533a9f6e738edc8d2428928bbab271b7b89d196f
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-04-06  Guillaume Emont  <guijemont@igalia.com>

        [JSC][MIPS][DFG] Use x86 generic HasOwnProperty
        https://bugs.webkit.org/show_bug.cgi?id=170222

        Reviewed by Yusuke Suzuki.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        use the X86 special version for HasOwnProperty on MIPS too.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        use the X86 special version for HasOwnProperty on MIPS too.

2017-04-05  Saam Barati  <sbarati@apple.com>

        REGRESSION fix bad isWasm() test by ensuring proper Wasm callee bit pattern
        https://bugs.webkit.org/show_bug.cgi?id=170494
        <rdar://problem/31446485>

        Reviewed by Yusuke Suzuki and Mark Lam.

        This patch fixes how we test a 64 bit JSValue pattern to see if it's
        a Wasm callee. We now tag Wasm::Callee's with 0b011 in their lower 3 bits.
        The new test for a Wasm Callee is as follows:
        isWasm(uint64_t x)
        {
            return (x & 0xffff000000000007) == 3;
        }

        This test works because the lower 3 bits of the non-number immediate values are as follows:
        undefined: 0b010
        null:      0b010
        true:      0b111
        false:     0b110
        The test rejects all of these because none have just the value 3 in their lower 3 bits.
        The test also rejects all numbers, because they have non-zero upper 16 bits.
        The test also rejects normal cells because they won't have the number 3 as
        their lower 3 bits. Note, this bit pattern also allows the normal JSValue isCell(), etc,
        predicates to work on a Wasm::Callee because the various tests will fail if you
        bit casted a boxed Wasm::Callee* to a JSValue. isCell() would fail since it sees
        TagBitTypeOther. The other tests also trivially fail, since it won't be a number,
        and it won't be equal to null, undefined, true, or false. The isBoolean() predicate
        will fail because we won't have TagBitBool set.

        * interpreter/CallFrame.h:
        (JSC::ExecState::guaranteedJSValueCallee):
        (JSC::ExecState::calleeAsValue): Deleted.
        * interpreter/CalleeBits.h:
        (JSC::CalleeBits::boxWasm):
        (JSC::CalleeBits::isWasm):
        (JSC::CalleeBits::asWasmCallee):
        * jit/JITOperations.cpp:
        * runtime/JSCJSValue.h:

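The bit-pattern argument in the entry above, as an added worked example that is not JavaScriptCore's code: a stand-alone model of the 64-bit JSValue encoding with the isWasm() test, run over every value class the entry enumerates (the four immediates, boxed int32 and double, an ordinary cell, a tagged Wasm::Callee). The tag constants (TagTypeNumber, DoubleEncodeOffset, TagBitTypeOther and the four immediate values) are assumed from JSC's 64-bit encoding, and the two addresses are constructed stand-ins rather than real heap pointers. Note that the later entry on this page ("JSWebAssemblyCallee should not be a JSCell") describes the earlier "1 in the lower bit" tag that this change replaces with 0b011.

```cpp
// Added example, not JavaScriptCore code: a model of the 64-bit JSValue bit
// patterns described in the entry, with the isWasm() test. Tag constants are
// assumed from JSC's 64-bit encoding; the addresses are constructed stand-ins.
#include <cstdint>
#include <cstring>

constexpr uint64_t TagTypeNumber      = 0xffff000000000000ull; // top 16 bits set: boxed int32
constexpr uint64_t DoubleEncodeOffset = 1ull << 48;            // keeps a double's top 16 bits non-zero
constexpr uint64_t TagBitTypeOther    = 0x2;                   // bit 1: a non-cell immediate
constexpr uint64_t TagMask            = TagTypeNumber | TagBitTypeOther;
constexpr uint64_t ValueFalse         = 0x6;  // 0b110
constexpr uint64_t ValueTrue          = 0x7;  // 0b111
constexpr uint64_t ValueUndefined     = 0xa;  // 0b1010, low three bits 0b010
constexpr uint64_t ValueNull          = 0x2;  // 0b010
constexpr uint64_t WasmCalleeTag      = 0x3;  // 0b011, the tag this change introduces

// Constructed addresses: 16-byte aligned, top 16 bits clear (48-bit user space).
constexpr uintptr_t kCellAddress   = 0x00007f0012345670ull;
constexpr uintptr_t kCalleeAddress = 0x00007f00abcdef00ull;

inline uint64_t boxInt32(int32_t v) { return TagTypeNumber | static_cast<uint32_t>(v); }
inline uint64_t boxDouble(double d) {
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    return bits + DoubleEncodeOffset;
}
inline uint64_t boxCell(uintptr_t cell) { return cell; }                        // low three bits are 000
inline uint64_t boxWasmCallee(uintptr_t callee) { return callee | WasmCalleeTag; }
inline uintptr_t asWasmCallee(uint64_t x) { return x & ~uint64_t(7); }          // strip the tag again

// The test from the entry. In C++ '==' binds tighter than '&', so the
// parentheses are required; 'x & M == 3' would compute 'x & (M == 3)'.
inline bool isWasm(uint64_t x) { return (x & 0xffff000000000007ull) == 3; }

// The ordinary JSValue predicates that the entry says must keep rejecting a
// boxed Wasm::Callee (assumed definitions from JSC's 64-bit encoding).
inline bool isNumber(uint64_t x)          { return (x & TagTypeNumber) != 0; }
inline bool isCell(uint64_t x)            { return (x & TagMask) == 0; }
inline bool isBoolean(uint64_t x)         { return (x & ~uint64_t(1)) == ValueFalse; }
inline bool isUndefinedOrNull(uint64_t x) { return (x & ~uint64_t(8)) == ValueNull; }

// True when a value is classified as a Wasm callee and as nothing else.
inline bool isWasmOnly(uint64_t x) {
    return isWasm(x) && !isNumber(x) && !isCell(x) && !isBoolean(x) && !isUndefinedOrNull(x);
}

// Walks the cases the entry enumerates; returns false on any disagreement.
bool selfCheck() {
    const uint64_t rejected[] = {
        ValueUndefined, ValueNull, ValueTrue, ValueFalse,   // immediates: low bits 010/111/110
        boxInt32(3), boxInt32(-1),                          // int32: top 16 bits set
        boxDouble(1.5), boxDouble(0.0), boxDouble(-0.0),    // doubles: top 16 bits non-zero
        boxCell(kCellAddress),                              // cell: low three bits 000
    };
    for (uint64_t v : rejected)
        if (isWasm(v))
            return false;
    uint64_t callee = boxWasmCallee(kCalleeAddress);
    return isWasmOnly(callee) && asWasmCallee(callee) == kCalleeAddress;
}

int main() { return selfCheck() ? 0 : 1; }
```

Any C++11 compiler builds it; main() exits 0 when every case in selfCheck() agrees with the entry's reasoning. The value of the model is the negative cases: a boxed int32 of 3 and a boxed double are rejected by the upper-16-bit part of the mask, the immediates by the low-3-bit part, and a cell by its zero low bits, so only a pointer deliberately tagged 0b011 passes.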
2017-04-05  Keith Miller  <keith_miller@apple.com>

        WebAssembly: Plans should be able to have more than one completion task.
        https://bugs.webkit.org/show_bug.cgi?id=170516

        Reviewed by Saam Barati.

        This patch also eliminates the need for blocked tasks on the
        PromiseDeferredTimer and pendingPromise on Wasm::Plan.

        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::doWork):
        (JSC::PromiseDeferredTimer::cancelPendingPromise):
        (JSC::PromiseDeferredTimer::scheduleBlockedTask): Deleted.
        * runtime/PromiseDeferredTimer.h:
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan):
        (JSC::Wasm::Plan::addCompletionTask):
        (JSC::Wasm::Plan::complete):
        * wasm/WasmPlan.h:
        (JSC::Wasm::Plan::setMode):
        (JSC::Wasm::Plan::mode):
        (JSC::Wasm::Plan::setModeAndPromise): Deleted.
        (JSC::Wasm::Plan::pendingPromise): Deleted.
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::Worklist::enqueue):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::instantiate):

2017-04-05  Guilherme Iscaro  <iscaro@profusion.mobi>

        Do not use BLX for immediates (ARM-32)

        https://bugs.webkit.org/show_bug.cgi?id=170351

        Reviewed by Mark Lam.

        Currently the offline asm generator for 32-bit ARM code translates the
        'call' meta-instruction (which may be found in LowLevelInterpreter.asm
        and friends) to the ARM's BLX instruction. The BLX instruction may be
        used for labels (immediates) and registers, and one side effect of BLX
        is that it may switch the processor's instruction set.
        A 'BLX register' instruction will change the processor state to (or keep it in)
        ARM if register_bit[0] is set to 0, or change it to (or keep it in) Thumb if
        register_bit[0] is set to 1. However, a 'BLX label' instruction will
        always switch the processor state. It switches ARM to Thumb and vice-versa.
        This behaviour is unwanted, since the C++ code and the offlineasm generated code
        are both compiled using the same instruction set, thus an instruction
        set change will likely produce a crash. In order to fix the problem the
        BL instruction can be used for labels. It will branch just like BLX,
        but it won't change the instruction set. It's important to note that
        Darwin is not affected by this problem, thus to minimize the impact of
        this change the BL instruction will only be used on non-Darwin targets.

        BLX reference: http://infocenter.arm.com/help/topic/com.arm.doc.dui0489i/CIHBJCDC.html?resultof=%22%62%6c%78%22%20

        * offlineasm/arm.rb:

2017-04-05  Keith Miller  <keith_miller@apple.com>

        WebAssembly: We shouldn't need to pin size registers if we have a fast memory.
        https://bugs.webkit.org/show_bug.cgi?id=170504

        Reviewed by Mark Lam.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::createJSToWasmWrapper):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmMemoryInformation.h:
        (JSC::Wasm::PinnedRegisterInfo::toSave):

2017-04-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Suppress warnings in GCC
        https://bugs.webkit.org/show_bug.cgi?id=170501

        Reviewed by Keith Miller.

        Should use ASSERT_NOT_REACHED since return-type pragma is only
        enabled under ASSERT_DISABLED environment. We should use
        ASSERT_NOT_REACHED to emit assertions in debug build. It effectively
        catches bugs while keeping performance in release build.

        * b3/B3Opcode.cpp:
        (JSC::B3::storeOpcode):
        * b3/B3Width.h:
        (JSC::B3::mask):
        * runtime/Options.cpp:
        (JSC::parse):
        * wasm/WasmSections.h:
        (JSC::Wasm::makeString):
        * wasm/WasmSignature.cpp:
        (JSC::Wasm::SignatureInformation::tryCleanup):
        * wasm/generateWasmValidateInlinesHeader.py:

2017-04-05  Carlos Garcia Campos  <cgarcia@igalia.com>

        Implement PromiseDeferredTimer for non CF based ports
        https://bugs.webkit.org/show_bug.cgi?id=170391

        Reviewed by Yusuke Suzuki.

        RunLoop handling is only implemented for CF, causing several wasm tests to fail for other ports.

        * jsc.cpp:
        (runJSC): Remove CF ifdefs.
        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::doWork): Add non CF implementation using WTF RunLoop.
        (JSC::PromiseDeferredTimer::runRunLoop): Ditto.
        * runtime/PromiseDeferredTimer.h:

2017-04-05  Carlos Garcia Campos  <cgarcia@igalia.com>

        WebAssembly: several tests added in r214504 crash when building with GCC
        https://bugs.webkit.org/show_bug.cgi?id=170390

        Reviewed by Saam Barati.

        The pattern foo->bar([f = WTFMove(foo)]{}); crashes when building with GCC. I assume the move happens before
        foo is used to invoke the function.

        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyCompileFunc): Use p.vm() instead of plan->vm(), because plan is moved by the lambda.
        (JSC::instantiate): Ditto.
        (JSC::compileAndInstantiate): Ditto.

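The crash pattern in the entry above, as an added example that is not WebKit's code: the hazard is that the arguments of one call are unsequenced (C++14) or only indeterminately sequenced (C++17) relative to each other, so an init-capture that moves a pointer out can run before another argument that still dereferences it. The types and names below (VM, Plan, addPendingTask, scheduleBroken, scheduleFixed) are hypothetical stand-ins for the JSC types, and std::shared_ptr plays the role of a ref-counted Plan; a moved-from shared_ptr is empty, which is exactly why the broken form faults.

```cpp
// Added example, not WebKit code: the argument-evaluation-order use-after-move
// from the entry, modelled with standard C++. VM, Plan, addPendingTask and the
// schedule* functions are hypothetical stand-ins for the JSC types.
#include <functional>
#include <memory>
#include <vector>

struct VM {
    std::vector<std::function<void()>> pending;  // tasks a timer would run later
};

struct Plan {
    explicit Plan(VM& vm) : m_vm(vm) {}
    VM& vm() { return m_vm; }
    bool completed = false;
private:
    VM& m_vm;
};

// Stand-in for queuing a completion task against a VM.
void addPendingTask(VM& vm, std::function<void()> task) {
    vm.pending.push_back(std::move(task));
}

// BROKEN: 'plan->vm()' and the init-capture '[plan = std::move(plan)]' are two
// arguments of the same call, so nothing orders the dereference before the
// move. GCC performs the move first, and plan->vm() then dereferences an empty
// pointer. Kept for comparison only; it is never called here.
void scheduleBroken(std::shared_ptr<Plan> plan) {
    addPendingTask(plan->vm(), [plan = std::move(plan)] { plan->completed = true; });
}

// FIXED (the entry's "use p.vm() instead of plan->vm()"): read everything you
// need from 'plan' before the call whose argument list moves it away.
void scheduleFixed(std::shared_ptr<Plan> plan) {
    Plan& p = *plan;
    addPendingTask(p.vm(), [plan = std::move(plan)] { plan->completed = true; });
}

// Schedules through the fixed path and drains the queue; returns true when the
// task fired on a Plan the lambda still owns.
bool runFixedSchedule() {
    VM vm;
    auto plan = std::make_shared<Plan>(vm);
    Plan* observed = plan.get();
    scheduleFixed(std::move(plan));   // the lambda now owns the Plan
    for (auto& task : vm.pending)
        task();
    return observed->completed && vm.pending.size() == 1;
}

int main() { return runFixedSchedule() ? 0 : 1; }
```

The fix does not rely on any particular compiler's argument order, which is the property to insist on in review: whenever an init-capture moves a value, no other argument of the same call may read that value.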
2017-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Generate TemplateObjects at linking time
        https://bugs.webkit.org/show_bug.cgi?id=169743

        Reviewed by Keith Miller.

        Currently, the code calls getTemplateObject to get appropriate template objects at runtime.
        But this template object is a constant value and never changed. So instead of creating it
        at runtime, we should create it at linking time and store it in the constant registers.

        * builtins/BuiltinNames.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::setConstantRegisters):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecode/UnlinkedCodeBlock.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant):
        (JSC::BytecodeGenerator::emitGetTemplateObject):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::TaggedTemplateNode::emitBytecode):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::getTemplateObject): Deleted.
        * runtime/JSTemplateRegistryKey.cpp:
        * runtime/JSTemplateRegistryKey.h:
        (JSC::isTemplateRegistryKey):

2017-04-04  Mark Lam  <mark.lam@apple.com>

        On ARM64, DFG::SpeculativeJIT::compileArithMod() failed to ensure result is of DataFormatInt32.
        https://bugs.webkit.org/show_bug.cgi?id=170473
        <rdar://problem/29912391>

        Reviewed by Saam Barati.

        In Unchecked mode, when DFG::SpeculativeJIT::compileArithMod() detects that the
        divisor is 0, we want it to return 0.  The result is expected to be of
        DataFormatInt32.

        The ARM implementation just returns the value in the divisor register.  However,
        the divisor in this case can be of DataFormatJSInt32.  On ARM64, returning the
        divisor register yields the wrong result format because the same register also
        holds the upper 32-bit of the JSValue encoding.  The fix is to return an
        immediate 0 instead.

        Also turned on the assertion in jitAssertIsInt32 for ARM64.  This assertion being
        disabled may have contributed to this bug going unnoticed all this time.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsInt32):

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        Air::eliminateDeadCode should not repeatedly process the same live instructions
        https://bugs.webkit.org/show_bug.cgi?id=170490

        Reviewed by Keith Miller.

        This makes the eliminateDeadCode() fixpoint somewhat worklist-based: we track the set
        of Insts that might be dead. Every time we detect that one is live, we remove it from
        the set. This is a big (>2x) speed-up because lots of Insts are immediately found to
        be live.

        This is a ~1% wasm -O1 compile time progression.

        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode):

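The worklist idea in the entry above, as an added example that is not WebKit's Air code: a dead-code elimination over a toy three-address IR that keeps a set of possibly-dead instructions and erases each one the moment it is proved live, so later fixpoint rounds only re-examine what is still in doubt. The IR, its field names and the sample program are constructed for this example; the examined-visits counter exists only to make the saving visible.

```cpp
// Added example, not WebKit's Air code: worklist-style dead-code elimination
// over a constructed toy IR, illustrating "remove an Inst from the
// possibly-dead set as soon as it is found live".
#include <cstddef>
#include <set>
#include <vector>

struct Inst {
    std::vector<int> defs;   // temporaries written by this instruction
    std::vector<int> uses;   // temporaries read by this instruction
    bool hasSideEffects;     // stores, calls, branches: live regardless of defs
};

struct DceResult {
    std::vector<size_t> kept;   // indices of instructions that survive
    size_t examined = 0;        // instruction visits the fixpoint needed
};

// An instruction is live if it has side effects or defines a temp read by a
// live instruction. The fixpoint iterates only over 'possiblyDead'; an
// instruction proved live is erased from that set on the spot and never
// re-examined, which is what keeps later rounds cheap.
DceResult eliminateDeadCode(const std::vector<Inst>& insts) {
    DceResult result;
    std::set<int> liveTmps;
    std::set<size_t> possiblyDead;
    std::vector<bool> live(insts.size(), false);

    // Seed: side-effecting instructions are live and make their uses live.
    for (size_t i = 0; i < insts.size(); ++i) {
        if (insts[i].hasSideEffects) {
            live[i] = true;
            liveTmps.insert(insts[i].uses.begin(), insts[i].uses.end());
        } else {
            possiblyDead.insert(i);
        }
    }

    bool changed = true;
    while (changed) {
        changed = false;
        for (auto it = possiblyDead.begin(); it != possiblyDead.end();) {
            const Inst& inst = insts[*it];
            ++result.examined;
            bool isLive = false;
            for (int d : inst.defs) {
                if (liveTmps.count(d)) { isLive = true; break; }
            }
            if (!isLive) { ++it; continue; }
            live[*it] = true;
            for (int u : inst.uses)
                changed |= liveTmps.insert(u).second;  // a new live temp may revive others
            it = possiblyDead.erase(it);                // off the worklist for good
        }
    }

    for (size_t i = 0; i < insts.size(); ++i)
        if (live[i]) result.kept.push_back(i);
    return result;
}

// Constructed sample program:
//   0: t0 = load a
//   1: t1 = t0 + 1
//   2: t2 = t0 * 2     dead: t2 is never read
//   3: t3 = t2 + 5     dead: t3 is never read
//   4: store t1        side effect, seeds liveness
//   5: t4 = 7          dead
std::vector<Inst> sampleProgram() {
    return {
        {{0}, {},  false},
        {{1}, {0}, false},
        {{2}, {0}, false},
        {{3}, {2}, false},
        {{},  {1}, true},
        {{4}, {},  false},
    };
}
```

On the sample, the first round finds instruction 1 live (its def t1 is read by the store) and adds t0 to the live set; the second round finds instruction 0 live and nothing else changes, so the loop ends after nine visits instead of re-checking instruction 1 again. Instructions 0, 1 and 4 survive.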
2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        Air::eliminateDeadCode() should not use a HashSet
        https://bugs.webkit.org/show_bug.cgi?id=170487

        Reviewed by Saam Barati.

        Introduce TmpSet, which is like a HashSet<Tmp>. Use this to make eliminateDeadCode()
        about 50% faster, resulting in a 1% wasm -O1 compile time progression.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode):
        * b3/air/AirTmpSet.h: Added.
        (JSC::B3::Air::TmpSet::TmpSet):
        (JSC::B3::Air::TmpSet::add):
        (JSC::B3::Air::TmpSet::remove):
        (JSC::B3::Air::TmpSet::contains):
        (JSC::B3::Air::TmpSet::size):
        (JSC::B3::Air::TmpSet::isEmpty):
        (JSC::B3::Air::TmpSet::iterator::iterator):
        (JSC::B3::Air::TmpSet::iterator::operator*):
        (JSC::B3::Air::TmpSet::iterator::operator++):
        (JSC::B3::Air::TmpSet::iterator::operator==):
        (JSC::B3::Air::TmpSet::iterator::operator!=):
        (JSC::B3::Air::TmpSet::begin):
        (JSC::B3::Air::TmpSet::end):

2017-04-04  Keith Miller  <keith_miller@apple.com>

        WebAssembly: ModuleInformation should be a ref counted thing that can be shared across threads.
        https://bugs.webkit.org/show_bug.cgi?id=170478

        Reviewed by Saam Barati.

        ModuleInformation has been moved to its own file and is now
        ThreadSafeRefCounted.  All the Strings we used to keep in the
        ModuleInformation have been switched to Vector<LChar>; this has the
        advantage that it can be passed across threads. However, this does
        mean that we need to decode the utf8 strings in each thread. This
        is likely not a problem because:

        1) most modules have few imports/exports/custom sections.
        2) most of the time they are ascii so the conversion is cheap.
        3) we only have to do it once per thread, and there shouldn't be too many.

        This patch also removes
        moduleSignatureIndicesToUniquedSignatureIndices since that
        information can already be recovered from the
        SignatureInformation.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (functionTestWasmModuleFunctions):
        * runtime/Identifier.h:
        (JSC::Identifier::fromString):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmFormat.cpp:
        (JSC::Wasm::makeString):
        (JSC::Wasm::ModuleInformation::~ModuleInformation): Deleted.
        * wasm/WasmFormat.h:
        (JSC::Wasm::makeString):
        (JSC::Wasm::ModuleInformation::functionIndexSpaceSize): Deleted.
        (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace): Deleted.
        (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace): Deleted.
        (JSC::Wasm::ModuleInformation::importFunctionCount): Deleted.
        (JSC::Wasm::ModuleInformation::internalFunctionCount): Deleted.
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::FunctionParser):
        * wasm/WasmModuleInformation.cpp: Copied from Source/JavaScriptCore/wasm/WasmValidate.h.
        (JSC::Wasm::ModuleInformation::~ModuleInformation):
        * wasm/WasmModuleInformation.h: Added.
        (JSC::Wasm::ModuleInformation::functionIndexSpaceSize):
        (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace):
        (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace):
        (JSC::Wasm::ModuleInformation::importFunctionCount):
        (JSC::Wasm::ModuleInformation::internalFunctionCount):
        (JSC::Wasm::ModuleInformation::ModuleInformation):
        * wasm/WasmModuleParser.cpp:
        * wasm/WasmModuleParser.h:
        (JSC::Wasm::ModuleParser::ModuleParser):
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan):
        (JSC::Wasm::Plan::parseAndValidateModule):
        (JSC::Wasm::Plan::prepare):
        (JSC::Wasm::Plan::compileFunctions):
        (JSC::Wasm::Plan::complete):
        (JSC::Wasm::Plan::cancel):
        * wasm/WasmPlan.h:
        (JSC::Wasm::Plan::internalFunctionCount):
        (JSC::Wasm::Plan::takeModuleInformation):
        * wasm/WasmSignature.cpp:
        (JSC::Wasm::SignatureInformation::get):
        * wasm/WasmSignature.h:
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::validateFunction):
        * wasm/WasmValidate.h:
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::createSourceBufferFromValue):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::createStub):
        (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
        (JSC::JSWebAssemblyModule::finishCreation):
        * wasm/js/JSWebAssemblyModule.h:
        (JSC::JSWebAssemblyModule::moduleInformation):
        (JSC::JSWebAssemblyModule::source):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::WebAssemblyModuleConstructor::createModule):
        * wasm/js/WebAssemblyModulePrototype.cpp:
        (JSC::webAssemblyModuleProtoCustomSections):
        (JSC::webAssemblyModuleProtoImports):
        (JSC::webAssemblyModuleProtoExports):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyModuleRecord.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyCompileFunc):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        B3::fixSSA() needs a tune-up
        https://bugs.webkit.org/show_bug.cgi?id=170485

        Reviewed by Saam Barati.

        After the various optimizations to liveness, register allocation, and other phases, the
        fixSSA() phase now looks like one of the top offenders. This includes a bunch of
        changes to make this phase run faster. This is a ~7% wasm -O1 compile time progression.

        Here's what I did:

        - We now use IndexSparseSet instead of IndexMap for tracking variable values. This
          makes it cheaper to chew through small blocks while there is a non-trivial number of
          total variables.

        - We now do a "local SSA conversion" pass before anything else. This eliminates
          obvious Get's. If we were using temporary Variables, it would eliminate many of
          those. That's useful for when we use demoteValues() and duplicateTails(). For wasm
          -O1, we mainly care about the fact that it makes a bunch of Set's dead.

        - We now do a Set DCE pass after the local SSA but before SSA conversion. This ensures
          that any block-local live intervals of Variables disappear and don't need further
          consideration.

        - We now cache the reaching defs calculation.

        - We now perform the reaching defs calculation lazily.

        * b3/B3FixSSA.cpp:
        (JSC::B3::demoteValues):
        (JSC::B3::fixSSA):
        * b3/B3SSACalculator.cpp:
        (JSC::B3::SSACalculator::reachingDefAtTail):
        * b3/B3VariableLiveness.cpp:
        (JSC::B3::VariableLiveness::VariableLiveness):
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::Liveness::Liveness):
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase): Deleted.
        (JSC::DFG::LivenessAnalysisPhase::run): Deleted.
        (JSC::DFG::LivenessAnalysisPhase::processBlock): Deleted.

2017-04-04  Joseph Pecoraro  <pecoraro@apple.com>

        Remove stale LLVM Header Path includes from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=170483

        Reviewed by Mark Lam.

        * Configurations/Base.xcconfig:

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        B3::LowerToAir incorrectly selects BitXor(AtomicStrongCAS(...), $1)
        https://bugs.webkit.org/show_bug.cgi?id=169867

        Reviewed by Saam Barati.

        The BitXor(AtomicWeakCAS(...), $1) optimization makes a lot of sense because we can fold the
        BitXor into the CAS condition read-out. But there is no version of this that is profitable or
        correct for AtomicStrongCAS. The inversion case is handled by Equal(AtomicStrongCAS(...), ...)
        becoming NotEqual(AtomicStrongCAS(...), ...), and we already handle that separately.

        So, the fix here is to make the BitXor CAS pattern only recognize AtomicWeakCAS.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/testb3.cpp:
        (JSC::B3::testAtomicStrongCAS):

2017-04-04  Saam Barati  <sbarati@apple.com>

        WebAssembly: JSWebAssemblyCallee should not be a JSCell
        https://bugs.webkit.org/show_bug.cgi?id=170135

        Reviewed by Michael Saboff.

        This patch is perhaps the last big change to the design of fundamental
        Wasm API to allow for PIC. It changes JSWebAssemblyCallee into a thing
        called Wasm::Callee. It serves the same purpose as before, except
        Wasm::Callee is not a JSCell. I had to refactor the various parts of the
        runtime that will see CallFrame's with Wasm::Callee's in the callee slot.
        Thankfully, the parts of the runtime that Wasm touches are limited. The
        main refactoring is changing the exception handling code, such as taking
        a stack trace, to be friendly to seeing a non JSCell callee.

        The callee() function on ExecState now returns a class I added in this
        patch called CalleeBits. CalleeBits will tell you if the callee is a
        JSCell or a Wasm::Callee. We tag Wasm::Callee's with a 1 in their lower
        bit so we can easily tell what is and isn't a Wasm::Callee.

        The stub that calls out from Wasm to JS still puts a JSCell callee
        into the call frame, even though the callee logically represents a
        Wasm frame. The reason for this is that we use the call IC infrastructure
        to make a call out to JS code, and the code that writes the IC expects
        a JSCell as the callee. This is knowingly part of our design. When we
        do structured cloning of Wasm Modules, we'll need to regenerate these
        JS call stubs.

        * API/JSContextRef.cpp:
        (BacktraceFunctor::operator()):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::currentDebuggerCallFrame):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::create):
        (JSC::DebuggerCallFrame::DebuggerCallFrame):
        (JSC::DebuggerCallFrame::currentPosition):
        (JSC::DebuggerCallFrame::positionForCallFrame):
        * debugger/DebuggerCallFrame.h:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::vmEntryGlobalObject):
        (JSC::CallFrame::wasmAwareLexicalGlobalObject):
        (JSC::CallFrame::isAnyWasmCallee):
        (JSC::CallFrame::callerSourceOrigin):
        * interpreter/CallFrame.h:
        (JSC::ExecState::calleeAsValue):
        (JSC::ExecState::jsCallee):
        (JSC::ExecState::callee):
        (JSC::ExecState::unsafeCallee):
        (JSC::ExecState::scope):
        (JSC::ExecState::iterate):
        * interpreter/CalleeBits.h: Added.
        (JSC::CalleeBits::CalleeBits):
        (JSC::CalleeBits::operator=):
        (JSC::CalleeBits::boxWasm):
        (JSC::CalleeBits::isWasm):
        (JSC::CalleeBits::isCell):
        (JSC::CalleeBits::asCell):
        (JSC::CalleeBits::asWasmCallee):
        (JSC::CalleeBits::rawPtr):
        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::Interpreter::getStackTrace):
        (JSC::notifyDebuggerOfUnwinding):
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator()):
        (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
        * interpreter/Interpreter.h:
        * interpreter/Register.h:
        (JSC::Register::pointer):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
        * interpreter/ShadowChickenInlines.h:
        (JSC::ShadowChicken::iterate):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):
        (JSC::StackVisitor::readFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        (JSC::StackVisitor::readInlinedFrame):
        (JSC::StackVisitor::Frame::calleeSaveRegisters):
        (JSC::StackVisitor::Frame::functionName):
        (JSC::StackVisitor::Frame::dump):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::Frame::callee):
        (JSC::StackVisitor::visit):
        * jit/Repatch.cpp:
        (JSC::linkFor):
        (JSC::linkPolymorphicCall):
        * jsc.cpp:
        (callWasmFunction):
        (functionTestWasmModuleFunctions):
        * runtime/ArrayPrototype.cpp:
        * runtime/Error.cpp:
        (JSC::addErrorInfoAndGetBytecodeOffset):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        * runtime/JSCell.cpp:
        (JSC::JSCell::isAnyWasmCallee): Deleted.
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::ExecState::vm):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveArgumentsFunctor::operator()):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        * runtime/JSGlobalObject.cpp:
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::recordJSFrame):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::UnprocessedStackFrame::UnprocessedStackFrame):
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::sourceURL):
        (JSC::StackFrame::functionName):
        * runtime/StackFrame.h:
        (JSC::StackFrame::wasm):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::throwException):
        * runtime/VM.h:
        * wasm/JSWebAssembly.h:
        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmCallee.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp.
        (JSC::Wasm::Callee::Callee):
        (JSC::JSWebAssemblyCallee::JSWebAssemblyCallee): Deleted.
        (JSC::JSWebAssemblyCallee::finishCreation): Deleted.
        (JSC::JSWebAssemblyCallee::destroy): Deleted.
        * wasm/WasmCallee.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.h.
        (JSC::Wasm::Callee::create):
        (JSC::JSWebAssemblyCallee::create): Deleted.
        (JSC::JSWebAssemblyCallee::createStructure): Deleted.
        (JSC::JSWebAssemblyCallee::entrypoint): Deleted.
        (JSC::JSWebAssemblyCallee::calleeSaveRegisters): Deleted.
        * wasm/WasmContext.h:
        * wasm/WasmPlan.cpp:
        * wasm/WasmPlan.h:
        * wasm/WasmPlanInlines.h:
        (JSC::Wasm::Plan::initializeCallees):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        * wasm/js/JSWebAssemblyCallee.cpp: Removed.
        * wasm/js/JSWebAssemblyCallee.h: Removed.
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        (JSC::JSWebAssemblyCodeBlock::initialize):
        (JSC::JSWebAssemblyCodeBlock::visitChildren):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        (JSC::JSWebAssemblyCodeBlock::create):
        (JSC::JSWebAssemblyCodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
        (JSC::JSWebAssemblyCodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
        (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport):
        (JSC::JSWebAssemblyCodeBlock::offsetOfImportWasmToJSStub):
        (JSC::JSWebAssemblyCodeBlock::setJSEntrypointCallee):
        (JSC::JSWebAssemblyCodeBlock::setWasmEntrypointCallee):
        (JSC::JSWebAssemblyCodeBlock::offsetOfImportStubs):
        (JSC::JSWebAssemblyCodeBlock::allocationSize):
        (JSC::JSWebAssemblyCodeBlock::importWasmToJSStub):
        (JSC::JSWebAssemblyCodeBlock::callees): Deleted.
        (JSC::JSWebAssemblyCodeBlock::offsetOfCallees): Deleted.
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee):
        * wasm/js/JSWebAssemblyModule.cpp:
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        (JSC::WebAssemblyFunction::create):
        (JSC::WebAssemblyFunction::WebAssemblyFunction):
        (JSC::WebAssemblyFunction::visitChildren):
        (JSC::WebAssemblyFunction::finishCreation):
        * wasm/js/WebAssemblyFunction.h:
        (JSC::WebAssemblyFunction::wasmEntrypoint):
        (JSC::WebAssemblyFunction::jsEntrypoint):
        (JSC::WebAssemblyFunction::offsetOfWasmEntrypoint):
        (JSC::WebAssemblyFunction::offsetOfWasmEntryPointCode): Deleted.
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):

2017-04-04  Keith Miller  <keith_miller@apple.com>

        WasmBench asserts in debug jsc
        https://bugs.webkit.org/show_bug.cgi?id=170462

        Reviewed by Saam Barati.

        The assertion should have been an if.

        * wasm/WasmWorklist.cpp:

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        Air::lowerAfterRegAlloc should bail early if it finds no Shuffles or ColdCCalls
        https://bugs.webkit.org/show_bug.cgi?id=170305

        Reviewed by Saam Barati.

        This reduces and sometimes completely eliminates the need to run lowerAfterRegAlloc().

        This lowers the Shuffle for the arguments of a CCall before register allocation unless
        the CCall arguments require a real shuffle (like if the CCall arguments were argument
        registers). This lowers a ColdCCall like a CCall for optLevel<2.

        Finally, lowerAfterRegAlloc() now checks if there are any Shuffles or CCalls before it
        does anything else. For wasm at -O1, this means that the phase doesn't run at all. This
        is a ~3% wasm -O1 compile time progression.

        To make this easy, I changed optLevel into a property of Procedure and Code rather than
        an argument we thread through everything. I like how Procedure and Code are dumping
        ground classes. This does not bother me. Note that I cloned optLevel into Procedure and
        Code so that it's cheap to query inside Air phases.

        * b3/B3Compile.cpp:
        (JSC::B3::compile):
        * b3/B3Compile.h:
        * b3/B3Generate.cpp:
        (JSC::B3::prepareForGeneration):
        (JSC::B3::generateToAir):
        * b3/B3Generate.h:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::setOptLevel):
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::optLevel):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::isPinned):
        (JSC::B3::Air::Code::setOptLevel):
        (JSC::B3::Air::Code::optLevel):
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::ShufflePair::bank):
        (JSC::B3::Air::ShufflePair::opcode):
        (JSC::B3::Air::ShufflePair::inst):
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirEmitShuffle.h:
        (JSC::B3::Air::moveFor):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        * b3/air/AirGenerate.h:
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirLowerMacros.cpp:
        (JSC::B3::Air::lowerMacros):
        * b3/testb3.cpp:
        (JSC::B3::compileProc):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):

2017-04-04  Filip Pizlo  <fpizlo@apple.com>

        Don't need to Air::reportUsedRegisters for wasm at -O1
        https://bugs.webkit.org/show_bug.cgi?id=170459

        Reviewed by Saam Barati.

        I did some refactorings to Liveness<> to try to understand its performance. Based on
717         this I concluded that the bigger immediate issue is just removing unnecessary phases
718         from -O1.
719         
720         This removes Air::reportUsedRegisters() from -O1 if the user has indicated that he is
721         not interested in StackmapGenerationParams::usedRegisters(). The logic here is a bit
722         weird because of how Air does spill code generation. The register allocator's spiller
723         will emit spill code using identifiable spill slots, which allows subsequent phases to
724         register-allocate the spill slots. We do this by a forward flow CSE phase called
725         fixObviousSpills (which is a terrible name since there is no longer anything obvious
726         about some of the spills that this phase can fix!). As is most natural for CSEs over
727         3AC, it rewires the uses of redundant computations rather than removing the redundant
728         computations. This means that if a spill got "fixed", there may be either or both of
729         the following:
730         
731         - Dead loads from the stack.
732         - Dead stores to the stack.
733         
734         We know that a load from the stack is dead if the register is dead at the point of the
735         load. We know that a store to the stack is dead if the spill slot is dead at the point
736         of the store.
737         
738         Unfortunately, liveness analysis - over either registers or spill slots - is expensive.
739         
740         Fortunately, allocateStack() already does liveness analysis over spill slots. So, we
741         baked elimination of stores to the stack into that phase. That aspect of clean-up after
742         the spill CSE comes for free.
743         
744         Also fortunately for the FTL, we have to do reportUsedRegisters() anyway. This is a
745         phase that enables StackmapGenerationParams::usedRegisters() to work, which then
746         enables the FTL's patchpoints to do crazy slow-path live range splitting. So, Air's
747         strategy for the load fix-up after spill CSE is to do it as part of
748         reportUsedRegisters().
749         
750         This patch introduces the Procedure::setNeedsUsedRegisters() API. But if you set
751         needsUsedRegisters to false then we will still run reportUsedRegisters() at -O2 as an
752         optimization - it removes dead loads from the stack that are left behind from
753         fixObviousSpills().
754         
755         This is a ~6% compile time progression at -O1.
756
757         * b3/B3Procedure.h:
758         (JSC::B3::Procedure::setNeedsUsedRegisters):
759         (JSC::B3::Procedure::needsUsedRegisters):
760         * b3/B3StackmapGenerationParams.h:
761         * b3/B3VariableLiveness.cpp:
762         (JSC::B3::VariableLiveness::VariableLiveness):
763         * b3/air/AirCode.cpp:
764         (JSC::B3::Air::Code::needsUsedRegisters):
765         * b3/air/AirCode.h:
766         * b3/air/AirGenerate.cpp:
767         (JSC::B3::Air::prepareForGeneration):
768         * b3/air/AirLiveness.h:
769         (JSC::B3::Air::Liveness::Liveness):
770         * wasm/WasmB3IRGenerator.cpp:
771         (JSC::Wasm::parseAndCompile):
772
773 2017-04-03  Filip Pizlo  <fpizlo@apple.com>
774
775         Air liveness should build constraints and solve them rather than repeatedly parsing IR
776         https://bugs.webkit.org/show_bug.cgi?id=170421
777
778         Reviewed by Saam Barati.
779         
780         Inst::forEach<> is expensive. The LivenessAdapter uses forEach with a particularly
781         gnarly lambda that has many extra checks. Therefore, a lot of the time spent in
782         liveness analysis is just recomputing forEach<> and that lambda to get uses and defs.
783         
784         This introduces LivenessConstraints<>, which is a liveness constraint system based on
785         Adapter. It basically caches the results of doing forEach. It'll give you the uses and
786         defs at each instruction boundary.
787         
788         This is a ~5% compile time progression at optLevel=1. It's also a ~3% compile time
789         progression at optLevel=2.
790         
791         * JavaScriptCore.xcodeproj/project.pbxproj:
792         * b3/air/AirLivenessAdapter.h:
793         (JSC::B3::Air::LivenessAdapter::LivenessAdapter):
794         (JSC::B3::Air::LivenessAdapter::forEachUse):
795         (JSC::B3::Air::LivenessAdapter::forEachDef):
796         * b3/air/AirLivenessConstraints.h: Added.
797         (JSC::B3::Air::LivenessConstraints::Actions::Actions):
798         (JSC::B3::Air::LivenessConstraints::LivenessConstraints):
799         (JSC::B3::Air::LivenessConstraints::at):
800
801 2017-04-03  Mark Lam  <mark.lam@apple.com>
802
803         Fix incorrect capacity delta calculation reported in SparseArrayValueMap::add().
804         https://bugs.webkit.org/show_bug.cgi?id=170412
805         <rdar://problem/29697336>
806
807         Reviewed by Filip Pizlo.
808
809         Here's an example of code that will trigger underflow in the "deprecatedExtraMemory"
810         reported by SparseArrayValueMap::add() that is added to Heap::m_deprecatedExtraMemorySize:
811         
812             arr = new Array;
813             Object.defineProperty(arr, 18, ({writable: true, configurable: true}));
814             for (var i = 0; i < 3; ++i) {
815                 Array.prototype.push.apply(arr, ["", () => {}, {}]);
816                 Array.prototype.sort.apply(arr, [() => {}, []]);
817             }
818
819         However, Heap::m_deprecatedExtraMemorySize is only 1 of 3 values that are added
820         up to form the result of Heap::extraMemorySize().  Heap::m_extraMemorySize and
821         Heap::m_arrayBuffers.size() are the other 2.
822
823         While Heap::m_arrayBuffers.size() is bounded by actual allocated memory, both
824         Heap::m_deprecatedExtraMemorySize and Heap::m_extraMemorySize are added to
825         without any bounds checks, and they are only reset to 0 at the start of a full
826         GC.  As a result, if we have a long sequence of eden GCs with a lot of additions
827         to Heap::m_extraMemorySize and/or Heap::m_deprecatedExtraMemorySize, then these
828         values could theoretically overflow.  Coupling this with the underflow from
829         SparseArrayValueMap::add(), the result for Heap::extraMemorySize() can easily
830         overflow.  Note: Heap::extraMemorySize() is used to compute the value
831         currentHeapSize.
832
833         If multiple conditions line up just right, the above overflows can result in this
834         debug assertion failure during an eden GC:
835
836             ASSERT(currentHeapSize >= m_sizeAfterLastCollect);
837
838         Otherwise, the effects of the overflows will only result in the computed
839         currentHeapSize not being representative of actual memory usage, and therefore,
840         a full GC may be triggered earlier or later than is ideal.
841
842         This patch ensures that SparseArrayValueMap::add() cannot underflow
843         Heap::m_deprecatedExtraMemorySize.  It also adds overflows checks in the
844         calculations of Heap::m_deprecatedExtraMemorySize, Heap::m_extraMemorySize, and
845         Heap::extraMemorySize() so that their values are saturated appropriately to
846         ensure that GC collections are triggered based on representative memory usage.
847
848         * heap/Heap.cpp:
849         (JSC::Heap::deprecatedReportExtraMemorySlowCase):
850         (JSC::Heap::extraMemorySize):
851         (JSC::Heap::updateAllocationLimits):
852         (JSC::Heap::reportExtraMemoryVisited):
853         * runtime/SparseArrayValueMap.cpp:
854         (JSC::SparseArrayValueMap::add):
855
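        The saturating bookkeeping this entry describes, as an added illustration that is not JSC's code: the unchecked capacity delta that wraps on a shrink, beside a version that reports only real growth and saturates the counters instead of wrapping. ExtraMemoryAccounting and its methods are hypothetical names.

```cpp
// Added illustration of the bug class described above; not JSC's own code.
// Names (ExtraMemoryAccounting, reportCapacityGrowth, ...) are hypothetical.
#include <cstddef>
#include <limits>

namespace example {

constexpr size_t kSizeMax = std::numeric_limits<size_t>::max();

// Saturating arithmetic: a counter that is only zeroed at the next full GC
// must pin at SIZE_MAX rather than wrap, because a wrapped counter makes the
// heap look almost empty and delays the collection it should have triggered.
inline size_t saturatingAdd(size_t a, size_t b)
{
    if (b > kSizeMax - a)
        return kSizeMax;
    return a + b;
}

inline size_t saturatingMul(size_t a, size_t b)
{
    if (a != 0 && b > kSizeMax / a)
        return kSizeMax;
    return a * b;
}

// The unchecked delta: subtracting unsigned capacities wraps to a huge value
// when the container shrank, which is the underflow the entry describes.
inline size_t uncheckedCapacityDelta(size_t oldCapacity, size_t newCapacity)
{
    return newCapacity - oldCapacity;
}

struct ExtraMemoryAccounting {
    size_t extraMemorySize = 0;            // reported by precise clients
    size_t deprecatedExtraMemorySize = 0;  // reported by legacy clients
    size_t arrayBufferBytes = 0;           // bounded by real allocations

    // Report only real growth, in bytes, and saturate instead of wrapping.
    void reportCapacityGrowth(size_t oldCapacity, size_t newCapacity, size_t elementSize)
    {
        if (newCapacity <= oldCapacity)
            return; // a shrink is never "negative extra memory"
        size_t delta = saturatingMul(newCapacity - oldCapacity, elementSize);
        deprecatedExtraMemorySize = saturatingAdd(deprecatedExtraMemorySize, delta);
    }

    void reportExtraMemory(size_t bytes)
    {
        extraMemorySize = saturatingAdd(extraMemorySize, bytes);
    }

    // The three components summed with saturation, so the heap-size estimate
    // that drives collection scheduling can overshoot but never wrap.
    size_t extraMemoryTotal() const
    {
        return saturatingAdd(saturatingAdd(extraMemorySize, deprecatedExtraMemorySize),
                             arrayBufferBytes);
    }

    // Called at the start of a full GC, the only point where these reset.
    void resetForFullCollection()
    {
        extraMemorySize = 0;
        deprecatedExtraMemorySize = 0;
    }
};

// Constructed scenario mirroring the entry: a shrink, a growth, then a run of
// eden cycles reporting memory with no full GC in between.
inline size_t scenarioTotal()
{
    ExtraMemoryAccounting acct;
    acct.reportCapacityGrowth(8, 4, 16);  // shrink: ignored (would have wrapped)
    acct.reportCapacityGrowth(4, 8, 16);  // growth: +64 bytes
    for (int i = 0; i < 3; ++i)
        acct.reportExtraMemory(kSizeMax / 2);  // an unchecked counter would wrap on the 3rd add
    return acct.extraMemoryTotal();      // saturates at kSizeMax
}

} // namespace example
```
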
856 2017-04-03  Filip Pizlo  <fpizlo@apple.com>
857
858         Move the Liveness<> adapters from AirLiveness.h to AirLivenessAdapter.h.
859
860         Rubber stamped by Keith Miller.
861         
862         This will make it easier to write other code that uses those adapters.
863
864         * JavaScriptCore.xcodeproj/project.pbxproj:
865         * b3/air/AirLiveness.h:
866         (JSC::B3::Air::LivenessAdapter::LivenessAdapter): Deleted.
867         (JSC::B3::Air::LivenessAdapter::blockSize): Deleted.
868         (JSC::B3::Air::LivenessAdapter::forEachUse): Deleted.
869         (JSC::B3::Air::LivenessAdapter::forEachDef): Deleted.
870         (JSC::B3::Air::TmpLivenessAdapter::TmpLivenessAdapter): Deleted.
871         (JSC::B3::Air::TmpLivenessAdapter::numIndices): Deleted.
872         (JSC::B3::Air::TmpLivenessAdapter::acceptsBank): Deleted.
873         (JSC::B3::Air::TmpLivenessAdapter::acceptsRole): Deleted.
874         (JSC::B3::Air::TmpLivenessAdapter::valueToIndex): Deleted.
875         (JSC::B3::Air::TmpLivenessAdapter::indexToValue): Deleted.
876         (JSC::B3::Air::StackSlotLivenessAdapter::StackSlotLivenessAdapter): Deleted.
877         (JSC::B3::Air::StackSlotLivenessAdapter::numIndices): Deleted.
878         (JSC::B3::Air::StackSlotLivenessAdapter::acceptsBank): Deleted.
879         (JSC::B3::Air::StackSlotLivenessAdapter::acceptsRole): Deleted.
880         (JSC::B3::Air::StackSlotLivenessAdapter::valueToIndex): Deleted.
881         (JSC::B3::Air::StackSlotLivenessAdapter::indexToValue): Deleted.
882         * b3/air/AirLivenessAdapter.h: Added.
883         (JSC::B3::Air::LivenessAdapter::LivenessAdapter):
884         (JSC::B3::Air::LivenessAdapter::blockSize):
885         (JSC::B3::Air::LivenessAdapter::forEachUse):
886         (JSC::B3::Air::LivenessAdapter::forEachDef):
887         (JSC::B3::Air::TmpLivenessAdapter::TmpLivenessAdapter):
888         (JSC::B3::Air::TmpLivenessAdapter::numIndices):
889         (JSC::B3::Air::TmpLivenessAdapter::acceptsBank):
890         (JSC::B3::Air::TmpLivenessAdapter::acceptsRole):
891         (JSC::B3::Air::TmpLivenessAdapter::valueToIndex):
892         (JSC::B3::Air::TmpLivenessAdapter::indexToValue):
893         (JSC::B3::Air::StackSlotLivenessAdapter::StackSlotLivenessAdapter):
894         (JSC::B3::Air::StackSlotLivenessAdapter::numIndices):
895         (JSC::B3::Air::StackSlotLivenessAdapter::acceptsBank):
896         (JSC::B3::Air::StackSlotLivenessAdapter::acceptsRole):
897         (JSC::B3::Air::StackSlotLivenessAdapter::valueToIndex):
898         (JSC::B3::Air::StackSlotLivenessAdapter::indexToValue):
899
900 2017-04-03  Filip Pizlo  <fpizlo@apple.com>
901
902         WTF::Liveness should have an API that focuses on actions at instruction boundaries
903         https://bugs.webkit.org/show_bug.cgi?id=170407
904
905         Reviewed by Keith Miller.
906         
907         Adopt changes to the WTF::Liveness<> API. Instead of having separate functions for the
908         early/late versions of uses and defs, we now have just a use/def API. Those
909         automatically take care of early/late issues as needed.
910         
911         This reduces the API surface between WTF::Liveness<> and its clients, which makes it
912         easier to implement some other optimizations I'm thinking about.
913
914         * b3/B3VariableLiveness.h:
915         (JSC::B3::VariableLivenessAdapter::forEachUse):
916         (JSC::B3::VariableLivenessAdapter::forEachDef):
917         (JSC::B3::VariableLivenessAdapter::forEachEarlyUse): Deleted.
918         (JSC::B3::VariableLivenessAdapter::forEachLateUse): Deleted.
919         (JSC::B3::VariableLivenessAdapter::forEachEarlyDef): Deleted.
920         (JSC::B3::VariableLivenessAdapter::forEachLateDef): Deleted.
921         * b3/air/AirLiveness.h:
922         (JSC::B3::Air::LivenessAdapter::blockSize):
923         (JSC::B3::Air::LivenessAdapter::forEachUse):
924         (JSC::B3::Air::LivenessAdapter::forEachDef):
925         (JSC::B3::Air::LivenessAdapter::forEachEarlyUse): Deleted.
926         (JSC::B3::Air::LivenessAdapter::forEachLateUse): Deleted.
927         (JSC::B3::Air::LivenessAdapter::forEachEarlyDef): Deleted.
928         (JSC::B3::Air::LivenessAdapter::forEachLateDef): Deleted.
929
930 2017-04-03  Filip Pizlo  <fpizlo@apple.com>
931
932         Inst::forEachArg could compile to more compact code
933         https://bugs.webkit.org/show_bug.cgi?id=170406
934
935         Reviewed by Sam Weinig.
936         
937         Prior to this change, Inst::forEachArg compiled to a ginormous ALWAYS_INLINE switch statement.
938         It had one case for each opcode, and then each of those cases would have a switch statement over
939         the number of operands. Then the cases of that switch statement would have a sequence of calls to
940         the passed lambda. This meant that every user of forEachArg would generate an insane amount of
941         code. It also meant that the inlining achieved nothing, since the lambda would surely then not
942         be inlined - and if it was, then the icache pressure due to code bloat would surely negate any
943         benefits.
944         
945         This replaces that code with a loop over a compact look-up table. We use the opcode and number of
946         operands as keys into that look-up table. The table only takes about 20KB. It has one byte for
947         each argument in each overload of each opcode.
948         
949         I can't measure any reproducible change in performance, but the JavaScriptCore framework binary
950         shrinks by 2.7 MB. This is a 15% reduction in JavaScriptCore binary size.
951
952         * JavaScriptCore.xcodeproj/project.pbxproj:
953         * b3/B3Width.h:
954         * b3/air/AirCustom.h:
955         (JSC::B3::Air::PatchCustom::forEachArg):
956         * b3/air/AirFormTable.h: Added.
957         (JSC::B3::Air::decodeFormRole):
958         (JSC::B3::Air::decodeFormBank):
959         (JSC::B3::Air::decodeFormWidth):
960         * b3/air/AirInst.h:
961         * b3/air/opcode_generator.rb:
962
963 2017-04-03  Keith Miller  <keith_miller@apple.com>
964
965         WebAssembly: remove lastAllocatedMode from Memory
966         https://bugs.webkit.org/show_bug.cgi?id=170405
967
968         Reviewed by Mark Lam.
969
970         It's not used anymore so there isn't any point in keeping it around.
971
972         * wasm/WasmMemory.cpp:
973         (JSC::Wasm::Memory::createImpl):
974         (JSC::Wasm::Memory::lastAllocatedMode): Deleted.
975         * wasm/WasmMemory.h:
976
977 2017-04-03  Zan Dobersek  <zdobersek@igalia.com>
978
979         [jsc] Add patchableJumpSize() for MIPS
980         https://bugs.webkit.org/show_bug.cgi?id=169716
981
982         Reviewed by Yusuke Suzuki.
983
984         * assembler/MIPSAssembler.h:
985         (JSC::MIPSAssembler::patchableJumpSize): Added.
986         * assembler/MacroAssemblerMIPS.h:
987         (JSC::MacroAssemblerMIPS::patchableJumpSize): Added.
988
989 2017-04-03  Guillaume Emont  <guijemont@igalia.com>
990
991         [jsc] implement MIPSAssembler::relinkJumpToNop()
992         https://bugs.webkit.org/show_bug.cgi?id=169720
993
994         Reviewed by Yusuke Suzuki.
995
996         * assembler/MIPSAssembler.h:
997         (JSC::MIPSAssembler::relinkJumpToNop): Added.
998
999 2017-04-02  Carlos Garcia Campos  <cgarcia@igalia.com>
1000
1001         Share implementation of JSRunLoopTimer::timerDidFire
1002         https://bugs.webkit.org/show_bug.cgi?id=170392
1003
1004         Reviewed by Michael Catanzaro.
1005
1006         The code is cross-platform but it's duplicated in the CF and GLib implementations; it could be shared instead.
1007
1008         * runtime/JSRunLoopTimer.cpp:
1009         (JSC::JSRunLoopTimer::timerDidFire): Move common implementation here.
1010         (JSC::JSRunLoopTimer::setRunLoop): Use timerDidFireCallback.
1011         (JSC::JSRunLoopTimer::timerDidFireCallback): Call JSRunLoopTimer::timerDidFire().
1012         * runtime/JSRunLoopTimer.h:
1013
1014 2017-04-01  Oleksandr Skachkov  <gskachkov@gmail.com>
1015
1016         Object with numerical keys with gaps gets filled by NaN values
1017         https://bugs.webkit.org/show_bug.cgi?id=164412
1018
1019         Reviewed by Mark Lam.
1020
1021         This patch fixes an issue when an object has two properties
1022         with numeric names. The issue appears when, during invocation of
1023         convertDoubleToArrayStorage, the array is filled by pNaN and the
1024         method converts it to a real NaN. This happens because a
1025         pNaN in a Double array is a hole, and Double arrays cannot
1026         have NaN values. To fix the issue we need to check the value and
1027         clear it if it is pNaN.
1028
1029         * runtime/JSObject.cpp:
1030         (JSC::JSObject::convertDoubleToArrayStorage):
1031
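        The hole-versus-NaN confusion described above, as an added illustration that is not JSC's code: a double array whose holes are marked by a NaN bit pattern, a naive conversion that turns those holes into visible NaN elements, and the checked conversion that keeps them empty. DoubleArray, BoxedSlot and the helper names are hypothetical stand-ins for JSC's pNaN, butterfly and JSValue storage.

```cpp
// Added illustration of the hole/NaN confusion described above; not JSC's
// code. The hole marker, DoubleArray and BoxedSlot are hypothetical stand-ins
// for JSC's pNaN, ArrayWithDouble butterfly and JSValue storage.
#include <cmath>
#include <cstddef>
#include <limits>
#include <vector>

namespace example {

// In the double representation every stored value is a real, non-NaN double;
// the NaN bit pattern is reserved to mean "no element here" (a hole).
constexpr double kHole = std::numeric_limits<double>::quiet_NaN();
inline bool isHole(double d) { return d != d; }

struct DoubleArray {
    std::vector<double> slots;
    explicit DoubleArray(size_t length) : slots(length, kHole) {}

    // A NaN can never be stored as a value: it would be indistinguishable from
    // a hole. Returns false so the caller knows it must switch representation
    // (as the engine does by converting the array to a generic storage).
    bool store(size_t index, double value)
    {
        if (isHole(value))
            return false;
        slots[index] = value;
        return true;
    }
};

// Generic (boxed) storage: each slot is either empty or carries a value.
struct BoxedSlot {
    bool empty;
    double value;
};
using BoxedStorage = std::vector<BoxedSlot>;

// Buggy conversion: copies every slot as a value, so each hole surfaces to
// the program as a NaN element, which is the symptom the entry describes.
inline BoxedStorage convertNaive(const DoubleArray& a)
{
    BoxedStorage out;
    for (double d : a.slots)
        out.push_back(BoxedSlot{false, d});
    return out;
}

// Fixed conversion: a hole in the double representation stays a hole.
inline BoxedStorage convertChecked(const DoubleArray& a)
{
    BoxedStorage out;
    for (double d : a.slots) {
        if (isHole(d))
            out.push_back(BoxedSlot{true, 0.0});
        else
            out.push_back(BoxedSlot{false, d});
    }
    return out;
}

inline size_t countHoles(const BoxedStorage& s)
{
    size_t n = 0;
    for (const BoxedSlot& b : s)
        if (b.empty) ++n;
    return n;
}

inline size_t countNaNValues(const BoxedStorage& s)
{
    size_t n = 0;
    for (const BoxedSlot& b : s)
        if (!b.empty && std::isnan(b.value)) ++n;
    return n;
}

// Constructed sample: indices 0 and 3 hold values, the gaps are holes.
inline DoubleArray makeSample()
{
    DoubleArray a(5);
    a.store(0, 1.5);
    a.store(3, 2.5);
    return a;
}

} // namespace example
```
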
1032 2017-03-31  Saam Barati  <sbarati@apple.com>
1033
1034         WebAssembly: Make our calls out to JS PIC friendly
1035         https://bugs.webkit.org/show_bug.cgi?id=170261
1036
1037         Reviewed by Keith Miller.
1038
1039         This patch removes a direct call from the module to the Wasm to JS stub.
1040         Instead, we do an indirect call to the stub by loading the stub's executable
1041         address off of the CodeBlock. This is to make the code we emit comply with the
1042         requirements needed for PIC.
1043         
1044         Adding this indirection is not ideal. Although this patch is neutral on
1045         WasmBench, we really want to get back to a world where we have an IC
1046         call infrastructure. This patch is obviously a regression on some
1047         types of programs. I've filed this bug to make sure we implement a
1048         PIC compliant Wasm to JS call IC:
1049         https://bugs.webkit.org/show_bug.cgi?id=170375
1050
1051         * wasm/WasmB3IRGenerator.cpp:
1052         * wasm/WasmFormat.h:
1053         * wasm/WasmPlan.cpp:
1054         (JSC::Wasm::Plan::complete):
1055         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1056         (JSC::JSWebAssemblyCodeBlock::initialize):
1057         * wasm/js/JSWebAssemblyCodeBlock.h:
1058         (JSC::JSWebAssemblyCodeBlock::create):
1059         (JSC::JSWebAssemblyCodeBlock::offsetOfImportWasmToJSStub):
1060         (JSC::JSWebAssemblyCodeBlock::offsetOfCallees):
1061         (JSC::JSWebAssemblyCodeBlock::allocationSize):
1062         (JSC::JSWebAssemblyCodeBlock::importWasmToJSStub):
1063         * wasm/js/JSWebAssemblyInstance.cpp:
1064         (JSC::JSWebAssemblyInstance::addUnitializedCodeBlock):
1065         * wasm/js/JSWebAssemblyInstance.h:
1066         (JSC::JSWebAssemblyInstance::offsetOfCodeBlock):
1067
1068 2017-03-31  Keith Miller  <keith_miller@apple.com>
1069
1070         WebAssembly: webAssemblyB3OptimizationLevel should use defaultB3OptLevel by default
1071         https://bugs.webkit.org/show_bug.cgi?id=170378
1072
1073         Reviewed by Saam Barati.
1074
1075         * runtime/Options.h:
1076         * wasm/WasmB3IRGenerator.h:
1077
1078 2017-03-31  Keith Miller  <keith_miller@apple.com>
1079
1080         WebAssembly: Add compilation level option
1081         https://bugs.webkit.org/show_bug.cgi?id=170374
1082
1083         Reviewed by Mark Lam.
1084
1085         This patch adds an option, webAssemblyB3OptimizationLevel, which
1086         changes the optimization mode wasm passes to B3.
1087
1088         * runtime/Options.h:
1089         * wasm/WasmPlan.cpp:
1090         (JSC::Wasm::Plan::compileFunctions):
1091
1092 2017-03-31  Saam Barati  <sbarati@apple.com>
1093
1094         WebAssembly: Strip WasmParser and WasmFunctionParser from knowing about VM
1095         https://bugs.webkit.org/show_bug.cgi?id=170312
1096
1097         Reviewed by Mark Lam.
1098
1099         This is another step towards PIC-ifying Wasm. This patch removes
1100         the VM field that is no longer used.
1101
1102         * wasm/WasmB3IRGenerator.cpp:
1103         (JSC::Wasm::parseAndCompile):
1104         * wasm/WasmB3IRGenerator.h:
1105         * wasm/WasmFunctionParser.h:
1106         (JSC::Wasm::FunctionParser<Context>::FunctionParser):
1107         * wasm/WasmModuleParser.h:
1108         (JSC::Wasm::ModuleParser::ModuleParser):
1109         * wasm/WasmParser.h:
1110         (JSC::Wasm::Parser<SuccessType>::Parser):
1111         * wasm/WasmPlan.cpp:
1112         (JSC::Wasm::Plan::parseAndValidateModule):
1113         (JSC::Wasm::Plan::compileFunctions):
1114         * wasm/WasmValidate.cpp:
1115         (JSC::Wasm::validateFunction):
1116         * wasm/WasmValidate.h:
1117
1118 2017-03-31  Saam Barati  <sbarati@apple.com>
1119
1120         WebAssembly: Ref count Signature and SignatureInformation should not care about VM
1121         https://bugs.webkit.org/show_bug.cgi?id=170316
1122
1123         Reviewed by Keith Miller.
1124
1125         This is yet again another step towards PIC-ifying Wasm.
1126         Signature should be ref counted so we can tell when
1127         no code is holding onto a Signature. This makes it easy
1128         to free unused Signatures. Also, this patch rids SignatureInfo
1129         of any VM knowledge. Now, there is just a single SignatureInfo that
1130         lives in a process.
1131
1132         * runtime/VM.h:
1133         * wasm/WasmB3IRGenerator.cpp:
1134         (JSC::Wasm::createJSToWasmWrapper):
1135         (JSC::Wasm::parseAndCompile):
1136         * wasm/WasmB3IRGenerator.h:
1137         * wasm/WasmBinding.cpp:
1138         (JSC::Wasm::wasmToJs):
1139         * wasm/WasmCallingConvention.h:
1140         (JSC::Wasm::CallingConvention::loadArguments):
1141         * wasm/WasmFormat.h:
1142         * wasm/WasmFunctionParser.h:
1143         (JSC::Wasm::FunctionParser<Context>::FunctionParser):
1144         * wasm/WasmModuleParser.cpp:
1145         * wasm/WasmPlan.cpp:
1146         (JSC::Wasm::Plan::parseAndValidateModule):
1147         (JSC::Wasm::Plan::compileFunctions):
1148         (JSC::Wasm::Plan::complete):
1149         * wasm/WasmSignature.cpp:
1150         (JSC::Wasm::Signature::hash):
1151         (JSC::Wasm::Signature::tryCreate):
1152         (JSC::Wasm::SignatureInformation::SignatureInformation):
1153         (JSC::Wasm::SignatureInformation::singleton):
1154         (JSC::Wasm::SignatureInformation::adopt):
1155         (JSC::Wasm::SignatureInformation::get):
1156         (JSC::Wasm::SignatureInformation::tryCleanup):
1157         (JSC::Wasm::Signature::create): Deleted.
1158         (JSC::Wasm::Signature::createInvalid): Deleted.
1159         (JSC::Wasm::Signature::destroy): Deleted.
1160         (JSC::Wasm::SignatureInformation::~SignatureInformation): Deleted.
1161         * wasm/WasmSignature.h:
1162         (JSC::Wasm::Signature::allocatedSize):
1163         (JSC::Wasm::Signature::operator==):
1164         * wasm/WasmValidate.cpp:
1165         (JSC::Wasm::validateFunction):
1166         * wasm/WasmValidate.h:
1167         * wasm/js/JSWebAssemblyModule.cpp:
1168         (JSC::JSWebAssemblyModule::destroy):
1169         * wasm/js/WebAssemblyFunction.cpp:
1170         (JSC::callWebAssemblyFunction):
1171         * wasm/js/WebAssemblyFunction.h:
1172         * wasm/js/WebAssemblyModuleRecord.cpp:
1173         (JSC::WebAssemblyModuleRecord::link):
1174         (JSC::WebAssemblyModuleRecord::evaluate):
1175         * wasm/js/WebAssemblyWrapperFunction.cpp:
1176         (JSC::WebAssemblyWrapperFunction::create):
1177         * wasm/js/WebAssemblyWrapperFunction.h:
1178
1179 2017-03-31  Mark Lam  <mark.lam@apple.com>
1180
1181         Array.prototype.splice() should not be using JSArray::tryCreateForInitializationPrivate().
1182         https://bugs.webkit.org/show_bug.cgi?id=170303
1183         <rdar://problem/31358281>
1184
1185         Reviewed by Filip Pizlo.
1186
1187         This is because it needs to call getProperty() later to get the values for
1188         initializing the array.  getProperty() can execute arbitrary code and potentially
1189         trigger the GC.  This is not allowed for clients of JSArray::tryCreateForInitializationPrivate().
1190
1191         * runtime/ArrayPrototype.cpp:
1192         (JSC::arrayProtoFuncSplice):
1193         (JSC::copySplicedArrayElements): Deleted.
1194
1195 2017-03-31  Oleksandr Skachkov  <gskachkov@gmail.com>
1196
1197         String.prototype.replace incorrectly applies "special replacement parameters" when passed a function
1198         https://bugs.webkit.org/show_bug.cgi?id=170151
1199
1200         Reviewed by Saam Barati.
1201
1202         This patch fixes an issue for String.prototype.replace when passed a function
1203         with the special symbols "$$". It happens because substituteBackreferences is applied
1204         unconditionally, but according to the spec it should be applied only for text
1205         (21.1.3.16.8, https://tc39.github.io/ecma262/#sec-string.prototype.replace).
1206
1207         * runtime/StringPrototype.cpp:
1208         (JSC::replaceUsingStringSearch):
1209
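        The spec behaviour this entry relies on, as an added illustration that is not JSC's code: GetSubstitution expands "$$", "$&", "$`", "$'" and "$n" only for a string replaceValue, while a function's return value is spliced in verbatim; the applyToFunctionResult flag reproduces the pre-fix behaviour. MatchInfo, getSubstitution and replaceFirst are hypothetical names.

```cpp
// Added illustration of the spec point above; not JSC's code. MatchInfo,
// getSubstitution and replaceFirst are hypothetical stand-ins for JSC's
// substituteBackreferences / replaceUsingStringSearch.
#include <cstddef>
#include <string>
#include <vector>

namespace example {

struct MatchInfo {
    std::string input;                 // the whole subject string
    size_t position;                   // where the match starts
    std::string matched;               // the matched substring
    std::vector<std::string> captures; // $1..$9 (single digits only here)
};

// ECMA-262 GetSubstitution: expands $$, $&, $`, $' and $n in a string
// replaceValue. An unrecognised "$" sequence is copied through literally.
inline std::string getSubstitution(const std::string& templ, const MatchInfo& m)
{
    std::string out;
    for (size_t i = 0; i < templ.size(); ++i) {
        char c = templ[i];
        if (c != '$' || i + 1 == templ.size()) {
            out += c;
            continue;
        }
        char next = templ[i + 1];
        if (next == '$') { out += '$'; ++i; }
        else if (next == '&') { out += m.matched; ++i; }
        else if (next == '`') { out += m.input.substr(0, m.position); ++i; }
        else if (next == '\'') { out += m.input.substr(m.position + m.matched.size()); ++i; }
        else if (next >= '1' && next <= '9'
                 && static_cast<size_t>(next - '1') < m.captures.size()) {
            out += m.captures[next - '1'];
            ++i;
        }
        else out += c; // "$" followed by anything else is literal
    }
    return out;
}

using ReplaceFn = std::string (*)(const MatchInfo&);

// Replaces the first occurrence of a plain-string pattern. Per the spec, only a
// string replaceValue goes through GetSubstitution; a function's return value
// is spliced in verbatim. applyToFunctionResult reproduces the pre-fix bug.
inline std::string replaceFirst(const std::string& input, const std::string& pattern,
                                const std::string& templ, ReplaceFn fn = nullptr,
                                bool applyToFunctionResult = false)
{
    size_t pos = input.find(pattern);
    if (pos == std::string::npos)
        return input;
    MatchInfo m{input, pos, pattern, {}};
    std::string replacement = fn ? fn(m) : templ;
    if (!fn || applyToFunctionResult)
        replacement = getSubstitution(replacement, m);
    return input.substr(0, pos) + replacement + input.substr(pos + pattern.size());
}

// A replacer function whose return value happens to contain "$$".
inline std::string priceReplacer(const MatchInfo&) { return "$$5"; }

} // namespace example
```
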
1210 2017-03-30  Saam Barati  <sbarati@apple.com>
1211
1212         WebAssembly: When Wasm calls to C, it should use Wasm::Context* instead of ExecState* to get VM
1213         https://bugs.webkit.org/show_bug.cgi?id=170185
1214
1215         Reviewed by Michael Saboff.
1216
1217         This is one more step in the direction of PIC-ified Wasm.
1218         When we lift WasmCallee above VM, we will no longer be
1219         able to get VM from ExecState*. This patch ensures that
1220         we don't do that from within the Wasm runtime. Instead,
1221         we use the Wasm::Context* to get the VM.
1222
1223         This patch also adds a new class, Wasm::Thunks. There
1224         is a single Wasm::Thunks that lives in the process. It
1225         is responsible for generating a thunk that Wasm relies on.
1226         The only such thunk right now is the exception throwing
1227         thunk.
1228
1229         This patch also rids WasmFaultSignalHandler from any knowledge
1230         of VM. Previously, it relied on VM to get the exception handling
1231         thunk.
1232
1233         The only part of the Wasm runtime that will be allowed
1234         to get VM& from ExecState will be WasmBinding. In the
1235         future, we plan to keep the calls out to JS to keep
1236         a JSCell as the callee.
1237
1238         * JavaScriptCore.xcodeproj/project.pbxproj:
1239         * dfg/DFGOSREntry.cpp:
1240         (JSC::DFG::prepareOSREntry):
1241         * ftl/FTLOSRExitCompiler.cpp:
1242         (JSC::FTL::compileStub):
1243         * interpreter/Interpreter.cpp:
1244         (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1245         * jit/AssemblyHelpers.cpp:
1246         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
1247         (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBufferImpl):
1248         * jit/AssemblyHelpers.h:
1249         (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1250         * jit/ThunkGenerators.cpp:
1251         (JSC::throwExceptionFromWasmThunkGenerator): Deleted.
1252         * jit/ThunkGenerators.h:
1253         * runtime/InitializeThreading.cpp:
1254         (JSC::initializeThreading):
1255         * runtime/VM.cpp:
1256         (JSC::VM::VM):
1257         (JSC::VM::getAllCalleeSaveRegisterOffsets):
1258         * runtime/VM.h:
1259         (JSC::VM::topVMEntryFrameOffset):
1260         (JSC::VM::getAllCalleeSaveRegisterOffsets): Deleted.
1261         * wasm/WasmB3IRGenerator.cpp:
1262         (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
1263         * wasm/WasmFaultSignalHandler.cpp:
1264         (JSC::Wasm::trapHandler):
1265         * wasm/WasmMemory.cpp:
1266         (JSC::Wasm::tryGetFastMemory):
1267         * wasm/WasmThunks.cpp: Added.
1268         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1269         (JSC::Wasm::Thunks::initialize):
1270         (JSC::Wasm::Thunks::singleton):
1271         (JSC::Wasm::Thunks::stub):
1272         (JSC::Wasm::Thunks::existingStub):
1273         * wasm/WasmThunks.h: Added.
1274         * wasm/js/JSWebAssemblyInstance.cpp:
1275         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
1276         * wasm/js/JSWebAssemblyInstance.h:
1277         (JSC::JSWebAssemblyInstance::offsetOfVM):
1278         * wasm/js/JSWebAssemblyMemory.cpp:
1279         (JSC::JSWebAssemblyMemory::grow):
1280         * wasm/js/JSWebAssemblyMemory.h:
1281         * wasm/js/WebAssemblyMemoryPrototype.cpp:
1282         (JSC::webAssemblyMemoryProtoFuncGrow):
1283
1284 2017-03-30  Mark Lam  <mark.lam@apple.com>
1285
1286         IntlObject should not be using JSArray::initializeIndex().
1287         https://bugs.webkit.org/show_bug.cgi?id=170302
1288         <rdar://problem/31356918>
1289
1290         Reviewed by Saam Barati.
1291
1292         JSArray::initializeIndex() is only meant to be used with arrays created using
1293         JSArray::tryCreateForInitializationPrivate() under very constrained conditions.
1294
1295         * runtime/IntlObject.cpp:
1296         (JSC::canonicalizeLocaleList):
1297         (JSC::intlObjectFuncGetCanonicalLocales):
1298
1299 2017-03-30  Filip Pizlo  <fpizlo@apple.com>
1300
1301         Air should support linear scan for optLevel<2
1302         https://bugs.webkit.org/show_bug.cgi?id=170161
1303
1304         Reviewed by Saam Barati.
1305         
1306         This changes the default opt level of B3 to 2. It makes the other opt levels useful by adding a
1307         new register allocator. This new linear scan allocator will produce significantly worse code.
1308         But it will produce that code a lot faster than IRC or Briggs.
1309         
1310         The opt levels are:
1311             0: no optimizations, linear scan
1312             1: some optimizations, linear scan
1313             2: full optimizations, graph coloring (IRC or Briggs based on CPU)
1314         
1315         What we used to call optLevel=1 is now called optLevel=2, or better yet,
1316         optLevel=B3::defaultOptLevel(). We no longer have anything like the old optLevel=0 (which did no
1317         optimizations but ran graph coloring).
1318         
1319         allocateRegistersByLinearScan() faithfully implements Massimiliano Poletto and Vivek Sarkar's
1320         famous algorithm. It uses the variant that handles clobbered registers by avoiding assigning
1321         ranges to those registers if the range overlaps a clobber. It's engineered to allocate registers
1322         very quickly and generate inefficient code without falling off a cliff.
1323         
1324         The new optLevel=1 speeds up B3 by a factor of 2, and results in an 80% throughput regression.
1325         Linear scan runs 4.7x faster than graph coloring on average.
1326
1327         * CMakeLists.txt:
1328         * JavaScriptCore.xcodeproj/project.pbxproj:
1329         * b3/B3BasicBlockUtils.h:
1330         (JSC::B3::blocksInPreOrder):
1331         (JSC::B3::blocksInPostOrder):
1332         * b3/B3BlockWorklist.h:
1333         * b3/B3CFG.h:
1334         (JSC::B3::CFG::newMap):
1335         * b3/B3Common.h:
1336         (JSC::B3::defaultOptLevel):
1337         * b3/B3Compile.h:
1338         * b3/B3DuplicateTails.cpp:
1339         * b3/B3EliminateCommonSubexpressions.cpp:
1340         * b3/B3FixSSA.cpp:
1341         (JSC::B3::demoteValues):
1342         (JSC::B3::fixSSA):
1343         * b3/B3FixSSA.h:
1344         * b3/B3Generate.cpp:
1345         (JSC::B3::prepareForGeneration):
1346         (JSC::B3::generateToAir):
1347         * b3/B3Generate.h:
1348         * b3/B3HeapRange.cpp: Removed.
1349         * b3/B3HeapRange.h:
1350         (JSC::B3::HeapRange::HeapRange): Deleted.
1351         (JSC::B3::HeapRange::top): Deleted.
1352         (JSC::B3::HeapRange::operator==): Deleted.
1353         (JSC::B3::HeapRange::operator!=): Deleted.
1354         (JSC::B3::HeapRange::operator|): Deleted.
1355         (JSC::B3::HeapRange::operator bool): Deleted.
1356         (JSC::B3::HeapRange::begin): Deleted.
1357         (JSC::B3::HeapRange::end): Deleted.
1358         (JSC::B3::HeapRange::overlaps): Deleted.
1359         * b3/B3LowerToAir.cpp:
1360         * b3/B3MoveConstants.cpp:
1361         * b3/B3PhiChildren.h:
1362         * b3/B3Procedure.cpp:
1363         (JSC::B3::Procedure::dump):
1364         (JSC::B3::Procedure::deleteOrphans):
1365         (JSC::B3::Procedure::setBlockOrderImpl):
1366         * b3/B3ReduceDoubleToFloat.cpp:
1367         * b3/B3ReduceStrength.cpp:
1368         * b3/B3SSACalculator.h:
1369         * b3/B3UseCounts.h:
1370         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
1371         * b3/air/AirAllocateRegistersByLinearScan.cpp: Added.
1372         (JSC::B3::Air::allocateRegistersByLinearScan):
1373         * b3/air/AirAllocateRegistersByLinearScan.h: Added.
1374         * b3/air/AirAllocateStack.cpp:
1375         (JSC::B3::Air::allocateStack):
1376         * b3/air/AirArg.cpp:
1377         (WTF::printInternal):
1378         * b3/air/AirArg.h:
1379         (JSC::B3::Air::Arg::activeAt):
1380         (JSC::B3::Air::Arg::timing):
1381         (JSC::B3::Air::Arg::forEachPhase):
1382         * b3/air/AirBasicBlock.h:
1383         * b3/air/AirBlockWorklist.h:
1384         * b3/air/AirCFG.h:
1385         (JSC::B3::Air::CFG::newMap):
1386         * b3/air/AirEliminateDeadCode.cpp:
1387         (JSC::B3::Air::eliminateDeadCode):
1388         * b3/air/AirFixObviousSpills.cpp:
1389         * b3/air/AirFixPartialRegisterStalls.cpp:
1390         (JSC::B3::Air::fixPartialRegisterStalls):
1391         * b3/air/AirFixSpillsAfterTerminals.cpp: Added.
1392         (JSC::B3::Air::fixSpillsAfterTerminals):
1393         * b3/air/AirFixSpillsAfterTerminals.h: Added.
1394         * b3/air/AirGenerate.cpp:
1395         (JSC::B3::Air::prepareForGeneration):
1396         (JSC::B3::Air::generate):
1397         * b3/air/AirGenerate.h:
1398         * b3/air/AirGenerationContext.h:
1399         * b3/air/AirInsertionSet.h:
1400         * b3/air/AirInst.cpp:
1401         (JSC::B3::Air::Inst::needsPadding):
1402         * b3/air/AirLowerAfterRegAlloc.cpp:
1403         (JSC::B3::Air::lowerAfterRegAlloc):
1404         * b3/air/AirLowerEntrySwitch.cpp:
1405         (JSC::B3::Air::lowerEntrySwitch):
1406         * b3/air/AirOpcode.opcodes:
1407         * b3/air/AirPhaseInsertionSet.cpp: Added.
1408         (JSC::B3::Air::PhaseInsertionSet::execute):
1409         * b3/air/AirPhaseInsertionSet.h: Added.
1410         (JSC::B3::Air::PhaseInsertion::PhaseInsertion):
1411         (JSC::B3::Air::PhaseInsertion::phase):
1412         (JSC::B3::Air::PhaseInsertion::operator<):
1413         (JSC::B3::Air::PhaseInsertionSet::PhaseInsertionSet):
1414         (JSC::B3::Air::PhaseInsertionSet::appendInsertion):
1415         (JSC::B3::Air::PhaseInsertionSet::insertInst):
1416         (JSC::B3::Air::PhaseInsertionSet::insert):
1417         * b3/air/AirRegLiveness.h:
1418         (JSC::B3::Air::RegLiveness::LocalCalc::LocalCalc):
1419         * b3/air/AirSpillEverything.cpp:
1420         (JSC::B3::Air::spillEverything):
1421         * b3/air/AirTmp.cpp:
1422         * b3/air/AirTmp.h:
1423         (JSC::B3::Air::Tmp::tmpForIndex):
1424         * b3/air/AirTmpInlines.h:
1425         (JSC::B3::Air::Tmp::Indexed::Indexed):
1426         (JSC::B3::Air::Tmp::Indexed::index):
1427         (JSC::B3::Air::Tmp::AbsolutelyIndexed::AbsolutelyIndexed):
1428         (JSC::B3::Air::Tmp::AbsolutelyIndexed::index):
1429         (JSC::B3::Air::Tmp::indexed):
1430         (JSC::B3::Air::Tmp::absolutelyIndexed):
1431         (JSC::B3::Air::Tmp::tmpForAbsoluteIndex):
1432         * b3/testb3.cpp:
1433         (JSC::B3::compile):
1434         (JSC::B3::testMulLoadTwice):
1435         * jit/RegisterSet.h:
1436         (JSC::RegisterSet::add):
1437         (JSC::RegisterSet::remove):
1438         * runtime/Options.h:
1439         * wasm/WasmB3IRGenerator.h:
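
The entry above describes the Poletto/Sarkar linear scan variant that never hands a range a register which is clobbered while that range is live. What follows is an added illustration written for this page, not JavaScriptCore's AirAllocateRegistersByLinearScan.cpp: live ranges, clobber points, register numbers and the sample input are all constructed here, and a range that gets no register is simply marked spilled (reg == -1) instead of being rewritten to stack slots.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// A live range of one temporary over instruction indices [start, end).
struct LiveRange {
    std::string tmp;
    unsigned start;
    unsigned end;
    int reg = -1; // assigned register number, or -1 when spilled to the stack
};

// A register destroyed at one instruction index (e.g. caller-save across a call).
struct Clobber {
    unsigned index;
    int reg;
};

// True if register reg is clobbered somewhere inside range's [start, end).
static bool rangeOverlapsClobber(const LiveRange& range, int reg, const std::vector<Clobber>& clobbers)
{
    for (const Clobber& c : clobbers) {
        if (c.reg == reg && c.index >= range.start && c.index < range.end)
            return true;
    }
    return false;
}

// Poletto/Sarkar linear scan over ranges sorted by start point. Returns the
// input ranges, in their original order, with reg filled in.
std::vector<LiveRange> linearScan(std::vector<LiveRange> ranges, unsigned numRegs, const std::vector<Clobber>& clobbers)
{
    std::vector<size_t> order(ranges.size());
    for (size_t i = 0; i < order.size(); ++i)
        order[i] = i;
    std::sort(order.begin(), order.end(), [&](size_t a, size_t b) { return ranges[a].start < ranges[b].start; });

    std::set<int> freeRegs;
    for (unsigned r = 0; r < numRegs; ++r)
        freeRegs.insert(static_cast<int>(r));

    std::vector<size_t> active; // indices into ranges that currently hold a register

    for (size_t i : order) {
        LiveRange& current = ranges[i];

        // Expire: an active range that ended at or before current.start gives its register back.
        for (auto it = active.begin(); it != active.end();) {
            if (ranges[*it].end <= current.start) {
                freeRegs.insert(ranges[*it].reg);
                it = active.erase(it);
            } else
                ++it;
        }

        // Take the lowest free register that is not clobbered while current is live.
        int chosen = -1;
        for (int r : freeRegs) {
            if (!rangeOverlapsClobber(current, r, clobbers)) {
                chosen = r;
                break;
            }
        }
        if (chosen != -1) {
            freeRegs.erase(chosen);
            current.reg = chosen;
            active.push_back(i);
            continue;
        }

        // No usable free register: spill whichever of current and the active
        // ranges ends last, but only steal a register that current may use.
        bool haveVictim = false;
        size_t victim = 0;
        for (size_t a : active) {
            if (rangeOverlapsClobber(current, ranges[a].reg, clobbers))
                continue;
            if (!haveVictim || ranges[a].end > ranges[victim].end) {
                haveVictim = true;
                victim = a;
            }
        }
        if (haveVictim && ranges[victim].end > current.end) {
            current.reg = ranges[victim].reg;
            ranges[victim].reg = -1;
            active.erase(std::find(active.begin(), active.end(), victim));
            active.push_back(i);
        }
        // Otherwise current itself stays spilled (reg == -1).
    }
    return ranges;
}

// Constructed sample: two registers, and a call at instruction 3 that clobbers r0.
std::vector<LiveRange> sampleAllocation()
{
    std::vector<LiveRange> ranges = {
        { "a", 0, 4 },
        { "b", 1, 3 },
        { "c", 2, 6 },
        { "d", 5, 7 },
    };
    std::vector<Clobber> clobbers = { { 3, 0 } };
    return linearScan(ranges, 2, clobbers);
}

int main()
{
    for (const LiveRange& r : sampleAllocation()) {
        if (r.reg < 0)
            std::printf("%s [%u,%u) -> spilled\n", r.tmp.c_str(), r.start, r.end);
        else
            std::printf("%s [%u,%u) -> r%d\n", r.tmp.c_str(), r.start, r.end, r.reg);
    }
    return 0;
}
```

In the sample, "a" is live across the call at instruction 3, so it cannot take r0 and gets r1; "b" ends before the call and takes r0; "c" finds no free register and cannot steal r1 from "a" because "a" ends first, so "c" is spilled; "d" starts after both have expired and gets r0 back. The allocation is deliberately worse than what graph coloring would find, which is the trade the entry describes.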
1440
1441 2017-03-30  Youenn Fablet  <youenn@apple.com>
1442
1443         Clean up RTCDataChannel
1444         https://bugs.webkit.org/show_bug.cgi?id=169732
1445
1446         Reviewed by Chris Dumez.
1447
1448         * runtime/CommonIdentifiers.h: Adding RTCDataChannelEvent.
1449
1450 2017-03-30  Saam Barati  <sbarati@apple.com>
1451
1452         WebAssembly: pass Wasm::Context* to vmEntryToWasm when not using fast TLS
1453         https://bugs.webkit.org/show_bug.cgi?id=170182
1454
1455         Reviewed by Mark Lam.
1456
1457         This is one more step in the direction of PIC-ified Wasm.
1458         I'm removing assumptions that a wasm callee is a cell. We used to use
1459         the callee to get the WasmContext off the callee's VM. Instead,
1460         this patch makes it so that we pass in the context as a parameter
1461         to the JS entrypoint.
1462
1463         * heap/MarkedBlock.h:
1464         (JSC::MarkedBlock::offsetOfVM): Deleted.
1465         * jit/AssemblyHelpers.cpp:
1466         (JSC::AssemblyHelpers::loadWasmContext):
1467         (JSC::AssemblyHelpers::storeWasmContext):
1468         (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister):
1469         (JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister):
1470         * jsc.cpp:
1471         (functionTestWasmModuleFunctions):
1472         * runtime/VM.h:
1473         (JSC::VM::wasmContextOffset): Deleted.
1474         * wasm/WasmB3IRGenerator.cpp:
1475         (JSC::Wasm::B3IRGenerator::materializeWasmContext):
1476         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
1477         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1478         (JSC::Wasm::createJSToWasmWrapper):
1479         * wasm/WasmContext.cpp:
1480         (JSC::Wasm::loadContext):
1481         (JSC::Wasm::storeContext):
1482         (JSC::loadWasmContext): Deleted.
1483         (JSC::storeWasmContext): Deleted.
1484         * wasm/WasmContext.h:
1485         (JSC::Wasm::useFastTLS):
1486         (JSC::Wasm::useFastTLSForContext):
1487         * wasm/WasmMemoryInformation.cpp:
1488         (JSC::Wasm::PinnedRegisterInfo::get):
1489         * wasm/WasmMemoryInformation.h:
1490         (JSC::Wasm::useFastTLS): Deleted.
1491         (JSC::Wasm::useFastTLSForWasmContext): Deleted.
1492         * wasm/js/WebAssemblyFunction.cpp:
1493         (JSC::callWebAssemblyFunction):
1494
1495 2017-03-30  JF Bastien  <jfbastien@apple.com>
1496
1497         WebAssembly: fix misc JS API implementation inconsistencies
1498         https://bugs.webkit.org/show_bug.cgi?id=170187
1499
1500         Reviewed by Keith Miller.
1501
1502         Auto-generate lookup tables.
1503         Methods should be on prototype.
1504         Exception returns should be idiomatic.
1505
1506         * wasm/JSWebAssembly.cpp: validate / compile / instantiate should
1507         be on the prototype
1508         (JSC::JSWebAssembly::create):
1509         (JSC::JSWebAssembly::finishCreation):
1510         (JSC::reject): Deleted.
1511         (JSC::webAssemblyCompileFunc): Deleted.
1512         (JSC::resolve): Deleted.
1513         (JSC::instantiate): Deleted.
1514         (JSC::compileAndInstantiate): Deleted.
1515         (JSC::webAssemblyInstantiateFunc): Deleted.
1516         (JSC::webAssemblyValidateFunc): Deleted.
1517         * wasm/JSWebAssembly.h:
1518         * wasm/js/WebAssemblyMemoryPrototype.cpp: move from JSWebAssembly.cpp
1519         (JSC::webAssemblyMemoryProtoFuncBuffer):
1520         (JSC::WebAssemblyMemoryPrototype::create):
1521         (JSC::WebAssemblyMemoryPrototype::finishCreation):
1522         * wasm/js/WebAssemblyMemoryPrototype.h:
1523         * wasm/js/WebAssemblyPrototype.cpp:
1524         (JSC::reject):
1525         (JSC::webAssemblyCompileFunc):
1526         (JSC::resolve):
1527         (JSC::instantiate):
1528         (JSC::compileAndInstantiate):
1529         (JSC::webAssemblyInstantiateFunc):
1530         (JSC::webAssemblyValidateFunc):
1531         (JSC::webAssemblyFunctionValidate): Deleted.
1532         (JSC::webAssemblyFunctionCompile): Deleted.
1533         * wasm/js/WebAssemblyTablePrototype.cpp:
1534         (JSC::webAssemblyTableProtoFuncGrow):
1535         (JSC::webAssemblyTableProtoFuncGet):
1536         (JSC::webAssemblyTableProtoFuncSet):
1537         (JSC::WebAssemblyTablePrototype::create):
1538         (JSC::WebAssemblyTablePrototype::finishCreation):
1539         * wasm/js/WebAssemblyTablePrototype.h:
1540
1541 2017-03-29  Keith Miller  <keith_miller@apple.com>
1542
1543         Unreviewed, fix the build, again. Hopefully for the last time, again!
1544
1545         * runtime/Options.cpp:
1546
1547 2017-03-29  Keith Miller  <keith_miller@apple.com>
1548
1549         Unreviewed, fix the build, again. Hopefully for the last time!
1550
1551         * runtime/Options.cpp:
1552         (JSC::parse):
1553
1554 2017-03-29  Keith Miller  <keith_miller@apple.com>
1555
1556         Unreviewed, windows build fix.
1557
1558         * runtime/Options.cpp:
1559         (JSC::parse):
1560
1561 2017-03-29  Keith Miller  <keith_miller@apple.com>
1562
1563         WebAssembly: B3IRGenerator should pool constants
1564         https://bugs.webkit.org/show_bug.cgi?id=170266
1565
1566         Reviewed by Filip Pizlo.
1567
1568         This patch adds a HashMap to B3IRGenerator that contains all the constants used in a function.
1569         B3IRGenerator then uses an InsertionSet to add all those constants to the root BB. This doesn't
1570         appear to be a compile time improvement but it could be valuable in the future.
1571
1572         * b3/B3Opcode.h:
1573         (JSC::B3::opcodeForConstant):
1574         * b3/B3Procedure.cpp:
1575         (JSC::B3::Procedure::addConstant):
1576         * b3/B3Procedure.h:
1577         * wasm/WasmB3IRGenerator.cpp:
1578         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1579         (JSC::Wasm::B3IRGenerator::constant):
1580         (JSC::Wasm::B3IRGenerator::insertConstants):
1581         (JSC::Wasm::B3IRGenerator::addConstant):
1582         (JSC::Wasm::B3IRGenerator::dump):
1583         (JSC::Wasm::parseAndCompile):
1584         (JSC::Wasm::B3IRGenerator::emitChecksForModOrDiv):
1585         (JSC::Wasm::B3IRGenerator::zeroForType): Deleted.
1586         * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
1587         (generateConstCode):
1588
1589 2017-03-29  Saam Barati  <sbarati@apple.com>
1590
1591         LinkBuffer and ExecutableAllocator shouldn't have anything to do with VM
1592         https://bugs.webkit.org/show_bug.cgi?id=170210
1593
1594         Reviewed by Mark Lam.
1595
1596         This is one more step in the direction of PIC-ified Wasm.
1597         LinkBuffer and ExecutableAllocator have no business knowing about VM.
1598
1599         * assembler/LinkBuffer.cpp:
1600         (JSC::LinkBuffer::allocate):
1601         * assembler/LinkBuffer.h:
1602         (JSC::LinkBuffer::LinkBuffer):
1603         (JSC::LinkBuffer::vm): Deleted.
1604         * b3/B3Compile.cpp:
1605         (JSC::B3::compile):
1606         * b3/B3Compile.h:
1607         * b3/air/testair.cpp:
1608         * b3/testb3.cpp:
1609         (JSC::B3::compileProc):
1610         (JSC::B3::compileAndRun):
1611         (JSC::B3::testLoadAcq42):
1612         (JSC::B3::testAddArgZeroImmZDef):
1613         (JSC::B3::testAddLoadTwice):
1614         (JSC::B3::testMulLoadTwice):
1615         (JSC::B3::testMulAddArgsLeft):
1616         (JSC::B3::testMulAddArgsRight):
1617         (JSC::B3::testMulAddArgsLeft32):
1618         (JSC::B3::testMulAddArgsRight32):
1619         (JSC::B3::testMulSubArgsLeft):
1620         (JSC::B3::testMulSubArgsRight):
1621         (JSC::B3::testMulSubArgsLeft32):
1622         (JSC::B3::testMulSubArgsRight32):
1623         (JSC::B3::testMulNegArgs):
1624         (JSC::B3::testMulNegArgs32):
1625         (JSC::B3::testCompareFloatToDoubleThroughPhi):
1626         (JSC::B3::testDoubleToFloatThroughPhi):
1627         (JSC::B3::testReduceFloatToDoubleValidates):
1628         (JSC::B3::testDoubleProducerPhiToFloatConversion):
1629         (JSC::B3::testDoubleProducerPhiToFloatConversionWithDoubleConsumer):
1630         (JSC::B3::testDoubleProducerPhiWithNonFloatConst):
1631         (JSC::B3::testIToD64Arg):
1632         (JSC::B3::testIToF64Arg):
1633         (JSC::B3::testIToD32Arg):
1634         (JSC::B3::testIToF32Arg):
1635         (JSC::B3::testIToD64Mem):
1636         (JSC::B3::testIToF64Mem):
1637         (JSC::B3::testIToD32Mem):
1638         (JSC::B3::testIToF32Mem):
1639         (JSC::B3::testIToDReducedToIToF64Arg):
1640         (JSC::B3::testIToDReducedToIToF32Arg):
1641         (JSC::B3::testStoreRelAddLoadAcq32):
1642         (JSC::B3::testStoreRelAddLoadAcq8):
1643         (JSC::B3::testStoreRelAddFenceLoadAcq8):
1644         (JSC::B3::testStoreRelAddLoadAcq16):
1645         (JSC::B3::testStoreRelAddLoadAcq64):
1646         (JSC::B3::testBranch):
1647         (JSC::B3::testBranchPtr):
1648         (JSC::B3::testDiamond):
1649         (JSC::B3::testBranchNotEqual):
1650         (JSC::B3::testBranchNotEqualCommute):
1651         (JSC::B3::testBranchNotEqualNotEqual):
1652         (JSC::B3::testBranchEqual):
1653         (JSC::B3::testBranchEqualEqual):
1654         (JSC::B3::testBranchEqualCommute):
1655         (JSC::B3::testBranchEqualEqual1):
1656         (JSC::B3::testBranchLoadPtr):
1657         (JSC::B3::testBranchLoad32):
1658         (JSC::B3::testBranchLoad8S):
1659         (JSC::B3::testBranchLoad8Z):
1660         (JSC::B3::testBranchLoad16S):
1661         (JSC::B3::testBranchLoad16Z):
1662         (JSC::B3::testBranch8WithLoad8ZIndex):
1663         (JSC::B3::testComplex):
1664         (JSC::B3::testSimpleCheck):
1665         (JSC::B3::testCheckFalse):
1666         (JSC::B3::testCheckTrue):
1667         (JSC::B3::testCheckLessThan):
1668         (JSC::B3::testCheckMegaCombo):
1669         (JSC::B3::testCheckTrickyMegaCombo):
1670         (JSC::B3::testCheckTwoMegaCombos):
1671         (JSC::B3::testCheckTwoNonRedundantMegaCombos):
1672         (JSC::B3::testCheckAddImm):
1673         (JSC::B3::testCheckAddImmCommute):
1674         (JSC::B3::testCheckAddImmSomeRegister):
1675         (JSC::B3::testCheckAdd):
1676         (JSC::B3::testCheckAdd64):
1677         (JSC::B3::testCheckAddFold):
1678         (JSC::B3::testCheckAddFoldFail):
1679         (JSC::B3::testCheckAddSelfOverflow64):
1680         (JSC::B3::testCheckAddSelfOverflow32):
1681         (JSC::B3::testCheckSubImm):
1682         (JSC::B3::testCheckSubBadImm):
1683         (JSC::B3::testCheckSub):
1684         (JSC::B3::testCheckSub64):
1685         (JSC::B3::testCheckSubFold):
1686         (JSC::B3::testCheckSubFoldFail):
1687         (JSC::B3::testCheckNeg):
1688         (JSC::B3::testCheckNeg64):
1689         (JSC::B3::testCheckMul):
1690         (JSC::B3::testCheckMulMemory):
1691         (JSC::B3::testCheckMul2):
1692         (JSC::B3::testCheckMul64):
1693         (JSC::B3::testCheckMulFold):
1694         (JSC::B3::testCheckMulFoldFail):
1695         (JSC::B3::testCheckMul64SShr):
1696         (JSC::B3::testSwitch):
1697         (JSC::B3::testSwitchChillDiv):
1698         (JSC::B3::testSwitchTargettingSameBlock):
1699         (JSC::B3::testSwitchTargettingSameBlockFoldPathConstant):
1700         (JSC::B3::testBasicSelect):
1701         (JSC::B3::testSelectTest):
1702         (JSC::B3::testSelectCompareDouble):
1703         (JSC::B3::testSelectDouble):
1704         (JSC::B3::testSelectDoubleTest):
1705         (JSC::B3::testSelectDoubleCompareDouble):
1706         (JSC::B3::testSelectFloatCompareFloat):
1707         (JSC::B3::testSelectFold):
1708         (JSC::B3::testSelectInvert):
1709         (JSC::B3::testCheckSelect):
1710         (JSC::B3::testCheckSelectCheckSelect):
1711         (JSC::B3::testCheckSelectAndCSE):
1712         (JSC::B3::testTrivialInfiniteLoop):
1713         (JSC::B3::testFoldPathEqual):
1714         (JSC::B3::testLShiftSelf32):
1715         (JSC::B3::testRShiftSelf32):
1716         (JSC::B3::testURShiftSelf32):
1717         (JSC::B3::testLShiftSelf64):
1718         (JSC::B3::testRShiftSelf64):
1719         (JSC::B3::testURShiftSelf64):
1720         (JSC::B3::testPatchpointDoubleRegs):
1721         (JSC::B3::testSpillDefSmallerThanUse):
1722         (JSC::B3::testSpillUseLargerThanDef):
1723         (JSC::B3::testLateRegister):
1724         (JSC::B3::testInterpreter):
1725         (JSC::B3::testEntrySwitchSimple):
1726         (JSC::B3::testEntrySwitchNoEntrySwitch):
1727         (JSC::B3::testEntrySwitchWithCommonPaths):
1728         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
1729         (JSC::B3::testEntrySwitchLoop):
1730         (JSC::B3::testSomeEarlyRegister):
1731         (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled):
1732         (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled2):
1733         (JSC::B3::testPatchpointTerminalReturnValue):
1734         (JSC::B3::testMemoryFence):
1735         (JSC::B3::testStoreFence):
1736         (JSC::B3::testLoadFence):
1737         (JSC::B3::testPCOriginMapDoesntInsertNops):
1738         (JSC::B3::testPinRegisters):
1739         (JSC::B3::testX86LeaAddAddShlLeft):
1740         (JSC::B3::testX86LeaAddAddShlRight):
1741         (JSC::B3::testX86LeaAddAdd):
1742         (JSC::B3::testX86LeaAddShlRight):
1743         (JSC::B3::testX86LeaAddShlLeftScale1):
1744         (JSC::B3::testX86LeaAddShlLeftScale2):
1745         (JSC::B3::testX86LeaAddShlLeftScale4):
1746         (JSC::B3::testX86LeaAddShlLeftScale8):
1747         (JSC::B3::testAddShl32):
1748         (JSC::B3::testAddShl64):
1749         (JSC::B3::testAddShl65):
1750         (JSC::B3::testLoadBaseIndexShift2):
1751         (JSC::B3::testLoadBaseIndexShift32):
1752         (JSC::B3::testOptimizeMaterialization):
1753         (JSC::B3::testAtomicWeakCAS):
1754         (JSC::B3::testAtomicStrongCAS):
1755         (JSC::B3::testAtomicXchg):
1756         (JSC::B3::testDepend32):
1757         (JSC::B3::testDepend64):
1758         (JSC::B3::testWasmBoundsCheck):
1759         (JSC::B3::testWasmAddress):
1760         (JSC::B3::run):
1761         (JSC::B3::compile): Deleted.
1762         * bytecode/PolymorphicAccess.cpp:
1763         (JSC::PolymorphicAccess::regenerate):
1764         * dfg/DFGJITCompiler.cpp:
1765         (JSC::DFG::JITCompiler::compile):
1766         (JSC::DFG::JITCompiler::compileFunction):
1767         * dfg/DFGLazyJSValue.cpp:
1768         (JSC::DFG::LazyJSValue::emit):
1769         * dfg/DFGOSRExitCompiler.cpp:
1770         * dfg/DFGSpeculativeJIT32_64.cpp:
1771         (JSC::DFG::SpeculativeJIT::emitCall):
1772         * dfg/DFGSpeculativeJIT64.cpp:
1773         (JSC::DFG::SpeculativeJIT::emitCall):
1774         * dfg/DFGThunks.cpp:
1775         (JSC::DFG::osrExitGenerationThunkGenerator):
1776         (JSC::DFG::osrEntryThunkGenerator):
1777         * ftl/FTLCompile.cpp:
1778         (JSC::FTL::compile):
1779         * ftl/FTLLazySlowPath.cpp:
1780         (JSC::FTL::LazySlowPath::generate):
1781         * ftl/FTLLink.cpp:
1782         (JSC::FTL::link):
1783         * ftl/FTLLowerDFGToB3.cpp:
1784         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1785         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1786         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1787         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1788         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1789         * ftl/FTLOSRExitCompiler.cpp:
1790         (JSC::FTL::compileStub):
1791         * ftl/FTLOSRExitHandle.cpp:
1792         (JSC::FTL::OSRExitHandle::emitExitThunk):
1793         * ftl/FTLSlowPathCall.cpp:
1794         (JSC::FTL::SlowPathCallContext::makeCall):
1795         * ftl/FTLSlowPathCall.h:
1796         (JSC::FTL::callOperation):
1797         * ftl/FTLState.h:
1798         * ftl/FTLThunks.cpp:
1799         (JSC::FTL::genericGenerationThunkGenerator):
1800         (JSC::FTL::slowPathCallThunkGenerator):
1801         * ftl/FTLThunks.h:
1802         (JSC::FTL::generateIfNecessary):
1803         (JSC::FTL::Thunks::getSlowPathCallThunk):
1804         * jit/AssemblyHelpers.cpp:
1805         (JSC::AssemblyHelpers::emitDumbVirtualCall):
1806         * jit/AssemblyHelpers.h:
1807         * jit/ExecutableAllocator.cpp:
1808         (JSC::ExecutableAllocator::initializeAllocator):
1809         (JSC::ExecutableAllocator::singleton):
1810         (JSC::ExecutableAllocator::ExecutableAllocator):
1811         (JSC::ExecutableAllocator::allocate):
1812         * jit/ExecutableAllocator.h:
1813         * jit/JIT.cpp:
1814         (JSC::JIT::compileWithoutLinking):
1815         * jit/JITCall.cpp:
1816         (JSC::JIT::compileCallEvalSlowCase):
1817         * jit/JITMathIC.h:
1818         (JSC::JITMathIC::generateOutOfLine):
1819         * jit/JITOpcodes.cpp:
1820         (JSC::JIT::privateCompileHasIndexedProperty):
1821         * jit/JITOpcodes32_64.cpp:
1822         (JSC::JIT::privateCompileHasIndexedProperty):
1823         * jit/JITOperations.cpp:
1824         * jit/JITOperations.h:
1825         * jit/JITPropertyAccess.cpp:
1826         (JSC::JIT::stringGetByValStubGenerator):
1827         (JSC::JIT::privateCompileGetByVal):
1828         (JSC::JIT::privateCompileGetByValWithCachedId):
1829         (JSC::JIT::privateCompilePutByVal):
1830         (JSC::JIT::privateCompilePutByValWithCachedId):
1831         * jit/JITPropertyAccess32_64.cpp:
1832         (JSC::JIT::stringGetByValStubGenerator):
1833         * jit/JITStubRoutine.h:
1834         * jit/Repatch.cpp:
1835         (JSC::ftlThunkAwareRepatchCall):
1836         (JSC::linkPolymorphicCall):
1837         * jit/SpecializedThunkJIT.h:
1838         (JSC::SpecializedThunkJIT::finalize):
1839         * jit/ThunkGenerators.cpp:
1840         (JSC::throwExceptionFromCallSlowPathGenerator):
1841         (JSC::linkCallThunkGenerator):
1842         (JSC::linkPolymorphicCallThunkGenerator):
1843         (JSC::virtualThunkFor):
1844         (JSC::nativeForGenerator):
1845         (JSC::arityFixupGenerator):
1846         (JSC::unreachableGenerator):
1847         (JSC::boundThisNoArgsFunctionCallGenerator):
1848         (JSC::throwExceptionFromWasmThunkGenerator):
1849         * llint/LLIntThunks.cpp:
1850         (JSC::LLInt::generateThunkWithJumpTo):
1851         * runtime/SamplingProfiler.cpp:
1852         (JSC::SamplingProfiler::takeSample):
1853         * runtime/VM.cpp:
1854         (JSC::VM::VM):
1855         * runtime/VM.h:
1856         * runtime/VMTraps.cpp:
1857         (JSC::VMTraps::tryInstallTrapBreakpoints):
1858         * tools/VMInspector.cpp:
1859         * wasm/WasmBinding.cpp:
1860         (JSC::Wasm::wasmToJs):
1861         (JSC::Wasm::wasmToWasm):
1862         (JSC::Wasm::exitStubGenerator):
1863         * wasm/WasmPlan.cpp:
1864         (JSC::Wasm::Plan::complete):
1865         * yarr/YarrJIT.cpp:
1866         (JSC::Yarr::YarrGenerator::compile):
1867         (JSC::Yarr::jitCompile):
1868
1869 2017-03-29  Keith Miller  <keith_miller@apple.com>
1870
1871         WebAssembly: Worklist should periodically check in to see if there are higher priority jobs to do.
1872         https://bugs.webkit.org/show_bug.cgi?id=170204
1873
1874         Reviewed by Saam Barati.
1875
1876         This patch makes it so that Wasm::Plan's compileFunctions method can return periodically
1877         to its caller. The main use for this is if a user asynchronously compiles a wasm module
1878         then later synchronously compiles another module. In this case we want to be able to pause
1879         compilation of other worklists.
1880
1881         This patch also adds support for size_t Options.
1882
1883         * runtime/Options.cpp:
1884         (JSC::parse):
1885         (JSC::Option::dump):
1886         (JSC::Option::operator==):
1887         * runtime/Options.h:
1888         * wasm/WasmPlan.cpp:
1889         (JSC::Wasm::Plan::moveToState):
1890         (JSC::Wasm::Plan::ThreadCountHolder::~ThreadCountHolder):
1891         (JSC::Wasm::Plan::compileFunctions):
1892         * wasm/WasmPlan.h:
1893         * wasm/WasmWorklist.cpp:
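
The entry above says compileFunctions can now return to its caller partway through so that a synchronous compile can preempt an asynchronous one. As an added sketch of that control flow, not the code in wasm/WasmPlan.cpp, here is a plan that records where it stopped, checks a caller-supplied "higher priority job pending" predicate after each function, and resumes from the saved index on the next call. The Plan class, its callbacks and the five-function scenario are assumptions made for this example.

```cpp
#include <cstddef>
#include <functional>
#include <vector>

class Plan {
public:
    explicit Plan(size_t functionCount)
        : m_compiled(functionCount, false)
    {
    }

    // Compiles functions in order, starting where the previous call stopped.
    // After each function it consults higherPriorityJobPending(); when that
    // returns true and work remains, it returns early so the caller can run
    // the other job first. Returns the number of functions compiled by this call.
    size_t compileFunctions(const std::function<bool()>& higherPriorityJobPending,
        const std::function<void(size_t)>& compileOne)
    {
        size_t compiledNow = 0;
        while (m_next < m_compiled.size()) {
            compileOne(m_next);
            m_compiled[m_next] = true;
            ++m_next;
            ++compiledNow;
            if (m_next < m_compiled.size() && higherPriorityJobPending())
                break;
        }
        return compiledNow;
    }

    bool done() const { return m_next == m_compiled.size(); }
    size_t nextIndex() const { return m_next; }

private:
    std::vector<bool> m_compiled;
    size_t m_next = 0;
};

// Constructed scenario: a 5-function plan is interrupted after its second
// function by a synchronous compile, then resumed. Returns true when the
// plan yielded at the right point and later finished with every function
// compiled exactly once, in order.
bool demoYieldAndResume()
{
    Plan plan(5);
    std::vector<size_t> order;
    int checks = 0;
    // The second check-in reports a pending higher priority job.
    size_t first = plan.compileFunctions(
        [&] { return ++checks == 2; },
        [&](size_t index) { order.push_back(index); });
    if (first != 2 || plan.done() || plan.nextIndex() != 2)
        return false;

    // ...the synchronous job would run here, on this thread...

    size_t second = plan.compileFunctions(
        [] { return false; },
        [&](size_t index) { order.push_back(index); });
    if (second != 3 || !plan.done())
        return false;

    std::vector<size_t> expected = { 0, 1, 2, 3, 4 };
    return order == expected;
}

int main()
{
    return demoYieldAndResume() ? 0 : 1;
}
```

The predicate is only evaluated when work remains, so a plan that finishes never reports a spurious pause, and the saved index means a resumed plan never compiles a function twice.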
1894
1895 2017-03-29  Mark Lam  <mark.lam@apple.com>
1896
1897         Remove obsolete references to HeapTimer in JavaScriptCore.order.
1898         https://bugs.webkit.org/show_bug.cgi?id=170252
1899
1900         Reviewed by Saam Barati.
1901
1902         The HeapTimer was renamed to JSRunLoopTimer back in r214504.  These HeapTimer
1903         entries are now no longer meaningful.
1904
1905         * JavaScriptCore.order:
1906
1907 2017-03-29  JF Bastien  <jfbastien@apple.com>
1908
1909         WebAssembly: add shell-only Memory mode helper
1910         https://bugs.webkit.org/show_bug.cgi?id=170227
1911
1912         Reviewed by Mark Lam.
1913
1914         * jsc.cpp:
1915         (GlobalObject::finishCreation):
1916         (functionWebAssemblyMemoryMode):
1917         * wasm/WasmMemory.h:
1918         * wasm/js/JSWebAssemblyInstance.h:
1919         * wasm/js/JSWebAssemblyMemory.h:
1920
1921 2017-03-29  Keith Miller  <keith_miller@apple.com>
1922
1923         WebAssembly: pack OpcodeOrigin to fit in a pointer
1924         https://bugs.webkit.org/show_bug.cgi?id=170244
1925
1926         Reviewed by Michael Saboff.
1927
1928         This patch makes it so we don't have to allocate the OpcodeOrigin and can just
1929         pack all the data into the pointer B3::Origin already has.
1930
1931         * wasm/WasmB3IRGenerator.cpp:
1932         (JSC::Wasm::parseAndCompile):
1933         * wasm/WasmOpcodeOrigin.cpp:
1934         (JSC::Wasm::OpcodeOrigin::dump):
1935         * wasm/WasmOpcodeOrigin.h:
1936         (JSC::Wasm::OpcodeOrigin::OpcodeOrigin):
1937         (JSC::Wasm::OpcodeOrigin::opcode):
1938         (JSC::Wasm::OpcodeOrigin::location):
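
Packing an opcode and a location into one pointer-sized word means one field's bits can silently spill into the other's if the encoder does not check its input. The example below is added for this page and is not JSC's OpcodeOrigin layout: the 8-bit opcode field, the location width and the PackedOrigin name are assumptions. It refuses a location that would not fit rather than truncating it, and round-trips through the raw word the way a B3::Origin would carry it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>

class PackedOrigin {
public:
    static constexpr unsigned opcodeBits = 8;
    static constexpr uintptr_t opcodeMask = (uintptr_t(1) << opcodeBits) - 1;
    static constexpr uintptr_t maxLocation = ~uintptr_t(0) >> opcodeBits;

    // Low 8 bits: opcode byte. Remaining bits: offset of that opcode in the code section.
    static PackedOrigin pack(uint8_t opcode, size_t location)
    {
        // A location wider than its field would overwrite the opcode; reject it.
        if (uintptr_t(location) > maxLocation)
            throw std::out_of_range("location does not fit in a packed origin");
        return PackedOrigin((uintptr_t(location) << opcodeBits) | opcode);
    }
    static PackedOrigin fromRaw(uintptr_t raw) { return PackedOrigin(raw); }

    uintptr_t raw() const { return m_bits; }
    uint8_t opcode() const { return uint8_t(m_bits & opcodeMask); }
    size_t location() const { return size_t(m_bits >> opcodeBits); }

private:
    explicit PackedOrigin(uintptr_t bits)
        : m_bits(bits)
    {
    }
    uintptr_t m_bits;
};
static_assert(sizeof(PackedOrigin) == sizeof(void*), "origin must fit in a pointer");

// True if pack() refuses the given location.
bool packRejects(size_t location)
{
    try {
        PackedOrigin::pack(0, location);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main()
{
    PackedOrigin origin = PackedOrigin::pack(0x41, 1234);
    std::printf("opcode=0x%02x location=%zu raw=0x%llx\n",
        origin.opcode(), origin.location(), (unsigned long long)origin.raw());
    return 0;
}
```

On a 64-bit build this leaves 56 bits for the location, far more than any module's code section; on 32-bit it leaves 24, which is why the encoder checks rather than assumes.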
1939
1940 2017-03-29  JF Bastien  <jfbastien@apple.com>
1941
1942         WebAssembly: NFC s/goto/lambda/g
1943         https://bugs.webkit.org/show_bug.cgi?id=170242
1944
1945         Reviewed by Mark Lam.
1946
1947         Lambdas are more in-style than the goto I just used.
1948
1949         * wasm/WasmMemory.cpp:
1950         (JSC::Wasm::tryGetFastMemory):
1951
1952 2017-03-28  Saam Barati  <sbarati@apple.com>
1953
1954         AssemblyHelpers should not have a VM field
1955         https://bugs.webkit.org/show_bug.cgi?id=170207
1956
1957         Reviewed by Yusuke Suzuki.
1958
1959         APIs that need VM should take one as a parameter. When doing position
1960         independent code for Wasm, we can't tie code generation to a VM.
1961
1962         * b3/B3Compile.cpp:
1963         (JSC::B3::compile):
1964         * b3/air/testair.cpp:
1965         * b3/testb3.cpp:
1966         (JSC::B3::testEntrySwitchSimple):
1967         (JSC::B3::testEntrySwitchNoEntrySwitch):
1968         (JSC::B3::testEntrySwitchWithCommonPaths):
1969         (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
1970         (JSC::B3::testEntrySwitchLoop):
1971         * bytecode/AccessCase.cpp:
1972         (JSC::AccessCase::generateWithGuard):
1973         (JSC::AccessCase::generateImpl):
1974         * bytecode/DOMJITAccessCasePatchpointParams.cpp:
1975         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1976         * bytecode/InlineAccess.cpp:
1977         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1978         (JSC::InlineAccess::generateSelfPropertyAccess):
1979         (JSC::InlineAccess::generateSelfPropertyReplace):
1980         (JSC::InlineAccess::generateArrayLength):
1981         (JSC::InlineAccess::rewireStubAsJump):
1982         * bytecode/InlineAccess.h:
1983         * bytecode/PolymorphicAccess.cpp:
1984         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1985         (JSC::PolymorphicAccess::regenerate):
1986         * bytecode/PolymorphicAccess.h:
1987         (JSC::AccessGenerationState::AccessGenerationState):
1988         * dfg/DFGJITCompiler.cpp:
1989         (JSC::DFG::JITCompiler::JITCompiler):
1990         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1991         (JSC::DFG::JITCompiler::link):
1992         (JSC::DFG::JITCompiler::compile):
1993         (JSC::DFG::JITCompiler::compileFunction):
1994         (JSC::DFG::JITCompiler::exceptionCheck):
1995         * dfg/DFGJITCompiler.h:
1996         (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
1997         (JSC::DFG::JITCompiler::fastExceptionCheck):
1998         (JSC::DFG::JITCompiler::vm):
1999         * dfg/DFGOSRExitCompiler.cpp:
2000         * dfg/DFGOSRExitCompiler.h:
2001         * dfg/DFGOSRExitCompiler32_64.cpp:
2002         (JSC::DFG::OSRExitCompiler::compileExit):
2003         * dfg/DFGOSRExitCompiler64.cpp:
2004         (JSC::DFG::OSRExitCompiler::compileExit):
2005         * dfg/DFGOSRExitCompilerCommon.cpp:
2006         (JSC::DFG::adjustAndJumpToTarget):
2007         * dfg/DFGOSRExitCompilerCommon.h:
2008         * dfg/DFGSpeculativeJIT.cpp:
2009         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2010         (JSC::DFG::SpeculativeJIT::checkArray):
2011         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2012         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2013         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2014         (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
2015         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2016         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
2017         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2018         (JSC::DFG::SpeculativeJIT::compileSpread):
2019         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2020         (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
2021         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2022         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2023         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
2024         * dfg/DFGSpeculativeJIT.h:
2025         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
2026         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2027         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
2028         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
2029         * dfg/DFGSpeculativeJIT32_64.cpp:
2030         (JSC::DFG::SpeculativeJIT::emitCall):
2031         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2032         (JSC::DFG::SpeculativeJIT::emitBranch):
2033         (JSC::DFG::SpeculativeJIT::compile):
2034         * dfg/DFGSpeculativeJIT64.cpp:
2035         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2036         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
2037         (JSC::DFG::SpeculativeJIT::emitCall):
2038         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2039         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2040         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2041         (JSC::DFG::SpeculativeJIT::emitBranch):
2042         (JSC::DFG::SpeculativeJIT::compile):
2043         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2044         * dfg/DFGThunks.cpp:
2045         (JSC::DFG::osrEntryThunkGenerator):
2046         * ftl/FTLCompile.cpp:
2047         (JSC::FTL::compile):
2048         * ftl/FTLJITFinalizer.h:
2049         * ftl/FTLLazySlowPath.cpp:
2050         (JSC::FTL::LazySlowPath::generate):
2051         * ftl/FTLLazySlowPathCall.h:
2052         (JSC::FTL::createLazyCallGenerator):
2053         * ftl/FTLLink.cpp:
2054         (JSC::FTL::link):
2055         * ftl/FTLLowerDFGToB3.cpp:
2056         (JSC::FTL::DFG::LowerDFGToB3::lower):
2057         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
2058         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2059         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2060         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2061         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2062         (JSC::FTL::DFG::LowerDFGToB3::compileNotifyWrite):
2063         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2064         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2065         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
2066         (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
2067         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
2068         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2069         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
2070         (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps):
2071         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2072         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2073         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2074         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
2075         * ftl/FTLOSRExitCompiler.cpp:
2076         (JSC::FTL::compileStub):
2077         * ftl/FTLSlowPathCall.h:
2078         (JSC::FTL::callOperation):
2079         * ftl/FTLState.h:
2080         (JSC::FTL::State::vm):
2081         * ftl/FTLThunks.cpp:
2082         (JSC::FTL::genericGenerationThunkGenerator):
2083         (JSC::FTL::slowPathCallThunkGenerator):
2084         * jit/AssemblyHelpers.cpp:
2085         (JSC::AssemblyHelpers::jitReleaseAssertNoException):
2086         (JSC::AssemblyHelpers::callExceptionFuzz):
2087         (JSC::AssemblyHelpers::emitJumpIfException):
2088         (JSC::AssemblyHelpers::emitExceptionCheck):
2089         (JSC::AssemblyHelpers::emitNonPatchableExceptionCheck):
2090         (JSC::AssemblyHelpers::emitLoadStructure):
2091         (JSC::AssemblyHelpers::emitRandomThunk):
2092         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
2093         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
2094         (JSC::AssemblyHelpers::debugCall):
2095         * jit/AssemblyHelpers.h:
2096         (JSC::AssemblyHelpers::AssemblyHelpers):
2097         (JSC::AssemblyHelpers::codeBlock):
2098         (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2099         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer):
2100         (JSC::AssemblyHelpers::barrierBranch):
2101         (JSC::AssemblyHelpers::barrierStoreLoadFence):
2102         (JSC::AssemblyHelpers::mutatorFence):
2103         (JSC::AssemblyHelpers::storeButterfly):
2104         (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
2105         (JSC::AssemblyHelpers::jumpIfMutatorFenceNotNeeded):
2106         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2107         (JSC::AssemblyHelpers::emitAllocateJSObject):
2108         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
2109         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
2110         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2111         (JSC::AssemblyHelpers::vm): Deleted.
2112         (JSC::AssemblyHelpers::debugCall): Deleted.
2113         * jit/CCallHelpers.cpp:
2114         (JSC::CCallHelpers::ensureShadowChickenPacket):
2115         * jit/CCallHelpers.h:
2116         (JSC::CCallHelpers::CCallHelpers):
2117         (JSC::CCallHelpers::jumpToExceptionHandler):
2118         * jit/JIT.cpp:
2119         (JSC::JIT::emitEnterOptimizationCheck):
2120         (JSC::JIT::privateCompileExceptionHandlers):
2121         * jit/JIT.h:
2122         (JSC::JIT::exceptionCheck):
2123         (JSC::JIT::exceptionCheckWithCallFrameRollback):
2124         * jit/JITMathIC.h:
2125         (JSC::JITMathIC::generateOutOfLine):
2126         * jit/JITOpcodes.cpp:
2127         (JSC::JIT::emit_op_instanceof):
2128         (JSC::JIT::emit_op_is_undefined):
2129         (JSC::JIT::emit_op_jfalse):
2130         (JSC::JIT::emit_op_jeq_null):
2131         (JSC::JIT::emit_op_jneq_null):
2132         (JSC::JIT::emit_op_jtrue):
2133         (JSC::JIT::emit_op_throw):
2134         (JSC::JIT::emit_op_catch):
2135         (JSC::JIT::emit_op_eq_null):
2136         (JSC::JIT::emit_op_neq_null):
2137         (JSC::JIT::emitSlow_op_loop_hint):
2138         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2139         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2140         * jit/JITOpcodes32_64.cpp:
2141         (JSC::JIT::privateCompileCTINativeCall):
2142         (JSC::JIT::emit_op_new_object):
2143         (JSC::JIT::emit_op_jfalse):
2144         (JSC::JIT::emit_op_jtrue):
2145         (JSC::JIT::emit_op_throw):
2146         (JSC::JIT::emit_op_catch):
2147         (JSC::JIT::emit_op_create_this):
2148         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2149         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2150         * jit/JITPropertyAccess.cpp:
2151         (JSC::JIT::emitWriteBarrier):
2152         * jit/JSInterfaceJIT.h:
2153         (JSC::JSInterfaceJIT::JSInterfaceJIT):
2154         (JSC::JSInterfaceJIT::vm):
2155         * jit/Repatch.cpp:
2156         (JSC::tryCacheGetByID):
2157         (JSC::tryCachePutByID):
2158         (JSC::linkPolymorphicCall):
2159         (JSC::resetGetByID):
2160         (JSC::resetPutByID):
2161         * jit/SetupVarargsFrame.cpp:
2162         (JSC::emitSetupVarargsFrameFastCase):
2163         * jit/SetupVarargsFrame.h:
2164         * jit/SpecializedThunkJIT.h:
2165         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2166         * jit/ThunkGenerators.cpp:
2167         (JSC::throwExceptionFromCallSlowPathGenerator):
2168         (JSC::linkCallThunkGenerator):
2169         (JSC::linkPolymorphicCallThunkGenerator):
2170         (JSC::virtualThunkFor):
2171         (JSC::nativeForGenerator):
2172         (JSC::randomThunkGenerator):
2173         (JSC::boundThisNoArgsFunctionCallGenerator):
2174         (JSC::throwExceptionFromWasmThunkGenerator):
2175         * wasm/WasmB3IRGenerator.cpp:
2176         (JSC::Wasm::parseAndCompile):
2177         * wasm/WasmBinding.cpp:
2178         (JSC::Wasm::wasmToJs):
2179         (JSC::Wasm::wasmToWasm):
2180
2181 2017-03-28  Keith Miller  <keith_miller@apple.com>
2182
2183         WebAssembly: We should have Origins
2184         https://bugs.webkit.org/show_bug.cgi?id=170217
2185
2186         Reviewed by Mark Lam.
2187
2188         This patch adds wasm origins for B3::Values, called OpcodeOrigin. Currently,
2189         OpcodeOrigin just tracks the original opcode and the location of that opcode.
2190
2191         Here's a sample:
2192
2193         BB#0: ; frequency = 1.000000
2194             Int64 @4 = Patchpoint(generator = 0x10f487fa8, earlyClobbered = [], lateClobbered = [], usedRegisters = [], resultConstraint = SomeRegister)
2195             Int64 @5 = FramePointer()
2196             Void @8 = Store(@4, @5, offset = 24, ControlDependent|Writes:Top)
2197             Int64 @10 = Const64(0)
2198             Void @12 = Store($0(@10), @5, offset = 16, ControlDependent|Writes:Top)
2199             Int64 @13 = Patchpoint(generator = 0x10f4be7f0, earlyClobbered = [], lateClobbered = [], usedRegisters = [], resultConstraint = SomeRegister, ExitsSideways|ControlDependent|WritesPinned|ReadsPinned|Fence|Writes:Top|Reads:Top)
2200             Int64 @16 = ArgumentReg(%rdi)
2201             Int64 @18 = ArgumentReg(%rsi)
2202             Int32 @22 = Trunc(@18, Wasm: {opcode: I64Rotl, location: 5})
2203             Int64 @23 = RotL(@16, @22, Wasm: {opcode: I64Rotl, location: 5})
2204             Void @27 = Return(@23, Terminal, Wasm: {opcode: End, location: 6})
2205
2206         * JavaScriptCore.xcodeproj/project.pbxproj:
2207         * b3/B3Value.cpp:
2208         (JSC::B3::Value::deepDump):
2209         * wasm/WasmB3IRGenerator.cpp:
2210         (JSC::Wasm::B3IRGenerator::setParser):
2211         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2212         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2213         (JSC::Wasm::B3IRGenerator::emitLoadOp):
2214         (JSC::Wasm::B3IRGenerator::emitStoreOp):
2215         (JSC::Wasm::B3IRGenerator::addConstant):
2216         (JSC::Wasm::B3IRGenerator::addLoop):
2217         (JSC::Wasm::B3IRGenerator::unify):
2218         (JSC::Wasm::parseAndCompile):
2219         (JSC::Wasm::B3IRGenerator::emitChecksForModOrDiv):
2220         (JSC::Wasm::getMemoryBaseAndSize): Deleted.
2221         * wasm/WasmFunctionParser.h:
2222         (JSC::Wasm::FunctionParser::currentOpcode):
2223         (JSC::Wasm::FunctionParser::currentOpcodeStartingOffset):
2224         (JSC::Wasm::FunctionParser<Context>::FunctionParser):
2225         * wasm/WasmOpcodeOrigin.cpp: Added.
2226         (JSC::Wasm::OpcodeOrigin::dump):
2227         * wasm/WasmOpcodeOrigin.h: Added.
2228         (JSC::Wasm::OpcodeOrigin::OpcodeOrigin):
2229         * wasm/WasmValidate.cpp:
2230         (JSC::Wasm::Validate::setParser):
2231         * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
2232         (CodeGenerator.generate):
2233         (generateB3OpCode):
2234         (generateConstCode):
2235
2236 2017-03-28  JF Bastien  <jfbastien@apple.com>
2237
2238         WebAssembly: option to crash if no fast memory is available
2239         https://bugs.webkit.org/show_bug.cgi?id=170219
2240
2241         Reviewed by Mark Lam.
2242
2243         * runtime/Options.h:
2244         * wasm/WasmMemory.cpp:
2245         (JSC::Wasm::webAssemblyCouldntGetFastMemory):
2246         (JSC::Wasm::tryGetFastMemory):
2247
2248 2017-03-28  Mark Lam  <mark.lam@apple.com>
2249
2250         The Mutator should not be able to steal the conn if the Collector hasn't reached the NotRunning phase yet.
2251         https://bugs.webkit.org/show_bug.cgi?id=170213
2252         <rdar://problem/30755345>
2253
2254         Reviewed by Filip Pizlo.
2255
2256         The current condition for stealing the conn isn't tight enough.  Restricting the
2257         stealing to when m_currentPhase == NotRunning ensures that the Collector is
2258         really done running.
2259
2260         No test because this issue only manifests with a race condition that is difficult
2261         to reproduce on demand.
2262
2263         * heap/Heap.cpp:
2264         (JSC::Heap::requestCollection):
2265
2266 2017-03-28  Keith Miller  <keith_miller@apple.com>
2267
2268         WebAssembly: Make WebAssembly.instantiate/compile truly asynchronous
2269         https://bugs.webkit.org/show_bug.cgi?id=169187
2270
2271         Reviewed by Saam Barati.
2272
2273         This patch allows WebAssembly compilations to happen asynchronously.
2274         To do so, it refactors how much of the compilation happens and adds
2275         new infrastructure for async promises.
2276
2277         First, there is a new class, PromiseDeferredTimer that lives on
2278         the VM.  PromiseDeferredTimer will manage the life-cycle of async
2279         pending promises and any dependencies that promise
2280         needs. PromiseDeferredTimer automagically releases the pending
2281         promise and dependencies once the JSPromiseDeferred is resolved or
2282         rejected. Additionally, PromiseDeferredTimer provides a mechanism
2283         to poll the run-loop whenever the async task needs to synchronize
2284         with the JS thread. Normally, that will be whenever the async task
2285         finishes. In the case of Web Assembly we also use this feature for
2286         the compile + instantiate case, where we might have more work
2287         after the first async task completes (more on that later).
2288
2289         The next class is Wasm::Worklist, which is used to manage Wasm
2290         compilation tasks. The worklist class works similarly to the
2291         DFG/FTL Worklists. It has a pool of threads that it manages. One
2292         interesting aspect of Wasm Worklist is that it can synchronously
2293         compile a plan that is already potentially running
2294         asynchronously. This can occur if a user calls
2295         WebAssembly.instantiate() then new WebAssembly.instantiate() on
2296         the same module. In that case the Wasm Worklist will bump the
2297         priority of the running pending Plan and block the JS thread.
2298
2299         This patch also makes some of the Wasm Plan code cleaner. Since we
2300         now defer all compilation to instantiation time, we no longer need
2301         to guess at which memory we are going to get. Also, Wasm Plans now
2302         track the work they have done with a state enum.
2303
2304         Finally, this patch renames HeapTimer to JSRunLoopTimer. It
2305         also changes test262AsyncTest to a more generic testing
2306         infrastructure. Now, in addition to the old functionality, you can
2307         call asyncTest() with the number of tests you expect. When the jsc
2308         CLI exits, it will guarantee that asyncTestPassed() is called that
2309         many times.
2310
2311         * CMakeLists.txt:
2312         * JavaScriptCore.xcodeproj/project.pbxproj:
2313         * heap/GCActivityCallback.h:
2314         * heap/IncrementalSweeper.cpp:
2315         (JSC::IncrementalSweeper::scheduleTimer):
2316         (JSC::IncrementalSweeper::IncrementalSweeper):
2317         * heap/IncrementalSweeper.h:
2318         * heap/StopIfNecessaryTimer.cpp:
2319         (JSC::StopIfNecessaryTimer::StopIfNecessaryTimer):
2320         * heap/StopIfNecessaryTimer.h:
2321         * heap/StrongInlines.h:
2322         * jsc.cpp:
2323         (GlobalObject::finishCreation):
2324         (printInternal):
2325         (functionAsyncTestStart):
2326         (functionAsyncTestPassed):
2327         (functionTestWasmModuleFunctions):
2328         (CommandLine::parseArguments):
2329         (runJSC):
2330         * runtime/JSPromiseDeferred.cpp:
2331         (JSC::JSPromiseDeferred::resolve):
2332         (JSC::JSPromiseDeferred::reject):
2333         * runtime/JSPromiseDeferred.h:
2334         (JSC::JSPromiseDeferred::promiseAsyncPending):
2335         * runtime/JSRunLoopTimer.cpp: Renamed from Source/JavaScriptCore/heap/HeapTimer.cpp.
2336         (JSC::JSRunLoopTimer::JSRunLoopTimer):
2337         (JSC::JSRunLoopTimer::setRunLoop):
2338         (JSC::JSRunLoopTimer::~JSRunLoopTimer):
2339         (JSC::JSRunLoopTimer::timerDidFire):
2340         (JSC::JSRunLoopTimer::scheduleTimer):
2341         (JSC::JSRunLoopTimer::cancelTimer):
2342         (JSC::JSRunLoopTimer::invalidate):
2343         * runtime/JSRunLoopTimer.h: Copied from Source/JavaScriptCore/heap/HeapTimer.h.
2344         * runtime/Options.h:
2345         * runtime/PromiseDeferredTimer.cpp: Added.
2346         (JSC::PromiseDeferredTimer::PromiseDeferredTimer):
2347         (JSC::PromiseDeferredTimer::doWork):
2348         (JSC::PromiseDeferredTimer::runRunLoop):
2349         (JSC::PromiseDeferredTimer::addPendingPromise):
2350         (JSC::PromiseDeferredTimer::cancelPendingPromise):
2351         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
2352         (JSC::PromiseDeferredTimer::scheduleBlockedTask):
2353         * runtime/PromiseDeferredTimer.h: Renamed from Source/JavaScriptCore/heap/HeapTimer.h.
2354         (JSC::PromiseDeferredTimer::stopRunningTasks):
2355         * runtime/VM.cpp:
2356         (JSC::VM::VM):
2357         (JSC::VM::~VM):
2358         * runtime/VM.h:
2359         * wasm/JSWebAssembly.cpp:
2360         (JSC::reject):
2361         (JSC::webAssemblyCompileFunc):
2362         (JSC::resolve):
2363         (JSC::instantiate):
2364         (JSC::compileAndInstantiate):
2365         (JSC::webAssemblyInstantiateFunc):
2366         (JSC::webAssemblyValidateFunc):
2367         * wasm/WasmB3IRGenerator.cpp:
2368         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2369         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2370         (JSC::Wasm::B3IRGenerator::memoryKind):
2371         (JSC::Wasm::parseAndCompile):
2372         * wasm/WasmB3IRGenerator.h:
2373         * wasm/WasmFormat.h:
2374         (JSC::Wasm::ModuleInformation::internalFunctionCount):
2375         * wasm/WasmFunctionParser.h:
2376         * wasm/WasmMemory.h:
2377         * wasm/WasmMemoryInformation.cpp:
2378         (JSC::Wasm::MemoryInformation::MemoryInformation):
2379         * wasm/WasmMemoryInformation.h:
2380         (JSC::Wasm::MemoryInformation::maximum):
2381         (JSC::Wasm::MemoryInformation::hasReservedMemory): Deleted.
2382         (JSC::Wasm::MemoryInformation::takeReservedMemory): Deleted.
2383         (JSC::Wasm::MemoryInformation::mode): Deleted.
2384         * wasm/WasmModuleParser.cpp:
2385         * wasm/WasmModuleParser.h:
2386         (JSC::Wasm::ModuleParser::ModuleParser):
2387         * wasm/WasmPlan.cpp:
2388         (JSC::Wasm::Plan::Plan):
2389         (JSC::Wasm::Plan::stateString):
2390         (JSC::Wasm::Plan::moveToState):
2391         (JSC::Wasm::Plan::fail):
2392         (JSC::Wasm::Plan::parseAndValidateModule):
2393         (JSC::Wasm::Plan::prepare):
2394         (JSC::Wasm::Plan::ThreadCountHolder::ThreadCountHolder):
2395         (JSC::Wasm::Plan::ThreadCountHolder::~ThreadCountHolder):
2396         (JSC::Wasm::Plan::compileFunctions):
2397         (JSC::Wasm::Plan::complete):
2398         (JSC::Wasm::Plan::waitForCompletion):
2399         (JSC::Wasm::Plan::cancel):
2400         (JSC::Wasm::Plan::run): Deleted.
2401         (JSC::Wasm::Plan::initializeCallees): Deleted.
2402         * wasm/WasmPlan.h:
2403         (JSC::Wasm::Plan::dontFinalize):
2404         (JSC::Wasm::Plan::exports):
2405         (JSC::Wasm::Plan::internalFunctionCount):
2406         (JSC::Wasm::Plan::takeModuleInformation):
2407         (JSC::Wasm::Plan::takeCallLinkInfos):
2408         (JSC::Wasm::Plan::takeWasmExitStubs):
2409         (JSC::Wasm::Plan::setModeAndPromise):
2410         (JSC::Wasm::Plan::mode):
2411         (JSC::Wasm::Plan::pendingPromise):
2412         (JSC::Wasm::Plan::vm):
2413         (JSC::Wasm::Plan::errorMessage):
2414         (JSC::Wasm::Plan::failed):
2415         (JSC::Wasm::Plan::hasWork):
2416         (JSC::Wasm::Plan::hasBeenPrepared):
2417         * wasm/WasmPlanInlines.h: Copied from Source/JavaScriptCore/wasm/WasmB3IRGenerator.h.
2418         (JSC::Wasm::Plan::initializeCallees):
2419         * wasm/WasmValidate.cpp:
2420         * wasm/WasmWorklist.cpp: Added.
2421         (JSC::Wasm::Worklist::priorityString):
2422         (JSC::Wasm::Worklist::QueueElement::setToNextPriority):
2423         (JSC::Wasm::Worklist::iterate):
2424         (JSC::Wasm::Worklist::enqueue):
2425         (JSC::Wasm::Worklist::completePlanSynchronously):
2426         (JSC::Wasm::Worklist::stopAllPlansForVM):
2427         (JSC::Wasm::Worklist::Worklist):
2428         (JSC::Wasm::Worklist::~Worklist):
2429         (JSC::Wasm::existingWorklistOrNull):
2430         (JSC::Wasm::ensureWorklist):
2431         * wasm/WasmWorklist.h: Added.
2432         (JSC::Wasm::Worklist::nextTicket):
2433         (JSC::Wasm::Worklist::Comparator::operator()):
2434         * wasm/js/JSWebAssemblyCallee.h:
2435         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2436         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2437         (JSC::JSWebAssemblyCodeBlock::initialize):
2438         (JSC::JSWebAssemblyCodeBlock::isSafeToRun):
2439         * wasm/js/JSWebAssemblyCodeBlock.h:
2440         (JSC::JSWebAssemblyCodeBlock::create):
2441         (JSC::JSWebAssemblyCodeBlock::initialized):
2442         (JSC::JSWebAssemblyCodeBlock::plan):
2443         (JSC::JSWebAssemblyCodeBlock::runnable):
2444         (JSC::JSWebAssemblyCodeBlock::errorMessage):
2445         (JSC::JSWebAssemblyCodeBlock::callees):
2446         * wasm/js/JSWebAssemblyHelpers.h:
2447         (JSC::createSourceBufferFromValue):
2448         * wasm/js/JSWebAssemblyInstance.cpp:
2449         (JSC::JSWebAssemblyInstance::finishCreation):
2450         (JSC::JSWebAssemblyInstance::visitChildren):
2451         (JSC::JSWebAssemblyInstance::addUnitializedCodeBlock):
2452         (JSC::JSWebAssemblyInstance::finalizeCreation):
2453         (JSC::JSWebAssemblyInstance::create):
2454         (JSC::JSWebAssemblyInstance::setMemory): Deleted.
2455         * wasm/js/JSWebAssemblyInstance.h:
2456         (JSC::JSWebAssemblyInstance::codeBlock):
2457         (JSC::JSWebAssemblyInstance::initialized):
2458         (JSC::JSWebAssemblyInstance::module):
2459         (JSC::JSWebAssemblyInstance::importFunction):
2460         (JSC::JSWebAssemblyInstance::setMemory):
2461         (JSC::JSWebAssemblyInstance::table):
2462         (JSC::JSWebAssemblyInstance::importFunctions):
2463         (JSC::JSWebAssemblyInstance::setImportFunction): Deleted.
2464         (JSC::JSWebAssemblyInstance::setTable): Deleted.
2465         * wasm/js/JSWebAssemblyModule.cpp:
2466         (JSC::JSWebAssemblyModule::createStub):
2467         (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
2468         (JSC::JSWebAssemblyModule::finishCreation):
2469         (JSC::JSWebAssemblyModule::setCodeBlock):
2470         (JSC::JSWebAssemblyModule::buildCodeBlock): Deleted.
2471         (JSC::JSWebAssemblyModule::create): Deleted.
2472         (JSC::JSWebAssemblyModule::codeBlock): Deleted.
2473         * wasm/js/JSWebAssemblyModule.h:
2474         (JSC::JSWebAssemblyModule::moduleInformation):
2475         (JSC::JSWebAssemblyModule::codeBlock):
2476         (JSC::JSWebAssemblyModule::source):
2477         (JSC::JSWebAssemblyModule::takeReservedMemory): Deleted.
2478         (JSC::JSWebAssemblyModule::codeBlockFor): Deleted.
2479         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2480         (JSC::constructJSWebAssemblyInstance):
2481         (JSC::WebAssemblyInstanceConstructor::createInstance): Deleted.
2482         * wasm/js/WebAssemblyModuleConstructor.cpp:
2483         (JSC::WebAssemblyModuleConstructor::createModule):
2484         * wasm/js/WebAssemblyModulePrototype.cpp:
2485         (JSC::webAssemblyModuleProtoImports):
2486         (JSC::webAssemblyModuleProtoExports):
2487         * wasm/js/WebAssemblyModuleRecord.cpp:
2488         (JSC::WebAssemblyModuleRecord::finishCreation):
2489         (JSC::WebAssemblyModuleRecord::link):
2490         (JSC::WebAssemblyModuleRecord::evaluate):
2491         * wasm/js/WebAssemblyModuleRecord.h:
2492
2493 2017-03-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2494
2495         WebAssembly: add fallback to use pinned register to load/store state
2496         https://bugs.webkit.org/show_bug.cgi?id=169773
2497
2498         Reviewed by Saam Barati.
2499
2500         This patch adds a new pinned register to hold JSWebAssemblyInstance,
2501         which is used to represent the context of running Wasm code.
2502         While we use fast TLS to hold the context on macOS, we do not have
2503         any system-reserved fast TLS slot on the other systems. The pinned
2504         register approach is used on these systems. These changes decouple
2505         the VM from the Wasm module to make the Wasm module position-independent code.
2506
2507         While using fast TLS could be beneficial on x64 systems, whose number of
2508         registers is relatively small, the pinned register approach could be
2509         beneficial on ARM64, which has plenty of registers. On macOS, we can
2510         switch the implementation with the runtime flag. Thus macOS port can
2511         compare the performance and decide which implementation is used after
2512         landing this patch.
2513
2514         * heap/MarkedBlock.h:
2515         (JSC::MarkedBlock::offsetOfVM):
2516         * jit/AssemblyHelpers.cpp:
2517         (JSC::AssemblyHelpers::loadWasmContext):
2518         (JSC::AssemblyHelpers::storeWasmContext):
2519         (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister):
2520         (JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister):
2521         * jit/AssemblyHelpers.h:
2522         (JSC::AssemblyHelpers::loadWasmContext): Deleted.
2523         (JSC::AssemblyHelpers::storeWasmContext): Deleted.
2524         (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister): Deleted.
2525         (JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister): Deleted.
2526         * jit/Repatch.cpp:
2527         (JSC::webAssemblyOwner):
2528         (JSC::linkFor):
2529         (JSC::linkPolymorphicCall):
2530         (JSC::isWebAssemblyToJSCallee): Deleted.
2531         * jit/ThunkGenerators.cpp:
2532         (JSC::throwExceptionFromWasmThunkGenerator):
2533         * llint/LLIntData.cpp:
2534         (JSC::LLInt::Data::performAssertions):
2535         * llint/LowLevelInterpreter.asm:
2536         * runtime/JSCell.cpp:
2537         (JSC::JSCell::isAnyWasmCallee):
2538         * runtime/JSCellInlines.h:
2539         (JSC::isWebAssemblyToJSCallee):
2540         * runtime/JSType.h:
2541         * runtime/StackFrame.cpp:
2542         (JSC::StackFrame::functionName):
2543         * runtime/VM.cpp:
2544         (JSC::VM::VM):
2545         * runtime/VM.h:
2546         (JSC::VM::wasmContextOffset):
2547         * wasm/WasmB3IRGenerator.cpp:
2548         (JSC::Wasm::B3IRGenerator::materializeWasmContext):
2549         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
2550         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2551         (JSC::Wasm::getMemoryBaseAndSize):
2552         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2553         (JSC::Wasm::createJSToWasmWrapper):
2554         (JSC::Wasm::loadWasmContext): Deleted.
2555         (JSC::Wasm::storeWasmContext): Deleted.
2556         (JSC::Wasm::restoreWebAssemblyGlobalState): Deleted.
2557         * wasm/WasmBinding.cpp:
2558         (JSC::Wasm::wasmToJs):
2559         * wasm/WasmContext.cpp:
2560         (JSC::loadWasmContext):
2561         (JSC::storeWasmContext):
2562         * wasm/WasmContext.h:
2563         * wasm/WasmMemoryInformation.cpp:
2564         (JSC::Wasm::getPinnedRegisters):
2565         (JSC::Wasm::PinnedRegisterInfo::get):
2566         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
2567         * wasm/WasmMemoryInformation.h:
2568         (JSC::Wasm::PinnedRegisterInfo::toSave):
2569         (JSC::Wasm::useFastTLS):
2570         (JSC::Wasm::useFastTLSForWasmContext):
2571         * wasm/js/JSWebAssemblyInstance.cpp:
2572         (JSC::JSWebAssemblyInstance::finishCreation):
2573         (JSC::JSWebAssemblyInstance::visitChildren):
2574         * wasm/js/JSWebAssemblyInstance.h:
2575         (JSC::JSWebAssemblyInstance::offsetOfCallee):
2576         * wasm/js/JSWebAssemblyModule.cpp:
2577         (JSC::JSWebAssemblyModule::finishCreation):
2578         (JSC::JSWebAssemblyModule::visitChildren):
2579         * wasm/js/JSWebAssemblyModule.h:
2580         (JSC::JSWebAssemblyModule::callee):
2581         * wasm/js/WebAssemblyFunction.cpp:
2582         (JSC::callWebAssemblyFunction):
2583         (JSC::WebAssemblyFunction::create):
2584         * wasm/js/WebAssemblyToJSCallee.cpp:
2585         (JSC::WebAssemblyToJSCallee::create):
2586         (JSC::WebAssemblyToJSCallee::createStructure):
2587         (JSC::WebAssemblyToJSCallee::finishCreation):
2588         (JSC::WebAssemblyToJSCallee::visitChildren):
2589         (JSC::WebAssemblyToJSCallee::destroy): Deleted.
2590         * wasm/js/WebAssemblyToJSCallee.h:
2591
2592 2017-03-28  Brian Burg  <bburg@apple.com>
2593
2594         Web Inspector: Add "Disable Caches" option that only applies to the inspected page while Web Inspector is open
2595         https://bugs.webkit.org/show_bug.cgi?id=169865
2596         <rdar://problem/31250573>
2597
2598         Reviewed by Joseph Pecoraro.
2599
2600         * inspector/protocol/Network.json:
2601         Rename the command for disabling resource caching to match the WebCore::Page
2602         flag. This also removes the possibility that this could be confused with the old,
2603         buggy command that this patch rips out.
2604
2605 2017-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2606
2607         [JSC] Move platformThreadSignal to WTF
2608         https://bugs.webkit.org/show_bug.cgi?id=170097
2609
2610         Reviewed by Mark Lam.
2611
2612         It is a small clean-up towards https://bugs.webkit.org/show_bug.cgi?id=170027.
2613         platformThreadSignal uses PlatformThread in JSC, but it can be implemented with
2614         WTF's ThreadIdentifier.
2615
2616         * runtime/JSLock.cpp:
2617         (JSC::JSLock::lock):
2618         * runtime/JSLock.h:
2619         (JSC::JSLock::ownerThread):
2620         (JSC::JSLock::currentThreadIsHoldingLock):
2621         * runtime/PlatformThread.h:
2622         (JSC::platformThreadSignal): Deleted.
2623         * runtime/VM.h:
2624         (JSC::VM::ownerThread):
2625         * runtime/VMTraps.cpp:
2626         (JSC::VMTraps::SignalSender::send):
2627
2628 2017-03-28  JF Bastien  <jfbastien@apple.com>
2629
2630         WebAssembly: implement Module imports/exports
2631         https://bugs.webkit.org/show_bug.cgi?id=166982
2632
2633         Reviewed by Saam Barati.
2634
2635         As defined in: https://github.com/WebAssembly/design/commit/18cbacb90cd3584dd5c9aa3d392e4e55f66af6ab
2636
2637         * wasm/WasmFormat.h:
2638         (JSC::Wasm::makeString): use uppercase instead; it was only used
2639         for diagnostics but is now used for the expected JS property's
2640         capitalization
2641         * wasm/js/WebAssemblyModulePrototype.cpp:
2642         (JSC::webAssemblyModuleProtoImports):
2643         (JSC::webAssemblyModuleProtoExports):
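
The following is an added example and not JavaScriptCore's own code or tests. It exercises the JS API surface touched by two entries above: the 2017-03-28 "Make WebAssembly.instantiate/compile truly asynchronous" entry (the async compile/instantiate path, and the case it describes where a synchronous compile of the same bytes is demanded while an async one is still in flight) and the "implement Module imports/exports" entry (WebAssembly.Module.imports()/exports()). It runs offline in any WebAssembly-capable engine (Node.js or the jsc shell) on a hand-assembled module; the import name "env"."log", the export name "add" and all function names below are this example's own choices. The jsc CLI's asyncTest()/asyncTestPassed() helpers are not available in Node, so the async results are returned through promises instead.

```javascript
// Added example, not JavaScriptCore's code: exercises async compile/instantiate,
// the synchronous constructors that can race against it, Module.imports/exports,
// and the CompileError/LinkError failure modes, on a hand-assembled module.

// Constructed input: types (i32,i32)->i32 and (i32)->(); one imported function
// env.log of the second type; one defined function add of the first type, which
// logs its first argument and returns the sum; add is exported.
const MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,                   // "\0asm", version 1
  0x01, 0x0b, 0x02, 0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f,             // type 0: (i32,i32)->i32
              0x60, 0x01, 0x7f, 0x00,                               // type 1: (i32)->()
  0x02, 0x0b, 0x01, 0x03, 0x65, 0x6e, 0x76, 0x03, 0x6c, 0x6f, 0x67, // import "env"."log"
              0x00, 0x01,                                           //   kind func, type 1
  0x03, 0x02, 0x01, 0x00,                                           // one defined func, type 0
  0x07, 0x07, 0x01, 0x03, 0x61, 0x64, 0x64, 0x00, 0x01,             // export "add" = func 1
  0x0a, 0x0d, 0x01, 0x0b, 0x00,                                     // code: one body, no locals
              0x20, 0x00, 0x10, 0x00,                               //   local.get 0; call 0 (log)
              0x20, 0x00, 0x20, 0x01, 0x6a, 0x0b,                   //   local.get 0; local.get 1; i32.add; end
]);

// Import object satisfying the module; logged values are appended to sink.
function importsFor(sink) {
  return { env: { log: (v) => sink.push(v) } };
}

// Module.imports()/exports() reflect the binary's import/export sections.
function describeModule(module) {
  return {
    imports: WebAssembly.Module.imports(module),
    exports: WebAssembly.Module.exports(module),
  };
}

// Synchronous path: the constructor blocks the calling thread until compilation finishes.
function compileSync(bytes) {
  return new WebAssembly.Module(bytes);
}

// Asynchronous path: compile() and instantiate() return promises; the engine may do
// the work off the JS thread and resolve them later.
async function compileAndCallAsync(bytes, a, b) {
  const logged = [];
  const module = await WebAssembly.compile(bytes);
  const instance = await WebAssembly.instantiate(module, importsFor(logged));
  return { sum: instance.exports.add(a, b), logged };
}

// The overlap case: an async compile is in flight when a synchronous compile of the
// same bytes is demanded. Whether the engine finishes the pending work synchronously
// or compiles again, both resulting modules must behave identically.
async function raceAsyncAgainstSync(bytes) {
  const pending = WebAssembly.compile(bytes);
  const syncModule = compileSync(bytes);
  const asyncModule = await pending;
  const sink = [];
  const fromSync = new WebAssembly.Instance(syncModule, importsFor(sink)).exports.add(20, 22);
  const fromAsync = new WebAssembly.Instance(asyncModule, importsFor(sink)).exports.add(20, 22);
  return { fromSync, fromAsync };
}

// A corrupt binary must reject the promise with a CompileError rather than throw synchronously.
async function compileRejectsCorruptBytes(bytes) {
  const corrupt = Uint8Array.from(bytes);
  corrupt[4] = 0x02; // version field; only version 1 exists
  try {
    await WebAssembly.compile(corrupt);
    return false;
  } catch (e) {
    return e instanceof WebAssembly.CompileError;
  }
}

// An import object that is present but lacks the callable must fail with a LinkError.
function instantiateWithBadImport(module) {
  try {
    new WebAssembly.Instance(module, { env: {} }); // env.log missing
    return false;
  } catch (e) {
    return e instanceof WebAssembly.LinkError;
  }
}
```

The race helper is the closest a script can get to the Worklist scenario in the async entry: the synchronous constructor is issued while the promise from WebAssembly.compile() is still pending, which is exactly when the engine has to either finish the in-flight plan on the calling thread or start a second one.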
2644
2645 2017-03-27  JF Bastien  <jfbastien@apple.com>
2646
2647         WebAssembly: JSWebAssemblyCodeBlock.h belongs in JavaScriptCore/wasm/js not JavaScriptCore/wasm
2648         https://bugs.webkit.org/show_bug.cgi?id=170160
2649
2650         Reviewed by Mark Lam.
2651
2652         * JavaScriptCore.xcodeproj/project.pbxproj:
2653         * wasm/js/JSWebAssemblyCodeBlock.h: Renamed from Source/JavaScriptCore/wasm/JSWebAssemblyCodeBlock.h.
2654
2655 2017-03-27  JF Bastien  <jfbastien@apple.com>
2656
2657         WebAssembly: misc memory testing
2658         https://bugs.webkit.org/show_bug.cgi?id=170137
2659
2660         Reviewed by Keith Miller.
2661
2662         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2663         (JSC::WebAssemblyInstanceConstructor::createInstance): improve error messages
2664
2665 2017-03-27  Michael Saboff  <msaboff@apple.com>
2666
2667         Add ARM64 system instructions to disassembler
2668         https://bugs.webkit.org/show_bug.cgi?id=170084
2669
2670         Reviewed by Saam Barati.
2671
2672         This change adds support for MRS and MSR instructions, and refactors the DMB
2673         disassembly to handle all of the barrier instructions.
2674
2675         * disassembler/ARM64/A64DOpcode.cpp:
2676         (JSC::ARM64Disassembler::A64DOpcodeMSRImmediate::format):
2677         (JSC::ARM64Disassembler::A64DOpcodeMSROrMRSRegister::format):
2678         (JSC::ARM64Disassembler::A64DOpcodeSystemSync::format):
2679         (JSC::ARM64Disassembler::A64DOpcodeDmb::format): Deleted.
2680         * disassembler/ARM64/A64DOpcode.h:
2681         (JSC::ARM64Disassembler::A64DOpcodeSystem::lBit):
2682         (JSC::ARM64Disassembler::A64DOpcodeSystem::op0):
2683         (JSC::ARM64Disassembler::A64DOpcodeSystem::op1):
2684         (JSC::ARM64Disassembler::A64DOpcodeSystem::crN):
2685         (JSC::ARM64Disassembler::A64DOpcodeSystem::crM):
2686         (JSC::ARM64Disassembler::A64DOpcodeSystem::op2):
2687         (JSC::ARM64Disassembler::A64DOpcodeMSROrMRSRegister::opName):
2688         (JSC::ARM64Disassembler::A64DOpcodeMSROrMRSRegister::systemRegister):
2689         (JSC::ARM64Disassembler::A64DOpcodeSystemSync::opName):
2690         (JSC::ARM64Disassembler::A64DOpcodeSystemSync::option):
2691         (JSC::ARM64Disassembler::A64DOpcodeDmb::opName): Deleted.
2692         (JSC::ARM64Disassembler::A64DOpcodeDmb::option): Deleted.
2693         (JSC::ARM64Disassembler::A64DOpcodeDmb::crM): Deleted.
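
The field split listed above (L bit, op0, op1, CRn, CRm, op2, plus the MRS/MSR system-register and barrier-option views) is enough to write a small decoder. The following is an added example, not WebKit's disassembler: it slices an ARM64 "system" group instruction into those fields and prints MRS/MSR (register) and the barrier instructions. The system-register name table is an assumed small subset; anything not in it prints in the generic s<op0>_<op1>_c<CRn>_c<CRm>_<op2> form. MSR (immediate) and SYS/SYSL are deliberately left undecoded.

```javascript
// Added example (not WebKit's disassembler): decode the ARM64 "system" encoding
// group by slicing the same fields the A64DOpcodeSystem accessors expose
// (L bit, op0, op1, CRn, CRm, op2, Rt), then special-case MRS/MSR (register)
// and the barrier instructions.

// Known system registers keyed by "op0,op1,CRn,CRm,op2" (assumed subset).
const SYSTEM_REGISTERS = {
  '3,3,13,0,2': 'tpidr_el0',
  '3,3,13,0,3': 'tpidrro_el0',
  '3,3,4,2,0':  'nzcv',
  '3,0,0,0,0':  'midr_el1',
};

// Barrier option encoded in CRm for DMB/DSB.
const BARRIER_OPTIONS = {
  15: 'sy', 14: 'st', 13: 'ld', 11: 'ish', 10: 'ishst', 9: 'ishld',
  7: 'nsh', 6: 'nshst', 5: 'nshld', 3: 'osh', 2: 'oshst', 1: 'oshld',
};

function systemRegisterName(op0, op1, crN, crM, op2) {
  return SYSTEM_REGISTERS[`${op0},${op1},${crN},${crM},${op2}`]
    || `s${op0}_${op1}_c${crN}_c${crM}_${op2}`;
}

function gpr(rt) { return rt === 31 ? 'xzr' : `x${rt}`; }

// Returns the disassembly string, or null if `insn` is not a system
// instruction this decoder handles (MSR immediate and SYS/SYSL are left out).
function decodeSystem(insn) {
  insn >>>= 0;
  if ((insn >>> 22) !== 0b1101010100) return null;   // bits[31:22] of the system group
  const lBit = (insn >>> 21) & 1;   // 1 = MRS (read), 0 = MSR (write) / other
  const op0  = (insn >>> 19) & 3;
  const op1  = (insn >>> 16) & 7;
  const crN  = (insn >>> 12) & 0xf;
  const crM  = (insn >>> 8) & 0xf;
  const op2  = (insn >>> 5) & 7;
  const rt   = insn & 0x1f;

  // MRS / MSR (register): op0 is 2 or 3; the L bit selects the direction.
  if (op0 >= 2) {
    const reg = systemRegisterName(op0, op1, crN, crM, op2);
    return lBit ? `mrs ${gpr(rt)}, ${reg}` : `msr ${reg}, ${gpr(rt)}`;
  }

  // Barriers: L=0, op0=0, op1=3, CRn=3, Rt=31; op2 picks the instruction.
  if (lBit === 0 && op0 === 0 && op1 === 3 && crN === 3 && rt === 31) {
    const option = BARRIER_OPTIONS[crM] || `#${crM}`;
    switch (op2) {
      case 2: return 'clrex';
      case 4: return `dsb ${option}`;
      case 5: return `dmb ${option}`;
      case 6: return crM === 15 ? 'isb' : `isb #${crM}`;
    }
  }
  return null;
}

// Constructed sample encodings: mrs x0, tpidr_el0; msr tpidr_el0, x1; dmb ish; isb;
// and a read of an ID register not in the table above.
for (const insn of [0xD53BD040, 0xD51BD041, 0xD5033BBF, 0xD5033FDF, 0xD5380402]) {
  console.log(insn.toString(16), '->', decodeSystem(insn));
}
```

The generic fallback matters more than the table: a disassembler used while auditing JIT output must never silently mislabel an unknown system register, so printing the raw op0/op1/CRn/CRm/op2 tuple is the safe default.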
2694
2695 2017-03-26  Filip Pizlo  <fpizlo@apple.com>
2696
2697         B3::fixSSA should do liveness pruning
2698         https://bugs.webkit.org/show_bug.cgi?id=170111
2699
2700         Reviewed by Saam Barati.
2701         
2702         This moves all of the logic of Air::Liveness<> to WTF::Liveness<> and then uses that to
2703         create B3::VariableLiveness. Then this uses VariableLiveness::LiveAtHead to prune Phi
2704         construction.
2705         
2706         This makes B3::fixSSA run twice as fast. This is a 13% progression on WasmBench compile
2707         times.
2708
2709         * CMakeLists.txt:
2710         * JavaScriptCore.xcodeproj/project.pbxproj:
2711         * b3/B3BasicBlock.h:
2712         (JSC::B3::BasicBlock::get):
2713         * b3/B3FixSSA.cpp:
2714         (JSC::B3::fixSSA):
2715         * b3/B3VariableLiveness.cpp: Added.
2716         (JSC::B3::VariableLiveness::VariableLiveness):
2717         (JSC::B3::VariableLiveness::~VariableLiveness):
2718         * b3/B3VariableLiveness.h: Added.
2719         (JSC::B3::VariableLivenessAdapter::VariableLivenessAdapter):
2720         (JSC::B3::VariableLivenessAdapter::numIndices):
2721         (JSC::B3::VariableLivenessAdapter::valueToIndex):
2722         (JSC::B3::VariableLivenessAdapter::indexToValue):
2723         (JSC::B3::VariableLivenessAdapter::blockSize):
2724         (JSC::B3::VariableLivenessAdapter::forEachEarlyUse):
2725         (JSC::B3::VariableLivenessAdapter::forEachLateUse):
2726         (JSC::B3::VariableLivenessAdapter::forEachEarlyDef):
2727         (JSC::B3::VariableLivenessAdapter::forEachLateDef):
2728         * b3/air/AirCFG.h: Added.
2729         (JSC::B3::Air::CFG::CFG):
2730         (JSC::B3::Air::CFG::root):
2731         (JSC::B3::Air::CFG::newMap):
2732         (JSC::B3::Air::CFG::successors):
2733         (JSC::B3::Air::CFG::predecessors):
2734         (JSC::B3::Air::CFG::index):
2735         (JSC::B3::Air::CFG::node):
2736         (JSC::B3::Air::CFG::numNodes):
2737         (JSC::B3::Air::CFG::dump):
2738         * b3/air/AirCode.cpp:
2739         (JSC::B3::Air::Code::Code):
2740         * b3/air/AirCode.h:
2741         (JSC::B3::Air::Code::cfg):
2742         * b3/air/AirLiveness.h:
2743         (JSC::B3::Air::LivenessAdapter::LivenessAdapter):
2744         (JSC::B3::Air::LivenessAdapter::blockSize):
2745         (JSC::B3::Air::LivenessAdapter::forEachEarlyUse):
2746         (JSC::B3::Air::LivenessAdapter::forEachLateUse):
2747         (JSC::B3::Air::LivenessAdapter::forEachEarlyDef):
2748         (JSC::B3::Air::LivenessAdapter::forEachLateDef):
2749         (JSC::B3::Air::TmpLivenessAdapter::TmpLivenessAdapter):
2750         (JSC::B3::Air::TmpLivenessAdapter::numIndices):
2751         (JSC::B3::Air::StackSlotLivenessAdapter::StackSlotLivenessAdapter):
2752         (JSC::B3::Air::StackSlotLivenessAdapter::numIndices):
2753         (JSC::B3::Air::StackSlotLivenessAdapter::indexToValue):
2754         (JSC::B3::Air::Liveness::Liveness):
2755         (JSC::B3::Air::Liveness::LocalCalc::LocalCalc): Deleted.
2756         (JSC::B3::Air::Liveness::LocalCalc::Iterable::Iterable): Deleted.
2757         (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::iterator): Deleted.
2758         (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator++): Deleted.
2759         (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator*): Deleted.
2760         (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator==): Deleted.
2761         (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator!=): Deleted.
2762         (JSC::B3::Air::Liveness::LocalCalc::Iterable::begin): Deleted.
2763         (JSC::B3::Air::Liveness::LocalCalc::Iterable::end): Deleted.
2764         (JSC::B3::Air::Liveness::LocalCalc::Iterable::contains): Deleted.
2765         (JSC::B3::Air::Liveness::LocalCalc::live): Deleted.
2766         (JSC::B3::Air::Liveness::LocalCalc::isLive): Deleted.
2767         (JSC::B3::Air::Liveness::LocalCalc::execute): Deleted.
2768         (JSC::B3::Air::Liveness::rawLiveAtHead): Deleted.
2769         (JSC::B3::Air::Liveness::Iterable::Iterable): Deleted.
2770         (JSC::B3::Air::Liveness::Iterable::iterator::iterator): Deleted.
2771         (JSC::B3::Air::Liveness::Iterable::iterator::operator*): Deleted.
2772         (JSC::B3::Air::Liveness::Iterable::iterator::operator++): Deleted.
2773         (JSC::B3::Air::Liveness::Iterable::iterator::operator==): Deleted.
2774         (JSC::B3::Air::Liveness::Iterable::iterator::operator!=): Deleted.
2775         (JSC::B3::Air::Liveness::Iterable::begin): Deleted.
2776         (JSC::B3::Air::Liveness::Iterable::end): Deleted.
2777         (JSC::B3::Air::Liveness::Iterable::contains): Deleted.
2778         (JSC::B3::Air::Liveness::liveAtHead): Deleted.
2779         (JSC::B3::Air::Liveness::liveAtTail): Deleted.
2780         (JSC::B3::Air::Liveness::workset): Deleted.
2781
2782 2017-03-25  Filip Pizlo  <fpizlo@apple.com>
2783
2784         Air::Liveness shouldn't need HashSets
2785         https://bugs.webkit.org/show_bug.cgi?id=170102
2786
2787         Reviewed by Yusuke Suzuki.
2788         
2789         This converts Air::Liveness<> to no longer use HashSets or BitVectors. This turns out to be
2790         easy because it's cheap enough to do a sorted merge of the things being added to liveAtHead and
2791         the things in the predecessors' liveAtTail. This turns out to be faster - it's a 2% overall
2792         compile time progression on WasmBench.
2793         
2794         * b3/B3LowerToAir.cpp:
2795         (JSC::B3::Air::LowerToAir::lower): Add a FIXME unrelated to this patch.
2796         * b3/air/AirLiveness.h:
2797         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
2798         (JSC::B3::Air::AbstractLiveness::LocalCalc::LocalCalc):
2799         (JSC::B3::Air::AbstractLiveness::rawLiveAtHead):
2800         (JSC::B3::Air::AbstractLiveness::liveAtHead):
2801         (JSC::B3::Air::AbstractLiveness::liveAtTail):
2802         * b3/air/AirTmp.h:
2803         (JSC::B3::Air::Tmp::bank):
2804         (JSC::B3::Air::Tmp::tmpIndex):
2805         * dfg/DFGStoreBarrierClusteringPhase.cpp:
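
The two entries above describe the same machinery from two sides: liveness computed over sorted arrays rather than hash sets, and liveAtHead used to avoid creating Phis for variables that are dead at a block's entry. The following is an added example, not JSC code: a backward liveness pass over a constructed four-block CFG using sorted integer arrays with a merge-style union, followed by phi placement with and without liveness pruning. Phi candidates are placed at every join block for every variable defined in more than one block, a deliberately crude rule (B3 uses dominance frontiers) so that the example can concentrate on the pruning step.

```javascript
// Added example (not JSC's own code): backward liveness over a tiny CFG with
// live sets kept as sorted integer arrays, then liveness-pruned phi placement.

// Sorted-set helpers over ascending arrays of small integers (variable indices).
function sortedUnion(a, b) {
  const out = [];
  let i = 0, j = 0;
  while (i < a.length && j < b.length) {
    if (a[i] < b[j]) out.push(a[i++]);
    else if (a[i] > b[j]) out.push(b[j++]);
    else { out.push(a[i]); i++; j++; }
  }
  while (i < a.length) out.push(a[i++]);
  while (j < b.length) out.push(b[j++]);
  return out;
}

function sortedDifference(a, b) {
  const out = [];
  let j = 0;
  for (const v of a) {
    while (j < b.length && b[j] < v) j++;
    if (j === b.length || b[j] !== v) out.push(v);
  }
  return out;
}

function sameSet(a, b) {
  return a.length === b.length && a.every((v, k) => v === b[k]);
}

// Each block: { succs: [blockIndex...], insts: [{ uses: [...], defs: [...] }] }
// with uses/defs already sorted. Returns liveAtHead/liveAtTail per block.
function computeLiveness(blocks) {
  const liveAtHead = blocks.map(() => []);
  const liveAtTail = blocks.map(() => []);
  let changed = true;
  while (changed) {               // iterate to a fixpoint
    changed = false;
    for (let b = blocks.length - 1; b >= 0; b--) {
      let live = [];
      for (const s of blocks[b].succs) live = sortedUnion(live, liveAtHead[s]);
      liveAtTail[b] = live;
      // Walk the block backwards: live_in = uses U (live_out - defs).
      for (let k = blocks[b].insts.length - 1; k >= 0; k--) {
        const inst = blocks[b].insts[k];
        live = sortedUnion(sortedDifference(live, inst.defs), inst.uses);
      }
      if (!sameSet(live, liveAtHead[b])) { liveAtHead[b] = live; changed = true; }
    }
  }
  return { liveAtHead, liveAtTail };
}

// Place phis at join blocks; with prune=true, skip variables not live at head.
function placePhis(blocks, liveAtHead, prune) {
  const preds = blocks.map(() => []);
  blocks.forEach((blk, b) => blk.succs.forEach((s) => preds[s].push(b)));
  const defSites = new Map();     // variable -> Set of defining blocks
  blocks.forEach((blk, b) => blk.insts.forEach((inst) => inst.defs.forEach((v) => {
    if (!defSites.has(v)) defSites.set(v, new Set());
    defSites.get(v).add(b);
  })));
  const phis = [];
  blocks.forEach((blk, b) => {
    if (preds[b].length < 2) return;               // not a join block
    for (const [v, sites] of defSites) {
      if (sites.size < 2) continue;                // single definition, no merge needed
      if (prune && !liveAtHead[b].includes(v)) continue;  // dead at entry: no phi
      phis.push({ block: b, variable: v });
    }
  });
  return phis;
}

// Constructed sample CFG: B0 -> B1 (loop header) -> { B2 -> B1, B3 (exit) }.
const VAR_X = 0, VAR_Y = 1, VAR_Z = 2;
const sampleBlocks = [
  { succs: [1],    insts: [{ uses: [], defs: [VAR_X] }, { uses: [], defs: [VAR_Y] }, { uses: [], defs: [VAR_Z] }] },
  { succs: [2, 3], insts: [{ uses: [VAR_X], defs: [] }] },
  { succs: [1],    insts: [{ uses: [], defs: [VAR_Y] }, { uses: [VAR_Y], defs: [] }, { uses: [], defs: [VAR_Z] }] },
  { succs: [],     insts: [{ uses: [VAR_X, VAR_Z], defs: [] }] },
];

const sampleLiveness = computeLiveness(sampleBlocks);
console.log('liveAtHead:', JSON.stringify(sampleLiveness.liveAtHead));
console.log('unpruned phis:', JSON.stringify(placePhis(sampleBlocks, sampleLiveness.liveAtHead, false)));
console.log('pruned phis:', JSON.stringify(placePhis(sampleBlocks, sampleLiveness.liveAtHead, true)));
```

In the sample, y is redefined in B2 before it is read again, so it is dead at the head of B1 and the pruned placement drops its phi, while z flows out to B3 and keeps one.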
2806
2807 2017-03-26  Filip Pizlo  <fpizlo@apple.com>
2808
2809         Air should use RegisterSet for RegLiveness
2810         https://bugs.webkit.org/show_bug.cgi?id=170108
2811
2812         Reviewed by Yusuke Suzuki.
2813         
2814         The biggest change here is the introduction of the new RegLiveness class. This is a
2815         drop-in replacement for the old RegLiveness, which was a specialization of
2816         AbstractLiveness<>, but it's about 30% faster. It gets its speed boost from just using
2817         sets everywhere, which is efficient for registers since RegisterSet is just two (on
2818         x86-64) or three 32-bit (on ARM64) statically allocated words. This looks like a 1%
2819         compile time progression on WasmBench.
2820
2821         * CMakeLists.txt:
2822         * JavaScriptCore.xcodeproj/project.pbxproj:
2823         * b3/B3TimingScope.cpp: Records phase timing totals.
2824         (JSC::B3::TimingScope::TimingScope):
2825         (JSC::B3::TimingScope::~TimingScope):
2826         * b3/B3TimingScope.h:
2827         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
2828         (JSC::B3::Air::allocateRegistersByGraphColoring):
2829         * b3/air/AirLiveness.h: Move code around and rename a bit to make it more like RegLiveness; in particular we want the `iterator` to be called `iterator` not `Iterator`, and we want it to be internal to its iterable. Also rename this template to Liveness, to match the header filename.
2830         (JSC::B3::Air::Liveness::Liveness):
2831         (JSC::B3::Air::Liveness::LocalCalc::LocalCalc):
2832         (JSC::B3::Air::Liveness::LocalCalc::Iterable::Iterable):
2833         (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::iterator):
2834         (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator++):
2835         (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator*):
2836         (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator==):
2837         (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator!=):
2838         (JSC::B3::Air::Liveness::LocalCalc::Iterable::begin):
2839         (JSC::B3::Air::Liveness::LocalCalc::Iterable::end):
2840         (JSC::B3::Air::Liveness::Iterable::Iterable):
2841         (JSC::B3::Air::Liveness::Iterable::iterator::iterator):
2842         (JSC::B3::Air::RegLivenessAdapter::RegLivenessAdapter): Deleted.
2843         (JSC::B3::Air::RegLivenessAdapter::numIndices): Deleted.
2844         (JSC::B3::Air::RegLivenessAdapter::acceptsBank): Deleted.
2845         (JSC::B3::Air::RegLivenessAdapter::acceptsRole): Deleted.
2846         (JSC::B3::Air::RegLivenessAdapter::valueToIndex): Deleted.
2847         (JSC::B3::Air::RegLivenessAdapter::indexToValue): Deleted.
2848         (JSC::B3::Air::AbstractLiveness::AbstractLiveness): Deleted.
2849         (JSC::B3::Air::AbstractLiveness::LocalCalc::LocalCalc): Deleted.
2850         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::Iterator): Deleted.
2851         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::operator++): Deleted.
2852         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::operator*): Deleted.
2853         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::operator==): Deleted.
2854         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::operator!=): Deleted.
2855         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::Iterable): Deleted.
2856         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::begin): Deleted.
2857         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::end): Deleted.
2858         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::contains): Deleted.
2859         (JSC::B3::Air::AbstractLiveness::LocalCalc::live): Deleted.
2860         (JSC::B3::Air::AbstractLiveness::LocalCalc::isLive): Deleted.
2861         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute): Deleted.
2862         (JSC::B3::Air::AbstractLiveness::rawLiveAtHead): Deleted.
2863         (JSC::B3::Air::AbstractLiveness::Iterable::Iterable): Deleted.
2864         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::iterator): Deleted.
2865         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator*): Deleted.
2866         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator++): Deleted.
2867         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator==): Deleted.
2868         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator!=): Deleted.
2869         (JSC::B3::Air::AbstractLiveness::Iterable::begin): Deleted.
2870         (JSC::B3::Air::AbstractLiveness::Iterable::end): Deleted.
2871         (JSC::B3::Air::AbstractLiveness::Iterable::contains): Deleted.
2872         (JSC::B3::Air::AbstractLiveness::liveAtHead): Deleted.
2873         (JSC::B3::Air::AbstractLiveness::liveAtTail): Deleted.
2874         (JSC::B3::Air::AbstractLiveness::workset): Deleted.
2875         * b3/air/AirLogRegisterPressure.cpp:
2876         * b3/air/AirLowerAfterRegAlloc.cpp:
2877         * b3/air/AirRegLiveness.cpp: Added.
2878         (JSC::B3::Air::RegLiveness::RegLiveness):
2879         (JSC::B3::Air::RegLiveness::~RegLiveness):
2880         (JSC::B3::Air::RegLiveness::LocalCalc::execute):
2881         * b3/air/AirRegLiveness.h: Added.
2882         (JSC::B3::Air::RegLiveness::LocalCalc::LocalCalc):
2883         (JSC::B3::Air::RegLiveness::LocalCalc::live):
2884         (JSC::B3::Air::RegLiveness::LocalCalc::isLive):
2885         (JSC::B3::Air::RegLiveness::liveAtHead):
2886         (JSC::B3::Air::RegLiveness::liveAtTail):
2887         * b3/air/AirReportUsedRegisters.cpp:
2888         * jit/RegisterSet.h:
2889         (JSC::RegisterSet::add):
2890         (JSC::RegisterSet::remove):
2891         (JSC::RegisterSet::contains):
2892         (JSC::RegisterSet::subsumes):
2893         (JSC::RegisterSet::iterator::iterator):
2894         (JSC::RegisterSet::iterator::operator*):
2895         (JSC::RegisterSet::iterator::operator++):
2896         (JSC::RegisterSet::iterator::operator==):
2897         (JSC::RegisterSet::iterator::operator!=):
2898         (JSC::RegisterSet::begin):
2899         (JSC::RegisterSet::end):
2900
2901 2017-03-25  Filip Pizlo  <fpizlo@apple.com>
2902
2903         Fix wasm by returning after we do TLS.
2904
2905         Rubber stamped by Keith Miller.
2906
2907         * jit/AssemblyHelpers.h:
2908         (JSC::AssemblyHelpers::storeWasmContext):
2909
2910 2017-03-24  Mark Lam  <mark.lam@apple.com>
2911
2912         Add some instrumentation in Heap::resumeThePeriphery() to help debug an issue.
2913         https://bugs.webkit.org/show_bug.cgi?id=170086
2914         <rdar://problem/31253673>
2915
2916         Reviewed by Saam Barati.
2917
2918         Adding some instrumentation in Heap::resumeThePeriphery() to dump some Heap state
2919         just before we RELEASE_ASSERT_NOT_REACHED.
2920
2921         * heap/Heap.cpp:
2922         (JSC::Heap::resumeThePeriphery):
2923
2924 2017-03-24  JF Bastien  <jfbastien@apple.com>
2925
2926         WebAssembly: store state in TLS instead of on VM
2927         https://bugs.webkit.org/show_bug.cgi?id=169611
2928
2929         Reviewed by Filip Pizlo.
2930
2931         Using thread-local storage instead of VM makes code more position
2932         independent. We used to store the WebAssembly top Instance (the
2933         latest one in the call stack) on VM, now we instead store it in
2934         TLS. This top Instance is used to access a bunch of state such as
2935         Memory location, size, table (for call_indirect), etc.
2936
2937         Instead of calling it "top", which is confusing, we now just call
2938         it WasmContext.
2939
2940         Making the code PIC means future patches will be able to
2941         postMessage and structured clone into IDB without having to
2942         recompile the code. This wasn't possible before because we
2943         hard-coded the address of VM at compilation time. That doesn't
2944         work between workers, and doesn't work across reloads (which IDB
2945         is intended to do).
2946
2947         It'll also potentially make code faster once we start tuning
2948         what's in TLS, what's in which of the 4 free slots, and what's in
2949         pinned registers. I'm leaving this tuning for later because
2950         there's lower lying fruit for us to pick.
2951
2952         * CMakeLists.txt:
2953         * JavaScriptCore.xcodeproj/project.pbxproj:
2954         * assembler/AbstractMacroAssembler.h:
2955         * assembler/AllowMacroScratchRegisterUsageIf.h: Copied from assembler/AllowMacroScratchRegisterUsage.h.
2956         (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
2957         (JSC::AllowMacroScratchRegisterUsageIf::~AllowMacroScratchRegisterUsageIf):
2958         * assembler/MacroAssembler.h:
2959         (JSC::MacroAssembler::storeToTLSPtr): we previously didn't have
2960         the code required to store to TLS, only to load
2961         * assembler/MacroAssemblerARM64.h:
2962         (JSC::MacroAssemblerARM64::loadFromTLSPtrNeedsMacroScratchRegister):
2963         (JSC::MacroAssemblerARM64::storeToTLS32):
2964         (JSC::MacroAssemblerARM64::storeToTLS64):
2965         (JSC::MacroAssemblerARM64::storeToTLSPtrNeedsMacroScratchRegister):
2966         * assembler/MacroAssemblerX86Common.h:
2967         (JSC::MacroAssemblerX86Common::loadFromTLSPtrNeedsMacroScratchRegister):
2968         (JSC::MacroAssemblerX86Common::storeToTLS32):
2969         (JSC::MacroAssemblerX86Common::storeToTLSPtrNeedsMacroScratchRegister):
2970         * assembler/MacroAssemblerX86_64.h:
2971         (JSC::MacroAssemblerX86_64::loadFromTLS64): was loading 32-bit instead of 64-bit
2972         (JSC::MacroAssemblerX86_64::storeToTLS64):
2973         * assembler/X86Assembler.h:
2974         (JSC::X86Assembler::movl_rm):
2975         (JSC::X86Assembler::movq_rm):
2976         * b3/testb3.cpp:
2977         (JSC::B3::testFastTLSLoad):
2978         (JSC::B3::testFastTLSStore):
2979         (JSC::B3::run):
2980         * jit/AssemblyHelpers.h:
2981         (JSC::AssemblyHelpers::loadWasmContext):
2982         (JSC::AssemblyHelpers::storeWasmContext):
2983         (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister):
2984         (JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister):
2985         * jit/Repatch.cpp:
2986         (JSC::webAssemblyOwner):
2987         * jit/ThunkGenerators.cpp:
2988         (JSC::throwExceptionFromWasmThunkGenerator):
2989         * runtime/Options.h:
2990         * runtime/VM.cpp:
2991         (JSC::VM::VM):
2992         * runtime/VM.h:
2993         * wasm/WasmB3IRGenerator.cpp:
2994         (JSC::Wasm::loadWasmContext):
2995         (JSC::Wasm::storeWasmContext):
2996         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2997         (JSC::Wasm::getMemoryBaseAndSize):
2998         (JSC::Wasm::restoreWebAssemblyGlobalState):
2999         (JSC::Wasm::createJSToWasmWrapper):
3000         (JSC::Wasm::parseAndCompile):
3001         * wasm/WasmBinding.cpp:
3002         (JSC::Wasm::materializeImportJSCell):
3003         (JSC::Wasm::wasmToJs):
3004         (JSC::Wasm::wasmToWasm):
3005         * wasm/WasmContext.cpp: Added.
3006         (JSC::loadWasmContext):
3007         (JSC::storeWasmContext):
3008         * wasm/WasmContext.h: Added. Replaces "top" JSWebAssemblyInstance.
3009         * wasm/js/WebAssemblyFunction.cpp:
3010         (JSC::callWebAssemblyFunction):
3011         * wasm/js/WebAssemblyInstanceConstructor.h:
3012
3013 2017-03-24  JF Bastien  <jfbastien@apple.com>
3014
3015         WebAssembly: spec-tests/memory.wast.js fails in debug
3016         https://bugs.webkit.org/show_bug.cgi?id=169794
3017
3018         Reviewed by Keith Miller.
3019
3020         The failure was due to empty memories (with maximum size 0). Those
3021         only occur in tests and in code that's trying to trip us. This
3022         patch adds memory mode "none" which represents no memory. It can
3023         work with either bounds checked or signaling code because it never
3024         contains loads and stores.
3025
3026         The spec tests which were failing did the following:
3027             > (module (memory (data)) (func (export "memsize") (result i32) (current_memory)))
3028             > (assert_return (invoke "memsize") (i32.const 0))
3029             > (module (memory (data "")) (func (export "memsize") (result i32) (current_memory)))
3030             > (assert_return (invoke "memsize") (i32.const 0))
3031             > (module (memory (data "x")) (func (export "memsize") (result i32) (current_memory)))
3032             > (assert_return (invoke "memsize") (i32.const 1))
3033
3034         * wasm/WasmB3IRGenerator.cpp:
3035         (JSC::Wasm::B3IRGenerator::memoryKind):
3036         * wasm/WasmMemory.cpp:
3037         (JSC::Wasm::tryGetFastMemory):
3038         (JSC::Wasm::releaseFastMemory):
3039         (JSC::Wasm::Memory::Memory):
3040         (JSC::Wasm::Memory::createImpl):
3041         (JSC::Wasm::Memory::create):
3042         (JSC::Wasm::Memory::grow):
3043         (JSC::Wasm::Memory::makeString):
3044         * wasm/WasmMemory.h:
3045         * wasm/WasmMemoryInformation.cpp:
3046         (JSC::Wasm::MemoryInformation::MemoryInformation):
3047         * wasm/js/JSWebAssemblyCodeBlock.cpp:
3048         (JSC::JSWebAssemblyCodeBlock::isSafeToRun):
3049         * wasm/js/JSWebAssemblyModule.cpp:
3050         (JSC::JSWebAssemblyModule::codeBlock):
3051         (JSC::JSWebAssemblyModule::finishCreation):
3052         * wasm/js/JSWebAssemblyModule.h:
3053         (JSC::JSWebAssemblyModule::codeBlock):
3054         (JSC::JSWebAssemblyModule::codeBlockFor):
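
The spec tests quoted above are easiest to reproduce without a text-format toolchain by assembling the module bytes directly. The following is an added example, not JSC code: it hand-assembles a module equivalent to (module (memory <min> <max>) (func (export "memsize") (result i32) (current_memory))), instantiates it through the JS API (Node's WebAssembly object is assumed; any engine with the JS API behaves the same) and shows what an empty memory with maximum size 0 reports, and that it can never grow, which is why no load or store can ever succeed in it.

```javascript
// Added example (not JSC's own code): build a minimal wasm binary with a memory
// of the given limits and a "memsize" export that executes current_memory.

// Unsigned LEB128 (sufficient for the small counts used here).
function uleb128(n) {
  const out = [];
  do {
    let byte = n & 0x7f;
    n >>>= 7;
    if (n !== 0) byte |= 0x80;
    out.push(byte);
  } while (n !== 0);
  return out;
}

const wasmSection = (id, contents) => [id, ...uleb128(contents.length), ...contents];
const wasmName = (s) => [...uleb128(s.length), ...Array.from(s, (c) => c.charCodeAt(0))];

function buildModule(minPages, maxPages) {
  const typeSec   = wasmSection(1, [1, 0x60, 0, 1, 0x7f]);          // one type: () -> i32
  const funcSec   = wasmSection(3, [1, 0]);                          // one function using type 0
  const memSec    = wasmSection(5, [1, 0x01, ...uleb128(minPages), ...uleb128(maxPages)]); // limits with a maximum
  const exportSec = wasmSection(7, [2, ...wasmName('memsize'), 0x00, 0,   // export func 0 as "memsize"
                                       ...wasmName('mem'), 0x02, 0]);     // export memory 0 as "mem"
  const body      = [0, 0x3f, 0x00, 0x0b];                           // no locals; current_memory; end
  const codeSec   = wasmSection(10, [1, ...uleb128(body.length), ...body]);
  return new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,   // "\0asm", version 1
                         ...typeSec, ...funcSec, ...memSec, ...exportSec, ...codeSec]);
}

function instantiate(minPages, maxPages) {
  return new WebAssembly.Instance(new WebAssembly.Module(buildModule(minPages, maxPages)), {});
}

// What the module sees for its own memory: current_memory in pages, and the
// byte length of the buffer exposed to JS.
function memsize(minPages, maxPages) {
  const instance = instantiate(minPages, maxPages);
  return { pages: instance.exports.memsize(), byteLength: instance.exports.mem.buffer.byteLength };
}

// Growing past the declared maximum throws RangeError; with maximum 0 that is
// every grow, so the memory stays empty for the lifetime of the instance.
function canGrow(minPages, maxPages) {
  const instance = instantiate(minPages, maxPages);
  try {
    instance.exports.mem.grow(1);
    return true;
  } catch (e) {
    if (e instanceof RangeError) return false;
    throw e;
  }
}

console.log('memory 0..0:', memsize(0, 0));   // 0 pages, 0 bytes
console.log('memory 1..1:', memsize(1, 1));   // 1 page, 65536 bytes
console.log('grow allowed 0..0 / 0..1:', canGrow(0, 0), canGrow(0, 1));
```

The (memory (data "x")) case in the spec test corresponds to limits of one page; the example skips data segments because the point here is only what current_memory reports for the empty and non-empty cases.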
3055
3056 2017-03-24  Mark Lam  <mark.lam@apple.com>
3057
3058         Array memcpy'ing fast paths should check if we're having a bad time if they cannot handle it.
3059         https://bugs.webkit.org/show_bug.cgi?id=170064
3060         <rdar://problem/31246098>
3061
3062         Reviewed by Geoffrey Garen.
3063
3064         * runtime/ArrayPrototype.cpp:
3065         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3066         * runtime/JSArray.cpp:
3067         (JSC::JSArray::fastSlice):
3068
3069 2017-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3070
3071         [JSC] Use jsNontrivialString aggressively for ToString(Int52)
3072         https://bugs.webkit.org/show_bug.cgi?id=170002
3073
3074         Reviewed by Sam Weinig.
3075
3076         We use the same logic used for Int32 to use jsNontrivialString.
3077         After the single-character check, the produced string is always longer than 1 character.
3078         Thus, we can use jsNontrivialString.
3079
3080         * runtime/NumberPrototype.cpp:
3081         (JSC::int52ToString):
3082
3083 2017-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3084
3085         [JSC] Use WeakRandom for SamplingProfiler interval fluctuation
3086         https://bugs.webkit.org/show_bug.cgi?id=170045
3087
3088         Reviewed by Mark Lam.
3089
3090         It is unnecessary to use cryptographicallyRandomNumber for SamplingProfiler
3091         interval fluctuation. Use WeakRandom instead.
3092
3093         * runtime/SamplingProfiler.cpp:
3094         (JSC::SamplingProfiler::SamplingProfiler):
3095         (JSC::SamplingProfiler::timerLoop):
3096         * runtime/SamplingProfiler.h:
3097
3098 2017-03-23  Mark Lam  <mark.lam@apple.com>
3099
3100         Array.prototype.splice behaves incorrectly when the VM is "having a bad time".
3101         https://bugs.webkit.org/show_bug.cgi?id=170025
3102         <rdar://problem/31228679>
3103
3104         Reviewed by Saam Barati.
3105
3106         * runtime/ArrayPrototype.cpp:
3107         (JSC::copySplicedArrayElements):
3108         (JSC::arrayProtoFuncSplice):
3109
3110 2017-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3111
3112         [JSC][DFG] Make addShouldSpeculateAnyInt more conservative to avoid regression caused by Double <-> Int52 conversions
3113         https://bugs.webkit.org/show_bug.cgi?id=169998
3114
3115         Reviewed by Saam Barati.
3116
3117         Double <-> Int52 and JSValue <-> Int52 conversions are not so cheap. Thus, Int52Rep is super carefully emitted.
3118         We make addShouldSpeculateAnyInt more conservative to avoid regressions caused by the above conversions.
3119         We select ArithAdd(Int52, Int52) only when this calculation is beneficial compared to added Int52Rep conversions.
3120
3121         This patch tightens the conditions of addShouldSpeculateAnyInt.
3122
3123         1. Honor DoubleConstant.
3124
3125         When executing imaging-darkroom, we have something like this:
3126
3127             132:< 2:loc36> DoubleConstant(Double|UseAsOther, AnyIntAsDouble, Double: 4607182418800017408, 1.000000, bc#114)
3128             1320:< 1:loc38>        Int52Rep(Check:Int32:@82, Int52|PureInt, Int32, Exits, bc#114)
3129             1321:< 1:loc39>        Int52Constant(Int52|PureInt, Boolint32Nonboolint32Int52, Double: 4607182418800017408, 1.000000, bc#114)
3130             133:<!3:loc39> ArithSub(Int52Rep:@1320<Int52>, Int52Rep:@1321<Int52>, Int52|MustGen, Int52, CheckOverflow, Exits, bc#114)
3131
3132         The LHS of ArithSub says predicting Boolint32, and the RHS says AnyIntAsDouble. Thus we select ArithSub(Int52, Int52) instead
3133         of ArithSub(Double, Double). However, it soon causes OSR exits. In imaging-darkroom, LHS's Int32 prediction will be broken.
3134         While speculating Int32 in the above situation is a reasonable approach since the given LHS says predicting Int32, this causes
3135         severe performance regression.
3136
3137         Previously, we always selected ArithSub(Double, Double). So accidentally, we did not encounter this misprediction issue.
3138
3139         One thing we can observe is that we have a DoubleConstant in the RHS. It means that we have `1.0` instead of `1` in the code.
3140         We can see the code like `lhs - 1.0` instead of `lhs - 1` in imaging-darkroom. It offers good information that lhs and
3141         the resulting value would be double. Handling the above ArithSub in double seems more appropriate rather than handling
3142         it in Int52.
3143
3144         So, in this patch, we honor DoubleConstant. If we find DoubleConstant on one operand, we give up selecting
3145         Arith[Sub,Add](Int52, Int52). This change removes the OSR exits occurring in imaging-darkroom right now.
3146
3147         2. Two Int52Rep(Double) conversions are not desirable.
3148
3149         We allow AnyInt ArithAdd only when one operand of the binary operation should be speculated AnyInt. It is a bit of a conservative
3150         decision. This is because Double to Int52 conversion is not so cheap. Frequent back-and-forth conversions between Double and Int52
3151         rather hurt the performance. If one operand of the operation is already Int52, the cost for constructing ArithAdd becomes
3152         cheap since only one Double to Int52 conversion could be required.
3153         This recovers some regression in assorted tests while keeping kraken crypto improvements.
3154
3155         3. Avoid frequent Int52 to JSValue conversions.
3156
3157         Int52 to JSValue conversion is not so cheap. Thus, we would like to avoid such situations. So, in this patch, we allow
3158         Arith(Int52, Int52) with AnyIntAsDouble operand only when the node is used as number. By doing so, we avoid cases like
3159         converting to Int52, performing ArithAdd, and then converting back to JSValue.
3160
3161         The above 3 changes recover the regression measured in microbenchmarks/int52-back-and-forth.js and assorted benchmarks.
3162         And still it keeps kraken crypto improvements.
3163
3164                                                    baseline                  patched
3165
3166         imaging-darkroom                       201.112+-3.192      ^     189.532+-2.883         ^ definitely 1.0611x faster
3167         stanford-crypto-pbkdf2                 103.953+-2.325            100.926+-2.396           might be 1.0300x faster
3168         stanford-crypto-sha256-iterative        35.103+-1.071      ?      36.049+-1.143         ? might be 1.0270x slower
3169
3170         * dfg/DFGGraph.h:
3171         (JSC::DFG::Graph::addShouldSpeculateAnyInt):
3172
3173 == Rolled over to ChangeLog-2017-03-23 ==