3594eb325bdfc07806fb0b75f2273621faff539a
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix exception checking, part 2
        https://bugs.webkit.org/show_bug.cgi?id=185350

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByValInternal):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):

2018-05-16  Filip Pizlo  <fpizlo@apple.com>

        JSC should have InstanceOf inline caching
        https://bugs.webkit.org/show_bug.cgi?id=185652

        Reviewed by Saam Barati.

        This adds a polymorphic inline cache for instanceof. It caches hits and misses. It uses the
        existing PolymorphicAccess IC machinery along with all of its heuristics. If we ever generate
        too many cases, we emit the generic instanceof implementation instead.

        All of the JIT tiers use the same InstanceOf IC. It uses the existing JITInlineCacheGenerator
        abstraction.

        This is a ~40% speed-up on instanceof microbenchmarks. It's a *tiny* (~1%) speed-up on
        Octane/boyer. I think I can make that speed-up bigger by inlining the inline cache.

        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/B3Effects.h:
        (JSC::B3::Effects::forReadOnlyCall):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::guardedByStructureCheck const):
        (JSC::AccessCase::canReplace const):
        (JSC::AccessCase::visitWeak const):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCase.h:
        * bytecode/InstanceOfAccessCase.cpp: Added.
        (JSC::InstanceOfAccessCase::create):
        (JSC::InstanceOfAccessCase::dumpImpl const):
        (JSC::InstanceOfAccessCase::clone const):
        (JSC::InstanceOfAccessCase::~InstanceOfAccessCase):
        (JSC::InstanceOfAccessCase::InstanceOfAccessCase):
        * bytecode/InstanceOfAccessCase.h: Added.
        (JSC::InstanceOfAccessCase::prototype const):
        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::hasPrototypeWithoutBarrier):
        (JSC::ObjectPropertyCondition::hasPrototype):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForInstanceOf):
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::addCases):
        (JSC::PolymorphicAccess::regenerate):
        (WTF::printInternal):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::dumpInContext const):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
        (WTF::printInternal):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::absenceWithoutBarrier):
        (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
        (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
        (JSC::PropertyCondition::hasPrototype):
        (JSC::PropertyCondition::hasPrototype const):
        (JSC::PropertyCondition::prototype const):
        (JSC::PropertyCondition::hash const):
        (JSC::PropertyCondition::operator== const):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::StructureStubInfo):
        (JSC::StructureStubInfo::reset):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::considerCaching):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInlineCacheWrapper.h:
        * dfg/DFGInlineCacheWrapperInlines.h:
        (JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addInstanceOf):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
        * jit/ICStats.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::link):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITInlineCacheGenerator::finalize):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::finalize):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
        (JSC::JITInstanceOfGenerator::generateFastPath):
        (JSC::JITInstanceOfGenerator::finalize):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITInlineCacheGenerator::reportSlowPathCall):
        (JSC::JITInlineCacheGenerator::slowPathBegin const):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
        (JSC::finalizeInlineCaches):
        (JSC::JITByIdGenerator::reportSlowPathCall): Deleted.
        (JSC::JITByIdGenerator::slowPathBegin const): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::stubUnavailableRegisters):
        * jit/Repatch.cpp:
        (JSC::tryCacheIn):
        (JSC::tryCacheInstanceOf):
        (JSC::repatchInstanceOf):
        (JSC::resetPatchableJump):
        (JSC::resetIn):
        (JSC::resetInstanceOf):
        * jit/Repatch.h:
        * runtime/Options.h:
        * runtime/Structure.h:

2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix exception checking
        https://bugs.webkit.org/show_bug.cgi?id=185350

        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectWithReify):
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):

2018-05-17  Michael Saboff  <msaboff@apple.com>

        We don't throw SyntaxErrors for runtime generated regular expressions with errors
        https://bugs.webkit.org/show_bug.cgi?id=185755

        Reviewed by Keith Miller.

        Added a new helper that creates the correct exception to throw for each type of error when
        compiling a RegExp.  Using that new helper, added missing checks for RegExp for the cases
        where we create a new RegExp from an existing one.  Also refactored other places that we
        throw SyntaxErrors after a failed RegExp compile to use the new helper.

        * runtime/RegExp.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpCreate):
        (JSC::constructRegExp):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        * yarr/YarrErrorCode.cpp:
        (JSC::Yarr::errorToThrow):
        * yarr/YarrErrorCode.h:

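The entry above (bug 185755) concerns the runtime paths that build a RegExp from an existing one: regExpCreate, constructRegExp and RegExp.prototype.compile. The following is an added example, not JavaScriptCore code from this change, showing the behaviour those paths must have from the script side: every compile failure, whether in the pattern or in the flags, surfaces as a SyntaxError rather than a RegExp object that was never compiled. The helper names and the constructed patterns are the example's own; the expected results follow the ECMAScript semantics of RegExp and Annex B compile, which any conforming engine (including the fixed JSC) should reproduce.

```javascript
'use strict';

// Added example (not JavaScriptCore code): each way of building a RegExp at
// runtime, including the paths that derive a new RegExp from an existing one,
// must report a compile failure as a SyntaxError instead of returning an
// object that was never compiled.

// Runs `thunk` and returns the constructor name of what it threw, or null
// when it completed normally.
function thrownErrorName(thunk) {
  try {
    thunk();
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

// Exercises the RegExp constructor and Annex B RegExp.prototype.compile with
// both fresh patterns and a pre-existing RegExp used as the source. The
// patterns are constructed for this example.
function regexpCompileErrorCases() {
  const existing = /a+b/g;
  return {
    // Pattern string with an unterminated group.
    badPattern: thrownErrorName(() => new RegExp('(')),
    // Existing RegExp copied with a duplicated flag.
    copyWithBadFlags: thrownErrorName(() => new RegExp(existing, 'gg')),
    // Existing RegExp copied with a valid replacement flag set: no error.
    copyWithNewFlags: thrownErrorName(() => new RegExp(existing, 'i')),
    // Re-compiling an existing RegExp in place with an unterminated class.
    recompileBadPattern: thrownErrorName(() => existing.compile('[')),
    // Re-compiling an existing RegExp with an unknown flag.
    recompileBadFlags: thrownErrorName(() => existing.compile('a', 'q')),
    // A lone trailing backslash is invalid in every mode, including /u.
    unicodeBadEscape: thrownErrorName(() => new RegExp('\\', 'u')),
  };
}
```

Each entry in the returned object is either 'SyntaxError' or null; a RegExp that silently came back from any of the failing cases would be the bug the entry describes.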
2018-05-17  Saam Barati  <sbarati@apple.com>

        Remove shrinkFootprint test from apitests since it's flaky
        https://bugs.webkit.org/show_bug.cgi?id=185754

        Reviewed by Mark Lam.

        This test is flaky as it keeps failing on certain people's machines.
        Having a test about OS footprint seems like it'll forever be doomed
        to being flaky.

        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):

2018-05-17  Saam Barati  <sbarati@apple.com>

        defaultConstructorSourceCode needs to makeSource every time it's called
        https://bugs.webkit.org/show_bug.cgi?id=185753

        Rubber-stamped by Mark Lam.

        The bug here is multiple VMs can be running concurrently to one another
        in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
        if we copy a static SourceCode. Instead, we create a new one each time
        this function is called.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):

2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use AssemblyHelpers' type checking functions as much as possible
        https://bugs.webkit.org/show_bug.cgi?id=185730

        Reviewed by Saam Barati.

        Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex
        bit and register operations for type tagging of JSValue. It is really useful when we would like
        to tweak the type tagging representation since the code is collected into AssemblyHelpers. And
        the named function is more readable than some branching operations.

        We also remove unnecessary branching functions in JIT / JSInterfaceJIT. Some of them are duplicates
        of AssemblyHelpers' ones.

        We add several new type checking functions to AssemblyHelpers. Moreover, we add branchIfXXX(GPRReg)
        functions even for the 32-bit environment. In the 32-bit environment, these functions take the tag
        register. These semantics are aligned with the existing branchIfCell / branchIfNotCell.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
        (JSC::DFG::SpeculativeJIT::speculateCellType):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
        (JSC::DFG::SpeculativeJIT::compileCreateThis):
        (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::convertAnyInt):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfInt32):
        (JSC::AssemblyHelpers::branchIfNotInt32):
        (JSC::AssemblyHelpers::branchIfNumber):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfBoolean):
        (JSC::AssemblyHelpers::branchIfNotBoolean):
        (JSC::AssemblyHelpers::branchIfEmpty):
        (JSC::AssemblyHelpers::branchIfNotEmpty):
        (JSC::AssemblyHelpers::branchIfUndefined):
        (JSC::AssemblyHelpers::branchIfNotUndefined):
        (JSC::AssemblyHelpers::branchIfNull):
        (JSC::AssemblyHelpers::branchIfNotNull):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emit_op_inc):
        (JSC::JIT::emit_op_dec):
        (JSC::JIT::emitBinaryDoubleOp):
        (JSC::JIT::emit_op_mod):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
        (JSC::JIT::emitJumpIfBothJSCells):
        (JSC::JIT::emitJumpSlowCaseIfJSCell):
        (JSC::JIT::emitJumpIfNotInt):
        (JSC::JIT::emitJumpSlowCaseIfNotInt):
        (JSC::JIT::emitJumpSlowCaseIfNotNumber):
        (JSC::JIT::emitJumpIfCellObject): Deleted.
        (JSC::JIT::emitJumpIfCellNotObject): Deleted.
        (JSC::JIT::emitJumpIfJSCell): Deleted.
        (JSC::JIT::emitJumpIfInt): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_to_object):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_check_tdz):
        (JSC::JIT::emitNewFuncExprCommon):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jneq_ptr):
        (JSC::JIT::emit_op_eq):
        (JSC::JIT::emit_op_jeq):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::emit_op_jneq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_to_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emit_op_check_tdz):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitWriteBarrier):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitLoadJSCell):
        (JSC::JSInterfaceJIT::emitLoadInt32):
        (JSC::JSInterfaceJIT::emitLoadDouble):
        (JSC::JSInterfaceJIT::emitJumpIfNumber): Deleted.
        (JSC::JSInterfaceJIT::emitJumpIfNotNumber): Deleted.
        (JSC::JSInterfaceJIT::emitJumpIfNotType): Deleted.
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::absThunkGenerator):
        * tools/JSDollarVM.cpp:
        (WTF::DOMJITNode::checkSubClassSnippet):
        (WTF::DOMJITFunctionObject::checkSubClassSnippet):

2018-05-17  Saam Barati  <sbarati@apple.com>

        Unreviewed. Fix the build after my attempted build fix broke the build.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):
        (JSC::BuiltinExecutables::createDefaultConstructor):
        * builtins/BuiltinExecutables.h:

2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove reifyPropertyNameIfNeeded
        https://bugs.webkit.org/show_bug.cgi?id=185350

        Reviewed by Saam Barati.

        reifyPropertyNameIfNeeded is in the middle of putDirectInternal, which is a super critical path.
        This is a virtual call, and it is only used by JSFunction right now. Since this causes too much
        cost, we should remove this from the critical path.

        This patch removes this function call from the critical path. And in our slow paths, we call
        helper functions which call reifyLazyPropertyIfNeeded if the given value is a JSFunction.
        While putDirect is a bit of a raw API, our slow paths just call it. This helper wraps these calls
        and takes care of the edge cases. The other callsites of putDirect should know the type of the given
        object and the name of the property (and avoid these edge cases).

        This improves SixSpeed/object-assign.es6 by ~4% on MacBook Pro. And this patch does not cause
        regressions of the existing tests.

                                           baseline                  patched
        Kraken:
            json-parse-financial        35.522+-0.069      ^      34.708+-0.097         ^ definitely 1.0234x faster

        SixSpeed:
            object-assign.es6         145.8779+-0.2838     ^    140.1019+-0.8007        ^ definitely 1.0412x faster

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByValInternal):
        (JSC::DFG::putByValCellInternal):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ClassInfo.h:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectWithReify):
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):
        * runtime/JSCell.cpp:
        (JSC::JSCell::reifyPropertyNameIfNeeded): Deleted.
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::reifyPropertyNameIfNeeded): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectNonIndexAccessor):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):

2018-05-17  Saam Barati  <sbarati@apple.com>

        Unreviewed. Try to fix windows build.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):

2018-05-16  Saam Barati  <sbarati@apple.com>

        UnlinkedFunctionExecutable doesn't need a parent source override field since it's only used for default class constructors
        https://bugs.webkit.org/show_bug.cgi?id=185637

        Reviewed by Keith Miller.

        We had this general mechanism for overriding an UnlinkedFunctionExecutable's parent
        source code. However, we were only using this for default class constructors. There
        are only two types of default class constructors. This patch makes it so that
        we just store this information inside of a single bit, and ask for the source
        code as needed instead of holding it in a nullable field that is 24 bytes in size.

        This brings UnlinkedFunctionExecutable's size down from 184 bytes to 160 bytes.
        This has the consequence of making it allocated out of a 160 byte size class
        instead of a 224 byte size class. This should bring down its memory footprint
        by ~40%.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):
        (JSC::BuiltinExecutables::createDefaultConstructor):
        (JSC::BuiltinExecutables::createExecutable):
        * builtins/BuiltinExecutables.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2018-05-16  Saam Barati  <sbarati@apple.com>

        VM::shrinkFootprint should call collectNow(Sync) instead of collectSync so it also eagerly sweeps
        https://bugs.webkit.org/show_bug.cgi?id=185707

        Reviewed by Mark Lam.

        * runtime/VM.cpp:
        (JSC::VM::shrinkFootprint):

2018-05-16  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "/" operation
        https://bugs.webkit.org/show_bug.cgi?id=183996

        Reviewed by Yusuke Suzuki.

        This patch is introducing support for BigInt into the divide
        operation in the LLInt and JIT layers.

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::copy):
        (JSC::JSBigInt::unaryMinus):
        (JSC::JSBigInt::absoluteCompare):
        (JSC::JSBigInt::absoluteDivLarge):
        (JSC::JSBigInt::productGreaterThan):
        (JSC::JSBigInt::inplaceAdd):
        (JSC::JSBigInt::inplaceSub):
        (JSC::JSBigInt::inplaceRightShift):
        (JSC::JSBigInt::specialLeftShift):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:

2018-05-16  Saam Barati  <sbarati@apple.com>

        Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
        https://bugs.webkit.org/show_bug.cgi?id=185670

        Reviewed by Yusuke Suzuki.

        This patch makes it so that we constant fold CheckTypeInfoFlags for
        ImplementsDefaultHasInstance inside of AI/constant folding. We constant
        fold in three ways:
        - When the incoming value is a constant, we just look at its inline type
        flags. Since those flags never change after an object is created, this
        is sound.
        - Based on the incoming value having a finite structure set. We just iterate
        all structures and ensure they have the bit set.
        - Based on speculated type. To do this, I split up SpecFunction into two
        subheaps where one is for functions that have the bit set, and one for
        functions that don't have the bit set. The latter is currently only comprised
        of JSBoundFunctions. To constant fold, we check that the incoming
        value only has the SpecFunction type with ImplementsDefaultHasInstance set.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::assertTypeInfoFlagInvariants):
        * runtime/JSFunction.h:
        (JSC::JSFunction::assertTypeInfoFlagInvariants):
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::JSFunction):

2018-05-16  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: create a navigation item for toggling the overlay rulers/guides
        https://bugs.webkit.org/show_bug.cgi?id=185644

        Reviewed by Matt Baker.

        * inspector/protocol/OverlayTypes.json:
        * inspector/protocol/Page.json:

2018-05-16  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231845.
        https://bugs.webkit.org/show_bug.cgi?id=185702

        it is breaking Apple High Sierra 32-bit JSC bot (Requested by
        caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "/" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183996
        https://trac.webkit.org/changeset/231845

2018-05-16  Filip Pizlo  <fpizlo@apple.com>

        DFG models InstanceOf incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=185694

        Reviewed by Keith Miller.

        Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
        hoist it.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:

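Three entries in this log touch the same operation from the optimizer's side: the InstanceOf inline cache (bug 185652), which caches hits and misses per structure and prototype; the CheckTypeInfoFlags folding for ImplementsDefaultHasInstance (bug 185670), whose only exception today is JSBoundFunction; and the DFG modelling fix directly above (bug 185694), which records that instanceof can have effects and can throw. The following is an added example, not JavaScriptCore code, showing from script what those passes must preserve: a Proxy's getPrototypeOf trap runs and may throw during instanceof, a bound function is tested against its target, Symbol.hasInstance runs arbitrary code on the constructor side, and a warmed-up instanceof still observes a later change to the prototype chain. Base, Derived, Duck and the helper names are constructed for the example; the expected results follow the ECMAScript instanceof semantics, not any JSC internals.

```javascript
'use strict';

// Added example (not JavaScriptCore code): the observable semantics that the
// InstanceOf inline cache and the DFG InstanceOf node must preserve.
// Base and Derived are constructed here for the demonstration.
class Base {}
class Derived extends Base {}

// `instanceof` walks the left operand's prototype chain through
// [[GetPrototypeOf]]. On a Proxy that is a user trap, so the operation has
// observable effects. Returns the result and how many times the trap ran.
function instanceofThroughProxy(target, ctor) {
  let trapCalls = 0;
  const proxy = new Proxy(target, {
    getPrototypeOf(t) {
      trapCalls += 1;
      return Reflect.getPrototypeOf(t);
    },
  });
  const result = proxy instanceof ctor;
  return { result, trapCalls };
}

// The trap may throw, and the exception propagates out of `instanceof`;
// this is why the node cannot be dead-code-eliminated or hoisted.
// Returns the thrown message, or null if nothing was thrown.
function instanceofCanThrow(ctor) {
  const proxy = new Proxy({}, {
    getPrototypeOf() { throw new TypeError('trap fired'); },
  });
  try {
    void (proxy instanceof ctor);
    return null;
  } catch (e) {
    return e.message;
  }
}

// A bound function has no own prototype; OrdinaryHasInstance unwraps it and
// tests against the bound target. This is the function kind that does not
// take the default-hasInstance fast path.
function instanceofThroughBoundFunction() {
  const BoundBase = Base.bind(null);
  return new Derived() instanceof BoundBase;
}

// The constructor side can also run arbitrary code via Symbol.hasInstance.
function instanceofWithCustomHasInstance() {
  let calls = 0;
  class Duck {
    static [Symbol.hasInstance](value) {
      calls += 1;
      return typeof value.quack === 'function';
    }
  }
  const accepted = ({ quack() {} }) instanceof Duck;
  const rejected = ({}) instanceof Duck;
  return { accepted, rejected, calls };
}

// Warm up `instanceof` on a fixed structure, then rewire the prototype chain.
// A cache keyed on structure plus prototype must observe the change.
function instanceofTracksPrototypeChanges(iterations) {
  class A {}
  class B extends A {}
  const obj = new B();
  let before = 0;
  for (let i = 0; i < iterations; i += 1) {
    if (obj instanceof A) before += 1;
  }
  // Detach B.prototype from A.prototype; obj keeps its own structure.
  Object.setPrototypeOf(B.prototype, Object.prototype);
  let after = 0;
  for (let i = 0; i < iterations; i += 1) {
    if (obj instanceof A) after += 1;
  }
  return { before, after };
}
```

Run under any engine, the counts make the effects concrete: one trap call per instanceof on the proxy, the exception from the trap escaping the operator, and `before` equal to the iteration count while `after` is zero once the chain is cut. An optimizer that hoisted or dropped the operation, or a cache that ignored the prototype edge, would change one of those numbers.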
595 2018-05-16  Andy VanWagoner  <andy@vanwagoner.family>
596
597         Add support for Intl NumberFormat formatToParts
598         https://bugs.webkit.org/show_bug.cgi?id=185375
599
600         Reviewed by Yusuke Suzuki.
601
602         Add flag for NumberFormat formatToParts. Implement formatToParts using
603         unum_formatDoubleForFields. Because the fields are nested and come back
604         in no guaranteed order, the simple algorithm to convert them to the
605         desired format is roughly O(n^2). However, even with Number.MAX_VALUE
606         it appears to perform well enough for the initial implementation. Another
607         issue has been created to improve this algorithm.
608
609         This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
610         on macOS, since only v57 is available.
611
612         * Configurations/FeatureDefines.xcconfig:
613         * runtime/IntlNumberFormat.cpp:
614         (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
615         (JSC::IntlNumberFormat::partTypeString):
616         (JSC::IntlNumberFormat::formatToParts):
617         * runtime/IntlNumberFormat.h:
618         * runtime/IntlNumberFormatPrototype.cpp:
619         (JSC::IntlNumberFormatPrototype::create):
620         (JSC::IntlNumberFormatPrototype::finishCreation):
621         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
622         * runtime/IntlNumberFormatPrototype.h:
623         * runtime/Options.h:
624
625 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
626
627         [ESNext][BigInt] Implement support for "/" operation
628         https://bugs.webkit.org/show_bug.cgi?id=183996
629
630         Reviewed by Yusuke Suzuki.
631
632         This patch is introducing the support for BigInt into divide
633         operation int LLInt and JIT layers.
634
635         * dfg/DFGOperations.cpp:
636         * runtime/CommonSlowPaths.cpp:
637         (JSC::SLOW_PATH_DECL):
638         * runtime/JSBigInt.cpp:
639         (JSC::JSBigInt::divide):
640         (JSC::JSBigInt::copy):
641         (JSC::JSBigInt::unaryMinus):
642         (JSC::JSBigInt::absoluteCompare):
643         (JSC::JSBigInt::absoluteDivLarge):
644         (JSC::JSBigInt::productGreaterThan):
645         (JSC::JSBigInt::inplaceAdd):
646         (JSC::JSBigInt::inplaceSub):
647         (JSC::JSBigInt::inplaceRightShift):
648         (JSC::JSBigInt::specialLeftShift):
649         (JSC::JSBigInt::digit):
650         (JSC::JSBigInt::setDigit):
651         * runtime/JSBigInt.h:
652
653 2018-05-16  Alberto Garcia  <berto@igalia.com>
654
655         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
656         https://bugs.webkit.org/show_bug.cgi?id=182622
657
658         Reviewed by Michael Catanzaro.
659
660         We were linking JavaScriptCore against libatomic in MIPS because
661         in that architecture __atomic_fetch_add_8() is not a compiler
662         intrinsic and is provided by that library instead. However other
663         architectures (e.g armel) are in the same situation, so we need a
664         generic test.
665
666         That test already exists in WebKit/CMakeLists.txt, so we just have
667         to move it to a common file (WebKitCompilerFlags.cmake) and use
668         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
669
670         * CMakeLists.txt:
671
672 2018-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
673
674         [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
675         https://bugs.webkit.org/show_bug.cgi?id=185601
676
677         Reviewed by Saam Barati.
678
679         Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData
680         before calling getCallData when we would like to check whether a given object is callable
681         since getCallData is a virtual call. When we call the object anyway, directly calling getCallData
682         is fine. But if we would like to check whether the object is callable, we can have non
683         callable objects frequently. In that case, we should not call getCallData if we can avoid it.
684
685         To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
686         and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
687         OverridesGetCallData checking before calling getCallData.
688
689         We found that this virtual call exists in JSON.stringify's critical path. Checking
690         OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.
691
692                                                baseline                  patched
693
694             json-stringify-tinderbox        38.807+-0.350      ^      37.216+-0.337         ^ definitely 1.0427x faster
695
696         In addition to that, we also add OverridesGetCallData flag to JSFunction while we keep JSFunctionType checking fast path
697         since major cases are covered by this fast JSFunctionType checking.
698
699         * API/JSCallbackObject.h:
700         * dfg/DFGAbstractInterpreterInlines.h:
701         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
702         * dfg/DFGOperations.cpp:
703         * dfg/DFGSpeculativeJIT.cpp:
704         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
705         (JSC::DFG::SpeculativeJIT::compileIsFunction):
706         * ftl/FTLLowerDFGToB3.cpp:
707         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
708         * jit/AssemblyHelpers.h:
709         (JSC::AssemblyHelpers::emitTypeOf):
710         * runtime/ExceptionHelpers.cpp:
711         (JSC::createError):
712         (JSC::createInvalidFunctionApplyParameterError):
713         * runtime/FunctionPrototype.cpp:
714         (JSC::functionProtoFuncToString):
715         * runtime/InternalFunction.h:
716         * runtime/JSCJSValue.h:
717         * runtime/JSCJSValueInlines.h:
718         (JSC::JSValue::isFunction const):
719         (JSC::JSValue::isCallable const):
720         * runtime/JSCell.h:
721         * runtime/JSCellInlines.h:
722         (JSC::JSCell::isFunction):
723         ALWAYS_INLINE works well for my environment.
724         (JSC::JSCell::isCallable):
725         * runtime/JSFunction.h:
726         * runtime/JSONObject.cpp:
727         (JSC::Stringifier::toJSON):
728         (JSC::Stringifier::toJSONImpl):
729         (JSC::Stringifier::appendStringifiedValue):
730         * runtime/JSObjectInlines.h:
731         (JSC::createListFromArrayLike):
732         * runtime/JSTypeInfo.h:
733         (JSC::TypeInfo::overridesGetCallData const):
734         (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted.
735         * runtime/Operations.cpp:
736         (JSC::jsTypeStringForValue):
737         (JSC::jsIsObjectTypeOrNull):
738         * runtime/ProxyObject.h:
739         * runtime/RuntimeType.cpp:
740         (JSC::runtimeTypeForValue):
741         * runtime/RuntimeType.h:
742         * runtime/Structure.cpp:
743         (JSC::Structure::Structure):
744         * runtime/TypeProfilerLog.cpp:
745         (JSC::TypeProfilerLog::TypeProfilerLog):
746         (JSC::TypeProfilerLog::processLogEntries):
747         * runtime/TypeProfilerLog.h:
748         * runtime/VM.cpp:
749         (JSC::VM::enableTypeProfiler):
750         * tools/JSDollarVM.cpp:
751         (JSC::functionFindTypeForExpression):
752         (JSC::functionReturnTypeFor):
753         (JSC::functionHasBasicBlockExecuted):
754         (JSC::functionBasicBlockExecutionCount):
755         * wasm/js/JSWebAssemblyHelpers.h:
756         (JSC::getWasmBufferFromValue):
757         * wasm/js/JSWebAssemblyInstance.cpp:
758         (JSC::JSWebAssemblyInstance::create):
759         * wasm/js/WebAssemblyFunction.cpp:
760         (JSC::callWebAssemblyFunction):
761         * wasm/js/WebAssemblyInstanceConstructor.cpp:
762         (JSC::constructJSWebAssemblyInstance):
763         * wasm/js/WebAssemblyModuleRecord.cpp:
764         (JSC::WebAssemblyModuleRecord::link):
765         * wasm/js/WebAssemblyPrototype.cpp:
766         (JSC::webAssemblyInstantiateFunc):
767         (JSC::webAssemblyInstantiateStreamingInternal):
768         * wasm/js/WebAssemblyWrapperFunction.cpp:
769         (JSC::WebAssemblyWrapperFunction::finishCreation):
770
771 2018-05-15  Devin Rousso  <webkit@devinrousso.com>
772
773         Web Inspector: Add rulers and guides
774         https://bugs.webkit.org/show_bug.cgi?id=32263
775         <rdar://problem/19281564>
776
777         Reviewed by Matt Baker.
778
779         * inspector/protocol/OverlayTypes.json:
780
781 2018-05-14  Keith Miller  <keith_miller@apple.com>
782
783         Remove butterflyMask from DFGAbstractHeap
784         https://bugs.webkit.org/show_bug.cgi?id=185640
785
786         Reviewed by Saam Barati.
787
788         We don't have a butterfly indexing mask anymore so we don't need
789         the abstract heap information for it anymore.
790
791         * dfg/DFGAbstractHeap.h:
792         * dfg/DFGClobberize.h:
793         (JSC::DFG::clobberize):
794
795 2018-05-14  Andy VanWagoner  <andy@vanwagoner.family>
796
797         [INTL] Handle error in defineProperty for supported locales length
798         https://bugs.webkit.org/show_bug.cgi?id=185623
799
800         Reviewed by Saam Barati.
801
802         Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the
803         length of the supported locales array.
804
805         * runtime/IntlObject.cpp:
806         (JSC::supportedLocales):
807
808 2018-05-14  Yusuke Suzuki  <utatane.tea@gmail.com>
809
810         [JSC] Tweak LiteralParser to improve lexing performance
811         https://bugs.webkit.org/show_bug.cgi?id=185541
812
813         Reviewed by Saam Barati.
814
815         This patch attempts to improve LiteralParser performance.
816
817         This patch improves Kraken/json-parse-financial by roughly ~10%.
818                                            baseline                  patched
819
820             json-parse-financial        65.810+-1.591      ^      59.943+-1.784         ^ definitely 1.0979x faster
821
822         * parser/Lexer.cpp:
823         (JSC::Lexer<T>::Lexer):
824         * runtime/ArgList.h:
825         (JSC::MarkedArgumentBuffer::takeLast):
826         Add takeLast() for idiomatic last() + removeLast() calls.
827
828         * runtime/LiteralParser.cpp:
829         (JSC::LiteralParser<CharType>::Lexer::lex):
830         Do not have mode in its template parameter. While the lex function is large, this mode is not used in a critical path.
831         We should not include this mode in its template parameter to reduce the code size.
832         And we do not use a template parameter for a terminator since duplicating ' and " code for lexString is not good.
833         Also, we construct a TokenType table to remove a bunch of unnecessary switch cases.
834
835         (JSC::LiteralParser<CharType>::Lexer::next):
836         (JSC::isSafeStringCharacter):
837         Take mode in its template parameter. But do not take terminator character in its template parameter.
838
839         (JSC::LiteralParser<CharType>::Lexer::lexString):
840         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
841         Duplicate while statements manually since this is a critical path.
842
843         (JSC::LiteralParser<CharType>::parse):
844         Use takeLast().
845
846         * runtime/LiteralParser.h:
847
848 2018-05-14  Dominik Infuehr  <dinfuehr@igalia.com>
849
850         [MIPS] Use btpz to compare against 0 instead of bpeq
851         https://bugs.webkit.org/show_bug.cgi?id=185607
852
853         Reviewed by Yusuke Suzuki.
854
855         Fixes build on MIPS since MIPS doesn't have an instruction to
856         compare a register against an immediate. Since the immediate is just 0
857         in this case the simplest solution is just to use btpz instead of bpeq
858         to compare to 0.
859
860         * llint/LowLevelInterpreter.asm:
861
862 2018-05-12  Filip Pizlo  <fpizlo@apple.com>
863
864         CachedCall::call() should be faster
865         https://bugs.webkit.org/show_bug.cgi?id=185583
866
867         Reviewed by Yusuke Suzuki.
868         
869         CachedCall is an optimization for String.prototype.replace(r, f) where f is a function.
870         Unfortunately, because of a combination of abstraction and assertions, this code path had a
871         lot of overhead. This patch reduces this overhead by:
872         
873         - Turning off some assertions. These assertions don't look to have security value; they're
874           mostly for sanity. I turned off stack alignment checks and VM state checks having to do
875           with whether the JSLock is held. The JSLock checks are not relevant when doing a cached
876           call, considering that the caller would have already been strongly assuming that the JSLock
877           is held.
878         
879         - Making more things inlineable.
880         
881         This looks like a small (4% ish) speed-up on SunSpider/string-unpack-code.
882
883         * JavaScriptCore.xcodeproj/project.pbxproj:
884         * interpreter/CachedCall.h:
885         (JSC::CachedCall::call):
886         * interpreter/Interpreter.cpp:
887         (JSC::checkedReturn): Deleted.
888         * interpreter/Interpreter.h:
889         (JSC::Interpreter::checkedReturn):
890         * interpreter/InterpreterInlines.h:
891         (JSC::Interpreter::execute):
892         * jit/JITCode.cpp:
893         (JSC::JITCode::execute): Deleted.
894         * jit/JITCodeInlines.h: Added.
895         (JSC::JITCode::execute):
896         * llint/LowLevelInterpreter.asm:
897         * runtime/StringPrototype.cpp:
898
899 2018-05-13  Andy VanWagoner  <andy@vanwagoner.family>
900
901         [INTL] Improve spec & test262 compliance for Intl APIs
902         https://bugs.webkit.org/show_bug.cgi?id=185578
903
904         Reviewed by Yusuke Suzuki.
905
906         Use putDirectIndex over push for lists to arrays.
907         Update default options to construct with a null prototype.
908         Define constructor and toStringTag on prototypes.
909         Add proper time clipping.
910         Remove some outdated comment spec text, use url instead.
911
912         * runtime/IntlCollator.cpp:
913         (JSC::IntlCollator::initializeCollator):
914         * runtime/IntlCollatorConstructor.cpp:
915         (JSC::IntlCollatorConstructor::finishCreation):
916         * runtime/IntlCollatorPrototype.cpp:
917         (JSC::IntlCollatorPrototype::finishCreation):
918         * runtime/IntlDateTimeFormatConstructor.cpp:
919         (JSC::IntlDateTimeFormatConstructor::finishCreation):
920         * runtime/IntlDateTimeFormatPrototype.cpp:
921         (JSC::IntlDateTimeFormatPrototype::finishCreation):
922         (JSC::IntlDateTimeFormatFuncFormatDateTime):
923         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
924         * runtime/IntlNumberFormat.cpp:
925         (JSC::IntlNumberFormat::initializeNumberFormat):
926         * runtime/IntlNumberFormatConstructor.cpp:
927         (JSC::IntlNumberFormatConstructor::finishCreation):
928         * runtime/IntlNumberFormatPrototype.cpp:
929         (JSC::IntlNumberFormatPrototype::finishCreation):
930         * runtime/IntlObject.cpp:
931         (JSC::lookupSupportedLocales):
932         (JSC::supportedLocales):
933         (JSC::intlObjectFuncGetCanonicalLocales):
934         * runtime/IntlPluralRules.cpp:
935         (JSC::IntlPluralRules::resolvedOptions):
936         * runtime/IntlPluralRulesConstructor.cpp:
937         (JSC::IntlPluralRulesConstructor::finishCreation):
938
939 2018-05-11  Caio Lima  <ticaiolima@gmail.com>
940
941         [ESNext][BigInt] Implement support for "*" operation
942         https://bugs.webkit.org/show_bug.cgi?id=183721
943
944         Reviewed by Yusuke Suzuki.
945
946         Added BigInt support into times binary operator into LLInt and on
947         JITOperations profiledMul and unprofiledMul. We are also replacing all
948         uses of int to unsigned when there are no negative values for
949         variables.
950
951         * dfg/DFGConstantFoldingPhase.cpp:
952         (JSC::DFG::ConstantFoldingPhase::foldConstants):
953         * jit/JITOperations.cpp:
954         * runtime/CommonSlowPaths.cpp:
955         (JSC::SLOW_PATH_DECL):
956         * runtime/JSBigInt.cpp:
957         (JSC::JSBigInt::JSBigInt):
958         (JSC::JSBigInt::allocationSize):
959         (JSC::JSBigInt::createWithLength):
960         (JSC::JSBigInt::toString):
961         (JSC::JSBigInt::multiply):
962         (JSC::JSBigInt::digitDiv):
963         (JSC::JSBigInt::internalMultiplyAdd):
964         (JSC::JSBigInt::multiplyAccumulate):
965         (JSC::JSBigInt::equals):
966         (JSC::JSBigInt::absoluteDivSmall):
967         (JSC::JSBigInt::calculateMaximumCharactersRequired):
968         (JSC::JSBigInt::toStringGeneric):
969         (JSC::JSBigInt::rightTrim):
970         (JSC::JSBigInt::allocateFor):
971         (JSC::JSBigInt::parseInt):
972         (JSC::JSBigInt::digit):
973         (JSC::JSBigInt::setDigit):
974         * runtime/JSBigInt.h:
975         * runtime/JSCJSValue.h:
976         * runtime/JSCJSValueInlines.h:
977         (JSC::JSValue::toNumeric const):
978         * runtime/Operations.h:
979         (JSC::jsMul):
980
981 2018-05-11  Commit Queue  <commit-queue@webkit.org>
982
983         Unreviewed, rolling out r231316 and r231332.
984         https://bugs.webkit.org/show_bug.cgi?id=185564
985
986         Appears to be a Speedometer2/MotionMark regression (Requested
987         by keith_miller on #webkit).
988
989         Reverted changesets:
990
991         "Remove the prototype caching for get_by_id in the LLInt"
992         https://bugs.webkit.org/show_bug.cgi?id=185226
993         https://trac.webkit.org/changeset/231316
994
995         "Unreviewed, fix 32-bit profile offset for change in bytecode"
996         https://trac.webkit.org/changeset/231332
997
998 2018-05-11  Michael Saboff  <msaboff@apple.com>
999
1000         [DFG] Compiler uses incorrect output register for NumberIsInteger operation
1001         https://bugs.webkit.org/show_bug.cgi?id=185328
1002
1003         Reviewed by Keith Miller.
1004
1005         Fixed a typo from when this code was added in r228968 where resultGPR
1006         was assigned the input register instead of the result.gpr().
1007
1008         * dfg/DFGSpeculativeJIT64.cpp:
1009         (JSC::DFG::SpeculativeJIT::compile):
1010
1011 2018-05-11  Saam Barati  <sbarati@apple.com>
1012
1013         Don't use inferred types when the JIT is disabled
1014         https://bugs.webkit.org/show_bug.cgi?id=185539
1015
1016         Reviewed by Yusuke Suzuki.
1017
1018         There are many JSC API clients that run with the JIT disabled. They were
1019         all allocating and tracking inferred types for no benefit. Inferred types
1020         only benefit programs when they make it to the DFG/FTL. I was seeing cases
1021         where the inferred type machinery used ~0.5MB. This patch makes it so we
1022         don't allocate that machinery when the JIT is disabled.
1023
1024         * runtime/Structure.cpp:
1025         (JSC::Structure::willStoreValueSlow):
1026         * runtime/Structure.h:
1027
1028 2018-05-11  Saam Barati  <sbarati@apple.com>
1029
1030         Don't allocate value profiles when the JIT is disabled
1031         https://bugs.webkit.org/show_bug.cgi?id=185525
1032
1033         Reviewed by Michael Saboff.
1034
1035         There are many JSC API clients that run with the JIT disabled. We were
1036         still allocating a ton of value profiles in this use case even though
1037         these clients get no benefit from doing value profiling. This patch makes
1038         it so that we don't allocate value profiles or argument value profiles
1039         when we're not using the JIT. We now just make all value profiles in
1040         the instruction stream point to a global value profile that the VM owns.
1041         And we make the argument value profile array have zero length and teach
1042         the LLInt how to handle that. Heap clears the global value profile on each GC.
1043
1044         In an app that I'm testing this against, this saves ~1MB of memory.
1045
1046         * bytecode/CodeBlock.cpp:
1047         (JSC::CodeBlock::finishCreation):
1048         (JSC::CodeBlock::setNumParameters):
1049         * bytecode/CodeBlock.h:
1050         (JSC::CodeBlock::numberOfArgumentValueProfiles):
1051         (JSC::CodeBlock::valueProfileForArgument):
1052         * bytecompiler/BytecodeGenerator.cpp:
1053         (JSC::BytecodeGenerator::emitProfiledOpcode):
1054         * heap/Heap.cpp:
1055         (JSC::Heap::runEndPhase):
1056         * llint/LowLevelInterpreter.asm:
1057         * runtime/VM.cpp:
1058         (JSC::VM::VM):
1059         * runtime/VM.h:
1060
1061 2018-05-10  Carlos Garcia Campos  <cgarcia@igalia.com>
1062
1063         [JSC][GLIB] Add introspectable alternatives to functions using varargs
1064         https://bugs.webkit.org/show_bug.cgi?id=185508
1065
1066         Reviewed by Michael Catanzaro.
1067
1068         * API/glib/JSCClass.cpp:
1069         (jscClassCreateConstructor):
1070         (jsc_class_add_constructor):
1071         (jsc_class_add_constructorv):
1072         (jscClassAddMethod):
1073         (jsc_class_add_method):
1074         (jsc_class_add_methodv):
1075         * API/glib/JSCClass.h:
1076         * API/glib/JSCValue.cpp:
1077         (jsObjectCall):
1078         (jscValueCallFunction):
1079         (jsc_value_object_invoke_methodv):
1080         (jscValueFunctionCreate):
1081         (jsc_value_new_function):
1082         (jsc_value_new_functionv):
1083         (jsc_value_function_callv):
1084         (jsc_value_constructor_callv):
1085         * API/glib/JSCValue.h:
1086         * API/glib/docs/jsc-glib-4.0-sections.txt:
1087
1088 2018-05-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1089
1090         [JSC] Make return types of construction functions tight
1091         https://bugs.webkit.org/show_bug.cgi?id=185509
1092
1093         Reviewed by Saam Barati.
1094
1095         Array and Object construction functions should return strict types instead of returning JSObject*/JSValue.
1096
1097         * runtime/ArrayConstructor.cpp:
1098         (JSC::constructArrayWithSizeQuirk):
1099         * runtime/ArrayConstructor.h:
1100         * runtime/ObjectConstructor.h:
1101         (JSC::constructEmptyObject):
1102
1103 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1104
1105         [JSC] Object.assign for final objects should be faster
1106         https://bugs.webkit.org/show_bug.cgi?id=185348
1107
1108         Reviewed by Saam Barati.
1109
1110         Object.assign is so heavily used to clone an object. For example, speedometer react-redux can be significantly
1111         improved if Object.assign becomes fast. It is worth adding a complex fast path to accelerate the major use cases.
1112
1113         If enumerating properties of source objects and putting properties to the target object are non-observable,
1114         we can avoid hash table lookups of source object properties. We can enumerate object property entries,
1115         and put them to target object. This patch adds this fast path to Object.assign implementation.
1116
1117         When enumerating properties, we need to ensure that the given |source| object does not include "__proto__"
1118         property since we cannot perform fast [[Put]] for the |target| object. We add a new flag
1119         "HasUnderscoreProtoPropertyExcludingOriginalProto" to Structure to track this state.
1120
1121         This improves object-assign.es6 by 1.85x.
1122
1123                                         baseline                  patched
1124
1125             object-assign.es6      368.6132+-8.3508     ^    198.8775+-4.9042        ^ definitely 1.8535x faster
1126
1127         And Speedometer2.0 React-Redux-TodoMVC's total time is improved from 490ms to 431ms.
1128
1129         * runtime/JSObject.h:
1130         * runtime/JSObjectInlines.h:
1131         (JSC::JSObject::canPerformFastPutInlineExcludingProto):
1132         (JSC::JSObject::canPerformFastPutInline):
1133         * runtime/ObjectConstructor.cpp:
1134         (JSC::objectConstructorAssign):
1135         * runtime/Structure.cpp:
1136         (JSC::Structure::Structure):
1137         * runtime/Structure.h:
1138         * runtime/StructureInlines.h:
1139         (JSC::Structure::forEachProperty):
1140         (JSC::Structure::add):
1141
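        The observable difference the entry above guards against, as an added example that is not WebKit code: a source object carrying an own "__proto__" key (constructed here via JSON.parse) must not take the entry-copying fast path, because Object.assign's [[Set]] re-parents the target instead of storing a data property. The canPerformFastPut guard below is a simplified stand-in for the Structure flag described in the entry, not JSC's implementation.

```javascript
// Added example (not WebKit code): why an Object.assign fast path must refuse
// sources with an own "__proto__" property.
//
// Object.assign performs an ordinary [[Set]] for each own enumerable key of the
// source. For the key "__proto__" that [[Set]] reaches the accessor on
// Object.prototype and changes the target's prototype instead of creating an
// own data property. A fast path that copies property-table entries straight
// into the target's storage would create an own "__proto__" data property,
// which is observably different.

// Constructed sample: JSON.parse creates a real own "__proto__" data property
// (an object literal with __proto__: would instead set the prototype).
const sourceWithProto = JSON.parse('{"__proto__": {"fromProto": true}, "x": 1}');

function hasOwnProto(obj) {
  return Object.prototype.hasOwnProperty.call(obj, '__proto__');
}

// Simplified stand-in for the "can we fast-put?" check: no own "__proto__" and
// only plain data properties, so enumerating and copying is not observable.
function canPerformFastPut(source) {
  if (hasOwnProto(source)) return false;
  return Object.keys(source).every(
    (k) => 'value' in Object.getOwnPropertyDescriptor(source, k));
}

// Naive fast path: copy own enumerable entries as own data properties.
function naiveFastAssign(target, source) {
  for (const key of Object.keys(source)) {
    Object.defineProperty(target, key, {
      value: source[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}

// Guarded version: take the fast path only when it is unobservable, otherwise
// fall back to the spec-conformant Object.assign.
function guardedAssign(target, source) {
  return canPerformFastPut(source)
    ? naiveFastAssign(target, source)
    : Object.assign(target, source);
}

// Summarise what a caller can observe on the resulting target.
function describe(obj) {
  return {
    ownProto: hasOwnProto(obj),
    fromProto: obj.fromProto === true,
    protoIsObjectPrototype: Object.getPrototypeOf(obj) === Object.prototype,
    x: obj.x,
  };
}

function specResult() { return describe(Object.assign({}, sourceWithProto)); }
function naiveResult() { return describe(naiveFastAssign({}, sourceWithProto)); }
function guardedResult() { return describe(guardedAssign({}, sourceWithProto)); }
```

        Under Object.assign the target gains the prototype and no own "__proto__"; under the naive fast path it keeps Object.prototype and gains an own "__proto__" data property.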
1142 2018-05-10  Filip Pizlo  <fpizlo@apple.com>
1143
1144         DFG CFA should pick the right time to inject OSR entry data
1145         https://bugs.webkit.org/show_bug.cgi?id=185530
1146
1147         Reviewed by Saam Barati.
1148         
1149         Previously, we would do a bonus run of CFA to inject OSR entry data. This patch makes us inject
1150         OSR entry data as part of the normal flow of CFA, which reduces the total number of CFA
1151         reexecutions while minimizing the likelihood that we have CFA execute constants in paths that
1152         would eventually LUB to non-constant.
1153         
1154         This looks like almost a 1% speed-up on SunSpider-CompileTime. All of the logic for preventing
1155         execution over constants is for V8Spider-CompileTime/regexp, which would otherwise do a lot of
1156         useless regexp/string execution in the compiler.
1157
1158         * dfg/DFGBlockSet.h:
1159         (JSC::DFG::BlockSet::remove):
1160         * dfg/DFGCFAPhase.cpp:
1161         (JSC::DFG::CFAPhase::run):
1162         (JSC::DFG::CFAPhase::injectOSR):
1163         (JSC::DFG::CFAPhase::performBlockCFA):
1164
1165 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
1166
1167         InPlaceAbstractState::beginBasicBlock shouldn't copy all m_variables every time
1168         https://bugs.webkit.org/show_bug.cgi?id=185452
1169
1170         Reviewed by Michael Saboff.
1171         
1172         We were spending a lot of time in beginBasicBlock() just copying the state of all variables
1173         from the block head to InPlaceAbstractState::m_variables. It is necessary for
1174         InPlaceAbstractState to have its own copy since we need to mutate it separately from
1175         block->valuesAtHead. But most variables are untouched by most basic blocks, so this was a lot
1176         of superfluous work.
1177         
1178         This change adds a bitvector called m_activeVariables that tracks which variables have been
1179         copied. We lazily copy the variables on first use. Variables that were never copied also have
1180         a simplified merging path, which just needs to consider if the variable got clobbered between
1181         head and tail.
1182         
1183         This is a 1.5% speed-up on SunSpider-CompileTime and a 1.7% speed-up on V8Spider-CompileTime.
1184
1185         * bytecode/Operands.h:
1186         (JSC::Operands::argumentIndex const):
1187         (JSC::Operands::localIndex const):
1188         (JSC::Operands::argument):
1189         (JSC::Operands::argument const):
1190         (JSC::Operands::local):
1191         (JSC::Operands::local const):
1192         (JSC::Operands::operandIndex const):
1193         * dfg/DFGAbstractValue.h:
1194         (JSC::DFG::AbstractValue::fastForwardFromTo):
1195         * dfg/DFGCFAPhase.cpp:
1196         (JSC::DFG::CFAPhase::performForwardCFA):
1197         * dfg/DFGInPlaceAbstractState.cpp:
1198         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1199         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
1200         (JSC::DFG::InPlaceAbstractState::activateAllVariables):
1201         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1202         (JSC::DFG::InPlaceAbstractState::activateVariable):
1203         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): Deleted.
1204         * dfg/DFGInPlaceAbstractState.h:
1205         (JSC::DFG::InPlaceAbstractState::variableAt):
1206         (JSC::DFG::InPlaceAbstractState::operand):
1207         (JSC::DFG::InPlaceAbstractState::local):
1208         (JSC::DFG::InPlaceAbstractState::argument):
1209         (JSC::DFG::InPlaceAbstractState::activateVariableIfNecessary):
1210         (JSC::DFG::InPlaceAbstractState::variablesForDebugging): Deleted.
1211
1212 2018-05-09  Caio Lima  <ticaiolima@gmail.com>
1213
1214         [ESNext][BigInt] Implement support for "==" operation
1215         https://bugs.webkit.org/show_bug.cgi?id=184474
1216
1217         Reviewed by Yusuke Suzuki.
1218
1219         This patch is implementing support of BigInt for the equals operator
1220         following the spec semantics[1].
1221
1222         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-equality-comparison
1223
1224         * runtime/JSBigInt.cpp:
1225         (JSC::JSBigInt::parseInt):
1226         (JSC::JSBigInt::stringToBigInt):
1227         (JSC::JSBigInt::toString):
1228         (JSC::JSBigInt::setDigit):
1229         (JSC::JSBigInt::equalsToNumber):
1230         (JSC::JSBigInt::compareToDouble):
1231         * runtime/JSBigInt.h:
1232         * runtime/JSCJSValueInlines.h:
1233         (JSC::JSValue::equalSlowCaseInline):
1234
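        The Number/BigInt step of the abstract equality comparison referenced above, as an added example that is not WebKit code: it shows the spec semantics and why comparing via a double (the role JSBigInt::compareToDouble exists for) loses precision. The function names are this example's own.

```javascript
// Added example (not WebKit code): BigInt == Number per the abstract equality
// comparison, and the precision trap of converting the BigInt to a Number.

// Spec semantics: a BigInt b and a Number d are loosely equal iff d is a finite
// integer value and the mathematical values agree.
function bigIntEqualsNumber(b, d) {
  if (typeof b !== 'bigint' || typeof d !== 'number') {
    throw new TypeError('expected (bigint, number)');
  }
  if (!Number.isFinite(d)) return false;   // NaN and +/-Infinity never equal a BigInt
  if (!Number.isInteger(d)) return false;  // 1n == 1.5 is false
  // BigInt(d) is exact for every integer-valued double, so this compares the
  // mathematical values without rounding in either direction.
  return BigInt(d) === b;
}

// The shortcut that looks right but is wrong: Number(b) rounds b to the nearest
// double, so distinct BigInts collapse onto the same Number.
function lossyEquals(b, d) {
  return Number(b) === d;
}

// Constructed cases, including the precision edge: 2**53 + 1 is not
// representable as a double, so the lossy version wrongly reports equality.
const cases = [
  [1n, 1, true],
  [1n, 1.5, false],
  [0n, -0, true],
  [1n, NaN, false],
  [1n, Infinity, false],
  [2n ** 64n, 2 ** 64, true],
  [2n ** 53n + 1n, 2 ** 53, false],
];

// Every case must match both the expected value and the host engine's own ==.
function checkAgainstEngine() {
  return cases.every(([b, d, expected]) =>
    bigIntEqualsNumber(b, d) === expected && (b == d) === expected);
}

// Number of cases where the lossy shortcut disagrees with the spec result.
function lossyDisagreements() {
  return cases.filter(([b, d]) =>
    lossyEquals(b, d) !== bigIntEqualsNumber(b, d)).length;
}
```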
1235 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
1236
1237         Speed up AbstractInterpreter::executeEdges
1238         https://bugs.webkit.org/show_bug.cgi?id=185457
1239
1240         Reviewed by Saam Barati.
1241
1242         This patch started out with the desire to make executeEdges() faster by making filtering faster.
1243         However, when I studied the disassembly, I found that there are many opportunities for
1244         improvement and I implemented all of them:
1245         
1246         - Filtering itself now has an inline fast path for when the filtering didn't change the value or
1247           for non-cells.
1248         
1249         - Edge execution doesn't fast-forward anything if the filtering fast path would have succeeded,
1250           since fast-forwarding is only interesting for cells and only if we have a clobbered value.
1251         
1252         - Similarly, edge verification doesn't need to fast-forward in the common case.
1253         
1254         - A bunch of stuff related to Graph::doToChildren is now inlined properly.
1255         
1256         - The edge doesn't even have to be considered for execution if it's UntypedUse.
1257         
1258         That last bit was the trickiest. We had gotten into a bad habit of using SpecFullNumber in the
1259         abstract interpreter. It's not correct to use SpecFullNumber in the abstract interpreter, because
1260         it means proving that the value could either be formatted as a double (with impure NaN values),
1261         or as any JSValue, or as an Int52. There is no value that could possibly hold all of those
1262         states. This "worked" before because UntypedUse would filter this down to SpecBytecodeNumber. To
1263         make it work again, I needed to fix all of those uses of SpecFullNumber. In the future, we need
1264         to be careful about picking either SpecFullDouble (if returning a DoubleRep) or
1265         SpecBytecodeNumber (if returning a JSValueRep).
1266         
1267         But that fix revealed an amazing timeout in
1268         stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js. We were getting
1269         stuck in an OSR loop (baseline->DFG->FTL->baseline), all involving the same bytecode, without
1270         ever realizing that we should jettison something. The problem was with how
1271         triggerReoptimizationNow was getting the optimizedCodeBlock. It was trying to guess it by using
1272         baselineCodeBlock->replacement(), but that's wrong for FTL-for-OSR-entry code blocks.
1273         
1274         This is a 1% improvement in V8Spider-CompileTime.
1275
1276         * bytecode/ExitKind.cpp:
1277         (JSC::exitKindMayJettison):
1278         * dfg/DFGAbstractInterpreter.h:
1279         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
1280         (JSC::DFG::AbstractInterpreter::filterByType): Deleted.
1281         * dfg/DFGAbstractInterpreterInlines.h:
1282         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::AbstractInterpreterExecuteEdgesFunc):
1283         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::operator() const):
1284         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
1285         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByType):
1286         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
1287         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1288         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1289         * dfg/DFGAbstractValue.cpp:
1290         (JSC::DFG::AbstractValue::filterSlow):
1291         (JSC::DFG::AbstractValue::fastForwardToAndFilterSlow):
1292         * dfg/DFGAbstractValue.h:
1293         (JSC::DFG::AbstractValue::filter):
1294         (JSC::DFG::AbstractValue::fastForwardToAndFilter):
1295         (JSC::DFG::AbstractValue::fastForwardToAndFilterUnproven):
1296         (JSC::DFG::AbstractValue::makeTop):
1297         * dfg/DFGAtTailAbstractState.h:
1298         (JSC::DFG::AtTailAbstractState::fastForward):
1299         (JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
1300         (JSC::DFG::AtTailAbstractState::fastForwardAndFilterUnproven):
1301         * dfg/DFGGraph.h:
1302         (JSC::DFG::Graph::doToChildren):
1303         * dfg/DFGInPlaceAbstractState.h:
1304         (JSC::DFG::InPlaceAbstractState::fastForward):
1305         (JSC::DFG::InPlaceAbstractState::fastForwardAndFilterUnproven):
1306         (JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
1307         * dfg/DFGOSRExit.cpp:
1308         (JSC::DFG::OSRExit::executeOSRExit):
1309         * dfg/DFGOSRExitCompilerCommon.cpp:
1310         (JSC::DFG::handleExitCounts):
1311         * dfg/DFGOperations.cpp:
1312         * dfg/DFGOperations.h:
1313
1314 2018-05-09  Saam Barati  <sbarati@apple.com>
1315
1316         Add JSVirtualMachine SPI to shrink the memory footprint of the VM
1317         https://bugs.webkit.org/show_bug.cgi?id=185441
1318         <rdar://problem/39999414>
1319
1320         Reviewed by Keith Miller.
1321
1322         This patch adds JSVirtualMachine SPI to release as much memory as possible.
1323         The SPI does:
1324         - Deletes all code caches.
1325         - Synchronous GC.
1326         - Run the scavenger.
1327
1328         * API/JSVirtualMachine.mm:
1329         (-[JSVirtualMachine shrinkFootprint]):
1330         * API/JSVirtualMachinePrivate.h: Added.
1331         * API/tests/testapi.mm:
1332         (testObjectiveCAPIMain):
1333         * JavaScriptCore.xcodeproj/project.pbxproj:
1334         * runtime/VM.cpp:
1335         (JSC::VM::shrinkFootprint):
1336         * runtime/VM.h:
1337
1338 2018-05-09  Leo Balter  <leonardo.balter@gmail.com>
1339
1340         [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
1341         Error found in the following Test262 tests:
1342
1343         - test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js
1344         - test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js
1345         - test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js
1346
1347         The ArraySpeciesCreate should throw a RangeError with non-Array custom objects
1348         presenting a length > 2**32-1
1349         https://bugs.webkit.org/show_bug.cgi?id=185476
1350
1351         Reviewed by Yusuke Suzuki.
1352
1353         * runtime/ArrayPrototype.cpp:
1354
1355 2018-05-09  Michael Catanzaro  <mcatanzaro@igalia.com>
1356
1357         [WPE] Build cleanly with GCC 8 and ICU 60
1358         https://bugs.webkit.org/show_bug.cgi?id=185462
1359
1360         Reviewed by Carlos Alberto Lopez Perez.
1361
1362         * API/glib/JSCClass.cpp: Silence many -Wcast-function-type warnings.
1363         (jsc_class_add_constructor):
1364         (jsc_class_add_method):
1365         * API/glib/JSCValue.cpp: Silence many -Wcast-function-type warnings.
1366         (jsc_value_object_define_property_accessor):
1367         (jsc_value_new_function):
1368         * CMakeLists.txt: Build BuiltinNames.cpp with -fno-var-tracking-assignments. This was a
1369         problem with GCC 7 too, but might as well fix it now.
1370         * assembler/ProbeContext.h:
1371         (JSC::Probe::CPUState::gpr const): Silence a -Wclass-memaccess warning.
1372         (JSC::Probe::CPUState::spr const): Ditto. Assume std::remove_const is safe to clobber.
1373         * b3/air/AirArg.h:
1374         (JSC::B3::Air::Arg::isRepresentableAs): Silence -Wfallthrough warning.
1375         * builtins/BuiltinNames.cpp:
1376         (JSC::BuiltinNames::BuiltinNames): Moved from BuiltinNames.h so we can use a special flag.
1377         * builtins/BuiltinNames.h:
1378         (JSC::BuiltinNames::BuiltinNames): Moved to BuiltinNames.cpp.
1379         * dfg/DFGDoubleFormatState.h:
1380         (JSC::DFG::mergeDoubleFormatStates): Silence -Wfallthrough warnings.
1381         * heap/MarkedBlockInlines.h:
1382         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType): Silence -Wfallthrough warnings.
1383         * runtime/ConfigFile.cpp:
1384         (JSC::ConfigFile::canonicalizePaths): Here GCC found a genuine mistake, strncat is called
1385         with the wrong length parameter and the result is not null-terminated. Also, silence a
1386         -Wstringop-truncation warning as we intentionally truncate filenames that exceed PATH_MAX.
1387         * runtime/IntlDateTimeFormat.cpp:
1388         (JSC::IntlDateTimeFormat::partTypeString): Avoid an ICU deprecation warning.
1389         * runtime/JSGlobalObject.cpp:
1390         (JSC::JSGlobalObject::init): We were unconditionally running some BigInt code by accident.
1391         (JSC::JSGlobalObject::visitChildren): Probably a serious bug? Fixed.
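
The strncat mistake noted above for ConfigFile::canonicalizePaths (wrong length parameter, result not NUL-terminated) is a recurring C pitfall, so here is an added example of the bounded path-join done correctly. This is editor-written illustration code, not WebKit's ConfigFile implementation; appendBounded and joinPath are hypothetical names and the 16-byte buffer in the usage is constructed to force the intentional truncation the entry describes.

```cpp
#include <cstddef>
#include <cstring>

// Hypothetical helper, not WebKit's ConfigFile code: append `src` to the
// string in `dst` without ever writing past `dstSize` bytes, and always leave
// a terminating NUL. Returns false when the result had to be truncated.
static bool appendBounded(char* dst, size_t dstSize, const char* src)
{
    if (dstSize == 0)
        return false;
    // Find the current length without trusting that dst is NUL-terminated.
    size_t used = 0;
    while (used < dstSize && dst[used] != '\0')
        ++used;
    if (used == dstSize) {
        // Caller handed us an unterminated buffer (e.g. filled by strncpy with
        // the full size); terminate it instead of letting strncat run off the end.
        dst[dstSize - 1] = '\0';
        return false;
    }
    // strncat's third argument bounds how many bytes are read from src, not
    // the size of dst, and strncat then writes one more byte for the NUL.
    // Passing dstSize here (the classic mistake) can write up to used + 1
    // bytes past the end of dst; the correct bound is the remaining room
    // minus one for the terminator.
    size_t room = dstSize - used - 1;
    strncat(dst, src, room);
    return strlen(src) <= room;
}

// Join a directory and a file name into dst, truncating at dstSize - 1 bytes
// the way the entry describes intentionally truncating names beyond PATH_MAX.
static bool joinPath(char* dst, size_t dstSize, const char* dir, const char* file)
{
    if (dstSize == 0)
        return false;
    dst[0] = '\0';
    bool fits = appendBounded(dst, dstSize, dir);
    fits = appendBounded(dst, dstSize, "/") && fits;
    fits = appendBounded(dst, dstSize, file) && fits;
    return fits;
}
```

The return value tells the caller that truncation happened; a config-file loader should treat a truncated path as an error rather than silently opening a different file.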
1392
1393 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1394
1395         [ARMv7] Drop ARMv7 disassembler in favor of capstone
1396         https://bugs.webkit.org/show_bug.cgi?id=185423
1397
1398         Reviewed by Michael Catanzaro.
1399
1400         This patch removes ARMv7Disassembler in our tree.
1401         We already adopted Capstone, and it is already used in ARMv7 JIT environments.
1402
1403         * CMakeLists.txt:
1404         * JavaScriptCore.xcodeproj/project.pbxproj:
1405         * Sources.txt:
1406         * disassembler/ARMv7/ARMv7DOpcode.cpp: Removed.
1407         * disassembler/ARMv7/ARMv7DOpcode.h: Removed.
1408         * disassembler/ARMv7Disassembler.cpp: Removed.
1409
1410 2018-05-09  Srdjan Lazarevic  <srdjan.lazarevic@rt-rk.com>
1411
1412         [MIPS] Optimize generated JIT code using r2
1413         https://bugs.webkit.org/show_bug.cgi?id=184584
1414
1415         Reviewed by Yusuke Suzuki.
1416
1417         EXT and MFHC1 instructions from MIPSR2 are implemented and used where possible.
1418         Also, some code size optimizations that were discovered in the meantime were done.
1419
1420         * assembler/MIPSAssembler.h:
1421         (JSC::MIPSAssembler::ext):
1422         (JSC::MIPSAssembler::mfhc1):
1423         * assembler/MacroAssemblerMIPS.cpp:
1424         * assembler/MacroAssemblerMIPS.h:
1425         (JSC::MacroAssemblerMIPS::isPowerOf2):
1426         (JSC::MacroAssemblerMIPS::bitPosition):
1427         (JSC::MacroAssemblerMIPS::loadAddress):
1428         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
1429         (JSC::MacroAssemblerMIPS::load8):
1430         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1431         (JSC::MacroAssemblerMIPS::load32):
1432         (JSC::MacroAssemblerMIPS::load16Unaligned):
1433         (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
1434         (JSC::MacroAssemblerMIPS::load16):
1435         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
1436         (JSC::MacroAssemblerMIPS::store8):
1437         (JSC::MacroAssemblerMIPS::store16):
1438         (JSC::MacroAssemblerMIPS::store32):
1439         (JSC::MacroAssemblerMIPS::branchTest32):
1440         (JSC::MacroAssemblerMIPS::loadFloat):
1441         (JSC::MacroAssemblerMIPS::loadDouble):
1442         (JSC::MacroAssemblerMIPS::storeFloat):
1443         (JSC::MacroAssemblerMIPS::storeDouble):
1444
1445 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1446
1447         [JSC][GTK][JSCONLY] Use capstone disassembler
1448         https://bugs.webkit.org/show_bug.cgi?id=185283
1449
1450         Reviewed by Michael Catanzaro.
1451
1452         Instead of adding a MIPS disassembler baked by ourselves, we import the capstone disassembler.
1453         And we use the capstone disassembler for MIPS, ARM, and ARMv7 in the GTK, WPE, WinCairo and JSCOnly ports.
1454
1455         And we remove ARM LLVM disassembler.
1456
1457         Capstone is licensed under 3-clause BSD, which is acceptable in WebKit tree.
1458
1459         * CMakeLists.txt:
1460         * Sources.txt:
1461         * disassembler/ARMLLVMDisassembler.cpp: Removed.
1462         * disassembler/CapstoneDisassembler.cpp: Added.
1463         (JSC::tryToDisassemble):
1464
1465 2018-05-09  Dominik Infuehr  <dinfuehr@igalia.com>
1466
1467         [MIPS] Use mfhc1 and mthc1 to fix assembler error
1468         https://bugs.webkit.org/show_bug.cgi?id=185464
1469
1470         Reviewed by Yusuke Suzuki.
1471
1472         The binutils-assembler started to report failures for copying words between
1473         GP and FP registers for odd FP register indices. Use mfhc1 and mthc1 instead
1474         of mfc1 and mtc1 for conversion.
1475
1476         * offlineasm/mips.rb:
1477
1478 2018-05-08  Dominik Infuehr  <dinfuehr@igalia.com>
1479
1480         [MIPS] Collect callee-saved register using inline assembly
1481         https://bugs.webkit.org/show_bug.cgi?id=185428
1482
1483         Reviewed by Yusuke Suzuki.
1484
1485         MIPS used setjmp instead of collecting registers with inline assembly like
1486         other architectures.
1487
1488         * heap/RegisterState.h:
1489
1490 2018-05-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1491
1492         [BigInt] Simplifying JSBigInt by using bool addition
1493         https://bugs.webkit.org/show_bug.cgi?id=185374
1494
1495         Reviewed by Alex Christensen.
1496
1497         Since using TWO_DIGIT does not produce good code, we remove this part from digitAdd and digitSub.
1498         Just adding the overflow flag to the carry/borrow produces setb + add on x86.
1499
1500         Also we annotate small helper functions and accessors with `inline` so as not to call these functions
1501         inside the internalMultiplyAdd loop.
1502
1503         * runtime/JSBigInt.cpp:
1504         (JSC::JSBigInt::isZero):
1505         (JSC::JSBigInt::inplaceMultiplyAdd):
1506         (JSC::JSBigInt::digitAdd):
1507         (JSC::JSBigInt::digitSub):
1508         (JSC::JSBigInt::digitMul):
1509         (JSC::JSBigInt::digitPow):
1510         (JSC::JSBigInt::digitDiv):
1511         (JSC::JSBigInt::offsetOfData):
1512         (JSC::JSBigInt::dataStorage):
1513         (JSC::JSBigInt::digit):
1514         (JSC::JSBigInt::setDigit):
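
Added example (editor-written, not JSBigInt's code) of the digitAdd/digitSub shape the entry describes: the carry or borrow is a bool that is simply added to or subtracted from the single-width result, so no double-width TWO_DIGIT arithmetic is needed. Digit, addDigits and subDigits are hypothetical names; the multi-digit inputs in the usage are constructed to exercise carry propagation across a digit boundary.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

using Digit = uint64_t;

// Hypothetical stand-in for digitAdd: one overflow check for a + b, and a
// second for the incoming carry. Both cannot be true at once, because if
// a + b wrapped the sum is at most max - 1 and adding 1 cannot wrap again.
static inline Digit digitAdd(Digit a, Digit b, bool& carry)
{
    Digit sum = a + b;
    bool overflow = sum < a;              // a + b wrapped around
    Digit result = sum + carry;           // bool promotes to 0 or 1
    overflow = overflow || result < sum;  // only when sum == max and carry == 1
    carry = overflow;
    return result;
}

// Hypothetical stand-in for digitSub with the same single-width trick.
static inline Digit digitSub(Digit a, Digit b, bool& borrow)
{
    Digit difference = a - b;
    bool underflow = a < b;
    Digit result = difference - borrow;
    underflow = underflow || difference < static_cast<Digit>(borrow);
    borrow = underflow;
    return result;
}

// Little-endian multi-digit add: digits[0] is the least significant digit.
static std::vector<Digit> addDigits(const std::vector<Digit>& x, const std::vector<Digit>& y)
{
    std::vector<Digit> out;
    bool carry = false;
    size_t n = x.size() > y.size() ? x.size() : y.size();
    for (size_t i = 0; i < n; ++i) {
        Digit a = i < x.size() ? x[i] : 0;
        Digit b = i < y.size() ? y[i] : 0;
        out.push_back(digitAdd(a, b, carry));
    }
    if (carry)
        out.push_back(1);
    return out;
}

// Multi-digit subtract; the caller guarantees x >= y so no final borrow remains.
static std::vector<Digit> subDigits(const std::vector<Digit>& x, const std::vector<Digit>& y)
{
    std::vector<Digit> out;
    bool borrow = false;
    for (size_t i = 0; i < x.size(); ++i) {
        Digit b = i < y.size() ? y[i] : 0;
        out.push_back(digitSub(x[i], b, borrow));
    }
    return out;
}
```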
1515
1516 2018-05-08  Michael Saboff  <msaboff@apple.com>
1517
1518         Replace multiple Watchpoint Set fireAll() methods with templates
1519         https://bugs.webkit.org/show_bug.cgi?id=185456
1520
1521         Reviewed by Saam Barati.
1522
1523         Refactored to minimize duplicate code.
1524
1525         * bytecode/Watchpoint.h:
1526         (JSC::WatchpointSet::fireAll):
1527         (JSC::InlineWatchpointSet::fireAll):
1528
1529 2018-05-08  Filip Pizlo  <fpizlo@apple.com>
1530
1531         DFG::FlowMap::resize() shouldn't resize the shadow map unless we're in SSA
1532         https://bugs.webkit.org/show_bug.cgi?id=185453
1533
1534         Reviewed by Michael Saboff.
1535         
1536         Tiny improvement for compile times.
1537
1538         * dfg/DFGFlowMap.h:
1539         (JSC::DFG::FlowMap::resize): Remove one Vector::resize() when we're not in SSA.
1540         * dfg/DFGInPlaceAbstractState.cpp:
1541         (JSC::DFG::InPlaceAbstractState::beginBasicBlock): Record some data about how long we spend in different parts of this and add a FIXME linking bug 185452.
1542
1543 2018-05-08  Michael Saboff  <msaboff@apple.com>
1544
1545         Deferred firing of structure transition watchpoints is racy
1546         https://bugs.webkit.org/show_bug.cgi?id=185438
1547
1548         Reviewed by Saam Barati.
1549
1550         Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire
1551         and fire them in the destructor.  When the watchpoints are taken from the
1552         original WatchpointSet, that WatchpointSet is marked invalid.
1553
1554         * bytecode/Watchpoint.cpp:
1555         (JSC::WatchpointSet::fireAllSlow):
1556         (JSC::WatchpointSet::take):
1557         (JSC::DeferredWatchpointFire::DeferredWatchpointFire):
1558         (JSC::DeferredWatchpointFire::~DeferredWatchpointFire):
1559         (JSC::DeferredWatchpointFire::fireAll):
1560         (JSC::DeferredWatchpointFire::takeWatchpointsToFire):
1561         * bytecode/Watchpoint.h:
1562         (JSC::WatchpointSet::fireAll):
1563         (JSC::InlineWatchpointSet::fireAll):
1564         * runtime/JSObject.cpp:
1565         (JSC::JSObject::setPrototypeDirect):
1566         (JSC::JSObject::convertToDictionary):
1567         * runtime/JSObjectInlines.h:
1568         (JSC::JSObject::putDirectInternal):
1569         * runtime/Structure.cpp:
1570         (JSC::Structure::Structure):
1571         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire):
1572         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
1573         (JSC::DeferredStructureTransitionWatchpointFire::dump const):
1574         (JSC::Structure::didTransitionFromThisStructure const):
1575         (JSC::DeferredStructureTransitionWatchpointFire::add): Deleted.
1576         * runtime/Structure.h:
1577         (JSC::DeferredStructureTransitionWatchpointFire::structure const):
1578
1579 2018-05-08  Eric Carlson  <eric.carlson@apple.com>
1580
1581         Consecutive messages logged as JSON are coalesced
1582         https://bugs.webkit.org/show_bug.cgi?id=185432
1583
1584         Reviewed by Joseph Pecoraro.
1585
1586         * inspector/ConsoleMessage.cpp:
1587         (Inspector::ConsoleMessage::isEqual const): Messages with JSON arguments are not equal.
1588
1589 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
1590
1591         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
1592         https://bugs.webkit.org/show_bug.cgi?id=185365
1593
1594         Reviewed by Saam Barati.
1595         
1596         This patch does three things to improve compile times:
1597         
1598         - Fixes some inlining goofs.
1599         
1600         - Adds the ability to measure compile times with run-jsc-benchmarks.
1601         
1602         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
1603           code that clears abstract values. It turns out that only constant folding "needed" this, in the
1604           sense that this was the only thing protecting it from loading the abstract value of a no-result
1605           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
1606           Any node that produces a result will explicitly set its abstract value, so this problem can
1607           also be guarded by just having constant folding check if the node it wants to fold returns any
1608           result.
1609         
1610         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
1611         
1612         Rolling back in after fixing cloop build.
1613
1614         * dfg/DFGAbstractInterpreterInlines.h:
1615         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1616         * dfg/DFGAbstractValue.cpp:
1617         (JSC::DFG::AbstractValue::set):
1618         * dfg/DFGAbstractValue.h:
1619         (JSC::DFG::AbstractValue::merge):
1620         * dfg/DFGConstantFoldingPhase.cpp:
1621         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1622         * dfg/DFGGraph.h:
1623         (JSC::DFG::Graph::doToChildrenWithNode):
1624         (JSC::DFG::Graph::doToChildren):
1625         * dfg/DFGInPlaceAbstractState.cpp:
1626         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1627         * jit/JIT.cpp:
1628         (JSC::JIT::totalCompileTime):
1629         * jit/JIT.h:
1630         * jsc.cpp:
1631         (GlobalObject::finishCreation):
1632         (functionTotalCompileTime):
1633
1634 2018-05-08  Ryan Haddad  <ryanhaddad@apple.com>
1635
1636         Unreviewed, rolling out r231468.
1637
1638         Broke the CLoop build
1639
1640         Reverted changeset:
1641
1642         "InPlaceAbstractState::beginBasicBlock shouldn't have to clear
1643         any abstract values"
1644         https://bugs.webkit.org/show_bug.cgi?id=185365
1645         https://trac.webkit.org/changeset/231468
1646
1647 2018-05-07  Daniel Bates  <dabates@apple.com>
1648
1649         Check X-Frame-Options and CSP frame-ancestors in network process
1650         https://bugs.webkit.org/show_bug.cgi?id=185410
1651         <rdar://problem/37733934>
1652
1653         Reviewed by Ryosuke Niwa.
1654
1655         Add enum traits for MessageSource and MessageLevel so that we can encode and decode them for IPC.
1656
1657         * runtime/ConsoleTypes.h:
1658
1659 2018-05-07  Saam Barati  <sbarati@apple.com>
1660
1661         Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them
1662         https://bugs.webkit.org/show_bug.cgi?id=185329
1663         <rdar://problem/39961536>
1664
1665         Reviewed by Michael Saboff.
1666
1667         I was made aware of a memory goof inside of JSC where we would inefficiently
1668         use space to represent an UnlinkedFunctionExecutable's parent TDZ variables.
1669         
1670         We did two things badly:
1671         1. We used a HashMap instead of a Vector to represent the environment. Having
1672         a HashMap is useful when looking things up when generating bytecode, but it's
1673         space inefficient. Because UnlinkedFunctionExecutables live a long time because
1674         of the code cache, we should have them store this information efficiently
1675         inside of a Vector.
1676         
1677         2. We didn't hash-cons these environments together. If you think about how
1678         some programs are structured, hash-consing these together is hugely profitable.
1679         Consider some code like this:
1680         ```
1681         const/let V_1 = ...;
1682         const/let V_2 = ...;
1683         ...
1684         const/let V_n = ...;
1685         
1686         function f_1() { ... };
1687         function f_2() { ... };
1688         ...
1689         function f_n() { ... };
1690         ```
1691         
1692         Each f_i would store an identical hash map for its parent TDZ variables
1693         consisting of {V_1, ..., V_n}. This was incredibly dumb. With hash-consing,
1694         each f_i just holds onto a reference to the environment.
1695         
1696         I benchmarked this change against an app that made heavy use of the
1697         above code pattern and it reduced its peak memory footprint from ~220MB
1698         to ~160MB.
1699
1700         * bytecode/UnlinkedFunctionExecutable.cpp:
1701         (JSC::generateUnlinkedFunctionCodeBlock):
1702         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1703         * bytecode/UnlinkedFunctionExecutable.h:
1704         * parser/VariableEnvironment.cpp:
1705         (JSC::CompactVariableEnvironment::CompactVariableEnvironment):
1706         (JSC::CompactVariableEnvironment::operator== const):
1707         (JSC::CompactVariableEnvironment::toVariableEnvironment const):
1708         (JSC::CompactVariableMap::get):
1709         (JSC::CompactVariableMap::Handle::~Handle):
1710         * parser/VariableEnvironment.h:
1711         (JSC::VariableEnvironmentEntry::bits const):
1712         (JSC::VariableEnvironmentEntry::operator== const):
1713         (JSC::VariableEnvironment::isEverythingCaptured const):
1714         (JSC::CompactVariableEnvironment::hash const):
1715         (JSC::CompactVariableMapKey::CompactVariableMapKey):
1716         (JSC::CompactVariableMapKey::hash):
1717         (JSC::CompactVariableMapKey::equal):
1718         (JSC::CompactVariableMapKey::makeDeletedValue):
1719         (JSC::CompactVariableMapKey::isHashTableDeletedValue const):
1720         (JSC::CompactVariableMapKey::isHashTableEmptyValue const):
1721         (JSC::CompactVariableMapKey::environment):
1722         (WTF::HashTraits<JSC::CompactVariableMapKey>::emptyValue):
1723         (WTF::HashTraits<JSC::CompactVariableMapKey>::isEmptyValue):
1724         (WTF::HashTraits<JSC::CompactVariableMapKey>::constructDeletedValue):
1725         (WTF::HashTraits<JSC::CompactVariableMapKey>::isDeletedValue):
1726         (JSC::CompactVariableMap::Handle::Handle):
1727         (JSC::CompactVariableMap::Handle::environment const):
1728         (JSC::VariableEnvironment::VariableEnvironment): Deleted.
1729         * runtime/VM.cpp:
1730         (JSC::VM::VM):
1731         * runtime/VM.h:
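
Added example (editor-written, not JSC's CompactVariableMap) of the hash-consing the entry describes: every distinct parent TDZ environment is stored once in a table, and each function holds a reference to the canonical copy instead of its own HashMap. Environment, EnvironmentTable and intern are hypothetical names; the usage constructs the f_1..f_n pattern from the entry with three functions sharing one {V_1, V_2, V_3} environment.

```cpp
#include <algorithm>
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

// A compact environment is just a sorted list of variable names; sorting
// makes two environments with the same variables compare equal.
using Environment = std::vector<std::string>;

struct EnvironmentHash {
    size_t operator()(const Environment& env) const
    {
        size_t h = env.size();
        for (const std::string& name : env)
            h ^= std::hash<std::string>()(name) + 0x9e3779b9 + (h << 6) + (h >> 2);
        return h;
    }
};

// Hypothetical hash-consing table: intern() returns the one canonical copy of
// an environment, creating it only the first time that environment is seen.
class EnvironmentTable {
public:
    std::shared_ptr<const Environment> intern(Environment env)
    {
        std::sort(env.begin(), env.end());
        auto it = m_table.find(env);
        if (it != m_table.end())
            return it->second;
        std::shared_ptr<const Environment> canonical = std::make_shared<Environment>(env);
        m_table.emplace(std::move(env), canonical);
        return canonical;
    }

    size_t size() const { return m_table.size(); }

private:
    std::unordered_map<Environment, std::shared_ptr<const Environment>, EnvironmentHash> m_table;
};

// Stand-in for the per-function record: it keeps a reference, not a copy.
struct FunctionRecord {
    std::string name;
    std::shared_ptr<const Environment> parentTDZVariables;
};

// Build n functions that all close over the same parent scope; the table
// ends up holding a single environment no matter how large n is.
static std::vector<FunctionRecord> makeFunctions(EnvironmentTable& table, size_t n, const Environment& scope)
{
    std::vector<FunctionRecord> functions;
    for (size_t i = 0; i < n; ++i)
        functions.push_back({ "f_" + std::to_string(i + 1), table.intern(scope) });
    return functions;
}
```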
1732
1733 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1734
1735         [DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers
1736         https://bugs.webkit.org/show_bug.cgi?id=185371
1737
1738         Reviewed by Mark Lam.
1739
1740         Since MIPS GPRInfo claims it has only 7 registers, some DFG code exhausts registers.
1741         As a result, we need to maintain separate code for MIPS. This increases the DFG maintenance burden,
1742         but actually MIPS has many more registers.
1743
1744         This patch adds $a0 - $a3 to temporary registers. This is OK since our temporary registers can be overlapped with
1745         argument registers (see ARM, X86 implementations). These registers are caller-save ones, so we do not need to
1746         have extra mechanism.
1747
1748         Then, we remove several unnecessary MIPS code in our JIT infrastructure.
1749
1750         * dfg/DFGByteCodeParser.cpp:
1751         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1752         * dfg/DFGFixupPhase.cpp:
1753         (JSC::DFG::FixupPhase::fixupNode):
1754         * dfg/DFGSpeculativeJIT32_64.cpp:
1755         (JSC::DFG::SpeculativeJIT::compile):
1756         * jit/CCallHelpers.h:
1757         * jit/GPRInfo.h:
1758         (JSC::GPRInfo::toRegister):
1759         (JSC::GPRInfo::toIndex):
1760         * offlineasm/mips.rb:
1761
1762 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1763
1764         DFG AI should have O(1) clobbering
1765         https://bugs.webkit.org/show_bug.cgi?id=185287
1766
1767         Reviewed by Saam Barati.
1768         
1769         This fixes an old scalability problem in AI. Previously, if we did clobberWorld(), then we
1770         would traverse all of the state available to the AI at that time and clobber it.
1771         
1772         This changes clobberWorld() to be O(1). It just does some math to a clobber epoch.
1773         
1774         This is a ~1% speed-up for compile times.
1775
1776         * JavaScriptCore.xcodeproj/project.pbxproj:
1777         * Sources.txt:
1778         * dfg/DFGAbstractInterpreter.h:
1779         (JSC::DFG::AbstractInterpreter::forNode):
1780         (JSC::DFG::AbstractInterpreter::setForNode):
1781         (JSC::DFG::AbstractInterpreter::clearForNode):
1782         (JSC::DFG::AbstractInterpreter::variables): Deleted.
1783         * dfg/DFGAbstractInterpreterInlines.h:
1784         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1785         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
1786         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
1787         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
1788         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1789         * dfg/DFGAbstractValue.cpp:
1790         (JSC::DFG::AbstractValue::fastForwardToSlow):
1791         * dfg/DFGAbstractValue.h:
1792         (JSC::DFG::AbstractValue::fastForwardTo):
1793         (JSC::DFG::AbstractValue::clobberStructuresFor): Deleted.
1794         (JSC::DFG::AbstractValue::observeInvalidationPoint): Deleted.
1795         (JSC::DFG::AbstractValue::observeInvalidationPointFor): Deleted.
1796         * dfg/DFGAbstractValueClobberEpoch.cpp: Added.
1797         (JSC::DFG::AbstractValueClobberEpoch::dump const):
1798         * dfg/DFGAbstractValueClobberEpoch.h: Added.
1799         (JSC::DFG::AbstractValueClobberEpoch::AbstractValueClobberEpoch):
1800         (JSC::DFG::AbstractValueClobberEpoch::first):
1801         (JSC::DFG::AbstractValueClobberEpoch::clobber):
1802         (JSC::DFG::AbstractValueClobberEpoch::observeInvalidationPoint):
1803         (JSC::DFG::AbstractValueClobberEpoch::operator== const):
1804         (JSC::DFG::AbstractValueClobberEpoch::operator!= const):
1805         (JSC::DFG::AbstractValueClobberEpoch::structureClobberState const):
1806         (JSC::DFG::AbstractValueClobberEpoch::clobberEpoch const):
1807         * dfg/DFGAtTailAbstractState.h:
1808         (JSC::DFG::AtTailAbstractState::setForNode):
1809         (JSC::DFG::AtTailAbstractState::clearForNode):
1810         (JSC::DFG::AtTailAbstractState::numberOfArguments const):
1811         (JSC::DFG::AtTailAbstractState::numberOfLocals const):
1812         (JSC::DFG::AtTailAbstractState::operand):
1813         (JSC::DFG::AtTailAbstractState::local):
1814         (JSC::DFG::AtTailAbstractState::argument):
1815         (JSC::DFG::AtTailAbstractState::clobberStructures):
1816         (JSC::DFG::AtTailAbstractState::observeInvalidationPoint):
1817         (JSC::DFG::AtTailAbstractState::variables): Deleted.
1818         * dfg/DFGCFAPhase.cpp:
1819         (JSC::DFG::CFAPhase::performBlockCFA):
1820         * dfg/DFGConstantFoldingPhase.cpp:
1821         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1822         * dfg/DFGFlowMap.h:
1823         (JSC::DFG::FlowMap::at):
1824         (JSC::DFG::FlowMap::atShadow):
1825         (JSC::DFG::FlowMap::at const):
1826         (JSC::DFG::FlowMap::atShadow const):
1827         * dfg/DFGInPlaceAbstractState.cpp:
1828         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1829         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1830         * dfg/DFGInPlaceAbstractState.h:
1831         (JSC::DFG::InPlaceAbstractState::forNode):
1832         (JSC::DFG::InPlaceAbstractState::setForNode):
1833         (JSC::DFG::InPlaceAbstractState::clearForNode):
1834         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
1835         (JSC::DFG::InPlaceAbstractState::numberOfArguments const):
1836         (JSC::DFG::InPlaceAbstractState::numberOfLocals const):
1837         (JSC::DFG::InPlaceAbstractState::operand):
1838         (JSC::DFG::InPlaceAbstractState::local):
1839         (JSC::DFG::InPlaceAbstractState::argument):
1840         (JSC::DFG::InPlaceAbstractState::variableAt):
1841         (JSC::DFG::InPlaceAbstractState::clobberStructures):
1842         (JSC::DFG::InPlaceAbstractState::observeInvalidationPoint):
1843         (JSC::DFG::InPlaceAbstractState::fastForward):
1844         (JSC::DFG::InPlaceAbstractState::variables): Deleted.
1845         * dfg/DFGSpeculativeJIT64.cpp:
1846         (JSC::DFG::SpeculativeJIT::compile):
1847         * ftl/FTLLowerDFGToB3.cpp:
1848         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
1849
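
Added example (editor-written, not the DFG's AbstractValue or AbstractValueClobberEpoch code) of the epoch trick the entry describes: clobberWorld() bumps one counter instead of walking every abstract value, and a value that is read later fast-forwards itself if its recorded epoch is stale. The AbstractState, setForNode, forNode and fastForwardTo names mirror the entry's vocabulary but the bodies are hypothetical; which facts survive a clobber (here: a known constant) and which do not (a known structure) are chosen for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical abstract value: a structure guess that a clobber must drop,
// and a constant that survives because clobbering cannot change a constant.
struct AbstractValue {
    bool hasKnownStructure = false;
    bool hasConstant = false;
    int constant = 0;
    uint32_t epoch = 0; // epoch in which this value was last written

    // Lazily apply every clobber that happened since this value was written.
    // O(1) per read, and only values that are actually read pay anything.
    void fastForwardTo(uint32_t currentEpoch)
    {
        if (epoch == currentEpoch)
            return;
        hasKnownStructure = false;
        epoch = currentEpoch;
    }
};

class AbstractState {
public:
    explicit AbstractState(size_t nodeCount) : m_values(nodeCount) { }

    void setForNode(size_t node, bool knownStructure, bool hasConstant, int constant)
    {
        AbstractValue& value = m_values[node];
        value.hasKnownStructure = knownStructure;
        value.hasConstant = hasConstant;
        value.constant = constant;
        value.epoch = m_epoch; // written now, so it is current
    }

    // The whole point: nothing is traversed, the epoch just moves forward.
    void clobberWorld() { ++m_epoch; }

    AbstractValue& forNode(size_t node)
    {
        AbstractValue& value = m_values[node];
        value.fastForwardTo(m_epoch);
        return value;
    }

    uint32_t epoch() const { return m_epoch; }

private:
    uint32_t m_epoch = 1;
    std::vector<AbstractValue> m_values;
};
```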
1850 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
1851
1852         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
1853         https://bugs.webkit.org/show_bug.cgi?id=185365
1854
1855         Reviewed by Saam Barati.
1856         
1857         This patch does three things to improve compile times:
1858         
1859         - Fixes some inlining goofs.
1860         
1861         - Adds the ability to measure compile times with run-jsc-benchmarks.
1862         
1863         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
1864           code that clears abstract values. It turns out that only constant folding "needed" this, in the
1865           sense that this was the only thing protecting it from loading the abstract value of a no-result
1866           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
1867           Any node that produces a result will explicitly set its abstract value, so this problem can
1868           also be guarded by just having constant folding check if the node it wants to fold returns any
1869           result.
1870         
1871         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
1872
1873         * dfg/DFGAbstractInterpreterInlines.h:
1874         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1875         * dfg/DFGAbstractValue.cpp:
1876         (JSC::DFG::AbstractValue::set):
1877         * dfg/DFGAbstractValue.h:
1878         (JSC::DFG::AbstractValue::merge):
1879         * dfg/DFGConstantFoldingPhase.cpp:
1880         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1881         * dfg/DFGGraph.h:
1882         (JSC::DFG::Graph::doToChildrenWithNode):
1883         (JSC::DFG::Graph::doToChildren):
1884         * dfg/DFGInPlaceAbstractState.cpp:
1885         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1886         * jit/JIT.cpp:
1887         (JSC::JIT::totalCompileTime):
1888         * jit/JIT.h:
1889         * jsc.cpp:
1890         (GlobalObject::finishCreation):
1891         (functionTotalCompileTime):
1892
1893 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1894
1895         DFG AI doesn't need to merge valuesAtTail - it can just assign them
1896         https://bugs.webkit.org/show_bug.cgi?id=185355
1897
1898         Reviewed by Mark Lam.
1899         
1900         This is a further attempt to improve compile times. Assigning AbstractValue ought to always
1901         be faster than merging. There's no need to merge valuesAtTail. In most cases, assigning and
1902         merging will get the same answer because the value computed this time will be either the same
1903         as or more general than the value computed last time. If the value does change for some
1904         reason, then valuesAtHead are already merged, which ensures monotonicity. Also, if the value
1905         changes, then we have no reason to believe that this new value is less right than the last
1906         one we computed. Finally, the one client of valuesAtTail (AtTailAbstractState) doesn't care
1907         if it's getting the merged valuesAtTail or just some correct answer for valuesAtTail.
1908
1909         * dfg/DFGInPlaceAbstractState.cpp:
1910         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1911
1912 2018-05-07  Andy VanWagoner  <andy@vanwagoner.family>
1913
1914         Remove defunct email address
1915         https://bugs.webkit.org/show_bug.cgi?id=185396
1916
1917         Reviewed by Mark Lam.
1918
1919         The email address thetalecrafter@gmail.com is no longer valid, as the
1920         associated google account has been closed. This updates the email
1921         address so questions about these Intl contributions go to the right
1922         place.
1923
1924         * builtins/DatePrototype.js:
1925         * builtins/NumberPrototype.js:
1926         * builtins/StringPrototype.js:
1927         * runtime/IntlCollator.cpp:
1928         * runtime/IntlCollator.h:
1929         * runtime/IntlCollatorConstructor.cpp:
1930         * runtime/IntlCollatorConstructor.h:
1931         * runtime/IntlCollatorPrototype.cpp:
1932         * runtime/IntlCollatorPrototype.h:
1933         * runtime/IntlDateTimeFormat.cpp:
1934         * runtime/IntlDateTimeFormat.h:
1935         * runtime/IntlDateTimeFormatConstructor.cpp:
1936         * runtime/IntlDateTimeFormatConstructor.h:
1937         * runtime/IntlDateTimeFormatPrototype.cpp:
1938         * runtime/IntlDateTimeFormatPrototype.h:
1939         * runtime/IntlNumberFormat.cpp:
1940         * runtime/IntlNumberFormat.h:
1941         * runtime/IntlNumberFormatConstructor.cpp:
1942         * runtime/IntlNumberFormatConstructor.h:
1943         * runtime/IntlNumberFormatPrototype.cpp:
1944         * runtime/IntlNumberFormatPrototype.h:
1945         * runtime/IntlObject.cpp:
1946         * runtime/IntlObject.h:
1947         * runtime/IntlPluralRules.cpp:
1948         * runtime/IntlPluralRules.h:
1949         * runtime/IntlPluralRulesConstructor.cpp:
1950         * runtime/IntlPluralRulesConstructor.h:
1951         * runtime/IntlPluralRulesPrototype.cpp:
1952         * runtime/IntlPluralRulesPrototype.h:
1953
1954 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1955
1956         [JSC] Remove "using namespace std;" from JSC, bmalloc, WTF
1957         https://bugs.webkit.org/show_bug.cgi?id=185362
1958
1959         Reviewed by Sam Weinig.
1960
1961         "namespace std" may include many names. It can conflict with names defined by our code
1962         and by other platform-provided headers. For example, std::byte conflicts with Windows'
1963         ::byte.
1964         This patch removes "using namespace std;" from JSC and bmalloc.
1965
1966         * API/JSClassRef.cpp:
1967         (OpaqueJSClass::create):
1968         * bytecode/Opcode.cpp:
1969         * bytecompiler/BytecodeGenerator.cpp:
1970         (JSC::BytecodeGenerator::newRegister):
1971         * heap/Heap.cpp:
1972         (JSC::Heap::updateAllocationLimits):
1973         * interpreter/Interpreter.cpp:
1974         * jit/JIT.cpp:
1975         * parser/Parser.cpp:
1976         * runtime/JSArray.cpp:
1977         * runtime/JSLexicalEnvironment.cpp:
1978         * runtime/JSModuleEnvironment.cpp:
1979         * runtime/Structure.cpp:
1980         * shell/DLLLauncherMain.cpp:
1981         (getStringValue):
1982         (applePathFromRegistry):
1983         (appleApplicationSupportDirectory):
1984         (copyEnvironmentVariable):
1985         (prependPath):
1986         (fatalError):
1987         (directoryExists):
1988         (modifyPath):
1989         (getLastErrorString):
1990         (wWinMain):
1991
1992 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1993
1994         DFG CFA phase should only do clobber asserts in debug
1995         https://bugs.webkit.org/show_bug.cgi?id=185354
1996
1997         Reviewed by Saam Barati.
1998         
1999         Clobber asserts are responsible for 1% of compile time. That's too much. This disables them
2000         unless asserts are enabled.
2001
2002         * dfg/DFGCFAPhase.cpp:
2003         (JSC::DFG::CFAPhase::performBlockCFA):
2004
2005 2018-05-04  Keith Miller  <keith_miller@apple.com>
2006
2007         isCacheableArrayLength should return true for undecided arrays
2008         https://bugs.webkit.org/show_bug.cgi?id=185309
2009
2010         Reviewed by Michael Saboff.
2011
2012         Undecided arrays have butterflies so there is no reason why we
2013         should not be able to cache their length.
2014
2015         * bytecode/InlineAccess.cpp:
2016         (JSC::InlineAccess::isCacheableArrayLength):
2017
2018 2018-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2019
2020         Remove std::random_shuffle
2021         https://bugs.webkit.org/show_bug.cgi?id=185292
2022
2023         Reviewed by Darin Adler.
2024
2025         std::random_shuffle is deprecated in C++14 and removed in C++17,
2026         since std::random_shuffle relies on rand and srand.
2027         Use std::shuffle instead.
2028
2029         * jit/BinarySwitch.cpp:
2030         (JSC::RandomNumberGenerator::RandomNumberGenerator):
2031         (JSC::RandomNumberGenerator::operator()):
2032         (JSC::RandomNumberGenerator::min):
2033         (JSC::RandomNumberGenerator::max):
2034         (JSC::BinarySwitch::build):
2035
2036 2018-05-03  Saam Barati  <sbarati@apple.com>
2037
2038         Don't prevent CreateThis being folded to NewObject when the structure is poly proto
2039         https://bugs.webkit.org/show_bug.cgi?id=185177
2040
2041         Reviewed by Filip Pizlo.
2042
2043         This patch teaches the DFG/FTL how to constant fold CreateThis with
2044         a known poly proto Structure to NewObject. We do it by emitting a NewObject
2045         followed by a PutByOffset for the prototype value.
2046         
2047         We make it so that ObjectAllocationProfile holds the prototype value.
2048         This is sound because JSFunction clears that profile when its 'prototype'
2049         field changes.
2050         
2051         This patch also renames underscoreProtoPrivateName to polyProtoName since
2052         that name was nonsensical: it was only used for poly proto.
2053         
2054         This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
2055         regressed that benchmark when I first introduced poly proto.
2056
2057         * builtins/BuiltinNames.cpp:
2058         * builtins/BuiltinNames.h:
2059         (JSC::BuiltinNames::BuiltinNames):
2060         (JSC::BuiltinNames::polyProtoName const):
2061         (JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
2062         * bytecode/ObjectAllocationProfile.h:
2063         (JSC::ObjectAllocationProfile::prototype):
2064         (JSC::ObjectAllocationProfile::clear):
2065         (JSC::ObjectAllocationProfile::visitAggregate):
2066         * bytecode/ObjectAllocationProfileInlines.h:
2067         (JSC::ObjectAllocationProfile::initializeProfile):
2068         * dfg/DFGAbstractInterpreterInlines.h:
2069         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2070         * dfg/DFGByteCodeParser.cpp:
2071         (JSC::DFG::ByteCodeParser::parseBlock):
2072         * dfg/DFGConstantFoldingPhase.cpp:
2073         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2074         * dfg/DFGOperations.cpp:
2075         * runtime/CommonSlowPaths.cpp:
2076         (JSC::SLOW_PATH_DECL):
2077         * runtime/FunctionRareData.h:
2078         * runtime/Structure.cpp:
2079         (JSC::Structure::create):
2080
2081 2018-05-03  Michael Saboff  <msaboff@apple.com>
2082
2083         OSR entry pruning of Program Bytecodes doesn't take into account try/catch
2084         https://bugs.webkit.org/show_bug.cgi?id=185281
2085
2086         Reviewed by Saam Barati.
2087
2088         When we compute bytecode block reachability, we need to take into account blocks
2089         containing try/catch.
2090
2091         * jit/JIT.cpp:
2092         (JSC::JIT::privateCompileMainPass):
2093
2094 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2095
2096         ARM: Wrong offset for operand rt in disassembler
2097         https://bugs.webkit.org/show_bug.cgi?id=184083
2098
2099         Reviewed by Yusuke Suzuki.
2100
2101         * disassembler/ARMv7/ARMv7DOpcode.h:
2102         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
2103         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):
2104
2105 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2106
2107         ARM: Support vstr in disassembler
2108         https://bugs.webkit.org/show_bug.cgi?id=184084
2109
2110         Reviewed by Yusuke Suzuki.
2111
2112         * disassembler/ARMv7/ARMv7DOpcode.cpp:
2113         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format):
2114         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted.
2115         * disassembler/ARMv7/ARMv7DOpcode.h:
2116         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName):
2117         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted.
2118         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted.
2119         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted.
2120         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted.
2121         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted.
2122         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted.
2123
2124 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2125
2126         Invoke ensureArrayStorage for all arguments
2127         https://bugs.webkit.org/show_bug.cgi?id=185247
2128
2129         Reviewed by Yusuke Suzuki.
2130
2131         ensureArrayStorage was only invoked for the first argument in each loop iteration.
2132
2133         * jsc.cpp:
2134         (functionEnsureArrayStorage):
2135
2136 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
2137
2138         Make it easy to log compile times for all optimizing tiers
2139         https://bugs.webkit.org/show_bug.cgi?id=185270
2140
2141         Reviewed by Keith Miller.
2142         
2143         This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common
2144         helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used
2145         it.
2146         
2147         This should help us reduce compile times by telling us where to look. So far, it looks like
2148         CFA is the worst.
2149
2150         * JavaScriptCore.xcodeproj/project.pbxproj:
2151         * Sources.txt:
2152         * b3/B3Common.cpp:
2153         (JSC::B3::shouldMeasurePhaseTiming): Deleted.
2154         * b3/B3Common.h:
2155         * b3/B3TimingScope.cpp: Removed.
2156         * b3/B3TimingScope.h:
2157         (JSC::B3::TimingScope::TimingScope):
2158         * dfg/DFGPhase.h:
2159         (JSC::DFG::runAndLog):
2160         * dfg/DFGPlan.cpp:
2161         (JSC::DFG::Plan::compileInThread):
2162         * tools/CompilerTimingScope.cpp: Added.
2163         (JSC::CompilerTimingScope::CompilerTimingScope):
2164         (JSC::CompilerTimingScope::~CompilerTimingScope):
2165         * tools/CompilerTimingScope.h: Added.
2166         * runtime/Options.cpp:
2167         (JSC::recomputeDependentOptions):
2168         * runtime/Options.h:
2169
2170 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
2171
2172         Strings should not be allocated in a gigacage
2173         https://bugs.webkit.org/show_bug.cgi?id=185218
2174
2175         Reviewed by Saam Barati.
2176
2177         * runtime/JSBigInt.cpp:
2178         (JSC::JSBigInt::toStringGeneric):
2179         * runtime/JSString.cpp:
2180         (JSC::JSRopeString::resolveRopeToAtomicString const):
2181         (JSC::JSRopeString::resolveRope const):
2182         * runtime/JSString.h:
2183         (JSC::JSString::create):
2184         (JSC::JSString::createHasOtherOwner):
2185         * runtime/VM.h:
2186         (JSC::VM::gigacageAuxiliarySpace):
2187
2188 2018-05-03  Keith Miller  <keith_miller@apple.com>
2189
2190         Unreviewed, fix 32-bit profile offset for change in bytecode
2191         length of the get_by_id and get_array_length opcodes.
2192
2193         * llint/LowLevelInterpreter32_64.asm:
2194
2195 2018-05-03  Michael Saboff  <msaboff@apple.com>
2196
2197         WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript
2198         https://bugs.webkit.org/show_bug.cgi?id=185231
2199
2200         Reviewed by Saam Barati.
2201
2202         We weren't clearing the scratch register cache when switching back and forth between 
2203         allowing scratch register usage.  We disallow scratch register usage when we are in
2204         code that will freely allocate and use any register.  Such usage can change the
2205         contents of scratch registers.  For ARM64, where we cache the contents of scratch
2206         registers to reuse some or all of the contained values, we need to invalidate these
2207         caches.  We do this when re-enabling scratch register usage, that is when we transition
2208         from disallow to allow scratch register usage.
2209
2210         Added a new Air regression test.
2211
2212         * assembler/AllowMacroScratchRegisterUsage.h:
2213         (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage):
2214         * assembler/AllowMacroScratchRegisterUsageIf.h:
2215         (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
2216         * assembler/DisallowMacroScratchRegisterUsage.h:
2217         (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage):
2218         * b3/air/testair.cpp:
2219
2220 2018-05-03  Keith Miller  <keith_miller@apple.com>
2221
2222         Remove the prototype caching for get_by_id in the LLInt
2223         https://bugs.webkit.org/show_bug.cgi?id=185226
2224
2225         Reviewed by Michael Saboff.
2226
2227         There is no evidence that this is actually a speedup and we keep
2228         getting bugs with it. At this point it seems like we should just
2229         remove this code.
2230
2231         * CMakeLists.txt:
2232         * JavaScriptCore.xcodeproj/project.pbxproj:
2233         * Sources.txt:
2234         * bytecode/BytecodeDumper.cpp:
2235         (JSC::BytecodeDumper<Block>::printGetByIdOp):
2236         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
2237         (JSC::BytecodeDumper<Block>::dumpBytecode):
2238         * bytecode/BytecodeList.json:
2239         * bytecode/BytecodeUseDef.h:
2240         (JSC::computeUsesForBytecodeOffset):
2241         (JSC::computeDefsForBytecodeOffset):
2242         * bytecode/CodeBlock.cpp:
2243         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2244         * bytecode/CodeBlock.h:
2245         (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
2246         * bytecode/GetByIdStatus.cpp:
2247         (JSC::GetByIdStatus::computeFromLLInt):
2248         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
2249         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
2250         * bytecompiler/BytecodeGenerator.cpp:
2251         (JSC::BytecodeGenerator::emitGetById):
2252         * dfg/DFGByteCodeParser.cpp:
2253         (JSC::DFG::ByteCodeParser::parseBlock):
2254         * dfg/DFGCapabilities.cpp:
2255         (JSC::DFG::capabilityLevel):
2256         * jit/JIT.cpp:
2257         (JSC::JIT::privateCompileMainPass):
2258         (JSC::JIT::privateCompileSlowCases):
2259         * llint/LLIntSlowPaths.cpp:
2260         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2261         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
2262         * llint/LowLevelInterpreter32_64.asm:
2263         * llint/LowLevelInterpreter64.asm:
2264         * runtime/Options.h:
2265
2266 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
2267
2268         Unreviewed, rolling out r231197.
2269
2270         The test added with this change crashes on the 32-bit JSC bot.
2271
2272         Reverted changeset:
2273
2274         "Correctly detect string overflow when using the 'Function'
2275         constructor"
2276         https://bugs.webkit.org/show_bug.cgi?id=184883
2277         https://trac.webkit.org/changeset/231197
2278
2279 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2280
2281         Disable usage of fused multiply-add instructions for JSC with compiler flag
2282         https://bugs.webkit.org/show_bug.cgi?id=184909
2283
2284         Reviewed by Yusuke Suzuki.
2285
2286         Adds -ffp-contract as a compiler flag for building JSC. This ensures that functions
2287         like parseInt() do not return slightly different results depending on whether the
2288         compiler was able to use fused multiply-add instructions or not.
2289
2290         * CMakeLists.txt:
2291
2292 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2293
2294         Unreviewed, fix build failure in ARM, ARMv7 and MIPS
2295         https://bugs.webkit.org/show_bug.cgi?id=185192
2296
2297         compareDouble relies on the MacroAssembler::invert function.
2298
2299         * assembler/MacroAssembler.h:
2300         (JSC::MacroAssembler::compareDouble):
2301         * assembler/MacroAssemblerARM.h:
2302         (JSC::MacroAssemblerARM::compareDouble): Deleted.
2303         * assembler/MacroAssemblerARMv7.h:
2304         (JSC::MacroAssemblerARMv7::compareDouble): Deleted.
2305         * assembler/MacroAssemblerMIPS.h:
2306         (JSC::MacroAssemblerMIPS::compareDouble): Deleted.
2307
2308 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2309
2310         [JSC] Add MacroAssembler::and16 and store16
2311         https://bugs.webkit.org/show_bug.cgi?id=185188
2312
2313         Reviewed by Mark Lam.
2314
2315         r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations.
2316         This patch adds these methods for ARM.
2317
2318         * assembler/MacroAssemblerARM.h:
2319         (JSC::MacroAssemblerARM::and16):
2320         (JSC::MacroAssemblerARM::store16):
2321
2322 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2323
2324         [DFG] Unify compare related code in 32bit and 64bit
2325         https://bugs.webkit.org/show_bug.cgi?id=185189
2326
2327         Reviewed by Mark Lam.
2328
2329         This patch unifies some parts of the compare-related code in 32bit and 64bit
2330         to reduce the size of 32bit specific DFG code.
2331
2332         * dfg/DFGSpeculativeJIT.cpp:
2333         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
2334         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
2335         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2336         * dfg/DFGSpeculativeJIT32_64.cpp:
2337         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
2338         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
2339         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
2340         * dfg/DFGSpeculativeJIT64.cpp:
2341         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
2342         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
2343         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
2344
2345 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2346
2347         [JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64
2348         https://bugs.webkit.org/show_bug.cgi?id=185192
2349
2350         Reviewed by Mark Lam.
2351
2352         Now Object.is starts using compareDouble. So we would like to have an
2353         efficient implementation of compareDouble and compareFloat for the
2354         major architectures, ARM64, X86, and X86_64.
2355
2356         This patch adds compareDouble and compareFloat implementations for
2357         these architectures. And the generic implementation is moved to each
2358         architecture's MacroAssembler implementation.
2359
2360         We also add tests for them in testmasm. To implement this test
2361         easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the
2362         major architectures.
2363
2364         * assembler/MacroAssembler.h:
2365         (JSC::MacroAssembler::compareDouble): Deleted.
2366         (JSC::MacroAssembler::compareFloat): Deleted.
2367         * assembler/MacroAssemblerARM.h:
2368         (JSC::MacroAssemblerARM::compareDouble):
2369         * assembler/MacroAssemblerARM64.h:
2370         (JSC::MacroAssemblerARM64::compareDouble):
2371         (JSC::MacroAssemblerARM64::compareFloat):
2372         (JSC::MacroAssemblerARM64::loadFloat):
2373         (JSC::MacroAssemblerARM64::floatingPointCompare):
2374         * assembler/MacroAssemblerARMv7.h:
2375         (JSC::MacroAssemblerARMv7::compareDouble):
2376         * assembler/MacroAssemblerMIPS.h:
2377         (JSC::MacroAssemblerMIPS::compareDouble):
2378         * assembler/MacroAssemblerX86Common.h:
2379         (JSC::MacroAssemblerX86Common::loadFloat):
2380         (JSC::MacroAssemblerX86Common::compareDouble):
2381         (JSC::MacroAssemblerX86Common::compareFloat):
2382         (JSC::MacroAssemblerX86Common::floatingPointCompare):
2383         * assembler/X86Assembler.h:
2384         (JSC::X86Assembler::movss_mr):
2385         (JSC::X86Assembler::movss_rm):
2386         * assembler/testmasm.cpp:
2387         (JSC::floatOperands):
2388         (JSC::testCompareFloat):
2389         (JSC::run):
2390
2391 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2392
2393         Unreviewed, fix 32bit DFG code
2394         https://bugs.webkit.org/show_bug.cgi?id=185065
2395
2396         * dfg/DFGSpeculativeJIT.cpp:
2397         (JSC::DFG::SpeculativeJIT::compileSameValue):
2398
2399 2018-05-02  Filip Pizlo  <fpizlo@apple.com>
2400
2401         JSC should know how to cache custom getter accesses on the prototype chain
2402         https://bugs.webkit.org/show_bug.cgi?id=185213
2403
2404         Reviewed by Keith Miller.
2405
2406         This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test.
2407
2408         * jit/Repatch.cpp:
2409         (JSC::tryCacheGetByID):
2410
2411 2018-05-01  Filip Pizlo  <fpizlo@apple.com>
2412
2413         JSC should be able to cache custom setter calls on the prototype chain
2414         https://bugs.webkit.org/show_bug.cgi?id=185174
2415
2416         Reviewed by Saam Barati.
2417
2418         We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty()
2419         condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add
2420         impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead
2421         of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for
2422         custom accessors because it won't find the custom property in the structure.
2423
2424         The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty().
2425
2426         This is a 4x speed-up on assign-custom-setter.js.
2427
2428         * bytecode/AccessCase.cpp:
2429         (JSC::AccessCase::hasAlternateBase const):
2430         (JSC::AccessCase::alternateBase const):
2431         (JSC::AccessCase::generateImpl):
2432         * bytecode/AccessCase.h:
2433         (JSC::AccessCase::alternateBase const): Deleted.
2434         * bytecode/GetterSetterAccessCase.cpp:
2435         (JSC::GetterSetterAccessCase::hasAlternateBase const):
2436         (JSC::GetterSetterAccessCase::alternateBase const):
2437         * bytecode/GetterSetterAccessCase.h:
2438         * bytecode/ObjectPropertyConditionSet.cpp:
2439         (JSC::generateConditionsForPrototypePropertyHitCustom):
2440         * bytecode/ObjectPropertyConditionSet.h:
2441         * jit/Repatch.cpp:
2442         (JSC::tryCacheGetByID):
2443         (JSC::tryCachePutByID):
2444
2445 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
2446
2447         [MIPS] Implement and16 and store16 for MacroAssemblerMIPS
2448         https://bugs.webkit.org/show_bug.cgi?id=185195
2449
2450         Reviewed by Mark Lam.
2451
2452         This implements the given function for MIPS, such that it builds again.
2453
2454         * assembler/MacroAssemblerMIPS.h:
2455         (JSC::MacroAssemblerMIPS::and16):
2456         (JSC::MacroAssemblerMIPS::store16):
2457
2458 2018-05-02  Rick Waldron  <waldron.rick@gmail.com>
2459
2460         Expose "$262.agent.monotonicNow()" for use in testing Atomic operation timeouts
2461         https://bugs.webkit.org/show_bug.cgi?id=185043
2462
2463         Reviewed by Filip Pizlo.
2464
2465         * jsc.cpp:
2466         (GlobalObject::finishCreation):
2467         (functionDollarAgentMonotonicNow):
2468
2469 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
2470
2471         [ARM] Implement and16 and store16 for MacroAssemblerARMv7
2472         https://bugs.webkit.org/show_bug.cgi?id=185196
2473
2474         Reviewed by Mark Lam.
2475
2476         This implements and16 and store16 for MacroAssemblerARMv7 such that JSC builds again.
2477
2478         * assembler/MacroAssemblerARMv7.h:
2479         (JSC::MacroAssemblerARMv7::and16):
2480         (JSC::MacroAssemblerARMv7::store16):
2481
2482 2018-05-02  Robin Morisset  <rmorisset@apple.com>
2483
2484         emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
2485         https://bugs.webkit.org/show_bug.cgi?id=183172
2486
2487         Reviewed by Filip Pizlo.
2488
2489         DFGArgumentsEliminationPhase.cpp currently believes that allocations of NewArrayWithSpread can be deleted if they are only used by GetArrayLength,
2490         but when it then calls emitCodeToGetArgumentsArrayLength, the latter has no idea what to do with GetArrayLength.
2491
2492         I fix the problem by teaching emitCodeToGetArgumentsArrayLength how to deal with GetArrayLength.
2493         Because this requires emitting an Add that can overflow and thus exit, we also tell DFGArgumentsEliminationPhase to give up on eliminating
2494         a NewArrayWithSpread when it is used by a GetArrayLength that is not allowed to exit.
2495
2496         * dfg/DFGArgumentsEliminationPhase.cpp:
2497         * dfg/DFGArgumentsUtilities.cpp:
2498         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2499
2500 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2501
2502         Unreviewed, stackPointer signature is different from declaration
2503         https://bugs.webkit.org/show_bug.cgi?id=184790
2504
2505         * runtime/MachineContext.h:
2506         (JSC::MachineContext::stackPointer):
2507
2508 2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2509
2510         [JSC] Add SameValue DFG node
2511         https://bugs.webkit.org/show_bug.cgi?id=185065
2512
2513         Reviewed by Saam Barati.
2514
2515         This patch adds Object.is handling in DFG and FTL. Object.is is converted to SameValue DFG node.
2516         And DFG fixup phase attempts to convert SameValue node to CompareStrictEq with type filter edges
2517         if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics
2518         from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have
2519         implementations for these SameValue nodes.
2520
2521         The old MacroAssemblerX86Common::compareDouble was dead code since the derived class, "MacroAssembler",
2522         has a generalized compareDouble, which just uses branchDouble. Since this was not used, this function
2523         was broken. This patch fixes the issues and moves compareDouble to MacroAssemblerX86Common, and removes the
2524         generalized compareDouble for the x86 arch to use this specialized efficient version instead. The fixes are
2525         correctly using set32 to zero-extend the result, and setting the initial value of the `dest` register
2526         correctly for the DoubleEqual and DoubleNotEqualOrUnordered cases.
2527
2528         The added microbenchmark shows a performance improvement.
2529
2530             object-is           651.0053+-38.8204    ^    241.3467+-15.8753       ^ definitely 2.6974x faster
2531
2532         * assembler/MacroAssembler.h:
2533         * assembler/MacroAssemblerX86Common.h:
2534         (JSC::MacroAssemblerX86Common::compareDouble):
2535         * assembler/MacroAssemblerX86_64.h:
2536         (JSC::MacroAssemblerX86_64::compareDouble): Deleted.
2537         * assembler/testmasm.cpp:
2538         (JSC::doubleOperands):
2539         (JSC::testCompareDouble):
2540         (JSC::run):
2541         * dfg/DFGAbstractInterpreterInlines.h:
2542         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2543         * dfg/DFGByteCodeParser.cpp:
2544         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2545         * dfg/DFGClobberize.h:
2546         (JSC::DFG::clobberize):
2547         * dfg/DFGConstantFoldingPhase.cpp:
2548         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2549         * dfg/DFGDoesGC.cpp:
2550         (JSC::DFG::doesGC):
2551         * dfg/DFGFixupPhase.cpp:
2552         (JSC::DFG::FixupPhase::fixupNode):
2553         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2554         * dfg/DFGNodeType.h:
2555         * dfg/DFGOperations.cpp:
2556         * dfg/DFGOperations.h:
2557         * dfg/DFGPredictionPropagationPhase.cpp:
2558         * dfg/DFGSafeToExecute.h:
2559         (JSC::DFG::safeToExecute):
2560         * dfg/DFGSpeculativeJIT.cpp:
2561         (JSC::DFG::SpeculativeJIT::compileSameValue):
2562         * dfg/DFGSpeculativeJIT.h:
2563         * dfg/DFGSpeculativeJIT32_64.cpp:
2564         (JSC::DFG::SpeculativeJIT::compile):
2565         * dfg/DFGSpeculativeJIT64.cpp:
2566         (JSC::DFG::SpeculativeJIT::compile):
2567         * dfg/DFGValidate.cpp:
2568         * ftl/FTLCapabilities.cpp:
2569         (JSC::FTL::canCompile):
2570         * ftl/FTLLowerDFGToB3.cpp:
2571         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2572         (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
2573         * runtime/Intrinsic.cpp:
2574         (JSC::intrinsicName):
2575         * runtime/Intrinsic.h:
2576         * runtime/ObjectConstructor.cpp:
2577
2578 2018-04-30  Filip Pizlo  <fpizlo@apple.com>
2579
2580         B3::demoteValues should be able to handle patchpoint terminals
2581         https://bugs.webkit.org/show_bug.cgi?id=185151
2582
2583         Reviewed by Saam Barati.
2584         
2585         If we try to demote a patchpoint terminal then prior to this change we would append a Set to
2586         the basic block that the patchpoint terminated. That's wrong because then the terminal is no
2587         longer the last thing in the block.
2588         
2589         Air encounters this problem in spilling and solves it by doing a fixup afterwards. We can't
2590         really do that because demotion happens as a prerequisite to other transformations.
2591         
2592         One solution might have been to make demoteValues insert a basic block whenever it encounters
2593         this problem. But that would break clients that do CFG analysis before demoteValues and use
2594         the results of the CFG analysis after demoteValues. Taildup does this. Fortunately, taildup
2595         also runs breakCriticalEdges. Probably anyone using demoteValues will use breakCriticalEdges,
2596         so it's not bad to introduce that requirement.
2597         
2598         So, this patch solves the problem by ensuring that breakCriticalEdges treats any patchpoint
2599         terminal as if it had multiple successors. This means that a patchpoint terminal's successors
2600         will only have it as their predecessor. Then, demoteValues just prepends the Set to the
2601         successors of the patchpoint terminal.
2602         
2603         This was probably asymptomatic. It's hard to write a JS test that triggers this, so I added
2604         a unit test in testb3.
2605
2606         * b3/B3BreakCriticalEdges.cpp:
2607         (JSC::B3::breakCriticalEdges):
2608         * b3/B3BreakCriticalEdges.h:
2609         * b3/B3FixSSA.cpp:
2610         (JSC::B3::demoteValues):
2611         (JSC::B3::fixSSA):
2612         * b3/B3FixSSA.h:
2613         * b3/B3Value.cpp:
2614         (JSC::B3::Value::foldIdentity const):
2615         (JSC::B3::Value::performSubstitution):
2616         * b3/B3Value.h:
2617         * b3/testb3.cpp:
2618         (JSC::B3::testDemotePatchpointTerminal):
2619         (JSC::B3::run):
2620
2621 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2622
2623         Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
2624         https://bugs.webkit.org/show_bug.cgi?id=184772
2625         <rdar://problem/39146327>
2626
2627         Reviewed by Filip Pizlo.
2628
2629         Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399>), where a check was missing.
2630         This patch now makes sure that the check correctly detects if there is an integer overflow.
2631
2632         * runtime/JSArray.cpp:
2633         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2634
2635 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2636
2637         Correctly detect string overflow when using the 'Function' constructor
2638         https://bugs.webkit.org/show_bug.cgi?id=184883
2639         <rdar://problem/36320331>
2640
2641         Reviewed by Filip Pizlo.
2642
2643         The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation.
2644         Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case.
2645
2646         I added new tryAppend methods alongside the old append methods, that return a boolean (true means success, false means an overflow happened).
2647         In this way, it becomes possible for the Function constructor to just throw a proper JS exception when asked to create a string > 4GB.
2648         I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.
2649
2650         * runtime/FunctionConstructor.cpp:
2651         (JSC::constructFunctionSkippingEvalEnabledCheck):
2652         * runtime/JSONObject.cpp:
2653         (JSC::Stringifier::appendStringifiedValue):
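
The two overflow fixes above (the CheckedArithmetic length computation in unshiftCountWithAnyIndexingType and the tryAppend methods used by the 'Function' constructor) share one idea: account the length with checked arithmetic and report failure instead of wrapping or crashing. The C++ below is an added example, not WebKit's code; CheckedUint32, tryComputeUnshiftedLength, TryStringBuilder, tryBuildFunctionSource and checkedAddOverflows are constructed stand-ins for WTF::Checked, the JSArray length check and the WTF tryAppend methods, and the shape of the assembled source text is an assumption.

```cpp
#include <cstdint>
#include <limits>
#include <string>

// Constructed stand-in for a checked 32-bit counter (WTF::Checked<uint32_t>
// in WebKit): the overflow flag is sticky, so once any step overflows the
// value is no longer trusted.
class CheckedUint32 {
public:
    explicit CheckedUint32(uint32_t value = 0) : m_value(value) { }

    CheckedUint32& operator+=(uint64_t rhs)
    {
        const uint32_t maxValue = std::numeric_limits<uint32_t>::max();
        // rhs may be a size_t wider than 32 bits, so reject that first; the
        // second test is the usual wrap check, done without wrapping.
        if (m_overflowed || rhs > maxValue || m_value > maxValue - static_cast<uint32_t>(rhs))
            m_overflowed = true;
        else
            m_value += static_cast<uint32_t>(rhs);
        return *this;
    }

    bool hasOverflowed() const { return m_overflowed; }
    uint32_t unsafeGet() const { return m_value; } // only meaningful if !hasOverflowed()

private:
    uint32_t m_value;
    bool m_overflowed = false;
};

// Hypothetical version of the length computation in unshiftCount: the new
// length is oldLength + count. A plain uint32_t sum would silently wrap to a
// small, valid-looking length; the checked sum makes the wrap visible and
// the function reports it instead of proceeding with a bogus length.
bool tryComputeUnshiftedLength(uint32_t oldLength, uint32_t count, uint32_t& newLength)
{
    CheckedUint32 length(oldLength);
    length += count;
    if (length.hasOverflowed())
        return false;
    // An ECMAScript array length must be strictly below 2^32 - 1.
    if (length.unsafeGet() == std::numeric_limits<uint32_t>::max())
        return false;
    newLength = length.unsafeGet();
    return true;
}

// Hypothetical builder in the spirit of the tryAppend methods: the length is
// accounted with the checked counter before any bytes are copied, so an
// append that would exceed 32 bits returns false and leaves the buffer as it
// was, where the unchecked append path would CRASH().
class TryStringBuilder {
public:
    bool tryAppend(const std::string& piece)
    {
        CheckedUint32 newLength = m_length;
        newLength += piece.size();
        if (newLength.hasOverflowed())
            return false;
        m_buffer += piece;
        m_length = newLength;
        return true;
    }

    const std::string& toString() const { return m_buffer; }

private:
    std::string m_buffer;
    CheckedUint32 m_length;
};

// Assembles the source text a Function-constructor-like caller would parse,
// piece by piece, and propagates the first failed append so the caller can
// throw a JS exception rather than crash. The text layout is an assumption.
bool tryBuildFunctionSource(const std::string& params, const std::string& body, std::string& out)
{
    TryStringBuilder builder;
    const std::string pieces[] = { "(function anonymous(", params, "\n) {\n", body, "\n})" };
    for (const std::string& piece : pieces) {
        if (!builder.tryAppend(piece))
            return false;
    }
    out = builder.toString();
    return true;
}

// Helper for exercising the accounting near the 32-bit limit without
// allocating gigabytes: true when oldLength + extra overflows uint32_t.
bool checkedAddOverflows(uint32_t oldLength, uint64_t extra)
{
    CheckedUint32 sum(oldLength);
    sum += extra;
    return sum.hasOverflowed();
}
```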
2654
2655 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2656
2657         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
2658         https://bugs.webkit.org/show_bug.cgi?id=185162
2659
2660         Reviewed by Filip Pizlo.
2661
2662         * runtime/IntlObject.cpp:
2663         (JSC::removeUnicodeLocaleExtension):
2664
2665 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
2666
2667         Add SetCallee as DFG-Operation
2668         https://bugs.webkit.org/show_bug.cgi?id=184582
2669
2670         Reviewed by Filip Pizlo.
2671
2672         For recursive tail calls not only the argument count can change but also the
2673         callee. Add SetCallee to DFG that sets the callee slot in the current call frame.
2674         Also update the callee when optimizing a recursive tail call.
2675         Enable recursive tail call optimization also for closures.
2676
2677         * dfg/DFGAbstractInterpreterInlines.h:
2678         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2679         * dfg/DFGByteCodeParser.cpp:
2680         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2681         (JSC::DFG::ByteCodeParser::handleCallVariant):
2682         * dfg/DFGClobberize.h:
2683         (JSC::DFG::clobberize):
2684         * dfg/DFGDoesGC.cpp:
2685         (JSC::DFG::doesGC):
2686         * dfg/DFGFixupPhase.cpp:
2687         (JSC::DFG::FixupPhase::fixupNode):
2688         * dfg/DFGMayExit.cpp:
2689         * dfg/DFGNodeType.h:
2690         * dfg/DFGPredictionPropagationPhase.cpp:
2691         * dfg/DFGSafeToExecute.h:
2692         (JSC::DFG::safeToExecute):
2693         * dfg/DFGSpeculativeJIT.cpp:
2694         (JSC::DFG::SpeculativeJIT::compileSetCallee):
2695         * dfg/DFGSpeculativeJIT.h:
2696         * dfg/DFGSpeculativeJIT32_64.cpp:
2697         (JSC::DFG::SpeculativeJIT::compile):
2698         * dfg/DFGSpeculativeJIT64.cpp:
2699         (JSC::DFG::SpeculativeJIT::compile):
2700         * ftl/FTLCapabilities.cpp:
2701         (JSC::FTL::canCompile):
2702         * ftl/FTLLowerDFGToB3.cpp:
2703         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2704         (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):
2705
2706 2018-05-01  Oleksandr Skachkov  <gskachkov@gmail.com>
2707
2708         WebAssembly: add support for stream APIs - JavaScript API
2709         https://bugs.webkit.org/show_bug.cgi?id=183442
2710
2711         Reviewed by Yusuke Suzuki and JF Bastien.
2712
2713         Add the WebAssembly stream API. The current patch only adds the functions
2714         WebAssembly.compileStreaming and WebAssembly.instantiateStreaming, but
2715         does not add a streaming implementation. So in the current version it
2716         only waits for the whole module to load, then starts to parse.
2717
2718         * CMakeLists.txt:
2719         * Configurations/FeatureDefines.xcconfig:
2720         * DerivedSources.make:
2721         * JavaScriptCore.xcodeproj/project.pbxproj:
2722         * builtins/BuiltinNames.h:
2723         * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
2724         (compileStreaming):
2725         (instantiateStreaming):
2726         * jsc.cpp:
2727         * runtime/JSGlobalObject.cpp:
2728         (JSC::JSGlobalObject::init):
2729         * runtime/JSGlobalObject.h:
2730         * runtime/Options.h:
2731         * runtime/PromiseDeferredTimer.cpp:
2732         (JSC::PromiseDeferredTimer::hasPendingPromise):
2733         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
2734         * runtime/PromiseDeferredTimer.h:
2735         * wasm/js/WebAssemblyPrototype.cpp:
2736         (JSC::webAssemblyModuleValidateAsyncInternal):
2737         (JSC::webAssemblyCompileFunc):
2738         (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
2739         (JSC::webAssemblyModuleInstantinateAsyncInternal):
2740         (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
2741         (JSC::webAssemblyCompileStreamingInternal):
2742         (JSC::webAssemblyInstantiateStreamingInternal):
2743         (JSC::WebAssemblyPrototype::create):
2744         (JSC::WebAssemblyPrototype::finishCreation):
2745         * wasm/js/WebAssemblyPrototype.h:
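
        The entry above adds WebAssembly.compileStreaming and WebAssembly.instantiateStreaming. The following is an added example, not JSC code and not part of this ChangeLog: it feature-detects the streaming API, falls back to the buffer-based API where it is absent or the source is not a Response, and compiles a constructed sample module (eight bytes of header plus type, function, export and code sections exporting add(i32, i32) -> i32). The module bytes and function names are the example's own.

```javascript
// Added example (not JSC code): feature-detect WebAssembly.instantiateStreaming
// and fall back to the buffer-based API where it is missing.

// Constructed sample: a minimal wasm module exporting add(i32, i32) -> i32.
const ADD_MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,                   // magic + version
  0x01, 0x07, 0x01, 0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f,             // type 0: (i32, i32) -> i32
  0x03, 0x02, 0x01, 0x00,                                           // func 0 uses type 0
  0x07, 0x07, 0x01, 0x03, 0x61, 0x64, 0x64, 0x00, 0x00,             // export "add" = func 0
  0x0a, 0x09, 0x01, 0x07, 0x00, 0x20, 0x00, 0x20, 0x01, 0x6a, 0x0b, // local.get 0; local.get 1; i32.add; end
]);

// Synchronous path: validate, compile and instantiate bytes already in memory.
function instantiateSync(bytes, imports = {}) {
  if (!WebAssembly.validate(bytes)) {
    throw new WebAssembly.CompileError('invalid module bytes');
  }
  const module = new WebAssembly.Module(bytes);
  return new WebAssembly.Instance(module, imports);
}

// Asynchronous path: prefer instantiateStreaming when the host provides it and the
// source is a Response (the streaming API additionally requires the response to be
// served as Content-Type: application/wasm); otherwise read the body into bytes and
// use the buffer-based WebAssembly.instantiate, which resolves to { module, instance }.
async function instantiateWithFallback(source, imports = {}) {
  const haveStreaming = typeof WebAssembly.instantiateStreaming === 'function';
  const haveResponse = typeof Response === 'function';
  const resolved = await source;
  if (haveStreaming && haveResponse && resolved instanceof Response) {
    return WebAssembly.instantiateStreaming(resolved, imports);
  }
  const bytes = resolved instanceof Uint8Array
    ? resolved
    : new Uint8Array(await resolved.arrayBuffer());
  return WebAssembly.instantiate(bytes, imports);
}
```

        Because the patch only adds the API surface and still waits for the whole body before parsing, the fallback and the streaming path behave the same from the caller's side; the difference is that a streaming-capable host may start compiling while bytes are still arriving.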
2746
2747 2018-04-30  Saam Barati  <sbarati@apple.com>
2748
2749         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
2750         https://bugs.webkit.org/show_bug.cgi?id=185149
2751         <rdar://problem/39455917>
2752
2753         Reviewed by Filip Pizlo.
2754
2755         The bug was that we were deleting checks that we shouldn't have deleted.
2756         This patch makes a helper inside strength reduction that converts to
2757         a LazyJSConstant while maintaining checks, and switches users of the
2758         node API inside strength reduction to instead call the helper function.
2759         
2760         This patch also fixes a potential bug where StringReplace and
2761         StringReplaceRegExp may not preserve all their checks.
2762
2763
2764         * dfg/DFGStrengthReductionPhase.cpp:
2765         (JSC::DFG::StrengthReductionPhase::handleNode):
2766         (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):
2767
2768 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
2769
2770         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
2771         https://bugs.webkit.org/show_bug.cgi?id=185126
2772
2773         Reviewed by Saam Barati.
2774         
2775         This change is just restoring functionality that we've already had for a while. It had been
2776         accidentally broken due to an unrelated CodeBlock refactoring.
2777
2778         * dfg/DFGLICMPhase.cpp:
2779         (JSC::DFG::LICMPhase::attemptHoist):
2780
2781 2018-04-30  Mark Lam  <mark.lam@apple.com>
2782
2783         Apply PtrTags to the MetaAllocator and friends.
2784         https://bugs.webkit.org/show_bug.cgi?id=185110
2785         <rdar://problem/39533895>
2786
2787         Reviewed by Saam Barati.
2788
2789         1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
2790         2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
2791            and add a sanity check to verify that allocated code buffers are within those
2792            bounds.
2793
2794         * assembler/LinkBuffer.cpp:
2795         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
2796         (JSC::LinkBuffer::copyCompactAndLinkCode):
2797         (JSC::LinkBuffer::linkCode):
2798         (JSC::LinkBuffer::allocate):
2799         * assembler/LinkBuffer.h:
2800         (JSC::LinkBuffer::LinkBuffer):
2801         (JSC::LinkBuffer::debugAddress):
2802         (JSC::LinkBuffer::code):
2803         * assembler/MacroAssemblerCodeRef.h:
2804         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
2805         * bytecode/InlineAccess.cpp:
2806         (JSC::linkCodeInline):
2807         (JSC::InlineAccess::rewireStubAsJump):
2808         * dfg/DFGJITCode.cpp:
2809         (JSC::DFG::JITCode::findPC):
2810         * ftl/FTLJITCode.cpp:
2811         (JSC::FTL::JITCode::findPC):
2812         * jit/ExecutableAllocator.cpp:
2813         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2814         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2815         (JSC::ExecutableAllocator::allocate):
2816         * jit/ExecutableAllocator.h:
2817         (JSC::isJITPC):
2818         (JSC::performJITMemcpy):
2819         * jit/JIT.cpp:
2820         (JSC::JIT::link):
2821         * jit/JITMathIC.h:
2822         (JSC::isProfileEmpty):
2823         * runtime/JSCPtrTag.h:
2824         * wasm/WasmCallee.cpp:
2825         (JSC::Wasm::Callee::Callee):
2826         * wasm/WasmFaultSignalHandler.cpp:
2827         (JSC::Wasm::trapHandler):
2828
2829 2018-04-30  Keith Miller  <keith_miller@apple.com>
2830
2831         Move the MayBePrototype JSCell header bit to InlineTypeFlags
2832         https://bugs.webkit.org/show_bug.cgi?id=185143
2833
2834         Reviewed by Mark Lam.
2835
2836         * runtime/IndexingType.h:
2837         * runtime/JSCellInlines.h:
2838         (JSC::JSCell::setStructure):
2839         (JSC::JSCell::mayBePrototype const):
2840         (JSC::JSCell::didBecomePrototype):
2841         * runtime/JSTypeInfo.h:
2842         (JSC::TypeInfo::mayBePrototype):
2843         (JSC::TypeInfo::mergeInlineTypeFlags):
2844
2845 2018-04-30  Keith Miller  <keith_miller@apple.com>
2846
2847         Remove unneeded exception check from String.fromCharCode
2848         https://bugs.webkit.org/show_bug.cgi?id=185083
2849
2850         Reviewed by Mark Lam.
2851
2852         * runtime/StringConstructor.cpp:
2853         (JSC::stringFromCharCode):
2854
2855 2018-04-30  Keith Miller  <keith_miller@apple.com>
2856
2857         Move StructureIsImmortal to out of line flags.
2858         https://bugs.webkit.org/show_bug.cgi?id=185101
2859
2860         Reviewed by Saam Barati.
2861
2862         This will free up a bit in the inline flags where we can move the
2863         isPrototype bit to. This will, in turn, free a bit for use in
2864         implementing copy on write butterflies.
2865
2866         Also, this patch removes an assertion from Structure::typeInfo()
2867         that inadvertently makes the function invalid to call while
2868         cleaning up the vm.
2869
2870         * heap/HeapCellType.cpp:
2871         (JSC::DefaultDestroyFunc::operator() const):
2872         * runtime/JSCell.h:
2873         * runtime/JSCellInlines.h:
2874         (JSC::JSCell::callDestructor): Deleted.
2875         * runtime/JSTypeInfo.h:
2876         (JSC::TypeInfo::hasStaticPropertyTable):
2877         (JSC::TypeInfo::structureIsImmortal const):
2878         * runtime/Structure.h:
2879
2880 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2881
2882         [JSC] Remove arity fixup check if the number of parameters is 1
2883         https://bugs.webkit.org/show_bug.cgi?id=183984
2884
2885         Reviewed by Mark Lam.
2886
2887         If the number of parameters is one (|this|), we never hit the arity fixup check.
2888         We do not need to emit arity fixup check code.
2889
2890         * dfg/DFGDriver.cpp:
2891         (JSC::DFG::compileImpl):
2892         * dfg/DFGJITCompiler.cpp:
2893         (JSC::DFG::JITCompiler::compileFunction):
2894         * dfg/DFGJITCompiler.h:
2895         * ftl/FTLLink.cpp:
2896         (JSC::FTL::link):
2897         * jit/JIT.cpp:
2898         (JSC::JIT::compileWithoutLinking):
2899
2900 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2901
2902         Use WordLock instead of std::mutex for Threading
2903         https://bugs.webkit.org/show_bug.cgi?id=185121
2904
2905         Reviewed by Geoffrey Garen.
2906
2907         ThreadGroup starts using WordLock.
2908
2909         * heap/MachineStackMarker.h:
2910         (JSC::MachineThreads::getLock):
2911
2912 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
2913
2914         B3 should run tail duplication at the bitter end
2915         https://bugs.webkit.org/show_bug.cgi?id=185123
2916
2917         Reviewed by Geoffrey Garen.
2918         
2919         Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
2920         everywhere else.
2921         
2922         The goal of this change is to allow us to run path specialization after switch lowering but
2923         before tail duplication.
2924
2925         * b3/B3Generate.cpp:
2926         (JSC::B3::generateToAir):
2927         * runtime/Options.h:
2928
2929 2018-04-29  Commit Queue  <commit-queue@webkit.org>
2930
2931         Unreviewed, rolling out r231137.
2932         https://bugs.webkit.org/show_bug.cgi?id=185118
2933
2934         It is breaking Test262 language/expressions/multiplication
2935         /order-of-evaluation.js (Requested by caiolima on #webkit).
2936
2937         Reverted changeset:
2938
2939         "[ESNext][BigInt] Implement support for "*" operation"
2940         https://bugs.webkit.org/show_bug.cgi?id=183721
2941         https://trac.webkit.org/changeset/231137
2942
2943 2018-04-28  Saam Barati  <sbarati@apple.com>
2944
2945         We don't model regexp effects properly
2946         https://bugs.webkit.org/show_bug.cgi?id=185059
2947         <rdar://problem/39736150>
2948
2949         Reviewed by Filip Pizlo.
2950
2951         RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if
2952         the regexp is global.
2953
2954         * dfg/DFGAbstractInterpreterInlines.h:
2955         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2956         * dfg/DFGClobberize.h:
2957         (JSC::DFG::clobberize):
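
        The effect the entry above describes can be observed from plain JavaScript. The following is an added example, not JSC code and not part of this ChangeLog: on a global RegExp, exec() converts lastIndex with ToNumber, so a lastIndex object with a valueOf method runs arbitrary code inside what looks like a pure call, can mutate unrelated state, and can throw. The object and function names are the example's own.

```javascript
// Added example (not JSC code): exec() on a global RegExp reads lastIndex and runs
// ToNumber on it, so a lastIndex object with valueOf executes arbitrary JS in the
// middle of the regexp call and can mutate state a compiler might assume untouched.
function execWithObservableLastIndex() {
  const trace = [];
  const shared = { value: 'before' };       // unrelated state, mutated from valueOf
  const re = /a/g;                          // global: lastIndex is consulted and updated
  re.lastIndex = {
    valueOf() {
      trace.push('valueOf');
      shared.value = 'mutated by lastIndex.valueOf';
      return 0;                             // start the search at index 0
    },
  };
  const match = re.exec('xa');
  return {
    trace,
    sharedValue: shared.value,
    matchIndex: match ? match.index : -1,   // 'a' is found at index 1
    lastIndexAfter: re.lastIndex,           // written back as the Number 2
  };
}

// The conversion can also throw, so the "pure" exec() call has an exception edge.
function execWithThrowingLastIndex() {
  const re = /a/g;
  re.lastIndex = {
    valueOf() { throw new RangeError('lastIndex conversion failed'); },
  };
  try {
    re.exec('a');
    return 'no throw';
  } catch (e) {
    return e instanceof RangeError ? 'RangeError from valueOf' : 'other';
  }
}
```

        This is why the abstract interpreter and clobberize have to treat RegExpExec/RegExpTest on a global regexp as having arbitrary effects rather than as pure reads of the string.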
2958
2959 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
2960
2961         Token misspelled "tocken" in error message string
2962         https://bugs.webkit.org/show_bug.cgi?id=185030
2963
2964         Reviewed by Saam Barati.
2965
2966         * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
2967         (JSC::Parser<LexerType>::Parser):
2968         (JSC::Parser<LexerType>::didFinishParsing):
2969         (JSC::Parser<LexerType>::parseSourceElements):
2970         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2971         (JSC::Parser<LexerType>::parseVariableDeclaration):
2972         (JSC::Parser<LexerType>::parseWhileStatement):
2973         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2974         (JSC::Parser<LexerType>::createBindingPattern):
2975         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
2976         (JSC::Parser<LexerType>::parseObjectRestElement):
2977         (JSC::Parser<LexerType>::parseDestructuringPattern):
2978         (JSC::Parser<LexerType>::parseForStatement):
2979         (JSC::Parser<LexerType>::parseBreakStatement):
2980         (JSC::Parser<LexerType>::parseContinueStatement):
2981         (JSC::Parser<LexerType>::parseThrowStatement):
2982         (JSC::Parser<LexerType>::parseWithStatement):
2983         (JSC::Parser<LexerType>::parseSwitchStatement):
2984         (JSC::Parser<LexerType>::parseSwitchClauses):
2985         (JSC::Parser<LexerType>::parseTryStatement):
2986         (JSC::Parser<LexerType>::parseBlockStatement):
2987         (JSC::Parser<LexerType>::parseFormalParameters):
2988         (JSC::Parser<LexerType>::parseFunctionParameters):
2989         (JSC::Parser<LexerType>::parseFunctionInfo):
2990         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
2991         (JSC::Parser<LexerType>::parseExpressionStatement):
2992         (JSC::Parser<LexerType>::parseIfStatement):
2993         (JSC::Parser<LexerType>::parseAssignmentExpression):
2994         (JSC::Parser<LexerType>::parseConditionalExpression):
2995         (JSC::Parser<LexerType>::parseBinaryExpression):
2996         (JSC::Parser<LexerType>::parseObjectLiteral):
2997         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
2998         (JSC::Parser<LexerType>::parseArrayLiteral):
2999         (JSC::Parser<LexerType>::parseArguments):
3000         (JSC::Parser<LexerType>::parseMemberExpression):
3001         (JSC::operatorString):
3002         (JSC::Parser<LexerType>::parseUnaryExpression):
3003         (JSC::Parser<LexerType>::printUnexpectedTokenText):
3004
3005 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
3006
3007         [ESNext][BigInt] Implement support for "*" operation
3008         https://bugs.webkit.org/show_bug.cgi?id=183721
3009
3010         Reviewed by Saam Barati.
3011
3012         Added BigInt support to the times binary operator in LLInt and in
3013         JITOperations profiledMul and unprofiledMul. We are also replacing all
3014         uses of int with unsigned where there are no negative values for
3015         variables.
3016
3017         * dfg/DFGConstantFoldingPhase.cpp:
3018         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3019         * jit/JITOperations.cpp:
3020         * runtime/CommonSlowPaths.cpp:
3021         (JSC::SLOW_PATH_DECL):
3022         * runtime/JSBigInt.cpp:
3023         (JSC::JSBigInt::JSBigInt):
3024         (JSC::JSBigInt::allocationSize):
3025         (JSC::JSBigInt::createWithLength):
3026         (JSC::JSBigInt::toString):
3027         (JSC::JSBigInt::multiply):
3028         (JSC::JSBigInt::digitDiv):
3029         (JSC::JSBigInt::internalMultiplyAdd):
3030         (JSC::JSBigInt::multiplyAccumulate):
3031         (JSC::JSBigInt::equals):
3032         (JSC::JSBigInt::absoluteDivSmall):
3033         (JSC::JSBigInt::calculateMaximumCharactersRequired):
3034         (JSC::JSBigInt::toStringGeneric):
3035         (JSC::JSBigInt::rightTrim):
3036         (JSC::JSBigInt::allocateFor):
3037         (JSC::JSBigInt::parseInt):
3038         (JSC::JSBigInt::digit):
3039         (JSC::JSBigInt::setDigit):
3040         * runtime/JSBigInt.h:
3041         * runtime/Operations.h:
3042         (JSC::jsMul):
3043
3044 2018-04-28  Commit Queue  <commit-queue@webkit.org>
3045
3046         Unreviewed, rolling out r231131.
3047         https://bugs.webkit.org/show_bug.cgi?id=185112
3048
3049         It is breaking Debug build due to unchecked exception
3050         (Requested by caiolima on #webkit).
3051
3052         Reverted changeset:
3053
3054         "[ESNext][BigInt] Implement support for "*" operation"
3055         https://bugs.webkit.org/show_bug.cgi?id=183721
3056         https://trac.webkit.org/changeset/231131
3057
3058 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
3059
3060         [ESNext][BigInt] Implement support for "*" operation
3061         https://bugs.webkit.org/show_bug.cgi?id=183721
3062
3063         Reviewed by Saam Barati.
3064
3065         Added BigInt support to the times binary operator in LLInt and in
3066         JITOperations profiledMul and unprofiledMul. We are also replacing all
3067         uses of int with unsigned where there are no negative values for
3068         variables.
3069
3070         * dfg/DFGConstantFoldingPhase.cpp:
3071         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3072         * jit/JITOperations.cpp:
3073         * runtime/CommonSlowPaths.cpp:
3074         (JSC::SLOW_PATH_DECL):
3075         * runtime/JSBigInt.cpp:
3076         (JSC::JSBigInt::JSBigInt):
3077         (JSC::JSBigInt::allocationSize):
3078         (JSC::JSBigInt::createWithLength):
3079         (JSC::JSBigInt::toString):
3080         (JSC::JSBigInt::multiply):
3081         (JSC::JSBigInt::digitDiv):
3082         (JSC::JSBigInt::internalMultiplyAdd):
3083         (JSC::JSBigInt::multiplyAccumulate):
3084         (JSC::JSBigInt::equals):
3085         (JSC::JSBigInt::absoluteDivSmall):
3086         (JSC::JSBigInt::calculateMaximumCharactersRequired):
3087         (JSC::JSBigInt::toStringGeneric):
3088         (JSC::JSBigInt::rightTrim):
3089         (JSC::JSBigInt::allocateFor):
3090         (JSC::JSBigInt::parseInt):
3091         (JSC::JSBigInt::digit):
3092         (JSC::JSBigInt::setDigit):
3093         * runtime/JSBigInt.h:
3094         * runtime/Operations.h:
3095         (JSC::jsMul):
3096
3097 2018-04-27  JF Bastien  <jfbastien@apple.com>
3098
3099         Make the first 64 bits of JSString look like a double JSValue
3100         https://bugs.webkit.org/show_bug.cgi?id=185081
3101
3102         Reviewed by Filip Pizlo.
3103
3104         We can be clever about how we lay out JSString so that, were it
3105         reinterpreted as a JSValue, it would look like a double.
3106
3107         * assembler/MacroAssemblerX86Common.h:
3108         (JSC::MacroAssemblerX86Common::and16):
3109         * assembler/X86Assembler.h:
3110         (JSC::X86Assembler::andw_mr):
3111         * dfg/DFGSpeculativeJIT.cpp:
3112         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3113         * ftl/FTLLowerDFGToB3.cpp:
3114         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3115         * ftl/FTLOutput.h:
3116         (JSC::FTL::Output::store32As8):
3117         (JSC::FTL::Output::store32As16):
3118         * runtime/JSString.h:
3119         (JSC::JSString::JSString):
3120
3121 2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3122
3123         [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
3124         https://bugs.webkit.org/show_bug.cgi?id=185055
3125
3126         Reviewed by JF Bastien.
3127
3128         This patch is paving the way to emitting the jscvt instruction if possible.
3129         To do that, we need to determine whether the jscvt instruction is supported on the
3130         given CPU.
3131
3132         We add a function collectCPUFeatures, which is responsible for collecting
3133         CPU features if necessary. On Linux, we can use the auxiliary vector to get
3134         the information without parsing /proc/cpuinfo.
3135
3136         Currently, nobody calls this function. It is later called when we emit the
3137         jscvt instruction. To make it possible, we also need to add disassembler
3138         support.
3139
3140         * assembler/AbstractMacroAssembler.h:
3141         * assembler/MacroAssemblerARM64.cpp:
3142         (JSC::MacroAssemblerARM64::collectCPUFeatures):
3143         * assembler/MacroAssemblerARM64.h:
3144         * assembler/MacroAssemblerX86Common.h:
3145
3146 2018-04-26  Filip Pizlo  <fpizlo@apple.com>
3147
3148         Also run foldPathConstants before mussing up SSA
3149         https://bugs.webkit.org/show_bug.cgi?id=185069
3150
3151         Reviewed by Saam Barati.
3152         
3153         This isn't needed now, but will be once I implement the phase in bug 185060.
3154         
3155         This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
3156         Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
3157         be landed separately and measured separately from that phase.
3158         
3159         It's probably nice for sanity to have this and reduceStrength run before tail duplication and
3160         another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
3161         it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
3162         neutral. It all depends on what programs typically look like.
3163
3164         * b3/B3Generate.cpp:
3165         (JSC::B3::generateToAir):
3166
3167 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
3168
3169         Unreviewed, rolling out r231086.
3170
3171         Caused JSC test failures due to an unchecked exception.
3172
3173         Reverted changeset:
3174
3175         "[ESNext][BigInt] Implement support for "*" operation"
3176         https://bugs.webkit.org/show_bug.cgi?id=183721
3177         https://trac.webkit.org/changeset/231086
3178
3179 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
3180
3181         [ESNext][BigInt] Implement support for "*" operation
3182         https://bugs.webkit.org/show_bug.cgi?id=183721
3183
3184         Reviewed by Saam Barati.
3185
3186         Added BigInt support to the times binary operator in LLInt and in
3187         JITOperations profiledMul and unprofiledMul. We are also replacing all
3188         uses of int with unsigned where there are no negative values for
3189         variables.
3190
3191         * dfg/DFGConstantFoldingPhase.cpp:
3192         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3193         * jit/JITOperations.cpp:
3194         * runtime/CommonSlowPaths.cpp:
3195         (JSC::SLOW_PATH_DECL):
3196         * runtime/JSBigInt.cpp:
3197         (JSC::JSBigInt::JSBigInt):
3198         (JSC::JSBigInt::allocationSize):
3199         (JSC::JSBigInt::createWithLength):
3200         (JSC::JSBigInt::toString):
3201         (JSC::JSBigInt::multiply):
3202         (JSC::JSBigInt::digitDiv):
3203         (JSC::JSBigInt::internalMultiplyAdd):
3204         (JSC::JSBigInt::multiplyAccumulate):
3205         (JSC::JSBigInt::equals):
3206         (JSC::JSBigInt::absoluteDivSmall):
3207         (JSC::JSBigInt::calculateMaximumCharactersRequired):
3208         (JSC::JSBigInt::toStringGeneric):
3209         (JSC::JSBigInt::rightTrim):
3210         (JSC::JSBigInt::allocateFor):
3211         (JSC::JSBigInt::parseInt):
3212         (JSC::JSBigInt::digit):
3213         (JSC::JSBigInt::setDigit):
3214         * runtime/JSBigInt.h:
3215         * runtime/Operations.h:
3216         (JSC::jsMul):
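
        The three "[ESNext][BigInt] Implement support for "*" operation" entries above (and the rollouts citing Test262 language/expressions/multiplication/order-of-evaluation.js) concern the semantics an engine's jsMul has to preserve. The following is an added example, not JSC code and not part of this ChangeLog, showing those semantics from JavaScript: both operands are converted with ToNumeric left to right before the multiply, mixing BigInt with Number throws a TypeError only after both conversions have run, and the product is arbitrary precision. The function and variable names are the example's own.

```javascript
// Added example (not JSC code): BigInt "*" semantics an engine must preserve.

// Both sides are converted (valueOf) left to right, then multiplied.
function bigIntTimes() {
  const trace = [];
  const left = { valueOf() { trace.push('left'); return 6n; } };
  const right = { valueOf() { trace.push('right'); return 7n; } };
  const product = left * right;            // 42n
  return { trace, product };
}

// Mixing BigInt and Number is a TypeError, raised only after BOTH operands
// have been converted; the right-hand valueOf must still be observed.
function mixedTypeError() {
  const trace = [];
  const left = { valueOf() { trace.push('left'); return 6n; } };
  const right = { valueOf() { trace.push('right'); return 7; } };  // Number, not BigInt
  try {
    const result = left * right;
    return { trace, result };
  } catch (e) {
    return { trace, error: e.constructor.name };
  }
}

// Arbitrary precision: 2^64 * 2^64 fits neither an int32 nor a double exactly.
function bigSquare() {
  const x = 1n << 64n;
  return x * x;                            // 2n ** 128n
}
```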
3217
3218 2018-04-26  Mark Lam  <mark.lam@apple.com>
3219
3220         Gardening: Speculative build fix for Windows.
3221         https://bugs.webkit.org/show_bug.cgi?id=184976
3222         <rdar://problem/39723901>
3223
3224         Not reviewed.
3225
3226         * runtime/JSCPtrTag.h:
3227
3228 2018-04-26  Mark Lam  <mark.lam@apple.com>
3229
3230         Gardening: Windows build fix.
3231
3232         Not reviewed.
3233
3234         * runtime/Options.cpp:
3235
3236 2018-04-26  Jer Noble  <jer.noble@apple.com>
3237
3238         WK_COCOA_TOUCH all the things.
3239         https://bugs.webkit.org/show_bug.cgi?id=185006
3240         <rdar://problem/39736025>
3241
3242         Reviewed by Tim Horton.
3243
3244         * Configurations/Base.xcconfig:
3245
3246 2018-04-26  Per Arne Vollan  <pvollan@apple.com>
3247
3248         Disable content filtering in minimal simulator mode
3249         https://bugs.webkit.org/show_bug.cgi?id=185027
3250         <rdar://problem/39736091>
3251
3252         Reviewed by Jer Noble.
3253
3254         * Configurations/FeatureDefines.xcconfig:
3255
3256 2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>
3257
3258         [INTL] Implement Intl.PluralRules
3259         https://bugs.webkit.org/show_bug.cgi?id=184312
3260
3261         Reviewed by JF Bastien.
3262
3263         Use UNumberFormat to enforce formatting, and then UPluralRules to find
3264         the correct plural rule for the given number. Relies on ICU v59+ for
3265         resolvedOptions().pluralCategories and trailing 0 detection.
3266         Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.
3267
3268         * CMakeLists.txt:
3269         * Configurations/FeatureDefines.xcconfig:
3270         * DerivedSources.make:
3271         * JavaScriptCore.xcodeproj/project.pbxproj:
3272         * Sources.txt:
3273         * builtins/BuiltinNames.h:
3274         * runtime/BigIntObject.cpp:
3275         (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
3276         * runtime/BigIntObject.h:
3277         * runtime/CommonIdentifiers.h:
3278         * runtime/IntlObject.cpp:
3279         (JSC::IntlObject::finishCreation):
3280         * runtime/IntlObject.h:
3281         * runtime/IntlPluralRules.cpp: Added.
3282         (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
3283         (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
3284         (JSC::UEnumerationDeleter::operator() const):
3285         (JSC::IntlPluralRules::create):
3286         (JSC::IntlPluralRules::createStructure):
3287         (JSC::IntlPluralRules::IntlPluralRules):
3288         (JSC::IntlPluralRules::finishCreation):
3289         (JSC::IntlPluralRules::destroy):
3290         (JSC::IntlPluralRules::visitChildren):
3291         (JSC::IntlPRInternal::localeData):
3292         (JSC::IntlPluralRules::initializePluralRules):
3293         (JSC::IntlPluralRules::resolvedOptions):
3294         (JSC::IntlPluralRules::select):
3295         * runtime/IntlPluralRules.h: Added.
3296         * runtime/IntlPluralRulesConstructor.cpp: Added.
3297         (JSC::IntlPluralRulesConstructor::create):
3298         (JSC::IntlPluralRulesConstructor::createStructure):
3299         (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
3300         (JSC::IntlPluralRulesConstructor::finishCreation):
3301         (JSC::constructIntlPluralRules):
3302         (JSC::callIntlPluralRules):
3303         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
3304         (JSC::IntlPluralRulesConstructor::visitChildren):
3305         * runtime/IntlPluralRulesConstructor.h: Added.
3306         * runtime/IntlPluralRulesPrototype.cpp: Added.
3307         (JSC::IntlPluralRulesPrototype::create):
3308         (JSC::IntlPluralRulesPrototype::createStructure):
3309         (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
3310         (JSC::IntlPluralRulesPrototype::finishCreation):
3311         (JSC::IntlPluralRulesPrototypeFuncSelect):
3312         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
3313         * runtime/IntlPluralRulesPrototype.h: Added.
3314         * runtime/JSGlobalObject.cpp:
3315         (JSC::JSGlobalObject::init):
3316         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
3317         * runtime/JSGlobalObject.h:
3318         * runtime/Options.h:
3319         * runtime/RegExpPrototype.cpp: Added inlines header.
3320         * runtime/VM.cpp:
3321         (JSC::VM::VM):
3322         * runtime/VM.h:
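
        The entry above adds Intl.PluralRules. The following is an added example, not JSC code and not part of this ChangeLog, exercising the API from JavaScript: select() for cardinal and ordinal categories, resolvedOptions().pluralCategories, and the trailing-zero behaviour the entry mentions (with minimumFractionDigits the value 1 is formatted as "1.0", which English classifies as "other", not "one"). The message tables and function names are the example's own.

```javascript
// Added example (not JSC code): picking message forms with Intl.PluralRules.
const EN_FORMS = { one: '{n} file', other: '{n} files' };            // constructed sample
const EN_ORDINALS = { one: 'st', two: 'nd', few: 'rd', other: 'th' }; // constructed sample

// Cardinal selection: map the category to a message form, defaulting to "other",
// which every locale defines.
function pluralize(locale, n, forms, options = {}) {
  const rules = new Intl.PluralRules(locale, options);
  const category = rules.select(n);
  const form = forms[category] || forms.other;
  return form.replace('{n}', String(n));
}

// Ordinal selection: 1st, 2nd, 3rd, 4th, 11th, 22nd.
function ordinal(n) {
  const category = new Intl.PluralRules('en', { type: 'ordinal' }).select(n);
  return `${n}${EN_ORDINALS[category]}`;
}

// Which categories a locale can return (needs ICU 59+ underneath).
function categoriesFor(locale) {
  return new Intl.PluralRules(locale).resolvedOptions().pluralCategories;
}

// Trailing-zero detection: with one forced fraction digit, 1 is "1.0" and English
// classifies it as "other" rather than "one".
function trailingZeroCategory(n) {
  return new Intl.PluralRules('en', { minimumFractionDigits: 1 }).select(n);
}

function plainCategory(n) {
  return new Intl.PluralRules('en').select(n);
}
```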
3323
3324 2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>
3325
3326         [MIPS] Fix branch offsets in branchNeg32
3327         https://bugs.webkit.org/show_bug.cgi?id=185025
3328
3329         Reviewed by Yusuke Suzuki.
3330
3331         Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.
3332
3333         * assembler/MacroAssemblerMIPS.h:
3334         (JSC::MacroAssemblerMIPS::branchNeg32):
3335
3336 2018-04-25  Robin Morisset  <rmorisset@apple.com>
3337
3338         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
3339         https://bugs.webkit.org/show_bug.cgi?id=184773
3340         <rdar://problem/37773612>
3341
3342         Reviewed by Filip Pizlo.
3343
3344         We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
3345         arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
3346         This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
3347         We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
3348         This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
3349
3350         * ftl/FTLLowerDFGToB3.cpp:
3351         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
3352
3353 2018-04-25  Mark Lam  <mark.lam@apple.com>
3354
3355         Push the definition of PtrTag down to the WTF layer.
3356         https://bugs.webkit.org/show_bug.cgi?id=184976
3357         <rdar://problem/39723901>
3358
3359         Reviewed by Saam Barati.
3360
3361         * CMakeLists.txt:
3362         * JavaScriptCore.xcodeproj/project.pbxproj:
3363         * assembler/ARM64Assembler.h:
3364         * assembler/AbstractMacroAssembler.h:
3365         * assembler/MacroAssemblerCodeRef.cpp:
3366         * assembler/MacroAssemblerCodeRef.h:
3367         * b3/B3MathExtras.cpp:
3368         * bytecode/LLIntCallLinkInfo.h:
3369         * disassembler/Disassembler.h:
3370         * ftl/FTLJITCode.cpp:
3371         * interpreter/InterpreterInlines.h:
3372         * jit/ExecutableAllocator.h:
3373         * jit/JITOperations.cpp:
3374         * jit/ThunkGenerator.h:
3375         * jit/ThunkGenerators.h:
3376         * llint/LLIntOffsetsExtractor.cpp:
3377         * llint/LLIntPCRanges.h:
3378         * runtime/JSCPtrTag.h: Added.
3379         * runtime/NativeFunction.h:
3380         * runtime/PtrTag.h: Removed.
3381         * runtime/VMTraps.cpp:
3382
3383 2018-04-25  Keith Miller  <keith_miller@apple.com>
3384
3385         getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
3386         https://bugs.webkit.org/show_bug.cgi?id=184998
3387
3388         Reviewed by Saam Barati.
3389
3390         * runtime/CodeCache.cpp:
3391         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
3392
3393 2018-04-25  Keith Miller  <keith_miller@apple.com>
3394
3395         Add missing scope release to functionProtoFuncToString
3396         https://bugs.webkit.org/show_bug.cgi?id=184995
3397
3398         Reviewed by Saam Barati.
3399
3400         * runtime/FunctionPrototype.cpp:
3401         (JSC::functionProtoFuncToString):
3402
3403 2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3404
3405         REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
3406         https://bugs.webkit.org/show_bug.cgi?id=184730
3407
3408         Reviewed by Mark Lam.
3409
3410         Add swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (temporary register in MacroAssemblerARM).
3411         And we now use dataTempRegister, addressTempRegister, and fpTempRegister instead of using S0, S1, and SD0.
3412
3413         We also change the swap(RegisterID, RegisterID) implementation to simply use moves and temporaries. This is aligned with the
3414         ARMv7 implementation.
3415
3416         * assembler/ARMAssembler.h:
3417         * assembler/MacroAssemblerARM.h:
3418         (JSC::MacroAssemblerARM::add32):
3419         (JSC::MacroAssemblerARM::and32):
3420         (JSC::MacroAssemblerARM::lshift32):
3421         (JSC::MacroAssemblerARM::mul32):
3422         (JSC::MacroAssemblerARM::or32):
3423         (JSC::MacroAssemblerARM::rshift32):
3424         (JSC::MacroAssemblerARM::urshift32):
3425         (JSC::MacroAssemblerARM::sub32):
3426         (JSC::MacroAssemblerARM::xor32):
3427         (JSC::MacroAssemblerARM::load8):
3428         (JSC::MacroAssemblerARM::abortWithReason):
3429         (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
3430         (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
3431         (JSC::MacroAssemblerARM::store8):
3432         (JSC::MacroAssemblerARM::store32):
3433         (JSC::MacroAssemblerARM::push):
3434         (JSC::MacroAssemblerARM::swap):
3435         (JSC::MacroAssemblerARM::branch8):
3436         (JSC::MacroAssemblerARM::branchPtr):
3437         (JSC::MacroAssemblerARM::branch32):
3438         (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
3439         (JSC::MacroAssemblerARM::branchTest8):
3440         (JSC::MacroAssemblerARM::branchTest32):
3441         (JSC::MacroAssemblerARM::jump):
3442         (JSC::MacroAssemblerARM::branchAdd32):
3443         (JSC::MacroAssemblerARM::mull32):
3444         (JSC::MacroAssemblerARM::branchMul32):
3445         (JSC::MacroAssemblerARM::patchableBranch32):
3446         (JSC::MacroAssemblerARM::nearCall):
3447         (JSC::MacroAssemblerARM::compare32):
3448         (JSC::MacroAssemblerARM::compare8):
3449         (JSC::MacroAssemblerARM::test32):
3450         (JSC::MacroAssemblerARM::test8):
3451         (JSC::MacroAssemblerARM::add64):
3452         (JSC::MacroAssemblerARM::load32):
3453         (JSC::MacroAssemblerARM::call):
3454         (JSC::MacroAssemblerARM::branchPtrWithPatch):
3455         (JSC::MacroAssemblerARM::branch32WithPatch):
3456         (JSC::MacroAssemblerARM::storePtrWithPatch):
3457         (JSC::MacroAssemblerARM::loadDouble):
3458         (JSC::MacroAssemblerARM::storeDouble):
3459         (JSC::MacroAssemblerARM::addDouble):
3460         (JSC::MacroAssemblerARM::divDouble):
3461         (JSC::MacroAssemblerARM::subDouble):
3462         (JSC::MacroAssemblerARM::mulDouble):
3463         (JSC::MacroAssemblerARM::convertInt32ToDouble):
3464         (JSC::MacroAssemblerARM::branchDouble):
3465         (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
3466         (JSC::MacroAssemblerARM::truncateDoubleToInt32):
3467         (JSC::MacroAssemblerARM::truncateDoubleToUint32):
3468         (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
3469         (JSC::MacroAssemblerARM::branchDoubleNonZero):
3470         (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
3471         (JSC::MacroAssemblerARM::call32):
3472         (JSC::MacroAssemblerARM::internalCompare32):
3473
3474 2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>
3475
3476         [WinCairo] Fix js/regexp-unicode.html crash.
3477         https://bugs.webkit.org/show_bug.cgi?id=184891
3478
3479         Reviewed by Yusuke Suzuki.
3480
3481         On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
3482         RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.
3483
3484         * yarr/YarrJIT.cpp:
3485         (JSC::Yarr::YarrGenerator::generateEnter):
3486         (JSC::Yarr::YarrGenerator::generateReturn):
3487         Unconditionally save and restore RDI on 64-bit Windows.
3488
3489 2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>
3490
3491         [GTK] Miscellaneous build cleanups
3492         https://bugs.webkit.org/show_bug.cgi?id=184399
3493
3494         Reviewed by Žan Doberšek.
3495
3496         * PlatformGTK.cmake:
3497
3498 2018-04-24  Keith Miller  <keith_miller@apple.com>
3499
3500         fromCharCode is missing some exception checks
3501         https://bugs.webkit.org/show_bug.cgi?id=184952
3502
3503         Reviewed by Saam Barati.
3504
3505         I also removed the pointless slow path function and moved it into the
3506         main function.
3507
3508         * runtime/StringConstructor.cpp:
3509         (JSC::stringFromCharCode):
3510         (JSC::stringFromCharCodeSlowCase): Deleted.
3511
3512 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
3513
3514         MultiByOffset should emit one fewer branch in the case that the set of structures is proved already
3515         https://bugs.webkit.org/show_bug.cgi?id=184923
3516
3517         Reviewed by Saam Barati.
3518         
3519         If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
3520         (i.e. we know that the object has one of those structures), then previously we would still emit a
3521         switch with a case per structure along with a default case. That would mean one extra redundant
3522         branch to check that whatever structure we wound up with belongs to the set. In that case, we
3523         were already making the default case be an Oops.
3524         
3525         One possible solution would be to say that the default case being Oops means that B3 doesn't need
3526         to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
3527         be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
3528         seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
3529         trap.
3530         
3531         So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
3532         extra branch.
3533         
3534         This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
3535         it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
3536         read.
3537
3538         * ftl/FTLLowerDFGToB3.cpp:
3539         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
3540         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
3541         (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):
3542
3543 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
3544
3545         DFG CSE should know how to decay a MultiGetByOffset
3546         https://bugs.webkit.org/show_bug.cgi?id=159859
3547
3548         Reviewed by Keith Miller.
3549         
3550         This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
3551         clobberize() can report a def() for MultiGetByOffset.
3552         
3553         This is a slight improvement to codegen in splay because splay is a heavy user of
3554         MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
3555         "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
3556         removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
3557         splay's time.
3558
3559         * dfg/DFGClobberize.h:
3560         (JSC::DFG::clobberize):
3561         * dfg/DFGNode.cpp:
3562         (JSC::DFG::Node::remove):
3563         (JSC::DFG::Node::removeWithoutChecks):
3564         (JSC::DFG::Node::replaceWith):
3565         (JSC::DFG::Node::replaceWithWithoutChecks):
3566         * dfg/DFGNode.h:
3567         (JSC::DFG::Node::convertToMultiGetByOffset):
3568         (JSC::DFG::Node::replaceWith): Deleted.
3569         * dfg/DFGNodeType.h:
3570         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3571
3572 2018-04-24  Keith Miller  <keith_miller@apple.com>
3573
3574         Update API docs with information on which run loop the VM will use
3575         https://bugs.webkit.org/show_bug.cgi?id=184900
3576         <rdar://problem/39166054>
3577
3578         Reviewed by Mark Lam.
3579
3580         * API/JSContextRef.h:
3581         * API/JSVirtualMachine.h:
3582
3583 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
3584
3585         $vm.totalGCTime() should be a thing
3586         https://bugs.webkit.org/show_bug.cgi?id=184916
3587
3588         Reviewed by Sam Weinig.
3589         
3590         When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
3591         time spent in GC to determine if the regression is because the GC got slower.
3592         
3593         This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.
3594
3595         * heap/Heap.cpp:
3596         (JSC::Heap::runEndPhase):
3597         * heap/Heap.h:
3598         (JSC::Heap::totalGCTime const):
3599         * tools/JSDollarVM.cpp:
3600         (JSC::functionTotalGCTime):
3601         (JSC::JSDollarVM::finishCreation):
3602
3603 2018-04-23  Zalan Bujtas  <zalan@apple.com>
3604
3605         [LayoutFormattingContext] Initial commit.
3606         https://bugs.webkit.org/show_bug.cgi?id=184896
3607
3608         Reviewed by Antti Koivisto.
3609
3610         * Configurations/FeatureDefines.xcconfig:
3611
3612 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
3613
3614         Unreviewed, revert accidental change to verbose flag.
3615
3616         * dfg/DFGByteCodeParser.cpp:
3617
3618 2018-04-23  Filip Pizlo  <fpizlo@apple.com>
3619
3620         Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.
3621
3622         Rubber stamped by Saam Barati.
3623         
3624         This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
3625         anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
3626         Seems sensible to just roll it out.
3627
3628         * dfg/DFGByteCodeParser.cpp:
3629         (JSC::DFG::ByteCodeParser::addToGraph):
3630         (JSC::DFG::ByteCodeParser::parse):
3631
3632 2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3633
3634         [JSC] Remove ModuleLoaderPrototype
3635         https://bugs.webkit.org/show_bug.cgi?id=184784
3636
3637         Reviewed by Mark Lam.
3638
3639         When we introduced ModuleLoaderPrototype, ModuleLoader could be created by users and exposed to users.
3640         However, the loader spec has been abandoned, so we do not need to have ModuleLoaderPrototype and JSModuleLoader.
3641         This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.
3642
3643         * CMakeLists.txt:
3644         * DerivedSources.make:
3645         * JavaScriptCore.xcodeproj/project.pbxproj:
3646         * Sources.txt:
3647         * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
3648         * runtime/JSGlobalObject.cpp:
3649         (JSC::JSGlobalObject::init):
3650         (JSC::JSGlobalObject::visitChildren):
3651         * runtime/JSGlobalObject.h:
3652         (JSC::JSGlobalObject::proxyRevokeStructure const):
3653         (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
3654         * runtime/JSModuleLoader.cpp:
3655         (JSC::moduleLoaderParseModule):
3656         (JSC::moduleLoaderRequestedModules):
3657         (JSC::moduleLoaderModuleDeclarationInstantiation):
3658         (JSC::moduleLoaderResolve):
3659         (JSC::moduleLoaderResolveSync):
3660         (JSC::moduleLoaderFetch):
3661         (JSC::moduleLoaderGetModuleNamespaceObject):
3662         (JSC::moduleLoaderEvaluate):
3663         * runtime/JSModuleLoader.h:
3664         * runtime/ModuleLoaderPrototype.cpp: Removed.
3665         * runtime/ModuleLoaderPrototype.h: Removed.
3666
3667 2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>
3668
3669         [GLIB] All API tests fail in debug builds
3670         https://bugs.webkit.org/show_bug.cgi?id=184813
3671
3672         Reviewed by Mark Lam.
3673
3674         This is because of a conflict between the ExceptionHandler class used in tests and the ExceptionHandler struct defined in
3675         JSCContext.cpp. This patch renames the ExceptionHandler struct to JSCContextExceptionHandler.
3676
3677         * API/glib/JSCContext.cpp:
3678         (JSCContextExceptionHandler::JSCContextExceptionHandler):
3679         (JSCContextExceptionHandler::~JSCContextExceptionHandler):
3680         (jscContextConstructed):
3681         (ExceptionHandler::ExceptionHandler): Deleted.
3682         (ExceptionHandler::~ExceptionHandler): Deleted.
3683
3684 2018-04-20  Tim Horton  <timothy_horton@apple.com>
3685
3686         Adjust geolocation feature flag
3687         https://bugs.webkit.org/show_bug.cgi?id=184856
3688
3689         Reviewed by Wenson Hsieh.
3690
3691         * Configurations/FeatureDefines.xcconfig:
3692
3693 2018-04-20  Brian Burg  <bburg@apple.com>
3694
3695         Web Inspector: remove some dead code in IdentifiersFactory
3696         https://bugs.webkit.org/show_bug.cgi?id=184839
3697
3698         Reviewed by Timothy Hatcher.
3699
3700         This was never used on non-Chrome ports, so the identifier always has a
3701         prefix of '0.'. We may change this in the future, but for now remove this.
3702         Using a PID for this purpose is problematic anyway.
3703
3704         * inspector/IdentifiersFactory.cpp:
3705         (Inspector::addPrefixToIdentifier):
3706         (Inspector::IdentifiersFactory::createIdentifier):
3707         (Inspector::IdentifiersFactory::requestId):
3708         (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
3709         * inspector/IdentifiersFactory.h:
3710
3711 2018-04-20  Mark Lam  <mark.lam@apple.com>
3712
3713         Add the ability to use a hash for setting PtrTag enum values.
3714         https://bugs.webkit.org/show_bug.cgi?id=184852
3715         <rdar://problem/39613891>
3716
3717         Reviewed by Saam Barati.
3718
3719         * runtime/PtrTag.h:
3720
3721 2018-04-20  Mark Lam  <mark.lam@apple.com>
3722
3723         Some JSEntryPtrTags should actually be JSInternalPtrTags.
3724         https://bugs.webkit.org/show_bug.cgi?id=184712
3725         <rdar://problem/39507381>
3726
3727         Reviewed by Michael Saboff.
3728
3729         1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
3730         2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
3731            only when needed.
3732
3733         * bytecode/AccessCase.cpp:
3734         (JSC::AccessCase::generateImpl):
3735         * bytecode/ByValInfo.h:
3736         (JSC::ByValInfo::ByValInfo):
3737         * bytecode/CallLinkInfo.cpp:
3738         (JSC::CallLinkInfo::callReturnLocation):
3739         (JSC::CallLinkInfo::patchableJump):
3740         (JSC::CallLinkInfo::hotPathBegin):
3741         (JSC::CallLinkInfo::slowPathStart):
3742         * bytecode/CallLinkInfo.h:
3743         (JSC::CallLinkInfo::setCallLocations):
3744         (JSC::CallLinkInfo::hotPathOther):
3745         * bytecode/PolymorphicAccess.cpp:
3746         (JSC::PolymorphicAccess::regenerate):
3747         * bytecode/StructureStubInfo.h:
3748         (JSC::StructureStubInfo::doneLocation):
3749         * dfg/DFGJITCompiler.cpp:
3750         (JSC::DFG::JITCompiler::link):
3751         * dfg/DFGOSRExit.cpp:
3752         (JSC::DFG::reifyInlinedCallFrames):
3753         * ftl/FTLLazySlowPath.cpp:
3754         (JSC::FTL::LazySlowPath::initialize):
3755         * ftl/FTLLazySlowPath.h:
3756         (JSC::FTL::LazySlowPath::done const):
3757         * ftl/FTLLowerDFGToB3.cpp:
3758         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3759         (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
3760         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3761         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3762         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3763         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
3764         (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3765         * jit/JIT.cpp:
3766         (JSC::JIT::link):
3767         * jit/JITExceptions.cpp:
3768         (JSC::genericUnwind):
3769         * jit/JITMathIC.h:
3770         (JSC::isProfileEmpty):
3771         * llint/LLIntData.cpp:
3772         (JSC::LLInt::initialize):
3773         * llint/LLIntData.h:
3774         (JSC::LLInt::getCodePtr):
3775         (JSC::LLInt::getExecutableAddress): Deleted.
3776         * llint/LLIntExceptions.cpp:
3777         (JSC::LLInt::callToThrow):
3778         * llint/LLIntSlowPaths.cpp:
3779         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3780         * wasm/js/WasmToJS.cpp:
3781         (JSC::Wasm::wasmToJS):
3782
3783 2018-04-18  Jer Noble  <jer.noble@apple.com>
3784
3785         Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
3786         https://bugs.webkit.org/show_bug.cgi?id=184762
3787
3788         Reviewed by Dan Bernstein.
3789
3790         * Configurations/Base.xcconfig:
3791         * JavaScriptCore.xcodeproj/project.pbxproj:
3792
3793 2018-04-20  Daniel Bates  <dabates@apple.com>
3794
3795         Remove code for compilers that did not support NSDMI for aggregates
3796         https://bugs.webkit.org/show_bug.cgi?id=184599
3797
3798         Reviewed by Per Arne Vollan.
3799
3800         Remove workaround for earlier Visual Studio versions that did not support non-static data
3801         member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
3802         and EWS bots to a newer version that supports this feature.
3803
3804         * domjit/DOMJITEffect.h:
3805         (JSC::DOMJIT::Effect::Effect): Deleted.
3806         * runtime/HasOwnPropertyCache.h:
3807         (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
3808         * wasm/WasmFormat.h:
3809         (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.
3810
3811 2018-04-20  Mark Lam  <mark.lam@apple.com>
3812
3813         Build fix for internal builds after r230826.
3814         https://bugs.webkit.org/show_bug.cgi?id=184790
3815         <rdar://problem/39301369>
3816
3817         Not reviewed.
3818
3819         * runtime/Options.cpp:
3820         (JSC::overrideDefaults):
3821         * tools/SigillCrashAnalyzer.cpp:
3822         (JSC::SignalContext::dump):
3823
3824 2018-04-19  Tadeu Zagallo  <tzagallo@apple.com>
3825
3826         REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
3827         https://bugs.webkit.org/show_bug.cgi?id=184254
3828         <rdar://problem/39140200>
3829
3830         Reviewed by Daniel Bates.
3831
3832         Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.
3833
3834         * runtime/ArrayBuffer.h:
3835         (JSC::ArrayBufferContents::ArrayBufferContents):
3836
3837 2018-04-19  Mark Lam  <mark.lam@apple.com>
3838
3839         Apply pointer profiling to Signal pointers.
3840         https://bugs.webkit.org/show_bug.cgi?id=184790
3841         <rdar://problem/39301369>
3842
3843         Reviewed by Michael Saboff.
3844
3845         1. Change stackPointer, framePointer, and instructionPointer accessors to
3846            be a pair of getter/setter functions.
3847         2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
3848            pointer profiling variants of these accessors.
3849         3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).
3850
3851         * JavaScriptCorePrefix.h:
3852         * runtime/MachineContext.h:
3853         (JSC::MachineContext::stackPointerImpl):
3854         (JSC::MachineContext::stackPointer):
3855         (JSC::MachineContext::setStackPointer):
3856         (JSC::MachineContext::framePointerImpl):
3857         (JSC::MachineContext::framePointer):
3858         (JSC::MachineContext::setFramePointer):
3859         (JSC::MachineContext::instructionPointerImpl):
3860         (JSC::MachineContext::instructionPointer):
3861         (JSC::MachineContext::setInstructionPointer):
3862         (JSC::MachineContext::linkRegisterImpl):
3863         (JSC::MachineContext::linkRegister):
3864         (JSC::MachineContext::setLinkRegister):
3865         * runtime/SamplingProfiler.cpp:
3866         (JSC::SamplingProfiler::takeSample):
3867         * runtime/VMTraps.cpp:
3868         (JSC::SignalContext::SignalContext):
3869         (JSC::VMTraps::tryInstallTrapBreakpoints):
3870         * tools/CodeProfiling.cpp:
3871         (JSC::profilingTimer):
3872         * tools/SigillCrashAnalyzer.cpp:
3873         (JSC::SignalContext::dump):
3874         (JSC::installCrashHandler):
3875         (JSC::SigillCrashAnalyzer::analyze):
3876         * wasm/WasmFaultSignalHandler.cpp:
3877         (JSC::Wasm::trapHandler):
3878
3879 2018-04-19  David Kilzer  <ddkilzer@apple.com>
3880
3881         Enable Objective-C weak references
3882         <https://webkit.org/b/184789>
3883         <rdar://problem/39571716>
3884
3885         Reviewed by Dan Bernstein.
3886
3887         * Configurations/Base.xcconfig:
3888         (CLANG_ENABLE_OBJC_WEAK): Enable.
3889         * Configurations/ToolExecutable.xcconfig:
3890         (CLANG_ENABLE_OBJC_ARC): Simplify.
3891
3892 2018-04-17  Filip Pizlo  <fpizlo@apple.com>
3893
3894         The InternalFunction hierarchy should be in IsoSubspaces
3895         https://bugs.webkit.org/show_bug.cgi?id=184721
3896
3897         Reviewed by Saam Barati.
3898         
3899         This moves InternalFunction into an IsoSubspace. It also moves all subclasses into IsoSubspaces,
3900         but subclasses that are the same size as InternalFunction share its subspace. I did this
3901         because the subclasses appear to just override methods, which are called dynamically via the
3902         structure or class of the object. So, I don't see a type confusion risk if UAF is used to
3903         allocate one kind of InternalFunction over another.
3904
3905         * API/JSBase.h:
3906         * API/JSCallbackFunction.h:
3907         * API/ObjCCallbackFunction.h:
3908         (JSC::ObjCCallbackFunction::subspaceFor):
3909         * CMakeLists.txt:
3910         * JavaScriptCore.xcodeproj/project.pbxproj:
3911         * Sources.txt:
3912         * heap/IsoSubspacePerVM.cpp: Added.
3913         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
3914         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
3915         (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
3916         (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
3917         (JSC::IsoSubspacePerVM::forVM):
3918         * heap/IsoSubspacePerVM.h: Added.
3919         (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
3920         * runtime/Error.h:
3921         * runtime/ErrorConstructor.h:
3922         * runtime/InternalFunction.h:
3923         (JSC::InternalFunction::subspaceFor):
3924         * runtime/IntlCollatorConstructor.h:
3925         * runtime/IntlDateTimeFormatConstructor.h:
3926         * runtime/IntlNumberFormatConstructor.h:
3927         * runtime/JSArrayBufferConstructor.h:
3928         * runtime/NativeErrorConstructor.h:
3929         * runtime/ProxyRevoke.h:
3930         * runtime/RegExpConstructor.h:
3931         * runtime/VM.cpp:
3932         (JSC::VM::VM):
3933         * runtime/VM.h:
3934
3935 2018-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3936
3937         Unreviewed, fix jsc shell
3938         https://bugs.webkit.org/show_bug.cgi?id=184600
3939
3940         WebAssembly module loading does not finish with drainMicrotasks(),
3941         so JSNativeStdFunction's captured variables become invalid.
3942         This patch fixes this issue.
3943
3944         * jsc.cpp:
3945         (functionDollarAgentStart):
3946         (runWithOptions):
3947         (runJSC):
3948         (jscmain):
3949
3950 2018-04-18  Ross Kirsling  <ross.kirsling@sony.com>
3951
3952         REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
3953         https://bugs.webkit.org/show_bug.cgi?id=184725
3954
3955         Reviewed by Mark Lam.
3956
3957         * jit/JIT.h:
3958
3959 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3960
3961         [WebAssembly][Modules] Import tables in wasm modules
3962         https://bugs.webkit.org/show_bug.cgi?id=184738
3963
3964         Reviewed by JF Bastien.
3965
3966         This patch simply allows wasm modules to import tables from wasm modules / JS re-exports.