50e98d9efaa2660bf842db5e9ea6940798db735b
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-09-27  Mark Lam  <mark.lam@apple.com>

        JSArray::canFastCopy() should fail if the source and destination arrays are the same.
        https://bugs.webkit.org/show_bug.cgi?id=177584
        <rdar://problem/34463903>

        Reviewed by Saam Barati.

        If the source and destination arrays are the same, we may be copying overlapping
        regions.  Hence, we need to take the slow path.

        * runtime/JSArrayInlines.h:
        (JSC::JSArray::canFastCopy):

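The overlap hazard this entry describes, as an added C++ illustration (not WebKit code; `ToyArray`, `copyRange` and the other names are hypothetical stand-ins for the array's contiguous storage and for the fast and slow copy paths, and the other conditions the real `canFastCopy()` checks are assumed to have already passed): a forward element-by-element fast copy, the kind of loop a `memcpy`-style path is allowed to use, reads elements it has already overwritten when source and destination are the same array, while the added guard routes that case to a copy that is correct for overlapping ranges.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for a JS array's contiguous element storage.
struct ToyArray {
    std::vector<int32_t> storage;
};

// Mirrors the extra condition the fix adds: a fast (memcpy-style) copy is only
// legal when source and destination are different objects. Everything else the
// real canFastCopy() checks (indexing type, holes, ...) is assumed to have passed.
bool canFastCopy(const ToyArray& source, const ToyArray& destination)
{
    return &source != &destination;
}

// Fast path: forward element-by-element copy. Correct only when the ranges do
// not overlap; with overlap it re-reads elements it has already overwritten.
void fastCopy(ToyArray& destination, size_t dstIndex,
              const ToyArray& source, size_t srcIndex, size_t count)
{
    for (size_t i = 0; i < count; ++i)
        destination.storage[dstIndex + i] = source.storage[srcIndex + i];
}

// Slow path: snapshot the source run first, so overlapping ranges are handled.
void slowCopy(ToyArray& destination, size_t dstIndex,
              const ToyArray& source, size_t srcIndex, size_t count)
{
    std::vector<int32_t> snapshot(source.storage.begin() + srcIndex,
                                  source.storage.begin() + srcIndex + count);
    for (size_t i = 0; i < count; ++i)
        destination.storage[dstIndex + i] = snapshot[i];
}

// Chooses the path with the guard applied.
void copyRange(ToyArray& destination, size_t dstIndex,
               const ToyArray& source, size_t srcIndex, size_t count)
{
    if (canFastCopy(source, destination))
        fastCopy(destination, dstIndex, source, srcIndex, count);
    else
        slowCopy(destination, dstIndex, source, srcIndex, count);
}

// Constructed input: shift the run [1,2,3] right by one inside the same array.
// guarded == false reproduces the unguarded fast path; true applies the fix.
std::vector<int32_t> shiftWithinSameArray(bool guarded)
{
    ToyArray a { { 1, 2, 3, 4, 5 } };
    if (guarded)
        copyRange(a, 1, a, 0, 3); // same object on both sides -> slow path
    else
        fastCopy(a, 1, a, 0, 3);  // overlapping forward copy
    return a.storage;
}
```

Shifting `[1,2,3]` right by one inside the same array yields `[1,1,1,1,5]` on the unguarded fast path and the intended `[1,1,2,3,5]` once the guard sends the copy down the slow path.
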
2017-09-27  Saam Barati  <sbarati@apple.com>

        Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
        https://bugs.webkit.org/show_bug.cgi?id=177523

        Reviewed by Mark Lam.

        There was a bug in Structure's transition constructor where it didn't
        propagate forward the hasBeenFlattenedBefore bit. In practice, this meant
        that every time we asked a dictionary structure if it has been flattened
        before, it would return false. This patch fixes this bug. It also fixes
        a bug that this uncovers in our for-in implementation. Our implementation
        would cache the property name enumerator even when the prototype chain
        included a structure that is a dictionary. This is wrong because that
        prototype object may add properties without transitioning, and the for-in
        loop would vend a stale set of prototype properties.

        * jit/JITOperations.cpp:
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::canCachePropertyNameEnumerator const):

2017-09-27  Mark Lam  <mark.lam@apple.com>

        Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
        https://bugs.webkit.org/show_bug.cgi?id=177423
        <rdar://problem/34621320>

        Reviewed by Keith Miller.

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::tryConsumeGroupName):

2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix x86 breakage due to exhausted registers
        https://bugs.webkit.org/show_bug.cgi?id=175823

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):

2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix after r222563
        https://bugs.webkit.org/show_bug.cgi?id=175823

        * runtime/JSArrayInlines.h:

2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add Above/Below comparisons for UInt32 patterns
        https://bugs.webkit.org/show_bug.cgi?id=177281

        Reviewed by Saam Barati.

        Sometimes, we would like to have UInt32 operations in JS. While the VM does
        not support UInt32 nicely, it supports efficient Int32 operations. As long
        as signedness does not matter, we can just perform Int32 operations instead
        and recognize their bit patterns as UInt32.

        But of course, some operations respect signedness. The most frequently
        used one is comparison. Octane/zlib performs UInt32 comparison by performing
        `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces
        UInt32 in Int32 form. And op_unsigned will generate a Double value if
        the generated Int32 is < 0 (which should be UInt32).

        There is a chance for optimization. The given code pattern is the following.

            op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2))

        This can be converted to the following.

            op_urshift(@1) below:< op_urshift(@2)

        The above conversion is nice since

        1. We can avoid op_unsigned. This could be an unsignedness check in the DFG. Since
        this check depends on the value of the Int32, dropping this check is not as easy as
        removing Int32 edge filters.

        2. We can perform unsigned comparison in Int32 form. We do not need to convert
        them to DoubleRep.

        Since the above comparison exists in Octane/zlib's *super* hot path, dropping
        op_unsigned offers a huge win.

        At first, my patch attempted to convert the above pattern in the DFG pipeline.
        However, it posed several problems.

        1. MovHint is not well removed. It makes UInt32ToNumber (which is for op_unsigned) live.
        2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes,

            2: UInt32ToNumber(@0)
            3: MovHint(@2, xxx)
            4: UInt32ToNumber(@1)
            5: MovHint(@1, xxx)

        we could drop @5's MovHint. But @3 is difficult since @4 can exit.

        So, instead, we start by introducing a simple optimization in the bytecode compiler.
        It performs pattern matching for op_urshift and comparison to drop op_unsigned.
        We add op_below and op_above families to the bytecodes. They only accept Int32 and
        perform unsigned comparison.

        This offers a 4% performance improvement in Octane/zlib.

                                    baseline                  patched

        zlib           x2     431.07483+-16.28434       414.33407+-9.38375         might be 1.0404x faster

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCompareJump):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/Opcode.h:
        (JSC::isBranch):
        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::extractStoredJumpTargetsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCompareUnsigned):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_below):
        (JSC::JIT::emit_op_beloweq):
        (JSC::JIT::emit_op_jbelow):
        (JSC::JIT::emit_op_jbeloweq):
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Nodes.h:
        (JSC::ExpressionNode::isBinaryOpNode const):

2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Support ArrayPush with multiple args
        https://bugs.webkit.org/show_bug.cgi?id=175823

        Reviewed by Saam Barati.

        This patch implements ArrayPush (with multiple arguments) in DFG and FTL. Previously, these were not handled
        by ArrayPush; they went to a generic direct call to Array#push, which runs in the slow path. This patch
        extends ArrayPush to push multiple arguments in a bulk push manner.

        The problem with ArrayPush is that we need to perform ArrayPush atomically: if an OSR exit occurs in the middle
        of ArrayPush, we would incorrectly push already-pushed elements twice. Once we start pushing values, we should not exit.
        But we do not want to iterate the elements twice, once for type checks and once for actually pushing them. It
        could move elements between registers and memory back and forth.

        This patch achieves the above goal by separating type checks from ArrayPush. When starting ArrayPush, type
        checks for the elements are already done by separately emitted Check nodes.

        We also add JSArray::pushInline for DFG operations that just call JSArray::push. And we also use it in
        arrayProtoFuncPush's fast path.

        This patch significantly improves the performance of `push(multiple args)`.

                                            baseline                  patched
            Microbenchmarks:
                array-push-0            461.8455+-28.9995    ^    151.3438+-6.5653        ^ definitely 3.0516x faster
                array-push-1            133.8845+-7.0349     ?    136.1775+-5.8327        ? might be 1.0171x slower
                array-push-2            675.6555+-13.4645    ^    145.8747+-6.4621        ^ definitely 4.6318x faster
                array-push-3            849.5284+-15.2540    ^    253.4421+-9.1249        ^ definitely 3.3520x faster

                                            baseline                  patched
            SixSpeed:
                spread-literal.es5       90.3482+-6.6514     ^     24.8123+-2.3304        ^ definitely 3.6413x faster

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayPush):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
        * jit/JITOperations.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPush):
        * runtime/JSArray.cpp:
        (JSC::JSArray::push):
        * runtime/JSArray.h:
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):

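The atomicity problem described in this entry, as an added C++ illustration (not WebKit code; `Value`, `Int32Array`, `SpeculationFailure` and the push functions are hypothetical stand-ins): an interleaved check-and-store leaves already-pushed elements behind when a later check fails, so redoing the operation in the slow path pushes them twice, whereas running every check before the first store keeps the array unchanged until the push is guaranteed to complete.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical stand-ins written for this illustration; none are JSC types.

// A value whose speculated type may turn out to be wrong.
struct Value {
    bool isInt32;
    int32_t payload;
};

// An array with contiguous Int32 storage.
struct Int32Array {
    std::vector<int32_t> storage;
};

// Plays the role of an OSR exit: the optimized code gives up part way through.
struct SpeculationFailure : std::runtime_error {
    using std::runtime_error::runtime_error;
};

void checkIsInt32(const Value& v)
{
    if (!v.isInt32)
        throw SpeculationFailure("operand is not Int32");
}

// Interleaved check-then-store, one element at a time. If the third operand
// fails its check, the first two have already been appended.
void pushAllInterleaved(Int32Array& array, const std::vector<Value>& args)
{
    for (const Value& v : args) {
        checkIsInt32(v);
        array.storage.push_back(v.payload);
    }
}

// The structure the patch describes: every type check runs before the first
// store, so once pushing starts nothing can exit. In the real pipeline the
// checks are separately emitted Check nodes, so the push itself loops once;
// the first loop here only models that earlier phase.
void pushAllChecked(Int32Array& array, const std::vector<Value>& args)
{
    for (const Value& v : args)
        checkIsInt32(v);
    for (const Value& v : args)
        array.storage.push_back(v.payload);
}

// Generic slow path, standing in for the direct call to Array#push that
// accepts any value kind (here it simply stores the payload).
void pushAllSlowPath(Int32Array& array, const std::vector<Value>& args)
{
    for (const Value& v : args)
        array.storage.push_back(v.payload);
}

// Runs one fast-path variant; on a speculation failure the whole push is redone
// in the slow path, as the bytecode would be re-executed after an OSR exit.
// Returns the resulting array length.
size_t pushWithFallback(bool checksFirst, const std::vector<Value>& args)
{
    Int32Array array;
    try {
        if (checksFirst)
            pushAllChecked(array, args);
        else
            pushAllInterleaved(array, args);
    } catch (const SpeculationFailure&) {
        pushAllSlowPath(array, args);
    }
    return array.storage.size();
}

// Constructed inputs: two Int32 operands followed by one that fails the check,
// and a run where every operand passes.
const std::vector<Value> mixedArgs = { { true, 1 }, { true, 2 }, { false, 0 } };
const std::vector<Value> allInt32Args = { { true, 1 }, { true, 2 }, { true, 3 } };
```

With `mixedArgs` the interleaved variant ends with five elements (1 and 2 stored twice) while the checks-first variant ends with the correct three; when every operand is Int32 the two variants behave identically.
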
2017-09-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused parameter of Page.reload
        https://bugs.webkit.org/show_bug.cgi?id=177522

        Reviewed by Matt Baker.

        * inspector/protocol/Page.json:

2017-09-26  Filip Pizlo  <fpizlo@apple.com>

        Put g_gigacageBasePtr into its own page and make it read-only
        https://bugs.webkit.org/show_bug.cgi?id=174972

        Reviewed by Michael Saboff.

        C++ code doesn't have to know about this change. That includes C++ code that generates JIT code.

        But the offline assembler now needs to know about how to load from offsets of global variables.
        This turned out to be easy to support by extending the existing expression support.

        * llint/LowLevelInterpreter64.asm:
        * offlineasm/ast.rb:
        * offlineasm/parser.rb:
        * offlineasm/transform.rb:
        * offlineasm/x86.rb:

2017-09-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r222518.
        https://bugs.webkit.org/show_bug.cgi?id=177507

        Break the High Sierra build (Requested by yusukesuzuki on
        #webkit).

        Reverted changeset:

        "Add Above/Below comparisons for UInt32 patterns"
        https://bugs.webkit.org/show_bug.cgi?id=177281
        http://trac.webkit.org/changeset/222518

2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add Above/Below comparisons for UInt32 patterns
        https://bugs.webkit.org/show_bug.cgi?id=177281

        Reviewed by Saam Barati.

        Sometimes, we would like to have UInt32 operations in JS. While the VM does
        not support UInt32 nicely, it supports efficient Int32 operations. As long
        as signedness does not matter, we can just perform Int32 operations instead
        and recognize their bit patterns as UInt32.

        But of course, some operations respect signedness. The most frequently
        used one is comparison. Octane/zlib performs UInt32 comparison by performing
        `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces
        UInt32 in Int32 form. And op_unsigned will generate a Double value if
        the generated Int32 is < 0 (which should be UInt32).

        There is a chance for optimization. The given code pattern is the following.

            op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2))

        This can be converted to the following.

            op_urshift(@1) below:< op_urshift(@2)

        The above conversion is nice since

        1. We can avoid op_unsigned. This could be an unsignedness check in the DFG. Since
        this check depends on the value of the Int32, dropping this check is not as easy as
        removing Int32 edge filters.

        2. We can perform unsigned comparison in Int32 form. We do not need to convert
        them to DoubleRep.

        Since the above comparison exists in Octane/zlib's *super* hot path, dropping
        op_unsigned offers a huge win.

        At first, my patch attempted to convert the above pattern in the DFG pipeline.
        However, it posed several problems.

        1. MovHint is not well removed. It makes UInt32ToNumber (which is for op_unsigned) live.
        2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes,

            2: UInt32ToNumber(@0)
            3: MovHint(@2, xxx)
            4: UInt32ToNumber(@1)
            5: MovHint(@1, xxx)

        we could drop @5's MovHint. But @3 is difficult since @4 can exit.

        So, instead, we start by introducing a simple optimization in the bytecode compiler.
        It performs pattern matching for op_urshift and comparison to drop op_unsigned.
        We add op_below and op_above families to the bytecodes. They only accept Int32 and
        perform unsigned comparison.

        This offers a 4% performance improvement in Octane/zlib.

                                    baseline                  patched

        zlib           x2     431.07483+-16.28434       414.33407+-9.38375         might be 1.0404x faster

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCompareJump):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/Opcode.h:
        (JSC::isBranch):
        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::extractStoredJumpTargetsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCompareUnsigned):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_below):
        (JSC::JIT::emit_op_beloweq):
        (JSC::JIT::emit_op_jbelow):
        (JSC::JIT::emit_op_jbeloweq):
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Nodes.h:
        (JSC::ExpressionNode::isBinaryOpNode const):

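Both landings of this change (this r222518 entry and the re-landed copy earlier in the log) rest on the claim that comparing the `op_urshift` results directly with `op_below` gives the same answer as comparing the numbers `op_unsigned` produces. As an added C++ illustration (not WebKit code; every function name is a hypothetical stand-in and the ToUint32 emulation is this example's own), the block models the Int32 form that `op_urshift` leaves behind, the Double that `op_unsigned` materialises from a negative bit pattern, and sweeps the boundary values to confirm that the unsigned comparison on the Int32 form agrees with the original sequence while a signed comparison on the same bits does not.

```cpp
#include <cmath>
#include <cstdint>

// All names here are hypothetical stand-ins written for this illustration.

// What op_urshift leaves behind for `x >>> 0`: the ToUint32 result kept in an
// int32 register, so unsigned values >= 2^31 look negative.
int32_t urshiftZeroAsInt32(double x)
{
    // ToUint32 for finite doubles: truncate toward zero, then reduce modulo 2^32.
    double reduced = std::fmod(std::trunc(x), 4294967296.0);
    if (reduced < 0)
        reduced += 4294967296.0;
    uint32_t bits = static_cast<uint32_t>(reduced);
    return static_cast<int32_t>(bits); // reinterpret the bits, do not convert the value
}

// op_unsigned: the JS number a program observes for that int32 form. A negative
// bit pattern has to be widened to a double >= 2^31.
double unsignedToNumber(int32_t int32Form)
{
    return static_cast<double>(static_cast<uint32_t>(int32Form));
}

// The original bytecode sequence: op_unsigned on both sides, then a numeric <.
bool lessThanViaUnsigned(double a, double b)
{
    return unsignedToNumber(urshiftZeroAsInt32(a))
         < unsignedToNumber(urshiftZeroAsInt32(b));
}

// op_below: an unsigned comparison directly on the int32 forms. No widening,
// no DoubleRep, and no value-dependent check that could exit.
bool below(int32_t a, int32_t b)
{
    return static_cast<uint32_t>(a) < static_cast<uint32_t>(b);
}

bool lessThanViaBelow(double a, double b)
{
    return below(urshiftZeroAsInt32(a), urshiftZeroAsInt32(b));
}

// What goes wrong if the ordinary signed op_less is applied to the int32 forms:
// 0xFFFFFFFF (the form of 4294967295 >>> 0) compares as -1.
bool lessThanSignedOnInt32Form(double a, double b)
{
    return urshiftZeroAsInt32(a) < urshiftZeroAsInt32(b);
}

// Sweeps the boundaries where the two encodings diverge (sign-bit flip, 2^32
// wraparound, negatives, fractions) and counts pairs on which the original
// sequence and the op_below form disagree. Expected: 0.
int countDisagreements()
{
    const double samples[] = { -1.0, 0.0, 1.0, 3.7, -0.5, 2147483647.0, 2147483648.0,
                               -2147483648.0, 4294967295.0, 4294967296.0 };
    int disagreements = 0;
    for (double a : samples)
        for (double b : samples)
            if (lessThanViaUnsigned(a, b) != lessThanViaBelow(a, b))
                ++disagreements;
    return disagreements;
}
```

The equivalence holds because every uint32 is exactly representable as a double and `<` on those doubles orders them exactly as `<` on the uint32 values does, so the widening step can be skipped whenever both operands are known to be the Int32 form of an `op_urshift` result.
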
2017-09-24  Keith Miller  <keith_miller@apple.com>

        JSC build should use unified sources for derived sources
        https://bugs.webkit.org/show_bug.cgi?id=177421

        Reviewed by JF Bastien.

        This patch makes a couple of changes:

        1) Make derived sources get added to the relevant bundles. I was going to add JSCBuiltins.cpp
        to runtime but that kept breaking the Windows build. I'll get back to it later.
        2) Move the derived location of some sources both for clarity and for ease of use.
        3) Make auto-generator scripts able to create directories if needed.
        4) Move some scripts from the top level of the JavaScriptCore directory to a
        more appropriate directory.
        5) Move some CMake generation commands around for clarity.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/lazywriter.py:
        (LazyFileWriter.close):
        * Sources.txt:
        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (IncrementalFileWriter.close):
        * yarr/create_regex_tables: Renamed from Source/JavaScriptCore/create_regex_tables.
        * yarr/generateYarrCanonicalizeUnicode: Renamed from Source/JavaScriptCore/generateYarrCanonicalizeUnicode.

2017-09-26  Zan Dobersek  <zdobersek@igalia.com>

        Support building JavaScriptCore with the Bionic C library
        https://bugs.webkit.org/show_bug.cgi?id=177427

        Reviewed by Michael Catanzaro.

        When compiling with the Bionic C library, the MachineContext.h header
        should enable the same code paths that are enabled for the GNU C library.

        The Bionic C library defines the __BIONIC__ macro, but unlike other C
        libraries that mimic the GNU one, it doesn't define __GLIBC__. So the
        __BIONIC__ macro checks have to match the __GLIBC__ ones.

        * runtime/MachineContext.h:
        (JSC::MachineContext::stackPointer):
        (JSC::MachineContext::framePointer):
        (JSC::MachineContext::instructionPointer):
        (JSC::MachineContext::argumentPointer<1>):
        (JSC::MachineContext::llintInstructionPointer):

2017-09-25  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: move Console.addInspectedNode to DOM.setInspectedNode
        https://bugs.webkit.org/show_bug.cgi?id=176827

        Reviewed by Joseph Pecoraro.

        * inspector/agents/InspectorConsoleAgent.h:

        * inspector/agents/JSGlobalObjectConsoleAgent.h:
        * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
        (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode): Deleted.

        * inspector/protocol/Console.json:
        * inspector/protocol/DOM.json:

2017-09-25  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rebaseline builtins generator tests after r222473.

        * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:

2017-09-25  Alex Christensen  <achristensen@webkit.org>

        Make Attribute an enum class
        https://bugs.webkit.org/show_bug.cgi?id=177414

        Reviewed by Yusuke Suzuki.

        I've had enough of these naming collisions.  This is what enum classes are for.
        Unfortunately a lot of static_cast<unsigned> is necessary until those functions take
        an OptionSet<Attribute> instead of an unsigned parameter, but this is a big step
        towards where we ought to be.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        * API/JSObjectRef.cpp:
        (JSObjectMakeConstructor):
        * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
        (BuiltinsInternalsWrapperImplementationGenerator.property_macro):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::isValidValueForAttributes):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::instantiateLexicalVariables):
        (JSC::BytecodeGenerator::variable):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Variable::isReadOnly const):
        (JSC::Variable::setIsReadOnly):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * create_hash_table:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::getOwnPropertySlot):
        * dfg/DFGOperations.cpp:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * jsc.cpp:
        (WTF::CustomGetter::getOwnPropertySlot):
        (WTF::RuntimeArray::getOwnPropertySlot):
        (WTF::RuntimeArray::getOwnPropertySlotByIndex):
        (WTF::DOMJITGetter::finishCreation):
        (WTF::DOMJITGetterComplex::finishCreation):
        (WTF::DOMJITFunctionObject::finishCreation):
        (WTF::DOMJITCheckSubClassObject::finishCreation):
        (GlobalObject::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/AsyncFromSyncIteratorPrototype.cpp:
        (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::AsyncFunctionConstructor::finishCreation):
        * runtime/AsyncFunctionPrototype.cpp:
        (JSC::AsyncFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorFunctionConstructor.cpp:
        (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
        * runtime/AsyncGeneratorFunctionPrototype.cpp:
        (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorPrototype.cpp:
        (JSC::AsyncGeneratorPrototype::finishCreation):
        * runtime/AsyncIteratorPrototype.cpp:
        (JSC::AsyncIteratorPrototype::finishCreation):
        * runtime/AtomicsObject.cpp:
        (JSC::AtomicsObject::finishCreation):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createStructure):
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::materializeSpecials):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/ConsoleObject.cpp:
        (JSC::ConsoleObject::finishCreation):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::finishCreation):
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::FunctionPrototype::initRestrictedProperties):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::GeneratorFunctionConstructor::finishCreation):
        * runtime/GeneratorFunctionPrototype.cpp:
        (JSC::GeneratorFunctionPrototype::finishCreation):
        * runtime/GeneratorPrototype.cpp:
        (JSC::GeneratorPrototype::finishCreation):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation):
        * runtime/IteratorPrototype.cpp:
        (JSC::IteratorPrototype::finishCreation):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        (JSC::JSArray::setLengthWithArrayStorage):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::JSArrayBufferPrototype::finishCreation):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getOwnPropertySlot):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::finishCreation):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::JSFunction::reifyLength):
        (JSC::JSFunction::reifyName):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
        (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::addStaticGlobals):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::finishCreation):
        (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::finishCreation):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::ordinarySetSlow):
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::putGetter):
        (JSC::JSObject::putSetter):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::putDescriptor):
        (JSC::validateAndApplyPropertyDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectInternal):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::finishCreation):
        (JSC::JSPromiseConstructor::addOwnInternalSlots):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::finishCreation):
        (JSC::JSPromisePrototype::addOwnInternalSlots):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::JSTypedArrayViewConstructor::finishCreation):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/LazyClassStructure.cpp:
        (JSC::LazyClassStructure::Initializer::setConstructor):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        (JSC::setUpStaticFunctionSlot):
717         * runtime/Lookup.h:
718         (JSC::HashTableValue::intrinsic const):
719         (JSC::HashTableValue::builtinGenerator const):
720         (JSC::HashTableValue::function const):
721         (JSC::HashTableValue::functionLength const):
722         (JSC::HashTableValue::propertyGetter const):
723         (JSC::HashTableValue::propertyPutter const):
724         (JSC::HashTableValue::domJIT const):
725         (JSC::HashTableValue::signature const):
726         (JSC::HashTableValue::accessorGetter const):
727         (JSC::HashTableValue::accessorSetter const):
728         (JSC::HashTableValue::constantInteger const):
729         (JSC::HashTableValue::lazyCellPropertyOffset const):
730         (JSC::HashTableValue::lazyClassStructureOffset const):
731         (JSC::HashTableValue::lazyPropertyCallback const):
732         (JSC::HashTableValue::builtinAccessorGetterGenerator const):
733         (JSC::HashTableValue::builtinAccessorSetterGenerator const):
734         (JSC::getStaticPropertySlotFromTable):
735         (JSC::putEntry):
736         (JSC::reifyStaticProperty):
737         * runtime/MapConstructor.cpp:
738         (JSC::MapConstructor::finishCreation):
739         * runtime/MapIteratorPrototype.cpp:
740         (JSC::MapIteratorPrototype::finishCreation):
741         * runtime/MapPrototype.cpp:
742         (JSC::MapPrototype::finishCreation):
743         * runtime/MathObject.cpp:
744         (JSC::MathObject::finishCreation):
745         * runtime/NativeErrorConstructor.cpp:
746         (JSC::NativeErrorConstructor::finishCreation):
747         * runtime/NativeErrorPrototype.cpp:
748         (JSC::NativeErrorPrototype::finishCreation):
749         * runtime/NumberConstructor.cpp:
750         (JSC::NumberConstructor::finishCreation):
751         * runtime/NumberPrototype.cpp:
752         (JSC::NumberPrototype::finishCreation):
753         * runtime/ObjectConstructor.cpp:
754         (JSC::ObjectConstructor::finishCreation):
755         (JSC::objectConstructorAssign):
756         (JSC::objectConstructorValues):
757         (JSC::objectConstructorDefineProperty):
758         * runtime/ObjectPrototype.cpp:
759         (JSC::ObjectPrototype::finishCreation):
760         (JSC::objectProtoFuncLookupGetter):
761         (JSC::objectProtoFuncLookupSetter):
762         * runtime/ProgramExecutable.cpp:
763         (JSC::ProgramExecutable::initializeGlobalProperties):
764         * runtime/PropertyDescriptor.cpp:
765         (JSC::PropertyDescriptor::writable const):
766         (JSC::PropertyDescriptor::enumerable const):
767         (JSC::PropertyDescriptor::configurable const):
768         (JSC::PropertyDescriptor::setUndefined):
769         (JSC::PropertyDescriptor::setDescriptor):
770         (JSC::PropertyDescriptor::setCustomDescriptor):
771         (JSC::PropertyDescriptor::setAccessorDescriptor):
772         (JSC::PropertyDescriptor::setWritable):
773         (JSC::PropertyDescriptor::setEnumerable):
774         (JSC::PropertyDescriptor::setConfigurable):
775         (JSC::PropertyDescriptor::setSetter):
776         (JSC::PropertyDescriptor::setGetter):
777         (JSC::PropertyDescriptor::attributesEqual const):
778         (JSC::PropertyDescriptor::attributesOverridingCurrent const):
779         * runtime/PropertySlot.cpp:
780         (JSC::PropertySlot::customGetter const):
781         * runtime/PropertySlot.h:
782         (JSC::operator| ):
783         (JSC::operator&):
784         (JSC::operator<):
785         (JSC::operator~):
786         (JSC::operator|=):
787         (JSC::PropertySlot::setUndefined):
788         * runtime/ProxyConstructor.cpp:
789         (JSC::makeRevocableProxy):
790         (JSC::ProxyConstructor::finishCreation):
791         * runtime/ProxyObject.cpp:
792         (JSC::ProxyObject::performHasProperty):
793         * runtime/ProxyRevoke.cpp:
794         (JSC::ProxyRevoke::finishCreation):
795         * runtime/ReflectObject.cpp:
796         (JSC::ReflectObject::finishCreation):
797         (JSC::reflectObjectDefineProperty):
798         * runtime/RegExpConstructor.cpp:
799         (JSC::RegExpConstructor::finishCreation):
800         * runtime/RegExpObject.cpp:
801         (JSC::RegExpObject::getOwnPropertySlot):
802         * runtime/RegExpPrototype.cpp:
803         (JSC::RegExpPrototype::finishCreation):
804         * runtime/ScopedArguments.cpp:
805         (JSC::ScopedArguments::overrideThings):
806         * runtime/SetConstructor.cpp:
807         (JSC::SetConstructor::finishCreation):
808         * runtime/SetIteratorPrototype.cpp:
809         (JSC::SetIteratorPrototype::finishCreation):
810         * runtime/SetPrototype.cpp:
811         (JSC::SetPrototype::finishCreation):
812         * runtime/SparseArrayValueMap.cpp:
813         (JSC::SparseArrayValueMap::putDirect):
814         (JSC::SparseArrayEntry::put):
815         * runtime/StringConstructor.cpp:
816         (JSC::StringConstructor::finishCreation):
817         * runtime/StringIteratorPrototype.cpp:
818         (JSC::StringIteratorPrototype::finishCreation):
819         * runtime/StringPrototype.cpp:
820         (JSC::StringPrototype::finishCreation):
821         * runtime/Structure.cpp:
822         (JSC::Structure::nonPropertyTransition):
823         (JSC::Structure::isSealed):
824         (JSC::Structure::isFrozen):
825         (JSC::Structure::getPropertyNamesFromStructure):
826         (JSC::Structure::prototypeChainMayInterceptStoreTo):
827         * runtime/StructureInlines.h:
828         (JSC::Structure::add):
829         * runtime/SymbolConstructor.cpp:
830         (JSC::SymbolConstructor::finishCreation):
831         * runtime/SymbolPrototype.cpp:
832         (JSC::SymbolPrototype::finishCreation):
833         * runtime/SymbolTable.h:
834         (JSC::SymbolTableEntry::Fast::getAttributes const):
835         (JSC::SymbolTableEntry::SymbolTableEntry):
836         (JSC::SymbolTableEntry::setAttributes):
837         * runtime/TemplateRegistry.cpp:
838         (JSC::TemplateRegistry::getTemplateObject):
839         * runtime/WeakMapConstructor.cpp:
840         (JSC::WeakMapConstructor::finishCreation):
841         * runtime/WeakMapPrototype.cpp:
842         (JSC::WeakMapPrototype::finishCreation):
843         * runtime/WeakSetConstructor.cpp:
844         (JSC::WeakSetConstructor::finishCreation):
845         * runtime/WeakSetPrototype.cpp:
846         (JSC::WeakSetPrototype::finishCreation):
847         * tools/JSDollarVMPrototype.cpp:
848         (JSC::JSDollarVMPrototype::finishCreation):
849         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
850         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
851         * wasm/js/WebAssemblyInstanceConstructor.cpp:
852         (JSC::WebAssemblyInstanceConstructor::finishCreation):
853         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
854         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
855         * wasm/js/WebAssemblyMemoryConstructor.cpp:
856         (JSC::WebAssemblyMemoryConstructor::finishCreation):
857         * wasm/js/WebAssemblyMemoryPrototype.cpp:
858         * wasm/js/WebAssemblyModuleConstructor.cpp:
859         (JSC::WebAssemblyModuleConstructor::finishCreation):
860         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
861         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
862         * wasm/js/WebAssemblyTableConstructor.cpp:
863         (JSC::WebAssemblyTableConstructor::finishCreation):
864
865 2017-09-23  Oleksandr Skachkov  <gskachkov@gmail.com>
866
867         [ESNext] Async iteration - Implement Async Generator - optimization
868         https://bugs.webkit.org/show_bug.cgi?id=175891
869
870         Reviewed by Yusuke Suzuki.
871
872         Add a small optimization for async generators:
873         1. Merge the async generator queue into the async generator itself:
874         generator.@first / generator.@last is enough; by doing so,
875           we remove one unnecessary object allocation.
876         2. Merge the request with the queue.
877
878         * builtins/AsyncGeneratorPrototype.js:
879         (globalPrivate.asyncGeneratorQueueIsEmpty):
880         (globalPrivate.asyncGeneratorQueueCreateItem):
881         (globalPrivate.asyncGeneratorQueueEnqueue):
882         (globalPrivate.asyncGeneratorQueueDequeue):
883         (globalPrivate.asyncGeneratorDequeue):
884         (globalPrivate.isSuspendYieldState):
885         (globalPrivate.asyncGeneratorEnqueue):
886         * builtins/BuiltinNames.h:
887         * bytecompiler/BytecodeGenerator.cpp:
888         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
889         * bytecompiler/BytecodeGenerator.h:
890         * bytecompiler/NodesCodegen.cpp:
891         (JSC::FunctionNode::emitBytecode):
892
893 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
894
895         test262: $.agent became $262.agent in test262 update
896         https://bugs.webkit.org/show_bug.cgi?id=177407
897
898         Reviewed by Yusuke Suzuki.
899
900         * jsc.cpp:
901         (GlobalObject::finishCreation):
902         Alias `$` and `$262` for now.
903
904 2017-09-22  Keith Miller  <keith_miller@apple.com>
905
906         Speculatively change iteration protocol to use the same next function
907         https://bugs.webkit.org/show_bug.cgi?id=175653
908
909         Reviewed by Saam Barati.
910
911         This patch speculatively makes a change to the iteration protocol to fetch the next
912         property immediately after calling the Symbol.iterator function. This is, in theory,
913         a breaking change, so we will see if this breaks things (most likely it won't, as this
914         is a relatively subtle point).
915
916         See: https://github.com/tc39/ecma262/issues/976
917
918         * builtins/IteratorHelpers.js:
919         (performIteration):
920         * bytecompiler/BytecodeGenerator.cpp:
921         (JSC::BytecodeGenerator::emitEnumeration):
922         (JSC::BytecodeGenerator::emitIteratorNext):
923         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
924         (JSC::BytecodeGenerator::emitDelegateYield):
925         * bytecompiler/BytecodeGenerator.h:
926         * bytecompiler/NodesCodegen.cpp:
927         (JSC::ArrayPatternNode::bindValue const):
928         * inspector/JSInjectedScriptHost.cpp:
929         (Inspector::JSInjectedScriptHost::iteratorEntries):
930         * runtime/IteratorOperations.cpp:
931         (JSC::iteratorNext):
932         (JSC::iteratorStep):
933         (JSC::iteratorClose):
934         (JSC::iteratorForIterable):
935         * runtime/IteratorOperations.h:
936         (JSC::forEachInIterable):
937         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
938         (JSC::constructGenericTypedArrayViewFromIterator):
939         (JSC::constructGenericTypedArrayViewWithArguments):
940
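The entry above changes when the iterator's `next` property is read. The following is an added example, not code from the WebKit ChangeLog or the JSC sources: an iterable whose `next` is a logging accessor, consumed by for-of, spread and array destructuring, so the number of `next` reads per consumer becomes observable (one read right after Symbol.iterator(), where a per-step fetch would log one read for every call to next, including the final done step).

```javascript
// Added example (not part of the WebKit ChangeLog or JSC): count how often an
// iterator's `next` property is read by for-of, spread and destructuring.
// With `next` fetched once right after Symbol.iterator() is called, a `next`
// that is swapped in later is never consulted, so the count is 1 regardless of
// how many elements the iteration yields.

// Build an iterable over `values` whose `next` is an accessor; every read of
// it is recorded in `log`. The object serves as its own iterator.
function makeObservedIterable(values, log) {
  let index = 0;
  return {
    [Symbol.iterator]() {
      log.push('Symbol.iterator');
      return this;
    },
    get next() {
      log.push('get next');
      return () => (index < values.length
        ? { value: values[index++], done: false }
        : { value: undefined, done: true });
    },
  };
}

// Run `consume` over a fresh observed iterable and return the access log.
function observe(consume, values = [10, 20, 30]) {
  const log = [];
  consume(makeObservedIterable(values, log));
  return log;
}

// Number of times `next` was read while the iterable was consumed.
function nextReads(log) {
  return log.filter((entry) => entry === 'get next').length;
}

// Three consumers that all go through the engine's GetIterator path.
const consumers = {
  forOf: (it) => { for (const _ of it) { /* drain */ } },
  spread: (it) => [...it],
  destructure: (it) => { const [a, b, c] = it; return [a, b, c]; },
};

// Map each consumer name to the number of `next` reads it caused.
function nextReadsPerConsumer() {
  const out = {};
  for (const [name, consume] of Object.entries(consumers))
    out[name] = nextReads(observe(consume));
  return out;
}

console.log(nextReadsPerConsumer()); // { forOf: 1, spread: 1, destructure: 1 }
```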
941 2017-09-22  Fujii Hironori  <Hironori.Fujii@sony.com>
942
943         [Win64] Crashes in Yarr JIT compiled code
944         https://bugs.webkit.org/show_bug.cgi?id=177293
945
946         Reviewed by Yusuke Suzuki.
947
948         On x64 Windows, the rcx register is used for the address of the allocated
949         space for the return value. But rcx has been used for regT1 since
950         r221052. Save rcx on the stack.
951
952         * yarr/YarrJIT.cpp:
953         (JSC::Yarr::YarrGenerator::generateEnter): Push ecx.
954         (JSC::Yarr::YarrGenerator::generateReturn): Pop ecx.
955
956 2017-09-22  Saam Barati  <sbarati@apple.com>
957
958         Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
959         https://bugs.webkit.org/show_bug.cgi?id=177368
960
961         Reviewed by Keith Miller.
962
963         * runtime/ErrorInstance.cpp:
964         (JSC::ErrorInstance::finishCreation):
965         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
966         (JSC::ErrorInstance::visitChildren):
967
968 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
969
970         [DFG][FTL] Profile array vector length for array allocation
971         https://bugs.webkit.org/show_bug.cgi?id=177051
972
973         Reviewed by Saam Barati.
974
975         Currently, NewArrayBuffer allocation is penalized by JSC: While an empty array gets a vector size of 25 (BASE_CONTIGUOUS_VECTOR_LEN),
976         the new_array_buffer case gets a vector size of 3 (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
977         if the number of its constant elements is larger than 3. But these created arrays may be grown by the `push()` operation after
978         the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
979
980             empty array allocation,
981
982             var array = [];
983             array.push(0);
984             array.push(1);
985             array.push(2);
986             array.push(3);
987             array.push(4);
988
989             v.s. new_array_buffer case,
990
991             var array = [0];
992             array.push(1);
993             array.push(2);
994             array.push(3);
995             array.push(4);
996
997         In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (and that is a bit likely),
998         we should allocate a vector size of 3 to 25 if it is likely to be grown. So we should get a profile of the resulting array.
999
1000         We select 25 to make it fit one of the size classes.
1001
1002         In this patch, we extend ArrayAllocationProfile to record the vector length, and use this information when allocating the array for new_array_buffer.
1003         If the number of new_array_buffer constants is <= 25, the array vector size becomes 3 to 25 based on profiling. If the number of its constants
1004         is larger than 25, we just use it for allocation as before.
1005
1006         The added microbenchmark and SixSpeed spread-literal.es5 show improvement.
1007
1008             new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
1009             spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster
1010
1011         * bytecode/ArrayAllocationProfile.cpp:
1012         (JSC::ArrayAllocationProfile::updateProfile):
1013         (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
1014         * bytecode/ArrayAllocationProfile.h:
1015         (JSC::ArrayAllocationProfile::selectIndexingType):
1016         (JSC::ArrayAllocationProfile::vectorLengthHint):
1017         (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
1018         * bytecode/CodeBlock.cpp:
1019         (JSC::CodeBlock::updateAllArrayPredictions):
1020         * dfg/DFGByteCodeParser.cpp:
1021         (JSC::DFG::ByteCodeParser::parseBlock):
1022         * dfg/DFGGraph.cpp:
1023         (JSC::DFG::Graph::dump):
1024         * dfg/DFGNode.h:
1025         (JSC::DFG::Node::vectorLengthHint):
1026         * dfg/DFGOperations.cpp:
1027         * dfg/DFGOperations.h:
1028         * dfg/DFGSpeculativeJIT64.cpp:
1029         (JSC::DFG::SpeculativeJIT::compile):
1030         * ftl/FTLLowerDFGToB3.cpp:
1031         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1032         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1033         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1034         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1035         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
1036         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
1037         * runtime/ArrayConventions.h:
1038         * runtime/JSArray.h:
1039         (JSC::JSArray::tryCreate):
1040
1041 2017-09-22  Commit Queue  <commit-queue@webkit.org>
1042
1043         Unreviewed, rolling out r222380.
1044         https://bugs.webkit.org/show_bug.cgi?id=177352
1045
1046         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
1047         #webkit).
1048
1049         Reverted changeset:
1050
1051         "[DFG][FTL] Profile array vector length for array allocation"
1052         https://bugs.webkit.org/show_bug.cgi?id=177051
1053         http://trac.webkit.org/changeset/222380
1054
1055 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1056
1057         [DFG][FTL] Profile array vector length for array allocation
1058         https://bugs.webkit.org/show_bug.cgi?id=177051
1059
1060         Reviewed by Saam Barati.
1061
1062         Currently, NewArrayBuffer allocation is penalized by JSC: While an empty array gets a vector size of 25 (BASE_CONTIGUOUS_VECTOR_LEN),
1063         the new_array_buffer case gets a vector size of 3 (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
1064         if the number of its constant elements is larger than 3. But these created arrays may be grown by the `push()` operation after
1065         the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
1066
1067             empty array allocation,
1068
1069             var array = [];
1070             array.push(0);
1071             array.push(1);
1072             array.push(2);
1073             array.push(3);
1074             array.push(4);
1075
1076             v.s. new_array_buffer case,
1077
1078             var array = [0];
1079             array.push(1);
1080             array.push(2);
1081             array.push(3);
1082             array.push(4);
1083
1084         In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (and that is a bit likely),
1085         we should allocate a vector size of 3 to 25 if it is likely to be grown. So we should get a profile of the resulting array.
1086
1087         We select 25 to make it fit one of the size classes.
1088
1089         In this patch, we extend ArrayAllocationProfile to record the vector length, and use this information when allocating the array for new_array_buffer.
1090         If the number of new_array_buffer constants is <= 25, the array vector size becomes 3 to 25 based on profiling. If the number of its constants
1091         is larger than 25, we just use it for allocation as before.
1092
1093         The added microbenchmark and SixSpeed spread-literal.es5 show improvement.
1094
1095             new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
1096             spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster
1097
1098         * bytecode/ArrayAllocationProfile.cpp:
1099         (JSC::ArrayAllocationProfile::updateProfile):
1100         (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
1101         * bytecode/ArrayAllocationProfile.h:
1102         (JSC::ArrayAllocationProfile::selectIndexingType):
1103         (JSC::ArrayAllocationProfile::vectorLengthHint):
1104         (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
1105         * bytecode/CodeBlock.cpp:
1106         (JSC::CodeBlock::updateAllArrayPredictions):
1107         * dfg/DFGByteCodeParser.cpp:
1108         (JSC::DFG::ByteCodeParser::parseBlock):
1109         * dfg/DFGGraph.cpp:
1110         (JSC::DFG::Graph::dump):
1111         * dfg/DFGNode.h:
1112         (JSC::DFG::Node::vectorLengthHint):
1113         * dfg/DFGOperations.cpp:
1114         * dfg/DFGOperations.h:
1115         * dfg/DFGSpeculativeJIT64.cpp:
1116         (JSC::DFG::SpeculativeJIT::compile):
1117         * ftl/FTLLowerDFGToB3.cpp:
1118         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1119         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1120         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1121         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1122         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
1123         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
1124         * runtime/ArrayConventions.h:
1125         * runtime/JSArray.h:
1126         (JSC::JSArray::tryCreate):
1127
1128 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
1129
1130         Web Inspector: Remove support for CSS Regions
1131         https://bugs.webkit.org/show_bug.cgi?id=177287
1132
1133         Reviewed by Matt Baker.
1134
1135         * inspector/protocol/CSS.json:
1136         * inspector/protocol/OverlayTypes.json:
1137
1138 2017-09-21  Brian Burg  <bburg@apple.com>
1139
1140         Web Inspector: keyboard shortcut for "Reload page from origin" doesn't match Safari, and doesn't work
1141         https://bugs.webkit.org/show_bug.cgi?id=177010
1142         <rdar://problem/33134548>
1143
1144         Reviewed by Joseph Pecoraro.
1145
1146         Use "reload from origin" nomenclature instead of "reload ignoring cache".
1147
1148         * inspector/protocol/Page.json: Improve the comment, but don't change the
1149         parameter name since this would be a divergence from legacy protocols.
1150
1151 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
1152
1153         test262: test262/test/annexB/built-ins/RegExp/prototype/flags/order-after-compile.js ASSERTs
1154         https://bugs.webkit.org/show_bug.cgi?id=177307
1155
1156         Reviewed by Michael Saboff.
1157
1158         * runtime/RegExpPrototype.cpp:
1159         In r221160 we added support for the new RegExp flag (dotAll).
1160         We needed to make space for it in FlagsString.
1161
1162 2017-09-20  Keith Miller  <keith_miller@apple.com>
1163
1164         JSC should use unified sources for platform specific files.
1165         https://bugs.webkit.org/show_bug.cgi?id=177290
1166
1167         Reviewed by Michael Saboff.
1168
1169         Add a list of platform specific source files and update the
1170         Generate Unified Sources phase of the Xcode build. I skipped WPE
1171         since that seems to have failed for some reason that I didn't
1172         fully understand. See:
1173         https://webkit-queues.webkit.org/results/4611260
1174
1175         Also, fix duplicate symbols in Glib remote inspector files.
1176
1177         * CMakeLists.txt:
1178         * JavaScriptCore.xcodeproj/project.pbxproj:
1179         * PlatformGTK.cmake:
1180         * PlatformMac.cmake:
1181         * SourcesGTK.txt: Added.
1182         * SourcesMac.txt: Added.
1183         * inspector/remote/glib/RemoteInspectorServer.cpp:
1184         (Inspector::RemoteInspectorServer::interfaceInfo):
1185         (Inspector::RemoteInspectorServer::setTargetList):
1186         (Inspector::RemoteInspectorServer::setupInspectorClient):
1187         (Inspector::RemoteInspectorServer::setup):
1188         (Inspector::RemoteInspectorServer::close):
1189         (Inspector::RemoteInspectorServer::connectionClosed):
1190         (Inspector::RemoteInspectorServer::sendMessageToBackend):
1191         (Inspector::RemoteInspectorServer::sendMessageToFrontend):
1192         (Inspector::dbusConnectionCallAsyncReadyCallback): Deleted.
1193
1194 2017-09-20  Stephan Szabo  <stephan.szabo@sony.com>
1195
1196         [Win] WTF: Add alias for process id to use in place of direct uses of pid_t
1197         https://bugs.webkit.org/show_bug.cgi?id=177017
1198
1199         Reviewed by Alex Christensen.
1200
1201         * API/JSRemoteInspector.cpp:
1202         (JSRemoteInspectorSetParentProcessInformation):
1203         * API/JSRemoteInspector.h:
1204         * inspector/remote/RemoteInspector.h:
1205
1206 2017-09-20  Keith Miller  <keith_miller@apple.com>
1207
1208         Rename source list file to Sources.txt
1209         https://bugs.webkit.org/show_bug.cgi?id=177283
1210
1211         Reviewed by Saam Barati.
1212
1213         * CMakeLists.txt:
1214         * JavaScriptCore.xcodeproj/project.pbxproj:
1215         * Sources.txt: Renamed from Source/JavaScriptCore/sources.txt.
1216
1217 2017-09-20  Keith Miller  <keith_miller@apple.com>
1218
1219         Unreviewed, fix string capitalization
1220
1221         * JavaScriptCore.xcodeproj/project.pbxproj:
1222
1223 2017-09-20  Keith Miller  <keith_miller@apple.com>
1224
1225         JSC Xcode build should use unified sources for platform independent files
1226         https://bugs.webkit.org/show_bug.cgi?id=177190
1227
1228         Reviewed by Saam Barati.
1229
1230         This patch changes the Xcode build to use unified sources. The
1231         main difference from a development perspective is that instead of
1232         adding source files to Xcode, they need to be added to the shared
1233         sources.txt. For now, platform specific files are still added
1234         to the JavaScriptCore target.
1235
1236         Because Xcode needs to know about all the files before we generate
1237         them, all the unified source files need to be added to the
1238         JavaScriptCore framework target. As a result, if we run out of
1239         bundle files, more will need to be added to the project. Currently,
1240         there are no spare files. If adding more bundle files becomes
1241         problematic, we can change this.
1242
1243         LowLevelInterpreter.cpp can't be added to the unified source list yet
1244         due to a clang bug.
1245
1246         * CMakeLists.txt:
1247         * JavaScriptCore.xcodeproj/project.pbxproj:
1248         * sources.txt: Added.
1249
1250 2017-09-20  Per Arne Vollan  <pvollan@apple.com>
1251
1252         [Win] Cannot find script to generate unified sources.
1253         https://bugs.webkit.org/show_bug.cgi?id=177014
1254
1255         Reviewed by Keith Miller.
1256
1257         The ruby script can now be found in WTF/Scripts in the forwarding headers folder.
1258
1259         * CMakeLists.txt:
1260         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
1261
1262 2017-09-20  Alberto Garcia  <berto@igalia.com>
1263
1264         Fix HPPA and Alpha builds
1265         https://bugs.webkit.org/show_bug.cgi?id=177224
1266
1267         Reviewed by Alex Christensen.
1268
1269         * CMakeLists.txt:
1270
1271 2017-09-18  Filip Pizlo  <fpizlo@apple.com>
1272
1273         ErrorInstance and Exception need destroy methods
1274         https://bugs.webkit.org/show_bug.cgi?id=177095
1275
1276         Reviewed by Saam Barati.
1277         
1278         When I made ErrorInstance and Exception into JSDestructibleObjects, I forgot to make them
1279         follow that type's protocol.
1280
1281         * runtime/ErrorInstance.cpp:
1282         (JSC::ErrorInstance::destroy): Implement this to fix leaks.
1283         * runtime/ErrorInstance.h:
1284         * runtime/Exception.h: Change how this is declared now that this is a DestructibleObject.
1285
1286 2017-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1287
1288         [JSC] Consider dropping JSObjectSetPrototype feature for JSGlobalObject
1289         https://bugs.webkit.org/show_bug.cgi?id=177070
1290
1291         Reviewed by Saam Barati.
1292
1293         For security reasons, our global object is an immutable prototype exotic object.
1294         This prevents users from injecting proxies into the prototype chain of the global object[1].
1295         But our JSC API does not respect this attribute, and allows users to change the [[Prototype]]
1296         of the global object after instantiating it.
1297
1298         This patch removes this feature. Once the global object is instantiated, we cannot change the [[Prototype]]
1299         of the global object. It drops the JSGlobalObject::resetPrototype use, which involves GlobalThis
1300         edge cases.
1301
1302         [1]: https://github.com/tc39/ecma262/commit/935dad4283d045bc09c67a259279772d01b3d33d
1303
1304         * API/JSObjectRef.cpp:
1305         (JSObjectSetPrototype):
1306         * API/tests/CustomGlobalObjectClassTest.c:
1307         (globalObjectSetPrototypeTest):
1308
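The entry above relies on the global object being an immutable prototype exotic object. The following is an added example, not code from the WebKit ChangeLog or the JSC API, showing what such an object does with attempts to swap its [[Prototype]]: it assumes a standard engine run under Node, where globalThis is an ordinary object, so Object.prototype (immutable by ECMA-262 in every engine) stands in for JSC's global object, and an intercepting Proxy plays the role of the object the entry says must not land in the chain.

```javascript
// Added example (not part of the WebKit ChangeLog or the JSC API): probe the
// [[SetPrototypeOf]] behaviour of an immutable prototype exotic object.
// Assumption: Object.prototype stands in for JSC's global object, since Node's
// globalThis is an ordinary object whose prototype can be swapped.

// Try to put `candidate` into `target`'s chain through [[SetPrototypeOf]].
// Returns 'rejected'   - the object refused, nothing changed,
//         'same-value' - allowed only because the prototype is unchanged,
//         'replaced'   - the swap succeeded (the probe undoes it again).
// Note: a non-extensible ordinary object is also reported as 'rejected'.
function probeSetPrototype(target, candidate) {
  const before = Object.getPrototypeOf(target);
  const ok = Reflect.setPrototypeOf(target, candidate); // never throws
  if (!ok) return 'rejected';
  if (candidate === before) return 'same-value';
  Reflect.setPrototypeOf(target, before); // leave no mutation behind
  return 'replaced';
}

// Object.setPrototypeOf is the throwing form of the same internal method.
function setPrototypeThrows(target, candidate) {
  try {
    Object.setPrototypeOf(target, candidate);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// A proxy that records every property lookup routed through it: were it in
// the chain, each missed lookup on any object would become observable.
function makeInterceptingProxy(seen) {
  return new Proxy({}, {
    get(_target, key) { seen.push(String(key)); return undefined; },
  });
}

// Run the probes against the exotic object and an ordinary one.
function demo() {
  const seen = [];
  const proxy = makeInterceptingProxy(seen);
  const plain = {};
  const result = {
    // Object.prototype: immutable prototype exotic object.
    exoticRejectsProxy: probeSetPrototype(Object.prototype, proxy),
    exoticAcceptsSameValue: probeSetPrototype(Object.prototype, null),
    exoticThrows: setPrototypeThrows(Object.prototype, proxy),
    // Ordinary object: the swap succeeds (and is undone by the probe).
    ordinaryReplaced: probeSetPrototype(plain, proxy),
    prototypeRestored: Object.getPrototypeOf(plain) === Object.prototype,
  };
  // A missed lookup still ends at null, never at the proxy.
  void ({}).missing;
  result.proxyUntouched = seen.length === 0;
  return result;
}

console.log(demo());
```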
1309 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1310
1311         [DFG] Remove ToThis more aggressively
1312         https://bugs.webkit.org/show_bug.cgi?id=177056
1313
1314         Reviewed by Saam Barati.
1315
1316         The variation among toThis() implementations is limited. So, we attempt to implement the common toThis operation in AI.
1317         We move the scope-related toThis to JSScope::toThis. And AI investigates the proven value/structure's toThis methods
1318         and attempts to fold/convert them to efficient nodes.
1319
1320         We introduce GetGlobalThis, which just loads globalThis from the semantic origin's globalObject. Using this,
1321         we can implement JSScope::toThis in DFG. This avoids a costly toThis indirect function pointer call.
1322
1323         Currently, we just emit GetGlobalThis if necessary. We can further convert it to a constant if we can put a
1324         watchpoint on JSGlobalObject's globalThis change. But we leave that for a future patch for now.
1325
1326         This removes GetGlobalThis from ES6 generators in common cases.
1327
1328         spread-generator.es6      303.1550+-9.5037          290.9337+-8.3487          might be 1.0420x faster
1329
1330         * dfg/DFGAbstractInterpreterInlines.h:
1331         (JSC::DFG::isToThisAnIdentity):
1332         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1333         * dfg/DFGClobberize.h:
1334         (JSC::DFG::clobberize):
1335         * dfg/DFGConstantFoldingPhase.cpp:
1336         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1337         * dfg/DFGDoesGC.cpp:
1338         (JSC::DFG::doesGC):
1339         * dfg/DFGFixupPhase.cpp:
1340         (JSC::DFG::FixupPhase::fixupNode):
1341         * dfg/DFGNode.h:
1342         (JSC::DFG::Node::convertToGetGlobalThis):
1343         * dfg/DFGNodeType.h:
1344         * dfg/DFGPredictionPropagationPhase.cpp:
1345         * dfg/DFGSafeToExecute.h:
1346         (JSC::DFG::safeToExecute):
1347         * dfg/DFGSpeculativeJIT.cpp:
1348         (JSC::DFG::SpeculativeJIT::compileGetGlobalThis):
1349         * dfg/DFGSpeculativeJIT.h:
1350         * dfg/DFGSpeculativeJIT32_64.cpp:
1351         (JSC::DFG::SpeculativeJIT::compile):
1352         * dfg/DFGSpeculativeJIT64.cpp:
1353         (JSC::DFG::SpeculativeJIT::compile):
1354         * ftl/FTLCapabilities.cpp:
1355         (JSC::FTL::canCompile):
1356         * ftl/FTLLowerDFGToB3.cpp:
1357         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1358         (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
1359         * runtime/JSGlobalLexicalEnvironment.cpp:
1360         (JSC::JSGlobalLexicalEnvironment::toThis): Deleted.
1361         * runtime/JSGlobalLexicalEnvironment.h:
1362         * runtime/JSGlobalObject.cpp:
1363         (JSC::JSGlobalObject::toThis): Deleted.
1364         * runtime/JSGlobalObject.h:
1365         (JSC::JSGlobalObject::addressOfGlobalThis):
1366         * runtime/JSLexicalEnvironment.cpp:
1367         (JSC::JSLexicalEnvironment::toThis): Deleted.
1368         * runtime/JSLexicalEnvironment.h:
1369         * runtime/JSScope.cpp:
1370         (JSC::JSScope::toThis):
1371         * runtime/JSScope.h:
1372         * runtime/StrictEvalActivation.cpp:
1373         (JSC::StrictEvalActivation::toThis): Deleted.
1374         * runtime/StrictEvalActivation.h:
1375
1376 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1377
1378         Merge JSLexicalEnvironment and JSEnvironmentRecord
1379         https://bugs.webkit.org/show_bug.cgi?id=175492
1380
1381         Reviewed by Saam Barati.
1382
1383         JSEnvironmentRecord is only inherited by JSLexicalEnvironment.
1384         We can merge JSEnvironmentRecord and JSLexicalEnvironment.
1385
1386         * CMakeLists.txt:
1387         * JavaScriptCore.xcodeproj/project.pbxproj:
1388         * dfg/DFGSpeculativeJIT.cpp:
1389         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1390         * dfg/DFGSpeculativeJIT32_64.cpp:
1391         (JSC::DFG::SpeculativeJIT::compile):
1392         * dfg/DFGSpeculativeJIT64.cpp:
1393         (JSC::DFG::SpeculativeJIT::compile):
1394         * ftl/FTLAbstractHeapRepository.h:
1395         * ftl/FTLLowerDFGToB3.cpp:
1396         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1397         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1398         (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
1399         (JSC::FTL::DFG::LowerDFGToB3::compilePutClosureVar):
1400         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1401         * jit/JITPropertyAccess.cpp:
1402         (JSC::JIT::emitGetClosureVar):
1403         (JSC::JIT::emitPutClosureVar):
1404         (JSC::JIT::emitScopedArgumentsGetByVal):
1405         * jit/JITPropertyAccess32_64.cpp:
1406         (JSC::JIT::emitGetClosureVar):
1407         (JSC::JIT::emitPutClosureVar):
1408         * llint/LLIntOffsetsExtractor.cpp:
1409         * llint/LowLevelInterpreter.asm:
1410         * llint/LowLevelInterpreter32_64.asm:
1411         * llint/LowLevelInterpreter64.asm:
1412         * runtime/JSEnvironmentRecord.cpp: Removed.
1413         * runtime/JSEnvironmentRecord.h: Removed.
1414         * runtime/JSLexicalEnvironment.cpp:
1415         (JSC::JSLexicalEnvironment::visitChildren):
1416         (JSC::JSLexicalEnvironment::heapSnapshot):
1417         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1418         * runtime/JSLexicalEnvironment.h:
1419         (JSC::JSLexicalEnvironment::subspaceFor):
1420         (JSC::JSLexicalEnvironment::variables):
1421         (JSC::JSLexicalEnvironment::isValidScopeOffset):
1422         (JSC::JSLexicalEnvironment::variableAt):
1423         (JSC::JSLexicalEnvironment::offsetOfVariables):
1424         (JSC::JSLexicalEnvironment::offsetOfVariable):
1425         (JSC::JSLexicalEnvironment::allocationSizeForScopeSize):
1426         (JSC::JSLexicalEnvironment::allocationSize):
1427         (JSC::JSLexicalEnvironment::finishCreationUninitialized):
1428         (JSC::JSLexicalEnvironment::finishCreation):
1429         * runtime/JSModuleEnvironment.cpp:
1430         (JSC::JSModuleEnvironment::create):
1431         * runtime/JSObject.h:
1432         (JSC::JSObject::isEnvironment const):
1433         (JSC::JSObject::isEnvironmentRecord const): Deleted.
1434         * runtime/JSSegmentedVariableObject.h:
1435         * runtime/StringPrototype.cpp:
1436         (JSC::checkObjectCoercible):
1437
1438 2017-09-15  Saam Barati  <sbarati@apple.com>
1439
1440         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
1441         https://bugs.webkit.org/show_bug.cgi?id=176981
1442
1443         Reviewed by Yusuke Suzuki.
1444
1445         This patch makes inline arity fixup happen in two phases:
1446         1. We get all the values we need and MovHint them to the expected locals.
1447         2. We SetLocal them inside the callee's CodeOrigin. This way, if we exit, the callee's
1448            frame is already set up. If any SetLocal exits, we have a valid exit state.
1449            This is required because if we didn't do this in two phases, we may exit in
1450            the middle of arity fixup from the caller's CodeOrigin. This is unsound because if
1451            we did the SetLocals in the caller's frame, the memcpy may clobber needed parts
1452            of the frame right before exiting. For example, consider if we need to pad two args:
1453            [arg3][arg2][arg1][arg0]
1454            [fix ][fix ][arg3][arg2][arg1][arg0]
1455            We memcpy starting from arg0 in the direction of arg3. If we were to exit at a type check
1456            for arg3's SetLocal in the caller's CodeOrigin, we'd exit with a frame like so:
1457            [arg3][arg2][arg1][arg2][arg1][arg0]
1458            And the caller would then just end up thinking its arguments are:
1459            [arg3][arg2][arg1][arg2]
1460            which is incorrect.
1461        
1462        
1463         This patch also fixes a couple of bugs in IdentityWithProfile:
1464         1. The bytecode generator for this bytecode intrinsic was written incorrectly.
1465            It needed to store the result of evaluating its argument in a temporary that
1466            it creates. Otherwise, it might try to simply overwrite a constant
1467            or a register that it didn't own.
1468         2. We weren't eliminating this node in CSE inside the DFG.
1469
1470         * bytecompiler/NodesCodegen.cpp:
1471         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
1472         * dfg/DFGByteCodeParser.cpp:
1473         (JSC::DFG::ByteCodeParser::inlineCall):
1474         * dfg/DFGCSEPhase.cpp:
1475
1476 2017-09-15  JF Bastien  <jfbastien@apple.com>
1477
1478         WTF: use Forward.h when appropriate instead of Vector.h
1479         https://bugs.webkit.org/show_bug.cgi?id=176984
1480
1481         Reviewed by Saam Barati.
1482
1483         There's no need to include Vector.h when Forward.h will suffice. All we need is to move the template default parameters from Vector, and then the forward declaration can be used in so many new places: if a header only takes Vector by reference, rvalue reference, pointer, returns any of these, or has them as members then the header doesn't need to see the definition because the declaration will suffice.
1484
1485         * bytecode/HandlerInfo.h:
1486         * heap/GCIncomingRefCounted.h:
1487         * heap/GCSegmentedArray.h:
1488         * wasm/js/JSWebAssemblyModule.h:
1489
1490 2017-09-14  Saam Barati  <sbarati@apple.com>
1491
1492         We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags
1493         https://bugs.webkit.org/show_bug.cgi?id=176863
1494
1495         Reviewed by Keith Miller.
1496
1497         * CMakeLists.txt:
1498         * JavaScriptCore.xcodeproj/project.pbxproj:
1499         * runtime/ProxyObject.cpp:
1500         (JSC::performProxyGet):
1501         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1502         (JSC::ProxyObject::performHasProperty):
1503         (JSC::ProxyObject::getOwnPropertySlotCommon):
1504         (JSC::ProxyObject::performPut):
1505         (JSC::performProxyCall):
1506         (JSC::performProxyConstruct):
1507         (JSC::ProxyObject::performDelete):
1508         (JSC::ProxyObject::performPreventExtensions):
1509         (JSC::ProxyObject::performIsExtensible):
1510         (JSC::ProxyObject::performDefineOwnProperty):
1511         (JSC::ProxyObject::performGetOwnPropertyNames):
1512         (JSC::ProxyObject::performSetPrototype):
1513         (JSC::ProxyObject::performGetPrototype):
1514
1515 2017-09-14  Saam Barati  <sbarati@apple.com>
1516
1517         Make dumping the graph print both when exitOK and !exitOK
1518         https://bugs.webkit.org/show_bug.cgi?id=176954
1519
1520         Reviewed by Keith Miller.
1521
1522         * dfg/DFGGraph.cpp:
1523         (JSC::DFG::Graph::dump):
1524
1525 2017-09-14  Saam Barati  <sbarati@apple.com>
1526
1527         It should be valid to exit before each set when doing arity fixup when inlining
1528         https://bugs.webkit.org/show_bug.cgi?id=176948
1529
1530         Reviewed by Keith Miller.
1531
1532         This patch makes it so that we can exit before each SetLocal when doing arity
1533         fixup during inlining. This is OK because if we exit at any of these SetLocals,
1534         we will simply exit to the beginning of the call instruction.
1535         
1536         Not doing this led to a bug where FixupPhase would insert a ValueRep of
1537         a node before the actual node. This is obviously invalid IR. I've added
1538         a new validation rule to catch this malformed IR.
1539
1540         * dfg/DFGByteCodeParser.cpp:
1541         (JSC::DFG::ByteCodeParser::inliningCost):
1542         (JSC::DFG::ByteCodeParser::inlineCall):
1543         * dfg/DFGValidate.cpp:
1544         * runtime/Options.h:
1545
1546 2017-09-14  Mark Lam  <mark.lam@apple.com>
1547
1548         AddressSanitizer: stack-buffer-underflow in JSC::Probe::Page::Page
1549         https://bugs.webkit.org/show_bug.cgi?id=176874
1550         <rdar://problem/34436415>
1551
1552         Reviewed by Saam Barati.
1553
1554         1. Make Probe::Stack play nice with ASan by:
1555
1556            a. using a local memcpy implementation that suppresses ASan on ASan builds.
1557               We don't want to use std::memcpy() which validates stack memory because
1558               we are intentionally copying stack memory beyond the current frame.
1559
1560            b. changing Stack::s_chunkSize to equal sizeof(uintptr_t) on ASan builds.
1561               This ensures that Page::flushWrites() only writes stack memory that was
1562               modified by a probe.  The probes should only modify stack memory that
1563               belongs to JSC stack data structures.  We don't want to inadvertently
1564               modify adjacent words that may belong to ASan (which may happen if
1565               s_chunkSize is larger than sizeof(uintptr_t)).
1566
1567            c. fixing a bug in Page dirtyBits management for when the size of the value to
1568               write is greater than s_chunkSize.  The fix is generic, but in practice,
1569               this currently only manifests on 32-bit ASan builds because
1570               sizeof(uintptr_t) and s_chunkSize are 32-bit, and we may write 64-bit
1571               values.
1572
1573            d. making Page::m_dirtyBits 64 bits always.  This maximizes the number of
1574               s_chunksPerPage we can have even on ASan builds.
1575
1576         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
1577            std::memcpy to avoid strict aliasing issues.
1578
1579         3. Optimized the implementation of Page::physicalAddressFor().
1580
1581         4. Optimized the implementation of Stack::set() in the recording of the low
1582            watermark.  We just record the lowest raw pointer now, and only compute the
1583            alignment to its chunk boundary later when the low watermark is requested.
1584
1585         5. Changed a value in testmasm to make the test less vulnerable to rounding issues.
1586
1587         No new test needed because this is already covered by testmasm with ASan enabled.
1588
1589         * assembler/ProbeContext.h:
1590         (JSC::Probe::CPUState::gpr const):
1591         (JSC::Probe::CPUState::spr const):
1592         (JSC::Probe::Context::gpr):
1593         (JSC::Probe::Context::spr):
1594         (JSC::Probe::Context::fpr):
1595         (JSC::Probe::Context::gprName):
1596         (JSC::Probe::Context::sprName):
1597         (JSC::Probe::Context::fprName):
1598         (JSC::Probe::Context::gpr const):
1599         (JSC::Probe::Context::spr const):
1600         (JSC::Probe::Context::fpr const):
1601         (JSC::Probe::Context::pc):
1602         (JSC::Probe::Context::fp):
1603         (JSC::Probe::Context::sp):
1604         (JSC::Probe:: const): Deleted.
1605         * assembler/ProbeStack.cpp:
1606         (JSC::Probe::copyStackPage):
1607         (JSC::Probe::Page::Page):
1608         (JSC::Probe::Page::flushWrites):
1609         * assembler/ProbeStack.h:
1610         (JSC::Probe::Page::get):
1611         (JSC::Probe::Page::set):
1612         (JSC::Probe::Page::dirtyBitFor):
1613         (JSC::Probe::Page::physicalAddressFor):
1614         (JSC::Probe::Stack::lowWatermark):
1615         (JSC::Probe::Stack::get):
1616         (JSC::Probe::Stack::set):
1617         * assembler/testmasm.cpp:
1618         (JSC::testProbeModifiesStackValues):
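
        The chunked write-back described in items 1.b and 1.c above, as an added
        illustration that is not JSC's ProbeStack code: a toy shadow page snapshots a
        region of stack memory, records which chunks a probe wrote through per-chunk
        dirty bits, and flushes back only those chunks. The page size, the chunkSize
        template parameter and the Toy namespace are assumptions; the point shown is
        that a write wider than a chunk must dirty every chunk it spans, and that
        flushing only dirty chunks leaves neighbouring words (such as ASan redzones)
        untouched.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Added example, not JSC's ProbeStack: a shadow page over a region of stack
// memory. Writes land in the page's buffer and set a dirty bit per chunk;
// flushWrites() copies back only dirty chunks. Page size, the chunkSize
// parameter and the Toy namespace are assumptions for illustration.
namespace Toy {

template<size_t chunkSize = sizeof(uintptr_t)>
class Page {
public:
    static constexpr size_t s_pageSize = 64;
    static constexpr size_t s_chunkSize = chunkSize;
    static constexpr size_t s_chunksPerPage = s_pageSize / s_chunkSize;
    static_assert(s_chunksPerPage <= 64, "m_dirtyBits is always 64 bits wide");

    explicit Page(uint8_t* base)
        : m_base(base)
    {
        std::memcpy(m_buffer, base, s_pageSize); // snapshot the real stack memory
    }

    // memcpy rather than a pointer cast keeps get/set free of strict-aliasing issues.
    template<typename T>
    T get(size_t offset) const
    {
        T value;
        std::memcpy(&value, m_buffer + offset, sizeof(T));
        return value;
    }

    template<typename T>
    void set(size_t offset, T value)
    {
        std::memcpy(m_buffer + offset, &value, sizeof(T));
        m_dirtyBits |= dirtyBitsFor(offset, sizeof(T));
    }

    // Mark every chunk the write spans, not only the first: a 64-bit value
    // written through 4-byte chunks (the 32-bit ASan case) dirties two chunks.
    // Marking only the first would silently drop half the write on flush.
    static uint64_t dirtyBitsFor(size_t offset, size_t size)
    {
        size_t first = offset / s_chunkSize;
        size_t last = (offset + size - 1) / s_chunkSize;
        uint64_t bits = 0;
        for (size_t chunk = first; chunk <= last; ++chunk)
            bits |= uint64_t(1) << chunk;
        return bits;
    }

    // Write back only chunks a probe modified; untouched words stay as they were.
    void flushWrites()
    {
        for (size_t chunk = 0; chunk < s_chunksPerPage; ++chunk) {
            if (!(m_dirtyBits & (uint64_t(1) << chunk)))
                continue;
            std::memcpy(m_base + chunk * s_chunkSize, m_buffer + chunk * s_chunkSize, s_chunkSize);
        }
        m_dirtyBits = 0;
    }

private:
    uint8_t* m_base;
    alignas(uintptr_t) uint8_t m_buffer[s_pageSize];
    uint64_t m_dirtyBits { 0 };
};

} // namespace Toy

// A 64-bit write at offset 8 through 4-byte chunks must dirty chunks 2 and 3 (0b1100).
uint64_t dirtyBitsForWideWrite()
{
    return Toy::Page<4>::dirtyBitsFor(8, sizeof(uint64_t));
}

// Flush a single 64-bit write and check that only those 8 bytes of the
// constructed stand-in stack changed.
bool flushTouchesOnlyDirtyChunks()
{
    alignas(8) uint8_t stack[64];
    std::memset(stack, 0xAA, sizeof stack); // constructed sample stack contents
    Toy::Page<4> page(stack);
    page.set<uint64_t>(8, 0x1122334455667788ull);
    page.flushWrites();

    uint64_t written;
    std::memcpy(&written, stack + 8, sizeof written);
    if (written != 0x1122334455667788ull)
        return false;
    for (size_t i = 0; i < sizeof stack; ++i) {
        if (i >= 8 && i < 16)
            continue;
        if (stack[i] != 0xAA)
            return false;
    }
    return true;
}
```

        Note that a chunk size of sizeof(uintptr_t) on ASan builds, as the entry
        describes, is what keeps flushWrites() from rewriting words adjacent to the
        one a probe actually modified.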
1619
1620 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1621
1622         [JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed
1623         https://bugs.webkit.org/show_bug.cgi?id=176917
1624
1625         Reviewed by Saam Barati.
1626
1627         * dfg/DFGByteCodeParser.cpp:
1628         (JSC::DFG::ByteCodeParser::inliningCost):
1629         * runtime/Options.h:
1630
1631 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1632
1633         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
1634         https://bugs.webkit.org/show_bug.cgi?id=176867
1635
1636         Reviewed by Sam Weinig.
1637
1638         We rarely require private symbols when enumerating property names.
1639         This patch adds PrivateSymbolMode::{Include,Exclude}. If PrivateSymbolMode::Exclude
1640         is specified, PropertyNameArray does not include private symbols.
1641         This removes many ad-hoc `Identifier::isPrivateName()` checks in enumeration operations.
1642
1643         One additional good thing is that we do not need to filter private symbols out from PropertyNameArray.
1644         It allows us to use Object.keys()'s fast path for Object.getOwnPropertySymbols.
1645
1646         object-get-own-property-symbols                48.6275+-1.0021     ^     38.1846+-1.7934        ^ definitely 1.2735x faster
1647
1648         * API/JSObjectRef.cpp:
1649         (JSObjectCopyPropertyNames):
1650         * bindings/ScriptValue.cpp:
1651         (Inspector::jsToInspectorValue):
1652         * bytecode/ObjectAllocationProfile.h:
1653         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
1654         * runtime/EnumerationMode.h:
1655         * runtime/IntlObject.cpp:
1656         (JSC::supportedLocales):
1657         * runtime/JSONObject.cpp:
1658         (JSC::Stringifier::Stringifier):
1659         (JSC::Stringifier::Holder::appendNextProperty):
1660         (JSC::Walker::walk):
1661         * runtime/JSPropertyNameEnumerator.cpp:
1662         (JSC::JSPropertyNameEnumerator::create):
1663         * runtime/JSPropertyNameEnumerator.h:
1664         (JSC::propertyNameEnumerator):
1665         * runtime/ObjectConstructor.cpp:
1666         (JSC::objectConstructorGetOwnPropertyDescriptors):
1667         (JSC::objectConstructorAssign):
1668         (JSC::objectConstructorValues):
1669         (JSC::defineProperties):
1670         (JSC::setIntegrityLevel):
1671         (JSC::testIntegrityLevel):
1672         (JSC::ownPropertyKeys):
1673         * runtime/PropertyNameArray.h:
1674         (JSC::PropertyNameArray::PropertyNameArray):
1675         (JSC::PropertyNameArray::propertyNameMode const):
1676         (JSC::PropertyNameArray::privateSymbolMode const):
1677         (JSC::PropertyNameArray::addUncheckedInternal):
1678         (JSC::PropertyNameArray::addUnchecked):
1679         (JSC::PropertyNameArray::add):
1680         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
1681         (JSC::PropertyNameArray::includeSymbolProperties const):
1682         (JSC::PropertyNameArray::includeStringProperties const):
1683         (JSC::PropertyNameArray::mode const): Deleted.
1684         * runtime/ProxyObject.cpp:
1685         (JSC::ProxyObject::performGetOwnPropertyNames):
1686
1687 2017-09-13  Mark Lam  <mark.lam@apple.com>
1688
1689         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
1690         https://bugs.webkit.org/show_bug.cgi?id=176888
1691         <rdar://problem/34381832>
1692
1693         Not reviewed.
1694
1695         * JavaScriptCore.xcodeproj/project.pbxproj:
1696         * assembler/MacroAssembler.cpp:
1697         (JSC::stdFunctionCallback):
1698         * assembler/MacroAssemblerPrinter.cpp:
1699         (JSC::Printer::printCallback):
1700         * assembler/ProbeContext.h:
1701         (JSC::Probe:: const):
1702         (JSC::Probe::Context::Context):
1703         (JSC::Probe::Context::gpr):
1704         (JSC::Probe::Context::spr):
1705         (JSC::Probe::Context::fpr):
1706         (JSC::Probe::Context::gprName):
1707         (JSC::Probe::Context::sprName):
1708         (JSC::Probe::Context::fprName):
1709         (JSC::Probe::Context::pc):
1710         (JSC::Probe::Context::fp):
1711         (JSC::Probe::Context::sp):
1712         (JSC::Probe::CPUState::gpr const): Deleted.
1713         (JSC::Probe::CPUState::spr const): Deleted.
1714         (JSC::Probe::Context::arg): Deleted.
1715         (JSC::Probe::Context::gpr const): Deleted.
1716         (JSC::Probe::Context::spr const): Deleted.
1717         (JSC::Probe::Context::fpr const): Deleted.
1718         * assembler/ProbeFrame.h: Removed.
1719         * assembler/ProbeStack.cpp:
1720         (JSC::Probe::Page::Page):
1721         * assembler/ProbeStack.h:
1722         (JSC::Probe::Page::get):
1723         (JSC::Probe::Page::set):
1724         (JSC::Probe::Page::physicalAddressFor):
1725         (JSC::Probe::Stack::lowWatermark):
1726         (JSC::Probe::Stack::get):
1727         (JSC::Probe::Stack::set):
1728         * bytecode/ArithProfile.cpp:
1729         * bytecode/ArithProfile.h:
1730         * bytecode/ArrayProfile.h:
1731         (JSC::ArrayProfile::observeArrayMode): Deleted.
1732         * bytecode/CodeBlock.cpp:
1733         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted.
1734         * bytecode/CodeBlock.h:
1735         (JSC::CodeBlock::addressOfOSRExitCounter):
1736         * bytecode/ExecutionCounter.h:
1737         (JSC::ExecutionCounter::hasCrossedThreshold const): Deleted.
1738         (JSC::ExecutionCounter::setNewThresholdForOSRExit): Deleted.
1739         * bytecode/MethodOfGettingAValueProfile.cpp:
1740         (JSC::MethodOfGettingAValueProfile::reportValue): Deleted.
1741         * bytecode/MethodOfGettingAValueProfile.h:
1742         * dfg/DFGDriver.cpp:
1743         (JSC::DFG::compileImpl):
1744         * dfg/DFGJITCode.cpp:
1745         (JSC::DFG::JITCode::findPC):
1746         * dfg/DFGJITCode.h:
1747         * dfg/DFGJITCompiler.cpp:
1748         (JSC::DFG::JITCompiler::linkOSRExits):
1749         (JSC::DFG::JITCompiler::link):
1750         * dfg/DFGOSRExit.cpp:
1751         (JSC::DFG::OSRExit::setPatchableCodeOffset):
1752         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const):
1753         (JSC::DFG::OSRExit::codeLocationForRepatch const):
1754         (JSC::DFG::OSRExit::correctJump):
1755         (JSC::DFG::OSRExit::emitRestoreArguments):
1756         (JSC::DFG::OSRExit::compileOSRExit):
1757         (JSC::DFG::OSRExit::compileExit):
1758         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
1759         (JSC::DFG::jsValueFor): Deleted.
1760         (JSC::DFG::restoreCalleeSavesFor): Deleted.
1761         (JSC::DFG::saveCalleeSavesFor): Deleted.
1762         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted.
1763         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted.
1764         (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted.
1765         (JSC::DFG::createDirectArgumentsDuringExit): Deleted.
1766         (JSC::DFG::createClonedArgumentsDuringExit): Deleted.
1767         (JSC::DFG::emitRestoreArguments): Deleted.
1768         (JSC::DFG::OSRExit::executeOSRExit): Deleted.
1769         (JSC::DFG::reifyInlinedCallFrames): Deleted.
1770         (JSC::DFG::adjustAndJumpToTarget): Deleted.
1771         (JSC::DFG::printOSRExit): Deleted.
1772         * dfg/DFGOSRExit.h:
1773         (JSC::DFG::OSRExitState::OSRExitState): Deleted.
1774         * dfg/DFGOSRExitCompilerCommon.cpp:
1775         * dfg/DFGOSRExitCompilerCommon.h:
1776         * dfg/DFGOperations.cpp:
1777         * dfg/DFGOperations.h:
1778         * dfg/DFGThunks.cpp:
1779         (JSC::DFG::osrExitGenerationThunkGenerator):
1780         (JSC::DFG::osrExitThunkGenerator): Deleted.
1781         * dfg/DFGThunks.h:
1782         * jit/AssemblyHelpers.cpp:
1783         (JSC::AssemblyHelpers::debugCall):
1784         * jit/AssemblyHelpers.h:
1785         * jit/JITOperations.cpp:
1786         * jit/JITOperations.h:
1787         * profiler/ProfilerOSRExit.h:
1788         (JSC::Profiler::OSRExit::incCount): Deleted.
1789         * runtime/JSCJSValue.h:
1790         * runtime/JSCJSValueInlines.h:
1791         * runtime/VM.h:
1792
1793 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1794
1795         [JSC] Move class/struct used in other class' member out of anonymous namespace
1796         https://bugs.webkit.org/show_bug.cgi?id=176876
1797
1798         Reviewed by Saam Barati.
1799
1800         GCC warns if a class has a base or field whose type uses the anonymous namespace
1801         and it is defined in an included file. This is because this possibly violates
1802         one definition rule (ODR): if an included file has the anonymous namespace, each
1803         translation unit creates its private anonymous namespace. Thus, each type
1804         inside the anonymous namespace becomes different in each translation unit if
1805         the file is included in multiple translation units.
1806
1807         While the current use in JSC is not violating ODR since these cpp files are included
1808         only once for unified sources, specifying `-Wno-subobject-linkage` could miss
1809         the actual bugs. So, in this patch, we just move related classes/structs out of
1810         the anonymous namespace.
1811
1812         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1813         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::addition):
1814         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::arrayBounds):
1815         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator! const):
1816         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::hash const):
1817         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator== const):
1818         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::dump const):
1819         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::RangeKeyAndAddend):
1820         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::operator! const):
1821         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::dump const):
1822         (JSC::DFG::IntegerCheckCombiningPhase::Range::dump const):
1823         * dfg/DFGLICMPhase.cpp:
1824
1825 2017-09-13  Devin Rousso  <webkit@devinrousso.com>
1826
1827         Web Inspector: Event Listeners section does not update when listeners are added/removed
1828         https://bugs.webkit.org/show_bug.cgi?id=170570
1829         <rdar://problem/31501645>
1830
1831         Reviewed by Joseph Pecoraro.
1832
1833         * inspector/protocol/DOM.json:
1834         Add two new events: "didAddEventListener" and "willRemoveEventListener". These events do not
1835         contain any information about the event listeners that were added/removed. They serve more
1836         as indications that something has changed, and to refetch the data again via `getEventListenersForNode`.
1837
1838 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1839
1840         [JSC] Fix Array allocation in Object.keys
1841         https://bugs.webkit.org/show_bug.cgi?id=176826
1842
1843         Reviewed by Saam Barati.
1844
1845         When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
1846         We check isHavingABadTime() in ownPropertyKeys fast path.
1847         And we also ensure that ownPropertyKeys uses the putDirect operation instead of put by a test.
1848
1849         * runtime/ObjectConstructor.cpp:
1850         (JSC::ownPropertyKeys):
1851
1852 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1853
1854         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
1855         https://bugs.webkit.org/show_bug.cgi?id=176010
1856
1857         Reviewed by Filip Pizlo.
1858
1859         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
1860         It is used for meta properties of objects (see the peekMeta function in Ember.js).
1861
1862         This patch optimizes WeakMap#get.
1863
1864         1. We use inlineGet to inline WeakMap#get operation in the native function.
1865         Since this native function itself is very small, we should inline HashMap#get
1866         entirely in this function.
1867
1868         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
1869         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
1870         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
1871         ObjectUse, and Int32Use.
1872
1873         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
1874         calculate hash value for the key's Object and use this hash value to look up value from
1875         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
1876         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
1877         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
1878         patches.
1879
1880         We currently do not implement any other intrinsics (like WeakMap#has or WeakSet) because they are
1881         not used in Ember.js right now.
1882
1883         This patch optimizes WeakMap#get by 50%.
1884
1885                                  baseline                  patched
1886
1887         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
1888
1889         * bytecode/DirectEvalCodeCache.h:
1890         (JSC::DirectEvalCodeCache::tryGet):
1891         * bytecode/SpeculatedType.cpp:
1892         (JSC::dumpSpeculation):
1893         (JSC::speculationFromClassInfo):
1894         (JSC::speculationFromJSType):
1895         (JSC::speculationFromString):
1896         * bytecode/SpeculatedType.h:
1897         * dfg/DFGAbstractInterpreterInlines.h:
1898         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1899         * dfg/DFGByteCodeParser.cpp:
1900         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1901         * dfg/DFGClobberize.h:
1902         (JSC::DFG::clobberize):
1903         * dfg/DFGDoesGC.cpp:
1904         (JSC::DFG::doesGC):
1905         * dfg/DFGFixupPhase.cpp:
1906         (JSC::DFG::FixupPhase::fixupNode):
1907         * dfg/DFGHeapLocation.cpp:
1908         (WTF::printInternal):
1909         * dfg/DFGHeapLocation.h:
1910         * dfg/DFGNode.h:
1911         (JSC::DFG::Node::hasHeapPrediction):
1912         * dfg/DFGNodeType.h:
1913         * dfg/DFGOperations.cpp:
1914         * dfg/DFGOperations.h:
1915         * dfg/DFGPredictionPropagationPhase.cpp:
1916         * dfg/DFGSafeToExecute.h:
1917         (JSC::DFG::SafeToExecuteEdge::operator()):
1918         (JSC::DFG::safeToExecute):
1919         * dfg/DFGSpeculativeJIT.cpp:
1920         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
1921         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
1922         (JSC::DFG::SpeculativeJIT::speculate):
1923         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
1924         * dfg/DFGSpeculativeJIT.h:
1925         (JSC::DFG::SpeculativeJIT::callOperation):
1926         * dfg/DFGSpeculativeJIT32_64.cpp:
1927         (JSC::DFG::SpeculativeJIT::compile):
1928         * dfg/DFGSpeculativeJIT64.cpp:
1929         (JSC::DFG::SpeculativeJIT::compile):
1930         * dfg/DFGUseKind.cpp:
1931         (WTF::printInternal):
1932         * dfg/DFGUseKind.h:
1933         (JSC::DFG::typeFilterFor):
1934         (JSC::DFG::isCell):
1935         * ftl/FTLCapabilities.cpp:
1936         (JSC::FTL::canCompile):
1937         * ftl/FTLLowerDFGToB3.cpp:
1938         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1939         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
1940         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
1941         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
1942         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1943         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
1944         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
1945         * jit/JITOperations.h:
1946         * runtime/HashMapImpl.h:
1947         (JSC::WeakMapHash::hash):
1948         (JSC::WeakMapHash::equal):
1949         * runtime/Intrinsic.cpp:
1950         (JSC::intrinsicName):
1951         * runtime/Intrinsic.h:
1952         * runtime/JSType.h:
1953         * runtime/JSWeakMap.h:
1954         (JSC::isJSWeakMap):
1955         * runtime/JSWeakSet.h:
1956         (JSC::isJSWeakSet):
1957         * runtime/WeakMapBase.cpp:
1958         (JSC::WeakMapBase::get):
1959         * runtime/WeakMapBase.h:
1960         (JSC::WeakMapBase::HashTranslator::hash):
1961         (JSC::WeakMapBase::HashTranslator::equal):
1962         (JSC::WeakMapBase::inlineGet):
1963         * runtime/WeakMapPrototype.cpp:
1964         (JSC::WeakMapPrototype::finishCreation):
1965         (JSC::getWeakMap):
1966         (JSC::protoFuncWeakMapGet):
1967         * runtime/WeakSetPrototype.cpp:
1968         (JSC::getWeakSet):
1969
1970 2017-09-12  Keith Miller  <keith_miller@apple.com>
1971
1972         Rename JavaScriptCore CMake unifiable sources list
1973         https://bugs.webkit.org/show_bug.cgi?id=176823
1974
1975         Reviewed by Joseph Pecoraro.
1976
1977         This patch also changes the error message when the unified source
1978         bundler fails to be more accurate.
1979
1980         * CMakeLists.txt:
1981
1982 2017-09-12  Keith Miller  <keith_miller@apple.com>
1983
1984         Do unified source builds for JSC
1985         https://bugs.webkit.org/show_bug.cgi?id=176076
1986
1987         Reviewed by Geoffrey Garen.
1988
1989         This patch switches the CMake JavaScriptCore build to use unified sources.
1990         The Xcode build will be upgraded in a follow up patch.
1991
1992         Most of the source changes in this patch are fixing static
1993         variable/functions name collisions. The most common collisions
1994         were from our use of "static const bool verbose" and "using
1995         namespace ...". I fixed all the verbose cases and fixed the "using
1996         namespace" issues that occurred under the current bundling
1997         strategy. It's likely that more of the "using namespace" issues
1998         will need to be resolved in the future, particularly in the FTL.
1999
2000         I don't expect either of these problems will apply to other parts
2001         of the project nearly as much as in JSC. Using a verbose variable
2002         is a JSC idiom and JSC tends to use the same, canonical, class name
2003         in multiple parts of the engine.
2004
2005         * CMakeLists.txt:
2006         * b3/B3CheckSpecial.cpp:
2007         (JSC::B3::CheckSpecial::forEachArg):
2008         (JSC::B3::CheckSpecial::generate):
2009         (JSC::B3::Air::numB3Args): Deleted.
2010         * b3/B3DuplicateTails.cpp:
2011         * b3/B3EliminateCommonSubexpressions.cpp:
2012         * b3/B3FixSSA.cpp:
2013         (JSC::B3::demoteValues):
2014         * b3/B3FoldPathConstants.cpp:
2015         * b3/B3InferSwitches.cpp:
2016         * b3/B3LowerMacrosAfterOptimizations.cpp:
2017         (): Deleted.
2018         * b3/B3LowerToAir.cpp:
2019         (JSC::B3::Air::LowerToAir::LowerToAir): Deleted.
2020         (JSC::B3::Air::LowerToAir::run): Deleted.
2021         (JSC::B3::Air::LowerToAir::shouldCopyPropagate): Deleted.
2022         (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise): Deleted.
2023         (JSC::B3::Air::LowerToAir::ArgPromise::swap): Deleted.
2024         (JSC::B3::Air::LowerToAir::ArgPromise::operator=): Deleted.
2025         (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise): Deleted.
2026         (JSC::B3::Air::LowerToAir::ArgPromise::setTraps): Deleted.
2027         (JSC::B3::Air::LowerToAir::ArgPromise::tmp): Deleted.
2028         (JSC::B3::Air::LowerToAir::ArgPromise::operator bool const): Deleted.
2029         (JSC::B3::Air::LowerToAir::ArgPromise::kind const): Deleted.
2030         (JSC::B3::Air::LowerToAir::ArgPromise::peek const): Deleted.
2031         (JSC::B3::Air::LowerToAir::ArgPromise::consume): Deleted.
2032         (JSC::B3::Air::LowerToAir::ArgPromise::inst): Deleted.
2033         (JSC::B3::Air::LowerToAir::tmp): Deleted.
2034         (JSC::B3::Air::LowerToAir::tmpPromise): Deleted.
2035         (JSC::B3::Air::LowerToAir::canBeInternal): Deleted.
2036         (JSC::B3::Air::LowerToAir::commitInternal): Deleted.
2037         (JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
2038         (JSC::B3::Air::LowerToAir::scaleForShl): Deleted.
2039         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
2040         (JSC::B3::Air::LowerToAir::addr): Deleted.
2041         (JSC::B3::Air::LowerToAir::trappingInst): Deleted.
2042         (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode): Deleted.
2043         (JSC::B3::Air::LowerToAir::loadPromise): Deleted.
2044         (JSC::B3::Air::LowerToAir::imm): Deleted.
2045         (JSC::B3::Air::LowerToAir::bitImm): Deleted.
2046         (JSC::B3::Air::LowerToAir::bitImm64): Deleted.
2047         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
2048         (JSC::B3::Air::LowerToAir::tryOpcodeForType): Deleted.
2049         (JSC::B3::Air::LowerToAir::opcodeForType): Deleted.
2050         (JSC::B3::Air::LowerToAir::appendUnOp): Deleted.
2051         (JSC::B3::Air::LowerToAir::preferRightForResult): Deleted.
2052         (JSC::B3::Air::LowerToAir::appendBinOp): Deleted.
2053         (JSC::B3::Air::LowerToAir::appendShift): Deleted.
2054         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp): Deleted.
2055         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): Deleted.
2056         (JSC::B3::Air::LowerToAir::createStore): Deleted.
2057         (JSC::B3::Air::LowerToAir::storeOpcode): Deleted.
2058         (JSC::B3::Air::LowerToAir::appendStore): Deleted.
2059         (JSC::B3::Air::LowerToAir::moveForType): Deleted.
2060         (JSC::B3::Air::LowerToAir::relaxedMoveForType): Deleted.
2061         (JSC::B3::Air::LowerToAir::print): Deleted.
2062         (JSC::B3::Air::LowerToAir::append): Deleted.
2063         (JSC::B3::Air::LowerToAir::appendTrapping): Deleted.
2064         (JSC::B3::Air::LowerToAir::finishAppendingInstructions): Deleted.
2065         (JSC::B3::Air::LowerToAir::newBlock): Deleted.
2066         (JSC::B3::Air::LowerToAir::splitBlock): Deleted.
2067         (JSC::B3::Air::LowerToAir::ensureSpecial): Deleted.
2068         (JSC::B3::Air::LowerToAir::ensureCheckSpecial): Deleted.
2069         (JSC::B3::Air::LowerToAir::fillStackmap): Deleted.
2070         (JSC::B3::Air::LowerToAir::createGenericCompare): Deleted.
2071         (JSC::B3::Air::LowerToAir::createBranch): Deleted.
2072         (JSC::B3::Air::LowerToAir::createCompare): Deleted.
2073         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
2074         (JSC::B3::Air::LowerToAir::tryAppendLea): Deleted.
2075         (JSC::B3::Air::LowerToAir::appendX86Div): Deleted.
2076         (JSC::B3::Air::LowerToAir::appendX86UDiv): Deleted.
2077         (JSC::B3::Air::LowerToAir::loadLinkOpcode): Deleted.
2078         (JSC::B3::Air::LowerToAir::storeCondOpcode): Deleted.
2079         (JSC::B3::Air::LowerToAir::appendCAS): Deleted.
2080         (JSC::B3::Air::LowerToAir::appendVoidAtomic): Deleted.
2081         (JSC::B3::Air::LowerToAir::appendGeneralAtomic): Deleted.
2082         (JSC::B3::Air::LowerToAir::lower): Deleted.
2083         * b3/B3PatchpointSpecial.cpp:
2084         (JSC::B3::PatchpointSpecial::generate):
2085         * b3/B3ReduceDoubleToFloat.cpp:
2086         (JSC::B3::reduceDoubleToFloat):
2087         * b3/B3ReduceStrength.cpp:
2088         * b3/B3StackmapGenerationParams.cpp:
2089         * b3/B3StackmapSpecial.cpp:
2090         (JSC::B3::StackmapSpecial::repsImpl):
2091         (JSC::B3::StackmapSpecial::repForArg):
2092         * b3/air/AirAllocateStackByGraphColoring.cpp:
2093         (JSC::B3::Air::allocateStackByGraphColoring):
2094         * b3/air/AirEmitShuffle.cpp:
2095         (JSC::B3::Air::emitShuffle):
2096         * b3/air/AirFixObviousSpills.cpp:
2097         * b3/air/AirLowerAfterRegAlloc.cpp:
2098         (JSC::B3::Air::lowerAfterRegAlloc):
2099         * b3/air/AirStackAllocation.cpp:
2100         (JSC::B3::Air::attemptAssignment):
2101         (JSC::B3::Air::assign):
2102         * bytecode/AccessCase.cpp:
2103         (JSC::AccessCase::generateImpl):
2104         * bytecode/CallLinkStatus.cpp:
2105         (JSC::CallLinkStatus::computeDFGStatuses):
2106         * bytecode/GetterSetterAccessCase.cpp:
2107         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
2108         * bytecode/ObjectPropertyConditionSet.cpp:
2109         * bytecode/PolymorphicAccess.cpp:
2110         (JSC::PolymorphicAccess::addCases):
2111         (JSC::PolymorphicAccess::regenerate):
2112         * bytecode/PropertyCondition.cpp:
2113         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
2114         * bytecode/StructureStubInfo.cpp:
2115         (JSC::StructureStubInfo::addAccessCase):
2116         * dfg/DFGArgumentsEliminationPhase.cpp:
2117         * dfg/DFGByteCodeParser.cpp:
2118         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
2119         (JSC::DFG::ByteCodeParser::inliningCost):
2120         (JSC::DFG::ByteCodeParser::inlineCall):
2121         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2122         (JSC::DFG::ByteCodeParser::handleInlining):
2123         (JSC::DFG::ByteCodeParser::planLoad):
2124         (JSC::DFG::ByteCodeParser::store):
2125         (JSC::DFG::ByteCodeParser::parseBlock):
2126         (JSC::DFG::ByteCodeParser::linkBlock):
2127         (JSC::DFG::ByteCodeParser::linkBlocks):
2128         * dfg/DFGCSEPhase.cpp:
2129         * dfg/DFGInPlaceAbstractState.cpp:
2130         (JSC::DFG::InPlaceAbstractState::merge):
2131         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2132         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
2133         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2134         * dfg/DFGMovHintRemovalPhase.cpp:
2135         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2136         * dfg/DFGPhantomInsertionPhase.cpp:
2137         * dfg/DFGPutStackSinkingPhase.cpp:
2138         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2139         * dfg/DFGVarargsForwardingPhase.cpp:
2140         * ftl/FTLAbstractHeap.cpp:
2141         (JSC::FTL::AbstractHeap::compute):
2142         * ftl/FTLAbstractHeapRepository.cpp:
2143         (JSC::FTL::AbstractHeapRepository::decorateMemory):
2144         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
2145         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
2146         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
2147         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
2148         (JSC::FTL::AbstractHeapRepository::decorateFenceRead):
2149         (JSC::FTL::AbstractHeapRepository::decorateFenceWrite):
2150         (JSC::FTL::AbstractHeapRepository::decorateFencedAccess):
2151         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
2152         * ftl/FTLLink.cpp:
2153         (JSC::FTL::link):
2154         * heap/MarkingConstraintSet.cpp:
2155         (JSC::MarkingConstraintSet::add):
2156         * interpreter/ShadowChicken.cpp:
2157         (JSC::ShadowChicken::update):
2158         * jit/BinarySwitch.cpp:
2159         (JSC::BinarySwitch::BinarySwitch):
2160         (JSC::BinarySwitch::build):
2161         * llint/LLIntData.cpp:
2162         (JSC::LLInt::Data::loadStats):
2163         (JSC::LLInt::Data::saveStats):
2164         * runtime/ArrayPrototype.cpp:
2165         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
2166         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2167         * runtime/ErrorInstance.cpp:
2168         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
2169         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
2170         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame const): Deleted.
2171         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index const): Deleted.
2172         * runtime/IntlDateTimeFormat.cpp:
2173         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2174         * runtime/PromiseDeferredTimer.cpp:
2175         (JSC::PromiseDeferredTimer::doWork):
2176         (JSC::PromiseDeferredTimer::addPendingPromise):
2177         (JSC::PromiseDeferredTimer::cancelPendingPromise):
2178         * runtime/TypeProfiler.cpp:
2179         (JSC::TypeProfiler::insertNewLocation):
2180         * runtime/TypeProfilerLog.cpp:
2181         (JSC::TypeProfilerLog::processLogEntries):
2182         * runtime/WeakMapPrototype.cpp:
2183         (JSC::protoFuncWeakMapDelete):
2184         (JSC::protoFuncWeakMapGet):
2185         (JSC::protoFuncWeakMapHas):
2186         (JSC::protoFuncWeakMapSet):
2187         (JSC::getWeakMapData): Deleted.
2188         * runtime/WeakSetPrototype.cpp:
2189         (JSC::protoFuncWeakSetDelete):
2190         (JSC::protoFuncWeakSetHas):
2191         (JSC::protoFuncWeakSetAdd):
2192         (JSC::getWeakMapData): Deleted.
2193         * testRegExp.cpp:
2194         (testOneRegExp):
2195         (runFromFiles):
2196         * wasm/WasmB3IRGenerator.cpp:
2197         (JSC::Wasm::parseAndCompile):
2198         * wasm/WasmBBQPlan.cpp:
2199         (JSC::Wasm::BBQPlan::moveToState):
2200         (JSC::Wasm::BBQPlan::parseAndValidateModule):
2201         (JSC::Wasm::BBQPlan::prepare):
2202         (JSC::Wasm::BBQPlan::compileFunctions):
2203         (JSC::Wasm::BBQPlan::complete):
2204         * wasm/WasmFaultSignalHandler.cpp:
2205         (JSC::Wasm::trapHandler):
2206         * wasm/WasmOMGPlan.cpp:
2207         (JSC::Wasm::OMGPlan::OMGPlan):
2208         (JSC::Wasm::OMGPlan::work):
2209         * wasm/WasmPlan.cpp:
2210         (JSC::Wasm::Plan::fail):
2211         * wasm/WasmSignature.cpp:
2212         (JSC::Wasm::SignatureInformation::adopt):
2213         * wasm/WasmWorklist.cpp:
2214         (JSC::Wasm::Worklist::enqueue):
2215
2216 2017-09-12  Michael Saboff  <msaboff@apple.com>
2217
2218         String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp
2219         https://bugs.webkit.org/show_bug.cgi?id=176814
2220
2221         Reviewed by Mark Lam.
2222
2223         The copy and advance indices were off by one and needed a little fine tuning.
2224
2225         * runtime/StringPrototype.cpp:
2226         (JSC::substituteBackreferencesSlow):
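
        As an added example, not code from this ChangeLog entry or from JSC itself, the following
        JavaScript models the ES2018 GetSubstitution algorithm that substituteBackreferencesSlow
        implements, including the "$<name>" case the entry refers to: when the RegExp has no named
        groups, "$<" must be copied through as exactly two literal characters and the scan must
        advance past exactly those two characters, which is the copy/advance index bookkeeping
        the entry describes. The function names are the example's own. A helper drives the model
        through a real RegExp match so its output can be compared with the engine's own
        String.prototype.replace on the same inputs.

```javascript
// Added example (not JSC source). Model of ES2018 GetSubstitution(matched, str,
// position, captures, namedCaptures, replacementTemplate). It expands $$, $&,
// $`, $', $n / $nn and $<name>; anything else after '$' is literal.
function getSubstitution(matched, str, position, captures, namedCaptures, template) {
  const m = captures.length;
  const tailPos = position + matched.length;
  let result = '';
  let i = 0;
  while (i < template.length) {
    const ch = template[i];
    if (ch !== '$' || i + 1 >= template.length) { result += ch; i += 1; continue; }
    const next = template[i + 1];
    if (next === '$') { result += '$'; i += 2; continue; }
    if (next === '&') { result += matched; i += 2; continue; }
    if (next === '`') { result += str.slice(0, position); i += 2; continue; }
    if (next === "'") { result += str.slice(tailPos); i += 2; continue; }
    if (next >= '0' && next <= '9') {
      // $nn is tried first; it wins only when it names an existing group.
      let digits = next;
      let consumed = 2;
      const next2 = template[i + 2];
      if (next2 !== undefined && next2 >= '0' && next2 <= '9') {
        const nn = Number(next + next2);
        if (nn >= 1 && nn <= m) { digits = next + next2; consumed = 3; }
      }
      const n = Number(digits);
      if (n >= 1 && n <= m) {
        const cap = captures[n - 1];
        if (cap !== undefined) result += cap;   // unmatched group expands to ""
      } else {
        result += '$' + digits;                 // out of range: literal text
      }
      i += consumed;
      continue;
    }
    if (next === '<') {
      if (namedCaptures === undefined) {
        // No named groups in the pattern: "$<" is literal. Copy both characters
        // and advance by exactly two, no more and no less.
        result += '$<';
        i += 2;
        continue;
      }
      const close = template.indexOf('>', i + 2);
      if (close === -1) { result += '$<'; i += 2; continue; }   // unterminated: literal
      const groupName = template.slice(i + 2, close);
      const cap = namedCaptures[groupName];
      if (cap !== undefined) result += String(cap);   // unknown name expands to ""
      i = close + 1;
      continue;
    }
    result += '$';   // '$' followed by anything else is literal
    i += 1;
  }
  return result;
}

// Drive the model through a real (non-global) RegExp match. match.groups is
// undefined when the pattern has no named groups, which is exactly the
// namedCaptures === undefined case above.
function replaceFirstModel(str, regexp, template) {
  const match = regexp.exec(str);
  if (match === null) return str;
  const matched = match[0];
  const position = match.index;
  const replacement = getSubstitution(matched, str, position, match.slice(1), match.groups, template);
  return str.slice(0, position) + replacement + str.slice(position + matched.length);
}

// True when the model and the running engine agree on an input.
function agreesWithEngine(str, regexp, template) {
  return replaceFirstModel(str, regexp, template) === str.replace(regexp, template);
}
```

        Running the model and the engine side by side on "$<x>" with and without a named group
        in the pattern shows the three outcomes the spec distinguishes: literal "$<x>" when the
        pattern has no named groups, the captured text when the name exists, and the empty string
        when named groups exist but the name does not.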
2227
2228 2017-09-11  Mark Lam  <mark.lam@apple.com>
2229
2230         More exception check book-keeping needed found by 32-bit JSC test failures.
2231         https://bugs.webkit.org/show_bug.cgi?id=176742
2232
2233         Reviewed by Michael Saboff and Keith Miller.
2234
2235         * dfg/DFGOperations.cpp:
2236
2237 2017-09-11  Mark Lam  <mark.lam@apple.com>
2238
2239         Make jsc dump the command line if JSC_dumpOption environment variable is set with a non-zero value.
2240         https://bugs.webkit.org/show_bug.cgi?id=176722
2241
2242         Reviewed by Saam Barati.
2243
2244         For PLATFORM(COCOA), I also dumped the JSC_* environmental variables that are
2245         in effect when jsc is invoked.
2246
2247         * jsc.cpp:
2248         (CommandLine::parseArguments):
2249
2250 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
2251
2252         Unreviewed, rolling out r221854.
2253
2254         The test added with this change fails on 32-bit JSC bots.
2255
2256         Reverted changeset:
2257
2258         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
2259         https://bugs.webkit.org/show_bug.cgi?id=176010
2260         http://trac.webkit.org/changeset/221854
2261
2262 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2263
2264         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
2265         https://bugs.webkit.org/show_bug.cgi?id=176010
2266
2267         Reviewed by Filip Pizlo.
2268
2269         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
2270         It is used for meta property for objects (see peekMeta function in Ember.js).
2271
2272         This patch optimizes WeakMap#get.
2273
2274         1. We use inlineGet to inline WeakMap#get operation in the native function.
2275         Since this native function itself is very small, we should inline HashMap#get
2276         entirely in this function.
2277
2278         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
2279         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
2280         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
2281         ObjectUse, and Int32Use.
2282
2283         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
2284         calculate hash value for the key's Object and use this hash value to look up value from
2285         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
2286         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
2287         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
2288         patches.
2289
2290         We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
2291         not used in Ember.js right now.
2292
2293         This patch optimizes WeakMap#get by 50%.
2294
2295                                  baseline                  patched
2296
2297         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
2298
2299         * bytecode/DirectEvalCodeCache.h:
2300         (JSC::DirectEvalCodeCache::tryGet):
2301         * bytecode/SpeculatedType.cpp:
2302         (JSC::dumpSpeculation):
2303         (JSC::speculationFromClassInfo):
2304         (JSC::speculationFromJSType):
2305         (JSC::speculationFromString):
2306         * bytecode/SpeculatedType.h:
2307         * dfg/DFGAbstractInterpreterInlines.h:
2308         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2309         * dfg/DFGByteCodeParser.cpp:
2310         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2311         * dfg/DFGClobberize.h:
2312         (JSC::DFG::clobberize):
2313         * dfg/DFGDoesGC.cpp:
2314         (JSC::DFG::doesGC):
2315         * dfg/DFGFixupPhase.cpp:
2316         (JSC::DFG::FixupPhase::fixupNode):
2317         * dfg/DFGHeapLocation.cpp:
2318         (WTF::printInternal):
2319         * dfg/DFGHeapLocation.h:
2320         * dfg/DFGNode.h:
2321         (JSC::DFG::Node::hasHeapPrediction):
2322         * dfg/DFGNodeType.h:
2323         * dfg/DFGOperations.cpp:
2324         * dfg/DFGOperations.h:
2325         * dfg/DFGPredictionPropagationPhase.cpp:
2326         * dfg/DFGSafeToExecute.h:
2327         (JSC::DFG::SafeToExecuteEdge::operator()):
2328         (JSC::DFG::safeToExecute):
2329         * dfg/DFGSpeculativeJIT.cpp:
2330         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
2331         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
2332         (JSC::DFG::SpeculativeJIT::speculate):
2333         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
2334         * dfg/DFGSpeculativeJIT.h:
2335         (JSC::DFG::SpeculativeJIT::callOperation):
2336         * dfg/DFGSpeculativeJIT32_64.cpp:
2337         (JSC::DFG::SpeculativeJIT::compile):
2338         * dfg/DFGSpeculativeJIT64.cpp:
2339         (JSC::DFG::SpeculativeJIT::compile):
2340         * dfg/DFGUseKind.cpp:
2341         (WTF::printInternal):
2342         * dfg/DFGUseKind.h:
2343         (JSC::DFG::typeFilterFor):
2344         (JSC::DFG::isCell):
2345         * ftl/FTLCapabilities.cpp:
2346         (JSC::FTL::canCompile):
2347         * ftl/FTLLowerDFGToB3.cpp:
2348         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2349         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
2350         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
2351         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
2352         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2353         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
2354         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
2355         * jit/JITOperations.h:
2356         * runtime/Intrinsic.cpp:
2357         (JSC::intrinsicName):
2358         * runtime/Intrinsic.h:
2359         * runtime/JSType.h:
2360         * runtime/JSWeakMap.h:
2361         (JSC::isJSWeakMap):
2362         * runtime/JSWeakSet.h:
2363         (JSC::isJSWeakSet):
2364         * runtime/WeakMapBase.cpp:
2365         (JSC::WeakMapBase::get):
2366         * runtime/WeakMapBase.h:
2367         (JSC::WeakMapBase::HashTranslator::hash):
2368         (JSC::WeakMapBase::HashTranslator::equal):
2369         (JSC::WeakMapBase::inlineGet):
2370         * runtime/WeakMapPrototype.cpp:
2371         (JSC::WeakMapPrototype::finishCreation):
2372         (JSC::getWeakMap):
2373         (JSC::protoFuncWeakMapGet):
2374         * runtime/WeakSetPrototype.cpp:
2375         (JSC::getWeakSet):
2376
2377 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2378
2379         [JSC] Optimize Object.keys by using careful array allocation
2380         https://bugs.webkit.org/show_bug.cgi?id=176654
2381
2382         Reviewed by Darin Adler.
2383
2384         SixSpeed object-assign.es6 stresses Object.keys. Object.keys is one of the most frequently used
2385         functions in JS apps. Luckily Object.keys has several good features.
2386
2387         1. Once PropertyNameArray is allocated, we know the length of the result array since
2388         we do not need to filter out keys listed in PropertyNameArray. The exception is ProxyObject,
2389         but it rarely appears. ProxyObject case goes to the generic path.
2390
2391         2. Object.keys does not need to access object after listing PropertyNameArray. It means
2392         that we do not need to worry about enumeration attribute changes by touching the object.
2393
2394         This patch adds a fast path for Object.keys's array allocation. We allocate the JSArray
2395         with the size and ArrayContiguous indexing shape.
2396
2397         This further improves SixSpeed object-assign.es5 by 13%.
2398
2399                                             baseline                  patched
2400         Microbenchmarks:
2401            object-keys-map-values       73.4324+-2.5397     ^     62.5933+-2.6677        ^ definitely 1.1732x faster
2402            object-keys                  40.8828+-1.5851     ^     29.2066+-1.8944        ^ definitely 1.3998x faster
2403
2404                                             baseline                  patched
2405         SixSpeed:
2406            object-assign.es5           384.8719+-10.7204    ^    340.2734+-12.0947       ^ definitely 1.1311x faster
2407
2408         BTW, a further optimization of Object.keys can be considered: introducing an own property keys
2409         cache which is similar to the current enumeration cache. But this patch is orthogonal to
2410         this optimization!
2411
2412         * runtime/ObjectConstructor.cpp:
2413         (JSC::objectConstructorValues):
2414         (JSC::ownPropertyKeys):
2415         * runtime/ObjectConstructor.h:
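
        As an added example, not code from this ChangeLog entry or from JSC, the following
        JavaScript shows the two properties the entry relies on and the ProxyObject exception it
        mentions. For an ordinary object the enumerable own keys are fixed once they have been
        listed, and listing them does not run getters, so the result length is known before the
        array is allocated. For a Proxy both the ownKeys and getOwnPropertyDescriptor traps are
        observable, and the second trap can drop or demote keys the first one reported, so the
        final length is only known after every key has been checked again. The function names
        and the sample objects are the example's own.

```javascript
// Added example (not JSC source).

// Ordinary object: Object.keys returns the enumerable own string keys in
// listing order. A non-enumerable property is excluded, and an enumerable
// accessor is listed without its getter ever running.
function ordinaryKeys() {
  const o = { a: 1, b: 2 };
  Object.defineProperty(o, 'hidden', { value: 3, enumerable: false });
  let getterCalls = 0;
  Object.defineProperty(o, 'g', {
    get() { getterCalls += 1; return 4; },
    enumerable: true,
  });
  const keys = Object.keys(o);
  return { keys, getterCalls };
}

// Proxy: ownKeys reports three keys, but getOwnPropertyDescriptor then marks
// one non-enumerable and reports another as absent. Object.keys must therefore
// re-check each key through the trap and filter, so the number of keys listed
// by ownKeys is not the length of the result.
function proxyKeys() {
  const trapLog = [];
  const target = {};   // extensible and empty, so the traps below satisfy the proxy invariants
  const p = new Proxy(target, {
    ownKeys() {
      trapLog.push('ownKeys');
      return ['a', 'b', 'c'];
    },
    getOwnPropertyDescriptor(t, key) {
      trapLog.push('gopd:' + key);
      if (key === 'a') return { value: 1, enumerable: true, configurable: true };
      if (key === 'b') return { value: 2, enumerable: false, configurable: true };
      return undefined;   // 'c' is reported by ownKeys but does not exist
    },
  });
  const keys = Object.keys(p);
  return { keys, trapLog };
}
```

        The trap log records one ownKeys call followed by one getOwnPropertyDescriptor call per
        reported key, and only 'a' survives, which is why the entry routes ProxyObject through the
        generic path instead of the presized fast path.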
2416
2417 2017-09-10  Mark Lam  <mark.lam@apple.com>
2418
2419         Fix all ExceptionScope verification failures in JavaScriptCore.
2420         https://bugs.webkit.org/show_bug.cgi?id=176662
2421         <rdar://problem/34352085>
2422
2423         Reviewed by Filip Pizlo.
2424
2425         1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope
2426            verification for release builds too (though this requires manually setting
2427            ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).
2428
2429            This is useful because it allows us to run the tests more quickly to check
2430            if any regressions have occurred.  Debug builds run so much slower and are not
2431            good for a quick turnaround.  Debug builds are necessary though to get
2432            trace information without inlining by the C++ compiler.  This is necessary to
2433            diagnose where the missing exception check is.
2434
2435         2. Repurposed the JSC_dumpSimulatedThrows=true option to capture and dump the last
2436            simulated throw when an exception scope verification fails.
2437
2438            Previously, this option dumped the stack trace on all simulated throws.  That
2439            turned out to not be very useful, and slows down the debugging process.
2440            Instead, the new implementation captures the stack trace and only dumps it
2441            if we have a verification failure.
2442
2443         3. Fixed missing exception checks and book-keeping needed to allow the JSC tests
2444            to pass with JSC_validateExceptionChecks=true.
2445
2446         * bytecode/CodeBlock.cpp:
2447         (JSC::CodeBlock::finishCreation):
2448         * dfg/DFGOSRExit.cpp:
2449         (JSC::DFG::OSRExit::executeOSRExit):
2450         * dfg/DFGOperations.cpp:
2451         * interpreter/Interpreter.cpp:
2452         (JSC::eval):
2453         (JSC::loadVarargs):
2454         (JSC::Interpreter::unwind):
2455         (JSC::Interpreter::executeProgram):
2456         (JSC::Interpreter::executeCall):
2457         (JSC::Interpreter::executeConstruct):
2458         (JSC::Interpreter::prepareForRepeatCall):
2459         (JSC::Interpreter::execute):
2460         (JSC::Interpreter::executeModuleProgram):
2461         * jit/JITOperations.cpp:
2462         (JSC::getByVal):
2463         * jsc.cpp:
2464         (WTF::CustomGetter::customGetterAcessor):
2465         (GlobalObject::moduleLoaderImportModule):
2466         (GlobalObject::moduleLoaderResolve):
2467         * llint/LLIntSlowPaths.cpp:
2468         (JSC::LLInt::getByVal):
2469         (JSC::LLInt::setUpCall):
2470         * parser/Parser.h:
2471         (JSC::Parser::popScopeInternal):
2472         * runtime/AbstractModuleRecord.cpp:
2473         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2474         (JSC::AbstractModuleRecord::resolveImport):
2475         (JSC::AbstractModuleRecord::resolveExportImpl):
2476         (JSC::getExportedNames):
2477         (JSC::AbstractModuleRecord::getModuleNamespace):
2478         * runtime/ArrayPrototype.cpp:
2479         (JSC::getProperty):
2480         (JSC::unshift):
2481         (JSC::arrayProtoFuncToString):
2482         (JSC::arrayProtoFuncToLocaleString):
2483         (JSC::arrayProtoFuncJoin):
2484         (JSC::arrayProtoFuncPop):
2485         (JSC::arrayProtoFuncPush):
2486         (JSC::arrayProtoFuncReverse):
2487         (JSC::arrayProtoFuncShift):
2488         (JSC::arrayProtoFuncSlice):
2489         (JSC::arrayProtoFuncSplice):
2490         (JSC::arrayProtoFuncUnShift):
2491         (JSC::arrayProtoFuncIndexOf):
2492         (JSC::arrayProtoFuncLastIndexOf):
2493         (JSC::concatAppendOne):
2494         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2495         (JSC::arrayProtoPrivateFuncAppendMemcpy):
2496         * runtime/CatchScope.h:
2497         * runtime/CommonSlowPaths.cpp:
2498         (JSC::SLOW_PATH_DECL):
2499         * runtime/DatePrototype.cpp:
2500         (JSC::dateProtoFuncSetTime):
2501         (JSC::setNewValueFromTimeArgs):
2502         * runtime/DirectArguments.h:
2503         (JSC::DirectArguments::length const):
2504         * runtime/ErrorPrototype.cpp:
2505         (JSC::errorProtoFuncToString):
2506         * runtime/ExceptionFuzz.cpp:
2507         (JSC::doExceptionFuzzing):
2508         * runtime/ExceptionScope.h:
2509         (JSC::ExceptionScope::needExceptionCheck):
2510         (JSC::ExceptionScope::assertNoException):
2511         * runtime/GenericArgumentsInlines.h:
2512         (JSC::GenericArguments<Type>::defineOwnProperty):
2513         * runtime/HashMapImpl.h:
2514         (JSC::HashMapImpl::rehash):
2515         * runtime/IntlDateTimeFormat.cpp:
2516         (JSC::IntlDateTimeFormat::formatToParts):
2517         * runtime/JSArray.cpp:
2518         (JSC::JSArray::defineOwnProperty):
2519         (JSC::JSArray::put):
2520         * runtime/JSCJSValue.cpp:
2521         (JSC::JSValue::putToPrimitive):
2522         (JSC::JSValue::putToPrimitiveByIndex):
2523         * runtime/JSCJSValueInlines.h:
2524         (JSC::JSValue::toIndex const):
2525         (JSC::JSValue::get const):
2526         (JSC::JSValue::getPropertySlot const):
2527         (JSC::JSValue::equalSlowCaseInline):
2528         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2529         (JSC::constructGenericTypedArrayViewFromIterator):
2530         (JSC::constructGenericTypedArrayViewWithArguments):
2531         * runtime/JSGenericTypedArrayViewInlines.h:
2532         (JSC::JSGenericTypedArrayView<Adaptor>::set):
2533         * runtime/JSGlobalObject.cpp:
2534         (JSC::JSGlobalObject::put):
2535         * runtime/JSGlobalObjectFunctions.cpp:
2536         (JSC::decode):
2537         (JSC::globalFuncEval):
2538         (JSC::globalFuncProtoGetter):
2539         (JSC::globalFuncProtoSetter):
2540         (JSC::globalFuncImportModule):
2541         * runtime/JSInternalPromise.cpp:
2542         (JSC::JSInternalPromise::then):
2543         * runtime/JSInternalPromiseDeferred.cpp:
2544         (JSC::JSInternalPromiseDeferred::create):
2545         * runtime/JSJob.cpp:
2546         (JSC::JSJobMicrotask::run):
2547         * runtime/JSModuleEnvironment.cpp:
2548         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2549         (JSC::JSModuleEnvironment::put):
2550         (JSC::JSModuleEnvironment::deleteProperty):
2551         * runtime/JSModuleLoader.cpp:
2552         (JSC::JSModuleLoader::provide):
2553         (JSC::JSModuleLoader::loadAndEvaluateModule):
2554         (JSC::JSModuleLoader::loadModule):
2555         (JSC::JSModuleLoader::linkAndEvaluateModule):
2556         (JSC::JSModuleLoader::requestImportModule):
2557         * runtime/JSModuleRecord.cpp:
2558         (JSC::JSModuleRecord::link):
2559         (JSC::JSModuleRecord::instantiateDeclarations):
2560         * runtime/JSONObject.cpp:
2561         (JSC::Stringifier::stringify):
2562         (JSC::Stringifier::toJSON):
2563         (JSC::JSONProtoFuncParse):
2564         * runtime/JSObject.cpp:
2565         (JSC::JSObject::calculatedClassName):
2566         (JSC::ordinarySetSlow):
2567         (JSC::JSObject::putInlineSlow):
2568         (JSC::JSObject::ordinaryToPrimitive const):
2569         (JSC::JSObject::toPrimitive const):
2570         (JSC::JSObject::hasInstance):
2571         (JSC::JSObject::getPropertyNames):
2572         (JSC::JSObject::toNumber const):
2573         (JSC::JSObject::defineOwnIndexedProperty):
2574         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2575         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2576         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2577         (JSC::validateAndApplyPropertyDescriptor):
2578         (JSC::JSObject::defineOwnNonIndexProperty):
2579         (JSC::JSObject::getGenericPropertyNames):
2580         * runtime/JSObject.h:
2581         (JSC::JSObject::get const):
2582         * runtime/JSObjectInlines.h:
2583         (JSC::JSObject::getPropertySlot const):
2584         (JSC::JSObject::getPropertySlot):
2585         (JSC::JSObject::getNonIndexPropertySlot):
2586         (JSC::JSObject::putInlineForJSObject):
2587         * runtime/JSPromiseConstructor.cpp:
2588         (JSC::constructPromise):
2589         * runtime/JSPromiseDeferred.cpp:
2590         (JSC::JSPromiseDeferred::create):
2591         * runtime/JSScope.cpp:
2592         (JSC::abstractAccess):
2593         (JSC::JSScope::resolve):
2594         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
2595         (JSC::JSScope::abstractResolve):
2596         * runtime/LiteralParser.cpp:
2597         (JSC::LiteralParser<CharType>::tryJSONPParse):
2598         (JSC::LiteralParser<CharType>::parse):
2599         * runtime/Lookup.h:
2600         (JSC::putEntry):
2601         * runtime/MapConstructor.cpp:
2602         (JSC::constructMap):
2603         * runtime/NumberPrototype.cpp:
2604         (JSC::numberProtoFuncToString):
2605         * runtime/ObjectConstructor.cpp:
2606         (JSC::objectConstructorSetPrototypeOf):
2607         (JSC::objectConstructorGetOwnPropertyDescriptor):
2608         (JSC::objectConstructorGetOwnPropertyDescriptors):
2609         (JSC::objectConstructorAssign):
2610         (JSC::objectConstructorValues):
2611         (JSC::toPropertyDescriptor):
2612         (JSC::objectConstructorDefineProperty):
2613         (JSC::defineProperties):
2614         (JSC::objectConstructorDefineProperties):
2615         (JSC::ownPropertyKeys):
2616         * runtime/ObjectPrototype.cpp:
2617         (JSC::objectProtoFuncHasOwnProperty):
2618         (JSC::objectProtoFuncIsPrototypeOf):
2619         (JSC::objectProtoFuncLookupGetter):
2620         (JSC::objectProtoFuncLookupSetter):
2621         (JSC::objectProtoFuncToLocaleString):
2622         (JSC::objectProtoFuncToString):
2623         * runtime/Options.h:
2624         * runtime/ParseInt.h:
2625         (JSC::toStringView):
2626         * runtime/ProxyObject.cpp:
2627         (JSC::performProxyGet):
2628         (JSC::ProxyObject::performPut):
2629         * runtime/ReflectObject.cpp:
2630         (JSC::reflectObjectDefineProperty):
2631         * runtime/RegExpConstructor.cpp:
2632         (JSC::toFlags):
2633         (JSC::regExpCreate):
2634         (JSC::constructRegExp):
2635         * runtime/RegExpObject.cpp:
2636         (JSC::collectMatches):
2637         * runtime/RegExpObjectInlines.h:
2638         (JSC::RegExpObject::execInline):
2639         (JSC::RegExpObject::matchInline):
2640         * runtime/RegExpPrototype.cpp:
2641         (JSC::regExpProtoFuncTestFast):
2642         (JSC::regExpProtoFuncExec):
2643         (JSC::regExpProtoFuncMatchFast):
2644         (JSC::regExpProtoFuncToString):
2645         (JSC::regExpProtoFuncSplitFast):
2646         * runtime/ScriptExecutable.cpp:
2647         (JSC::ScriptExecutable::newCodeBlockFor):
2648         (JSC::ScriptExecutable::prepareForExecutionImpl):
2649         * runtime/SetConstructor.cpp:
2650         (JSC::constructSet):
2651         * runtime/ThrowScope.cpp:
2652         (JSC::ThrowScope::simulateThrow):
2653         * runtime/VM.cpp:
2654         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
2655         * runtime/VM.h:
2656         * runtime/WeakMapPrototype.cpp:
2657         (JSC::protoFuncWeakMapSet):
2658         * runtime/WeakSetPrototype.cpp:
2659         (JSC::protoFuncWeakSetAdd):
2660         * wasm/js/WebAssemblyModuleConstructor.cpp:
2661         (JSC::WebAssemblyModuleConstructor::createModule):
2662         * wasm/js/WebAssemblyModuleRecord.cpp:
2663         (JSC::WebAssemblyModuleRecord::link):
2664         * wasm/js/WebAssemblyPrototype.cpp:
2665         (JSC::reject):
2666         (JSC::webAssemblyCompileFunc):
2667         (JSC::resolve):
2668         (JSC::webAssemblyInstantiateFunc):
2669
2670 2017-09-08  Filip Pizlo  <fpizlo@apple.com>
2671
2672         Error should compute .stack and friends lazily
2673         https://bugs.webkit.org/show_bug.cgi?id=176645
2674
2675         Reviewed by Saam Barati.
2676         
2677         Building the string portion of the stack trace after we walk the stack accounts for most of
2678         the cost of computing the .stack property. So, this patch makes ErrorInstance hold onto the
2679         Vector<StackFrame> so that it can build the string only once it's really needed.
2680         
2681         This is an enormous speed-up for programs that allocate and throw exceptions.
2682         
2683         It's a 5.6x speed-up for "new Error()" with a stack that is 4 functions deep.
2684         
2685         It's a 2.2x speed-up for throwing and catching an Error.
2686         
2687         It's a 1.17x speed-up for the WSL test suite (which throws a lot).
2688         
2689         It's a significant speed-up on many of our existing try-catch microbenchmarks. For example,
2690         delta-blue-try-catch is 1.16x faster.
2691
2692         * interpreter/Interpreter.cpp:
2693         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
2694         (JSC::GetStackTraceFunctor::operator() const):
2695         (JSC::Interpreter::getStackTrace):
2696         * interpreter/Interpreter.h:
2697         * runtime/Error.cpp:
2698         (JSC::getStackTrace):
2699         (JSC::getBytecodeOffset):
2700         (JSC::addErrorInfo):
2701         (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
2702         * runtime/Error.h:
2703         * runtime/ErrorInstance.cpp:
2704         (JSC::ErrorInstance::ErrorInstance):
2705         (JSC::ErrorInstance::finishCreation):
2706         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
2707         (JSC::ErrorInstance::visitChildren):
2708         (JSC::ErrorInstance::getOwnPropertySlot):
2709         (JSC::ErrorInstance::getOwnNonIndexPropertyNames):
2710         (JSC::ErrorInstance::defineOwnProperty):
2711         (JSC::ErrorInstance::put):
2712         (JSC::ErrorInstance::deleteProperty):
2713         * runtime/ErrorInstance.h:
2714         * runtime/Exception.cpp:
2715         (JSC::Exception::visitChildren):
2716         (JSC::Exception::finishCreation):
2717         * runtime/Exception.h:
2718         * runtime/StackFrame.cpp:
2719         (JSC::StackFrame::visitChildren):
2720         * runtime/StackFrame.h:
2721         (JSC::StackFrame::StackFrame):
2722
2723 2017-09-09  Mark Lam  <mark.lam@apple.com>
2724
2725         [Re-landing] Use JIT probes for DFG OSR exit.
2726         https://bugs.webkit.org/show_bug.cgi?id=175144
2727         <rdar://problem/33437050>
2728
2729         Not reviewed.  Original patch reviewed by Saam Barati.
2730
2731         Relanding r221774.
2732
2733         * JavaScriptCore.xcodeproj/project.pbxproj:
2734         * assembler/MacroAssembler.cpp:
2735         (JSC::stdFunctionCallback):
2736         * assembler/MacroAssemblerPrinter.cpp:
2737         (JSC::Printer::printCallback):
2738         * assembler/ProbeContext.h:
2739         (JSC::Probe::CPUState::gpr const):
2740         (JSC::Probe::CPUState::spr const):
2741         (JSC::Probe::Context::Context):
2742         (JSC::Probe::Context::arg):
2743         (JSC::Probe::Context::gpr):
2744         (JSC::Probe::Context::spr):
2745         (JSC::Probe::Context::fpr):
2746         (JSC::Probe::Context::gprName):
2747         (JSC::Probe::Context::sprName):
2748         (JSC::Probe::Context::fprName):
2749         (JSC::Probe::Context::gpr const):
2750         (JSC::Probe::Context::spr const):
2751         (JSC::Probe::Context::fpr const):
2752         (JSC::Probe::Context::pc):
2753         (JSC::Probe::Context::fp):
2754         (JSC::Probe::Context::sp):
2755         (JSC::Probe:: const): Deleted.
2756         * assembler/ProbeFrame.h: Copied from Source/JavaScriptCore/assembler/ProbeFrame.h.
2757         * assembler/ProbeStack.cpp:
2758         (JSC::Probe::Page::Page):
2759         * assembler/ProbeStack.h:
2760         (JSC::Probe::Page::get):
2761         (JSC::Probe::Page::set):
2762         (JSC::Probe::Page::physicalAddressFor):
2763         (JSC::Probe::Stack::lowWatermark):
2764         (JSC::Probe::Stack::get):
2765         (JSC::Probe::Stack::set):
2766         * bytecode/ArithProfile.cpp:
2767         * bytecode/ArithProfile.h:
2768         * bytecode/ArrayProfile.h:
2769         (JSC::ArrayProfile::observeArrayMode):
2770         * bytecode/CodeBlock.cpp:
2771         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
2772         * bytecode/CodeBlock.h:
2773         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
2774         * bytecode/ExecutionCounter.h:
2775         (JSC::ExecutionCounter::hasCrossedThreshold const):
2776         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
2777         * bytecode/MethodOfGettingAValueProfile.cpp:
2778         (JSC::MethodOfGettingAValueProfile::reportValue):
2779         * bytecode/MethodOfGettingAValueProfile.h:
2780         * dfg/DFGDriver.cpp:
2781         (JSC::DFG::compileImpl):
2782         * dfg/DFGJITCode.cpp:
2783         (JSC::DFG::JITCode::findPC): Deleted.
2784         * dfg/DFGJITCode.h:
2785         * dfg/DFGJITCompiler.cpp:
2786         (JSC::DFG::JITCompiler::linkOSRExits):
2787         (JSC::DFG::JITCompiler::link):
2788         * dfg/DFGOSRExit.cpp:
2789         (JSC::DFG::jsValueFor):
2790         (JSC::DFG::restoreCalleeSavesFor):
2791         (JSC::DFG::saveCalleeSavesFor):
2792         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
2793         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2794         (JSC::DFG::saveOrCopyCalleeSavesFor):
2795         (JSC::DFG::createDirectArgumentsDuringExit):
2796         (JSC::DFG::createClonedArgumentsDuringExit):
2797         (JSC::DFG::OSRExit::OSRExit):
2798         (JSC::DFG::emitRestoreArguments):
2799         (JSC::DFG::OSRExit::executeOSRExit):
2800         (JSC::DFG::reifyInlinedCallFrames):
2801         (JSC::DFG::adjustAndJumpToTarget):
2802         (JSC::DFG::printOSRExit):
2803         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
2804         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
2805         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
2806         (JSC::DFG::OSRExit::correctJump): Deleted.
2807         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
2808         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
2809         (JSC::DFG::OSRExit::compileExit): Deleted.
2810         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
2811         * dfg/DFGOSRExit.h:
2812         (JSC::DFG::OSRExitState::OSRExitState):
2813         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
2814         * dfg/DFGOSRExitCompilerCommon.cpp:
2815         * dfg/DFGOSRExitCompilerCommon.h:
2816         * dfg/DFGOperations.cpp:
2817         * dfg/DFGOperations.h:
2818         * dfg/DFGThunks.cpp:
2819         (JSC::DFG::osrExitThunkGenerator):
2820         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
2821         * dfg/DFGThunks.h:
2822         * jit/AssemblyHelpers.cpp:
2823         (JSC::AssemblyHelpers::debugCall): Deleted.
2824         * jit/AssemblyHelpers.h:
2825         * jit/JITOperations.cpp:
2826         * jit/JITOperations.h:
2827         * profiler/ProfilerOSRExit.h:
2828         (JSC::Profiler::OSRExit::incCount):
2829         * runtime/JSCJSValue.h:
2830         * runtime/JSCJSValueInlines.h:
2831         * runtime/VM.h:
2832
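The relanded patch above moves DFG OSR exit onto a JIT probe whose Probe::Stack buffers stack writes in 1K pages (the Page/Stack get and set methods listed above; the mechanism is described in the original 2017-09-07 entry further down this ChangeLog). The following is a simplified model of that deferred-write design, added here as an example and not JSC's own ProbeStack code: the class names, the memcpy-based accessors, the flush() step and the constructed g_fakeStack region are assumptions of the model.

```cpp
#include <cassert>
#include <cstdint>
#include <cstring>
#include <map>
#include <memory>

namespace probe_model {

// Buffering page size; the entry says the Probe::Stack works in 1K pages.
constexpr std::size_t kPageSize = 1024;

// One buffered page. Creating it snapshots the underlying memory; later reads
// and writes hit the buffer until flush() copies a dirty page back.
class Page {
public:
    explicit Page(std::uintptr_t base) : m_base(base) { std::memcpy(m_buffer, reinterpret_cast<const void*>(base), kPageSize); }

    // Accesses go through std::memcpy instead of a type-punned load or store,
    // the strict-aliasing fix that point 2 of the entry describes.
    template<typename T> T get(std::uintptr_t address) const
    {
        T value;
        std::memcpy(&value, m_buffer + offset(address, sizeof(T)), sizeof(T));
        return value;
    }
    template<typename T> void set(std::uintptr_t address, T value)
    {
        std::memcpy(m_buffer + offset(address, sizeof(T)), &value, sizeof(T));
        m_dirty = true;
    }
    // Write the buffer back to the real stack only if something changed.
    void flush() { if (m_dirty) std::memcpy(reinterpret_cast<void*>(m_base), m_buffer, kPageSize); m_dirty = false; }

private:
    // An access must not straddle the page; the model asserts rather than spilling over.
    std::size_t offset(std::uintptr_t address, std::size_t size) const
    { std::size_t off = address - m_base; assert(off + size <= kPageSize); return off; }

    std::uintptr_t m_base;
    bool m_dirty { false };
    std::uint8_t m_buffer[kPageSize];
};

// Deferred-write view of the stack. Pages are created on first touch, so the
// page count depends only on the span of addresses the exit ramp touches.
class Stack {
public:
    template<typename T> T get(std::uintptr_t address) { return pageFor(address).get<T>(address); }
    template<typename T> void set(std::uintptr_t address, T value) { pageFor(address).set<T>(address, value); }
    std::size_t pageCount() const { return m_pages.size(); }
    void flush() { for (auto& entry : m_pages) entry.second->flush(); }

private:
    Page& pageFor(std::uintptr_t address)
    {
        std::uintptr_t base = address & ~static_cast<std::uintptr_t>(kPageSize - 1);
        auto it = m_pages.find(base);
        if (it == m_pages.end())
            it = m_pages.emplace(base, std::make_unique<Page>(base)).first;
        return *it->second;
    }

    std::map<std::uintptr_t, std::unique_ptr<Page>> m_pages;
};

} // namespace probe_model

// Constructed stand-in for a stretch of machine stack, aligned so that every
// 1K page the model creates lies entirely inside it.
alignas(probe_model::kPageSize) std::uint8_t g_fakeStack[4 * probe_model::kPageSize];

// Writes two pages apart: existing memory is visible through the snapshot, the
// real memory stays untouched until flush(), and only 2 pages get allocated.
std::size_t demoDeferredWrites()
{
    using namespace probe_model;
    std::memset(g_fakeStack, 0, sizeof g_fakeStack);
    std::uint32_t existing = 0x41424344u; // pre-existing slot the ramp never writes
    std::memcpy(g_fakeStack + 100, &existing, sizeof existing);
    Stack stack;
    auto addrA = reinterpret_cast<std::uintptr_t>(g_fakeStack + 16);
    auto addrB = reinterpret_cast<std::uintptr_t>(g_fakeStack + 2 * kPageSize + 8);
    stack.set<std::uint64_t>(addrA, 0x1122334455667788ULL);
    stack.set<std::uint32_t>(addrB, 0xCAFEF00Du);
    assert(stack.get<std::uint32_t>(addrA + 84) == existing); // snapshot of the untouched slot
    std::uint64_t real = 0;
    std::memcpy(&real, g_fakeStack + 16, sizeof real);
    assert(real == 0); // write is still deferred
    assert(stack.get<std::uint64_t>(addrA) == 0x1122334455667788ULL);
    stack.flush();
    std::memcpy(&real, g_fakeStack + 16, sizeof real);
    assert(real == 0x1122334455667788ULL); // written back by flush()
    return stack.pageCount(); // 2 for this span
}
```

The page count grows with the address span touched, which is why the original entry reports 1 or 2 pages for a typical exit and hundreds for a test that spills a very large argument area.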
2833 2017-09-09  Ryan Haddad  <ryanhaddad@apple.com>
2834
2835         Unreviewed, rolling out r221774.
2836
2837         This change introduced three debug JSC test timeouts.
2838
2839         Reverted changeset:
2840
2841         "Use JIT probes for DFG OSR exit."
2842         https://bugs.webkit.org/show_bug.cgi?id=175144
2843         http://trac.webkit.org/changeset/221774
2844
2845 2017-09-09  Mark Lam  <mark.lam@apple.com>
2846
2847         Avoid duplicate computations of ExecState::vm().
2848         https://bugs.webkit.org/show_bug.cgi?id=176647
2849
2850         Reviewed by Saam Barati.
2851
2852         While computing ExecState::vm() is cheap, it is not free.
2853
2854         This patch also:
2855         1. gets rid of some convenience methods in CallFrame that implicitly do an
2856            ExecState::vm() computation.  This minimizes the chance of us accidentally
2857            computing ExecState::vm() more than necessary.
2858         2. passes vm (when available) to methodTable().
2859         3. passes vm (when available) to JSLockHolder.
2860
2861         * API/JSBase.cpp:
2862         (JSCheckScriptSyntax):
2863         (JSGarbageCollect):
2864         (JSReportExtraMemoryCost):
2865         (JSSynchronousGarbageCollectForDebugging):
2866         (JSSynchronousEdenCollectForDebugging):
2867         * API/JSCallbackConstructor.h:
2868         (JSC::JSCallbackConstructor::create):
2869         * API/JSCallbackObject.h:
2870         (JSC::JSCallbackObject::create):
2871         * API/JSContext.mm:
2872         (-[JSContext setException:]):
2873         * API/JSContextRef.cpp:
2874         (JSContextGetGlobalObject):
2875         (JSContextCreateBacktrace):
2876         * API/JSManagedValue.mm:
2877         (-[JSManagedValue value]):
2878         * API/JSObjectRef.cpp:
2879         (JSObjectMake):
2880         (JSObjectMakeFunctionWithCallback):
2881         (JSObjectMakeConstructor):
2882         (JSObjectMakeFunction):
2883         (JSObjectSetPrototype):
2884         (JSObjectHasProperty):
2885         (JSObjectGetProperty):
2886         (JSObjectSetProperty):
2887         (JSObjectSetPropertyAtIndex):
2888         (JSObjectDeleteProperty):
2889         (JSObjectGetPrivateProperty):
2890         (JSObjectSetPrivateProperty):
2891         (JSObjectDeletePrivateProperty):
2892         (JSObjectIsFunction):
2893         (JSObjectCallAsFunction):
2894         (JSObjectCallAsConstructor):
2895         (JSObjectCopyPropertyNames):
2896         (JSPropertyNameAccumulatorAddName):
2897         * API/JSScriptRef.cpp:
2898         * API/JSTypedArray.cpp:
2899         (JSValueGetTypedArrayType):
2900         (JSObjectMakeTypedArrayWithArrayBuffer):
2901         (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
2902         (JSObjectGetTypedArrayBytesPtr):
2903         (JSObjectGetTypedArrayBuffer):
2904         (JSObjectMakeArrayBufferWithBytesNoCopy):
2905         (JSObjectGetArrayBufferBytesPtr):
2906         * API/JSWeakObjectMapRefPrivate.cpp:
2907         * API/JSWrapperMap.mm:
2908         (constructorHasInstance):
2909         (makeWrapper):
2910         * API/ObjCCallbackFunction.mm:
2911         (objCCallbackFunctionForInvocation):
2912         * bytecode/CodeBlock.cpp:
2913         (JSC::CodeBlock::CodeBlock):
2914         (JSC::CodeBlock::jettison):
2915         * bytecode/CodeBlock.h:
2916         (JSC::CodeBlock::addConstant):
2917         (JSC::CodeBlock::replaceConstant):
2918         * bytecode/PutByIdStatus.cpp:
2919         (JSC::PutByIdStatus::computeFromLLInt):
2920         (JSC::PutByIdStatus::computeFor):
2921         * dfg/DFGDesiredWatchpoints.cpp:
2922         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2923         * dfg/DFGGraph.h:
2924         (JSC::DFG::Graph::globalThisObjectFor):
2925         * dfg/DFGOperations.cpp:
2926         * ftl/FTLOSRExitCompiler.cpp:
2927         (JSC::FTL::compileFTLOSRExit):
2928         * ftl/FTLOperations.cpp:
2929         (JSC::FTL::operationPopulateObjectInOSR):
2930         (JSC::FTL::operationMaterializeObjectInOSR):
2931         * heap/GCAssertions.h:
2932         * inspector/InjectedScriptHost.cpp:
2933         (Inspector::InjectedScriptHost::wrapper):
2934         * inspector/JSInjectedScriptHost.cpp:
2935         (Inspector::JSInjectedScriptHost::subtype):
2936         (Inspector::constructInternalProperty):
2937         (Inspector::JSInjectedScriptHost::getInternalProperties):
2938         (Inspector::JSInjectedScriptHost::weakMapEntries):
2939         (Inspector::JSInjectedScriptHost::weakSetEntries):
2940         (Inspector::JSInjectedScriptHost::iteratorEntries):
2941         * inspector/JSJavaScriptCallFrame.cpp:
2942         (Inspector::valueForScopeLocation):
2943         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2944         (Inspector::toJS):
2945         * inspector/ScriptCallStackFactory.cpp:
2946         (Inspector::extractSourceInformationFromException):
2947         (Inspector::createScriptArguments):
2948         * interpreter/CachedCall.h:
2949         (JSC::CachedCall::CachedCall):
2950         * interpreter/CallFrame.h:
2951         (JSC::ExecState::atomicStringTable const): Deleted.
2952         (JSC::ExecState::propertyNames const): Deleted.
2953         (JSC::ExecState::emptyList const): Deleted.
2954         (JSC::ExecState::interpreter): Deleted.
2955         (JSC::ExecState::heap): Deleted.
2956         * interpreter/Interpreter.cpp:
2957         (JSC::Interpreter::executeProgram):
2958         (JSC::Interpreter::execute):
2959         (JSC::Interpreter::executeModuleProgram):
2960         * jit/JIT.cpp:
2961         (JSC::JIT::privateCompileMainPass):
2962         * jit/JITOperations.cpp:
2963         * jit/JITWorklist.cpp:
2964         (JSC::JITWorklist::compileNow):
2965         * jsc.cpp:
2966         (WTF::RuntimeArray::create):
2967         (WTF::RuntimeArray::getOwnPropertySlot):
2968         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
2969         (WTF::DOMJITFunctionObject::unsafeFunction):
2970         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
2971         (GlobalObject::moduleLoaderFetch):
2972         (functionDumpCallFrame):
2973         (functionCreateRoot):
2974         (functionGetElement):
2975         (functionSetElementRoot):
2976         (functionCreateSimpleObject):
2977         (functionSetHiddenValue):
2978         (functionCreateProxy):
2979         (functionCreateImpureGetter):
2980         (functionCreateCustomGetterObject):
2981         (functionCreateDOMJITNodeObject):
2982         (functionCreateDOMJITGetterObject):
2983         (functionCreateDOMJITGetterComplexObject):
2984         (functionCreateDOMJITFunctionObject):
2985         (functionCreateDOMJITCheckSubClassObject):
2986         (functionGCAndSweep):
2987         (functionFullGC):
2988         (functionEdenGC):
2989         (functionHeapSize):
2990         (functionShadowChickenFunctionsOnStack):
2991         (functionSetGlobalConstRedeclarationShouldNotThrow):
2992         (functionJSCOptions):
2993         (functionFailNextNewCodeBlock):
2994         (functionMakeMasquerader):
2995         (functionDumpTypesForAllVariables):
2996         (functionFindTypeForExpression):
2997         (functionReturnTypeFor):
2998         (functionDumpBasicBlockExecutionRanges):
2999         (functionBasicBlockExecutionCount):
3000         (functionDrainMicrotasks):
3001         (functionGenerateHeapSnapshot):
3002         (functionEnsureArrayStorage):
3003         (functionStartSamplingProfiler):
3004         (runInteractive):
3005         * llint/LLIntSlowPaths.cpp:
3006         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3007         * parser/ModuleAnalyzer.cpp:
3008         (JSC::ModuleAnalyzer::ModuleAnalyzer):
3009         * profiler/ProfilerBytecode.cpp:
3010         (JSC::Profiler::Bytecode::toJS const):
3011         * profiler/ProfilerBytecodeSequence.cpp:
3012         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
3013         * profiler/ProfilerBytecodes.cpp:
3014         (JSC::Profiler::Bytecodes::toJS const):
3015         * profiler/ProfilerCompilation.cpp:
3016         (JSC::Profiler::Compilation::toJS const):
3017         * profiler/ProfilerCompiledBytecode.cpp:
3018         (JSC::Profiler::CompiledBytecode::toJS const):
3019         * profiler/ProfilerDatabase.cpp:
3020         (JSC::Profiler::Database::toJS const):
3021         * profiler/ProfilerEvent.cpp:
3022         (JSC::Profiler::Event::toJS const):
3023         * profiler/ProfilerOSRExit.cpp:
3024         (JSC::Profiler::OSRExit::toJS const):
3025         * profiler/ProfilerOrigin.cpp:
3026         (JSC::Profiler::Origin::toJS const):
3027         * profiler/ProfilerProfiledBytecodes.cpp:
3028         (JSC::Profiler::ProfiledBytecodes::toJS const):
3029         * runtime/AbstractModuleRecord.cpp:
3030         (JSC::identifierToJSValue):
3031         (JSC::AbstractModuleRecord::resolveExportImpl):
3032         (JSC::getExportedNames):
3033         * runtime/ArrayPrototype.cpp:
3034         (JSC::arrayProtoFuncToString):
3035         (JSC::arrayProtoFuncToLocaleString):
3036         * runtime/BooleanConstructor.cpp:
3037         (JSC::constructBooleanFromImmediateBoolean):
3038         * runtime/CallData.cpp:
3039         (JSC::call):
3040         * runtime/CommonSlowPaths.cpp:
3041         (JSC::SLOW_PATH_DECL):
3042         * runtime/CommonSlowPaths.h:
3043         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
3044         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
3045         * runtime/Completion.cpp:
3046         (JSC::checkSyntax):
3047         (JSC::evaluate):
3048         (JSC::loadAndEvaluateModule):
3049         (JSC::loadModule):
3050         (JSC::linkAndEvaluateModule):
3051         (JSC::importModule):
3052         * runtime/ConstructData.cpp:
3053         (JSC::construct):
3054         * runtime/DatePrototype.cpp:
3055         (JSC::dateProtoFuncToJSON):
3056         * runtime/DirectArguments.h:
3057         (JSC::DirectArguments::length const):
3058         * runtime/DirectEvalExecutable.cpp:
3059         (JSC::DirectEvalExecutable::create):
3060         * runtime/ErrorPrototype.cpp:
3061         (JSC::errorProtoFuncToString):
3062         * runtime/ExceptionHelpers.cpp:
3063         (JSC::createUndefinedVariableError):
3064         (JSC::errorDescriptionForValue):
3065         * runtime/FunctionConstructor.cpp:
3066         (JSC::constructFunction):
3067         * runtime/GenericArgumentsInlines.h:
3068         (JSC::GenericArguments<Type>::getOwnPropertyNames):
3069         * runtime/IdentifierInlines.h:
3070         (JSC::Identifier::add):
3071         * runtime/IndirectEvalExecutable.cpp:
3072         (JSC::IndirectEvalExecutable::create):
3073         * runtime/InternalFunction.cpp:
3074         (JSC::InternalFunction::finishCreation):
3075         (JSC::InternalFunction::createSubclassStructureSlow):
3076         * runtime/JSArray.cpp:
3077         (JSC::JSArray::getOwnPropertySlot):
3078         (JSC::JSArray::put):
3079         (JSC::JSArray::deleteProperty):
3080         (JSC::JSArray::getOwnNonIndexPropertyNames):
3081         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
3082         * runtime/JSArray.h:
3083         (JSC::JSArray::shiftCountForShift):
3084         * runtime/JSCJSValue.cpp:
3085         (JSC::JSValue::dumpForBacktrace const):
3086         * runtime/JSDataView.cpp:
3087         (JSC::JSDataView::getOwnPropertySlot):
3088         (JSC::JSDataView::deleteProperty):
3089         (JSC::JSDataView::getOwnNonIndexPropertyNames):
3090         * runtime/JSFunction.cpp:
3091         (JSC::JSFunction::getOwnPropertySlot):
3092         (JSC::JSFunction::deleteProperty):
3093         (JSC::JSFunction::reifyName):
3094         * runtime/JSGlobalObjectFunctions.cpp:
3095         (JSC::globalFuncEval):
3096         * runtime/JSInternalPromise.cpp:
3097         (JSC::JSInternalPromise::then):
3098         * runtime/JSLexicalEnvironment.cpp:
3099         (JSC::JSLexicalEnvironment::deleteProperty):
3100         * runtime/JSMap.cpp:
3101         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
3102         * runtime/JSMapIterator.h:
3103         (JSC::JSMapIterator::advanceIter):
3104         * runtime/JSModuleEnvironment.cpp:
3105         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
3106         * runtime/JSModuleLoader.cpp:
3107         (JSC::printableModuleKey):
3108         (JSC::JSModuleLoader::provide):
3109         (JSC::JSModuleLoader::loadAndEvaluateModule):
3110         (JSC::JSModuleLoader::loadModule):
3111         (JSC::JSModuleLoader::linkAndEvaluateModule):
3112         (JSC::JSModuleLoader::requestImportModule):
3113         * runtime/JSModuleNamespaceObject.h:
3114         * runtime/JSModuleRecord.cpp:
3115         (JSC::JSModuleRecord::evaluate):
3116         * runtime/JSONObject.cpp:
3117         (JSC::Stringifier::Stringifier):
3118         (JSC::Stringifier::appendStringifiedValue):
3119         (JSC::Stringifier::Holder::appendNextProperty):
3120         * runtime/JSObject.cpp:
3121         (JSC::JSObject::calculatedClassName):
3122         (JSC::JSObject::putByIndex):
3123         (JSC::JSObject::ordinaryToPrimitive const):
3124         (JSC::JSObject::toPrimitive const):
3125         (JSC::JSObject::hasInstance):
3126         (JSC::JSObject::getOwnPropertyNames):
3127         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
3128         (JSC::getCustomGetterSetterFunctionForGetterSetter):
3129         (JSC::JSObject::getOwnPropertyDescriptor):
3130         (JSC::JSObject::getMethod):
3131         * runtime/JSObject.h:
3132         (JSC::JSObject::createRawObject):
3133         (JSC::JSFinalObject::create):
3134         * runtime/JSObjectInlines.h:
3135         (JSC::JSObject::canPerformFastPutInline):
3136         (JSC::JSObject::putInlineForJSObject):
3137         (JSC::JSObject::hasOwnProperty const):
3138         * runtime/JSScope.cpp:
3139         (JSC::isUnscopable):
3140         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
3141         * runtime/JSSet.cpp:
3142         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
3143         * runtime/JSSetIterator.h:
3144         (JSC::JSSetIterator::advanceIter):
3145         * runtime/JSString.cpp:
3146         (JSC::JSString::getStringPropertyDescriptor):
3147         * runtime/JSString.h:
3148         (JSC::JSString::getStringPropertySlot):
3149         * runtime/MapConstructor.cpp:
3150         (JSC::constructMap):
3151         * runtime/ModuleProgramExecutable.cpp:
3152         (JSC::ModuleProgramExecutable::create):
3153         * runtime/ObjectPrototype.cpp:
3154         (JSC::objectProtoFuncToLocaleString):
3155         * runtime/ProgramExecutable.h:
3156         * runtime/RegExpObject.cpp:
3157         (JSC::RegExpObject::getOwnPropertySlot):
3158         (JSC::RegExpObject::deleteProperty):
3159         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
3160         (JSC::RegExpObject::getPropertyNames):
3161         (JSC::RegExpObject::getGenericPropertyNames):
3162         (JSC::RegExpObject::put):
3163         * runtime/ScopedArguments.h:
3164         (JSC::ScopedArguments::length const):
3165         * runtime/StrictEvalActivation.h:
3166         (JSC::StrictEvalActivation::create):
3167         * runtime/StringObject.cpp:
3168         (JSC::isStringOwnProperty):
3169         (JSC::StringObject::deleteProperty):
3170         (JSC::StringObject::getOwnNonIndexPropertyNames):
3171         * tools/JSDollarVMPrototype.cpp:
3172         (JSC::JSDollarVMPrototype::gc):
3173         (JSC::JSDollarVMPrototype::edenGC):
3174         * wasm/js/WebAssemblyModuleRecord.cpp:
3175         (JSC::WebAssemblyModuleRecord::evaluate):
3176
3177 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3178
3179         [DFG] NewArrayWithSize(size)'s size does not care negative zero
3180         https://bugs.webkit.org/show_bug.cgi?id=176300
3181
3182         Reviewed by Saam Barati.
3183
3184         NewArrayWithSize(size)'s size does not care about negative zero,
3185         the same as NewTypedArray. We propagate this information
3186         in DFGBackwardsPropagationPhase. This removes the negative zero
3187         check in kraken fft's deinterleave function.
3188
3189         * dfg/DFGBackwardsPropagationPhase.cpp:
3190         (JSC::DFG::BackwardsPropagationPhase::propagate):
3191
3192 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3193
3194         [DFG] PutByVal with Array::Generic is too generic
3195         https://bugs.webkit.org/show_bug.cgi?id=176345
3196
3197         Reviewed by Filip Pizlo.
3198
3199         Our DFG/FTL PutByVal with Array::Generic has too generic an implementation.
3200         We could have a case like
3201
3202             dst[key] = src[key];
3203
3204         with string or symbol keys. But they are handled in the slow path.
3205         This patch adds PutByVal(CellUse, StringUse/SymbolUse, UntypedUse). They go
3206         to an optimized path that does not have generic checks (like isInt32() / isDouble() etc.).
3207
3208         This improves SixSpeed object-assign.es5 by 9.1%.
3209
3210         object-assign.es5             424.3159+-11.0471    ^    388.8771+-10.9239       ^ definitely 1.0911x faster
3211
3212         * dfg/DFGFixupPhase.cpp:
3213         (JSC::DFG::FixupPhase::fixupNode):
3214         * dfg/DFGOperations.cpp:
3215         (JSC::DFG::putByVal):
3216         (JSC::DFG::putByValInternal):
3217         (JSC::DFG::putByValCellInternal):
3218         (JSC::DFG::putByValCellStringInternal):
3219         (JSC::DFG::operationPutByValInternal): Deleted.
3220         * dfg/DFGOperations.h:
3221         * dfg/DFGSpeculativeJIT.cpp:
3222         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString):
3223         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol):
3224         * dfg/DFGSpeculativeJIT.h:
3225         (JSC::DFG::SpeculativeJIT::callOperation):
3226         * dfg/DFGSpeculativeJIT32_64.cpp:
3227         (JSC::DFG::SpeculativeJIT::compile):
3228         * dfg/DFGSpeculativeJIT64.cpp:
3229         (JSC::DFG::SpeculativeJIT::compile):
3230         * ftl/FTLLowerDFGToB3.cpp:
3231         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
3232         * jit/JITOperations.h:
3233
3234 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3235
3236         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
3237         https://bugs.webkit.org/show_bug.cgi?id=176590
3238
3239         Reviewed by Saam Barati.
3240
3241         We add fixup edges for GetByVal(Array::Generic) to call a faster operation instead of the generic operationGetByVal.
3242
3243                                          baseline                  patched
3244
3245         object-iterate                5.8531+-0.3029            5.7903+-0.2795          might be 1.0108x faster
3246         object-iterate-symbols        7.4099+-0.3993     ^      5.8254+-0.2276        ^ definitely 1.2720x faster
3247
3248         * dfg/DFGFixupPhase.cpp:
3249         (JSC::DFG::FixupPhase::fixupNode):
3250         * dfg/DFGOperations.cpp:
3251         (JSC::DFG::getByValObject):
3252         * dfg/DFGOperations.h:
3253         * dfg/DFGSpeculativeJIT.cpp:
3254         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
3255         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
3256         * dfg/DFGSpeculativeJIT.h:
3257         * dfg/DFGSpeculativeJIT32_64.cpp:
3258         (JSC::DFG::SpeculativeJIT::compile):
3259         * dfg/DFGSpeculativeJIT64.cpp:
3260         (JSC::DFG::SpeculativeJIT::compile):
3261         * ftl/FTLLowerDFGToB3.cpp:
3262         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3263
3264 2017-09-07  Mark Lam  <mark.lam@apple.com>
3265
3266         Use JIT probes for DFG OSR exit.
3267         https://bugs.webkit.org/show_bug.cgi?id=175144
3268         <rdar://problem/33437050>
3269
3270         Reviewed by Saam Barati.
3271
3272         This patch does the following:
3273         1. Replaces osrExitGenerationThunkGenerator() with osrExitThunkGenerator().
3274            While osrExitGenerationThunkGenerator() generates a thunk that compiles a
3275            unique OSR offramp for each DFG OSR exit site, osrExitThunkGenerator()
3276            generates a thunk that just executes the OSR exit.
3277
3278            The osrExitThunkGenerator() generated thunk works by using a single JIT probe
3279            to call OSRExit::executeOSRExit().  The JIT probe takes care of preserving
3280            CPU registers, and providing the Probe::Stack mechanism for modifying the
3281            stack frame.
3282
3283            OSRExit::executeOSRExit() replaces OSRExit::compileOSRExit() and
3284            OSRExit::compileExit().  It is basically a re-write of those functions to
3285            execute the OSR exit work instead of compiling code to execute the work.
3286
3287            As a result, we get the following savings:
3288            a. no more OSR exit ramp compilation time.
3289            b. no use of JIT executable memory for storing each unique OSR exit ramp.
3290
3291            On the negative side, we incur these costs:
3292
3293            c. the OSRExit::executeOSRExit() ramp may be a little slower than the compiled
3294               version of the ramp.  However, OSR exits are rare.  Hence, this small
3295               difference should not matter much.  It is also offset by the savings from
3296               (a).
3297
3298            d. the Probe::Stack allocates 1K pages of memory for buffering stack
3299               modifications.  The number of these pages depends on the span of stack memory
3300               that the OSR exit ramp reads from and writes to.  Since the OSR exit ramp
3301               tends to only modify values in the current DFG frame and the current
3302               VMEntryRecord, the number of pages tends to only be 1 or 2.
3303
3304               Using the jsc tests as a workload, the vast majority of tests that do OSR
3305               exit use 3 or fewer 1K pages (with the overwhelming number using just 1 page).
3306               A few pathological tests use up to 14 pages, and one particularly
3307               bad test (function-apply-many-args.js) uses 513 pages.
3308
3309            Similar to the old code, the OSR exit ramp still has 2 parts: 1 part that is
3310            only executed once to compute some values for the exit site that is used by
3311            all exit operations from that site, and a 2nd part to execute the exit.  The
3312            1st part is protected by checking if exit.exitState has already been
3313            initialized.  The computed values are cached in exit.exitState.
3314
3315            Because the OSR exit thunk no longer compiles an OSR exit off-ramp, we no
3316            longer need the facility to patch the site that jumps to the OSR exit ramp.
3317            The DFG::JITCompiler has been modified to remove this patching code.
3318
3319         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
3320            std::memcpy to avoid strict aliasing issues.
3321
3322            Also optimized the implementation of Probe::Stack::physicalAddressFor().
3323
3324         3. Miscellaneous convenience methods added to make the Probe::Context easier to
3325            use.
3326
3327         4. Added a Probe::Frame class that makes it easier to get/set operands and
3328            arguments in a given frame using the deferred write properties of the
3329            Probe::Stack.  Probe::Frame makes it easier to do some of the recovery work in
3330            the OSR exit ramp.
3331
3332         5. Cloned or converted some functions needed by the OSR exit ramp.  The original
3333            JIT versions of these functions are still left in place because they are still
3334            needed for FTL OSR exit.  A FIXME comment has been added to remove them later.
3335            These functions include:
3336
3337            DFGOSRExitCompilerCommon.cpp's handleExitCounts() ==>
3338                CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize()
3339            DFGOSRExitCompilerCommon.cpp's reifyInlinedCallFrames() ==>
3340                DFGOSRExit.cpp's reifyInlinedCallFrames()
3341            DFGOSRExitCompilerCommon.cpp's adjustAndJumpToTarget() ==>
3342                DFGOSRExit.cpp's adjustAndJumpToTarget()
3343
3344            MethodOfGettingAValueProfile::emitReportValue() ==>
3345                MethodOfGettingAValueProfile::reportValue()
3346
3347            DFGOperations.cpp's operationCreateDirectArgumentsDuringExit() ==>
3348                DFGOSRExit.cpp's createDirectArgumentsDuringExit()
3349            DFGOperations.cpp's operationCreateClonedArgumentsDuringExit() ==>
3350                DFGOSRExit.cpp's createClonedArgumentsDuringExit()
3351
3352         * JavaScriptCore.xcodeproj/project.pbxproj:
3353         * assembler/MacroAssembler.cpp:
3354         (JSC::stdFunctionCallback):
3355         * assembler/MacroAssemblerPrinter.cpp:
3356         (JSC::Printer::printCallback):
3357         * assembler/ProbeContext.h:
3358         (JSC::Probe::CPUState::gpr const):
3359         (JSC::Probe::CPUState::spr const):
3360         (JSC::Probe::Context::Context):
3361         (JSC::Probe::Context::arg):
3362         (JSC::Probe::Context::gpr):
3363         (JSC::Probe::Context::spr):
3364         (JSC::Probe::Context::fpr):
3365         (JSC::Probe::Context::gprName):
3366         (JSC::Probe::Context::sprName):
3367         (JSC::Probe::Context::fprName):
3368         (JSC::Probe::Context::gpr const):
3369         (JSC::Probe::Context::spr const):
3370         (JSC::Probe::Context::fpr const):
3371         (JSC::Probe::Context::pc):
3372         (JSC::Probe::Context::fp):
3373         (JSC::Probe::Context::sp):
3374         (JSC::Probe:: const): Deleted.
3375         * assembler/ProbeFrame.h: Added.
3376         (JSC::Probe::Frame::Frame):
3377         (JSC::Probe::Frame::getArgument):
3378         (JSC::Probe::Frame::getOperand):
3379         (JSC::Probe::Frame::get):
3380         (JSC::Probe::Frame::setArgument):
3381         (JSC::Probe::Frame::setOperand):
3382         (JSC::Probe::Frame::set):
3383         * assembler/ProbeStack.cpp:
3384         (JSC::Probe::Page::Page):
3385         * assembler/ProbeStack.h:
3386         (JSC::Probe::Page::get):
3387         (JSC::Probe::Page::set):
3388         (JSC::Probe::Page::physicalAddressFor):
3389         (JSC::Probe::Stack::lowWatermark):
3390         (JSC::Probe::Stack::get):
3391         (JSC::Probe::Stack::set):
3392         * bytecode/ArithProfile.cpp:
3393         * bytecode/ArithProfile.h:
3394         * bytecode/ArrayProfile.h:
3395         (JSC::ArrayProfile::observeArrayMode):
3396         * bytecode/CodeBlock.cpp:
3397         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
3398         * bytecode/CodeBlock.h:
3399         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
3400         * bytecode/ExecutionCounter.h:
3401         (JSC::ExecutionCounter::hasCrossedThreshold const):
3402         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
3403         * bytecode/MethodOfGettingAValueProfile.cpp:
3404         (JSC::MethodOfGettingAValueProfile::reportValue):
3405         * bytecode/MethodOfGettingAValueProfile.h:
3406         * dfg/DFGDriver.cpp:
3407         (JSC::DFG::compileImpl):
3408         * dfg/DFGJITCode.cpp:
3409         (JSC::DFG::JITCode::findPC): Deleted.
3410         * dfg/DFGJITCode.h:
3411         * dfg/DFGJITCompiler.cpp:
3412         (JSC::DFG::JITCompiler::linkOSRExits):
3413         (JSC::DFG::JITCompiler::link):
3414         * dfg/DFGOSRExit.cpp:
3415         (JSC::DFG::jsValueFor):
3416         (JSC::DFG::restoreCalleeSavesFor):
3417         (JSC::DFG::saveCalleeSavesFor):
3418         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
3419         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
3420         (JSC::DFG::saveOrCopyCalleeSavesFor):
3421         (JSC::DFG::createDirectArgumentsDuringExit):
3422         (JSC::DFG::createClonedArgumentsDuringExit):
3423         (JSC::DFG::OSRExit::OSRExit):
3424         (JSC::DFG::emitRestoreArguments):
3425         (JSC::DFG::OSRExit::executeOSRExit):
3426         (JSC::DFG::reifyInlinedCallFrames):
3427         (JSC::DFG::adjustAndJumpToTarget):
3428         (JSC::DFG::printOSRExit):
3429         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
3430         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
3431         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
3432         (JSC::DFG::OSRExit::correctJump): Deleted.
3433         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
3434         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
3435         (JSC::DFG::OSRExit::compileExit): Deleted.
3436         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
3437         * dfg/DFGOSRExit.h:
3438         (JSC::DFG::OSRExitState::OSRExitState):
3439         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
3440         * dfg/DFGOSRExitCompilerCommon.cpp:
3441         * dfg/DFGOSRExitCompilerCommon.h:
3442         * dfg/DFGOperations.cpp:
3443         * dfg/DFGOperations.h:
3444         * dfg/DFGThunks.cpp:
3445         (JSC::DFG::osrExitThunkGenerator):
3446         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
3447         * dfg/DFGThunks.h:
3448         * jit/AssemblyHelpers.cpp:
3449         (JSC::AssemblyHelpers::debugCall): Deleted.
3450         * jit/AssemblyHelpers.h:
3451         * jit/JITOperations.cpp:
3452         * jit/JITOperations.h:
3453         * profiler/ProfilerOSRExit.h:
3454         (JSC::Profiler::OSRExit::incCount):
3455         * runtime/JSCJSValue.h:
3456         * runtime/JSCJSValueInlines.h:
3457         * runtime/VM.h:
3458
3459 2017-09-07  Michael Saboff  <msaboff@apple.com>
3460
3461         Add support for RegExp named capture groups
3462         https://bugs.webkit.org/show_bug.cgi?id=176435
3463
3464         Reviewed by Filip Pizlo.
3465
3466         Added parsing for both naming a captured parenthesis as well as using a named group in
3467         a back reference.  Also added support for using named groups with String.prototype.replace().
3468
3469         This patch does not throw Syntax Errors as described in the current spec text for the two
3470         cases of malformed back references in String.prototype.replace() as I believe that it
3471         is inconsistent with the current semantics for handling of other malformed replacement
3472         tokens.  I filed an issue for the requested change to the proposed spec and also filed
3473         a FIXME bug https://bugs.webkit.org/show_bug.cgi?id=176434.
3474
3475         This patch does not implement strength reduction in the optimizing JITs for named capture
3476         groups.  Filed https://bugs.webkit.org/show_bug.cgi?id=176464.
3477
3478         * dfg/DFGAbstractInterpreterInlines.h:
3479         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3480         * dfg/DFGStrengthReductionPhase.cpp:
3481         (JSC::DFG::StrengthReductionPhase::handleNode):
3482         * runtime/CommonIdentifiers.h:
3483         * runtime/JSGlobalObject.cpp:
3484         (JSC::JSGlobalObject::init):
3485         (JSC::JSGlobalObject::haveABadTime):
3486         * runtime/JSGlobalObject.h:
3487         (JSC::JSGlobalObject::regExpMatchesArrayWithGroupsStructure const):
3488         * runtime/RegExp.cpp:
3489         (JSC::RegExp::finishCreation):
3490         * runtime/RegExp.h:
3491         * runtime/RegExpMatchesArray.cpp:
3492         (JSC::createStructureImpl):
3493         (JSC::createRegExpMatchesArrayWithGroupsStructure):
3494         (JSC::createRegExpMatchesArrayWithGroupsSlowPutStructure):
3495         * runtime/RegExpMatchesArray.h:
3496         (JSC::createRegExpMatchesArray):
3497         * runtime/StringPrototype.cpp:
3498         (JSC::substituteBackreferencesSlow):
3499         (JSC::replaceUsingRegExpSearch):
3500         * yarr/YarrParser.h:
3501         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
3502         (JSC::Yarr::Parser::parseEscape):
3503         (JSC::Yarr::Parser::parseParenthesesBegin):
3504         (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
3505         (JSC::Yarr::Parser::tryConsumeIdentifierCharacter):
3506         (JSC::Yarr::Parser::isIdentifierStart):
3507         (JSC::Yarr::Parser::isIdentifierPart):
3508         (JSC::Yarr::Parser::tryConsumeGroupName):
3509         * yarr/YarrPattern.cpp:
3510         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
3511         (JSC::Yarr::YarrPatternConstructor::atomNamedBackReference):
3512         (JSC::Yarr::YarrPattern::errorMessage):
3513         * yarr/YarrPattern.h:
3514         (JSC::Yarr::YarrPattern::reset):
3515         * yarr/YarrSyntaxChecker.cpp:
3516         (JSC::Yarr::SyntaxChecker::atomParenthesesSubpatternBegin):
3517         (JSC::Yarr::SyntaxChecker::atomNamedBackReference):
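
        The three pieces of named-capture support this entry adds (a named group, a named
        back reference with \k<name>, and $<name> / the groups argument in
        String.prototype.replace()), shown as an added example that is not part of the
        WebKit patch; SAMPLE and the function names are constructed for illustration.

```javascript
// Added example, not code from the WebKit patch: exercises RegExp named capture
// groups, named back references and named groups in String.prototype.replace().

// Constructed sample input: an HH:MM time followed by a doubled word.
const SAMPLE = "Meeting at 09:45 tomorrow tomorrow";

// (?<name>...) names a group; the match exposes it on m.groups.
function parseTime(text) {
  const m = /(?<hour>\d{2}):(?<minute>\d{2})/.exec(text);
  return m ? { hour: m.groups.hour, minute: m.groups.minute } : null;
}

// \k<word> is a back reference to the earlier (?<word>...) group,
// so this only matches a word that is immediately repeated.
function findDoubledWord(text) {
  const m = /\b(?<word>\w+)\s+\k<word>\b/.exec(text);
  return m ? m.groups.word : null;
}

// $<name> in a replacement string substitutes the named group's capture.
function swapHourMinute(text) {
  return text.replace(/(?<hour>\d{2}):(?<minute>\d{2})/, "$<minute>:$<hour>");
}

// With a replacer function, the groups object is passed as the last argument
// (only when the pattern actually contains named groups).
function collapseDoubledWords(text) {
  return text.replace(/\b(?<word>\w+)\s+\k<word>\b/g,
    (...args) => args[args.length - 1].word);
}
```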
3518
3519 2017-09-07  Myles C. Maxfield  <mmaxfield@apple.com>
3520
3521         [PAL] Unify PlatformUserPreferredLanguages.h with Language.h
3522         https://bugs.webkit.org/show_bug.cgi?id=176561
3523
3524         Reviewed by Brent Fulgham.
3525
3526         * runtime/IntlObject.cpp:
3527         (JSC::defaultLocale):
3528
3529 2017-09-07  Joseph Pecoraro  <pecoraro@apple.com>
3530
3531         Augmented Inspector: Provide a way to inspect a DOM Node (DOM.inspect)
3532         https://bugs.webkit.org/show_bug.cgi?id=176563
3533         <rdar://problem/19639583>
3534
3535         Reviewed by Matt Baker.
3536
3537         * inspector/protocol/DOM.json:
3538         Add an event that is useful for augmented inspectors to inspect
3539         a node. Web pages will still prefer Inspector.inspect.
3540
3541 2017-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3542
3543         [JSC] Remove "malloc" and "free" from JSC/API
3544         https://bugs.webkit.org/show_bug.cgi?id=176331
3545
3546         Reviewed by Keith Miller.
3547
3548         Remove "malloc" and "free" manual calls in JSC/API.
3549
3550         * API/JSValue.mm:
3551         (createStructHandlerMap):
3552         * API/JSWrapperMap.mm:
3553         (parsePropertyAttributes):
3554         (makeSetterName):
3555         (copyPrototypeProperties):
3556         Use RetainPtr<NSString> to keep NSString. We avoid repeated "char*" to "NSString" conversion.
3557
3558         * API/ObjcRuntimeExtras.h:
3559         (adoptSystem):
3560         Add adoptSystem to automate calling system free().
3561
3562         (protocolImplementsProtocol):
3563         (forEachProtocolImplementingProtocol):
3564         (forEachMethodInClass):
3565         (forEachMethodInProtocol):
3566         (forEachPropertyInProtocol):
3567         (StringRange::StringRange):
3568         (StringRange::operator const char* const):
3569         (StringRange::get const):
3570         Use CString for backend.
3571
3572         (StructBuffer::StructBuffer):
3573         (StructBuffer::~StructBuffer):
3574         (StringRange::~StringRange): Deleted.
3575         Use fastAlignedMalloc/fastAlignedFree to get aligned memory.
3576
3577 2017-09-06  Mark Lam  <mark.lam@apple.com>
3578
3579         constructGenericTypedArrayViewWithArguments() is missing an exception check.
3580         https://bugs.webkit.org/show_bug.cgi?id=176485
3581         <rdar://problem/33898874>
3582
3583         Reviewed by Keith Miller.
3584
3585         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3586         (JSC::constructGenericTypedArrayViewWithArguments):
3587
3588 2017-09-06  Saam Barati  <sbarati@apple.com>
3589
3590         Air should have a Vector of prologue generators instead of a HashMap representing an optional prologue generator
3591         https://bugs.webkit.org/show_bug.cgi?id=176346
3592
3593         Reviewed by Mark Lam.
3594
3595         * b3/B3Procedure.cpp:
3596         (JSC::B3::Procedure::Procedure):
3597         (JSC::B3::Procedure::setNumEntrypoints):
3598         * b3/B3Procedure.h:
3599         (JSC::B3::Procedure::setNumEntrypoints): Deleted.
3600         * b3/air/AirCode.cpp:
3601         (JSC::B3::Air::defaultPrologueGenerator):
3602         (JSC::B3::Air::Code::Code):
3603         (JSC::B3::Air::Code::setNumEntrypoints):
3604         * b3/air/AirCode.h:
3605         (JSC::B3::Air::Code::setPrologueForEntrypoint):
3606         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
3607         (JSC::B3::Air::Code::setEntrypoints):
3608         (JSC::B3::Air::Code::setEntrypointLabels):
3609         * b3/air/AirGenerate.cpp:
3610         (JSC::B3::Air::generate):
3611         * ftl/FTLLowerDFGToB3.cpp:
3612         (JSC::FTL::DFG::LowerDFGToB3::lower):
3613
3614 2017-09-06  Saam Barati  <sbarati@apple.com>
3615
3616         ASSERTION FAILED: op() == CheckStructure in Source/JavaScriptCore/dfg/DFGNode.h(443)
3617         https://bugs.webkit.org/show_bug.cgi?id=176470
3618
3619         Reviewed by Mark Lam.
3620
3621         Update Node::convertToCheckStructureImmediate's assertion to allow
3622         the node to either be a CheckStructure or CheckStructureOrEmpty.
3623
3624         * dfg/DFGNode.h:
3625         (JSC::DFG::Node::convertToCheckStructureImmediate):
3626
3627 2017-09-05  Saam Barati  <sbarati@apple.com>
3628
3629         isNotCellSpeculation is wrong with respect to SpecEmpty
3630         https://bugs.webkit.org/show_bug.cgi?id=176429
3631
3632         Reviewed by Michael Saboff.
3633
3634         The isNotCellSpeculation(SpeculatedType t) function was not taking into account
3635         SpecEmpty in the set for t. It should return false when SpecEmpty is present, since
3636         the empty value will fail a NotCell check. This bug would cause us to erroneously
3637         generate NotCellUse UseKinds for inputs that are the empty value, causing repeated OSR exits.
3638
3639         * bytecode/SpeculatedType.h:
3640         (JSC::isNotCellSpeculation):
3641
3642 2017-09-05  Saam Barati  <sbarati@apple.com>
3643
3644         Make the distinction between entrypoints and CFG roots more clear by naming things better
3645         https://bugs.webkit.org/show_bug.cgi?id=176336
3646
3647         Reviewed by Mark Lam and Keith Miller and Michael Saboff.
3648
3649         This patch does renaming to make the distinction between Graph::m_entrypoints
3650         and Graph::m_numberOfEntrypoints more clear. The source of confusion is that
3651         Graph::m_entrypoints.size() is not equivalent to Graph::m_numberOfEntrypoints.
3652         Graph::m_entrypoints is really just the CFG roots. In CPS, this vector has
3653         size >= 1. In SSA, the size is always 1. This patch renames Graph::m_entrypoints
3654         to Graph::m_roots. To be consistent, this patch also renames Graph's m_entrypointToArguments
3655         field to m_rootToArguments.
3656         
3657         Graph::m_numberOfEntrypoints retains its name. This field is only used in SSA
3658         when compiling with EntrySwitch. It represents the logical number of entrypoints
3659         the compilation will end up with. Each EntrySwitch has m_numberOfEntrypoints
3660         cases.
3661
3662         * dfg/DFGByteCodeParser.cpp:
3663         (JSC::DFG::ByteCodeParser::parseBlock):
3664         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3665         * dfg/DFGCFG.h:
3666         (JSC::DFG::CFG::roots):
3667         (JSC::DFG::CPSCFG::CPSCFG):
3668         * dfg/DFGCPSRethreadingPhase.cpp:
3669         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
3670         * dfg/DFGDCEPhase.cpp:
3671         (JSC::DFG::DCEPhase::run):
3672         * dfg/DFGGraph.cpp:
3673         (JSC::DFG::Graph::dump):
3674         (JSC::DFG::Graph::determineReachability):
3675         (JSC::DFG::Graph::blocksInPreOrder):
3676         (JSC::DFG::Graph::blocksInPostOrder):
3677         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3678         * dfg/DFGGraph.h:
3679         (JSC::DFG::Graph::isRoot):
3680         (JSC::DFG::Graph::isEntrypoint): Deleted.
3681         * dfg/DFGInPlaceAbstractState.cpp:
3682         (JSC::DFG::InPlaceAbstractState::initialize):
3683         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
3684         (JSC::DFG::createPreHeader):
3685         * dfg/DFGMaximalFlushInsertionPhase.cpp:
3686         (JSC::DFG::MaximalFlushInsertionPhase::run):
3687         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
3688         * dfg/DFGOSREntrypointCreationPhase.cpp:
3689         (JSC::DFG::OSREntrypointCreationPhase::run):
3690         * dfg/DFGPredictionInjectionPhase.cpp:
3691         (JSC::DFG::PredictionInjectionPhase::run):
3692         * dfg/DFGSSAConversionPhase.cpp:
3693         (JSC::DFG::SSAConversionPhase::run):
3694         * dfg/DFGSpeculativeJIT.cpp:
3695         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
3696         (JSC::DFG::SpeculativeJIT::linkOSREntries):
3697         * dfg/DFGTypeCheckHoistingPhase.cpp:
3698         (JSC::DFG::TypeCheckHoistingPhase::run):
3699         * dfg/DFGValidate.cpp:
3700
3701 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
3702
3703         test262: Completion values for control flow do not match the spec
3704         https://bugs.webkit.org/show_bug.cgi?id=171265
3705
3706         Reviewed by Saam Barati.
3707
3708         * bytecompiler/BytecodeGenerator.h:
3709         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
3710         When we care about having proper completion values (global code
3711         in programs, modules, and eval) insert undefined results for
3712         control flow statements.
3713
3714         * bytecompiler/NodesCodegen.cpp:
3715         (JSC::SourceElements::emitBytecode):
3716         Reduce writing a default `undefined` value to the completion result to
3717         only once before the last statement we know will produce a value.
3718
3719         (JSC::IfElseNode::emitBytecode):
3720         (JSC::WithNode::emitBytecode):
3721         (JSC::WhileNode::emitBytecode):
3722         (JSC::ForNode::emitBytecode):
3723         (JSC::ForInNode::emitBytecode):
3724         (JSC::ForOfNode::emitBytecode):
3725         (JSC::SwitchNode::emitBytecode):
3726         Insert an undefined to handle cases where code may break out of an
3727         if/else or with statement (break/continue).
3728
3729         (JSC::TryNode::emitBytecode):
3730         Same handling for break cases. Also, finally block statement completion
3731         values are always ignored for the try statement result.
3732
3733         (JSC::ClassDeclNode::emitBytecode):
3734         Class declarations, like function declarations, produce an empty result.
3735
3736         * parser/Nodes.cpp:
3737         (JSC::SourceElements::lastStatement):
3738         (JSC::SourceElements::hasCompletionValue):
3739         (JSC::SourceElements::hasEarlyBreakOrContinue):
3740         (JSC::BlockNode::lastStatement):
3741         (JSC::BlockNode::singleStatement):
3742         (JSC::BlockNode::hasCompletionValue):
3743         (JSC::BlockNode::hasEarlyBreakOrContinue):
3744         (JSC::ScopeNode::singleStatement):
3745         (JSC::ScopeNode::hasCompletionValue):
3746         (JSC::ScopeNode::hasEarlyBreakOrContinue):
3747         The only non-trivial cases need to loop through their list of statements
3748         to determine if this has a completion value or not. Likewise for
3749         determining if there is an early break / continue, meaning a break or
3750         continue statement with no preceding statement that has a completion value.
3751
3752         * parser/Nodes.h:
3753         (JSC::StatementNode::next):
3754         (JSC::StatementNode::hasCompletionValue):
3755         Helper to check if a statement node produces a completion value or not.
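
        The completion-value rules this entry describes (undefined for control flow that
        produces no value, the empty result of a class declaration, and the ignored
        finally value), observed through indirect eval as an added example that is not
        part of the WebKit patch; the programs in CASES are constructed.

```javascript
// Added example, not code from the WebKit patch: evaluates small constructed
// programs as global code and reports the completion value of each, which is
// what the entry's bytecode changes make spec-conformant.
const CASES = {
  ifWithoutElse: "1; if (false) {}",             // control flow yields undefined
  loopBodyNeverRuns: "1; while (false) {}",      // loop with no iteration: undefined
  ifBranchTaken: "1; if (true) { 2; }",          // value of the taken branch
  classDeclaration: "1; class A {}",             // empty result keeps the earlier 1
  finallyIgnored: "1; try { 2; } finally { 3; }", // finally's value is discarded
};

// Indirect eval runs the text as global code and returns its completion value.
function completionValues(cases = CASES) {
  const out = {};
  for (const [name, program] of Object.entries(cases)) {
    out[name] = (0, eval)(program);
  }
  return out;
}
```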
3756
3757 2017-09-04  Saam Barati  <sbarati@apple.com>
3758
3759         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
3760         https://bugs.webkit.org/show_bug.cgi?id=176317
3761
3762         Reviewed by Keith Miller.
3763
3764         It turns out that TypeCheckHoistingPhase may hoist a CheckStructure up to 
3765         the SetLocal of a particular value where the value is the empty JSValue.
3766         On 64-bit platforms, the empty value is zero. This means that the empty value
3767         passes a cell check. This will lead to a crash when we dereference null to load
3768         the value's structure. This patch teaches TypeCheckHoistingPhase to be conservative
3769         in the structure checks it hoists. On 64-bit platforms, instead of emitting a
3770         CheckStructure node, we now emit a CheckStructureOrEmpty node. This node allows
3771         the empty value to flow through. If the value isn't empty, it'll perform the normal
3772         structure check that CheckStructure performs. For now, we only emit CheckStructureOrEmpty
3773         on 64-bit platforms since a cell check on 32-bit platforms does not allow the empty
3774         value to flow through.
3775
3776         * dfg/DFGAbstractInterpreterInlines.h:
3777         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3778         * dfg/DFGArgumentsEliminationPhase.cpp:
3779         * dfg/DFGClobberize.h:
3780         (JSC::DFG::clobberize):
3781         * dfg/DFGConstantFoldingPhase.cpp:
3782         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3783         * dfg/DFGDoesGC.cpp:
3784         (JSC::DFG::doesGC):
3785         * dfg/DFGFixupPhase.cpp:
3786         (JSC::DFG::FixupPhase::fixupNode):
3787         * dfg/DFGNode.h:
3788         (JSC::DFG::Node::convertCheckStructureOrEmptyToCheckStructure):
3789         (JSC::DFG::Node::hasStructureSet):
3790         * dfg/DFGNodeType.h:
3791         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3792         * dfg/DFGPredictionPropagationPhase.cpp:
3793         * dfg/DFGSafeToExecute.h:
3794         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
3795         (JSC::DFG::SafeToExecuteEdge::operator()):
3796         (JSC::DFG::SafeToExecuteEdge::maySeeEmptyChild):
3797         (JSC::DFG::safeToExecute):
3798         * dfg/DFGSpeculativeJIT.cpp:
3799         (JSC::DFG::SpeculativeJIT::emitStructureCheck):
3800         (JSC::DFG::SpeculativeJIT::compileCheckStructure):
3801         * dfg/DFGSpeculativeJIT.h:
3802         * dfg/DFGSpeculativeJIT32_64.cpp:
3803         (JSC::DFG::SpeculativeJIT::compile):
3804         * dfg/DFGSpeculativeJIT64.cpp:
3805         (JSC::DFG::SpeculativeJIT::compile):
3806         * dfg/DFGTypeCheckHoistingPhase.cpp:
3807         (JSC::DFG::TypeCheckHoistingPhase::run):
3808         * dfg/DFGValidate.cpp:
3809         * ftl/FTLCapabilities.cpp:
3810         (JSC::FTL::canCompile):
3811         * ftl/FTLLowerDFGToB3.cpp:
3812         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3813         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureOrEmpty):
3814
3815 2017-09-04  Saam Barati  <sbarati@apple.com>
3816
3817         Support compiling catch in the FTL
3818         https://bugs.webkit.org/show_bug.cgi?id=175396
3819
3820         Reviewed by Filip Pizlo.
3821
3822         This patch implements op_catch in the FTL. It extends the DFG implementation
3823         by supporting multiple entrypoints in DFG-SSA. This patch implements this
3824         by introducing an EntrySwitch node. When converting to SSA, we introduce a new
3825         root block with an EntrySwitch that has the previous DFG entrypoints as its
3826         successors. By convention, we pick the zeroth entry point index to be the
3827         op_enter entrypoint. Like in B3, in DFG-SSA, EntrySwitch just acts like a
3828         switch over the entrypoint index argument. DFG::EntrySwitch in the FTL
3829         simply lowers to B3::EntrySwitch. The EntrySwitch in the root block that
3830         SSAConversion creates cannot exit because we would not know where to exit
3831         to in the program: we would not have valid OSR exit state. This design also
3832         mandates that anything we hoist above EntrySwitch in the new root block
3833         cannot exit since they also do not have valid OSR exit state.
3834         
3835         This patch also adds a new metadata node named InitializeEntrypointArguments.
3836         InitializeEntrypointArguments is a metadata node that initializes the flush format for
3837         the arguments at a given entrypoint. For a given entrypoint index, this node
3838         tells AI and OSRAvailabilityAnalysis what the flush format for each argument
3839         is. This allows each individual entrypoint to have an independent set of
3840         argument types. Currently, this won't happen in practice because ArgumentPosition
3841         unifies flush formats, but this is an implementation detail we probably want
3842         to modify in the future. SSAConversion will add InitializeEntrypointArguments
3843         to the beginning of each of the original DFG entrypoint blocks.
3844         
3845         This patch also adds the ability to specify custom prologue code generators in Air.
3846         This allows the FTL to specify a custom prologue for catch entrypoints that
3847         matches the op_catch OSR entry calling convention that the DFG uses. This way,
3848         the baseline JIT code OSR enters into op_catch the same way both in the DFG
3849         and the FTL. In the future, we can use this same mechanism to perform stack
3850         overflow checks instead of using a patchpoint.
3851
3852         * b3/air/AirCode.cpp:
3853         (JSC::B3::Air::Code::isEntrypoint):
3854         (JSC::B3::Air::Code::entrypointIndex):
3855         * b3/air/AirCode.h:
3856         (JSC::B3::Air::Code::setPrologueForEntrypoint):
3857         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
3858         * b3/air/AirGenerate.cpp:
3859         (JSC::B3::Air::generate):
3860         * dfg/DFGAbstractInterpreterInlines.h:
3861         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3862         * dfg/DFGBasicBlock.h:
3863         * dfg/DFGByteCodeParser.cpp:
3864         (JSC::DFG::ByteCodeParser::parseBlock):
3865         (JSC::DFG::ByteCodeParser::parse):
3866         * dfg/DFGCFG.h:
3867         (JSC::DFG::selectCFG):
3868         * dfg/DFGClobberize.h:
3869         (JSC::DFG::clobberize):
3870         * dfg/DFGClobbersExitState.cpp:
3871         (JSC::DFG::clobbersExitState):
3872         * dfg/DFGCommonData.cpp:
3873         (JSC::DFG::CommonData::shrinkToFit):
3874         (JSC::DFG::CommonData::finalizeCatchEntrypoints):
3875         * dfg/DFGCommonData.h:
3876         (JSC::DFG::CommonData::catchOSREntryDataForBytecodeIndex):
3877         (JSC::DFG::CommonData::appendCatchEntrypoint):
3878         * dfg/DFGDoesGC.cpp:
3879         (JSC::DFG::doesGC):
3880         * dfg/DFGFixupPhase.cpp:
3881         (JSC::DFG::FixupPhase::fixupNode):
3882         * dfg/DFGGraph.cpp:
3883         (JSC::DFG::Graph::dump):
3884         (JSC::DFG::Graph::invalidateCFG):
3885         (JSC::DFG::Graph::ensureCPSCFG):
3886         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3887         * dfg/DFGGraph.h:
3888         (JSC::DFG::Graph::isEntrypoint):
3889         * dfg/DFGInPlaceAbstractState.cpp:
3890         (JSC::DFG::InPlaceAbstractState::initialize):
3891         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3892         * dfg/DFGJITCode.cpp: