5fadeac5d2bbfee728ea290d2b3727d679916d74
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-10-03  Jon Davis  <jond@apple.com>
2
3         Update WebAssembly to "Supported"
4         https://bugs.webkit.org/show_bug.cgi?id=177831
5
6         Reviewed by Alexey Proskuryakov.
7         
8         Cleaned up Async Iteration and Object rest/spread to use "In Development" 
9         instead of "In development". 
10
11         * features.json: 
12
13 2017-10-03  Saam Barati  <sbarati@apple.com>
14
15         Implement polymorphic prototypes
16         https://bugs.webkit.org/show_bug.cgi?id=176391
17
18         Reviewed by Filip Pizlo.
19
20         This patch changes JSC's object model with respect to where the prototype
21         of an object is stored. Previously, it was always stored as
22         a constant value inside Structure. So an object's structure used to
23         always tell you what its prototype is. Anytime an object changed
24         its prototype, it would do a structure transition. This enables
25         a large class of optimizations: just by doing a structure check,
26         we know what the prototype is.
27         
28         However, this design falls down when you have many objects that
29         have the same shape, but only differ in what their prototype value
30         is. This arises in many JS programs. A simple, and probably common, example
31         is when the program has a constructor inside of a function:
32         ```
33         function foo() {
34             class C {
35                 constructor() { this.field1 = 42; ...; this.fieldN = 42; }
36                 method1() { doStuffWith(this.field); }
37                 method2() { doStuffWith(this.field); }
38             }
39             let c = new C;
40             do things with c;
41         }
42         repeatedly call foo() here.
43         ```
44         
45         Before this patch, in the above program, each time `new C` created an
46         object, it would create an object with a different structure. The
47         reason for this is that each time foo is called, there is a new
48         instance of C.prototype. However, each `new C` that was created
49         would have identical shape sans its prototype value. This would
50         cause all ICs that used `c` to quickly give up on any form of caching
51         because they would see too many structures and give up and permanently
52         divert control flow to the slow path.
53         
54         This patch fixes this issue by expanding the notion of where the prototype
55         of an object is stored. There are now two notions of where the prototype
56         is stored. A Structure can now be in two modes:
57         1. Mono proto mode. This is the same mode as we used to have. It means
58         the structure itself has a constant prototype value.
59         2. Poly proto mode. This means the structure knows nothing about the
60         prototype value itself. Objects with this structure store their prototype
61         in normal object field storage. The structure will tell you the offset of
62         this prototype inside the object's storage. As of today, we only reserve
63         inline slots for the prototype field because poly proto only occurs
64         for JSFinalObject. However, this will be expanded to support out of line
65         offsets in a future patch when we extend poly proto to work when we inherit
66         from builtin types like Map and Array.
67         
68         In this initial patch, we do poly proto style inline caching whenever
69         we see an object that is poly proto or if an object in its prototype lookup
70         chain is poly proto. Poly proto ICs work by verifying the lookup chain
71         at runtime. This essentially boils down to performing structure checks
72         up the prototype chain. In a future patch, we're going to extend object
73         property condition set to work with objects that don't have poly proto bases.
74         
75         Initially, accesses that have poly proto access chains will always turn
76         into GetById/PutById in the DFG. In a future patch, I'm going to teach
77         the DFG how to inline certain accesses that have poly proto in the access
78         chain.
79         
80         One of most interesting parts about this patch is how we decide when to go
81         poly proto. This patch uses a profiling based approach. An IC will inform
82         a watchpoint that it sees an opportunity when two Structures are structurally
83         the same, sans the base object's prototype. This means that two structures
84         have equivalent shapes all the way up the prototype chain. To support fast
85         structural comparison, we compute a hash for a structure based on the properties
86         it has. We compute this hash as we add properties to the structure. This
87         computation is nearly free since we always add UniquedStringImpl*'s which
88         already have their hashes computed. To compare structural equivalence, we
89         just compare hash values all the way up the prototype chain. This means we
90         can get hash conflicts between two structures, but it's extremely rare. First,
91         it'll be rare for two structures to have the same hash. Secondly, we only
92         consider structures originating from the same executable.
93         
94         How we set up this poly proto watchpoint is crucial to its design. When we create_this
95         an object originating from some executable, that executable will create a Box<InlineWatchpointSet>.
96         Each structure that originates from this executable will get a copy of that
97         Box<InlineWatchpointSet>. As that structure transitions to new structures,
98         they too will get a copy of that Box<InlineWatchpointSet>. Therefore, when
99         invalidating an arbitrary structure's poly proto watchpoint, we will know
100         the next time we create_this from that executable that it had been
101         invalidated, and that we should create an object with a poly proto
102         structure. We also use the pointer value of this Box<InlineWatchpointSet>
103         to determine if two structures originated from the same executable. This
104         pruning will severely limit the chances of getting a hash conflict in practice.
105         
106         This patch is neutral on my MBP on traditional JS benchmarks like Octane/Kraken/Sunspider.
107         It may be a 1-2% ARES-6 progression.
108         
109         This patch is between neutral and a 9x progression on the various tests
110         I added. Most of the microbenchmarks are progressed by at least 50%.
111
112         * JavaScriptCore.xcodeproj/project.pbxproj:
113         * Sources.txt:
114         * builtins/BuiltinNames.cpp:
115         * builtins/BuiltinNames.h:
116         (JSC::BuiltinNames::BuiltinNames):
117         (JSC::BuiltinNames::underscoreProtoPrivateName const):
118         * bytecode/AccessCase.cpp:
119         (JSC::AccessCase::AccessCase):
120         (JSC::AccessCase::create):
121         (JSC::AccessCase::commit):
122         (JSC::AccessCase::guardedByStructureCheck const):
123         (JSC::AccessCase::canReplace const):
124         (JSC::AccessCase::dump const):
125         (JSC::AccessCase::visitWeak const):
126         (JSC::AccessCase::propagateTransitions const):
127         (JSC::AccessCase::generateWithGuard):
128         (JSC::AccessCase::generateImpl):
129         * bytecode/AccessCase.h:
130         (JSC::AccessCase::usesPolyProto const):
131         (JSC::AccessCase::AccessCase):
132         * bytecode/CodeBlock.cpp:
133         (JSC::CodeBlock::finishCreation):
134         * bytecode/GetByIdStatus.cpp:
135         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
136         * bytecode/GetterSetterAccessCase.cpp:
137         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
138         (JSC::GetterSetterAccessCase::create):
139         * bytecode/GetterSetterAccessCase.h:
140         * bytecode/InternalFunctionAllocationProfile.h:
141         (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
142         * bytecode/IntrinsicGetterAccessCase.cpp:
143         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
144         * bytecode/IntrinsicGetterAccessCase.h:
145         * bytecode/ModuleNamespaceAccessCase.cpp:
146         (JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase):
147         * bytecode/ObjectAllocationProfile.cpp: Added.
148         (JSC::ObjectAllocationProfile::initializeProfile):
149         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
150         * bytecode/ObjectAllocationProfile.h:
151         (JSC::ObjectAllocationProfile::clear):
152         (JSC::ObjectAllocationProfile::initialize): Deleted.
153         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): Deleted.
154         * bytecode/ObjectPropertyConditionSet.cpp:
155         * bytecode/PolyProtoAccessChain.cpp: Added.
156         (JSC::PolyProtoAccessChain::create):
157         (JSC::PolyProtoAccessChain::needImpurePropertyWatchpoint const):
158         (JSC::PolyProtoAccessChain::operator== const):
159         (JSC::PolyProtoAccessChain::dump const):
160         * bytecode/PolyProtoAccessChain.h: Added.
161         (JSC::PolyProtoAccessChain::clone):
162         (JSC::PolyProtoAccessChain:: const):
163         (JSC::PolyProtoAccessChain::operator!= const):
164         (JSC::PolyProtoAccessChain::forEach const):
165         * bytecode/PolymorphicAccess.cpp:
166         (JSC::PolymorphicAccess::addCases):
167         (JSC::PolymorphicAccess::regenerate):
168         (WTF::printInternal):
169         * bytecode/PolymorphicAccess.h:
170         (JSC::AccessGenerationResult::shouldResetStub const):
171         (JSC::AccessGenerationState::AccessGenerationState):
172         * bytecode/PropertyCondition.cpp:
173         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
174         * bytecode/ProxyableAccessCase.cpp:
175         (JSC::ProxyableAccessCase::ProxyableAccessCase):
176         (JSC::ProxyableAccessCase::create):
177         * bytecode/ProxyableAccessCase.h:
178         * bytecode/PutByIdStatus.cpp:
179         (JSC::PutByIdStatus::computeForStubInfo):
180         * bytecode/StructureStubInfo.cpp:
181         (JSC::StructureStubInfo::addAccessCase):
182         * dfg/DFGByteCodeParser.cpp:
183         (JSC::DFG::ByteCodeParser::load):
184         (JSC::DFG::ByteCodeParser::parseBlock):
185         * dfg/DFGGraph.cpp:
186         (JSC::DFG::Graph::canDoFastSpread):
187         * dfg/DFGOperations.cpp:
188         * dfg/DFGSpeculativeJIT.cpp:
189         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
190         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
191         * dfg/DFGSpeculativeJIT.h:
192         * dfg/DFGSpeculativeJIT64.cpp:
193         (JSC::DFG::SpeculativeJIT::compile):
194         * ftl/FTLLowerDFGToB3.cpp:
195         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
196         * jit/JITOpcodes.cpp:
197         (JSC::JIT::emit_op_instanceof):
198         * jit/JITOpcodes32_64.cpp:
199         (JSC::JIT::emit_op_instanceof):
200         * jit/Repatch.cpp:
201         (JSC::tryCacheGetByID):
202         (JSC::tryCachePutByID):
203         (JSC::tryRepatchIn):
204         * jsc.cpp:
205         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
206         (WTF::DOMJITGetterBaseJSObject::createStructure):
207         (WTF::DOMJITGetterBaseJSObject::create):
208         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
209         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
210         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
211         (WTF::DOMJITGetterBaseJSObject::customGetter):
212         (WTF::DOMJITGetterBaseJSObject::finishCreation):
213         (GlobalObject::finishCreation):
214         (functionCreateDOMJITGetterBaseJSObject):
215         * llint/LLIntSlowPaths.cpp:
216         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
217         * runtime/ArrayPrototype.cpp:
218         (JSC::holesMustForwardToPrototype):
219         (JSC::fastJoin):
220         (JSC::arrayProtoFuncReverse):
221         (JSC::moveElements):
222         * runtime/ClonedArguments.cpp:
223         (JSC::ClonedArguments::createEmpty):
224         (JSC::ClonedArguments::createWithInlineFrame):
225         (JSC::ClonedArguments::createWithMachineFrame):
226         (JSC::ClonedArguments::createByCopyingFrom):
227         * runtime/CommonSlowPaths.cpp:
228         (JSC::SLOW_PATH_DECL):
229         * runtime/FunctionExecutable.cpp:
230         (JSC::FunctionExecutable::visitChildren):
231         * runtime/FunctionExecutable.h:
232         * runtime/FunctionRareData.cpp:
233         (JSC::FunctionRareData::initializeObjectAllocationProfile):
234         * runtime/FunctionRareData.h:
235         * runtime/InternalFunction.cpp:
236         (JSC::InternalFunction::createSubclassStructureSlow):
237         * runtime/JSArray.cpp:
238         (JSC::JSArray::fastSlice):
239         (JSC::JSArray::shiftCountWithArrayStorage):
240         (JSC::JSArray::shiftCountWithAnyIndexingType):
241         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
242         * runtime/JSArrayInlines.h:
243         (JSC::JSArray::canFastCopy):
244         * runtime/JSCJSValue.cpp:
245         (JSC::JSValue::dumpInContextAssumingStructure const):
246         * runtime/JSFunction.cpp:
247         (JSC::JSFunction::prototypeForConstruction):
248         (JSC::JSFunction::allocateAndInitializeRareData):
249         (JSC::JSFunction::initializeRareData):
250         (JSC::JSFunction::getOwnPropertySlot):
251         * runtime/JSFunction.h:
252         * runtime/JSMap.cpp:
253         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
254         (JSC::JSMap::canCloneFastAndNonObservable):
255         * runtime/JSObject.cpp:
256         (JSC::JSObject::putInlineSlow):
257         (JSC::JSObject::createInitialIndexedStorage):
258         (JSC::JSObject::createArrayStorage):
259         (JSC::JSObject::convertUndecidedToArrayStorage):
260         (JSC::JSObject::convertInt32ToArrayStorage):
261         (JSC::JSObject::convertDoubleToArrayStorage):
262         (JSC::JSObject::convertContiguousToArrayStorage):
263         (JSC::JSObject::ensureInt32Slow):
264         (JSC::JSObject::ensureDoubleSlow):
265         (JSC::JSObject::ensureContiguousSlow):
266         (JSC::JSObject::ensureArrayStorageSlow):
267         (JSC::JSObject::setPrototypeDirect):
268         (JSC::JSObject::ordinaryToPrimitive const):
269         (JSC::JSObject::putByIndexBeyondVectorLength):
270         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
271         (JSC::JSObject::getEnumerableLength):
272         (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
273         (JSC::JSObject::prototypeChainMayInterceptStoreTo):
274         (JSC::JSObject::needsSlowPutIndexing const):
275         (JSC::JSObject::suggestedArrayStorageTransition const):
276         * runtime/JSObject.h:
277         (JSC::JSObject::finishCreation):
278         (JSC::JSObject::getPrototypeDirect const):
279         (JSC::JSObject::getPropertySlot):
280         * runtime/JSObjectInlines.h:
281         (JSC::JSObject::getPropertySlot):
282         (JSC::JSObject::getNonIndexPropertySlot):
283         (JSC::JSObject::putInlineForJSObject):
284         * runtime/JSPropertyNameEnumerator.h:
285         (JSC::propertyNameEnumerator):
286         * runtime/JSSet.cpp:
287         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
288         (JSC::JSSet::canCloneFastAndNonObservable):
289         * runtime/LazyClassStructure.h:
290         (JSC::LazyClassStructure::prototypeConcurrently const): Deleted.
291         * runtime/Operations.cpp:
292         (JSC::normalizePrototypeChain):
293         * runtime/Operations.h:
294         * runtime/Options.h:
295         * runtime/PrototypeMap.cpp:
296         (JSC::PrototypeMap::createEmptyStructure):
297         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
298         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
299         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
300         * runtime/PrototypeMap.h:
301         * runtime/Structure.cpp:
302         (JSC::Structure::Structure):
303         (JSC::Structure::create):
304         (JSC::Structure::holesMustForwardToPrototype const):
305         (JSC::Structure::changePrototypeTransition):
306         (JSC::Structure::isCheapDuringGC):
307         (JSC::Structure::toStructureShape):
308         (JSC::Structure::dump const):
309         (JSC::Structure::canCachePropertyNameEnumerator const):
310         (JSC::Structure::anyObjectInChainMayInterceptIndexedAccesses const): Deleted.
311         (JSC::Structure::needsSlowPutIndexing const): Deleted.
312         (JSC::Structure::suggestedArrayStorageTransition const): Deleted.
313         (JSC::Structure::prototypeForLookup const): Deleted.
314         (JSC::Structure::prototypeChainMayInterceptStoreTo): Deleted.
315         (JSC::Structure::canUseForAllocationsOf): Deleted.
316         * runtime/Structure.h:
317         * runtime/StructureChain.h:
318         * runtime/StructureInlines.h:
319         (JSC::Structure::create):
320         (JSC::Structure::storedPrototypeObject const):
321         (JSC::Structure::storedPrototypeStructure const):
322         (JSC::Structure::storedPrototype const):
323         (JSC::prototypeForLookupPrimitiveImpl):
324         (JSC::Structure::prototypeForLookup const):
325         (JSC::Structure::prototypeChain const):
326         (JSC::Structure::isValid const):
327         (JSC::Structure::add):
328         (JSC::Structure::setPropertyTable):
329         (JSC::Structure::shouldConvertToPolyProto):
330         * runtime/StructureRareData.h:
331         * runtime/TypeProfilerLog.cpp:
332         (JSC::TypeProfilerLog::processLogEntries):
333         * runtime/TypeSet.cpp:
334         (JSC::TypeSet::addTypeInformation):
335         * runtime/TypeSet.h:
336         * runtime/WriteBarrier.h:
337         (JSC::WriteBarrierBase<Unknown>::isInt32 const):
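
        Added example for the polymorphic-prototypes entry above; this is not WebKit
        code and not part of the ChangeLog. It models, in plain JavaScript, the
        condition that entry profiles for: objects whose own-property shape matches
        at every level of the prototype chain while the base object's prototype
        *object* differs. JSC compares per-Structure hashes for this; the model
        below compares the property-name lists directly, so it has no hash-conflict
        case. `makeInstance`, `ownShape`, `chainShapes` and `sameShapeUpChain` are
        names chosen for the example.

```javascript
// Added example (not WebKit code): the "same shape, different prototype" case
// from the polymorphic-prototypes entry, checked in plain JavaScript.

// The pattern from the entry: a class declared inside a function gets a fresh
// C.prototype on every call, so every `new C` has a distinct prototype object
// even though all instances have identical own properties.
function makeInstance() {
  class C {
    constructor() { this.field1 = 42; this.field2 = 42; }
    method1() { return this.field1; }
    method2() { return this.field2; }
  }
  return new C();
}

// Shape of one object: its own property keys in insertion order, values ignored.
// Symbols are stringified so they take part in the comparison too.
function ownShape(obj) {
  return Reflect.ownKeys(obj).map(String);
}

// Walk the prototype chain and collect the shape at each level, base first.
function chainShapes(obj) {
  const shapes = [];
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    shapes.push(ownShape(o));
  }
  return shapes;
}

function sameKeys(a, b) {
  return a.length === b.length && a.every((k, i) => k === b[i]);
}

// "Structurally equivalent sans prototype": same chain depth and identical
// shapes at every level. The prototype objects themselves may differ, which is
// exactly what a mono-proto Structure cannot express.
function sameShapeUpChain(a, b) {
  const sa = chainShapes(a);
  const sb = chainShapes(b);
  return sa.length === sb.length && sa.every((shape, i) => sameKeys(shape, sb[i]));
}

// Two instances from separate makeInstance() calls: same shape up the chain,
// different prototype objects. Before the patch each call produced a new
// Structure for the same shape and the inline caches gave up.
function demo() {
  const c1 = makeInstance();
  const c2 = makeInstance();
  return {
    sameShape: sameShapeUpChain(c1, c2),                                     // true
    samePrototypeObject: Object.getPrototypeOf(c1) === Object.getPrototypeOf(c2), // false
    baseShape: ownShape(c1),                                  // ["field1", "field2"]
    protoShape: ownShape(Object.getPrototypeOf(c1)),          // ["constructor", "method1", "method2"]
  };
}
```

        `demo()` returns `sameShape: true` together with `samePrototypeObject:
        false`; adding an own property to one object, or comparing an object
        created with `Object.create(null)` against a plain `{}` (different chain
        depth), makes `sameShapeUpChain` return false, while differing property
        values do not.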
338
339 2017-10-03  JF Bastien  <jfbastien@apple.com>
340
341         WebAssembly: no VM / JS version of everything but Instance
342         https://bugs.webkit.org/show_bug.cgi?id=177473
343
344         Reviewed by Filip Pizlo.
345
346         This change entails cleaning up and splitting a bunch of code which we had
347         intertwined between C++ classes which represent JS objects, and pure C++
348         implementation objects. This specific change goes most of the way towards
349         allowing JSC's WebAssembly to work without VM / JS, up to but excluding
350         JSWebAssemblyInstance (there's Wasm::Instance, but it's not *the* thing
351             yet). Because of this we still have a few FIXMEs identifying places that need to
352         change. A follow-up change will go the rest of the way.
353
354         I went about this change in the simplest way possible: grep the
355         JavaScriptCore/wasm directory for "JS[^C_]" as well as "VM" and exclude the /js/
356         sub-directory (which contains the JS implementation of WebAssembly).
357
358         None of this change removes the need for a JIT entitlement to be able to use
359         WebAssembly. We don't have an interpreter, the process therefore still needs to
360         be allowed to JIT to use these pure-C++ APIs.
361
362         Interesting things to note:
363
364           - Remove VM from Plan and associated places. It can just live as a capture in
365             the callback lambda if it's needed.
366           - Wasm::Memory shouldn't require a VM. It was only used to ask the GC to
367             collect. We now instead pass two lambdas at construction time for this
368             purpose: one to notify of memory pressure, and the other to ask for
369             synchronous memory reclamation. This allows whoever creates the memory to
370             dictate how to react to both these cases, and for a JS embedding that's to
371             call the GC (async or sync, respectively).
372           - Move grow logic from JSWebAssemblyMemory to Wasm::Memory::grow. Use Expected
373             there, with an enum class for failure types.
374           - Exceeding max on memory growth now returns a range error as per spec. This
375             is a (very minor) breaking change: it used to throw OOM error. Update the
376             corresponding test.
377           - When generating the grow_memory opcode, no need to get the VM. Instead,
378             reach directly for Wasm::Memory and grow it.
379           - JSWebAssemblyMemory::grow can now always throw on failure, because it's only
380             ever called from JS (not from grow_memory as before).
381           - Wasm::Memory now takes a callback for successful growth. This allows JS
382             wrappers to register themselves when growth succeeds without Wasm::Memory
383             knowing anything about JS. It'll also allow creating a list of callbacks
384             for when we add thread support (we'll want to notify many wrappers, all
385             under a lock).
386           - Wasm::Memory is now back to being the source of truth about address / size,
387             used directly by generated code instead of JSWebAssemblyMemory.
388           - Move wasmToJS from the general WasmBinding header to its own header under
389             wasm/js. It's only used by wasm/js/JSWebAssemblyCodeBlock.cpp, and uses VM,
390             and therefore isn't general WebAssembly.
391           - Make Wasm::Context an actual type (just a struct holding a
392             JSWebAssemblyInstance for now) instead of an alias for that. Notably this
393             doesn't add anything to the Context and doesn't change what actually gets
394             passed around in JIT code (fast TLS or registers) because these changes
395             potentially impact performance. The entire purpose of this change is to
396             allow passing Wasm::Context around without having to know about VM. Since VM
397             contains a Wasm::Context the JS embedding is effectively the same, but with
398             this setup a non-JS embedding is much better off.
399           - Move JSWebAssembly into the JS folder.
400           - OMGPlan: use Wasm::CodeBlock directly instead of JSWebAssemblyCodeBlock.
401           - wasm->JS stubs are now on Wasm::CodeBlock's tail as raw pointers, instead of
402             being on JSWebAssemblyCodeBlock, and are now called wasm->Embedder
403             stubs. The owned reference is still on JSWebAssemblyCodeBlock, and is still
404             called wasm->JS stub. This move means that the embedder must, after creating
405             a Wasm::CodeBlock, somehow create the stubs to call back into the
406             embedder. This isn't adding any indirection to the generated code because
407             the B3 IR generator now reaches for Wasm::CodeBlock instead of
408             JSWebAssemblyCodeBlock.
409           - Move more CodeBlock things. Compilation completion is now marked by its own
410             atomic<bool> flag instead of a nullptr plan: that required using a lock, and
411             was causing a deadlock in stack-trace.js because before my changes
412             JSWebAssemblyCodeBlock did its own completion checking separately from
413             Wasm::CodeBlock, without getting the lock. Now that everything points to
414             Wasm::CodeBlock and there's no cached completion marker, the lock was being
415             acquired in a sanity-check assertion.
416           - Embedder -> Wasm wrappers are now generated through a function that's passed
417             in at compilation time, instead of being hard-coded as a JS -> Wasm wrapper.
418           - WasmMemory doesn't need to know about fault handling thunks. Only the IR
419             generator should know, and should make sure that the exception throwing
420             thunk is generated if any memory is present (note: with signal handling not
421             all of them generate an exception check).
422           - Make exception throwing pluggable: instead of having a hard-coded
423             JS-specific lambda we now have a regular C++ function being called from JIT
424             code when a WebAssembly exception is thrown. This allows any embedder to get
425             called as they wish. For now a process can only have a single of these
426             functions (i.e. only one embedder per process) because the trap handler is a
427             singleton. That can be fixed in #177475.
428           - Create WasmEmbedder.h where all embedder plugging will live.
429           - Split up JSWebAssemblyTable into Wasm::Table which is
430             refcounted. JSWebAssemblyTable now only contains the JS functions in the
431             table, and Wasm::Table is what's used by the JIT code to lookup where to
432             call and do the instance check (for context switch). Note that this creates
433             an extra allocation for all the instances in Wasm::Table, and in exchange
434             removes an indirection in JIT code because the instance used to be obtained
435             off of the JS function. Also note that it's the embedder that keeps the
436             instances alive, not Wasm::Table (which holds a dumb pointer to the
437             instance), because doing otherwise would cause reference cycles.
438           - Add WasmInstance. It doesn't do much for now, owns globals.
439           - JSWebAssembly instance now doesn't just contain the imported functions as
440             JSObjects, it also has the corresponding import's instance and wasm
441             entrypoint. This triples the space allocated per instance's imported
442             function, but there shouldn't be that many imports. This has two upsides: it
443             creates smaller and faster code, and makes it easier to disassociate
444             embedder-specific things from embedder-neutral things. The smaller / faster
445             win is in two places: B3 IR generator only needs offsetOfImportFunction for
446             the call opcode (when the called index is an import) to know whether the
447             import is wasm->wasm or wasm->embedder (this isn't known at compile-time
448             because it's dependent on the import object), this is now done by seeing if
449             that import function has an associated target instance (only wasm->wasm
450             does); the other place is wasmBinding which uses offsetOfImportFunction to
451             figure out the wasm->wasm target instance, and then gets
452             WebAssemblyFunction::offsetOfWasmEntrypointLoadLocation to do a tail
453             call. The disassociation comes because the target instance can be
454             Wasm::Instance once we change what the Context is, and
455             WasmEntrypointLoadLocation is already embedder-independent. As a next step I
456             can move this tail allocation from JSWebAssemblyInstance to Wasm::Instance,
457             and leave importFunction in as an opaque pointer which is embedder-specific,
458             and in JS will remain WriteBarrier<JSObject>.
459           - Rename VMEntryFrame to EntryFrame, and in many places pass a pointer to it
460             around instead of VM. This is a first step in allowing entry frames which
461             aren't stored on VM, but which are instead stored in an embedder-specific
462             location. That change won't really affect JS except through code churn, but
463             will allow WebAssembly to use some machinery in a generic manner without
464             having a VM.
465
466         * JavaScriptCore.xcodeproj/project.pbxproj:
467         * Sources.txt:
468         * bytecode/PolymorphicAccess.cpp:
469         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
470         * debugger/Debugger.cpp:
471         (JSC::Debugger::stepOutOfFunction):
472         (JSC::Debugger::returnEvent):
473         (JSC::Debugger::unwindEvent):
474         (JSC::Debugger::didExecuteProgram):
475         * dfg/DFGJITCompiler.cpp:
476         (JSC::DFG::JITCompiler::compileExceptionHandlers):
477         * dfg/DFGOSREntry.cpp:
478         (JSC::DFG::prepareOSREntry):
479         * dfg/DFGOSRExit.cpp:
480         (JSC::DFG::OSRExit::compileOSRExit):
481         (JSC::DFG::OSRExit::compileExit):
482         * dfg/DFGThunks.cpp:
483         (JSC::DFG::osrEntryThunkGenerator):
484         * ftl/FTLCompile.cpp:
485         (JSC::FTL::compile):
486         * ftl/FTLLink.cpp:
487         (JSC::FTL::link):
488         * ftl/FTLLowerDFGToB3.cpp:
489         (JSC::FTL::DFG::LowerDFGToB3::lower):
490         * ftl/FTLOSRExitCompiler.cpp:
491         (JSC::FTL::compileStub):
492         * interpreter/CallFrame.cpp:
493         (JSC::CallFrame::wasmAwareLexicalGlobalObject):
494         (JSC::CallFrame::callerFrame):
495         (JSC::CallFrame::unsafeCallerFrame):
496         * interpreter/CallFrame.h:
497         (JSC::ExecState::callerFrame const):
498         (JSC::ExecState::callerFrameOrEntryFrame const):
499         (JSC::ExecState::unsafeCallerFrameOrEntryFrame const):
500         * interpreter/FrameTracers.h:
501         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
502         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
503         (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
504         * interpreter/Interpreter.cpp:
505         (JSC::UnwindFunctor::operator() const):
506         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
507         (JSC::Interpreter::unwind):
508         * interpreter/StackVisitor.cpp:
509         (JSC::StackVisitor::StackVisitor):
510         (JSC::StackVisitor::gotoNextFrame):
511         (JSC::StackVisitor::readNonInlinedFrame):
512         (JSC::StackVisitor::Frame::dump const):
513         * interpreter/StackVisitor.h:
514         (JSC::StackVisitor::Frame::callerIsEntryFrame const):
515         * interpreter/VMEntryRecord.h:
516         (JSC::VMEntryRecord::prevTopEntryFrame):
517         (JSC::VMEntryRecord::unsafePrevTopEntryFrame):
518         (JSC::EntryFrame::vmEntryRecordOffset):
519         * jit/AssemblyHelpers.cpp:
520         (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
521         (JSC::AssemblyHelpers::loadWasmContextInstance):
522         (JSC::AssemblyHelpers::storeWasmContextInstance):
523         (JSC::AssemblyHelpers::loadWasmContextInstanceNeedsMacroScratchRegister):
524         (JSC::AssemblyHelpers::storeWasmContextInstanceNeedsMacroScratchRegister):
525         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
526         * jit/AssemblyHelpers.h:
527         (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
528         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
529         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer):
530         * jit/JIT.cpp:
531         (JSC::JIT::emitEnterOptimizationCheck):
532         (JSC::JIT::privateCompileExceptionHandlers):
533         * jit/JITExceptions.cpp:
534         (JSC::genericUnwind):
535         * jit/JITOpcodes.cpp:
536         (JSC::JIT::emit_op_throw):
537         (JSC::JIT::emit_op_catch):
538         (JSC::JIT::emitSlow_op_loop_hint):
539         * jit/JITOpcodes32_64.cpp:
540         (JSC::JIT::emit_op_throw):
541         (JSC::JIT::emit_op_catch):
542         * jit/JITOperations.cpp:
543         * jit/ThunkGenerators.cpp:
544         (JSC::throwExceptionFromCallSlowPathGenerator):
545         (JSC::nativeForGenerator):
546         * jsc.cpp:
547         (functionDumpCallFrame):
548         * llint/LLIntSlowPaths.cpp:
549         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
550         * llint/LLIntThunks.cpp:
551         (JSC::vmEntryRecord):
552         * llint/LowLevelInterpreter.asm:
553         * llint/LowLevelInterpreter32_64.asm:
554         * llint/LowLevelInterpreter64.asm:
555         * runtime/Options.cpp:
556         (JSC::recomputeDependentOptions):
557         * runtime/Options.h:
558         * runtime/SamplingProfiler.cpp:
559         (JSC::FrameWalker::FrameWalker):
560         (JSC::FrameWalker::advanceToParentFrame):
561         (JSC::SamplingProfiler::processUnverifiedStackTraces):
562         * runtime/ThrowScope.cpp:
563         (JSC::ThrowScope::~ThrowScope):
564         * runtime/VM.cpp:
565         (JSC::VM::VM):
566         (JSC::VM::~VM):
567         * runtime/VM.h:
568         (JSC::VM::topEntryFrameOffset):
569         * runtime/VMTraps.cpp:
570         (JSC::isSaneFrame):
571         (JSC::VMTraps::tryInstallTrapBreakpoints):
572         (JSC::VMTraps::invalidateCodeBlocksOnStack):
573         * wasm/WasmB3IRGenerator.cpp:
574         (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
575         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
576         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
577         (JSC::Wasm::B3IRGenerator::addGrowMemory):
578         (JSC::Wasm::B3IRGenerator::addCurrentMemory):
579         (JSC::Wasm::B3IRGenerator::addCall):
580         (JSC::Wasm::B3IRGenerator::addCallIndirect):
581         (JSC::Wasm::parseAndCompile):
582         * wasm/WasmB3IRGenerator.h:
583         * wasm/WasmBBQPlan.cpp:
584         (JSC::Wasm::BBQPlan::BBQPlan):
585         (JSC::Wasm::BBQPlan::compileFunctions):
586         (JSC::Wasm::BBQPlan::complete):
587         * wasm/WasmBBQPlan.h:
588         * wasm/WasmBBQPlanInlines.h:
589         (JSC::Wasm::BBQPlan::initializeCallees):
590         * wasm/WasmBinding.cpp:
591         (JSC::Wasm::wasmToWasm):
592         * wasm/WasmBinding.h:
593         * wasm/WasmCodeBlock.cpp:
594         (JSC::Wasm::CodeBlock::create):
595         (JSC::Wasm::CodeBlock::CodeBlock):
596         (JSC::Wasm::CodeBlock::compileAsync):
597         (JSC::Wasm::CodeBlock::setCompilationFinished):
598         * wasm/WasmCodeBlock.h:
599         (JSC::Wasm::CodeBlock::offsetOfImportStubs):
600         (JSC::Wasm::CodeBlock::allocationSize):
601         (JSC::Wasm::CodeBlock::importWasmToEmbedderStub):
602         (JSC::Wasm::CodeBlock::offsetOfImportWasmToEmbedderStub):
603         (JSC::Wasm::CodeBlock::wasmToJSCallStubForImport):
604         (JSC::Wasm::CodeBlock::compilationFinished):
605         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
606         (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
607         * wasm/WasmContext.cpp:
608         (JSC::Wasm::Context::useFastTLS):
609         (JSC::Wasm::Context::load const):
610         (JSC::Wasm::Context::store):
611         * wasm/WasmContext.h:
612         * wasm/WasmEmbedder.h: Copied from Source/JavaScriptCore/wasm/WasmContext.h.
613         * wasm/WasmFaultSignalHandler.cpp:
614         * wasm/WasmFaultSignalHandler.h:
615         * wasm/WasmFormat.h:
616         * wasm/WasmInstance.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
617         (JSC::Wasm::Instance::Instance):
618         (JSC::Wasm::Instance::~Instance):
619         (JSC::Wasm::Instance::extraMemoryAllocated const):
620         * wasm/WasmInstance.h: Added.
621         (JSC::Wasm::Instance::create):
622         (JSC::Wasm::Instance::finalizeCreation):
623         (JSC::Wasm::Instance::module):
624         (JSC::Wasm::Instance::codeBlock):
625         (JSC::Wasm::Instance::memory):
626         (JSC::Wasm::Instance::table):
627         (JSC::Wasm::Instance::loadI32Global const):
628         (JSC::Wasm::Instance::loadI64Global const):
629         (JSC::Wasm::Instance::loadF32Global const):
630         (JSC::Wasm::Instance::loadF64Global const):
631         (JSC::Wasm::Instance::setGlobal):
632         (JSC::Wasm::Instance::offsetOfCachedStackLimit):
633         (JSC::Wasm::Instance::cachedStackLimit const):
634         (JSC::Wasm::Instance::setCachedStackLimit):
635         * wasm/WasmMemory.cpp:
636         (JSC::Wasm::Memory::Memory):
637         (JSC::Wasm::Memory::create):
638         (JSC::Wasm::Memory::~Memory):
639         (JSC::Wasm::Memory::grow):
640         * wasm/WasmMemory.h:
641         (JSC::Wasm::Memory::offsetOfMemory):
642         (JSC::Wasm::Memory::offsetOfSize):
643         * wasm/WasmMemoryInformation.cpp:
644         (JSC::Wasm::PinnedRegisterInfo::get):
645         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
646         * wasm/WasmMemoryInformation.h:
647         (JSC::Wasm::PinnedRegisterInfo::toSave const):
648         * wasm/WasmMemoryMode.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
649         (JSC::Wasm::makeString):
650         * wasm/WasmMemoryMode.h: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
651         * wasm/WasmModule.cpp:
652         (JSC::Wasm::makeValidationCallback):
653         (JSC::Wasm::Module::validateSync):
654         (JSC::Wasm::Module::validateAsync):
655         (JSC::Wasm::Module::getOrCreateCodeBlock):
656         (JSC::Wasm::Module::compileSync):
657         (JSC::Wasm::Module::compileAsync):
658         * wasm/WasmModule.h:
659         * wasm/WasmModuleParser.cpp:
660         (JSC::Wasm::ModuleParser::parseTableHelper):
661         * wasm/WasmOMGPlan.cpp:
662         (JSC::Wasm::OMGPlan::OMGPlan):
663         (JSC::Wasm::OMGPlan::runForIndex):
664         * wasm/WasmOMGPlan.h:
665         * wasm/WasmPageCount.h:
666         (JSC::Wasm::PageCount::isValid const):
667         * wasm/WasmPlan.cpp:
668         (JSC::Wasm::Plan::Plan):
669         (JSC::Wasm::Plan::runCompletionTasks):
670         (JSC::Wasm::Plan::addCompletionTask):
671         (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
672         * wasm/WasmPlan.h:
673         (JSC::Wasm::Plan::dontFinalize):
674         * wasm/WasmSignature.cpp:
675         * wasm/WasmSignature.h:
676         * wasm/WasmTable.cpp: Added.
677         (JSC::Wasm::Table::create):
678         (JSC::Wasm::Table::~Table):
679         (JSC::Wasm::Table::Table):
680         (JSC::Wasm::Table::grow):
681         (JSC::Wasm::Table::clearFunction):
682         (JSC::Wasm::Table::setFunction):
683         * wasm/WasmTable.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h.
684         (JSC::Wasm::Table::maximum const):
685         (JSC::Wasm::Table::size const):
686         (JSC::Wasm::Table::offsetOfSize):
687         (JSC::Wasm::Table::offsetOfFunctions):
688         (JSC::Wasm::Table::offsetOfInstances):
689         (JSC::Wasm::Table::isValidSize):
690         * wasm/WasmThunks.cpp:
691         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
692         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
693         (JSC::Wasm::Thunks::setThrowWasmException):
694         (JSC::Wasm::Thunks::throwWasmException):
695         * wasm/WasmThunks.h:
696         * wasm/WasmWorklist.cpp:
697         (JSC::Wasm::Worklist::stopAllPlansForContext):
698         * wasm/WasmWorklist.h:
699         * wasm/js/JSToWasm.cpp: Added.
700         (JSC::Wasm::createJSToWasmWrapper):
701         * wasm/js/JSToWasm.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
702         * wasm/js/JSWebAssembly.cpp: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.cpp.
703         * wasm/js/JSWebAssembly.h: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.h.
704         * wasm/js/JSWebAssemblyCodeBlock.cpp:
705         (JSC::JSWebAssemblyCodeBlock::create):
706         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
707         * wasm/js/JSWebAssemblyCodeBlock.h:
708         * wasm/js/JSWebAssemblyInstance.cpp:
709         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
710         (JSC::JSWebAssemblyInstance::finishCreation):
711         (JSC::JSWebAssemblyInstance::visitChildren):
712         (JSC::JSWebAssemblyInstance::finalizeCreation):
713         (JSC::JSWebAssemblyInstance::create):
714         * wasm/js/JSWebAssemblyInstance.h:
715         (JSC::JSWebAssemblyInstance::instance):
716         (JSC::JSWebAssemblyInstance::context const):
717         (JSC::JSWebAssemblyInstance::table):
718         (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee):
719         (JSC::JSWebAssemblyInstance::setMemory):
720         (JSC::JSWebAssemblyInstance::offsetOfTail):
721         (JSC::JSWebAssemblyInstance::importFunctionInfo):
722         (JSC::JSWebAssemblyInstance::offsetOfTargetInstance):
723         (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint):
724         (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
725         (JSC::JSWebAssemblyInstance::importFunction):
726         (JSC::JSWebAssemblyInstance::internalMemory):
727         (JSC::JSWebAssemblyInstance::wasmCodeBlock const):
728         (JSC::JSWebAssemblyInstance::offsetOfWasmTable):
729         (JSC::JSWebAssemblyInstance::offsetOfCallee):
730         (JSC::JSWebAssemblyInstance::offsetOfGlobals):
731         (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock):
732         (JSC::JSWebAssemblyInstance::offsetOfWasmMemory):
733         (JSC::JSWebAssemblyInstance::cachedStackLimit const):
734         (JSC::JSWebAssemblyInstance::setCachedStackLimit):
735         (JSC::JSWebAssemblyInstance::wasmMemory):
736         (JSC::JSWebAssemblyInstance::wasmModule):
737         (JSC::JSWebAssemblyInstance::allocationSize):
738         (JSC::JSWebAssemblyInstance::module const):
739         * wasm/js/JSWebAssemblyMemory.cpp:
740         (JSC::JSWebAssemblyMemory::create):
741         (JSC::JSWebAssemblyMemory::adopt):
742         (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
743         (JSC::JSWebAssemblyMemory::grow):
744         (JSC::JSWebAssemblyMemory::growSuccessCallback):
745         * wasm/js/JSWebAssemblyMemory.h:
746         * wasm/js/JSWebAssemblyModule.cpp:
747         (JSC::JSWebAssemblyModule::moduleInformation const):
748         (JSC::JSWebAssemblyModule::exportSymbolTable const):
749         (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace const):
750         (JSC::JSWebAssemblyModule::callee const):
751         (JSC::JSWebAssemblyModule::codeBlock):
752         (JSC::JSWebAssemblyModule::module):
753         * wasm/js/JSWebAssemblyModule.h:
754         * wasm/js/JSWebAssemblyTable.cpp:
755         (JSC::JSWebAssemblyTable::create):
756         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
757         (JSC::JSWebAssemblyTable::visitChildren):
758         (JSC::JSWebAssemblyTable::grow):
759         (JSC::JSWebAssemblyTable::getFunction):
760         (JSC::JSWebAssemblyTable::clearFunction):
761         (JSC::JSWebAssemblyTable::setFunction):
762         * wasm/js/JSWebAssemblyTable.h:
763         (JSC::JSWebAssemblyTable::isValidSize):
764         (JSC::JSWebAssemblyTable::maximum const):
765         (JSC::JSWebAssemblyTable::size const):
766         (JSC::JSWebAssemblyTable::table):
767         * wasm/js/WasmToJS.cpp: Copied from Source/JavaScriptCore/wasm/WasmBinding.cpp.
768         (JSC::Wasm::materializeImportJSCell):
769         (JSC::Wasm::wasmToJS):
770         (JSC::Wasm::wasmToJSException):
771         * wasm/js/WasmToJS.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
772         * wasm/js/WebAssemblyFunction.cpp:
773         (JSC::callWebAssemblyFunction):
774         * wasm/js/WebAssemblyInstanceConstructor.cpp:
775         (JSC::constructJSWebAssemblyInstance):
776         * wasm/js/WebAssemblyMemoryConstructor.cpp:
777         (JSC::constructJSWebAssemblyMemory):
778         * wasm/js/WebAssemblyMemoryPrototype.cpp:
779         (JSC::webAssemblyMemoryProtoFuncGrow):
780         * wasm/js/WebAssemblyModuleConstructor.cpp:
781         (JSC::constructJSWebAssemblyModule):
782         (JSC::WebAssemblyModuleConstructor::createModule):
783         * wasm/js/WebAssemblyModuleConstructor.h:
784         * wasm/js/WebAssemblyModuleRecord.cpp:
785         (JSC::WebAssemblyModuleRecord::link):
786         (JSC::WebAssemblyModuleRecord::evaluate):
787         * wasm/js/WebAssemblyPrototype.cpp:
788         (JSC::webAssemblyCompileFunc):
789         (JSC::instantiate):
790         (JSC::compileAndInstantiate):
791         (JSC::webAssemblyValidateFunc):
792         * wasm/js/WebAssemblyTableConstructor.cpp:
793         (JSC::constructJSWebAssemblyTable):
794         * wasm/js/WebAssemblyWrapperFunction.cpp:
795         (JSC::WebAssemblyWrapperFunction::create):
796
797 2017-10-02  Keith Miller  <keith_miller@apple.com>
798
799         VMTraps shouldn't crash if it sees an exception it doesn't understand.
800         https://bugs.webkit.org/show_bug.cgi?id=177780
801
802         Reviewed by Mark Lam.
803
804         VMTraps could see a JIT breakpoint (SegV) for any number of
805         reasons it doesn't understand. e.g.  a bug in JIT code, Wasm OOB,
806         etc. This patch makes it handle that case gracefully. It's worth
807         noting that this means there's no way to know if, due to a bug, we
808         didn't accurately track all the VMTraps we installed. I'm not sure
809         if there is a good solution to that problem though.
810
811         * runtime/VMTraps.cpp:
812
813 2017-10-02  Saam Barati  <sbarati@apple.com>
814
815         Unreviewed. Add missing exception check for the custom-get-set-inline-caching-one-level-up-proto-chain.js
816         test that I added. It uncovered a pre-existing missing exception check.
817
818         * runtime/JSObject.cpp:
819         (JSC::JSObject::putInlineSlow):
820
821 2017-10-02  Joseph Pecoraro  <pecoraro@apple.com>
822
823         Web Inspector: Include Beacon and Ping requests in Network tab
824         https://bugs.webkit.org/show_bug.cgi?id=177641
825         <rdar://problem/33086839>
826
827         Reviewed by Chris Dumez.
828
829         * inspector/protocol/Page.json:
830         Include new "Beacon" and "Ping" resource types.
831
832 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
833
834         ChakraCore/test/Function/apply3.js is producing the wrong result on x86_64
835         https://bugs.webkit.org/show_bug.cgi?id=175642
836
837         Reviewed by Darin Adler.
838
839         According to the JS spec, the ToLength operation[1] has a range of 0..(2^53)
840         - 1. In Interpreter.cpp::sizeFrameForVarargs, the call to
841         sizeOfVarargs() was being assigned to "unsigned length", forcing a
842         type cast that results in different values among the architectures JSC supports.
843         For instance, on x86_64 "4294967295 + 1" results in 0, while on ARMv6 it
844         results in 4294967295. This patch changes "sizeOfVarargs" to clamp the
845         result from "toLength" to unsigned and thereby get the desired behavior on
846         all supported platforms.
847
848         [1] - https://tc39.github.io/ecma262/#sec-tolength
849
850         * interpreter/Interpreter.cpp:
851         (JSC::sizeOfVarargs):
852         * interpreter/Interpreter.h:
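
The clamp this entry describes, as an added example that is not JavaScriptCore's own code: a spec-shaped ToLength followed by a saturating conversion to unsigned, in place of the truncating cast the entry describes. All function names are hypothetical.

```cpp
// Added example, not JavaScriptCore code: models the ToLength clamp that the
// entry above describes for sizeOfVarargs(). All names here are hypothetical.
#include <algorithm>
#include <climits>
#include <cmath>

// ECMAScript ToLength (https://tc39.github.io/ecma262/#sec-tolength):
// NaN, -0 and negatives become 0; everything else is floored and capped at
// 2^53 - 1. The result is kept as a double, as a JS "length" value would be.
double toLength(double value)
{
    const double maxSafeInteger = 9007199254740991.0; // 2^53 - 1
    if (std::isnan(value) || value <= 0)
        return 0;
    return std::min(std::floor(value), maxSafeInteger);
}

// The fix: saturate instead of casting. A plain static_cast<unsigned>(double)
// is undefined behaviour for values outside [0, UINT_MAX], which is why the
// entry saw 0 on x86_64 and 4294967295 on ARMv6 for "4294967295 + 1".
unsigned clampToUnsigned(double length)
{
    if (length >= static_cast<double>(UINT_MAX))
        return UINT_MAX;
    if (length <= 0)
        return 0;
    return static_cast<unsigned>(length);
}

// Hypothetical stand-in for the sizeOfVarargs() result after the patch: the
// "length" of the spread/apply arguments goes through ToLength and is then
// clamped, so a length of 2^32 can no longer wrap to 0 on any platform.
unsigned sizeOfVarargsClamped(double lengthProperty)
{
    return clampToUnsigned(toLength(lengthProperty));
}
```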
853
854 2017-10-02  Saam Barati  <sbarati@apple.com>
855
856         Unreviewed. Fix debug assertion after r222671. 
857
858         JSTestCustomGetterSetter::finishCreation needs to call its base's finishCreation implementation.
859
860         * jsc.cpp:
861         (JSTestCustomGetterSetter::finishCreation):
862
863 2017-10-01  Commit Queue  <commit-queue@webkit.org>
864
865         Unreviewed, rolling out r222564.
866         https://bugs.webkit.org/show_bug.cgi?id=177720
867
868         "It regressed JetStream by 2% on iOS caused by a 50%
869         regression on the bigfib subtest" (Requested by saamyjoon on
870         #webkit).
871
872         Reverted changeset:
873
874         "Add Above/Below comparisons for UInt32 patterns"
875         https://bugs.webkit.org/show_bug.cgi?id=177281
876         http://trac.webkit.org/changeset/222564
877
878 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
879
880         [DFG] Support ArrayPush with multiple args
881         https://bugs.webkit.org/show_bug.cgi?id=175823
882
883         Reviewed by Saam Barati.
884
887         This patch implements ArrayPush (with multiple arguments) in DFG and FTL. Previously, such calls were not handled
888         by ArrayPush. Instead they went to a generic direct call to Array#push, which runs in the slow path. This patch
889         extends ArrayPush to push multiple arguments in a bulk push manner.
890
891         The problem with ArrayPush is that we need to perform ArrayPush atomically: If an OSR exit occurs in the middle
892         of ArrayPush, we would incorrectly push the already pushed elements twice. Once we start pushing values, we should not exit.
893         But we do not want to iterate the elements twice, once for type checks and once for actually pushing them. That
894         could move elements between registers and memory back and forth.
895
896         This patch achieves the above goal by separating type checks from ArrayPush. When starting ArrayPush, type
897         checks for elements are already done by separately emitted Check nodes.
898
899         We also add JSArray::pushInline for DFG operations that just call JSArray::push. And we also use it in
900         arrayProtoFuncPush's fast path.
901
902         This patch significantly improves performance of `push(multiple args)`.
903
904                                             baseline                  patched
905             Microbenchmarks:
906                 array-push-0            461.8455+-28.9995    ^    151.3438+-6.5653        ^ definitely 3.0516x faster
907                 array-push-1            133.8845+-7.0349     ?    136.1775+-5.8327        ? might be 1.0171x slower
908                 array-push-2            675.6555+-13.4645    ^    145.8747+-6.4621        ^ definitely 4.6318x faster
909                 array-push-3            849.5284+-15.2540    ^    253.4421+-9.1249        ^ definitely 3.3520x faster
910
911                                             baseline                  patched
912             SixSpeed:
913                 spread-literal.es5       90.3482+-6.6514     ^     24.8123+-2.3304        ^ definitely 3.6413x faster
914
915         * dfg/DFGByteCodeParser.cpp:
916         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
917         * dfg/DFGFixupPhase.cpp:
918         (JSC::DFG::FixupPhase::fixupNode):
919         * dfg/DFGNodeType.h:
920         * dfg/DFGOperations.cpp:
921         * dfg/DFGOperations.h:
922         * dfg/DFGSpeculativeJIT.cpp:
923         (JSC::DFG::SpeculativeJIT::compileArrayPush):
924         * dfg/DFGSpeculativeJIT.h:
925         (JSC::DFG::SpeculativeJIT::callOperation):
926         * dfg/DFGSpeculativeJIT32_64.cpp:
927         (JSC::DFG::SpeculativeJIT::compile):
928         * dfg/DFGSpeculativeJIT64.cpp:
929         (JSC::DFG::SpeculativeJIT::compile):
930         * dfg/DFGStoreBarrierInsertionPhase.cpp:
931         * ftl/FTLLowerDFGToB3.cpp:
932         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
933         * jit/JITOperations.h:
934         * runtime/ArrayPrototype.cpp:
935         (JSC::arrayProtoFuncPush):
936         * runtime/JSArray.cpp:
937         (JSC::JSArray::push):
938         * runtime/JSArray.h:
939         * runtime/JSArrayInlines.h:
940         (JSC::JSArray::pushInline):
941
942 2017-09-29  Saam Barati  <sbarati@apple.com>
943
944         Custom GetterSetterAccessCase does not use the correct slotBase when making call
945         https://bugs.webkit.org/show_bug.cgi?id=177639
946
947         Reviewed by Geoffrey Garen.
948
949         The bug occurred when you had a custom set value. Custom set/get
950         values are passed the property holder, not the base of the access.
951         If we had an object chain like this:
952         o = {__proto__: thingWithCustomSetValue}
953         
954         We would end up not providing thingWithCustomSetValue as the argument
955         to the PutValueFunc. The reason is, we would use generateConditionsForPrototypePropertyHitCustom
956         for custom sets. This would return to us an empty ConditionSet, because
957         the property holder was only one level up the prototype chain. The reason
958         is, it didn't generate a condition for the slot holder, because the
959         protocol for custom set/get is that if an object responds to a custom
960         setter/getter, it will continue to respond to that getter/setter for
961         the lifetime of that object. Therefore, it's not strictly necessary to
962         generate an OPC for the slot base for custom accesses. However, AccessCase
963         uses !m_conditionSet.isEmpty() to indicate that the IC is doing a prototype
964         access. With the above object "o", we were doing a prototype access, but we
965         had an empty condition set. This led us to passing the base instead of
966         the property holder to the custom set value function, which is incorrect.
967         
968         With custom getters, we never called into the generateConditionsForPrototypePropertyHitCustom
969         API. Gets would always call into generateConditionsForPrototypePropertyHit, which
970         will generate an OPC on the slot base, even if it isn't strictly necessary for custom accessors.
971         This patch simply removes generateConditionsForPrototypePropertyHitCustom
972         and aligns the set case with the get case. It makes us properly detect
973         when we're doing a prototype access with the above object "o". If we find
974         that generateConditionsForPrototypePropertyHitCustom was a worthwhile
975         optimization to have, we can re-introduce it. We'll just need to pipe through
976         a new notion of when we're doing prototype accesses that doesn't rely solely
977         on !m_conditionSet.isEmpty().
978
979         * bytecode/ObjectPropertyConditionSet.cpp:
980         (JSC::generateConditionsForPrototypePropertyHitCustom): Deleted.
981         * bytecode/ObjectPropertyConditionSet.h:
982         * jit/Repatch.cpp:
983         (JSC::tryCachePutByID):
984         * jsc.cpp:
985         (JSTestCustomGetterSetter::JSTestCustomGetterSetter):
986         (JSTestCustomGetterSetter::create):
987         (JSTestCustomGetterSetter::createStructure):
988         (customGetAccessor):
989         (customGetValue):
990         (customSetAccessor):
991         (customSetValue):
992         (JSTestCustomGetterSetter::finishCreation):
993         (GlobalObject::finishCreation):
994         (functionLoadGetterFromGetterSetter):
995         (functionCreateCustomTestGetterSetter):
996         * runtime/PropertySlot.h:
997         (JSC::PropertySlot::setCustomGetterSetter):
998
999 2017-09-29  Commit Queue  <commit-queue@webkit.org>
1000
1001         Unreviewed, rolling out r222563, r222565, and r222581.
1002         https://bugs.webkit.org/show_bug.cgi?id=177675
1003
1004         "It causes a crash when playing youtube videos" (Requested by
1005         saamyjoon on #webkit).
1006
1007         Reverted changesets:
1008
1009         "[DFG] Support ArrayPush with multiple args"
1010         https://bugs.webkit.org/show_bug.cgi?id=175823
1011         http://trac.webkit.org/changeset/222563
1012
1013         "Unreviewed, build fix after r222563"
1014         https://bugs.webkit.org/show_bug.cgi?id=175823
1015         http://trac.webkit.org/changeset/222565
1016
1017         "Unreviewed, fix x86 breaking due to exhausted registers"
1018         https://bugs.webkit.org/show_bug.cgi?id=175823
1019         http://trac.webkit.org/changeset/222581
1020
1021 2017-09-29  Commit Queue  <commit-queue@webkit.org>
1022
1023         Unreviewed, rolling out r222625.
1024         https://bugs.webkit.org/show_bug.cgi?id=177664
1025
1026         causes crashes on iOS (Requested by pizlo-mbp on #webkit).
1027
1028         Reverted changeset:
1029
1030         "Enable gigacage on iOS"
1031         https://bugs.webkit.org/show_bug.cgi?id=177586
1032         http://trac.webkit.org/changeset/222625
1033
1034 2017-09-28  Mark Lam  <mark.lam@apple.com>
1035
1036         test262: Unexpected passes after r222617 and r222618.
1037         https://bugs.webkit.org/show_bug.cgi?id=177622
1038         <rdar://problem/34725960>
1039
1040         Reviewed by Saam Barati.
1041
1042         Now that these tests are marked as "normal", we will run them and discover a few
1043         missing exception checks.  This patch also adds those missing exception checks.
1044
1045         * runtime/DatePrototype.cpp:
1046         (JSC::fillStructuresUsingDateArgs):
1047
1048 2017-09-28  Filip Pizlo  <fpizlo@apple.com>
1049
1050         Enable gigacage on iOS
1051         https://bugs.webkit.org/show_bug.cgi?id=177586
1052
1053         Reviewed by Michael Saboff.
1054         
1055         The hardest part of enabling Gigacage on iOS is that it requires loading global variables while
1056         executing JS, so the LLInt needs to know how to load from global variables on all platforms that
1057         have Gigacage. So, this teaches ARM64 how to load from global variables.
1058
1059         * offlineasm/arm64.rb:
1060         * offlineasm/asm.rb:
1061         * offlineasm/instructions.rb:
1062
1063 2017-09-28  Mark Lam  <mark.lam@apple.com>
1064
1065         Add missing exception checks and book-keeping for exception check validation.
1066         https://bugs.webkit.org/show_bug.cgi?id=177609
1067         <rdar://problem/34717972>
1068
1069         Reviewed by Keith Miller.
1070
1071         This resolves exception check validation failures when running test262 tests and
1072         a few other tests.
1073
1074         * API/APIUtils.h:
1075         (handleExceptionIfNeeded):
1076         * API/JSObjectRef.cpp:
1077         (JSObjectMakeFunction):
1078         (JSObjectMakeArray):
1079         (JSObjectMakeDate):
1080         (JSObjectMakeError):
1081         (JSObjectMakeRegExp):
1082         (JSObjectSetPrototype):
1083         (JSObjectGetProperty):
1084         (JSObjectSetProperty):
1085         (JSObjectGetPropertyAtIndex):
1086         (JSObjectSetPropertyAtIndex):
1087         (JSObjectDeleteProperty):
1088         (JSObjectCallAsFunction):
1089         (JSObjectCallAsConstructor):
1090         * API/JSTypedArray.cpp:
1091         (JSObjectMakeTypedArray):
1092         (JSObjectMakeTypedArrayWithBytesNoCopy):
1093         (JSObjectMakeTypedArrayWithArrayBuffer):
1094         (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
1095         (JSObjectMakeArrayBufferWithBytesNoCopy):
1096         * API/JSValueRef.cpp:
1097         (JSValueIsEqual):
1098         (JSValueIsInstanceOfConstructor):
1099         (JSValueCreateJSONString):
1100         (JSValueToNumber):
1101         (JSValueToStringCopy):
1102         (JSValueToObject):
1103         * interpreter/Interpreter.cpp:
1104         (JSC::Interpreter::executeProgram):
1105         * llint/LLIntSlowPaths.cpp:
1106         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1107         * runtime/ArrayPrototype.cpp:
1108         (JSC::arrayProtoFuncIndexOf):
1109         (JSC::arrayProtoFuncLastIndexOf):
1110         * runtime/DatePrototype.cpp:
1111         (JSC::fillStructuresUsingTimeArgs):
1112         (JSC::setNewValueFromDateArgs):
1113         (JSC::dateProtoFuncSetYear):
1114         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1115         (JSC::constructGenericTypedArrayViewWithArguments):
1116         * runtime/JSModuleEnvironment.cpp:
1117         (JSC::JSModuleEnvironment::put):
1118         * runtime/ProgramExecutable.cpp:
1119         (JSC::ProgramExecutable::initializeGlobalProperties):
1120         * runtime/ProxyObject.cpp:
1121         (JSC::ProxyObject::toStringName):
1122         * runtime/StringPrototype.cpp:
1123         (JSC::stringProtoFuncCharAt):
1124         (JSC::stringProtoFuncCharCodeAt):
1125         (JSC::stringProtoFuncIndexOf):
1126         (JSC::stringProtoFuncLastIndexOf):
1127         (JSC::stringProtoFuncSlice):
1128         (JSC::stringProtoFuncSplitFast):
1129         (JSC::stringProtoFuncSubstr):
1130
1131 2017-09-27  Michael Saboff  <msaboff@apple.com>
1132
1133         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
1134         https://bugs.webkit.org/show_bug.cgi?id=177570
1135
1136         Reviewed by Filip Pizlo.
1137
1138         The change in r210837 neglected to change the check in Interpreter::backtrackParentheses() that
1139         greedy parentheses have backtracked as far as possible.  Prior to r210837, non-zero minimum greedy
1140         parentheses were factored into a fixed component and a zero-based variable component.  After
1141         r210837, the variable component is not zero based and the check needs to compare the
1142         backTrack->matchAmount with the quantity minimum count.
1143
1144         * yarr/YarrInterpreter.cpp:
1145         (JSC::Yarr::Interpreter::backtrackParentheses):
1146
1147 2017-09-28  Michael Saboff  <msaboff@apple.com>
1148
1149         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
1150         https://bugs.webkit.org/show_bug.cgi?id=177423
1151
1152         Reviewed by Mark Lam.
1153
1154         Updated fix that restructures the code by changing the do ... while to a while and adds another
1155         atEndOfPattern() check before looking for the first named group identifier character.
1156
1157         * yarr/YarrParser.h:
1158         (JSC::Yarr::Parser::tryConsumeGroupName):
1159
1160 2017-09-27  Mark Lam  <mark.lam@apple.com>
1161
1162         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
1163         https://bugs.webkit.org/show_bug.cgi?id=177584
1164         <rdar://problem/34463903>
1165
1166         Reviewed by Saam Barati.
1167
1168         If the source and destination arrays are the same, we may be copying overlapping
1169         regions.  Hence, we need to take the slow path.
1170
1171         * runtime/JSArrayInlines.h:
1172         (JSC::JSArray::canFastCopy):
1173
1174 2017-09-27  Saam Barati  <sbarati@apple.com>
1175
1176         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
1177         https://bugs.webkit.org/show_bug.cgi?id=177523
1178
1179         Reviewed by Mark Lam.
1180
1181         There was a bug in Structure's transition constructor where it didn't
1182         propagate forward the hasBeenFlattenedBefore bit. In practice, this meant
1183         that every time we asked a dictionary structure if it has been flattened
1184         before, it would return false. This patch fixes this bug. It also fixes
1185         a bug that this uncovers in our for-in implementation. Our implementation
1186         would cache the property name enumerator even when the prototype chain
1187         included a structure that is a dictionary. This is wrong because that
1188         prototype object may add properties without transitioning, and the for-in
1189         loop would vend a stale set of prototype properties.
1190
1191         * jit/JITOperations.cpp:
1192         * runtime/JSPropertyNameEnumerator.h:
1193         (JSC::propertyNameEnumerator):
1194         * runtime/Structure.cpp:
1195         (JSC::Structure::Structure):
1196         (JSC::Structure::canCachePropertyNameEnumerator const):
1197
1198 2017-09-27  Mark Lam  <mark.lam@apple.com>
1199
1200         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
1201         https://bugs.webkit.org/show_bug.cgi?id=177423
1202         <rdar://problem/34621320>
1203
1204         Reviewed by Keith Miller.
1205
1206         * yarr/YarrParser.h:
1207         (JSC::Yarr::Parser::tryConsumeGroupName):
1208
1209 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1210
1211         Unreviewed, fix x86 breaking due to exhausted registers
1212         https://bugs.webkit.org/show_bug.cgi?id=175823
1213
1214         * dfg/DFGByteCodeParser.cpp:
1215         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1216
1217 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1218
1219         Unreviewed, build fix after r222563
1220         https://bugs.webkit.org/show_bug.cgi?id=175823
1221
1222         * runtime/JSArrayInlines.h:
1223
1224 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1225
1226         Add Above/Below comparisons for UInt32 patterns
1227         https://bugs.webkit.org/show_bug.cgi?id=177281
1228
1229         Reviewed by Saam Barati.
1230
1231         Sometimes, we would like to have UInt32 operations in JS. While the VM does
1232         not support UInt32 nicely, it supports efficient Int32 operations. As long
1233         as signedness does not matter, we can just perform Int32 operations instead
1234         and recognize the result's bit pattern as UInt32.
1235
1236         But of course, some operations respect signedness. The most frequently
1237         used one is comparison. Octane/zlib performs UInt32 comparison by performing
1238         `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces
1239         UInt32 in Int32 form. And op_unsigned will generate Double value if
1240         the generated Int32 is < 0 (which should be UInt32).
1241
1242         There is a chance for optimization. The given code pattern is the following.
1243
1244             op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2))
1245
1246         This can be converted to the following.
1247
1248             op_urshift(@1) below:< op_urshift(@2)
1249
1250         The above conversion is nice since
1251
1252         1. We can avoid op_unsigned. This could be an unsignedness check in the DFG. Since
1253         this check depends on the value of Int32, dropping this check is not as easy as
1254         removing Int32 edge filters.
1255
1256         2. We can perform unsigned comparison in Int32 form. We do not need to convert
1257         them to DoubleRep.
1258
1259         Since the above comparison exists in Octane/zlib's *super* hot path, dropping
1260         op_unsigned offers a huge win.
1261
1262         At first, my patch attempted to convert the above in the DFG pipeline.
1263         However, it posed several problems.
1264
1265         1. MovHint is not well removed. It makes UInt32ToNumber (which is for op_unsigned) live.
1266         2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes,
1267
1268             2: UInt32ToNumber(@0)
1269             3: MovHint(@2, xxx)
1270             4: UInt32ToNumber(@1)
1271             5: MovHint(@1, xxx)
1272
1273         we could drop @5's MovHint. But @3 is difficult since @4 can exit.
1274
1275         So, instead, we start introducing a simple optimization in the bytecode compiler.
1276         It performs pattern matching for op_urshift and comparison to drop op_unsigned.
1277         We add op_below and op_above families to the bytecodes. They only accept Int32 and
1278         perform unsigned comparison.
1279
1280         This offers 4% performance improvement in Octane/zlib.
1281
1282                                     baseline                  patched
1283
1284         zlib           x2     431.07483+-16.28434       414.33407+-9.38375         might be 1.0404x faster
1285
1286         * bytecode/BytecodeDumper.cpp:
1287         (JSC::BytecodeDumper<Block>::printCompareJump):
1288         (JSC::BytecodeDumper<Block>::dumpBytecode):
1289         * bytecode/BytecodeDumper.h:
1290         * bytecode/BytecodeList.json:
1291         * bytecode/BytecodeUseDef.h:
1292         (JSC::computeUsesForBytecodeOffset):
1293         (JSC::computeDefsForBytecodeOffset):
1294         * bytecode/Opcode.h:
1295         (JSC::isBranch):
1296         * bytecode/PreciseJumpTargetsInlines.h:
1297         (JSC::extractStoredJumpTargetsForBytecodeOffset):
1298         * bytecompiler/BytecodeGenerator.cpp:
1299         (JSC::BytecodeGenerator::emitJumpIfTrue):
1300         (JSC::BytecodeGenerator::emitJumpIfFalse):
1301         * bytecompiler/NodesCodegen.cpp:
1302         (JSC::BinaryOpNode::emitBytecode):
1303         * dfg/DFGAbstractInterpreterInlines.h:
1304         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1305         * dfg/DFGByteCodeParser.cpp:
1306         (JSC::DFG::ByteCodeParser::parseBlock):
1307         * dfg/DFGCapabilities.cpp:
1308         (JSC::DFG::capabilityLevel):
1309         * dfg/DFGClobberize.h:
1310         (JSC::DFG::clobberize):
1311         * dfg/DFGDoesGC.cpp:
1312         (JSC::DFG::doesGC):
1313         * dfg/DFGFixupPhase.cpp:
1314         (JSC::DFG::FixupPhase::fixupNode):
1315         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1316         * dfg/DFGNodeType.h:
1317         * dfg/DFGPredictionPropagationPhase.cpp:
1318         * dfg/DFGSafeToExecute.h:
1319         (JSC::DFG::safeToExecute):
1320         * dfg/DFGSpeculativeJIT.cpp:
1321         (JSC::DFG::SpeculativeJIT::compileCompareUnsigned):
1322         * dfg/DFGSpeculativeJIT.h:
1323         * dfg/DFGSpeculativeJIT32_64.cpp:
1324         (JSC::DFG::SpeculativeJIT::compile):
1325         * dfg/DFGSpeculativeJIT64.cpp:
1326         (JSC::DFG::SpeculativeJIT::compile):
1327         * dfg/DFGStrengthReductionPhase.cpp:
1328         (JSC::DFG::StrengthReductionPhase::handleNode):
1329         * dfg/DFGValidate.cpp:
1330         * ftl/FTLCapabilities.cpp:
1331         (JSC::FTL::canCompile):
1332         * ftl/FTLLowerDFGToB3.cpp:
1333         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1334         (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow):
1335         (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq):
1336         * jit/JIT.cpp:
1337         (JSC::JIT::privateCompileMainPass):
1338         * jit/JIT.h:
1339         * jit/JITArithmetic.cpp:
1340         (JSC::JIT::emit_op_below):
1341         (JSC::JIT::emit_op_beloweq):
1342         (JSC::JIT::emit_op_jbelow):
1343         (JSC::JIT::emit_op_jbeloweq):
1344         (JSC::JIT::emit_compareUnsignedAndJump):
1345         (JSC::JIT::emit_compareUnsigned):
1346         * jit/JITArithmetic32_64.cpp:
1347         (JSC::JIT::emit_compareUnsignedAndJump):
1348         (JSC::JIT::emit_compareUnsigned):
1349         * llint/LowLevelInterpreter.asm:
1350         * llint/LowLevelInterpreter32_64.asm:
1351         * llint/LowLevelInterpreter64.asm:
1352         * parser/Nodes.h:
1353         (JSC::ExpressionNode::isBinaryOpNode const):
1354
1355 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1356
1357         [DFG] Support ArrayPush with multiple args
1358         https://bugs.webkit.org/show_bug.cgi?id=175823
1359
1360         Reviewed by Saam Barati.
1361
1362         This patch implements ArrayPush (with multiple arguments) in DFG and FTL. Previously, such pushes were
1363         not handled by ArrayPush; they went to a generic direct call to Array#push, which runs in the slow path.
1364         This patch extends ArrayPush to push multiple arguments in a bulk push manner.
1365
1366         The problem of ArrayPush is that we need to perform ArrayPush atomically: if an OSR exit occurs in the middle
1367         of ArrayPush, we would incorrectly push the already-pushed elements twice. Once we start pushing values, we should not exit.
1368         But we do not want to iterate elements twice, once for type checks and once for actually pushing it. It
1369         could move elements between registers and memory back and forth.
1370
1371         This patch achieves the above goal by separating type checks from ArrayPush. When starting ArrayPush, type
1372         checks for elements are already done by separately emitted Check nodes.
1373
1374         We also add JSArray::pushInline for DFG operations that just call JSArray::push, and we also use it in
1375         arrayProtoFuncPush's fast path.
1376
1377         This patch significantly improves performance of `push(multiple args)`.
1378
1379                                             baseline                  patched
1380             Microbenchmarks:
1381                 array-push-0            461.8455+-28.9995    ^    151.3438+-6.5653        ^ definitely 3.0516x faster
1382                 array-push-1            133.8845+-7.0349     ?    136.1775+-5.8327        ? might be 1.0171x slower
1383                 array-push-2            675.6555+-13.4645    ^    145.8747+-6.4621        ^ definitely 4.6318x faster
1384                 array-push-3            849.5284+-15.2540    ^    253.4421+-9.1249        ^ definitely 3.3520x faster
1385
1386                                             baseline                  patched
1387             SixSpeed:
1388                 spread-literal.es5       90.3482+-6.6514     ^     24.8123+-2.3304        ^ definitely 3.6413x faster
1389
1390         * dfg/DFGByteCodeParser.cpp:
1391         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1392         * dfg/DFGFixupPhase.cpp:
1393         (JSC::DFG::FixupPhase::fixupNode):
1394         * dfg/DFGNodeType.h:
1395         * dfg/DFGOperations.cpp:
1396         * dfg/DFGOperations.h:
1397         * dfg/DFGSpeculativeJIT.cpp:
1398         (JSC::DFG::SpeculativeJIT::compileArrayPush):
1399         * dfg/DFGSpeculativeJIT.h:
1400         (JSC::DFG::SpeculativeJIT::callOperation):
1401         * dfg/DFGSpeculativeJIT32_64.cpp:
1402         (JSC::DFG::SpeculativeJIT::compile):
1403         * dfg/DFGSpeculativeJIT64.cpp:
1404         (JSC::DFG::SpeculativeJIT::compile):
1405         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1406         * ftl/FTLLowerDFGToB3.cpp:
1407         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
1408         * jit/JITOperations.h:
1409         * runtime/ArrayPrototype.cpp:
1410         (JSC::arrayProtoFuncPush):
1411         * runtime/JSArray.cpp:
1412         (JSC::JSArray::push):
1413         * runtime/JSArray.h:
1414         * runtime/JSArrayInlines.h:
1415         (JSC::JSArray::pushInline):
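
        The atomicity concern above, as an added C++ model that is not JSC's code: an interleaved check-and-push leaves already-pushed elements behind when a mid-way speculation failure sends the call to the slow path, which then re-executes the whole push; checking every argument before any push avoids the duplication. The OsrExit exception, the Value type and the constructed arguments are assumptions for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <variant>
#include <vector>

// Added model (not JSC's code). A JS value is either an Int32 or a double;
// the fast path speculates that every pushed value is an Int32.
using Value = std::variant<int32_t, double>;

// Models an OSR exit: optimized code bails out and the slow path re-runs the
// whole Array#push call with the original arguments.
struct OsrExit {};

bool isInt32(const Value& v) { return std::holds_alternative<int32_t>(v); }

// The problematic shape: type check and push interleaved per element. If element k
// fails its check, elements 0..k-1 are already in the array, and the slow path that
// re-executes the push appends them a second time.
void interleavedCheckAndPush(std::vector<Value>& array, const std::vector<Value>& args)
{
    for (const Value& arg : args) {
        if (!isInt32(arg))
            throw OsrExit {};
        array.push_back(arg);
    }
}

// The patch's shape: all type checks first (modelling the separately emitted Check
// nodes), then a bulk push that cannot exit once it has started.
void checkThenBulkPush(std::vector<Value>& array, const std::vector<Value>& args)
{
    for (const Value& arg : args) {
        if (!isInt32(arg))
            throw OsrExit {};
    }
    // Nothing below can exit: grow the storage once and copy in bulk.
    array.reserve(array.size() + args.size());
    array.insert(array.end(), args.begin(), args.end());
}

// Generic slow path: accepts any values; this is what runs after an OSR exit.
void slowPathPush(std::vector<Value>& array, const std::vector<Value>& args)
{
    array.insert(array.end(), args.begin(), args.end());
}

// Runs one push through the given fast path, falling back to the slow path on exit,
// and returns the resulting array length.
template <typename FastPath>
std::size_t pushWithFallback(std::vector<Value>& array, const std::vector<Value>& args, FastPath fastPath)
{
    try {
        fastPath(array, args);
    } catch (const OsrExit&) {
        slowPathPush(array, args); // re-executes the whole push, as the real slow path would
    }
    return array.size();
}

// Constructed input (assumption): the third argument is a double, so the Int32
// speculation fails after two elements were already handled.
std::vector<Value> constructedArgs() { return { Value { 1 }, Value { 2 }, Value { 3.5 } }; }

std::size_t lengthAfterInterleavedPush()
{
    std::vector<Value> array { Value { 0 } };
    return pushWithFallback(array, constructedArgs(), interleavedCheckAndPush); // 6: 1 and 2 pushed twice
}

std::size_t lengthAfterCheckThenPush()
{
    std::vector<Value> array { Value { 0 } };
    return pushWithFallback(array, constructedArgs(), checkThenBulkPush); // 4: correct
}
```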
1416
1417 2017-09-26  Joseph Pecoraro  <pecoraro@apple.com>
1418
1419         Web Inspector: Remove unused parameter of Page.reload
1420         https://bugs.webkit.org/show_bug.cgi?id=177522
1421
1422         Reviewed by Matt Baker.
1423
1424         * inspector/protocol/Page.json:
1425
1426 2017-09-26  Filip Pizlo  <fpizlo@apple.com>
1427
1428         Put g_gigacageBasePtr into its own page and make it read-only
1429         https://bugs.webkit.org/show_bug.cgi?id=174972
1430
1431         Reviewed by Michael Saboff.
1432         
1433         C++ code doesn't have to know about this change. That includes C++ code that generates JIT code.
1434         
1435         But the offline assembler now needs to know about how to load from offsets of global variables.
1436         This turned out to be easy to support by extending the existing expression support.
1437
1438         * llint/LowLevelInterpreter64.asm:
1439         * offlineasm/ast.rb:
1440         * offlineasm/parser.rb:
1441         * offlineasm/transform.rb:
1442         * offlineasm/x86.rb:
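
        The hardening idea in the title, as an added C++ illustration that is not JSC's or bmalloc's code: a security-critical global is placed in its own page and that page is made read-only after initialization, so a later memory-corruption bug cannot redirect the cage base pointer, while readers in C++ or JIT-generated code keep loading it unchanged. The mprotect mechanism, the page-size bound and all names are assumptions for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <sys/mman.h>

// Added illustration (not JSC's code). The global is padded and aligned so that it
// occupies whole pages of its own; no other variable can share those pages.
namespace {

// Upper bound on the page size (assumption): covers 4K, 16K and 64K page systems.
constexpr std::size_t kPageSizeUpperBound = 65536;

struct alignas(kPageSizeUpperBound) ProtectedGlobals {
    std::uintptr_t gigacageBasePtr;
    unsigned char padding[kPageSizeUpperBound - sizeof(std::uintptr_t)];
};
static_assert(sizeof(ProtectedGlobals) == kPageSizeUpperBound, "must span whole pages");

ProtectedGlobals g_protectedGlobals = {};

// Bookkeeping only; this flag lives outside the protected page and is not itself hardened.
bool g_locked = false;

} // namespace

// Set the base pointer exactly once, then drop write permission on its page.
// Returns false if called again after locking, or if mprotect fails.
bool initializeGigacageBasePtr(std::uintptr_t base)
{
    if (g_locked)
        return false; // a second write would fault; refuse explicitly instead
    g_protectedGlobals.gigacageBasePtr = base;
    if (mprotect(&g_protectedGlobals, sizeof(g_protectedGlobals), PROT_READ) != 0)
        return false;
    g_locked = true;
    return true;
}

// Readers are unaffected by the protection: they just load through the global.
std::uintptr_t gigacageBasePtr() { return g_protectedGlobals.gigacageBasePtr; }

bool gigacageBasePtrIsLocked() { return g_locked; }
```

After the lock, any write to the page (including from corrupted code paths) faults instead of silently changing the cage base.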
1443
1444 2017-09-26  Commit Queue  <commit-queue@webkit.org>
1445
1446         Unreviewed, rolling out r222518.
1447         https://bugs.webkit.org/show_bug.cgi?id=177507
1448
1449         Break the High Sierra build (Requested by yusukesuzuki on
1450         #webkit).
1451
1452         Reverted changeset:
1453
1454         "Add Above/Below comparisons for UInt32 patterns"
1455         https://bugs.webkit.org/show_bug.cgi?id=177281
1456         http://trac.webkit.org/changeset/222518
1457
1458 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1459
1460         Add Above/Below comparisons for UInt32 patterns
1461         https://bugs.webkit.org/show_bug.cgi?id=177281
1462
1463         Reviewed by Saam Barati.
1464
1465         Sometimes, we would like to have UInt32 operations in JS. While the VM does
1466         not support UInt32 nicely, it supports efficient Int32 operations. As long
1467         as signedness does not matter, we can just perform Int32 operations instead
1468         and recognize the result's bit pattern as UInt32.
1469
1470         But of course, some operations respect signedness. The most frequently
1471         used one is comparison. Octane/zlib performs UInt32 comparison by performing
1472         `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces
1473         UInt32 in Int32 form. And op_unsigned will generate Double value if
1474         the generated Int32 is < 0 (which should be UInt32).
1475
1476         There is a chance for optimization. The given code pattern is the following.
1477
1478             op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2))
1479
1480         This can be converted to the following.
1481
1482             op_urshift(@1) below:< op_urshift(@2)
1483
1484         The above conversion is nice since
1485
1486         1. We can avoid op_unsigned. This could be an unsignedness check in the DFG. Since
1487         this check depends on the value of Int32, dropping this check is not as easy as
1488         removing Int32 edge filters.
1489
1490         2. We can perform unsigned comparison in Int32 form. We do not need to convert
1491         them to DoubleRep.
1492
1493         Since the above comparison exists in Octane/zlib's *super* hot path, dropping
1494         op_unsigned offers a huge win.
1495
1496         At first, my patch attempted to convert the above in the DFG pipeline.
1497         However, it posed several problems.
1498
1499         1. MovHint is not well removed. It makes UInt32ToNumber (which is for op_unsigned) live.
1500         2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes,
1501
1502             2: UInt32ToNumber(@0)
1503             3: MovHint(@2, xxx)
1504             4: UInt32ToNumber(@1)
1505             5: MovHint(@1, xxx)
1506
1507         we could drop @5's MovHint. But @3 is difficult since @4 can exit.
1508
1509         So, instead, we start introducing a simple optimization in the bytecode compiler.
1510         It performs pattern matching for op_urshift and comparison to drop op_unsigned.
1511         We add op_below and op_above families to the bytecodes. They only accept Int32 and
1512         perform unsigned comparison.
1513
1514         This offers 4% performance improvement in Octane/zlib.
1515
1516                                     baseline                  patched
1517
1518         zlib           x2     431.07483+-16.28434       414.33407+-9.38375         might be 1.0404x faster
1519
1520         * bytecode/BytecodeDumper.cpp:
1521         (JSC::BytecodeDumper<Block>::printCompareJump):
1522         (JSC::BytecodeDumper<Block>::dumpBytecode):
1523         * bytecode/BytecodeDumper.h:
1524         * bytecode/BytecodeList.json:
1525         * bytecode/BytecodeUseDef.h:
1526         (JSC::computeUsesForBytecodeOffset):
1527         (JSC::computeDefsForBytecodeOffset):
1528         * bytecode/Opcode.h:
1529         (JSC::isBranch):
1530         * bytecode/PreciseJumpTargetsInlines.h:
1531         (JSC::extractStoredJumpTargetsForBytecodeOffset):
1532         * bytecompiler/BytecodeGenerator.cpp:
1533         (JSC::BytecodeGenerator::emitJumpIfTrue):
1534         (JSC::BytecodeGenerator::emitJumpIfFalse):
1535         * bytecompiler/NodesCodegen.cpp:
1536         (JSC::BinaryOpNode::emitBytecode):
1537         * dfg/DFGAbstractInterpreterInlines.h:
1538         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1539         * dfg/DFGByteCodeParser.cpp:
1540         (JSC::DFG::ByteCodeParser::parseBlock):
1541         * dfg/DFGCapabilities.cpp:
1542         (JSC::DFG::capabilityLevel):
1543         * dfg/DFGClobberize.h:
1544         (JSC::DFG::clobberize):
1545         * dfg/DFGDoesGC.cpp:
1546         (JSC::DFG::doesGC):
1547         * dfg/DFGFixupPhase.cpp:
1548         (JSC::DFG::FixupPhase::fixupNode):
1549         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1550         * dfg/DFGNodeType.h:
1551         * dfg/DFGPredictionPropagationPhase.cpp:
1552         * dfg/DFGSafeToExecute.h:
1553         (JSC::DFG::safeToExecute):
1554         * dfg/DFGSpeculativeJIT.cpp:
1555         (JSC::DFG::SpeculativeJIT::compileCompareUnsigned):
1556         * dfg/DFGSpeculativeJIT.h:
1557         * dfg/DFGSpeculativeJIT32_64.cpp:
1558         (JSC::DFG::SpeculativeJIT::compile):
1559         * dfg/DFGSpeculativeJIT64.cpp:
1560         (JSC::DFG::SpeculativeJIT::compile):
1561         * dfg/DFGStrengthReductionPhase.cpp:
1562         (JSC::DFG::StrengthReductionPhase::handleNode):
1563         * dfg/DFGValidate.cpp:
1564         * ftl/FTLCapabilities.cpp:
1565         (JSC::FTL::canCompile):
1566         * ftl/FTLLowerDFGToB3.cpp:
1567         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1568         (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow):
1569         (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq):
1570         * jit/JIT.cpp:
1571         (JSC::JIT::privateCompileMainPass):
1572         * jit/JIT.h:
1573         * jit/JITArithmetic.cpp:
1574         (JSC::JIT::emit_op_below):
1575         (JSC::JIT::emit_op_beloweq):
1576         (JSC::JIT::emit_op_jbelow):
1577         (JSC::JIT::emit_op_jbeloweq):
1578         (JSC::JIT::emit_compareUnsignedAndJump):
1579         (JSC::JIT::emit_compareUnsigned):
1580         * jit/JITArithmetic32_64.cpp:
1581         (JSC::JIT::emit_compareUnsignedAndJump):
1582         (JSC::JIT::emit_compareUnsigned):
1583         * llint/LowLevelInterpreter.asm:
1584         * llint/LowLevelInterpreter32_64.asm:
1585         * llint/LowLevelInterpreter64.asm:
1586         * parser/Nodes.h:
1587         (JSC::ExpressionNode::isBinaryOpNode const):
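
        The bytecode rewrite described in this entry and in its earlier (rolled-out) landing above, as an added C++ model that is not JSC's code: op_urshift keeps the `>>> 0` result in Int32 form, op_unsigned widens a negative Int32 to the double it stands for, and op_below compares the Int32 forms as unsigned, so the rewrite gives the same answer without ever producing a double. The function names and the edge-value sample set are assumptions for this example.

```cpp
#include <cstdint>

// Added model (not JSC's code) of the bytecode pattern this entry optimizes.

// op_urshift: `val >>> shift` computes an unsigned 32-bit result, but the bytecode
// keeps it in Int32 form, i.e. the same 32 bits reinterpreted as signed.
int32_t opUrshift(int32_t val, uint32_t shift)
{
    return static_cast<int32_t>(static_cast<uint32_t>(val) >> (shift & 31));
}

// op_unsigned: converts the Int32-form result to the JS number it represents.
// If the Int32 is negative, the true value is >= 2^31 and must become a double.
double opUnsigned(int32_t int32Form)
{
    if (int32Form < 0)
        return static_cast<double>(static_cast<uint32_t>(int32Form)); // e.g. -1 -> 4294967295.0
    return static_cast<double>(int32Form);
}

// Original pattern: op_unsigned(op_urshift(@1)) < op_unsigned(op_urshift(@2)), compared as numbers.
bool lessThanViaUnsigned(int32_t a, int32_t b)
{
    return opUnsigned(opUrshift(a, 0)) < opUnsigned(opUrshift(b, 0));
}

// Rewritten pattern: op_urshift(@1) below op_urshift(@2), an unsigned compare on Int32 form.
bool opBelow(int32_t lhs, int32_t rhs)
{
    return static_cast<uint32_t>(lhs) < static_cast<uint32_t>(rhs);
}

bool opBelowEq(int32_t lhs, int32_t rhs)
{
    return static_cast<uint32_t>(lhs) <= static_cast<uint32_t>(rhs);
}

bool belowViaUrshift(int32_t a, int32_t b)
{
    return opBelow(opUrshift(a, 0), opUrshift(b, 0));
}

// Checks that the rewrite is semantics-preserving on edge values (assumed sample set),
// including the values where signed and unsigned comparison disagree.
bool rewriteIsEquivalentOnEdgeValues()
{
    const int32_t samples[] = { 0, 1, 2, -1, -2, INT32_MAX, INT32_MIN, INT32_MIN + 1 };
    for (int32_t a : samples) {
        for (int32_t b : samples) {
            if (lessThanViaUnsigned(a, b) != belowViaUrshift(a, b))
                return false;
            if ((opUnsigned(opUrshift(a, 0)) <= opUnsigned(opUrshift(b, 0)))
                != opBelowEq(opUrshift(a, 0), opUrshift(b, 0)))
                return false;
        }
    }
    return true;
}

// Why a plain signed Int32 compare is not a valid replacement: in JS,
// (-1 >>> 0) < (1 >>> 0) is false because -1 >>> 0 is 4294967295.
bool signedCompareWouldBeWrong()
{
    int32_t a = -1, b = 1;
    return (a < b) && !belowViaUrshift(a, b);
}
```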
1588
1589 2017-09-24  Keith Miller  <keith_miller@apple.com>
1590
1591         JSC build should use unified sources for derived sources
1592         https://bugs.webkit.org/show_bug.cgi?id=177421
1593
1594         Reviewed by JF Bastien.
1595
1596         This patch makes a couple of changes:
1597
1598         1) Make derived sources get added to the relevant bundles. I was going to add JSCBuiltins.cpp
1599         to runtime, but that kept breaking the Windows build. I'll get back to it later.
1600         2) Move the derived location of some sources both for clarity and for ease of use.
1601         3) Make auto generator scripts able to create directories if needed.
1602         4) Move some scripts from the top level of the JavaScriptCore directory to a
1603         more appropriate directory.
1604         5) Move some CMake generation commands around for clarity.
1605
1606         * CMakeLists.txt:
1607         * DerivedSources.make:
1608         * JavaScriptCore.xcodeproj/project.pbxproj:
1609         * Scripts/lazywriter.py:
1610         (LazyFileWriter.close):
1611         * Sources.txt:
1612         * inspector/scripts/generate-inspector-protocol-bindings.py:
1613         (IncrementalFileWriter.close):
1614         * yarr/create_regex_tables: Renamed from Source/JavaScriptCore/create_regex_tables.
1615         * yarr/generateYarrCanonicalizeUnicode: Renamed from Source/JavaScriptCore/generateYarrCanonicalizeUnicode.
1616
1617 2017-09-26  Zan Dobersek  <zdobersek@igalia.com>
1618
1619         Support building JavaScriptCore with the Bionic C library
1620         https://bugs.webkit.org/show_bug.cgi?id=177427
1621
1622         Reviewed by Michael Catanzaro.
1623
1624         When compiling with the Bionic C library, the MachineContext.h header
1625         should enable the same code paths that are enabled for the GNU C library.
1626
1627         The Bionic C library defines the __BIONIC__ macro, but unlike other C
1628         libraries that mimic the GNU one, it doesn't define __GLIBC__. So the
1629         __BIONIC__ macro checks have to match the __GLIBC__ ones.
1630
1631         * runtime/MachineContext.h:
1632         (JSC::MachineContext::stackPointer):
1633         (JSC::MachineContext::framePointer):
1634         (JSC::MachineContext::instructionPointer):
1635         (JSC::MachineContext::argumentPointer<1>):
1636         (JSC::MachineContext::llintInstructionPointer):
1637
1638 2017-09-25  Devin Rousso  <webkit@devinrousso.com>
1639
1640         Web Inspector: move Console.addInspectedNode to DOM.setInspectedNode
1641         https://bugs.webkit.org/show_bug.cgi?id=176827
1642
1643         Reviewed by Joseph Pecoraro.
1644
1645         * inspector/agents/InspectorConsoleAgent.h:
1646
1647         * inspector/agents/JSGlobalObjectConsoleAgent.h:
1648         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
1649         (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode): Deleted.
1650
1651         * inspector/protocol/Console.json:
1652         * inspector/protocol/DOM.json:
1653
1654 2017-09-25  Ryan Haddad  <ryanhaddad@apple.com>
1655
1656         Unreviewed, rebaseline builtins generator tests after r222473.
1657
1658         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1659
1660 2017-09-25  Alex Christensen  <achristensen@webkit.org>
1661
1662         Make Attribute an enum class
1663         https://bugs.webkit.org/show_bug.cgi?id=177414
1664
1665         Reviewed by Yusuke Suzuki.
1666
1667         I've had enough of these naming collisions.  This is what enum classes are for.
1668         Unfortunately a lot of static_cast<unsigned> is necessary until those functions take
1669         an OptionSet<Attribute> instead of an unsigned parameter, but this is a big step
1670         towards where we ought to be.
1671
1672         * API/JSCallbackObjectFunctions.h:
1673         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
1674         * API/JSObjectRef.cpp:
1675         (JSObjectMakeConstructor):
1676         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
1677         (BuiltinsInternalsWrapperImplementationGenerator.property_macro):
1678         * bytecode/GetByIdStatus.cpp:
1679         (JSC::GetByIdStatus::computeFromLLInt):
1680         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1681         (JSC::GetByIdStatus::computeFor):
1682         * bytecode/PropertyCondition.cpp:
1683         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1684         (JSC::PropertyCondition::isValidValueForAttributes):
1685         * bytecode/PutByIdStatus.cpp:
1686         (JSC::PutByIdStatus::computeFor):
1687         * bytecompiler/BytecodeGenerator.cpp:
1688         (JSC::BytecodeGenerator::instantiateLexicalVariables):
1689         (JSC::BytecodeGenerator::variable):
1690         * bytecompiler/BytecodeGenerator.h:
1691         (JSC::Variable::isReadOnly const):
1692         (JSC::Variable::setIsReadOnly):
1693         * bytecompiler/NodesCodegen.cpp:
1694         (JSC::PropertyListNode::emitBytecode):
1695         * create_hash_table:
1696         * debugger/DebuggerScope.cpp:
1697         (JSC::DebuggerScope::getOwnPropertySlot):
1698         * dfg/DFGOperations.cpp:
1699         * inspector/JSInjectedScriptHostPrototype.cpp:
1700         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1701         * inspector/JSJavaScriptCallFramePrototype.cpp:
1702         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
1703         * jit/Repatch.cpp:
1704         (JSC::tryCacheGetByID):
1705         * jsc.cpp:
1706         (WTF::CustomGetter::getOwnPropertySlot):
1707         (WTF::RuntimeArray::getOwnPropertySlot):
1708         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
1709         (WTF::DOMJITGetter::finishCreation):
1710         (WTF::DOMJITGetterComplex::finishCreation):
1711         (WTF::DOMJITFunctionObject::finishCreation):
1712         (WTF::DOMJITCheckSubClassObject::finishCreation):
1713         (GlobalObject::finishCreation):
1714         * runtime/ArrayConstructor.cpp:
1715         (JSC::ArrayConstructor::finishCreation):
1716         * runtime/ArrayIteratorPrototype.cpp:
1717         (JSC::ArrayIteratorPrototype::finishCreation):
1718         * runtime/ArrayPrototype.cpp:
1719         (JSC::ArrayPrototype::finishCreation):
1720         * runtime/AsyncFromSyncIteratorPrototype.cpp:
1721         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
1722         * runtime/AsyncFunctionConstructor.cpp:
1723         (JSC::AsyncFunctionConstructor::finishCreation):
1724         * runtime/AsyncFunctionPrototype.cpp:
1725         (JSC::AsyncFunctionPrototype::finishCreation):
1726         * runtime/AsyncGeneratorFunctionConstructor.cpp:
1727         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
1728         * runtime/AsyncGeneratorFunctionPrototype.cpp:
1729         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
1730         * runtime/AsyncGeneratorPrototype.cpp:
1731         (JSC::AsyncGeneratorPrototype::finishCreation):
1732         * runtime/AsyncIteratorPrototype.cpp:
1733         (JSC::AsyncIteratorPrototype::finishCreation):
1734         * runtime/AtomicsObject.cpp:
1735         (JSC::AtomicsObject::finishCreation):
1736         * runtime/BooleanConstructor.cpp:
1737         (JSC::BooleanConstructor::finishCreation):
1738         * runtime/ClonedArguments.cpp:
1739         (JSC::ClonedArguments::createStructure):
1740         (JSC::ClonedArguments::getOwnPropertySlot):
1741         (JSC::ClonedArguments::materializeSpecials):
1742         * runtime/CommonSlowPaths.cpp:
1743         (JSC::SLOW_PATH_DECL):
1744         * runtime/ConsoleObject.cpp:
1745         (JSC::ConsoleObject::finishCreation):
1746         * runtime/DateConstructor.cpp:
1747         (JSC::DateConstructor::finishCreation):
1748         * runtime/DatePrototype.cpp:
1749         (JSC::DatePrototype::finishCreation):
1750         * runtime/DirectArguments.cpp:
1751         (JSC::DirectArguments::overrideThings):
1752         * runtime/Error.cpp:
1753         (JSC::addErrorInfo):
1754         * runtime/ErrorConstructor.cpp:
1755         (JSC::ErrorConstructor::finishCreation):
1756         * runtime/ErrorInstance.cpp:
1757         (JSC::ErrorInstance::finishCreation):
1758         * runtime/ErrorPrototype.cpp:
1759         (JSC::ErrorPrototype::finishCreation):
1760         * runtime/FunctionConstructor.cpp:
1761         (JSC::FunctionConstructor::finishCreation):
1762         * runtime/FunctionPrototype.cpp:
1763         (JSC::FunctionPrototype::finishCreation):
1764         (JSC::FunctionPrototype::addFunctionProperties):
1765         (JSC::FunctionPrototype::initRestrictedProperties):
1766         * runtime/GeneratorFunctionConstructor.cpp:
1767         (JSC::GeneratorFunctionConstructor::finishCreation):
1768         * runtime/GeneratorFunctionPrototype.cpp:
1769         (JSC::GeneratorFunctionPrototype::finishCreation):
1770         * runtime/GeneratorPrototype.cpp:
1771         (JSC::GeneratorPrototype::finishCreation):
1772         * runtime/GenericArgumentsInlines.h:
1773         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1774         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
1775         * runtime/InternalFunction.cpp:
1776         (JSC::InternalFunction::finishCreation):
1777         * runtime/IntlCollatorConstructor.cpp:
1778         (JSC::IntlCollatorConstructor::finishCreation):
1779         * runtime/IntlDateTimeFormatConstructor.cpp:
1780         (JSC::IntlDateTimeFormatConstructor::finishCreation):
1781         * runtime/IntlDateTimeFormatPrototype.cpp:
1782         (JSC::IntlDateTimeFormatPrototype::finishCreation):
1783         * runtime/IntlNumberFormatConstructor.cpp:
1784         (JSC::IntlNumberFormatConstructor::finishCreation):
1785         * runtime/IntlObject.cpp:
1786         (JSC::IntlObject::finishCreation):
1787         * runtime/IteratorPrototype.cpp:
1788         (JSC::IteratorPrototype::finishCreation):
1789         * runtime/JSArray.cpp:
1790         (JSC::JSArray::getOwnPropertySlot):
1791         (JSC::JSArray::setLengthWithArrayStorage):
1792         * runtime/JSArrayBufferConstructor.cpp:
1793         (JSC::JSArrayBufferConstructor::finishCreation):
1794         * runtime/JSArrayBufferPrototype.cpp:
1795         (JSC::JSArrayBufferPrototype::finishCreation):
1796         * runtime/JSBoundFunction.cpp:
1797         (JSC::JSBoundFunction::finishCreation):
1798         * runtime/JSCJSValue.cpp:
1799         (JSC::JSValue::putToPrimitive):
1800         * runtime/JSDataView.cpp:
1801         (JSC::JSDataView::getOwnPropertySlot):
1802         * runtime/JSDataViewPrototype.cpp:
1803         (JSC::JSDataViewPrototype::finishCreation):
1804         * runtime/JSFunction.cpp:
1805         (JSC::JSFunction::finishCreation):
1806         (JSC::JSFunction::getOwnPropertySlot):
1807         (JSC::JSFunction::defineOwnProperty):
1808         (JSC::JSFunction::reifyLength):
1809         (JSC::JSFunction::reifyName):
1810         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
1811         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1812         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
1813         * runtime/JSGenericTypedArrayViewInlines.h:
1814         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1815         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1816         * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
1817         (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
1818         * runtime/JSGlobalObject.cpp:
1819         (JSC::JSGlobalObject::init):
1820         (JSC::JSGlobalObject::addStaticGlobals):
1821         * runtime/JSLexicalEnvironment.cpp:
1822         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1823         * runtime/JSModuleNamespaceObject.cpp:
1824         (JSC::JSModuleNamespaceObject::finishCreation):
1825         (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
1826         * runtime/JSONObject.cpp:
1827         (JSC::JSONObject::finishCreation):
1828         * runtime/JSObject.cpp:
1829         (JSC::getClassPropertyNames):
1830         (JSC::JSObject::getOwnPropertySlotByIndex):
1831         (JSC::ordinarySetSlow):
1832         (JSC::JSObject::putInlineSlow):
1833         (JSC::JSObject::putGetter):
1834         (JSC::JSObject::putSetter):
1835         (JSC::JSObject::putDirectAccessor):
1836         (JSC::JSObject::putDirectCustomAccessor):
1837         (JSC::JSObject::putDirectNonIndexAccessor):
1838         (JSC::JSObject::deleteProperty):
1839         (JSC::JSObject::deletePropertyByIndex):
1840         (JSC::JSObject::getOwnPropertyNames):
1841         (JSC::JSObject::putIndexedDescriptor):
1842         (JSC::JSObject::defineOwnIndexedProperty):
1843         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
1844         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1845         (JSC::JSObject::getOwnPropertyDescriptor):
1846         (JSC::putDescriptor):
1847         (JSC::validateAndApplyPropertyDescriptor):
1848         * runtime/JSObject.h:
1849         (JSC::JSObject::putDirect):
1850         * runtime/JSObjectInlines.h:
1851         (JSC::JSObject::putDirectWithoutTransition):
1852         (JSC::JSObject::putDirectInternal):
1853         * runtime/JSPromiseConstructor.cpp:
1854         (JSC::JSPromiseConstructor::finishCreation):
1855         (JSC::JSPromiseConstructor::addOwnInternalSlots):
1856         * runtime/JSPromisePrototype.cpp:
1857         (JSC::JSPromisePrototype::finishCreation):
1858         (JSC::JSPromisePrototype::addOwnInternalSlots):
1859         * runtime/JSString.cpp:
1860         (JSC::JSString::getStringPropertyDescriptor):
1861         * runtime/JSString.h:
1862         (JSC::JSString::getStringPropertySlot):
1863         * runtime/JSSymbolTableObject.cpp:
1864         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1865         * runtime/JSSymbolTableObject.h:
1866         (JSC::symbolTableGet):
1867         * runtime/JSTypedArrayViewConstructor.cpp:
1868         (JSC::JSTypedArrayViewConstructor::finishCreation):
1869         * runtime/JSTypedArrayViewPrototype.cpp:
1870         (JSC::JSTypedArrayViewPrototype::finishCreation):
1871         * runtime/LazyClassStructure.cpp:
1872         (JSC::LazyClassStructure::Initializer::setConstructor):
1873         * runtime/Lookup.cpp:
1874         (JSC::reifyStaticAccessor):
1875         (JSC::setUpStaticFunctionSlot):
1876         * runtime/Lookup.h:
1877         (JSC::HashTableValue::intrinsic const):
1878         (JSC::HashTableValue::builtinGenerator const):
1879         (JSC::HashTableValue::function const):
1880         (JSC::HashTableValue::functionLength const):
1881         (JSC::HashTableValue::propertyGetter const):
1882         (JSC::HashTableValue::propertyPutter const):
1883         (JSC::HashTableValue::domJIT const):
1884         (JSC::HashTableValue::signature const):
1885         (JSC::HashTableValue::accessorGetter const):
1886         (JSC::HashTableValue::accessorSetter const):
1887         (JSC::HashTableValue::constantInteger const):
1888         (JSC::HashTableValue::lazyCellPropertyOffset const):
1889         (JSC::HashTableValue::lazyClassStructureOffset const):
1890         (JSC::HashTableValue::lazyPropertyCallback const):
1891         (JSC::HashTableValue::builtinAccessorGetterGenerator const):
1892         (JSC::HashTableValue::builtinAccessorSetterGenerator const):
1893         (JSC::getStaticPropertySlotFromTable):
1894         (JSC::putEntry):
1895         (JSC::reifyStaticProperty):
1896         * runtime/MapConstructor.cpp:
1897         (JSC::MapConstructor::finishCreation):
1898         * runtime/MapIteratorPrototype.cpp:
1899         (JSC::MapIteratorPrototype::finishCreation):
1900         * runtime/MapPrototype.cpp:
1901         (JSC::MapPrototype::finishCreation):
1902         * runtime/MathObject.cpp:
1903         (JSC::MathObject::finishCreation):
1904         * runtime/NativeErrorConstructor.cpp:
1905         (JSC::NativeErrorConstructor::finishCreation):
1906         * runtime/NativeErrorPrototype.cpp:
1907         (JSC::NativeErrorPrototype::finishCreation):
1908         * runtime/NumberConstructor.cpp:
1909         (JSC::NumberConstructor::finishCreation):
1910         * runtime/NumberPrototype.cpp:
1911         (JSC::NumberPrototype::finishCreation):
1912         * runtime/ObjectConstructor.cpp:
1913         (JSC::ObjectConstructor::finishCreation):
1914         (JSC::objectConstructorAssign):
1915         (JSC::objectConstructorValues):
1916         (JSC::objectConstructorDefineProperty):
1917         * runtime/ObjectPrototype.cpp:
1918         (JSC::ObjectPrototype::finishCreation):
1919         (JSC::objectProtoFuncLookupGetter):
1920         (JSC::objectProtoFuncLookupSetter):
1921         * runtime/ProgramExecutable.cpp:
1922         (JSC::ProgramExecutable::initializeGlobalProperties):
1923         * runtime/PropertyDescriptor.cpp:
1924         (JSC::PropertyDescriptor::writable const):
1925         (JSC::PropertyDescriptor::enumerable const):
1926         (JSC::PropertyDescriptor::configurable const):
1927         (JSC::PropertyDescriptor::setUndefined):
1928         (JSC::PropertyDescriptor::setDescriptor):
1929         (JSC::PropertyDescriptor::setCustomDescriptor):
1930         (JSC::PropertyDescriptor::setAccessorDescriptor):
1931         (JSC::PropertyDescriptor::setWritable):
1932         (JSC::PropertyDescriptor::setEnumerable):
1933         (JSC::PropertyDescriptor::setConfigurable):
1934         (JSC::PropertyDescriptor::setSetter):
1935         (JSC::PropertyDescriptor::setGetter):
1936         (JSC::PropertyDescriptor::attributesEqual const):
1937         (JSC::PropertyDescriptor::attributesOverridingCurrent const):
1938         * runtime/PropertySlot.cpp:
1939         (JSC::PropertySlot::customGetter const):
1940         * runtime/PropertySlot.h:
1941         (JSC::operator| ):
1942         (JSC::operator&):
1943         (JSC::operator<):
1944         (JSC::operator~):
1945         (JSC::operator|=):
1946         (JSC::PropertySlot::setUndefined):
1947         * runtime/ProxyConstructor.cpp:
1948         (JSC::makeRevocableProxy):
1949         (JSC::ProxyConstructor::finishCreation):
1950         * runtime/ProxyObject.cpp:
1951         (JSC::ProxyObject::performHasProperty):
1952         * runtime/ProxyRevoke.cpp:
1953         (JSC::ProxyRevoke::finishCreation):
1954         * runtime/ReflectObject.cpp:
1955         (JSC::ReflectObject::finishCreation):
1956         (JSC::reflectObjectDefineProperty):
1957         * runtime/RegExpConstructor.cpp:
1958         (JSC::RegExpConstructor::finishCreation):
1959         * runtime/RegExpObject.cpp:
1960         (JSC::RegExpObject::getOwnPropertySlot):
1961         * runtime/RegExpPrototype.cpp:
1962         (JSC::RegExpPrototype::finishCreation):
1963         * runtime/ScopedArguments.cpp:
1964         (JSC::ScopedArguments::overrideThings):
1965         * runtime/SetConstructor.cpp:
1966         (JSC::SetConstructor::finishCreation):
1967         * runtime/SetIteratorPrototype.cpp:
1968         (JSC::SetIteratorPrototype::finishCreation):
1969         * runtime/SetPrototype.cpp:
1970         (JSC::SetPrototype::finishCreation):
1971         * runtime/SparseArrayValueMap.cpp:
1972         (JSC::SparseArrayValueMap::putDirect):
1973         (JSC::SparseArrayEntry::put):
1974         * runtime/StringConstructor.cpp:
1975         (JSC::StringConstructor::finishCreation):
1976         * runtime/StringIteratorPrototype.cpp:
1977         (JSC::StringIteratorPrototype::finishCreation):
1978         * runtime/StringPrototype.cpp:
1979         (JSC::StringPrototype::finishCreation):
1980         * runtime/Structure.cpp:
1981         (JSC::Structure::nonPropertyTransition):
1982         (JSC::Structure::isSealed):
1983         (JSC::Structure::isFrozen):
1984         (JSC::Structure::getPropertyNamesFromStructure):
1985         (JSC::Structure::prototypeChainMayInterceptStoreTo):
1986         * runtime/StructureInlines.h:
1987         (JSC::Structure::add):
1988         * runtime/SymbolConstructor.cpp:
1989         (JSC::SymbolConstructor::finishCreation):
1990         * runtime/SymbolPrototype.cpp:
1991         (JSC::SymbolPrototype::finishCreation):
1992         * runtime/SymbolTable.h:
1993         (JSC::SymbolTableEntry::Fast::getAttributes const):
1994         (JSC::SymbolTableEntry::SymbolTableEntry):
1995         (JSC::SymbolTableEntry::setAttributes):
1996         * runtime/TemplateRegistry.cpp:
1997         (JSC::TemplateRegistry::getTemplateObject):
1998         * runtime/WeakMapConstructor.cpp:
1999         (JSC::WeakMapConstructor::finishCreation):
2000         * runtime/WeakMapPrototype.cpp:
2001         (JSC::WeakMapPrototype::finishCreation):
2002         * runtime/WeakSetConstructor.cpp:
2003         (JSC::WeakSetConstructor::finishCreation):
2004         * runtime/WeakSetPrototype.cpp:
2005         (JSC::WeakSetPrototype::finishCreation):
2006         * tools/JSDollarVMPrototype.cpp:
2007         (JSC::JSDollarVMPrototype::finishCreation):
2008         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2009         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
2010         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2011         (JSC::WebAssemblyInstanceConstructor::finishCreation):
2012         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2013         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
2014         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2015         (JSC::WebAssemblyMemoryConstructor::finishCreation):
2016         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2017         * wasm/js/WebAssemblyModuleConstructor.cpp:
2018         (JSC::WebAssemblyModuleConstructor::finishCreation):
2019         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2020         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
2021         * wasm/js/WebAssemblyTableConstructor.cpp:
2022         (JSC::WebAssemblyTableConstructor::finishCreation):
2023
2024 2017-09-23  Oleksandr Skachkov  <gskachkov@gmail.com>
2025
2026         [ESNext] Async iteration - Implement Async Generator - optimization
2027         https://bugs.webkit.org/show_bug.cgi?id=175891
2028
2029         Reviewed by Yusuke Suzuki.
2030
2031         Add a small optimization for async generators:
2032         1. Merge the async generator queue into the async generator itself:
2033            generator.@first / generator.@last is enough; by doing so,
2034            we remove one unnecessary object allocation.
2035         2. Merge the request with the queue.
2036
2037         * builtins/AsyncGeneratorPrototype.js:
2038         (globalPrivate.asyncGeneratorQueueIsEmpty):
2039         (globalPrivate.asyncGeneratorQueueCreateItem):
2040         (globalPrivate.asyncGeneratorQueueEnqueue):
2041         (globalPrivate.asyncGeneratorQueueDequeue):
2042         (globalPrivate.asyncGeneratorDequeue):
2043         (globalPrivate.isSuspendYieldState):
2044         (globalPrivate.asyncGeneratorEnqueue):
2045         * builtins/BuiltinNames.h:
2046         * bytecompiler/BytecodeGenerator.cpp:
2047         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
2048         * bytecompiler/BytecodeGenerator.h:
2049         * bytecompiler/NodesCodegen.cpp:
2050         (JSC::FunctionNode::emitBytecode):
2051
2052 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
2053
2054         test262: $.agent became $262.agent in test262 update
2055         https://bugs.webkit.org/show_bug.cgi?id=177407
2056
2057         Reviewed by Yusuke Suzuki.
2058
2059         * jsc.cpp:
2060         (GlobalObject::finishCreation):
2061         Alias `$` and `$262` for now.
2062
2063 2017-09-22  Keith Miller  <keith_miller@apple.com>
2064
2065         Speculatively change iteration protocol to use the same next function
2066         https://bugs.webkit.org/show_bug.cgi?id=175653
2067
2068         Reviewed by Saam Barati.
2069
2070         This patch speculatively makes a change to the iteration protocol to fetch the next
2071         property immediately after calling the Symbol.iterator function. This is, in theory,
2072         a breaking change, so we will see if this breaks things (most likely it won't, as this
2073         is a relatively subtle point).
2074
2075         See: https://github.com/tc39/ecma262/issues/976
2076
2077         * builtins/IteratorHelpers.js:
2078         (performIteration):
2079         * bytecompiler/BytecodeGenerator.cpp:
2080         (JSC::BytecodeGenerator::emitEnumeration):
2081         (JSC::BytecodeGenerator::emitIteratorNext):
2082         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
2083         (JSC::BytecodeGenerator::emitDelegateYield):
2084         * bytecompiler/BytecodeGenerator.h:
2085         * bytecompiler/NodesCodegen.cpp:
2086         (JSC::ArrayPatternNode::bindValue const):
2087         * inspector/JSInjectedScriptHost.cpp:
2088         (Inspector::JSInjectedScriptHost::iteratorEntries):
2089         * runtime/IteratorOperations.cpp:
2090         (JSC::iteratorNext):
2091         (JSC::iteratorStep):
2092         (JSC::iteratorClose):
2093         (JSC::iteratorForIterable):
2094         * runtime/IteratorOperations.h:
2095         (JSC::forEachInIterable):
2096         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2097         (JSC::constructGenericTypedArrayViewFromIterator):
2098         (JSC::constructGenericTypedArrayViewWithArguments):
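
The difference this entry describes, as an added example that is not WebKit code: two plain-JS loops, one that looks `next` up before every step (the previous behaviour) and one that fetches it once right after calling `Symbol.iterator` (the behaviour this patch adopts), run over a constructed iterable that rewrites its own `next` after the first step. The iterable, the helper names and the `engineCachesNext` probe are assumptions made for the demonstration.

```javascript
// Added example (not WebKit code): the two iteration protocols this entry
// compares, written as plain JS so their observable difference can be seen.

// Previous behaviour: look `next` up on the iterator before every step, so a
// `next` that changes mid-iteration is honoured.
function iterateLookingUpNextEachStep(iterable) {
  const iterator = iterable[Symbol.iterator]();
  const out = [];
  for (;;) {
    const result = iterator.next(); // property lookup on every step
    if (result.done) return out;
    out.push(result.value);
  }
}

// Behaviour after this patch: fetch `next` once, immediately after calling
// Symbol.iterator, and reuse that function object for the whole loop.
function iterateWithCachedNext(iterable) {
  const iterator = iterable[Symbol.iterator]();
  const next = iterator.next; // fetched exactly once
  if (typeof next !== 'function') throw new TypeError('iterator.next is not callable');
  const out = [];
  for (;;) {
    const result = next.call(iterator);
    if (result.done) return out;
    out.push(result.value);
  }
}

// Constructed iterable that yields 1, 2, 3 but replaces its own `next` after
// the first step. Only a protocol that re-reads `next` notices the swap.
function makeSelfRewritingIterable() {
  return {
    [Symbol.iterator]() {
      let i = 0;
      const iterator = {
        next() {
          i += 1;
          iterator.next = () => ({ value: 'hijacked', done: ++i > 3 });
          return { value: i, done: i > 3 };
        },
      };
      return iterator;
    },
  };
}

// Probe for the engine running this file: with a cached `next`, for-of sees
// only the numbers; with a per-step lookup it sees the 'hijacked' values.
function engineCachesNext() {
  const seen = [];
  for (const v of makeSelfRewritingIterable()) seen.push(v);
  return seen.every((v) => typeof v === 'number');
}
```

Under the old protocol the loop returns `[1, 'hijacked', 'hijacked']`; under the new one it returns `[1, 2, 3]`, because the replacement `next` is never read. Iterables that mutate their own `next` are exactly the kind of input a fuzzer feeds an engine, so the probe is a quick way to see which protocol a given engine follows.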
2099
2100 2017-09-22  Fujii Hironori  <Hironori.Fujii@sony.com>
2101
2102         [Win64] Crashes in Yarr JIT compiled code
2103         https://bugs.webkit.org/show_bug.cgi?id=177293
2104
2105         Reviewed by Yusuke Suzuki.
2106
2107         In x64 Windows, the rcx register is used for the address of the allocated
2108         space for the return value. But rcx has been used for regT1 since
2109         r221052. Save rcx on the stack.
2110
2111         * yarr/YarrJIT.cpp:
2112         (JSC::Yarr::YarrGenerator::generateEnter): Push ecx.
2113         (JSC::Yarr::YarrGenerator::generateReturn): Pop ecx.
2114
2115 2017-09-22  Saam Barati  <sbarati@apple.com>
2116
2117         Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
2118         https://bugs.webkit.org/show_bug.cgi?id=177368
2119
2120         Reviewed by Keith Miller.
2121
2122         * runtime/ErrorInstance.cpp:
2123         (JSC::ErrorInstance::finishCreation):
2124         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
2125         (JSC::ErrorInstance::visitChildren):
2126
2127 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2128
2129         [DFG][FTL] Profile array vector length for array allocation
2130         https://bugs.webkit.org/show_bug.cgi?id=177051
2131
2132         Reviewed by Saam Barati.
2133
2134         Currently, NewArrayBuffer allocation is penalized by JSC: while an empty array gets a vector size of 25 (BASE_CONTIGUOUS_VECTOR_LEN),
2135         the new_array_buffer case gets a vector size of 3 (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
2136         if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
2137         the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
2138
2139             empty array allocation,
2140
2141             var array = [];
2142             array.push(0);
2143             array.push(1);
2144             array.push(2);
2145             array.push(3);
2146             array.push(4);
2147
2148             v.s. new_array_buffer case,
2149
2150             var array = [0];
2151             array.push(1);
2152             array.push(2);
2153             array.push(3);
2154             array.push(4);
2155
2156         In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (which is a bit likely),
2157         we should allocate a vector size of 3 to 25 if it is likely to be grown. So we should get a profile of the resulting array.
2158
2159         We select 25 to make it fit one of the size classes.
2160
2161         In this patch, we extend ArrayAllocationProfile to record the vector length, and use this information when allocating the array for new_array_buffer.
2162         If the number of new_array_buffer constants is <= 25, the array vector size becomes 3 to 25 based on profiling. If the number of its constants
2163         is larger than 25, we just use it for allocation as before.
2164
2165         The added microbenchmark and SixSpeed spread-literal.es5 show improvement.
2166
2167             new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
2168             spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster
2169
2170         * bytecode/ArrayAllocationProfile.cpp:
2171         (JSC::ArrayAllocationProfile::updateProfile):
2172         (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
2173         * bytecode/ArrayAllocationProfile.h:
2174         (JSC::ArrayAllocationProfile::selectIndexingType):
2175         (JSC::ArrayAllocationProfile::vectorLengthHint):
2176         (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
2177         * bytecode/CodeBlock.cpp:
2178         (JSC::CodeBlock::updateAllArrayPredictions):
2179         * dfg/DFGByteCodeParser.cpp:
2180         (JSC::DFG::ByteCodeParser::parseBlock):
2181         * dfg/DFGGraph.cpp:
2182         (JSC::DFG::Graph::dump):
2183         * dfg/DFGNode.h:
2184         (JSC::DFG::Node::vectorLengthHint):
2185         * dfg/DFGOperations.cpp:
2186         * dfg/DFGOperations.h:
2187         * dfg/DFGSpeculativeJIT64.cpp:
2188         (JSC::DFG::SpeculativeJIT::compile):
2189         * ftl/FTLLowerDFGToB3.cpp:
2190         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2191         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2192         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2193         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2194         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
2195         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
2196         * runtime/ArrayConventions.h:
2197         * runtime/JSArray.h:
2198         (JSC::JSArray::tryCreate):
2199
2200 2017-09-22  Commit Queue  <commit-queue@webkit.org>
2201
2202         Unreviewed, rolling out r222380.
2203         https://bugs.webkit.org/show_bug.cgi?id=177352
2204
2205         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
2206         #webkit).
2207
2208         Reverted changeset:
2209
2210         "[DFG][FTL] Profile array vector length for array allocation"
2211         https://bugs.webkit.org/show_bug.cgi?id=177051
2212         http://trac.webkit.org/changeset/222380
2213
2214 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2215
2216         [DFG][FTL] Profile array vector length for array allocation
2217         https://bugs.webkit.org/show_bug.cgi?id=177051
2218
2219         Reviewed by Saam Barati.
2220
2221         Currently, NewArrayBuffer allocation is penalized by JSC: while an empty array gets a vector size of 25 (BASE_CONTIGUOUS_VECTOR_LEN),
2222         the new_array_buffer case gets a vector size of 3 (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
2223         if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
2224         the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
2225
2226             empty array allocation,
2227
2228             var array = [];
2229             array.push(0);
2230             array.push(1);
2231             array.push(2);
2232             array.push(3);
2233             array.push(4);
2234
2235             v.s. new_array_buffer case,
2236
2237             var array = [0];
2238             array.push(1);
2239             array.push(2);
2240             array.push(3);
2241             array.push(4);
2242
2243         In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (which is a bit likely),
2244         we should allocate a vector size of 3 to 25 if it is likely to be grown. So we should get a profile of the resulting array.
2245
2246         We select 25 to make it fit one of the size classes.
2247
2248         In this patch, we extend ArrayAllocationProfile to record the vector length, and use this information when allocating the array for new_array_buffer.
2249         If the number of new_array_buffer constants is <= 25, the array vector size becomes 3 to 25 based on profiling. If the number of its constants
2250         is larger than 25, we just use it for allocation as before.
2251
2252         The added microbenchmark and SixSpeed spread-literal.es5 show improvement.
2253
2254             new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
2255             spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster
2256
2257         * bytecode/ArrayAllocationProfile.cpp:
2258         (JSC::ArrayAllocationProfile::updateProfile):
2259         (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
2260         * bytecode/ArrayAllocationProfile.h:
2261         (JSC::ArrayAllocationProfile::selectIndexingType):
2262         (JSC::ArrayAllocationProfile::vectorLengthHint):
2263         (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
2264         * bytecode/CodeBlock.cpp:
2265         (JSC::CodeBlock::updateAllArrayPredictions):
2266         * dfg/DFGByteCodeParser.cpp:
2267         (JSC::DFG::ByteCodeParser::parseBlock):
2268         * dfg/DFGGraph.cpp:
2269         (JSC::DFG::Graph::dump):
2270         * dfg/DFGNode.h:
2271         (JSC::DFG::Node::vectorLengthHint):
2272         * dfg/DFGOperations.cpp:
2273         * dfg/DFGOperations.h:
2274         * dfg/DFGSpeculativeJIT64.cpp:
2275         (JSC::DFG::SpeculativeJIT::compile):
2276         * ftl/FTLLowerDFGToB3.cpp:
2277         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2278         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2279         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2280         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2281         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
2282         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
2283         * runtime/ArrayConventions.h:
2284         * runtime/JSArray.h:
2285         (JSC::JSArray::tryCreate):
2286
2287 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
2288
2289         Web Inspector: Remove support for CSS Regions
2290         https://bugs.webkit.org/show_bug.cgi?id=177287
2291
2292         Reviewed by Matt Baker.
2293
2294         * inspector/protocol/CSS.json:
2295         * inspector/protocol/OverlayTypes.json:
2296
2297 2017-09-21  Brian Burg  <bburg@apple.com>
2298
2299         Web Inspector: keyboard shortcut for "Reload page from origin" doesn't match Safari, and doesn't work
2300         https://bugs.webkit.org/show_bug.cgi?id=177010
2301         <rdar://problem/33134548>
2302
2303         Reviewed by Joseph Pecoraro.
2304
2305         Use "reload from origin" nomenclature instead of "reload ignoring cache".
2306
2307         * inspector/protocol/Page.json: Improve the comment, but don't change the
2308         parameter name since this would be a divergence from legacy protocols.
2309
2310 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
2311
2312         test262: test262/test/annexB/built-ins/RegExp/prototype/flags/order-after-compile.js ASSERTs
2313         https://bugs.webkit.org/show_bug.cgi?id=177307
2314
2315         Reviewed by Michael Saboff.
2316
2317         * runtime/RegExpPrototype.cpp:
2318         In r221160 we added support for the new RegExp flag (dotAll).
2319         We needed to make space for it in FlagsString.
2320
2321 2017-09-20  Keith Miller  <keith_miller@apple.com>
2322
2323         JSC should use unified sources for platform specific files.
2324         https://bugs.webkit.org/show_bug.cgi?id=177290
2325
2326         Reviewed by Michael Saboff.
2327
2328         Add a list of platform specific source files and update the
2329         Generate Unified Sources phase of the Xcode build. I skipped WPE
2330         since that seems to have failed for some reason that I didn't
2331         fully understand. See:
2332         https://webkit-queues.webkit.org/results/4611260
2333
2334         Also, fix duplicate symbols in Glib remote inspector files.
2335
2336         * CMakeLists.txt:
2337         * JavaScriptCore.xcodeproj/project.pbxproj:
2338         * PlatformGTK.cmake:
2339         * PlatformMac.cmake:
2340         * SourcesGTK.txt: Added.
2341         * SourcesMac.txt: Added.
2342         * inspector/remote/glib/RemoteInspectorServer.cpp:
2343         (Inspector::RemoteInspectorServer::interfaceInfo):
2344         (Inspector::RemoteInspectorServer::setTargetList):
2345         (Inspector::RemoteInspectorServer::setupInspectorClient):
2346         (Inspector::RemoteInspectorServer::setup):
2347         (Inspector::RemoteInspectorServer::close):
2348         (Inspector::RemoteInspectorServer::connectionClosed):
2349         (Inspector::RemoteInspectorServer::sendMessageToBackend):
2350         (Inspector::RemoteInspectorServer::sendMessageToFrontend):
2351         (Inspector::dbusConnectionCallAsyncReadyCallback): Deleted.
2352
2353 2017-09-20  Stephan Szabo  <stephan.szabo@sony.com>
2354
2355         [Win] WTF: Add alias for process id to use in place of direct uses of pid_t
2356         https://bugs.webkit.org/show_bug.cgi?id=177017
2357
2358         Reviewed by Alex Christensen.
2359
2360         * API/JSRemoteInspector.cpp:
2361         (JSRemoteInspectorSetParentProcessInformation):
2362         * API/JSRemoteInspector.h:
2363         * inspector/remote/RemoteInspector.h:
2364
2365 2017-09-20  Keith Miller  <keith_miller@apple.com>
2366
2367         Rename source list file to Sources.txt
2368         https://bugs.webkit.org/show_bug.cgi?id=177283
2369
2370         Reviewed by Saam Barati.
2371
2372         * CMakeLists.txt:
2373         * JavaScriptCore.xcodeproj/project.pbxproj:
2374         * Sources.txt: Renamed from Source/JavaScriptCore/sources.txt.
2375
2376 2017-09-20  Keith Miller  <keith_miller@apple.com>
2377
2378         Unreviewed, fix string capitalization
2379
2380         * JavaScriptCore.xcodeproj/project.pbxproj:
2381
2382 2017-09-20  Keith Miller  <keith_miller@apple.com>
2383
2384         JSC Xcode build should use unified sources for platform independent files
2385         https://bugs.webkit.org/show_bug.cgi?id=177190
2386
2387         Reviewed by Saam Barati.
2388
2389         This patch changes the Xcode build to use unified sources. The
2390         main difference from a development perspective is that instead of
2391         adding source files to Xcode they need to be added to the shared
2392         sources.txt. For now, platform specific files are still added
2393         to the JavaScriptCore target.
2394
2395         Because Xcode needs to know about all the files before we generate
2396         them, all the unified source files need to be added to the
2397         JavaScriptCore framework target. As a result, if we run out of
2398         bundle files more will need to be added to the project. Currently,
2399         there are no spare files. If adding more bundle files becomes
2400         problematic we can change this.
2401
2402         LowLevelInterpreter.cpp can't be added to the unified source list yet
2403         due to a clang bug.
2404
2405         * CMakeLists.txt:
2406         * JavaScriptCore.xcodeproj/project.pbxproj:
2407         * sources.txt: Added.
2408
2409 2017-09-20  Per Arne Vollan  <pvollan@apple.com>
2410
2411         [Win] Cannot find script to generate unified sources.
2412         https://bugs.webkit.org/show_bug.cgi?id=177014
2413
2414         Reviewed by Keith Miller.
2415
2416         The ruby script can now be found in WTF/Scripts in the forwarding headers folder.
2417
2418         * CMakeLists.txt:
2419         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2420
2421 2017-09-20  Alberto Garcia  <berto@igalia.com>
2422
2423         Fix HPPA and Alpha builds
2424         https://bugs.webkit.org/show_bug.cgi?id=177224
2425
2426         Reviewed by Alex Christensen.
2427
2428         * CMakeLists.txt:
2429
2430 2017-09-18  Filip Pizlo  <fpizlo@apple.com>
2431
2432         ErrorInstance and Exception need destroy methods
2433         https://bugs.webkit.org/show_bug.cgi?id=177095
2434
2435         Reviewed by Saam Barati.
2436         
2437         When I made ErrorInstance and Exception into JSDestructibleObjects, I forgot to make them
2438         follow that type's protocol.
2439
2440         * runtime/ErrorInstance.cpp:
2441         (JSC::ErrorInstance::destroy): Implement this to fix leaks.
2442         * runtime/ErrorInstance.h:
2443         * runtime/Exception.h: Change how this is declared now that this is a DestructibleObject.
2444
2445 2017-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2446
2447         [JSC] Consider dropping JSObjectSetPrototype feature for JSGlobalObject
2448         https://bugs.webkit.org/show_bug.cgi?id=177070
2449
2450         Reviewed by Saam Barati.
2451
2452         For security reasons, our global object is an immutable prototype exotic object.
2453         It prevents users from injecting proxies into the prototype chain of the global object[1].
2454         But our JSC API does not respect this attribute, and allows users to change the [[Prototype]]
2455         of the global object after instantiating it.
2456
2457         This patch removes this feature. Once the global object is instantiated, we cannot change the [[Prototype]]
2458         of the global object. It drops the JSGlobalObject::resetPrototype use, which involves GlobalThis
2459         edge cases.
2460
2461         [1]: https://github.com/tc39/ecma262/commit/935dad4283d045bc09c67a259279772d01b3d33d
2462
2463         * API/JSObjectRef.cpp:
2464         (JSObjectSetPrototype):
2465         * API/tests/CustomGlobalObjectClassTest.c:
2466         (globalObjectSetPrototypeTest):
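
An added example, not WebKit or JSC API code, of the two behaviours this entry contrasts: why a mutable [[Prototype]] on a global-like object is a problem (a Proxy on the chain observes every lookup that misses in front of it), and what an immutable prototype exotic object does with [[SetPrototypeOf]] (modelled here with a Proxy `setPrototypeOf` trap that follows the spec's SetImmutablePrototype steps; the real global object does this natively). The names `victim`, `spy`, `secretApiToken` and the helper functions are constructed for the demonstration.

```javascript
// Added example (not WebKit/JSC code). Shows why the global object's
// [[Prototype]] is kept immutable and what that immutability looks like to JS.

// Part 1: what a mutable [[Prototype]] allows. A Proxy placed on the prototype
// chain receives every property lookup that misses on the object in front of
// it; on the global object that would be every unresolved global identifier.
function demonstrateProxyOnPrototypeChain() {
  const observed = [];
  const spy = new Proxy(Object.create(null), {
    get(_target, key) {
      observed.push(String(key)); // constructed "attacker": just records names
      return undefined;
    },
  });
  const victim = {}; // ordinary object: its [[Prototype]] can be replaced
  Object.setPrototypeOf(victim, spy);
  void victim.secretApiToken; // not an own property, so the lookup reaches the spy
  return observed;
}

// Part 2: the immutable prototype exotic object's [[SetPrototypeOf]] (spec
// SetImmutablePrototype): succeed only if V is already the current prototype,
// otherwise report failure and leave the chain untouched. Modelled with a
// Proxy trap whose target stays extensible, so the trap's answers respect
// the Proxy invariants.
function makeImmutablePrototypeObject(proto) {
  const target = Object.create(proto);
  return new Proxy(target, {
    setPrototypeOf(t, v) {
      return Object.getPrototypeOf(t) === v; // never mutates the target
    },
  });
}

function probeImmutablePrototype() {
  const base = { fromBase: 1 };
  const obj = makeImmutablePrototypeObject(base);
  const results = {};

  // Reflect reports the refusal as a plain `false`.
  results.reflectToOther = Reflect.setPrototypeOf(obj, { evil: true });

  // Object.setPrototypeOf and the __proto__ setter turn the refusal into a TypeError.
  try {
    Object.setPrototypeOf(obj, null);
    results.objectSetThrew = false;
  } catch (e) {
    results.objectSetThrew = e instanceof TypeError;
  }
  try {
    obj.__proto__ = {};
    results.dunderProtoThrew = false;
  } catch (e) {
    results.dunderProtoThrew = e instanceof TypeError;
  }

  // Edge case from the spec: "setting" the prototype to its current value succeeds.
  results.sameValueOk = Reflect.setPrototypeOf(obj, base);

  // Nothing was inserted into the chain and inheritance still works.
  results.stillInherits = obj.fromBase === 1 && Object.getPrototypeOf(obj) === base;
  return results;
}
```

Part 1 returns `['secretApiToken']`: the spy saw the miss without `victim` ever exposing anything on purpose, which is what the entry means by injecting proxies into the global's prototype chain. Part 2 returns `false` for the Reflect attempt, a `TypeError` for the two throwing paths, `true` for the same-value case, and an untouched chain, which is the behaviour the JSC API now enforces for the global object as well.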
2467
2468 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2469
2470         [DFG] Remove ToThis more aggressively
2471         https://bugs.webkit.org/show_bug.cgi?id=177056
2472
2473         Reviewed by Saam Barati.
2474
2475         The variation of toThis() implementations is limited. So we attempt to implement the common toThis operation in AI.
2476         We move the scope-related toThis to JSScope::toThis, and AI investigates the proven value/structure's toThis methods
2477         and attempts to fold/convert them to efficient nodes.
2478
2479         We introduce GetGlobalThis, which just loads globalThis from the semantic origin's globalObject. Using this,
2480         we can implement JSScope::toThis in DFG. This avoids a costly toThis indirect function pointer call.
2481
2482         Currently, we just emit GetGlobalThis if necessary. We can further convert it to a constant if we can put a
2483         watchpoint on JSGlobalObject's globalThis change. But we leave that for a future patch for now.
2484
2485         This removes GetGlobalThis from ES6 generators in common cases.
2486
2487         spread-generator.es6      303.1550+-9.5037          290.9337+-8.3487          might be 1.0420x faster
2488
2489         * dfg/DFGAbstractInterpreterInlines.h:
2490         (JSC::DFG::isToThisAnIdentity):
2491         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2492         * dfg/DFGClobberize.h:
2493         (JSC::DFG::clobberize):
2494         * dfg/DFGConstantFoldingPhase.cpp:
2495         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2496         * dfg/DFGDoesGC.cpp:
2497         (JSC::DFG::doesGC):
2498         * dfg/DFGFixupPhase.cpp:
2499         (JSC::DFG::FixupPhase::fixupNode):
2500         * dfg/DFGNode.h:
2501         (JSC::DFG::Node::convertToGetGlobalThis):
2502         * dfg/DFGNodeType.h:
2503         * dfg/DFGPredictionPropagationPhase.cpp:
2504         * dfg/DFGSafeToExecute.h:
2505         (JSC::DFG::safeToExecute):
2506         * dfg/DFGSpeculativeJIT.cpp:
2507         (JSC::DFG::SpeculativeJIT::compileGetGlobalThis):
2508         * dfg/DFGSpeculativeJIT.h:
2509         * dfg/DFGSpeculativeJIT32_64.cpp:
2510         (JSC::DFG::SpeculativeJIT::compile):
2511         * dfg/DFGSpeculativeJIT64.cpp:
2512         (JSC::DFG::SpeculativeJIT::compile):
2513         * ftl/FTLCapabilities.cpp:
2514         (JSC::FTL::canCompile):
2515         * ftl/FTLLowerDFGToB3.cpp:
2516         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2517         (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
2518         * runtime/JSGlobalLexicalEnvironment.cpp:
2519         (JSC::JSGlobalLexicalEnvironment::toThis): Deleted.
2520         * runtime/JSGlobalLexicalEnvironment.h:
2521         * runtime/JSGlobalObject.cpp:
2522         (JSC::JSGlobalObject::toThis): Deleted.
2523         * runtime/JSGlobalObject.h:
2524         (JSC::JSGlobalObject::addressOfGlobalThis):
2525         * runtime/JSLexicalEnvironment.cpp:
2526         (JSC::JSLexicalEnvironment::toThis): Deleted.
2527         * runtime/JSLexicalEnvironment.h:
2528         * runtime/JSScope.cpp:
2529         (JSC::JSScope::toThis):
2530         * runtime/JSScope.h:
2531         * runtime/StrictEvalActivation.cpp:
2532         (JSC::StrictEvalActivation::toThis): Deleted.
2533         * runtime/StrictEvalActivation.h:
2534
2535 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2536
2537         Merge JSLexicalEnvironment and JSEnvironmentRecord
2538         https://bugs.webkit.org/show_bug.cgi?id=175492
2539
2540         Reviewed by Saam Barati.
2541
2542         JSEnvironmentRecord is only inherited by JSLexicalEnvironment.
2543         We can merge JSEnvironmentRecord and JSLexicalEnvironment.
2544
2545         * CMakeLists.txt:
2546         * JavaScriptCore.xcodeproj/project.pbxproj:
2547         * dfg/DFGSpeculativeJIT.cpp:
2548         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2549         * dfg/DFGSpeculativeJIT32_64.cpp:
2550         (JSC::DFG::SpeculativeJIT::compile):
2551         * dfg/DFGSpeculativeJIT64.cpp:
2552         (JSC::DFG::SpeculativeJIT::compile):
2553         * ftl/FTLAbstractHeapRepository.h:
2554         * ftl/FTLLowerDFGToB3.cpp:
2555         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2556         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
2557         (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
2558         (JSC::FTL::DFG::LowerDFGToB3::compilePutClosureVar):
2559         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
2560         * jit/JITPropertyAccess.cpp:
2561         (JSC::JIT::emitGetClosureVar):
2562         (JSC::JIT::emitPutClosureVar):
2563         (JSC::JIT::emitScopedArgumentsGetByVal):
2564         * jit/JITPropertyAccess32_64.cpp:
2565         (JSC::JIT::emitGetClosureVar):
2566         (JSC::JIT::emitPutClosureVar):
2567         * llint/LLIntOffsetsExtractor.cpp:
2568         * llint/LowLevelInterpreter.asm:
2569         * llint/LowLevelInterpreter32_64.asm:
2570         * llint/LowLevelInterpreter64.asm:
2571         * runtime/JSEnvironmentRecord.cpp: Removed.
2572         * runtime/JSEnvironmentRecord.h: Removed.
2573         * runtime/JSLexicalEnvironment.cpp:
2574         (JSC::JSLexicalEnvironment::visitChildren):
2575         (JSC::JSLexicalEnvironment::heapSnapshot):
2576         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2577         * runtime/JSLexicalEnvironment.h:
2578         (JSC::JSLexicalEnvironment::subspaceFor):
2579         (JSC::JSLexicalEnvironment::variables):
2580         (JSC::JSLexicalEnvironment::isValidScopeOffset):
2581         (JSC::JSLexicalEnvironment::variableAt):
2582         (JSC::JSLexicalEnvironment::offsetOfVariables):
2583         (JSC::JSLexicalEnvironment::offsetOfVariable):
2584         (JSC::JSLexicalEnvironment::allocationSizeForScopeSize):
2585         (JSC::JSLexicalEnvironment::allocationSize):
2586         (JSC::JSLexicalEnvironment::finishCreationUninitialized):
2587         (JSC::JSLexicalEnvironment::finishCreation):
2588         * runtime/JSModuleEnvironment.cpp:
2589         (JSC::JSModuleEnvironment::create):
2590         * runtime/JSObject.h:
2591         (JSC::JSObject::isEnvironment const):
2592         (JSC::JSObject::isEnvironmentRecord const): Deleted.
2593         * runtime/JSSegmentedVariableObject.h:
2594         * runtime/StringPrototype.cpp:
2595         (JSC::checkObjectCoercible):
2596
2597 2017-09-15  Saam Barati  <sbarati@apple.com>
2598
2599         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
2600         https://bugs.webkit.org/show_bug.cgi?id=176981
2601
2602         Reviewed by Yusuke Suzuki.
2603
2604         This patch makes inline arity fixup happen in two phases:
2605         1. We get all the values we need and MovHint them to the expected locals.
2606         2. We SetLocal them inside the callee's CodeOrigin. This way, if we exit, the callee's
2607            frame is already set up. If any SetLocal exits, we have a valid exit state.
2608            This is required because if we didn't do this in two phases, we may exit in
2609            the middle of arity fixup from the caller's CodeOrigin. This is unsound because if
2610            we did the SetLocals in the caller's frame, the memcpy may clobber needed parts
2611            of the frame right before exiting. For example, consider if we need to pad two args:
2612            [arg3][arg2][arg1][arg0]
2613            [fix ][fix ][arg3][arg2][arg1][arg0]
2614            We memcpy starting from arg0 in the direction of arg3. If we were to exit at a type check
2615            for arg3's SetLocal in the caller's CodeOrigin, we'd exit with a frame like so:
2616            [arg3][arg2][arg1][arg2][arg1][arg0]
2617            And the caller would then just end up thinking its arguments are:
2618            [arg3][arg2][arg1][arg2]
2619            which is incorrect.
2620
2621
2622         This patch also fixes a couple of bugs in IdentityWithProfile:
2623         1. The bytecode generator for this bytecode intrinsic was written incorrectly.
2624            It needed to store the result of evaluating its argument in a temporary that
2625            it creates. Otherwise, it might try to simply overwrite a constant
2626            or a register that it didn't own.
2627         2. We weren't eliminating this node in CSE inside the DFG.
2628
2629         * bytecompiler/NodesCodegen.cpp:
2630         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
2631         * dfg/DFGByteCodeParser.cpp:
2632         (JSC::DFG::ByteCodeParser::inlineCall):
2633         * dfg/DFGCSEPhase.cpp:
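
        The frame diagram above, as an added simulation that is not JSC's own code: slots hold the index of the argument they contain, the callee's argument block sits padCount slots below the caller's, and the numArgs=4, padCount=2 case is the one drawn in the entry.

```cpp
#include <vector>

// Constructed illustration of the frame diagram above; not JSC code. The frame
// window is a vector of slots whose index grows toward the caller's frame, so
// the drawing "[arg3][arg2][arg1][arg0]" is slot[3] .. slot[0]. The inlined
// callee's argument block is placed padCount slots below the caller's, which
// is why the arguments have to be copied at all. Slot values are just the
// argument index they hold; kPad marks a padding slot filled with undefined.
const int kPad = -1;

// The caller's frame before fixup: caller's argi lives at slot[padCount + i].
std::vector<int> makeCallerFrame(int numArgs, int padCount)
{
    std::vector<int> frame(numArgs + padCount, kPad);
    for (int i = 0; i < numArgs; ++i)
        frame[padCount + i] = i;
    return frame;
}

// The caller's view of its own arguments, read back out of the frame window.
std::vector<int> callerArgs(const std::vector<int>& frame, int numArgs, int padCount)
{
    return std::vector<int>(frame.begin() + padCount, frame.begin() + padCount + numArgs);
}

// Pre-patch (single-phase) fixup: SetLocal arg0, arg1, ... straight into the
// shifted slots, reading each old slot as we go. Source and destination ranges
// overlap, so the copy overwrites caller slots as it advances; an exit taken
// part-way through leaves the caller with a frame that no longer holds its own
// arguments. exitAfter is how many SetLocals land before a speculation failure
// exits in the caller's CodeOrigin; numArgs + padCount means the copy completes.
std::vector<int> singlePhaseFixup(int numArgs, int padCount, int exitAfter)
{
    std::vector<int> frame = makeCallerFrame(numArgs, padCount);
    int total = numArgs + padCount;
    for (int i = 0; i < total && i < exitAfter; ++i)
        frame[i] = i < numArgs ? frame[padCount + i] : kPad;
    return frame;
}

// Patched (two-phase) fixup. Phase 1 only reads: every value the callee needs
// is recorded (a MovHint) before anything is written. Phase 2 performs the
// same overlapping writes, but now inside the callee's CodeOrigin, so an exit
// there reconstructs the callee's frame from the recorded values instead of
// reading the half-overwritten caller slots.
struct TwoPhaseState {
    std::vector<int> hinted; // values captured in phase 1, one per callee slot
    std::vector<int> frame;  // frame window after phase 2 (possibly interrupted)
};

TwoPhaseState twoPhaseFixup(int numArgs, int padCount, int exitAfter)
{
    std::vector<int> frame = makeCallerFrame(numArgs, padCount);
    int total = numArgs + padCount;
    std::vector<int> hinted(total, kPad);
    for (int i = 0; i < numArgs; ++i)
        hinted[i] = frame[padCount + i]; // phase 1: reads only, frame untouched
    for (int i = 0; i < total && i < exitAfter; ++i)
        frame[i] = hinted[i];            // phase 2: SetLocals in callee's origin
    return { hinted, frame };
}

// What an exit during phase 2 recovers for the callee: its full argument block,
// regardless of how many SetLocals had landed when the exit was taken.
std::vector<int> calleeArgsAtExit(const TwoPhaseState& state, int numArgs)
{
    return std::vector<int>(state.hinted.begin(), state.hinted.begin() + numArgs);
}
```

Running singlePhaseFixup(4, 2, 3) reproduces the entry's broken state, slot[5]..slot[0] = [arg3][arg2][arg1][arg2][arg1][arg0], and callerArgs on it yields the incorrect [arg3][arg2][arg1][arg2]; twoPhaseFixup with the same interruption still recovers arg0..arg3 for the callee.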
2634
2635 2017-09-15  JF Bastien  <jfbastien@apple.com>
2636
2637         WTF: use Forward.h when appropriate instead of Vector.h
2638         https://bugs.webkit.org/show_bug.cgi?id=176984
2639
2640         Reviewed by Saam Barati.
2641
2642         There's no need to include Vector.h when Forward.h will suffice. All we need is to move the template default parameters from Vector, and then the forward declaration can be used in so many new places: if a header only takes Vector by reference, rvalue reference, pointer, returns any of these, or has them as members then the header doesn't need to see the definition because the declaration will suffice.
2643
2644         * bytecode/HandlerInfo.h:
2645         * heap/GCIncomingRefCounted.h:
2646         * heap/GCSegmentedArray.h:
2647         * wasm/js/JSWebAssemblyModule.h:
2648
2649 2017-09-14  Saam Barati  <sbarati@apple.com>
2650
2651         We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags
2652         https://bugs.webkit.org/show_bug.cgi?id=176863
2653
2654         Reviewed by Keith Miller.
2655
2656         * CMakeLists.txt:
2657         * JavaScriptCore.xcodeproj/project.pbxproj:
2658         * runtime/ProxyObject.cpp:
2659         (JSC::performProxyGet):
2660         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2661         (JSC::ProxyObject::performHasProperty):
2662         (JSC::ProxyObject::getOwnPropertySlotCommon):
2663         (JSC::ProxyObject::performPut):
2664         (JSC::performProxyCall):
2665         (JSC::performProxyConstruct):
2666         (JSC::ProxyObject::performDelete):
2667         (JSC::ProxyObject::performPreventExtensions):
2668         (JSC::ProxyObject::performIsExtensible):
2669         (JSC::ProxyObject::performDefineOwnProperty):
2670         (JSC::ProxyObject::performGetOwnPropertyNames):
2671         (JSC::ProxyObject::performSetPrototype):
2672         (JSC::ProxyObject::performGetPrototype):
2673
2674 2017-09-14  Saam Barati  <sbarati@apple.com>
2675
2676         Make dumping the graph print both when exitOK and when !exitOK
2677         https://bugs.webkit.org/show_bug.cgi?id=176954
2678
2679         Reviewed by Keith Miller.
2680
2681         * dfg/DFGGraph.cpp:
2682         (JSC::DFG::Graph::dump):
2683
2684 2017-09-14  Saam Barati  <sbarati@apple.com>
2685
2686         It should be valid to exit before each set when doing arity fixup when inlining
2687         https://bugs.webkit.org/show_bug.cgi?id=176948
2688
2689         Reviewed by Keith Miller.
2690
2691         This patch makes it so that we can exit before each SetLocal when doing arity
2692         fixup during inlining. This is OK because if we exit at any of these SetLocals,
2693         we will simply exit to the beginning of the call instruction.
2694         
2695         Not doing this led to a bug where FixupPhase would insert a ValueRep of
2696         a node before the actual node. This is obviously invalid IR. I've added
2697         a new validation rule to catch this malformed IR.
2698
2699         * dfg/DFGByteCodeParser.cpp:
2700         (JSC::DFG::ByteCodeParser::inliningCost):
2701         (JSC::DFG::ByteCodeParser::inlineCall):
2702         * dfg/DFGValidate.cpp:
2703         * runtime/Options.h:
2704
2705 2017-09-14  Mark Lam  <mark.lam@apple.com>
2706
2707         AddressSanitizer: stack-buffer-underflow in JSC::Probe::Page::Page
2708         https://bugs.webkit.org/show_bug.cgi?id=176874
2709         <rdar://problem/34436415>
2710
2711         Reviewed by Saam Barati.
2712
2713         1. Make Probe::Stack play nice with ASan by:
2714
2715            a. using a local memcpy implementation that suppresses ASan on ASan builds.
2716               We don't want to use std::memcpy() which validates stack memory because
2717               we are intentionally copying stack memory beyond the current frame.
2718
2719            b. changing Stack::s_chunkSize to equal sizeof(uintptr_t) on ASan builds.
2720               This ensures that Page::flushWrites() only writes stack memory that was
2721               modified by a probe.  The probes should only modify stack memory that
2722               belongs to JSC stack data structures.  We don't want to inadvertently
2723               modify adjacent words that may belong to ASan (which may happen if
2724               s_chunkSize is larger than sizeof(uintptr_t)).
2725
2726            c. fixing a bug in Page dirtyBits management for when the size of the value to
2727               write is greater than s_chunkSize.  The fix is generic, but in practice,
2728               this currently only manifests on 32-bit ASan builds because
2729               sizeof(uintptr_t) and s_chunkSize are 32-bit, and we may write 64-bit
2730               values.
2731
2732            d. making Page::m_dirtyBits 64 bits always.  This maximizes the number of
2733               s_chunksPerPage we can have even on ASan builds.
2734
2735         2. Fixed the bottommost Probe::Context and Probe::Stack get/set methods to use
2736            std::memcpy to avoid strict aliasing issues.
2737
2738         3. Optimized the implementation of Page::physicalAddressFor().
2739
2740         4. Optimized the implementation of Stack::set() in the recording of the low
2741            watermark.  We just record the lowest raw pointer now, and only compute the
2742               alignment to its chunk boundary later when the low watermark is requested.
2743
2744         5. Changed a value in testmasm to make the test less vulnerable to rounding issues.
2745
2746         No new test needed because this is already covered by testmasm with ASan enabled.
2747
2748         * assembler/ProbeContext.h:
2749         (JSC::Probe::CPUState::gpr const):
2750         (JSC::Probe::CPUState::spr const):
2751         (JSC::Probe::Context::gpr):
2752         (JSC::Probe::Context::spr):
2753         (JSC::Probe::Context::fpr):
2754         (JSC::Probe::Context::gprName):
2755         (JSC::Probe::Context::sprName):
2756         (JSC::Probe::Context::fprName):
2757         (JSC::Probe::Context::gpr const):
2758         (JSC::Probe::Context::spr const):
2759         (JSC::Probe::Context::fpr const):
2760         (JSC::Probe::Context::pc):
2761         (JSC::Probe::Context::fp):
2762         (JSC::Probe::Context::sp):
2763         (JSC::Probe:: const): Deleted.
2764         * assembler/ProbeStack.cpp:
2765         (JSC::Probe::copyStackPage):
2766         (JSC::Probe::Page::Page):
2767         (JSC::Probe::Page::flushWrites):
2768         * assembler/ProbeStack.h:
2769         (JSC::Probe::Page::get):
2770         (JSC::Probe::Page::set):
2771         (JSC::Probe::Page::dirtyBitFor):
2772         (JSC::Probe::Page::physicalAddressFor):
2773         (JSC::Probe::Stack::lowWatermark):
2774         (JSC::Probe::Stack::get):
2775         (JSC::Probe::Stack::set):
2776         * assembler/testmasm.cpp:
2777         (JSC::testProbeModifiesStackValues):
2778
2779 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2780
2781         [JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed
2782         https://bugs.webkit.org/show_bug.cgi?id=176917
2783
2784         Reviewed by Saam Barati.
2785
2786         * dfg/DFGByteCodeParser.cpp:
2787         (JSC::DFG::ByteCodeParser::inliningCost):
2788         * runtime/Options.h:
2789
2790 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2791
2792         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
2793         https://bugs.webkit.org/show_bug.cgi?id=176867
2794
2795         Reviewed by Sam Weinig.
2796
2797         We rarely require private symbols when enumerating property names.
2798         This patch adds PrivateSymbolMode::{Include,Exclude}. If PrivateSymbolMode::Exclude
2799         is specified, PropertyNameArray does not include private symbols.
2800         This removes many ad-hoc `Identifier::isPrivateName()` in enumeration operations.
2801
2802         One additional good thing is that we do not need to filter private symbols out from PropertyNameArray.
2803         It allows us to use Object.keys()'s fast path for Object.getOwnPropertySymbols.
2804
2805         object-get-own-property-symbols                48.6275+-1.0021     ^     38.1846+-1.7934        ^ definitely 1.2735x faster
2806
2807         * API/JSObjectRef.cpp:
2808         (JSObjectCopyPropertyNames):
2809         * bindings/ScriptValue.cpp:
2810         (Inspector::jsToInspectorValue):
2811         * bytecode/ObjectAllocationProfile.h:
2812         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2813         * runtime/EnumerationMode.h:
2814         * runtime/IntlObject.cpp:
2815         (JSC::supportedLocales):
2816         * runtime/JSONObject.cpp:
2817         (JSC::Stringifier::Stringifier):
2818         (JSC::Stringifier::Holder::appendNextProperty):
2819         (JSC::Walker::walk):
2820         * runtime/JSPropertyNameEnumerator.cpp:
2821         (JSC::JSPropertyNameEnumerator::create):
2822         * runtime/JSPropertyNameEnumerator.h:
2823         (JSC::propertyNameEnumerator):
2824         * runtime/ObjectConstructor.cpp:
2825         (JSC::objectConstructorGetOwnPropertyDescriptors):
2826         (JSC::objectConstructorAssign):
2827         (JSC::objectConstructorValues):
2828         (JSC::defineProperties):
2829         (JSC::setIntegrityLevel):
2830         (JSC::testIntegrityLevel):
2831         (JSC::ownPropertyKeys):
2832         * runtime/PropertyNameArray.h:
2833         (JSC::PropertyNameArray::PropertyNameArray):
2834         (JSC::PropertyNameArray::propertyNameMode const):
2835         (JSC::PropertyNameArray::privateSymbolMode const):
2836         (JSC::PropertyNameArray::addUncheckedInternal):
2837         (JSC::PropertyNameArray::addUnchecked):
2838         (JSC::PropertyNameArray::add):
2839         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
2840         (JSC::PropertyNameArray::includeSymbolProperties const):
2841         (JSC::PropertyNameArray::includeStringProperties const):
2842         (JSC::PropertyNameArray::mode const): Deleted.
2843         * runtime/ProxyObject.cpp:
2844         (JSC::ProxyObject::performGetOwnPropertyNames):
2845
2846 2017-09-13  Mark Lam  <mark.lam@apple.com>
2847
2848         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
2849         https://bugs.webkit.org/show_bug.cgi?id=176888
2850         <rdar://problem/34381832>
2851
2852         Not reviewed.
2853
2854         * JavaScriptCore.xcodeproj/project.pbxproj:
2855         * assembler/MacroAssembler.cpp:
2856         (JSC::stdFunctionCallback):
2857         * assembler/MacroAssemblerPrinter.cpp:
2858         (JSC::Printer::printCallback):
2859         * assembler/ProbeContext.h:
2860         (JSC::Probe:: const):
2861         (JSC::Probe::Context::Context):
2862         (JSC::Probe::Context::gpr):
2863         (JSC::Probe::Context::spr):
2864         (JSC::Probe::Context::fpr):
2865         (JSC::Probe::Context::gprName):
2866         (JSC::Probe::Context::sprName):
2867         (JSC::Probe::Context::fprName):
2868         (JSC::Probe::Context::pc):
2869         (JSC::Probe::Context::fp):
2870         (JSC::Probe::Context::sp):
2871         (JSC::Probe::CPUState::gpr const): Deleted.
2872         (JSC::Probe::CPUState::spr const): Deleted.
2873         (JSC::Probe::Context::arg): Deleted.
2874         (JSC::Probe::Context::gpr const): Deleted.
2875         (JSC::Probe::Context::spr const): Deleted.
2876         (JSC::Probe::Context::fpr const): Deleted.
2877         * assembler/ProbeFrame.h: Removed.
2878         * assembler/ProbeStack.cpp:
2879         (JSC::Probe::Page::Page):
2880         * assembler/ProbeStack.h:
2881         (JSC::Probe::Page::get):
2882         (JSC::Probe::Page::set):
2883         (JSC::Probe::Page::physicalAddressFor):
2884         (JSC::Probe::Stack::lowWatermark):
2885         (JSC::Probe::Stack::get):
2886         (JSC::Probe::Stack::set):
2887         * bytecode/ArithProfile.cpp:
2888         * bytecode/ArithProfile.h:
2889         * bytecode/ArrayProfile.h:
2890         (JSC::ArrayProfile::observeArrayMode): Deleted.
2891         * bytecode/CodeBlock.cpp:
2892         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted.
2893         * bytecode/CodeBlock.h:
2894         (JSC::CodeBlock::addressOfOSRExitCounter):
2895         * bytecode/ExecutionCounter.h:
2896         (JSC::ExecutionCounter::hasCrossedThreshold const): Deleted.
2897         (JSC::ExecutionCounter::setNewThresholdForOSRExit): Deleted.
2898         * bytecode/MethodOfGettingAValueProfile.cpp:
2899         (JSC::MethodOfGettingAValueProfile::reportValue): Deleted.
2900         * bytecode/MethodOfGettingAValueProfile.h:
2901         * dfg/DFGDriver.cpp:
2902         (JSC::DFG::compileImpl):
2903         * dfg/DFGJITCode.cpp:
2904         (JSC::DFG::JITCode::findPC):
2905         * dfg/DFGJITCode.h:
2906         * dfg/DFGJITCompiler.cpp:
2907         (JSC::DFG::JITCompiler::linkOSRExits):
2908         (JSC::DFG::JITCompiler::link):
2909         * dfg/DFGOSRExit.cpp:
2910         (JSC::DFG::OSRExit::setPatchableCodeOffset):
2911         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const):
2912         (JSC::DFG::OSRExit::codeLocationForRepatch const):
2913         (JSC::DFG::OSRExit::correctJump):
2914         (JSC::DFG::OSRExit::emitRestoreArguments):
2915         (JSC::DFG::OSRExit::compileOSRExit):
2916         (JSC::DFG::OSRExit::compileExit):
2917         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
2918         (JSC::DFG::jsValueFor): Deleted.
2919         (JSC::DFG::restoreCalleeSavesFor): Deleted.
2920         (JSC::DFG::saveCalleeSavesFor): Deleted.
2921         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted.
2922         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted.
2923         (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted.
2924         (JSC::DFG::createDirectArgumentsDuringExit): Deleted.
2925         (JSC::DFG::createClonedArgumentsDuringExit): Deleted.
2926         (JSC::DFG::emitRestoreArguments): Deleted.
2927         (JSC::DFG::OSRExit::executeOSRExit): Deleted.
2928         (JSC::DFG::reifyInlinedCallFrames): Deleted.
2929         (JSC::DFG::adjustAndJumpToTarget): Deleted.
2930         (JSC::DFG::printOSRExit): Deleted.
2931         * dfg/DFGOSRExit.h:
2932         (JSC::DFG::OSRExitState::OSRExitState): Deleted.
2933         * dfg/DFGOSRExitCompilerCommon.cpp:
2934         * dfg/DFGOSRExitCompilerCommon.h:
2935         * dfg/DFGOperations.cpp:
2936         * dfg/DFGOperations.h:
2937         * dfg/DFGThunks.cpp:
2938         (JSC::DFG::osrExitGenerationThunkGenerator):
2939         (JSC::DFG::osrExitThunkGenerator): Deleted.
2940         * dfg/DFGThunks.h:
2941         * jit/AssemblyHelpers.cpp:
2942         (JSC::AssemblyHelpers::debugCall):
2943         * jit/AssemblyHelpers.h:
2944         * jit/JITOperations.cpp:
2945         * jit/JITOperations.h:
2946         * profiler/ProfilerOSRExit.h:
2947         (JSC::Profiler::OSRExit::incCount): Deleted.
2948         * runtime/JSCJSValue.h:
2949         * runtime/JSCJSValueInlines.h:
2950         * runtime/VM.h:
2951
2952 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2953
2954         [JSC] Move class/struct used in other class' member out of anonymous namespace
2955         https://bugs.webkit.org/show_bug.cgi?id=176876
2956
2957         Reviewed by Saam Barati.
2958
2959         GCC warns if a class has a base or field whose type uses the anonymous namespace
2960         and it is defined in an included file. This is because this possibly violates
2961         the one definition rule (ODR): if an included file has the anonymous namespace, each
2962         translation unit creates its private anonymous namespace. Thus, each type
2963         inside the anonymous namespace becomes different in each translation unit if
2964         the file is included in multiple translation units.
2965
2966         While the current use in JSC is not violating ODR since these cpp files are included
2967         only once for unified sources, specifying `-Wno-subobject-linkage` could miss
2968         the actual bugs. So, in this patch, we just move related classes/structs out of
2969         the anonymous namespace.
2970
2971         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2972         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::addition):
2973         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::arrayBounds):
2974         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator! const):
2975         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::hash const):
2976         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator== const):
2977         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::dump const):
2978         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::RangeKeyAndAddend):
2979         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::operator! const):
2980         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::dump const):
2981         (JSC::DFG::IntegerCheckCombiningPhase::Range::dump const):
2982         * dfg/DFGLICMPhase.cpp:
2983
2984 2017-09-13  Devin Rousso  <webkit@devinrousso.com>
2985
2986         Web Inspector: Event Listeners section does not update when listeners are added/removed
2987         https://bugs.webkit.org/show_bug.cgi?id=170570
2988         <rdar://problem/31501645>
2989
2990         Reviewed by Joseph Pecoraro.
2991
2992         * inspector/protocol/DOM.json:
2993         Add two new events: "didAddEventListener" and "willRemoveEventListener". These events do not
2994         contain any information about the event listeners that were added/removed. They serve more
2995         as indications that something has changed, and to refetch the data again via `getEventListenersForNode`.
2996
2997 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2998
2999         [JSC] Fix Array allocation in Object.keys
3000         https://bugs.webkit.org/show_bug.cgi?id=176826
3001
3002         Reviewed by Saam Barati.
3003
3004         When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
3005         We check isHavingABadTime() in ownPropertyKeys fast path.
3006         And we also ensure that ownPropertyKeys uses the putDirect operation instead of put by a test.
3007
3008         * runtime/ObjectConstructor.cpp:
3009         (JSC::ownPropertyKeys):
3010
3011 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3012
3013         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3014         https://bugs.webkit.org/show_bug.cgi?id=176010
3015
3016         Reviewed by Filip Pizlo.
3017
3018         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
3019         It is used for meta property for objects (see peekMeta function in Ember.js).
3020
3021         This patch optimizes WeakMap#get.
3022
3023         1. We use inlineGet to inline WeakMap#get operation in the native function.
3024         Since this native function itself is very small, we should inline HashMap#get
3025         entirely in this function.
3026
3027         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
3028         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
3029         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
3030         ObjectUse, and Int32Use.
3031
3032         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
3033         calculate hash value for the key's Object and use this hash value to look up value from
3034         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
3035         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
3036         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
3037         patches.
3038
3039         We currently do not implement any other intrinsics (like WeakMap#has or WeakSet) because they are
3040         not used in Ember.js right now.
3041
3042         This patch optimizes WeakMap#get by 50%.
3043
3044                                  baseline                  patched
3045
3046         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
3047
3048         * bytecode/DirectEvalCodeCache.h:
3049         (JSC::DirectEvalCodeCache::tryGet):
3050         * bytecode/SpeculatedType.cpp:
3051         (JSC::dumpSpeculation):
3052         (JSC::speculationFromClassInfo):
3053         (JSC::speculationFromJSType):
3054         (JSC::speculationFromString):
3055         * bytecode/SpeculatedType.h:
3056         * dfg/DFGAbstractInterpreterInlines.h:
3057         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3058         * dfg/DFGByteCodeParser.cpp:
3059         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3060         * dfg/DFGClobberize.h:
3061         (JSC::DFG::clobberize):
3062         * dfg/DFGDoesGC.cpp:
3063         (JSC::DFG::doesGC):
3064         * dfg/DFGFixupPhase.cpp:
3065         (JSC::DFG::FixupPhase::fixupNode):
3066         * dfg/DFGHeapLocation.cpp:
3067         (WTF::printInternal):
3068         * dfg/DFGHeapLocation.h:
3069         * dfg/DFGNode.h:
3070         (JSC::DFG::Node::hasHeapPrediction):
3071         * dfg/DFGNodeType.h:
3072         * dfg/DFGOperations.cpp:
3073         * dfg/DFGOperations.h:
3074         * dfg/DFGPredictionPropagationPhase.cpp:
3075         * dfg/DFGSafeToExecute.h:
3076         (JSC::DFG::SafeToExecuteEdge::operator()):
3077         (JSC::DFG::safeToExecute):
3078         * dfg/DFGSpeculativeJIT.cpp:
3079         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
3080         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
3081         (JSC::DFG::SpeculativeJIT::speculate):
3082         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
3083         * dfg/DFGSpeculativeJIT.h:
3084         (JSC::DFG::SpeculativeJIT::callOperation):
3085         * dfg/DFGSpeculativeJIT32_64.cpp:
3086         (JSC::DFG::SpeculativeJIT::compile):
3087         * dfg/DFGSpeculativeJIT64.cpp:
3088         (JSC::DFG::SpeculativeJIT::compile):
3089         * dfg/DFGUseKind.cpp:
3090         (WTF::printInternal):
3091         * dfg/DFGUseKind.h:
3092         (JSC::DFG::typeFilterFor):
3093         (JSC::DFG::isCell):
3094         * ftl/FTLCapabilities.cpp:
3095         (JSC::FTL::canCompile):
3096         * ftl/FTLLowerDFGToB3.cpp:
3097         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3098         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
3099         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
3100         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
3101         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3102         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
3103         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
3104         * jit/JITOperations.h:
3105         * runtime/HashMapImpl.h:
3106         (JSC::WeakMapHash::hash):
3107         (JSC::WeakMapHash::equal):
3108         * runtime/Intrinsic.cpp:
3109         (JSC::intrinsicName):
3110         * runtime/Intrinsic.h:
3111         * runtime/JSType.h:
3112         * runtime/JSWeakMap.h:
3113         (JSC::isJSWeakMap):
3114         * runtime/JSWeakSet.h:
3115         (JSC::isJSWeakSet):
3116         * runtime/WeakMapBase.cpp:
3117         (JSC::WeakMapBase::get):
3118         * runtime/WeakMapBase.h:
3119         (JSC::WeakMapBase::HashTranslator::hash):
3120         (JSC::WeakMapBase::HashTranslator::equal):
3121         (JSC::WeakMapBase::inlineGet):
3122         * runtime/WeakMapPrototype.cpp:
3123         (JSC::WeakMapPrototype::finishCreation):
3124         (JSC::getWeakMap):
3125         (JSC::protoFuncWeakMapGet):
3126         * runtime/WeakSetPrototype.cpp:
3127         (JSC::getWeakSet):
3128
3129 2017-09-12  Keith Miller  <keith_miller@apple.com>
3130
3131         Rename JavaScriptCore CMake unifiable sources list
3132         https://bugs.webkit.org/show_bug.cgi?id=176823
3133
3134         Reviewed by Joseph Pecoraro.
3135
3136         This patch also changes the error message when the unified source
3137         bundler fails to be more accurate.
3138
3139         * CMakeLists.txt:
3140
3141 2017-09-12  Keith Miller  <keith_miller@apple.com>
3142
3143         Do unified source builds for JSC
3144         https://bugs.webkit.org/show_bug.cgi?id=176076
3145
3146         Reviewed by Geoffrey Garen.
3147
3148         This patch switches the CMake JavaScriptCore build to use unified sources.
3149         The Xcode build will be upgraded in a follow up patch.
3150
3151         Most of the source changes in this patch are fixing static
3152         variable/functions name collisions. The most common collisions
3153         were from our use of "static const bool verbose" and "using
3154         namespace ...". I fixed all the verbose cases and fixed the "using
3155         namespace" issues that occurred under the current bundling
3156         strategy. It's likely that more of the "using namespace" issues
3157         will need to be resolved in the future, particularly in the FTL.
3158
3159         I don't expect either of these problems will apply to other parts
3160         of the project nearly as much as in JSC. Using a verbose variable
3161         is a JSC idiom and JSC tends to use the same, canonical, class name
3162         in multiple parts of the engine.
3163
3164         * CMakeLists.txt:
3165         * b3/B3CheckSpecial.cpp:
3166         (JSC::B3::CheckSpecial::forEachArg):
3167         (JSC::B3::CheckSpecial::generate):
3168         (JSC::B3::Air::numB3Args): Deleted.
3169         * b3/B3DuplicateTails.cpp:
3170         * b3/B3EliminateCommonSubexpressions.cpp:
3171         * b3/B3FixSSA.cpp:
3172         (JSC::B3::demoteValues):
3173         * b3/B3FoldPathConstants.cpp:
3174         * b3/B3InferSwitches.cpp:
3175         * b3/B3LowerMacrosAfterOptimizations.cpp:
3176         (): Deleted.
3177         * b3/B3LowerToAir.cpp:
3178         (JSC::B3::Air::LowerToAir::LowerToAir): Deleted.
3179         (JSC::B3::Air::LowerToAir::run): Deleted.
3180         (JSC::B3::Air::LowerToAir::shouldCopyPropagate): Deleted.
3181         (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise): Deleted.
3182         (JSC::B3::Air::LowerToAir::ArgPromise::swap): Deleted.
3183         (JSC::B3::Air::LowerToAir::ArgPromise::operator=): Deleted.
3184         (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise): Deleted.
3185         (JSC::B3::Air::LowerToAir::ArgPromise::setTraps): Deleted.
3186         (JSC::B3::Air::LowerToAir::ArgPromise::tmp): Deleted.
3187         (JSC::B3::Air::LowerToAir::ArgPromise::operator bool const): Deleted.
3188         (JSC::B3::Air::LowerToAir::ArgPromise::kind const): Deleted.
3189         (JSC::B3::Air::LowerToAir::ArgPromise::peek const): Deleted.
3190         (JSC::B3::Air::LowerToAir::ArgPromise::consume): Deleted.
3191         (JSC::B3::Air::LowerToAir::ArgPromise::inst): Deleted.
3192         (JSC::B3::Air::LowerToAir::tmp): Deleted.
3193         (JSC::B3::Air::LowerToAir::tmpPromise): Deleted.
3194         (JSC::B3::Air::LowerToAir::canBeInternal): Deleted.
3195         (JSC::B3::Air::LowerToAir::commitInternal): Deleted.
3196         (JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
3197         (JSC::B3::Air::LowerToAir::scaleForShl): Deleted.
3198         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
3199         (JSC::B3::Air::LowerToAir::addr): Deleted.
3200         (JSC::B3::Air::LowerToAir::trappingInst): Deleted.
3201         (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode): Deleted.
3202         (JSC::B3::Air::LowerToAir::loadPromise): Deleted.
3203         (JSC::B3::Air::LowerToAir::imm): Deleted.
3204         (JSC::B3::Air::LowerToAir::bitImm): Deleted.
3205         (JSC::B3::Air::LowerToAir::bitImm64): Deleted.
3206         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
3207         (JSC::B3::Air::LowerToAir::tryOpcodeForType): Deleted.
3208         (JSC::B3::Air::LowerToAir::opcodeForType): Deleted.
3209         (JSC::B3::Air::LowerToAir::appendUnOp): Deleted.
3210         (JSC::B3::Air::LowerToAir::preferRightForResult): Deleted.
3211         (JSC::B3::Air::LowerToAir::appendBinOp): Deleted.
3212         (JSC::B3::Air::LowerToAir::appendShift): Deleted.
3213         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp): Deleted.
3214         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): Deleted.
3215         (JSC::B3::Air::LowerToAir::createStore): Deleted.
3216         (JSC::B3::Air::LowerToAir::storeOpcode): Deleted.
3217         (JSC::B3::Air::LowerToAir::appendStore): Deleted.
3218         (JSC::B3::Air::LowerToAir::moveForType): Deleted.
3219         (JSC::B3::Air::LowerToAir::relaxedMoveForType): Deleted.
3220         (JSC::B3::Air::LowerToAir::print): Deleted.
3221         (JSC::B3::Air::LowerToAir::append): Deleted.
3222         (JSC::B3::Air::LowerToAir::appendTrapping): Deleted.
3223         (JSC::B3::Air::LowerToAir::finishAppendingInstructions): Deleted.
3224         (JSC::B3::Air::LowerToAir::newBlock): Deleted.
3225         (JSC::B3::Air::LowerToAir::splitBlock): Deleted.
3226         (JSC::B3::Air::LowerToAir::ensureSpecial): Deleted.
3227         (JSC::B3::Air::LowerToAir::ensureCheckSpecial): Deleted.
3228         (JSC::B3::Air::LowerToAir::fillStackmap): Deleted.
3229         (JSC::B3::Air::LowerToAir::createGenericCompare): Deleted.
3230         (JSC::B3::Air::LowerToAir::createBranch): Deleted.
3231         (JSC::B3::Air::LowerToAir::createCompare): Deleted.
3232         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
3233         (JSC::B3::Air::LowerToAir::tryAppendLea): Deleted.
3234         (JSC::B3::Air::LowerToAir::appendX86Div): Deleted.
3235         (JSC::B3::Air::LowerToAir::appendX86UDiv): Deleted.
3236         (JSC::B3::Air::LowerToAir::loadLinkOpcode): Deleted.
3237         (JSC::B3::Air::LowerToAir::storeCondOpcode): Deleted.
3238         (JSC::B3::Air::LowerToAir::appendCAS): Deleted.
3239         (JSC::B3::Air::LowerToAir::appendVoidAtomic): Deleted.
3240         (JSC::B3::Air::LowerToAir::appendGeneralAtomic): Deleted.
3241         (JSC::B3::Air::LowerToAir::lower): Deleted.
3242         * b3/B3PatchpointSpecial.cpp:
3243         (JSC::B3::PatchpointSpecial::generate):
3244         * b3/B3ReduceDoubleToFloat.cpp:
3245         (JSC::B3::reduceDoubleToFloat):
3246         * b3/B3ReduceStrength.cpp:
3247         * b3/B3StackmapGenerationParams.cpp:
3248         * b3/B3StackmapSpecial.cpp:
3249         (JSC::B3::StackmapSpecial::repsImpl):
3250         (JSC::B3::StackmapSpecial::repForArg):
3251         * b3/air/AirAllocateStackByGraphColoring.cpp:
3252         (JSC::B3::Air::allocateStackByGraphColoring):
3253         * b3/air/AirEmitShuffle.cpp:
3254         (JSC::B3::Air::emitShuffle):
3255         * b3/air/AirFixObviousSpills.cpp:
3256         * b3/air/AirLowerAfterRegAlloc.cpp:
3257         (JSC::B3::Air::lowerAfterRegAlloc):
3258         * b3/air/AirStackAllocation.cpp:
3259         (JSC::B3::Air::attemptAssignment):
3260         (JSC::B3::Air::assign):
3261         * bytecode/AccessCase.cpp:
3262         (JSC::AccessCase::generateImpl):
3263         * bytecode/CallLinkStatus.cpp:
3264         (JSC::CallLinkStatus::computeDFGStatuses):
3265         * bytecode/GetterSetterAccessCase.cpp:
3266         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3267         * bytecode/ObjectPropertyConditionSet.cpp:
3268         * bytecode/PolymorphicAccess.cpp:
3269         (JSC::PolymorphicAccess::addCases):
3270         (JSC::PolymorphicAccess::regenerate):
3271         * bytecode/PropertyCondition.cpp:
3272         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
3273         * bytecode/StructureStubInfo.cpp:
3274         (JSC::StructureStubInfo::addAccessCase):
3275         * dfg/DFGArgumentsEliminationPhase.cpp:
3276         * dfg/DFGByteCodeParser.cpp:
3277         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
3278         (JSC::DFG::ByteCodeParser::inliningCost):
3279         (JSC::DFG::ByteCodeParser::inlineCall):
3280         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
3281         (JSC::DFG::ByteCodeParser::handleInlining):
3282         (JSC::DFG::ByteCodeParser::planLoad):
3283         (JSC::DFG::ByteCodeParser::store):
3284         (JSC::DFG::ByteCodeParser::parseBlock):
3285         (JSC::DFG::ByteCodeParser::linkBlock):
3286         (JSC::DFG::ByteCodeParser::linkBlocks):
3287         * dfg/DFGCSEPhase.cpp:
3288         * dfg/DFGInPlaceAbstractState.cpp:
3289         (JSC::DFG::InPlaceAbstractState::merge):
3290         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3291         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
3292         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
3293         * dfg/DFGMovHintRemovalPhase.cpp:
3294         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3295         * dfg/DFGPhantomInsertionPhase.cpp:
3296         * dfg/DFGPutStackSinkingPhase.cpp:
3297         * dfg/DFGStoreBarrierInsertionPhase.cpp:
3298         * dfg/DFGVarargsForwardingPhase.cpp:
3299         * ftl/FTLAbstractHeap.cpp:
3300         (JSC::FTL::AbstractHeap::compute):
3301         * ftl/FTLAbstractHeapRepository.cpp:
3302         (JSC::FTL::AbstractHeapRepository::decorateMemory):
3303         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
3304         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
3305         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
3306         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
3307         (JSC::FTL::AbstractHeapRepository::decorateFenceRead):
3308         (JSC::FTL::AbstractHeapRepository::decorateFenceWrite):
3309         (JSC::FTL::AbstractHeapRepository::decorateFencedAccess):
3310         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
3311         * ftl/FTLLink.cpp:
3312         (JSC::FTL::link):
3313         * heap/MarkingConstraintSet.cpp:
3314         (JSC::MarkingConstraintSet::add):
3315         * interpreter/ShadowChicken.cpp:
3316         (JSC::ShadowChicken::update):
3317         * jit/BinarySwitch.cpp:
3318         (JSC::BinarySwitch::BinarySwitch):
3319         (JSC::BinarySwitch::build):
3320         * llint/LLIntData.cpp:
3321         (JSC::LLInt::Data::loadStats):
3322         (JSC::LLInt::Data::saveStats):
3323         * runtime/ArrayPrototype.cpp:
3324         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
3325         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
3326         * runtime/ErrorInstance.cpp:
3327         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
3328         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
3329         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame const): Deleted.
3330         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index const): Deleted.
3331         * runtime/IntlDateTimeFormat.cpp:
3332         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3333         * runtime/PromiseDeferredTimer.cpp:
3334         (JSC::PromiseDeferredTimer::doWork):
3335         (JSC::PromiseDeferredTimer::addPendingPromise):
3336         (JSC::PromiseDeferredTimer::cancelPendingPromise):
3337         * runtime/TypeProfiler.cpp:
3338         (JSC::TypeProfiler::insertNewLocation):
3339         * runtime/TypeProfilerLog.cpp:
3340         (JSC::TypeProfilerLog::processLogEntries):
3341         * runtime/WeakMapPrototype.cpp:
3342         (JSC::protoFuncWeakMapDelete):
3343         (JSC::protoFuncWeakMapGet):
3344         (JSC::protoFuncWeakMapHas):
3345         (JSC::protoFuncWeakMapSet):
3346         (JSC::getWeakMapData): Deleted.
3347         * runtime/WeakSetPrototype.cpp:
3348         (JSC::protoFuncWeakSetDelete):
3349         (JSC::protoFuncWeakSetHas):
3350         (JSC::protoFuncWeakSetAdd):
3351         (JSC::getWeakMapData): Deleted.
3352         * testRegExp.cpp:
3353         (testOneRegExp):
3354         (runFromFiles):
3355         * wasm/WasmB3IRGenerator.cpp:
3356         (JSC::Wasm::parseAndCompile):
3357         * wasm/WasmBBQPlan.cpp:
3358         (JSC::Wasm::BBQPlan::moveToState):
3359         (JSC::Wasm::BBQPlan::parseAndValidateModule):
3360         (JSC::Wasm::BBQPlan::prepare):
3361         (JSC::Wasm::BBQPlan::compileFunctions):
3362         (JSC::Wasm::BBQPlan::complete):
3363         * wasm/WasmFaultSignalHandler.cpp:
3364         (JSC::Wasm::trapHandler):
3365         * wasm/WasmOMGPlan.cpp:
3366         (JSC::Wasm::OMGPlan::OMGPlan):
3367         (JSC::Wasm::OMGPlan::work):
3368         * wasm/WasmPlan.cpp:
3369         (JSC::Wasm::Plan::fail):
3370         * wasm/WasmSignature.cpp:
3371         (JSC::Wasm::SignatureInformation::adopt):
3372         * wasm/WasmWorklist.cpp:
3373         (JSC::Wasm::Worklist::enqueue):
3374
3375 2017-09-12  Michael Saboff  <msaboff@apple.com>
3376
3377         String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp
3378         https://bugs.webkit.org/show_bug.cgi?id=176814
3379
3380         Reviewed by Mark Lam.
3381
3382         The copy and advance indices were off by one and needed a little fine-tuning.
3383
3384         * runtime/StringPrototype.cpp:
3385         (JSC::substituteBackreferencesSlow):
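
The substitution rules that substituteBackreferencesSlow implements, as an added example written for this page rather than JSC code: a JavaScript reference implementation of the ECMAScript GetSubstitution steps, driven through a single-match replace so it can be checked against the engine's own String.prototype.replace. The names getSubstitution, replaceFirst, SAMPLES and runSamples and the sample inputs are constructed for the example; the `$<` branch shows the case the fix concerns (a pattern with no named groups), where "$<" must be copied once and the scan must advance past both characters.

```javascript
// Reference implementation of the ECMAScript GetSubstitution abstract
// operation (the spec steps behind String.prototype.replace templates).
// Constructed for this example; not the engine's code.
function getSubstitution(matched, str, position, captures, namedCaptures, replacement) {
  const m = captures.length;                 // number of capture groups
  const tailPos = position + matched.length; // first index after the match
  let result = '';
  let i = 0;
  while (i < replacement.length) {
    const ch = replacement[i];
    if (ch !== '$' || i + 1 >= replacement.length) {
      result += ch;                          // ordinary character or trailing '$'
      i += 1;
      continue;
    }
    const next = replacement[i + 1];
    if (next === '$') { result += '$'; i += 2; }
    else if (next === '&') { result += matched; i += 2; }
    else if (next === '`') { result += str.slice(0, position); i += 2; }
    else if (next === "'") { result += str.slice(tailPos); i += 2; }
    else if (next >= '0' && next <= '9') {
      // $nn is preferred when it names an existing group, then $n; a reference
      // to a group that does not exist is left as literal text.
      const two = replacement.slice(i + 1, i + 3);
      let n = 0;
      let consumed = 0;
      if (/^[0-9]{2}$/.test(two) && Number(two) >= 1 && Number(two) <= m) {
        n = Number(two); consumed = 3;
      } else if (Number(next) >= 1 && Number(next) <= m) {
        n = Number(next); consumed = 2;
      }
      if (consumed === 0) { result += '$'; i += 1; }
      else {
        const cap = captures[n - 1];
        result += cap === undefined ? '' : String(cap);
        i += consumed;
      }
    } else if (next === '<') {
      if (namedCaptures === undefined) {
        // The pattern has no named groups: "$<" is literal. Copy both
        // characters and advance past both, so no '<' is duplicated.
        result += '$<';
        i += 2;
      } else {
        const close = replacement.indexOf('>', i + 2);
        if (close === -1) { result += '$<'; i += 2; }   // unterminated: literal
        else {
          const cap = namedCaptures[replacement.slice(i + 2, close)];
          result += cap === undefined ? '' : String(cap);
          i = close + 1;
        }
      }
    } else { result += '$'; i += 1; }      // '$' followed by anything else
  }
  return result;
}

// Drive getSubstitution the way a non-global String.prototype.replace does,
// so the result can be compared with the engine's own replace.
function replaceFirst(str, regexp, template) {
  const match = regexp.exec(str);
  if (match === null) return str;
  // match.groups is undefined when the pattern has no named groups, which is
  // exactly the namedCaptures === undefined case above.
  const substitution = getSubstitution(match[0], str, match.index, match.slice(1), match.groups, template);
  return str.slice(0, match.index) + substitution + str.slice(match.index + match[0].length);
}

// Constructed sample inputs; each pair should agree with the built-in replace.
const SAMPLES = [
  ['abc', /b/, '[$<x>]'],                                   // no named groups: "$<x>" stays literal
  ['abc', /b/, '$<x'],                                      // unterminated "$<": literal too
  ['2017-09-12', /(?<y>\d{4})-(?<m>\d{2})-(?<d>\d{2})/, '$<d>/$<m>/$<y>'],
  ['y', /(?<a>x)|(?<b>y)/, '[$<a>][$<b>]'],                  // unmatched named group -> empty string
  ['abc', /(b)/, "$`|$&|$'|$1|$2|$$"],                      // positional forms; $2 is out of range
];

function runSamples() {
  return SAMPLES.map(([str, re, tmpl]) => ({
    ours: replaceFirst(str, re, tmpl),
    engine: str.replace(re, tmpl),
  }));
}
```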
3386
3387 2017-09-11  Mark Lam  <mark.lam@apple.com>
3388
3389         More exception check book-keeping needed found by 32-bit JSC test failures.
3390         https://bugs.webkit.org/show_bug.cgi?id=176742
3391
3392         Reviewed by Michael Saboff and Keith Miller.
3393
3394         * dfg/DFGOperations.cpp:
3395
3396 2017-09-11  Mark Lam  <mark.lam@apple.com>
3397
3398         Make jsc dump the command line if JSC_dumpOption environment variable is set with a non-zero value.
3399         https://bugs.webkit.org/show_bug.cgi?id=176722
3400
3401         Reviewed by Saam Barati.
3402
3403         For PLATFORM(COCOA), I also dumped the JSC_* environment variables that are
3404         in effect when jsc is invoked.
3405
3406         * jsc.cpp:
3407         (CommandLine::parseArguments):
3408
3409 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
3410
3411         Unreviewed, rolling out r221854.
3412
3413         The test added with this change fails on 32-bit JSC bots.
3414
3415         Reverted changeset:
3416
3417         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
3418         https://bugs.webkit.org/show_bug.cgi?id=176010
3419         http://trac.webkit.org/changeset/221854
3420
3421 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3422
3423         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3424         https://bugs.webkit.org/show_bug.cgi?id=176010
3425
3426         Reviewed by Filip Pizlo.
3427
3428         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
3429         It is used for meta properties of objects (see the peekMeta function in Ember.js).
3430
3431         This patch optimizes WeakMap#get.
3432
3433         1. We use inlineGet to inline the WeakMap#get operation in the native function.
3434         Since this native function itself is very small, we should inline HashMap#get
3435         entirely in this function.
3436
3437         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
3438         very quickly. This patch also wires this to the DFG and FTL, adding WeakMapObjectUse and WeakSetObjectUse
3439         to drop unnecessary type checking. We add fixup rules for the WeakMapGet DFG node by using WeakMapObjectUse,
3440         ObjectUse, and Int32Use.
3441
3442         3. We add an intrinsic for WeakMap#get, and handle it in the DFG and FTL. We use MapHash to
3443         calculate the hash value for the key object and use this hash value to look up the value in
3444         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in the DFG and FTL.
3445         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
3446         But anyway, the current one already optimizes the performance, so we leave this for subsequent
3447         patches.
3448
3449         We currently do not implement any other intrinsics (like WeakMap#has or WeakSet) because they are
3450         not used in Ember.js right now.
3451
3452         This patch optimizes WeakMap#get by 50%.
3453
3454                                  baseline                  patched
3455
3456         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
3457
3458         * bytecode/DirectEvalCodeCache.h:
3459         (JSC::DirectEvalCodeCache::tryGet):
3460         * bytecode/SpeculatedType.cpp:
3461         (JSC::dumpSpeculation):
3462         (JSC::speculationFromClassInfo):
3463         (JSC::speculationFromJSType):
3464         (JSC::speculationFromString):
3465         * bytecode/SpeculatedType.h:
3466         * dfg/DFGAbstractInterpreterInlines.h:
3467         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3468         * dfg/DFGByteCodeParser.cpp:
3469         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3470         * dfg/DFGClobberize.h:
3471         (JSC::DFG::clobberize):
3472         * dfg/DFGDoesGC.cpp:
3473         (JSC::DFG::doesGC):
3474         * dfg/DFGFixupPhase.cpp:
3475         (JSC::DFG::FixupPhase::fixupNode):
3476         * dfg/DFGHeapLocation.cpp:
3477         (WTF::printInternal):
3478         * dfg/DFGHeapLocation.h:
3479         * dfg/DFGNode.h:
3480         (JSC::DFG::Node::hasHeapPrediction):
3481         * dfg/DFGNodeType.h:
3482         * dfg/DFGOperations.cpp:
3483         * dfg/DFGOperations.h:
3484         * dfg/DFGPredictionPropagationPhase.cpp:
3485         * dfg/DFGSafeToExecute.h:
3486         (JSC::DFG::SafeToExecuteEdge::operator()):
3487         (JSC::DFG::safeToExecute):
3488         * dfg/DFGSpeculativeJIT.cpp:
3489         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
3490         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
3491         (JSC::DFG::SpeculativeJIT::speculate):
3492         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
3493         * dfg/DFGSpeculativeJIT.h:
3494         (JSC::DFG::SpeculativeJIT::callOperation):
3495         * dfg/DFGSpeculativeJIT32_64.cpp:
3496         (JSC::DFG::SpeculativeJIT::compile):
3497         * dfg/DFGSpeculativeJIT64.cpp:
3498         (JSC::DFG::SpeculativeJIT::compile):
3499         * dfg/DFGUseKind.cpp:
3500         (WTF::printInternal):
3501         * dfg/DFGUseKind.h:
3502         (JSC::DFG::typeFilterFor):
3503         (JSC::DFG::isCell):
3504         * ftl/FTLCapabilities.cpp:
3505         (JSC::FTL::canCompile):
3506         * ftl/FTLLowerDFGToB3.cpp:
3507         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3508         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
3509         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
3510         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
3511         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3512         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
3513         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
3514         * jit/JITOperations.h:
3515         * runtime/Intrinsic.cpp:
3516         (JSC::intrinsicName):
3517         * runtime/Intrinsic.h:
3518         * runtime/JSType.h:
3519         * runtime/JSWeakMap.h:
3520         (JSC::isJSWeakMap):
3521         * runtime/JSWeakSet.h:
3522         (JSC::isJSWeakSet):
3523         * runtime/WeakMapBase.cpp:
3524         (JSC::WeakMapBase::get):
3525         * runtime/WeakMapBase.h:
3526         (JSC::WeakMapBase::HashTranslator::hash):
3527         (JSC::WeakMapBase::HashTranslator::equal):
3528         (JSC::WeakMapBase::inlineGet):
3529         * runtime/WeakMapPrototype.cpp:
3530         (JSC::WeakMapPrototype::finishCreation):
3531         (JSC::getWeakMap):
3532         (JSC::protoFuncWeakMapGet):
3533         * runtime/WeakSetPrototype.cpp:
3534         (JSC::getWeakSet):
3535
3536 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3537
3538         [JSC] Optimize Object.keys by using careful array allocation
3539         https://bugs.webkit.org/show_bug.cgi?id=176654
3540
3541         Reviewed by Darin Adler.
3542
3543         SixSpeed object-assign.es6 stresses Object.keys. Object.keys is one of the frequently used
3544         functions in JS apps. Luckily Object.keys has several good features.
3545
3546         1. Once the PropertyNameArray is allocated, we know the length of the result array since
3547         we do not need to filter out keys listed in the PropertyNameArray. The exception is ProxyObject,
3548         but it rarely appears. The ProxyObject case goes to the generic path.
3549
3550         2. Object.keys does not need to access the object after listing the PropertyNameArray. This means
3551         that we do not need to worry about enumeration attribute changes caused by touching the object.
3552
3553         This patch adds a fast path for Object.keys's array allocation. We allocate the JSArray
3554         with that size and the ArrayContiguous indexing shape.
3555
3556         This further improves SixSpeed object-assign.es5 by 13%.
3557
3558                                             baseline                  patched
3559         Microbenchmarks:
3560            object-keys-map-values       73.4324+-2.5397     ^     62.5933+-2.6677        ^ definitely 1.1732x faster
3561            object-keys                  40.8828+-1.5851     ^     29.2066+-1.8944        ^ definitely 1.3998x faster
3562
3563                                             baseline                  patched
3564         SixSpeed:
3565            object-assign.es5           384.8719+-10.7204    ^    340.2734+-12.0947       ^ definitely 1.1311x faster
3566
3567         BTW, a further optimization of Object.keys can be considered: introducing an own property keys
3568         cache which is similar to the current enumeration cache. But this patch is orthogonal to
3569         that optimization!
3570
3571         * runtime/ObjectConstructor.cpp:
3572         (JSC::objectConstructorValues):
3573         (JSC::ownPropertyKeys):
3574         * runtime/ObjectConstructor.h:
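
The two properties of Object.keys that the fast path above relies on, observed through a Proxy, as an added example written for this page and not JSC code: Object.keys invokes [[OwnPropertyKeys]] once and [[GetOwnProperty]] once per listed string key, but never [[Get]], and for a Proxy the listed keys can still include non-enumerable ones, so the result length is not known from the listing alone. The names observeObjectKeys, sampleTarget and demo and the sample object are constructed for the example.

```javascript
// Wrap a target in a Proxy whose traps only forward to the target while
// counting how often Object.keys invokes each of them.
function observeObjectKeys(target) {
  const calls = { ownKeys: 0, getOwnPropertyDescriptor: 0, get: 0 };
  const proxy = new Proxy(target, {
    ownKeys(t) {
      calls.ownKeys += 1;
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      calls.getOwnPropertyDescriptor += 1;
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
    get(t, key, receiver) {
      calls.get += 1;
      return Reflect.get(t, key, receiver);
    },
  });
  const keys = Object.keys(proxy);
  // listedCount is what the ownKeys trap handed back; keys.length is what
  // survived the per-key enumerability check.
  return { keys, calls, listedCount: Reflect.ownKeys(target).length };
}

// Constructed sample: three own string keys, one non-enumerable, plus an
// accessor whose getter must never run during Object.keys.
function sampleTarget() {
  const t = { a: 1 };
  Object.defineProperty(t, 'b', { value: 2, enumerable: false, configurable: true });
  Object.defineProperty(t, 'c', {
    get() { throw new Error('getter ran during Object.keys'); },
    enumerable: true,
    configurable: true,
  });
  return t;
}

function demo() {
  return observeObjectKeys(sampleTarget());
}
```

On an ordinary object the listing already contains only enumerable keys, so its length is the result length; the Proxy result here is shorter than its listing, which is why that case takes the generic path.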
3575
3576 2017-09-10  Mark Lam  <mark.lam@apple.com>
3577
3578         Fix all ExceptionScope verification failures in JavaScriptCore.
3579         https://bugs.webkit.org/show_bug.cgi?id=176662
3580         <rdar://problem/34352085>
3581
3582         Reviewed by Filip Pizlo.
3583
3584         1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope
3585            verification for release builds too (though this requires manually setting
3586            ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).
3587
3588            This is useful because it allows us to run the tests more quickly to check
3589            if any regressions have occurred.  Debug builds run so much slower and are not
3590            good for a quick turnaround.  Debug builds are necessary though to get
3591            trace information without inlining by the C++ compiler.  This is necessary to
3592            diagnose where the missing exception check is.
3593
3594         2. Repurposed the JSC_dumpSimulatedThrows=true option to capture and dump the last
3595            simulated throw when an exception scope verification fails.
3596
3597            Previously, this option dumped the stack trace on all simulated throws.  That
3598            turned out to not be very useful, and slowed down the debugging process.
3599            Instead, the new implementation captures the stack trace and only dumps it
3600            if we have a verification failure.
3601
3602         3. Fixed missing exception checks and book-keeping needed to allow the JSC tests
3603            to pass with JSC_validateExceptionChecks=true.
3604
3605         * bytecode/CodeBlock.cpp:
3606         (JSC::CodeBlock::finishCreation):
3607         * dfg/DFGOSRExit.cpp:
3608         (JSC::DFG::OSRExit::executeOSRExit):
3609         * dfg/DFGOperations.cpp:
3610         * interpreter/Interpreter.cpp:
3611         (JSC::eval):
3612         (JSC::loadVarargs):
3613         (JSC::Interpreter::unwind):
3614         (JSC::Interpreter::executeProgram):
3615         (JSC::Interpreter::executeCall):
3616         (JSC::Interpreter::executeConstruct):
3617         (JSC::Interpreter::prepareForRepeatCall):
3618         (JSC::Interpreter::execute):
3619         (JSC::Interpreter::executeModuleProgram):
3620         * jit/JITOperations.cpp:
3621         (JSC::getByVal):
3622         * jsc.cpp:
3623         (WTF::CustomGetter::customGetterAcessor):
3624         (GlobalObject::moduleLoaderImportModule):
3625         (GlobalObject::moduleLoaderResolve):
3626         * llint/LLIntSlowPaths.cpp:
3627         (JSC::LLInt::getByVal):
3628         (JSC::LLInt::setUpCall):
3629         * parser/Parser.h:
3630         (JSC::Parser::popScopeInternal):
3631         * runtime/AbstractModuleRecord.cpp:
3632         (JSC::AbstractModuleRecord::hostResolveImportedModule):
3633         (JSC::AbstractModuleRecord::resolveImport):
3634         (JSC::AbstractModuleRecord::resolveExportImpl):
3635         (JSC::getExportedNames):
3636         (JSC::AbstractModuleRecord::getModuleNamespace):
3637         * runtime/ArrayPrototype.cpp:
3638         (JSC::getProperty):
3639         (JSC::unshift):
3640         (JSC::arrayProtoFuncToString):
3641         (JSC::arrayProtoFuncToLocaleString):
3642         (JSC::arrayProtoFuncJoin):
3643         (JSC::arrayProtoFuncPop):
3644         (JSC::arrayProtoFuncPush):
3645         (JSC::arrayProtoFuncReverse):
3646         (JSC::arrayProtoFuncShift):
3647         (JSC::arrayProtoFuncSlice):
3648         (JSC::arrayProtoFuncSplice):
3649         (JSC::arrayProtoFuncUnShift):
3650         (JSC::arrayProtoFuncIndexOf):
3651         (JSC::arrayProtoFuncLastIndexOf):
3652         (JSC::concatAppendOne):
3653         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3654         (JSC::arrayProtoPrivateFuncAppendMemcpy):
3655         * runtime/CatchScope.h:
3656         * runtime/CommonSlowPaths.cpp:
3657         (JSC::SLOW_PATH_DECL):
3658         * runtime/DatePrototype.cpp:
3659         (JSC::dateProtoFuncSetTime):
3660         (JSC::setNewValueFromTimeArgs):
3661         * runtime/DirectArguments.h:
3662         (JSC::DirectArguments::length const):
3663         * runtime/ErrorPrototype.cpp:
3664         (JSC::errorProtoFuncToString):
3665         * runtime/ExceptionFuzz.cpp:
3666         (JSC::doExceptionFuzzing):
3667         * runtime/ExceptionScope.h:
3668         (JSC::ExceptionScope::needExceptionCheck):
3669         (JSC::ExceptionScope::assertNoException):
3670         * runtime/GenericArgumentsInlines.h:
3671         (JSC::GenericArguments<Type>::defineOwnProperty):
3672         * runtime/HashMapImpl.h:
3673         (JSC::HashMapImpl::rehash):
3674         * runtime/IntlDateTimeFormat.cpp:
3675         (JSC::IntlDateTimeFormat::formatToParts):
3676         * runtime/JSArray.cpp:
3677         (JSC::JSArray::defineOwnProperty):
3678         (JSC::JSArray::put):
3679         * runtime/JSCJSValue.cpp:
3680         (JSC::JSValue::putToPrimitive):
3681         (JSC::JSValue::putToPrimitiveByIndex):
3682         * runtime/JSCJSValueInlines.h:
3683         (JSC::JSValue::toIndex const):
3684         (JSC::JSValue::get const):
3685         (JSC::JSValue::getPropertySlot const):
3686         (JSC::JSValue::equalSlowCaseInline):
3687         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3688         (JSC::constructGenericTypedArrayViewFromIterator):
3689         (JSC::constructGenericTypedArrayViewWithArguments):
3690         * runtime/JSGenericTypedArrayViewInlines.h:
3691         (JSC::JSGenericTypedArrayView<Adaptor>::set):
3692         * runtime/JSGlobalObject.cpp:
3693         (JSC::JSGlobalObject::put):
3694         * runtime/JSGlobalObjectFunctions.cpp:
3695         (JSC::decode):
3696         (JSC::globalFuncEval):
3697         (JSC::globalFuncProtoGetter):
3698         (JSC::globalFuncProtoSetter):
3699         (JSC::globalFuncImportModule):
3700         * runtime/JSInternalPromise.cpp:
3701         (JSC::JSInternalPromise::then):
3702         * runtime/JSInternalPromiseDeferred.cpp:
3703         (JSC::JSInternalPromiseDeferred::create):
3704         * runtime/JSJob.cpp:
3705         (JSC::JSJobMicrotask::run):
3706         * runtime/JSModuleEnvironment.cpp:
3707         (JSC::JSModuleEnvironment::getOwnPropertySlot):
3708         (JSC::JSModuleEnvironment::put):
3709         (JSC::JSModuleEnvironment::deleteProperty):
3710         * runtime/JSModuleLoader.cpp:
3711         (JSC::JSModuleLoader::provide):
3712         (JSC::JSModuleLoader::loadAndEvaluateModule):
3713         (JSC::JSModuleLoader::loadModule):
3714         (JSC::JSModuleLoader::linkAndEvaluateModule):
3715         (JSC::JSModuleLoader::requestImportModule):
3716         * runtime/JSModuleRecord.cpp:
3717         (JSC::JSModuleRecord::link):
3718         (JSC::JSModuleRecord::instantiateDeclarations):
3719         * runtime/JSONObject.cpp:
3720         (JSC::Stringifier::stringify):
3721         (JSC::Stringifier::toJSON):
3722         (JSC::JSONProtoFuncParse):
3723         * runtime/JSObject.cpp:
3724         (JSC::JSObject::calculatedClassName):
3725         (JSC::ordinarySetSlow):
3726         (JSC::JSObject::putInlineSlow):
3727         (JSC::JSObject::ordinaryToPrimitive const):
3728         (JSC::JSObject::toPrimitive const):
3729         (JSC::JSObject::hasInstance):
3730         (JSC::JSObject::getPropertyNames):
3731         (JSC::JSObject::toNumber const):
3732         (JSC::JSObject::defineOwnIndexedProperty):
3733         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3734         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3735         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3736         (JSC::validateAndApplyPropertyDescriptor):
3737         (JSC::JSObject::defineOwnNonIndexProperty):
3738         (JSC::JSObject::getGenericPropertyNames):
3739         * runtime/JSObject.h:
3740         (JSC::JSObject::get const):
3741         * runtime/JSObjectInlines.h:
3742         (JSC::JSObject::getPropertySlot const):
3743         (JSC::JSObject::getPropertySlot):
3744         (JSC::JSObject::getNonIndexPropertySlot):
3745         (JSC::JSObject::putInlineForJSObject):
3746         * runtime/JSPromiseConstructor.cpp:
3747         (JSC::constructPromise):
3748         * runtime/JSPromiseDeferred.cpp:
3749         (JSC::JSPromiseDeferred::create):
3750         * runtime/JSScope.cpp:
3751         (JSC::abstractAccess):
3752         (JSC::JSScope::resolve):
3753         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
3754         (JSC::JSScope::abstractResolve):
3755         * runtime/LiteralParser.cpp:
3756         (JSC::LiteralParser<CharType>::tryJSONPParse):
3757         (JSC::LiteralParser<CharType>::parse):
3758         * runtime/Lookup.h:
3759         (JSC::putEntry):
3760         * runtime/MapConstructor.cpp:
3761         (JSC::constructMap):
3762         * runtime/NumberPrototype.cpp:
3763         (JSC::numberProtoFuncToString):
3764         * runtime/ObjectConstructor.cpp:
3765         (JSC::objectConstructorSetPrototypeOf):
3766         (JSC::objectConstructorGetOwnPropertyDescriptor):
3767         (JSC::objectConstructorGetOwnPropertyDescriptors):
3768         (JSC::objectConstructorAssign):
3769         (JSC::objectConstructorValues):
3770         (JSC::toPropertyDescriptor):
3771         (JSC::objectConstructorDefineProperty):
3772         (JSC::defineProperties):
3773         (JSC::objectConstructorDefineProperties):
3774         (JSC::ownPropertyKeys):
3775         * runtime/ObjectPrototype.cpp:
3776         (JSC::objectProtoFuncHasOwnProperty):
3777         (JSC::objectProtoFuncIsPrototypeOf):
3778         (JSC::objectProtoFuncLookupGetter):
3779         (JSC::objectProtoFuncLookupSetter):
3780         (JSC::objectProtoFuncToLocaleString):
3781         (JSC::objectProtoFuncToString):
3782         * runtime/Options.h:
3783         * runtime/ParseInt.h:
3784         (JSC::toStringView):
3785         * runtime/ProxyObject.cpp:
3786         (JSC::performProxyGet):
3787         (JSC::ProxyObject::performPut):
3788         * runtime/ReflectObject.cpp:
3789         (JSC::reflectObjectDefineProperty):
3790         * runtime/RegExpConstructor.cpp:
3791         (JSC::toFlags):
3792         (JSC::regExpCreate):
3793         (JSC::constructRegExp):
3794         * runtime/RegExpObject.cpp:
3795         (JSC::collectMatches):
3796         * runtime/RegExpObjectInlines.h:
3797         (JSC::RegExpObject::execInline):
3798         (JSC::RegExpObject::matchInline):
3799         * runtime/RegExpPrototype.cpp:
3800         (JSC::regExpProtoFuncTestFast):
3801         (JSC::regExpProtoFuncExec):
3802         (JSC::regExpProtoFuncMatchFast):
3803         (JSC::regExpProtoFuncToString):
3804         (JSC::regExpProtoFuncSplitFast):
3805         * runtime/ScriptExecutable.cpp:
3806         (JSC::ScriptExecutable::newCodeBlockFor):
3807         (JSC::ScriptExecutable::prepareForExecutionImpl):
3808         * runtime/SetConstructor.cpp:
3809         (JSC::constructSet):
3810         * runtime/ThrowScope.cpp:
3811         (JSC::ThrowScope::simulateThrow):
3812         * runtime/VM.cpp:
3813         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
3814         * runtime/VM.h:
3815         * runtime/WeakMapPrototype.cpp:
3816         (JSC::protoFuncWeakMapSet):
3817         * runtime/WeakSetPrototype.cpp:
3818         (JSC::protoFuncWeakSetAdd):
3819         * wasm/js/WebAssemblyModuleConstructor.cpp:
3820         (JSC::WebAssemblyModuleConstructor::createModule):
3821         * wasm/js/WebAssemblyModuleRecord.cpp:
3822         (JSC::WebAssemblyModuleRecord::link):
3823         * wasm/js/WebAssemblyPrototype.cpp:
3824         (JSC::reject):
3825         (JSC::webAssemblyCompileFunc):
3826         (JSC::resolve):
3827         (JSC::webAssemblyInstantiateFunc):
3828
3829 2017-09-08  Filip Pizlo  <fpizlo@apple.com>
3830
3831         Error should compute .stack and friends lazily
3832         https://bugs.webkit.org/show_bug.cgi?id=176645
3833
3834         Reviewed by Saam Barati.
3835         
3836         Building the string portion of the stack trace after we walk the stack accounts for most of
3837         the cost of computing the .stack property. So, this patch makes ErrorInstance hold onto the