Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-09-28  Michael Saboff  <msaboff@apple.com>

        Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
        https://bugs.webkit.org/show_bug.cgi?id=177423

        Reviewed by Mark Lam.

        Updated fix that restructures the loop, changing the do ... while to a while, and adds another
        atEndOfPattern() check before looking for the first named group identifier character.

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::tryConsumeGroupName):

2017-09-27  Mark Lam  <mark.lam@apple.com>

        JSArray::canFastCopy() should fail if the source and destination arrays are the same.
        https://bugs.webkit.org/show_bug.cgi?id=177584
        <rdar://problem/34463903>

        Reviewed by Saam Barati.

        If the source and destination arrays are the same, we may be copying overlapping
        regions.  Hence, we need to take the slow path.

        * runtime/JSArrayInlines.h:
        (JSC::JSArray::canFastCopy):

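        Added example (not WebKit's code) illustrating the same-array case behind the JSArray::canFastCopy() change above: a toy array whose fast copy path is a raw memcpy, which is only defined for non-overlapping buffers, so a copy whose source and destination are the same object must take a staged slow path instead. ToyArray, canFastCopy, copyInto and the demo functions are hypothetical names for this example, not WebKit's API.

```cpp
// Added example, not WebKit code: the same-object check that keeps a
// memcpy-based fast copy safe. ToyArray and the function names are hypothetical.
#include <cstddef>
#include <cstring>
#include <vector>

// Stand-in for an array's contiguous element storage.
struct ToyArray {
    std::vector<int> storage;
};

// Same intent as the fixed check: the fast path copies with memcpy, which is
// undefined for overlapping regions, so it must refuse when source and
// destination are the same object.
bool canFastCopy(const ToyArray& source, const ToyArray& destination)
{
    return &source != &destination;
}

// Fast path: one memcpy of the first `count` elements. Precondition: no overlap.
void fastCopy(const ToyArray& source, size_t count, ToyArray& destination, size_t destOffset)
{
    std::memcpy(destination.storage.data() + destOffset,
                source.storage.data(),
                count * sizeof(int));
}

// Slow path: stage the source elements before writing, so overlap is harmless.
void slowCopy(const ToyArray& source, size_t count, ToyArray& destination, size_t destOffset)
{
    std::vector<int> staged(source.storage.begin(), source.storage.begin() + count);
    for (size_t i = 0; i < count; ++i)
        destination.storage[destOffset + i] = staged[i];
}

// Copies the first `count` elements of `source` to destination[destOffset...],
// choosing the path the way the fixed check does. The caller guarantees that
// `count` elements exist in the source and fit in the destination.
void copyInto(const ToyArray& source, size_t count, ToyArray& destination, size_t destOffset)
{
    if (canFastCopy(source, destination))
        fastCopy(source, count, destination, destOffset);
    else
        slowCopy(source, count, destination, destOffset);
}

// Self-copy: shift {1,2,3} one slot right inside the same array (constructed
// sample input). With the fast path this would be memcpy over overlapping memory.
std::vector<int> selfCopyDemo()
{
    ToyArray a;
    a.storage = {1, 2, 3, 0};
    copyInto(a, 3, a, 1);
    return a.storage;  // {1, 1, 2, 3}
}

// Distinct arrays: the fast path is fine.
std::vector<int> distinctCopyDemo()
{
    ToyArray src, dst;
    src.storage = {1, 2, 3, 0};
    dst.storage = {0, 0, 0, 0};
    copyInto(src, 3, dst, 1);
    return dst.storage;  // {0, 1, 2, 3}
}

// The check itself: the same object as both source and destination is refused.
bool sameObjectTakesSlowPath()
{
    ToyArray a;
    return !canFastCopy(a, a);
}
```

        The point of the staging copy is not performance but correctness: once the fast path's precondition (disjoint buffers) can be violated by a caller, the only safe options are to detect the overlap and fall back, or to use an overlap-tolerant primitive such as memmove.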
2017-09-27  Saam Barati  <sbarati@apple.com>

        Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
        https://bugs.webkit.org/show_bug.cgi?id=177523

        Reviewed by Mark Lam.

        There was a bug in Structure's transition constructor where it didn't
        propagate forward the hasBeenFlattenedBefore bit. In practice, this meant
        that every time we asked a dictionary structure if it has been flattened
        before, it would return false. This patch fixes this bug. It also fixes
        a bug that this uncovers in our for-in implementation. Our implementation
        would cache the property name enumerator even when the prototype chain
        included a structure that is a dictionary. This is wrong because that
        prototype object may add properties without transitioning, and the for-in
        loop would vend a stale set of prototype properties.

        * jit/JITOperations.cpp:
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::canCachePropertyNameEnumerator const):

2017-09-27  Mark Lam  <mark.lam@apple.com>

        Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
        https://bugs.webkit.org/show_bug.cgi?id=177423
        <rdar://problem/34621320>

        Reviewed by Keith Miller.

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::tryConsumeGroupName):

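        Added example (not WebKit's Yarr code), illustrating both tryConsumeGroupName() entries above: a toy parser for the text that follows a named group's "(?<" prefix, with an instrumented peek() that records a read at or past the end of the pattern instead of performing it. The hardened routine checks atEndOfPattern() before every peek(), including the one that looks at the first identifier character, and drives the body with a while loop; the unguarded routine reconstructs the defective shape the ChangeLog describes and is not the original code. ToyPatternParser and its members are hypothetical names.

```cpp
// Added example, not WebKit's Yarr code: where the end-of-pattern check must sit
// relative to peek() when consuming "(?<name>". All names are hypothetical.
#include <cctype>
#include <string>

struct ToyPatternParser {
    std::string pattern;
    size_t position = 0;
    int outOfBoundsPeeks = 0;  // instrumentation: counts peeks at or past the end

    bool atEndOfPattern() const { return position >= pattern.size(); }

    // A real parser's peek() reads the buffer directly, so a peek at or past the
    // end is an out-of-bounds read. Here it is recorded and a NUL returned, so
    // the defect is observable rather than undefined behaviour.
    char peek()
    {
        if (atEndOfPattern()) {
            ++outOfBoundsPeeks;
            return '\0';
        }
        return pattern[position];
    }
    void consume() { ++position; }

    static bool isIdentifierStart(char c)
    {
        return std::isalpha(static_cast<unsigned char>(c)) || c == '_' || c == '$';
    }
    static bool isIdentifierPart(char c)
    {
        return isIdentifierStart(c) || std::isdigit(static_cast<unsigned char>(c));
    }

    // Hardened shape. `position` is just past "(?<". Every peek() is guarded by
    // atEndOfPattern(), including the one for the first name character, and the
    // while loop re-checks the end before each peek. Returns "" on failure.
    std::string tryConsumeGroupName()
    {
        if (atEndOfPattern())            // the check the fix adds
            return "";
        if (!isIdentifierStart(peek()))
            return "";
        std::string name;
        while (!atEndOfPattern() && isIdentifierPart(peek())) {
            name.push_back(peek());
            consume();
        }
        if (atEndOfPattern() || peek() != '>')
            return "";                   // pattern ended before the closing '>'
        consume();
        return name;
    }

    // Reconstruction of the defective shape described in the ChangeLog (not the
    // original code): the first identifier character is inspected before anyone
    // asks whether the pattern has already ended, and the do...while commits to
    // one iteration before its condition runs.
    std::string tryConsumeGroupNameUnguarded()
    {
        if (!isIdentifierStart(peek()))  // peeks past the end on a bare "(?<"
            return "";
        std::string name;
        do {
            name.push_back(peek());
            consume();
        } while (!atEndOfPattern() && isIdentifierPart(peek()));
        if (atEndOfPattern() || peek() != '>')
            return "";
        consume();
        return name;
    }
};

// Result of one parse: the name consumed ("" on failure) and how many peeks
// would have read past the end of the buffer.
struct ParseResult {
    std::string name;
    int outOfBoundsPeeks;
};

ParseResult parseGuarded(const std::string& afterPrefix)
{
    ToyPatternParser parser{afterPrefix};
    std::string name = parser.tryConsumeGroupName();
    return {name, parser.outOfBoundsPeeks};
}

ParseResult parseUnguarded(const std::string& afterPrefix)
{
    ToyPatternParser parser{afterPrefix};
    std::string name = parser.tryConsumeGroupNameUnguarded();
    return {name, parser.outOfBoundsPeeks};
}
```

        The inputs worth keeping in a regression test are exactly the truncated ones: a pattern that ends right after "(?<" and one that ends inside the name. The guarded routine rejects both without ever peeking past the end; the unguarded shape reads one byte beyond the buffer on the first case before it can reject it.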
2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix x86 breakage due to exhausted registers
        https://bugs.webkit.org/show_bug.cgi?id=175823

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):

2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix after r222563
        https://bugs.webkit.org/show_bug.cgi?id=175823

        * runtime/JSArrayInlines.h:

2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add Above/Below comparisons for UInt32 patterns
        https://bugs.webkit.org/show_bug.cgi?id=177281

        Reviewed by Saam Barati.

        Sometimes, we would like to have UInt32 operations in JS. While the VM does
        not support UInt32 nicely, the VM supports efficient Int32 operations. As long
        as signedness does not matter, we can just perform Int32 operations instead
        and recognize its bit pattern as UInt32.

        But of course, some operations respect signedness. The most frequently
        used one is comparison. Octane/zlib performs UInt32 comparison by performing
        `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces
        UInt32 in Int32 form. And op_unsigned will generate a Double value if
        the generated Int32 is < 0 (which should be UInt32).

        There is a chance for optimization. The given code pattern is the following.

            op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2))

        This can be converted to the following.

            op_urshift(@1) below:< op_urshift(@2)

        The above conversion is nice since

        1. We can avoid op_unsigned. This could be an unsignedness check in DFG. Since
        this check depends on the value of the Int32, dropping this check is not as easy as
        removing Int32 edge filters.

        2. We can perform unsigned comparison in Int32 form. We do not need to convert
        them to DoubleRep.

        Since the above comparison exists in Octane/zlib's *super* hot path, dropping
        op_unsigned offers a huge win.

        At first, my patch attempted to convert the above thing in the DFG pipeline.
        However, it poses several problems.

        1. MovHint is not well removed. It keeps UInt32ToNumber (which is for op_unsigned) live.
        2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes,

            2: UInt32ToNumber(@0)
            3: MovHint(@2, xxx)
            4: UInt32ToNumber(@1)
            5: MovHint(@1, xxx)

        we could drop @5's MovHint. But @3 is difficult since @4 can exit.

        So, instead, we start by introducing a simple optimization in the bytecode compiler.
        It performs pattern matching for op_urshift and comparison to drop op_unsigned.
        We add op_below and op_above families to the bytecodes. They only accept Int32 and
        perform unsigned comparison.

        This offers a 4% performance improvement in Octane/zlib.

                                    baseline                  patched

        zlib           x2     431.07483+-16.28434       414.33407+-9.38375         might be 1.0404x faster

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCompareJump):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/Opcode.h:
        (JSC::isBranch):
        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::extractStoredJumpTargetsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCompareUnsigned):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_below):
        (JSC::JIT::emit_op_beloweq):
        (JSC::JIT::emit_op_jbelow):
        (JSC::JIT::emit_op_jbeloweq):
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Nodes.h:
        (JSC::ExpressionNode::isBinaryOpNode const):

2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Support ArrayPush with multiple args
        https://bugs.webkit.org/show_bug.cgi?id=175823

        Reviewed by Saam Barati.

        This patch implements ArrayPush (with multiple arguments) in DFG and FTL. Previously, they were not handled
        by ArrayPush. Then they went to a generic direct call to Array#push, which runs in the slow path. This patch
        extends ArrayPush to push multiple arguments in a bulk push manner.

        The problem of ArrayPush is that we need to perform ArrayPush atomically: If an OSR exit occurs in the middle
        of ArrayPush, we incorrectly push the already pushed elements twice. Once we start pushing values, we should not exit.
        But we do not want to iterate the elements twice, once for type checks and once for actually pushing them. It
        could move elements between registers and memory back and forth.

        This patch achieves the above goal by separating type checks from ArrayPush. When starting ArrayPush, type
        checks for elements are already done by separately emitted Check nodes.

        We also add JSArray::pushInline for DFG operations that just call JSArray::push. And we also use it in
        arrayProtoFuncPush's fast path.

        This patch significantly improves performance of `push(multiple args)`.

                                            baseline                  patched
            Microbenchmarks:
                array-push-0            461.8455+-28.9995    ^    151.3438+-6.5653        ^ definitely 3.0516x faster
                array-push-1            133.8845+-7.0349     ?    136.1775+-5.8327        ? might be 1.0171x slower
                array-push-2            675.6555+-13.4645    ^    145.8747+-6.4621        ^ definitely 4.6318x faster
                array-push-3            849.5284+-15.2540    ^    253.4421+-9.1249        ^ definitely 3.3520x faster

                                            baseline                  patched
            SixSpeed:
                spread-literal.es5       90.3482+-6.6514     ^     24.8123+-2.3304        ^ definitely 3.6413x faster

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayPush):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
        * jit/JITOperations.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPush):
        * runtime/JSArray.cpp:
        (JSC::JSArray::push):
        * runtime/JSArray.h:
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):

2017-09-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused parameter of Page.reload
        https://bugs.webkit.org/show_bug.cgi?id=177522

        Reviewed by Matt Baker.

        * inspector/protocol/Page.json:

2017-09-26  Filip Pizlo  <fpizlo@apple.com>

        Put g_gigacageBasePtr into its own page and make it read-only
        https://bugs.webkit.org/show_bug.cgi?id=174972

        Reviewed by Michael Saboff.

        C++ code doesn't have to know about this change. That includes C++ code that generates JIT code.

        But the offline assembler now needs to know about how to load from offsets of global variables.
        This turned out to be easy to support by extending the existing expression support.

        * llint/LowLevelInterpreter64.asm:
        * offlineasm/ast.rb:
        * offlineasm/parser.rb:
        * offlineasm/transform.rb:
        * offlineasm/x86.rb:

2017-09-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r222518.
        https://bugs.webkit.org/show_bug.cgi?id=177507

        Break the High Sierra build (Requested by yusukesuzuki on
        #webkit).

        Reverted changeset:

        "Add Above/Below comparisons for UInt32 patterns"
        https://bugs.webkit.org/show_bug.cgi?id=177281
        http://trac.webkit.org/changeset/222518

2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add Above/Below comparisons for UInt32 patterns
        https://bugs.webkit.org/show_bug.cgi?id=177281

        Reviewed by Saam Barati.

        Sometimes, we would like to have UInt32 operations in JS. While the VM does
        not support UInt32 nicely, the VM supports efficient Int32 operations. As long
        as signedness does not matter, we can just perform Int32 operations instead
        and recognize its bit pattern as UInt32.

        But of course, some operations respect signedness. The most frequently
        used one is comparison. Octane/zlib performs UInt32 comparison by performing
        `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces
        UInt32 in Int32 form. And op_unsigned will generate a Double value if
        the generated Int32 is < 0 (which should be UInt32).

        There is a chance for optimization. The given code pattern is the following.

            op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2))

        This can be converted to the following.

            op_urshift(@1) below:< op_urshift(@2)

        The above conversion is nice since

        1. We can avoid op_unsigned. This could be an unsignedness check in DFG. Since
        this check depends on the value of the Int32, dropping this check is not as easy as
        removing Int32 edge filters.

        2. We can perform unsigned comparison in Int32 form. We do not need to convert
        them to DoubleRep.

        Since the above comparison exists in Octane/zlib's *super* hot path, dropping
        op_unsigned offers a huge win.

        At first, my patch attempted to convert the above thing in the DFG pipeline.
        However, it poses several problems.

        1. MovHint is not well removed. It keeps UInt32ToNumber (which is for op_unsigned) live.
        2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes,

            2: UInt32ToNumber(@0)
            3: MovHint(@2, xxx)
            4: UInt32ToNumber(@1)
            5: MovHint(@1, xxx)

        we could drop @5's MovHint. But @3 is difficult since @4 can exit.

        So, instead, we start by introducing a simple optimization in the bytecode compiler.
        It performs pattern matching for op_urshift and comparison to drop op_unsigned.
        We add op_below and op_above families to the bytecodes. They only accept Int32 and
        perform unsigned comparison.

        This offers a 4% performance improvement in Octane/zlib.

                                    baseline                  patched

        zlib           x2     431.07483+-16.28434       414.33407+-9.38375         might be 1.0404x faster

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCompareJump):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/Opcode.h:
        (JSC::isBranch):
        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::extractStoredJumpTargetsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCompareUnsigned):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_below):
        (JSC::JIT::emit_op_beloweq):
        (JSC::JIT::emit_op_jbelow):
        (JSC::JIT::emit_op_jbeloweq):
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Nodes.h:
        (JSC::ExpressionNode::isBinaryOpNode const):

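        Added example (not JavaScriptCore code), covering both copies of the Above/Below entry above (the rolled-out r222518 and the re-landed one): a model of op_urshift, op_unsigned and op_below that checks the rewrite of `op_unsigned(op_urshift(@1)) < op_unsigned(op_urshift(@2))` into `op_urshift(@1) below op_urshift(@2)` over inputs on both sides of the sign bit, and shows why a plain signed Int32 compare would not be a valid replacement. The function and struct names are hypothetical and the semantics are reduced to what the entry describes.

```cpp
// Added example, not JavaScriptCore code: a model of the UInt32-in-Int32-form
// comparison rewrite. Names are hypothetical; only the described semantics are kept.
#include <cstdint>
#include <vector>

// op_urshift: JS `x >>> n` yields a UInt32, which the engine keeps as an Int32
// bit pattern, so results >= 2^31 appear negative in that form.
int32_t opUrshift(int32_t value, unsigned shift)
{
    uint32_t unsignedResult = static_cast<uint32_t>(value) >> (shift & 31);
    return static_cast<int32_t>(unsignedResult);
}

// op_unsigned: materialises the UInt32 as a JS number. When the Int32 form is
// negative the true value no longer fits an Int32 and becomes a Double.
double opUnsigned(int32_t int32Form)
{
    return static_cast<double>(static_cast<uint32_t>(int32Form));
}

// Original sequence: op_unsigned(op_urshift(a)) lessThan op_unsigned(op_urshift(b)).
bool lessThanViaUnsigned(int32_t a, int32_t b)
{
    return opUnsigned(opUrshift(a, 0)) < opUnsigned(opUrshift(b, 0));
}

// op_below: unsigned compare of the Int32 bit patterns, no Double conversion.
bool opBelow(int32_t lhs, int32_t rhs)
{
    return static_cast<uint32_t>(lhs) < static_cast<uint32_t>(rhs);
}

// Rewritten sequence: op_urshift(a) below op_urshift(b).
bool belowViaInt32(int32_t a, int32_t b)
{
    return opBelow(opUrshift(a, 0), opUrshift(b, 0));
}

// What the rewrite must NOT become: a signed compare of the Int32 forms, which
// orders every value >= 2^31 below every value < 2^31.
bool signedLessThan(int32_t a, int32_t b)
{
    return opUrshift(a, 0) < opUrshift(b, 0);
}

// Compares the three forms over constructed inputs around the sign bit and
// returns how often each candidate disagreed with the original sequence.
struct Agreement {
    int belowMismatches;   // expected 0: op_below is exact
    int signedMismatches;  // expected > 0: signed compare is wrong past 2^31
};

Agreement checkRewrite()
{
    const std::vector<int32_t> samples = {
        0, 1, -1, 42, -42, 0x40000000, -2, INT32_MAX, INT32_MIN
    };
    Agreement result{0, 0};
    for (int32_t a : samples) {
        for (int32_t b : samples) {
            bool expected = lessThanViaUnsigned(a, b);
            if (belowViaInt32(a, b) != expected)
                ++result.belowMismatches;
            if (signedLessThan(a, b) != expected)
                ++result.signedMismatches;
        }
    }
    return result;
}
```

        The equivalence holds because every UInt32 is exactly representable as a Double, so ordering the Doubles produced by op_unsigned is the same as ordering the UInt32 bit patterns; the rewrite only removes the conversion, not any information. The signed variant is included because it is the tempting shortcut that the new op_below family exists to avoid.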
2017-09-24  Keith Miller  <keith_miller@apple.com>

        JSC build should use unified sources for derived sources
        https://bugs.webkit.org/show_bug.cgi?id=177421

        Reviewed by JF Bastien.

        This patch makes a couple of changes:

        1) Add derived sources to the relevant bundles. I was going to add JSCBuiltins.cpp
        to runtime but that kept breaking the Windows build. I'll get back to it later.
        2) Move the derived location of some sources both for clarity and for ease of use.
        3) Make auto generator scripts able to create directories if needed.
        4) Move some scripts from the top level of the JavaScriptCore directory to a
        more appropriate directory.
        5) Move some CMake generation commands around for clarity.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/lazywriter.py:
        (LazyFileWriter.close):
        * Sources.txt:
        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (IncrementalFileWriter.close):
        * yarr/create_regex_tables: Renamed from Source/JavaScriptCore/create_regex_tables.
        * yarr/generateYarrCanonicalizeUnicode: Renamed from Source/JavaScriptCore/generateYarrCanonicalizeUnicode.

2017-09-26  Zan Dobersek  <zdobersek@igalia.com>

        Support building JavaScriptCore with the Bionic C library
        https://bugs.webkit.org/show_bug.cgi?id=177427

        Reviewed by Michael Catanzaro.

        When compiling with the Bionic C library, the MachineContext.h header
        should enable the same code paths that are enabled for the GNU C library.

        The Bionic C library defines the __BIONIC__ macro, but unlike other C
        libraries that mimic the GNU one, it doesn't define __GLIBC__. So the
        __BIONIC__ macro checks have to match the __GLIBC__ ones.

        * runtime/MachineContext.h:
        (JSC::MachineContext::stackPointer):
        (JSC::MachineContext::framePointer):
        (JSC::MachineContext::instructionPointer):
        (JSC::MachineContext::argumentPointer<1>):
        (JSC::MachineContext::llintInstructionPointer):

2017-09-25  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: move Console.addInspectedNode to DOM.setInspectedNode
        https://bugs.webkit.org/show_bug.cgi?id=176827

        Reviewed by Joseph Pecoraro.

        * inspector/agents/InspectorConsoleAgent.h:

        * inspector/agents/JSGlobalObjectConsoleAgent.h:
        * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
        (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode): Deleted.

        * inspector/protocol/Console.json:
        * inspector/protocol/DOM.json:

2017-09-25  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rebaseline builtins generator tests after r222473.

        * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:

2017-09-25  Alex Christensen  <achristensen@webkit.org>

        Make Attribute an enum class
        https://bugs.webkit.org/show_bug.cgi?id=177414

        Reviewed by Yusuke Suzuki.

        I've had enough of these naming collisions.  This is what enum classes are for.
        Unfortunately, a lot of static_cast<unsigned> is necessary until those functions take
        an OptionSet<Attribute> instead of an unsigned parameter, but this is a big step
        towards where we ought to be.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        * API/JSObjectRef.cpp:
        (JSObjectMakeConstructor):
        * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
        (BuiltinsInternalsWrapperImplementationGenerator.property_macro):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::isValidValueForAttributes):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::instantiateLexicalVariables):
        (JSC::BytecodeGenerator::variable):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Variable::isReadOnly const):
        (JSC::Variable::setIsReadOnly):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * create_hash_table:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::getOwnPropertySlot):
        * dfg/DFGOperations.cpp:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * jsc.cpp:
        (WTF::CustomGetter::getOwnPropertySlot):
        (WTF::RuntimeArray::getOwnPropertySlot):
        (WTF::RuntimeArray::getOwnPropertySlotByIndex):
        (WTF::DOMJITGetter::finishCreation):
        (WTF::DOMJITGetterComplex::finishCreation):
        (WTF::DOMJITFunctionObject::finishCreation):
        (WTF::DOMJITCheckSubClassObject::finishCreation):
        (GlobalObject::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/AsyncFromSyncIteratorPrototype.cpp:
        (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::AsyncFunctionConstructor::finishCreation):
        * runtime/AsyncFunctionPrototype.cpp:
        (JSC::AsyncFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorFunctionConstructor.cpp:
        (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
        * runtime/AsyncGeneratorFunctionPrototype.cpp:
        (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorPrototype.cpp:
        (JSC::AsyncGeneratorPrototype::finishCreation):
        * runtime/AsyncIteratorPrototype.cpp:
        (JSC::AsyncIteratorPrototype::finishCreation):
        * runtime/AtomicsObject.cpp:
        (JSC::AtomicsObject::finishCreation):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createStructure):
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::materializeSpecials):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/ConsoleObject.cpp:
        (JSC::ConsoleObject::finishCreation):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::finishCreation):
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::FunctionPrototype::initRestrictedProperties):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::GeneratorFunctionConstructor::finishCreation):
        * runtime/GeneratorFunctionPrototype.cpp:
        (JSC::GeneratorFunctionPrototype::finishCreation):
        * runtime/GeneratorPrototype.cpp:
        (JSC::GeneratorPrototype::finishCreation):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation):
        * runtime/IteratorPrototype.cpp:
        (JSC::IteratorPrototype::finishCreation):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        (JSC::JSArray::setLengthWithArrayStorage):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::JSArrayBufferPrototype::finishCreation):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getOwnPropertySlot):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::finishCreation):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::JSFunction::reifyLength):
        (JSC::JSFunction::reifyName):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
        (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::addStaticGlobals):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::finishCreation):
        (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::finishCreation):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::ordinarySetSlow):
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::putGetter):
        (JSC::JSObject::putSetter):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::putDescriptor):
        (JSC::validateAndApplyPropertyDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectInternal):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::finishCreation):
        (JSC::JSPromiseConstructor::addOwnInternalSlots):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::finishCreation):
        (JSC::JSPromisePrototype::addOwnInternalSlots):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/JSSymbolTableObject.cpp:
718         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
719         * runtime/JSSymbolTableObject.h:
720         (JSC::symbolTableGet):
721         * runtime/JSTypedArrayViewConstructor.cpp:
722         (JSC::JSTypedArrayViewConstructor::finishCreation):
723         * runtime/JSTypedArrayViewPrototype.cpp:
724         (JSC::JSTypedArrayViewPrototype::finishCreation):
725         * runtime/LazyClassStructure.cpp:
726         (JSC::LazyClassStructure::Initializer::setConstructor):
727         * runtime/Lookup.cpp:
728         (JSC::reifyStaticAccessor):
729         (JSC::setUpStaticFunctionSlot):
730         * runtime/Lookup.h:
731         (JSC::HashTableValue::intrinsic const):
732         (JSC::HashTableValue::builtinGenerator const):
733         (JSC::HashTableValue::function const):
734         (JSC::HashTableValue::functionLength const):
735         (JSC::HashTableValue::propertyGetter const):
736         (JSC::HashTableValue::propertyPutter const):
737         (JSC::HashTableValue::domJIT const):
738         (JSC::HashTableValue::signature const):
739         (JSC::HashTableValue::accessorGetter const):
740         (JSC::HashTableValue::accessorSetter const):
741         (JSC::HashTableValue::constantInteger const):
742         (JSC::HashTableValue::lazyCellPropertyOffset const):
743         (JSC::HashTableValue::lazyClassStructureOffset const):
744         (JSC::HashTableValue::lazyPropertyCallback const):
745         (JSC::HashTableValue::builtinAccessorGetterGenerator const):
746         (JSC::HashTableValue::builtinAccessorSetterGenerator const):
747         (JSC::getStaticPropertySlotFromTable):
748         (JSC::putEntry):
749         (JSC::reifyStaticProperty):
750         * runtime/MapConstructor.cpp:
751         (JSC::MapConstructor::finishCreation):
752         * runtime/MapIteratorPrototype.cpp:
753         (JSC::MapIteratorPrototype::finishCreation):
754         * runtime/MapPrototype.cpp:
755         (JSC::MapPrototype::finishCreation):
756         * runtime/MathObject.cpp:
757         (JSC::MathObject::finishCreation):
758         * runtime/NativeErrorConstructor.cpp:
759         (JSC::NativeErrorConstructor::finishCreation):
760         * runtime/NativeErrorPrototype.cpp:
761         (JSC::NativeErrorPrototype::finishCreation):
762         * runtime/NumberConstructor.cpp:
763         (JSC::NumberConstructor::finishCreation):
764         * runtime/NumberPrototype.cpp:
765         (JSC::NumberPrototype::finishCreation):
766         * runtime/ObjectConstructor.cpp:
767         (JSC::ObjectConstructor::finishCreation):
768         (JSC::objectConstructorAssign):
769         (JSC::objectConstructorValues):
770         (JSC::objectConstructorDefineProperty):
771         * runtime/ObjectPrototype.cpp:
772         (JSC::ObjectPrototype::finishCreation):
773         (JSC::objectProtoFuncLookupGetter):
774         (JSC::objectProtoFuncLookupSetter):
775         * runtime/ProgramExecutable.cpp:
776         (JSC::ProgramExecutable::initializeGlobalProperties):
777         * runtime/PropertyDescriptor.cpp:
778         (JSC::PropertyDescriptor::writable const):
779         (JSC::PropertyDescriptor::enumerable const):
780         (JSC::PropertyDescriptor::configurable const):
781         (JSC::PropertyDescriptor::setUndefined):
782         (JSC::PropertyDescriptor::setDescriptor):
783         (JSC::PropertyDescriptor::setCustomDescriptor):
784         (JSC::PropertyDescriptor::setAccessorDescriptor):
785         (JSC::PropertyDescriptor::setWritable):
786         (JSC::PropertyDescriptor::setEnumerable):
787         (JSC::PropertyDescriptor::setConfigurable):
788         (JSC::PropertyDescriptor::setSetter):
789         (JSC::PropertyDescriptor::setGetter):
790         (JSC::PropertyDescriptor::attributesEqual const):
791         (JSC::PropertyDescriptor::attributesOverridingCurrent const):
792         * runtime/PropertySlot.cpp:
793         (JSC::PropertySlot::customGetter const):
794         * runtime/PropertySlot.h:
795         (JSC::operator| ):
796         (JSC::operator&):
797         (JSC::operator<):
798         (JSC::operator~):
799         (JSC::operator|=):
800         (JSC::PropertySlot::setUndefined):
801         * runtime/ProxyConstructor.cpp:
802         (JSC::makeRevocableProxy):
803         (JSC::ProxyConstructor::finishCreation):
804         * runtime/ProxyObject.cpp:
805         (JSC::ProxyObject::performHasProperty):
806         * runtime/ProxyRevoke.cpp:
807         (JSC::ProxyRevoke::finishCreation):
808         * runtime/ReflectObject.cpp:
809         (JSC::ReflectObject::finishCreation):
810         (JSC::reflectObjectDefineProperty):
811         * runtime/RegExpConstructor.cpp:
812         (JSC::RegExpConstructor::finishCreation):
813         * runtime/RegExpObject.cpp:
814         (JSC::RegExpObject::getOwnPropertySlot):
815         * runtime/RegExpPrototype.cpp:
816         (JSC::RegExpPrototype::finishCreation):
817         * runtime/ScopedArguments.cpp:
818         (JSC::ScopedArguments::overrideThings):
819         * runtime/SetConstructor.cpp:
820         (JSC::SetConstructor::finishCreation):
821         * runtime/SetIteratorPrototype.cpp:
822         (JSC::SetIteratorPrototype::finishCreation):
823         * runtime/SetPrototype.cpp:
824         (JSC::SetPrototype::finishCreation):
825         * runtime/SparseArrayValueMap.cpp:
826         (JSC::SparseArrayValueMap::putDirect):
827         (JSC::SparseArrayEntry::put):
828         * runtime/StringConstructor.cpp:
829         (JSC::StringConstructor::finishCreation):
830         * runtime/StringIteratorPrototype.cpp:
831         (JSC::StringIteratorPrototype::finishCreation):
832         * runtime/StringPrototype.cpp:
833         (JSC::StringPrototype::finishCreation):
834         * runtime/Structure.cpp:
835         (JSC::Structure::nonPropertyTransition):
836         (JSC::Structure::isSealed):
837         (JSC::Structure::isFrozen):
838         (JSC::Structure::getPropertyNamesFromStructure):
839         (JSC::Structure::prototypeChainMayInterceptStoreTo):
840         * runtime/StructureInlines.h:
841         (JSC::Structure::add):
842         * runtime/SymbolConstructor.cpp:
843         (JSC::SymbolConstructor::finishCreation):
844         * runtime/SymbolPrototype.cpp:
845         (JSC::SymbolPrototype::finishCreation):
846         * runtime/SymbolTable.h:
847         (JSC::SymbolTableEntry::Fast::getAttributes const):
848         (JSC::SymbolTableEntry::SymbolTableEntry):
849         (JSC::SymbolTableEntry::setAttributes):
850         * runtime/TemplateRegistry.cpp:
851         (JSC::TemplateRegistry::getTemplateObject):
852         * runtime/WeakMapConstructor.cpp:
853         (JSC::WeakMapConstructor::finishCreation):
854         * runtime/WeakMapPrototype.cpp:
855         (JSC::WeakMapPrototype::finishCreation):
856         * runtime/WeakSetConstructor.cpp:
857         (JSC::WeakSetConstructor::finishCreation):
858         * runtime/WeakSetPrototype.cpp:
859         (JSC::WeakSetPrototype::finishCreation):
860         * tools/JSDollarVMPrototype.cpp:
861         (JSC::JSDollarVMPrototype::finishCreation):
862         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
863         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
864         * wasm/js/WebAssemblyInstanceConstructor.cpp:
865         (JSC::WebAssemblyInstanceConstructor::finishCreation):
866         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
867         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
868         * wasm/js/WebAssemblyMemoryConstructor.cpp:
869         (JSC::WebAssemblyMemoryConstructor::finishCreation):
870         * wasm/js/WebAssemblyMemoryPrototype.cpp:
871         * wasm/js/WebAssemblyModuleConstructor.cpp:
872         (JSC::WebAssemblyModuleConstructor::finishCreation):
873         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
874         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
875         * wasm/js/WebAssemblyTableConstructor.cpp:
876         (JSC::WebAssemblyTableConstructor::finishCreation):
877
878 2017-09-23  Oleksandr Skachkov  <gskachkov@gmail.com>
879
880         [ESNext] Async iteration - Implement Async Generator - optimization
881         https://bugs.webkit.org/show_bug.cgi?id=175891
882
883         Reviewed by Yusuke Suzuki.
884
885         Add small optimization for async generators:
886         1. merging async generator queue to async generator itself
887         generator.@first / generator.@last is enough; by doing so,
888         we remove one unnecessary object alloc.
889         2. merging request with queue.
890
891         * builtins/AsyncGeneratorPrototype.js:
892         (globalPrivate.asyncGeneratorQueueIsEmpty):
893         (globalPrivate.asyncGeneratorQueueCreateItem):
894         (globalPrivate.asyncGeneratorQueueEnqueue):
895         (globalPrivate.asyncGeneratorQueueDequeue):
896         (globalPrivate.asyncGeneratorDequeue):
897         (globalPrivate.isSuspendYieldState):
898         (globalPrivate.asyncGeneratorEnqueue):
899         * builtins/BuiltinNames.h:
900         * bytecompiler/BytecodeGenerator.cpp:
901         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
902         * bytecompiler/BytecodeGenerator.h:
903         * bytecompiler/NodesCodegen.cpp:
904         (JSC::FunctionNode::emitBytecode):
905
906 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
907
908         test262: $.agent became $262.agent in test262 update
909         https://bugs.webkit.org/show_bug.cgi?id=177407
910
911         Reviewed by Yusuke Suzuki.
912
913         * jsc.cpp:
914         (GlobalObject::finishCreation):
915         Alias `$` and `$262` for now.
916
917 2017-09-22  Keith Miller  <keith_miller@apple.com>
918
919         Speculatively change iteration protocol to use the same next function
920         https://bugs.webkit.org/show_bug.cgi?id=175653
921
922         Reviewed by Saam Barati.
923
924         This patch speculatively makes a change to the iteration protocol to fetch the next
925         property immediately after calling the Symbol.iterator function. This is, in theory,
926         a breaking change, so we will see if this breaks things (most likely it won't as this
927         is a relatively subtle point).
928
929         See: https://github.com/tc39/ecma262/issues/976
930
931         * builtins/IteratorHelpers.js:
932         (performIteration):
933         * bytecompiler/BytecodeGenerator.cpp:
934         (JSC::BytecodeGenerator::emitEnumeration):
935         (JSC::BytecodeGenerator::emitIteratorNext):
936         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
937         (JSC::BytecodeGenerator::emitDelegateYield):
938         * bytecompiler/BytecodeGenerator.h:
939         * bytecompiler/NodesCodegen.cpp:
940         (JSC::ArrayPatternNode::bindValue const):
941         * inspector/JSInjectedScriptHost.cpp:
942         (Inspector::JSInjectedScriptHost::iteratorEntries):
943         * runtime/IteratorOperations.cpp:
944         (JSC::iteratorNext):
945         (JSC::iteratorStep):
946         (JSC::iteratorClose):
947         (JSC::iteratorForIterable):
948         * runtime/IteratorOperations.h:
949         (JSC::forEachInIterable):
950         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
951         (JSC::constructGenericTypedArrayViewFromIterator):
952         (JSC::constructGenericTypedArrayViewWithArguments):
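
        As an added illustration of the protocol change described in this entry (example code written for this page, not part of the WebKit patch or the JSC sources), the following constructs an iterator whose `next` property is swapped out during iteration and compares a consumer that re-reads `next` on every step with one that fetches it once, as the patched JSC does; the engine's own for-of loop is run alongside for comparison. The names `makeSwappingIterable`, `collectRefetchingNext`, `collectCachedNext` and `collectWithForOf` are hypothetical.

```javascript
// Added example, not from the WebKit patch or the JSC sources.
// Demonstrates the observable difference between the old protocol (look up
// `next` on the iterator before every step) and the new one (look up `next`
// once, immediately after calling iterable[Symbol.iterator]()).

// Constructed iterable: the first call to next() replaces the `next`
// property on the iterator with one that reports completion immediately.
// Whether later steps see that replacement depends on the protocol.
function makeSwappingIterable(values) {
  return {
    [Symbol.iterator]() {
      let i = 0;
      const iterator = {
        next() {
          // Swap `next` on the first call. The original closure keeps working
          // for any caller that already holds a reference to it.
          iterator.next = () => ({ value: undefined, done: true });
          return i < values.length
            ? { value: values[i++], done: false }
            : { value: undefined, done: true };
        },
      };
      return iterator;
    },
  };
}

// Old protocol: `iterator.next` is a fresh property lookup on every step, so
// user code can change what the loop calls mid-iteration. Every such lookup
// is a point where the consumer (including native loops such as the typed
// array constructor listed above) re-enters user code.
function collectRefetchingNext(iterable) {
  const iterator = iterable[Symbol.iterator]();
  const out = [];
  for (;;) {
    const result = iterator.next();
    if (result.done) return out;
    out.push(result.value);
  }
}

// New protocol: `next` is read once right after obtaining the iterator, so
// the loop calls the same function on every step regardless of what the
// iterator does to its own `next` property later.
function collectCachedNext(iterable) {
  const iterator = iterable[Symbol.iterator]();
  const next = iterator.next; // fetched once, as in the patched JSC
  const out = [];
  for (;;) {
    const result = next.call(iterator);
    if (result.done) return out;
    out.push(result.value);
  }
}

// The engine's own for-of loop. Engines implementing the cached-next
// semantics produce the same result as collectCachedNext.
function collectWithForOf(iterable) {
  const out = [];
  for (const v of iterable) out.push(v);
  return out;
}

console.log(collectRefetchingNext(makeSwappingIterable([1, 2, 3]))); // [1]
console.log(collectCachedNext(makeSwappingIterable([1, 2, 3])));     // [1, 2, 3]
console.log(collectWithForOf(makeSwappingIterable([1, 2, 3])));      // [1, 2, 3]
```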
953
954 2017-09-22  Fujii Hironori  <Hironori.Fujii@sony.com>
955
956         [Win64] Crashes in Yarr JIT compiled code
957         https://bugs.webkit.org/show_bug.cgi?id=177293
958
959         Reviewed by Yusuke Suzuki.
960
961         On x64 Windows, the rcx register is used for the address of the allocated
962         space for the return value. But rcx has been used for regT1 since
963         r221052. Save rcx on the stack.
964
965         * yarr/YarrJIT.cpp:
966         (JSC::Yarr::YarrGenerator::generateEnter): Push ecx.
967         (JSC::Yarr::YarrGenerator::generateReturn): Pop ecx.
968
969 2017-09-22  Saam Barati  <sbarati@apple.com>
970
971         Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
972         https://bugs.webkit.org/show_bug.cgi?id=177368
973
974         Reviewed by Keith Miller.
975
976         * runtime/ErrorInstance.cpp:
977         (JSC::ErrorInstance::finishCreation):
978         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
979         (JSC::ErrorInstance::visitChildren):
980
981 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
982
983         [DFG][FTL] Profile array vector length for array allocation
984         https://bugs.webkit.org/show_bug.cgi?id=177051
985
986         Reviewed by Saam Barati.
987
988         Currently, NewArrayBuffer allocation is penalized by JSC: While empty array gets 25 vector size (BASE_CONTIGUOUS_VECTOR_LEN),
989         new_array_buffer case gets 3 vector size (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get larger vector size
990         if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
991         the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
992
993             empty array allocation,
994
995             var array = [];
996             array.push(0);
997             array.push(1);
998             array.push(2);
999             array.push(3);
1000             array.push(4);
1001
1002             v.s. new_array_buffer case,
1003
1004             var array = [0];
1005             array.push(1);
1006             array.push(2);
1007             array.push(3);
1008             array.push(4);
1009
1010         In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (and a bit likely),
1011         we should allocate a vector size of 3 to 25 if it is likely to be grown. So we should get a profile on the resulting array.
1012
1013         We select 25 to make it fit to one of size classes.
1014
1015         In this patch, we extend ArrayAllocationProfile to record vector length. And use this information when allocating array for new_array_buffer.
1016         If the number of new_array_buffer constants is <= 25, array vector size would become 3 to 25 based on profiling. If the number of its constants
1017         is larger than 25, we just use it for allocation as before.
1018
1019         Added microbenchmark and SixSpeed spread-literal.es5 shows improvement.
1020
1021             new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
1022             spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster
1023
1024         * bytecode/ArrayAllocationProfile.cpp:
1025         (JSC::ArrayAllocationProfile::updateProfile):
1026         (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
1027         * bytecode/ArrayAllocationProfile.h:
1028         (JSC::ArrayAllocationProfile::selectIndexingType):
1029         (JSC::ArrayAllocationProfile::vectorLengthHint):
1030         (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
1031         * bytecode/CodeBlock.cpp:
1032         (JSC::CodeBlock::updateAllArrayPredictions):
1033         * dfg/DFGByteCodeParser.cpp:
1034         (JSC::DFG::ByteCodeParser::parseBlock):
1035         * dfg/DFGGraph.cpp:
1036         (JSC::DFG::Graph::dump):
1037         * dfg/DFGNode.h:
1038         (JSC::DFG::Node::vectorLengthHint):
1039         * dfg/DFGOperations.cpp:
1040         * dfg/DFGOperations.h:
1041         * dfg/DFGSpeculativeJIT64.cpp:
1042         (JSC::DFG::SpeculativeJIT::compile):
1043         * ftl/FTLLowerDFGToB3.cpp:
1044         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1045         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1046         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1047         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1048         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
1049         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
1050         * runtime/ArrayConventions.h:
1051         * runtime/JSArray.h:
1052         (JSC::JSArray::tryCreate):
1053
1054 2017-09-22  Commit Queue  <commit-queue@webkit.org>
1055
1056         Unreviewed, rolling out r222380.
1057         https://bugs.webkit.org/show_bug.cgi?id=177352
1058
1059         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
1060         #webkit).
1061
1062         Reverted changeset:
1063
1064         "[DFG][FTL] Profile array vector length for array allocation"
1065         https://bugs.webkit.org/show_bug.cgi?id=177051
1066         http://trac.webkit.org/changeset/222380
1067
1068 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1069
1070         [DFG][FTL] Profile array vector length for array allocation
1071         https://bugs.webkit.org/show_bug.cgi?id=177051
1072
1073         Reviewed by Saam Barati.
1074
1075         Currently, NewArrayBuffer allocation is penalized by JSC: While empty array gets 25 vector size (BASE_CONTIGUOUS_VECTOR_LEN),
1076         new_array_buffer case gets 3 vector size (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get larger vector size
1077         if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
1078         the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
1079
1080             empty array allocation,
1081
1082             var array = [];
1083             array.push(0);
1084             array.push(1);
1085             array.push(2);
1086             array.push(3);
1087             array.push(4);
1088
1089             v.s. new_array_buffer case,
1090
1091             var array = [0];
1092             array.push(1);
1093             array.push(2);
1094             array.push(3);
1095             array.push(4);
1096
1097         In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (and a bit likely),
1098         we should allocate a vector size of 3 to 25 if it is likely to be grown. So we should get a profile on the resulting array.
1099
1100         We select 25 to make it fit to one of size classes.
1101
1102         In this patch, we extend ArrayAllocationProfile to record vector length. And use this information when allocating array for new_array_buffer.
1103         If the number of new_array_buffer constants is <= 25, array vector size would become 3 to 25 based on profiling. If the number of its constants
1104         is larger than 25, we just use it for allocation as before.
1105
1106         Added microbenchmark and SixSpeed spread-literal.es5 shows improvement.
1107
1108             new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
1109             spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster
1110
1111         * bytecode/ArrayAllocationProfile.cpp:
1112         (JSC::ArrayAllocationProfile::updateProfile):
1113         (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
1114         * bytecode/ArrayAllocationProfile.h:
1115         (JSC::ArrayAllocationProfile::selectIndexingType):
1116         (JSC::ArrayAllocationProfile::vectorLengthHint):
1117         (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
1118         * bytecode/CodeBlock.cpp:
1119         (JSC::CodeBlock::updateAllArrayPredictions):
1120         * dfg/DFGByteCodeParser.cpp:
1121         (JSC::DFG::ByteCodeParser::parseBlock):
1122         * dfg/DFGGraph.cpp:
1123         (JSC::DFG::Graph::dump):
1124         * dfg/DFGNode.h:
1125         (JSC::DFG::Node::vectorLengthHint):
1126         * dfg/DFGOperations.cpp:
1127         * dfg/DFGOperations.h:
1128         * dfg/DFGSpeculativeJIT64.cpp:
1129         (JSC::DFG::SpeculativeJIT::compile):
1130         * ftl/FTLLowerDFGToB3.cpp:
1131         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1132         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1133         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1134         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1135         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
1136         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
1137         * runtime/ArrayConventions.h:
1138         * runtime/JSArray.h:
1139         (JSC::JSArray::tryCreate):
1140
1141 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
1142
1143         Web Inspector: Remove support for CSS Regions
1144         https://bugs.webkit.org/show_bug.cgi?id=177287
1145
1146         Reviewed by Matt Baker.
1147
1148         * inspector/protocol/CSS.json:
1149         * inspector/protocol/OverlayTypes.json:
1150
1151 2017-09-21  Brian Burg  <bburg@apple.com>
1152
1153         Web Inspector: keyboard shortcut for "Reload page from origin" doesn't match Safari, and doesn't work
1154         https://bugs.webkit.org/show_bug.cgi?id=177010
1155         <rdar://problem/33134548>
1156
1157         Reviewed by Joseph Pecoraro.
1158
1159         Use "reload from origin" nomenclature instead of "reload ignoring cache".
1160
1161         * inspector/protocol/Page.json: Improve the comment, but don't change the
1162         parameter name since this would be a divergence from legacy protocols.
1163
1164 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
1165
1166         test262: test262/test/annexB/built-ins/RegExp/prototype/flags/order-after-compile.js ASSERTs
1167         https://bugs.webkit.org/show_bug.cgi?id=177307
1168
1169         Reviewed by Michael Saboff.
1170
1171         * runtime/RegExpPrototype.cpp:
1172         In r221160 we added support for the new RegExp flag (dotAll).
1173         We needed to make space for it in FlagsString.
1174
1175 2017-09-20  Keith Miller  <keith_miller@apple.com>
1176
1177         JSC should use unified sources for platform specific files.
1178         https://bugs.webkit.org/show_bug.cgi?id=177290
1179
1180         Reviewed by Michael Saboff.
1181
1182         Add a list of platform specific source files and update the
1183         Generate Unified Sources phase of the Xcode build. I skipped WPE
1184         since that seems to have failed for some reason that I didn't
1185         fully understand. See:
1186         https://webkit-queues.webkit.org/results/4611260
1187
1188         Also, fix duplicate symbols in Glib remote inspector files.
1189
1190         * CMakeLists.txt:
1191         * JavaScriptCore.xcodeproj/project.pbxproj:
1192         * PlatformGTK.cmake:
1193         * PlatformMac.cmake:
1194         * SourcesGTK.txt: Added.
1195         * SourcesMac.txt: Added.
1196         * inspector/remote/glib/RemoteInspectorServer.cpp:
1197         (Inspector::RemoteInspectorServer::interfaceInfo):
1198         (Inspector::RemoteInspectorServer::setTargetList):
1199         (Inspector::RemoteInspectorServer::setupInspectorClient):
1200         (Inspector::RemoteInspectorServer::setup):
1201         (Inspector::RemoteInspectorServer::close):
1202         (Inspector::RemoteInspectorServer::connectionClosed):
1203         (Inspector::RemoteInspectorServer::sendMessageToBackend):
1204         (Inspector::RemoteInspectorServer::sendMessageToFrontend):
1205         (Inspector::dbusConnectionCallAsyncReadyCallback): Deleted.
1206
1207 2017-09-20  Stephan Szabo  <stephan.szabo@sony.com>
1208
1209         [Win] WTF: Add alias for process id to use in place of direct uses of pid_t
1210         https://bugs.webkit.org/show_bug.cgi?id=177017
1211
1212         Reviewed by Alex Christensen.
1213
1214         * API/JSRemoteInspector.cpp:
1215         (JSRemoteInspectorSetParentProcessInformation):
1216         * API/JSRemoteInspector.h:
1217         * inspector/remote/RemoteInspector.h:
1218
1219 2017-09-20  Keith Miller  <keith_miller@apple.com>
1220
1221         Rename source list file to Sources.txt
1222         https://bugs.webkit.org/show_bug.cgi?id=177283
1223
1224         Reviewed by Saam Barati.
1225
1226         * CMakeLists.txt:
1227         * JavaScriptCore.xcodeproj/project.pbxproj:
1228         * Sources.txt: Renamed from Source/JavaScriptCore/sources.txt.
1229
1230 2017-09-20  Keith Miller  <keith_miller@apple.com>
1231
1232         Unreviewed, fix string capitalization
1233
1234         * JavaScriptCore.xcodeproj/project.pbxproj:
1235
1236 2017-09-20  Keith Miller  <keith_miller@apple.com>
1237
1238         JSC Xcode build should use unified sources for platform independent files
1239         https://bugs.webkit.org/show_bug.cgi?id=177190
1240
1241         Reviewed by Saam Barati.
1242
1243         This patch changes the Xcode build to use unified sources. The
1244         main difference from a development perspective is that instead of
1245         adding source files to Xcode they need to be added to the shared
1246         sources.txt. For now, platform specific files are still added
1247         to the JavaScriptCore target.
1248
1249         Because Xcode needs to know about all the files before we generate
1250         them, all the unified source files need to be added to the
1251         JavaScriptCore framework target. As a result, if we run out of
1252         bundle files more will need to be added to the project. Currently,
1253         there are no spare files. If adding more bundle files becomes
1254         problematic we can change this.
1255
1256         LowLevelInterpreter.cpp can't be added to the unified source list yet
1257         due to a clang bug.
1258
1259         * CMakeLists.txt:
1260         * JavaScriptCore.xcodeproj/project.pbxproj:
1261         * sources.txt: Added.
1262
1263 2017-09-20  Per Arne Vollan  <pvollan@apple.com>
1264
1265         [Win] Cannot find script to generate unified sources.
1266         https://bugs.webkit.org/show_bug.cgi?id=177014
1267
1268         Reviewed by Keith Miller.
1269
1270         The ruby script can now be found in WTF/Scripts in the forwarding headers folder.
1271
1272         * CMakeLists.txt:
1273         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
1274
1275 2017-09-20  Alberto Garcia  <berto@igalia.com>
1276
1277         Fix HPPA and Alpha builds
1278         https://bugs.webkit.org/show_bug.cgi?id=177224
1279
1280         Reviewed by Alex Christensen.
1281
1282         * CMakeLists.txt:
1283
1284 2017-09-18  Filip Pizlo  <fpizlo@apple.com>
1285
1286         ErrorInstance and Exception need destroy methods
1287         https://bugs.webkit.org/show_bug.cgi?id=177095
1288
1289         Reviewed by Saam Barati.
1290         
1291         When I made ErrorInstance and Exception into JSDestructibleObjects, I forgot to make them
1292         follow that type's protocol.
1293
1294         * runtime/ErrorInstance.cpp:
1295         (JSC::ErrorInstance::destroy): Implement this to fix leaks.
1296         * runtime/ErrorInstance.h:
1297         * runtime/Exception.h: Change how this is declared now that this is a DestructibleObject.
1298
1299 2017-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1300
1301         [JSC] Consider dropping JSObjectSetPrototype feature for JSGlobalObject
1302         https://bugs.webkit.org/show_bug.cgi?id=177070
1303
1304         Reviewed by Saam Barati.
1305
1306         For security reasons, our global object is an immutable prototype exotic object.
1307         It prevents users from injecting proxies into the prototype chain of the global object[1].
1308         But our JSC API does not respect this attribute, and allows users to change [[Prototype]]
1309         of the global object after instantiating it.
1310
1311         This patch removes this feature. Once the global object is instantiated, we cannot change [[Prototype]]
1312         of the global object. It drops JSGlobalObject::resetPrototype use, which involves GlobalThis
1313         edge cases.
1314
1315         [1]: https://github.com/tc39/ecma262/commit/935dad4283d045bc09c67a259279772d01b3d33d
1316
1317         * API/JSObjectRef.cpp:
1318         (JSObjectSetPrototype):
1319         * API/tests/CustomGlobalObjectClassTest.c:
1320         (globalObjectSetPrototypeTest):
1321
1322 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1323
1324         [DFG] Remove ToThis more aggressively
1325         https://bugs.webkit.org/show_bug.cgi?id=177056
1326
1327         Reviewed by Saam Barati.
1328
1329         The variation of toThis() implementations is limited. So, we attempt to implement the common toThis operation in AI.
1330         We move scope related toThis to JSScope::toThis. And AI investigates proven value/structure's toThis methods
1331         and attempts to fold/convert to efficient nodes.
1332
1333         We introduce GetGlobalThis, which just loads globalThis from the semantic origin's globalObject. Using this,
1334         we can implement JSScope::toThis in DFG. This can avoid costly toThis indirect function pointer call.
1335
1336         Currently, we just emit GetGlobalThis if necessary. We can further convert it to constant if we can put
1337         watchpoint to JSGlobalObject's globalThis change. But we leave it for a future patch for now.
1338
1339         This removes GetGlobalThis from ES6 generators in common cases.
1340
1341         spread-generator.es6      303.1550+-9.5037          290.9337+-8.3487          might be 1.0420x faster
1342
1343         * dfg/DFGAbstractInterpreterInlines.h:
1344         (JSC::DFG::isToThisAnIdentity):
1345         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1346         * dfg/DFGClobberize.h:
1347         (JSC::DFG::clobberize):
1348         * dfg/DFGConstantFoldingPhase.cpp:
1349         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1350         * dfg/DFGDoesGC.cpp:
1351         (JSC::DFG::doesGC):
1352         * dfg/DFGFixupPhase.cpp:
1353         (JSC::DFG::FixupPhase::fixupNode):
1354         * dfg/DFGNode.h:
1355         (JSC::DFG::Node::convertToGetGlobalThis):
1356         * dfg/DFGNodeType.h:
1357         * dfg/DFGPredictionPropagationPhase.cpp:
1358         * dfg/DFGSafeToExecute.h:
1359         (JSC::DFG::safeToExecute):
1360         * dfg/DFGSpeculativeJIT.cpp:
1361         (JSC::DFG::SpeculativeJIT::compileGetGlobalThis):
1362         * dfg/DFGSpeculativeJIT.h:
1363         * dfg/DFGSpeculativeJIT32_64.cpp:
1364         (JSC::DFG::SpeculativeJIT::compile):
1365         * dfg/DFGSpeculativeJIT64.cpp:
1366         (JSC::DFG::SpeculativeJIT::compile):
1367         * ftl/FTLCapabilities.cpp:
1368         (JSC::FTL::canCompile):
1369         * ftl/FTLLowerDFGToB3.cpp:
1370         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1371         (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
1372         * runtime/JSGlobalLexicalEnvironment.cpp:
1373         (JSC::JSGlobalLexicalEnvironment::toThis): Deleted.
1374         * runtime/JSGlobalLexicalEnvironment.h:
1375         * runtime/JSGlobalObject.cpp:
1376         (JSC::JSGlobalObject::toThis): Deleted.
1377         * runtime/JSGlobalObject.h:
1378         (JSC::JSGlobalObject::addressOfGlobalThis):
1379         * runtime/JSLexicalEnvironment.cpp:
1380         (JSC::JSLexicalEnvironment::toThis): Deleted.
1381         * runtime/JSLexicalEnvironment.h:
1382         * runtime/JSScope.cpp:
1383         (JSC::JSScope::toThis):
1384         * runtime/JSScope.h:
1385         * runtime/StrictEvalActivation.cpp:
1386         (JSC::StrictEvalActivation::toThis): Deleted.
1387         * runtime/StrictEvalActivation.h:
1388
1389 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1390
1391         Merge JSLexicalEnvironment and JSEnvironmentRecord
1392         https://bugs.webkit.org/show_bug.cgi?id=175492
1393
1394         Reviewed by Saam Barati.
1395
1396         JSEnvironmentRecord is only inherited by JSLexicalEnvironment.
1397         We can merge JSEnvironmentRecord and JSLexicalEnvironment.
1398
1399         * CMakeLists.txt:
1400         * JavaScriptCore.xcodeproj/project.pbxproj:
1401         * dfg/DFGSpeculativeJIT.cpp:
1402         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1403         * dfg/DFGSpeculativeJIT32_64.cpp:
1404         (JSC::DFG::SpeculativeJIT::compile):
1405         * dfg/DFGSpeculativeJIT64.cpp:
1406         (JSC::DFG::SpeculativeJIT::compile):
1407         * ftl/FTLAbstractHeapRepository.h:
1408         * ftl/FTLLowerDFGToB3.cpp:
1409         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1410         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1411         (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
1412         (JSC::FTL::DFG::LowerDFGToB3::compilePutClosureVar):
1413         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1414         * jit/JITPropertyAccess.cpp:
1415         (JSC::JIT::emitGetClosureVar):
1416         (JSC::JIT::emitPutClosureVar):
1417         (JSC::JIT::emitScopedArgumentsGetByVal):
1418         * jit/JITPropertyAccess32_64.cpp:
1419         (JSC::JIT::emitGetClosureVar):
1420         (JSC::JIT::emitPutClosureVar):
1421         * llint/LLIntOffsetsExtractor.cpp:
1422         * llint/LowLevelInterpreter.asm:
1423         * llint/LowLevelInterpreter32_64.asm:
1424         * llint/LowLevelInterpreter64.asm:
1425         * runtime/JSEnvironmentRecord.cpp: Removed.
1426         * runtime/JSEnvironmentRecord.h: Removed.
1427         * runtime/JSLexicalEnvironment.cpp:
1428         (JSC::JSLexicalEnvironment::visitChildren):
1429         (JSC::JSLexicalEnvironment::heapSnapshot):
1430         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1431         * runtime/JSLexicalEnvironment.h:
1432         (JSC::JSLexicalEnvironment::subspaceFor):
1433         (JSC::JSLexicalEnvironment::variables):
1434         (JSC::JSLexicalEnvironment::isValidScopeOffset):
1435         (JSC::JSLexicalEnvironment::variableAt):
1436         (JSC::JSLexicalEnvironment::offsetOfVariables):
1437         (JSC::JSLexicalEnvironment::offsetOfVariable):
1438         (JSC::JSLexicalEnvironment::allocationSizeForScopeSize):
1439         (JSC::JSLexicalEnvironment::allocationSize):
1440         (JSC::JSLexicalEnvironment::finishCreationUninitialized):
1441         (JSC::JSLexicalEnvironment::finishCreation):
1442         * runtime/JSModuleEnvironment.cpp:
1443         (JSC::JSModuleEnvironment::create):
1444         * runtime/JSObject.h:
1445         (JSC::JSObject::isEnvironment const):
1446         (JSC::JSObject::isEnvironmentRecord const): Deleted.
1447         * runtime/JSSegmentedVariableObject.h:
1448         * runtime/StringPrototype.cpp:
1449         (JSC::checkObjectCoercible):
1450
1451 2017-09-15  Saam Barati  <sbarati@apple.com>
1452
1453         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
1454         https://bugs.webkit.org/show_bug.cgi?id=176981
1455
1456         Reviewed by Yusuke Suzuki.
1457
1458         This patch makes inline arity fixup happen in two phases:
1459         1. We get all the values we need and MovHint them to the expected locals.
1460         2. We SetLocal them inside the callee's CodeOrigin. This way, if we exit, the callee's
1461            frame is already set up. If any SetLocal exits, we have a valid exit state.
1462            This is required because if we didn't do this in two phases, we may exit in
1463            the middle of arity fixup from the caller's CodeOrigin. This is unsound because if
1464            we did the SetLocals in the caller's frame, the memcpy may clobber needed parts
1465            of the frame right before exiting. For example, consider if we need to pad two args:
1466            [arg3][arg2][arg1][arg0]
1467            [fix ][fix ][arg3][arg2][arg1][arg0]
1468            We memcpy starting from arg0 in the direction of arg3. If we were to exit at a type check
1469            for arg3's SetLocal in the caller's CodeOrigin, we'd exit with a frame like so:
1470            [arg3][arg2][arg1][arg2][arg1][arg0]
1471            And the caller would then just end up thinking its arguments are:
1472            [arg3][arg2][arg1][arg2]
1473            which is incorrect.
1474        
1475        
1476         This patch also fixes a couple of bugs in IdentityWithProfile:
1477         1. The bytecode generator for this bytecode intrinsic was written incorrectly.
1478            It needed to store the result of evaluating its argument in a temporary that
1479            it creates. Otherwise, it might try to simply overwrite a constant
1480            or a register that it didn't own.
1481         2. We weren't eliminating this node in CSE inside the DFG.
1482
1483         * bytecompiler/NodesCodegen.cpp:
1484         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
1485         * dfg/DFGByteCodeParser.cpp:
1486         (JSC::DFG::ByteCodeParser::inlineCall):
1487         * dfg/DFGCSEPhase.cpp:
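
        The following is an added illustration for this entry, not JavaScriptCore code: a small model of the
        frame-overlap problem sketched above. It assumes the caller's argument i sits at stack slot i and that
        arity fixup shifts the callee frame down by `pad` slots, so the callee's argument slots overlap the
        caller's; `singlePhaseExit` and `twoPhaseExit` are invented names for the buggy and the fixed shape.

```cpp
// Added illustration, not JavaScriptCore code: why inline arity fixup must
// MovHint first and SetLocal in the callee's CodeOrigin. Slot numbers are
// addresses: a frame shifted down by `pad` slots puts arg i at slot i - pad,
// so the callee's argument slots overlap the caller's. Names are invented.
#include <cassert>
#include <cstddef>
#include <map>
#include <string>
#include <vector>

using Slot = int;                           // stack slot index (address / 8)
using Memory = std::map<Slot, std::string>; // the stack, only the slots we touch

static Memory callerFrame(size_t argc) {
    Memory m;
    for (size_t i = 0; i < argc; ++i)
        m[(Slot)i] = "arg" + std::to_string(i);
    return m;
}

// What exit recovery attributed to the caller's CodeOrigin believes the
// caller's arguments are: its argc slots read straight from memory.
static std::vector<std::string> callerView(const Memory& m, size_t argc) {
    std::vector<std::string> v;
    for (size_t i = 0; i < argc; ++i)
        v.push_back(m.at((Slot)i));
    return v;
}

// Single-phase fixup (the buggy shape): each SetLocal writes memory at once
// while still in the caller's CodeOrigin. An exit after `stepsDone` writes
// sees a caller frame the copies have already clobbered.
static std::vector<std::string> singlePhaseExit(size_t argc, size_t pad, size_t stepsDone) {
    Memory m = callerFrame(argc);
    // Copy starting from arg0 in the direction of the highest argument.
    for (size_t i = 0; i < stepsDone; ++i)
        m[(Slot)i - (Slot)pad] = m[(Slot)i];
    return callerView(m, argc);             // exit now, in the caller's origin
}

// Two-phase fixup (the fixed shape): phase 1 captures every value (MovHint),
// phase 2 writes them in the callee's CodeOrigin. An exit during phase 2
// rebuilds the callee frame from the captured values, so however many
// writes have landed, the exit state is complete and correct.
static std::vector<std::string> twoPhaseExit(size_t argc, size_t pad, size_t stepsDone) {
    Memory m = callerFrame(argc);
    std::vector<std::string> hinted;        // phase 1: MovHint each argument
    for (size_t i = 0; i < argc; ++i)
        hinted.push_back(m[(Slot)i]);
    for (size_t i = 0; i < stepsDone; ++i)  // phase 2: SetLocal in the callee
        m[(Slot)i - (Slot)pad] = hinted[i];
    std::vector<std::string> calleeArgs = hinted;
    calleeArgs.resize(argc + pad, "undefined"); // padded arguments are undefined
    return calleeArgs;                       // exit now, in the callee's origin
}
```

        With argc = 4, pad = 2 and an exit after three writes, singlePhaseExit returns arg2, arg1, arg2, arg3,
        the clobbered caller view from the sketch above, while twoPhaseExit recovers the same callee frame no
        matter how many writes had landed.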
1488
1489 2017-09-15  JF Bastien  <jfbastien@apple.com>
1490
1491         WTF: use Forward.h when appropriate instead of Vector.h
1492         https://bugs.webkit.org/show_bug.cgi?id=176984
1493
1494         Reviewed by Saam Barati.
1495
1496         There's no need to include Vector.h when Forward.h will suffice. All we need is to move the template default parameters from Vector, and then the forward declaration can be used in so many new places: if a header only takes Vector by reference, rvalue reference, pointer, returns any of these, or has them as members then the header doesn't need to see the definition because the declaration will suffice.
1497
1498         * bytecode/HandlerInfo.h:
1499         * heap/GCIncomingRefCounted.h:
1500         * heap/GCSegmentedArray.h:
1501         * wasm/js/JSWebAssemblyModule.h:
1502
1503 2017-09-14  Saam Barati  <sbarati@apple.com>
1504
1505         We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags
1506         https://bugs.webkit.org/show_bug.cgi?id=176863
1507
1508         Reviewed by Keith Miller.
1509
1510         * CMakeLists.txt:
1511         * JavaScriptCore.xcodeproj/project.pbxproj:
1512         * runtime/ProxyObject.cpp:
1513         (JSC::performProxyGet):
1514         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1515         (JSC::ProxyObject::performHasProperty):
1516         (JSC::ProxyObject::getOwnPropertySlotCommon):
1517         (JSC::ProxyObject::performPut):
1518         (JSC::performProxyCall):
1519         (JSC::performProxyConstruct):
1520         (JSC::ProxyObject::performDelete):
1521         (JSC::ProxyObject::performPreventExtensions):
1522         (JSC::ProxyObject::performIsExtensible):
1523         (JSC::ProxyObject::performDefineOwnProperty):
1524         (JSC::ProxyObject::performGetOwnPropertyNames):
1525         (JSC::ProxyObject::performSetPrototype):
1526         (JSC::ProxyObject::performGetPrototype):
1527
1528 2017-09-14  Saam Barati  <sbarati@apple.com>
1529
1530         Make dumping the graph print both when exitOK and when !exitOK
1531         https://bugs.webkit.org/show_bug.cgi?id=176954
1532
1533         Reviewed by Keith Miller.
1534
1535         * dfg/DFGGraph.cpp:
1536         (JSC::DFG::Graph::dump):
1537
1538 2017-09-14  Saam Barati  <sbarati@apple.com>
1539
1540         It should be valid to exit before each set when doing arity fixup when inlining
1541         https://bugs.webkit.org/show_bug.cgi?id=176948
1542
1543         Reviewed by Keith Miller.
1544
1545         This patch makes it so that we can exit before each SetLocal when doing arity
1546         fixup during inlining. This is OK because if we exit at any of these SetLocals,
1547         we will simply exit to the beginning of the call instruction.
1548         
1549         Not doing this led to a bug where FixupPhase would insert a ValueRep of
1550         a node before the actual node. This is obviously invalid IR. I've added
1551         a new validation rule to catch this malformed IR.
1552
1553         * dfg/DFGByteCodeParser.cpp:
1554         (JSC::DFG::ByteCodeParser::inliningCost):
1555         (JSC::DFG::ByteCodeParser::inlineCall):
1556         * dfg/DFGValidate.cpp:
1557         * runtime/Options.h:
1558
1559 2017-09-14  Mark Lam  <mark.lam@apple.com>
1560
1561         AddressSanitizer: stack-buffer-underflow in JSC::Probe::Page::Page
1562         https://bugs.webkit.org/show_bug.cgi?id=176874
1563         <rdar://problem/34436415>
1564
1565         Reviewed by Saam Barati.
1566
1567         1. Make Probe::Stack play nice with ASan by:
1568
1569            a. using a local memcpy implementation that suppresses ASan on ASan builds.
1570               We don't want to use std::memcpy() which validates stack memory because
1571               we are intentionally copying stack memory beyond the current frame.
1572
1573            b. changing Stack::s_chunkSize to equal sizeof(uintptr_t) on ASan builds.
1574               This ensures that Page::flushWrites() only writes stack memory that was
1575               modified by a probe.  The probes should only modify stack memory that
1576               belongs to JSC stack data structures.  We don't want to inadvertently
1577               modify adjacent words that may belong to ASan (which may happen if
1578               s_chunkSize is larger than sizeof(uintptr_t)).
1579
1580            c. fixing a bug in Page dirtyBits management for when the size of the value to
1581               write is greater than s_chunkSize.  The fix is generic, but in practice,
1582               this currently only manifests on 32-bit ASan builds because
1583               sizeof(uintptr_t) and s_chunkSize are 32-bit, and we may write 64-bit
1584               values.
1585
1586            d. making Page::m_dirtyBits 64 bits always.  This maximizes the number of
1587               s_chunksPerPage we can have even on ASan builds.
1588
1589         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
1590            std::memcpy to avoid strict aliasing issues.
1591
1592         3. Optimized the implementation of Page::physicalAddressFor().
1593
1594         4. Optimized the implementation of Stack::set() in the recording of the low
1595            watermark.  We just record the lowest raw pointer now, and only compute the
1596            alignment to its chunk boundary later when the low watermark is requested.
1597
1598         5. Changed a value in testmasm to make the test less vulnerable to rounding issues.
1599
1600         No new test needed because this is already covered by testmasm with ASan enabled.
1601
1602         * assembler/ProbeContext.h:
1603         (JSC::Probe::CPUState::gpr const):
1604         (JSC::Probe::CPUState::spr const):
1605         (JSC::Probe::Context::gpr):
1606         (JSC::Probe::Context::spr):
1607         (JSC::Probe::Context::fpr):
1608         (JSC::Probe::Context::gprName):
1609         (JSC::Probe::Context::sprName):
1610         (JSC::Probe::Context::fprName):
1611         (JSC::Probe::Context::gpr const):
1612         (JSC::Probe::Context::spr const):
1613         (JSC::Probe::Context::fpr const):
1614         (JSC::Probe::Context::pc):
1615         (JSC::Probe::Context::fp):
1616         (JSC::Probe::Context::sp):
1617         (JSC::Probe:: const): Deleted.
1618         * assembler/ProbeStack.cpp:
1619         (JSC::Probe::copyStackPage):
1620         (JSC::Probe::Page::Page):
1621         (JSC::Probe::Page::flushWrites):
1622         * assembler/ProbeStack.h:
1623         (JSC::Probe::Page::get):
1624         (JSC::Probe::Page::set):
1625         (JSC::Probe::Page::dirtyBitFor):
1626         (JSC::Probe::Page::physicalAddressFor):
1627         (JSC::Probe::Stack::lowWatermark):
1628         (JSC::Probe::Stack::get):
1629         (JSC::Probe::Stack::set):
1630         * assembler/testmasm.cpp:
1631         (JSC::testProbeModifiesStackValues):
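
        Added model for item 1.c above, not JavaScriptCore's ProbeStack code: a write-back Page with one dirty
        bit per chunk, a chunk size of 4 bytes standing in for sizeof(uintptr_t) on 32-bit ASan builds, and
        8-byte writes that span two chunks. The `buggy` flag reproduces marking only the first chunk; every
        name in the block is this example's own.

```cpp
// Added model, not JavaScriptCore's ProbeStack: a write-back page with one
// dirty bit per chunk. A value wider than a chunk spans several chunks and
// must dirty all of them, or flushWrites() writes back only part of it.
// chunkSize = 4 with 8-byte values mirrors the 32-bit ASan case; all names
// here are invented for the example.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>

struct Page {
    static constexpr size_t chunkSize = 4;                        // sizeof(uintptr_t) on 32-bit
    static constexpr size_t pageSize = 64;
    static constexpr size_t chunksPerPage = pageSize / chunkSize; // 16, fits the 64 dirty bits
    uint8_t* base;                    // real memory shadowed by this page
    uint8_t buffer[pageSize];         // the probe's working copy of it
    uint64_t dirtyBits = 0;

    explicit Page(uint8_t* physical) : base(physical) { std::memcpy(buffer, physical, pageSize); }

    // Dirty every chunk touched by [offset, offset + size). Marking only the
    // first chunk is the bug: for size > chunkSize the tail chunks stay clean.
    void markDirty(size_t offset, size_t size, bool buggy) {
        size_t first = offset / chunkSize;
        size_t last = buggy ? first : (offset + size - 1) / chunkSize;
        for (size_t c = first; c <= last; ++c)
            dirtyBits |= uint64_t(1) << c;
    }

    template<typename T>
    void set(size_t offset, T value, bool buggy = false) {
        assert(offset + sizeof(T) <= pageSize);
        std::memcpy(buffer + offset, &value, sizeof(T)); // memcpy avoids strict-aliasing issues
        markDirty(offset, sizeof(T), buggy);
    }

    // Write back only dirty chunks: words the probe never modified (which may
    // belong to someone else, e.g. ASan bookkeeping) are never rewritten.
    void flushWrites() {
        for (size_t c = 0; c < chunksPerPage; ++c)
            if (dirtyBits & (uint64_t(1) << c))
                std::memcpy(base + c * chunkSize, buffer + c * chunkSize, chunkSize);
        dirtyBits = 0;
    }
};

// Dirty mask produced by a write of `size` bytes at `offset`.
static uint64_t dirtyMaskFor(size_t offset, size_t size, bool buggy) {
    uint8_t scratch[Page::pageSize] = {};
    Page page(scratch);
    page.markDirty(offset, size, buggy);
    return page.dirtyBits;
}

// The 64-bit value that actually lands in a constructed stack buffer at
// `offset` after a probe writes `value` through a Page and flushes.
static uint64_t writeThroughPage(size_t offset, uint64_t value, bool buggy) {
    uint8_t stack[Page::pageSize];
    std::memset(stack, 0xAA, sizeof stack);   // constructed "old" stack contents
    Page page(stack);
    page.set(offset, value, buggy);
    page.flushWrites();
    uint64_t landed;
    std::memcpy(&landed, stack + offset, sizeof landed);
    return landed;
}
```

        An 8-byte write at offset 4 must dirty chunks 1 and 2; with the buggy marking only chunk 1 is flushed,
        and half of the value written by the probe never reaches the real stack.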
1632
1633 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1634
1635         [JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed
1636         https://bugs.webkit.org/show_bug.cgi?id=176917
1637
1638         Reviewed by Saam Barati.
1639
1640         * dfg/DFGByteCodeParser.cpp:
1641         (JSC::DFG::ByteCodeParser::inliningCost):
1642         * runtime/Options.h:
1643
1644 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1645
1646         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
1647         https://bugs.webkit.org/show_bug.cgi?id=176867
1648
1649         Reviewed by Sam Weinig.
1650
1651         We rarely require private symbols when enumerating property names.
1652         This patch adds PrivateSymbolMode::{Include,Exclude}. If PrivateSymbolMode::Exclude
1653         is specified, PropertyNameArray does not include private symbols.
1654         This removes many ad-hoc `Identifier::isPrivateName()` in enumeration operations.
1655
1656         One additional good thing is that we do not need to filter private symbols out from PropertyNameArray.
1657         It allows us to use Object.keys()'s fast path for Object.getOwnPropertySymbols.
1658
1659         object-get-own-property-symbols                48.6275+-1.0021     ^     38.1846+-1.7934        ^ definitely 1.2735x faster
1660
1661         * API/JSObjectRef.cpp:
1662         (JSObjectCopyPropertyNames):
1663         * bindings/ScriptValue.cpp:
1664         (Inspector::jsToInspectorValue):
1665         * bytecode/ObjectAllocationProfile.h:
1666         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
1667         * runtime/EnumerationMode.h:
1668         * runtime/IntlObject.cpp:
1669         (JSC::supportedLocales):
1670         * runtime/JSONObject.cpp:
1671         (JSC::Stringifier::Stringifier):
1672         (JSC::Stringifier::Holder::appendNextProperty):
1673         (JSC::Walker::walk):
1674         * runtime/JSPropertyNameEnumerator.cpp:
1675         (JSC::JSPropertyNameEnumerator::create):
1676         * runtime/JSPropertyNameEnumerator.h:
1677         (JSC::propertyNameEnumerator):
1678         * runtime/ObjectConstructor.cpp:
1679         (JSC::objectConstructorGetOwnPropertyDescriptors):
1680         (JSC::objectConstructorAssign):
1681         (JSC::objectConstructorValues):
1682         (JSC::defineProperties):
1683         (JSC::setIntegrityLevel):
1684         (JSC::testIntegrityLevel):
1685         (JSC::ownPropertyKeys):
1686         * runtime/PropertyNameArray.h:
1687         (JSC::PropertyNameArray::PropertyNameArray):
1688         (JSC::PropertyNameArray::propertyNameMode const):
1689         (JSC::PropertyNameArray::privateSymbolMode const):
1690         (JSC::PropertyNameArray::addUncheckedInternal):
1691         (JSC::PropertyNameArray::addUnchecked):
1692         (JSC::PropertyNameArray::add):
1693         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
1694         (JSC::PropertyNameArray::includeSymbolProperties const):
1695         (JSC::PropertyNameArray::includeStringProperties const):
1696         (JSC::PropertyNameArray::mode const): Deleted.
1697         * runtime/ProxyObject.cpp:
1698         (JSC::ProxyObject::performGetOwnPropertyNames):
1699
1700 2017-09-13  Mark Lam  <mark.lam@apple.com>
1701
1702         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
1703         https://bugs.webkit.org/show_bug.cgi?id=176888
1704         <rdar://problem/34381832>
1705
1706         Not reviewed.
1707
1708         * JavaScriptCore.xcodeproj/project.pbxproj:
1709         * assembler/MacroAssembler.cpp:
1710         (JSC::stdFunctionCallback):
1711         * assembler/MacroAssemblerPrinter.cpp:
1712         (JSC::Printer::printCallback):
1713         * assembler/ProbeContext.h:
1714         (JSC::Probe:: const):
1715         (JSC::Probe::Context::Context):
1716         (JSC::Probe::Context::gpr):
1717         (JSC::Probe::Context::spr):
1718         (JSC::Probe::Context::fpr):
1719         (JSC::Probe::Context::gprName):
1720         (JSC::Probe::Context::sprName):
1721         (JSC::Probe::Context::fprName):
1722         (JSC::Probe::Context::pc):
1723         (JSC::Probe::Context::fp):
1724         (JSC::Probe::Context::sp):
1725         (JSC::Probe::CPUState::gpr const): Deleted.
1726         (JSC::Probe::CPUState::spr const): Deleted.
1727         (JSC::Probe::Context::arg): Deleted.
1728         (JSC::Probe::Context::gpr const): Deleted.
1729         (JSC::Probe::Context::spr const): Deleted.
1730         (JSC::Probe::Context::fpr const): Deleted.
1731         * assembler/ProbeFrame.h: Removed.
1732         * assembler/ProbeStack.cpp:
1733         (JSC::Probe::Page::Page):
1734         * assembler/ProbeStack.h:
1735         (JSC::Probe::Page::get):
1736         (JSC::Probe::Page::set):
1737         (JSC::Probe::Page::physicalAddressFor):
1738         (JSC::Probe::Stack::lowWatermark):
1739         (JSC::Probe::Stack::get):
1740         (JSC::Probe::Stack::set):
1741         * bytecode/ArithProfile.cpp:
1742         * bytecode/ArithProfile.h:
1743         * bytecode/ArrayProfile.h:
1744         (JSC::ArrayProfile::observeArrayMode): Deleted.
1745         * bytecode/CodeBlock.cpp:
1746         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted.
1747         * bytecode/CodeBlock.h:
1748         (JSC::CodeBlock::addressOfOSRExitCounter):
1749         * bytecode/ExecutionCounter.h:
1750         (JSC::ExecutionCounter::hasCrossedThreshold const): Deleted.
1751         (JSC::ExecutionCounter::setNewThresholdForOSRExit): Deleted.
1752         * bytecode/MethodOfGettingAValueProfile.cpp:
1753         (JSC::MethodOfGettingAValueProfile::reportValue): Deleted.
1754         * bytecode/MethodOfGettingAValueProfile.h:
1755         * dfg/DFGDriver.cpp:
1756         (JSC::DFG::compileImpl):
1757         * dfg/DFGJITCode.cpp:
1758         (JSC::DFG::JITCode::findPC):
1759         * dfg/DFGJITCode.h:
1760         * dfg/DFGJITCompiler.cpp:
1761         (JSC::DFG::JITCompiler::linkOSRExits):
1762         (JSC::DFG::JITCompiler::link):
1763         * dfg/DFGOSRExit.cpp:
1764         (JSC::DFG::OSRExit::setPatchableCodeOffset):
1765         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const):
1766         (JSC::DFG::OSRExit::codeLocationForRepatch const):
1767         (JSC::DFG::OSRExit::correctJump):
1768         (JSC::DFG::OSRExit::emitRestoreArguments):
1769         (JSC::DFG::OSRExit::compileOSRExit):
1770         (JSC::DFG::OSRExit::compileExit):
1771         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
1772         (JSC::DFG::jsValueFor): Deleted.
1773         (JSC::DFG::restoreCalleeSavesFor): Deleted.
1774         (JSC::DFG::saveCalleeSavesFor): Deleted.
1775         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted.
1776         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted.
1777         (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted.
1778         (JSC::DFG::createDirectArgumentsDuringExit): Deleted.
1779         (JSC::DFG::createClonedArgumentsDuringExit): Deleted.
1780         (JSC::DFG::emitRestoreArguments): Deleted.
1781         (JSC::DFG::OSRExit::executeOSRExit): Deleted.
1782         (JSC::DFG::reifyInlinedCallFrames): Deleted.
1783         (JSC::DFG::adjustAndJumpToTarget): Deleted.
1784         (JSC::DFG::printOSRExit): Deleted.
1785         * dfg/DFGOSRExit.h:
1786         (JSC::DFG::OSRExitState::OSRExitState): Deleted.
1787         * dfg/DFGOSRExitCompilerCommon.cpp:
1788         * dfg/DFGOSRExitCompilerCommon.h:
1789         * dfg/DFGOperations.cpp:
1790         * dfg/DFGOperations.h:
1791         * dfg/DFGThunks.cpp:
1792         (JSC::DFG::osrExitGenerationThunkGenerator):
1793         (JSC::DFG::osrExitThunkGenerator): Deleted.
1794         * dfg/DFGThunks.h:
1795         * jit/AssemblyHelpers.cpp:
1796         (JSC::AssemblyHelpers::debugCall):
1797         * jit/AssemblyHelpers.h:
1798         * jit/JITOperations.cpp:
1799         * jit/JITOperations.h:
1800         * profiler/ProfilerOSRExit.h:
1801         (JSC::Profiler::OSRExit::incCount): Deleted.
1802         * runtime/JSCJSValue.h:
1803         * runtime/JSCJSValueInlines.h:
1804         * runtime/VM.h:
1805
1806 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1807
1808         [JSC] Move class/struct used in other class' member out of anonymous namespace
1809         https://bugs.webkit.org/show_bug.cgi?id=176876
1810
1811         Reviewed by Saam Barati.
1812
1813         GCC warns if a class has a base or field whose type uses the anonymous namespace
1814         and it is defined in an included file. This is because this possibly violates the
1815         one definition rule (ODR): if an included file has the anonymous namespace, each
1816         translation unit creates its private anonymous namespace. Thus, each type
1817         inside the anonymous namespace becomes different in each translation unit if
1818         the file is included in multiple translation units.
1819
1820         While the current use in JSC is not violating ODR since these cpp files are included
1821         only once for unified sources, specifying `-Wno-subobject-linkage` could miss
1822         the actual bugs. So, in this patch, we just move related classes/structs out of
1823         the anonymous namespace.
1824
1825         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1826         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::addition):
1827         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::arrayBounds):
1828         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator! const):
1829         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::hash const):
1830         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator== const):
1831         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::dump const):
1832         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::RangeKeyAndAddend):
1833         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::operator! const):
1834         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::dump const):
1835         (JSC::DFG::IntegerCheckCombiningPhase::Range::dump const):
1836         * dfg/DFGLICMPhase.cpp:
1837
1838 2017-09-13  Devin Rousso  <webkit@devinrousso.com>
1839
1840         Web Inspector: Event Listeners section does not update when listeners are added/removed
1841         https://bugs.webkit.org/show_bug.cgi?id=170570
1842         <rdar://problem/31501645>
1843
1844         Reviewed by Joseph Pecoraro.
1845
1846         * inspector/protocol/DOM.json:
1847         Add two new events: "didAddEventListener" and "willRemoveEventListener". These events do not
1848         contain any information about the event listeners that were added/removed. They serve more
1849         as indications that something has changed, and to refetch the data again via `getEventListenersForNode`.
1850
1851 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1852
1853         [JSC] Fix Array allocation in Object.keys
1854         https://bugs.webkit.org/show_bug.cgi?id=176826
1855
1856         Reviewed by Saam Barati.
1857
1858         When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
1859         We check isHavingABadTime() in ownPropertyKeys fast path.
1860         And we also ensure, by a test, that ownPropertyKeys uses the putDirect operation instead of put.
1861
1862         * runtime/ObjectConstructor.cpp:
1863         (JSC::ownPropertyKeys):
1864
1865 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1866
1867         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
1868         https://bugs.webkit.org/show_bug.cgi?id=176010
1869
1870         Reviewed by Filip Pizlo.
1871
1872         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
1873         It is used for meta property for objects (see peekMeta function in Ember.js).
1874
1875         This patch optimizes WeakMap#get.
1876
1877         1. We use inlineGet to inline WeakMap#get operation in the native function.
1878         Since this native function itself is very small, we should inline HashMap#get
1879         entirely in this function.
1880
1881         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
1882         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
1883         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
1884         ObjectUse, and Int32Use.
1885
1886         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
1887         calculate hash value for the key's Object and use this hash value to look up value from
1888         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
1889         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
1890         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
1891         patches.
1892
1893         We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
1894         not used in Ember.js right now.
1895
1896         This patch optimizes WeakMap#get by 50%.
1897
1898                                  baseline                  patched
1899
1900         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
1901
1902         * bytecode/DirectEvalCodeCache.h:
1903         (JSC::DirectEvalCodeCache::tryGet):
1904         * bytecode/SpeculatedType.cpp:
1905         (JSC::dumpSpeculation):
1906         (JSC::speculationFromClassInfo):
1907         (JSC::speculationFromJSType):
1908         (JSC::speculationFromString):
1909         * bytecode/SpeculatedType.h:
1910         * dfg/DFGAbstractInterpreterInlines.h:
1911         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1912         * dfg/DFGByteCodeParser.cpp:
1913         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1914         * dfg/DFGClobberize.h:
1915         (JSC::DFG::clobberize):
1916         * dfg/DFGDoesGC.cpp:
1917         (JSC::DFG::doesGC):
1918         * dfg/DFGFixupPhase.cpp:
1919         (JSC::DFG::FixupPhase::fixupNode):
1920         * dfg/DFGHeapLocation.cpp:
1921         (WTF::printInternal):
1922         * dfg/DFGHeapLocation.h:
1923         * dfg/DFGNode.h:
1924         (JSC::DFG::Node::hasHeapPrediction):
1925         * dfg/DFGNodeType.h:
1926         * dfg/DFGOperations.cpp:
1927         * dfg/DFGOperations.h:
1928         * dfg/DFGPredictionPropagationPhase.cpp:
1929         * dfg/DFGSafeToExecute.h:
1930         (JSC::DFG::SafeToExecuteEdge::operator()):
1931         (JSC::DFG::safeToExecute):
1932         * dfg/DFGSpeculativeJIT.cpp:
1933         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
1934         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
1935         (JSC::DFG::SpeculativeJIT::speculate):
1936         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
1937         * dfg/DFGSpeculativeJIT.h:
1938         (JSC::DFG::SpeculativeJIT::callOperation):
1939         * dfg/DFGSpeculativeJIT32_64.cpp:
1940         (JSC::DFG::SpeculativeJIT::compile):
1941         * dfg/DFGSpeculativeJIT64.cpp:
1942         (JSC::DFG::SpeculativeJIT::compile):
1943         * dfg/DFGUseKind.cpp:
1944         (WTF::printInternal):
1945         * dfg/DFGUseKind.h:
1946         (JSC::DFG::typeFilterFor):
1947         (JSC::DFG::isCell):
1948         * ftl/FTLCapabilities.cpp:
1949         (JSC::FTL::canCompile):
1950         * ftl/FTLLowerDFGToB3.cpp:
1951         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1952         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
1953         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
1954         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
1955         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1956         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
1957         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
1958         * jit/JITOperations.h:
1959         * runtime/HashMapImpl.h:
1960         (JSC::WeakMapHash::hash):
1961         (JSC::WeakMapHash::equal):
1962         * runtime/Intrinsic.cpp:
1963         (JSC::intrinsicName):
1964         * runtime/Intrinsic.h:
1965         * runtime/JSType.h:
1966         * runtime/JSWeakMap.h:
1967         (JSC::isJSWeakMap):
1968         * runtime/JSWeakSet.h:
1969         (JSC::isJSWeakSet):
1970         * runtime/WeakMapBase.cpp:
1971         (JSC::WeakMapBase::get):
1972         * runtime/WeakMapBase.h:
1973         (JSC::WeakMapBase::HashTranslator::hash):
1974         (JSC::WeakMapBase::HashTranslator::equal):
1975         (JSC::WeakMapBase::inlineGet):
1976         * runtime/WeakMapPrototype.cpp:
1977         (JSC::WeakMapPrototype::finishCreation):
1978         (JSC::getWeakMap):
1979         (JSC::protoFuncWeakMapGet):
1980         * runtime/WeakSetPrototype.cpp:
1981         (JSC::getWeakSet):
1982
1983 2017-09-12  Keith Miller  <keith_miller@apple.com>
1984
1985         Rename JavaScriptCore CMake unifiable sources list
1986         https://bugs.webkit.org/show_bug.cgi?id=176823
1987
1988         Reviewed by Joseph Pecoraro.
1989
1990         This patch also changes the error message when the unified source
1991         bundler fails to be more accurate.
1992
1993         * CMakeLists.txt:
1994
1995 2017-09-12  Keith Miller  <keith_miller@apple.com>
1996
1997         Do unified source builds for JSC
1998         https://bugs.webkit.org/show_bug.cgi?id=176076
1999
2000         Reviewed by Geoffrey Garen.
2001
2002         This patch switches the CMake JavaScriptCore build to use unified sources.
2003         The Xcode build will be upgraded in a follow up patch.
2004
2005         Most of the source changes in this patch are fixing static
2006         variable/functions name collisions. The most common collisions
2007         were from our use of "static const bool verbose" and "using
2008         namespace ...". I fixed all the verbose cases and fixed the "using
2009         namespace" issues that occurred under the current bundling
2010         strategy. It's likely that more of the "using namespace" issues
2011         will need to be resolved in the future, particularly in the FTL.
2012
2013         I don't expect either of these problems will apply to other parts
2014         of the project nearly as much as in JSC. Using a verbose variable
2015         is a JSC idiom and JSC tends to use the same, canonical class name
2016         in multiple parts of the engine.
2017
2018         * CMakeLists.txt:
2019         * b3/B3CheckSpecial.cpp:
2020         (JSC::B3::CheckSpecial::forEachArg):
2021         (JSC::B3::CheckSpecial::generate):
2022         (JSC::B3::Air::numB3Args): Deleted.
2023         * b3/B3DuplicateTails.cpp:
2024         * b3/B3EliminateCommonSubexpressions.cpp:
2025         * b3/B3FixSSA.cpp:
2026         (JSC::B3::demoteValues):
2027         * b3/B3FoldPathConstants.cpp:
2028         * b3/B3InferSwitches.cpp:
2029         * b3/B3LowerMacrosAfterOptimizations.cpp:
2030         (): Deleted.
2031         * b3/B3LowerToAir.cpp:
2032         (JSC::B3::Air::LowerToAir::LowerToAir): Deleted.
2033         (JSC::B3::Air::LowerToAir::run): Deleted.
2034         (JSC::B3::Air::LowerToAir::shouldCopyPropagate): Deleted.
2035         (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise): Deleted.
2036         (JSC::B3::Air::LowerToAir::ArgPromise::swap): Deleted.
2037         (JSC::B3::Air::LowerToAir::ArgPromise::operator=): Deleted.
2038         (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise): Deleted.
2039         (JSC::B3::Air::LowerToAir::ArgPromise::setTraps): Deleted.
2040         (JSC::B3::Air::LowerToAir::ArgPromise::tmp): Deleted.
2041         (JSC::B3::Air::LowerToAir::ArgPromise::operator bool const): Deleted.
2042         (JSC::B3::Air::LowerToAir::ArgPromise::kind const): Deleted.
2043         (JSC::B3::Air::LowerToAir::ArgPromise::peek const): Deleted.
2044         (JSC::B3::Air::LowerToAir::ArgPromise::consume): Deleted.
2045         (JSC::B3::Air::LowerToAir::ArgPromise::inst): Deleted.
2046         (JSC::B3::Air::LowerToAir::tmp): Deleted.
2047         (JSC::B3::Air::LowerToAir::tmpPromise): Deleted.
2048         (JSC::B3::Air::LowerToAir::canBeInternal): Deleted.
2049         (JSC::B3::Air::LowerToAir::commitInternal): Deleted.
2050         (JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
2051         (JSC::B3::Air::LowerToAir::scaleForShl): Deleted.
2052         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
2053         (JSC::B3::Air::LowerToAir::addr): Deleted.
2054         (JSC::B3::Air::LowerToAir::trappingInst): Deleted.
2055         (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode): Deleted.
2056         (JSC::B3::Air::LowerToAir::loadPromise): Deleted.
2057         (JSC::B3::Air::LowerToAir::imm): Deleted.
2058         (JSC::B3::Air::LowerToAir::bitImm): Deleted.
2059         (JSC::B3::Air::LowerToAir::bitImm64): Deleted.
2060         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
2061         (JSC::B3::Air::LowerToAir::tryOpcodeForType): Deleted.
2062         (JSC::B3::Air::LowerToAir::opcodeForType): Deleted.
2063         (JSC::B3::Air::LowerToAir::appendUnOp): Deleted.
2064         (JSC::B3::Air::LowerToAir::preferRightForResult): Deleted.
2065         (JSC::B3::Air::LowerToAir::appendBinOp): Deleted.
2066         (JSC::B3::Air::LowerToAir::appendShift): Deleted.
2067         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp): Deleted.
2068         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): Deleted.
2069         (JSC::B3::Air::LowerToAir::createStore): Deleted.
2070         (JSC::B3::Air::LowerToAir::storeOpcode): Deleted.
2071         (JSC::B3::Air::LowerToAir::appendStore): Deleted.
2072         (JSC::B3::Air::LowerToAir::moveForType): Deleted.
2073         (JSC::B3::Air::LowerToAir::relaxedMoveForType): Deleted.
2074         (JSC::B3::Air::LowerToAir::print): Deleted.
2075         (JSC::B3::Air::LowerToAir::append): Deleted.
2076         (JSC::B3::Air::LowerToAir::appendTrapping): Deleted.
2077         (JSC::B3::Air::LowerToAir::finishAppendingInstructions): Deleted.
2078         (JSC::B3::Air::LowerToAir::newBlock): Deleted.
2079         (JSC::B3::Air::LowerToAir::splitBlock): Deleted.
2080         (JSC::B3::Air::LowerToAir::ensureSpecial): Deleted.
2081         (JSC::B3::Air::LowerToAir::ensureCheckSpecial): Deleted.
2082         (JSC::B3::Air::LowerToAir::fillStackmap): Deleted.
2083         (JSC::B3::Air::LowerToAir::createGenericCompare): Deleted.
2084         (JSC::B3::Air::LowerToAir::createBranch): Deleted.
2085         (JSC::B3::Air::LowerToAir::createCompare): Deleted.
2086         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
2087         (JSC::B3::Air::LowerToAir::tryAppendLea): Deleted.
2088         (JSC::B3::Air::LowerToAir::appendX86Div): Deleted.
2089         (JSC::B3::Air::LowerToAir::appendX86UDiv): Deleted.
2090         (JSC::B3::Air::LowerToAir::loadLinkOpcode): Deleted.
2091         (JSC::B3::Air::LowerToAir::storeCondOpcode): Deleted.
2092         (JSC::B3::Air::LowerToAir::appendCAS): Deleted.
2093         (JSC::B3::Air::LowerToAir::appendVoidAtomic): Deleted.
2094         (JSC::B3::Air::LowerToAir::appendGeneralAtomic): Deleted.
2095         (JSC::B3::Air::LowerToAir::lower): Deleted.
2096         * b3/B3PatchpointSpecial.cpp:
2097         (JSC::B3::PatchpointSpecial::generate):
2098         * b3/B3ReduceDoubleToFloat.cpp:
2099         (JSC::B3::reduceDoubleToFloat):
2100         * b3/B3ReduceStrength.cpp:
2101         * b3/B3StackmapGenerationParams.cpp:
2102         * b3/B3StackmapSpecial.cpp:
2103         (JSC::B3::StackmapSpecial::repsImpl):
2104         (JSC::B3::StackmapSpecial::repForArg):
2105         * b3/air/AirAllocateStackByGraphColoring.cpp:
2106         (JSC::B3::Air::allocateStackByGraphColoring):
2107         * b3/air/AirEmitShuffle.cpp:
2108         (JSC::B3::Air::emitShuffle):
2109         * b3/air/AirFixObviousSpills.cpp:
2110         * b3/air/AirLowerAfterRegAlloc.cpp:
2111         (JSC::B3::Air::lowerAfterRegAlloc):
2112         * b3/air/AirStackAllocation.cpp:
2113         (JSC::B3::Air::attemptAssignment):
2114         (JSC::B3::Air::assign):
2115         * bytecode/AccessCase.cpp:
2116         (JSC::AccessCase::generateImpl):
2117         * bytecode/CallLinkStatus.cpp:
2118         (JSC::CallLinkStatus::computeDFGStatuses):
2119         * bytecode/GetterSetterAccessCase.cpp:
2120         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
2121         * bytecode/ObjectPropertyConditionSet.cpp:
2122         * bytecode/PolymorphicAccess.cpp:
2123         (JSC::PolymorphicAccess::addCases):
2124         (JSC::PolymorphicAccess::regenerate):
2125         * bytecode/PropertyCondition.cpp:
2126         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
2127         * bytecode/StructureStubInfo.cpp:
2128         (JSC::StructureStubInfo::addAccessCase):
2129         * dfg/DFGArgumentsEliminationPhase.cpp:
2130         * dfg/DFGByteCodeParser.cpp:
2131         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
2132         (JSC::DFG::ByteCodeParser::inliningCost):
2133         (JSC::DFG::ByteCodeParser::inlineCall):
2134         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2135         (JSC::DFG::ByteCodeParser::handleInlining):
2136         (JSC::DFG::ByteCodeParser::planLoad):
2137         (JSC::DFG::ByteCodeParser::store):
2138         (JSC::DFG::ByteCodeParser::parseBlock):
2139         (JSC::DFG::ByteCodeParser::linkBlock):
2140         (JSC::DFG::ByteCodeParser::linkBlocks):
2141         * dfg/DFGCSEPhase.cpp:
2142         * dfg/DFGInPlaceAbstractState.cpp:
2143         (JSC::DFG::InPlaceAbstractState::merge):
2144         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2145         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
2146         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2147         * dfg/DFGMovHintRemovalPhase.cpp:
2148         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2149         * dfg/DFGPhantomInsertionPhase.cpp:
2150         * dfg/DFGPutStackSinkingPhase.cpp:
2151         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2152         * dfg/DFGVarargsForwardingPhase.cpp:
2153         * ftl/FTLAbstractHeap.cpp:
2154         (JSC::FTL::AbstractHeap::compute):
2155         * ftl/FTLAbstractHeapRepository.cpp:
2156         (JSC::FTL::AbstractHeapRepository::decorateMemory):
2157         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
2158         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
2159         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
2160         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
2161         (JSC::FTL::AbstractHeapRepository::decorateFenceRead):
2162         (JSC::FTL::AbstractHeapRepository::decorateFenceWrite):
2163         (JSC::FTL::AbstractHeapRepository::decorateFencedAccess):
2164         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
2165         * ftl/FTLLink.cpp:
2166         (JSC::FTL::link):
2167         * heap/MarkingConstraintSet.cpp:
2168         (JSC::MarkingConstraintSet::add):
2169         * interpreter/ShadowChicken.cpp:
2170         (JSC::ShadowChicken::update):
2171         * jit/BinarySwitch.cpp:
2172         (JSC::BinarySwitch::BinarySwitch):
2173         (JSC::BinarySwitch::build):
2174         * llint/LLIntData.cpp:
2175         (JSC::LLInt::Data::loadStats):
2176         (JSC::LLInt::Data::saveStats):
2177         * runtime/ArrayPrototype.cpp:
2178         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
2179         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2180         * runtime/ErrorInstance.cpp:
2181         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
2182         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
2183         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame const): Deleted.
2184         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index const): Deleted.
2185         * runtime/IntlDateTimeFormat.cpp:
2186         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2187         * runtime/PromiseDeferredTimer.cpp:
2188         (JSC::PromiseDeferredTimer::doWork):
2189         (JSC::PromiseDeferredTimer::addPendingPromise):
2190         (JSC::PromiseDeferredTimer::cancelPendingPromise):
2191         * runtime/TypeProfiler.cpp:
2192         (JSC::TypeProfiler::insertNewLocation):
2193         * runtime/TypeProfilerLog.cpp:
2194         (JSC::TypeProfilerLog::processLogEntries):
2195         * runtime/WeakMapPrototype.cpp:
2196         (JSC::protoFuncWeakMapDelete):
2197         (JSC::protoFuncWeakMapGet):
2198         (JSC::protoFuncWeakMapHas):
2199         (JSC::protoFuncWeakMapSet):
2200         (JSC::getWeakMapData): Deleted.
2201         * runtime/WeakSetPrototype.cpp:
2202         (JSC::protoFuncWeakSetDelete):
2203         (JSC::protoFuncWeakSetHas):
2204         (JSC::protoFuncWeakSetAdd):
2205         (JSC::getWeakMapData): Deleted.
2206         * testRegExp.cpp:
2207         (testOneRegExp):
2208         (runFromFiles):
2209         * wasm/WasmB3IRGenerator.cpp:
2210         (JSC::Wasm::parseAndCompile):
2211         * wasm/WasmBBQPlan.cpp:
2212         (JSC::Wasm::BBQPlan::moveToState):
2213         (JSC::Wasm::BBQPlan::parseAndValidateModule):
2214         (JSC::Wasm::BBQPlan::prepare):
2215         (JSC::Wasm::BBQPlan::compileFunctions):
2216         (JSC::Wasm::BBQPlan::complete):
2217         * wasm/WasmFaultSignalHandler.cpp:
2218         (JSC::Wasm::trapHandler):
2219         * wasm/WasmOMGPlan.cpp:
2220         (JSC::Wasm::OMGPlan::OMGPlan):
2221         (JSC::Wasm::OMGPlan::work):
2222         * wasm/WasmPlan.cpp:
2223         (JSC::Wasm::Plan::fail):
2224         * wasm/WasmSignature.cpp:
2225         (JSC::Wasm::SignatureInformation::adopt):
2226         * wasm/WasmWorklist.cpp:
2227         (JSC::Wasm::Worklist::enqueue):
2228
2229 2017-09-12  Michael Saboff  <msaboff@apple.com>
2230
2231         String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp
2232         https://bugs.webkit.org/show_bug.cgi?id=176814
2233
2234         Reviewed by Mark Lam.
2235
2236         The copy and advance indices were off by one and needed a little fine tuning.
2237
2238         * runtime/StringPrototype.cpp:
2239         (JSC::substituteBackreferencesSlow):
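
The behaviour that entry restores is specified by the ECMAScript GetSubstitution abstract operation: when the RegExp has no named groups, a `$<name>` reference in the replacement string is copied literally as the two characters `$<` and the scan advances past exactly those two, so nothing may be dropped or duplicated. The following is an added reference model of GetSubstitution, not JSC's substituteBackreferencesSlow, with function names (getSubstitution, replaceBothWays) chosen here; it lets the native engine's String.prototype.replace be checked against the spec text.

```javascript
// Reference model of ECMAScript GetSubstitution (ES2018, 21.1.3.14.1).
// Added example, not JavaScriptCore source. Arguments mirror the spec:
// matched text, the whole string, match position, positional captures,
// the named-captures object (undefined when the pattern has none), and
// the replacement template.
function getSubstitution(matched, str, position, captures, namedCaptures, replacement) {
  const m = captures.length;
  const tailPos = position + matched.length;
  let result = '';
  let i = 0;
  while (i < replacement.length) {
    const ch = replacement[i];
    if (ch !== '$' || i + 1 >= replacement.length) {
      result += ch;                            // ordinary char, or a trailing lone "$"
      i += 1;
      continue;
    }
    const next = replacement[i + 1];
    if (next === '$') {                        // "$$" -> "$"
      result += '$';
      i += 2;
    } else if (next === '&') {                 // "$&" -> matched text
      result += matched;
      i += 2;
    } else if (next === '`') {                 // "$`" -> text before the match
      result += str.slice(0, position);
      i += 2;
    } else if (next === "'") {                 // "$'" -> text after the match
      result += str.slice(tailPos);
      i += 2;
    } else if (next >= '0' && next <= '9') {   // "$n" / "$nn" -> positional capture
      // The two-digit form applies only when 01 <= nn <= m; otherwise try one digit.
      const twoDigit = replacement.slice(i + 1, i + 3);
      let n = -1;
      let consumed = 0;
      if (/^\d\d$/.test(twoDigit) && Number(twoDigit) >= 1 && Number(twoDigit) <= m) {
        n = Number(twoDigit);
        consumed = 3;
      } else if (Number(next) >= 1 && Number(next) <= m) {
        n = Number(next);
        consumed = 2;
      }
      if (n === -1) {                          // no such group: "$" is literal
        result += '$';
        i += 1;
      } else {
        const cap = captures[n - 1];
        result += cap === undefined ? '' : cap;
        i += consumed;
      }
    } else if (next === '<') {                 // "$<name>" -> named capture
      if (namedCaptures === undefined) {
        // Pattern has no named groups: "$<" is literal. Copy exactly two
        // characters and advance exactly two; this is the case the entry above fixes.
        result += '$<';
        i += 2;
      } else {
        const close = replacement.indexOf('>', i + 2);
        if (close === -1) {                    // unterminated "$<": literal
          result += '$<';
          i += 2;
        } else {
          const groupName = replacement.slice(i + 2, close);
          const cap = namedCaptures[groupName];
          result += cap === undefined ? '' : String(cap);
          i = close + 1;
        }
      }
    } else {                                   // "$" followed by anything else: literal
      result += '$';
      i += 1;
    }
  }
  return result;
}

// Runs a single (non-global) replace through the native engine and through the
// model and returns both, so a divergence such as a stray '<' shows up directly.
function replaceBothWays(str, re, replacement) {
  const match = re.exec(str);
  if (match === null) return { native: str, model: str };
  const captures = match.slice(1);
  const namedCaptures = match.groups;          // undefined when there are no named groups
  const model = str.slice(0, match.index)
    + getSubstitution(match[0], str, match.index, captures, namedCaptures, replacement)
    + str.slice(match.index + match[0].length);
  return { native: str.replace(re, replacement), model };
}
```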
2240
2241 2017-09-11  Mark Lam  <mark.lam@apple.com>
2242
2243         More exception check book-keeping needed found by 32-bit JSC test failures.
2244         https://bugs.webkit.org/show_bug.cgi?id=176742
2245
2246         Reviewed by Michael Saboff and Keith Miller.
2247
2248         * dfg/DFGOperations.cpp:
2249
2250 2017-09-11  Mark Lam  <mark.lam@apple.com>
2251
2252         Make jsc dump the command line if JSC_dumpOption environment variable is set with a non-zero value.
2253         https://bugs.webkit.org/show_bug.cgi?id=176722
2254
2255         Reviewed by Saam Barati.
2256
2257         For PLATFORM(COCOA), I also dumped the JSC_* environmental variables that are
2258         in effect when jsc is invoked.
2259
2260         * jsc.cpp:
2261         (CommandLine::parseArguments):
2262
2263 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
2264
2265         Unreviewed, rolling out r221854.
2266
2267         The test added with this change fails on 32-bit JSC bots.
2268
2269         Reverted changeset:
2270
2271         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
2272         https://bugs.webkit.org/show_bug.cgi?id=176010
2273         http://trac.webkit.org/changeset/221854
2274
2275 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2276
2277         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
2278         https://bugs.webkit.org/show_bug.cgi?id=176010
2279
2280         Reviewed by Filip Pizlo.
2281
2282         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
2283         It is used for meta property for objects (see peekMeta function in Ember.js).
2284
2285         This patch optimizes WeakMap#get.
2286
2287         1. We use inlineGet to inline WeakMap#get operation in the native function.
2288         Since this native function itself is very small, we should inline HashMap#get
2289         entirely in this function.
2290
2291         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
2292         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
2293         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
2294         ObjectUse, and Int32Use.
2295
2296         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
2297         calculate hash value for the key's Object and use this hash value to look up value from
2298         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
2299         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
2300         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
2301         patches.
2302
2303         We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
2304         not used in Ember.js right now.
2305
2306         This patch optimizes WeakMap#get by 50%.
2307
2308                                  baseline                  patched
2309
2310         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
2311
2312         * bytecode/DirectEvalCodeCache.h:
2313         (JSC::DirectEvalCodeCache::tryGet):
2314         * bytecode/SpeculatedType.cpp:
2315         (JSC::dumpSpeculation):
2316         (JSC::speculationFromClassInfo):
2317         (JSC::speculationFromJSType):
2318         (JSC::speculationFromString):
2319         * bytecode/SpeculatedType.h:
2320         * dfg/DFGAbstractInterpreterInlines.h:
2321         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2322         * dfg/DFGByteCodeParser.cpp:
2323         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2324         * dfg/DFGClobberize.h:
2325         (JSC::DFG::clobberize):
2326         * dfg/DFGDoesGC.cpp:
2327         (JSC::DFG::doesGC):
2328         * dfg/DFGFixupPhase.cpp:
2329         (JSC::DFG::FixupPhase::fixupNode):
2330         * dfg/DFGHeapLocation.cpp:
2331         (WTF::printInternal):
2332         * dfg/DFGHeapLocation.h:
2333         * dfg/DFGNode.h:
2334         (JSC::DFG::Node::hasHeapPrediction):
2335         * dfg/DFGNodeType.h:
2336         * dfg/DFGOperations.cpp:
2337         * dfg/DFGOperations.h:
2338         * dfg/DFGPredictionPropagationPhase.cpp:
2339         * dfg/DFGSafeToExecute.h:
2340         (JSC::DFG::SafeToExecuteEdge::operator()):
2341         (JSC::DFG::safeToExecute):
2342         * dfg/DFGSpeculativeJIT.cpp:
2343         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
2344         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
2345         (JSC::DFG::SpeculativeJIT::speculate):
2346         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
2347         * dfg/DFGSpeculativeJIT.h:
2348         (JSC::DFG::SpeculativeJIT::callOperation):
2349         * dfg/DFGSpeculativeJIT32_64.cpp:
2350         (JSC::DFG::SpeculativeJIT::compile):
2351         * dfg/DFGSpeculativeJIT64.cpp:
2352         (JSC::DFG::SpeculativeJIT::compile):
2353         * dfg/DFGUseKind.cpp:
2354         (WTF::printInternal):
2355         * dfg/DFGUseKind.h:
2356         (JSC::DFG::typeFilterFor):
2357         (JSC::DFG::isCell):
2358         * ftl/FTLCapabilities.cpp:
2359         (JSC::FTL::canCompile):
2360         * ftl/FTLLowerDFGToB3.cpp:
2361         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2362         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
2363         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
2364         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
2365         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2366         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
2367         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
2368         * jit/JITOperations.h:
2369         * runtime/Intrinsic.cpp:
2370         (JSC::intrinsicName):
2371         * runtime/Intrinsic.h:
2372         * runtime/JSType.h:
2373         * runtime/JSWeakMap.h:
2374         (JSC::isJSWeakMap):
2375         * runtime/JSWeakSet.h:
2376         (JSC::isJSWeakSet):
2377         * runtime/WeakMapBase.cpp:
2378         (JSC::WeakMapBase::get):
2379         * runtime/WeakMapBase.h:
2380         (JSC::WeakMapBase::HashTranslator::hash):
2381         (JSC::WeakMapBase::HashTranslator::equal):
2382         (JSC::WeakMapBase::inlineGet):
2383         * runtime/WeakMapPrototype.cpp:
2384         (JSC::WeakMapPrototype::finishCreation):
2385         (JSC::getWeakMap):
2386         (JSC::protoFuncWeakMapGet):
2387         * runtime/WeakSetPrototype.cpp:
2388         (JSC::getWeakSet):
2389
2390 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2391
2392         [JSC] Optimize Object.keys by using careful array allocation
2393         https://bugs.webkit.org/show_bug.cgi?id=176654
2394
2395         Reviewed by Darin Adler.
2396
2397         SixSpeed object-assign.es6 stresses Object.keys. Object.keys is one of the frequently used
2398         functions in JS apps. Luckily Object.keys has several good features.
2399
2400         1. Once PropertyNameArray is allocated, we know the length of the result array since
2401         we do not need to filter out keys listed in PropertyNameArray. The exception is ProxyObject,
2402         but it rarely appears. ProxyObject case goes to the generic path.
2403
2404         2. Object.keys does not need to access object after listing PropertyNameArray. It means
2405         that we do not need to worry about enumeration attribute change by touching object.
2406
2407         This patch adds a fast path for Object.keys's array allocation. We allocate the JSArray
2408         with the size and ArrayContiguous indexing shape.
2409
2410         This further improves SixSpeed object-assign.es5 by 13%.
2411
2412                                             baseline                  patched
2413         Microbenchmarks:
2414            object-keys-map-values       73.4324+-2.5397     ^     62.5933+-2.6677        ^ definitely 1.1732x faster
2415            object-keys                  40.8828+-1.5851     ^     29.2066+-1.8944        ^ definitely 1.3998x faster
2416
2417                                             baseline                  patched
2418         SixSpeed:
2419            object-assign.es5           384.8719+-10.7204    ^    340.2734+-12.0947       ^ definitely 1.1311x faster
2420
2421         BTW, the further optimization of Object.keys can be considered: introducing own property keys
2422         cache which is similar to the current enumeration cache. But this patch is orthogonal to
2423         this optimization!
2424
2425         * runtime/ObjectConstructor.cpp:
2426         (JSC::objectConstructorValues):
2427         (JSC::ownPropertyKeys):
2428         * runtime/ObjectConstructor.h:
2429
2430 2017-09-10  Mark Lam  <mark.lam@apple.com>
2431
2432         Fix all ExceptionScope verification failures in JavaScriptCore.
2433         https://bugs.webkit.org/show_bug.cgi?id=176662
2434         <rdar://problem/34352085>
2435
2436         Reviewed by Filip Pizlo.
2437
2438         1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope
2439            verification for release builds too (though this requires manually setting
2440            ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).
2441
2442            This is useful because it allows us to run the tests more quickly to check
2443            if any regressions have occurred.  Debug builds run so much slower and are not
2444            good for a quick turnaround.  Debug builds are necessary though to get
2445            trace information without inlining by the C++ compiler.  This is necessary to
2446            diagnose where the missing exception check is.
2447
2448         2. Repurposed the JSC_dumpSimulatedThrows=true option to capture and dump the last
2449            simulated throw when an exception scope verification fails.
2450
2451            Previously, this option dumped the stack trace on all simulated throws.  That
2452            turned out to not be very useful, and slows down the debugging process.
2453            Instead, the new implementation captures the stack trace and only dumps it
2454            if we have a verification failure.
2455
2456         3. Fixed missing exception checks and book-keeping needed to allow the JSC tests
2457            to pass with JSC_validateExceptionChecks=true.
2458
2459         * bytecode/CodeBlock.cpp:
2460         (JSC::CodeBlock::finishCreation):
2461         * dfg/DFGOSRExit.cpp:
2462         (JSC::DFG::OSRExit::executeOSRExit):
2463         * dfg/DFGOperations.cpp:
2464         * interpreter/Interpreter.cpp:
2465         (JSC::eval):
2466         (JSC::loadVarargs):
2467         (JSC::Interpreter::unwind):
2468         (JSC::Interpreter::executeProgram):
2469         (JSC::Interpreter::executeCall):
2470         (JSC::Interpreter::executeConstruct):
2471         (JSC::Interpreter::prepareForRepeatCall):
2472         (JSC::Interpreter::execute):
2473         (JSC::Interpreter::executeModuleProgram):
2474         * jit/JITOperations.cpp:
2475         (JSC::getByVal):
2476         * jsc.cpp:
2477         (WTF::CustomGetter::customGetterAcessor):
2478         (GlobalObject::moduleLoaderImportModule):
2479         (GlobalObject::moduleLoaderResolve):
2480         * llint/LLIntSlowPaths.cpp:
2481         (JSC::LLInt::getByVal):
2482         (JSC::LLInt::setUpCall):
2483         * parser/Parser.h:
2484         (JSC::Parser::popScopeInternal):
2485         * runtime/AbstractModuleRecord.cpp:
2486         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2487         (JSC::AbstractModuleRecord::resolveImport):
2488         (JSC::AbstractModuleRecord::resolveExportImpl):
2489         (JSC::getExportedNames):
2490         (JSC::AbstractModuleRecord::getModuleNamespace):
2491         * runtime/ArrayPrototype.cpp:
2492         (JSC::getProperty):
2493         (JSC::unshift):
2494         (JSC::arrayProtoFuncToString):
2495         (JSC::arrayProtoFuncToLocaleString):
2496         (JSC::arrayProtoFuncJoin):
2497         (JSC::arrayProtoFuncPop):
2498         (JSC::arrayProtoFuncPush):
2499         (JSC::arrayProtoFuncReverse):
2500         (JSC::arrayProtoFuncShift):
2501         (JSC::arrayProtoFuncSlice):
2502         (JSC::arrayProtoFuncSplice):
2503         (JSC::arrayProtoFuncUnShift):
2504         (JSC::arrayProtoFuncIndexOf):
2505         (JSC::arrayProtoFuncLastIndexOf):
2506         (JSC::concatAppendOne):
2507         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2508         (JSC::arrayProtoPrivateFuncAppendMemcpy):
2509         * runtime/CatchScope.h:
2510         * runtime/CommonSlowPaths.cpp:
2511         (JSC::SLOW_PATH_DECL):
2512         * runtime/DatePrototype.cpp:
2513         (JSC::dateProtoFuncSetTime):
2514         (JSC::setNewValueFromTimeArgs):
2515         * runtime/DirectArguments.h:
2516         (JSC::DirectArguments::length const):
2517         * runtime/ErrorPrototype.cpp:
2518         (JSC::errorProtoFuncToString):
2519         * runtime/ExceptionFuzz.cpp:
2520         (JSC::doExceptionFuzzing):
2521         * runtime/ExceptionScope.h:
2522         (JSC::ExceptionScope::needExceptionCheck):
2523         (JSC::ExceptionScope::assertNoException):
2524         * runtime/GenericArgumentsInlines.h:
2525         (JSC::GenericArguments<Type>::defineOwnProperty):
2526         * runtime/HashMapImpl.h:
2527         (JSC::HashMapImpl::rehash):
2528         * runtime/IntlDateTimeFormat.cpp:
2529         (JSC::IntlDateTimeFormat::formatToParts):
2530         * runtime/JSArray.cpp:
2531         (JSC::JSArray::defineOwnProperty):
2532         (JSC::JSArray::put):
2533         * runtime/JSCJSValue.cpp:
2534         (JSC::JSValue::putToPrimitive):
2535         (JSC::JSValue::putToPrimitiveByIndex):
2536         * runtime/JSCJSValueInlines.h:
2537         (JSC::JSValue::toIndex const):
2538         (JSC::JSValue::get const):
2539         (JSC::JSValue::getPropertySlot const):
2540         (JSC::JSValue::equalSlowCaseInline):
2541         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2542         (JSC::constructGenericTypedArrayViewFromIterator):
2543         (JSC::constructGenericTypedArrayViewWithArguments):
2544         * runtime/JSGenericTypedArrayViewInlines.h:
2545         (JSC::JSGenericTypedArrayView<Adaptor>::set):
2546         * runtime/JSGlobalObject.cpp:
2547         (JSC::JSGlobalObject::put):
2548         * runtime/JSGlobalObjectFunctions.cpp:
2549         (JSC::decode):
2550         (JSC::globalFuncEval):
2551         (JSC::globalFuncProtoGetter):
2552         (JSC::globalFuncProtoSetter):
2553         (JSC::globalFuncImportModule):
2554         * runtime/JSInternalPromise.cpp:
2555         (JSC::JSInternalPromise::then):
2556         * runtime/JSInternalPromiseDeferred.cpp:
2557         (JSC::JSInternalPromiseDeferred::create):
2558         * runtime/JSJob.cpp:
2559         (JSC::JSJobMicrotask::run):
2560         * runtime/JSModuleEnvironment.cpp:
2561         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2562         (JSC::JSModuleEnvironment::put):
2563         (JSC::JSModuleEnvironment::deleteProperty):
2564         * runtime/JSModuleLoader.cpp:
2565         (JSC::JSModuleLoader::provide):
2566         (JSC::JSModuleLoader::loadAndEvaluateModule):
2567         (JSC::JSModuleLoader::loadModule):
2568         (JSC::JSModuleLoader::linkAndEvaluateModule):
2569         (JSC::JSModuleLoader::requestImportModule):
2570         * runtime/JSModuleRecord.cpp:
2571         (JSC::JSModuleRecord::link):
2572         (JSC::JSModuleRecord::instantiateDeclarations):
2573         * runtime/JSONObject.cpp:
2574         (JSC::Stringifier::stringify):
2575         (JSC::Stringifier::toJSON):
2576         (JSC::JSONProtoFuncParse):
2577         * runtime/JSObject.cpp:
2578         (JSC::JSObject::calculatedClassName):
2579         (JSC::ordinarySetSlow):
2580         (JSC::JSObject::putInlineSlow):
2581         (JSC::JSObject::ordinaryToPrimitive const):
2582         (JSC::JSObject::toPrimitive const):
2583         (JSC::JSObject::hasInstance):
2584         (JSC::JSObject::getPropertyNames):
2585         (JSC::JSObject::toNumber const):
2586         (JSC::JSObject::defineOwnIndexedProperty):
2587         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2588         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2589         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2590         (JSC::validateAndApplyPropertyDescriptor):
2591         (JSC::JSObject::defineOwnNonIndexProperty):
2592         (JSC::JSObject::getGenericPropertyNames):
2593         * runtime/JSObject.h:
2594         (JSC::JSObject::get const):
2595         * runtime/JSObjectInlines.h:
2596         (JSC::JSObject::getPropertySlot const):
2597         (JSC::JSObject::getPropertySlot):
2598         (JSC::JSObject::getNonIndexPropertySlot):
2599         (JSC::JSObject::putInlineForJSObject):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::create):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        (JSC::JSScope::resolve):
        (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
        (JSC::JSScope::abstractResolve):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        (JSC::LiteralParser<CharType>::parse):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToString):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        (JSC::objectConstructorAssign):
        (JSC::objectConstructorValues):
        (JSC::toPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        (JSC::defineProperties):
        (JSC::objectConstructorDefineProperties):
        (JSC::ownPropertyKeys):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncIsPrototypeOf):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncToLocaleString):
        (JSC::objectProtoFuncToString):
        * runtime/Options.h:
        * runtime/ParseInt.h:
        (JSC::toStringView):
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performPut):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectDefineProperty):
        * runtime/RegExpConstructor.cpp:
        (JSC::toFlags):
        (JSC::regExpCreate):
        (JSC::constructRegExp):
        * runtime/RegExpObject.cpp:
        (JSC::collectMatches):
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::execInline):
        (JSC::RegExpObject::matchInline):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTestFast):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncMatchFast):
        (JSC::regExpProtoFuncToString):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/ThrowScope.cpp:
        (JSC::ThrowScope::simulateThrow):
        * runtime/VM.cpp:
        (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
        * runtime/VM.h:
        * runtime/WeakMapPrototype.cpp:
        (JSC::protoFuncWeakMapSet):
        * runtime/WeakSetPrototype.cpp:
        (JSC::protoFuncWeakSetAdd):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::WebAssemblyModuleConstructor::createModule):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::reject):
        (JSC::webAssemblyCompileFunc):
        (JSC::resolve):
        (JSC::webAssemblyInstantiateFunc):

2017-09-08  Filip Pizlo  <fpizlo@apple.com>

        Error should compute .stack and friends lazily
        https://bugs.webkit.org/show_bug.cgi?id=176645

        Reviewed by Saam Barati.

        Building the string portion of the stack trace after we walk the stack accounts for most of
        the cost of computing the .stack property. So, this patch makes ErrorInstance hold onto the
        Vector<StackFrame> so that it can build the string only once it's really needed.

        This is an enormous speed-up for programs that allocate and throw exceptions.

        It's a 5.6x speed-up for "new Error()" with a stack that is 4 functions deep.

        It's a 2.2x speed-up for throwing and catching an Error.

        It's a 1.17x speed-up for the WSL test suite (which throws a lot).

        It's a significant speed-up on many of our existing try-catch microbenchmarks. For example,
        delta-blue-try-catch is 1.16x faster.

        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
        (JSC::GetStackTraceFunctor::operator() const):
        (JSC::Interpreter::getStackTrace):
        * interpreter/Interpreter.h:
        * runtime/Error.cpp:
        (JSC::getStackTrace):
        (JSC::getBytecodeOffset):
        (JSC::addErrorInfo):
        (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
        * runtime/Error.h:
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        (JSC::ErrorInstance::finishCreation):
        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
        (JSC::ErrorInstance::visitChildren):
        (JSC::ErrorInstance::getOwnPropertySlot):
        (JSC::ErrorInstance::getOwnNonIndexPropertyNames):
        (JSC::ErrorInstance::defineOwnProperty):
        (JSC::ErrorInstance::put):
        (JSC::ErrorInstance::deleteProperty):
        * runtime/ErrorInstance.h:
        * runtime/Exception.cpp:
        (JSC::Exception::visitChildren):
        (JSC::Exception::finishCreation):
        * runtime/Exception.h:
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::visitChildren):
        * runtime/StackFrame.h:
        (JSC::StackFrame::StackFrame):

2017-09-09  Mark Lam  <mark.lam@apple.com>

        [Re-landing] Use JIT probes for DFG OSR exit.
        https://bugs.webkit.org/show_bug.cgi?id=175144
        <rdar://problem/33437050>

        Not reviewed.  Original patch reviewed by Saam Barati.

        Relanding r221774.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::gpr const):
        (JSC::Probe::CPUState::spr const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::arg):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::gpr const):
        (JSC::Probe::Context::spr const):
        (JSC::Probe::Context::fpr const):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe:: const): Deleted.
        * assembler/ProbeFrame.h: Copied from Source/JavaScriptCore/assembler/ProbeFrame.h.
        * assembler/ProbeStack.cpp:
        (JSC::Probe::Page::Page):
        * assembler/ProbeStack.h:
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        * bytecode/ArithProfile.cpp:
        * bytecode/ArithProfile.h:
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::observeArrayMode):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
        * bytecode/ExecutionCounter.h:
        (JSC::ExecutionCounter::hasCrossedThreshold const):
        (JSC::ExecutionCounter::setNewThresholdForOSRExit):
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::reportValue):
        * bytecode/MethodOfGettingAValueProfile.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC): Deleted.
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::jsValueFor):
        (JSC::DFG::restoreCalleeSavesFor):
        (JSC::DFG::saveCalleeSavesFor):
        (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
        (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        (JSC::DFG::saveOrCopyCalleeSavesFor):
        (JSC::DFG::createDirectArgumentsDuringExit):
        (JSC::DFG::createClonedArgumentsDuringExit):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::emitRestoreArguments):
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::printOSRExit):
        (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
        (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
        (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
        (JSC::DFG::OSRExit::correctJump): Deleted.
        (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
        (JSC::DFG::OSRExit::compileOSRExit): Deleted.
        (JSC::DFG::OSRExit::compileExit): Deleted.
        (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExitState::OSRExitState):
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitThunkGenerator):
        (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
        * dfg/DFGThunks.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::debugCall): Deleted.
        * jit/AssemblyHelpers.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * profiler/ProfilerOSRExit.h:
        (JSC::Profiler::OSRExit::incCount):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/VM.h:

2017-09-09  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r221774.

        This change introduced three debug JSC test timeouts.

        Reverted changeset:

        "Use JIT probes for DFG OSR exit."
        https://bugs.webkit.org/show_bug.cgi?id=175144
        http://trac.webkit.org/changeset/221774

2017-09-09  Mark Lam  <mark.lam@apple.com>

        Avoid duplicate computations of ExecState::vm().
        https://bugs.webkit.org/show_bug.cgi?id=176647

        Reviewed by Saam Barati.

        Because while computing ExecState::vm() is cheap, it is not free.

        This patch also:
        1. gets rid of some convenience methods in CallFrame that implicitly do an
           ExecState::vm() computation.  This minimizes the chance of us accidentally
           computing ExecState::vm() more than necessary.
        2. passes vm (when available) to methodTable().
        3. passes vm (when available) to JSLockHolder.

        * API/JSBase.cpp:
        (JSCheckScriptSyntax):
        (JSGarbageCollect):
        (JSReportExtraMemoryCost):
        (JSSynchronousGarbageCollectForDebugging):
        (JSSynchronousEdenCollectForDebugging):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create):
        * API/JSContext.mm:
        (-[JSContext setException:]):
        * API/JSContextRef.cpp:
        (JSContextGetGlobalObject):
        (JSContextCreateBacktrace):
        * API/JSManagedValue.mm:
        (-[JSManagedValue value]):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectMakeFunctionWithCallback):
        (JSObjectMakeConstructor):
        (JSObjectMakeFunction):
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        (JSObjectCopyPropertyNames):
        (JSPropertyNameAccumulatorAddName):
        * API/JSScriptRef.cpp:
        * API/JSTypedArray.cpp:
        (JSValueGetTypedArrayType):
        (JSObjectMakeTypedArrayWithArrayBuffer):
        (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
        (JSObjectGetTypedArrayBytesPtr):
        (JSObjectGetTypedArrayBuffer):
        (JSObjectMakeArrayBufferWithBytesNoCopy):
        (JSObjectGetArrayBufferBytesPtr):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/JSWrapperMap.mm:
        (constructorHasInstance):
        (makeWrapper):
        * API/ObjCCallbackFunction.mm:
        (objCCallbackFunctionForInvocation):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstant):
        (JSC::CodeBlock::replaceConstant):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::globalThisObjectFor):
        * dfg/DFGOperations.cpp:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationPopulateObjectInOSR):
        (JSC::FTL::operationMaterializeObjectInOSR):
        * heap/GCAssertions.h:
        * inspector/InjectedScriptHost.cpp:
        (Inspector::InjectedScriptHost::wrapper):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::constructInternalProperty):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::weakSetEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::valueForScopeLocation):
        (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
        (Inspector::toJS):
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptArguments):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * interpreter/CallFrame.h:
        (JSC::ExecState::atomicStringTable const): Deleted.
        (JSC::ExecState::propertyNames const): Deleted.
        (JSC::ExecState::emptyList const): Deleted.
        (JSC::ExecState::interpreter): Deleted.
        (JSC::ExecState::heap): Deleted.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JITOperations.cpp:
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::compileNow):
        * jsc.cpp:
        (WTF::RuntimeArray::create):
        (WTF::RuntimeArray::getOwnPropertySlot):
        (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
        (WTF::DOMJITFunctionObject::unsafeFunction):
        (WTF::DOMJITCheckSubClassObject::unsafeFunction):
        (GlobalObject::moduleLoaderFetch):
        (functionDumpCallFrame):
        (functionCreateRoot):
        (functionGetElement):
        (functionSetElementRoot):
        (functionCreateSimpleObject):
        (functionSetHiddenValue):
        (functionCreateProxy):
        (functionCreateImpureGetter):
        (functionCreateCustomGetterObject):
        (functionCreateDOMJITNodeObject):
        (functionCreateDOMJITGetterObject):
        (functionCreateDOMJITGetterComplexObject):
        (functionCreateDOMJITFunctionObject):
        (functionCreateDOMJITCheckSubClassObject):
        (functionGCAndSweep):
        (functionFullGC):
        (functionEdenGC):
        (functionHeapSize):
        (functionShadowChickenFunctionsOnStack):
        (functionSetGlobalConstRedeclarationShouldNotThrow):
        (functionJSCOptions):
        (functionFailNextNewCodeBlock):
        (functionMakeMasquerader):
        (functionDumpTypesForAllVariables):
        (functionFindTypeForExpression):
        (functionReturnTypeFor):
        (functionDumpBasicBlockExecutionRanges):
        (functionBasicBlockExecutionCount):
        (functionDrainMicrotasks):
        (functionGenerateHeapSnapshot):
        (functionEnsureArrayStorage):
        (functionStartSamplingProfiler):
        (runInteractive):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * parser/ModuleAnalyzer.cpp:
        (JSC::ModuleAnalyzer::ModuleAnalyzer):
        * profiler/ProfilerBytecode.cpp:
        (JSC::Profiler::Bytecode::toJS const):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
        * profiler/ProfilerBytecodes.cpp:
        (JSC::Profiler::Bytecodes::toJS const):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::toJS const):
        * profiler/ProfilerCompiledBytecode.cpp:
        (JSC::Profiler::CompiledBytecode::toJS const):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::toJS const):
        * profiler/ProfilerEvent.cpp:
        (JSC::Profiler::Event::toJS const):
        * profiler/ProfilerOSRExit.cpp:
        (JSC::Profiler::OSRExit::toJS const):
        * profiler/ProfilerOrigin.cpp:
        (JSC::Profiler::Origin::toJS const):
        * profiler/ProfilerProfiledBytecodes.cpp:
        (JSC::Profiler::ProfiledBytecodes::toJS const):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::identifierToJSValue):
        (JSC::AbstractModuleRecord::resolveExportImpl):
        (JSC::getExportedNames):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructBooleanFromImmediateBoolean):
        * runtime/CallData.cpp:
        (JSC::call):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
        (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        (JSC::linkAndEvaluateModule):
        (JSC::importModule):
        * runtime/ConstructData.cpp:
        (JSC::construct):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToJSON):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::length const):
        * runtime/DirectEvalExecutable.cpp:
        (JSC::DirectEvalExecutable::create):
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        (JSC::errorDescriptionForValue):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::add):
        * runtime/IndirectEvalExecutable.cpp:
        (JSC::IndirectEvalExecutable::create):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        (JSC::InternalFunction::createSubclassStructureSlow):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        (JSC::JSArray::put):
        (JSC::JSArray::deleteProperty):
        (JSC::JSArray::getOwnNonIndexPropertyNames):
        (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
        * runtime/JSArray.h:
        (JSC::JSArray::shiftCountForShift):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpForBacktrace const):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getOwnPropertySlot):
        (JSC::JSDataView::deleteProperty):
        (JSC::JSDataView::getOwnNonIndexPropertyNames):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::reifyName):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::then):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::deleteProperty):
        * runtime/JSMap.cpp:
        (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
        * runtime/JSMapIterator.h:
        (JSC::JSMapIterator::advanceIter):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSModuleLoader.cpp:
        (JSC::printableModuleKey):
        (JSC::JSModuleLoader::provide):
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        (JSC::JSModuleLoader::requestImportModule):
        * runtime/JSModuleNamespaceObject.h:
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::evaluate):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::appendNextProperty):
        * runtime/JSObject.cpp:
        (JSC::JSObject::calculatedClassName):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::ordinaryToPrimitive const):
        (JSC::JSObject::toPrimitive const):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        (JSC::getCustomGetterSetterFunctionForGetterSetter):
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::JSObject::getMethod):
        * runtime/JSObject.h:
        (JSC::JSObject::createRawObject):
        (JSC::JSFinalObject::create):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::canPerformFastPutInline):
        (JSC::JSObject::putInlineForJSObject):
        (JSC::JSObject::hasOwnProperty const):
        * runtime/JSScope.cpp:
        (JSC::isUnscopable):
        (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
        * runtime/JSSet.cpp:
        (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
        * runtime/JSSetIterator.h:
        (JSC::JSSetIterator::advanceIter):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/ModuleProgramExecutable.cpp:
        (JSC::ModuleProgramExecutable::create):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToLocaleString):
        * runtime/ProgramExecutable.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        (JSC::RegExpObject::deleteProperty):
        (JSC::RegExpObject::getOwnNonIndexPropertyNames):
        (JSC::RegExpObject::getPropertyNames):
        (JSC::RegExpObject::getGenericPropertyNames):
        (JSC::RegExpObject::put):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::length const):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        * runtime/StringObject.cpp:
        (JSC::isStringOwnProperty):
        (JSC::StringObject::deleteProperty):
        (JSC::StringObject::getOwnNonIndexPropertyNames):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::gc):
        (JSC::JSDollarVMPrototype::edenGC):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::evaluate):

2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] NewArrayWithSize(size)'s size does not care negative zero
        https://bugs.webkit.org/show_bug.cgi?id=176300

        Reviewed by Saam Barati.

        NewArrayWithSize(size)'s size does not care about negative zero,
        the same as NewTypedArray. We propagate this information
        in DFGBackwardsPropagationPhase. This removes the negative zero
        check in kraken fft's deinterleave function.

        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):

2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] PutByVal with Array::Generic is too generic
        https://bugs.webkit.org/show_bug.cgi?id=176345

        Reviewed by Filip Pizlo.

        Our DFG/FTL's PutByVal with Array::Generic has a too generic implementation.
        We could have a case like,

            dst[key] = src[key];

        with string or symbol keys. But they are handled in the slow path.
        This patch adds PutByVal(CellUse, StringUse/SymbolUse, UntypedUse). They go
        to the optimized path that does not have generic checks like (isInt32() / isDouble() etc.).

        This improves SixSpeed object-assign.es5 by 9.1%.

        object-assign.es5             424.3159+-11.0471    ^    388.8771+-10.9239       ^ definitely 1.0911x faster

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::putByValInternal):
        (JSC::DFG::putByValCellInternal):
        (JSC::DFG::putByValCellStringInternal):
        (JSC::DFG::operationPutByValInternal): Deleted.
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString):
        (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        * jit/JITOperations.h:

2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
        https://bugs.webkit.org/show_bug.cgi?id=176590

        Reviewed by Saam Barati.

        We add fixup edges for GetByVal(Array::Generic) to call faster operation instead of generic operationGetByVal.

                                         baseline                  patched

        object-iterate                5.8531+-0.3029            5.7903+-0.2795          might be 1.0108x faster
        object-iterate-symbols        7.4099+-0.3993     ^      5.8254+-0.2276        ^ definitely 1.2720x faster

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::getByValObject):
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
        (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):

2017-09-07  Mark Lam  <mark.lam@apple.com>

        Use JIT probes for DFG OSR exit.
        https://bugs.webkit.org/show_bug.cgi?id=175144
        <rdar://problem/33437050>

        Reviewed by Saam Barati.

        This patch does the following:
        1. Replaces osrExitGenerationThunkGenerator() with osrExitThunkGenerator().
           While osrExitGenerationThunkGenerator() generates a thunk that compiles a
           unique OSR offramp for each DFG OSR exit site, osrExitThunkGenerator()
           generates a thunk that just executes the OSR exit.

           The osrExitThunkGenerator() generated thunk works by using a single JIT probe
           to call OSRExit::executeOSRExit().  The JIT probe takes care of preserving
           CPU registers, and providing the Probe::Stack mechanism for modifying the
           stack frame.

           OSRExit::executeOSRExit() replaces OSRExit::compileOSRExit() and
           OSRExit::compileExit().  It is basically a re-write of those functions to
           execute the OSR exit work instead of compiling code to execute the work.

           As a result, we get the following savings:
           a. no more OSR exit ramp compilation time.
           b. no use of JIT executable memory for storing each unique OSR exit ramp.

           On the negative side, we incur these costs:

           c. the OSRExit::executeOSRExit() ramp may be a little slower than the compiled
              version of the ramp.  However, OSR exits are rare.  Hence, this small
              difference should not matter much.  It is also offset by the savings from
              (a).

           d. the Probe::Stack allocates 1K pages of memory for buffering stack
              modifications.  The number of these pages depends on the span of stack memory
              that the OSR exit ramp reads from and writes to.  Since the OSR exit ramp
              tends to only modify values in the current DFG frame and the current
              VMEntryRecord, the number of pages tends to only be 1 or 2.

              Using the jsc tests as a workload, the vast majority of tests that do OSR
              exit use 3 or fewer 1K pages (with the overwhelming number using just 1 page).
              A few tests that are pathological use up to 14 pages, and one particularly
              bad test (function-apply-many-args.js) uses 513 pages.

           Similar to the old code, the OSR exit ramp still has 2 parts: 1 part that is
           only executed once to compute some values for the exit site that are used by
           all exit operations from that site, and a 2nd part to execute the exit.  The
           1st part is protected by checking if exit.exitState has already been
           initialized.  The computed values are cached in exit.exitState.

           Because the OSR exit thunk no longer compiles an OSR exit off-ramp, we no
           longer need the facility to patch the site that jumps to the OSR exit ramp.
           The DFG::JITCompiler has been modified to remove this patching code.

        2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
           std::memcpy to avoid strict aliasing issues.

           Also optimized the implementation of Probe::Stack::physicalAddressFor().

        3. Miscellaneous convenience methods added to make the Probe::Context easier to
           use.

        4. Added a Probe::Frame class that makes it easier to get/set operands and
           arguments in a given frame using the deferred write properties of the
           Probe::Stack.  Probe::Frame makes it easier to do some of the recovery work in
           the OSR exit ramp.

3343            the OSR exit ramp.
3344