Generate a compile error if release is built without compiler optimizations
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-10-04  Carlos Alberto Lopez Perez  <clopez@igalia.com>

        Generate a compile error if release is built without compiler optimizations
        https://bugs.webkit.org/show_bug.cgi?id=177665

        Reviewed by Michael Catanzaro.

        Pass -DRELEASE_WITHOUT_OPTIMIZATIONS to testair.cpp and testb3.cpp because
        these files are compiled with -O0 for build speed reasons after r195639.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2017-10-03  Jon Davis  <jond@apple.com>

        Update WebAssembly to "Supported"
        https://bugs.webkit.org/show_bug.cgi?id=177831

        Reviewed by Alexey Proskuryakov.

        Cleaned up Async Iteration and Object rest/spread to use "In Development"
        instead of "In development".

        * features.json:

2017-10-03  Saam Barati  <sbarati@apple.com>

        Implement polymorphic prototypes
        https://bugs.webkit.org/show_bug.cgi?id=176391

        Reviewed by Filip Pizlo.

        This patch changes JSC's object model with respect to where the prototype
        of an object is stored. Previously, it was always stored as
        a constant value inside Structure. So an object's structure used to
        always tell you what its prototype is. Anytime an object changed
        its prototype, it would do a structure transition. This enables
        a large class of optimizations: just by doing a structure check,
        we know what the prototype is.

        However, this design falls down when you have many objects that
        have the same shape, but only differ in what their prototype value
        is. This arises in many JS programs. A simple, and probably common, example
        is when the program has a constructor inside of a function:
        ```
        function foo() {
            class C {
                constructor() { this.field1 = 42; /* ... */ this.fieldN = 42; }
                method1() { doStuffWith(this.field); }
                method2() { doStuffWith(this.field); }
            }
            let c = new C;
            // do things with c
        }
        // repeatedly call foo() here
        ```

        Before this patch, in the above program, each time `new C` created an
        object, it would create an object with a different structure. The
        reason for this is that each time foo is called, there is a new
        instance of C.prototype. However, each `new C` that was created
        will have identical shape sans its prototype value. This would
        cause all ICs that used `c` to quickly give up on any form of caching
        because they would see too many structures and give up and permanently
        divert control flow to the slow path.

        This patch fixes this issue by expanding the notion of where the prototype
        of an object is stored. There are now two notions of where the prototype
        is stored. A Structure can now be in two modes:
        1. Mono proto mode. This is the same mode as we used to have. It means
        the structure itself has a constant prototype value.
        2. Poly proto mode. This means the structure knows nothing about the
        prototype value itself. Objects with this structure store their prototype
        in normal object field storage. The structure will tell you the offset of
        this prototype inside the object's storage. As of today, we only reserve
        inline slots for the prototype field because poly proto only occurs
        for JSFinalObject. However, this will be expanded to support out of line
        offsets in a future patch when we extend poly proto to work when we inherit
        from builtin types like Map and Array.

        In this initial patch, we do poly proto style inline caching whenever
        we see an object that is poly proto or if an object in its prototype lookup
        chain is poly proto. Poly proto ICs work by verifying the lookup chain
        at runtime. This essentially boils down to performing structure checks
        up the prototype chain. In a future patch, we're going to extend object
        property condition set to work with objects that don't have poly proto bases.

        Initially, accesses that have poly proto access chains will always turn
        into GetById/PutById in the DFG. In a future patch, I'm going to teach
        the DFG how to inline certain accesses that have poly proto in the access
        chain.

        One of most interesting parts about this patch is how we decide when to go
        poly proto. This patch uses a profiling based approach. An IC will inform
        a watchpoint that it sees an opportunity when two Structures are structurally
        the same, sans the base object's prototype. This means that two structures
        have equivalent shapes all the way up the prototype chain. To support fast
        structural comparison, we compute a hash for a structure based on the properties
        it has. We compute this hash as we add properties to the structure. This
        computation is nearly free since we always add UniquedStringImpl*'s which
        already have their hashes computed. To compare structural equivalence, we
        just compare hash values all the way up the prototype chain. This means we
        can get hash conflicts between two structures, but it's extremely rare. First,
        it'll be rare for two structures to have the same hash. Secondly, we only
        consider structures originating from the same executable.

        How we set up this poly proto watchpoint is crucial to its design. When we create_this
        an object originating from some executable, that executable will create a Box<InlineWatchpointSet>.
        Each structure that originates from this executable will get a copy of that
        Box<InlineWatchpointSet>. As that structure transitions to new structures,
        they too will get a copy of that Box<InlineWatchpointSet>. Therefore, when
        invalidating an arbitrary structure's poly proto watchpoint, we will know
        the next time we create_this from that executable that it had been
        invalidated, and that we should create an object with a poly proto
        structure. We also use the pointer value of this Box<InlineWatchpointSet>
        to determine if two structures originated from the same executable. This
        pruning will severely limit the chances of getting a hash conflict in practice.

        This patch is neutral on my MBP on traditional JS benchmarks like Octane/Kraken/Sunspider.
        It may be a 1-2% ARES-6 progression.

        This patch is between neutral and a 9x progression on the various tests
        I added. Most of the microbenchmarks are progressed by at least 50%.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/BuiltinNames.cpp:
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        (JSC::BuiltinNames::underscoreProtoPrivateName const):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::AccessCase):
        (JSC::AccessCase::create):
        (JSC::AccessCase::commit):
        (JSC::AccessCase::guardedByStructureCheck const):
        (JSC::AccessCase::canReplace const):
        (JSC::AccessCase::dump const):
        (JSC::AccessCase::visitWeak const):
        (JSC::AccessCase::propagateTransitions const):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCase.h:
        (JSC::AccessCase::usesPolyProto const):
        (JSC::AccessCase::AccessCase):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
        (JSC::GetterSetterAccessCase::create):
        * bytecode/GetterSetterAccessCase.h:
        * bytecode/InternalFunctionAllocationProfile.h:
        (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
        * bytecode/IntrinsicGetterAccessCase.cpp:
        (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
        * bytecode/IntrinsicGetterAccessCase.h:
        * bytecode/ModuleNamespaceAccessCase.cpp:
        (JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase):
        * bytecode/ObjectAllocationProfile.cpp: Added.
        (JSC::ObjectAllocationProfile::initializeProfile):
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::clear):
        (JSC::ObjectAllocationProfile::initialize): Deleted.
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): Deleted.
        * bytecode/ObjectPropertyConditionSet.cpp:
        * bytecode/PolyProtoAccessChain.cpp: Added.
        (JSC::PolyProtoAccessChain::create):
        (JSC::PolyProtoAccessChain::needImpurePropertyWatchpoint const):
        (JSC::PolyProtoAccessChain::operator== const):
        (JSC::PolyProtoAccessChain::dump const):
        * bytecode/PolyProtoAccessChain.h: Added.
        (JSC::PolyProtoAccessChain::clone):
        (JSC::PolyProtoAccessChain:: const):
        (JSC::PolyProtoAccessChain::operator!= const):
        (JSC::PolyProtoAccessChain::forEach const):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::addCases):
        (JSC::PolymorphicAccess::regenerate):
        (WTF::printInternal):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationResult::shouldResetStub const):
        (JSC::AccessGenerationState::AccessGenerationState):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        * bytecode/ProxyableAccessCase.cpp:
        (JSC::ProxyableAccessCase::ProxyableAccessCase):
        (JSC::ProxyableAccessCase::create):
        * bytecode/ProxyableAccessCase.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::addAccessCase):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::load):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::canDoFastSpread):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_instanceof):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        * jsc.cpp:
        (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
        (WTF::DOMJITGetterBaseJSObject::createStructure):
        (WTF::DOMJITGetterBaseJSObject::create):
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
        (WTF::DOMJITGetterBaseJSObject::customGetter):
        (WTF::DOMJITGetterBaseJSObject::finishCreation):
        (GlobalObject::finishCreation):
        (functionCreateDOMJITGetterBaseJSObject):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ArrayPrototype.cpp:
        (JSC::holesMustForwardToPrototype):
        (JSC::fastJoin):
        (JSC::arrayProtoFuncReverse):
        (JSC::moveElements):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        (JSC::ClonedArguments::createWithInlineFrame):
        (JSC::ClonedArguments::createWithMachineFrame):
        (JSC::ClonedArguments::createByCopyingFrom):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::visitChildren):
        * runtime/FunctionExecutable.h:
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::initializeObjectAllocationProfile):
        * runtime/FunctionRareData.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructureSlow):
        * runtime/JSArray.cpp:
        (JSC::JSArray::fastSlice):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::canFastCopy):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure const):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::prototypeForConstruction):
        (JSC::JSFunction::allocateAndInitializeRareData):
        (JSC::JSFunction::initializeRareData):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSFunction.h:
        * runtime/JSMap.cpp:
        (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
        (JSC::JSMap::canCloneFastAndNonObservable):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::setPrototypeDirect):
        (JSC::JSObject::ordinaryToPrimitive const):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        (JSC::JSObject::getEnumerableLength):
        (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
        (JSC::JSObject::prototypeChainMayInterceptStoreTo):
        (JSC::JSObject::needsSlowPutIndexing const):
        (JSC::JSObject::suggestedArrayStorageTransition const):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        (JSC::JSObject::getPrototypeDirect const):
        (JSC::JSObject::getPropertySlot):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::getNonIndexPropertySlot):
        (JSC::JSObject::putInlineForJSObject):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/JSSet.cpp:
        (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
        (JSC::JSSet::canCloneFastAndNonObservable):
        * runtime/LazyClassStructure.h:
        (JSC::LazyClassStructure::prototypeConcurrently const): Deleted.
        * runtime/Operations.cpp:
        (JSC::normalizePrototypeChain):
        * runtime/Operations.h:
        * runtime/Options.h:
        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::createEmptyStructure):
        (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
        (JSC::PrototypeMap::emptyObjectStructureForPrototype):
        (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
        * runtime/PrototypeMap.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::create):
        (JSC::Structure::holesMustForwardToPrototype const):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::isCheapDuringGC):
        (JSC::Structure::toStructureShape):
        (JSC::Structure::dump const):
        (JSC::Structure::canCachePropertyNameEnumerator const):
        (JSC::Structure::anyObjectInChainMayInterceptIndexedAccesses const): Deleted.
        (JSC::Structure::needsSlowPutIndexing const): Deleted.
        (JSC::Structure::suggestedArrayStorageTransition const): Deleted.
        (JSC::Structure::prototypeForLookup const): Deleted.
        (JSC::Structure::prototypeChainMayInterceptStoreTo): Deleted.
        (JSC::Structure::canUseForAllocationsOf): Deleted.
        * runtime/Structure.h:
        * runtime/StructureChain.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::create):
        (JSC::Structure::storedPrototypeObject const):
        (JSC::Structure::storedPrototypeStructure const):
        (JSC::Structure::storedPrototype const):
        (JSC::prototypeForLookupPrimitiveImpl):
        (JSC::Structure::prototypeForLookup const):
        (JSC::Structure::prototypeChain const):
        (JSC::Structure::isValid const):
        (JSC::Structure::add):
        (JSC::Structure::setPropertyTable):
        (JSC::Structure::shouldConvertToPolyProto):
        * runtime/StructureRareData.h:
        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        * runtime/TypeSet.h:
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase<Unknown>::isInt32 const):

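The poly proto decision described in the entry above (hash the property names as they are added, compare hashes up the prototype chain, and only consider structures from the same executable) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the WebKit patch: `Structure`, `hashName`, `polyProtoCandidate` and `simulateFoo` are invented names, FNV-1a stands in for the hash that JSC takes from `UniquedStringImpl`, and a plain shared object stands in for the `Box<InlineWatchpointSet>` that identifies the originating executable.

```javascript
// Added illustration, not code from the WebKit patch: a toy model of the
// structural-equivalence test used to decide when to go poly proto.

function hashName(seed, name) {
  // 32-bit FNV-1a over UTF-16 code units (stand-in for UniquedStringImpl's
  // precomputed hash). It is cheap and order-sensitive, which is all we need.
  let h = seed >>> 0;
  for (let i = 0; i < name.length; i++) {
    h ^= name.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

class Structure {
  constructor(proto, originBox, hash = 0x811c9dc5, names = []) {
    this.proto = proto;          // Structure of the prototype object, or null
    this.originBox = originBox;  // identity of the executable this shape came from
    this.hash = hash;            // running hash of the property names added so far
    this.names = names;
  }

  // A transition: adding a property yields a new Structure whose hash extends
  // the parent's, so the comparison key is maintained for free as shapes grow.
  addProperty(name) {
    return new Structure(this.proto, this.originBox,
                         hashName(this.hash, name), [...this.names, name]);
  }
}

// Walk both prototype chains in lockstep comparing hashes only. Prototype
// *identity* is deliberately ignored: that is what lets objects created by
// different calls of foo() compare as equal.
function structurallyEquivalent(a, b) {
  while (a !== null && b !== null) {
    if (a.hash !== b.hash) return false;
    a = a.proto;
    b = b.proto;
  }
  return a === null && b === null;
}

// The pruning step from the entry: only structures originating from the same
// executable are compared, which keeps hash collisions between unrelated code
// out of the decision. Identical structures need no poly proto at all.
function polyProtoCandidate(a, b) {
  return a !== b && a.originBox === b.originBox && structurallyEquivalent(a, b);
}

// Models one call of foo(): a fresh C.prototype (a new prototype Structure)
// on every call, but instances of identical shape.
const objectPrototypeStructure = new Structure(null, { tag: 'Object.prototype' });

function simulateFoo(originBox, fieldNames) {
  const protoStructure = new Structure(objectPrototypeStructure, { tag: 'C.prototype' })
    .addProperty('constructor').addProperty('method1').addProperty('method2');
  let instance = new Structure(protoStructure, originBox);
  for (const f of fieldNames) instance = instance.addProperty(f);
  return instance;
}

// Constructed sample: two calls of the same foo(), one differently shaped
// object, and an equally shaped object from a different executable.
const boxForC = { invalidated: false };
const first = simulateFoo(boxForC, ['field1', 'field2']);
const second = simulateFoo(boxForC, ['field1', 'field2']);
const different = simulateFoo(boxForC, ['field1', 'other']);
const elsewhere = simulateFoo({ invalidated: false }, ['field1', 'field2']);

console.log(polyProtoCandidate(first, second));     // true: same shape, new prototype
console.log(polyProtoCandidate(first, different));  // false: shapes differ
console.log(polyProtoCandidate(first, elsewhere));  // false: other executable
```

The hash is only a fast filter: two different shapes can in principle collide, which is why the real implementation also verifies the lookup chain with structure checks at IC time rather than trusting the hash alone.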
2017-10-03  JF Bastien  <jfbastien@apple.com>

        WebAssembly: no VM / JS version of everything but Instance
        https://bugs.webkit.org/show_bug.cgi?id=177473

        Reviewed by Filip Pizlo.

        This change entails cleaning up and splitting a bunch of code which we had
        intertwined between C++ classes which represent JS objects, and pure C++
        implementation objects. This specific change goes most of the way towards
        allowing JSC's WebAssembly to work without VM / JS, up to but excluding
        JSWebAssemblyInstance (there's Wasm::Instance, but it's not *the* thing
        yet). Because of this we still have a few FIXMEs identifying places that need to
        change. A follow-up change will go the rest of the way.

        I went about this change in the simplest way possible: grep the
        JavaScriptCore/wasm directory for "JS[^C_]" as well as "VM" and exclude the /js/
        sub-directory (which contains the JS implementation of WebAssembly).

        None of this change removes the need for a JIT entitlement to be able to use
        WebAssembly. We don't have an interpreter, the process therefore still needs to
        be allowed to JIT to use these pure-C++ APIs.

        Interesting things to note:

          - Remove VM from Plan and associated places. It can just live as a capture in
            the callback lambda if it's needed.
          - Wasm::Memory shouldn't require a VM. It was only used to ask the GC to
            collect. We now instead pass two lambdas at construction time for this
            purpose: one to notify of memory pressure, and the other to ask for
            synchronous memory reclamation. This allows whoever creates the memory to
            dictate how to react to both these cases, and for a JS embedding that's to
            call the GC (async or sync, respectively).
          - Move grow logic from JSWebAssemblyMemory to Wasm::Memory::grow. Use Expected
            there, with an enum class for failure types.
          - Exceeding max on memory growth now returns a range error as per spec. This
            is a (very minor) breaking change: it used to throw OOM error. Update the
            corresponding test.
          - When generating the grow_memory opcode, no need to get the VM. Instead,
            reach directly for Wasm::Memory and grow it.
          - JSWebAssemblyMemory::grow can now always throw on failure, because it's only
            ever called from JS (not from grow_memory as before).
          - Wasm::Memory now takes a callback for successful growth. This allows JS
            wrappers to register themselves when growth succeeds without Wasm::Memory
            knowing anything about JS. It'll also allow creating a list of callbacks
            for when we add thread support (we'll want to notify many wrappers, all
            under a lock).
          - Wasm::Memory is now back to being the source of truth about address / size,
            used directly by generated code instead of JSWebAssemblyMemory.
          - Move wasmToJS from the general WasmBinding header to its own header under
            wasm/js. It's only used by wasm/js/JSWebAssemblyCodeBlock.cpp, and uses VM,
            and therefore isn't general WebAssembly.
          - Make Wasm::Context an actual type (just a struct holding a
            JSWebAssemblyInstance for now) instead of an alias for that. Notably this
            doesn't add anything to the Context and doesn't change what actually gets
            passed around in JIT code (fast TLS or registers) because these changes
            potentially impact performance. The entire purpose of this change is to
            allow passing Wasm::Context around without having to know about VM. Since VM
            contains a Wasm::Context the JS embedding is effectively the same, but with
            this setup a non-JS embedding is much better off.
          - Move JSWebAssembly into the JS folder.
          - OMGPlan: use Wasm::CodeBlock directly instead of JSWebAssemblyCodeBlock.
          - wasm->JS stubs are now on Wasm::CodeBlock's tail as raw pointers, instead of
            being on JSWebAssemblyCodeBlock, and are now called wasm->Embedder
            stubs. The owned reference is still on JSWebAssemblyCodeBlock, and is still
            called wasm->JS stub. This move means that the embedder must, after creating
            a Wasm::CodeBlock, somehow create the stubs to call back into the
            embedder. This isn't adding any indirection to the generated code because
            the B3 IR generator now reaches for Wasm::CodeBlock instead of
            JSWebAssemblyCodeBlock.
          - Move more CodeBlock things. Compilation completion is now marked by its own
            atomic<bool> flag instead of a nullptr plan: that required using a lock, and
            was causing a deadlock in stack-trace.js because before my changes
            JSWebAssemblyCodeBlock did its own completion checking separately from
            Wasm::CodeBlock, without getting the lock. Now that everything points to
            Wasm::CodeBlock and there's no cached completion marker, the lock was being
            acquired in a sanity-check assertion.
          - Embedder -> Wasm wrappers are now generated through a function that's passed
            in at compilation time, instead of being hard-coded as a JS -> Wasm wrapper.
          - WasmMemory doesn't need to know about fault handling thunks. Only the IR
            generator should know, and should make sure that the exception throwing
            thunk is generated if any memory is present (note: with signal handling not
            all of them generate an exception check).
          - Make exception throwing pluggable: instead of having a hard-coded
            JS-specific lambda we now have a regular C++ function being called from JIT
            code when a WebAssembly exception is thrown. This allows any embedder to get
            called as they wish. For now a process can only have a single of these
            functions (i.e. only one embedder per process) because the trap handler is a
            singleton. That can be fixed in #177475.
          - Create WasmEmbedder.h where all embedder plugging will live.
          - Split up JSWebAssemblyTable into Wasm::Table which is
            refcounted. JSWebAssemblyTable now only contains the JS functions in the
            table, and Wasm::Table is what's used by the JIT code to lookup where to
            call and do the instance check (for context switch). Note that this creates
            an extra allocation for all the instances in Wasm::Table, and in exchange
            removes an indirection in JIT code because the instance used to be obtained
            off of the JS function. Also note that it's the embedder that keeps the
            instances alive, not Wasm::Table (which holds a dumb pointer to the
            instance), because doing otherwise would cause reference cycles.
          - Add WasmInstance. It doesn't do much for now, owns globals.
          - JSWebAssembly instance now doesn't just contain the imported functions as
            JSObjects, it also has the corresponding import's instance and wasm
            entrypoint. This triples the space allocated per instance's imported
            function, but there shouldn't be that many imports. This has two upsides: it
            creates smaller and faster code, and makes it easier to disassociate
            embedder-specific things from embedder-neutral things. The small / faster
            win is in two places: B3 IR generator only needs offsetOfImportFunction for
            the call opcode (when the called index is an import) to know whether the
            import is wasm->wasm or wasm->embedder (this isn't known at compile-time
            because it's dependent on the import object), this is now done by seeing if
            that import function has an associated target instance (only wasm->wasm
            does); the other place is wasmBinding which uses offsetOfImportFunction to
            figure out the wasm->wasm target instance, and then gets
            WebAssemblyFunction::offsetOfWasmEntrypointLoadLocation to do a tail
            call. The disassociation comes because the target instance can be
            Wasm::Instance once we change what the Context is, and
            WasmEntrypointLoadLocation is already embedder-independent. As a next step I
            can move this tail allocation from JSWebAssemblyInstance to Wasm::Instance,
            and leave importFunction in as an opaque pointer which is embedder-specific,
            and in JS will remain WriteBarrier<JSObject>.
          - Rename VMEntryFrame to EntryFrame, and in many places pass a pointer to it
            around instead of VM. This is a first step in allowing entry frames which
            aren't stored on VM, but which are instead stored in an embedder-specific
            location. That change won't really affect JS except through code churn, but
            will allow WebAssembly to use some machinery in a generic manner without
            having a VM.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        * debugger/Debugger.cpp:
        (JSC::Debugger::stepOutOfFunction):
        (JSC::Debugger::returnEvent):
        (JSC::Debugger::unwindEvent):
        (JSC::Debugger::didExecuteProgram):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExit::compileExit):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::wasmAwareLexicalGlobalObject):
        (JSC::CallFrame::callerFrame):
        (JSC::CallFrame::unsafeCallerFrame):
        * interpreter/CallFrame.h:
        (JSC::ExecState::callerFrame const):
        (JSC::ExecState::callerFrameOrEntryFrame const):
        (JSC::ExecState::unsafeCallerFrameOrEntryFrame const):
        * interpreter/FrameTracers.h:
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
        (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::operator() const):
        (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
        (JSC::Interpreter::unwind):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):
        (JSC::StackVisitor::gotoNextFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        (JSC::StackVisitor::Frame::dump const):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::Frame::callerIsEntryFrame const):
        * interpreter/VMEntryRecord.h:
        (JSC::VMEntryRecord::prevTopEntryFrame):
        (JSC::VMEntryRecord::unsafePrevTopEntryFrame):
        (JSC::EntryFrame::vmEntryRecordOffset):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
        (JSC::AssemblyHelpers::loadWasmContextInstance):
        (JSC::AssemblyHelpers::storeWasmContextInstance):
        (JSC::AssemblyHelpers::loadWasmContextInstanceNeedsMacroScratchRegister):
        (JSC::AssemblyHelpers::storeWasmContextInstanceNeedsMacroScratchRegister):
        (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
        (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_catch):
        * jit/JITOperations.cpp:
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::nativeForGenerator):
        * jsc.cpp:
        (functionDumpCallFrame):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntThunks.cpp:
        (JSC::vmEntryRecord):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::FrameWalker):
        (JSC::FrameWalker::advanceToParentFrame):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/ThrowScope.cpp:
        (JSC::ThrowScope::~ThrowScope):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        (JSC::VM::topEntryFrameOffset):
        * runtime/VMTraps.cpp:
        (JSC::isSaneFrame):
        (JSC::VMTraps::tryInstallTrapBreakpoints):
        (JSC::VMTraps::invalidateCodeBlocksOnStack):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::addGrowMemory):
590         (JSC::Wasm::B3IRGenerator::addCurrentMemory):
591         (JSC::Wasm::B3IRGenerator::addCall):
592         (JSC::Wasm::B3IRGenerator::addCallIndirect):
593         (JSC::Wasm::parseAndCompile):
594         * wasm/WasmB3IRGenerator.h:
595         * wasm/WasmBBQPlan.cpp:
596         (JSC::Wasm::BBQPlan::BBQPlan):
597         (JSC::Wasm::BBQPlan::compileFunctions):
598         (JSC::Wasm::BBQPlan::complete):
599         * wasm/WasmBBQPlan.h:
600         * wasm/WasmBBQPlanInlines.h:
601         (JSC::Wasm::BBQPlan::initializeCallees):
602         * wasm/WasmBinding.cpp:
603         (JSC::Wasm::wasmToWasm):
604         * wasm/WasmBinding.h:
605         * wasm/WasmCodeBlock.cpp:
606         (JSC::Wasm::CodeBlock::create):
607         (JSC::Wasm::CodeBlock::CodeBlock):
608         (JSC::Wasm::CodeBlock::compileAsync):
609         (JSC::Wasm::CodeBlock::setCompilationFinished):
610         * wasm/WasmCodeBlock.h:
611         (JSC::Wasm::CodeBlock::offsetOfImportStubs):
612         (JSC::Wasm::CodeBlock::allocationSize):
613         (JSC::Wasm::CodeBlock::importWasmToEmbedderStub):
614         (JSC::Wasm::CodeBlock::offsetOfImportWasmToEmbedderStub):
615         (JSC::Wasm::CodeBlock::wasmToJSCallStubForImport):
616         (JSC::Wasm::CodeBlock::compilationFinished):
617         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
618         (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
619         * wasm/WasmContext.cpp:
620         (JSC::Wasm::Context::useFastTLS):
621         (JSC::Wasm::Context::load const):
622         (JSC::Wasm::Context::store):
623         * wasm/WasmContext.h:
624         * wasm/WasmEmbedder.h: Copied from Source/JavaScriptCore/wasm/WasmContext.h.
625         * wasm/WasmFaultSignalHandler.cpp:
626         * wasm/WasmFaultSignalHandler.h:
627         * wasm/WasmFormat.h:
628         * wasm/WasmInstance.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
629         (JSC::Wasm::Instance::Instance):
630         (JSC::Wasm::Instance::~Instance):
631         (JSC::Wasm::Instance::extraMemoryAllocated const):
632         * wasm/WasmInstance.h: Added.
633         (JSC::Wasm::Instance::create):
634         (JSC::Wasm::Instance::finalizeCreation):
635         (JSC::Wasm::Instance::module):
636         (JSC::Wasm::Instance::codeBlock):
637         (JSC::Wasm::Instance::memory):
638         (JSC::Wasm::Instance::table):
639         (JSC::Wasm::Instance::loadI32Global const):
640         (JSC::Wasm::Instance::loadI64Global const):
641         (JSC::Wasm::Instance::loadF32Global const):
642         (JSC::Wasm::Instance::loadF64Global const):
643         (JSC::Wasm::Instance::setGlobal):
644         (JSC::Wasm::Instance::offsetOfCachedStackLimit):
645         (JSC::Wasm::Instance::cachedStackLimit const):
646         (JSC::Wasm::Instance::setCachedStackLimit):
647         * wasm/WasmMemory.cpp:
648         (JSC::Wasm::Memory::Memory):
649         (JSC::Wasm::Memory::create):
650         (JSC::Wasm::Memory::~Memory):
651         (JSC::Wasm::Memory::grow):
652         * wasm/WasmMemory.h:
653         (JSC::Wasm::Memory::offsetOfMemory):
654         (JSC::Wasm::Memory::offsetOfSize):
655         * wasm/WasmMemoryInformation.cpp:
656         (JSC::Wasm::PinnedRegisterInfo::get):
657         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
658         * wasm/WasmMemoryInformation.h:
659         (JSC::Wasm::PinnedRegisterInfo::toSave const):
660         * wasm/WasmMemoryMode.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
661         (JSC::Wasm::makeString):
662         * wasm/WasmMemoryMode.h: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
663         * wasm/WasmModule.cpp:
664         (JSC::Wasm::makeValidationCallback):
665         (JSC::Wasm::Module::validateSync):
666         (JSC::Wasm::Module::validateAsync):
667         (JSC::Wasm::Module::getOrCreateCodeBlock):
668         (JSC::Wasm::Module::compileSync):
669         (JSC::Wasm::Module::compileAsync):
670         * wasm/WasmModule.h:
671         * wasm/WasmModuleParser.cpp:
672         (JSC::Wasm::ModuleParser::parseTableHelper):
673         * wasm/WasmOMGPlan.cpp:
674         (JSC::Wasm::OMGPlan::OMGPlan):
675         (JSC::Wasm::OMGPlan::runForIndex):
676         * wasm/WasmOMGPlan.h:
677         * wasm/WasmPageCount.h:
678         (JSC::Wasm::PageCount::isValid const):
679         * wasm/WasmPlan.cpp:
680         (JSC::Wasm::Plan::Plan):
681         (JSC::Wasm::Plan::runCompletionTasks):
682         (JSC::Wasm::Plan::addCompletionTask):
683         (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
684         * wasm/WasmPlan.h:
685         (JSC::Wasm::Plan::dontFinalize):
686         * wasm/WasmSignature.cpp:
687         * wasm/WasmSignature.h:
688         * wasm/WasmTable.cpp: Added.
689         (JSC::Wasm::Table::create):
690         (JSC::Wasm::Table::~Table):
691         (JSC::Wasm::Table::Table):
692         (JSC::Wasm::Table::grow):
693         (JSC::Wasm::Table::clearFunction):
694         (JSC::Wasm::Table::setFunction):
695         * wasm/WasmTable.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h.
696         (JSC::Wasm::Table::maximum const):
697         (JSC::Wasm::Table::size const):
698         (JSC::Wasm::Table::offsetOfSize):
699         (JSC::Wasm::Table::offsetOfFunctions):
700         (JSC::Wasm::Table::offsetOfInstances):
701         (JSC::Wasm::Table::isValidSize):
702         * wasm/WasmThunks.cpp:
703         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
704         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
705         (JSC::Wasm::Thunks::setThrowWasmException):
706         (JSC::Wasm::Thunks::throwWasmException):
707         * wasm/WasmThunks.h:
708         * wasm/WasmWorklist.cpp:
709         (JSC::Wasm::Worklist::stopAllPlansForContext):
710         * wasm/WasmWorklist.h:
711         * wasm/js/JSToWasm.cpp: Added.
712         (JSC::Wasm::createJSToWasmWrapper):
713         * wasm/js/JSToWasm.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
714         * wasm/js/JSWebAssembly.cpp: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.cpp.
715         * wasm/js/JSWebAssembly.h: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.h.
716         * wasm/js/JSWebAssemblyCodeBlock.cpp:
717         (JSC::JSWebAssemblyCodeBlock::create):
718         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
719         * wasm/js/JSWebAssemblyCodeBlock.h:
720         * wasm/js/JSWebAssemblyInstance.cpp:
721         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
722         (JSC::JSWebAssemblyInstance::finishCreation):
723         (JSC::JSWebAssemblyInstance::visitChildren):
724         (JSC::JSWebAssemblyInstance::finalizeCreation):
725         (JSC::JSWebAssemblyInstance::create):
726         * wasm/js/JSWebAssemblyInstance.h:
727         (JSC::JSWebAssemblyInstance::instance):
728         (JSC::JSWebAssemblyInstance::context const):
729         (JSC::JSWebAssemblyInstance::table):
730         (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee):
731         (JSC::JSWebAssemblyInstance::setMemory):
732         (JSC::JSWebAssemblyInstance::offsetOfTail):
733         (JSC::JSWebAssemblyInstance::importFunctionInfo):
734         (JSC::JSWebAssemblyInstance::offsetOfTargetInstance):
735         (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint):
736         (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
737         (JSC::JSWebAssemblyInstance::importFunction):
738         (JSC::JSWebAssemblyInstance::internalMemory):
739         (JSC::JSWebAssemblyInstance::wasmCodeBlock const):
740         (JSC::JSWebAssemblyInstance::offsetOfWasmTable):
741         (JSC::JSWebAssemblyInstance::offsetOfCallee):
742         (JSC::JSWebAssemblyInstance::offsetOfGlobals):
743         (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock):
744         (JSC::JSWebAssemblyInstance::offsetOfWasmMemory):
745         (JSC::JSWebAssemblyInstance::cachedStackLimit const):
746         (JSC::JSWebAssemblyInstance::setCachedStackLimit):
747         (JSC::JSWebAssemblyInstance::wasmMemory):
748         (JSC::JSWebAssemblyInstance::wasmModule):
749         (JSC::JSWebAssemblyInstance::allocationSize):
750         (JSC::JSWebAssemblyInstance::module const):
751         * wasm/js/JSWebAssemblyMemory.cpp:
752         (JSC::JSWebAssemblyMemory::create):
753         (JSC::JSWebAssemblyMemory::adopt):
754         (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
755         (JSC::JSWebAssemblyMemory::grow):
756         (JSC::JSWebAssemblyMemory::growSuccessCallback):
757         * wasm/js/JSWebAssemblyMemory.h:
758         * wasm/js/JSWebAssemblyModule.cpp:
759         (JSC::JSWebAssemblyModule::moduleInformation const):
760         (JSC::JSWebAssemblyModule::exportSymbolTable const):
761         (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace const):
762         (JSC::JSWebAssemblyModule::callee const):
763         (JSC::JSWebAssemblyModule::codeBlock):
764         (JSC::JSWebAssemblyModule::module):
765         * wasm/js/JSWebAssemblyModule.h:
766         * wasm/js/JSWebAssemblyTable.cpp:
767         (JSC::JSWebAssemblyTable::create):
768         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
769         (JSC::JSWebAssemblyTable::visitChildren):
770         (JSC::JSWebAssemblyTable::grow):
771         (JSC::JSWebAssemblyTable::getFunction):
772         (JSC::JSWebAssemblyTable::clearFunction):
773         (JSC::JSWebAssemblyTable::setFunction):
774         * wasm/js/JSWebAssemblyTable.h:
775         (JSC::JSWebAssemblyTable::isValidSize):
776         (JSC::JSWebAssemblyTable::maximum const):
777         (JSC::JSWebAssemblyTable::size const):
778         (JSC::JSWebAssemblyTable::table):
779         * wasm/js/WasmToJS.cpp: Copied from Source/JavaScriptCore/wasm/WasmBinding.cpp.
780         (JSC::Wasm::materializeImportJSCell):
781         (JSC::Wasm::wasmToJS):
782         (JSC::Wasm::wasmToJSException):
783         * wasm/js/WasmToJS.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
784         * wasm/js/WebAssemblyFunction.cpp:
785         (JSC::callWebAssemblyFunction):
786         * wasm/js/WebAssemblyInstanceConstructor.cpp:
787         (JSC::constructJSWebAssemblyInstance):
788         * wasm/js/WebAssemblyMemoryConstructor.cpp:
789         (JSC::constructJSWebAssemblyMemory):
790         * wasm/js/WebAssemblyMemoryPrototype.cpp:
791         (JSC::webAssemblyMemoryProtoFuncGrow):
792         * wasm/js/WebAssemblyModuleConstructor.cpp:
793         (JSC::constructJSWebAssemblyModule):
794         (JSC::WebAssemblyModuleConstructor::createModule):
795         * wasm/js/WebAssemblyModuleConstructor.h:
796         * wasm/js/WebAssemblyModuleRecord.cpp:
797         (JSC::WebAssemblyModuleRecord::link):
798         (JSC::WebAssemblyModuleRecord::evaluate):
799         * wasm/js/WebAssemblyPrototype.cpp:
800         (JSC::webAssemblyCompileFunc):
801         (JSC::instantiate):
802         (JSC::compileAndInstantiate):
803         (JSC::webAssemblyValidateFunc):
804         * wasm/js/WebAssemblyTableConstructor.cpp:
805         (JSC::constructJSWebAssemblyTable):
806         * wasm/js/WebAssemblyWrapperFunction.cpp:
807         (JSC::WebAssemblyWrapperFunction::create):
808
809 2017-10-02  Keith Miller  <keith_miller@apple.com>
810
811         VMTraps shouldn't crash if it sees an exception it doesn't understand.
812         https://bugs.webkit.org/show_bug.cgi?id=177780
813
814         Reviewed by Mark Lam.
815
816         VMTraps could see a JIT breakpoint (SegV) for any number of
817         reasons it doesn't understand. e.g.  a bug in JIT code, Wasm OOB,
818         etc. This patch makes it handle that case gracefully. It's worth
819         noting that this means there's no way to know if, due to a bug, we
820         didn't accurately track all the VMTraps we installed. I'm not sure
821         if there is a good solution to that problem though.
822
823         * runtime/VMTraps.cpp:
824
825 2017-10-02  Saam Barati  <sbarati@apple.com>
826
827         Unreviewed. Add missing exception check for the custom-get-set-inline-caching-one-level-up-proto-chain.js
828         test that I added. It uncovered a pre-existing missing exception check.
829
830         * runtime/JSObject.cpp:
831         (JSC::JSObject::putInlineSlow):
832
833 2017-10-02  Joseph Pecoraro  <pecoraro@apple.com>
834
835         Web Inspector: Include Beacon and Ping requests in Network tab
836         https://bugs.webkit.org/show_bug.cgi?id=177641
837         <rdar://problem/33086839>
838
839         Reviewed by Chris Dumez.
840
841         * inspector/protocol/Page.json:
842         Include new "Beacon" and "Ping" resource types.
843
844 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
845
846         ChakraCore/test/Function/apply3.js produces a wrong result on x86_64
847         https://bugs.webkit.org/show_bug.cgi?id=175642
848
849         Reviewed by Darin Adler.
850
851         According to the JS spec, the ToLength operation[1] has a range of 0..(2^53)
852         - 1. In Interpreter.cpp::sizeFrameForVarargs, the result of the call to
853         sizeOfVarargs() was being assigned to "unsigned length", forcing a
854         type cast that yields different values among the architectures JSC supports.
855         For instance, on x86_64 "4294967295 + 1" results in 0, while on ARMv6 it
856         results in 4294967295. This patch changes "sizeOfVarargs" to clamp the
857         result from "toLength" to unsigned and thereby get the desired behavior on
858         all supported platforms.
859
860         [1] - https://tc39.github.io/ecma262/#sec-tolength
861
862         * interpreter/Interpreter.cpp:
863         (JSC::sizeOfVarargs):
864         * interpreter/Interpreter.h:
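
        The narrowing described in this entry, as an added C++ example (not JSC's code): a model of
        ToLength followed by the two conversions the entry contrasts, the wrapping cast it fixes and the
        clamp it introduces. The names toLength, truncateToUnsigned and clampToUnsigned are assumptions;
        the wrap is routed through uint64_t so that it is well defined for the demonstration.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Added example, not JSC's code. Models the ECMAScript ToLength operation and the
// two ways of narrowing its result to "unsigned" that the ChangeLog entry contrasts.
// All function names here are assumptions for illustration.

// ToLength: NaN or non-positive -> 0; otherwise truncate and cap at 2^53 - 1.
static double toLength(double value)
{
    if (std::isnan(value) || value <= 0)
        return 0;
    const double maxSafeInteger = 9007199254740991.0; // 2^53 - 1, exactly representable
    double truncated = std::trunc(value);
    return truncated > maxSafeInteger ? maxSafeInteger : truncated;
}

// The wrapping conversion behind "unsigned length = sizeOfVarargs(...)".
// Converting an out-of-range double straight to unsigned is undefined behaviour in
// C++, which is why the entry saw 0 on x86_64 and 4294967295 on ARMv6; routing the
// value through uint64_t makes the wrap-around well defined for this demonstration.
static unsigned truncateToUnsigned(double length)
{
    return static_cast<unsigned>(static_cast<uint64_t>(length));
}

// The clamping conversion the patch introduces: values at or above 2^32 saturate
// at UINT_MAX instead of wrapping, so the result is the same on every platform.
static unsigned clampToUnsigned(double length)
{
    const unsigned limit = std::numeric_limits<unsigned>::max();
    if (length >= static_cast<double>(limit))
        return limit;
    return static_cast<unsigned>(length);
}

int main()
{
    double length = toLength(4294967295.0 + 1); // 2^32, outside the unsigned range
    std::printf("truncate: %u\nclamp:    %u\n", truncateToUnsigned(length), clampToUnsigned(length));
    return 0;
}
```

        main() prints both conversions of 2^32: the truncating cast wraps to 0, the clamp saturates at
        4294967295, independent of how the target architecture converts out-of-range floating-point values.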
865
866 2017-10-02  Saam Barati  <sbarati@apple.com>
867
868         Unreviewed. Fix debug assertion after r222671. 
869
870         JSTestCustomGetterSetter::finishCreation needs to call its base's finishCreation implementation.
871
872         * jsc.cpp:
873         (JSTestCustomGetterSetter::finishCreation):
874
875 2017-10-01  Commit Queue  <commit-queue@webkit.org>
876
877         Unreviewed, rolling out r222564.
878         https://bugs.webkit.org/show_bug.cgi?id=177720
879
880         "It regressed JetStream by 2% on iOS caused by a 50%
881         regression on the bigfib subtest" (Requested by saamyjoon on
882         #webkit).
883
884         Reverted changeset:
885
886         "Add Above/Below comparisons for UInt32 patterns"
887         https://bugs.webkit.org/show_bug.cgi?id=177281
888         http://trac.webkit.org/changeset/222564
889
890 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
891
892         [DFG] Support ArrayPush with multiple args
893         https://bugs.webkit.org/show_bug.cgi?id=175823
894
895         Reviewed by Saam Barati.
896
899         This patch implements ArrayPush (with multiple arguments) in DFG and FTL. Previously, such calls were not handled
900         by ArrayPush; they went to a generic direct call to Array#push, which ran in the slow path. This patch
901         extends ArrayPush to push multiple arguments in a bulk push manner.
902
903         The problem of ArrayPush is that we need to perform ArrayPush atomically: if an OSR exit occurs in the middle
904         of ArrayPush, we would incorrectly push the already pushed elements twice. Once we start pushing values, we should not exit.
905         But we do not want to iterate over the elements twice, once for type checks and once for actually pushing them. That
906         could move elements between registers and memory back and forth.
907
908         This patch achieves the above goal by separating type checks from ArrayPush. When starting ArrayPush, type
909         checks for elements are already done by separately emitted Check nodes.
910
911         We also add JSArray::pushInline for DFG operations that just call JSArray::push, and we also use it in
912         arrayProtoFuncPush's fast path.
913
914         This patch significantly improves performance of `push(multiple args)`.
915
916                                             baseline                  patched
917             Microbenchmarks:
918                 array-push-0            461.8455+-28.9995    ^    151.3438+-6.5653        ^ definitely 3.0516x faster
919                 array-push-1            133.8845+-7.0349     ?    136.1775+-5.8327        ? might be 1.0171x slower
920                 array-push-2            675.6555+-13.4645    ^    145.8747+-6.4621        ^ definitely 4.6318x faster
921                 array-push-3            849.5284+-15.2540    ^    253.4421+-9.1249        ^ definitely 3.3520x faster
922
923                                             baseline                  patched
924             SixSpeed:
925                 spread-literal.es5       90.3482+-6.6514     ^     24.8123+-2.3304        ^ definitely 3.6413x faster
926
927         * dfg/DFGByteCodeParser.cpp:
928         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
929         * dfg/DFGFixupPhase.cpp:
930         (JSC::DFG::FixupPhase::fixupNode):
931         * dfg/DFGNodeType.h:
932         * dfg/DFGOperations.cpp:
933         * dfg/DFGOperations.h:
934         * dfg/DFGSpeculativeJIT.cpp:
935         (JSC::DFG::SpeculativeJIT::compileArrayPush):
936         * dfg/DFGSpeculativeJIT.h:
937         (JSC::DFG::SpeculativeJIT::callOperation):
938         * dfg/DFGSpeculativeJIT32_64.cpp:
939         (JSC::DFG::SpeculativeJIT::compile):
940         * dfg/DFGSpeculativeJIT64.cpp:
941         (JSC::DFG::SpeculativeJIT::compile):
942         * dfg/DFGStoreBarrierInsertionPhase.cpp:
943         * ftl/FTLLowerDFGToB3.cpp:
944         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
945         * jit/JITOperations.h:
946         * runtime/ArrayPrototype.cpp:
947         (JSC::arrayProtoFuncPush):
948         * runtime/JSArray.cpp:
949         (JSC::JSArray::push):
950         * runtime/JSArray.h:
951         * runtime/JSArrayInlines.h:
952         (JSC::JSArray::pushInline):
953
954 2017-09-29  Saam Barati  <sbarati@apple.com>
955
956         Custom GetterSetterAccessCase does not use the correct slotBase when making call
957         https://bugs.webkit.org/show_bug.cgi?id=177639
958
959         Reviewed by Geoffrey Garen.
960
961         The bug occurred when you had a custom set value. Custom set/get
962         values are passed the property holder, not the base of the access.
963         If we had an object chain like this:
964         o = {__proto__: thingWithCustomSetValue}
965         
966         We would end up not providing thingWithCustomSetValue as the argument
967         to the PutValueFunc. The reason is, we would use generateConditionsForPrototypePropertyHitCustom
968         for custom sets. This would return to us an empty ConditionSet, because
969         the property holder was only one level up the prototype chain. The reason
970         is, it didn't generate a condition for the slot holder, because the
971         protocol for custom set/get is that if an object responds to a custom
972         setter/getter, it will continue to respond to that getter/setter for
973         the lifetime of that object. Therefore, it's not strictly necessary to
974         generate an OPC for the slot base for custom accesses. However, AccessCase
975         uses !m_conditionSet.isEmpty() to indicate that the IC is doing a prototype
976         access. With the above object "o", we were doing a prototype access, but we
977         had an empty condition set. This led us to pass the base instead of
978         the property holder to the custom set value function, which is incorrect.
979         
980         With custom getters, we never called into the generateConditionsForPrototypePropertyHitCustom
981         API. Gets would always call into generateConditionsForPrototypePropertyHit, which
982         will generate an OPC on the slot base, even if it isn't strictly necessary for custom accessors.
983         This patch simply removes generateConditionsForPrototypePropertyHitCustom
984         and aligns the set case with the get case. It makes us properly detect
985         when we're doing a prototype access with the above object "o". If we find
986         that generateConditionsForPrototypePropertyHitCustom was a worthwhile
987         optimization to have, we can re-introduce it. We'll just need to pipe through
988         a new notion of when we're doing prototype accesses that doesn't rely solely
989         on !m_conditionSet.isEmpty().
990
991         * bytecode/ObjectPropertyConditionSet.cpp:
992         (JSC::generateConditionsForPrototypePropertyHitCustom): Deleted.
993         * bytecode/ObjectPropertyConditionSet.h:
994         * jit/Repatch.cpp:
995         (JSC::tryCachePutByID):
996         * jsc.cpp:
997         (JSTestCustomGetterSetter::JSTestCustomGetterSetter):
998         (JSTestCustomGetterSetter::create):
999         (JSTestCustomGetterSetter::createStructure):
1000         (customGetAccessor):
1001         (customGetValue):
1002         (customSetAccessor):
1003         (customSetValue):
1004         (JSTestCustomGetterSetter::finishCreation):
1005         (GlobalObject::finishCreation):
1006         (functionLoadGetterFromGetterSetter):
1007         (functionCreateCustomTestGetterSetter):
1008         * runtime/PropertySlot.h:
1009         (JSC::PropertySlot::setCustomGetterSetter):
1010
1011 2017-09-29  Commit Queue  <commit-queue@webkit.org>
1012
1013         Unreviewed, rolling out r222563, r222565, and r222581.
1014         https://bugs.webkit.org/show_bug.cgi?id=177675
1015
1016         "It causes a crash when playing youtube videos" (Requested by
1017         saamyjoon on #webkit).
1018
1019         Reverted changesets:
1020
1021         "[DFG] Support ArrayPush with multiple args"
1022         https://bugs.webkit.org/show_bug.cgi?id=175823
1023         http://trac.webkit.org/changeset/222563
1024
1025         "Unreviewed, build fix after r222563"
1026         https://bugs.webkit.org/show_bug.cgi?id=175823
1027         http://trac.webkit.org/changeset/222565
1028
1029         "Unreviewed, fix x86 breaking due to exhausted registers"
1030         https://bugs.webkit.org/show_bug.cgi?id=175823
1031         http://trac.webkit.org/changeset/222581
1032
1033 2017-09-29  Commit Queue  <commit-queue@webkit.org>
1034
1035         Unreviewed, rolling out r222625.
1036         https://bugs.webkit.org/show_bug.cgi?id=177664
1037
1038         causes crashes on iOS (Requested by pizlo-mbp on #webkit).
1039
1040         Reverted changeset:
1041
1042         "Enable gigacage on iOS"
1043         https://bugs.webkit.org/show_bug.cgi?id=177586
1044         http://trac.webkit.org/changeset/222625
1045
1046 2017-09-28  Mark Lam  <mark.lam@apple.com>
1047
1048         test262: Unexpected passes after r222617 and r222618.
1049         https://bugs.webkit.org/show_bug.cgi?id=177622
1050         <rdar://problem/34725960>
1051
1052         Reviewed by Saam Barati.
1053
1054         Now that these tests are marked as "normal", we will run them and discover a few
1055         missing exception checks.  This patch also adds those missing exception checks.
1056
1057         * runtime/DatePrototype.cpp:
1058         (JSC::fillStructuresUsingDateArgs):
1059
1060 2017-09-28  Filip Pizlo  <fpizlo@apple.com>
1061
1062         Enable gigacage on iOS
1063         https://bugs.webkit.org/show_bug.cgi?id=177586
1064
1065         Reviewed by Michael Saboff.
1066         
1067         The hardest part of enabling Gigacage on iOS is that it requires loading global variables while
1068         executing JS, so the LLInt needs to know how to load from global variables on all platforms that
1069         have Gigacage. So, this teaches ARM64 how to load from global variables.
1070
1071         * offlineasm/arm64.rb:
1072         * offlineasm/asm.rb:
1073         * offlineasm/instructions.rb:
1074
1075 2017-09-28  Mark Lam  <mark.lam@apple.com>
1076
1077         Add missing exception checks and book-keeping for exception check validation.
1078         https://bugs.webkit.org/show_bug.cgi?id=177609
1079         <rdar://problem/34717972>
1080
1081         Reviewed by Keith Miller.
1082
1083         This resolves exception check validation failures when running test262 tests and
1084         a few other tests.
1085
1086         * API/APIUtils.h:
1087         (handleExceptionIfNeeded):
1088         * API/JSObjectRef.cpp:
1089         (JSObjectMakeFunction):
1090         (JSObjectMakeArray):
1091         (JSObjectMakeDate):
1092         (JSObjectMakeError):
1093         (JSObjectMakeRegExp):
1094         (JSObjectSetPrototype):
1095         (JSObjectGetProperty):
1096         (JSObjectSetProperty):
1097         (JSObjectGetPropertyAtIndex):
1098         (JSObjectSetPropertyAtIndex):
1099         (JSObjectDeleteProperty):
1100         (JSObjectCallAsFunction):
1101         (JSObjectCallAsConstructor):
1102         * API/JSTypedArray.cpp:
1103         (JSObjectMakeTypedArray):
1104         (JSObjectMakeTypedArrayWithBytesNoCopy):
1105         (JSObjectMakeTypedArrayWithArrayBuffer):
1106         (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
1107         (JSObjectMakeArrayBufferWithBytesNoCopy):
1108         * API/JSValueRef.cpp:
1109         (JSValueIsEqual):
1110         (JSValueIsInstanceOfConstructor):
1111         (JSValueCreateJSONString):
1112         (JSValueToNumber):
1113         (JSValueToStringCopy):
1114         (JSValueToObject):
1115         * interpreter/Interpreter.cpp:
1116         (JSC::Interpreter::executeProgram):
1117         * llint/LLIntSlowPaths.cpp:
1118         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1119         * runtime/ArrayPrototype.cpp:
1120         (JSC::arrayProtoFuncIndexOf):
1121         (JSC::arrayProtoFuncLastIndexOf):
1122         * runtime/DatePrototype.cpp:
1123         (JSC::fillStructuresUsingTimeArgs):
1124         (JSC::setNewValueFromDateArgs):
1125         (JSC::dateProtoFuncSetYear):
1126         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1127         (JSC::constructGenericTypedArrayViewWithArguments):
1128         * runtime/JSModuleEnvironment.cpp:
1129         (JSC::JSModuleEnvironment::put):
1130         * runtime/ProgramExecutable.cpp:
1131         (JSC::ProgramExecutable::initializeGlobalProperties):
1132         * runtime/ProxyObject.cpp:
1133         (JSC::ProxyObject::toStringName):
1134         * runtime/StringPrototype.cpp:
1135         (JSC::stringProtoFuncCharAt):
1136         (JSC::stringProtoFuncCharCodeAt):
1137         (JSC::stringProtoFuncIndexOf):
1138         (JSC::stringProtoFuncLastIndexOf):
1139         (JSC::stringProtoFuncSlice):
1140         (JSC::stringProtoFuncSplitFast):
1141         (JSC::stringProtoFuncSubstr):
1142
1143 2017-09-27  Michael Saboff  <msaboff@apple.com>
1144
1145         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
1146         https://bugs.webkit.org/show_bug.cgi?id=177570
1147
1148         Reviewed by Filip Pizlo.
1149
1150         The change in r210837 neglected to change the check in Interpreter::backtrackParentheses() that
1151         greedy parentheses have backtracked as far as possible.  Prior to r210837, non-zero minimum greedy
1152         parentheses were factored into a fixed component and a zero-based variable component.  After
1153         r210837, the variable component is not zero based and the check needs to compare
1154         backTrack->matchAmount with the quantity minimum count.
1155
1156         * yarr/YarrInterpreter.cpp:
1157         (JSC::Yarr::Interpreter::backtrackParentheses):
1158
1159 2017-09-28  Michael Saboff  <msaboff@apple.com>
1160
1161         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
1162         https://bugs.webkit.org/show_bug.cgi?id=177423
1163
1164         Reviewed by Mark Lam.
1165
1166         Updated fix that restructures the code, changing the do ... while to a while and adding another
1167         atEndOfPattern() check before looking for the first named group identifier character.
1168
1169         * yarr/YarrParser.h:
1170         (JSC::Yarr::Parser::tryConsumeGroupName):
1171
1172 2017-09-27  Mark Lam  <mark.lam@apple.com>
1173
1174         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
1175         https://bugs.webkit.org/show_bug.cgi?id=177584
1176         <rdar://problem/34463903>
1177
1178         Reviewed by Saam Barati.
1179
1180         If the source and destination arrays are the same, we may be copying overlapping
1181         regions.  Hence, we need to take the slow path.
1182
1183         * runtime/JSArrayInlines.h:
1184         (JSC::JSArray::canFastCopy):
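
        The overlap hazard this entry describes, as an added C++ example (not JSC's code): a toy array
        whose bulk copy takes a memcpy fast path only when source and destination are distinct objects,
        and an overlap-safe slow path for a self-copy. ToyArray, canFastCopy, copyElements and the two
        scenario helpers are assumed names; the bounds checks keep the example memory-safe on bad indices.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <vector>

// Added example, not JSC's code. A toy array whose bulk copy uses a memcpy fast
// path only when source and destination are distinct objects, mirroring the rule
// in the entry: a self-copy may involve overlapping regions and must take the slow
// path. ToyArray, canFastCopy and copyElements are assumed names.
struct ToyArray {
    std::vector<int> storage;
};

// The fast path is allowed only when the two arrays are different objects.
static bool canFastCopy(const ToyArray& source, const ToyArray& destination)
{
    return &source != &destination;
}

// Copies count elements from source[sourceIndex...] to destination[destIndex...].
// Returns false without touching anything if either range is out of bounds.
static bool copyElements(const ToyArray& source, size_t sourceIndex,
                         ToyArray& destination, size_t destIndex, size_t count)
{
    if (sourceIndex > source.storage.size() || count > source.storage.size() - sourceIndex)
        return false;
    if (destIndex > destination.storage.size() || count > destination.storage.size() - destIndex)
        return false;

    if (canFastCopy(source, destination)) {
        // Distinct buffers cannot overlap, so memcpy is safe here.
        std::memcpy(destination.storage.data() + destIndex,
                    source.storage.data() + sourceIndex, count * sizeof(int));
        return true;
    }

    // Same array: the regions may overlap, so copy in the direction that never
    // overwrites an element before it has been read (memmove would also do).
    if (destIndex == sourceIndex)
        return true;
    int* data = destination.storage.data();
    if (destIndex > sourceIndex)
        std::copy_backward(data + sourceIndex, data + sourceIndex + count, data + destIndex + count);
    else
        std::copy(data + sourceIndex, data + sourceIndex + count, data + destIndex);
    return true;
}

// Self-copy scenario: shift {1,2,3,4,5} right by one inside the same array.
static std::vector<int> selfCopyResult()
{
    ToyArray array{{1, 2, 3, 4, 5}};
    copyElements(array, 0, array, 1, 4);
    return array.storage; // {1, 1, 2, 3, 4}
}

// Cross-array scenario: the fast path copies {3,4,5} into a second array.
static std::vector<int> crossCopyResult()
{
    ToyArray source{{1, 2, 3, 4, 5}};
    ToyArray destination{{0, 0, 0}};
    copyElements(source, 2, destination, 0, 3);
    return destination.storage; // {3, 4, 5}
}

int main()
{
    for (int value : selfCopyResult())
        std::printf("%d ", value);
    std::printf("\n");
    return 0;
}
```

        A memcpy on the self-copy case would read elements that the same call had already overwritten;
        the slow path chooses the copy direction from the index order so every element is read before it
        is replaced.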
1185
1186 2017-09-27  Saam Barati  <sbarati@apple.com>
1187
1188         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
1189         https://bugs.webkit.org/show_bug.cgi?id=177523
1190
1191         Reviewed by Mark Lam.
1192
1193         There was a bug in Structure's transition constructor where it didn't
1194         propagate forward the hasBeenFlattenedBefore bit. In practice, this meant
1195         that every time we asked a dictionary structure if it has been flattened
1196         before, it would return false. This patch fixes this bug. It also fixes
1197         a bug that this uncovers in our for-in implementation. Our implementation
1198         would cache the property name enumerator even when the prototype chain
1199         included a structure that is a dictionary. This is wrong because that
1200         prototype object may add properties without transitioning, and the for-in
1201         loop would vend a stale set of prototype properties.
1202
1203         * jit/JITOperations.cpp:
1204         * runtime/JSPropertyNameEnumerator.h:
1205         (JSC::propertyNameEnumerator):
1206         * runtime/Structure.cpp:
1207         (JSC::Structure::Structure):
1208         (JSC::Structure::canCachePropertyNameEnumerator const):
1209
1210 2017-09-27  Mark Lam  <mark.lam@apple.com>
1211
1212         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
1213         https://bugs.webkit.org/show_bug.cgi?id=177423
1214         <rdar://problem/34621320>
1215
1216         Reviewed by Keith Miller.
1217
1218         * yarr/YarrParser.h:
1219         (JSC::Yarr::Parser::tryConsumeGroupName):
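The end-of-pattern checks that this entry and the follow-up fix above (same bug, 177423) describe, as an added example in C++ that is not Yarr's own parser: a simplified named-group consumer where every read of the next character is preceded by an atEndOfPattern() check, so truncated patterns such as "(?<" or "(?<abc" never read past the end of the buffer. GroupNameParser and parseNamedGroupPrefix are hypothetical names.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Hypothetical, simplified named-group consumer (an added example, not Yarr's
// own parser). `index` points just past "(?<". Every read of the next
// character is preceded by an atEndOfPattern() check, so a truncated pattern
// such as "(?<" or "(?<abc" never reads past the end of the buffer.
struct GroupNameParser {
    const std::string& pattern;
    size_t index;

    bool atEndOfPattern() const { return index >= pattern.size(); }
    char peek() const { return pattern[index]; }

    static bool isIdentifierStart(char c)
    {
        return std::isalpha(static_cast<unsigned char>(c)) || c == '_' || c == '$';
    }
    static bool isIdentifierPart(char c)
    {
        return isIdentifierStart(c) || std::isdigit(static_cast<unsigned char>(c));
    }

    // On success, fills `name`, advances past the closing '>' and returns true.
    // On failure, restores `index` and returns false.
    bool tryConsumeGroupName(std::string& name)
    {
        size_t start = index;
        name.clear();

        // The check the follow-up fix adds: test for the end of the pattern
        // *before* looking for the first identifier character.
        if (atEndOfPattern() || !isIdentifierStart(peek())) {
            index = start;
            return false;
        }
        name.push_back(peek());
        ++index;

        // A while loop instead of do ... while, so the end-of-pattern check
        // runs before every subsequent read rather than after it.
        while (!atEndOfPattern() && isIdentifierPart(peek())) {
            name.push_back(peek());
            ++index;
        }

        if (atEndOfPattern() || peek() != '>') {
            index = start;
            name.clear();
            return false;
        }
        ++index; // consume '>'
        return true;
    }
};

// Convenience wrapper: given a pattern starting with "(?<", return the group
// name, or an empty string if the named-group prefix is malformed/truncated.
std::string parseNamedGroupPrefix(const std::string& pattern)
{
    static const std::string opener = "(?<";
    if (pattern.compare(0, opener.size(), opener) != 0)
        return "";
    GroupNameParser parser { pattern, opener.size() };
    std::string name;
    if (!parser.tryConsumeGroupName(name))
        return "";
    return name;
}
```

The defensive point is the ordering: a do ... while reads one character before its first end check, which is exactly the read a pattern ending in "(?<" turns into an out-of-bounds access.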
1220
1221 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1222
1223         Unreviewed, fix x86 breaking due to exhausted registers
1224         https://bugs.webkit.org/show_bug.cgi?id=175823
1225
1226         * dfg/DFGByteCodeParser.cpp:
1227         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1228
1229 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1230
1231         Unreviewed, build fix after r222563
1232         https://bugs.webkit.org/show_bug.cgi?id=175823
1233
1234         * runtime/JSArrayInlines.h:
1235
1236 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1237
1238         Add Above/Below comparisons for UInt32 patterns
1239         https://bugs.webkit.org/show_bug.cgi?id=177281
1240
1241         Reviewed by Saam Barati.
1242
1243         Sometimes, we would like to have UInt32 operations in JS. While the VM does
1244         not support UInt32 nicely, it supports efficient Int32 operations. As long
1245         as signedness does not matter, we can just perform Int32 operations instead
1246         and recognize their bit pattern as UInt32.
1247
1248         But of course, some operations respect signedness. The most frequently
1249         used one is comparison. Octane/zlib performs UInt32 comparison by performing
1250         `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces
1251         a UInt32 in Int32 form. And op_unsigned will generate a Double value if
1252         the generated Int32 is < 0 (which should be a UInt32).
1253
1254         There is a chance for optimization. The given code pattern is the following.
1255
1256             op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2))
1257
1258         This can be converted to the following.
1259
1260             op_urshift(@1) below:< op_urshift(@2)
1261
1262         The above conversion is nice since
1263
1264         1. We can avoid op_unsigned. This could be an unsignedness check in DFG. Since
1265         this check depends on the value of the Int32, dropping this check is not as easy as
1266         removing Int32 edge filters.
1267
1268         2. We can perform unsigned comparison in Int32 form. We do not need to convert
1269         them to DoubleRep.
1270
1271         Since the above comparison exists in Octane/zlib's *super* hot path, dropping
1272         op_unsigned offers a huge win.
1273
1274         At first, my patch attempted to do the above conversion in the DFG pipeline.
1275         However, it posed several problems.
1276
1277         1. MovHint is not well removed. It makes UInt32ToNumber (which is for op_unsigned) live.
1278         2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes,
1279
1280             2: UInt32ToNumber(@0)
1281             3: MovHint(@2, xxx)
1282             4: UInt32ToNumber(@1)
1283             5: MovHint(@1, xxx)
1284
1285         we could drop @5's MovHint. But @3 is difficult since @4 can exit.
1286
1287         So, instead, we start by introducing a simple optimization in the bytecode compiler.
1288         It performs pattern matching for op_urshift and comparison to drop op_unsigned.
1289         We add op_below and op_above families to the bytecodes. They only accept Int32 and
1290         perform unsigned comparison.
1291
1292         This offers 4% performance improvement in Octane/zlib.
1293
1294                                     baseline                  patched
1295
1296         zlib           x2     431.07483+-16.28434       414.33407+-9.38375         might be 1.0404x faster
1297
1298         * bytecode/BytecodeDumper.cpp:
1299         (JSC::BytecodeDumper<Block>::printCompareJump):
1300         (JSC::BytecodeDumper<Block>::dumpBytecode):
1301         * bytecode/BytecodeDumper.h:
1302         * bytecode/BytecodeList.json:
1303         * bytecode/BytecodeUseDef.h:
1304         (JSC::computeUsesForBytecodeOffset):
1305         (JSC::computeDefsForBytecodeOffset):
1306         * bytecode/Opcode.h:
1307         (JSC::isBranch):
1308         * bytecode/PreciseJumpTargetsInlines.h:
1309         (JSC::extractStoredJumpTargetsForBytecodeOffset):
1310         * bytecompiler/BytecodeGenerator.cpp:
1311         (JSC::BytecodeGenerator::emitJumpIfTrue):
1312         (JSC::BytecodeGenerator::emitJumpIfFalse):
1313         * bytecompiler/NodesCodegen.cpp:
1314         (JSC::BinaryOpNode::emitBytecode):
1315         * dfg/DFGAbstractInterpreterInlines.h:
1316         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1317         * dfg/DFGByteCodeParser.cpp:
1318         (JSC::DFG::ByteCodeParser::parseBlock):
1319         * dfg/DFGCapabilities.cpp:
1320         (JSC::DFG::capabilityLevel):
1321         * dfg/DFGClobberize.h:
1322         (JSC::DFG::clobberize):
1323         * dfg/DFGDoesGC.cpp:
1324         (JSC::DFG::doesGC):
1325         * dfg/DFGFixupPhase.cpp:
1326         (JSC::DFG::FixupPhase::fixupNode):
1327         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1328         * dfg/DFGNodeType.h:
1329         * dfg/DFGPredictionPropagationPhase.cpp:
1330         * dfg/DFGSafeToExecute.h:
1331         (JSC::DFG::safeToExecute):
1332         * dfg/DFGSpeculativeJIT.cpp:
1333         (JSC::DFG::SpeculativeJIT::compileCompareUnsigned):
1334         * dfg/DFGSpeculativeJIT.h:
1335         * dfg/DFGSpeculativeJIT32_64.cpp:
1336         (JSC::DFG::SpeculativeJIT::compile):
1337         * dfg/DFGSpeculativeJIT64.cpp:
1338         (JSC::DFG::SpeculativeJIT::compile):
1339         * dfg/DFGStrengthReductionPhase.cpp:
1340         (JSC::DFG::StrengthReductionPhase::handleNode):
1341         * dfg/DFGValidate.cpp:
1342         * ftl/FTLCapabilities.cpp:
1343         (JSC::FTL::canCompile):
1344         * ftl/FTLLowerDFGToB3.cpp:
1345         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1346         (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow):
1347         (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq):
1348         * jit/JIT.cpp:
1349         (JSC::JIT::privateCompileMainPass):
1350         * jit/JIT.h:
1351         * jit/JITArithmetic.cpp:
1352         (JSC::JIT::emit_op_below):
1353         (JSC::JIT::emit_op_beloweq):
1354         (JSC::JIT::emit_op_jbelow):
1355         (JSC::JIT::emit_op_jbeloweq):
1356         (JSC::JIT::emit_compareUnsignedAndJump):
1357         (JSC::JIT::emit_compareUnsigned):
1358         * jit/JITArithmetic32_64.cpp:
1359         (JSC::JIT::emit_compareUnsignedAndJump):
1360         (JSC::JIT::emit_compareUnsigned):
1361         * llint/LowLevelInterpreter.asm:
1362         * llint/LowLevelInterpreter32_64.asm:
1363         * llint/LowLevelInterpreter64.asm:
1364         * parser/Nodes.h:
1365         (JSC::ExpressionNode::isBinaryOpNode const):
1366
1367 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1368
1369         [DFG] Support ArrayPush with multiple args
1370         https://bugs.webkit.org/show_bug.cgi?id=175823
1371
1372         Reviewed by Saam Barati.
1373
1374         This patch implements ArrayPush (with multiple arguments) in DFG and FTL. Previously, they were not handled
1375         by ArrayPush. Instead, they went to a generic direct call to Array#push, which runs in the slow path. This patch
1376         extends ArrayPush to push multiple arguments in a bulk push manner.
1377
1378         The problem of ArrayPush is that we need to perform ArrayPush atomically: if an OSR exit occurs in the middle
1379         of ArrayPush, we would incorrectly push the already-pushed elements twice. Once we start pushing values, we should not exit.
1380         But we do not want to iterate over the elements twice, once for type checks and once for actually pushing them. It
1381         could move elements between registers and memory back and forth.
1382
1383         This patch achieves the above goal by separating type checks from ArrayPush. When starting ArrayPush, type
1384         checks for elements are already done by separately emitted Check nodes.
1385
1386         We also add JSArray::pushInline for DFG operations that just call JSArray::push, and we also use it in
1387         arrayProtoFuncPush's fast path.
1388
1389         This patch significantly improves performance of `push(multiple args)`.
1390
1391                                             baseline                  patched
1392             Microbenchmarks:
1393                 array-push-0            461.8455+-28.9995    ^    151.3438+-6.5653        ^ definitely 3.0516x faster
1394                 array-push-1            133.8845+-7.0349     ?    136.1775+-5.8327        ? might be 1.0171x slower
1395                 array-push-2            675.6555+-13.4645    ^    145.8747+-6.4621        ^ definitely 4.6318x faster
1396                 array-push-3            849.5284+-15.2540    ^    253.4421+-9.1249        ^ definitely 3.3520x faster
1397
1398                                             baseline                  patched
1399             SixSpeed:
1400                 spread-literal.es5       90.3482+-6.6514     ^     24.8123+-2.3304        ^ definitely 3.6413x faster
1401
1402         * dfg/DFGByteCodeParser.cpp:
1403         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1404         * dfg/DFGFixupPhase.cpp:
1405         (JSC::DFG::FixupPhase::fixupNode):
1406         * dfg/DFGNodeType.h:
1407         * dfg/DFGOperations.cpp:
1408         * dfg/DFGOperations.h:
1409         * dfg/DFGSpeculativeJIT.cpp:
1410         (JSC::DFG::SpeculativeJIT::compileArrayPush):
1411         * dfg/DFGSpeculativeJIT.h:
1412         (JSC::DFG::SpeculativeJIT::callOperation):
1413         * dfg/DFGSpeculativeJIT32_64.cpp:
1414         (JSC::DFG::SpeculativeJIT::compile):
1415         * dfg/DFGSpeculativeJIT64.cpp:
1416         (JSC::DFG::SpeculativeJIT::compile):
1417         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1418         * ftl/FTLLowerDFGToB3.cpp:
1419         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
1420         * jit/JITOperations.h:
1421         * runtime/ArrayPrototype.cpp:
1422         (JSC::arrayProtoFuncPush):
1423         * runtime/JSArray.cpp:
1424         (JSC::JSArray::push):
1425         * runtime/JSArray.h:
1426         * runtime/JSArrayInlines.h:
1427         (JSC::JSArray::pushInline):
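The atomicity problem described in this entry, as an added example in C++ that is not JSC's ArrayPush: a toy Int32 array with two versions of a multi-argument fast push. The interleaved version type-checks each value as it pushes it, so a failure part-way leaves elements behind and a generic retry pushes them twice; the version matching the entry's design runs all checks first (standing in for the separately emitted Check nodes) and only then pushes in bulk, so a failed check leaves the array untouched. Value, Int32Array, pushInterleaved, pushChecked and pushWithRetry are hypothetical names and the sample arguments are constructed.

```cpp
#include <cstddef>
#include <vector>

// Added example, not JSC's ArrayPush: a toy array of Int32 whose fast push
// accepts only Int32 values. Anything else has to go to a generic slow path,
// which for this example simply converts the number and pushes it.
enum class Tag { Int32, Double };
struct Value {
    Tag tag;
    double number;
};
struct Int32Array {
    std::vector<int> storage;
};

typedef bool (*FastPush)(Int32Array&, const std::vector<Value>&);

// Check-as-you-push: the type check and the push are interleaved, so a failing
// check on the third argument leaves the first two already pushed. When the
// caller retries all arguments on the slow path, those two are pushed twice.
bool pushInterleaved(Int32Array& array, const std::vector<Value>& args)
{
    for (const Value& v : args) {
        if (v.tag != Tag::Int32)
            return false; // bail out part-way: partial state left behind
        array.storage.push_back(static_cast<int>(v.number));
    }
    return true;
}

// The design described above: run every type check first (the separately
// emitted Check nodes), and only then do the bulk push, which cannot fail.
// A failed check leaves the array exactly as it was, so no element is
// duplicated by the retry.
bool pushChecked(Int32Array& array, const std::vector<Value>& args)
{
    for (const Value& v : args) {
        if (v.tag != Tag::Int32)
            return false; // nothing has been pushed yet
    }
    array.storage.reserve(array.storage.size() + args.size());
    for (const Value& v : args)
        array.storage.push_back(static_cast<int>(v.number));
    return true;
}

// Fast-path attempt followed by the generic retry. Returns the final length.
size_t pushWithRetry(FastPush fastPath, Int32Array& array, const std::vector<Value>& args)
{
    if (!fastPath(array, args)) {
        for (const Value& v : args)
            array.storage.push_back(static_cast<int>(v.number));
    }
    return array.storage.size();
}

// Sample input (constructed): push(1, 2, 3.5) onto an empty Int32 array.
static const std::vector<Value>& sampleArguments()
{
    static const std::vector<Value> args = { { Tag::Int32, 1 }, { Tag::Int32, 2 }, { Tag::Double, 3.5 } };
    return args;
}

size_t lengthAfterInterleavedPush()
{
    Int32Array array;
    return pushWithRetry(pushInterleaved, array, sampleArguments()); // 5: elements 1 and 2 pushed twice
}

size_t lengthAfterCheckedPush()
{
    Int32Array array;
    return pushWithRetry(pushChecked, array, sampleArguments()); // 3: exactly the three arguments
}
```

In the real engine the "bail out" is an OSR exit rather than a return value, and the retry is the generic Array#push call, but the invariant is the same: no mutation may happen until every check that could fail has passed.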
1428
1429 2017-09-26  Joseph Pecoraro  <pecoraro@apple.com>
1430
1431         Web Inspector: Remove unused parameter of Page.reload
1432         https://bugs.webkit.org/show_bug.cgi?id=177522
1433
1434         Reviewed by Matt Baker.
1435
1436         * inspector/protocol/Page.json:
1437
1438 2017-09-26  Filip Pizlo  <fpizlo@apple.com>
1439
1440         Put g_gigacageBasePtr into its own page and make it read-only
1441         https://bugs.webkit.org/show_bug.cgi?id=174972
1442
1443         Reviewed by Michael Saboff.
1444         
1445         C++ code doesn't have to know about this change. That includes C++ code that generates JIT code.
1446         
1447         But the offline assembler now needs to know about how to load from offsets of global variables.
1448         This turned out to be easy to support by extending the existing expression support.
1449
1450         * llint/LowLevelInterpreter64.asm:
1451         * offlineasm/ast.rb:
1452         * offlineasm/parser.rb:
1453         * offlineasm/transform.rb:
1454         * offlineasm/x86.rb:
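The hardening this entry describes, a security-critical global pointer living in its own read-only page, as an added POSIX C++ example that is not WebKit's implementation (WebKit places g_gigacageBasePtr through the build and the offline assembler; this example uses mmap and mprotect directly). allocateReadOnlyPointerPage, storeToSlotFaults and readOnlyBasePointerHolds are hypothetical names; the signal-handler probe exists only to verify the protection.

```cpp
#include <csetjmp>
#include <csignal>
#include <cstddef>
#include <sys/mman.h>
#include <unistd.h>

// Added example, not WebKit's implementation: on POSIX, put a security-critical
// pointer on a page of its own and drop write permission once it is
// initialized, so a later memory-corruption bug cannot silently redirect it.

// Allocate a dedicated page, store the pointer, then make the page read-only.
// Returns the slot holding the pointer, or nullptr on failure.
void** allocateReadOnlyPointerPage(void* value)
{
    long pageSize = sysconf(_SC_PAGESIZE);
    if (pageSize <= 0)
        return nullptr;
    size_t size = static_cast<size_t>(pageSize);
    void* page = mmap(nullptr, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return nullptr;
    void** slot = static_cast<void**>(page);
    *slot = value;
    // From here on the slot can still be read at full speed, but any store to
    // it raises SIGSEGV (SIGBUS on some platforms).
    if (mprotect(page, size, PROT_READ) != 0) {
        munmap(page, size);
        return nullptr;
    }
    return slot;
}

// Probe used only to verify the protection: attempt a store to the slot and
// report whether it faulted.
static sigjmp_buf g_faultJump;
static void onFault(int) { siglongjmp(g_faultJump, 1); }

bool storeToSlotFaults(void** slot)
{
    struct sigaction handler = {};
    struct sigaction oldSegv = {};
    struct sigaction oldBus = {};
    handler.sa_handler = onFault;
    sigemptyset(&handler.sa_mask);
    handler.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &handler, &oldSegv);
    sigaction(SIGBUS, &handler, &oldBus);

    volatile bool faulted = false;
    if (sigsetjmp(g_faultJump, 1) == 0)
        *const_cast<void* volatile*>(slot) = nullptr; // faults if the page is read-only
    else
        faulted = true;

    sigaction(SIGSEGV, &oldSegv, nullptr);
    sigaction(SIGBUS, &oldBus, nullptr);
    return faulted;
}

// End-to-end demonstration: the pointer stays readable, a store faults, and
// the failed store leaves the value unchanged.
bool readOnlyBasePointerHolds()
{
    int sentinel = 0;
    void** slot = allocateReadOnlyPointerPage(&sentinel);
    if (!slot)
        return false;
    bool readable = (*slot == &sentinel);
    bool protectedFromWrites = storeToSlotFaults(slot);
    bool unchanged = (*slot == &sentinel);
    return readable && protectedFromWrites && unchanged;
}
```

The page must hold nothing else that legitimately needs writing; the entry's point that C++ code, including the JIT, needs no change is what makes this cheap, and only readers that compute addresses themselves (here, the offline assembler) must learn the new location.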
1455
1456 2017-09-26  Commit Queue  <commit-queue@webkit.org>
1457
1458         Unreviewed, rolling out r222518.
1459         https://bugs.webkit.org/show_bug.cgi?id=177507
1460
1461         Break the High Sierra build (Requested by yusukesuzuki on
1462         #webkit).
1463
1464         Reverted changeset:
1465
1466         "Add Above/Below comparisons for UInt32 patterns"
1467         https://bugs.webkit.org/show_bug.cgi?id=177281
1468         http://trac.webkit.org/changeset/222518
1469
1470 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1471
1472         Add Above/Below comparisons for UInt32 patterns
1473         https://bugs.webkit.org/show_bug.cgi?id=177281
1474
1475         Reviewed by Saam Barati.
1476
1477         Sometimes, we would like to have UInt32 operations in JS. While the VM does
1478         not support UInt32 nicely, it supports efficient Int32 operations. As long
1479         as signedness does not matter, we can just perform Int32 operations instead
1480         and recognize their bit pattern as UInt32.
1481
1482         But of course, some operations respect signedness. The most frequently
1483         used one is comparison. Octane/zlib performs UInt32 comparison by performing
1484         `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces
1485         a UInt32 in Int32 form. And op_unsigned will generate a Double value if
1486         the generated Int32 is < 0 (which should be a UInt32).
1487
1488         There is a chance for optimization. The given code pattern is the following.
1489
1490             op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2))
1491
1492         This can be converted to the following.
1493
1494             op_urshift(@1) below:< op_urshift(@2)
1495
1496         The above conversion is nice since
1497
1498         1. We can avoid op_unsigned. This could be an unsignedness check in DFG. Since
1499         this check depends on the value of the Int32, dropping this check is not as easy as
1500         removing Int32 edge filters.
1501
1502         2. We can perform unsigned comparison in Int32 form. We do not need to convert
1503         them to DoubleRep.
1504
1505         Since the above comparison exists in Octane/zlib's *super* hot path, dropping
1506         op_unsigned offers a huge win.
1507
1508         At first, my patch attempted to do the above conversion in the DFG pipeline.
1509         However, it posed several problems.
1510
1511         1. MovHint is not well removed. It makes UInt32ToNumber (which is for op_unsigned) live.
1512         2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes,
1513
1514             2: UInt32ToNumber(@0)
1515             3: MovHint(@2, xxx)
1516             4: UInt32ToNumber(@1)
1517             5: MovHint(@1, xxx)
1518
1519         we could drop @5's MovHint. But @3 is difficult since @4 can exit.
1520
1521         So, instead, we start by introducing a simple optimization in the bytecode compiler.
1522         It performs pattern matching for op_urshift and comparison to drop op_unsigned.
1523         We add op_below and op_above families to the bytecodes. They only accept Int32 and
1524         perform unsigned comparison.
1525
1526         This offers 4% performance improvement in Octane/zlib.
1527
1528                                     baseline                  patched
1529
1530         zlib           x2     431.07483+-16.28434       414.33407+-9.38375         might be 1.0404x faster
1531
1532         * bytecode/BytecodeDumper.cpp:
1533         (JSC::BytecodeDumper<Block>::printCompareJump):
1534         (JSC::BytecodeDumper<Block>::dumpBytecode):
1535         * bytecode/BytecodeDumper.h:
1536         * bytecode/BytecodeList.json:
1537         * bytecode/BytecodeUseDef.h:
1538         (JSC::computeUsesForBytecodeOffset):
1539         (JSC::computeDefsForBytecodeOffset):
1540         * bytecode/Opcode.h:
1541         (JSC::isBranch):
1542         * bytecode/PreciseJumpTargetsInlines.h:
1543         (JSC::extractStoredJumpTargetsForBytecodeOffset):
1544         * bytecompiler/BytecodeGenerator.cpp:
1545         (JSC::BytecodeGenerator::emitJumpIfTrue):
1546         (JSC::BytecodeGenerator::emitJumpIfFalse):
1547         * bytecompiler/NodesCodegen.cpp:
1548         (JSC::BinaryOpNode::emitBytecode):
1549         * dfg/DFGAbstractInterpreterInlines.h:
1550         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1551         * dfg/DFGByteCodeParser.cpp:
1552         (JSC::DFG::ByteCodeParser::parseBlock):
1553         * dfg/DFGCapabilities.cpp:
1554         (JSC::DFG::capabilityLevel):
1555         * dfg/DFGClobberize.h:
1556         (JSC::DFG::clobberize):
1557         * dfg/DFGDoesGC.cpp:
1558         (JSC::DFG::doesGC):
1559         * dfg/DFGFixupPhase.cpp:
1560         (JSC::DFG::FixupPhase::fixupNode):
1561         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1562         * dfg/DFGNodeType.h:
1563         * dfg/DFGPredictionPropagationPhase.cpp:
1564         * dfg/DFGSafeToExecute.h:
1565         (JSC::DFG::safeToExecute):
1566         * dfg/DFGSpeculativeJIT.cpp:
1567         (JSC::DFG::SpeculativeJIT::compileCompareUnsigned):
1568         * dfg/DFGSpeculativeJIT.h:
1569         * dfg/DFGSpeculativeJIT32_64.cpp:
1570         (JSC::DFG::SpeculativeJIT::compile):
1571         * dfg/DFGSpeculativeJIT64.cpp:
1572         (JSC::DFG::SpeculativeJIT::compile):
1573         * dfg/DFGStrengthReductionPhase.cpp:
1574         (JSC::DFG::StrengthReductionPhase::handleNode):
1575         * dfg/DFGValidate.cpp:
1576         * ftl/FTLCapabilities.cpp:
1577         (JSC::FTL::canCompile):
1578         * ftl/FTLLowerDFGToB3.cpp:
1579         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1580         (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow):
1581         (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq):
1582         * jit/JIT.cpp:
1583         (JSC::JIT::privateCompileMainPass):
1584         * jit/JIT.h:
1585         * jit/JITArithmetic.cpp:
1586         (JSC::JIT::emit_op_below):
1587         (JSC::JIT::emit_op_beloweq):
1588         (JSC::JIT::emit_op_jbelow):
1589         (JSC::JIT::emit_op_jbeloweq):
1590         (JSC::JIT::emit_compareUnsignedAndJump):
1591         (JSC::JIT::emit_compareUnsigned):
1592         * jit/JITArithmetic32_64.cpp:
1593         (JSC::JIT::emit_compareUnsignedAndJump):
1594         (JSC::JIT::emit_compareUnsigned):
1595         * llint/LowLevelInterpreter.asm:
1596         * llint/LowLevelInterpreter32_64.asm:
1597         * llint/LowLevelInterpreter64.asm:
1598         * parser/Nodes.h:
1599         (JSC::ExpressionNode::isBinaryOpNode const):
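The rewrite described in this entry and in its re-landed copy above (177281, landed on 2017-09-27 after this version was rolled out), as an added C++ example that is not JSC code: the two bytecode sequences are modelled as plain functions over int32_t bit patterns and checked against each other. urshift, toUnsignedNumber, below, lessThanViaUnsigned, lessThanViaBelow and countMismatches are hypothetical names; the sample values are constructed.

```cpp
#include <cstdint>
#include <initializer_list>

// Added example, not JSC code: model the two bytecode sequences from the
// description above as plain C++ and check that they agree on every input.

// op_urshift: JavaScript `x >>> s` produces a UInt32, which the engine keeps
// in an Int32 register, i.e. it only reinterprets the bits.
int32_t urshift(int32_t x, uint32_t shift)
{
    return static_cast<int32_t>(static_cast<uint32_t>(x) >> (shift & 31));
}

// op_unsigned: turn the Int32-form UInt32 back into a JS Number. Bit patterns
// with the top bit set are negative as Int32 and have to become a Double.
double toUnsignedNumber(int32_t v)
{
    return static_cast<double>(static_cast<uint32_t>(v));
}

// The original sequence:
//     op_unsigned(op_urshift(@1)) < op_unsigned(op_urshift(@2))
bool lessThanViaUnsigned(int32_t a, int32_t b, uint32_t shift)
{
    return toUnsignedNumber(urshift(a, shift)) < toUnsignedNumber(urshift(b, shift));
}

// op_below: an unsigned comparison directly on the Int32 bit patterns, so
// neither op_unsigned nor a Double conversion is needed.
bool below(int32_t a, int32_t b)
{
    return static_cast<uint32_t>(a) < static_cast<uint32_t>(b);
}

// The rewritten sequence:
//     op_urshift(@1) below op_urshift(@2)
bool lessThanViaBelow(int32_t a, int32_t b, uint32_t shift)
{
    return below(urshift(a, shift), urshift(b, shift));
}

// For contrast: the signed comparison op_less would perform on the same bit
// patterns. It is wrong whenever `x >>> 0` has the top bit set, which is why
// a separate unsigned opcode is needed rather than just dropping op_unsigned.
bool signedLess(int32_t a, int32_t b)
{
    return a < b;
}

// Count inputs on which the original and rewritten sequences disagree over a
// constructed sample set covering both signs, both extremes and several shifts.
int countMismatches()
{
    const int32_t samples[] = { 0, 1, -1, 2147483647, -2147483647 - 1, 0x7fff0000, -65536, 123456789, -123456789 };
    int mismatches = 0;
    for (int32_t a : samples) {
        for (int32_t b : samples) {
            for (uint32_t shift : { 0u, 1u, 5u, 31u }) {
                if (lessThanViaUnsigned(a, b, shift) != lessThanViaBelow(a, b, shift))
                    ++mismatches;
            }
        }
    }
    return mismatches;
}
```

The pattern match is only sound because both operands are known to come from op_urshift: on an arbitrary Int32 the "below" result and the Number comparison would differ for negative values, which is exactly the signedLess contrast above.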
1600
1601 2017-09-24  Keith Miller  <keith_miller@apple.com>
1602
1603         JSC build should use unified sources for derived sources
1604         https://bugs.webkit.org/show_bug.cgi?id=177421
1605
1606         Reviewed by JF Bastien.
1607
1608         This patch makes a couple of changes:
1609
1610         1) Make derived sources get added to the relevant bundles. I was going to add JSCBuiltins.cpp
1611         to runtime but that kept breaking the Windows build. I'll get back to it later.
1612         2) Move the derived location of some sources, both for clarity and for ease of use.
1613         3) Make auto generator scripts able to create directories if needed.
1614         4) Move some scripts from the top level of the JavaScriptCore directory to a
1615         more appropriate directory.
1616         5) Move some CMake generation commands around for clarity.
1617
1618         * CMakeLists.txt:
1619         * DerivedSources.make:
1620         * JavaScriptCore.xcodeproj/project.pbxproj:
1621         * Scripts/lazywriter.py:
1622         (LazyFileWriter.close):
1623         * Sources.txt:
1624         * inspector/scripts/generate-inspector-protocol-bindings.py:
1625         (IncrementalFileWriter.close):
1626         * yarr/create_regex_tables: Renamed from Source/JavaScriptCore/create_regex_tables.
1627         * yarr/generateYarrCanonicalizeUnicode: Renamed from Source/JavaScriptCore/generateYarrCanonicalizeUnicode.
1628
1629 2017-09-26  Zan Dobersek  <zdobersek@igalia.com>
1630
1631         Support building JavaScriptCore with the Bionic C library
1632         https://bugs.webkit.org/show_bug.cgi?id=177427
1633
1634         Reviewed by Michael Catanzaro.
1635
1636         When compiling with the Bionic C library, the MachineContext.h header
1637         should enable the same code paths that are enabled for the GNU C library.
1638
1639         The Bionic C library defines the __BIONIC__ macro, but unlike other C
1640         libraries that mimic the GNU one, it doesn't define __GLIBC__. So the
1641         __BIONIC__ macro checks have to match the __GLIBC__ ones.
1642
1643         * runtime/MachineContext.h:
1644         (JSC::MachineContext::stackPointer):
1645         (JSC::MachineContext::framePointer):
1646         (JSC::MachineContext::instructionPointer):
1647         (JSC::MachineContext::argumentPointer<1>):
1648         (JSC::MachineContext::llintInstructionPointer):
1649
1650 2017-09-25  Devin Rousso  <webkit@devinrousso.com>
1651
1652         Web Inspector: move Console.addInspectedNode to DOM.setInspectedNode
1653         https://bugs.webkit.org/show_bug.cgi?id=176827
1654
1655         Reviewed by Joseph Pecoraro.
1656
1657         * inspector/agents/InspectorConsoleAgent.h:
1658
1659         * inspector/agents/JSGlobalObjectConsoleAgent.h:
1660         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
1661         (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode): Deleted.
1662
1663         * inspector/protocol/Console.json:
1664         * inspector/protocol/DOM.json:
1665
1666 2017-09-25  Ryan Haddad  <ryanhaddad@apple.com>
1667
1668         Unreviewed, rebaseline builtins generator tests after r222473.
1669
1670         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1671
1672 2017-09-25  Alex Christensen  <achristensen@webkit.org>
1673
1674         Make Attribute an enum class
1675         https://bugs.webkit.org/show_bug.cgi?id=177414
1676
1677         Reviewed by Yusuke Suzuki.
1678
1679         I've had enough of these naming collisions.  This is what enum classes are for.
1680         Unfortunately a lot of static_cast<unsigned> is necessary until those functions take
1681         an OptionSet<Attribute> instead of an unsigned parameter, but this is a big step
1682         towards where we ought to be.
1683
1684         * API/JSCallbackObjectFunctions.h:
1685         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
1686         * API/JSObjectRef.cpp:
1687         (JSObjectMakeConstructor):
1688         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
1689         (BuiltinsInternalsWrapperImplementationGenerator.property_macro):
1690         * bytecode/GetByIdStatus.cpp:
1691         (JSC::GetByIdStatus::computeFromLLInt):
1692         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1693         (JSC::GetByIdStatus::computeFor):
1694         * bytecode/PropertyCondition.cpp:
1695         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1696         (JSC::PropertyCondition::isValidValueForAttributes):
1697         * bytecode/PutByIdStatus.cpp:
1698         (JSC::PutByIdStatus::computeFor):
1699         * bytecompiler/BytecodeGenerator.cpp:
1700         (JSC::BytecodeGenerator::instantiateLexicalVariables):
1701         (JSC::BytecodeGenerator::variable):
1702         * bytecompiler/BytecodeGenerator.h:
1703         (JSC::Variable::isReadOnly const):
1704         (JSC::Variable::setIsReadOnly):
1705         * bytecompiler/NodesCodegen.cpp:
1706         (JSC::PropertyListNode::emitBytecode):
1707         * create_hash_table:
1708         * debugger/DebuggerScope.cpp:
1709         (JSC::DebuggerScope::getOwnPropertySlot):
1710         * dfg/DFGOperations.cpp:
1711         * inspector/JSInjectedScriptHostPrototype.cpp:
1712         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1713         * inspector/JSJavaScriptCallFramePrototype.cpp:
1714         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
1715         * jit/Repatch.cpp:
1716         (JSC::tryCacheGetByID):
1717         * jsc.cpp:
1718         (WTF::CustomGetter::getOwnPropertySlot):
1719         (WTF::RuntimeArray::getOwnPropertySlot):
1720         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
1721         (WTF::DOMJITGetter::finishCreation):
1722         (WTF::DOMJITGetterComplex::finishCreation):
1723         (WTF::DOMJITFunctionObject::finishCreation):
1724         (WTF::DOMJITCheckSubClassObject::finishCreation):
1725         (GlobalObject::finishCreation):
1726         * runtime/ArrayConstructor.cpp:
1727         (JSC::ArrayConstructor::finishCreation):
1728         * runtime/ArrayIteratorPrototype.cpp:
1729         (JSC::ArrayIteratorPrototype::finishCreation):
1730         * runtime/ArrayPrototype.cpp:
1731         (JSC::ArrayPrototype::finishCreation):
1732         * runtime/AsyncFromSyncIteratorPrototype.cpp:
1733         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
1734         * runtime/AsyncFunctionConstructor.cpp:
1735         (JSC::AsyncFunctionConstructor::finishCreation):
1736         * runtime/AsyncFunctionPrototype.cpp:
1737         (JSC::AsyncFunctionPrototype::finishCreation):
1738         * runtime/AsyncGeneratorFunctionConstructor.cpp:
1739         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
1740         * runtime/AsyncGeneratorFunctionPrototype.cpp:
1741         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
1742         * runtime/AsyncGeneratorPrototype.cpp:
1743         (JSC::AsyncGeneratorPrototype::finishCreation):
1744         * runtime/AsyncIteratorPrototype.cpp:
1745         (JSC::AsyncIteratorPrototype::finishCreation):
1746         * runtime/AtomicsObject.cpp:
1747         (JSC::AtomicsObject::finishCreation):
1748         * runtime/BooleanConstructor.cpp:
1749         (JSC::BooleanConstructor::finishCreation):
1750         * runtime/ClonedArguments.cpp:
1751         (JSC::ClonedArguments::createStructure):
1752         (JSC::ClonedArguments::getOwnPropertySlot):
1753         (JSC::ClonedArguments::materializeSpecials):
1754         * runtime/CommonSlowPaths.cpp:
1755         (JSC::SLOW_PATH_DECL):
1756         * runtime/ConsoleObject.cpp:
1757         (JSC::ConsoleObject::finishCreation):
1758         * runtime/DateConstructor.cpp:
1759         (JSC::DateConstructor::finishCreation):
1760         * runtime/DatePrototype.cpp:
1761         (JSC::DatePrototype::finishCreation):
1762         * runtime/DirectArguments.cpp:
1763         (JSC::DirectArguments::overrideThings):
1764         * runtime/Error.cpp:
1765         (JSC::addErrorInfo):
1766         * runtime/ErrorConstructor.cpp:
1767         (JSC::ErrorConstructor::finishCreation):
1768         * runtime/ErrorInstance.cpp:
1769         (JSC::ErrorInstance::finishCreation):
1770         * runtime/ErrorPrototype.cpp:
1771         (JSC::ErrorPrototype::finishCreation):
1772         * runtime/FunctionConstructor.cpp:
1773         (JSC::FunctionConstructor::finishCreation):
1774         * runtime/FunctionPrototype.cpp:
1775         (JSC::FunctionPrototype::finishCreation):
1776         (JSC::FunctionPrototype::addFunctionProperties):
1777         (JSC::FunctionPrototype::initRestrictedProperties):
1778         * runtime/GeneratorFunctionConstructor.cpp:
1779         (JSC::GeneratorFunctionConstructor::finishCreation):
1780         * runtime/GeneratorFunctionPrototype.cpp:
1781         (JSC::GeneratorFunctionPrototype::finishCreation):
1782         * runtime/GeneratorPrototype.cpp:
1783         (JSC::GeneratorPrototype::finishCreation):
1784         * runtime/GenericArgumentsInlines.h:
1785         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1786         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
1787         * runtime/InternalFunction.cpp:
1788         (JSC::InternalFunction::finishCreation):
1789         * runtime/IntlCollatorConstructor.cpp:
1790         (JSC::IntlCollatorConstructor::finishCreation):
1791         * runtime/IntlDateTimeFormatConstructor.cpp:
1792         (JSC::IntlDateTimeFormatConstructor::finishCreation):
1793         * runtime/IntlDateTimeFormatPrototype.cpp:
1794         (JSC::IntlDateTimeFormatPrototype::finishCreation):
1795         * runtime/IntlNumberFormatConstructor.cpp:
1796         (JSC::IntlNumberFormatConstructor::finishCreation):
1797         * runtime/IntlObject.cpp:
1798         (JSC::IntlObject::finishCreation):
1799         * runtime/IteratorPrototype.cpp:
1800         (JSC::IteratorPrototype::finishCreation):
1801         * runtime/JSArray.cpp:
1802         (JSC::JSArray::getOwnPropertySlot):
1803         (JSC::JSArray::setLengthWithArrayStorage):
1804         * runtime/JSArrayBufferConstructor.cpp:
1805         (JSC::JSArrayBufferConstructor::finishCreation):
1806         * runtime/JSArrayBufferPrototype.cpp:
1807         (JSC::JSArrayBufferPrototype::finishCreation):
1808         * runtime/JSBoundFunction.cpp:
1809         (JSC::JSBoundFunction::finishCreation):
1810         * runtime/JSCJSValue.cpp:
1811         (JSC::JSValue::putToPrimitive):
1812         * runtime/JSDataView.cpp:
1813         (JSC::JSDataView::getOwnPropertySlot):
1814         * runtime/JSDataViewPrototype.cpp:
1815         (JSC::JSDataViewPrototype::finishCreation):
1816         * runtime/JSFunction.cpp:
1817         (JSC::JSFunction::finishCreation):
1818         (JSC::JSFunction::getOwnPropertySlot):
1819         (JSC::JSFunction::defineOwnProperty):
1820         (JSC::JSFunction::reifyLength):
1821         (JSC::JSFunction::reifyName):
1822         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
1823         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1824         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
1825         * runtime/JSGenericTypedArrayViewInlines.h:
1826         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1827         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1828         * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
1829         (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
1830         * runtime/JSGlobalObject.cpp:
1831         (JSC::JSGlobalObject::init):
1832         (JSC::JSGlobalObject::addStaticGlobals):
1833         * runtime/JSLexicalEnvironment.cpp:
1834         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1835         * runtime/JSModuleNamespaceObject.cpp:
1836         (JSC::JSModuleNamespaceObject::finishCreation):
1837         (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
1838         * runtime/JSONObject.cpp:
1839         (JSC::JSONObject::finishCreation):
1840         * runtime/JSObject.cpp:
1841         (JSC::getClassPropertyNames):
1842         (JSC::JSObject::getOwnPropertySlotByIndex):
1843         (JSC::ordinarySetSlow):
1844         (JSC::JSObject::putInlineSlow):
1845         (JSC::JSObject::putGetter):
1846         (JSC::JSObject::putSetter):
1847         (JSC::JSObject::putDirectAccessor):
1848         (JSC::JSObject::putDirectCustomAccessor):
1849         (JSC::JSObject::putDirectNonIndexAccessor):
1850         (JSC::JSObject::deleteProperty):
1851         (JSC::JSObject::deletePropertyByIndex):
1852         (JSC::JSObject::getOwnPropertyNames):
1853         (JSC::JSObject::putIndexedDescriptor):
1854         (JSC::JSObject::defineOwnIndexedProperty):
1855         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
1856         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1857         (JSC::JSObject::getOwnPropertyDescriptor):
1858         (JSC::putDescriptor):
1859         (JSC::validateAndApplyPropertyDescriptor):
1860         * runtime/JSObject.h:
1861         (JSC::JSObject::putDirect):
1862         * runtime/JSObjectInlines.h:
1863         (JSC::JSObject::putDirectWithoutTransition):
1864         (JSC::JSObject::putDirectInternal):
1865         * runtime/JSPromiseConstructor.cpp:
1866         (JSC::JSPromiseConstructor::finishCreation):
1867         (JSC::JSPromiseConstructor::addOwnInternalSlots):
1868         * runtime/JSPromisePrototype.cpp:
1869         (JSC::JSPromisePrototype::finishCreation):
1870         (JSC::JSPromisePrototype::addOwnInternalSlots):
1871         * runtime/JSString.cpp:
1872         (JSC::JSString::getStringPropertyDescriptor):
1873         * runtime/JSString.h:
1874         (JSC::JSString::getStringPropertySlot):
1875         * runtime/JSSymbolTableObject.cpp:
1876         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1877         * runtime/JSSymbolTableObject.h:
1878         (JSC::symbolTableGet):
1879         * runtime/JSTypedArrayViewConstructor.cpp:
1880         (JSC::JSTypedArrayViewConstructor::finishCreation):
1881         * runtime/JSTypedArrayViewPrototype.cpp:
1882         (JSC::JSTypedArrayViewPrototype::finishCreation):
1883         * runtime/LazyClassStructure.cpp:
1884         (JSC::LazyClassStructure::Initializer::setConstructor):
1885         * runtime/Lookup.cpp:
1886         (JSC::reifyStaticAccessor):
1887         (JSC::setUpStaticFunctionSlot):
1888         * runtime/Lookup.h:
1889         (JSC::HashTableValue::intrinsic const):
1890         (JSC::HashTableValue::builtinGenerator const):
1891         (JSC::HashTableValue::function const):
1892         (JSC::HashTableValue::functionLength const):
1893         (JSC::HashTableValue::propertyGetter const):
1894         (JSC::HashTableValue::propertyPutter const):
1895         (JSC::HashTableValue::domJIT const):
1896         (JSC::HashTableValue::signature const):
1897         (JSC::HashTableValue::accessorGetter const):
1898         (JSC::HashTableValue::accessorSetter const):
1899         (JSC::HashTableValue::constantInteger const):
1900         (JSC::HashTableValue::lazyCellPropertyOffset const):
1901         (JSC::HashTableValue::lazyClassStructureOffset const):
1902         (JSC::HashTableValue::lazyPropertyCallback const):
1903         (JSC::HashTableValue::builtinAccessorGetterGenerator const):
1904         (JSC::HashTableValue::builtinAccessorSetterGenerator const):
1905         (JSC::getStaticPropertySlotFromTable):
1906         (JSC::putEntry):
1907         (JSC::reifyStaticProperty):
1908         * runtime/MapConstructor.cpp:
1909         (JSC::MapConstructor::finishCreation):
1910         * runtime/MapIteratorPrototype.cpp:
1911         (JSC::MapIteratorPrototype::finishCreation):
1912         * runtime/MapPrototype.cpp:
1913         (JSC::MapPrototype::finishCreation):
1914         * runtime/MathObject.cpp:
1915         (JSC::MathObject::finishCreation):
1916         * runtime/NativeErrorConstructor.cpp:
1917         (JSC::NativeErrorConstructor::finishCreation):
1918         * runtime/NativeErrorPrototype.cpp:
1919         (JSC::NativeErrorPrototype::finishCreation):
1920         * runtime/NumberConstructor.cpp:
1921         (JSC::NumberConstructor::finishCreation):
1922         * runtime/NumberPrototype.cpp:
1923         (JSC::NumberPrototype::finishCreation):
1924         * runtime/ObjectConstructor.cpp:
1925         (JSC::ObjectConstructor::finishCreation):
1926         (JSC::objectConstructorAssign):
1927         (JSC::objectConstructorValues):
1928         (JSC::objectConstructorDefineProperty):
1929         * runtime/ObjectPrototype.cpp:
1930         (JSC::ObjectPrototype::finishCreation):
1931         (JSC::objectProtoFuncLookupGetter):
1932         (JSC::objectProtoFuncLookupSetter):
1933         * runtime/ProgramExecutable.cpp:
1934         (JSC::ProgramExecutable::initializeGlobalProperties):
1935         * runtime/PropertyDescriptor.cpp:
1936         (JSC::PropertyDescriptor::writable const):
1937         (JSC::PropertyDescriptor::enumerable const):
1938         (JSC::PropertyDescriptor::configurable const):
1939         (JSC::PropertyDescriptor::setUndefined):
1940         (JSC::PropertyDescriptor::setDescriptor):
1941         (JSC::PropertyDescriptor::setCustomDescriptor):
1942         (JSC::PropertyDescriptor::setAccessorDescriptor):
1943         (JSC::PropertyDescriptor::setWritable):
1944         (JSC::PropertyDescriptor::setEnumerable):
1945         (JSC::PropertyDescriptor::setConfigurable):
1946         (JSC::PropertyDescriptor::setSetter):
1947         (JSC::PropertyDescriptor::setGetter):
1948         (JSC::PropertyDescriptor::attributesEqual const):
1949         (JSC::PropertyDescriptor::attributesOverridingCurrent const):
1950         * runtime/PropertySlot.cpp:
1951         (JSC::PropertySlot::customGetter const):
1952         * runtime/PropertySlot.h:
1953         (JSC::operator| ):
1954         (JSC::operator&):
1955         (JSC::operator<):
1956         (JSC::operator~):
1957         (JSC::operator|=):
1958         (JSC::PropertySlot::setUndefined):
1959         * runtime/ProxyConstructor.cpp:
1960         (JSC::makeRevocableProxy):
1961         (JSC::ProxyConstructor::finishCreation):
1962         * runtime/ProxyObject.cpp:
1963         (JSC::ProxyObject::performHasProperty):
1964         * runtime/ProxyRevoke.cpp:
1965         (JSC::ProxyRevoke::finishCreation):
1966         * runtime/ReflectObject.cpp:
1967         (JSC::ReflectObject::finishCreation):
1968         (JSC::reflectObjectDefineProperty):
1969         * runtime/RegExpConstructor.cpp:
1970         (JSC::RegExpConstructor::finishCreation):
1971         * runtime/RegExpObject.cpp:
1972         (JSC::RegExpObject::getOwnPropertySlot):
1973         * runtime/RegExpPrototype.cpp:
1974         (JSC::RegExpPrototype::finishCreation):
1975         * runtime/ScopedArguments.cpp:
1976         (JSC::ScopedArguments::overrideThings):
1977         * runtime/SetConstructor.cpp:
1978         (JSC::SetConstructor::finishCreation):
1979         * runtime/SetIteratorPrototype.cpp:
1980         (JSC::SetIteratorPrototype::finishCreation):
1981         * runtime/SetPrototype.cpp:
1982         (JSC::SetPrototype::finishCreation):
1983         * runtime/SparseArrayValueMap.cpp:
1984         (JSC::SparseArrayValueMap::putDirect):
1985         (JSC::SparseArrayEntry::put):
1986         * runtime/StringConstructor.cpp:
1987         (JSC::StringConstructor::finishCreation):
1988         * runtime/StringIteratorPrototype.cpp:
1989         (JSC::StringIteratorPrototype::finishCreation):
1990         * runtime/StringPrototype.cpp:
1991         (JSC::StringPrototype::finishCreation):
1992         * runtime/Structure.cpp:
1993         (JSC::Structure::nonPropertyTransition):
1994         (JSC::Structure::isSealed):
1995         (JSC::Structure::isFrozen):
1996         (JSC::Structure::getPropertyNamesFromStructure):
1997         (JSC::Structure::prototypeChainMayInterceptStoreTo):
1998         * runtime/StructureInlines.h:
1999         (JSC::Structure::add):
2000         * runtime/SymbolConstructor.cpp:
2001         (JSC::SymbolConstructor::finishCreation):
2002         * runtime/SymbolPrototype.cpp:
2003         (JSC::SymbolPrototype::finishCreation):
2004         * runtime/SymbolTable.h:
2005         (JSC::SymbolTableEntry::Fast::getAttributes const):
2006         (JSC::SymbolTableEntry::SymbolTableEntry):
2007         (JSC::SymbolTableEntry::setAttributes):
2008         * runtime/TemplateRegistry.cpp:
2009         (JSC::TemplateRegistry::getTemplateObject):
2010         * runtime/WeakMapConstructor.cpp:
2011         (JSC::WeakMapConstructor::finishCreation):
2012         * runtime/WeakMapPrototype.cpp:
2013         (JSC::WeakMapPrototype::finishCreation):
2014         * runtime/WeakSetConstructor.cpp:
2015         (JSC::WeakSetConstructor::finishCreation):
2016         * runtime/WeakSetPrototype.cpp:
2017         (JSC::WeakSetPrototype::finishCreation):
2018         * tools/JSDollarVMPrototype.cpp:
2019         (JSC::JSDollarVMPrototype::finishCreation):
2020         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2021         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
2022         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2023         (JSC::WebAssemblyInstanceConstructor::finishCreation):
2024         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2025         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
2026         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2027         (JSC::WebAssemblyMemoryConstructor::finishCreation):
2028         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2029         * wasm/js/WebAssemblyModuleConstructor.cpp:
2030         (JSC::WebAssemblyModuleConstructor::finishCreation):
2031         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2032         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
2033         * wasm/js/WebAssemblyTableConstructor.cpp:
2034         (JSC::WebAssemblyTableConstructor::finishCreation):
2035
2036 2017-09-23  Oleksandr Skachkov  <gskachkov@gmail.com>
2037
2038         [ESNext] Async iteration - Implement Async Generator - optimization
2039         https://bugs.webkit.org/show_bug.cgi?id=175891
2040
2041         Reviewed by Yusuke Suzuki.
2042
2043         Add small optimizations for async generators:
2044         1. Merge the async generator queue into the async generator itself:
2045            generator.@first / generator.@last is enough; by doing so,
2046            we remove one unnecessary object alloc.
2047         2. Merge the request with the queue.
2048
2049         * builtins/AsyncGeneratorPrototype.js:
2050         (globalPrivate.asyncGeneratorQueueIsEmpty):
2051         (globalPrivate.asyncGeneratorQueueCreateItem):
2052         (globalPrivate.asyncGeneratorQueueEnqueue):
2053         (globalPrivate.asyncGeneratorQueueDequeue):
2054         (globalPrivate.asyncGeneratorDequeue):
2055         (globalPrivate.isSuspendYieldState):
2056         (globalPrivate.asyncGeneratorEnqueue):
2057         * builtins/BuiltinNames.h:
2058         * bytecompiler/BytecodeGenerator.cpp:
2059         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
2060         * bytecompiler/BytecodeGenerator.h:
2061         * bytecompiler/NodesCodegen.cpp:
2062         (JSC::FunctionNode::emitBytecode):
2063
2064 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
2065
2066         test262: $.agent became $262.agent in test262 update
2067         https://bugs.webkit.org/show_bug.cgi?id=177407
2068
2069         Reviewed by Yusuke Suzuki.
2070
2071         * jsc.cpp:
2072         (GlobalObject::finishCreation):
2073         Alias `$` and `$262` for now.
2074
2075 2017-09-22  Keith Miller  <keith_miller@apple.com>
2076
2077         Speculatively change iteration protocol to use the same next function
2078         https://bugs.webkit.org/show_bug.cgi?id=175653
2079
2080         Reviewed by Saam Barati.
2081
2082         This patch speculatively makes a change to the iteration protocol to fetch the next
2083         property immediately after calling the Symbol.iterator function. This is, in theory,
2084         a breaking change, so we will see if this breaks things (most likely it won't as this
2085         is a relatively subtle point).
2086
2087         See: https://github.com/tc39/ecma262/issues/976
2088
2089         * builtins/IteratorHelpers.js:
2090         (performIteration):
2091         * bytecompiler/BytecodeGenerator.cpp:
2092         (JSC::BytecodeGenerator::emitEnumeration):
2093         (JSC::BytecodeGenerator::emitIteratorNext):
2094         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
2095         (JSC::BytecodeGenerator::emitDelegateYield):
2096         * bytecompiler/BytecodeGenerator.h:
2097         * bytecompiler/NodesCodegen.cpp:
2098         (JSC::ArrayPatternNode::bindValue const):
2099         * inspector/JSInjectedScriptHost.cpp:
2100         (Inspector::JSInjectedScriptHost::iteratorEntries):
2101         * runtime/IteratorOperations.cpp:
2102         (JSC::iteratorNext):
2103         (JSC::iteratorStep):
2104         (JSC::iteratorClose):
2105         (JSC::iteratorForIterable):
2106         * runtime/IteratorOperations.h:
2107         (JSC::forEachInIterable):
2108         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2109         (JSC::constructGenericTypedArrayViewFromIterator):
2110         (JSC::constructGenericTypedArrayViewWithArguments):
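
The entry above contrasts reading `next` once, right after calling the Symbol.iterator function, with looking it up on every step. The following is an added example, not JavaScriptCore code, that makes the difference observable in plain JavaScript: two small iteration drivers, one per protocol, fed a constructed iterator that overwrites its own `next` after the first call. The function names (iterateCachedNext, iterateLookupEachStep, makeSelfPatchingIterable, runAll) and the sample arrays are this example's own. The `engine` result shows what the host engine's spread operator does; current ECMAScript GetIterator caches `next`, so on a modern engine it matches the cached driver.

```javascript
// Added example, not JavaScriptCore code: two drivers for the JS iteration
// protocol that differ only in when they read the iterator's `next` property.
//   iterateCachedNext      reads `next` once, right after [Symbol.iterator]()
//                          (the behaviour the entry adopts; also what current
//                          ECMAScript GetIterator does)
//   iterateLookupEachStep  reads `next` afresh before every step (the older
//                          behaviour)
// They diverge only when `next` is replaced mid-iteration, which is the
// "subtle point" the entry refers to: once the iterator has been handed over,
// later patching of its `next` no longer redirects the consumer.

function iterateCachedNext(iterable) {
  const iterator = iterable[Symbol.iterator]();
  const next = iterator.next;               // fetched exactly once
  const out = [];
  for (;;) {
    const result = next.call(iterator);
    if (result.done) return out;
    out.push(result.value);
  }
}

function iterateLookupEachStep(iterable) {
  const iterator = iterable[Symbol.iterator]();
  const out = [];
  for (;;) {
    const result = iterator.next();         // property lookup on every step
    if (result.done) return out;
    out.push(result.value);
  }
}

// Constructed input: an iterable whose iterator overwrites its own `next`
// after the first call. `original` and `replacement` are arrays; the shared
// index `i` makes both sources advance in lockstep so every driver terminates.
function makeSelfPatchingIterable(original, replacement) {
  return {
    [Symbol.iterator]() {
      let i = 0;
      const step = (source) =>
        i < source.length ? { value: source[i++], done: false }
                          : { value: undefined, done: true };
      const iterator = {
        next() {
          iterator.next = () => step(replacement);   // swap after first call
          return step(original);
        },
      };
      return iterator;
    },
  };
}

// Feed the same constructed input to both drivers and to the engine's spread.
function runAll() {
  const make = () => makeSelfPatchingIterable(['a', 'b', 'c'], ['x', 'y', 'z']);
  return {
    cached: iterateCachedNext(make()),        // ['a', 'b', 'c']
    lookup: iterateLookupEachStep(make()),    // ['a', 'y', 'z']
    engine: [...make()],                      // whatever the host engine does
  };
}
```

The cached driver never sees the swapped-in `next`, so the iterator's author cannot change course after the consumer has started; the per-step driver follows the swap from the second element onward. That is the whole behavioural surface the entry calls "a breaking change".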
2111
2112 2017-09-22  Fujii Hironori  <Hironori.Fujii@sony.com>
2113
2114         [Win64] Crashes in Yarr JIT compiled code
2115         https://bugs.webkit.org/show_bug.cgi?id=177293
2116
2117         Reviewed by Yusuke Suzuki.
2118
2119         In x64 Windows, the rcx register is used for the address of the allocated
2120         space for the return value. But rcx has been used for regT1 since
2121         r221052. Save rcx on the stack.
2122
2123         * yarr/YarrJIT.cpp:
2124         (JSC::Yarr::YarrGenerator::generateEnter): Push ecx.
2125         (JSC::Yarr::YarrGenerator::generateReturn): Pop ecx.
2126
2127 2017-09-22  Saam Barati  <sbarati@apple.com>
2128
2129         Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
2130         https://bugs.webkit.org/show_bug.cgi?id=177368
2131
2132         Reviewed by Keith Miller.
2133
2134         * runtime/ErrorInstance.cpp:
2135         (JSC::ErrorInstance::finishCreation):
2136         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
2137         (JSC::ErrorInstance::visitChildren):
2138
2139 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2140
2141         [DFG][FTL] Profile array vector length for array allocation
2142         https://bugs.webkit.org/show_bug.cgi?id=177051
2143
2144         Reviewed by Saam Barati.
2145
2146         Currently, NewArrayBuffer allocation is penalized by JSC: while an empty array gets a vector size of 25 (BASE_CONTIGUOUS_VECTOR_LEN),
2147         the new_array_buffer case gets a vector size of 3 (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
2148         if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
2149         the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
2150
2151             empty array allocation,
2152
2153             var array = [];
2154             array.push(0);
2155             array.push(1);
2156             array.push(2);
2157             array.push(3);
2158             array.push(4);
2159
2160             v.s. new_array_buffer case,
2161
2162             var array = [0];
2163             array.push(1);
2164             array.push(2);
2165             array.push(3);
2166             array.push(4);
2167
2168         In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (which is a bit likely),
2169         we should allocate a vector size of 3 to 25 if it is likely to be grown. So we should get a profile of the resulting array.
2170
2171         We select 25 to make it fit to one of size classes.
2172
2173         In this patch, we extend ArrayAllocationProfile to record the vector length, and use this information when allocating an array for new_array_buffer.
2174         If the number of new_array_buffer constants is <= 25, the array vector size becomes 3 to 25 based on profiling. If the number of its constants
2175         is larger than 25, we just use it for allocation as before.
2176
2177         The added microbenchmark and SixSpeed spread-literal.es5 show improvements.
2178
2179             new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
2180             spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster
2181
2182         * bytecode/ArrayAllocationProfile.cpp:
2183         (JSC::ArrayAllocationProfile::updateProfile):
2184         (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
2185         * bytecode/ArrayAllocationProfile.h:
2186         (JSC::ArrayAllocationProfile::selectIndexingType):
2187         (JSC::ArrayAllocationProfile::vectorLengthHint):
2188         (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
2189         * bytecode/CodeBlock.cpp:
2190         (JSC::CodeBlock::updateAllArrayPredictions):
2191         * dfg/DFGByteCodeParser.cpp:
2192         (JSC::DFG::ByteCodeParser::parseBlock):
2193         * dfg/DFGGraph.cpp:
2194         (JSC::DFG::Graph::dump):
2195         * dfg/DFGNode.h:
2196         (JSC::DFG::Node::vectorLengthHint):
2197         * dfg/DFGOperations.cpp:
2198         * dfg/DFGOperations.h:
2199         * dfg/DFGSpeculativeJIT64.cpp:
2200         (JSC::DFG::SpeculativeJIT::compile):
2201         * ftl/FTLLowerDFGToB3.cpp:
2202         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2203         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2204         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2205         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2206         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
2207         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
2208         * runtime/ArrayConventions.h:
2209         * runtime/JSArray.h:
2210         (JSC::JSArray::tryCreate):
2211
2212 2017-09-22  Commit Queue  <commit-queue@webkit.org>
2213
2214         Unreviewed, rolling out r222380.
2215         https://bugs.webkit.org/show_bug.cgi?id=177352
2216
2217         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
2218         #webkit).
2219
2220         Reverted changeset:
2221
2222         "[DFG][FTL] Profile array vector length for array allocation"
2223         https://bugs.webkit.org/show_bug.cgi?id=177051
2224         http://trac.webkit.org/changeset/222380
2225
2226 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2227
2228         [DFG][FTL] Profile array vector length for array allocation
2229         https://bugs.webkit.org/show_bug.cgi?id=177051
2230
2231         Reviewed by Saam Barati.
2232
2233         Currently, NewArrayBuffer allocation is penalized by JSC: while an empty array gets a vector size of 25 (BASE_CONTIGUOUS_VECTOR_LEN),
2234         the new_array_buffer case gets a vector size of 3 (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
2235         if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
2236         the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
2237
2238             empty array allocation,
2239
2240             var array = [];
2241             array.push(0);
2242             array.push(1);
2243             array.push(2);
2244             array.push(3);
2245             array.push(4);
2246
2247             v.s. new_array_buffer case,
2248
2249             var array = [0];
2250             array.push(1);
2251             array.push(2);
2252             array.push(3);
2253             array.push(4);
2254
2255         In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (which is a bit likely),
2256         we should allocate a vector size of 3 to 25 if it is likely to be grown. So we should get a profile of the resulting array.
2257
2258         We select 25 to make it fit to one of size classes.
2259
2260         In this patch, we extend ArrayAllocationProfile to record the vector length, and use this information when allocating an array for new_array_buffer.
2261         If the number of new_array_buffer constants is <= 25, the array vector size becomes 3 to 25 based on profiling. If the number of its constants
2262         is larger than 25, we just use it for allocation as before.
2263
2264         The added microbenchmark and SixSpeed spread-literal.es5 show improvements.
2265
2266             new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
2267             spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster
2268
2269         * bytecode/ArrayAllocationProfile.cpp:
2270         (JSC::ArrayAllocationProfile::updateProfile):
2271         (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
2272         * bytecode/ArrayAllocationProfile.h:
2273         (JSC::ArrayAllocationProfile::selectIndexingType):
2274         (JSC::ArrayAllocationProfile::vectorLengthHint):
2275         (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
2276         * bytecode/CodeBlock.cpp:
2277         (JSC::CodeBlock::updateAllArrayPredictions):
2278         * dfg/DFGByteCodeParser.cpp:
2279         (JSC::DFG::ByteCodeParser::parseBlock):
2280         * dfg/DFGGraph.cpp:
2281         (JSC::DFG::Graph::dump):
2282         * dfg/DFGNode.h:
2283         (JSC::DFG::Node::vectorLengthHint):
2284         * dfg/DFGOperations.cpp:
2285         * dfg/DFGOperations.h:
2286         * dfg/DFGSpeculativeJIT64.cpp:
2287         (JSC::DFG::SpeculativeJIT::compile):
2288         * ftl/FTLLowerDFGToB3.cpp:
2289         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2290         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2291         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2292         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2293         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
2294         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
2295         * runtime/ArrayConventions.h:
2296         * runtime/JSArray.h:
2297         (JSC::JSArray::tryCreate):
2298
2299 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
2300
2301         Web Inspector: Remove support for CSS Regions
2302         https://bugs.webkit.org/show_bug.cgi?id=177287
2303
2304         Reviewed by Matt Baker.
2305
2306         * inspector/protocol/CSS.json:
2307         * inspector/protocol/OverlayTypes.json:
2308
2309 2017-09-21  Brian Burg  <bburg@apple.com>
2310
2311         Web Inspector: keyboard shortcut for "Reload page from origin" doesn't match Safari, and doesn't work
2312         https://bugs.webkit.org/show_bug.cgi?id=177010
2313         <rdar://problem/33134548>
2314
2315         Reviewed by Joseph Pecoraro.
2316
2317         Use "reload from origin" nomenclature instead of "reload ignoring cache".
2318
2319         * inspector/protocol/Page.json: Improve the comment, but don't change the
2320         parameter name since this would be a divergence from legacy protocols.
2321
2322 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
2323
2324         test262: test262/test/annexB/built-ins/RegExp/prototype/flags/order-after-compile.js ASSERTs
2325         https://bugs.webkit.org/show_bug.cgi?id=177307
2326
2327         Reviewed by Michael Saboff.
2328
2329         * runtime/RegExpPrototype.cpp:
2330         In r221160 we added support for the new RegExp flag (dotAll).
2331         We needed to make space for it in FlagsString.
2332
2333 2017-09-20  Keith Miller  <keith_miller@apple.com>
2334
2335         JSC should use unified sources for platform specific files.
2336         https://bugs.webkit.org/show_bug.cgi?id=177290
2337
2338         Reviewed by Michael Saboff.
2339
2340         Add a list of platform specific source files and update the
2341         Generate Unified Sources phase of the Xcode build. I skipped WPE
2342         since that seems to have failed for some reason that I didn't
2343         fully understand. See:
2344         https://webkit-queues.webkit.org/results/4611260
2345
2346         Also, fix duplicate symbols in Glib remote inspector files.
2347
2348         * CMakeLists.txt:
2349         * JavaScriptCore.xcodeproj/project.pbxproj:
2350         * PlatformGTK.cmake:
2351         * PlatformMac.cmake:
2352         * SourcesGTK.txt: Added.
2353         * SourcesMac.txt: Added.
2354         * inspector/remote/glib/RemoteInspectorServer.cpp:
2355         (Inspector::RemoteInspectorServer::interfaceInfo):
2356         (Inspector::RemoteInspectorServer::setTargetList):
2357         (Inspector::RemoteInspectorServer::setupInspectorClient):
2358         (Inspector::RemoteInspectorServer::setup):
2359         (Inspector::RemoteInspectorServer::close):
2360         (Inspector::RemoteInspectorServer::connectionClosed):
2361         (Inspector::RemoteInspectorServer::sendMessageToBackend):
2362         (Inspector::RemoteInspectorServer::sendMessageToFrontend):
2363         (Inspector::dbusConnectionCallAsyncReadyCallback): Deleted.
2364
2365 2017-09-20  Stephan Szabo  <stephan.szabo@sony.com>
2366
2367         [Win] WTF: Add alias for process id to use in place of direct uses of pid_t
2368         https://bugs.webkit.org/show_bug.cgi?id=177017
2369
2370         Reviewed by Alex Christensen.
2371
2372         * API/JSRemoteInspector.cpp:
2373         (JSRemoteInspectorSetParentProcessInformation):
2374         * API/JSRemoteInspector.h:
2375         * inspector/remote/RemoteInspector.h:
2376
2377 2017-09-20  Keith Miller  <keith_miller@apple.com>
2378
2379         Rename source list file to Sources.txt
2380         https://bugs.webkit.org/show_bug.cgi?id=177283
2381
2382         Reviewed by Saam Barati.
2383
2384         * CMakeLists.txt:
2385         * JavaScriptCore.xcodeproj/project.pbxproj:
2386         * Sources.txt: Renamed from Source/JavaScriptCore/sources.txt.
2387
2388 2017-09-20  Keith Miller  <keith_miller@apple.com>
2389
2390         Unreviewed, fix string capitalization
2391
2392         * JavaScriptCore.xcodeproj/project.pbxproj:
2393
2394 2017-09-20  Keith Miller  <keith_miller@apple.com>
2395
2396         JSC Xcode build should use unified sources for platform independent files
2397         https://bugs.webkit.org/show_bug.cgi?id=177190
2398
2399         Reviewed by Saam Barati.
2400
2401         This patch changes the Xcode build to use unified sources. The
2402         main difference from a development perspective is that instead of
2403         adding source files to Xcode they need to be added to the shared
2404         sources.txt. For now, platform specific files are still added
2405         to the JavaScriptCore target.
2406
2407         Because Xcode needs to know about all the files before we generate
2408         them, all the unified source files need to be added to the
2409         JavaScriptCore framework target. As a result, if we run out of
2410         bundle files, more will need to be added to the project. Currently,
2411         there are no spare files. If adding more bundle files becomes
2412         problematic we can change this.
2413
2414         LowLevelInterpreter.cpp can't be added to the unified source list yet
2415         due to a clang bug.
2416
2417         * CMakeLists.txt:
2418         * JavaScriptCore.xcodeproj/project.pbxproj:
2419         * sources.txt: Added.
2420
2421 2017-09-20  Per Arne Vollan  <pvollan@apple.com>
2422
2423         [Win] Cannot find script to generate unified sources.
2424         https://bugs.webkit.org/show_bug.cgi?id=177014
2425
2426         Reviewed by Keith Miller.
2427
2428         The ruby script can now be found in WTF/Scripts in the forwarding headers folder.
2429
2430         * CMakeLists.txt:
2431         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2432
2433 2017-09-20  Alberto Garcia  <berto@igalia.com>
2434
2435         Fix HPPA and Alpha builds
2436         https://bugs.webkit.org/show_bug.cgi?id=177224
2437
2438         Reviewed by Alex Christensen.
2439
2440         * CMakeLists.txt:
2441
2442 2017-09-18  Filip Pizlo  <fpizlo@apple.com>
2443
2444         ErrorInstance and Exception need destroy methods
2445         https://bugs.webkit.org/show_bug.cgi?id=177095
2446
2447         Reviewed by Saam Barati.
2448         
2449         When I made ErrorInstance and Exception into JSDestructibleObjects, I forgot to make them
2450         follow that type's protocol.
2451
2452         * runtime/ErrorInstance.cpp:
2453         (JSC::ErrorInstance::destroy): Implement this to fix leaks.
2454         * runtime/ErrorInstance.h:
2455         * runtime/Exception.h: Change how this is declared now that this is a DestructibleObject.
2456
2457 2017-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2458
2459         [JSC] Consider dropping JSObjectSetPrototype feature for JSGlobalObject
2460         https://bugs.webkit.org/show_bug.cgi?id=177070
2461
2462         Reviewed by Saam Barati.
2463
2464         For security reasons, our global object is an immutable prototype exotic object.
2465         It prevents users from injecting proxies into the prototype chain of the global object[1].
2466         But our JSC API does not respect this attribute, and allows users to change the [[Prototype]]
2467         of the global object after instantiating it.
2468
2469         This patch removes this feature. Once the global object is instantiated, we cannot change the [[Prototype]]
2470         of the global object. It drops the JSGlobalObject::resetPrototype use, which involves GlobalThis
2471         edge cases.
2472
2473         [1]: https://github.com/tc39/ecma262/commit/935dad4283d045bc09c67a259279772d01b3d33d
2474
2475         * API/JSObjectRef.cpp:
2476         (JSObjectSetPrototype):
2477         * API/tests/CustomGlobalObjectClassTest.c:
2478         (globalObjectSetPrototypeTest):
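
The entry above relies on the global object being an immutable prototype exotic object so that a proxy cannot be spliced into its prototype chain. The following is an added example, not JavaScriptCore or WebKit code, that shows in plain JavaScript what that property prevents: a spy proxy placed in the prototype chain of an ordinary object answers every lookup that falls through to it (the global-object analogue is an undeclared variable being resolved by attacker code), while the same injection into an immutable prototype exotic object fails with the chain untouched. It uses Object.prototype as the immutable target, because ECMAScript makes Object.prototype an immutable prototype exotic object on every engine, whereas whether a host's global object is one varies by engine (JSC's is, per the entry); the example deliberately does not touch the running engine's global object. The helper names (makeSpyPrototype, tryInjectPrototype, demoMutableScope, demoImmutablePrototype) are this example's own.

```javascript
// Added example, not JavaScriptCore code: what an immutable [[Prototype]]
// buys, demonstrated with Reflect.setPrototypeOf on an ordinary object and
// on Object.prototype (an immutable prototype exotic object per ECMAScript).

// A proxy that records and answers every lookup that falls through to it.
// The target is a null-prototype object with no own properties, so the
// `has`/`get` traps may answer freely without violating proxy invariants.
function makeSpyPrototype(log) {
  return new Proxy(Object.create(null), {
    has(_target, key) {
      log.push(`has:${String(key)}`);
      return true;
    },
    get(_target, key) {
      log.push(`get:${String(key)}`);
      return `injected:${String(key)}`;
    },
  });
}

// Try to splice `proto` into obj's chain and report whether it took effect.
// Reflect.setPrototypeOf returns false instead of throwing when the target
// refuses (immutable prototype exotic objects, non-extensible objects, cycles).
function tryInjectPrototype(obj, proto) {
  const ok = Reflect.setPrototypeOf(obj, proto);
  return { ok, injected: ok && Object.getPrototypeOf(obj) === proto };
}

// Mutable "scope-like" object (constructed input): after the injection,
// every name not declared on it resolves through the spy proxy.
function demoMutableScope() {
  const log = [];
  const scope = { declared: 1 };
  const r = tryInjectPrototype(scope, makeSpyPrototype(log));
  const seen = 'undeclared' in scope;     // answered by the `has` trap
  const value = scope.undeclared;         // answered by the `get` trap
  return { ...r, seen, value, log };
}

// Immutable prototype exotic object: the injection is refused. Reflect
// reports false, Object.setPrototypeOf throws TypeError, and the only
// permitted "change" is setting the prototype to the value it already has.
function demoImmutablePrototype() {
  const log = [];
  const r = tryInjectPrototype(Object.prototype, makeSpyPrototype(log));
  let threw = false;
  try {
    Object.setPrototypeOf(Object.prototype, {});
  } catch (e) {
    threw = e instanceof TypeError;
  }
  const sameValueOk = Reflect.setPrototypeOf(Object.prototype, null);
  const unchanged = Object.getPrototypeOf(Object.prototype) === null;
  return { ...r, threw, sameValueOk, unchanged, log };
}
```

Reflect.setPrototypeOf is the non-throwing probe: it returns false exactly where Object.setPrototypeOf would throw, which makes it convenient for checking an object's stance before relying on it. The API change described in the entry closes the one remaining path (JSObjectSetPrototype from C) by which an embedder could still replace the global object's [[Prototype]] after creation, so the JavaScript-visible guarantee and the C API agree.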
2479
2480 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2481
2482         [DFG] Remove ToThis more aggressively
2483         https://bugs.webkit.org/show_bug.cgi?id=177056
2484
2485         Reviewed by Saam Barati.
2486
2487         The variation of toThis() implementations is limited. So, we attempt to implement the common toThis operations in AI.
2488         We move scope related toThis to JSScope::toThis. And AI investigates the proven value/structure's toThis methods
2489         and attempts to fold/convert them to efficient nodes.
2490
2491         We introduce GetGlobalThis, which just loads globalThis from the semantic origin's globalObject. Using this,
2492         we can implement JSScope::toThis in DFG. This can avoid a costly toThis indirect function pointer call.
2493
2494         Currently, we just emit GetGlobalThis if necessary. We can further convert it to a constant if we can put a
2495         watchpoint on JSGlobalObject's globalThis change. But we leave it for a future patch for now.
2496
2497         This removes GetGlobalThis from ES6 generators in common cases.
2498
2499         spread-generator.es6      303.1550+-9.5037          290.9337+-8.3487          might be 1.0420x faster
2500
2501         * dfg/DFGAbstractInterpreterInlines.h:
2502         (JSC::DFG::isToThisAnIdentity):
2503         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2504         * dfg/DFGClobberize.h:
2505         (JSC::DFG::clobberize):
2506         * dfg/DFGConstantFoldingPhase.cpp:
2507         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2508         * dfg/DFGDoesGC.cpp:
2509         (JSC::DFG::doesGC):
2510         * dfg/DFGFixupPhase.cpp:
2511         (JSC::DFG::FixupPhase::fixupNode):
2512         * dfg/DFGNode.h:
2513         (JSC::DFG::Node::convertToGetGlobalThis):
2514         * dfg/DFGNodeType.h:
2515         * dfg/DFGPredictionPropagationPhase.cpp:
2516         * dfg/DFGSafeToExecute.h:
2517         (JSC::DFG::safeToExecute):
2518         * dfg/DFGSpeculativeJIT.cpp:
2519         (JSC::DFG::SpeculativeJIT::compileGetGlobalThis):
2520         * dfg/DFGSpeculativeJIT.h:
2521         * dfg/DFGSpeculativeJIT32_64.cpp:
2522         (JSC::DFG::SpeculativeJIT::compile):
2523         * dfg/DFGSpeculativeJIT64.cpp:
2524         (JSC::DFG::SpeculativeJIT::compile):
2525         * ftl/FTLCapabilities.cpp:
2526         (JSC::FTL::canCompile):
2527         * ftl/FTLLowerDFGToB3.cpp:
2528         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2529         (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
2530         * runtime/JSGlobalLexicalEnvironment.cpp:
2531         (JSC::JSGlobalLexicalEnvironment::toThis): Deleted.
2532         * runtime/JSGlobalLexicalEnvironment.h:
2533         * runtime/JSGlobalObject.cpp:
2534         (JSC::JSGlobalObject::toThis): Deleted.
2535         * runtime/JSGlobalObject.h:
2536         (JSC::JSGlobalObject::addressOfGlobalThis):
2537         * runtime/JSLexicalEnvironment.cpp:
2538         (JSC::JSLexicalEnvironment::toThis): Deleted.
2539         * runtime/JSLexicalEnvironment.h:
2540         * runtime/JSScope.cpp:
2541         (JSC::JSScope::toThis):
2542         * runtime/JSScope.h:
2543         * runtime/StrictEvalActivation.cpp:
2544         (JSC::StrictEvalActivation::toThis): Deleted.
2545         * runtime/StrictEvalActivation.h:
2546
2547 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2548
2549         Merge JSLexicalEnvironment and JSEnvironmentRecord
2550         https://bugs.webkit.org/show_bug.cgi?id=175492
2551
2552         Reviewed by Saam Barati.
2553
2554         JSEnvironmentRecord is only inherited by JSLexicalEnvironment.
2555         We can merge JSEnvironmentRecord and JSLexicalEnvironment.
2556
2557         * CMakeLists.txt:
2558         * JavaScriptCore.xcodeproj/project.pbxproj:
2559         * dfg/DFGSpeculativeJIT.cpp:
2560         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2561         * dfg/DFGSpeculativeJIT32_64.cpp:
2562         (JSC::DFG::SpeculativeJIT::compile):
2563         * dfg/DFGSpeculativeJIT64.cpp:
2564         (JSC::DFG::SpeculativeJIT::compile):
2565         * ftl/FTLAbstractHeapRepository.h:
2566         * ftl/FTLLowerDFGToB3.cpp:
2567         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2568         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
2569         (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
2570         (JSC::FTL::DFG::LowerDFGToB3::compilePutClosureVar):
2571         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
2572         * jit/JITPropertyAccess.cpp:
2573         (JSC::JIT::emitGetClosureVar):
2574         (JSC::JIT::emitPutClosureVar):
2575         (JSC::JIT::emitScopedArgumentsGetByVal):
2576         * jit/JITPropertyAccess32_64.cpp:
2577         (JSC::JIT::emitGetClosureVar):
2578         (JSC::JIT::emitPutClosureVar):
2579         * llint/LLIntOffsetsExtractor.cpp:
2580         * llint/LowLevelInterpreter.asm:
2581         * llint/LowLevelInterpreter32_64.asm:
2582         * llint/LowLevelInterpreter64.asm:
2583         * runtime/JSEnvironmentRecord.cpp: Removed.
2584         * runtime/JSEnvironmentRecord.h: Removed.
2585         * runtime/JSLexicalEnvironment.cpp:
2586         (JSC::JSLexicalEnvironment::visitChildren):
2587         (JSC::JSLexicalEnvironment::heapSnapshot):
2588         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2589         * runtime/JSLexicalEnvironment.h:
2590         (JSC::JSLexicalEnvironment::subspaceFor):
2591         (JSC::JSLexicalEnvironment::variables):
2592         (JSC::JSLexicalEnvironment::isValidScopeOffset):
2593         (JSC::JSLexicalEnvironment::variableAt):
2594         (JSC::JSLexicalEnvironment::offsetOfVariables):
2595         (JSC::JSLexicalEnvironment::offsetOfVariable):
2596         (JSC::JSLexicalEnvironment::allocationSizeForScopeSize):
2597         (JSC::JSLexicalEnvironment::allocationSize):
2598         (JSC::JSLexicalEnvironment::finishCreationUninitialized):
2599         (JSC::JSLexicalEnvironment::finishCreation):
2600         * runtime/JSModuleEnvironment.cpp:
2601         (JSC::JSModuleEnvironment::create):
2602         * runtime/JSObject.h:
2603         (JSC::JSObject::isEnvironment const):
2604         (JSC::JSObject::isEnvironmentRecord const): Deleted.
2605         * runtime/JSSegmentedVariableObject.h:
2606         * runtime/StringPrototype.cpp:
2607         (JSC::checkObjectCoercible):
2608
2609 2017-09-15  Saam Barati  <sbarati@apple.com>
2610
2611         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
2612         https://bugs.webkit.org/show_bug.cgi?id=176981
2613
2614         Reviewed by Yusuke Suzuki.
2615
2616         This patch makes inline arity fixup happen in two phases:
2617         1. We get all the values we need and MovHint them to the expected locals.
2618         2. We SetLocal them inside the callee's CodeOrigin. This way, if we exit, the callee's
2619            frame is already set up. If any SetLocal exits, we have a valid exit state.
2620            This is required because if we didn't do this in two phases, we may exit in
2621            the middle of arity fixup from the caller's CodeOrigin. This is unsound because if
2622            we did the SetLocals in the caller's frame, the memcpy may clobber needed parts
2623            of the frame right before exiting. For example, consider if we need to pad two args:
2624            [arg3][arg2][arg1][arg0]
2625            [fix ][fix ][arg3][arg2][arg1][arg0]
2626            We memcpy starting from arg0 in the direction of arg3. If we were to exit at a type check
2627            for arg3's SetLocal in the caller's CodeOrigin, we'd exit with a frame like so:
2628            [arg3][arg2][arg1][arg2][arg1][arg0]
2629            And the caller would then just end up thinking its arguments are:
2630            [arg3][arg2][arg1][arg2]
2631            which is incorrect.
2632        
2633        
2634         This patch also fixes a couple of bugs in IdentityWithProfile:
2635         1. The bytecode generator for this bytecode intrinsic was written incorrectly.
2636            It needed to store the result of evaluating its argument in a temporary that
2637            it creates. Otherwise, it might try to simply overwrite a constant
2638            or a register that it didn't own.
2639         2. We weren't eliminating this node in CSE inside the DFG.
2640
2641         * bytecompiler/NodesCodegen.cpp:
2642         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
2643         * dfg/DFGByteCodeParser.cpp:
2644         (JSC::DFG::ByteCodeParser::inlineCall):
2645         * dfg/DFGCSEPhase.cpp:
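
The frame hazard described in this entry, as an added model rather than JSC's own code: a frame is a vector of argument values, index 0 holds the argument drawn leftmost in the ChangeLog ([arg3][arg2][arg1][arg0]), and `kPad` is a placeholder for the padding value. `singlePhaseFixup` shifts the arguments in place and can "exit" after a given number of moves, reproducing the corrupted caller frame drawn above; `twoPhaseFixup` captures every value first (the MovHints) and recovers the callee frame from those captures if an exit happens during the SetLocals. The function and variable names are assumptions for this illustration.

```cpp
#include <cassert>
#include <cstddef>
#include <optional>
#include <vector>

// Added model, not JSC's code. Index 0 is the slot drawn leftmost in the
// ChangeLog ([arg3][arg2][arg1][arg0]); a caller passing four arguments
// therefore sees slots 0..3. Padding slots receive kPad (placeholder).
using Frame = std::vector<int>;
constexpr int kPad = -1;

// What the caller believes its arguments are: the first argCount slots.
Frame callerView(const Frame& frame, size_t argCount)
{
    return Frame(frame.begin(), frame.begin() + argCount);
}

// Single-phase fixup done in the caller's CodeOrigin: shift each argument
// padCount slots in place, arg0 first, working towards arg3. If exitAfter is
// set, an OSR exit (e.g. a failed type check on the next SetLocal) happens
// after that many moves, and the half-shifted frame is what the caller exits with.
Frame singlePhaseFixup(Frame frame, size_t padCount, std::optional<size_t> exitAfter = std::nullopt)
{
    const size_t argCount = frame.size();
    frame.resize(argCount + padCount);
    size_t moves = 0;
    for (size_t i = argCount; i-- > 0;) { // i == argCount-1 is arg0, i == 0 is arg3
        if (exitAfter && moves == *exitAfter)
            return frame; // exited mid-fixup; the caller reinterprets this frame
        frame[i + padCount] = frame[i];
        ++moves;
    }
    for (size_t i = 0; i < padCount; ++i)
        frame[i] = kPad;
    return frame;
}

struct FixupResult {
    Frame frame;  // callee frame after fixup, or as recovered by the exit
    bool exited;
};

// Two-phase fixup: phase 1 captures every value for its destination slot
// (the MovHints); phase 2 performs the SetLocals inside the callee's
// CodeOrigin. An exit during phase 2 recovers the callee frame from the
// captured values, so a half-written frame is never read as the caller's.
FixupResult twoPhaseFixup(Frame frame, size_t padCount, std::optional<size_t> exitAfter = std::nullopt)
{
    const size_t argCount = frame.size();
    std::vector<int> hints(argCount + padCount, kPad); // phase 1
    for (size_t i = 0; i < argCount; ++i)
        hints[i + padCount] = frame[i];

    frame.resize(argCount + padCount);
    for (size_t slot = 0; slot < hints.size(); ++slot) { // phase 2
        if (exitAfter && slot == *exitAfter)
            return { hints, true }; // exit state is exactly the hinted values
        frame[slot] = hints[slot];
    }
    return { frame, false };
}

int main()
{
    const Frame args { 43, 42, 41, 40 }; // constructed: arg3, arg2, arg1, arg0
    assert(singlePhaseFixup(args, 2) == Frame({ kPad, kPad, 43, 42, 41, 40 }));
    // Exit after moving arg0, arg1 and arg2 but before arg3: the drawing above.
    Frame broken = singlePhaseFixup(args, 2, 3);
    assert(broken == Frame({ 43, 42, 41, 42, 41, 40 }));
    assert(callerView(broken, 4) == Frame({ 43, 42, 41, 42 })); // caller's arg0 is gone
    assert(twoPhaseFixup(args, 2, 3).frame == Frame({ kPad, kPad, 43, 42, 41, 40 }));
    return 0;
}
```

The copy direction matters: because each argument moves to a higher slot and arg0 is copied first, every interrupted single-phase run leaves the low slots holding stale duplicates, which is exactly what the caller's view then reports.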
2646
2647 2017-09-15  JF Bastien  <jfbastien@apple.com>
2648
2649         WTF: use Forward.h when appropriate instead of Vector.h
2650         https://bugs.webkit.org/show_bug.cgi?id=176984
2651
2652         Reviewed by Saam Barati.
2653
2654         There's no need to include Vector.h when Forward.h will suffice. All we need is to move the template default parameters from Vector, and then the forward declaration can be used in so many new places: if a header only takes Vector by reference, rvalue reference, pointer, returns any of these, or has them as members then the header doesn't need to see the definition because the declaration will suffice.
2655
2656         * bytecode/HandlerInfo.h:
2657         * heap/GCIncomingRefCounted.h:
2658         * heap/GCSegmentedArray.h:
2659         * wasm/js/JSWebAssemblyModule.h:
2660
2661 2017-09-14  Saam Barati  <sbarati@apple.com>
2662
2663         We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags
2664         https://bugs.webkit.org/show_bug.cgi?id=176863
2665
2666         Reviewed by Keith Miller.
2667
2668         * CMakeLists.txt:
2669         * JavaScriptCore.xcodeproj/project.pbxproj:
2670         * runtime/ProxyObject.cpp:
2671         (JSC::performProxyGet):
2672         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2673         (JSC::ProxyObject::performHasProperty):
2674         (JSC::ProxyObject::getOwnPropertySlotCommon):
2675         (JSC::ProxyObject::performPut):
2676         (JSC::performProxyCall):
2677         (JSC::performProxyConstruct):
2678         (JSC::ProxyObject::performDelete):
2679         (JSC::ProxyObject::performPreventExtensions):
2680         (JSC::ProxyObject::performIsExtensible):
2681         (JSC::ProxyObject::performDefineOwnProperty):
2682         (JSC::ProxyObject::performGetOwnPropertyNames):
2683         (JSC::ProxyObject::performSetPrototype):
2684         (JSC::ProxyObject::performGetPrototype):
2685
2686 2017-09-14  Saam Barati  <sbarati@apple.com>
2687
2688         Make dumping the graph print both when exitOK and !exitOK
2689         https://bugs.webkit.org/show_bug.cgi?id=176954
2690
2691         Reviewed by Keith Miller.
2692
2693         * dfg/DFGGraph.cpp:
2694         (JSC::DFG::Graph::dump):
2695
2696 2017-09-14  Saam Barati  <sbarati@apple.com>
2697
2698         It should be valid to exit before each set when doing arity fixup when inlining
2699         https://bugs.webkit.org/show_bug.cgi?id=176948
2700
2701         Reviewed by Keith Miller.
2702
2703         This patch makes it so that we can exit before each SetLocal when doing arity
2704         fixup during inlining. This is OK because if we exit at any of these SetLocals,
2705         we will simply exit to the beginning of the call instruction.
2706         
2707         Not doing this led to a bug where FixupPhase would insert a ValueRep of
2708         a node before the actual node. This is obviously invalid IR. I've added
2709         a new validation rule to catch this malformed IR.
2710
2711         * dfg/DFGByteCodeParser.cpp:
2712         (JSC::DFG::ByteCodeParser::inliningCost):
2713         (JSC::DFG::ByteCodeParser::inlineCall):
2714         * dfg/DFGValidate.cpp:
2715         * runtime/Options.h:
2716
2717 2017-09-14  Mark Lam  <mark.lam@apple.com>
2718
2719         AddressSanitizer: stack-buffer-underflow in JSC::Probe::Page::Page
2720         https://bugs.webkit.org/show_bug.cgi?id=176874
2721         <rdar://problem/34436415>
2722
2723         Reviewed by Saam Barati.
2724
2725         1. Make Probe::Stack play nice with ASan by:
2726
2727            a. using a local memcpy implementation that suppresses ASan on ASan builds.
2728               We don't want to use std::memcpy() which validates stack memory because
2729               we are intentionally copying stack memory beyond the current frame.
2730
2731            b. changing Stack::s_chunkSize to equal sizeof(uintptr_t) on ASan builds.
2732               This ensures that Page::flushWrites() only writes stack memory that was
2733               modified by a probe.  The probes should only modify stack memory that
2734               belongs to JSC stack data structures.  We don't want to inadvertently
2735               modify adjacent words that may belong to ASan (which may happen if
2736               s_chunkSize is larger than sizeof(uintptr_t)).
2737
2738            c. fixing a bug in Page dirtyBits management for when the size of the value to
2739               write is greater than s_chunkSize.  The fix is generic, but in practice,
2740               this currently only manifests on 32-bit ASan builds because
2741               sizeof(uintptr_t) and s_chunkSize are 32-bit, and we may write 64-bit
2742               values.
2743
2744            d. making Page::m_dirtyBits 64 bits always.  This maximizes the number of
2745               s_chunksPerPage we can have even on ASan builds.
2746
2747         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
2748            std::memcpy to avoid strict aliasing issues.
2749
2750         3. Optimized the implementation of Page::physicalAddressFor().
2751
2752         4. Optimized the implementation of Stack::set() in the recording of the low
2753            watermark.  We just record the lowest raw pointer now, and only compute the
2754               alignment to its chunk boundary later when the low watermark is requested.
2755
2756         5. Changed a value in testmasm to make the test less vulnerable to rounding issues.
2757
2758         No new test needed because this is already covered by testmasm with ASan enabled.
2759
2760         * assembler/ProbeContext.h:
2761         (JSC::Probe::CPUState::gpr const):
2762         (JSC::Probe::CPUState::spr const):
2763         (JSC::Probe::Context::gpr):
2764         (JSC::Probe::Context::spr):
2765         (JSC::Probe::Context::fpr):
2766         (JSC::Probe::Context::gprName):
2767         (JSC::Probe::Context::sprName):
2768         (JSC::Probe::Context::fprName):
2769         (JSC::Probe::Context::gpr const):
2770         (JSC::Probe::Context::spr const):
2771         (JSC::Probe::Context::fpr const):
2772         (JSC::Probe::Context::pc):
2773         (JSC::Probe::Context::fp):
2774         (JSC::Probe::Context::sp):
2775         (JSC::Probe:: const): Deleted.
2776         * assembler/ProbeStack.cpp:
2777         (JSC::Probe::copyStackPage):
2778         (JSC::Probe::Page::Page):
2779         (JSC::Probe::Page::flushWrites):
2780         * assembler/ProbeStack.h:
2781         (JSC::Probe::Page::get):
2782         (JSC::Probe::Page::set):
2783         (JSC::Probe::Page::dirtyBitFor):
2784         (JSC::Probe::Page::physicalAddressFor):
2785         (JSC::Probe::Stack::lowWatermark):
2786         (JSC::Probe::Stack::get):
2787         (JSC::Probe::Stack::set):
2788         * assembler/testmasm.cpp:
2789         (JSC::testProbeModifiesStackValues):
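
Items 1a, 1c and 2 of this entry, as an added model that is not JSC's Probe::Page: a shadow copy of one stack page with a dirty bit per chunk. The chunk size is fixed at 4 bytes to model the 32-bit ASan build described above, and the dirty mask is 64 bits wide, so a page holds 64 chunks. `dirtyBitsFor` marks every chunk a write touches (marking only the first chunk is the bug in item 1c), `get`/`set` go through `std::memcpy` to avoid strict-aliasing problems, `copyPageUninstrumented` is a byte copy marked so ASan does not instrument it, and `flushWrites` writes back only dirty chunks. All names here are assumptions for the illustration.

```cpp
#include <array>
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>

// Added model, not JSC's code: one page of shadowed stack memory with a
// dirty bit per chunk. chunkSize == 4 models sizeof(uintptr_t) on a 32-bit
// ASan build; the 64-bit mask gives 64 chunks per page.
class ShadowPage {
public:
    static constexpr size_t chunkSize = 4;
    static constexpr size_t chunksPerPage = 64;
    static constexpr size_t pageSize = chunkSize * chunksPerPage;

    // Every chunk covered by a write of `size` bytes at `offset`. A 64-bit
    // value written at a 4-byte chunk boundary covers two chunks; the pre-fix
    // behaviour described above marked only the first of them.
    static uint64_t dirtyBitsFor(size_t offset, size_t size)
    {
        if (!size)
            return 0;
        size_t first = offset / chunkSize;
        size_t last = (offset + size - 1) / chunkSize;
        uint64_t mask = 0;
        for (size_t chunk = first; chunk <= last; ++chunk)
            mask |= uint64_t(1) << chunk;
        return mask;
    }

    // Read a T out of raw bytes via memcpy instead of a pointer cast, so no
    // strict-aliasing rule is violated (item 2 above).
    template<typename T> T get(size_t offset) const
    {
        T value;
        std::memcpy(&value, m_buffer.data() + offset, sizeof(T));
        return value;
    }

    template<typename T> void set(size_t offset, T value)
    {
        std::memcpy(m_buffer.data() + offset, &value, sizeof(T));
        m_dirtyBits |= dirtyBitsFor(offset, sizeof(T));
    }

    uint64_t dirtyBits() const { return m_dirtyBits; }

    // Copy only dirty chunks back to the real page; untouched chunks, which
    // may hold data that is not JSC's, are left alone. Returns the chunk count.
    size_t flushWrites(uint8_t* destination) const
    {
        size_t flushed = 0;
        for (size_t chunk = 0; chunk < chunksPerPage; ++chunk) {
            if (!(m_dirtyBits & (uint64_t(1) << chunk)))
                continue;
            std::memcpy(destination + chunk * chunkSize, m_buffer.data() + chunk * chunkSize, chunkSize);
            ++flushed;
        }
        return flushed;
    }

private:
    std::array<uint8_t, pageSize> m_buffer {};
    uint64_t m_dirtyBits { 0 };
};

// Whole-page byte copy that ASan must not instrument: the probe copies stack
// memory beyond the current frame on purpose (item 1a above). Hypothetical
// name; the attribute is understood by GCC and Clang.
#if defined(__clang__) || defined(__GNUC__)
__attribute__((no_sanitize_address))
#endif
static void copyPageUninstrumented(void* dst, const void* src, size_t n)
{
    auto* d = static_cast<uint8_t*>(dst);
    auto* s = static_cast<const uint8_t*>(src);
    for (size_t i = 0; i < n; ++i)
        d[i] = s[i];
}

// Demo: a 64-bit write at `offset`, flushed into a scratch page and read back.
uint64_t roundTrip64(size_t offset, uint64_t value)
{
    ShadowPage page;
    page.set<uint64_t>(offset, value);
    std::array<uint8_t, ShadowPage::pageSize> stack {}; // constructed "real" page
    page.flushWrites(stack.data());
    uint64_t out;
    std::memcpy(&out, stack.data() + offset, sizeof(out));
    return out;
}

// Demo: a 32-bit write at chunk 0 plus a 64-bit write covering chunks 2 and 3.
ShadowPage twoWritesPage()
{
    ShadowPage page;
    page.set<uint32_t>(0, 1u);
    page.set<uint64_t>(8, 2ull);
    return page;
}

// Flush into a scratch page and report how many chunks were copied.
size_t flushedChunkCount(const ShadowPage& page)
{
    std::array<uint8_t, ShadowPage::pageSize> scratch {};
    return page.flushWrites(scratch.data());
}

int main()
{
    std::array<uint8_t, ShadowPage::pageSize> a {}, b {};
    a[7] = 0x5a;
    copyPageUninstrumented(b.data(), a.data(), a.size());
    assert(b[7] == 0x5a);
    assert(ShadowPage::dirtyBitsFor(4, 8) == 0x6);
    assert(roundTrip64(4, 0x1122334455667788ULL) == 0x1122334455667788ULL);
    assert(twoWritesPage().dirtyBits() == 0xD);
    assert(flushedChunkCount(twoWritesPage()) == 3);
    return 0;
}
```

With the first-chunk-only marking, `roundTrip64(4, ...)` would flush only bytes 4..7 and the upper half of the value would never reach the real page, which is the 32-bit ASan symptom the entry describes.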
2790
2791 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2792
2793         [JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed
2794         https://bugs.webkit.org/show_bug.cgi?id=176917
2795
2796         Reviewed by Saam Barati.
2797
2798         * dfg/DFGByteCodeParser.cpp:
2799         (JSC::DFG::ByteCodeParser::inliningCost):
2800         * runtime/Options.h:
2801
2802 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2803
2804         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
2805         https://bugs.webkit.org/show_bug.cgi?id=176867
2806
2807         Reviewed by Sam Weinig.
2808
2809         We rarely require private symbols when enumerating property names.
2810         This patch adds PrivateSymbolMode::{Include,Exclude}. If PrivateSymbolMode::Exclude
2811         is specified, PropertyNameArray does not include private symbols.
2812         This removes many ad-hoc `Identifier::isPrivateName()` in enumeration operations.
2813
2814         One additional good thing is that we do not need to filter private symbols out from PropertyNameArray.
2815         It allows us to use Object.keys()'s fast path for Object.getOwnPropertySymbols.
2816
2817         object-get-own-property-symbols                48.6275+-1.0021     ^     38.1846+-1.7934        ^ definitely 1.2735x faster
2818
2819         * API/JSObjectRef.cpp:
2820         (JSObjectCopyPropertyNames):
2821         * bindings/ScriptValue.cpp:
2822         (Inspector::jsToInspectorValue):
2823         * bytecode/ObjectAllocationProfile.h:
2824         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2825         * runtime/EnumerationMode.h:
2826         * runtime/IntlObject.cpp:
2827         (JSC::supportedLocales):
2828         * runtime/JSONObject.cpp:
2829         (JSC::Stringifier::Stringifier):
2830         (JSC::Stringifier::Holder::appendNextProperty):
2831         (JSC::Walker::walk):
2832         * runtime/JSPropertyNameEnumerator.cpp:
2833         (JSC::JSPropertyNameEnumerator::create):
2834         * runtime/JSPropertyNameEnumerator.h:
2835         (JSC::propertyNameEnumerator):
2836         * runtime/ObjectConstructor.cpp:
2837         (JSC::objectConstructorGetOwnPropertyDescriptors):
2838         (JSC::objectConstructorAssign):
2839         (JSC::objectConstructorValues):
2840         (JSC::defineProperties):
2841         (JSC::setIntegrityLevel):
2842         (JSC::testIntegrityLevel):
2843         (JSC::ownPropertyKeys):
2844         * runtime/PropertyNameArray.h:
2845         (JSC::PropertyNameArray::PropertyNameArray):
2846         (JSC::PropertyNameArray::propertyNameMode const):
2847         (JSC::PropertyNameArray::privateSymbolMode const):
2848         (JSC::PropertyNameArray::addUncheckedInternal):
2849         (JSC::PropertyNameArray::addUnchecked):
2850         (JSC::PropertyNameArray::add):
2851         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
2852         (JSC::PropertyNameArray::includeSymbolProperties const):
2853         (JSC::PropertyNameArray::includeStringProperties const):
2854         (JSC::PropertyNameArray::mode const): Deleted.
2855         * runtime/ProxyObject.cpp:
2856         (JSC::ProxyObject::performGetOwnPropertyNames):
2857
2858 2017-09-13  Mark Lam  <mark.lam@apple.com>
2859
2860         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
2861         https://bugs.webkit.org/show_bug.cgi?id=176888
2862         <rdar://problem/34381832>
2863
2864         Not reviewed.
2865
2866         * JavaScriptCore.xcodeproj/project.pbxproj:
2867         * assembler/MacroAssembler.cpp:
2868         (JSC::stdFunctionCallback):
2869         * assembler/MacroAssemblerPrinter.cpp:
2870         (JSC::Printer::printCallback):
2871         * assembler/ProbeContext.h:
2872         (JSC::Probe:: const):
2873         (JSC::Probe::Context::Context):
2874         (JSC::Probe::Context::gpr):
2875         (JSC::Probe::Context::spr):
2876         (JSC::Probe::Context::fpr):
2877         (JSC::Probe::Context::gprName):
2878         (JSC::Probe::Context::sprName):
2879         (JSC::Probe::Context::fprName):
2880         (JSC::Probe::Context::pc):
2881         (JSC::Probe::Context::fp):
2882         (JSC::Probe::Context::sp):
2883         (JSC::Probe::CPUState::gpr const): Deleted.
2884         (JSC::Probe::CPUState::spr const): Deleted.
2885         (JSC::Probe::Context::arg): Deleted.
2886         (JSC::Probe::Context::gpr const): Deleted.
2887         (JSC::Probe::Context::spr const): Deleted.
2888         (JSC::Probe::Context::fpr const): Deleted.
2889         * assembler/ProbeFrame.h: Removed.
2890         * assembler/ProbeStack.cpp:
2891         (JSC::Probe::Page::Page):
2892         * assembler/ProbeStack.h:
2893         (JSC::Probe::Page::get):
2894         (JSC::Probe::Page::set):
2895         (JSC::Probe::Page::physicalAddressFor):
2896         (JSC::Probe::Stack::lowWatermark):
2897         (JSC::Probe::Stack::get):
2898         (JSC::Probe::Stack::set):
2899         * bytecode/ArithProfile.cpp:
2900         * bytecode/ArithProfile.h:
2901         * bytecode/ArrayProfile.h:
2902         (JSC::ArrayProfile::observeArrayMode): Deleted.
2903         * bytecode/CodeBlock.cpp:
2904         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted.
2905         * bytecode/CodeBlock.h:
2906         (JSC::CodeBlock::addressOfOSRExitCounter):
2907         * bytecode/ExecutionCounter.h:
2908         (JSC::ExecutionCounter::hasCrossedThreshold const): Deleted.
2909         (JSC::ExecutionCounter::setNewThresholdForOSRExit): Deleted.
2910         * bytecode/MethodOfGettingAValueProfile.cpp:
2911         (JSC::MethodOfGettingAValueProfile::reportValue): Deleted.
2912         * bytecode/MethodOfGettingAValueProfile.h:
2913         * dfg/DFGDriver.cpp:
2914         (JSC::DFG::compileImpl):
2915         * dfg/DFGJITCode.cpp:
2916         (JSC::DFG::JITCode::findPC):
2917         * dfg/DFGJITCode.h:
2918         * dfg/DFGJITCompiler.cpp:
2919         (JSC::DFG::JITCompiler::linkOSRExits):
2920         (JSC::DFG::JITCompiler::link):
2921         * dfg/DFGOSRExit.cpp:
2922         (JSC::DFG::OSRExit::setPatchableCodeOffset):
2923         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const):
2924         (JSC::DFG::OSRExit::codeLocationForRepatch const):
2925         (JSC::DFG::OSRExit::correctJump):
2926         (JSC::DFG::OSRExit::emitRestoreArguments):
2927         (JSC::DFG::OSRExit::compileOSRExit):
2928         (JSC::DFG::OSRExit::compileExit):
2929         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
2930         (JSC::DFG::jsValueFor): Deleted.
2931         (JSC::DFG::restoreCalleeSavesFor): Deleted.
2932         (JSC::DFG::saveCalleeSavesFor): Deleted.
2933         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted.
2934         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted.
2935         (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted.
2936         (JSC::DFG::createDirectArgumentsDuringExit): Deleted.
2937         (JSC::DFG::createClonedArgumentsDuringExit): Deleted.
2938         (JSC::DFG::emitRestoreArguments): Deleted.
2939         (JSC::DFG::OSRExit::executeOSRExit): Deleted.
2940         (JSC::DFG::reifyInlinedCallFrames): Deleted.
2941         (JSC::DFG::adjustAndJumpToTarget): Deleted.
2942         (JSC::DFG::printOSRExit): Deleted.
2943         * dfg/DFGOSRExit.h:
2944         (JSC::DFG::OSRExitState::OSRExitState): Deleted.
2945         * dfg/DFGOSRExitCompilerCommon.cpp:
2946         * dfg/DFGOSRExitCompilerCommon.h:
2947         * dfg/DFGOperations.cpp:
2948         * dfg/DFGOperations.h:
2949         * dfg/DFGThunks.cpp:
2950         (JSC::DFG::osrExitGenerationThunkGenerator):
2951         (JSC::DFG::osrExitThunkGenerator): Deleted.
2952         * dfg/DFGThunks.h:
2953         * jit/AssemblyHelpers.cpp:
2954         (JSC::AssemblyHelpers::debugCall):
2955         * jit/AssemblyHelpers.h:
2956         * jit/JITOperations.cpp:
2957         * jit/JITOperations.h:
2958         * profiler/ProfilerOSRExit.h:
2959         (JSC::Profiler::OSRExit::incCount): Deleted.
2960         * runtime/JSCJSValue.h:
2961         * runtime/JSCJSValueInlines.h:
2962         * runtime/VM.h:
2963
2964 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2965
2966         [JSC] Move class/struct used in other class' member out of anonymous namespace
2967         https://bugs.webkit.org/show_bug.cgi?id=176876
2968
2969         Reviewed by Saam Barati.
2970
2971         GCC warns if a class has a base or field whose type uses the anonymous namespace
2972         and it is defined in an included file. This is because this possibly violates
2973         one definition rule (ODR): if an included file has the anonymous namespace, each
2974         translation unit creates its private anonymous namespace. Thus, each type
2975         inside the anonymous namespace becomes different in each translation unit if
2976         the file is included in multiple translation units.
2977
2978         While the current use in JSC is not violating ODR since these cpp files are included
2979         only once for unified sources, specifying `-Wno-subobject-linkage` could miss
2980         the actual bugs. So, in this patch, we just move related classes/structs out of
2981         the anonymous namespace.
2982
2983         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2984         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::addition):
2985         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::arrayBounds):
2986         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator! const):
2987         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::hash const):
2988         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator== const):
2989         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::dump const):
2990         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::RangeKeyAndAddend):
2991         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::operator! const):
2992         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::dump const):
2993         (JSC::DFG::IntegerCheckCombiningPhase::Range::dump const):
2994         * dfg/DFGLICMPhase.cpp:
2995
2996 2017-09-13  Devin Rousso  <webkit@devinrousso.com>
2997
2998         Web Inspector: Event Listeners section does not update when listeners are added/removed
2999         https://bugs.webkit.org/show_bug.cgi?id=170570
3000         <rdar://problem/31501645>
3001
3002         Reviewed by Joseph Pecoraro.
3003
3004         * inspector/protocol/DOM.json:
3005         Add two new events: "didAddEventListener" and "willRemoveEventListener". These events do not
3006         contain any information about the event listeners that were added/removed. They serve more
3007         as indications that something has changed, and to refetch the data again via `getEventListenersForNode`.
3008
3009 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3010
3011         [JSC] Fix Array allocation in Object.keys
3012         https://bugs.webkit.org/show_bug.cgi?id=176826
3013
3014         Reviewed by Saam Barati.
3015
3016         When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
3017         We check isHavingABadTime() in ownPropertyKeys fast path.
3018         And we also ensure by a test that ownPropertyKeys uses the putDirect operation instead of put.
3019
3020         * runtime/ObjectConstructor.cpp:
3021         (JSC::ownPropertyKeys):
3022
3023 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3024
3025         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3026         https://bugs.webkit.org/show_bug.cgi?id=176010
3027
3028         Reviewed by Filip Pizlo.
3029
3030         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
3031         It is used for meta property for objects (see peekMeta function in Ember.js).
3032
3033         This patch optimizes WeakMap#get.
3034
3035         1. We use inlineGet to inline WeakMap#get operation in the native function.
3036         Since this native function itself is very small, we should inline HashMap#get
3037         entirely in this function.
3038
3039         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
3040         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
3041         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
3042         ObjectUse, and Int32Use.
3043
3044         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
3045         calculate hash value for the key's Object and use this hash value to look up value from
3046         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
3047         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
3048         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
3049         patches.
3050
3051         We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
3052         not used in Ember.js right now.
3053
3054         This patch optimizes WeakMap#get by 50%.
3055
3056                                  baseline                  patched
3057
3058         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
3059
3060         * bytecode/DirectEvalCodeCache.h:
3061         (JSC::DirectEvalCodeCache::tryGet):
3062         * bytecode/SpeculatedType.cpp:
3063         (JSC::dumpSpeculation):
3064         (JSC::speculationFromClassInfo):
3065         (JSC::speculationFromJSType):
3066         (JSC::speculationFromString):
3067         * bytecode/SpeculatedType.h:
3068         * dfg/DFGAbstractInterpreterInlines.h:
3069         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3070         * dfg/DFGByteCodeParser.cpp:
3071         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3072         * dfg/DFGClobberize.h:
3073         (JSC::DFG::clobberize):
3074         * dfg/DFGDoesGC.cpp:
3075         (JSC::DFG::doesGC):
3076         * dfg/DFGFixupPhase.cpp:
3077         (JSC::DFG::FixupPhase::fixupNode):
3078         * dfg/DFGHeapLocation.cpp:
3079         (WTF::printInternal):
3080         * dfg/DFGHeapLocation.h:
3081         * dfg/DFGNode.h:
3082         (JSC::DFG::Node::hasHeapPrediction):
3083         * dfg/DFGNodeType.h:
3084         * dfg/DFGOperations.cpp:
3085         * dfg/DFGOperations.h:
3086         * dfg/DFGPredictionPropagationPhase.cpp:
3087         * dfg/DFGSafeToExecute.h:
3088         (JSC::DFG::SafeToExecuteEdge::operator()):
3089         (JSC::DFG::safeToExecute):
3090         * dfg/DFGSpeculativeJIT.cpp:
3091         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
3092         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
3093         (JSC::DFG::SpeculativeJIT::speculate):
3094         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
3095         * dfg/DFGSpeculativeJIT.h:
3096         (JSC::DFG::SpeculativeJIT::callOperation):
3097         * dfg/DFGSpeculativeJIT32_64.cpp:
3098         (JSC::DFG::SpeculativeJIT::compile):
3099         * dfg/DFGSpeculativeJIT64.cpp:
3100         (JSC::DFG::SpeculativeJIT::compile):
3101         * dfg/DFGUseKind.cpp:
3102         (WTF::printInternal):
3103         * dfg/DFGUseKind.h:
3104         (JSC::DFG::typeFilterFor):
3105         (JSC::DFG::isCell):
3106         * ftl/FTLCapabilities.cpp:
3107         (JSC::FTL::canCompile):
3108         * ftl/FTLLowerDFGToB3.cpp:
3109         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3110         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
3111         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
3112         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
3113         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3114         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
3115         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
3116         * jit/JITOperations.h:
3117         * runtime/HashMapImpl.h:
3118         (JSC::WeakMapHash::hash):
3119         (JSC::WeakMapHash::equal):
3120         * runtime/Intrinsic.cpp:
3121         (JSC::intrinsicName):
3122         * runtime/Intrinsic.h:
3123         * runtime/JSType.h:
3124         * runtime/JSWeakMap.h:
3125         (JSC::isJSWeakMap):
3126         * runtime/JSWeakSet.h:
3127         (JSC::isJSWeakSet):
3128         * runtime/WeakMapBase.cpp:
3129         (JSC::WeakMapBase::get):
3130         * runtime/WeakMapBase.h:
3131         (JSC::WeakMapBase::HashTranslator::hash):
3132         (JSC::WeakMapBase::HashTranslator::equal):
3133         (JSC::WeakMapBase::inlineGet):
3134         * runtime/WeakMapPrototype.cpp:
3135         (JSC::WeakMapPrototype::finishCreation):
3136         (JSC::getWeakMap):
3137         (JSC::protoFuncWeakMapGet):
3138         * runtime/WeakSetPrototype.cpp:
3139         (JSC::getWeakSet):
3140
3141 2017-09-12  Keith Miller  <keith_miller@apple.com>
3142
3143         Rename JavaScriptCore CMake unifiable sources list
3144         https://bugs.webkit.org/show_bug.cgi?id=176823
3145
3146         Reviewed by Joseph Pecoraro.
3147
3148         This patch also makes the error message more accurate when the unified source
3149         bundler fails.
3150
3151         * CMakeLists.txt:
3152
3153 2017-09-12  Keith Miller  <keith_miller@apple.com>
3154
3155         Do unified source builds for JSC
3156         https://bugs.webkit.org/show_bug.cgi?id=176076
3157
3158         Reviewed by Geoffrey Garen.
3159
3160         This patch switches the CMake JavaScriptCore build to use unified sources.
3161         The Xcode build will be upgraded in a follow up patch.
3162
3163         Most of the source changes in this patch are fixing static
3164         variable/functions name collisions. The most common collisions
3165         were from our use of "static const bool verbose" and "using
3166         namespace ...". I fixed all the verbose cases and fixed the "using
3167         namespace" issues that occurred under the current bundling
3168         strategy. It's likely that more of the "using namespace" issues
3169         will need to be resolved in the future, particularly in the FTL.
3170
3171         I don't expect either of these problems will apply to other parts
3172         of the project nearly as much as in JSC. Using a verbose variable
3173         is a JSC idiom and JSC tends to use the same, canonical, class name
3174         in multiple parts of the engine.
3175
3176         * CMakeLists.txt:
3177         * b3/B3CheckSpecial.cpp:
3178         (JSC::B3::CheckSpecial::forEachArg):
3179         (JSC::B3::CheckSpecial::generate):
3180         (JSC::B3::Air::numB3Args): Deleted.
3181         * b3/B3DuplicateTails.cpp:
3182         * b3/B3EliminateCommonSubexpressions.cpp:
3183         * b3/B3FixSSA.cpp:
3184         (JSC::B3::demoteValues):
3185         * b3/B3FoldPathConstants.cpp:
3186         * b3/B3InferSwitches.cpp:
3187         * b3/B3LowerMacrosAfterOptimizations.cpp:
3188         (): Deleted.
3189         * b3/B3LowerToAir.cpp:
3190         (JSC::B3::Air::LowerToAir::LowerToAir): Deleted.
3191         (JSC::B3::Air::LowerToAir::run): Deleted.
3192         (JSC::B3::Air::LowerToAir::shouldCopyPropagate): Deleted.
3193         (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise): Deleted.
3194         (JSC::B3::Air::LowerToAir::ArgPromise::swap): Deleted.
3195         (JSC::B3::Air::LowerToAir::ArgPromise::operator=): Deleted.
3196         (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise): Deleted.
3197         (JSC::B3::Air::LowerToAir::ArgPromise::setTraps): Deleted.
3198         (JSC::B3::Air::LowerToAir::ArgPromise::tmp): Deleted.
3199         (JSC::B3::Air::LowerToAir::ArgPromise::operator bool const): Deleted.
3200         (JSC::B3::Air::LowerToAir::ArgPromise::kind const): Deleted.
3201         (JSC::B3::Air::LowerToAir::ArgPromise::peek const): Deleted.
3202         (JSC::B3::Air::LowerToAir::ArgPromise::consume): Deleted.
3203         (JSC::B3::Air::LowerToAir::ArgPromise::inst): Deleted.
3204         (JSC::B3::Air::LowerToAir::tmp): Deleted.
3205         (JSC::B3::Air::LowerToAir::tmpPromise): Deleted.
3206         (JSC::B3::Air::LowerToAir::canBeInternal): Deleted.
3207         (JSC::B3::Air::LowerToAir::commitInternal): Deleted.
3208         (JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
3209         (JSC::B3::Air::LowerToAir::scaleForShl): Deleted.
3210         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
3211         (JSC::B3::Air::LowerToAir::addr): Deleted.
3212         (JSC::B3::Air::LowerToAir::trappingInst): Deleted.
3213         (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode): Deleted.
3214         (JSC::B3::Air::LowerToAir::loadPromise): Deleted.
3215         (JSC::B3::Air::LowerToAir::imm): Deleted.
3216         (JSC::B3::Air::LowerToAir::bitImm): Deleted.
3217         (JSC::B3::Air::LowerToAir::bitImm64): Deleted.
3218         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
3219         (JSC::B3::Air::LowerToAir::tryOpcodeForType): Deleted.
3220         (JSC::B3::Air::LowerToAir::opcodeForType): Deleted.
3221         (JSC::B3::Air::LowerToAir::appendUnOp): Deleted.
3222         (JSC::B3::Air::LowerToAir::preferRightForResult): Deleted.
3223         (JSC::B3::Air::LowerToAir::appendBinOp): Deleted.
3224         (JSC::B3::Air::LowerToAir::appendShift): Deleted.
3225         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp): Deleted.
3226         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): Deleted.
3227         (JSC::B3::Air::LowerToAir::createStore): Deleted.
3228         (JSC::B3::Air::LowerToAir::storeOpcode): Deleted.
3229         (JSC::B3::Air::LowerToAir::appendStore): Deleted.
3230         (JSC::B3::Air::LowerToAir::moveForType): Deleted.
3231         (JSC::B3::Air::LowerToAir::relaxedMoveForType): Deleted.
3232         (JSC::B3::Air::LowerToAir::print): Deleted.
3233         (JSC::B3::Air::LowerToAir::append): Deleted.
3234         (JSC::B3::Air::LowerToAir::appendTrapping): Deleted.
3235         (JSC::B3::Air::LowerToAir::finishAppendingInstructions): Deleted.
3236         (JSC::B3::Air::LowerToAir::newBlock): Deleted.
3237         (JSC::B3::Air::LowerToAir::splitBlock): Deleted.
3238         (JSC::B3::Air::LowerToAir::ensureSpecial): Deleted.
3239         (JSC::B3::Air::LowerToAir::ensureCheckSpecial): Deleted.
3240         (JSC::B3::Air::LowerToAir::fillStackmap): Deleted.
3241         (JSC::B3::Air::LowerToAir::createGenericCompare): Deleted.
3242         (JSC::B3::Air::LowerToAir::createBranch): Deleted.
3243         (JSC::B3::Air::LowerToAir::createCompare): Deleted.
3244         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
3245         (JSC::B3::Air::LowerToAir::tryAppendLea): Deleted.
3246         (JSC::B3::Air::LowerToAir::appendX86Div): Deleted.
3247         (JSC::B3::Air::LowerToAir::appendX86UDiv): Deleted.
3248         (JSC::B3::Air::LowerToAir::loadLinkOpcode): Deleted.
3249         (JSC::B3::Air::LowerToAir::storeCondOpcode): Deleted.
3250         (JSC::B3::Air::LowerToAir::appendCAS): Deleted.
3251         (JSC::B3::Air::LowerToAir::appendVoidAtomic): Deleted.
3252         (JSC::B3::Air::LowerToAir::appendGeneralAtomic): Deleted.
3253         (JSC::B3::Air::LowerToAir::lower): Deleted.
3254         * b3/B3PatchpointSpecial.cpp:
3255         (JSC::B3::PatchpointSpecial::generate):
3256         * b3/B3ReduceDoubleToFloat.cpp:
3257         (JSC::B3::reduceDoubleToFloat):
3258         * b3/B3ReduceStrength.cpp:
3259         * b3/B3StackmapGenerationParams.cpp:
3260         * b3/B3StackmapSpecial.cpp:
3261         (JSC::B3::StackmapSpecial::repsImpl):
3262         (JSC::B3::StackmapSpecial::repForArg):
3263         * b3/air/AirAllocateStackByGraphColoring.cpp:
3264         (JSC::B3::Air::allocateStackByGraphColoring):
3265         * b3/air/AirEmitShuffle.cpp:
3266         (JSC::B3::Air::emitShuffle):
3267         * b3/air/AirFixObviousSpills.cpp:
3268         * b3/air/AirLowerAfterRegAlloc.cpp:
3269         (JSC::B3::Air::lowerAfterRegAlloc):
3270         * b3/air/AirStackAllocation.cpp:
3271         (JSC::B3::Air::attemptAssignment):
3272         (JSC::B3::Air::assign):
3273         * bytecode/AccessCase.cpp:
3274         (JSC::AccessCase::generateImpl):
3275         * bytecode/CallLinkStatus.cpp:
3276         (JSC::CallLinkStatus::computeDFGStatuses):
3277         * bytecode/GetterSetterAccessCase.cpp:
3278         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3279         * bytecode/ObjectPropertyConditionSet.cpp:
3280         * bytecode/PolymorphicAccess.cpp:
3281         (JSC::PolymorphicAccess::addCases):
3282         (JSC::PolymorphicAccess::regenerate):
3283         * bytecode/PropertyCondition.cpp:
3284         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
3285         * bytecode/StructureStubInfo.cpp:
3286         (JSC::StructureStubInfo::addAccessCase):
3287         * dfg/DFGArgumentsEliminationPhase.cpp:
3288         * dfg/DFGByteCodeParser.cpp:
3289         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
3290         (JSC::DFG::ByteCodeParser::inliningCost):
3291         (JSC::DFG::ByteCodeParser::inlineCall):
3292