[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix exception checking
        https://bugs.webkit.org/show_bug.cgi?id=185350

        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectWithReify):
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):

2018-05-17  Michael Saboff  <msaboff@apple.com>

        We don't throw SyntaxErrors for runtime generated regular expressions with errors
        https://bugs.webkit.org/show_bug.cgi?id=185755

        Reviewed by Keith Miller.

        Added a new helper that creates the correct exception to throw for each type of error when
        compiling a RegExp.  Using that new helper, added missing checks for RegExp for the cases
        where we create a new RegExp from an existing one.  Also refactored other places that we
        throw SyntaxErrors after a failed RegExp compile to use the new helper.

        * runtime/RegExp.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpCreate):
        (JSC::constructRegExp):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        * yarr/YarrErrorCode.cpp:
        (JSC::Yarr::errorToThrow):
        * yarr/YarrErrorCode.h:

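The entry above concerns RegExp construction paths where a compile failure was not surfaced as a SyntaxError. The following probe is an added example, not WebKit code and not part of the ChangeLog: it exercises each construction path from script (string pattern, an existing RegExp with new flags, RegExp called as a plain function, and the Annex B RegExp.prototype.compile) and classifies what the engine does, so a missing exception check shows up as "no-throw" rather than silently producing a broken RegExp. The case names and helper functions are this example's own.

```javascript
// Added example (not WebKit code): probe whether an engine surfaces a
// SyntaxError for every RegExp construction path, including the one the
// ChangeLog entry fixes: building a new RegExp from an existing RegExp.

// Each case is a thunk that must throw a SyntaxError on a conforming engine.
const cases = {
  // Invalid pattern passed as a string.
  badPatternString: () => new RegExp("("),
  // Valid existing RegExp, invalid (duplicated) flags: the "RegExp from an
  // existing one" path handled by regExpCreate / constructRegExp.
  existingRegExpBadFlags: () => new RegExp(/abc/, "gg"),
  // Same path, but RegExp invoked as a function rather than a constructor.
  existingRegExpBadFlagsCall: () => RegExp(/abc/, "zz"),
  // Annex B RegExp.prototype.compile with an unterminated character class.
  compileBadPattern: () => /ok/.compile("["),
  // compile with a valid pattern but duplicated flags.
  compileBadFlags: () => /ok/.compile("x", "ii"),
};

// Classify what a thunk does: "SyntaxError", "other:<name>", or "no-throw".
// "no-throw" is the failure mode the entry describes: the error was swallowed.
function outcomeOf(thunk) {
  try {
    thunk();
    return "no-throw";
  } catch (e) {
    if (e instanceof SyntaxError) return "SyntaxError";
    return "other:" + (e && e.name);
  }
}

// Run every case and return a map of case name -> outcome.
function probeRegExpErrors(table = cases) {
  const results = {};
  for (const [name, thunk] of Object.entries(table)) {
    results[name] = outcomeOf(thunk);
  }
  return results;
}

// True only when every construction path surfaces a SyntaxError.
function allSurfaceSyntaxError(table = cases) {
  return Object.values(probeRegExpErrors(table)).every((r) => r === "SyntaxError");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(probeRegExpErrors());
}
```

Run it under the engine you want to check; any path reporting "no-throw" means a malformed pattern or flag string was accepted without an exception, which is exactly the class of bug the entry fixes.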
2018-05-17  Saam Barati  <sbarati@apple.com>

        Remove shrinkFootprint test from apitests since it's flaky
        https://bugs.webkit.org/show_bug.cgi?id=185754

        Reviewed by Mark Lam.

        This test is flaky as it keeps failing on certain people's machines.
        Having a test about OS footprint seems like it'll forever be doomed
        to being flaky.

        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):

2018-05-17  Saam Barati  <sbarati@apple.com>

        defaultConstructorSourceCode needs to makeSource every time it's called
        https://bugs.webkit.org/show_bug.cgi?id=185753

        Rubber-stamped by Mark Lam.

        The bug here is multiple VMs can be running concurrently to one another
        in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
        if we copy a static SourceCode. Instead, we create a new one each time
        this function is called.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):

2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use AssemblyHelpers' type checking functions as much as possible
        https://bugs.webkit.org/show_bug.cgi?id=185730

        Reviewed by Saam Barati.

        Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex
        bit and register operations for type tagging of JSValue. It is really useful when we would like
        to tweak type tagging representation since the code is collected into AssemblyHelpers. And
        the named function is more readable than some branching operations.

        We also remove unnecessary branching functions in JIT / JSInterfaceJIT. Some of them are duplicates
        of AssemblyHelpers' ones.

        We add several new type checking functions to AssemblyHelpers. Moreover, we add branchIfXXX(GPRReg)
        functions even for 32bit environment. In 32bit environment, this function takes tag register. This
        semantics is aligned to the existing branchIfCell / branchIfNotCell.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
        (JSC::DFG::SpeculativeJIT::speculateCellType):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
        (JSC::DFG::SpeculativeJIT::compileCreateThis):
        (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::convertAnyInt):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfInt32):
        (JSC::AssemblyHelpers::branchIfNotInt32):
        (JSC::AssemblyHelpers::branchIfNumber):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfBoolean):
        (JSC::AssemblyHelpers::branchIfNotBoolean):
        (JSC::AssemblyHelpers::branchIfEmpty):
        (JSC::AssemblyHelpers::branchIfNotEmpty):
        (JSC::AssemblyHelpers::branchIfUndefined):
        (JSC::AssemblyHelpers::branchIfNotUndefined):
        (JSC::AssemblyHelpers::branchIfNull):
        (JSC::AssemblyHelpers::branchIfNotNull):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emit_op_inc):
        (JSC::JIT::emit_op_dec):
        (JSC::JIT::emitBinaryDoubleOp):
        (JSC::JIT::emit_op_mod):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
        (JSC::JIT::emitJumpIfBothJSCells):
        (JSC::JIT::emitJumpSlowCaseIfJSCell):
        (JSC::JIT::emitJumpIfNotInt):
        (JSC::JIT::emitJumpSlowCaseIfNotInt):
        (JSC::JIT::emitJumpSlowCaseIfNotNumber):
        (JSC::JIT::emitJumpIfCellObject): Deleted.
        (JSC::JIT::emitJumpIfCellNotObject): Deleted.
        (JSC::JIT::emitJumpIfJSCell): Deleted.
        (JSC::JIT::emitJumpIfInt): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_to_object):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_check_tdz):
        (JSC::JIT::emitNewFuncExprCommon):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jneq_ptr):
        (JSC::JIT::emit_op_eq):
        (JSC::JIT::emit_op_jeq):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::emit_op_jneq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_to_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emit_op_check_tdz):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitWriteBarrier):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitLoadJSCell):
        (JSC::JSInterfaceJIT::emitLoadInt32):
        (JSC::JSInterfaceJIT::emitLoadDouble):
        (JSC::JSInterfaceJIT::emitJumpIfNumber): Deleted.
        (JSC::JSInterfaceJIT::emitJumpIfNotNumber): Deleted.
        (JSC::JSInterfaceJIT::emitJumpIfNotType): Deleted.
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::absThunkGenerator):
        * tools/JSDollarVM.cpp:
        (WTF::DOMJITNode::checkSubClassSnippet):
        (WTF::DOMJITFunctionObject::checkSubClassSnippet):

2018-05-17  Saam Barati  <sbarati@apple.com>

        Unreviewed. Fix the build after my attempted build fix broke the build.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):
        (JSC::BuiltinExecutables::createDefaultConstructor):
        * builtins/BuiltinExecutables.h:

2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove reifyPropertyNameIfNeeded
        https://bugs.webkit.org/show_bug.cgi?id=185350

        Reviewed by Saam Barati.

        reifyPropertyNameIfNeeded is in the middle of putDirectInternal, which is super critical path.
        This is a virtual call, and it is only used by JSFunction right now. Since this causes too much
        cost, we should remove this from the critical path.

        This patch removes this function call from the critical path. And in our slow paths, we call
        helper functions which call reifyLazyPropertyIfNeeded if the given value is a JSFunction.
        While putDirect is a bit raw API, our slow paths just call it. This helper wraps these calls
        and takes care of the edge cases. The other callsites of putDirect should know the type of the given
        object and the name of the property (and avoid these edge cases).

        This improves SixSpeed/object-assign.es6 by ~4% on MacBook Pro. And this patch does not cause
        regressions of the existing tests.

                                           baseline                  patched
        Kraken:
            json-parse-financial        35.522+-0.069      ^      34.708+-0.097         ^ definitely 1.0234x faster

        SixSpeed:
            object-assign.es6         145.8779+-0.2838     ^    140.1019+-0.8007        ^ definitely 1.0412x faster

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByValInternal):
        (JSC::DFG::putByValCellInternal):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ClassInfo.h:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectWithReify):
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):
        * runtime/JSCell.cpp:
        (JSC::JSCell::reifyPropertyNameIfNeeded): Deleted.
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::reifyPropertyNameIfNeeded): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectNonIndexAccessor):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):

2018-05-17  Saam Barati  <sbarati@apple.com>

        Unreviewed. Try to fix windows build.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):

2018-05-16  Saam Barati  <sbarati@apple.com>

        UnlinkedFunctionExecutable doesn't need a parent source override field since it's only used for default class constructors
        https://bugs.webkit.org/show_bug.cgi?id=185637

        Reviewed by Keith Miller.

        We had this general mechanism for overriding an UnlinkedFunctionExecutable's parent
        source code. However, we were only using this for default class constructors. There
        are only two types of default class constructors. This patch makes it so that
        we just store this information inside of a single bit, and ask for the source
        code as needed instead of holding it in a nullable field that is 24 bytes in size.

        This brings UnlinkedFunctionExecutable's size down from 184 bytes to 160 bytes.
        This has the consequence of making it allocated out of a 160 byte size class
        instead of a 224 byte size class. This should bring down its memory footprint
        by ~40%.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):
        (JSC::BuiltinExecutables::createDefaultConstructor):
        (JSC::BuiltinExecutables::createExecutable):
        * builtins/BuiltinExecutables.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2018-05-16  Saam Barati  <sbarati@apple.com>

        VM::shrinkFootprint should call collectNow(Sync) instead of collectSync so it also eagerly sweeps
        https://bugs.webkit.org/show_bug.cgi?id=185707

        Reviewed by Mark Lam.

        * runtime/VM.cpp:
        (JSC::VM::shrinkFootprint):

2018-05-16  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "/" operation
        https://bugs.webkit.org/show_bug.cgi?id=183996

        Reviewed by Yusuke Suzuki.

        This patch is introducing the support for BigInt into the divide
        operation in LLInt and JIT layers.

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::copy):
        (JSC::JSBigInt::unaryMinus):
        (JSC::JSBigInt::absoluteCompare):
        (JSC::JSBigInt::absoluteDivLarge):
        (JSC::JSBigInt::productGreaterThan):
        (JSC::JSBigInt::inplaceAdd):
        (JSC::JSBigInt::inplaceSub):
        (JSC::JSBigInt::inplaceRightShift):
        (JSC::JSBigInt::specialLeftShift):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:

2018-05-16  Saam Barati  <sbarati@apple.com>

        Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
        https://bugs.webkit.org/show_bug.cgi?id=185670

        Reviewed by Yusuke Suzuki.

        This patch makes it so that we constant fold CheckTypeInfoFlags for
        ImplementsDefaultHasInstance inside of AI/constant folding. We constant
        fold in three ways:
        - When the incoming value is a constant, we just look at its inline type
        flags. Since those flags never change after an object is created, this
        is sound.
        - Based on the incoming value having a finite structure set. We just iterate
        all structures and ensure they have the bit set.
        - Based on speculated type. To do this, I split up SpecFunction into two
        subheaps where one is for functions that have the bit set, and one for
        functions that don't have the bit set. The latter is currently only comprised
        of JSBoundFunctions. To constant fold, we check that the incoming
        value only has the SpecFunction type with ImplementsDefaultHasInstance set.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::assertTypeInfoFlagInvariants):
        * runtime/JSFunction.h:
        (JSC::JSFunction::assertTypeInfoFlagInvariants):
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::JSFunction):

2018-05-16  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: create a navigation item for toggling the overlay rulers/guides
        https://bugs.webkit.org/show_bug.cgi?id=185644

        Reviewed by Matt Baker.

        * inspector/protocol/OverlayTypes.json:
        * inspector/protocol/Page.json:

2018-05-16  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231845.
        https://bugs.webkit.org/show_bug.cgi?id=185702

        it is breaking Apple High Sierra 32-bit JSC bot (Requested by
        caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "/" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183996
        https://trac.webkit.org/changeset/231845

2018-05-16  Filip Pizlo  <fpizlo@apple.com>

        DFG models InstanceOf incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=185694

        Reviewed by Keith Miller.

        Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
        hoist it.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:

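The entry above states the two facts that make InstanceOf unsafe to treat as a pure, non-throwing node: a Proxy turns `instanceof` into a call into user code, and that code can throw. The script below is an added example, not WebKit code and not part of the ChangeLog, showing both from the language side: the Proxy's getPrototypeOf trap records that `instanceof` invoked it (an observable effect an optimizer would lose by dead-code-eliminating or hoisting the check), and the same trap can raise, so the result of the expression depends on control flow reaching it. The class, trap and helper names are this example's own.

```javascript
// Added example (not WebKit code): make the side effect and the exception that
// `instanceof` can produce through a Proxy observable from script.

class Widget {}

// Wrap a target in a Proxy whose getPrototypeOf trap logs each invocation and
// optionally throws. OrdinaryHasInstance walks the prototype chain of the
// left operand through [[GetPrototypeOf]], so this trap runs on `instanceof`.
function makeObservedProxy(target, log, { throwOnLookup = false } = {}) {
  return new Proxy(target, {
    getPrototypeOf(t) {
      log.push("getPrototypeOf");
      if (throwOnLookup) throw new RangeError("trap refused");
      return Reflect.getPrototypeOf(t);
    },
  });
}

// Evaluate `proxy instanceof Widget` and report the result together with the
// number of trap invocations and any exception that escaped.
function instanceOfWithProxy({ throwOnLookup = false } = {}) {
  const log = [];
  const proxy = makeObservedProxy(new Widget(), log, { throwOnLookup });
  let result;
  let error = null;
  try {
    // If an optimizer modelled InstanceOf as pure and effect-free, it could
    // drop or reorder this expression; the trap log is what would go missing.
    result = proxy instanceof Widget;
  } catch (e) {
    error = e;
  }
  return { result, trapCalls: log.length, error };
}

// Control case: a plain object runs no user code during `instanceof`.
function instanceOfWithPlainObject() {
  return new Widget() instanceof Widget;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(instanceOfWithProxy());
  console.log(instanceOfWithProxy({ throwOnLookup: true }));
}
```

The non-throwing run yields `true` with exactly one trap call (the first prototype lookup already hits `Widget.prototype`); the throwing run leaves `result` undefined and surfaces the RangeError, which is the exception path the entry says must not be hoisted or eliminated.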
2018-05-16  Andy VanWagoner  <andy@vanwagoner.family>

        Add support for Intl NumberFormat formatToParts
        https://bugs.webkit.org/show_bug.cgi?id=185375

        Reviewed by Yusuke Suzuki.

        Add flag for NumberFormat formatToParts. Implement formatToParts using
        unum_formatDoubleForFields. Because the fields are nested and come back
        in no guaranteed order, the simple algorithm to convert them to the
        desired format is roughly O(n^2). However, even with Number.MAX_VALUE
        it appears to perform well enough for the initial implementation. Another
        issue has been created to improve this algorithm.

        This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
        on macOS, since only v57 is available.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
        (JSC::IntlNumberFormat::partTypeString):
        (JSC::IntlNumberFormat::formatToParts):
        * runtime/IntlNumberFormat.h:
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::create):
        (JSC::IntlNumberFormatPrototype::finishCreation):
        (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
        * runtime/IntlNumberFormatPrototype.h:
        * runtime/Options.h:

2018-05-16  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "/" operation
        https://bugs.webkit.org/show_bug.cgi?id=183996

        Reviewed by Yusuke Suzuki.

        This patch is introducing the support for BigInt into the divide
        operation in LLInt and JIT layers.

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::copy):
        (JSC::JSBigInt::unaryMinus):
        (JSC::JSBigInt::absoluteCompare):
        (JSC::JSBigInt::absoluteDivLarge):
        (JSC::JSBigInt::productGreaterThan):
        (JSC::JSBigInt::inplaceAdd):
        (JSC::JSBigInt::inplaceSub):
        (JSC::JSBigInt::inplaceRightShift):
        (JSC::JSBigInt::specialLeftShift):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:

2018-05-16  Alberto Garcia  <berto@igalia.com>

        [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
        https://bugs.webkit.org/show_bug.cgi?id=182622

        Reviewed by Michael Catanzaro.

        We were linking JavaScriptCore against libatomic in MIPS because
        in that architecture __atomic_fetch_add_8() is not a compiler
        intrinsic and is provided by that library instead. However other
        architectures (e.g. armel) are in the same situation, so we need a
        generic test.

        That test already exists in WebKit/CMakeLists.txt, so we just have
        to move it to a common file (WebKitCompilerFlags.cmake) and use
        its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.

        * CMakeLists.txt:

2018-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
        https://bugs.webkit.org/show_bug.cgi?id=185601

        Reviewed by Saam Barati.

        Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData
        before calling getCallData when we would like to check whether a given object is callable
        since getCallData is a virtual call. When we call the object anyway, directly calling getCallData
        is fine. But if we would like to check whether the object is callable, we can have non
        callable objects frequently. In that case, we should not call getCallData if we can avoid it.

        To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
        and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
        OverridesGetCallData checking before calling getCallData.

        We found that this virtual call exists in JSON.stringify's critical path. Checking
        OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.

                                               baseline                  patched

            json-stringify-tinderbox        38.807+-0.350      ^      37.216+-0.337         ^ definitely 1.0427x faster

        In addition to that, we also add OverridesGetCallData flag to JSFunction while we keep JSFunctionType checking fast path
        since major cases are covered by this fast JSFunctionType checking.

        * API/JSCallbackObject.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
        (JSC::DFG::SpeculativeJIT::compileIsFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitTypeOf):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createError):
        (JSC::createInvalidFunctionApplyParameterError):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/InternalFunction.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isFunction const):
        (JSC::JSValue::isCallable const):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isFunction):
        ALWAYS_INLINE works well for my environment.
        (JSC::JSCell::isCallable):
        * runtime/JSFunction.h:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::toJSONImpl):
        (JSC::Stringifier::appendStringifiedValue):
        * runtime/JSObjectInlines.h:
        (JSC::createListFromArrayLike):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::overridesGetCallData const):
        (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted.
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectTypeOrNull):
        * runtime/ProxyObject.h:
        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeForValue):
        * runtime/RuntimeType.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::TypeProfilerLog):
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/TypeProfilerLog.h:
        * runtime/VM.cpp:
        (JSC::VM::enableTypeProfiler):
        * tools/JSDollarVM.cpp:
        (JSC::functionFindTypeForExpression):
        (JSC::functionReturnTypeFor):
        (JSC::functionHasBasicBlockExecuted):
        (JSC::functionBasicBlockExecutionCount):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyInstantiateStreamingInternal):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::finishCreation):

2018-05-15  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Add rulers and guides
        https://bugs.webkit.org/show_bug.cgi?id=32263
        <rdar://problem/19281564>

        Reviewed by Matt Baker.

        * inspector/protocol/OverlayTypes.json:

2018-05-14  Keith Miller  <keith_miller@apple.com>

        Remove butterflyMask from DFGAbstractHeap
        https://bugs.webkit.org/show_bug.cgi?id=185640

        Reviewed by Saam Barati.

        We don't have a butterfly indexing mask anymore so we don't need
        the abstract heap information for it anymore.

        * dfg/DFGAbstractHeap.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-05-14  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Handle error in defineProperty for supported locales length
        https://bugs.webkit.org/show_bug.cgi?id=185623

        Reviewed by Saam Barati.

        Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the
        length of the supported locales array.

        * runtime/IntlObject.cpp:
        (JSC::supportedLocales):

2018-05-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Tweak LiteralParser to improve lexing performance
        https://bugs.webkit.org/show_bug.cgi?id=185541

        Reviewed by Saam Barati.

        This patch attempts to improve LiteralParser performance.

        This patch improves Kraken/json-parse-financial by roughly ~10%.
                                           baseline                  patched

            json-parse-financial        65.810+-1.591      ^      59.943+-1.784         ^ definitely 1.0979x faster

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::takeLast):
        Add takeLast() for idiomatic last() + removeLast() calls.

        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lex):
        Do not have mode in its template parameter. While the lex function is large, this mode is not used in a critical path.
        We should not include this mode in its template parameter to reduce the code size.
        And we do not use a template parameter for a terminator since duplicating ' and " code for lexString is not good.
        Also, we construct a TokenType table to remove a bunch of unnecessary switch cases.

        (JSC::LiteralParser<CharType>::Lexer::next):
        (JSC::isSafeStringCharacter):
        Take mode in its template parameter. But do not take the terminator character in its template parameter.

        (JSC::LiteralParser<CharType>::Lexer::lexString):
        (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
        Duplicate while statements manually since this is a critical path.

        (JSC::LiteralParser<CharType>::parse):
        Use takeLast().

        * runtime/LiteralParser.h:

2018-05-14  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Use btpz to compare against 0 instead of bpeq
        https://bugs.webkit.org/show_bug.cgi?id=185607

        Reviewed by Yusuke Suzuki.

        Fixes build on MIPS since MIPS doesn't have an instruction to
        compare a register against an immediate. Since the immediate is just 0
        in this case the simplest solution is just to use btpz instead of bpeq
        to compare to 0.

        * llint/LowLevelInterpreter.asm:

2018-05-12  Filip Pizlo  <fpizlo@apple.com>

        CachedCall::call() should be faster
        https://bugs.webkit.org/show_bug.cgi?id=185583

        Reviewed by Yusuke Suzuki.

        CachedCall is an optimization for String.prototype.replace(r, f) where f is a function.
        Unfortunately, because of a combination of abstraction and assertions, this code path had a
        lot of overhead. This patch reduces this overhead by:

        - Turning off some assertions. These assertions don't look to have security value; they're
          mostly for sanity. I turned off stack alignment checks and VM state checks having to do
          with whether the JSLock is held. The JSLock checks are not relevant when doing a cached
          call, considering that the caller would have already been strongly assuming that the JSLock
          is held.

        - Making more things inlineable.

        This looks like a small (4% ish) speed-up on SunSpider/string-unpack-code.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CachedCall.h:
        (JSC::CachedCall::call):
        * interpreter/Interpreter.cpp:
        (JSC::checkedReturn): Deleted.
        * interpreter/Interpreter.h:
        (JSC::Interpreter::checkedReturn):
740         * interpreter/Interpreter.h:
741         (JSC::Interpreter::checkedReturn):
742         * interpreter/InterpreterInlines.h:
743         (JSC::Interpreter::execute):
744         * jit/JITCode.cpp:
745         (JSC::JITCode::execute): Deleted.
746         * jit/JITCodeInlines.h: Added.
747         (JSC::JITCode::execute):
748         * llint/LowLevelInterpreter.asm:
749         * runtime/StringPrototype.cpp:
750
751 2018-05-13  Andy VanWagoner  <andy@vanwagoner.family>
752
753         [INTL] Improve spec & test262 compliance for Intl APIs
754         https://bugs.webkit.org/show_bug.cgi?id=185578
755
756         Reviewed by Yusuke Suzuki.
757
758         Use putDirectIndex over push for lists to arrays.
759         Update default options to construct with a null prototype.
760         Define constructor and toStringTag on prototypes.
761         Add proper time clipping.
762         Remove some outdated comment spec text, use url instead.
763
764         * runtime/IntlCollator.cpp:
765         (JSC::IntlCollator::initializeCollator):
766         * runtime/IntlCollatorConstructor.cpp:
767         (JSC::IntlCollatorConstructor::finishCreation):
768         * runtime/IntlCollatorPrototype.cpp:
769         (JSC::IntlCollatorPrototype::finishCreation):
770         * runtime/IntlDateTimeFormatConstructor.cpp:
771         (JSC::IntlDateTimeFormatConstructor::finishCreation):
772         * runtime/IntlDateTimeFormatPrototype.cpp:
773         (JSC::IntlDateTimeFormatPrototype::finishCreation):
774         (JSC::IntlDateTimeFormatFuncFormatDateTime):
775         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
776         * runtime/IntlNumberFormat.cpp:
777         (JSC::IntlNumberFormat::initializeNumberFormat):
778         * runtime/IntlNumberFormatConstructor.cpp:
779         (JSC::IntlNumberFormatConstructor::finishCreation):
780         * runtime/IntlNumberFormatPrototype.cpp:
781         (JSC::IntlNumberFormatPrototype::finishCreation):
782         * runtime/IntlObject.cpp:
783         (JSC::lookupSupportedLocales):
784         (JSC::supportedLocales):
785         (JSC::intlObjectFuncGetCanonicalLocales):
786         * runtime/IntlPluralRules.cpp:
787         (JSC::IntlPluralRules::resolvedOptions):
788         * runtime/IntlPluralRulesConstructor.cpp:
789         (JSC::IntlPluralRulesConstructor::finishCreation):
790
791 2018-05-11  Caio Lima  <ticaiolima@gmail.com>
792
793         [ESNext][BigInt] Implement support for "*" operation
794         https://bugs.webkit.org/show_bug.cgi?id=183721
795
796         Reviewed by Yusuke Suzuki.
797
798         Added BigInt support to the times binary operator in LLInt and in the
799         JITOperations profiledMul and unprofiledMul. We are also replacing all
800         uses of int with unsigned when there are no negative values for
801         variables.
802
803         * dfg/DFGConstantFoldingPhase.cpp:
804         (JSC::DFG::ConstantFoldingPhase::foldConstants):
805         * jit/JITOperations.cpp:
806         * runtime/CommonSlowPaths.cpp:
807         (JSC::SLOW_PATH_DECL):
808         * runtime/JSBigInt.cpp:
809         (JSC::JSBigInt::JSBigInt):
810         (JSC::JSBigInt::allocationSize):
811         (JSC::JSBigInt::createWithLength):
812         (JSC::JSBigInt::toString):
813         (JSC::JSBigInt::multiply):
814         (JSC::JSBigInt::digitDiv):
815         (JSC::JSBigInt::internalMultiplyAdd):
816         (JSC::JSBigInt::multiplyAccumulate):
817         (JSC::JSBigInt::equals):
818         (JSC::JSBigInt::absoluteDivSmall):
819         (JSC::JSBigInt::calculateMaximumCharactersRequired):
820         (JSC::JSBigInt::toStringGeneric):
821         (JSC::JSBigInt::rightTrim):
822         (JSC::JSBigInt::allocateFor):
823         (JSC::JSBigInt::parseInt):
824         (JSC::JSBigInt::digit):
825         (JSC::JSBigInt::setDigit):
826         * runtime/JSBigInt.h:
827         * runtime/JSCJSValue.h:
828         * runtime/JSCJSValueInlines.h:
829         (JSC::JSValue::toNumeric const):
830         * runtime/Operations.h:
831         (JSC::jsMul):
832
833 2018-05-11  Commit Queue  <commit-queue@webkit.org>
834
835         Unreviewed, rolling out r231316 and r231332.
836         https://bugs.webkit.org/show_bug.cgi?id=185564
837
838         Appears to be a Speedometer2/MotionMark regression (Requested
839         by keith_miller on #webkit).
840
841         Reverted changesets:
842
843         "Remove the prototype caching for get_by_id in the LLInt"
844         https://bugs.webkit.org/show_bug.cgi?id=185226
845         https://trac.webkit.org/changeset/231316
846
847         "Unreviewed, fix 32-bit profile offset for change in bytecode"
848         https://trac.webkit.org/changeset/231332
849
850 2018-05-11  Michael Saboff  <msaboff@apple.com>
851
852         [DFG] Compiler uses incorrect output register for NumberIsInteger operation
853         https://bugs.webkit.org/show_bug.cgi?id=185328
854
855         Reviewed by Keith Miller.
856
857         Fixed a typo from when this code was added in r228968 where resultGPR
858         was assigned the input register instead of the result.gpr().
859
860         * dfg/DFGSpeculativeJIT64.cpp:
861         (JSC::DFG::SpeculativeJIT::compile):
862
863 2018-05-11  Saam Barati  <sbarati@apple.com>
864
865         Don't use inferred types when the JIT is disabled
866         https://bugs.webkit.org/show_bug.cgi?id=185539
867
868         Reviewed by Yusuke Suzuki.
869
870         There are many JSC API clients that run with the JIT disabled. They were
871         all allocating and tracking inferred types for no benefit. Inferred types
872         only benefit programs when they make it to the DFG/FTL. I was seeing cases
873         where the inferred type machinery used ~0.5MB. This patch makes it so we
874         don't allocate that machinery when the JIT is disabled.
875
876         * runtime/Structure.cpp:
877         (JSC::Structure::willStoreValueSlow):
878         * runtime/Structure.h:
879
880 2018-05-11  Saam Barati  <sbarati@apple.com>
881
882         Don't allocate value profiles when the JIT is disabled
883         https://bugs.webkit.org/show_bug.cgi?id=185525
884
885         Reviewed by Michael Saboff.
886
887         There are many JSC API clients that run with the JIT disabled. We were
888         still allocating a ton of value profiles in this use case even though
889         these clients get no benefit from doing value profiling. This patch makes
890         it so that we don't allocate value profiles or argument value profiles
891         when we're not using the JIT. We now just make all value profiles in
892         the instruction stream point to a global value profile that the VM owns.
893         And we make the argument value profile array have zero length and teach
894         the LLInt how to handle that. Heap clears the global value profile on each GC.
895
896         In an app that I'm testing this against, this saves ~1MB of memory.
897
898         * bytecode/CodeBlock.cpp:
899         (JSC::CodeBlock::finishCreation):
900         (JSC::CodeBlock::setNumParameters):
901         * bytecode/CodeBlock.h:
902         (JSC::CodeBlock::numberOfArgumentValueProfiles):
903         (JSC::CodeBlock::valueProfileForArgument):
904         * bytecompiler/BytecodeGenerator.cpp:
905         (JSC::BytecodeGenerator::emitProfiledOpcode):
906         * heap/Heap.cpp:
907         (JSC::Heap::runEndPhase):
908         * llint/LowLevelInterpreter.asm:
909         * runtime/VM.cpp:
910         (JSC::VM::VM):
911         * runtime/VM.h:
912
913 2018-05-10  Carlos Garcia Campos  <cgarcia@igalia.com>
914
915         [JSC][GLIB] Add introspectable alternatives to functions using varargs
916         https://bugs.webkit.org/show_bug.cgi?id=185508
917
918         Reviewed by Michael Catanzaro.
919
920         * API/glib/JSCClass.cpp:
921         (jscClassCreateConstructor):
922         (jsc_class_add_constructor):
923         (jsc_class_add_constructorv):
924         (jscClassAddMethod):
925         (jsc_class_add_method):
926         (jsc_class_add_methodv):
927         * API/glib/JSCClass.h:
928         * API/glib/JSCValue.cpp:
929         (jsObjectCall):
930         (jscValueCallFunction):
931         (jsc_value_object_invoke_methodv):
932         (jscValueFunctionCreate):
933         (jsc_value_new_function):
934         (jsc_value_new_functionv):
935         (jsc_value_function_callv):
936         (jsc_value_constructor_callv):
937         * API/glib/JSCValue.h:
938         * API/glib/docs/jsc-glib-4.0-sections.txt:
939
940 2018-05-10  Yusuke Suzuki  <utatane.tea@gmail.com>
941
942         [JSC] Make return types of construction functions tight
943         https://bugs.webkit.org/show_bug.cgi?id=185509
944
945         Reviewed by Saam Barati.
946
947         Array and Object construction functions should return strict types instead of returning JSObject*/JSValue.
948
949         * runtime/ArrayConstructor.cpp:
950         (JSC::constructArrayWithSizeQuirk):
951         * runtime/ArrayConstructor.h:
952         * runtime/ObjectConstructor.h:
953         (JSC::constructEmptyObject):
954
955 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
956
957         [JSC] Object.assign for final objects should be faster
958         https://bugs.webkit.org/show_bug.cgi?id=185348
959
960         Reviewed by Saam Barati.
961
962         Object.assign is so heavily used to clone an object. For example, speedometer react-redux can be significantly
963         improved if Object.assign becomes fast. It is worth adding a complex fast path to accelerate the major use cases.
964
965         If enumerating the properties of source objects and putting properties to the target object are non-observable,
966         we can avoid hash table lookups of source object properties. We can enumerate object property entries,
967         and put them to the target object. This patch adds this fast path to the Object.assign implementation.
968
969         When enumerating properties, we need to ensure that the given |source| object does not include "__proto__"
970         property since we cannot perform fast [[Put]] for the |target| object. We add a new flag
971         "HasUnderscoreProtoPropertyExcludingOriginalProto" to Structure to track this state.
972
973         This improves object-assign.es6 by 1.85x.
974
975                                         baseline                  patched
976
977             object-assign.es6      368.6132+-8.3508     ^    198.8775+-4.9042        ^ definitely 1.8535x faster
978
979         And Speedometer2.0 React-Redux-TodoMVC's total time is improved from 490ms to 431ms.
980
981         * runtime/JSObject.h:
982         * runtime/JSObjectInlines.h:
983         (JSC::JSObject::canPerformFastPutInlineExcludingProto):
984         (JSC::JSObject::canPerformFastPutInline):
985         * runtime/ObjectConstructor.cpp:
986         (JSC::objectConstructorAssign):
987         * runtime/Structure.cpp:
988         (JSC::Structure::Structure):
989         * runtime/Structure.h:
990         * runtime/StructureInlines.h:
991         (JSC::Structure::forEachProperty):
992         (JSC::Structure::add):
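The fast path described in the entry above is only valid while the copy is unobservable, and an own "__proto__" property on the source is the case that makes it observable: a spec-compliant [[Put]] of that key reaches the Object.prototype "__proto__" accessor and re-parents the target instead of adding a property. The following is an added JavaScript example, not JavaScriptCore code; its function names (specAssign, naiveFastCopy, sourceWithOwnProto, describeCopy, compareCopies) are constructed for the illustration. It contrasts the built-in Object.assign with a naive entry-copying fast path on a source that carries an own "__proto__" data property, which is the situation the new Structure flag exists to detect.

```javascript
// Added example, not JavaScriptCore code. All function names here are
// constructed for this illustration.

// Spec semantics: Object.assign does [[Get]] on the source and [[Set]] on
// the target, so a source key "__proto__" reaches the Object.prototype
// "__proto__" accessor and re-parents the target instead of adding a property.
function specAssign(target, source) {
  return Object.assign(target, source);
}

// A "copy the property entries" fast path: write each own enumerable entry
// of the source directly as an own data property on the target, skipping the
// prototype-chain [[Set]] lookup. This is only correct when nothing can
// observe the difference, which is exactly what an own "__proto__" key breaks.
function naiveFastCopy(target, source) {
  for (const key of Object.keys(source)) {
    Object.defineProperty(target, key, {
      value: source[key],
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  return target;
}

// Build a source object with an OWN data property literally named
// "__proto__" (constructed input). An object literal { __proto__: v } would
// set the prototype instead, so defineProperty is used.
function sourceWithOwnProto(protoValue) {
  const src = { x: 2 };
  Object.defineProperty(src, "__proto__", {
    value: protoValue,
    writable: true,
    enumerable: true,
    configurable: true,
  });
  return src;
}

// Observable outcome of a copy: did the target gain an own "__proto__"
// property, and did its prototype get replaced by protoValue?
function describeCopy(target, protoValue) {
  return {
    ownProto: Object.prototype.hasOwnProperty.call(target, "__proto__"),
    reparented: Object.getPrototypeOf(target) === protoValue,
    x: target.x,
  };
}

// Run both strategies on freshly built sources and report whether they agree.
// makeSource is a factory so each strategy gets its own source object.
function compareCopies(makeSource, protoValue) {
  const spec = describeCopy(specAssign({}, makeSource()), protoValue);
  const naive = describeCopy(naiveFastCopy({}, makeSource()), protoValue);
  return { spec, naive, same: JSON.stringify(spec) === JSON.stringify(naive) };
}

const injected = { injected: true }; // constructed value for the "__proto__" key
const withOwnProto = compareCopies(() => sourceWithOwnProto(injected), injected);
const plain = compareCopies(() => ({ x: 2, y: 3 }), injected);
console.log(withOwnProto.same, plain.same); // prints: false true
```

For the plain source both strategies produce the same target, so the entry-copying path is safe; for the source with an own "__proto__" the spec path re-parents the target while the naive path creates an own property, which is why the fast path has to be skipped whenever the source Structure reports such a property.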
993
994 2018-05-10  Filip Pizlo  <fpizlo@apple.com>
995
996         DFG CFA should pick the right time to inject OSR entry data
997         https://bugs.webkit.org/show_bug.cgi?id=185530
998
999         Reviewed by Saam Barati.
1000         
1001         Previously, we would do a bonus run of CFA to inject OSR entry data. This patch makes us inject
1002         OSR entry data as part of the normal flow of CFA, which reduces the total number of CFA
1003         reexecutions while minimizing the likelihood that we have CFA execute constants in paths that
1004         would eventually LUB to non-constant.
1005         
1006         This looks like almost a 1% speed-up on SunSpider-CompileTime. All of the logic for preventing
1007         execution over constants is for V8Spider-CompileTime/regexp, which would otherwise do a lot of
1008         useless regexp/string execution in the compiler.
1009
1010         * dfg/DFGBlockSet.h:
1011         (JSC::DFG::BlockSet::remove):
1012         * dfg/DFGCFAPhase.cpp:
1013         (JSC::DFG::CFAPhase::run):
1014         (JSC::DFG::CFAPhase::injectOSR):
1015         (JSC::DFG::CFAPhase::performBlockCFA):
1016
1017 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
1018
1019         InPlaceAbstractState::beginBasicBlock shouldn't copy all m_variables every time
1020         https://bugs.webkit.org/show_bug.cgi?id=185452
1021
1022         Reviewed by Michael Saboff.
1023         
1024         We were spending a lot of time in beginBasicBlock() just copying the state of all variables
1025         from the block head to InPlaceAbstractState::m_variables. It is necessary for
1026         InPlaceAbstractState to have its own copy since we need to mutate it separately from
1027         block->valuesAtHead. But most variables are untouched by most basic blocks, so this was a lot
1028         of superfluous work.
1029         
1030         This change adds a bitvector called m_activeVariables that tracks which variables have been
1031         copied. We lazily copy the variables on first use. Variables that were never copied also have
1032         a simplified merging path, which just needs to consider if the variable got clobbered between
1033         head and tail.
1034         
1035         This is a 1.5% speed-up on SunSpider-CompileTime and a 1.7% speed-up on V8Spider-CompileTime.
1036
1037         * bytecode/Operands.h:
1038         (JSC::Operands::argumentIndex const):
1039         (JSC::Operands::localIndex const):
1040         (JSC::Operands::argument):
1041         (JSC::Operands::argument const):
1042         (JSC::Operands::local):
1043         (JSC::Operands::local const):
1044         (JSC::Operands::operandIndex const):
1045         * dfg/DFGAbstractValue.h:
1046         (JSC::DFG::AbstractValue::fastForwardFromTo):
1047         * dfg/DFGCFAPhase.cpp:
1048         (JSC::DFG::CFAPhase::performForwardCFA):
1049         * dfg/DFGInPlaceAbstractState.cpp:
1050         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1051         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
1052         (JSC::DFG::InPlaceAbstractState::activateAllVariables):
1053         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1054         (JSC::DFG::InPlaceAbstractState::activateVariable):
1055         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): Deleted.
1056         * dfg/DFGInPlaceAbstractState.h:
1057         (JSC::DFG::InPlaceAbstractState::variableAt):
1058         (JSC::DFG::InPlaceAbstractState::operand):
1059         (JSC::DFG::InPlaceAbstractState::local):
1060         (JSC::DFG::InPlaceAbstractState::argument):
1061         (JSC::DFG::InPlaceAbstractState::activateVariableIfNecessary):
1062         (JSC::DFG::InPlaceAbstractState::variablesForDebugging): Deleted.
1063
1064 2018-05-09  Caio Lima  <ticaiolima@gmail.com>
1065
1066         [ESNext][BigInt] Implement support for "==" operation
1067         https://bugs.webkit.org/show_bug.cgi?id=184474
1068
1069         Reviewed by Yusuke Suzuki.
1070
1071         This patch implements BigInt support for the equals operator,
1072         following the spec semantics [1].
1073
1074         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-equality-comparison
1075
1076         * runtime/JSBigInt.cpp:
1077         (JSC::JSBigInt::parseInt):
1078         (JSC::JSBigInt::stringToBigInt):
1079         (JSC::JSBigInt::toString):
1080         (JSC::JSBigInt::setDigit):
1081         (JSC::JSBigInt::equalsToNumber):
1082         (JSC::JSBigInt::compareToDouble):
1083         * runtime/JSBigInt.h:
1084         * runtime/JSCJSValueInlines.h:
1085         (JSC::JSValue::equalSlowCaseInline):
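The abstract equality rule cited above compares the mathematical values of a BigInt and a Number exactly, which is why a BigInt-to-double conversion is not an acceptable implementation once values exceed 2**53. The following is an added JavaScript example, not JavaScriptCore code; its function names (bigIntEqualsNumber, lossyEqualsNumber, looselyEqualsBigInt, disagreements) are constructed. It implements the BigInt branches of the abstract equality comparison for the primitive types, puts the exact rule beside the lossy shortcut, and checks both against the engine's own == on sample values around the double-precision limit.

```javascript
// Added example, not JavaScriptCore code. All function names are constructed.

// Abstract equality, BigInt vs Number: NaN and the infinities never compare
// equal; otherwise the two mathematical values must be exactly equal.
// BigInt(num) is lossless for every integral double, so the comparison is
// exact even far beyond 2**53.
function bigIntEqualsNumber(big, num) {
  if (!Number.isFinite(num)) return false;   // NaN, +Infinity, -Infinity
  if (!Number.isInteger(num)) return false;  // a fractional double cannot equal an integer
  return BigInt(num) === big;
}

// The tempting shortcut: convert the BigInt to a double and compare. Above
// 2**53 the conversion rounds, so distinct integers collapse onto one double.
function lossyEqualsNumber(big, num) {
  return Number(big) === num;
}

// Abstract equality for a BigInt against the other primitive types:
// String goes through StringToBigInt (an unparsable string is never equal),
// Boolean goes through ToNumber, and null/undefined/symbol are never equal.
// Objects (ToPrimitive) are left out of this illustration.
function looselyEqualsBigInt(big, other) {
  switch (typeof other) {
    case "bigint":
      return big === other;
    case "number":
      return bigIntEqualsNumber(big, other);
    case "boolean":
      return bigIntEqualsNumber(big, Number(other));
    case "string": {
      let parsed;
      try {
        parsed = BigInt(other); // StringToBigInt: "" -> 0n, "0x10" -> 16n, "1.5" -> SyntaxError
      } catch (e) {
        if (e instanceof SyntaxError) return false;
        throw e;
      }
      return parsed === big;
    }
    default:
      return false;
  }
}

// Constructed sample pairs around the double-precision limit, each checked
// by the exact rule, by the lossy shortcut, and by the engine's own ==.
function disagreements() {
  const cases = [
    [2n ** 53n + 1n, 2 ** 53],  // 9007199254740993n vs 9007199254740992: not equal
    [2n ** 53n, 2 ** 53],       // exactly representable: equal
    [2n ** 64n + 1n, 2 ** 64],  // rounds to 2**64 as a double: not equal
    [2n ** 64n, 2 ** 64],       // equal
    [1n, 1.5],                  // fractional: not equal
    [0n, -0],                   // -0 has mathematical value 0: equal
  ];
  return cases.map(([b, n]) => ({
    big: b.toString(),
    num: n,
    exact: bigIntEqualsNumber(b, n),
    lossy: lossyEqualsNumber(b, n),
    builtin: b == n,
  }));
}
```

In the table returned by disagreements(), the exact column matches the builtin column on every row, while the lossy column reports 2**53 + 1 and 2**64 + 1 as equal to their rounded doubles; that mismatch is the case a compareToDouble implementation has to handle by comparing digit-wise rather than by converting.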
1086
1087 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
1088
1089         Speed up AbstractInterpreter::executeEdges
1090         https://bugs.webkit.org/show_bug.cgi?id=185457
1091
1092         Reviewed by Saam Barati.
1093
1094         This patch started out with the desire to make executeEdges() faster by making filtering faster.
1095         However, when I studied the disassembly, I found that there are many opportunities for
1096         improvement and I implemented all of them:
1097         
1098         - Filtering itself now has an inline fast path for when the filtering didn't change the value or
1099           for non-cells.
1100         
1101         - Edge execution doesn't fast-forward anything if the filtering fast path would have succeeded,
1102           since fast-forwarding is only interesting for cells and only if we have a clobbered value.
1103         
1104         - Similarly, edge verification doesn't need to fast-forward in the common case.
1105         
1106         - A bunch of stuff related to Graph::doToChildren is now inlined properly.
1107         
1108         - The edge doesn't even have to be considered for execution if it's UntypedUse.
1109         
1110         That last bit was the trickiest. We had gotten into a bad habit of using SpecFullNumber in the
1111         abstract interpreter. It's not correct to use SpecFullNumber in the abstract interpreter, because
1112         it means proving that the value could either be formatted as a double (with impure NaN values),
1113         or as any JSValue, or as an Int52. There is no value that could possibly hold all of those
1114         states. This "worked" before because UntypedUse would filter this down to SpecBytecodeNumber. To
1115         make it work again, I needed to fix all of those uses of SpecFullNumber. In the future, we need
1116         to be careful about picking either SpecFullDouble (if returning a DoubleRep) or
1117         SpecBytecodeNumber (if returning a JSValueRep).
1118         
1119         But that fix revealed an amazing timeout in
1120         stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js. We were getting
1121         stuck in an OSR loop (baseline->DFG->FTL->baseline), all involving the same bytecode, without
1122         ever realizing that we should jettison something. The problem was with how
1123         triggerReoptimizationNow was getting the optimizedCodeBlock. It was trying to guess it by using
1124         baselineCodeBlock->replacement(), but that's wrong for FTL-for-OSR-entry code blocks.
1125         
1126         This is a 1% improvement in V8Spider-CompileTime.
1127
1128         * bytecode/ExitKind.cpp:
1129         (JSC::exitKindMayJettison):
1130         * dfg/DFGAbstractInterpreter.h:
1131         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
1132         (JSC::DFG::AbstractInterpreter::filterByType): Deleted.
1133         * dfg/DFGAbstractInterpreterInlines.h:
1134         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::AbstractInterpreterExecuteEdgesFunc):
1135         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::operator() const):
1136         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
1137         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByType):
1138         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
1139         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1140         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1141         * dfg/DFGAbstractValue.cpp:
1142         (JSC::DFG::AbstractValue::filterSlow):
1143         (JSC::DFG::AbstractValue::fastForwardToAndFilterSlow):
1144         * dfg/DFGAbstractValue.h:
1145         (JSC::DFG::AbstractValue::filter):
1146         (JSC::DFG::AbstractValue::fastForwardToAndFilter):
1147         (JSC::DFG::AbstractValue::fastForwardToAndFilterUnproven):
1148         (JSC::DFG::AbstractValue::makeTop):
1149         * dfg/DFGAtTailAbstractState.h:
1150         (JSC::DFG::AtTailAbstractState::fastForward):
1151         (JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
1152         (JSC::DFG::AtTailAbstractState::fastForwardAndFilterUnproven):
1153         * dfg/DFGGraph.h:
1154         (JSC::DFG::Graph::doToChildren):
1155         * dfg/DFGInPlaceAbstractState.h:
1156         (JSC::DFG::InPlaceAbstractState::fastForward):
1157         (JSC::DFG::InPlaceAbstractState::fastForwardAndFilterUnproven):
1158         (JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
1159         * dfg/DFGOSRExit.cpp:
1160         (JSC::DFG::OSRExit::executeOSRExit):
1161         * dfg/DFGOSRExitCompilerCommon.cpp:
1162         (JSC::DFG::handleExitCounts):
1163         * dfg/DFGOperations.cpp:
1164         * dfg/DFGOperations.h:
1165
1166 2018-05-09  Saam Barati  <sbarati@apple.com>
1167
1168         Add JSVirtualMachine SPI to shrink the memory footprint of the VM
1169         https://bugs.webkit.org/show_bug.cgi?id=185441
1170         <rdar://problem/39999414>
1171
1172         Reviewed by Keith Miller.
1173
1174         This patch adds JSVirtualMachine SPI to release as much memory as possible.
1175         The SPI does:
1176         - Deletes all code caches.
1177         - Runs a synchronous GC.
1178         - Runs the scavenger.
1179
1180         * API/JSVirtualMachine.mm:
1181         (-[JSVirtualMachine shrinkFootprint]):
1182         * API/JSVirtualMachinePrivate.h: Added.
1183         * API/tests/testapi.mm:
1184         (testObjectiveCAPIMain):
1185         * JavaScriptCore.xcodeproj/project.pbxproj:
1186         * runtime/VM.cpp:
1187         (JSC::VM::shrinkFootprint):
1188         * runtime/VM.h:
1189
1190 2018-05-09  Leo Balter  <leonardo.balter@gmail.com>
1191
1192         [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
1193         Error found in the following Test262 tests:
1194
1195         - test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js
1196         - test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js
1197         - test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js
1198
1199         The ArraySpeciesCreate should throw a RangeError with non-Array custom objects
1200         presenting a length > 2**32-1
1201         https://bugs.webkit.org/show_bug.cgi?id=185476
1202
1203         Reviewed by Yusuke Suzuki.
1204
1205         * runtime/ArrayPrototype.cpp:
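The failing test262 cases listed above all reduce to the first step of ArraySpeciesCreate: when the original object is not an Array, the result must come from ArrayCreate(length), and ArrayCreate throws a RangeError for any length above 2**32 - 1 rather than producing a truncated array. The following is an added JavaScript example, not JavaScriptCore code; its names (arraySpeciesCreate, tryCreate, builtinSliceOnOversizedArrayLike, MyArray, MAX_ARRAY_LENGTH) are constructed. It implements the spec steps of ArraySpeciesCreate so the non-Array, proxied-Array and null-species cases can be run side by side, and checks the engine's own Array.prototype.slice on an oversized array-like.

```javascript
// Added example, not JavaScriptCore code. All names here are constructed.

const MAX_ARRAY_LENGTH = 2 ** 32 - 1; // largest valid Array length

// ArraySpeciesCreate(originalArray, length) following the spec steps.
// Step 1 is the one the entry above fixes: a non-Array original always goes
// through ArrayCreate(length), which new Array(n) performs, including its
// RangeError for n > 2**32 - 1. The realm check for cross-realm Array
// constructors is omitted here.
function arraySpeciesCreate(originalArray, length) {
  if (!Array.isArray(originalArray)) {
    return new Array(length);
  }
  let C = originalArray.constructor;
  if (C !== null && (typeof C === "object" || typeof C === "function")) {
    C = C[Symbol.species];
    if (C === null) C = undefined;
  }
  if (C === undefined) return new Array(length);
  if (typeof C !== "function") throw new TypeError("species is not a constructor");
  return new C(length);
}

// Call arraySpeciesCreate and report what came out, or which error it threw.
function tryCreate(original, length) {
  try {
    const result = arraySpeciesCreate(original, length);
    return { ok: true, kind: result.constructor.name, length: result.length };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// The engine's own Array.prototype.slice on an array-like (not an Array)
// whose length claims to be one past the maximum. Per spec the species
// step must reach ArrayCreate and throw RangeError instead of silently
// building an array of some other length.
function builtinSliceOnOversizedArrayLike() {
  const arrayLike = { length: MAX_ARRAY_LENGTH + 1, 0: "a" }; // constructed input
  try {
    Array.prototype.slice.call(arrayLike);
    return "no error";
  } catch (e) {
    return e.constructor.name;
  }
}

// An Array subclass, used to show that the species path still honours it.
class MyArray extends Array {}
```

Running tryCreate with a plain array-like and an in-range length yields an ordinary Array; the same array-like with MAX_ARRAY_LENGTH + 1, or a Proxy wrapping an Array with that length, yields a RangeError; a MyArray original yields a MyArray; and an Array whose constructor's species is null falls back to Array, matching the three test262 cases named in the entry.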
1206
1207 2018-05-09  Michael Catanzaro  <mcatanzaro@igalia.com>
1208
1209         [WPE] Build cleanly with GCC 8 and ICU 60
1210         https://bugs.webkit.org/show_bug.cgi?id=185462
1211
1212         Reviewed by Carlos Alberto Lopez Perez.
1213
1214         * API/glib/JSCClass.cpp: Silence many -Wcast-function-type warnings.
1215         (jsc_class_add_constructor):
1216         (jsc_class_add_method):
1217         * API/glib/JSCValue.cpp: Silence many -Wcast-function-type warnings.
1218         (jsc_value_object_define_property_accessor):
1219         (jsc_value_new_function):
1220         * CMakeLists.txt: Build BuiltinNames.cpp with -fno-var-tracking-assignments. This was a
1221         problem with GCC 7 too, but might as well fix it now.
1222         * assembler/ProbeContext.h:
1223         (JSC::Probe::CPUState::gpr const): Silence a -Wclass-memaccess warning.
1224         (JSC::Probe::CPUState::spr const): Ditto. Assume std::remove_const is safe to clobber.
1225         * b3/air/AirArg.h:
1226         (JSC::B3::Air::Arg::isRepresentableAs): Silence -Wfallthrough warning.
1227         * builtins/BuiltinNames.cpp:
1228         (JSC::BuiltinNames::BuiltinNames): Moved from BuiltinNames.h so we can use a special flag.
1229         * builtins/BuiltinNames.h:
1230         (JSC::BuiltinNames::BuiltinNames): Moved to BuiltinNames.cpp.
1231         * dfg/DFGDoubleFormatState.h:
1232         (JSC::DFG::mergeDoubleFormatStates): Silence -Wfallthrough warnings.
1233         * heap/MarkedBlockInlines.h:
1234         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType): Silence -Wfallthrough warnings.
1235         * runtime/ConfigFile.cpp:
1236         (JSC::ConfigFile::canonicalizePaths): Here GCC found a genuine mistake: strncat is called
1237         with the wrong length parameter and the result is not null-terminated. Also, silence a
1238         -Wstringop-truncation warning as we intentionally truncate filenames that exceed PATH_MAX.
1239         * runtime/IntlDateTimeFormat.cpp:
1240         (JSC::IntlDateTimeFormat::partTypeString): Avoid an ICU deprecation warning.
1241         * runtime/JSGlobalObject.cpp:
1242         (JSC::JSGlobalObject::init): We were unconditionally running some BigInt code by accident.
1243         (JSC::JSGlobalObject::visitChildren): Probably a serious bug? Fixed.
1244
1245 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1246
1247         [ARMv7] Drop ARMv7 disassembler in favor of capstone
1248         https://bugs.webkit.org/show_bug.cgi?id=185423
1249
1250         Reviewed by Michael Catanzaro.
1251
1252         This patch removes ARMv7Disassembler in our tree.
1253         We already adopted Capstone, and it is already used in ARMv7 JIT environments.
1254
1255         * CMakeLists.txt:
1256         * JavaScriptCore.xcodeproj/project.pbxproj:
1257         * Sources.txt:
1258         * disassembler/ARMv7/ARMv7DOpcode.cpp: Removed.
1259         * disassembler/ARMv7/ARMv7DOpcode.h: Removed.
1260         * disassembler/ARMv7Disassembler.cpp: Removed.
1261
1262 2018-05-09  Srdjan Lazarevic  <srdjan.lazarevic@rt-rk.com>
1263
1264         [MIPS] Optimize generated JIT code using r2
1265         https://bugs.webkit.org/show_bug.cgi?id=184584
1266
1267         Reviewed by Yusuke Suzuki.
1268
1269         EXT and MFHC1 instructions from MIPSR2 are implemented and used where possible.
1270         Also, some code size optimizations that were discovered in the meantime were done.
1271
1272         * assembler/MIPSAssembler.h:
1273         (JSC::MIPSAssembler::ext):
1274         (JSC::MIPSAssembler::mfhc1):
1275         * assembler/MacroAssemblerMIPS.cpp:
1276         * assembler/MacroAssemblerMIPS.h:
1277         (JSC::MacroAssemblerMIPS::isPowerOf2):
1278         (JSC::MacroAssemblerMIPS::bitPosition):
1279         (JSC::MacroAssemblerMIPS::loadAddress):
1280         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
1281         (JSC::MacroAssemblerMIPS::load8):
1282         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1283         (JSC::MacroAssemblerMIPS::load32):
1284         (JSC::MacroAssemblerMIPS::load16Unaligned):
1285         (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
1286         (JSC::MacroAssemblerMIPS::load16):
1287         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
1288         (JSC::MacroAssemblerMIPS::store8):
1289         (JSC::MacroAssemblerMIPS::store16):
1290         (JSC::MacroAssemblerMIPS::store32):
1291         (JSC::MacroAssemblerMIPS::branchTest32):
1292         (JSC::MacroAssemblerMIPS::loadFloat):
1293         (JSC::MacroAssemblerMIPS::loadDouble):
1294         (JSC::MacroAssemblerMIPS::storeFloat):
1295         (JSC::MacroAssemblerMIPS::storeDouble):
1296
1297 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1298
1299         [JSC][GTK][JSCONLY] Use capstone disassembler
1300         https://bugs.webkit.org/show_bug.cgi?id=185283
1301
1302         Reviewed by Michael Catanzaro.
1303
1304         Instead of adding a MIPS disassembler baked by ourselves, we import the capstone disassembler.
1305         And we use the capstone disassembler for MIPS, ARM, and ARMv7 in the GTK, WPE, WinCairo and JSCOnly ports.
1306
1307         And we remove the ARM LLVM disassembler.
1308
1309         Capstone is licensed under 3-clause BSD, which is acceptable in WebKit tree.
1310
1311         * CMakeLists.txt:
1312         * Sources.txt:
1313         * disassembler/ARMLLVMDisassembler.cpp: Removed.
1314         * disassembler/CapstoneDisassembler.cpp: Added.
1315         (JSC::tryToDisassemble):
1316
1317 2018-05-09  Dominik Infuehr  <dinfuehr@igalia.com>
1318
1319         [MIPS] Use mfhc1 and mthc1 to fix assembler error
1320         https://bugs.webkit.org/show_bug.cgi?id=185464
1321
1322         Reviewed by Yusuke Suzuki.
1323
1324         The binutils-assembler started to report failures for copying words between
1325         GP and FP registers for odd FP register indices. Use mfhc1 and mthc1 instead
1326         of mfc1 and mtc1 for conversion.
1327
1328         * offlineasm/mips.rb:
1329
1330 2018-05-08  Dominik Infuehr  <dinfuehr@igalia.com>
1331
1332         [MIPS] Collect callee-saved register using inline assembly
1333         https://bugs.webkit.org/show_bug.cgi?id=185428
1334
1335         Reviewed by Yusuke Suzuki.
1336
1337         MIPS used setjmp instead of collecting registers with inline assembly like
1338         other architectures.
1339
1340         * heap/RegisterState.h:
1341
1342 2018-05-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1343
1344         [BigInt] Simplifying JSBigInt by using bool addition
1345         https://bugs.webkit.org/show_bug.cgi?id=185374
1346
1347         Reviewed by Alex Christensen.
1348
1349         Since using TWO_DIGIT does not produce good code, we remove this part from digitAdd and digitSub.
1350         Just adding the overflow flag to the carry/borrow produces setb + add on x86.
1351
1352         Also, we annotate small helper functions and accessors with `inline` so that these functions are not called
1353         inside the internalMultiplyAdd loop.
1354
1355         * runtime/JSBigInt.cpp:
1356         (JSC::JSBigInt::isZero):
1357         (JSC::JSBigInt::inplaceMultiplyAdd):
1358         (JSC::JSBigInt::digitAdd):
1359         (JSC::JSBigInt::digitSub):
1360         (JSC::JSBigInt::digitMul):
1361         (JSC::JSBigInt::digitPow):
1362         (JSC::JSBigInt::digitDiv):
1363         (JSC::JSBigInt::offsetOfData):
1364         (JSC::JSBigInt::dataStorage):
1365         (JSC::JSBigInt::digit):
1366         (JSC::JSBigInt::setDigit):
1367
1368 2018-05-08  Michael Saboff  <msaboff@apple.com>
1369
1370         Replace multiple Watchpoint Set fireAll() methods with templates
1371         https://bugs.webkit.org/show_bug.cgi?id=185456
1372
1373         Reviewed by Saam Barati.
1374
1375         Refactored to minimize duplicate code.
1376
1377         * bytecode/Watchpoint.h:
1378         (JSC::WatchpointSet::fireAll):
1379         (JSC::InlineWatchpointSet::fireAll):
1380
1381 2018-05-08  Filip Pizlo  <fpizlo@apple.com>
1382
1383         DFG::FlowMap::resize() shouldn't resize the shadow map unless we're in SSA
1384         https://bugs.webkit.org/show_bug.cgi?id=185453
1385
1386         Reviewed by Michael Saboff.
1387         
1388         Tiny improvement for compile times.
1389
1390         * dfg/DFGFlowMap.h:
1391         (JSC::DFG::FlowMap::resize): Remove one Vector::resize() when we're not in SSA.
1392         * dfg/DFGInPlaceAbstractState.cpp:
1393         (JSC::DFG::InPlaceAbstractState::beginBasicBlock): Record some data about how long we spend in different parts of this and add a FIXME linking bug 185452.
1394
1395 2018-05-08  Michael Saboff  <msaboff@apple.com>
1396
1397         Deferred firing of structure transition watchpoints is racy
1398         https://bugs.webkit.org/show_bug.cgi?id=185438
1399
1400         Reviewed by Saam Barati.
1401
1402         Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire
1403         and fire them in the destructor.  When the watchpoints are taken from the
1404         original WatchpointSet, that WatchpointSet is marked invalid.
1405
1406         * bytecode/Watchpoint.cpp:
1407         (JSC::WatchpointSet::fireAllSlow):
1408         (JSC::WatchpointSet::take):
1409         (JSC::DeferredWatchpointFire::DeferredWatchpointFire):
1410         (JSC::DeferredWatchpointFire::~DeferredWatchpointFire):
1411         (JSC::DeferredWatchpointFire::fireAll):
1412         (JSC::DeferredWatchpointFire::takeWatchpointsToFire):
1413         * bytecode/Watchpoint.h:
1414         (JSC::WatchpointSet::fireAll):
1415         (JSC::InlineWatchpointSet::fireAll):
1416         * runtime/JSObject.cpp:
1417         (JSC::JSObject::setPrototypeDirect):
1418         (JSC::JSObject::convertToDictionary):
1419         * runtime/JSObjectInlines.h:
1420         (JSC::JSObject::putDirectInternal):
1421         * runtime/Structure.cpp:
1422         (JSC::Structure::Structure):
1423         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire):
1424         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
1425         (JSC::DeferredStructureTransitionWatchpointFire::dump const):
1426         (JSC::Structure::didTransitionFromThisStructure const):
1427         (JSC::DeferredStructureTransitionWatchpointFire::add): Deleted.
1428         * runtime/Structure.h:
1429         (JSC::DeferredStructureTransitionWatchpointFire::structure const):
1430
1431 2018-05-08  Eric Carlson  <eric.carlson@apple.com>
1432
1433         Consecutive messages logged as JSON are coalesced
1434         https://bugs.webkit.org/show_bug.cgi?id=185432
1435
1436         Reviewed by Joseph Pecoraro.
1437
1438         * inspector/ConsoleMessage.cpp:
1439         (Inspector::ConsoleMessage::isEqual const): Messages with JSON arguments are not equal.
1440
1441 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
1442
1443         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
1444         https://bugs.webkit.org/show_bug.cgi?id=185365
1445
1446         Reviewed by Saam Barati.
1447         
1448         This patch does three things to improve compile times:
1449         
1450         - Fixes some inlining goofs.
1451         
1452         - Adds the ability to measure compile times with run-jsc-benchmarks.
1453         
1454         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
1455           code that clears abstract values. It turns out that constant folding "needed" this, in the
1456           sense that this was the only thing protecting it from loading the abstract value of a no-result
1457           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
1458           Any node that produces a result will explicitly set its abstract value, so this problem can
1459           also be guarded by just having constant folding check if the node it wants to fold returns any
1460           result.
1461         
1462         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
1463         
1464         Rolling back in after fixing cloop build.
1465
1466         * dfg/DFGAbstractInterpreterInlines.h:
1467         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1468         * dfg/DFGAbstractValue.cpp:
1469         (JSC::DFG::AbstractValue::set):
1470         * dfg/DFGAbstractValue.h:
1471         (JSC::DFG::AbstractValue::merge):
1472         * dfg/DFGConstantFoldingPhase.cpp:
1473         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1474         * dfg/DFGGraph.h:
1475         (JSC::DFG::Graph::doToChildrenWithNode):
1476         (JSC::DFG::Graph::doToChildren):
1477         * dfg/DFGInPlaceAbstractState.cpp:
1478         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1479         * jit/JIT.cpp:
1480         (JSC::JIT::totalCompileTime):
1481         * jit/JIT.h:
1482         * jsc.cpp:
1483         (GlobalObject::finishCreation):
1484         (functionTotalCompileTime):
1485
1486 2018-05-08  Ryan Haddad  <ryanhaddad@apple.com>
1487
1488         Unreviewed, rolling out r231468.
1489
1490         Broke the CLoop build
1491
1492         Reverted changeset:
1493
1494         "InPlaceAbstractState::beginBasicBlock shouldn't have to clear
1495         any abstract values"
1496         https://bugs.webkit.org/show_bug.cgi?id=185365
1497         https://trac.webkit.org/changeset/231468
1498
1499 2018-05-07  Daniel Bates  <dabates@apple.com>
1500
1501         Check X-Frame-Options and CSP frame-ancestors in network process
1502         https://bugs.webkit.org/show_bug.cgi?id=185410
1503         <rdar://problem/37733934>
1504
1505         Reviewed by Ryosuke Niwa.
1506
1507         Add enum traits for MessageSource and MessageLevel so that we can encode and decode them for IPC.
1508
1509         * runtime/ConsoleTypes.h:
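
        Added example (not WebKit code): the range check an IPC decoder needs before it turns an untrusted
        byte back into an enum, which is what enum traits exist to support. The MessageSource and MessageLevel
        enumerator lists, the EnumTraits layout and the Decoder class are hypothetical stand-ins; the message
        bytes in the usage are constructed for the example.

```cpp
// Added example, not WebKit code. Enumerator lists, EnumTraits layout and Decoder are hypothetical.
#include <array>
#include <cstddef>
#include <cstdint>
#include <type_traits>
#include <utility>
#include <vector>

enum class MessageSource : uint8_t { XML = 0, JS = 1, Network = 2, ConsoleAPI = 3 };          // hypothetical subset
enum class MessageLevel  : uint8_t { Log = 0, Warning = 1, Error = 2, Debug = 3, Info = 4 };  // hypothetical subset

// Primary template is only declared: decoding an enum that has no traits fails to compile
// instead of silently accepting any byte.
template<typename E> struct EnumTraits;

template<> struct EnumTraits<MessageSource> {
    static std::array<MessageSource, 4> values() {
        return {{ MessageSource::XML, MessageSource::JS, MessageSource::Network, MessageSource::ConsoleAPI }};
    }
};
template<> struct EnumTraits<MessageLevel> {
    static std::array<MessageLevel, 5> values() {
        return {{ MessageLevel::Log, MessageLevel::Warning, MessageLevel::Error, MessageLevel::Debug, MessageLevel::Info }};
    }
};

// True only if `raw` is one of the enumerators listed in the traits. Listing the values
// explicitly (rather than testing `raw <= Last`) also covers enums with gaps.
template<typename E>
bool isValidEnum(typename std::underlying_type<E>::type raw) {
    for (E e : EnumTraits<E>::values()) {
        if (static_cast<typename std::underlying_type<E>::type>(e) == raw)
            return true;
    }
    return false;
}

// Minimal decoder over bytes received from another process. It fails closed: a truncated
// message or an out-of-range byte leaves `out` untouched and returns false.
class Decoder {
public:
    explicit Decoder(std::vector<uint8_t> bytes) : m_bytes(std::move(bytes)) {}

    template<typename E>
    bool decodeEnum(E& out) {
        static_assert(sizeof(typename std::underlying_type<E>::type) == 1, "example assumes 1-byte enums");
        if (m_offset >= m_bytes.size())
            return false;
        uint8_t raw = m_bytes[m_offset];
        if (!isValidEnum<E>(raw))
            return false;
        ++m_offset;
        out = static_cast<E>(raw);
        return true;
    }

private:
    std::vector<uint8_t> m_bytes;
    size_t m_offset = 0;
};

// A console-message header as it might cross the process boundary: source byte, then level byte.
struct MessageHeader {
    MessageSource source;
    MessageLevel level;
};

bool decodeHeader(const std::vector<uint8_t>& wire, MessageHeader& header) {
    Decoder decoder(wire);
    return decoder.decodeEnum(header.source) && decoder.decodeEnum(header.level);
}
```

        The point of the explicit value list is that a compromised sender controls every byte; a bare
        static_cast would let it produce an enumerator the receiver never switches on.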
1510
1511 2018-05-07  Saam Barati  <sbarati@apple.com>
1512
1513         Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them
1514         https://bugs.webkit.org/show_bug.cgi?id=185329
1515         <rdar://problem/39961536>
1516
1517         Reviewed by Michael Saboff.
1518
1519         I was made aware of a memory goof inside of JSC where we would inefficiently
1520         use space to represent an UnlinkedFunctionExecutable's parent TDZ variables.
1521         
1522         We did two things badly:
1523         1. We used a HashMap instead of a Vector to represent the environment. Having
1524         a HashMap is useful when looking things up when generating bytecode, but it's
1525         space inefficient. Because UnlinkedFunctionExecutables live a long time because
1526         of the code cache, we should have them store this information efficiently
1527         inside of a Vector.
1528         
1529         2. We didn't hash-cons these environments together. If you think about how
1530         some programs are structured, hash-consing these together is hugely profitable.
1531         Consider some code like this:
1532         ```
1533         const/let V_1 = ...;
1534         const/let V_2 = ...;
1535         ...
1536         const/let V_n = ...;
1537         
1538         function f_1() { ... };
1539         function f_2() { ... };
1540         ...
1541         function f_n() { ... };
1542         ```
1543         
1544         Each f_i would store an identical hash map for its parent TDZ variables
1545         consisting of {V_1, ..., V_n}. This was incredibly dumb. With hash-consing,
1546         each f_i just holds onto a reference to the environment.
1547         
1548         I benchmarked this change against an app that made heavy use of the
1549         above code pattern and it reduced its peak memory footprint from ~220MB
1550         to ~160MB.
1551
1552         * bytecode/UnlinkedFunctionExecutable.cpp:
1553         (JSC::generateUnlinkedFunctionCodeBlock):
1554         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1555         * bytecode/UnlinkedFunctionExecutable.h:
1556         * parser/VariableEnvironment.cpp:
1557         (JSC::CompactVariableEnvironment::CompactVariableEnvironment):
1558         (JSC::CompactVariableEnvironment::operator== const):
1559         (JSC::CompactVariableEnvironment::toVariableEnvironment const):
1560         (JSC::CompactVariableMap::get):
1561         (JSC::CompactVariableMap::Handle::~Handle):
1562         * parser/VariableEnvironment.h:
1563         (JSC::VariableEnvironmentEntry::bits const):
1564         (JSC::VariableEnvironmentEntry::operator== const):
1565         (JSC::VariableEnvironment::isEverythingCaptured const):
1566         (JSC::CompactVariableEnvironment::hash const):
1567         (JSC::CompactVariableMapKey::CompactVariableMapKey):
1568         (JSC::CompactVariableMapKey::hash):
1569         (JSC::CompactVariableMapKey::equal):
1570         (JSC::CompactVariableMapKey::makeDeletedValue):
1571         (JSC::CompactVariableMapKey::isHashTableDeletedValue const):
1572         (JSC::CompactVariableMapKey::isHashTableEmptyValue const):
1573         (JSC::CompactVariableMapKey::environment):
1574         (WTF::HashTraits<JSC::CompactVariableMapKey>::emptyValue):
1575         (WTF::HashTraits<JSC::CompactVariableMapKey>::isEmptyValue):
1576         (WTF::HashTraits<JSC::CompactVariableMapKey>::constructDeletedValue):
1577         (WTF::HashTraits<JSC::CompactVariableMapKey>::isDeletedValue):
1578         (JSC::CompactVariableMap::Handle::Handle):
1579         (JSC::CompactVariableMap::Handle::environment const):
1580         (JSC::VariableEnvironment::VariableEnvironment): Deleted.
1581         * runtime/VM.cpp:
1582         (JSC::VM::VM):
1583         * runtime/VM.h:
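
        Added example (not WebKit code): a hash-consing map for vector-backed compact environments, written
        to illustrate the pattern the entry above describes. The entry type, the flag bits and the
        CompactVariableMap interface are hypothetical; the sibling-function driver at the end models the
        const/let V_1..V_n, function f_1..f_n program shape from the entry.

```cpp
// Added example, not WebKit code. Entry layout, flags and the map interface are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

struct CompactVariableEntry {
    std::string name;
    uint8_t bits;   // hypothetical per-variable flags (e.g. captured, const)
    bool operator==(const CompactVariableEntry& other) const { return name == other.name && bits == other.bits; }
};

// Vector-backed (not HashMap-backed) environment. Entries are kept sorted by name so that two
// environments declaring the same variables compare equal regardless of insertion order.
struct CompactVariableEnvironment {
    std::vector<CompactVariableEntry> entries;

    bool operator==(const CompactVariableEnvironment& other) const { return entries == other.entries; }

    size_t hash() const {
        size_t h = 0;
        for (const CompactVariableEntry& e : entries) {
            h ^= std::hash<std::string>{}(e.name) + 0x9e3779b9u + (h << 6) + (h >> 2);
            h ^= std::hash<unsigned>{}(e.bits) + 0x9e3779b9u + (h << 6) + (h >> 2);
        }
        return h;
    }
};

class CompactVariableMap {
public:
    // A Handle is a shared reference; every function with the same parent environment holds the same one.
    using Handle = std::shared_ptr<const CompactVariableEnvironment>;

    Handle get(std::vector<CompactVariableEntry> declarations) {
        std::sort(declarations.begin(), declarations.end(),
            [](const CompactVariableEntry& a, const CompactVariableEntry& b) { return a.name < b.name; });
        CompactVariableEnvironment candidate{ std::move(declarations) };

        std::vector<Handle>& bucket = m_table[candidate.hash()];
        for (const Handle& existing : bucket) {
            if (*existing == candidate)
                return existing;   // hash-cons hit: no new allocation
        }
        bucket.push_back(std::make_shared<const CompactVariableEnvironment>(std::move(candidate)));
        return bucket.back();
    }

    size_t uniqueEnvironments() const {
        size_t count = 0;
        for (const auto& kv : m_table)
            count += kv.second.size();
        return count;
    }

private:
    // Bucketed by hash; equality is checked per bucket so a hash collision never merges distinct environments.
    std::unordered_map<size_t, std::vector<Handle>> m_table;
};

// Models the program shape in the entry: variableCount top-level const/let declarations followed by
// functionCount sibling functions that each record the same parent TDZ variables.
// Returns how many distinct environments the map had to allocate.
size_t environmentsAllocatedForSiblings(size_t variableCount, size_t functionCount) {
    CompactVariableMap map;
    std::vector<CompactVariableMap::Handle> perFunction;
    for (size_t f = 0; f < functionCount; ++f) {
        std::vector<CompactVariableEntry> parentTDZ;
        for (size_t v = 0; v < variableCount; ++v)
            parentTDZ.push_back({ "V_" + std::to_string(v + 1), 0 });
        perFunction.push_back(map.get(std::move(parentTDZ)));
    }
    return map.uniqueEnvironments();
}
```

        With this shape, n sibling functions cost one environment allocation plus n handles instead of n
        copies of the same map, which is where the footprint reduction in the entry comes from.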
1584
1585 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1586
1587         [DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers
1588         https://bugs.webkit.org/show_bug.cgi?id=185371
1589
1590         Reviewed by Mark Lam.
1591
1592         Since MIPS GPRInfo claims it has only 7 registers, some DFG code exhausts registers.
1593         As a result, we need to maintain separate code for MIPS. This increases the DFG maintenance burden,
1594         but actually MIPS has many more registers.
1595
1596         This patch adds $a0 - $a3 to the temporary registers. This is OK since our temporary registers can be overlapped with
1597         argument registers (see ARM, X86 implementations). These registers are caller-save ones, so we do not need to
1598         have an extra mechanism.
1599
1600         Then, we remove several unnecessary MIPS code paths in our JIT infrastructure.
1601
1602         * dfg/DFGByteCodeParser.cpp:
1603         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1604         * dfg/DFGFixupPhase.cpp:
1605         (JSC::DFG::FixupPhase::fixupNode):
1606         * dfg/DFGSpeculativeJIT32_64.cpp:
1607         (JSC::DFG::SpeculativeJIT::compile):
1608         * jit/CCallHelpers.h:
1609         * jit/GPRInfo.h:
1610         (JSC::GPRInfo::toRegister):
1611         (JSC::GPRInfo::toIndex):
1612         * offlineasm/mips.rb:
1613
1614 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1615
1616         DFG AI should have O(1) clobbering
1617         https://bugs.webkit.org/show_bug.cgi?id=185287
1618
1619         Reviewed by Saam Barati.
1620         
1621         This fixes an old scalability problem in AI. Previously, if we did clobberWorld(), then we
1622         would traverse all of the state available to the AI at that time and clobber it.
1623         
1624         This changes clobberWorld() to be O(1). It just does some math to a clobber epoch.
1625         
1626         This is a ~1% speed-up for compile times.
1627
1628         * JavaScriptCore.xcodeproj/project.pbxproj:
1629         * Sources.txt:
1630         * dfg/DFGAbstractInterpreter.h:
1631         (JSC::DFG::AbstractInterpreter::forNode):
1632         (JSC::DFG::AbstractInterpreter::setForNode):
1633         (JSC::DFG::AbstractInterpreter::clearForNode):
1634         (JSC::DFG::AbstractInterpreter::variables): Deleted.
1635         * dfg/DFGAbstractInterpreterInlines.h:
1636         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1637         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
1638         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
1639         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
1640         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1641         * dfg/DFGAbstractValue.cpp:
1642         (JSC::DFG::AbstractValue::fastForwardToSlow):
1643         * dfg/DFGAbstractValue.h:
1644         (JSC::DFG::AbstractValue::fastForwardTo):
1645         (JSC::DFG::AbstractValue::clobberStructuresFor): Deleted.
1646         (JSC::DFG::AbstractValue::observeInvalidationPoint): Deleted.
1647         (JSC::DFG::AbstractValue::observeInvalidationPointFor): Deleted.
1648         * dfg/DFGAbstractValueClobberEpoch.cpp: Added.
1649         (JSC::DFG::AbstractValueClobberEpoch::dump const):
1650         * dfg/DFGAbstractValueClobberEpoch.h: Added.
1651         (JSC::DFG::AbstractValueClobberEpoch::AbstractValueClobberEpoch):
1652         (JSC::DFG::AbstractValueClobberEpoch::first):
1653         (JSC::DFG::AbstractValueClobberEpoch::clobber):
1654         (JSC::DFG::AbstractValueClobberEpoch::observeInvalidationPoint):
1655         (JSC::DFG::AbstractValueClobberEpoch::operator== const):
1656         (JSC::DFG::AbstractValueClobberEpoch::operator!= const):
1657         (JSC::DFG::AbstractValueClobberEpoch::structureClobberState const):
1658         (JSC::DFG::AbstractValueClobberEpoch::clobberEpoch const):
1659         * dfg/DFGAtTailAbstractState.h:
1660         (JSC::DFG::AtTailAbstractState::setForNode):
1661         (JSC::DFG::AtTailAbstractState::clearForNode):
1662         (JSC::DFG::AtTailAbstractState::numberOfArguments const):
1663         (JSC::DFG::AtTailAbstractState::numberOfLocals const):
1664         (JSC::DFG::AtTailAbstractState::operand):
1665         (JSC::DFG::AtTailAbstractState::local):
1666         (JSC::DFG::AtTailAbstractState::argument):
1667         (JSC::DFG::AtTailAbstractState::clobberStructures):
1668         (JSC::DFG::AtTailAbstractState::observeInvalidationPoint):
1669         (JSC::DFG::AtTailAbstractState::variables): Deleted.
1670         * dfg/DFGCFAPhase.cpp:
1671         (JSC::DFG::CFAPhase::performBlockCFA):
1672         * dfg/DFGConstantFoldingPhase.cpp:
1673         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1674         * dfg/DFGFlowMap.h:
1675         (JSC::DFG::FlowMap::at):
1676         (JSC::DFG::FlowMap::atShadow):
1677         (JSC::DFG::FlowMap::at const):
1678         (JSC::DFG::FlowMap::atShadow const):
1679         * dfg/DFGInPlaceAbstractState.cpp:
1680         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1681         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1682         * dfg/DFGInPlaceAbstractState.h:
1683         (JSC::DFG::InPlaceAbstractState::forNode):
1684         (JSC::DFG::InPlaceAbstractState::setForNode):
1685         (JSC::DFG::InPlaceAbstractState::clearForNode):
1686         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
1687         (JSC::DFG::InPlaceAbstractState::numberOfArguments const):
1688         (JSC::DFG::InPlaceAbstractState::numberOfLocals const):
1689         (JSC::DFG::InPlaceAbstractState::operand):
1690         (JSC::DFG::InPlaceAbstractState::local):
1691         (JSC::DFG::InPlaceAbstractState::argument):
1692         (JSC::DFG::InPlaceAbstractState::variableAt):
1693         (JSC::DFG::InPlaceAbstractState::clobberStructures):
1694         (JSC::DFG::InPlaceAbstractState::observeInvalidationPoint):
1695         (JSC::DFG::InPlaceAbstractState::fastForward):
1696         (JSC::DFG::InPlaceAbstractState::variables): Deleted.
1697         * dfg/DFGSpeculativeJIT64.cpp:
1698         (JSC::DFG::SpeculativeJIT::compile):
1699         * ftl/FTLLowerDFGToB3.cpp:
1700         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
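
        Added example (not WebKit code): the epoch trick behind an O(1) clobberWorld(), reduced to a
        minimal abstract state. Instead of walking every abstract value when the world is clobbered, a
        counter is bumped; a value whose recorded epoch is stale is treated as clobbered when it is next
        read. Node ids, the integer "structure" stand-in and the class names are hypothetical.

```cpp
// Added example, not WebKit code. Node ids, structure ids and class names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <vector>

struct AbstractValue {
    // Hypothetical stand-in for the structure set: -1 means "unknown / clobbered (top)".
    int knownStructure = -1;
    uint32_t epoch = 0;   // epoch at which knownStructure was last proven
};

class ClobberEpochState {
public:
    explicit ClobberEpochState(size_t nodeCount) : m_values(nodeCount) {}

    // Proving a fact about a node stamps the value with the current epoch.
    void setKnownStructure(size_t node, int structureId) {
        m_values[node].knownStructure = structureId;
        m_values[node].epoch = m_epoch;
    }

    // Before: iterate over all values and forget their structures. Now: one increment.
    void clobberWorld() {
        ++m_epoch;
        ++m_clobberCount;
    }

    // Reading fast-forwards a stale value: anything proven before the last clobber is no longer
    // known. The per-value work happens lazily, and only for values that are actually read.
    int knownStructure(size_t node) {
        AbstractValue& v = m_values[node];
        if (v.epoch != m_epoch) {
            v.knownStructure = -1;
            v.epoch = m_epoch;
        }
        return v.knownStructure;
    }

    uint32_t clobberCount() const { return m_clobberCount; }

private:
    std::vector<AbstractValue> m_values;
    uint32_t m_epoch = 1;          // start above 0 so freshly constructed values read as stale
    uint32_t m_clobberCount = 0;
};

// Walk a tiny straight-line "block": prove structures for two nodes, hit a node that can run
// arbitrary JS (clobber), then re-prove one of them. Returns the structure known for `node`.
int structureAfterBlock(size_t node) {
    ClobberEpochState state(3);
    state.setKnownStructure(0, 10);  // e.g. node 0 is an object with structure 10
    state.setKnownStructure(1, 11);
    state.clobberWorld();            // an effectful node: every earlier fact is now suspect
    state.setKnownStructure(0, 12);  // node 0 is checked again after the call
    return state.knownStructure(node);
}
```

        The cost moves from the clobber (once per effectful node) to the read, and a value that is never read
        again after a clobber is never touched at all.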
1701
1702 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
1703
1704         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
1705         https://bugs.webkit.org/show_bug.cgi?id=185365
1706
1707         Reviewed by Saam Barati.
1708         
1709         This patch does three things to improve compile times:
1710         
1711         - Fixes some inlining goofs.
1712         
1713         - Adds the ability to measure compile times with run-jsc-benchmarks.
1714         
1715         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
1716           code that clears abstract values. It turns out that constant folding "needed" this, in the
1717           sense that this was the only thing protecting it from loading the abstract value of a no-result
1718           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
1719           Any node that produces a result will explicitly set its abstract value, so this problem can
1720           also be guarded by just having constant folding check if the node it wants to fold returns any
1721           result.
1722         
1723         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
1724
1725         * dfg/DFGAbstractInterpreterInlines.h:
1726         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1727         * dfg/DFGAbstractValue.cpp:
1728         (JSC::DFG::AbstractValue::set):
1729         * dfg/DFGAbstractValue.h:
1730         (JSC::DFG::AbstractValue::merge):
1731         * dfg/DFGConstantFoldingPhase.cpp:
1732         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1733         * dfg/DFGGraph.h:
1734         (JSC::DFG::Graph::doToChildrenWithNode):
1735         (JSC::DFG::Graph::doToChildren):
1736         * dfg/DFGInPlaceAbstractState.cpp:
1737         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1738         * jit/JIT.cpp:
1739         (JSC::JIT::totalCompileTime):
1740         * jit/JIT.h:
1741         * jsc.cpp:
1742         (GlobalObject::finishCreation):
1743         (functionTotalCompileTime):
1744
1745 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1746
1747         DFG AI doesn't need to merge valuesAtTail - it can just assign them
1748         https://bugs.webkit.org/show_bug.cgi?id=185355
1749
1750         Reviewed by Mark Lam.
1751         
1752         This is a further attempt to improve compile times. Assigning AbstractValue ought to always
1753         be faster than merging. There's no need to merge valuesAtTail. In most cases, assigning and
1754         merging will get the same answer because the value computed this time will be either the same
1755         as or more general than the value computed last time. If the value does change for some
1756         reason, then valuesAtHead are already merged, which ensures monotonicity. Also, if the value
1757         changes, then we have no reason to believe that this new value is less right than the last
1758         one we computed. Finally, the one client of valuesAtTail (AtTailAbstractState) doesn't care
1759         if it's getting the merged valuesAtTail or just some correct answer for valuesAtTail.
1760
1761         * dfg/DFGInPlaceAbstractState.cpp:
1762         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1763
1764 2018-05-07  Andy VanWagoner  <andy@vanwagoner.family>
1765
1766         Remove defunct email address
1767         https://bugs.webkit.org/show_bug.cgi?id=185396
1768
1769         Reviewed by Mark Lam.
1770
1771         The email address thetalecrafter@gmail.com is no longer valid, as the
1772         associated google account has been closed. This updates the email
1773         address so questions about these Intl contributions go to the right
1774         place.
1775
1776         * builtins/DatePrototype.js:
1777         * builtins/NumberPrototype.js:
1778         * builtins/StringPrototype.js:
1779         * runtime/IntlCollator.cpp:
1780         * runtime/IntlCollator.h:
1781         * runtime/IntlCollatorConstructor.cpp:
1782         * runtime/IntlCollatorConstructor.h:
1783         * runtime/IntlCollatorPrototype.cpp:
1784         * runtime/IntlCollatorPrototype.h:
1785         * runtime/IntlDateTimeFormat.cpp:
1786         * runtime/IntlDateTimeFormat.h:
1787         * runtime/IntlDateTimeFormatConstructor.cpp:
1788         * runtime/IntlDateTimeFormatConstructor.h:
1789         * runtime/IntlDateTimeFormatPrototype.cpp:
1790         * runtime/IntlDateTimeFormatPrototype.h:
1791         * runtime/IntlNumberFormat.cpp:
1792         * runtime/IntlNumberFormat.h:
1793         * runtime/IntlNumberFormatConstructor.cpp:
1794         * runtime/IntlNumberFormatConstructor.h:
1795         * runtime/IntlNumberFormatPrototype.cpp:
1796         * runtime/IntlNumberFormatPrototype.h:
1797         * runtime/IntlObject.cpp:
1798         * runtime/IntlObject.h:
1799         * runtime/IntlPluralRules.cpp:
1800         * runtime/IntlPluralRules.h:
1801         * runtime/IntlPluralRulesConstructor.cpp:
1802         * runtime/IntlPluralRulesConstructor.h:
1803         * runtime/IntlPluralRulesPrototype.cpp:
1804         * runtime/IntlPluralRulesPrototype.h:
1805
1806 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1807
1808         [JSC] Remove "using namespace std;" from JSC, bmalloc, WTF
1809         https://bugs.webkit.org/show_bug.cgi?id=185362
1810
1811         Reviewed by Sam Weinig.
1812
1813         "namespace std" may include many names. It can conflict with names defined by our code
1814         and by other platform-provided headers. For example, std::byte conflicts with Windows'
1815         ::byte.
1816         This patch removes "using namespace std;" from JSC and bmalloc.
1817
1818         * API/JSClassRef.cpp:
1819         (OpaqueJSClass::create):
1820         * bytecode/Opcode.cpp:
1821         * bytecompiler/BytecodeGenerator.cpp:
1822         (JSC::BytecodeGenerator::newRegister):
1823         * heap/Heap.cpp:
1824         (JSC::Heap::updateAllocationLimits):
1825         * interpreter/Interpreter.cpp:
1826         * jit/JIT.cpp:
1827         * parser/Parser.cpp:
1828         * runtime/JSArray.cpp:
1829         * runtime/JSLexicalEnvironment.cpp:
1830         * runtime/JSModuleEnvironment.cpp:
1831         * runtime/Structure.cpp:
1832         * shell/DLLLauncherMain.cpp:
1833         (getStringValue):
1834         (applePathFromRegistry):
1835         (appleApplicationSupportDirectory):
1836         (copyEnvironmentVariable):
1837         (prependPath):
1838         (fatalError):
1839         (directoryExists):
1840         (modifyPath):
1841         (getLastErrorString):
1842         (wWinMain):
1843
1844 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1845
1846         DFG CFA phase should only do clobber asserts in debug
1847         https://bugs.webkit.org/show_bug.cgi?id=185354
1848
1849         Reviewed by Saam Barati.
1850         
1851         Clobber asserts are responsible for 1% of compile time. That's too much. This disables them
1852         unless asserts are enabled.
1853
1854         * dfg/DFGCFAPhase.cpp:
1855         (JSC::DFG::CFAPhase::performBlockCFA):
1856
1857 2018-05-04  Keith Miller  <keith_miller@apple.com>
1858
1859         isCacheableArrayLength should return true for undecided arrays
1860         https://bugs.webkit.org/show_bug.cgi?id=185309
1861
1862         Reviewed by Michael Saboff.
1863
1864         Undecided arrays have butterflies so there is no reason why we
1865         should not be able to cache their length.
1866
1867         * bytecode/InlineAccess.cpp:
1868         (JSC::InlineAccess::isCacheableArrayLength):
1869
1870 2018-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1871
1872         Remove std::random_shuffle
1873         https://bugs.webkit.org/show_bug.cgi?id=185292
1874
1875         Reviewed by Darin Adler.
1876
1877         std::random_shuffle is deprecated in C++14 and removed in C++17,
1878         since std::random_shuffle relies on rand and srand.
1879         Use std::shuffle instead.
1880
1881         * jit/BinarySwitch.cpp:
1882         (JSC::RandomNumberGenerator::RandomNumberGenerator):
1883         (JSC::RandomNumberGenerator::operator()):
1884         (JSC::RandomNumberGenerator::min):
1885         (JSC::RandomNumberGenerator::max):
1886         (JSC::BinarySwitch::build):
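
        Added example (not WebKit code): what the replacement generator has to provide. std::shuffle needs
        a UniformRandomBitGenerator: a result_type, static min()/max() describing the real output range,
        and operator(). The xorshift64* source below is a reproducible stand-in for JSC's own random
        source, and the list of switch-case values is constructed for the example.

```cpp
// Added example, not WebKit code. The generator's internal source is a stand-in chosen for reproducibility.
#include <algorithm>
#include <cstdint>
#include <limits>
#include <vector>

class RandomNumberGenerator {
public:
    using result_type = uint32_t;

    explicit RandomNumberGenerator(uint64_t seed) : m_state(seed ? seed : 0x9e3779b97f4a7c15ULL) {}

    // std::shuffle derives its index distribution from min()/max(), so these must describe the
    // real range of operator(); lying here biases the permutation.
    static constexpr result_type min() { return 0; }
    static constexpr result_type max() { return std::numeric_limits<result_type>::max(); }

    result_type operator()() {
        // xorshift64*: a deterministic, seedable source used only so the example is reproducible.
        m_state ^= m_state >> 12;
        m_state ^= m_state << 25;
        m_state ^= m_state >> 27;
        return static_cast<result_type>((m_state * 0x2545F4914F6CDD1DULL) >> 32);
    }

private:
    uint64_t m_state;
};

// Shuffles a list of switch-case values with std::shuffle, the way BinarySwitch::build randomises
// case order before building its tree. No global rand()/srand() state is involved.
std::vector<int> shuffledCases(std::vector<int> cases, uint64_t seed) {
    RandomNumberGenerator rng(seed);
    std::shuffle(cases.begin(), cases.end(), rng);
    return cases;
}

bool isPermutationOf(std::vector<int> a, std::vector<int> b) {
    std::sort(a.begin(), a.end());
    std::sort(b.begin(), b.end());
    return a == b;
}
```

        Because the generator is an object rather than process-global rand() state, two compiler threads
        each get their own sequence and a seed fully determines the order, which keeps JIT output reproducible.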
1887
1888 2018-05-03  Saam Barati  <sbarati@apple.com>
1889
1890         Don't prevent CreateThis being folded to NewObject when the structure is poly proto
1891         https://bugs.webkit.org/show_bug.cgi?id=185177
1892
1893         Reviewed by Filip Pizlo.
1894
1895         This patch teaches the DFG/FTL how to constant fold CreateThis with
1896         a known poly proto Structure to NewObject. We do it by emitting a NewObject
1897         followed by a PutByOffset for the prototype value.
1898         
1899         We make it so that ObjectAllocationProfile holds the prototype value.
1900         This is sound because JSFunction clears that profile when its 'prototype'
1901         field changes.
1902         
1903         This patch also renames underscoreProtoPrivateName to polyProtoName since
1904         that name was nonsensical: it was only used for poly proto.
1905         
1906         This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
1907         regressed that benchmark when I first introduced poly proto.
1908
1909         * builtins/BuiltinNames.cpp:
1910         * builtins/BuiltinNames.h:
1911         (JSC::BuiltinNames::BuiltinNames):
1912         (JSC::BuiltinNames::polyProtoName const):
1913         (JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
1914         * bytecode/ObjectAllocationProfile.h:
1915         (JSC::ObjectAllocationProfile::prototype):
1916         (JSC::ObjectAllocationProfile::clear):
1917         (JSC::ObjectAllocationProfile::visitAggregate):
1918         * bytecode/ObjectAllocationProfileInlines.h:
1919         (JSC::ObjectAllocationProfile::initializeProfile):
1920         * dfg/DFGAbstractInterpreterInlines.h:
1921         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1922         * dfg/DFGByteCodeParser.cpp:
1923         (JSC::DFG::ByteCodeParser::parseBlock):
1924         * dfg/DFGConstantFoldingPhase.cpp:
1925         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1926         * dfg/DFGOperations.cpp:
1927         * runtime/CommonSlowPaths.cpp:
1928         (JSC::SLOW_PATH_DECL):
1929         * runtime/FunctionRareData.h:
1930         * runtime/Structure.cpp:
1931         (JSC::Structure::create):
1932
1933 2018-05-03  Michael Saboff  <msaboff@apple.com>
1934
1935         OSR entry pruning of Program Bytecodes doesn't take into account try/catch
1936         https://bugs.webkit.org/show_bug.cgi?id=185281
1937
1938         Reviewed by Saam Barati.
1939
1940         When we compute bytecode block reachability, we need to take into account blocks
1941         containing try/catch.
1942
1943         * jit/JIT.cpp:
1944         (JSC::JIT::privateCompileMainPass):
1945
1946 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
1947
1948         ARM: Wrong offset for operand rt in disassembler
1949         https://bugs.webkit.org/show_bug.cgi?id=184083
1950
1951         Reviewed by Yusuke Suzuki.
1952
1953         * disassembler/ARMv7/ARMv7DOpcode.h:
1954         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
1955         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):
1956
1957 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
1958
1959         ARM: Support vstr in disassembler
1960         https://bugs.webkit.org/show_bug.cgi?id=184084
1961
1962         Reviewed by Yusuke Suzuki.
1963
1964         * disassembler/ARMv7/ARMv7DOpcode.cpp:
1965         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format):
1966         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted.
1967         * disassembler/ARMv7/ARMv7DOpcode.h:
1968         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName):
1969         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted.
1970         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted.
1971         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted.
1972         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted.
1973         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted.
1974         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted.
1975
1976 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
1977
1978         Invoke ensureArrayStorage for all arguments
1979         https://bugs.webkit.org/show_bug.cgi?id=185247
1980
1981         Reviewed by Yusuke Suzuki.
1982
1983         ensureArrayStorage was only invoked for the first argument in each loop iteration.
1984
1985         * jsc.cpp:
1986         (functionEnsureArrayStorage):
1987
1988 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
1989
1990         Make it easy to log compile times for all optimizing tiers
1991         https://bugs.webkit.org/show_bug.cgi?id=185270
1992
1993         Reviewed by Keith Miller.
1994         
1995         This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common
1996         helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used
1997         it.
1998         
1999         This should help us reduce compile times by telling us where to look. So far, it looks like
2000         CFA is the worst.
2001
2002         * JavaScriptCore.xcodeproj/project.pbxproj:
2003         * Sources.txt:
2004         * b3/B3Common.cpp:
2005         (JSC::B3::shouldMeasurePhaseTiming): Deleted.
2006         * b3/B3Common.h:
2007         * b3/B3TimingScope.cpp: Removed.
2008         * b3/B3TimingScope.h:
2009         (JSC::B3::TimingScope::TimingScope):
2010         * dfg/DFGPhase.h:
2011         (JSC::DFG::runAndLog):
2012         * dfg/DFGPlan.cpp:
2013         (JSC::DFG::Plan::compileInThread):
2014         * tools/CompilerTimingScope.cpp: Added.
2015         (JSC::CompilerTimingScope::CompilerTimingScope):
2016         (JSC::CompilerTimingScope::~CompilerTimingScope):
2017         * tools/CompilerTimingScope.h: Added.
2018         * runtime/Options.cpp:
2019         (JSC::recomputeDependentOptions):
2020         * runtime/Options.h:
2021
2022 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
2023
2024         Strings should not be allocated in a gigacage
2025         https://bugs.webkit.org/show_bug.cgi?id=185218
2026
2027         Reviewed by Saam Barati.
2028
2029         * runtime/JSBigInt.cpp:
2030         (JSC::JSBigInt::toStringGeneric):
2031         * runtime/JSString.cpp:
2032         (JSC::JSRopeString::resolveRopeToAtomicString const):
2033         (JSC::JSRopeString::resolveRope const):
2034         * runtime/JSString.h:
2035         (JSC::JSString::create):
2036         (JSC::JSString::createHasOtherOwner):
2037         * runtime/VM.h:
2038         (JSC::VM::gigacageAuxiliarySpace):
2039
2040 2018-05-03  Keith Miller  <keith_miller@apple.com>
2041
2042         Unreviewed, fix 32-bit profile offset for change in bytecode
2043         length of the get_by_id and get_array_length opcodes.
2044
2045         * llint/LowLevelInterpreter32_64.asm:
2046
2047 2018-05-03  Michael Saboff  <msaboff@apple.com>
2048
2049         WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript
2050         https://bugs.webkit.org/show_bug.cgi?id=185231
2051
2052         Reviewed by Saam Barati.
2053
2054         We weren't clearing the scratch register cache when switching back and forth between 
2055         allowing scratch register usage.  We disallow scratch register usage when we are in
2056         code that will freely allocate and use any register.  Such usage can change the
2057         contents of scratch registers.  For ARM64, where we cache the contents of scratch
2058         registers to reuse some or all of the contained values, we need to invalidate these
2059         caches.  We do this when re-enabling scratch register usage, that is when we transition
2060         from disallow to allow scratch register usage.
2061
2062         Added a new Air regression test.
2063
2064         * assembler/AllowMacroScratchRegisterUsage.h:
2065         (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage):
2066         * assembler/AllowMacroScratchRegisterUsageIf.h:
2067         (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
2068         * assembler/DisallowMacroScratchRegisterUsage.h:
2069         (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage):
2070         * b3/air/testair.cpp:
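
The stale-cache defect described in the entry above, modelled as an added C++ example. This is not JSC's assembler code: the ScratchRegister and DisallowScratchRegisterUsage names, the clobber() call standing in for register-allocated code, and the applyFix switch are assumptions made for illustration, and the invalidation is placed in the disallow scope's destructor only (the entry says JSC also invalidates from the allow scopes' constructors).

```cpp
#include <cstdint>

// Added example, not JSC's assembler code. A scratch register whose last
// materialised immediate is remembered so the assembler can skip re-loading
// it, plus the scope that disallows scratch usage while register-allocated
// code (which may write any register) runs.
class ScratchRegister {
public:
    // Emits a load of `immediate` unless the cache says it is already there.
    // Returns true if a load was emitted.
    bool materialize(uint64_t immediate)
    {
        if (m_cacheValid && m_cachedImmediate == immediate)
            return false;
        m_physicalValue = immediate; // the emitted load
        m_cachedImmediate = immediate;
        m_cacheValid = true;
        ++m_loadsEmitted;
        return true;
    }

    // Simulates register-allocated code writing the physical register while
    // scratch usage is disallowed. The cache does not observe this write.
    void clobber(uint64_t value) { m_physicalValue = value; }

    void invalidateCache() { m_cacheValid = false; }
    bool allowed() const { return m_allowed; }
    void setAllowed(bool allowed) { m_allowed = allowed; }
    uint64_t physicalValue() const { return m_physicalValue; }
    unsigned loadsEmitted() const { return m_loadsEmitted; }

private:
    bool m_cacheValid = false;
    uint64_t m_cachedImmediate = 0;
    uint64_t m_physicalValue = 0;
    bool m_allowed = true;
    unsigned m_loadsEmitted = 0;
};

// RAII scope that disallows scratch usage and restores the previous state on
// exit. `applyFix` selects the behaviour the entry describes: on the
// transition back from disallow to allow, the cached contents are discarded.
class DisallowScratchRegisterUsage {
public:
    DisallowScratchRegisterUsage(ScratchRegister& reg, bool applyFix)
        : m_reg(reg), m_wasAllowed(reg.allowed()), m_applyFix(applyFix)
    {
        m_reg.setAllowed(false);
    }
    ~DisallowScratchRegisterUsage()
    {
        m_reg.setAllowed(m_wasAllowed);
        if (m_applyFix && m_wasAllowed)
            m_reg.invalidateCache();
    }

private:
    ScratchRegister& m_reg;
    bool m_wasAllowed;
    bool m_applyFix;
};

// Materialises an immediate, lets register-allocated code clobber the register
// inside a disallow scope, then asks for the same immediate again. Without the
// fix the second request is a cache hit and no reload is emitted, so the
// register still holds the clobbered value.
ScratchRegister runScratchSequence(bool applyFix)
{
    ScratchRegister reg;
    reg.materialize(0x1234);
    {
        DisallowScratchRegisterUsage scope(reg, applyFix);
        reg.clobber(0xdead); // the scratch register was reused as a general register
    }
    reg.materialize(0x1234);
    return reg;
}
```

runScratchSequence(false) ends with one load emitted and 0xdead in the register; runScratchSequence(true) emits a second load and the register holds 0x1234 again.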
2071
2072 2018-05-03  Keith Miller  <keith_miller@apple.com>
2073
2074         Remove the prototype caching for get_by_id in the LLInt
2075         https://bugs.webkit.org/show_bug.cgi?id=185226
2076
2077         Reviewed by Michael Saboff.
2078
2079         There is no evidence that this is actually a speedup and we keep
2080         getting bugs with it. At this point it seems like we should just
2081         remove this code.
2082
2083         * CMakeLists.txt:
2084         * JavaScriptCore.xcodeproj/project.pbxproj:
2085         * Sources.txt:
2086         * bytecode/BytecodeDumper.cpp:
2087         (JSC::BytecodeDumper<Block>::printGetByIdOp):
2088         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
2089         (JSC::BytecodeDumper<Block>::dumpBytecode):
2090         * bytecode/BytecodeList.json:
2091         * bytecode/BytecodeUseDef.h:
2092         (JSC::computeUsesForBytecodeOffset):
2093         (JSC::computeDefsForBytecodeOffset):
2094         * bytecode/CodeBlock.cpp:
2095         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2096         * bytecode/CodeBlock.h:
2097         (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
2098         * bytecode/GetByIdStatus.cpp:
2099         (JSC::GetByIdStatus::computeFromLLInt):
2100         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
2101         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
2102         * bytecompiler/BytecodeGenerator.cpp:
2103         (JSC::BytecodeGenerator::emitGetById):
2104         * dfg/DFGByteCodeParser.cpp:
2105         (JSC::DFG::ByteCodeParser::parseBlock):
2106         * dfg/DFGCapabilities.cpp:
2107         (JSC::DFG::capabilityLevel):
2108         * jit/JIT.cpp:
2109         (JSC::JIT::privateCompileMainPass):
2110         (JSC::JIT::privateCompileSlowCases):
2111         * llint/LLIntSlowPaths.cpp:
2112         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2113         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
2114         * llint/LowLevelInterpreter32_64.asm:
2115         * llint/LowLevelInterpreter64.asm:
2116         * runtime/Options.h:
2117
2118 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
2119
2120         Unreviewed, rolling out r231197.
2121
2122         The test added with this change crashes on the 32-bit JSC bot.
2123
2124         Reverted changeset:
2125
2126         "Correctly detect string overflow when using the 'Function'
2127         constructor"
2128         https://bugs.webkit.org/show_bug.cgi?id=184883
2129         https://trac.webkit.org/changeset/231197
2130
2131 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2132
2133         Disable usage of fused multiply-add instructions for JSC with compiler flag
2134         https://bugs.webkit.org/show_bug.cgi?id=184909
2135
2136         Reviewed by Yusuke Suzuki.
2137
2138         Adds -ffp-contract as a compiler flag for building JSC. This ensures that functions
2139         like parseInt() do not return slightly different results depending on whether the
2140         compiler was able to use fused multiply-add instructions or not.
2141
2142         * CMakeLists.txt:
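
What the flag guards against, as an added C++ example that is not part of WebKit's build or source: the same a*b + c evaluated with two roundings and with one. It assumes the flag value -ffp-contract=off, which the entry does not spell out, and it does not reproduce parseInt itself, only the mechanism by which contraction can change a result. The volatile store in multiplyThenAdd makes the two-rounding path independent of how the example itself is compiled.

```cpp
#include <cmath>

// Added example, not JSC code. The same expression a*b + c evaluated with
// two roundings (multiply, then add) and with one (fused multiply-add). The
// operands are chosen so that the exact product 1 + 2^-26 + 2^-54 is not
// representable as a double: the separate multiply rounds the 2^-54 away,
// the fused form keeps it.

// Two roundings. The volatile store forces the product to be rounded to a
// double before the add, which is what -ffp-contract=off guarantees no
// matter how this file is compiled.
double multiplyThenAdd(double a, double b, double c)
{
    volatile double product = a * b;
    return product + c;
}

// One rounding: std::fma computes a*b + c exactly and rounds once, which is
// what a contracted FMA instruction produces.
double fusedMultiplyAdd(double a, double b, double c)
{
    return std::fma(a, b, c);
}

struct ContractionDemo {
    double separate;
    double fused;
    bool differ;
};

// Evaluates both forms on inputs where they disagree.
ContractionDemo demonstrateContraction()
{
    const double a = 1.0 + std::ldexp(1.0, -27);    // 1 + 2^-27
    const double c = -(1.0 + std::ldexp(1.0, -26)); // -(1 + 2^-26)
    ContractionDemo demo;
    demo.separate = multiplyThenAdd(a, a, c); // 0.0
    demo.fused = fusedMultiplyAdd(a, a, c);   // 2^-54
    demo.differ = demo.separate != demo.fused;
    return demo;
}
```

Whether a compiler contracts a*b + c depends on the flag, the optimisation level and whether the target has FMA instructions, so code that must be bit-identical across builds (parseInt, number formatting, anything hashed or compared across processes) has to pin it down explicitly.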
2143
2144 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2145
2146         Unreviewed, fix build failure in ARM, ARMv7 and MIPS
2147         https://bugs.webkit.org/show_bug.cgi?id=185192
2148
2149         compareDouble relies on MacroAssembler::invert function.
2150
2151         * assembler/MacroAssembler.h:
2152         (JSC::MacroAssembler::compareDouble):
2153         * assembler/MacroAssemblerARM.h:
2154         (JSC::MacroAssemblerARM::compareDouble): Deleted.
2155         * assembler/MacroAssemblerARMv7.h:
2156         (JSC::MacroAssemblerARMv7::compareDouble): Deleted.
2157         * assembler/MacroAssemblerMIPS.h:
2158         (JSC::MacroAssemblerMIPS::compareDouble): Deleted.
2159
2160 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2161
2162         [JSC] Add MacroAssembler::and16 and store16
2163         https://bugs.webkit.org/show_bug.cgi?id=185188
2164
2165         Reviewed by Mark Lam.
2166
2167         r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations.
2168         This patch adds these methods for ARM.
2169
2170         * assembler/MacroAssemblerARM.h:
2171         (JSC::MacroAssemblerARM::and16):
2172         (JSC::MacroAssemblerARM::store16):
2173
2174 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2175
2176         [DFG] Unify compare related code in 32bit and 64bit
2177         https://bugs.webkit.org/show_bug.cgi?id=185189
2178
2179         Reviewed by Mark Lam.
2180
2181         This patch unifies some of the compare-related code in 32bit and 64bit
2182         to reduce the size of the 32bit-specific DFG code.
2183
2184         * dfg/DFGSpeculativeJIT.cpp:
2185         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
2186         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
2187         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2188         * dfg/DFGSpeculativeJIT32_64.cpp:
2189         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
2190         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
2191         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
2192         * dfg/DFGSpeculativeJIT64.cpp:
2193         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
2194         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
2195         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
2196
2197 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2198
2199         [JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64
2200         https://bugs.webkit.org/show_bug.cgi?id=185192
2201
2202         Reviewed by Mark Lam.
2203
2204         Now Object.is starts using compareDouble. So we would like to have
2205         an efficient implementation of compareDouble and compareFloat for the
2206         major architectures, ARM64, X86, and X86_64.
2207
2208         This patch adds compareDouble and compareFloat implementations for
2209         these architectures. And the generic implementation is moved to each
2210         architecture's MacroAssembler implementation.
2211
2212         We also add tests for them in testmasm. To implement this test
2213         easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the
2214         major architectures.
2215
2216         * assembler/MacroAssembler.h:
2217         (JSC::MacroAssembler::compareDouble): Deleted.
2218         (JSC::MacroAssembler::compareFloat): Deleted.
2219         * assembler/MacroAssemblerARM.h:
2220         (JSC::MacroAssemblerARM::compareDouble):
2221         * assembler/MacroAssemblerARM64.h:
2222         (JSC::MacroAssemblerARM64::compareDouble):
2223         (JSC::MacroAssemblerARM64::compareFloat):
2224         (JSC::MacroAssemblerARM64::loadFloat):
2225         (JSC::MacroAssemblerARM64::floatingPointCompare):
2226         * assembler/MacroAssemblerARMv7.h:
2227         (JSC::MacroAssemblerARMv7::compareDouble):
2228         * assembler/MacroAssemblerMIPS.h:
2229         (JSC::MacroAssemblerMIPS::compareDouble):
2230         * assembler/MacroAssemblerX86Common.h:
2231         (JSC::MacroAssemblerX86Common::loadFloat):
2232         (JSC::MacroAssemblerX86Common::compareDouble):
2233         (JSC::MacroAssemblerX86Common::compareFloat):
2234         (JSC::MacroAssemblerX86Common::floatingPointCompare):
2235         * assembler/X86Assembler.h:
2236         (JSC::X86Assembler::movss_mr):
2237         (JSC::X86Assembler::movss_rm):
2238         * assembler/testmasm.cpp:
2239         (JSC::floatOperands):
2240         (JSC::testCompareFloat):
2241         (JSC::run):
2242
2243 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2244
2245         Unreviewed, fix 32bit DFG code
2246         https://bugs.webkit.org/show_bug.cgi?id=185065
2247
2248         * dfg/DFGSpeculativeJIT.cpp:
2249         (JSC::DFG::SpeculativeJIT::compileSameValue):
2250
2251 2018-05-02  Filip Pizlo  <fpizlo@apple.com>
2252
2253         JSC should know how to cache custom getter accesses on the prototype chain
2254         https://bugs.webkit.org/show_bug.cgi?id=185213
2255
2256         Reviewed by Keith Miller.
2257
2258         This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test.
2259
2260         * jit/Repatch.cpp:
2261         (JSC::tryCacheGetByID):
2262
2263 2018-05-01  Filip Pizlo  <fpizlo@apple.com>
2264
2265         JSC should be able to cache custom setter calls on the prototype chain
2266         https://bugs.webkit.org/show_bug.cgi?id=185174
2267
2268         Reviewed by Saam Barati.
2269
2270         We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty()
2271         condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add
2272         impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead
2273         of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for
2274         custom accessors because it won't find the custom property in the structure.
2275
2276         The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty().
2277
2278         This is a 4x speed-up on assign-custom-setter.js.
2279
2280         * bytecode/AccessCase.cpp:
2281         (JSC::AccessCase::hasAlternateBase const):
2282         (JSC::AccessCase::alternateBase const):
2283         (JSC::AccessCase::generateImpl):
2284         * bytecode/AccessCase.h:
2285         (JSC::AccessCase::alternateBase const): Deleted.
2286         * bytecode/GetterSetterAccessCase.cpp:
2287         (JSC::GetterSetterAccessCase::hasAlternateBase const):
2288         (JSC::GetterSetterAccessCase::alternateBase const):
2289         * bytecode/GetterSetterAccessCase.h:
2290         * bytecode/ObjectPropertyConditionSet.cpp:
2291         (JSC::generateConditionsForPrototypePropertyHitCustom):
2292         * bytecode/ObjectPropertyConditionSet.h:
2293         * jit/Repatch.cpp:
2294         (JSC::tryCacheGetByID):
2295         (JSC::tryCachePutByID):
2296
2297 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
2298
2299         [MIPS] Implement and16 and store16 for MacroAssemblerMIPS
2300         https://bugs.webkit.org/show_bug.cgi?id=185195
2301
2302         Reviewed by Mark Lam.
2303
2304         This implements the given functions for MIPS, such that it builds again.
2305
2306         * assembler/MacroAssemblerMIPS.h:
2307         (JSC::MacroAssemblerMIPS::and16):
2308         (JSC::MacroAssemblerMIPS::store16):
2309
2310 2018-05-02  Rick Waldron  <waldron.rick@gmail.com>
2311
2312         Expose "$262.agent.monotonicNow()" for use in testing Atomic operation timeouts
2313         https://bugs.webkit.org/show_bug.cgi?id=185043
2314
2315         Reviewed by Filip Pizlo.
2316
2317         * jsc.cpp:
2318         (GlobalObject::finishCreation):
2319         (functionDollarAgentMonotonicNow):
2320
2321 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
2322
2323         [ARM] Implement and16 and store16 for MacroAssemblerARMv7
2324         https://bugs.webkit.org/show_bug.cgi?id=185196
2325
2326         Reviewed by Mark Lam.
2327
2328         This implements and16 and store16 for MacroAssemblerARMv7 such that JSC builds again.
2329
2330         * assembler/MacroAssemblerARMv7.h:
2331         (JSC::MacroAssemblerARMv7::and16):
2332         (JSC::MacroAssemblerARMv7::store16):
2333
2334 2018-05-02  Robin Morisset  <rmorisset@apple.com>
2335
2336         emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
2337         https://bugs.webkit.org/show_bug.cgi?id=183172
2338
2339         Reviewed by Filip Pizlo.
2340
2341         DFGArgumentsEliminationPhase.cpp currently believes that allocations of NewArrayWithSpread can be deleted if they are only used by GetArrayLength,
2342         but when it then calls emitCodeToGetArgumentsArrayLength, the latter has no idea what to do with GetArrayLength.
2343
2344         I fix the problem by teaching emitCodeToGetArgumentsArrayLength how to deal with GetArrayLength.
2345         Because this requires emitting an Add that can overflow and thus exit, we also tell DFGArgumentsEliminationPhase to give up on eliminating
2346         a NewArrayWithSpread when it is used by a GetArrayLength that is not allowed to exit.
2347
2348         * dfg/DFGArgumentsEliminationPhase.cpp:
2349         * dfg/DFGArgumentsUtilities.cpp:
2350         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2351
2352 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2353
2354         Unreviewed, stackPointer signature is different from declaration
2355         https://bugs.webkit.org/show_bug.cgi?id=184790
2356
2357         * runtime/MachineContext.h:
2358         (JSC::MachineContext::stackPointer):
2359
2360 2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2361
2362         [JSC] Add SameValue DFG node
2363         https://bugs.webkit.org/show_bug.cgi?id=185065
2364
2365         Reviewed by Saam Barati.
2366
2367         This patch adds Object.is handling in DFG and FTL. Object.is is converted to a SameValue DFG node.
2368         And the DFG fixup phase attempts to convert the SameValue node to CompareStrictEq with type filter edges
2369         if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics
2370         from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have
2371         implementations for these SameValue nodes.
2372
2373         The old MacroAssemblerX86Common::compareDouble was dead code since the derived class, "MacroAssembler",
2374         has a generalized compareDouble, which just uses branchDouble. Since this was not used, this function
2375         was broken. This patch fixes the issues, moves compareDouble to MacroAssemblerX86Common, and removes the
2376         generalized compareDouble for the x86 arch to use this specialized efficient version instead. The fixes are
2377         correctly using set32 to zero-extend the result, and setting the initial value of the `dest` register
2378         correctly for the DoubleEqual and DoubleNotEqualOrUnordered cases.
2379
2380         The added microbenchmark shows a performance improvement.
2381
2382             object-is           651.0053+-38.8204    ^    241.3467+-15.8753       ^ definitely 2.6974x faster
2383
2384         * assembler/MacroAssembler.h:
2385         * assembler/MacroAssemblerX86Common.h:
2386         (JSC::MacroAssemblerX86Common::compareDouble):
2387         * assembler/MacroAssemblerX86_64.h:
2388         (JSC::MacroAssemblerX86_64::compareDouble): Deleted.
2389         * assembler/testmasm.cpp:
2390         (JSC::doubleOperands):
2391         (JSC::testCompareDouble):
2392         (JSC::run):
2393         * dfg/DFGAbstractInterpreterInlines.h:
2394         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2395         * dfg/DFGByteCodeParser.cpp:
2396         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2397         * dfg/DFGClobberize.h:
2398         (JSC::DFG::clobberize):
2399         * dfg/DFGConstantFoldingPhase.cpp:
2400         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2401         * dfg/DFGDoesGC.cpp:
2402         (JSC::DFG::doesGC):
2403         * dfg/DFGFixupPhase.cpp:
2404         (JSC::DFG::FixupPhase::fixupNode):
2405         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2406         * dfg/DFGNodeType.h:
2407         * dfg/DFGOperations.cpp:
2408         * dfg/DFGOperations.h:
2409         * dfg/DFGPredictionPropagationPhase.cpp:
2410         * dfg/DFGSafeToExecute.h:
2411         (JSC::DFG::safeToExecute):
2412         * dfg/DFGSpeculativeJIT.cpp:
2413         (JSC::DFG::SpeculativeJIT::compileSameValue):
2414         * dfg/DFGSpeculativeJIT.h:
2415         * dfg/DFGSpeculativeJIT32_64.cpp:
2416         (JSC::DFG::SpeculativeJIT::compile):
2417         * dfg/DFGSpeculativeJIT64.cpp:
2418         (JSC::DFG::SpeculativeJIT::compile):
2419         * dfg/DFGValidate.cpp:
2420         * ftl/FTLCapabilities.cpp:
2421         (JSC::FTL::canCompile):
2422         * ftl/FTLLowerDFGToB3.cpp:
2423         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2424         (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
2425         * runtime/Intrinsic.cpp:
2426         (JSC::intrinsicName):
2427         * runtime/Intrinsic.h:
2428         * runtime/ObjectConstructor.cpp:
2429
2430 2018-04-30  Filip Pizlo  <fpizlo@apple.com>
2431
2432         B3::demoteValues should be able to handle patchpoint terminals
2433         https://bugs.webkit.org/show_bug.cgi?id=185151
2434
2435         Reviewed by Saam Barati.
2436         
2437         If we try to demote a patchpoint terminal then prior to this change we would append a Set to
2438         the basic block that the patchpoint terminated. That's wrong because then the terminal is no
2439         longer the last thing in the block.
2440         
2441         Air encounters this problem in spilling and solves it by doing a fixup afterwards. We can't
2442         really do that because demotion happens as a prerequisite to other transformations.
2443         
2444         One solution might have been to make demoteValues insert a basic block whenever it encounters
2445         this problem. But that would break clients that do CFG analysis before demoteValues and use
2446         the results of the CFG analysis after demoteValues. Taildup does this. Fortunately, taildup
2447         also runs breakCriticalEdges. Probably anyone using demoteValues will use breakCriticalEdges,
2448         so it's not bad to introduce that requirement.
2449         
2450         So, this patch solves the problem by ensuring that breakCriticalEdges treats any patchpoint
2451         terminal as if it had multiple successors. This means that a patchpoint terminal's successors
2452         will only have it as their predecessor. Then, demoteValues just prepends the Set to the
2453         successors of the patchpoint terminal.
2454         
2455         This was probably asymptomatic. It's hard to write a JS test that triggers this, so I added
2456         a unit test in testb3.
2457
2458         * b3/B3BreakCriticalEdges.cpp:
2459         (JSC::B3::breakCriticalEdges):
2460         * b3/B3BreakCriticalEdges.h:
2461         * b3/B3FixSSA.cpp:
2462         (JSC::B3::demoteValues):
2463         (JSC::B3::fixSSA):
2464         * b3/B3FixSSA.h:
2465         * b3/B3Value.cpp:
2466         (JSC::B3::Value::foldIdentity const):
2467         (JSC::B3::Value::performSubstitution):
2468         * b3/B3Value.h:
2469         * b3/testb3.cpp:
2470         (JSC::B3::testDemotePatchpointTerminal):
2471         (JSC::B3::run):
2472
2473 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2474
2475         Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
2476         https://bugs.webkit.org/show_bug.cgi?id=184772
2477         <rdar://problem/39146327>
2478
2479         Reviewed by Filip Pizlo.
2480
2481         Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399>), where a check was missing.
2482         This patch now makes sure that the check correctly detects if there is an integer overflow.
2483
2484         * runtime/JSArray.cpp:
2485         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2486
2487 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2488
2489         Correctly detect string overflow when using the 'Function' constructor
2490         https://bugs.webkit.org/show_bug.cgi?id=184883
2491         <rdar://problem/36320331>
2492
2493         Reviewed by Filip Pizlo.
2494
2495         The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation.
2496         Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case.
2497
2498         I added new tryAppend methods alongside the old append methods, that return a boolean (true means success, false means an overflow happened).
2499         In this way, it becomes possible for the Function constructor to just throw a proper JS exception when asked to create a string > 4GB.
2500         I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.
2501
2502         * runtime/FunctionConstructor.cpp:
2503         (JSC::constructFunctionSkippingEvalEnabledCheck):
2504         * runtime/JSONObject.cpp:
2505         (JSC::Stringifier::appendStringifiedValue):
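
The two entries above (184772 and 184883) fix the same class of defect, unchecked length arithmetic, in two places. As an added example that is not JSC's code, the following C++ shows the wrapping form beside the checked form. It uses __builtin_add_overflow where JSC uses WTF::Checked; the MaybeU32, unshiftedLength*, tryAppendLength and appendChunks names are assumptions made for illustration, and the 32-bit length limit is the 4 GB bound the second entry mentions.

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <limits>

// Added example, not JSC code. JSC uses WTF::Checked<T> for this arithmetic;
// the GCC/Clang __builtin_add_overflow intrinsic stands in for it here.
struct MaybeU32 {
    bool ok;
    uint32_t value;
};

MaybeU32 checkedAdd32(uint32_t a, uint32_t b)
{
    uint32_t sum;
    if (__builtin_add_overflow(a, b, &sum))
        return { false, 0 };
    return { true, sum };
}

// The shape of the length bug: unsigned addition wraps, so a large count
// yields a small "new length", and storage sized from it is too small for the
// elements that are then shifted into it.
uint32_t unshiftedLengthUnchecked(uint32_t oldLength, uint32_t count)
{
    return oldLength + count; // wraps silently past UINT32_MAX
}

// The fixed shape: report the overflow so the caller can throw (JSC raises a
// JS exception) instead of allocating from a wrapped length.
MaybeU32 unshiftedLengthChecked(uint32_t oldLength, uint32_t count)
{
    return checkedAdd32(oldLength, count);
}

// tryAppend-style accounting for a builder whose length is a 32-bit value
// (the 4 GB limit mentioned above). Returns false, leaving `length`
// unchanged, where the pre-existing append() would have hit CRASH().
bool tryAppendLength(uint32_t& length, size_t added)
{
    if (added > std::numeric_limits<uint32_t>::max())
        return false;
    MaybeU32 sum = checkedAdd32(length, static_cast<uint32_t>(added));
    if (!sum.ok)
        return false;
    length = sum.value;
    return true;
}

// Appends a sequence of chunk sizes and stops at the first one that does not
// fit. ok is false if any chunk was refused; value is the length reached.
MaybeU32 appendChunks(std::initializer_list<size_t> chunks)
{
    uint32_t length = 0;
    for (size_t chunk : chunks) {
        if (!tryAppendLength(length, chunk))
            return { false, length };
    }
    return { true, length };
}
```

unshiftedLengthUnchecked(0xFFFFFFF0, 0x20) returns 0x10, a length that would size a buffer far too small for the 0xFFFFFFF0 existing elements; the checked form reports failure for the same inputs, and appendChunks refuses the chunk that would take a string past 2^32 - 1 bytes instead of aborting the process.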
2506
2507 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2508
2509         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
2510         https://bugs.webkit.org/show_bug.cgi?id=185162
2511
2512         Reviewed by Filip Pizlo.
2513
2514         * runtime/IntlObject.cpp:
2515         (JSC::removeUnicodeLocaleExtension):
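
The edge case in the entry above, as an added C++ example that is not JSC's implementation: a Unicode locale extension stripper that skips from the "u" singleton to the next singleton subtag, but leaves a tag whose final subtag is "u" alone rather than treating it as the start of an extension and reading past the end. The function and helper names, and the treatment of the "x" private-use singleton, are assumptions made for this illustration.

```cpp
#include <string>
#include <vector>

// Added example, not JSC's implementation. Splits a BCP 47 language tag on
// '-' and drops the Unicode locale extension: the "u" singleton and every
// subtag after it up to the next singleton (a one-character subtag, such as
// the "x" that starts the private-use section) or the end of the tag.
static std::vector<std::string> splitSubtags(const std::string& locale)
{
    std::vector<std::string> parts;
    std::string current;
    for (char ch : locale) {
        if (ch == '-') {
            parts.push_back(current);
            current.clear();
        } else
            current.push_back(ch);
    }
    parts.push_back(current);
    return parts;
}

std::string removeUnicodeLocaleExtension(const std::string& locale)
{
    std::vector<std::string> parts = splitSubtags(locale);
    std::string result;
    bool inPrivateUse = false;
    for (size_t i = 0; i < parts.size(); ++i) {
        if (parts[i] == "x")
            inPrivateUse = true;
        // A "u" that is the last subtag has no keywords after it. Treating it
        // as the start of an extension is the edge case the fix addresses, so
        // it is kept as an ordinary subtag here.
        if (!inPrivateUse && parts[i] == "u" && i + 1 < parts.size()) {
            ++i; // skip the extension body up to the next singleton
            while (i < parts.size() && parts[i].size() != 1)
                ++i;
            if (i == parts.size())
                break; // extension ran to the end of the tag
            if (parts[i] == "x")
                inPrivateUse = true;
            // parts[i] is the next singleton; fall through and keep it.
        }
        if (!result.empty())
            result.push_back('-');
        result += parts[i];
    }
    return result;
}
```

"de-u-co-phonebk" becomes "de", "en-u-ca-gregory-x-priv" becomes "en-x-priv" (the private-use part survives), and "en-u" and "en-US" are returned unchanged. The bounds check `i + 1 < parts.size()` is what keeps the trailing "-u" case from indexing one past the last subtag.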
2516
2517 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
2518
2519         Add SetCallee as DFG-Operation
2520         https://bugs.webkit.org/show_bug.cgi?id=184582
2521
2522         Reviewed by Filip Pizlo.
2523
2524         For recursive tail calls not only the argument count can change but also the
2525         callee. Add SetCallee to DFG that sets the callee slot in the current call frame.
2526         Also update the callee when optimizing a recursive tail call.
2527         Enable recursive tail call optimization also for closures.
2528
2529         * dfg/DFGAbstractInterpreterInlines.h:
2530         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2531         * dfg/DFGByteCodeParser.cpp:
2532         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2533         (JSC::DFG::ByteCodeParser::handleCallVariant):
2534         * dfg/DFGClobberize.h:
2535         (JSC::DFG::clobberize):
2536         * dfg/DFGDoesGC.cpp:
2537         (JSC::DFG::doesGC):
2538         * dfg/DFGFixupPhase.cpp:
2539         (JSC::DFG::FixupPhase::fixupNode):
2540         * dfg/DFGMayExit.cpp:
2541         * dfg/DFGNodeType.h:
2542         * dfg/DFGPredictionPropagationPhase.cpp:
2543         * dfg/DFGSafeToExecute.h:
2544         (JSC::DFG::safeToExecute):
2545         * dfg/DFGSpeculativeJIT.cpp:
2546         (JSC::DFG::SpeculativeJIT::compileSetCallee):
2547         * dfg/DFGSpeculativeJIT.h:
2548         * dfg/DFGSpeculativeJIT32_64.cpp:
2549         (JSC::DFG::SpeculativeJIT::compile):
2550         * dfg/DFGSpeculativeJIT64.cpp:
2551         (JSC::DFG::SpeculativeJIT::compile):
2552         * ftl/FTLCapabilities.cpp:
2553         (JSC::FTL::canCompile):
2554         * ftl/FTLLowerDFGToB3.cpp:
2555         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2556         (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):
2557
2558 2018-05-01  Oleksandr Skachkov  <gskachkov@gmail.com>
2559
2560         WebAssembly: add support for stream APIs - JavaScript API
2561         https://bugs.webkit.org/show_bug.cgi?id=183442
2562
2563         Reviewed by Yusuke Suzuki and JF Bastien.
2564
2565         Add WebAssembly stream API. The current patch only adds the functions
2566         WebAssembly.compileStreaming and WebAssembly.instantiateStreaming, but
2567         does not add a streaming implementation. So in the current version it
2568         only waits for the whole module to load, then starts to parse.
2569
2570         * CMakeLists.txt:
2571         * Configurations/FeatureDefines.xcconfig:
2572         * DerivedSources.make:
2573         * JavaScriptCore.xcodeproj/project.pbxproj:
2574         * builtins/BuiltinNames.h:
2575         * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
2576         (compileStreaming):
2577         (instantiateStreaming):
2578         * jsc.cpp:
2579         * runtime/JSGlobalObject.cpp:
2580         (JSC::JSGlobalObject::init):
2581         * runtime/JSGlobalObject.h:
2582         * runtime/Options.h:
2583         * runtime/PromiseDeferredTimer.cpp:
2584         (JSC::PromiseDeferredTimer::hasPendingPromise):
2585         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
2586         * runtime/PromiseDeferredTimer.h:
2587         * wasm/js/WebAssemblyPrototype.cpp:
2588         (JSC::webAssemblyModuleValidateAsyncInternal):
2589         (JSC::webAssemblyCompileFunc):
2590         (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
2591         (JSC::webAssemblyModuleInstantinateAsyncInternal):
2592         (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
2593         (JSC::webAssemblyCompileStreamingInternal):
2594         (JSC::webAssemblyInstantiateStreamingInternal):
2595         (JSC::WebAssemblyPrototype::create):
2596         (JSC::WebAssemblyPrototype::finishCreation):
2597         * wasm/js/WebAssemblyPrototype.h:
2598
2599 2018-04-30  Saam Barati  <sbarati@apple.com>
2600
2601         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
2602         https://bugs.webkit.org/show_bug.cgi?id=185149
2603         <rdar://problem/39455917>
2604
2605         Reviewed by Filip Pizlo.
2606
2607         The bug was that we were deleting checks that we shouldn't have deleted.
2608         This patch makes a helper inside strength reduction that converts to
2609         a LazyJSConstant while maintaining checks, and switches users of the
2610         node API inside strength reduction to instead call the helper function.
2611         
2612         This patch also fixes a potential bug where StringReplace and
2613         StringReplaceRegExp may not preserve all their checks.
2614
2615
2616         * dfg/DFGStrengthReductionPhase.cpp:
2617         (JSC::DFG::StrengthReductionPhase::handleNode):
2618         (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):
2619
2620 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
2621
2622         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
2623         https://bugs.webkit.org/show_bug.cgi?id=185126
2624
2625         Reviewed by Saam Barati.
2626         
2627         This change is just restoring functionality that we've already had for a while. It had been
2628         accidentally broken due to an unrelated CodeBlock refactoring.
2629
2630         * dfg/DFGLICMPhase.cpp:
2631         (JSC::DFG::LICMPhase::attemptHoist):
2632
2633 2018-04-30  Mark Lam  <mark.lam@apple.com>
2634
2635         Apply PtrTags to the MetaAllocator and friends.
2636         https://bugs.webkit.org/show_bug.cgi?id=185110
2637         <rdar://problem/39533895>
2638
2639         Reviewed by Saam Barati.
2640
2641         1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
2642         2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
2643            and add a sanity check to verify that allocated code buffers are within those
2644            bounds.
2645
2646         * assembler/LinkBuffer.cpp:
2647         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
2648         (JSC::LinkBuffer::copyCompactAndLinkCode):
2649         (JSC::LinkBuffer::linkCode):
2650         (JSC::LinkBuffer::allocate):
2651         * assembler/LinkBuffer.h:
2652         (JSC::LinkBuffer::LinkBuffer):
2653         (JSC::LinkBuffer::debugAddress):
2654         (JSC::LinkBuffer::code):
2655         * assembler/MacroAssemblerCodeRef.h:
2656         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
2657         * bytecode/InlineAccess.cpp:
2658         (JSC::linkCodeInline):
2659         (JSC::InlineAccess::rewireStubAsJump):
2660         * dfg/DFGJITCode.cpp:
2661         (JSC::DFG::JITCode::findPC):
2662         * ftl/FTLJITCode.cpp:
2663         (JSC::FTL::JITCode::findPC):
2664         * jit/ExecutableAllocator.cpp:
2665         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2666         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2667         (JSC::ExecutableAllocator::allocate):
2668         * jit/ExecutableAllocator.h:
2669         (JSC::isJITPC):
2670         (JSC::performJITMemcpy):
2671         * jit/JIT.cpp:
2672         (JSC::JIT::link):
2673         * jit/JITMathIC.h:
2674         (JSC::isProfileEmpty):
2675         * runtime/JSCPtrTag.h:
2676         * wasm/WasmCallee.cpp:
2677         (JSC::Wasm::Callee::Callee):
2678         * wasm/WasmFaultSignalHandler.cpp:
2679         (JSC::Wasm::trapHandler):
2680
2681 2018-04-30  Keith Miller  <keith_miller@apple.com>
2682
2683         Move the MayBePrototype JSCell header bit to InlineTypeFlags
2684         https://bugs.webkit.org/show_bug.cgi?id=185143
2685
2686         Reviewed by Mark Lam.
2687
2688         * runtime/IndexingType.h:
2689         * runtime/JSCellInlines.h:
2690         (JSC::JSCell::setStructure):
2691         (JSC::JSCell::mayBePrototype const):
2692         (JSC::JSCell::didBecomePrototype):
2693         * runtime/JSTypeInfo.h:
2694         (JSC::TypeInfo::mayBePrototype):
2695         (JSC::TypeInfo::mergeInlineTypeFlags):
2696
2697 2018-04-30  Keith Miller  <keith_miller@apple.com>
2698
2699         Remove unneeded exception check from String.fromCharCode
2700         https://bugs.webkit.org/show_bug.cgi?id=185083
2701
2702         Reviewed by Mark Lam.
2703
2704         * runtime/StringConstructor.cpp:
2705         (JSC::stringFromCharCode):
2706
2707 2018-04-30  Keith Miller  <keith_miller@apple.com>
2708
2709         Move StructureIsImmortal to out of line flags.
2710         https://bugs.webkit.org/show_bug.cgi?id=185101
2711
2712         Reviewed by Saam Barati.
2713
2714         This will free up a bit in the inline flags where we can move the
2715         isPrototype bit to. This will, in turn, free a bit for use in
2716         implementing copy on write butterflies.
2717
2718         Also, this patch removes an assertion from Structure::typeInfo()
2719         that inadvertently makes the function invalid to call while
2720         cleaning up the vm.
2721
2722         * heap/HeapCellType.cpp:
2723         (JSC::DefaultDestroyFunc::operator() const):
2724         * runtime/JSCell.h:
2725         * runtime/JSCellInlines.h:
2726         (JSC::JSCell::callDestructor): Deleted.
2727         * runtime/JSTypeInfo.h:
2728         (JSC::TypeInfo::hasStaticPropertyTable):
2729         (JSC::TypeInfo::structureIsImmortal const):
2730         * runtime/Structure.h:
2731
2732 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2733
2734         [JSC] Remove arity fixup check if the number of parameters is 1
2735         https://bugs.webkit.org/show_bug.cgi?id=183984
2736
2737         Reviewed by Mark Lam.
2738
2739         If the number of parameters is one (|this|), we never hit the arity fixup check.
2740         We do not need to emit arity fixup check code.
2741
2742         * dfg/DFGDriver.cpp:
2743         (JSC::DFG::compileImpl):
2744         * dfg/DFGJITCompiler.cpp:
2745         (JSC::DFG::JITCompiler::compileFunction):
2746         * dfg/DFGJITCompiler.h:
2747         * ftl/FTLLink.cpp:
2748         (JSC::FTL::link):
2749         * jit/JIT.cpp:
2750         (JSC::JIT::compileWithoutLinking):
2751
2752 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2753
2754         Use WordLock instead of std::mutex for Threading
2755         https://bugs.webkit.org/show_bug.cgi?id=185121
2756
2757         Reviewed by Geoffrey Garen.
2758
2759         ThreadGroup starts using WordLock.
2760
2761         * heap/MachineStackMarker.h:
2762         (JSC::MachineThreads::getLock):
2763
2764 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
2765
2766         B3 should run tail duplication at the bitter end
2767         https://bugs.webkit.org/show_bug.cgi?id=185123
2768
2769         Reviewed by Geoffrey Garen.
2770         
2771         Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
2772         everywhere else.
2773         
2774         The goal of this change is to allow us to run path specialization after switch lowering but
2775         before tail duplication.
2776
2777         * b3/B3Generate.cpp:
2778         (JSC::B3::generateToAir):
2779         * runtime/Options.h:
2780
2781 2018-04-29  Commit Queue  <commit-queue@webkit.org>
2782
2783         Unreviewed, rolling out r231137.
2784         https://bugs.webkit.org/show_bug.cgi?id=185118
2785
2786         It is breaking Test262 language/expressions/multiplication/order-of-evaluation.js
2787         (Requested by caiolima on #webkit).
2788
2789         Reverted changeset:
2790
2791         "[ESNext][BigInt] Implement support for "*" operation"
2792         https://bugs.webkit.org/show_bug.cgi?id=183721
2793         https://trac.webkit.org/changeset/231137
2794
2795 2018-04-28  Saam Barati  <sbarati@apple.com>
2796
2797         We don't model regexp effects properly
2798         https://bugs.webkit.org/show_bug.cgi?id=185059
2799         <rdar://problem/39736150>
2800
2801         Reviewed by Filip Pizlo.
2802
2803         RegExp exec/test can have arbitrary effects when toNumbering the lastIndex if
2804         the regexp is global.
2805
2806         * dfg/DFGAbstractInterpreterInlines.h:
2807         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2808         * dfg/DFGClobberize.h:
2809         (JSC::DFG::clobberize):
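The side effect the entry above describes, as an added example that is not part of the WebKit ChangeLog or the JSC sources: a global RegExp reads and coerces lastIndex before matching, so a user-defined valueOf runs inside test(), which is why the DFG cannot treat the call as effect-free. The function names and the input string are constructed for this example.

```javascript
// Added example (not from the WebKit ChangeLog). Shows the observable
// effect the entry refers to: with a global RegExp, exec()/test() read
// lastIndex and convert it with ToNumber before matching, which invokes
// any user-defined valueOf. A JIT that modelled test() as side-effect-
// free would be wrong here, so the DFG has to clobber on these calls.
"use strict";

// Runs re.test(input) with lastIndex set to an object whose valueOf
// records that it ran and then returns `start`. The returned event log
// lets the caller see whether user code executed during the match.
function observeLastIndexCoercion(flags, input, start) {
  const events = [];
  const re = new RegExp("a", flags);
  re.lastIndex = {
    valueOf() {
      events.push("valueOf"); // arbitrary user code runs here
      return start;
    },
  };
  const matched = re.test(input);
  events.push("test=" + matched);
  events.push("lastIndex=" + re.lastIndex); // engine rewrote it to a number
  return events;
}

// Same coercion, but valueOf mutates unrelated state. This is what makes
// the effect matter to a compiler: a value the JIT believed constant
// across the call has changed by the time test() returns.
function lastIndexCoercionMutatesState(flags) {
  const state = { counter: 0 };
  const re = new RegExp("a", flags);
  re.lastIndex = { valueOf() { state.counter += 1; return 0; } };
  re.test("a");
  return state.counter;
}
```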
2810
2811 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
2812
2813         Token misspelled "tocken" in error message string
2814         https://bugs.webkit.org/show_bug.cgi?id=185030
2815
2816         Reviewed by Saam Barati.
2817
2818         * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
2819         (JSC::Parser<LexerType>::Parser):
2820         (JSC::Parser<LexerType>::didFinishParsing):
2821         (JSC::Parser<LexerType>::parseSourceElements):
2822         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2823         (JSC::Parser<LexerType>::parseVariableDeclaration):
2824         (JSC::Parser<LexerType>::parseWhileStatement):
2825         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2826         (JSC::Parser<LexerType>::createBindingPattern):
2827         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
2828         (JSC::Parser<LexerType>::parseObjectRestElement):
2829         (JSC::Parser<LexerType>::parseDestructuringPattern):
2830         (JSC::Parser<LexerType>::parseForStatement):
2831         (JSC::Parser<LexerType>::parseBreakStatement):
2832         (JSC::Parser<LexerType>::parseContinueStatement):
2833         (JSC::Parser<LexerType>::parseThrowStatement):
2834         (JSC::Parser<LexerType>::parseWithStatement):
2835         (JSC::Parser<LexerType>::parseSwitchStatement):
2836         (JSC::Parser<LexerType>::parseSwitchClauses):
2837         (JSC::Parser<LexerType>::parseTryStatement):
2838         (JSC::Parser<LexerType>::parseBlockStatement):
2839         (JSC::Parser<LexerType>::parseFormalParameters):
2840         (JSC::Parser<LexerType>::parseFunctionParameters):
2841         (JSC::Parser<LexerType>::parseFunctionInfo):
2842         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
2843         (JSC::Parser<LexerType>::parseExpressionStatement):
2844         (JSC::Parser<LexerType>::parseIfStatement):
2845         (JSC::Parser<LexerType>::parseAssignmentExpression):
2846         (JSC::Parser<LexerType>::parseConditionalExpression):
2847         (JSC::Parser<LexerType>::parseBinaryExpression):
2848         (JSC::Parser<LexerType>::parseObjectLiteral):
2849         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
2850         (JSC::Parser<LexerType>::parseArrayLiteral):
2851         (JSC::Parser<LexerType>::parseArguments):
2852         (JSC::Parser<LexerType>::parseMemberExpression):
2853         (JSC::operatorString):
2854         (JSC::Parser<LexerType>::parseUnaryExpression):
2855         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2856
2857 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
2858
2859         [ESNext][BigInt] Implement support for "*" operation
2860         https://bugs.webkit.org/show_bug.cgi?id=183721
2861
2862         Reviewed by Saam Barati.
2863
2864         Added BigInt support to the times binary operator in LLInt and in
2865         JITOperations profiledMul and unprofiledMul. We are also replacing all
2866         uses of int with unsigned where there are no negative values for
2867         variables.
2868
2869         * dfg/DFGConstantFoldingPhase.cpp:
2870         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2871         * jit/JITOperations.cpp:
2872         * runtime/CommonSlowPaths.cpp:
2873         (JSC::SLOW_PATH_DECL):
2874         * runtime/JSBigInt.cpp:
2875         (JSC::JSBigInt::JSBigInt):
2876         (JSC::JSBigInt::allocationSize):
2877         (JSC::JSBigInt::createWithLength):
2878         (JSC::JSBigInt::toString):
2879         (JSC::JSBigInt::multiply):
2880         (JSC::JSBigInt::digitDiv):
2881         (JSC::JSBigInt::internalMultiplyAdd):
2882         (JSC::JSBigInt::multiplyAccumulate):
2883         (JSC::JSBigInt::equals):
2884         (JSC::JSBigInt::absoluteDivSmall):
2885         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2886         (JSC::JSBigInt::toStringGeneric):
2887         (JSC::JSBigInt::rightTrim):
2888         (JSC::JSBigInt::allocateFor):
2889         (JSC::JSBigInt::parseInt):
2890         (JSC::JSBigInt::digit):
2891         (JSC::JSBigInt::setDigit):
2892         * runtime/JSBigInt.h:
2893         * runtime/Operations.h:
2894         (JSC::jsMul):
2895
2896 2018-04-28  Commit Queue  <commit-queue@webkit.org>
2897
2898         Unreviewed, rolling out r231131.
2899         https://bugs.webkit.org/show_bug.cgi?id=185112
2900
2901         It is breaking Debug build due to unchecked exception
2902         (Requested by caiolima on #webkit).
2903
2904         Reverted changeset:
2905
2906         "[ESNext][BigInt] Implement support for "*" operation"
2907         https://bugs.webkit.org/show_bug.cgi?id=183721
2908         https://trac.webkit.org/changeset/231131
2909
2910 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
2911
2912         [ESNext][BigInt] Implement support for "*" operation
2913         https://bugs.webkit.org/show_bug.cgi?id=183721
2914
2915         Reviewed by Saam Barati.
2916
2917         Added BigInt support to the times binary operator in LLInt and in
2918         JITOperations profiledMul and unprofiledMul. We are also replacing all
2919         uses of int with unsigned where there are no negative values for
2920         variables.
2921
2922         * dfg/DFGConstantFoldingPhase.cpp:
2923         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2924         * jit/JITOperations.cpp:
2925         * runtime/CommonSlowPaths.cpp:
2926         (JSC::SLOW_PATH_DECL):
2927         * runtime/JSBigInt.cpp:
2928         (JSC::JSBigInt::JSBigInt):
2929         (JSC::JSBigInt::allocationSize):
2930         (JSC::JSBigInt::createWithLength):
2931         (JSC::JSBigInt::toString):
2932         (JSC::JSBigInt::multiply):
2933         (JSC::JSBigInt::digitDiv):
2934         (JSC::JSBigInt::internalMultiplyAdd):
2935         (JSC::JSBigInt::multiplyAccumulate):
2936         (JSC::JSBigInt::equals):
2937         (JSC::JSBigInt::absoluteDivSmall):
2938         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2939         (JSC::JSBigInt::toStringGeneric):
2940         (JSC::JSBigInt::rightTrim):
2941         (JSC::JSBigInt::allocateFor):
2942         (JSC::JSBigInt::parseInt):
2943         (JSC::JSBigInt::digit):
2944         (JSC::JSBigInt::setDigit):
2945         * runtime/JSBigInt.h:
2946         * runtime/Operations.h:
2947         (JSC::jsMul):
2948
2949 2018-04-27  JF Bastien  <jfbastien@apple.com>
2950
2951         Make the first 64 bits of JSString look like a double JSValue
2952         https://bugs.webkit.org/show_bug.cgi?id=185081
2953
2954         Reviewed by Filip Pizlo.
2955
2956         We can be clever about how we lay out JSString so that, were it
2957         reinterpreted as a JSValue, it would look like a double.
2958
2959         * assembler/MacroAssemblerX86Common.h:
2960         (JSC::MacroAssemblerX86Common::and16):
2961         * assembler/X86Assembler.h:
2962         (JSC::X86Assembler::andw_mr):
2963         * dfg/DFGSpeculativeJIT.cpp:
2964         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2965         * ftl/FTLLowerDFGToB3.cpp:
2966         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2967         * ftl/FTLOutput.h:
2968         (JSC::FTL::Output::store32As8):
2969         (JSC::FTL::Output::store32As16):
2970         * runtime/JSString.h:
2971         (JSC::JSString::JSString):
2972
2973 2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2974
2975         [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
2976         https://bugs.webkit.org/show_bug.cgi?id=185055
2977
2978         Reviewed by JF Bastien.
2979
2980         This patch is paving the way to emitting the jscvt instruction if possible.
2981         To do that, we need to determine whether the jscvt instruction is supported by
2982         the given CPU.
2983
2984         We add a function collectCPUFeatures, which is responsible for collecting
2985         CPU features if necessary. On Linux, we can use the auxiliary vector to get
2986         the information without parsing /proc/cpuinfo.
2987
2988         Currently, nobody calls this function. It will be called later when we emit
2989         the jscvt instruction. To make that possible, we also need to add disassembler
2990         support.
2991
2992         * assembler/AbstractMacroAssembler.h:
2993         * assembler/MacroAssemblerARM64.cpp:
2994         (JSC::MacroAssemblerARM64::collectCPUFeatures):
2995         * assembler/MacroAssemblerARM64.h:
2996         * assembler/MacroAssemblerX86Common.h:
2997
2998 2018-04-26  Filip Pizlo  <fpizlo@apple.com>
2999
3000         Also run foldPathConstants before mussing up SSA
3001         https://bugs.webkit.org/show_bug.cgi?id=185069
3002
3003         Reviewed by Saam Barati.
3004         
3005         This isn't needed now, but will be once I implement the phase in bug 185060.
3006         
3007         This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
3008         Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
3009         be landed separately and measured separately from that phase.
3010         
3011         It's probably nice for sanity to have this and reduceStrength run before tail duplication and
3012         another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
3013         it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
3014         neutral. It all depends on what programs typically look like.
3015
3016         * b3/B3Generate.cpp:
3017         (JSC::B3::generateToAir):
3018
3019 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
3020
3021         Unreviewed, rolling out r231086.
3022
3023         Caused JSC test failures due to an unchecked exception.
3024
3025         Reverted changeset:
3026
3027         "[ESNext][BigInt] Implement support for "*" operation"
3028         https://bugs.webkit.org/show_bug.cgi?id=183721
3029         https://trac.webkit.org/changeset/231086
3030
3031 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
3032
3033         [ESNext][BigInt] Implement support for "*" operation
3034         https://bugs.webkit.org/show_bug.cgi?id=183721
3035
3036         Reviewed by Saam Barati.
3037
3038         Added BigInt support to the times binary operator in LLInt and in
3039         JITOperations profiledMul and unprofiledMul. We are also replacing all
3040         uses of int with unsigned where there are no negative values for
3041         variables.
3042
3043         * dfg/DFGConstantFoldingPhase.cpp:
3044         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3045         * jit/JITOperations.cpp:
3046         * runtime/CommonSlowPaths.cpp:
3047         (JSC::SLOW_PATH_DECL):
3048         * runtime/JSBigInt.cpp:
3049         (JSC::JSBigInt::JSBigInt):
3050         (JSC::JSBigInt::allocationSize):
3051         (JSC::JSBigInt::createWithLength):
3052         (JSC::JSBigInt::toString):
3053         (JSC::JSBigInt::multiply):
3054         (JSC::JSBigInt::digitDiv):
3055         (JSC::JSBigInt::internalMultiplyAdd):
3056         (JSC::JSBigInt::multiplyAccumulate):
3057         (JSC::JSBigInt::equals):
3058         (JSC::JSBigInt::absoluteDivSmall):
3059         (JSC::JSBigInt::calculateMaximumCharactersRequired):
3060         (JSC::JSBigInt::toStringGeneric):
3061         (JSC::JSBigInt::rightTrim):
3062         (JSC::JSBigInt::allocateFor):
3063         (JSC::JSBigInt::parseInt):
3064         (JSC::JSBigInt::digit):
3065         (JSC::JSBigInt::setDigit):
3066         * runtime/JSBigInt.h:
3067         * runtime/Operations.h:
3068         (JSC::jsMul):
3069
3070 2018-04-26  Mark Lam  <mark.lam@apple.com>
3071
3072         Gardening: Speculative build fix for Windows.
3073         https://bugs.webkit.org/show_bug.cgi?id=184976
3074         <rdar://problem/39723901>
3075
3076         Not reviewed.
3077
3078         * runtime/JSCPtrTag.h:
3079
3080 2018-04-26  Mark Lam  <mark.lam@apple.com>
3081
3082         Gardening: Windows build fix.
3083
3084         Not reviewed.
3085
3086         * runtime/Options.cpp:
3087
3088 2018-04-26  Jer Noble  <jer.noble@apple.com>
3089
3090         WK_COCOA_TOUCH all the things.
3091         https://bugs.webkit.org/show_bug.cgi?id=185006
3092         <rdar://problem/39736025>
3093
3094         Reviewed by Tim Horton.
3095
3096         * Configurations/Base.xcconfig:
3097
3098 2018-04-26  Per Arne Vollan  <pvollan@apple.com>
3099
3100         Disable content filtering in minimal simulator mode
3101         https://bugs.webkit.org/show_bug.cgi?id=185027
3102         <rdar://problem/39736091>
3103
3104         Reviewed by Jer Noble.
3105
3106         * Configurations/FeatureDefines.xcconfig:
3107
3108 2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>
3109
3110         [INTL] Implement Intl.PluralRules
3111         https://bugs.webkit.org/show_bug.cgi?id=184312
3112
3113         Reviewed by JF Bastien.
3114
3115         Use UNumberFormat to enforce formatting, and then UPluralRules to find
3116         the correct plural rule for the given number. Relies on ICU v59+ for
3117         resolvedOptions().pluralCategories and trailing 0 detection.
3118         Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.
3119
3120         * CMakeLists.txt:
3121         * Configurations/FeatureDefines.xcconfig:
3122         * DerivedSources.make:
3123         * JavaScriptCore.xcodeproj/project.pbxproj:
3124         * Sources.txt:
3125         * builtins/BuiltinNames.h:
3126         * runtime/BigIntObject.cpp:
3127         (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
3128         * runtime/BigIntObject.h:
3129         * runtime/CommonIdentifiers.h:
3130         * runtime/IntlObject.cpp:
3131         (JSC::IntlObject::finishCreation):
3132         * runtime/IntlObject.h:
3133         * runtime/IntlPluralRules.cpp: Added.
3134         (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
3135         (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
3136         (JSC::UEnumerationDeleter::operator() const):
3137         (JSC::IntlPluralRules::create):
3138         (JSC::IntlPluralRules::createStructure):
3139         (JSC::IntlPluralRules::IntlPluralRules):
3140         (JSC::IntlPluralRules::finishCreation):
3141         (JSC::IntlPluralRules::destroy):
3142         (JSC::IntlPluralRules::visitChildren):
3143         (JSC::IntlPRInternal::localeData):
3144         (JSC::IntlPluralRules::initializePluralRules):
3145         (JSC::IntlPluralRules::resolvedOptions):
3146         (JSC::IntlPluralRules::select):
3147         * runtime/IntlPluralRules.h: Added.
3148         * runtime/IntlPluralRulesConstructor.cpp: Added.
3149         (JSC::IntlPluralRulesConstructor::create):
3150         (JSC::IntlPluralRulesConstructor::createStructure):
3151         (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
3152         (JSC::IntlPluralRulesConstructor::finishCreation):
3153         (JSC::constructIntlPluralRules):
3154         (JSC::callIntlPluralRules):
3155         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
3156         (JSC::IntlPluralRulesConstructor::visitChildren):
3157         * runtime/IntlPluralRulesConstructor.h: Added.
3158         * runtime/IntlPluralRulesPrototype.cpp: Added.
3159         (JSC::IntlPluralRulesPrototype::create):
3160         (JSC::IntlPluralRulesPrototype::createStructure):
3161         (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
3162         (JSC::IntlPluralRulesPrototype::finishCreation):
3163         (JSC::IntlPluralRulesPrototypeFuncSelect):
3164         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
3165         * runtime/IntlPluralRulesPrototype.h: Added.
3166         * runtime/JSGlobalObject.cpp:
3167         (JSC::JSGlobalObject::init):
3168         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
3169         * runtime/JSGlobalObject.h:
3170         * runtime/Options.h:
3171         * runtime/RegExpPrototype.cpp: Added inlines header.
3172         * runtime/VM.cpp:
3173         (JSC::VM::VM):
3174         * runtime/VM.h:
3175
3176 2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>
3177
3178         [MIPS] Fix branch offsets in branchNeg32
3179         https://bugs.webkit.org/show_bug.cgi?id=185025
3180
3181         Reviewed by Yusuke Suzuki.
3182
3183         Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.
3184
3185         * assembler/MacroAssemblerMIPS.h:
3186         (JSC::MacroAssemblerMIPS::branchNeg32):
3187
3188 2018-04-25  Robin Morisset  <rmorisset@apple.com>
3189
3190         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
3191         https://bugs.webkit.org/show_bug.cgi?id=184773
3192         <rdar://problem/37773612>
3193
3194         Reviewed by Filip Pizlo.
3195
3196         We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
3197         arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
3198         This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
3199         We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
3200         This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
3201
3202         * ftl/FTLLowerDFGToB3.cpp:
3203         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
3204
3205 2018-04-25  Mark Lam  <mark.lam@apple.com>
3206
3207         Push the definition of PtrTag down to the WTF layer.
3208         https://bugs.webkit.org/show_bug.cgi?id=184976
3209         <rdar://problem/39723901>
3210
3211         Reviewed by Saam Barati.
3212
3213         * CMakeLists.txt:
3214         * JavaScriptCore.xcodeproj/project.pbxproj:
3215         * assembler/ARM64Assembler.h:
3216         * assembler/AbstractMacroAssembler.h:
3217         * assembler/MacroAssemblerCodeRef.cpp:
3218         * assembler/MacroAssemblerCodeRef.h:
3219         * b3/B3MathExtras.cpp:
3220         * bytecode/LLIntCallLinkInfo.h:
3221         * disassembler/Disassembler.h:
3222         * ftl/FTLJITCode.cpp:
3223         * interpreter/InterpreterInlines.h:
3224         * jit/ExecutableAllocator.h:
3225         * jit/JITOperations.cpp:
3226         * jit/ThunkGenerator.h:
3227         * jit/ThunkGenerators.h:
3228         * llint/LLIntOffsetsExtractor.cpp:
3229         * llint/LLIntPCRanges.h:
3230         * runtime/JSCPtrTag.h: Added.
3231         * runtime/NativeFunction.h:
3232         * runtime/PtrTag.h: Removed.
3233         * runtime/VMTraps.cpp:
3234
3235 2018-04-25  Keith Miller  <keith_miller@apple.com>
3236
3237         getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
3238         https://bugs.webkit.org/show_bug.cgi?id=184998
3239
3240         Reviewed by Saam Barati.
3241
3242         * runtime/CodeCache.cpp:
3243         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
3244
3245 2018-04-25  Keith Miller  <keith_miller@apple.com>
3246
3247         Add missing scope release to functionProtoFuncToString
3248         https://bugs.webkit.org/show_bug.cgi?id=184995
3249
3250         Reviewed by Saam Barati.
3251
3252         * runtime/FunctionPrototype.cpp:
3253         (JSC::functionProtoFuncToString):
3254
3255 2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3256
3257         REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
3258         https://bugs.webkit.org/show_bug.cgi?id=184730
3259
3260         Reviewed by Mark Lam.
3261
3262         Add a swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (temporary register in MacroAssemblerARM).
3263         And we now use dataTempRegister, addressTempRegister, and fpTempRegister instead of using S0, S1, and SD0.
3264
3265         We also change the swap(RegisterID, RegisterID) implementation to use moves and temporaries simply. This is aligned with the
3266         ARMv7 implementation.
3267
3268         * assembler/ARMAssembler.h:
3269         * assembler/MacroAssemblerARM.h:
3270         (JSC::MacroAssemblerARM::add32):
3271         (JSC::MacroAssemblerARM::and32):
3272         (JSC::MacroAssemblerARM::lshift32):
3273         (JSC::MacroAssemblerARM::mul32):
3274         (JSC::MacroAssemblerARM::or32):
3275         (JSC::MacroAssemblerARM::rshift32):
3276         (JSC::MacroAssemblerARM::urshift32):
3277         (JSC::MacroAssemblerARM::sub32):
3278         (JSC::MacroAssemblerARM::xor32):
3279         (JSC::MacroAssemblerARM::load8):
3280         (JSC::MacroAssemblerARM::abortWithReason):
3281         (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
3282         (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
3283         (JSC::MacroAssemblerARM::store8):
3284         (JSC::MacroAssemblerARM::store32):
3285         (JSC::MacroAssemblerARM::push):
3286         (JSC::MacroAssemblerARM::swap):
3287         (JSC::MacroAssemblerARM::branch8):
3288         (JSC::MacroAssemblerARM::branchPtr):
3289         (JSC::MacroAssemblerARM::branch32):
3290         (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
3291         (JSC::MacroAssemblerARM::branchTest8):
3292         (JSC::MacroAssemblerARM::branchTest32):
3293         (JSC::MacroAssemblerARM::jump):
3294         (JSC::MacroAssemblerARM::branchAdd32):
3295         (JSC::MacroAssemblerARM::mull32):
3296         (JSC::MacroAssemblerARM::branchMul32):
3297         (JSC::MacroAssemblerARM::patchableBranch32):
3298         (JSC::MacroAssemblerARM::nearCall):
3299         (JSC::MacroAssemblerARM::compare32):
3300         (JSC::MacroAssemblerARM::compare8):
3301         (JSC::MacroAssemblerARM::test32):
3302         (JSC::MacroAssemblerARM::test8):
3303         (JSC::MacroAssemblerARM::add64):
3304         (JSC::MacroAssemblerARM::load32):
3305         (JSC::MacroAssemblerARM::call):
3306         (JSC::MacroAssemblerARM::branchPtrWithPatch):
3307         (JSC::MacroAssemblerARM::branch32WithPatch):
3308         (JSC::MacroAssemblerARM::storePtrWithPatch):
3309         (JSC::MacroAssemblerARM::loadDouble):
3310         (JSC::MacroAssemblerARM::storeDouble):
3311         (JSC::MacroAssemblerARM::addDouble):
3312         (JSC::MacroAssemblerARM::divDouble):
3313         (JSC::MacroAssemblerARM::subDouble):
3314         (JSC::MacroAssemblerARM::mulDouble):
3315         (JSC::MacroAssemblerARM::convertInt32ToDouble):
3316         (JSC::MacroAssemblerARM::branchDouble):
3317         (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
3318         (JSC::MacroAssemblerARM::truncateDoubleToInt32):
3319         (JSC::MacroAssemblerARM::truncateDoubleToUint32):
3320         (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
3321         (JSC::MacroAssemblerARM::branchDoubleNonZero):
3322         (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
3323         (JSC::MacroAssemblerARM::call32):
3324         (JSC::MacroAssemblerARM::internalCompare32):
3325
3326 2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>
3327
3328         [WinCairo] Fix js/regexp-unicode.html crash.
3329         https://bugs.webkit.org/show_bug.cgi?id=184891
3330
3331         Reviewed by Yusuke Suzuki.
3332
3333         On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
3334         RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.
3335
3336         * yarr/YarrJIT.cpp:
3337         (JSC::Yarr::YarrGenerator::generateEnter):
3338         (JSC::Yarr::YarrGenerator::generateReturn):
3339         Unconditionally save and restore RDI on 64-bit Windows.
3340
3341 2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>
3342
3343         [GTK] Miscellaneous build cleanups
3344         https://bugs.webkit.org/show_bug.cgi?id=184399
3345
3346         Reviewed by Žan Doberšek.
3347
3348         * PlatformGTK.cmake:
3349
3350 2018-04-24  Keith Miller  <keith_miller@apple.com>
3351
3352         fromCharCode is missing some exception checks
3353         https://bugs.webkit.org/show_bug.cgi?id=184952
3354
3355         Reviewed by Saam Barati.
3356
3357         I also removed the pointless slow path function and moved it into the
3358         main function.
3359
3360         * runtime/StringConstructor.cpp:
3361         (JSC::stringFromCharCode):
3362         (JSC::stringFromCharCodeSlowCase): Deleted.
3363
3364 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
3365
3366         MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
3367         https://bugs.webkit.org/show_bug.cgi?id=184923
3368
3369         Reviewed by Saam Barati.
3370         
3371         If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
3372         (i.e. we know that the object has one of those structures), then previously we would still emit a
3373         switch with a case per structure along with a default case. That would mean one extra redundant
3374         branch to check that whatever structure we wound up with belongs to the set. In that case, we
3375         were already making the default case be an Oops.
3376         
3377         One possible solution would be to say that the default case being Oops means that B3 doesn't need
3378         to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
3379         be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
3380         seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
3381         trap.
3382         
3383         So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
3384         extra branch.
3385         
3386         This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
3387         it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to