we were only using this for default class constructors. There
3146         are only two types of default class constructors. This patch makes it so that
3147         we just store this information inside of a single bit, and ask for the source
3148         code as needed instead of holding it in a nullable field that is 24 bytes in size.
3149         
3150         This brings UnlinkedFunctionExecutable's size down from 184 bytes to 160 bytes.
3151         This has the consequence of making it allocated out of a 160 byte size class
3152         instead of a 224 byte size class. This should bring down its memory footprint
3153         by ~40%.
3154
3155         * builtins/BuiltinExecutables.cpp:
3156         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
3157         (JSC::BuiltinExecutables::createDefaultConstructor):
3158         (JSC::BuiltinExecutables::createExecutable):
3159         * builtins/BuiltinExecutables.h:
3160         * bytecode/UnlinkedFunctionExecutable.cpp:
3161         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3162         (JSC::UnlinkedFunctionExecutable::link):
3163         * bytecode/UnlinkedFunctionExecutable.h:
3164         * runtime/CodeCache.cpp:
3165         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
3166
3167 2018-05-16  Saam Barati  <sbarati@apple.com>
3168
3169         VM::shrinkFootprint should call collectNow(Sync) instead of collectSync so it also eagerly sweeps
3170         https://bugs.webkit.org/show_bug.cgi?id=185707
3171
3172         Reviewed by Mark Lam.
3173
3174         * runtime/VM.cpp:
3175         (JSC::VM::shrinkFootprint):
3176
3177 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
3178
3179         [ESNext][BigInt] Implement support for "/" operation
3180         https://bugs.webkit.org/show_bug.cgi?id=183996
3181
3182         Reviewed by Yusuke Suzuki.
3183
3184         This patch is introducing the support for BigInt into divide
3185         operation in the LLInt and JIT layers.
3186
3187         * dfg/DFGOperations.cpp:
3188         * runtime/CommonSlowPaths.cpp:
3189         (JSC::SLOW_PATH_DECL):
3190         * runtime/JSBigInt.cpp:
3191         (JSC::JSBigInt::divide):
3192         (JSC::JSBigInt::copy):
3193         (JSC::JSBigInt::unaryMinus):
3194         (JSC::JSBigInt::absoluteCompare):
3195         (JSC::JSBigInt::absoluteDivLarge):
3196         (JSC::JSBigInt::productGreaterThan):
3197         (JSC::JSBigInt::inplaceAdd):
3198         (JSC::JSBigInt::inplaceSub):
3199         (JSC::JSBigInt::inplaceRightShift):
3200         (JSC::JSBigInt::specialLeftShift):
3201         (JSC::JSBigInt::digit):
3202         (JSC::JSBigInt::setDigit):
3203         * runtime/JSBigInt.h:
3204
3205 2018-05-16  Saam Barati  <sbarati@apple.com>
3206
3207         Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
3208         https://bugs.webkit.org/show_bug.cgi?id=185670
3209
3210         Reviewed by Yusuke Suzuki.
3211
3212         This patch makes it so that we constant fold CheckTypeInfoFlags for
3213         ImplementsDefaultHasInstance inside of AI/constant folding. We constant
3214         fold in three ways:
3215         - When the incoming value is a constant, we just look at its inline type
3216         flags. Since those flags never change after an object is created, this
3217         is sound.
3218         - Based on the incoming value having a finite structure set. We just iterate
3219         all structures and ensure they have the bit set.
3220         - Based on speculated type. To do this, I split up SpecFunction into two
3221         subheaps where one is for functions that have the bit set, and one for
3222         functions that don't have the bit set. The latter is currently only comprised
3223         of JSBoundFunctions. To constant fold, we check that the incoming
3224         value only has the SpecFunction type with ImplementsDefaultHasInstance set.
3225
3226         * bytecode/SpeculatedType.cpp:
3227         (JSC::speculationFromClassInfo):
3228         * bytecode/SpeculatedType.h:
3229         * dfg/DFGAbstractInterpreterInlines.h:
3230         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3231         * dfg/DFGConstantFoldingPhase.cpp:
3232         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3233         * dfg/DFGSpeculativeJIT.cpp:
3234         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
3235         * dfg/DFGStrengthReductionPhase.cpp:
3236         (JSC::DFG::StrengthReductionPhase::handleNode):
3237         * runtime/JSFunction.cpp:
3238         (JSC::JSFunction::JSFunction):
3239         (JSC::JSFunction::assertTypeInfoFlagInvariants):
3240         * runtime/JSFunction.h:
3241         (JSC::JSFunction::assertTypeInfoFlagInvariants):
3242         * runtime/JSFunctionInlines.h:
3243         (JSC::JSFunction::JSFunction):
3244
3245 2018-05-16  Devin Rousso  <webkit@devinrousso.com>
3246
3247         Web Inspector: create a navigation item for toggling the overlay rulers/guides
3248         https://bugs.webkit.org/show_bug.cgi?id=185644
3249
3250         Reviewed by Matt Baker.
3251
3252         * inspector/protocol/OverlayTypes.json:
3253         * inspector/protocol/Page.json:
3254
3255 2018-05-16  Commit Queue  <commit-queue@webkit.org>
3256
3257         Unreviewed, rolling out r231845.
3258         https://bugs.webkit.org/show_bug.cgi?id=185702
3259
3260         it is breaking Apple High Sierra 32-bit JSC bot (Requested by
3261         caiolima on #webkit).
3262
3263         Reverted changeset:
3264
3265         "[ESNext][BigInt] Implement support for "/" operation"
3266         https://bugs.webkit.org/show_bug.cgi?id=183996
3267         https://trac.webkit.org/changeset/231845
3268
3269 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
3270
3271         DFG models InstanceOf incorrectly
3272         https://bugs.webkit.org/show_bug.cgi?id=185694
3273
3274         Reviewed by Keith Miller.
3275         
3276         Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
3277         hoist it.
3278
3279         * dfg/DFGAbstractInterpreterInlines.h:
3280         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3281         * dfg/DFGClobberize.h:
3282         (JSC::DFG::clobberize):
3283         * dfg/DFGHeapLocation.cpp:
3284         (WTF::printInternal):
3285         * dfg/DFGHeapLocation.h:
3286         * dfg/DFGNodeType.h:
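
        The following is an added example in plain JavaScript, not JavaScriptCore code. It
        demonstrates the observable behaviour that both the instanceof inline cache (the entry
        built on hasPrototype conditions, further up this file) and the effect model fixed in the
        entry above must preserve: a Proxy on the prototype chain runs a trap during instanceof,
        that trap can throw, the answer changes when a link in the chain is rewritten, and bound
        functions and Symbol.hasInstance (the cases that do not implement the default hasInstance)
        bypass the plain chain walk. Class and function names are constructed for the example.

```javascript
'use strict';
// Added example (plain JS, not JavaScriptCore code): the observable behaviour that an
// instanceof inline cache and the DFG's effect model both have to preserve.

class Base {}

// 1. A Proxy in the prototype chain makes instanceof observable: its getPrototypeOf trap runs.
function instanceofThroughProxy() {
  const trapCalls = [];
  const trapped = new Proxy(Object.create(Base.prototype), {
    getPrototypeOf(target) {
      trapCalls.push('getPrototypeOf');
      return Object.getPrototypeOf(target);
    },
  });
  const obj = Object.create(trapped);
  return { result: obj instanceof Base, trapCalls: trapCalls.length };
}

// 2. The trap can throw, so instanceof cannot be dead-code eliminated or hoisted past it.
function instanceofThatThrows() {
  const poison = new Proxy({}, {
    getPrototypeOf() { throw new Error('trap fired'); },
  });
  const obj = Object.create(poison);
  try {
    void (obj instanceof Base); // result unused, yet the evaluation must still happen
    return null;
  } catch (e) {
    return e.message;
  }
}

// 3. The answer depends on the live prototype chain; a cached "yes" must be invalidated
//    when any link in the chain is rewritten (what the hasPrototype conditions watch for).
function instanceofAfterSetPrototype() {
  class Derived extends Base {}
  const obj = new Derived();
  const before = obj instanceof Base;
  Object.setPrototypeOf(Derived.prototype, null); // cut Derived.prototype -> Base.prototype
  const after = obj instanceof Base;
  return { before, after };
}

// 4. Bound functions defer to their target, and Symbol.hasInstance replaces the chain walk.
function instanceofBoundAndCustom() {
  const bound = Base.bind(null);
  class EvenNumber {
    static [Symbol.hasInstance](x) { return typeof x === 'number' && x % 2 === 0; }
  }
  return {
    viaBound: new Base() instanceof bound,
    customEven: 4 instanceof EvenNumber,
    customOdd: 3 instanceof EvenNumber,
  };
}
```

        Case 2 is the one the entry calls out: because the trap throws, an optimizer that treated
        InstanceOf as pure and dropped the unused result would silently swallow an exception the
        program is entitled to observe.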
3287
3288 2018-05-16  Andy VanWagoner  <andy@vanwagoner.family>
3289
3290         Add support for Intl NumberFormat formatToParts
3291         https://bugs.webkit.org/show_bug.cgi?id=185375
3292
3293         Reviewed by Yusuke Suzuki.
3294
3295         Add flag for NumberFormat formatToParts. Implement formatToParts using
3296         unum_formatDoubleForFields. Because the fields are nested and come back
3297         in no guaranteed order, the simple algorithm to convert them to the
3298         desired format is roughly O(n^2). However, even with Number.MAX_VALUE
3299         it appears to perform well enough for the initial implementation. Another
3300         issue has been created to improve this algorithm.
3301
3302         This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
3303         on macOS, since only v57 is available.
3304
3305         * Configurations/FeatureDefines.xcconfig:
3306         * runtime/IntlNumberFormat.cpp:
3307         (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
3308         (JSC::IntlNumberFormat::partTypeString):
3309         (JSC::IntlNumberFormat::formatToParts):
3310         * runtime/IntlNumberFormat.h:
3311         * runtime/IntlNumberFormatPrototype.cpp:
3312         (JSC::IntlNumberFormatPrototype::create):
3313         (JSC::IntlNumberFormatPrototype::finishCreation):
3314         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
3315         * runtime/IntlNumberFormatPrototype.h:
3316         * runtime/Options.h:
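
        The following is an added example in plain JavaScript, not the IntlNumberFormat
        implementation: it shows the per-character conversion the entry describes, turning field
        spans that arrive nested (the integer span covers its grouping separators) and in no
        particular order into the ordered parts array that formatToParts returns. The field spans
        and the formatted string are constructed for the example; the part type names follow
        ECMA-402.

```javascript
'use strict';
// Added example (plain JS, not JavaScriptCore code): rebuilding an ordered formatToParts()
// array from nested, unordered field spans with the straightforward O(n^2) approach.

// Each field is { type, begin, end } over the formatted string, end exclusive.
function fieldsToParts(formatted, fields) {
  // Pass 1: for every character pick the narrowest field covering it (null = literal text).
  const owner = new Array(formatted.length).fill(null);
  for (let i = 0; i < formatted.length; i++) {
    for (const f of fields) {
      if (f.begin > i || i >= f.end) continue;
      if (owner[i] === null || f.end - f.begin < owner[i].end - owner[i].begin) owner[i] = f;
    }
  }
  // Pass 2: merge adjacent characters owned by the same field (or by no field) into one part.
  const parts = [];
  for (let i = 0; i < formatted.length; i++) {
    const prev = parts[parts.length - 1];
    if (prev && prev.field === owner[i]) {
      prev.value += formatted[i];
    } else {
      parts.push({ field: owner[i], type: owner[i] ? owner[i].type : 'literal', value: formatted[i] });
    }
  }
  return parts.map(({ type, value }) => ({ type, value }));
}

// Constructed spans for "-$1,234.56", listed in the order a field iterator might hand them back.
const SAMPLE_TEXT = '-$1,234.56';
const SAMPLE_FIELDS = [
  { type: 'fraction',  begin: 8, end: 10 },
  { type: 'integer',   begin: 2, end: 7 },   // "1,234": also covers the group separator
  { type: 'group',     begin: 3, end: 4 },
  { type: 'minusSign', begin: 0, end: 1 },
  { type: 'decimal',   begin: 7, end: 8 },
  { type: 'currency',  begin: 1, end: 2 },
];

function sampleParts() {
  return fieldsToParts(SAMPLE_TEXT, SAMPLE_FIELDS);
}
```

        sampleParts() yields minusSign, currency, integer "1", group, integer "234", decimal and
        fraction "56", in that order; the integer span is split around the group separator because
        the narrower group field wins ownership of the comma.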
3317
3318 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
3319
3320         [ESNext][BigInt] Implement support for "/" operation
3321         https://bugs.webkit.org/show_bug.cgi?id=183996
3322
3323         Reviewed by Yusuke Suzuki.
3324
3325         This patch is introducing the support for BigInt into divide
3326         operation in the LLInt and JIT layers.
3327
3328         * dfg/DFGOperations.cpp:
3329         * runtime/CommonSlowPaths.cpp:
3330         (JSC::SLOW_PATH_DECL):
3331         * runtime/JSBigInt.cpp:
3332         (JSC::JSBigInt::divide):
3333         (JSC::JSBigInt::copy):
3334         (JSC::JSBigInt::unaryMinus):
3335         (JSC::JSBigInt::absoluteCompare):
3336         (JSC::JSBigInt::absoluteDivLarge):
3337         (JSC::JSBigInt::productGreaterThan):
3338         (JSC::JSBigInt::inplaceAdd):
3339         (JSC::JSBigInt::inplaceSub):
3340         (JSC::JSBigInt::inplaceRightShift):
3341         (JSC::JSBigInt::specialLeftShift):
3342         (JSC::JSBigInt::digit):
3343         (JSC::JSBigInt::setDigit):
3344         * runtime/JSBigInt.h:
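
        The following is an added example in plain JavaScript, not JSBigInt code; it serves both
        this entry and its re-landing further up the file. It implements BigInt "/" the way the
        listed helpers suggest: magnitudes as little-endian arrays of 16-bit digits, a compare, an
        in-place subtract and an in-place shift, restoring long division over the digits, then the
        sign rule (truncate toward zero) and the RangeError for a zero divisor on top. Function
        names echo the entry's but are this example's own; the digit width is an assumption.

```javascript
'use strict';
// Added example (plain JS, not JSBigInt code): BigInt division on 16-bit "digit" arrays,
// checked against the native operator.

const DIGIT_BITS = 16;
const DIGIT_MASK = 0xffff;

// Little-endian digit array from a non-negative BigInt; no leading zero digits.
function digitsFromBigInt(n) {
  if (n < 0n) throw new RangeError('magnitude only');
  const out = [];
  while (n > 0n) {
    out.push(Number(n & 0xffffn));
    n >>= 16n;
  }
  return out;
}

function bigIntFromDigits(digits) {
  let n = 0n;
  for (let i = digits.length - 1; i >= 0; i--) n = (n << 16n) | BigInt(digits[i]);
  return n;
}

// Drop leading zero digits so that comparing lengths is meaningful.
function trim(d) {
  while (d.length && d[d.length - 1] === 0) d.pop();
  return d;
}

// -1, 0 or 1 comparing magnitudes; both inputs must be trimmed.
function absoluteCompare(a, b) {
  if (a.length !== b.length) return a.length < b.length ? -1 : 1;
  for (let i = a.length - 1; i >= 0; i--) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// a -= b in place; requires |a| >= |b|.
function inplaceSub(a, b) {
  let borrow = 0;
  for (let i = 0; i < a.length; i++) {
    let diff = a[i] - (i < b.length ? b[i] : 0) - borrow;
    borrow = diff < 0 ? 1 : 0;
    if (borrow) diff += 1 << DIGIT_BITS;
    a[i] = diff;
  }
  if (borrow) throw new Error('underflow: |a| < |b|');
  trim(a);
}

// a = (a << 1) | bit in place.
function shiftLeftOneAndOr(a, bit) {
  let carry = bit;
  for (let i = 0; i < a.length; i++) {
    const v = (a[i] << 1) | carry;
    a[i] = v & DIGIT_MASK;
    carry = v >>> DIGIT_BITS;
  }
  if (carry) a.push(carry);
}

// Restoring long division on magnitudes, one bit at a time; the remainder is always < b.
function absoluteDivide(a, b) {
  if (b.length === 0) throw new RangeError('Division by zero');
  const quotient = new Array(a.length).fill(0);
  const remainder = [];
  for (let i = a.length - 1; i >= 0; i--) {
    for (let bit = DIGIT_BITS - 1; bit >= 0; bit--) {
      shiftLeftOneAndOr(remainder, (a[i] >>> bit) & 1);
      if (absoluteCompare(remainder, b) >= 0) {
        inplaceSub(remainder, b);
        quotient[i] |= 1 << bit;
      }
    }
  }
  return { quotient: trim(quotient), remainder };
}

// BigInt "/": operands must both be BigInt, the divisor non-zero, and the result truncates toward zero.
function divide(x, y) {
  if (typeof x !== 'bigint' || typeof y !== 'bigint') throw new TypeError('BigInt operands only');
  if (y === 0n) throw new RangeError('Division by zero');
  const negative = (x < 0n) !== (y < 0n);
  const { quotient } = absoluteDivide(digitsFromBigInt(x < 0n ? -x : x), digitsFromBigInt(y < 0n ? -y : y));
  const q = bigIntFromDigits(quotient);
  return negative ? -q : q;
}
```

        The bit-at-a-time loop is the simplest correct schoolbook division; a production
        implementation uses a digit-at-a-time estimate and correction, but the invariants (the
        remainder stays below the divisor, the sign is applied to the magnitude result) are the
        same.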
3345
3346 2018-05-16  Alberto Garcia  <berto@igalia.com>
3347
3348         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
3349         https://bugs.webkit.org/show_bug.cgi?id=182622
3350
3351         Reviewed by Michael Catanzaro.
3352
3353         We were linking JavaScriptCore against libatomic in MIPS because
3354         in that architecture __atomic_fetch_add_8() is not a compiler
3355         intrinsic and is provided by that library instead. However other
3356         architectures (e.g armel) are in the same situation, so we need a
3357         generic test.
3358
3359         That test already exists in WebKit/CMakeLists.txt, so we just have
3360         to move it to a common file (WebKitCompilerFlags.cmake) and use
3361         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
3362
3363         * CMakeLists.txt:
3364
3365 2018-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3366
3367         [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
3368         https://bugs.webkit.org/show_bug.cgi?id=185601
3369
3370         Reviewed by Saam Barati.
3371
3372         Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData
3373         before calling getCallData when we would like to check whether a given object is callable
3374         since getCallData is a virtual call. When we call the object anyway, directly calling getCallData
3375         is fine. But if we would like to check whether the object is callable, we can have non
3376         callable objects frequently. In that case, we should not call getCallData if we can avoid it.
3377
3378         To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
3379         and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
3380         OverridesGetCallData checking before calling getCallData.
3381
3382         We found that this virtual call exists in JSON.stringify's critical path. Checking
3383         OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.