Use more C++17
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use more C++17
        https://bugs.webkit.org/show_bug.cgi?id=185176

        Reviewed by JF Bastien.

        * Configurations/Base.xcconfig:

2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove duplicate methods in JSInterfaceJIT
        https://bugs.webkit.org/show_bug.cgi?id=185813

        Reviewed by Saam Barati.

        Some methods of JSInterfaceJIT duplicate AssemblyHelpers' ones.
        This patch removes them and uses AssemblyHelpers' ones instead.

        This patch also cleans up ThunkGenerators' unnecessary ifdefs a bit.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::tagFor):
        (JSC::AssemblyHelpers::payloadFor):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emit_compareUnsigned):
        (JSC::JIT::emit_op_inc):
        (JSC::JIT::emit_op_dec):
        (JSC::JIT::emit_op_mod):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitPutIntToCallFrameHeader):
        (JSC::JIT::updateTopCallFrame):
        (JSC::JIT::emitInitRegister):
        (JSC::JIT::emitLoad):
        (JSC::JIT::emitStore):
        (JSC::JIT::emitStoreInt32):
        (JSC::JIT::emitStoreCell):
        (JSC::JIT::emitStoreBool):
        (JSC::JIT::emitGetVirtualRegister):
        (JSC::JIT::emitPutVirtualRegister):
        (JSC::JIT::emitTagBool): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::emit_op_is_empty):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_boolean):
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_eq):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emitSlow_op_instanceof_custom):
        (JSC::JIT::emitNewFuncExprCommon):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitLoadInt32):
        (JSC::JSInterfaceJIT::emitLoadDouble):
        (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
        (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
        (JSC::JSInterfaceJIT::tagFor): Deleted.
        (JSC::JSInterfaceJIT::payloadFor): Deleted.
        (JSC::JSInterfaceJIT::intPayloadFor): Deleted.
        (JSC::JSInterfaceJIT::intTagFor): Deleted.
        (JSC::JSInterfaceJIT::emitTagInt): Deleted.
        (JSC::JSInterfaceJIT::addressFor): Deleted.
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnDouble):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        (JSC::arityFixupGenerator):

2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, reland InById cache
        https://bugs.webkit.org/show_bug.cgi?id=185682

        Includes Dominik's 32bit fix.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::fromStructureStubInfo):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generateImpl):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::generateSelfInAccess):
        * bytecode/InlineAccess.h:
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::initInByIdSelf):
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::aboutToDie):
        (JSC::StructureStubInfo::reset):
        (JSC::StructureStubInfo::visitWeakReferences):
        (JSC::StructureStubInfo::propagateTransitions):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::patchableJump):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitInByVal):
        (JSC::BytecodeGenerator::emitInById):
        (JSC::BytecodeGenerator::emitIn): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addInById):
        (JSC::DFG::InRecord::InRecord): Deleted.
        (JSC::DFG::JITCompiler::addIn): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToInById):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInById):
        (JSC::DFG::SpeculativeJIT::compileInByVal):
        (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileInById):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::boxBoolean):
        * jit/ICStats.h:
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::link):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITInByIdGenerator::JITInByIdGenerator):
        (JSC::JITInByIdGenerator::generateFastPath):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITInByIdGenerator::JITInByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_in_by_id):
        (JSC::JIT::emitSlow_op_in_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_in_by_id):
        (JSC::JIT::emitSlow_op_in_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheInByID):
        (JSC::repatchInByID):
        (JSC::resetInByID):
        (JSC::tryCacheIn): Deleted.
        (JSC::repatchIn): Deleted.
        (JSC::resetIn): Deleted.
        * jit/Repatch.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/NodeConstructors.h:
        (JSC::InNode::InNode):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opInByVal):
        (JSC::CommonSlowPaths::opIn): Deleted.

2018-05-21  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231998 and r232017.
        https://bugs.webkit.org/show_bug.cgi?id=185842

        Causes crashes on the 32-bit JSC bot (Requested by realdawei on
        #webkit).

        Reverted changesets:

        "[JSC] JSC should have consistent InById IC"
        https://bugs.webkit.org/show_bug.cgi?id=185682
        https://trac.webkit.org/changeset/231998

        "Unreviewed, fix 32bit and scope release"
        https://bugs.webkit.org/show_bug.cgi?id=185682
        https://trac.webkit.org/changeset/232017

2018-05-21  Jer Noble  <jer.noble@apple.com>

        Complete fix for enabling modern EME by default
        https://bugs.webkit.org/show_bug.cgi?id=185770
        <rdar://problem/40368220>

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix 32bit and scope release
        https://bugs.webkit.org/show_bug.cgi?id=185682

        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_in_by_id):

2018-05-20  Filip Pizlo  <fpizlo@apple.com>

        Revert the B3 compiler pipeline's treatment of taildup
        https://bugs.webkit.org/show_bug.cgi?id=185808

        Reviewed by Yusuke Suzuki.

        While trying to implement path specialization (bug 185060), I reorganized the B3 pass pipeline.
        But then path specialization turned out to be a negative result. This reverts the pipeline to the
        way it was before that work.

        1.5% progression on V8Spider-CompileTime.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):

2018-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase
        https://bugs.webkit.org/show_bug.cgi?id=185802

        Reviewed by Saam Barati.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2018-05-18  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline InstanceOf ICs
        https://bugs.webkit.org/show_bug.cgi?id=185695

        Reviewed by Yusuke Suzuki.

        This teaches the DFG how to inline InstanceOf ICs into a MatchStructure node. This can then
        be folded to a CheckStructure + JSConstant.

        In the process of testing this, I found a bug where LICM was not hoisting things that
        depended on ExtraOSREntryLocal because that might return SpecEmpty. I fixed that by teaching
        LICM how to materialize CheckNotEmpty on demand whenever !HoistingFailed.

        This is a ~5% speed-up on boyer.

        ~2x speed-up on the instanceof-always-hit-one, instanceof-always-hit-two, and
        instanceof-sometimes-hit microbenchmarks.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::appendVariant):
        (JSC::GetByIdStatus::filter):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::operator bool const):
        (JSC::GetByIdStatus::operator! const): Deleted.
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::operator bool const):
        (JSC::GetByIdVariant::operator! const): Deleted.
        * bytecode/ICStatusUtils.h: Added.
        (JSC::appendICStatusVariant):
        (JSC::filterICStatusVariants):
        * bytecode/InstanceOfStatus.cpp: Added.
        (JSC::InstanceOfStatus::appendVariant):
        (JSC::InstanceOfStatus::computeFor):
        (JSC::InstanceOfStatus::computeForStubInfo):
        (JSC::InstanceOfStatus::commonPrototype const):
        (JSC::InstanceOfStatus::filter):
        * bytecode/InstanceOfStatus.h: Added.
        (JSC::InstanceOfStatus::InstanceOfStatus):
        (JSC::InstanceOfStatus::state const):
        (JSC::InstanceOfStatus::isSet const):
        (JSC::InstanceOfStatus::operator bool const):
        (JSC::InstanceOfStatus::isSimple const):
        (JSC::InstanceOfStatus::takesSlowPath const):
        (JSC::InstanceOfStatus::numVariants const):
        (JSC::InstanceOfStatus::variants const):
        (JSC::InstanceOfStatus::at const):
        (JSC::InstanceOfStatus::operator[] const):
        * bytecode/InstanceOfVariant.cpp: Added.
        (JSC::InstanceOfVariant::InstanceOfVariant):
        (JSC::InstanceOfVariant::attemptToMerge):
        (JSC::InstanceOfVariant::dump const):
        (JSC::InstanceOfVariant::dumpInContext const):
        * bytecode/InstanceOfVariant.h: Added.
        (JSC::InstanceOfVariant::InstanceOfVariant):
        (JSC::InstanceOfVariant::operator bool const):
        (JSC::InstanceOfVariant::structureSet const):
        (JSC::InstanceOfVariant::structureSet):
        (JSC::InstanceOfVariant::conditionSet const):
        (JSC::InstanceOfVariant::prototype const):
        (JSC::InstanceOfVariant::isHit const):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::StructureStubInfo):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::considerCaching):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::remove):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasMatchStructureData):
        (JSC::DFG::Node::matchStructureData):
        * dfg/DFGNodeType.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMatchStructure):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileMatchStructure):

2018-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] JSC should have consistent InById IC
        https://bugs.webkit.org/show_bug.cgi?id=185682

        Reviewed by Filip Pizlo.

        Currently our op_in IC is ad hoc: it is only emitted in the DFG and FTL layers,
        when we find that DFG::In's parameter is a constant string. We should
        align this IC with the other ById ICs to clean up and remove ad hoc code
        in DFG and FTL.

        This patch cleans up our "In" IC by aligning it with the other ById ICs.
        We split the op_in bytecode into op_in_by_id and op_in_by_val. op_in_by_val
        is the same as the original op_in. For op_in_by_id, we use JITInByIdGenerator
        to emit InById IC code. In addition, our JITInByIdGenerator and op_in_by_id
        have an inline access cache for the own property case, the same as
        JITGetByIdGenerator.

        And we split DFG::In into DFG::InById and DFG::InByVal. InByVal is the same
        as the original In DFG node. DFG AI attempts to lower InByVal to InById
        if AI figures out that the property name is a constant string. And in the
        InById node, we use JITInByIdGenerator code.

        This patch cleans up DFG and FTL's ad hoc In IC code.

        In a subsequent patch, we should introduce InByIdStatus to optimize
        InById in DFG and FTL. We would like to have a new InByIdStatus instead of
        reusing GetByIdStatus since GetByIdStatus has become too complicated, and
        the AccessCase::Types are different (AccessCase::InHit / InMiss).

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::fromStructureStubInfo):
        (JSC::AccessCase::generateWithGuard):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::generateSelfInAccess):
        * bytecode/InlineAccess.h:
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::initInByIdSelf):
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::aboutToDie):
        (JSC::StructureStubInfo::reset):
        (JSC::StructureStubInfo::visitWeakReferences):
        (JSC::StructureStubInfo::propagateTransitions):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::patchableJump):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitInByVal):
        (JSC::BytecodeGenerator::emitInById):
        (JSC::BytecodeGenerator::emitIn): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addInById):
        (JSC::DFG::InRecord::InRecord): Deleted.
        (JSC::DFG::JITCompiler::addIn): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToInById):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInById):
        (JSC::DFG::SpeculativeJIT::compileInByVal):
        (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileInById):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
        * jit/ICStats.h:
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::link):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITInByIdGenerator::JITInByIdGenerator):
        (JSC::JITInByIdGenerator::generateFastPath):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITInByIdGenerator::JITInByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_in_by_id):
        (JSC::JIT::emitSlow_op_in_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_in_by_id):
        (JSC::JIT::emitSlow_op_in_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheInByID):
        (JSC::repatchInByID):
        (JSC::resetInByID):
        (JSC::tryCacheIn): Deleted.
        (JSC::repatchIn): Deleted.
        (JSC::resetIn): Deleted.
        * jit/Repatch.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/NodeConstructors.h:
        (JSC::InNode::InNode):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opInByVal):
        (JSC::CommonSlowPaths::opIn): Deleted.

2018-05-18  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231982.
        https://bugs.webkit.org/show_bug.cgi?id=185793

        Caused layout test failures (Requested by realdawei on
        #webkit).

        Reverted changeset:

        "Complete fix for enabling modern EME by default"
        https://bugs.webkit.org/show_bug.cgi?id=185770
        https://trac.webkit.org/changeset/231982

2018-05-18  Keith Miller  <keith_miller@apple.com>

        op_in should mark if it sees out of bounds accesses
        https://bugs.webkit.org/show_bug.cgi?id=185792

        Reviewed by Filip Pizlo.

        This used to cause us to OSR loop since we would always speculate
        that we were in bounds in HasIndexedProperty.

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::observeIndexedRead):
        * bytecode/ArrayProfile.h:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):

2018-05-18  Mark Lam  <mark.lam@apple.com>

        Add missing exception check.
        https://bugs.webkit.org/show_bug.cgi?id=185786
        <rdar://problem/35686560>

        Reviewed by Michael Saboff.

        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):

2018-05-18  Jer Noble  <jer.noble@apple.com>

        Complete fix for enabling modern EME by default
        https://bugs.webkit.org/show_bug.cgi?id=185770
        <rdar://problem/40368220>

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix exception checking, part 2
        https://bugs.webkit.org/show_bug.cgi?id=185350

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByValInternal):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):

2018-05-16  Filip Pizlo  <fpizlo@apple.com>

        JSC should have InstanceOf inline caching
        https://bugs.webkit.org/show_bug.cgi?id=185652

        Reviewed by Saam Barati.

        This adds a polymorphic inline cache for instanceof. It caches hits and misses. It uses the
        existing PolymorphicAccess IC machinery along with all of its heuristics. If we ever generate
        too many cases, we emit the generic instanceof implementation instead.

        All of the JIT tiers use the same InstanceOf IC. It uses the existing JITInlineCacheGenerator
        abstraction.

        This is a ~40% speed-up on instanceof microbenchmarks. It's a *tiny* (~1%) speed-up on
        Octane/boyer. I think I can make that speed-up bigger by inlining the inline cache.

        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/B3Effects.h:
        (JSC::B3::Effects::forReadOnlyCall):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::guardedByStructureCheck const):
        (JSC::AccessCase::canReplace const):
        (JSC::AccessCase::visitWeak const):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCase.h:
        * bytecode/InstanceOfAccessCase.cpp: Added.
        (JSC::InstanceOfAccessCase::create):
        (JSC::InstanceOfAccessCase::dumpImpl const):
        (JSC::InstanceOfAccessCase::clone const):
        (JSC::InstanceOfAccessCase::~InstanceOfAccessCase):
        (JSC::InstanceOfAccessCase::InstanceOfAccessCase):
        * bytecode/InstanceOfAccessCase.h: Added.
        (JSC::InstanceOfAccessCase::prototype const):
        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::hasPrototypeWithoutBarrier):
        (JSC::ObjectPropertyCondition::hasPrototype):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForInstanceOf):
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::addCases):
        (JSC::PolymorphicAccess::regenerate):
        (WTF::printInternal):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::dumpInContext const):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
        (WTF::printInternal):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::absenceWithoutBarrier):
        (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
        (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
        (JSC::PropertyCondition::hasPrototype):
        (JSC::PropertyCondition::hasPrototype const):
        (JSC::PropertyCondition::prototype const):
        (JSC::PropertyCondition::hash const):
        (JSC::PropertyCondition::operator== const):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::StructureStubInfo):
        (JSC::StructureStubInfo::reset):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::considerCaching):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInlineCacheWrapper.h:
        * dfg/DFGInlineCacheWrapperInlines.h:
        (JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addInstanceOf):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
        * jit/ICStats.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::link):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITInlineCacheGenerator::finalize):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::finalize):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
        (JSC::JITInstanceOfGenerator::generateFastPath):
        (JSC::JITInstanceOfGenerator::finalize):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITInlineCacheGenerator::reportSlowPathCall):
        (JSC::JITInlineCacheGenerator::slowPathBegin const):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
        (JSC::finalizeInlineCaches):
        (JSC::JITByIdGenerator::reportSlowPathCall): Deleted.
        (JSC::JITByIdGenerator::slowPathBegin const): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::stubUnavailableRegisters):
        * jit/Repatch.cpp:
        (JSC::tryCacheIn):
        (JSC::tryCacheInstanceOf):
        (JSC::repatchInstanceOf):
        (JSC::resetPatchableJump):
        (JSC::resetIn):
        (JSC::resetInstanceOf):
        * jit/Repatch.h:
        * runtime/Options.h:
        * runtime/Structure.h:
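
The InById IC entry (bug 185682, above) and the InstanceOf IC entry (bug 185652, directly above) describe the same mechanism: a per-site cache guarded by the object's Structure that records both hits and misses and falls back to the generic implementation once it collects too many cases. The following is an added example written for this page, not JSC code: a small C++ model of such a cache for `"name" in obj`. Structure, Object, InByIdCache, CacheStats and the two scenario functions are invented for illustration; only own-property (self) access is modelled, the real operation also walks the prototype chain, and the case limit is an assumption standing in for PolymorphicAccess's heuristics.

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <string>
#include <utility>
#include <vector>

// Stand-in for JSC's Structure (invented): the shape shared by objects with
// the same own-property layout. Objects with the same Structure give the same
// answer to `"name" in obj` for own properties, which is what makes a
// structure-guarded cache sound.
struct Structure {
    uint32_t id;
    std::vector<std::string> ownProperties;

    bool hasOwn(const std::string& name) const {
        for (const auto& p : ownProperties)
            if (p == name) return true;
        return false;
    }
};

struct Object {
    const Structure* structure;
};

// One polymorphic case: objects with this Structure answer hit or miss.
struct InByIdCase {
    uint32_t structureId;
    bool isHit;
};

struct CacheStats {
    std::size_t fastHits = 0;    // queries answered by a cached case
    std::size_t slowPaths = 0;   // queries that ran the generic lookup
    bool gaveUp = false;         // cache became too polymorphic
};

// A per-site cache for `"name" in obj`, modelled on the self-access IC that
// JITInByIdGenerator emits: guard on the Structure, return the cached answer.
// Hits and misses are both cached; past maxCases (an assumed limit) the cache
// gives up and every query takes the generic path.
class InByIdCache {
public:
    InByIdCache(std::string propertyName, std::size_t maxCases)
        : m_name(std::move(propertyName)), m_maxCases(maxCases) {}

    bool query(const Object& obj) {
        const uint32_t sid = obj.structure->id;
        for (const auto& c : m_cases) {
            if (c.structureId == sid) {   // structure guard passed
                ++m_stats.fastHits;
                return c.isHit;
            }
        }
        ++m_stats.slowPaths;
        // Generic path; only own properties are modelled here.
        const bool answer = obj.structure->hasOwn(m_name);
        if (!m_stats.gaveUp) {
            if (m_cases.size() < m_maxCases)
                m_cases.push_back({ sid, answer });
            else {
                m_stats.gaveUp = true;
                m_cases.clear();
            }
        }
        return answer;
    }

    const CacheStats& stats() const { return m_stats; }

private:
    std::string m_name;
    std::size_t m_maxCases;
    std::vector<InByIdCase> m_cases;
    CacheStats m_stats;
};

struct ScenarioResult {
    std::vector<bool> answers;
    CacheStats stats;
};

// Two shapes, each queried twice: one slow path per shape, then a fast hit
// on the repeat, including a cached miss for the shape without "a".
ScenarioResult warmCacheScenario() {
    static const Structure withA { 1, { "a", "b" } };
    static const Structure withoutA { 2, { "b" } };
    InByIdCache cache("a", 4);
    Object o1 { &withA }, o2 { &withoutA };
    ScenarioResult r;
    for (const Object* o : { &o1, &o1, &o2, &o2 })
        r.answers.push_back(cache.query(*o));
    r.stats = cache.stats();
    return r;
}

// A case limit of one and three shapes: the cache gives up, but the answers
// stay correct because the generic path is always consulted on a miss.
ScenarioResult tooPolymorphicScenario() {
    static const Structure s1 { 1, { "a" } }, s2 { 2, { "b" } }, s3 { 3, { "a", "c" } };
    InByIdCache cache("a", 1);
    Object o1 { &s1 }, o2 { &s2 }, o3 { &s3 };
    ScenarioResult r;
    for (const Object* o : { &o1, &o2, &o3, &o1 })
        r.answers.push_back(cache.query(*o));
    r.stats = cache.stats();
    return r;
}
```

The security-relevant property is in the guard: the cached answer is only ever returned after the Structure id matches, so an object whose shape changed (a property added or deleted, which gives it a new Structure) never sees a stale hit or miss. Giving up and clearing the cases models what PolymorphicAccess does when a site sees too many shapes.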
715
716 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
717
718         Unreviewed, fix exception checking
719         https://bugs.webkit.org/show_bug.cgi?id=185350
720
721         * runtime/CommonSlowPaths.h:
722         (JSC::CommonSlowPaths::putDirectWithReify):
723         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
724
725 2018-05-17  Michael Saboff  <msaboff@apple.com>
726
727         We don't throw SyntaxErrors for runtime generated regular expressions with errors
728         https://bugs.webkit.org/show_bug.cgi?id=185755
729
730         Reviewed by Keith Miller.
731
732         Added a new helper that creates the correct exception to throw for each type of error when
733         compiling a RegExp.  Using that new helper, added missing checks for RegExp for the cases
734         where we create a new RegExp from an existing one.  Also refactored other places that we
735         throw SyntaxErrors after a failed RegExp compile to use the new helper.
736
737         * runtime/RegExp.h:
738         * runtime/RegExpConstructor.cpp:
739         (JSC::regExpCreate):
740         (JSC::constructRegExp):
741         * runtime/RegExpPrototype.cpp:
742         (JSC::regExpProtoFuncCompile):
743         * yarr/YarrErrorCode.cpp:
744         (JSC::Yarr::errorToThrow):
745         * yarr/YarrErrorCode.h:
746
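The missing checks described in the entry above are observable from script: every way of building a RegExp from user-controlled input has to surface a compile failure as a SyntaxError. As an added example (not JavaScriptCore's own code), the helpers below wrap the paths the entry names, constructing a RegExp from an existing one with new flags and RegExp.prototype.compile, so that a bad pattern never escapes as an uncaught exception. compileUserRegExp, recompileUserRegExp and the sample cases are this example's own names and constructed inputs.

```javascript
// Added example: compiling regular expressions from untrusted input.
// Names and sample inputs are this example's own, not JavaScriptCore's.

// Returns { ok: true, re } or { ok: false, error }. Only SyntaxError means
// "the pattern or flags are invalid"; anything else (e.g. a TypeError from a
// hostile toString on the pattern object) is reported under its own name.
function compileUserRegExp(pattern, flags) {
  try {
    return { ok: true, re: new RegExp(pattern, flags) };
  } catch (e) {
    return { ok: false, error: e instanceof SyntaxError ? 'SyntaxError' : e.name };
  }
}

// Same contract for the Annex B compile() path, which recompiles an existing
// RegExp object in place instead of creating a new one.
function recompileUserRegExp(re, pattern, flags) {
  try {
    re.compile(pattern, flags);
    return { ok: true, re };
  } catch (e) {
    return { ok: false, error: e instanceof SyntaxError ? 'SyntaxError' : e.name };
  }
}

const base = /a+b/;
const cases = {
  clone:        compileUserRegExp(base, 'g'),        // new RegExp(existing, flags): fine
  badFlag:      compileUserRegExp(base, 'x'),        // unknown flag: SyntaxError
  dupFlag:      compileUserRegExp(base, 'gg'),       // repeated flag: SyntaxError
  badPattern:   compileUserRegExp('(', ''),          // unbalanced group: SyntaxError
  recompileBad: recompileUserRegExp(/ok/, '[', ''),  // compile() must throw too
};
```

The flag errors are the interesting case: the pattern source is taken from a RegExp that already compiled, so the only thing left to validate is the new flag string, and a constructor that skips that step hands back a half-initialised object instead of throwing.
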
747 2018-05-17  Saam Barati  <sbarati@apple.com>
748
749         Remove shrinkFootprint test from apitests since it's flaky
750         https://bugs.webkit.org/show_bug.cgi?id=185754
751
752         Reviewed by Mark Lam.
753
754         This test is flaky as it keeps failing on certain people's machines.
755         Having a test about OS footprint seems like it'll forever be doomed
756         to being flaky.
757
758         * API/tests/testapi.mm:
759         (testObjectiveCAPIMain):
760
761 2018-05-17  Saam Barati  <sbarati@apple.com>
762
763         defaultConstructorSourceCode needs to makeSource every time it's called
764         https://bugs.webkit.org/show_bug.cgi?id=185753
765
766         Rubber-stamped by Mark Lam.
767
768         The bug here is multiple VMs can be running concurrently to one another
769         in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
770         if we copy a static SourceCode. Instead, we create a new one each time
771         this function is called.
772
773         * builtins/BuiltinExecutables.cpp:
774         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
775
776 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
777
778         [JSC] Use AssemblyHelpers' type checking functions as much as possible
779         https://bugs.webkit.org/show_bug.cgi?id=185730
780
781         Reviewed by Saam Barati.
782
783         Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex
784         bit and register operations for type tagging of JSValue. It is really useful when we would like
785         to tweak type tagging representation since the code is collected into AssemblyHelpers. And
786         the named function is more readable than some branching operations.
787
788         We also remove unnecessary branching functions in JIT / JSInterfaceJIT. Some of them duplicate
789         AssemblyHelpers' ones.
790
791         We add several new type checking functions to AssemblyHelpers. Moreover, we add branchIfXXX(GPRReg)
792         functions even for the 32-bit environment. In the 32-bit environment, these functions take the tag register. These
793         semantics are aligned with the existing branchIfCell / branchIfNotCell.
794
795         * bytecode/AccessCase.cpp:
796         (JSC::AccessCase::generateWithGuard):
797         * dfg/DFGSpeculativeJIT.cpp:
798         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
799         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
800         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
801         (JSC::DFG::SpeculativeJIT::compileSpread):
802         (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
803         (JSC::DFG::SpeculativeJIT::speculateCellType):
804         (JSC::DFG::SpeculativeJIT::speculateNumber):
805         (JSC::DFG::SpeculativeJIT::speculateMisc):
806         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
807         (JSC::DFG::SpeculativeJIT::compileCreateThis):
808         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
809         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
810         * dfg/DFGSpeculativeJIT32_64.cpp:
811         (JSC::DFG::SpeculativeJIT::emitCall):
812         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
813         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
814         (JSC::DFG::SpeculativeJIT::compile):
815         * dfg/DFGSpeculativeJIT64.cpp:
816         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
817         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
818         (JSC::DFG::SpeculativeJIT::emitCall):
819         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
820         (JSC::DFG::SpeculativeJIT::compile):
821         (JSC::DFG::SpeculativeJIT::convertAnyInt):
822         * ftl/FTLLowerDFGToB3.cpp:
823         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
824         * jit/AssemblyHelpers.h:
825         (JSC::AssemblyHelpers::branchIfInt32):
826         (JSC::AssemblyHelpers::branchIfNotInt32):
827         (JSC::AssemblyHelpers::branchIfNumber):
828         (JSC::AssemblyHelpers::branchIfNotNumber):
829         (JSC::AssemblyHelpers::branchIfBoolean):
830         (JSC::AssemblyHelpers::branchIfNotBoolean):
831         (JSC::AssemblyHelpers::branchIfEmpty):
832         (JSC::AssemblyHelpers::branchIfNotEmpty):
833         (JSC::AssemblyHelpers::branchIfUndefined):
834         (JSC::AssemblyHelpers::branchIfNotUndefined):
835         (JSC::AssemblyHelpers::branchIfNull):
836         (JSC::AssemblyHelpers::branchIfNotNull):
837         * jit/JIT.h:
838         * jit/JITArithmetic.cpp:
839         (JSC::JIT::emit_compareAndJump):
840         (JSC::JIT::emit_compareAndJumpSlow):
841         * jit/JITArithmetic32_64.cpp:
842         (JSC::JIT::emit_compareAndJump):
843         (JSC::JIT::emit_op_unsigned):
844         (JSC::JIT::emit_op_inc):
845         (JSC::JIT::emit_op_dec):
846         (JSC::JIT::emitBinaryDoubleOp):
847         (JSC::JIT::emit_op_mod):
848         * jit/JITCall.cpp:
849         (JSC::JIT::compileCallEval):
850         (JSC::JIT::compileOpCall):
851         * jit/JITCall32_64.cpp:
852         (JSC::JIT::compileCallEval):
853         (JSC::JIT::compileOpCall):
854         * jit/JITInlines.h:
855         (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
856         (JSC::JIT::emitJumpIfBothJSCells):
857         (JSC::JIT::emitJumpSlowCaseIfJSCell):
858         (JSC::JIT::emitJumpIfNotInt):
859         (JSC::JIT::emitJumpSlowCaseIfNotInt):
860         (JSC::JIT::emitJumpSlowCaseIfNotNumber):
861         (JSC::JIT::emitJumpIfCellObject): Deleted.
862         (JSC::JIT::emitJumpIfCellNotObject): Deleted.
863         (JSC::JIT::emitJumpIfJSCell): Deleted.
864         (JSC::JIT::emitJumpIfInt): Deleted.
865         * jit/JITOpcodes.cpp:
866         (JSC::JIT::emit_op_instanceof):
867         (JSC::JIT::emit_op_is_undefined):
868         (JSC::JIT::emit_op_is_cell_with_type):
869         (JSC::JIT::emit_op_is_object):
870         (JSC::JIT::emit_op_to_primitive):
871         (JSC::JIT::emit_op_jeq_null):
872         (JSC::JIT::emit_op_jneq_null):
873         (JSC::JIT::compileOpStrictEq):
874         (JSC::JIT::compileOpStrictEqJump):
875         (JSC::JIT::emit_op_to_number):
876         (JSC::JIT::emit_op_to_string):
877         (JSC::JIT::emit_op_to_object):
878         (JSC::JIT::emit_op_eq_null):
879         (JSC::JIT::emit_op_neq_null):
880         (JSC::JIT::emit_op_to_this):
881         (JSC::JIT::emit_op_create_this):
882         (JSC::JIT::emit_op_check_tdz):
883         (JSC::JIT::emitNewFuncExprCommon):
884         (JSC::JIT::emit_op_profile_type):
885         * jit/JITOpcodes32_64.cpp:
886         (JSC::JIT::emit_op_instanceof):
887         (JSC::JIT::emit_op_is_undefined):
888         (JSC::JIT::emit_op_is_cell_with_type):
889         (JSC::JIT::emit_op_is_object):
890         (JSC::JIT::emit_op_to_primitive):
891         (JSC::JIT::emit_op_not):
892         (JSC::JIT::emit_op_jeq_null):
893         (JSC::JIT::emit_op_jneq_null):
894         (JSC::JIT::emit_op_jneq_ptr):
895         (JSC::JIT::emit_op_eq):
896         (JSC::JIT::emit_op_jeq):
897         (JSC::JIT::emit_op_neq):
898         (JSC::JIT::emit_op_jneq):
899         (JSC::JIT::compileOpStrictEq):
900         (JSC::JIT::compileOpStrictEqJump):
901         (JSC::JIT::emit_op_eq_null):
902         (JSC::JIT::emit_op_neq_null):
903         (JSC::JIT::emit_op_to_number):
904         (JSC::JIT::emit_op_to_string):
905         (JSC::JIT::emit_op_to_object):
906         (JSC::JIT::emit_op_create_this):
907         (JSC::JIT::emit_op_to_this):
908         (JSC::JIT::emit_op_check_tdz):
909         (JSC::JIT::emit_op_profile_type):
910         * jit/JITPropertyAccess.cpp:
911         (JSC::JIT::emit_op_get_by_val):
912         (JSC::JIT::emitGetByValWithCachedId):
913         (JSC::JIT::emitGenericContiguousPutByVal):
914         (JSC::JIT::emitPutByValWithCachedId):
915         (JSC::JIT::emit_op_get_from_scope):
916         (JSC::JIT::emit_op_put_to_scope):
917         (JSC::JIT::emitWriteBarrier):
918         (JSC::JIT::emitIntTypedArrayPutByVal):
919         (JSC::JIT::emitFloatTypedArrayPutByVal):
920         * jit/JITPropertyAccess32_64.cpp:
921         (JSC::JIT::emit_op_get_by_val):
922         (JSC::JIT::emitContiguousLoad):
923         (JSC::JIT::emitArrayStorageLoad):
924         (JSC::JIT::emitGetByValWithCachedId):
925         (JSC::JIT::emitGenericContiguousPutByVal):
926         (JSC::JIT::emitPutByValWithCachedId):
927         (JSC::JIT::emit_op_get_from_scope):
928         (JSC::JIT::emit_op_put_to_scope):
929         * jit/JSInterfaceJIT.h:
930         (JSC::JSInterfaceJIT::emitLoadJSCell):
931         (JSC::JSInterfaceJIT::emitLoadInt32):
932         (JSC::JSInterfaceJIT::emitLoadDouble):
933         (JSC::JSInterfaceJIT::emitJumpIfNumber): Deleted.
934         (JSC::JSInterfaceJIT::emitJumpIfNotNumber): Deleted.
935         (JSC::JSInterfaceJIT::emitJumpIfNotType): Deleted.
936         * jit/Repatch.cpp:
937         (JSC::linkPolymorphicCall):
938         * jit/ThunkGenerators.cpp:
939         (JSC::virtualThunkFor):
940         (JSC::absThunkGenerator):
941         * tools/JSDollarVM.cpp:
942         (WTF::DOMJITNode::checkSubClassSnippet):
943         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
944
945 2018-05-17  Saam Barati  <sbarati@apple.com>
946
947         Unreviewed. Fix the build after my attempted build fix broke the build.
948
949         * builtins/BuiltinExecutables.cpp:
950         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
951         (JSC::BuiltinExecutables::createDefaultConstructor):
952         * builtins/BuiltinExecutables.h:
953
954 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
955
956         [JSC] Remove reifyPropertyNameIfNeeded
957         https://bugs.webkit.org/show_bug.cgi?id=185350
958
959         Reviewed by Saam Barati.
960
961         reifyPropertyNameIfNeeded is in the middle of putDirectInternal, which is super critical path.
962         This is a virtual call, and it is only used by JSFunction right now. Since this causes too much
963         cost, we should remove this from the critical path.
964
965         This patch removes this function call from the critical path. And in our slow paths, we call
966         helper functions which call reifyLazyPropertyIfNeeded if the given value is a JSFunction.
967         While putDirect is a bit of a raw API, our slow paths just call it. This helper wraps these calls
968         and takes care of the edge cases. The other callsites of putDirect should know the type of the given
969         object and the name of the property (and avoid these edge cases).
970
971         This improves SixSpeed/object-assign.es6 by ~4% on MacBook Pro. And this patch does not cause
972         regressions of the existing tests.
973
974                                            baseline                  patched
975         Kraken:
976             json-parse-financial        35.522+-0.069      ^      34.708+-0.097         ^ definitely 1.0234x faster
977
978         SixSpeed:
979             object-assign.es6         145.8779+-0.2838     ^    140.1019+-0.8007        ^ definitely 1.0412x faster
980
981         * dfg/DFGOperations.cpp:
982         (JSC::DFG::putByValInternal):
983         (JSC::DFG::putByValCellInternal):
984         * jit/JITOperations.cpp:
985         * llint/LLIntSlowPaths.cpp:
986         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
987         * runtime/ClassInfo.h:
988         * runtime/CommonSlowPaths.h:
989         (JSC::CommonSlowPaths::putDirectWithReify):
990         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
991         * runtime/JSCell.cpp:
992         (JSC::JSCell::reifyPropertyNameIfNeeded): Deleted.
993         * runtime/JSCell.h:
994         * runtime/JSFunction.cpp:
995         (JSC::JSFunction::reifyPropertyNameIfNeeded): Deleted.
996         * runtime/JSFunction.h:
997         * runtime/JSObject.cpp:
998         (JSC::JSObject::putDirectAccessor):
999         (JSC::JSObject::putDirectNonIndexAccessor):
1000         * runtime/JSObject.h:
1001         * runtime/JSObjectInlines.h:
1002         (JSC::JSObject::putDirectInternal):
1003
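The edge case that putDirectWithReify exists for (in this entry and in the "fix exception checking" follow-up above) is visible from script: a function's "name" and "length" are lazily materialised own properties that are non-writable but configurable, while "prototype" is writable but non-configurable. A generic store that bypasses reification would create a fresh writable property instead of honouring those attributes. As an added example (not JavaScriptCore's own code), the probe below records what an ordinary [[Set]] and a [[DefineOwnProperty]] are allowed to do to each of them; probeStore, assignName and the sample functions are this example's own.

```javascript
// Added example: the property attributes a slow-path store on a function must
// respect. Helper names and sample functions are this example's own.

// Attempts an ordinary [[Set]] and then a [[DefineOwnProperty]] of `value`
// under `key` on `target`, reporting whether each succeeded and what the
// property reads back as afterwards. Reflect.* returns false instead of
// throwing, which keeps the outcome inspectable.
function probeStore(target, key, value) {
  const viaSet = Reflect.set(target, key, value);
  const afterSet = target[key];
  const viaDefine = Reflect.defineProperty(target, key, { value });
  const afterDefine = target[key];
  return { viaSet, afterSet, viaDefine, afterDefine };
}

function sample(a, b) {}

// "name": [[Set]] fails (non-writable), [[DefineOwnProperty]] succeeds
// (configurable), so the value changes only through the define path.
const nameProbe = probeStore(sample, 'name', 'renamed');

// "length": same attribute pair as "name"; the arity 3 survives the Set.
const lengthProbe = probeStore(function (x, y, z) {}, 'length', 0);

// "prototype" on an ordinary function: writable but non-configurable, so the
// Set succeeds, and a value-only redefine is permitted as well.
const protoProbe = probeStore(function () {}, 'prototype', { tag: 'custom' });

// Object.assign uses [[Set]] with throw semantics, so copying a "name" onto a
// function must throw rather than silently shadow the lazy property.
function assignName(fn) {
  try {
    Object.assign(fn, { name: 'x' });
    return 'assigned';
  } catch (e) {
    return e.name;
  }
}
```

Object.assign is exactly the SixSpeed case the entry measures; the observable contract is that it behaves the same whether the engine's slow path reified the property ahead of time or not.
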
1004 2018-05-17  Saam Barati  <sbarati@apple.com>
1005
1006         Unreviewed. Try to fix windows build.
1007
1008         * builtins/BuiltinExecutables.cpp:
1009         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
1010
1011 2018-05-16  Saam Barati  <sbarati@apple.com>
1012
1013         UnlinkedFunctionExecutable doesn't need a parent source override field since it's only used for default class constructors
1014         https://bugs.webkit.org/show_bug.cgi?id=185637
1015
1016         Reviewed by Keith Miller.
1017
1018         We had this general mechanism for overriding an UnlinkedFunctionExecutable's parent
1019         source code. However, we were only using this for default class constructors. There
1020         are only two types of default class constructors. This patch makes it so that
1021         we just store this information inside of a single bit, and ask for the source
1022         code as needed instead of holding it in a nullable field that is 24 bytes in size.
1023         
1024         This brings UnlinkedFunctionExecutable's size down from 184 bytes to 160 bytes.
1025         This has the consequence of making it allocated out of a 160 byte size class
1026         instead of a 224 byte size class. This should bring down its memory footprint
1027         by ~40%.
1028
1029         * builtins/BuiltinExecutables.cpp:
1030         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
1031         (JSC::BuiltinExecutables::createDefaultConstructor):
1032         (JSC::BuiltinExecutables::createExecutable):
1033         * builtins/BuiltinExecutables.h:
1034         * bytecode/UnlinkedFunctionExecutable.cpp:
1035         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1036         (JSC::UnlinkedFunctionExecutable::link):
1037         * bytecode/UnlinkedFunctionExecutable.h:
1038         * runtime/CodeCache.cpp:
1039         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1040
1041 2018-05-16  Saam Barati  <sbarati@apple.com>
1042
1043         VM::shrinkFootprint should call collectNow(Sync) instead of collectSync so it also eagerly sweeps
1044         https://bugs.webkit.org/show_bug.cgi?id=185707
1045
1046         Reviewed by Mark Lam.
1047
1048         * runtime/VM.cpp:
1049         (JSC::VM::shrinkFootprint):
1050
1051 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
1052
1053         [ESNext][BigInt] Implement support for "/" operation
1054         https://bugs.webkit.org/show_bug.cgi?id=183996
1055
1056         Reviewed by Yusuke Suzuki.
1057
1058         This patch is introducing the support for BigInt into divide
1059         operation in LLInt and JIT layers.
1060
1061         * dfg/DFGOperations.cpp:
1062         * runtime/CommonSlowPaths.cpp:
1063         (JSC::SLOW_PATH_DECL):
1064         * runtime/JSBigInt.cpp:
1065         (JSC::JSBigInt::divide):
1066         (JSC::JSBigInt::copy):
1067         (JSC::JSBigInt::unaryMinus):
1068         (JSC::JSBigInt::absoluteCompare):
1069         (JSC::JSBigInt::absoluteDivLarge):
1070         (JSC::JSBigInt::productGreaterThan):
1071         (JSC::JSBigInt::inplaceAdd):
1072         (JSC::JSBigInt::inplaceSub):
1073         (JSC::JSBigInt::inplaceRightShift):
1074         (JSC::JSBigInt::specialLeftShift):
1075         (JSC::JSBigInt::digit):
1076         (JSC::JSBigInt::setDigit):
1077         * runtime/JSBigInt.h:
1078
1079 2018-05-16  Saam Barati  <sbarati@apple.com>
1080
1081         Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
1082         https://bugs.webkit.org/show_bug.cgi?id=185670
1083
1084         Reviewed by Yusuke Suzuki.
1085
1086         This patch makes it so that we constant fold CheckTypeInfoFlags for
1087         ImplementsDefaultHasInstance inside of AI/constant folding. We constant
1088         fold in three ways:
1089         - When the incoming value is a constant, we just look at its inline type
1090         flags. Since those flags never change after an object is created, this
1091         is sound.
1092         - Based on the incoming value having a finite structure set. We just iterate
1093         all structures and ensure they have the bit set.
1094         - Based on speculated type. To do this, I split up SpecFunction into two
1095         subheaps where one is for functions that have the bit set, and one for
1096         functions that don't have the bit set. The latter is currently only comprised
1097         of JSBoundFunctions. To constant fold, we check that the incoming
1098         value only has the SpecFunction type with ImplementsDefaultHasInstance set.
1099
1100         * bytecode/SpeculatedType.cpp:
1101         (JSC::speculationFromClassInfo):
1102         * bytecode/SpeculatedType.h:
1103         * dfg/DFGAbstractInterpreterInlines.h:
1104         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1105         * dfg/DFGConstantFoldingPhase.cpp:
1106         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1107         * dfg/DFGSpeculativeJIT.cpp:
1108         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
1109         * dfg/DFGStrengthReductionPhase.cpp:
1110         (JSC::DFG::StrengthReductionPhase::handleNode):
1111         * runtime/JSFunction.cpp:
1112         (JSC::JSFunction::JSFunction):
1113         (JSC::JSFunction::assertTypeInfoFlagInvariants):
1114         * runtime/JSFunction.h:
1115         (JSC::JSFunction::assertTypeInfoFlagInvariants):
1116         * runtime/JSFunctionInlines.h:
1117         (JSC::JSFunction::JSFunction):
1118
1119 2018-05-16  Devin Rousso  <webkit@devinrousso.com>
1120
1121         Web Inspector: create a navigation item for toggling the overlay rulers/guides
1122         https://bugs.webkit.org/show_bug.cgi?id=185644
1123
1124         Reviewed by Matt Baker.
1125
1126         * inspector/protocol/OverlayTypes.json:
1127         * inspector/protocol/Page.json:
1128
1129 2018-05-16  Commit Queue  <commit-queue@webkit.org>
1130
1131         Unreviewed, rolling out r231845.
1132         https://bugs.webkit.org/show_bug.cgi?id=185702
1133
1134         it is breaking Apple High Sierra 32-bit JSC bot (Requested by
1135         caiolima on #webkit).
1136
1137         Reverted changeset:
1138
1139         "[ESNext][BigInt] Implement support for "/" operation"
1140         https://bugs.webkit.org/show_bug.cgi?id=183996
1141         https://trac.webkit.org/changeset/231845
1142
1143 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
1144
1145         DFG models InstanceOf incorrectly
1146         https://bugs.webkit.org/show_bug.cgi?id=185694
1147
1148         Reviewed by Keith Miller.
1149         
1150         Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
1151         hoist it.
1152
1153         * dfg/DFGAbstractInterpreterInlines.h:
1154         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1155         * dfg/DFGClobberize.h:
1156         (JSC::DFG::clobberize):
1157         * dfg/DFGHeapLocation.cpp:
1158         (WTF::printInternal):
1159         * dfg/DFGHeapLocation.h:
1160         * dfg/DFGNodeType.h:
1161
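Both of the entries above about instanceof (the DFG modelling fix just above, and the CheckTypeInfoFlags constant folding on ImplementsDefaultHasInstance further up) come down to behaviour that is observable from script: the default Function.prototype[Symbol.hasInstance] walks the left operand's prototype chain through [[GetPrototypeOf]], which a Proxy can intercept, it can exit by throwing, and bound functions are the one kind of function that does not take the default path because the lookup unwraps to the bound target. As an added example (not JavaScriptCore's own code), the probes below make each of those visible; observeInstanceOf, countTrapsWhenDiscarded and the sample classes are this example's own.

```javascript
// Added example: what `instanceof` can observably do, which is why a compiler
// may neither treat it as pure nor delete or hoist it. Names are this
// example's own, not JavaScriptCore's.

// Runs `value instanceof ctor` behind a Proxy that records prototype-chain
// walks, and reports the result or the exception class that escaped.
function observeInstanceOf(value, ctor) {
  const trace = [];
  const probe = typeof value === 'object' && value !== null
    ? new Proxy(value, {
        getPrototypeOf(target) {
          trace.push('getPrototypeOf');   // side effect visible to script
          return Reflect.getPrototypeOf(target);
        },
      })
    : value;
  try {
    return { result: probe instanceof ctor, trace, error: null };
  } catch (e) {
    return { result: null, trace, error: e.constructor.name };
  }
}

class Base {}
class Derived extends Base {}

// 1. Ordinary object: the chain walk hits the Proxy trap, so instanceof has
//    an effect and cannot be modelled as a pure read.
const walked = observeInstanceOf(new Derived(), Base);

// 2. Right-hand side whose "prototype" is not an object: OrdinaryHasInstance
//    throws a TypeError, so instanceof can terminate by exception and must not
//    be hoisted above code that would otherwise have run first.
function BrokenCtor() {}
BrokenCtor.prototype = 42;
const threw = observeInstanceOf({}, BrokenCtor);

// 3. Bound function: the default hasInstance unwraps to the bound target, so
//    the answer comes from Base, not from the bound wrapper. This is the case
//    that does not implement the default hasInstance fast path.
const viaBound = observeInstanceOf(new Derived(), Base.bind(null));

// 4. Even with the result discarded, the trap still has to run, so the
//    operation may not be removed as dead code.
function countTrapsWhenDiscarded() {
  let hits = 0;
  const p = new Proxy({}, {
    getPrototypeOf(t) { hits++; return Reflect.getPrototypeOf(t); },
  });
  void (p instanceof Base);
  return hits;
}
```

Case 4 is the DCE hazard stated in the entry, case 2 the hoisting hazard, and case 1 the reason Proxies make the node effectful; any JIT tier that folds or moves instanceof has to prove none of them can apply.
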
1162 2018-05-16  Andy VanWagoner  <andy@vanwagoner.family>
1163
1164         Add support for Intl NumberFormat formatToParts
1165         https://bugs.webkit.org/show_bug.cgi?id=185375
1166
1167         Reviewed by Yusuke Suzuki.
1168
1169         Add flag for NumberFormat formatToParts. Implement formatToParts using
1170         unum_formatDoubleForFields. Because the fields are nested and come back
1171         in no guaranteed order, the simple algorithm to convert them to the
1172         desired format is roughly O(n^2). However, even with Number.MAX_VALUE
1173         it appears to perform well enough for the initial implementation. Another
1174         issue has been created to improve this algorithm.
1175
1176         This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
1177         on macOS, since only v57 is available.
1178
1179         * Configurations/FeatureDefines.xcconfig:
1180         * runtime/IntlNumberFormat.cpp:
1181         (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
1182         (JSC::IntlNumberFormat::partTypeString):
1183         (JSC::IntlNumberFormat::formatToParts):
1184         * runtime/IntlNumberFormat.h:
1185         * runtime/IntlNumberFormatPrototype.cpp:
1186         (JSC::IntlNumberFormatPrototype::create):
1187         (JSC::IntlNumberFormatPrototype::finishCreation):
1188         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
1189         * runtime/IntlNumberFormatPrototype.h:
1190         * runtime/Options.h:
1191
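The conversion the entry above describes, from ICU field positions to formatToParts output, is a small algorithm worth seeing once: fields arrive as [begin, end) ranges in no fixed order, and they nest (the integer field spans its own group separators), so the straightforward approach is to pick, for every character, the narrowest field that covers it and then merge runs, which is O(fields x length). As an added example (not JavaScriptCore's IntlNumberFormat code), fieldsToParts below does exactly that over a constructed field list; the function name and the sample fields are this example's own, and the part type names follow Intl.NumberFormat.

```javascript
// Added example: converting nested, unordered field ranges into parts.
// Not JavaScriptCore code; the sample fields below are constructed.

// `fields` is an array of { type, begin, end } with half-open ranges that may
// overlap by nesting. Returns [{ type, value }] covering every character of
// `formatted`; characters no field claims become "literal".
function fieldsToParts(formatted, fields) {
  const parts = [];
  let current = null;
  for (let i = 0; i < formatted.length; i++) {
    // Narrowest covering field wins, so "group" beats the enclosing "integer".
    let type = 'literal';
    let width = Infinity;
    for (const f of fields) {
      if (f.begin <= i && i < f.end && f.end - f.begin < width) {
        type = f.type;
        width = f.end - f.begin;
      }
    }
    if (current && current.type === type) {
      current.value += formatted[i];          // extend the run
    } else {
      current = { type, value: formatted[i] }; // start a new part
      parts.push(current);
    }
  }
  return parts;
}

// Constructed field list for "-1,234.5" in a deliberately scrambled order.
const sampleFields = [
  { type: 'fraction',  begin: 7, end: 8 },
  { type: 'integer',   begin: 1, end: 6 },   // also covers the "," at index 2
  { type: 'group',     begin: 2, end: 3 },
  { type: 'minusSign', begin: 0, end: 1 },
  { type: 'decimal',   begin: 6, end: 7 },
];
const sampleParts = fieldsToParts('-1,234.5', sampleFields);
```

The inner loop is what makes this quadratic in the worst case; a sorted sweep over field boundaries would bring it down to near linear, which is the follow-up the entry defers.
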
1192 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
1193
1194         [ESNext][BigInt] Implement support for "/" operation
1195         https://bugs.webkit.org/show_bug.cgi?id=183996
1196
1197         Reviewed by Yusuke Suzuki.
1198
1199         This patch is introducing the support for BigInt into divide
1200         operation in LLInt and JIT layers.
1201
1202         * dfg/DFGOperations.cpp:
1203         * runtime/CommonSlowPaths.cpp:
1204         (JSC::SLOW_PATH_DECL):
1205         * runtime/JSBigInt.cpp:
1206         (JSC::JSBigInt::divide):
1207         (JSC::JSBigInt::copy):
1208         (JSC::JSBigInt::unaryMinus):
1209         (JSC::JSBigInt::absoluteCompare):
1210         (JSC::JSBigInt::absoluteDivLarge):
1211         (JSC::JSBigInt::productGreaterThan):
1212         (JSC::JSBigInt::inplaceAdd):
1213         (JSC::JSBigInt::inplaceSub):
1214         (JSC::JSBigInt::inplaceRightShift):
1215         (JSC::JSBigInt::specialLeftShift):
1216         (JSC::JSBigInt::digit):
1217         (JSC::JSBigInt::setDigit):
1218         * runtime/JSBigInt.h:
1219
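The two BigInt "/" entries above (the original landing and the re-land after the 32-bit bot rollout) list magnitude helpers such as absoluteCompare and inplaceSub but do not spell out the contract a division slow path has to meet: the quotient truncates toward zero, a zero divisor is a RangeError, and mixing BigInt with Number is a TypeError. As an added example (not JavaScriptCore's JSBigInt code), the implementation below works those rules out on an explicit little-endian digit array, the way a bignum representation stores values, using shift-and-subtract long division for the magnitude. The 16-bit digit size and every helper name are this example's own choices, not the engine's.

```javascript
// Added example: BigInt division semantics on an explicit digit array.
// Not JavaScriptCore code; 16-bit digits and all names are this example's own.

const DIGIT_BITS = 16;
const DIGIT_MASK = 0xffff;

// Non-negative BigInt -> little-endian 16-bit digits with no leading zeros.
function toDigits(n) {
  const digits = [];
  while (n > 0n) { digits.push(Number(n & 0xffffn)); n >>= 16n; }
  return digits;
}
function fromDigits(digits) {
  let n = 0n;
  for (let i = digits.length - 1; i >= 0; i--) n = (n << 16n) | BigInt(digits[i]);
  return n;
}

// Magnitude comparison (-1, 0, 1); both arrays must be free of leading zeros.
function absoluteCompare(a, b) {
  if (a.length !== b.length) return a.length < b.length ? -1 : 1;
  for (let i = a.length - 1; i >= 0; i--) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// a -= b in place, requiring a >= b; trims leading zero digits afterwards.
function inplaceSub(a, b) {
  let borrow = 0;
  for (let i = 0; i < a.length; i++) {
    const d = a[i] - (i < b.length ? b[i] : 0) - borrow;
    borrow = d < 0 ? 1 : 0;
    a[i] = d + (borrow << DIGIT_BITS);
  }
  while (a.length && a[a.length - 1] === 0) a.pop();
}

// Magnitude division, one quotient bit per step: remainder = remainder*2 + bit,
// subtract the divisor whenever it fits. Simple rather than fast.
function absoluteDivide(x, y) {
  const quotient = new Array(x.length).fill(0);
  const remainder = [];
  for (let bit = x.length * DIGIT_BITS - 1; bit >= 0; bit--) {
    let carry = (x[bit >> 4] >> (bit & 15)) & 1;
    for (let i = 0; i < remainder.length; i++) {
      const v = (remainder[i] << 1) | carry;
      remainder[i] = v & DIGIT_MASK;
      carry = v >> DIGIT_BITS;
    }
    if (carry) remainder.push(carry);
    if (absoluteCompare(remainder, y) >= 0) {
      inplaceSub(remainder, y);
      quotient[bit >> 4] |= 1 << (bit & 15);
    }
  }
  while (quotient.length && quotient[quotient.length - 1] === 0) quotient.pop();
  return { quotient, remainder };
}

// The operator's contract: type check, zero check, then sign and magnitude.
function bigIntDivide(a, b) {
  if (typeof a !== 'bigint' || typeof b !== 'bigint') {
    throw new TypeError('Cannot mix BigInt and other types');
  }
  if (b === 0n) throw new RangeError('Division by zero');
  const negative = (a < 0n) !== (b < 0n);
  const { quotient } = absoluteDivide(toDigits(a < 0n ? -a : a), toDigits(b < 0n ? -b : b));
  const magnitude = fromDigits(quotient);   // truncation toward zero falls out
  return negative ? -magnitude : magnitude;
}
```

Dividing magnitudes and applying the sign afterwards is what gives truncation toward zero for free; a floor-style division would have to adjust the quotient when the signs differ and a remainder is left over.
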
1220 2018-05-16  Alberto Garcia  <berto@igalia.com>
1221
1222         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
1223         https://bugs.webkit.org/show_bug.cgi?id=182622
1224
1225         Reviewed by Michael Catanzaro.
1226
1227         We were linking JavaScriptCore against libatomic in MIPS because
1228         in that architecture __atomic_fetch_add_8() is not a compiler
1229         intrinsic and is provided by that library instead. However other
1230         architectures (e.g. armel) are in the same situation, so we need a
1231         generic test.
1232
1233         That test already exists in WebKit/CMakeLists.txt, so we just have
1234         to move it to a common file (WebKitCompilerFlags.cmake) and use
1235         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
1236
1237         * CMakeLists.txt:
1238
1239 2018-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1240
1241         [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
1242         https://bugs.webkit.org/show_bug.cgi?id=185601
1243
1244         Reviewed by Saam Barati.
1245
1246         Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData
1247         before calling getCallData when we would like to check whether a given object is callable
1248         since getCallData is a virtual call. When we call the object anyway, directly calling getCallData
1249         is fine. But if we would like to check whether the object is callable, we can have non
1250         callable objects frequently. In that case, we should not call getCallData if we can avoid it.
1251
1252         To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
1253         and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
1254         OverridesGetCallData checking before calling getCallData.
1255
1256         We found that this virtual call exists in JSON.stringify's critical path. Checking
1257         OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.
1258
1259                                                baseline                  patched
1260
1261             json-stringify-tinderbox        38.807+-0.350      ^      37.216+-0.337         ^ definitely 1.0427x faster
1262
1263         In addition to that, we also add OverridesGetCallData flag to JSFunction while we keep JSFunctionType checking fast path
1264         since major cases are covered by this fast JSFunctionType checking.
1265
1266         * API/JSCallbackObject.h:
1267         * dfg/DFGAbstractInterpreterInlines.h:
1268         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1269         * dfg/DFGOperations.cpp:
1270         * dfg/DFGSpeculativeJIT.cpp:
1271         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
1272         (JSC::DFG::SpeculativeJIT::compileIsFunction):
1273         * ftl/FTLLowerDFGToB3.cpp:
1274         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
1275         * jit/AssemblyHelpers.h:
1276         (JSC::AssemblyHelpers::emitTypeOf):
1277         * runtime/ExceptionHelpers.cpp:
1278         (JSC::createError):
1279         (JSC::createInvalidFunctionApplyParameterError):
1280         * runtime/FunctionPrototype.cpp:
1281         (JSC::functionProtoFuncToString):
1282         * runtime/InternalFunction.h:
1283         * runtime/JSCJSValue.h:
1284         * runtime/JSCJSValueInlines.h:
1285         (JSC::JSValue::isFunction const):
1286         (JSC::JSValue::isCallable const):
1287         * runtime/JSCell.h:
1288         * runtime/JSCellInlines.h:
1289         (JSC::JSCell::isFunction):
1290         ALWAYS_INLINE works well for my environment.
1291         (JSC::JSCell::isCallable):
1292         * runtime/JSFunction.h:
1293         * runtime/JSONObject.cpp:
1294         (JSC::Stringifier::toJSON):
1295         (JSC::Stringifier::toJSONImpl):
1296         (JSC::Stringifier::appendStringifiedValue):
1297         * runtime/JSObjectInlines.h:
1298         (JSC::createListFromArrayLike):
1299         * runtime/JSTypeInfo.h:
1300         (JSC::TypeInfo::overridesGetCallData const):
1301         (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted.
1302         * runtime/Operations.cpp:
1303         (JSC::jsTypeStringForValue):
1304         (JSC::jsIsObjectTypeOrNull):
1305         * runtime/ProxyObject.h:
1306         * runtime/RuntimeType.cpp:
1307         (JSC::runtimeTypeForValue):
1308         * runtime/RuntimeType.h:
1309         * runtime/Structure.cpp:
1310         (JSC::Structure::Structure):
1311         * runtime/TypeProfilerLog.cpp:
1312         (JSC::TypeProfilerLog::TypeProfilerLog):
1313         (JSC::TypeProfilerLog::processLogEntries):
1314         * runtime/TypeProfilerLog.h:
1315         * runtime/VM.cpp:
1316         (JSC::VM::enableTypeProfiler):
1317         * tools/JSDollarVM.cpp:
1318         (JSC::functionFindTypeForExpression):
1319         (JSC::functionReturnTypeFor):
1320         (JSC::functionHasBasicBlockExecuted):
1321         (JSC::functionBasicBlockExecutionCount):
1322         * wasm/js/JSWebAssemblyHelpers.h:
1323         (JSC::getWasmBufferFromValue):
1324         * wasm/js/JSWebAssemblyInstance.cpp:
1325         (JSC::JSWebAssemblyInstance::create):
1326         * wasm/js/WebAssemblyFunction.cpp:
1327         (JSC::callWebAssemblyFunction):
1328         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1329         (JSC::constructJSWebAssemblyInstance):
1330         * wasm/js/WebAssemblyModuleRecord.cpp:
1331         (JSC::WebAssemblyModuleRecord::link):
1332         * wasm/js/WebAssemblyPrototype.cpp:
1333         (JSC::webAssemblyInstantiateFunc):
1334         (JSC::webAssemblyInstantiateStreamingInternal):
1335         * wasm/js/WebAssemblyWrapperFunction.cpp:
1336         (JSC::WebAssemblyWrapperFunction::finishCreation):
1337
1338 2018-05-15  Devin Rousso  <webkit@devinrousso.com>
1339
1340         Web Inspector: Add rulers and guides
1341         https://bugs.webkit.org/show_bug.cgi?id=32263
1342         <rdar://problem/19281564>
1343
1344         Reviewed by Matt Baker.
1345
1346         * inspector/protocol/OverlayTypes.json:
1347
1348 2018-05-14  Keith Miller  <keith_miller@apple.com>
1349
1350         Remove butterflyMask from DFGAbstractHeap
1351         https://bugs.webkit.org/show_bug.cgi?id=185640
1352
1353         Reviewed by Saam Barati.
1354
1355         We don't have a butterfly indexing mask anymore so we don't need
1356         the abstract heap information for it anymore.
1357
1358         * dfg/DFGAbstractHeap.h:
1359         * dfg/DFGClobberize.h:
1360         (JSC::DFG::clobberize):
1361
1362 2018-05-14  Andy VanWagoner  <andy@vanwagoner.family>
1363
1364         [INTL] Handle error in defineProperty for supported locales length
1365         https://bugs.webkit.org/show_bug.cgi?id=185623
1366
1367         Reviewed by Saam Barati.
1368
1369         Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the
1370         length of the supported locales array.
1371
1372         * runtime/IntlObject.cpp:
1373         (JSC::supportedLocales):
1374
1375 2018-05-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1376
1377         [JSC] Tweak LiteralParser to improve lexing performance
1378         https://bugs.webkit.org/show_bug.cgi?id=185541
1379
1380         Reviewed by Saam Barati.
1381
1382         This patch attempts to improve LiteralParser performance.
1383
1384         This patch improves Kraken/json-parse-financial by roughly ~10%.
1385                                            baseline                  patched
1386
1387             json-parse-financial        65.810+-1.591      ^      59.943+-1.784         ^ definitely 1.0979x faster
1388
1389         * parser/Lexer.cpp:
1390         (JSC::Lexer<T>::Lexer):
1391         * runtime/ArgList.h:
1392         (JSC::MarkedArgumentBuffer::takeLast):
1393         Add takeLast() for idiomatic last() + removeLast() calls.
1394
1395         * runtime/LiteralParser.cpp:
1396         (JSC::LiteralParser<CharType>::Lexer::lex):
1397         Do not have mode in its template parameter. While the lex function is large, this mode is not used in a critical path.
1398         We should not include this mode in its template parameter to reduce the code size.
1399         And we do not use a template parameter for the terminator since duplicating ' and " code for lexString is not good.
1400         Also, we construct a TokenType table to remove a bunch of unnecessary switch cases.
1401
1402         (JSC::LiteralParser<CharType>::Lexer::next):
1403         (JSC::isSafeStringCharacter):
1404         Take mode in its template parameter. But do not take terminator character in its template parameter.
1405
1406         (JSC::LiteralParser<CharType>::Lexer::lexString):
1407         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
1408         Duplicate while statements manually since this is a critical path.
1409
1410         (JSC::LiteralParser<CharType>::parse):
1411         Use takeLast().
1412
1413         * runtime/LiteralParser.h:
1414
2018-05-14  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Use btpz to compare against 0 instead of bpeq
        https://bugs.webkit.org/show_bug.cgi?id=185607

        Reviewed by Yusuke Suzuki.

        Fixes build on MIPS since MIPS doesn't have an instruction to
        compare a register against an immediate. Since the immediate is just 0
        in this case the simplest solution is just to use btpz instead of bpeq
        to compare to 0.

        * llint/LowLevelInterpreter.asm:

2018-05-12  Filip Pizlo  <fpizlo@apple.com>

        CachedCall::call() should be faster
        https://bugs.webkit.org/show_bug.cgi?id=185583

        Reviewed by Yusuke Suzuki.

        CachedCall is an optimization for String.prototype.replace(r, f) where f is a function.
        Unfortunately, because of a combination of abstraction and assertions, this code path had a
        lot of overhead. This patch reduces this overhead by:

        - Turning off some assertions. These assertions don't look to have security value; they're
          mostly for sanity. I turned off stack alignment checks and VM state checks having to do
          with whether the JSLock is held. The JSLock checks are not relevant when doing a cached
          call, considering that the caller would have already been strongly assuming that the JSLock
          is held.

        - Making more things inlineable.

        This looks like a small (4% ish) speed-up on SunSpider/string-unpack-code.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CachedCall.h:
        (JSC::CachedCall::call):
        * interpreter/Interpreter.cpp:
        (JSC::checkedReturn): Deleted.
        * interpreter/Interpreter.h:
        (JSC::Interpreter::checkedReturn):
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::execute):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute): Deleted.
        * jit/JITCodeInlines.h: Added.
        (JSC::JITCode::execute):
        * llint/LowLevelInterpreter.asm:
        * runtime/StringPrototype.cpp:

2018-05-13  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Improve spec & test262 compliance for Intl APIs
        https://bugs.webkit.org/show_bug.cgi?id=185578

        Reviewed by Yusuke Suzuki.

        Use putDirectIndex over push for lists to arrays.
        Update default options to construct with a null prototype.
        Define constructor and toStringTag on prototypes.
        Add proper time clipping.
        Remove some outdated comment spec text, use url instead.

        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototype::finishCreation):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        (JSC::IntlDateTimeFormatFuncFormatDateTime):
        (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::finishCreation):
        * runtime/IntlObject.cpp:
        (JSC::lookupSupportedLocales):
        (JSC::supportedLocales):
        (JSC::intlObjectFuncGetCanonicalLocales):
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::resolvedOptions):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructor::finishCreation):

2018-05-11  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Yusuke Suzuki.

        Added BigInt support for the times binary operator in LLInt and in the
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned when there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toNumeric const):
        * runtime/Operations.h:
        (JSC::jsMul):

2018-05-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231316 and r231332.
        https://bugs.webkit.org/show_bug.cgi?id=185564

        Appears to be a Speedometer2/MotionMark regression (Requested
        by keith_miller on #webkit).

        Reverted changesets:

        "Remove the prototype caching for get_by_id in the LLInt"
        https://bugs.webkit.org/show_bug.cgi?id=185226
        https://trac.webkit.org/changeset/231316

        "Unreviewed, fix 32-bit profile offset for change in bytecode"
        https://trac.webkit.org/changeset/231332

2018-05-11  Michael Saboff  <msaboff@apple.com>

        [DFG] Compiler uses incorrect output register for NumberIsInteger operation
        https://bugs.webkit.org/show_bug.cgi?id=185328

        Reviewed by Keith Miller.

        Fixed a typo from when this code was added in r228968 where resultGPR
        was assigned the input register instead of the result.gpr().

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2018-05-11  Saam Barati  <sbarati@apple.com>

        Don't use inferred types when the JIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=185539

        Reviewed by Yusuke Suzuki.

        There are many JSC API clients that run with the JIT disabled. They were
        all allocating and tracking inferred types for no benefit. Inferred types
        only benefit programs when they make it to the DFG/FTL. I was seeing cases
        where the inferred type machinery used ~0.5MB. This patch makes it so we
        don't allocate that machinery when the JIT is disabled.

        * runtime/Structure.cpp:
        (JSC::Structure::willStoreValueSlow):
        * runtime/Structure.h:

2018-05-11  Saam Barati  <sbarati@apple.com>

        Don't allocate value profiles when the JIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=185525

        Reviewed by Michael Saboff.

        There are many JSC API clients that run with the JIT disabled. We were
        still allocating a ton of value profiles in this use case even though
        these clients get no benefit from doing value profiling. This patch makes
        it so that we don't allocate value profiles or argument value profiles
        when we're not using the JIT. We now just make all value profiles in
        the instruction stream point to a global value profile that the VM owns.
        And we make the argument value profile array have zero length and teach
        the LLInt how to handle that. Heap clears the global value profile on each GC.

        In an app that I'm testing this against, this saves ~1MB of memory.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::setNumParameters):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfArgumentValueProfiles):
        (JSC::CodeBlock::valueProfileForArgument):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitProfiledOpcode):
        * heap/Heap.cpp:
        (JSC::Heap::runEndPhase):
        * llint/LowLevelInterpreter.asm:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-05-10  Carlos Garcia Campos  <cgarcia@igalia.com>

        [JSC][GLIB] Add introspectable alternatives to functions using varargs
        https://bugs.webkit.org/show_bug.cgi?id=185508

        Reviewed by Michael Catanzaro.

        * API/glib/JSCClass.cpp:
        (jscClassCreateConstructor):
        (jsc_class_add_constructor):
        (jsc_class_add_constructorv):
        (jscClassAddMethod):
        (jsc_class_add_method):
        (jsc_class_add_methodv):
        * API/glib/JSCClass.h:
        * API/glib/JSCValue.cpp:
        (jsObjectCall):
        (jscValueCallFunction):
        (jsc_value_object_invoke_methodv):
        (jscValueFunctionCreate):
        (jsc_value_new_function):
        (jsc_value_new_functionv):
        (jsc_value_function_callv):
        (jsc_value_constructor_callv):
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-05-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make return types of construction functions tight
        https://bugs.webkit.org/show_bug.cgi?id=185509

        Reviewed by Saam Barati.

        Array and Object construction functions should return strict types instead of returning JSObject*/JSValue.

        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayConstructor.h:
        * runtime/ObjectConstructor.h:
        (JSC::constructEmptyObject):

2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Object.assign for final objects should be faster
        https://bugs.webkit.org/show_bug.cgi?id=185348

        Reviewed by Saam Barati.

        Object.assign is very heavily used to clone objects. For example, speedometer react-redux can be significantly
        improved if Object.assign becomes fast. It is worth adding a complex fast path to accelerate the major use cases.

        If enumerating the properties of the source objects and putting properties into the target object are not observable,
        we can avoid hash table lookups of the source object's properties. We can enumerate the object's property entries
        and put them into the target object. This patch adds this fast path to the Object.assign implementation.

        When enumerating properties, we need to ensure that the given |source| object does not include a "__proto__"
        property, since then we cannot perform a fast [[Put]] on the |target| object. We add a new flag
        "HasUnderscoreProtoPropertyExcludingOriginalProto" to Structure to track this state.

        This improves object-assign.es6 by 1.85x.

                                        baseline                  patched

            object-assign.es6      368.6132+-8.3508     ^    198.8775+-4.9042        ^ definitely 1.8535x faster

        And Speedometer2.0 React-Redux-TodoMVC's total time is improved from 490ms to 431ms.

        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::canPerformFastPutInlineExcludingProto):
        (JSC::JSObject::canPerformFastPutInline):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::forEachProperty):
        (JSC::Structure::add):

2018-05-10  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA should pick the right time to inject OSR entry data
        https://bugs.webkit.org/show_bug.cgi?id=185530

        Reviewed by Saam Barati.

        Previously, we would do a bonus run of CFA to inject OSR entry data. This patch makes us inject
        OSR entry data as part of the normal flow of CFA, which reduces the total number of CFA
        reexecutions while minimizing the likelihood that we have CFA execute constants in paths that
        would eventually LUB to non-constant.

        This looks like almost a 1% speed-up on SunSpider-CompileTime. All of the logic for preventing
        execution over constants is for V8Spider-CompileTime/regexp, which would otherwise do a lot of
        useless regexp/string execution in the compiler.

        * dfg/DFGBlockSet.h:
        (JSC::DFG::BlockSet::remove):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::injectOSR):
        (JSC::DFG::CFAPhase::performBlockCFA):

2018-05-09  Filip Pizlo  <fpizlo@apple.com>

        InPlaceAbstractState::beginBasicBlock shouldn't copy all m_variables every time
        https://bugs.webkit.org/show_bug.cgi?id=185452

        Reviewed by Michael Saboff.

        We were spending a lot of time in beginBasicBlock() just copying the state of all variables
        from the block head to InPlaceAbstractState::m_variables. It is necessary for
        InPlaceAbstractState to have its own copy since we need to mutate it separately from
        block->valuesAtHead. But most variables are untouched by most basic blocks, so this was a lot
        of superfluous work.

        This change adds a bitvector called m_activeVariables that tracks which variables have been
        copied. We lazily copy the variables on first use. Variables that were never copied also have
        a simplified merging path, which just needs to consider if the variable got clobbered between
        head and tail.

        This is a 1.5% speed-up on SunSpider-CompileTime and a 1.7% speed-up on V8Spider-CompileTime.

        * bytecode/Operands.h:
        (JSC::Operands::argumentIndex const):
        (JSC::Operands::localIndex const):
        (JSC::Operands::argument):
        (JSC::Operands::argument const):
        (JSC::Operands::local):
        (JSC::Operands::local const):
        (JSC::Operands::operandIndex const):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::fastForwardFromTo):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performForwardCFA):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
        (JSC::DFG::InPlaceAbstractState::activateAllVariables):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        (JSC::DFG::InPlaceAbstractState::activateVariable):
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): Deleted.
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::variableAt):
        (JSC::DFG::InPlaceAbstractState::operand):
        (JSC::DFG::InPlaceAbstractState::local):
        (JSC::DFG::InPlaceAbstractState::argument):
        (JSC::DFG::InPlaceAbstractState::activateVariableIfNecessary):
        (JSC::DFG::InPlaceAbstractState::variablesForDebugging): Deleted.

2018-05-09  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "==" operation
        https://bugs.webkit.org/show_bug.cgi?id=184474

        Reviewed by Yusuke Suzuki.

        This patch implements BigInt support for the equals operator,
        following the spec semantics [1].

        [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-equality-comparison

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::stringToBigInt):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::setDigit):
        (JSC::JSBigInt::equalsToNumber):
        (JSC::JSBigInt::compareToDouble):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::equalSlowCaseInline):

2018-05-09  Filip Pizlo  <fpizlo@apple.com>

        Speed up AbstractInterpreter::executeEdges
        https://bugs.webkit.org/show_bug.cgi?id=185457

        Reviewed by Saam Barati.

        This patch started out with the desire to make executeEdges() faster by making filtering faster.
        However, when I studied the disassembly, I found that there are many opportunities for
        improvement and I implemented all of them:

        - Filtering itself now has an inline fast path for when the filtering didn't change the value or
          for non-cells.

        - Edge execution doesn't fast-forward anything if the filtering fast path would have succeeded,
          since fast-forwarding is only interesting for cells and only if we have a clobbered value.

        - Similarly, edge verification doesn't need to fast-forward in the common case.

        - A bunch of stuff related to Graph::doToChildren is now inlined properly.

        - The edge doesn't even have to be considered for execution if it's UntypedUse.

        That last bit was the trickiest. We had gotten into a bad habit of using SpecFullNumber in the
        abstract interpreter. It's not correct to use SpecFullNumber in the abstract interpreter, because
        it means proving that the value could either be formatted as a double (with impure NaN values),
        or as any JSValue, or as an Int52. There is no value that could possibly hold all of those
        states. This "worked" before because UntypedUse would filter this down to SpecBytecodeNumber. To
        make it work again, I needed to fix all of those uses of SpecFullNumber. In the future, we need
        to be careful about picking either SpecFullDouble (if returning a DoubleRep) or
        SpecBytecodeNumber (if returning a JSValueRep).

        But that fix revealed an amazing timeout in
        stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js. We were getting
        stuck in an OSR loop (baseline->DFG->FTL->baseline), all involving the same bytecode, without
        ever realizing that we should jettison something. The problem was with how
        triggerReoptimizationNow was getting the optimizedCodeBlock. It was trying to guess it by using
        baselineCodeBlock->replacement(), but that's wrong for FTL-for-OSR-entry code blocks.

        This is a 1% improvement in V8Spider-CompileTime.

        * bytecode/ExitKind.cpp:
        (JSC::exitKindMayJettison):
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
        (JSC::DFG::AbstractInterpreter::filterByType): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::AbstractInterpreterExecuteEdgesFunc):
        (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::operator() const):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByType):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::filterSlow):
        (JSC::DFG::AbstractValue::fastForwardToAndFilterSlow):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::fastForwardToAndFilter):
        (JSC::DFG::AbstractValue::fastForwardToAndFilterUnproven):
        (JSC::DFG::AbstractValue::makeTop):
        * dfg/DFGAtTailAbstractState.h:
        (JSC::DFG::AtTailAbstractState::fastForward):
        (JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
        (JSC::DFG::AtTailAbstractState::fastForwardAndFilterUnproven):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::doToChildren):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::fastForward):
        (JSC::DFG::InPlaceAbstractState::fastForwardAndFilterUnproven):
        (JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:

2018-05-09  Saam Barati  <sbarati@apple.com>

        Add JSVirtualMachine SPI to shrink the memory footprint of the VM
        https://bugs.webkit.org/show_bug.cgi?id=185441
        <rdar://problem/39999414>

        Reviewed by Keith Miller.

        This patch adds JSVirtualMachine SPI to release as much memory as possible.
        The SPI does the following:
        - Deletes all code caches.
        - Runs a synchronous GC.
        - Runs the scavenger.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine shrinkFootprint]):
        * API/JSVirtualMachinePrivate.h: Added.
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/VM.cpp:
        (JSC::VM::shrinkFootprint):
        * runtime/VM.h:

2018-05-09  Leo Balter  <leonardo.balter@gmail.com>

        [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
        Error found in the following Test262 tests:

        - test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js
        - test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js
        - test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js

        The ArraySpeciesCreate should throw a RangeError with non-Array custom objects
        presenting a length > 2**32-1
        https://bugs.webkit.org/show_bug.cgi?id=185476

        Reviewed by Yusuke Suzuki.

        * runtime/ArrayPrototype.cpp:

2018-05-09  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE] Build cleanly with GCC 8 and ICU 60
        https://bugs.webkit.org/show_bug.cgi?id=185462

        Reviewed by Carlos Alberto Lopez Perez.

        * API/glib/JSCClass.cpp: Silence many -Wcast-function-type warnings.
        (jsc_class_add_constructor):
        (jsc_class_add_method):
        * API/glib/JSCValue.cpp: Silence many -Wcast-function-type warnings.
        (jsc_value_object_define_property_accessor):
        (jsc_value_new_function):
        * CMakeLists.txt: Build BuiltinNames.cpp with -fno-var-tracking-assignments. This was a
        problem with GCC 7 too, but might as well fix it now.
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::gpr const): Silence a -Wclass-memaccess warning.
        (JSC::Probe::CPUState::spr const): Ditto. Assume std::remove_const is safe to clobber.
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::isRepresentableAs): Silence -Wfallthrough warning.
        * builtins/BuiltinNames.cpp:
        (JSC::BuiltinNames::BuiltinNames): Moved from BuiltinNames.h so we can use a special flag.
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames): Moved to BuiltinNames.cpp.
        * dfg/DFGDoubleFormatState.h:
        (JSC::DFG::mergeDoubleFormatStates): Silence -Wfallthrough warnings.
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType): Silence -Wfallthrough warnings.
        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::canonicalizePaths): Here GCC found a genuine mistake: strncat is called
        with the wrong length parameter, and the result is not null-terminated. Also, silence a
        -Wstringop-truncation warning as we intentionally truncate filenames that exceed PATH_MAX.
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::partTypeString): Avoid an ICU deprecation warning.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): We were unconditionally running some BigInt code by accident.
        (JSC::JSGlobalObject::visitChildren): Probably a serious bug? Fixed.

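The strncat mistake noted under ConfigFile::canonicalizePaths above is a classic bounded-append error: strncat's third argument is the number of bytes to append, not the capacity of the destination, so passing the buffer size neither bounds the write nor guarantees termination. The helper below is an added example, not WebKit's code, showing the bounded and always-terminated form; EXAMPLE_PATH_MAX is a constructed stand-in for PATH_MAX and joinConfigPath() is a hypothetical caller.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for PATH_MAX, kept tiny so truncation is easy to see. */
#define EXAMPLE_PATH_MAX 32

/* Length of s, never scanning past max bytes (a strnlen() equivalent, written
 * out so the example does not depend on the POSIX declaration being visible). */
static size_t boundedLength(const char* s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/*
 * Appends component to the NUL-terminated string already in buf (capacity
 * bufSize bytes) and always leaves buf NUL-terminated, truncating the
 * component if it does not fit. Returns true if everything fit, false if the
 * result was truncated.
 *
 * The mistake the ChangeLog entry describes is passing the whole buffer size
 * as strncat's third argument:
 *
 *     strncat(buf, component, bufSize);   // WRONG: ignores what buf already holds
 *
 * That argument is the maximum number of bytes to APPEND, not the capacity of
 * buf, so the call can write past the end of buf.
 */
bool appendPathComponent(char* buf, size_t bufSize, const char* component)
{
    if (bufSize == 0)
        return false;

    size_t used = boundedLength(buf, bufSize);
    if (used == bufSize) {
        /* buf was not terminated within its capacity: terminate it and report
         * truncation instead of letting strncat read and write past the end. */
        buf[bufSize - 1] = '\0';
        return false;
    }

    size_t room = bufSize - used - 1;   /* bytes free, excluding the terminator */
    size_t need = strlen(component);
    strncat(buf, component, room);      /* writes at most room bytes, then a NUL */
    return need <= room;
}

/* Hypothetical caller: joins a base directory and a file name into out,
 * following the rule stated in the entry above (names over the limit are
 * truncated, never overflowed). Returns false if any part was truncated. */
bool joinConfigPath(char* out, size_t outSize, const char* baseDir, const char* fileName)
{
    if (outSize == 0)
        return false;
    out[0] = '\0';

    bool ok = appendPathComponent(out, outSize, baseDir);
    size_t len = boundedLength(out, outSize);
    if (len > 0 && out[len - 1] != '/')
        ok = appendPathComponent(out, outSize, "/") && ok;
    ok = appendPathComponent(out, outSize, fileName) && ok;
    return ok;
}

int main(void)
{
    char path[EXAMPLE_PATH_MAX];
    bool fit = joinConfigPath(path, sizeof path, "/etc/webkit", "JSC.config");
    printf("%s (%s)\n", path, fit ? "complete" : "truncated");

    char tiny[8];   /* deliberately too small: the result is cut, not overrun */
    fit = joinConfigPath(tiny, sizeof tiny, "/etc/webkit", "JSC.config");
    printf("%s (%s)\n", tiny, fit ? "complete" : "truncated");
    return 0;
}
```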
2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ARMv7] Drop ARMv7 disassembler in favor of capstone
        https://bugs.webkit.org/show_bug.cgi?id=185423

        Reviewed by Michael Catanzaro.

        This patch removes ARMv7Disassembler in our tree.
        We already adopted Capstone, and it is already used in ARMv7 JIT environments.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * disassembler/ARMv7/ARMv7DOpcode.cpp: Removed.
        * disassembler/ARMv7/ARMv7DOpcode.h: Removed.
        * disassembler/ARMv7Disassembler.cpp: Removed.

2018-05-09  Srdjan Lazarevic  <srdjan.lazarevic@rt-rk.com>

        [MIPS] Optimize generated JIT code using r2
        https://bugs.webkit.org/show_bug.cgi?id=184584

        Reviewed by Yusuke Suzuki.

        The EXT and MFHC1 instructions from MIPSR2 are implemented and used where possible.
        Also, some code size optimizations that were discovered in the meantime are done.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::ext):
        (JSC::MIPSAssembler::mfhc1):
        * assembler/MacroAssemblerMIPS.cpp:
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::isPowerOf2):
        (JSC::MacroAssemblerMIPS::bitPosition):
        (JSC::MacroAssemblerMIPS::loadAddress):
        (JSC::MacroAssemblerMIPS::getEffectiveAddress):
        (JSC::MacroAssemblerMIPS::load8):
        (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::load32):
        (JSC::MacroAssemblerMIPS::load16Unaligned):
        (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
        (JSC::MacroAssemblerMIPS::load16):
        (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::store8):
        (JSC::MacroAssemblerMIPS::store16):
        (JSC::MacroAssemblerMIPS::store32):
        (JSC::MacroAssemblerMIPS::branchTest32):
        (JSC::MacroAssemblerMIPS::loadFloat):
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeFloat):
        (JSC::MacroAssemblerMIPS::storeDouble):

2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][GTK][JSCONLY] Use capstone disassembler
        https://bugs.webkit.org/show_bug.cgi?id=185283

        Reviewed by Michael Catanzaro.

        Instead of adding a MIPS disassembler baked by ourselves, we import the capstone disassembler,
        and use the capstone disassembler for MIPS, ARM, and ARMv7 in the GTK, WPE, WinCairo and JSCOnly ports.

        And we remove the ARM LLVM disassembler.

        Capstone is licensed under 3-clause BSD, which is acceptable in the WebKit tree.

        * CMakeLists.txt:
        * Sources.txt:
        * disassembler/ARMLLVMDisassembler.cpp: Removed.
        * disassembler/CapstoneDisassembler.cpp: Added.
        (JSC::tryToDisassemble):

2018-05-09  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Use mfhc1 and mthc1 to fix assembler error
        https://bugs.webkit.org/show_bug.cgi?id=185464

        Reviewed by Yusuke Suzuki.

        The binutils-assembler started to report failures for copying words between
        GP and FP registers for odd FP register indices. Use mfhc1 and mthc1 instead
        of mfc1 and mtc1 for conversion.

        * offlineasm/mips.rb:

2018-05-08  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Collect callee-saved register using inline assembly
        https://bugs.webkit.org/show_bug.cgi?id=185428

        Reviewed by Yusuke Suzuki.

        MIPS used setjmp instead of collecting registers with inline assembly like
        other architectures.

        * heap/RegisterState.h:

2018-05-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [BigInt] Simplifying JSBigInt by using bool addition
        https://bugs.webkit.org/show_bug.cgi?id=185374

        Reviewed by Alex Christensen.

        Since using TWO_DIGIT does not produce good code, we remove this part from digitAdd and digitSub.
        Just adding overflow flag to carry/borrow produces setb + add in x86.

        Also we annotate small helper functions and accessors with `inline` so as not to call these functions
        inside the internalMultiplyAdd loop.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::isZero):
        (JSC::JSBigInt::inplaceMultiplyAdd):
        (JSC::JSBigInt::digitAdd):
        (JSC::JSBigInt::digitSub):
        (JSC::JSBigInt::digitMul):
        (JSC::JSBigInt::digitPow):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::offsetOfData):
        (JSC::JSBigInt::dataStorage):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):

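The bool-carry idea from the entry above, written out as an added example; this is not JSBigInt's own code. digitAdd and digitSub here are independent re-creations that keep every step in the digit width (no two-digit type), and addMagnitudes / subMagnitudes (names assumed) show the carry and borrow propagating across a little-endian digit vector, including the case where the carry itself wraps a digit that is already all ones.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example, not JSBigInt's code: digit arithmetic where the carry/borrow is a
// bool that is simply added to (or subtracted from) the next digit. No two-digit
// wide type is needed; each step is a digit-width add plus an overflow compare.
using Digit = uint64_t;

// Returns a + b + carry (mod 2^64) and leaves the outgoing carry in `carry`.
// Either addition can wrap, so the outgoing carry is the OR of both checks.
inline Digit digitAdd(Digit a, Digit b, bool& carry)
{
    Digit sum = a + b;
    bool overflow = sum < a;                           // a + b wrapped
    sum += carry;                                      // bool promotes to 0 or 1
    overflow |= sum < static_cast<Digit>(carry);       // adding the carry wrapped
    carry = overflow;
    return sum;
}

// Returns a - b - borrow (mod 2^64) and leaves the outgoing borrow in `borrow`.
inline Digit digitSub(Digit a, Digit b, bool& borrow)
{
    Digit difference = a - b;
    bool underflow = a < b;                               // a - b wrapped
    Digit result = difference - borrow;
    underflow |= difference < static_cast<Digit>(borrow); // subtracting the borrow wrapped
    borrow = underflow;
    return result;
}

// Little-endian magnitude addition; the result may be one digit longer than the inputs.
std::vector<Digit> addMagnitudes(const std::vector<Digit>& x, const std::vector<Digit>& y)
{
    const std::vector<Digit>& longer = x.size() >= y.size() ? x : y;
    const std::vector<Digit>& shorter = x.size() >= y.size() ? y : x;
    std::vector<Digit> result;
    result.reserve(longer.size() + 1);
    bool carry = false;
    for (size_t i = 0; i < longer.size(); ++i) {
        Digit d = i < shorter.size() ? shorter[i] : 0;
        result.push_back(digitAdd(longer[i], d, carry));
    }
    if (carry)
        result.push_back(1);
    return result;
}

// Little-endian magnitude subtraction for x >= y; leading zero digits are trimmed.
std::vector<Digit> subMagnitudes(const std::vector<Digit>& x, const std::vector<Digit>& y)
{
    std::vector<Digit> result;
    result.reserve(x.size());
    bool borrow = false;
    for (size_t i = 0; i < x.size(); ++i) {
        Digit d = i < y.size() ? y[i] : 0;
        result.push_back(digitSub(x[i], d, borrow));
    }
    // x >= y is the caller's contract, so no borrow can remain here.
    while (result.size() > 1 && !result.back())
        result.pop_back();
    return result;
}
```

The second compare in each helper is the part that is easy to drop by mistake: when a + b leaves the digit at 2^64 - 1, adding the incoming carry wraps it to 0, and that wrap has to feed the next digit too.

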
2018-05-08  Michael Saboff  <msaboff@apple.com>

        Replace multiple Watchpoint Set fireAll() methods with templates
        https://bugs.webkit.org/show_bug.cgi?id=185456

        Reviewed by Saam Barati.

        Refactored to minimize duplicate code.

        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::fireAll):
        (JSC::InlineWatchpointSet::fireAll):

2018-05-08  Filip Pizlo  <fpizlo@apple.com>

        DFG::FlowMap::resize() shouldn't resize the shadow map unless we're in SSA
        https://bugs.webkit.org/show_bug.cgi?id=185453

        Reviewed by Michael Saboff.

        Tiny improvement for compile times.

        * dfg/DFGFlowMap.h:
        (JSC::DFG::FlowMap::resize): Remove one Vector::resize() when we're not in SSA.
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock): Record some data about how long we spend in different parts of this and add a FIXME linking bug 185452.

2018-05-08  Michael Saboff  <msaboff@apple.com>

        Deferred firing of structure transition watchpoints is racy
        https://bugs.webkit.org/show_bug.cgi?id=185438

        Reviewed by Saam Barati.

        Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire
        and fire them in the destructor.  When the watchpoints are taken from the
        original WatchpointSet, that WatchpointSet is marked invalid.

        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::fireAllSlow):
        (JSC::WatchpointSet::take):
        (JSC::DeferredWatchpointFire::DeferredWatchpointFire):
        (JSC::DeferredWatchpointFire::~DeferredWatchpointFire):
        (JSC::DeferredWatchpointFire::fireAll):
        (JSC::DeferredWatchpointFire::takeWatchpointsToFire):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::fireAll):
        (JSC::InlineWatchpointSet::fireAll):
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeDirect):
        (JSC::JSObject::convertToDictionary):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire):
        (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
        (JSC::DeferredStructureTransitionWatchpointFire::dump const):
        (JSC::Structure::didTransitionFromThisStructure const):
        (JSC::DeferredStructureTransitionWatchpointFire::add): Deleted.
        * runtime/Structure.h:
        (JSC::DeferredStructureTransitionWatchpointFire::structure const):

2018-05-08  Eric Carlson  <eric.carlson@apple.com>

        Consecutive messages logged as JSON are coalesced
        https://bugs.webkit.org/show_bug.cgi?id=185432

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::isEqual const): Messages with JSON arguments are not equal.

2018-05-06  Filip Pizlo  <fpizlo@apple.com>

        InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
        https://bugs.webkit.org/show_bug.cgi?id=185365

        Reviewed by Saam Barati.

        This patch does three things to improve compile times:

        - Fixes some inlining goofs.

        - Adds the ability to measure compile times with run-jsc-benchmarks.

        - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
          code that clears abstract values. It turns out that constant folding "needed" this, in the
          sense that this was the only thing protecting it from loading the abstract value of a no-result
          node and then concluding that because it had a non-empty m_value, it could be constant-folded.
          Any node that produces a result will explicitly set its abstract value, so this problem can
          also be guarded by just having constant folding check if the node it wants to fold returns any
          result.

        Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.

        Rolling back in after fixing cloop build.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::merge):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::doToChildrenWithNode):
        (JSC::DFG::Graph::doToChildren):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        * jit/JIT.cpp:
        (JSC::JIT::totalCompileTime):
        * jit/JIT.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionTotalCompileTime):

2018-05-08  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r231468.

        Broke the CLoop build

        Reverted changeset:

        "InPlaceAbstractState::beginBasicBlock shouldn't have to clear
        any abstract values"
        https://bugs.webkit.org/show_bug.cgi?id=185365
        https://trac.webkit.org/changeset/231468

2018-05-07  Daniel Bates  <dabates@apple.com>

        Check X-Frame-Options and CSP frame-ancestors in network process
        https://bugs.webkit.org/show_bug.cgi?id=185410
        <rdar://problem/37733934>

        Reviewed by Ryosuke Niwa.

        Add enum traits for MessageSource and MessageLevel so that we can encode and decode them for IPC.

        * runtime/ConsoleTypes.h:

2018-05-07  Saam Barati  <sbarati@apple.com>

        Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them
        https://bugs.webkit.org/show_bug.cgi?id=185329
        <rdar://problem/39961536>

        Reviewed by Michael Saboff.

        I was made aware of a memory goof inside of JSC where we would inefficiently
        use space to represent an UnlinkedFunctionExecutable's parent TDZ variables.

        We did two things badly:
        1. We used a HashMap instead of a Vector to represent the environment. Having
        a HashMap is useful when looking things up when generating bytecode, but it's
        space inefficient. Because UnlinkedFunctionExecutables live a long time because
        of the code cache, we should have them store this information efficiently
        inside of a Vector.

        2. We didn't hash-cons these environments together. If you think about how
        some programs are structured, hash-consing these together is hugely profitable.
        Consider some code like this:
        ```
        const/let V_1 = ...;
        const/let V_2 = ...;
        ...
        const/let V_n = ...;

        function f_1() { ... };
        function f_2() { ... };
        ...
        function f_n() { ... };
        ```

        Each f_i would store an identical hash map for its parent TDZ variables
        consisting of {V_1, ..., V_n}. This was incredibly dumb. With hash-consing,
        each f_i just holds onto a reference to the environment.

        I benchmarked this change against an app that made heavy use of the
        above code pattern and it reduced its peak memory footprint from ~220MB
        to ~160MB.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/VariableEnvironment.cpp:
        (JSC::CompactVariableEnvironment::CompactVariableEnvironment):
        (JSC::CompactVariableEnvironment::operator== const):
        (JSC::CompactVariableEnvironment::toVariableEnvironment const):
        (JSC::CompactVariableMap::get):
        (JSC::CompactVariableMap::Handle::~Handle):
        * parser/VariableEnvironment.h:
        (JSC::VariableEnvironmentEntry::bits const):
        (JSC::VariableEnvironmentEntry::operator== const):
        (JSC::VariableEnvironment::isEverythingCaptured const):
        (JSC::CompactVariableEnvironment::hash const):
        (JSC::CompactVariableMapKey::CompactVariableMapKey):
        (JSC::CompactVariableMapKey::hash):
        (JSC::CompactVariableMapKey::equal):
        (JSC::CompactVariableMapKey::makeDeletedValue):
        (JSC::CompactVariableMapKey::isHashTableDeletedValue const):
        (JSC::CompactVariableMapKey::isHashTableEmptyValue const):
        (JSC::CompactVariableMapKey::environment):
        (WTF::HashTraits<JSC::CompactVariableMapKey>::emptyValue):
        (WTF::HashTraits<JSC::CompactVariableMapKey>::isEmptyValue):
        (WTF::HashTraits<JSC::CompactVariableMapKey>::constructDeletedValue):
        (WTF::HashTraits<JSC::CompactVariableMapKey>::isDeletedValue):
        (JSC::CompactVariableMap::Handle::Handle):
        (JSC::CompactVariableMap::Handle::environment const):
        (JSC::VariableEnvironment::VariableEnvironment): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

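The hash-consing described in the entry above, as an added worked example that is not JSC's CompactVariableMap: an immutable environment stored as a sorted Vector of (name, attribute bits) pairs, and an interning table that hands out one shared instance per distinct environment, so the n sibling functions f_1 .. f_n end up holding references to a single copy. All names here (CompactEnvironment, CompactEnvironmentMap, internSiblings, the IsConst / IsCaptured bits) are this example's own; the real VariableEnvironmentEntry has its own bit layout.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>
#include <unordered_set>
#include <utility>
#include <vector>

// Added example, not JSC's code. Per-variable attribute bits (hypothetical names).
constexpr uint8_t IsConst = 1 << 0;
constexpr uint8_t IsCaptured = 1 << 1;

using Entry = std::pair<std::string, uint8_t>;

// Compact, immutable environment: a sorted vector instead of a hash map, so equal
// environments have identical representations and comparing them is a vector compare.
struct CompactEnvironment {
    std::vector<Entry> entries; // kept sorted by name
    bool operator==(const CompactEnvironment& other) const { return entries == other.entries; }
};

using EnvironmentHandle = std::shared_ptr<const CompactEnvironment>;

// Hash and equality look through the handle at the environment it refers to.
struct HandleHash {
    size_t operator()(const EnvironmentHandle& handle) const
    {
        size_t h = 0xcbf29ce484222325ULL; // FNV-style combine; the exact function is not important
        for (const Entry& entry : handle->entries) {
            h ^= std::hash<std::string>{}(entry.first);
            h *= 0x100000001b3ULL;
            h ^= entry.second;
        }
        return h;
    }
};

struct HandleEqual {
    bool operator()(const EnvironmentHandle& a, const EnvironmentHandle& b) const { return *a == *b; }
};

// The hash-consing table: one shared instance per distinct environment.
class CompactEnvironmentMap {
public:
    // Returns the canonical shared environment equal to `entries`, creating it on first sight.
    // Entries are sorted first so that declaration order does not split otherwise equal environments.
    EnvironmentHandle intern(std::vector<Entry> entries)
    {
        auto candidate = std::make_shared<CompactEnvironment>();
        candidate->entries = std::move(entries);
        std::sort(candidate->entries.begin(), candidate->entries.end());
        EnvironmentHandle handle = candidate;
        auto result = m_table.insert(handle);
        return *result.first; // existing instance if there was one; the duplicate is freed
    }

    size_t size() const { return m_table.size(); }

private:
    std::unordered_set<EnvironmentHandle, HandleHash, HandleEqual> m_table;
};

// Models the pattern in the ChangeLog: `functionCount` sibling functions whose parent
// scope declares `parentVariables` as const. Every function asks the map for "its"
// environment; the map gives them all the same one. Returns the handles, one per function.
std::vector<EnvironmentHandle> internSiblings(CompactEnvironmentMap& map, size_t functionCount,
                                              const std::vector<std::string>& parentVariables)
{
    std::vector<EnvironmentHandle> handles;
    handles.reserve(functionCount);
    for (size_t i = 0; i < functionCount; ++i) {
        std::vector<Entry> entries;
        for (const std::string& name : parentVariables)
            entries.emplace_back(name, IsConst);
        handles.push_back(map.intern(std::move(entries)));
    }
    return handles;
}
```

Handles are shared_ptrs here purely to make the sharing visible (`handles[0] == handles[99]`); the JSC version keys its table by a hash plus pointer and refcounts the environment through CompactVariableMap::Handle, which the listed ~Handle destructor is part of.

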
2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers
        https://bugs.webkit.org/show_bug.cgi?id=185371

        Reviewed by Mark Lam.

        Since MIPS GPRInfo claims it has only 7 registers, some of the DFG code exhausts registers.
        As a result, we need to maintain separate code for MIPS. This increases the DFG maintenance burden,
        but MIPS actually has many more registers.

        This patch adds $a0 - $a3 to temporary registers. This is OK since our temporary registers can overlap with
        argument registers (see ARM, X86 implementations). These registers are caller-save ones, so we do not need to
        have an extra mechanism.

        Then, we remove some unnecessary MIPS code in our JIT infrastructure.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CCallHelpers.h:
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * offlineasm/mips.rb:

2018-05-05  Filip Pizlo  <fpizlo@apple.com>

        DFG AI should have O(1) clobbering
        https://bugs.webkit.org/show_bug.cgi?id=185287

        Reviewed by Saam Barati.

        This fixes an old scalability problem in AI. Previously, if we did clobberWorld(), then we
        would traverse all of the state available to the AI at that time and clobber it.

        This changes clobberWorld() to be O(1). It just does some math to a clobber epoch.

        This is a ~1% speed-up for compile times.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::forNode):
        (JSC::DFG::AbstractInterpreter::setForNode):
        (JSC::DFG::AbstractInterpreter::clearForNode):
        (JSC::DFG::AbstractInterpreter::variables): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::fastForwardToSlow):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::fastForwardTo):
        (JSC::DFG::AbstractValue::clobberStructuresFor): Deleted.
        (JSC::DFG::AbstractValue::observeInvalidationPoint): Deleted.
        (JSC::DFG::AbstractValue::observeInvalidationPointFor): Deleted.
        * dfg/DFGAbstractValueClobberEpoch.cpp: Added.
        (JSC::DFG::AbstractValueClobberEpoch::dump const):
        * dfg/DFGAbstractValueClobberEpoch.h: Added.
        (JSC::DFG::AbstractValueClobberEpoch::AbstractValueClobberEpoch):
        (JSC::DFG::AbstractValueClobberEpoch::first):
        (JSC::DFG::AbstractValueClobberEpoch::clobber):
        (JSC::DFG::AbstractValueClobberEpoch::observeInvalidationPoint):
        (JSC::DFG::AbstractValueClobberEpoch::operator== const):
        (JSC::DFG::AbstractValueClobberEpoch::operator!= const):
        (JSC::DFG::AbstractValueClobberEpoch::structureClobberState const):
        (JSC::DFG::AbstractValueClobberEpoch::clobberEpoch const):
        * dfg/DFGAtTailAbstractState.h:
        (JSC::DFG::AtTailAbstractState::setForNode):
        (JSC::DFG::AtTailAbstractState::clearForNode):
        (JSC::DFG::AtTailAbstractState::numberOfArguments const):
        (JSC::DFG::AtTailAbstractState::numberOfLocals const):
        (JSC::DFG::AtTailAbstractState::operand):
        (JSC::DFG::AtTailAbstractState::local):
        (JSC::DFG::AtTailAbstractState::argument):
        (JSC::DFG::AtTailAbstractState::clobberStructures):
        (JSC::DFG::AtTailAbstractState::observeInvalidationPoint):
        (JSC::DFG::AtTailAbstractState::variables): Deleted.
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFlowMap.h:
        (JSC::DFG::FlowMap::at):
        (JSC::DFG::FlowMap::atShadow):
        (JSC::DFG::FlowMap::at const):
        (JSC::DFG::FlowMap::atShadow const):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::forNode):
        (JSC::DFG::InPlaceAbstractState::setForNode):
        (JSC::DFG::InPlaceAbstractState::clearForNode):
        (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
        (JSC::DFG::InPlaceAbstractState::numberOfArguments const):
        (JSC::DFG::InPlaceAbstractState::numberOfLocals const):
        (JSC::DFG::InPlaceAbstractState::operand):
        (JSC::DFG::InPlaceAbstractState::local):
        (JSC::DFG::InPlaceAbstractState::argument):
        (JSC::DFG::InPlaceAbstractState::variableAt):
        (JSC::DFG::InPlaceAbstractState::clobberStructures):
        (JSC::DFG::InPlaceAbstractState::observeInvalidationPoint):
        (JSC::DFG::InPlaceAbstractState::fastForward):
        (JSC::DFG::InPlaceAbstractState::variables): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):

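The clobber-epoch idea from the entry above, as an added example rather than DFG code: each abstract value records the epoch it was last written in, clobberWorld() only increments the interpreter's epoch, and a value with a stale epoch is fast-forwarded (its structure knowledge dropped) the next time it is read. AbstractValue, AbstractInterpreter, structureIsKnown and runExampleBlock are this example's names; the real AbstractValueClobberEpoch also carries a structure clobber state and handles invalidation points, which this simplified model folds into one counter.

```cpp
#include <cstddef>
#include <cstdint>
#include <set>
#include <vector>

// Added example, not JSC's DFG abstract interpreter: O(1) clobbering through an
// epoch counter instead of walking every abstract value on each clobberWorld().
using StructureID = uint32_t;

struct AbstractValue {
    std::set<StructureID> structures; // empty and !structuresAreTop: the value is not an object
    bool structuresAreTop = false;    // true: could be any structure (clobbered or unknown)
    uint32_t epoch = 0;

    // Bring the value up to date with the interpreter's current epoch.
    void fastForwardTo(uint32_t currentEpoch)
    {
        if (epoch == currentEpoch)
            return;
        // At least one clobberWorld() happened since this value was written, so any
        // structure we knew about may have transitioned: forget it. Values that were
        // never objects carry no structure knowledge and are unaffected.
        if (!structures.empty()) {
            structures.clear();
            structuresAreTop = true;
        }
        epoch = currentEpoch;
    }
};

class AbstractInterpreter {
public:
    explicit AbstractInterpreter(size_t nodeCount) : m_values(nodeCount) { }

    // Record a fresh fact: the node's result has exactly structure `s`.
    void setStructure(size_t node, StructureID s)
    {
        AbstractValue& value = m_values[node];
        value.structures = { s };
        value.structuresAreTop = false;
        value.epoch = m_epoch;
    }

    // An effect with unknown consequences ran (an opaque call, a put that may
    // transition). This is the O(1) part: no walk over m_values.
    void clobberWorld() { ++m_epoch; }

    // Reads fast-forward lazily, so the cost is paid only for values actually consulted.
    const AbstractValue& forNode(size_t node)
    {
        AbstractValue& value = m_values[node];
        value.fastForwardTo(m_epoch);
        return value;
    }

    uint32_t epoch() const { return m_epoch; }

private:
    std::vector<AbstractValue> m_values;
    uint32_t m_epoch = 1; // above the default 0, so untouched values read as stale but harmless
};

// True when the node's structure is still known to be exactly `s`.
bool structureIsKnown(AbstractInterpreter& ai, size_t node, StructureID s)
{
    const AbstractValue& value = ai.forNode(node);
    return !value.structuresAreTop && value.structures.size() == 1 && *value.structures.begin() == s;
}

// Straight-line block: node 0 = NewObject(structure 7), node 1 = NewObject(structure 9),
// an opaque call, then node 2 = NewObject(structure 11). Returns a bitmask of which
// nodes still have an exact structure afterwards; only node 2 (bit value 4) survives.
unsigned runExampleBlock()
{
    AbstractInterpreter ai(3);
    ai.setStructure(0, 7);
    ai.setStructure(1, 9);
    ai.clobberWorld();
    ai.setStructure(2, 11);
    unsigned mask = 0;
    if (structureIsKnown(ai, 0, 7))
        mask |= 1;
    if (structureIsKnown(ai, 1, 9))
        mask |= 2;
    if (structureIsKnown(ai, 2, 11))
        mask |= 4;
    return mask;
}
```

Two clobbers in a row cost two increments, not two traversals, and a value that is never read again after a clobber is never touched at all; that is where the compile-time win comes from.

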
2018-05-06  Filip Pizlo  <fpizlo@apple.com>

        InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
        https://bugs.webkit.org/show_bug.cgi?id=185365

        Reviewed by Saam Barati.

        This patch does three things to improve compile times:

        - Fixes some inlining goofs.

        - Adds the ability to measure compile times with run-jsc-benchmarks.

        - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
          code that clears abstract values. It turns out that constant folding "needed" this, in the
          sense that this was the only thing protecting it from loading the abstract value of a no-result
          node and then concluding that because it had a non-empty m_value, it could be constant-folded.
          Any node that produces a result will explicitly set its abstract value, so this problem can
          also be guarded by just having constant folding check if the node it wants to fold returns any
          result.

        Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::merge):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::doToChildrenWithNode):
        (JSC::DFG::Graph::doToChildren):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        * jit/JIT.cpp:
        (JSC::JIT::totalCompileTime):
        * jit/JIT.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionTotalCompileTime):

2018-05-05  Filip Pizlo  <fpizlo@apple.com>

        DFG AI doesn't need to merge valuesAtTail - it can just assign them
        https://bugs.webkit.org/show_bug.cgi?id=185355

        Reviewed by Mark Lam.

        This is a further attempt to improve compile times. Assigning AbstractValue ought to always
        be faster than merging. There's no need to merge valuesAtTail. In most cases, assigning and
        merging will get the same answer because the value computed this time will be either the same
        as or more general than the value computed last time. If the value does change for some
        reason, then valuesAtHead are already merged, which ensures monotonicity. Also, if the value
        changes, then we have no reason to believe that this new value is less right than the last
        one we computed. Finally, the one client of valuesAtTail (AtTailAbstractState) doesn't care
        if it's getting the merged valuesAtTail or just some correct answer for valuesAtTail.

        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):

2018-05-07  Andy VanWagoner  <andy@vanwagoner.family>

        Remove defunct email address
        https://bugs.webkit.org/show_bug.cgi?id=185396

        Reviewed by Mark Lam.

        The email address thetalecrafter@gmail.com is no longer valid, as the
        associated google account has been closed. This updates the email
        address so questions about these Intl contributions go to the right
        place.

        * builtins/DatePrototype.js:
        * builtins/NumberPrototype.js:
        * builtins/StringPrototype.js:
        * runtime/IntlCollator.cpp:
        * runtime/IntlCollator.h:
        * runtime/IntlCollatorConstructor.cpp:
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlCollatorPrototype.cpp:
        * runtime/IntlCollatorPrototype.h:
        * runtime/IntlDateTimeFormat.cpp:
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlDateTimeFormatPrototype.cpp:
        * runtime/IntlDateTimeFormatPrototype.h:
        * runtime/IntlNumberFormat.cpp:
        * runtime/IntlNumberFormat.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/IntlNumberFormatPrototype.cpp:
        * runtime/IntlNumberFormatPrototype.h:
        * runtime/IntlObject.cpp:
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp:
        * runtime/IntlPluralRules.h:
        * runtime/IntlPluralRulesConstructor.cpp:
        * runtime/IntlPluralRulesConstructor.h:
        * runtime/IntlPluralRulesPrototype.cpp:
        * runtime/IntlPluralRulesPrototype.h:

2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove "using namespace std;" from JSC, bmalloc, WTF
        https://bugs.webkit.org/show_bug.cgi?id=185362

        Reviewed by Sam Weinig.

        "namespace std" may include many names. It can conflict with names defined by our code
        and by other platform-provided headers. For example, std::byte conflicts with Windows'
        ::byte.
        This patch removes "using namespace std;" from JSC and bmalloc.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::create):
        * bytecode/Opcode.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newRegister):
        * heap/Heap.cpp:
        (JSC::Heap::updateAllocationLimits):
        * interpreter/Interpreter.cpp:
        * jit/JIT.cpp:
        * parser/Parser.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSLexicalEnvironment.cpp:
        * runtime/JSModuleEnvironment.cpp:
        * runtime/Structure.cpp:
        * shell/DLLLauncherMain.cpp:
        (getStringValue):
        (applePathFromRegistry):
        (appleApplicationSupportDirectory):
        (copyEnvironmentVariable):
        (prependPath):
        (fatalError):
        (directoryExists):
        (modifyPath):
        (getLastErrorString):
        (wWinMain):

2018-05-05  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA phase should only do clobber asserts in debug
        https://bugs.webkit.org/show_bug.cgi?id=185354

        Reviewed by Saam Barati.

        Clobber asserts are responsible for 1% of compile time. That's too much. This disables them
        unless asserts are enabled.

        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):

2018-05-04  Keith Miller  <keith_miller@apple.com>

        isCacheableArrayLength should return true for undecided arrays
        https://bugs.webkit.org/show_bug.cgi?id=185309

        Reviewed by Michael Saboff.

        Undecided arrays have butterflies so there is no reason why we
        should not be able to cache their length.

        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::isCacheableArrayLength):

2018-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Remove std::random_shuffle
        https://bugs.webkit.org/show_bug.cgi?id=185292

        Reviewed by Darin Adler.

        std::random_shuffle is deprecated in C++14 and removed in C++17,
        since std::random_shuffle relies on rand and srand.
        Use std::shuffle instead.

        * jit/BinarySwitch.cpp:
        (JSC::RandomNumberGenerator::RandomNumberGenerator):
        (JSC::RandomNumberGenerator::operator()):
        (JSC::RandomNumberGenerator::min):
        (JSC::RandomNumberGenerator::max):
        (JSC::BinarySwitch::build):

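What the std::random_shuffle to std::shuffle move in the entry above involves, as an added example that is not BinarySwitch.cpp's code. std::shuffle needs a UniformRandomBitGenerator (result_type, operator(), min(), max()), so an existing seedable PRNG has to be wrapped in an adapter; the RandomNumberGenerator below is this example's own adapter around a small xorshift64* state standing in for the engine's generator, and shuffledIndices / isPermutation are assumed helper names.

```cpp
#include <algorithm>
#include <cstdint>
#include <limits>
#include <numeric>
#include <vector>

// Added example, not JSC's code. std::random_shuffle took an optional RandomFunc(n)
// and otherwise fell back on rand(); std::shuffle instead requires a generator type
// that satisfies UniformRandomBitGenerator. This adapter exposes a seeded PRNG that way.
class RandomNumberGenerator {
public:
    using result_type = uint64_t;

    explicit RandomNumberGenerator(uint64_t seed)
        : m_state(seed ? seed : 0x9E3779B97F4A7C15ULL) // xorshift must never sit at zero
    {
    }

    // xorshift64*: fine for picking a search order deterministically per seed; it is
    // not a cryptographic generator and must not be used where unpredictability matters.
    result_type operator()()
    {
        m_state ^= m_state >> 12;
        m_state ^= m_state << 25;
        m_state ^= m_state >> 27;
        return m_state * 0x2545F4914F6CDD1DULL;
    }

    static constexpr result_type min() { return 0; }
    static constexpr result_type max() { return std::numeric_limits<result_type>::max(); }

private:
    uint64_t m_state;
};

// Returns the values 0..count-1 shuffled with the given seed; the same seed
// always yields the same order, which is what makes JIT output reproducible.
std::vector<unsigned> shuffledIndices(unsigned count, uint64_t seed)
{
    std::vector<unsigned> indices(count);
    std::iota(indices.begin(), indices.end(), 0u);
    RandomNumberGenerator generator(seed);
    std::shuffle(indices.begin(), indices.end(), generator);
    return indices;
}

// True when `permutation` contains each of 0..n-1 exactly once.
bool isPermutation(const std::vector<unsigned>& permutation)
{
    std::vector<bool> seen(permutation.size(), false);
    for (unsigned v : permutation) {
        if (v >= permutation.size() || seen[v])
            return false;
        seen[v] = true;
    }
    return true;
}
```

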
2018-05-03  Saam Barati  <sbarati@apple.com>

        Don't prevent CreateThis being folded to NewObject when the structure is poly proto
        https://bugs.webkit.org/show_bug.cgi?id=185177

        Reviewed by Filip Pizlo.

        This patch teaches the DFG/FTL how to constant fold CreateThis with
        a known poly proto Structure to NewObject. We do it by emitting a NewObject
        followed by a PutByOffset for the prototype value.

        We make it so that ObjectAllocationProfile holds the prototype value.
        This is sound because JSFunction clears that profile when its 'prototype'
        field changes.

        This patch also renames underscoreProtoPrivateName to polyProtoName since
        that name was nonsensical: it was only used for poly proto.

        This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
        regressed that benchmark when I first introduced poly proto.

        * builtins/BuiltinNames.cpp:
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        (JSC::BuiltinNames::polyProtoName const):
        (JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::prototype):
        (JSC::ObjectAllocationProfile::clear):
        (JSC::ObjectAllocationProfile::visitAggregate):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/FunctionRareData.h:
        * runtime/Structure.cpp:
        (JSC::Structure::create):

2018-05-03  Michael Saboff  <msaboff@apple.com>

        OSR entry pruning of Program Bytecodes doesn't take into account try/catch
        https://bugs.webkit.org/show_bug.cgi?id=185281

        Reviewed by Saam Barati.

        When we compute bytecode block reachability, we need to take into account blocks
        containing try/catch.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):

2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>

        ARM: Wrong offset for operand rt in disassembler
        https://bugs.webkit.org/show_bug.cgi?id=184083

        Reviewed by Yusuke Suzuki.

        * disassembler/ARMv7/ARMv7DOpcode.h:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):

2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>

        ARM: Support vstr in disassembler
        https://bugs.webkit.org/show_bug.cgi?id=184084

        Reviewed by Yusuke Suzuki.

        * disassembler/ARMv7/ARMv7DOpcode.cpp:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted.
        * disassembler/ARMv7/ARMv7DOpcode.h:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted.
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted.
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted.
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted.
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted.
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted.

2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>

        Invoke ensureArrayStorage for all arguments
        https://bugs.webkit.org/show_bug.cgi?id=185247

        Reviewed by Yusuke Suzuki.

        ensureArrayStorage was only invoked for the first argument in each loop iteration.

        * jsc.cpp:
        (functionEnsureArrayStorage):

2018-05-03  Filip Pizlo  <fpizlo@apple.com>

        Make it easy to log compile times for all optimizing tiers
        https://bugs.webkit.org/show_bug.cgi?id=185270

        Reviewed by Keith Miller.

        This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common
        helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used
        it.

        This should help us reduce compile times by telling us where to look. So far, it looks like
        CFA is the worst.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/B3Common.cpp:
        (JSC::B3::shouldMeasurePhaseTiming): Deleted.
        * b3/B3Common.h:
        * b3/B3TimingScope.cpp: Removed.
        * b3/B3TimingScope.h:
        (JSC::B3::TimingScope::TimingScope):
        * dfg/DFGPhase.h:
        (JSC::DFG::runAndLog):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        * tools/CompilerTimingScope.cpp: Added.
        (JSC::CompilerTimingScope::CompilerTimingScope):
        (JSC::CompilerTimingScope::~CompilerTimingScope):
        * tools/CompilerTimingScope.h: Added.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2737 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
2738
2739         Strings should not be allocated in a gigacage
2740         https://bugs.webkit.org/show_bug.cgi?id=185218
2741
2742         Reviewed by Saam Barati.
2743
2744         * runtime/JSBigInt.cpp:
2745         (JSC::JSBigInt::toStringGeneric):
2746         * runtime/JSString.cpp:
2747         (JSC::JSRopeString::resolveRopeToAtomicString const):
2748         (JSC::JSRopeString::resolveRope const):
2749         * runtime/JSString.h:
2750         (JSC::JSString::create):
2751         (JSC::JSString::createHasOtherOwner):
2752         * runtime/VM.h:
2753         (JSC::VM::gigacageAuxiliarySpace):
2754
2755 2018-05-03  Keith Miller  <keith_miller@apple.com>
2756
2757         Unreviewed, fix 32-bit profile offset for change in bytecode
2758         length of the get_by_id and get_array_length opcodes.
2759
2760         * llint/LowLevelInterpreter32_64.asm:
2761
2762 2018-05-03  Michael Saboff  <msaboff@apple.com>
2763
2764         WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript
2765         https://bugs.webkit.org/show_bug.cgi?id=185231
2766
2767         Reviewed by Saam Barati.
2768
2769         We weren't clearing the scratch register cache when switching back and forth between 
2770         allowing scratch register usage.  We disallow scratch register usage when we are in
2771         code that will freely allocate and use any register.  Such usage can change the
2772         contents of scratch registers.  For ARM64, where we cache the contents of scratch
2773         registers to reuse some or all of the contained values, we need to invalidate these
2774         caches.  We do this when re-enabling scratch register usage, that is when we transition
2775         from disallow to allow scratch register usage.
2776
2777         Added a new Air regression test.
2778
2779         * assembler/AllowMacroScratchRegisterUsage.h:
2780         (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage):
2781         * assembler/AllowMacroScratchRegisterUsageIf.h:
2782         (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
2783         * assembler/DisallowMacroScratchRegisterUsage.h:
2784         (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage):
2785         * b3/air/testair.cpp:
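
The invalidation rule described above, as an added example that is not part of this change or of JSC: a toy assembler that caches the constant last materialised into its scratch register, plus a Disallow scope whose destructor drops that cache on the disallow-to-allow transition. The model conflates code emission with execution (emitRegisterAllocatedCode writes the register directly) to keep it short, and every name in it is invented for the illustration.

```cpp
#include <cstdint>
#include <optional>

// A toy macro assembler that, like the ARM64 backend, remembers the constant
// it last materialised into its scratch register so that a repeated request
// can reuse the register instead of re-emitting the move.
class ToyAssembler {
public:
    // Put `value` in the scratch register. Returns true when the move was
    // skipped because the cache claimed the register already held the value.
    bool materialize(int64_t value) {
        if (m_cachedValue && *m_cachedValue == value)
            return true; // reuse: nothing emitted
        m_scratchRegister = value;
        m_cachedValue = value;
        return false;
    }

    // Code generated while scratch usage is disallowed may freely allocate and
    // use any register, so it can leave anything in the scratch register.
    void emitRegisterAllocatedCode(int64_t whateverItLeftBehind) {
        m_scratchRegister = whateverItLeftBehind;
    }

    int64_t scratchRegister() const { return m_scratchRegister; }
    void invalidateScratchCache() { m_cachedValue.reset(); }

private:
    int64_t m_scratchRegister = 0;
    std::optional<int64_t> m_cachedValue;
};

// RAII scope in the spirit of DisallowMacroScratchRegisterUsage. On the
// transition back to "allowed" the cache must be dropped, because the code
// emitted inside the scope may have clobbered the scratch register. The
// `invalidateOnExit` flag exists only to show the buggy and fixed behaviour
// side by side.
class DisallowScratchScope {
public:
    DisallowScratchScope(ToyAssembler& assembler, bool invalidateOnExit)
        : m_assembler(assembler), m_invalidateOnExit(invalidateOnExit) {}
    ~DisallowScratchScope() {
        if (m_invalidateOnExit)
            m_assembler.invalidateScratchCache(); // the fix
    }

private:
    ToyAssembler& m_assembler;
    bool m_invalidateOnExit;
};

// Materialise 42, run register-allocated code that clobbers the scratch
// register, then ask for 42 again. Returns the value later code would actually
// find in the scratch register: with a stale cache the second materialize
// emits nothing and the clobbered value leaks through.
int64_t valueReadAfterReuse(bool invalidateOnExit) {
    ToyAssembler assembler;
    assembler.materialize(42);
    {
        DisallowScratchScope scope(assembler, invalidateOnExit);
        assembler.emitRegisterAllocatedCode(0xdead);
    }
    assembler.materialize(42);
    return assembler.scratchRegister();
}
```

valueReadAfterReuse(false) reproduces the miscompile (0xdead where 42 was expected); valueReadAfterReuse(true) shows the invalidating destructor restoring correctness.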
2786
2787 2018-05-03  Keith Miller  <keith_miller@apple.com>
2788
2789         Remove the prototype caching for get_by_id in the LLInt
2790         https://bugs.webkit.org/show_bug.cgi?id=185226
2791
2792         Reviewed by Michael Saboff.
2793
2794         There is no evidence that this is actually a speedup and we keep
2795         getting bugs with it. At this point it seems like we should just
2796         remove this code.
2797
2798         * CMakeLists.txt:
2799         * JavaScriptCore.xcodeproj/project.pbxproj:
2800         * Sources.txt:
2801         * bytecode/BytecodeDumper.cpp:
2802         (JSC::BytecodeDumper<Block>::printGetByIdOp):
2803         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
2804         (JSC::BytecodeDumper<Block>::dumpBytecode):
2805         * bytecode/BytecodeList.json:
2806         * bytecode/BytecodeUseDef.h:
2807         (JSC::computeUsesForBytecodeOffset):
2808         (JSC::computeDefsForBytecodeOffset):
2809         * bytecode/CodeBlock.cpp:
2810         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2811         * bytecode/CodeBlock.h:
2812         (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
2813         * bytecode/GetByIdStatus.cpp:
2814         (JSC::GetByIdStatus::computeFromLLInt):
2815         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
2816         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
2817         * bytecompiler/BytecodeGenerator.cpp:
2818         (JSC::BytecodeGenerator::emitGetById):
2819         * dfg/DFGByteCodeParser.cpp:
2820         (JSC::DFG::ByteCodeParser::parseBlock):
2821         * dfg/DFGCapabilities.cpp:
2822         (JSC::DFG::capabilityLevel):
2823         * jit/JIT.cpp:
2824         (JSC::JIT::privateCompileMainPass):
2825         (JSC::JIT::privateCompileSlowCases):
2826         * llint/LLIntSlowPaths.cpp:
2827         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2828         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
2829         * llint/LowLevelInterpreter32_64.asm:
2830         * llint/LowLevelInterpreter64.asm:
2831         * runtime/Options.h:
2832
2833 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
2834
2835         Unreviewed, rolling out r231197.
2836
2837         The test added with this change crashes on the 32-bit JSC bot.
2838
2839         Reverted changeset:
2840
2841         "Correctly detect string overflow when using the 'Function'
2842         constructor"
2843         https://bugs.webkit.org/show_bug.cgi?id=184883
2844         https://trac.webkit.org/changeset/231197
2845
2846 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2847
2848         Disable usage of fused multiply-add instructions for JSC with compiler flag
2849         https://bugs.webkit.org/show_bug.cgi?id=184909
2850
2851         Reviewed by Yusuke Suzuki.
2852
2853         Adds -ffp-contract as compiler flag for building JSC. This ensures that functions
2854         like parseInt() do not return slightly different results depending on whether the
2855         compiler was able to use fused multiply-add instructions or not.
2856
2857         * CMakeLists.txt:
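
Why contraction makes a parser's result depend on compiler flags, as an added example (not JSC's parseInt or build code): the same digit-accumulation loop run once with separately rounded multiply and add, which is what -ffp-contract=off guarantees for the plain expression, and once with a fused multiply-add, which a contracting compiler may emit on hardware with FMA. The 17-digit input is constructed so the two roundings disagree; stepSeparate, stepFused and parseDigits are names chosen for this example.

```cpp
#include <cmath>
#include <string_view>

// Two ways to evaluate acc * 10 + digit, the step of a naive decimal parser.

// Separate rounding: the product is rounded to a double, then the sum is
// rounded again. This is what -ffp-contract=off guarantees for the plain
// expression; the volatile temporary forces it here regardless of flags.
double stepSeparate(double acc, double digit) {
    volatile double product = acc * 10.0;
    return product + digit;
}

// Fused rounding: a single rounding of the exact acc * 10 + digit, which is
// what an FMA instruction computes when the compiler contracts the expression.
double stepFused(double acc, double digit) {
    return std::fma(acc, 10.0, digit);
}

// Naive digit accumulation parameterised by the step; NaN on a non-digit.
double parseDigits(std::string_view text, double (*step)(double, double)) {
    double acc = 0.0;
    for (char ch : text) {
        if (ch < '0' || ch > '9')
            return std::nan("");
        acc = step(acc, static_cast<double>(ch - '0'));
    }
    return acc;
}

// Does the parsed value depend on whether the compiler contracted the step?
// For "90071992547409944" it does: after 16 digits acc is exactly
// 9007199254740994, and acc * 10 = 90071992547409940 is not representable
// (the spacing of doubles there is 16). Rounding the product first gives
// ...936, and adding 4 leaves ...936. Fusing rounds the exact ...944 once,
// a tie that round-half-even resolves to ...952.
bool resultDependsOnContraction(std::string_view text) {
    return parseDigits(text, stepSeparate) != parseDigits(text, stepFused);
}
```

With the flag set, the plain expression `acc * 10.0 + digit` behaves like stepSeparate on every target; without it, the same source can behave like stepFused on one machine and stepSeparate on another, which is exactly the cross-platform divergence the change avoids.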
2858
2859 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2860
2861         Unreviewed, fix build failure in ARM, ARMv7 and MIPS
2862         https://bugs.webkit.org/show_bug.cgi?id=185192
2863
2864         compareDouble relies on MacroAssembler::invert function.
2865
2866         * assembler/MacroAssembler.h:
2867         (JSC::MacroAssembler::compareDouble):
2868         * assembler/MacroAssemblerARM.h:
2869         (JSC::MacroAssemblerARM::compareDouble): Deleted.
2870         * assembler/MacroAssemblerARMv7.h:
2871         (JSC::MacroAssemblerARMv7::compareDouble): Deleted.
2872         * assembler/MacroAssemblerMIPS.h:
2873         (JSC::MacroAssemblerMIPS::compareDouble): Deleted.
2874
2875 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2876
2877         [JSC] Add MacroAssembler::and16 and store16
2878         https://bugs.webkit.org/show_bug.cgi?id=185188
2879
2880         Reviewed by Mark Lam.
2881
2882         r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations.
2883         This patch adds these methods for ARM.
2884
2885         * assembler/MacroAssemblerARM.h:
2886         (JSC::MacroAssemblerARM::and16):
2887         (JSC::MacroAssemblerARM::store16):
2888
2889 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2890
2891         [DFG] Unify compare related code in 32bit and 64bit
2892         https://bugs.webkit.org/show_bug.cgi?id=185189
2893
2894         Reviewed by Mark Lam.
2895
2896         This patch unifies some part of compare related code in 32bit and 64bit
2897         to reduce the size of 32bit specific DFG code.
2898
2899         * dfg/DFGSpeculativeJIT.cpp:
2900         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
2901         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
2902         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2903         * dfg/DFGSpeculativeJIT32_64.cpp:
2904         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
2905         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
2906         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
2907         * dfg/DFGSpeculativeJIT64.cpp:
2908         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
2909         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
2910         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
2911
2912 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2913
2914         [JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64
2915         https://bugs.webkit.org/show_bug.cgi?id=185192
2916
2917         Reviewed by Mark Lam.
2918
2919         Now Object.is starts using compareDouble. So we would like to have
2920         efficient implementation for compareDouble and compareFloat for
2921         major architectures, ARM64, X86, and X86_64.
2922
2923         This patch adds compareDouble and compareFloat implementations for
2924         these architectures. And the generic implementation is moved to each
2925         architecture's MacroAssembler implementation.
2926
2927         We also add tests for them in testmasm. To implement this test
2928         easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the
2929         major architectures.
2930
2931         * assembler/MacroAssembler.h:
2932         (JSC::MacroAssembler::compareDouble): Deleted.
2933         (JSC::MacroAssembler::compareFloat): Deleted.
2934         * assembler/MacroAssemblerARM.h:
2935         (JSC::MacroAssemblerARM::compareDouble):
2936         * assembler/MacroAssemblerARM64.h:
2937         (JSC::MacroAssemblerARM64::compareDouble):
2938         (JSC::MacroAssemblerARM64::compareFloat):
2939         (JSC::MacroAssemblerARM64::loadFloat):
2940         (JSC::MacroAssemblerARM64::floatingPointCompare):
2941         * assembler/MacroAssemblerARMv7.h:
2942         (JSC::MacroAssemblerARMv7::compareDouble):
2943         * assembler/MacroAssemblerMIPS.h:
2944         (JSC::MacroAssemblerMIPS::compareDouble):
2945         * assembler/MacroAssemblerX86Common.h:
2946         (JSC::MacroAssemblerX86Common::loadFloat):
2947         (JSC::MacroAssemblerX86Common::compareDouble):
2948         (JSC::MacroAssemblerX86Common::compareFloat):
2949         (JSC::MacroAssemblerX86Common::floatingPointCompare):
2950         * assembler/X86Assembler.h:
2951         (JSC::X86Assembler::movss_mr):
2952         (JSC::X86Assembler::movss_rm):
2953         * assembler/testmasm.cpp:
2954         (JSC::floatOperands):
2955         (JSC::testCompareFloat):
2956         (JSC::run):
2957
2958 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2959
2960         Unreviewed, fix 32bit DFG code
2961         https://bugs.webkit.org/show_bug.cgi?id=185065
2962
2963         * dfg/DFGSpeculativeJIT.cpp:
2964         (JSC::DFG::SpeculativeJIT::compileSameValue):
2965
2966 2018-05-02  Filip Pizlo  <fpizlo@apple.com>
2967
2968         JSC should know how to cache custom getter accesses on the prototype chain
2969         https://bugs.webkit.org/show_bug.cgi?id=185213
2970
2971         Reviewed by Keith Miller.
2972
2973         This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test.
2974
2975         * jit/Repatch.cpp:
2976         (JSC::tryCacheGetByID):
2977
2978 2018-05-01  Filip Pizlo  <fpizlo@apple.com>
2979
2980         JSC should be able to cache custom setter calls on the prototype chain
2981         https://bugs.webkit.org/show_bug.cgi?id=185174
2982
2983         Reviewed by Saam Barati.
2984
2985         We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty()
2986         condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add
2987         impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead
2988         of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for
2989         custom accessors because it won't find the custom property in the structure.
2990
2991         The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty().
2992
2993         This is a 4x speed-up on assign-custom-setter.js.
2994
2995         * bytecode/AccessCase.cpp:
2996         (JSC::AccessCase::hasAlternateBase const):
2997         (JSC::AccessCase::alternateBase const):
2998         (JSC::AccessCase::generateImpl):
2999         * bytecode/AccessCase.h:
3000         (JSC::AccessCase::alternateBase const): Deleted.
3001         * bytecode/GetterSetterAccessCase.cpp:
3002         (JSC::GetterSetterAccessCase::hasAlternateBase const):
3003         (JSC::GetterSetterAccessCase::alternateBase const):
3004         * bytecode/GetterSetterAccessCase.h:
3005         * bytecode/ObjectPropertyConditionSet.cpp:
3006         (JSC::generateConditionsForPrototypePropertyHitCustom):
3007         * bytecode/ObjectPropertyConditionSet.h:
3008         * jit/Repatch.cpp:
3009         (JSC::tryCacheGetByID):
3010         (JSC::tryCachePutByID):
3011
3012 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
3013
3014         [MIPS] Implement and16 and store16 for MacroAssemblerMIPS
3015         https://bugs.webkit.org/show_bug.cgi?id=185195
3016
3017         Reviewed by Mark Lam.
3018
3019         This implements the given functions for MIPS, such that it builds again.
3020
3021         * assembler/MacroAssemblerMIPS.h:
3022         (JSC::MacroAssemblerMIPS::and16):
3023         (JSC::MacroAssemblerMIPS::store16):
3024
3025 2018-05-02  Rick Waldron  <waldron.rick@gmail.com>
3026
3027         Expose "$262.agent.monotonicNow()" for use in testing Atomic operation timeouts
3028         https://bugs.webkit.org/show_bug.cgi?id=185043
3029
3030         Reviewed by Filip Pizlo.
3031
3032         * jsc.cpp:
3033         (GlobalObject::finishCreation):
3034         (functionDollarAgentMonotonicNow):
3035
3036 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
3037
3038         [ARM] Implement and16 and store16 for MacroAssemblerARMv7
3039         https://bugs.webkit.org/show_bug.cgi?id=185196
3040
3041         Reviewed by Mark Lam.
3042
3043         This implements and16 and store16 for MacroAssemblerARMv7 such that JSC builds again.
3044
3045         * assembler/MacroAssemblerARMv7.h:
3046         (JSC::MacroAssemblerARMv7::and16):
3047         (JSC::MacroAssemblerARMv7::store16):
3048
3049 2018-05-02  Robin Morisset  <rmorisset@apple.com>
3050
3051         emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
3052         https://bugs.webkit.org/show_bug.cgi?id=183172
3053
3054         Reviewed by Filip Pizlo.
3055
3056         DFGArgumentsEliminationPhase.cpp currently believes that allocations of NewArrayWithSpread can be deleted if they are only used by GetArrayLength,
3057         but when it then calls emitCodeToGetArgumentsArrayLength, the latter has no idea what to do with GetArrayLength.
3058
3059         I fix the problem by teaching emitCodeToGetArgumentsArrayLength how to deal with GetArrayLength.
3060         Because this requires emitting an Add that can overflow and thus exit, we also tell DFGArgumentsEliminationPhase to give up on eliminating
3061         a NewArrayWithSpread when it is used by a GetArrayLength that is not allowed to exit.
3062
3063         * dfg/DFGArgumentsEliminationPhase.cpp:
3064         * dfg/DFGArgumentsUtilities.cpp:
3065         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3066
3067 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3068
3069         Unreviewed, stackPointer signature is different from declaration
3070         https://bugs.webkit.org/show_bug.cgi?id=184790
3071
3072         * runtime/MachineContext.h:
3073         (JSC::MachineContext::stackPointer):
3074
3075 2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3076
3077         [JSC] Add SameValue DFG node
3078         https://bugs.webkit.org/show_bug.cgi?id=185065
3079
3080         Reviewed by Saam Barati.
3081
3082         This patch adds Object.is handling in DFG and FTL. Object.is is converted to SameValue DFG node.
3083         And DFG fixup phase attempts to convert SameValue node to CompareStrictEq with type filter edges
3084         if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics
3085         from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have
3086         implementations for these SameValue nodes.
3087
3088         This old MacroAssemblerX86Common::compareDouble was dead code since the derived class, "MacroAssembler",
3089         has a generalized compareDouble, which just uses branchDouble. Since this was not used, this function
3090         was broken. This patch fixes the issues and moves compareDouble to MacroAssemblerX86Common, and removes the
3091         generalized compareDouble for the x86 arch to use this specialized efficient version instead. The fixes are
3092         correctly using set32 to zero-extend the result, and setting the initial value of the `dest` register
3093         correctly for the DoubleEqual and DoubleNotEqualOrUnordered cases.
3094
3095         Added microbenchmark shows performance improvement.
3096
3097             object-is           651.0053+-38.8204    ^    241.3467+-15.8753       ^ definitely 2.6974x faster
3098
3099         * assembler/MacroAssembler.h:
3100         * assembler/MacroAssemblerX86Common.h:
3101         (JSC::MacroAssemblerX86Common::compareDouble):
3102         * assembler/MacroAssemblerX86_64.h:
3103         (JSC::MacroAssemblerX86_64::compareDouble): Deleted.
3104         * assembler/testmasm.cpp:
3105         (JSC::doubleOperands):
3106         (JSC::testCompareDouble):
3107         (JSC::run):
3108         * dfg/DFGAbstractInterpreterInlines.h:
3109         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3110         * dfg/DFGByteCodeParser.cpp:
3111         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3112         * dfg/DFGClobberize.h:
3113         (JSC::DFG::clobberize):
3114         * dfg/DFGConstantFoldingPhase.cpp:
3115         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3116         * dfg/DFGDoesGC.cpp:
3117         (JSC::DFG::doesGC):
3118         * dfg/DFGFixupPhase.cpp:
3119         (JSC::DFG::FixupPhase::fixupNode):
3120         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
3121         * dfg/DFGNodeType.h:
3122         * dfg/DFGOperations.cpp:
3123         * dfg/DFGOperations.h:
3124         * dfg/DFGPredictionPropagationPhase.cpp:
3125         * dfg/DFGSafeToExecute.h:
3126         (JSC::DFG::safeToExecute):
3127         * dfg/DFGSpeculativeJIT.cpp:
3128         (JSC::DFG::SpeculativeJIT::compileSameValue):
3129         * dfg/DFGSpeculativeJIT.h:
3130         * dfg/DFGSpeculativeJIT32_64.cpp:
3131         (JSC::DFG::SpeculativeJIT::compile):
3132         * dfg/DFGSpeculativeJIT64.cpp:
3133         (JSC::DFG::SpeculativeJIT::compile):
3134         * dfg/DFGValidate.cpp:
3135         * ftl/FTLCapabilities.cpp:
3136         (JSC::FTL::canCompile):
3137         * ftl/FTLLowerDFGToB3.cpp:
3138         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3139         (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
3140         * runtime/Intrinsic.cpp:
3141         (JSC::intrinsicName):
3142         * runtime/Intrinsic.h:
3143         * runtime/ObjectConstructor.cpp:
3144
3145 2018-04-30  Filip Pizlo  <fpizlo@apple.com>
3146
3147         B3::demoteValues should be able to handle patchpoint terminals
3148         https://bugs.webkit.org/show_bug.cgi?id=185151
3149
3150         Reviewed by Saam Barati.
3151         
3152         If we try to demote a patchpoint terminal then prior to this change we would append a Set to
3153         the basic block that the patchpoint terminated. That's wrong because then the terminal is no
3154         longer the last thing in the block.
3155         
3156         Air encounters this problem in spilling and solves it by doing a fixup afterwards. We can't
3157         really do that because demotion happens as a prerequisite to other transformations.
3158         
3159         One solution might have been to make demoteValues insert a basic block whenever it encounters
3160         this problem. But that would break clients that do CFG analysis before demoteValues and use
3161         the results of the CFG analysis after demoteValues. Taildup does this. Fortunately, taildup
3162         also runs breakCriticalEdges. Probably anyone using demoteValues will use breakCriticalEdges,
3163         so it's not bad to introduce that requirement.
3164         
3165         So, this patch solves the problem by ensuring that breakCriticalEdges treats any patchpoint
3166         terminal as if it had multiple successors. This means that a patchpoint terminal's successors
3167         will only have it as their predecessor. Then, demoteValues just prepends the Set to the
3168         successors of the patchpoint terminal.
3169         
3170         This was probably asymptomatic. It's hard to write a JS test that triggers this, so I added
3171         a unit test in testb3.
3172
3173         * b3/B3BreakCriticalEdges.cpp:
3174         (JSC::B3::breakCriticalEdges):
3175         * b3/B3BreakCriticalEdges.h:
3176         * b3/B3FixSSA.cpp:
3177         (JSC::B3::demoteValues):
3178         (JSC::B3::fixSSA):
3179         * b3/B3FixSSA.h:
3180         * b3/B3Value.cpp:
3181         (JSC::B3::Value::foldIdentity const):
3182         (JSC::B3::Value::performSubstitution):
3183         * b3/B3Value.h:
3184         * b3/testb3.cpp:
3185         (JSC::B3::testDemotePatchpointTerminal):
3186         (JSC::B3::run):
3187
3188 2018-05-01  Robin Morisset  <rmorisset@apple.com>
3189
3190         Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
3191         https://bugs.webkit.org/show_bug.cgi?id=184772
3192         <rdar://problem/39146327>
3193
3194         Reviewed by Filip Pizlo.
3195
3196         Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399>), where a check was missing.
3197         This patch now makes sure that the check correctly detects if there is an integer overflow.
3198
3199         * runtime/JSArray.cpp:
3200         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3201
3202 2018-05-01  Robin Morisset  <rmorisset@apple.com>
3203
3204         Correctly detect string overflow when using the 'Function' constructor
3205         https://bugs.webkit.org/show_bug.cgi?id=184883
3206         <rdar://problem/36320331>
3207
3208         Reviewed by Filip Pizlo.
3209
3210         The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation.
3211         Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case.
3212
3213         I added new tryAppend methods alongside the old append methods, that return a boolean (true means success, false means an overflow happened).
3214         In this way, it becomes possible for the Function constructor to just throw a proper JS exception when asked to create a string > 4GB.
3215         I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.
3216
3217         * runtime/FunctionConstructor.cpp:
3218         (JSC::constructFunctionSkippingEvalEnabledCheck):
3219         * runtime/JSONObject.cpp:
3220         (JSC::Stringifier::appendStringifiedValue):
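
The two overflow fixes above (the checked length computation in unshiftCountWithAnyIndexingType and the tryAppend methods used by the Function constructor) share one idea: compute the size in checked arithmetic and refuse the operation instead of wrapping. The following is an added example in that spirit, not WTF's CheckedArithmetic or StringBuilder and not JSC's Function constructor; checkedAdd, unshiftLength*, TryAppendBuilder and buildFunctionSource are names chosen here, the configurable limit exists only so the failure path can be exercised without a 4 GB string, and the generated source text is a simplified shape rather than JSC's exact output.

```cpp
#include <cstdint>
#include <optional>
#include <string>
#include <string_view>
#include <vector>

// Checked 32-bit addition: report overflow instead of wrapping silently.
std::optional<uint32_t> checkedAdd(uint32_t a, uint32_t b) {
    uint32_t sum;
    if (__builtin_add_overflow(a, b, &sum))
        return std::nullopt;
    return sum;
}

// Length of an array after unshifting `count` elements in front of `oldLength`
// existing ones. The unchecked form wraps, so a huge count yields a tiny new
// length, a tiny allocation, and out-of-bounds writes when the elements are
// copied in. The checked form refuses the operation instead.
uint32_t unshiftLengthUnchecked(uint32_t oldLength, uint32_t count) {
    return oldLength + count;
}
std::optional<uint32_t> unshiftLengthChecked(uint32_t oldLength, uint32_t count) {
    return checkedAdd(oldLength, count);
}

// A string builder with a 32-bit length. tryAppend returns false on overflow
// rather than crashing, and leaves the builder untouched so the caller can
// throw. The limit is a constructor argument (an assumption of this example).
class TryAppendBuilder {
public:
    explicit TryAppendBuilder(uint32_t maxLength = UINT32_MAX) : m_maxLength(maxLength) {}

    bool tryAppend(std::string_view piece) {
        if (piece.size() > static_cast<size_t>(UINT32_MAX))
            return false;
        auto newLength = checkedAdd(m_length, static_cast<uint32_t>(piece.size()));
        if (!newLength || *newLength > m_maxLength)
            return false;
        m_buffer.append(piece);
        m_length = *newLength;
        return true;
    }

    uint32_t length() const { return m_length; }
    const std::string& string() const { return m_buffer; }

private:
    uint32_t m_maxLength;
    uint32_t m_length = 0;
    std::string m_buffer;
};

// Assemble function source the way a Function constructor does, piece by
// piece. nullopt marks the point at which the real constructor would throw
// a JS exception instead of crashing.
std::optional<std::string> buildFunctionSource(const std::vector<std::string>& params,
                                               std::string_view body,
                                               uint32_t maxLength = UINT32_MAX) {
    TryAppendBuilder builder(maxLength);
    if (!builder.tryAppend("function anonymous("))
        return std::nullopt;
    for (size_t i = 0; i < params.size(); ++i) {
        if (i && !builder.tryAppend(","))
            return std::nullopt;
        if (!builder.tryAppend(params[i]))
            return std::nullopt;
    }
    if (!builder.tryAppend(") {\n") || !builder.tryAppend(body) || !builder.tryAppend("\n}"))
        return std::nullopt;
    return builder.string();
}

// A 5-byte builder accepts "abc", refuses "def", and still holds exactly "abc".
bool builderRefusesOverflow() {
    TryAppendBuilder builder(5);
    return builder.tryAppend("abc") && !builder.tryAppend("def")
        && builder.length() == 3 && builder.string() == "abc";
}
```

The unchecked unshift length is the "before" of the first fix: 0xFFFFFFF0 + 0x20 wraps to 0x10. The tryAppend pattern is the second fix: callers that want the old hard-crash behaviour keep using append, and only the Function constructor path opts into the recoverable failure.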
3221
3222 2018-05-01  Robin Morisset  <rmorisset@apple.com>
3223
3224         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
3225         https://bugs.webkit.org/show_bug.cgi?id=185162
3226
3227         Reviewed by Filip Pizlo.
3228
3229         * runtime/IntlObject.cpp:
3230         (JSC::removeUnicodeLocaleExtension):
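
The edge case named in the title, as an added example that is not JSC's removeUnicodeLocaleExtension: a subtag-based stripper for the Unicode ("-u-") extension of a BCP 47 tag that leaves a tag ending in a bare "-u" alone, stops at the next singleton, and copies a private-use ("-x-") section verbatim. splitSubtags is a helper written for this example.

```cpp
#include <string>
#include <string_view>
#include <vector>

// Split a BCP 47 tag on '-'. An empty tag yields one empty subtag.
static std::vector<std::string_view> splitSubtags(std::string_view tag) {
    std::vector<std::string_view> parts;
    size_t start = 0;
    while (true) {
        size_t dash = tag.find('-', start);
        parts.push_back(tag.substr(start, dash == std::string_view::npos ? std::string_view::npos : dash - start));
        if (dash == std::string_view::npos)
            break;
        start = dash + 1;
    }
    return parts;
}

// Remove the Unicode locale extension from a language tag. The extension runs
// from the "u" singleton through its keyword subtags up to the next singleton
// (a one-character subtag) or the end of the tag. A "u" with no keyword subtag
// after it, in particular a tag that merely ends in "-u", is not an extension
// and is returned unchanged.
std::string removeUnicodeLocaleExtension(std::string_view locale) {
    std::vector<std::string_view> parts = splitSubtags(locale);
    std::vector<std::string_view> kept;
    size_t i = 0;
    // The first subtag is the language; it is never an extension singleton.
    if (!parts.empty())
        kept.push_back(parts[i++]);
    while (i < parts.size()) {
        std::string_view part = parts[i];
        if (part == "x" || part == "X") {
            // Private-use section: everything after it is opaque, copy verbatim.
            kept.insert(kept.end(), parts.begin() + i, parts.end());
            break;
        }
        if ((part == "u" || part == "U") && i + 1 < parts.size() && parts[i + 1].size() != 1) {
            // Unicode extension with at least one keyword subtag: drop the
            // singleton and its subtags up to the next singleton or the end.
            ++i;
            while (i < parts.size() && parts[i].size() != 1)
                ++i;
            continue;
        }
        kept.push_back(part); // includes a trailing bare "u", untouched
        ++i;
    }
    std::string result;
    for (size_t k = 0; k < kept.size(); ++k) {
        if (k)
            result += '-';
        result += kept[k];
    }
    return result;
}
```

The check that matters for the bug is the lookahead on the "u" singleton: without it a tag such as "en-u" would lose its last subtag, and a scanner that strips from "-u" to the end would also eat a following "-t-" or "-x-" section that is not part of the Unicode extension.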
3231
3232 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
3233
3234         Add SetCallee as DFG-Operation
3235         https://bugs.webkit.org/show_bug.cgi?id=184582
3236
3237         Reviewed by Filip Pizlo.
3238
3239         For recursive tail calls not only the argument count can change but also the
3240         callee. Add SetCallee to DFG that sets the callee slot in the current call frame.
3241         Also update the callee when optimizing a recursive tail call.
3242         Enable recursive tail call optimization also for closures.
3243
3244         * dfg/DFGAbstractInterpreterInlines.h:
3245         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3246         * dfg/DFGByteCodeParser.cpp:
3247         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
3248         (JSC::DFG::ByteCodeParser::handleCallVariant):
3249         * dfg/DFGClobberize.h:
3250         (JSC::DFG::clobberize):
3251         * dfg/DFGDoesGC.cpp:
3252         (JSC::DFG::doesGC):
3253         * dfg/DFGFixupPhase.cpp:
3254         (JSC::DFG::FixupPhase::fixupNode):
3255         * dfg/DFGMayExit.cpp:
3256         * dfg/DFGNodeType.h:
3257         * dfg/DFGPredictionPropagationPhase.cpp:
3258         * dfg/DFGSafeToExecute.h:
3259         (JSC::DFG::safeToExecute):
3260         * dfg/DFGSpeculativeJIT.cpp:
3261         (JSC::DFG::SpeculativeJIT::compileSetCallee):
3262         * dfg/DFGSpeculativeJIT.h:
3263         * dfg/DFGSpeculativeJIT32_64.cpp:
3264         (JSC::DFG::SpeculativeJIT::compile):
3265         * dfg/DFGSpeculativeJIT64.cpp:
3266         (JSC::DFG::SpeculativeJIT::compile):
3267         * ftl/FTLCapabilities.cpp:
3268         (JSC::FTL::canCompile):
3269         * ftl/FTLLowerDFGToB3.cpp:
3270         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3271         (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):
3272
3273 2018-05-01  Oleksandr Skachkov  <gskachkov@gmail.com>
3274
3275         WebAssembly: add support for stream APIs - JavaScript API
3276         https://bugs.webkit.org/show_bug.cgi?id=183442
3277
3278         Reviewed by Yusuke Suzuki and JF Bastien.
3279
3280         Add WebAssembly stream API. The current patch only adds the functions
3281         WebAssembly.compileStreaming and WebAssembly.instantiateStreaming, but
3282         does not add a streaming implementation. So in the current version it
3283         only waits for the whole module to load, then starts to parse.
3284
3285         * CMakeLists.txt:
3286         * Configurations/FeatureDefines.xcconfig:
3287         * DerivedSources.make:
3288         * JavaScriptCore.xcodeproj/project.pbxproj:
3289         * builtins/BuiltinNames.h:
3290         * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
3291         (compileStreaming):
3292         (instantiateStreaming):
3293         * jsc.cpp:
3294         * runtime/JSGlobalObject.cpp:
3295         (JSC::JSGlobalObject::init):
3296         * runtime/JSGlobalObject.h:
3297         * runtime/Options.h:
3298         * runtime/PromiseDeferredTimer.cpp:
3299         (JSC::PromiseDeferredTimer::hasPendingPromise):
3300         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
3301         * runtime/PromiseDeferredTimer.h:
3302         * wasm/js/WebAssemblyPrototype.cpp:
3303         (JSC::webAssemblyModuleValidateAsyncInternal):
3304         (JSC::webAssemblyCompileFunc):
3305         (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
3306         (JSC::webAssemblyModuleInstantinateAsyncInternal):
3307         (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
3308         (JSC::webAssemblyCompileStreamingInternal):
3309         (JSC::webAssemblyInstantiateStreamingInternal):
3310         (JSC::WebAssemblyPrototype::create):
3311         (JSC::WebAssemblyPrototype::finishCreation):
3312         * wasm/js/WebAssemblyPrototype.h:
3313
3314 2018-04-30  Saam Barati  <sbarati@apple.com>
3315
3316         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
3317         https://bugs.webkit.org/show_bug.cgi?id=185149
3318         <rdar://problem/39455917>
3319
3320         Reviewed by Filip Pizlo.
3321
3322         The bug was that we were deleting checks that we shouldn't have deleted.
3323         This patch makes a helper inside strength reduction that converts to
3324         a LazyJSConstant while maintaining checks, and switches users of the
3325         node API inside strength reduction to instead call the helper function.
3326         
3327         This patch also fixes a potential bug where StringReplace and
3328         StringReplaceRegExp may not preserve all their checks.
3329
3331         * dfg/DFGStrengthReductionPhase.cpp:
3332         (JSC::DFG::StrengthReductionPhase::handleNode):
3333         (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):
3334
3335 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
3336
3337         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
3338         https://bugs.webkit.org/show_bug.cgi?id=185126
3339
3340         Reviewed by Saam Barati.
3341         
3342         This change is just restoring functionality that we've already had for a while. It had been
3343         accidentally broken due to an unrelated CodeBlock refactoring.
3344
3345         * dfg/DFGLICMPhase.cpp:
3346         (JSC::DFG::LICMPhase::attemptHoist):
3347
3348 2018-04-30  Mark Lam  <mark.lam@apple.com>
3349
3350         Apply PtrTags to the MetaAllocator and friends.
3351         https://bugs.webkit.org/show_bug.cgi?id=185110
3352         <rdar://problem/39533895>
3353
3354         Reviewed by Saam Barati.
3355
3356         1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
3357         2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
3358            and add a sanity check to verify that allocated code buffers are within those
3359            bounds.
3360
3361         * assembler/LinkBuffer.cpp:
3362         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
3363         (JSC::LinkBuffer::copyCompactAndLinkCode):
3364         (JSC::LinkBuffer::linkCode):
3365         (JSC::LinkBuffer::allocate):
3366         * assembler/LinkBuffer.h:
3367         (JSC::LinkBuffer::LinkBuffer):
3368         (JSC::LinkBuffer::debugAddress):
3369         (JSC::LinkBuffer::code):
3370         * assembler/MacroAssemblerCodeRef.h:
3371         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
3372         * bytecode/InlineAccess.cpp:
3373         (JSC::linkCodeInline):
3374         (JSC::InlineAccess::rewireStubAsJump):
3375         * dfg/DFGJITCode.cpp:
3376         (JSC::DFG::JITCode::findPC):
3377         * ftl/FTLJITCode.cpp:
3378         (JSC::FTL::JITCode::findPC):
3379         * jit/ExecutableAllocator.cpp:
3380         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
3381         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
3382         (JSC::ExecutableAllocator::allocate):
3383         * jit/ExecutableAllocator.h: