Remove missing files from JavaScriptCore Xcode project
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-06-04  Keith Miller  <keith_miller@apple.com>

        Remove missing files from JavaScriptCore Xcode project
        https://bugs.webkit.org/show_bug.cgi?id=186297

        Reviewed by Saam Barati.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-06-04  Keith Miller  <keith_miller@apple.com>

        Add test for CoW conversions in the DFG/FTL
        https://bugs.webkit.org/show_bug.cgi?id=186295

        Reviewed by Saam Barati.

        Add a function to $vm that returns a JSString containing the
        dataLog dump of the indexingMode of an Object.

        * tools/JSDollarVM.cpp:
        (JSC::functionIndexingMode):
        (JSC::JSDollarVM::finishCreation):

2018-06-04  Saam Barati  <sbarati@apple.com>

        Set the activeLength of all ScratchBuffers to zero when exiting the VM
        https://bugs.webkit.org/show_bug.cgi?id=186284
        <rdar://problem/40780738>

        Reviewed by Keith Miller.

        Simon recently found instances where we leak global objects from the
        ScratchBuffer. Yusuke found that we forgot to set the active length
        back to zero when doing catch OSR entry in the DFG/FTL. His solution
        to this was adding a node that cleared the active length. This is
        a good node to have, but it's not a complete solution: the DFG/FTL
        could OSR exit before that node executes, which would cause us to leak
        the data in it.

        This patch makes it so that we set each scratch buffer's active length
        to zero on VM exit. This helps prevent leaks for JS code that eventually
        exits the VM (which is essentially all code on the web and all API users).

        * runtime/VM.cpp:
        (JSC::VM::clearScratchBuffers):
        * runtime/VM.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::~VMEntryScope):

2018-06-04  Keith Miller  <keith_miller@apple.com>

        JSLock should clear last exception when releasing the lock
        https://bugs.webkit.org/show_bug.cgi?id=186277

        Reviewed by Mark Lam.

        If we don't clear the last exception we essentially leak the
        object and everything referenced by it until another exception is
        thrown.

        * runtime/JSLock.cpp:
        (JSC::JSLock::willReleaseLock):

2018-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Get rid of UnconditionalFinalizers and WeakReferenceHarvesters
        https://bugs.webkit.org/show_bug.cgi?id=180248

        Reviewed by Sam Weinig.

        As a final step, this patch removes ListableHandler from JSC.
        Nobody uses UnconditionalFinalizers and WeakReferenceHarvesters now.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.h:
        * heap/ListableHandler.h: Removed.

2018-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
        https://bugs.webkit.org/show_bug.cgi?id=186223

        Reviewed by Keith Miller.

        After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
        This makes the buffer a conservative GC root, and allows it to hold GC objects unnecessarily long.

        This patch introduces the DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
        We model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize too to make
        this ClearCatchLocals valid.

        The existing tests for ExtractCatchLocal just pass.

        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):

2018-06-02  Darin Adler  <darin@apple.com>

        [Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
        https://bugs.webkit.org/show_bug.cgi?id=186227

        Reviewed by Dan Bernstein.

        * API/JSContext.mm:
        (-[JSContext name]): Use CFBridgingRelease instead of autorelease.
        * API/JSValue.mm:
        (valueToObjectWithoutCopy): Use CFBridgingRelease instead of autorelease.
        (containerValueToObject): Use adoptCF instead of autorelease. This is not only more
        ARC-compatible, but more efficient.
        (valueToString): Use CFBridgingRelease instead of autorelease.

2018-06-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for addition operations
        https://bugs.webkit.org/show_bug.cgi?id=179002

        Reviewed by Yusuke Suzuki.

        This patch implements support for BigInt operands in the binary "+"
        and binary "-" operators. Right now, we have limited support in the DFG
        and FTL JIT layers, but we plan to fix this support in future
        patches.

        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::stringToBigInt):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::remainder):
        (JSC::JSBigInt::add):
        (JSC::JSBigInt::sub):
        (JSC::JSBigInt::absoluteAdd):
        (JSC::JSBigInt::absoluteSub):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::toNumber const):
        (JSC::JSBigInt::getPrimitiveNumber const):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsSub):

2018-06-02  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r232439.
        https://bugs.webkit.org/show_bug.cgi?id=186238

        It breaks gtk-linux-32-release (Requested by caiolima on
        #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for addition operations"
        https://bugs.webkit.org/show_bug.cgi?id=179002
        https://trac.webkit.org/changeset/232439

2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        Baseline op_jtrue emits an insane amount of code
        https://bugs.webkit.org/show_bug.cgi?id=185708

        Reviewed by Filip Pizlo.

        op_jtrue / op_jfalse bloat a massive amount of code. This patch attempts to reduce the size of this code by:

        1. op_jtrue / op_jfalse immediately jump if the condition is met. We add AssemblyHelpers::branchIf{Truthy,Falsey}
           to jump directly. This tightens the code.

        2. Align our emitConvertValueToBoolean implementation to FTL's boolify function. It emits less code.

        This reduces the code size of op_jtrue in x64 from 220 bytes to 164 bytes.

        [  12] jtrue             arg1, 6(->18)
              0x7f233170162c: mov 0x30(%rbp), %rax
              0x7f2331701630: mov %rax, %rsi
              0x7f2331701633: xor $0x6, %rsi
              0x7f2331701637: test $0xfffffffffffffffe, %rsi
              0x7f233170163e: jnz 0x7f2331701654
              0x7f2331701644: cmp $0x7, %eax
              0x7f2331701647: setz %sil
              0x7f233170164b: movzx %sil, %esi
              0x7f233170164f: jmp 0x7f2331701705
              0x7f2331701654: test %rax, %r14
              0x7f2331701657: jz 0x7f233170169c
              0x7f233170165d: cmp %r14, %rax
              0x7f2331701660: jb 0x7f2331701675
              0x7f2331701666: test %eax, %eax
              0x7f2331701668: setnz %sil
              0x7f233170166c: movzx %sil, %esi
              0x7f2331701670: jmp 0x7f2331701705
              0x7f2331701675: lea (%r14,%rax), %rsi
              0x7f2331701679: movq %rsi, %xmm0
              0x7f233170167e: xorps %xmm1, %xmm1
              0x7f2331701681: ucomisd %xmm1, %xmm0
              0x7f2331701685: jz 0x7f2331701695
              0x7f233170168b: mov $0x1, %esi
              0x7f2331701690: jmp 0x7f2331701705
              0x7f2331701695: xor %esi, %esi
              0x7f2331701697: jmp 0x7f2331701705
              0x7f233170169c: test %rax, %r15
              0x7f233170169f: jnz 0x7f2331701703
              0x7f23317016a5: cmp $0x1, 0x5(%rax)
              0x7f23317016a9: jnz 0x7f23317016c1
              0x7f23317016af: mov 0x8(%rax), %esi
              0x7f23317016b2: test %esi, %esi
              0x7f23317016b4: setnz %sil
              0x7f23317016b8: movzx %sil, %esi
              0x7f23317016bc: jmp 0x7f2331701705
              0x7f23317016c1: test $0x1, 0x6(%rax)
              0x7f23317016c5: jz 0x7f23317016f9
              0x7f23317016cb: mov (%rax), %esi
              0x7f23317016cd: mov $0x7f23315000c8, %rdx
              0x7f23317016d7: mov (%rdx), %rdx
              0x7f23317016da: mov (%rdx,%rsi,8), %rsi
              0x7f23317016de: mov $0x7f2330de0000, %rdx
              0x7f23317016e8: cmp %rdx, 0x18(%rsi)
              0x7f23317016ec: jnz 0x7f23317016f9
              0x7f23317016f2: xor %esi, %esi
              0x7f23317016f4: jmp 0x7f2331701705
              0x7f23317016f9: mov $0x1, %esi
              0x7f23317016fe: jmp 0x7f2331701705
              0x7f2331701703: xor %esi, %esi
              0x7f2331701705: test %esi, %esi
              0x7f2331701707: jnz 0x7f233170171b

        [  12] jtrue             arg1, 6(->18)
              0x7f6c8710156c: mov 0x30(%rbp), %rax
              0x7f6c87101570: test %rax, %r15
              0x7f6c87101573: jnz 0x7f6c871015c8
              0x7f6c87101579: cmp $0x1, 0x5(%rax)
              0x7f6c8710157d: jnz 0x7f6c87101592
              0x7f6c87101583: cmp $0x0, 0x8(%rax)
              0x7f6c87101587: jnz 0x7f6c87101623
              0x7f6c8710158d: jmp 0x7f6c87101615
              0x7f6c87101592: test $0x1, 0x6(%rax)
              0x7f6c87101596: jz 0x7f6c87101623
              0x7f6c8710159c: mov (%rax), %esi
              0x7f6c8710159e: mov $0x7f6c86f000e0, %rdx
              0x7f6c871015a8: mov (%rdx), %rdx
              0x7f6c871015ab: mov (%rdx,%rsi,8), %rsi
              0x7f6c871015af: mov $0x7f6c867e0000, %rdx
              0x7f6c871015b9: cmp %rdx, 0x18(%rsi)
              0x7f6c871015bd: jnz 0x7f6c87101623
              0x7f6c871015c3: jmp 0x7f6c87101615
              0x7f6c871015c8: cmp %r14, %rax
              0x7f6c871015cb: jb 0x7f6c871015de
              0x7f6c871015d1: test %eax, %eax
              0x7f6c871015d3: jnz 0x7f6c87101623
              0x7f6c871015d9: jmp 0x7f6c87101615
              0x7f6c871015de: test %rax, %r14
              0x7f6c871015e1: jz 0x7f6c87101602
              0x7f6c871015e7: lea (%r14,%rax), %rsi
              0x7f6c871015eb: movq %rsi, %xmm0
              0x7f6c871015f0: xorps %xmm1, %xmm1
              0x7f6c871015f3: ucomisd %xmm1, %xmm0
              0x7f6c871015f7: jz 0x7f6c87101615
              0x7f6c871015fd: jmp 0x7f6c87101623
              0x7f6c87101602: mov $0x7, %r11
              0x7f6c8710160c: cmp %r11, %rax
              0x7f6c8710160f: jz 0x7f6c87101623

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        (JSC::AssemblyHelpers::branchIfValue):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfTruthy):
        (JSC::AssemblyHelpers::branchIfFalsey):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::addJump):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jtrue):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jtrue):

2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove WeakReferenceHarvester
        https://bugs.webkit.org/show_bug.cgi?id=186102

        Reviewed by Filip Pizlo.

        After several cleanups, JSWeakMap is now the last user of WeakReferenceHarvester.
        Since JSWeakMap is already managed in IsoSubspace, we can iterate marked JSWeakMap
        by using output constraints & Subspace iteration.

        This patch removes WeakReferenceHarvester. Instead of managing this linked-list, our
        output constraint set iterates marked JSWeakMap by using Subspace.

        And we also add locking for JSWeakMap's rehash and output constraint visiting.

        The attached microbenchmark does not show any regression.

        * API/JSAPIWrapperObject.h:
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::endMarking):
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::addWeakReferenceHarvester): Deleted.
        * heap/SlotVisitor.h:
        * heap/WeakReferenceHarvester.h: Removed.
        * runtime/WeakMapImpl.cpp:
        (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitOutputConstraints):
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences): Deleted.
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences): Deleted.
        * runtime/WeakMapImpl.h:
        (JSC::WeakMapImpl::WeakMapImpl):
        (JSC::WeakMapImpl::finishCreation):
        (JSC::WeakMapImpl::rehash):
        (JSC::WeakMapImpl::makeAndSetNewBuffer):
        (JSC::WeakMapImpl::DeadKeyCleaner::target): Deleted.

2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Object.create should have intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=186200

        Reviewed by Filip Pizlo.

        Object.create is used in various JS code. `Object.create(null)` is particularly used
        to create an empty plain object with a null [[Prototype]]. We can find `Object.create(null)`
        calls in the ARES-6/Babylon code.

        This patch adds ObjectCreateIntrinsic to JSC. DFG recognizes it and produces an ObjectCreate
        DFG node. DFG AI and constant folding attempt to convert it to NewObject when the prototype
        object is null. It offers a significant performance boost for `Object.create(null)`.

                                                         baseline                  patched

        object-create-null                           53.7940+-1.5297     ^     19.8846+-0.6584        ^ definitely 2.7053x faster
        object-create-unknown-object-prototype       38.9977+-1.1364     ^     37.2207+-0.6143        ^ definitely 1.0477x faster
        object-create-untyped-prototype              22.5632+-0.6917           22.2539+-0.6876          might be 1.0139x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToNewObject):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectCreate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::nullPrototypeObjectStructure const):
        * runtime/ObjectConstructor.cpp:
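
        The entry above explains why `Object.create(null)` is worth a fast path; the script below is an
        added example (not JavaScriptCore code, and not part of this ChangeLog) showing why the pattern is
        used so widely for dictionaries keyed by untrusted strings: a null-[[Prototype]] object has no
        inherited `__proto__` accessor or `toString`, so `in` lookups and assignments mean what they say.
        The sample keys and the `buildDictionary`/`probe`/`compareShapes` helpers are constructed here.

```javascript
// Added example (not JavaScriptCore code): why `Object.create(null)` is the
// right shape for a dictionary keyed by untrusted strings. A plain `{}` inherits
// from Object.prototype, so `in` lookups see inherited names such as "toString",
// and the key "__proto__" hits the inherited accessor instead of storing a value.
'use strict';

// Constructed sample keys: two ordinary ones and two that collide with
// Object.prototype members.
const SAMPLE_KEYS = ['alpha', 'beta', 'toString', '__proto__'];

function buildDictionary(keys, useNullPrototype) {
  const dict = useNullPrototype ? Object.create(null) : {};
  for (const key of keys) {
    dict[key] = `value-for-${key}`;
  }
  return dict;
}

// Reports, for one key, what `in` says versus an own-property check, and what
// value (if any) actually got stored on the object itself.
function probe(dict, key) {
  const own = Object.prototype.hasOwnProperty.call(dict, key);
  return {
    inOperator: key in dict,
    own,
    stored: own ? dict[key] : undefined,
  };
}

function compareShapes() {
  const plain = buildDictionary(SAMPLE_KEYS, false);
  const nullProto = buildDictionary(SAMPLE_KEYS, true);
  return {
    plainPrototypeIsNull: Object.getPrototypeOf(plain) === null,
    nullProtoPrototypeIsNull: Object.getPrototypeOf(nullProto) === null,
    // A name that was never assigned still answers `in` on a plain object.
    plainSeesInheritedHasOwnProperty: 'hasOwnProperty' in plain,
    nullProtoSeesInheritedHasOwnProperty: 'hasOwnProperty' in nullProto,
    // On a plain object "__proto__" invokes the inherited setter; a string
    // value is ignored and no own property is created. On the null-prototype
    // object it is an ordinary key.
    plainProto: probe(plain, '__proto__'),
    nullProtoProto: probe(nullProto, '__proto__'),
    // "toString" becomes an own data property in both cases, but only the
    // null-prototype object was free of it before the assignment.
    plainToString: probe(plain, 'toString'),
    nullProtoToString: probe(nullProto, 'toString'),
  };
}
```

        `compareShapes()` returns the side-by-side result; the `__proto__` row is the one that matters for
        input handling, because on the plain object the assignment silently did nothing.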

2018-06-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for addition operations
        https://bugs.webkit.org/show_bug.cgi?id=179002

        Reviewed by Yusuke Suzuki.

        This patch implements support for BigInt operands in the binary "+"
        and binary "-" operators. Right now, we have limited support in the DFG
        and FTL JIT layers, but we plan to fix this support in future
        patches.

        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::stringToBigInt):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::remainder):
        (JSC::JSBigInt::add):
        (JSC::JSBigInt::sub):
        (JSC::JSBigInt::absoluteAdd):
        (JSC::JSBigInt::absoluteSub):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::toNumber const):
        (JSC::JSBigInt::getPrimitiveNumber const):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsSub):

2018-06-01  Wenson Hsieh  <wenson_hsieh@apple.com>

        Fix the watchOS build after r232385
        https://bugs.webkit.org/show_bug.cgi?id=186203

        Reviewed by Keith Miller.

        Add a missing header include for JSImmutableButterfly.

        * runtime/ArrayPrototype.cpp:

2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add Symbol.prototype.description getter
        https://bugs.webkit.org/show_bug.cgi?id=186053

        Reviewed by Keith Miller.

        The Symbol.prototype.description accessor is now stage 3[1].
        This adds a getter to retrieve the [[Description]] value from a Symbol.
        Previously, Symbol#toString() returned a `Symbol(${description})` value,
        so users needed to extract the `description` part if they wanted it.

        [1]: https://tc39.github.io/proposal-Symbol-description/

        * runtime/Symbol.cpp:
        (JSC::Symbol::description const):
        * runtime/Symbol.h:
        * runtime/SymbolPrototype.cpp:
        (JSC::tryExtractSymbol):
        (JSC::symbolProtoGetterDescription):
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):
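
        As an added example (not JavaScriptCore code, not part of this ChangeLog), the script below puts
        the new getter next to the old "slice it out of toString()" workaround the entry describes. The
        workaround cannot tell `Symbol()` (no description) from `Symbol('')` (empty description), while the
        getter can; the sample symbols and the `descriptionFromToString`, `compareAccessors` and
        `getterRejectsNonSymbols` helpers are constructed here.

```javascript
// Added example (not JavaScriptCore code): what Symbol.prototype.description
// gives you that parsing `Symbol(${description})` out of toString() cannot.
'use strict';

// The pre-proposal workaround: strip "Symbol(" and ")" from toString().
function descriptionFromToString(sym) {
  const text = sym.toString();                 // e.g. "Symbol(foo)"
  return text.slice('Symbol('.length, -1);
}

// Constructed sample symbols covering the cases that differ.
const SAMPLES = {
  named: Symbol('foo'),
  anonymous: Symbol(),        // [[Description]] is undefined
  emptyName: Symbol(''),      // [[Description]] is the empty string
  registered: Symbol.for('reg'),
  wellKnown: Symbol.iterator,
};

function compareAccessors() {
  const out = {};
  for (const [name, sym] of Object.entries(SAMPLES)) {
    out[name] = {
      viaGetter: sym.description,
      viaToString: descriptionFromToString(sym),
    };
  }
  return out;
}

// The getter unwraps a Symbol wrapper object (thisSymbolValue) ...
function wrapperObjectDescription() {
  return Object(Symbol('wrapped')).description;
}

// ... but throws a TypeError for a receiver that is not a symbol at all.
function getterRejectsNonSymbols() {
  const getter = Object.getOwnPropertyDescriptor(Symbol.prototype, 'description').get;
  try {
    getter.call('not a symbol');
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

        In `compareAccessors()` the `anonymous` and `emptyName` rows both come back as `''` from the
        toString route, while the getter reports `undefined` and `''` respectively.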

2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Correct values and members of JSBigInt appropriately
        https://bugs.webkit.org/show_bug.cgi?id=186196

        Reviewed by Darin Adler.

        This patch cleans up a bit to select more appropriate values and members of JSBigInt.

        1. JSBigInt's structure should be StructureIsImmortal.
        2. JSBigInt::allocationSize should be annotated with `inline`.
        3. Remove JSBigInt::visitChildren since it is completely the same as JSCell::visitChildren.
        4. Remove JSBigInt::finishCreation since it is completely the same as JSCell::finishCreation.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::compareToDouble):
        (JSC::JSBigInt::visitChildren): Deleted.
        (JSC::JSBigInt::finishCreation): Deleted.
        * runtime/JSBigInt.h:

2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] InById should be converted to MatchStructure
        https://bugs.webkit.org/show_bug.cgi?id=185803

        Reviewed by Keith Miller.

        MatchStructure is introduced for instanceof optimization. But this node
        is also useful for InById node. This patch converts InById to MatchStructure
        node with CheckStructures if possible by using InByIdStatus.

        Added microbenchmarks show improvements.

                                   baseline                  patched

        in-by-id-removed       18.1196+-0.8108     ^     16.1702+-0.9773        ^ definitely 1.1206x faster
        in-by-id-match         16.3912+-0.2608     ^     15.2736+-0.8173        ^ definitely 1.0732x faster

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/InByIdStatus.cpp: Added.
        (JSC::InByIdStatus::appendVariant):
        (JSC::InByIdStatus::computeFor):
        (JSC::InByIdStatus::hasExitSite):
        (JSC::InByIdStatus::computeForStubInfo):
        (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        (JSC::InByIdStatus::filter):
        (JSC::InByIdStatus::dump const):
        * bytecode/InByIdStatus.h: Added.
        (JSC::InByIdStatus::InByIdStatus):
        (JSC::InByIdStatus::state const):
        (JSC::InByIdStatus::isSet const):
        (JSC::InByIdStatus::operator bool const):
        (JSC::InByIdStatus::isSimple const):
        (JSC::InByIdStatus::numVariants const):
        (JSC::InByIdStatus::variants const):
        (JSC::InByIdStatus::at const):
        (JSC::InByIdStatus::operator[] const):
        (JSC::InByIdStatus::takesSlowPath const):
        * bytecode/InByIdVariant.cpp: Added.
        (JSC::InByIdVariant::InByIdVariant):
        (JSC::InByIdVariant::attemptToMerge):
        (JSC::InByIdVariant::dump const):
        (JSC::InByIdVariant::dumpInContext const):
        * bytecode/InByIdVariant.h: Added.
        (JSC::InByIdVariant::isSet const):
        (JSC::InByIdVariant::operator bool const):
        (JSC::InByIdVariant::structureSet const):
        (JSC::InByIdVariant::structureSet):
        (JSC::InByIdVariant::conditionSet const):
        (JSC::InByIdVariant::offset const):
        (JSC::InByIdVariant::isHit const):
        * bytecode/PolyProtoAccessChain.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2018-06-01  Keith Miller  <keith_miller@apple.com>

        move should only emit the move if it's actually needed
        https://bugs.webkit.org/show_bug.cgi?id=186123

        Reviewed by Saam Barati.

        This patch replaces move with moveToDestinationIfNeeded. This
        will prevent us from emitting moves to the same location. The old
        move has been renamed to emitMove and made private.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitGetGlobalPrivate):
        (JSC::BytecodeGenerator::emitGetAsyncIterator):
        (JSC::BytecodeGenerator::move): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::move):
        (JSC::BytecodeGenerator::moveToDestinationIfNeeded): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::SuperNode::emitBytecode):
        (JSC::NewTargetNode::emitBytecode):
        (JSC::ResolveNode::emitBytecode):
        (JSC::TaggedTemplateNode::emitBytecode):
        (JSC::ArrayNode::emitBytecode):
        (JSC::ObjectLiteralNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::emitPostIncOrDec):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::PrefixNode::emitResolve):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::LogicalOpNode::emitBytecode):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        (JSC::DestructuringAssignmentNode::emitBytecode):
        (JSC::ArrayPatternNode::emitDirectBinding):
        (JSC::ObjectPatternNode::bindValue const):
        (JSC::AssignmentElementNode::bindValue const):
        (JSC::ObjectSpreadExpressionNode::emitBytecode):

2018-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [Baseline] Store constant directly in emit_op_mov
        https://bugs.webkit.org/show_bug.cgi?id=186182

        Reviewed by Saam Barati.

        In the old code, we first move a constant to a register and store it to the specified address.
        But in 64bit JSC, we can directly store a constant to the specified address. This reduces the
        generated code size. Since the old code was emitting a constant in a code anyway, this change
        never increases the size of the generated code.

        * jit/JITInlines.h:
        (JSC::JIT::emitGetVirtualRegister):
        We remove this obsolete comment. Our OSR relies on the fact that values are stored and loaded
        from the stack. If we transfer values in registers without loading values from the stack, it
        breaks this assumption.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):

2018-05-31  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "=<" and ">=" relational operation
        https://bugs.webkit.org/show_bug.cgi?id=185929

        Reviewed by Yusuke Suzuki.

        This patch introduces support for BigInt operands in the ">=" and
        "<=" operators.
        Here we introduce `bigIntCompareResult`, a helper function
        to reuse code between the "less than" and "less than or equal" operators.

        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::bigIntCompareResult):
        (JSC::bigIntCompare):
        (JSC::jsLess):
        (JSC::jsLessEq):
        (JSC::bigIntCompareLess): Deleted.

2018-05-31  Saam Barati  <sbarati@apple.com>

        Cache toString results for CoW arrays
        https://bugs.webkit.org/show_bug.cgi?id=186160

        Reviewed by Keith Miller.

        This patch makes it so that we cache the result of toString on
        arrays with a CoW butterfly. This cache lives on Heap and is
        cleared after every GC. We only cache the toString result when
        the CoW butterfly doesn't have a hole (currently, all CoW arrays
        have a hole, but this isn't an invariant we want to rely on). The
        reason for this is that if there is a hole, the value may be loaded
        from the prototype, and the cache may produce a stale result.

        This is a ~4% speedup on the ML subtest in ARES. And is a ~1% overall
        progression on ARES.

        * heap/Heap.cpp:
        (JSC::Heap::finalize):
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::canUseFastJoin):
        (JSC::holesMustForwardToPrototype):
        (JSC::isHole):
        (JSC::containsHole):
        (JSC::fastJoin):
        (JSC::arrayProtoFuncToString):
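
        The stale-cache hazard the entry above guards against can be shown from script. The following is
        an added example (not JavaScriptCore code, not part of this ChangeLog): `join()` reads each index
        with an ordinary [[Get]], so a hole is resolved through Array.prototype, and the string produced
        for the very same array changes when the prototype gains an indexed property. The arrays and the
        `containsHole`/`showStaleCacheHazard` helpers are constructed here; `containsHole` is a script-level
        stand-in for the own-property check, not the engine's implementation.

```javascript
// Added example (not JavaScriptCore code): why a cached toString result is
// only safe for arrays without holes.
'use strict';

// Script-level hole check: an index below length with no own property.
function containsHole(array) {
  for (let i = 0; i < array.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(array, i)) return true;
  }
  return false;
}

// Constructed literals: one dense, one with a hole at index 1.
const DENSE = [1, 2, 3];
const HOLEY = [1, , 3];

function showStaleCacheHazard() {
  const before = HOLEY.toString();              // "1,,3": the hole reads as undefined
  // Give Array.prototype a value at the hole's index (removed again below).
  Object.defineProperty(Array.prototype, '1', {
    value: 'fromPrototype', configurable: true, writable: true, enumerable: false,
  });
  let during;
  let denseDuring;
  try {
    during = HOLEY.toString();                  // "1,fromPrototype,3": same array, new string
    denseDuring = DENSE.toString();             // "1,2,3": every index is an own property
  } finally {
    delete Array.prototype[1];
  }
  return {
    denseHasHole: containsHole(DENSE),
    holeyHasHole: containsHole(HOLEY),
    before,
    during,
    afterRestore: HOLEY.toString(),             // back to "1,,3"
    denseDuring,
  };
}
```

        A cache keyed only on the array would hand back `before` while the prototype change is in effect,
        which is exactly the stale result the patch avoids by refusing to cache when `containsHole` is true.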
706
707 2018-05-31  Saam Barati  <sbarati@apple.com>
708
709         PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
710         https://bugs.webkit.org/show_bug.cgi?id=186169
711
712         Reviewed by Mark Lam.
713
714         If we don't do this, the CFA validation rule about StructureID being
715         clobbered but AI not clobbering or folding a clobber will cause us
716         to crash. Simon was running into this yesterday on arstechnica.com.
717         I couldn't come up with a test case for this, but it's obvious
718         what the issue is by looking at the IR dump at the time of the crash.
719
720         * dfg/DFGAbstractInterpreterInlines.h:
721         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
722
723 2018-05-31  Saam Barati  <sbarati@apple.com>
724
725         JSImmutableButterfly should align its variable storage
726         https://bugs.webkit.org/show_bug.cgi?id=186159
727
728         Reviewed by Mark Lam.
729
730         I'm also making the use of reinterpret_cast and bitwise_cast consistent
731         inside of JSImmutableButterfly. I switched everything to use bitwise_cast.
732
733         * runtime/JSImmutableButterfly.h:
734         (JSC::JSImmutableButterfly::toButterfly const):
735         (JSC::JSImmutableButterfly::fromButterfly):
736         (JSC::JSImmutableButterfly::offsetOfData):
737         (JSC::JSImmutableButterfly::allocationSize):
738
739 2018-05-31  Keith Miller  <keith_miller@apple.com>
740
741         DFGArrayModes needs to know more about CoW arrays
742         https://bugs.webkit.org/show_bug.cgi?id=186162
743
744         Reviewed by Filip Pizlo.
745
746         This patch fixes two issues in DFGArrayMode.
747
748         1) fromObserved was missing switch cases for when the only observed ArrayModes are CopyOnWrite.
749         2) DFGArrayModes needs to track if the ArrayClass is an OriginalCopyOnWriteArray in order
750         to vend an accurate original structure.
751
752         Additionally, this patch fixes some places in Bytecode parsing where we told the array mode
753         we were doing a read but were actually doing a write. Also, DFGArrayMode will now print the
754         action it is expecting when being dumped.
755
756         * bytecode/ArrayProfile.h:
757         (JSC::hasSeenWritableArray):
758         * dfg/DFGArrayMode.cpp:
759         (JSC::DFG::ArrayMode::fromObserved):
760         (JSC::DFG::ArrayMode::refine const):
761         (JSC::DFG::ArrayMode::originalArrayStructure const):
762         (JSC::DFG::arrayActionToString):
763         (JSC::DFG::arrayClassToString):
764         (JSC::DFG::ArrayMode::dump const):
765         (WTF::printInternal):
766         * dfg/DFGArrayMode.h:
767         (JSC::DFG::ArrayMode::withProfile const):
768         (JSC::DFG::ArrayMode::isJSArray const):
769         (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure const):
770         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
771         * dfg/DFGByteCodeParser.cpp:
772         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
773         (JSC::DFG::ByteCodeParser::parseBlock):
774         * dfg/DFGFixupPhase.cpp:
775         (JSC::DFG::FixupPhase::fixupNode):
776         * dfg/DFGSpeculativeJIT.cpp:
777         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
778         * ftl/FTLLowerDFGToB3.cpp:
779         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
780
781 2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>
782
783         [JSC] Pass VM& parameter as much as possible
784         https://bugs.webkit.org/show_bug.cgi?id=186085
785
786         Reviewed by Saam Barati.
787
788         JSCell::vm() is slow compared to ExecState::vm(). That's why we have a bunch of functions in JSCell/JSObject that take VM& as a parameter.
789         For example, we have JSCell::structure() and JSCell::structure(VM&), the former retrieves VM& from the cell and invokes structure(VM&).
790         If we can get VM& from ExecState* or the other place, it reduces the inlined code size.
791         This patch attempts to pass VM& parameter to such functions as much as possible.
792
793         * API/APICast.h:
794         (toJS):
795         (toJSForGC):
796         * API/JSCallbackObjectFunctions.h:
797         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
798         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
799         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
800         * API/JSObjectRef.cpp:
801         (JSObjectIsConstructor):
802         * API/JSTypedArray.cpp:
803         (JSObjectGetTypedArrayBuffer):
804         * API/JSValueRef.cpp:
805         (JSValueIsInstanceOfConstructor):
806         * bindings/ScriptFunctionCall.cpp:
807         (Deprecated::ScriptFunctionCall::call):
808         * bindings/ScriptValue.cpp:
809         (Inspector::jsToInspectorValue):
810         * bytecode/AccessCase.cpp:
811         (JSC::AccessCase::generateImpl):
812         * bytecode/CodeBlock.cpp:
813         (JSC::CodeBlock::CodeBlock):
814         * bytecode/ObjectAllocationProfileInlines.h:
815         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
816         * bytecode/ObjectPropertyConditionSet.cpp:
817         (JSC::generateConditionsForInstanceOf):
818         * bytecode/PropertyCondition.cpp:
819         (JSC::PropertyCondition::isWatchableWhenValid const):
820         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
821         * bytecode/StructureStubClearingWatchpoint.cpp:
822         (JSC::StructureStubClearingWatchpoint::fireInternal):
823         * debugger/Debugger.cpp:
824         (JSC::Debugger::detach):
825         * debugger/DebuggerScope.cpp:
826         (JSC::DebuggerScope::create):
827         (JSC::DebuggerScope::put):
828         (JSC::DebuggerScope::deleteProperty):
829         (JSC::DebuggerScope::getOwnPropertyNames):
830         (JSC::DebuggerScope::defineOwnProperty):
831         * dfg/DFGAbstractInterpreterInlines.h:
832         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
833         * dfg/DFGAbstractValue.cpp:
834         (JSC::DFG::AbstractValue::mergeOSREntryValue):
835         * dfg/DFGArgumentsEliminationPhase.cpp:
836         * dfg/DFGArrayMode.cpp:
837         (JSC::DFG::ArrayMode::refine const):
838         * dfg/DFGByteCodeParser.cpp:
839         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
840         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
841         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
842         (JSC::DFG::ByteCodeParser::check):
843         * dfg/DFGConstantFoldingPhase.cpp:
844         (JSC::DFG::ConstantFoldingPhase::foldConstants):
845         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
846         * dfg/DFGFixupPhase.cpp:
847         (JSC::DFG::FixupPhase::fixupNode):
848         * dfg/DFGGraph.cpp:
849         (JSC::DFG::Graph::tryGetConstantProperty):
850         * dfg/DFGOperations.cpp:
851         * dfg/DFGSpeculativeJIT.cpp:
852         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
853         * dfg/DFGStrengthReductionPhase.cpp:
854         (JSC::DFG::StrengthReductionPhase::handleNode):
855         * ftl/FTLLowerDFGToB3.cpp:
856         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
857         * ftl/FTLOperations.cpp:
858         (JSC::FTL::operationPopulateObjectInOSR):
859         * inspector/InjectedScriptManager.cpp:
860         (Inspector::InjectedScriptManager::createInjectedScript):
861         * inspector/JSJavaScriptCallFrame.cpp:
862         (Inspector::JSJavaScriptCallFrame::caller const):
863         (Inspector::JSJavaScriptCallFrame::scopeChain const):
864         * interpreter/CallFrame.cpp:
865         (JSC::CallFrame::wasmAwareLexicalGlobalObject):
866         * interpreter/Interpreter.cpp:
867         (JSC::Interpreter::executeProgram):
868         (JSC::Interpreter::executeCall):
869         (JSC::Interpreter::executeConstruct):
870         (JSC::Interpreter::execute):
871         (JSC::Interpreter::executeModuleProgram):
872         * jit/JITOperations.cpp:
873         (JSC::getByVal):
874         * jit/Repatch.cpp:
875         (JSC::tryCacheInByID):
876         * jsc.cpp:
877         (functionDollarAgentReceiveBroadcast):
878         (functionHasCustomProperties):
879         * llint/LLIntSlowPaths.cpp:
880         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
881         (JSC::LLInt::setupGetByIdPrototypeCache):
882         (JSC::LLInt::getByVal):
883         (JSC::LLInt::handleHostCall):
884         (JSC::LLInt::llint_throw_stack_overflow_error):
885         * runtime/AbstractModuleRecord.cpp:
886         (JSC::AbstractModuleRecord::finishCreation):
887         * runtime/ArrayConstructor.cpp:
888         (JSC::constructArrayWithSizeQuirk):
889         * runtime/ArrayPrototype.cpp:
890         (JSC::speciesWatchpointIsValid):
891         (JSC::arrayProtoFuncToString):
892         (JSC::arrayProtoFuncToLocaleString):
893         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
894         * runtime/AsyncFunctionConstructor.cpp:
895         (JSC::callAsyncFunctionConstructor):
896         (JSC::constructAsyncFunctionConstructor):
897         * runtime/AsyncGeneratorFunctionConstructor.cpp:
898         (JSC::callAsyncGeneratorFunctionConstructor):
899         (JSC::constructAsyncGeneratorFunctionConstructor):
900         * runtime/BooleanConstructor.cpp:
901         (JSC::constructWithBooleanConstructor):
902         * runtime/ClonedArguments.cpp:
903         (JSC::ClonedArguments::createEmpty):
904         (JSC::ClonedArguments::createWithInlineFrame):
905         (JSC::ClonedArguments::createWithMachineFrame):
906         (JSC::ClonedArguments::createByCopyingFrom):
907         (JSC::ClonedArguments::getOwnPropertySlot):
908         (JSC::ClonedArguments::materializeSpecials):
909         * runtime/CommonSlowPaths.cpp:
910         (JSC::SLOW_PATH_DECL):
911         * runtime/CommonSlowPaths.h:
912         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
913         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
914         (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
915         * runtime/ConstructData.cpp:
916         (JSC::construct):
917         * runtime/DateConstructor.cpp:
918         (JSC::constructWithDateConstructor):
919         * runtime/DatePrototype.cpp:
920         (JSC::dateProtoFuncToJSON):
921         * runtime/DirectArguments.cpp:
922         (JSC::DirectArguments::overrideThings):
923         * runtime/Error.cpp:
924         (JSC::getStackTrace):
925         * runtime/ErrorConstructor.cpp:
926         (JSC::Interpreter::constructWithErrorConstructor):
927         (JSC::Interpreter::callErrorConstructor):
928         * runtime/FunctionConstructor.cpp:
929         (JSC::constructWithFunctionConstructor):
930         (JSC::callFunctionConstructor):
931         * runtime/GeneratorFunctionConstructor.cpp:
932         (JSC::callGeneratorFunctionConstructor):
933         (JSC::constructGeneratorFunctionConstructor):
934         * runtime/GenericArgumentsInlines.h:
935         (JSC::GenericArguments<Type>::getOwnPropertySlot):
936         * runtime/InferredStructureWatchpoint.cpp:
937         (JSC::InferredStructureWatchpoint::fireInternal):
938         * runtime/InferredType.cpp:
939         (JSC::InferredType::removeStructure):
940         * runtime/InferredType.h:
941         * runtime/InferredTypeInlines.h:
942         (JSC::InferredType::finalizeUnconditionally):
943         * runtime/IntlCollator.cpp:
944         (JSC::IntlCollator::initializeCollator):
945         * runtime/IntlCollatorConstructor.cpp:
946         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
947         * runtime/IntlCollatorPrototype.cpp:
948         (JSC::IntlCollatorPrototypeGetterCompare):
949         * runtime/IntlDateTimeFormat.cpp:
950         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
951         (JSC::IntlDateTimeFormat::formatToParts):
952         * runtime/IntlDateTimeFormatConstructor.cpp:
953         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
954         * runtime/IntlDateTimeFormatPrototype.cpp:
955         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
956         * runtime/IntlNumberFormat.cpp:
957         (JSC::IntlNumberFormat::initializeNumberFormat):
958         (JSC::IntlNumberFormat::formatToParts):
959         * runtime/IntlNumberFormatConstructor.cpp:
960         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
961         * runtime/IntlNumberFormatPrototype.cpp:
962         (JSC::IntlNumberFormatPrototypeGetterFormat):
963         * runtime/IntlObject.cpp:
964         (JSC::canonicalizeLocaleList):
965         (JSC::defaultLocale):
966         (JSC::lookupSupportedLocales):
967         (JSC::intlObjectFuncGetCanonicalLocales):
968         * runtime/IntlPluralRules.cpp:
969         (JSC::IntlPluralRules::initializePluralRules):
970         (JSC::IntlPluralRules::resolvedOptions):
971         * runtime/IntlPluralRulesConstructor.cpp:
972         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
973         * runtime/IteratorOperations.cpp:
974         (JSC::iteratorNext):
975         (JSC::iteratorClose):
976         (JSC::iteratorForIterable):
977         * runtime/JSArray.cpp:
978         (JSC::JSArray::shiftCountWithArrayStorage):
979         (JSC::JSArray::unshiftCountWithArrayStorage):
980         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
981         * runtime/JSArrayBufferConstructor.cpp:
982         (JSC::JSArrayBufferConstructor::finishCreation):
983         (JSC::constructArrayBuffer):
984         * runtime/JSArrayBufferPrototype.cpp:
985         (JSC::arrayBufferProtoFuncSlice):
986         * runtime/JSArrayBufferView.cpp:
987         (JSC::JSArrayBufferView::unsharedJSBuffer):
988         (JSC::JSArrayBufferView::possiblySharedJSBuffer):
989         * runtime/JSAsyncFunction.cpp:
990         (JSC::JSAsyncFunction::createImpl):
991         (JSC::JSAsyncFunction::create):
992         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
993         * runtime/JSAsyncGeneratorFunction.cpp:
994         (JSC::JSAsyncGeneratorFunction::createImpl):
995         (JSC::JSAsyncGeneratorFunction::create):
996         (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
997         * runtime/JSBoundFunction.cpp:
998         (JSC::boundThisNoArgsFunctionCall):
999         (JSC::boundFunctionCall):
1000         (JSC::boundThisNoArgsFunctionConstruct):
1001         (JSC::boundFunctionConstruct):
1002         (JSC::getBoundFunctionStructure):
1003         (JSC::JSBoundFunction::create):
1004         (JSC::JSBoundFunction::boundArgsCopy):
1005         * runtime/JSCJSValue.cpp:
1006         (JSC::JSValue::putToPrimitive):
1007         * runtime/JSCellInlines.h:
1008         (JSC::JSCell::setStructure):
1009         (JSC::JSCell::methodTable const):
1010         (JSC::JSCell::toBoolean const):
1011         * runtime/JSFunction.h:
1012         (JSC::JSFunction::createImpl):
1013         * runtime/JSGeneratorFunction.cpp:
1014         (JSC::JSGeneratorFunction::createImpl):
1015         (JSC::JSGeneratorFunction::create):
1016         (JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
1017         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1018         (JSC::constructGenericTypedArrayViewWithArguments):
1019         (JSC::constructGenericTypedArrayView):
1020         * runtime/JSGenericTypedArrayViewInlines.h:
1021         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1022         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
1023         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
1024         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1025         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1026         (JSC::genericTypedArrayViewProtoFuncSlice):
1027         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1028         * runtime/JSGlobalObject.cpp:
1029         (JSC::JSGlobalObject::init):
1030         (JSC::JSGlobalObject::exposeDollarVM):
1031         (JSC::JSGlobalObject::finishCreation):
1032         * runtime/JSGlobalObject.h:
1033         * runtime/JSGlobalObjectFunctions.cpp:
1034         (JSC::globalFuncEval):
1035         * runtime/JSInternalPromise.cpp:
1036         (JSC::JSInternalPromise::then):
1037         * runtime/JSInternalPromiseConstructor.cpp:
1038         (JSC::constructPromise):
1039         * runtime/JSJob.cpp:
1040         (JSC::JSJobMicrotask::run):
1041         * runtime/JSLexicalEnvironment.cpp:
1042         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
1043         (JSC::JSLexicalEnvironment::put):
1044         * runtime/JSMap.cpp:
1045         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
1046         * runtime/JSMapIterator.cpp:
1047         (JSC::JSMapIterator::createPair):
1048         * runtime/JSModuleLoader.cpp:
1049         (JSC::JSModuleLoader::provideFetch):
1050         (JSC::JSModuleLoader::loadAndEvaluateModule):
1051         (JSC::JSModuleLoader::loadModule):
1052         (JSC::JSModuleLoader::linkAndEvaluateModule):
1053         (JSC::JSModuleLoader::requestImportModule):
1054         * runtime/JSONObject.cpp:
1055         (JSC::JSONProtoFuncParse):
1056         * runtime/JSObject.cpp:
1057         (JSC::JSObject::putInlineSlow):
1058         (JSC::JSObject::putByIndex):
1059         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1060         (JSC::JSObject::createInitialIndexedStorage):
1061         (JSC::JSObject::createArrayStorage):
1062         (JSC::JSObject::convertUndecidedToArrayStorage):
1063         (JSC::JSObject::convertInt32ToArrayStorage):
1064         (JSC::JSObject::convertDoubleToArrayStorage):
1065         (JSC::JSObject::convertContiguousToArrayStorage):
1066         (JSC::JSObject::convertFromCopyOnWrite):
1067         (JSC::JSObject::ensureWritableInt32Slow):
1068         (JSC::JSObject::ensureWritableDoubleSlow):
1069         (JSC::JSObject::ensureWritableContiguousSlow):
1070         (JSC::JSObject::ensureArrayStorageSlow):
1071         (JSC::JSObject::setPrototypeDirect):
1072         (JSC::JSObject::deleteProperty):
1073         (JSC::callToPrimitiveFunction):
1074         (JSC::JSObject::hasInstance):
1075         (JSC::JSObject::getOwnNonIndexPropertyNames):
1076         (JSC::JSObject::preventExtensions):
1077         (JSC::JSObject::isExtensible):
1078         (JSC::JSObject::reifyAllStaticProperties):
1079         (JSC::JSObject::fillGetterPropertySlot):
1080         (JSC::JSObject::defineOwnIndexedProperty):
1081         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1082         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1083         (JSC::JSObject::putByIndexBeyondVectorLength):
1084         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1085         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1086         (JSC::JSObject::getNewVectorLength):
1087         (JSC::JSObject::increaseVectorLength):
1088         (JSC::JSObject::reallocateAndShrinkButterfly):
1089         (JSC::JSObject::shiftButterflyAfterFlattening):
1090         (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
1091         (JSC::JSObject::prototypeChainMayInterceptStoreTo):
1092         (JSC::JSObject::needsSlowPutIndexing const):
1093         (JSC::JSObject::suggestedArrayStorageTransition const):
1094         * runtime/JSObject.h:
1095         (JSC::JSObject::mayInterceptIndexedAccesses):
1096         (JSC::JSObject::hasIndexingHeader const):
1097         (JSC::JSObject::hasCustomProperties):
1098         (JSC::JSObject::hasGetterSetterProperties):
1099         (JSC::JSObject::hasCustomGetterSetterProperties):
1100         (JSC::JSObject::isExtensibleImpl):
1101         (JSC::JSObject::isStructureExtensible):
1102         (JSC::JSObject::indexingShouldBeSparse):
1103         (JSC::JSObject::staticPropertiesReified):
1104         (JSC::JSObject::globalObject const):
1105         (JSC::JSObject::finishCreation):
1106         (JSC::JSNonFinalObject::finishCreation):
1107         (JSC::getCallData):
1108         (JSC::getConstructData):
1109         (JSC::JSObject::getOwnNonIndexPropertySlot):
1110         (JSC::JSObject::putOwnDataProperty):
1111         (JSC::JSObject::putOwnDataPropertyMayBeIndex):
1112         (JSC::JSObject::butterflyPreCapacity):
1113         (JSC::JSObject::butterflyTotalSize):
1114         * runtime/JSObjectInlines.h:
1115         (JSC::JSObject::putDirectInternal):
1116         * runtime/JSPromise.cpp:
1117         (JSC::JSPromise::initialize):
1118         (JSC::JSPromise::resolve):
1119         * runtime/JSPromiseConstructor.cpp:
1120         (JSC::constructPromise):
1121         * runtime/JSPromiseDeferred.cpp:
1122         (JSC::newPromiseCapability):
1123         (JSC::callFunction):
1124         * runtime/JSScope.cpp:
1125         (JSC::abstractAccess):
1126         * runtime/JSScope.h:
1127         (JSC::JSScope::globalObject): Deleted.
1128         Remove this JSScope::globalObject function since it is completely the same as JSObject::globalObject().
1129
1130         * runtime/JSSet.cpp:
1131         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
1132         * runtime/JSSetIterator.cpp:
1133         (JSC::JSSetIterator::createPair):
1134         * runtime/JSStringIterator.cpp:
1135         (JSC::JSStringIterator::clone):
1136         * runtime/Lookup.cpp:
1137         (JSC::reifyStaticAccessor):
1138         (JSC::setUpStaticFunctionSlot):
1139         * runtime/Lookup.h:
1140         (JSC::getStaticPropertySlotFromTable):
1141         (JSC::replaceStaticPropertySlot):
1142         (JSC::reifyStaticProperty):
1143         * runtime/MapConstructor.cpp:
1144         (JSC::constructMap):
1145         * runtime/NumberConstructor.cpp:
1146         (JSC::NumberConstructor::finishCreation):
1147         * runtime/ObjectConstructor.cpp:
1148         (JSC::constructObject):
1149         (JSC::objectConstructorAssign):
1150         (JSC::toPropertyDescriptor):
1151         * runtime/ObjectPrototype.cpp:
1152         (JSC::objectProtoFuncDefineGetter):
1153         (JSC::objectProtoFuncDefineSetter):
1154         (JSC::objectProtoFuncToLocaleString):
1155         * runtime/Operations.cpp:
1156         (JSC::jsIsFunctionType): Deleted.
1157         Replace it with JSValue::isFunction(VM&).
1158
1159         * runtime/Operations.h:
1160         * runtime/ProgramExecutable.cpp:
1161         (JSC::ProgramExecutable::initializeGlobalProperties):
1162         * runtime/RegExpConstructor.cpp:
1163         (JSC::constructWithRegExpConstructor):
1164         (JSC::callRegExpConstructor):
1165         * runtime/SamplingProfiler.cpp:
1166         (JSC::SamplingProfiler::processUnverifiedStackTraces):
1167         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
1168         * runtime/ScopedArguments.cpp:
1169         (JSC::ScopedArguments::overrideThings):
1170         * runtime/ScriptExecutable.cpp:
1171         (JSC::ScriptExecutable::newCodeBlockFor):
1172         (JSC::ScriptExecutable::prepareForExecutionImpl):
1173         * runtime/SetConstructor.cpp:
1174         (JSC::constructSet):
1175         * runtime/SparseArrayValueMap.cpp:
1176         (JSC::SparseArrayValueMap::putEntry):
1177         (JSC::SparseArrayValueMap::putDirect):
1178         * runtime/StringConstructor.cpp:
1179         (JSC::constructWithStringConstructor):
1180         * runtime/StringPrototype.cpp:
1181         (JSC::replaceUsingRegExpSearch):
1182         (JSC::replaceUsingStringSearch):
1183         (JSC::stringProtoFuncIterator):
1184         * runtime/Structure.cpp:
1185         (JSC::Structure::materializePropertyTable):
1186         (JSC::Structure::willStoreValueSlow):
1187         * runtime/StructureCache.cpp:
1188         (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
1189         * runtime/StructureInlines.h:
1190         (JSC::Structure::get):
1191         * runtime/WeakMapConstructor.cpp:
1192         (JSC::constructWeakMap):
1193         * runtime/WeakSetConstructor.cpp:
1194         (JSC::constructWeakSet):
1195         * tools/HeapVerifier.cpp:
1196         (JSC::HeapVerifier::reportCell):
1197         * tools/JSDollarVM.cpp:
1198         (JSC::functionGlobalObjectForObject):
1199         (JSC::JSDollarVM::finishCreation):
1200         * wasm/js/JSWebAssemblyInstance.cpp:
1201         (JSC::JSWebAssemblyInstance::finalizeCreation):
1202         * wasm/js/WasmToJS.cpp:
1203         (JSC::Wasm::handleBadI64Use):
1204         (JSC::Wasm::wasmToJSException):
1205         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1206         (JSC::constructJSWebAssemblyCompileError):
1207         (JSC::callJSWebAssemblyCompileError):
1208         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
1209         (JSC::constructJSWebAssemblyLinkError):
1210         (JSC::callJSWebAssemblyLinkError):
1211         * wasm/js/WebAssemblyModuleRecord.cpp:
1212         (JSC::WebAssemblyModuleRecord::evaluate):
1213         * wasm/js/WebAssemblyPrototype.cpp:
1214         (JSC::instantiate):
1215         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1216         (JSC::constructJSWebAssemblyRuntimeError):
1217         (JSC::callJSWebAssemblyRuntimeError):
1218         * wasm/js/WebAssemblyToJSCallee.cpp:
1219         (JSC::WebAssemblyToJSCallee::create):
1220
1221 2018-05-30  Saam Barati  <sbarati@apple.com>
1222
1223         DFG combined liveness needs to say that the machine CodeBlock's arguments are live
1224         https://bugs.webkit.org/show_bug.cgi?id=186121
1225         <rdar://problem/39377796>
1226
1227         Reviewed by Keith Miller.
1228
1229         DFG's combined liveness was reporting that the machine CodeBlock's |this|
1230         argument was dead at certain points in the program. However, a CodeBlock's
1231         arguments are considered live for the entire function. This fixes a bug
1232         where object allocation sinking phase skipped materializing an allocation
1233         because it thought that the argument it was associated with, |this|, was dead.
1234
1235         * dfg/DFGCombinedLiveness.cpp:
1236         (JSC::DFG::liveNodesAtHead):
1237
1238 2018-05-30  Daniel Bates  <dabates@apple.com>
1239
1240         Web Inspector: Annotate Same-Site cookies
1241         https://bugs.webkit.org/show_bug.cgi?id=184897
1242         <rdar://problem/35178209>
1243
1244         Reviewed by Brian Burg.
1245
1246         Update protocol to include cookie Same-Site policy.
1247
1248         * inspector/protocol/Page.json:
1249
1250 2018-05-29  Keith Miller  <keith_miller@apple.com>
1251
1252         Error instances should not strongly hold onto StackFrames
1253         https://bugs.webkit.org/show_bug.cgi?id=185996
1254
1255         Reviewed by Mark Lam.
1256
1257         Previously, we would hold onto all the StackFrames until the user
1258         looked at one of the properties on the Error object. This patch makes us
1259         only weakly retain the StackFrames and collect all the information
1260         if we are about to collect any frame.
1261
1262         This patch also adds a method to $vm that returns the heap's count
1263         of live global objects.
1264
1265         * heap/Heap.cpp:
1266         (JSC::Heap::finalizeUnconditionalFinalizers):
1267         * interpreter/Interpreter.cpp:
1268         (JSC::Interpreter::stackTraceAsString):
1269         * interpreter/Interpreter.h:
1270         * runtime/Error.cpp:
1271         (JSC::addErrorInfo):
1272         * runtime/ErrorInstance.cpp:
1273         (JSC::ErrorInstance::finalizeUnconditionally):
1274         (JSC::ErrorInstance::computeErrorInfo):
1275         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1276         (JSC::ErrorInstance::visitChildren): Deleted.
1277         * runtime/ErrorInstance.h:
1278         (JSC::ErrorInstance::subspaceFor):
1279         * runtime/JSFunction.cpp:
1280         (JSC::getCalculatedDisplayName):
1281         * runtime/StackFrame.h:
1282         (JSC::StackFrame::isMarked const):
1283         * runtime/VM.cpp:
1284         (JSC::VM::VM):
1285         * runtime/VM.h:
1286         * tools/JSDollarVM.cpp:
1287         (JSC::functionGlobalObjectCount):
1288         (JSC::JSDollarVM::finishCreation):
1289
1290 2018-05-30  Keith Miller  <keith_miller@apple.com>
1291
1292         LLInt get_by_id prototype caching doesn't properly handle changes
1293         https://bugs.webkit.org/show_bug.cgi?id=186112
1294
1295         Reviewed by Filip Pizlo.
1296
1297         The caching would sometimes fail to track that a prototype had changed
1298         and wouldn't update its set of watchpoints.
1299
1300         * bytecode/CodeBlock.cpp:
1301         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1302         * bytecode/CodeBlock.h:
1303         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
1304         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const):
1305         * bytecode/ObjectPropertyConditionSet.h:
1306         (JSC::ObjectPropertyConditionSet::size const):
1307         * bytecode/Watchpoint.h:
1308         (JSC::Watchpoint::Watchpoint): Deleted.
1309         * llint/LLIntSlowPaths.cpp:
1310         (JSC::LLInt::setupGetByIdPrototypeCache):
1311
1312 2018-05-30  Caio Lima  <ticaiolima@gmail.com>
1313
1314         [ESNext][BigInt] Implement support for "%" operation
1315         https://bugs.webkit.org/show_bug.cgi?id=184327
1316
1317         Reviewed by Yusuke Suzuki.
1318
1319         We are introducing support for BigInt in the remainder (a.k.a. mod)
1320         operation.
1321
1322         * runtime/CommonSlowPaths.cpp:
1323         (JSC::SLOW_PATH_DECL):
1324         * runtime/JSBigInt.cpp:
1325         (JSC::JSBigInt::remainder):
1326         (JSC::JSBigInt::rightTrim):
1327         * runtime/JSBigInt.h:
1328
1329 2018-05-30  Saam Barati  <sbarati@apple.com>
1330
1331         AI for Atomics.load() is too conservative in always clobbering world
1332         https://bugs.webkit.org/show_bug.cgi?id=185738
1333         <rdar://problem/40342214>
1334
1335         Reviewed by Yusuke Suzuki.
1336
1337         It fails the assertion that Fil added for catching disagreements between
1338         AI and clobberize. This patch fixes that. You'd run into this if you
1339         manually enabled SAB in a build and ran any SAB tests.
1340
1341         * dfg/DFGAbstractInterpreterInlines.h:
1342         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1343
1344 2018-05-30  Michael Saboff  <msaboff@apple.com>
1345
1346         REGRESSION(r232212): Broke Win32 Builds
1347         https://bugs.webkit.org/show_bug.cgi?id=186061
1348
1349         Reviewed by Yusuke Suzuki.
1350
1351         Changed Windows builds with the JIT disabled to generate and use LLIntAssembly.h
1352         instead of LowLevelInterpreterWin.asm.
1353
1354         * CMakeLists.txt:
1355
1356 2018-05-30  Dominik Infuehr  <dinfuehr@igalia.com>
1357
1358         [MIPS] Fix build on MIPS32r1
1359         https://bugs.webkit.org/show_bug.cgi?id=185944
1360
1361         Reviewed by Yusuke Suzuki.
1362
1363         Only use instructions on MIPS32r2 or later. mthc1 and mfhc1 are not supported
1364         on MIPS32r1.
1365
1366         * offlineasm/mips.rb:
1367
1368 2018-05-29  Saam Barati  <sbarati@apple.com>
1369
1370         Add a version of JSVirtualMachine shrinkFootprint that runs when the VM goes idle
1371         https://bugs.webkit.org/show_bug.cgi?id=186064
1372
1373         Reviewed by Mark Lam.
1374
1375         shrinkFootprint was implemented as:
1376         ```
1377         sanitizeStackForVM(this);
1378         deleteAllCode(DeleteAllCodeIfNotCollecting);
1379         heap.collectNow(Synchronousness::Sync);
1380         WTF::releaseFastMallocFreeMemory();
1381         ```
1382         
1383         However, for correctness reasons, deleteAllCode is implemented to do
1384         work when the VM is idle: no JS is running on the stack. This means
1385         that if shrinkFootprint is called when JS is running on the stack, it
1386         ends up freeing less memory than it could have if it waited to run until
1387         the VM goes idle.
1388         
1389         This patch makes it so we wait until idle before doing work. I'm seeing a
1390         10% footprint progression when testing this against a client of the JSC SPI.
1391         
1392         Because this is a semantic change in how the SPI works, this patch
1393         adds new SPI named shrinkFootprintWhenIdle. The plan is to move
1394         all clients of the shrinkFootprint SPI to shrinkFootprintWhenIdle.
1395         Once that happens, we will delete shrinkFootprint. Until then,
1396         we make shrinkFootprint do exactly what shrinkFootprintWhenIdle does.
1397
1398         * API/JSVirtualMachine.mm:
1399         (-[JSVirtualMachine shrinkFootprint]):
1400         (-[JSVirtualMachine shrinkFootprintWhenIdle]):
1401         * API/JSVirtualMachinePrivate.h:
1402         * runtime/VM.cpp:
1403         (JSC::VM::shrinkFootprintWhenIdle):
1404         (JSC::VM::shrinkFootprint): Deleted.
1405         * runtime/VM.h:
1406
1407 2018-05-29  Saam Barati  <sbarati@apple.com>
1408
1409         shrinkFootprint needs to request a full collection
1410         https://bugs.webkit.org/show_bug.cgi?id=186069
1411
1412         Reviewed by Mark Lam.
1413
1414         * runtime/VM.cpp:
1415         (JSC::VM::shrinkFootprint):
1416
1417 2018-05-29  Caio Lima  <ticaiolima@gmail.com>
1418
1419         [ESNext][BigInt] Implement support for "<" and ">" relational operation
1420         https://bugs.webkit.org/show_bug.cgi?id=185379
1421
1422         Reviewed by Yusuke Suzuki.
1423
1424         This patch is changing the `jsLess` operation to follow the
1425         semantics of Abstract Relational Comparison[1] that supports BigInt.
1426         For that, we create 2 new helper functions `bigIntCompareLess` and
1427         `toPrimitiveNumeric` that consider BigInt as a valid type to be
1428         compared.
1429
1430         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-relational-comparison
1431
1432         * runtime/JSBigInt.cpp:
1433         (JSC::JSBigInt::unequalSign):
1434         (JSC::JSBigInt::absoluteGreater):
1435         (JSC::JSBigInt::absoluteLess):
1436         (JSC::JSBigInt::compare):
1437         (JSC::JSBigInt::absoluteCompare):
1438         * runtime/JSBigInt.h:
1439         * runtime/JSCJSValueInlines.h:
1440         (JSC::JSValue::isPrimitive const):
1441         * runtime/Operations.h:
1442         (JSC::bigIntCompareLess):
1443         (JSC::toPrimitiveNumeric):
1444         (JSC::jsLess):
1445
1446 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1447
1448         [Baseline] Merge loading functionalities
1449         https://bugs.webkit.org/show_bug.cgi?id=185907
1450
1451         Reviewed by Saam Barati.
1452
1453         This patch unifies emitXXXLoad functions in 32bit and 64bit.
1454
1455         * jit/JITInlines.h:
1456         (JSC::JIT::emitDoubleGetByVal):
1457         * jit/JITPropertyAccess.cpp:
1458         (JSC::JIT::emitDoubleLoad):
1459         (JSC::JIT::emitContiguousLoad):
1460         (JSC::JIT::emitArrayStorageLoad):
1461         (JSC::JIT::emitIntTypedArrayGetByVal):
1462         (JSC::JIT::emitFloatTypedArrayGetByVal):
1463         Define register usage first, and share the same code in 32bit and 64bit.
1464
1465         * jit/JITPropertyAccess32_64.cpp:
1466         (JSC::JIT::emitSlow_op_put_by_val):
1467         Now the C-stack is always enabled on JIT platforms and the number of temporary registers increases from 5 to 6 on x86.
1468         We can remove this special handling.
1469
1470         (JSC::JIT::emitContiguousLoad): Deleted.
1471         (JSC::JIT::emitDoubleLoad): Deleted.
1472         (JSC::JIT::emitArrayStorageLoad): Deleted.
1473
1474 2018-05-29  Saam Barati  <sbarati@apple.com>
1475
1476         JSC should put bmalloc's scavenger into mini mode
1477         https://bugs.webkit.org/show_bug.cgi?id=185988
1478
1479         Reviewed by Michael Saboff.
1480
1481         When we InitializeThreading, we'll now enable bmalloc's mini mode
1482         if the VM is in mini mode. This is an 8-10% progression on the footprint
1483         at end score in run-testmem, making it a 4-5% memory score progression.
1484         It's between a 0-1% regression in its time score.
1485
1486         * runtime/InitializeThreading.cpp:
1487         (JSC::initializeThreading):
1488
1489 2018-05-29  Caitlin Potter  <caitp@igalia.com>
1490
1491         [JSC] Fix Array.prototype.concat fast case when single argument is Proxy
1492         https://bugs.webkit.org/show_bug.cgi?id=184267
1493
1494         Reviewed by Saam Barati.
1495
1496         Before this patch, the fast case for Array.prototype.concat was taken if
1497         there was a single argument passed to the function, which is either a
1498         non-JSCell, or an ObjectType JSCell not marked as concat-spreadable.
1499         This incorrectly prevented Proxy objects from being spread when
1500         they were the only argument passed to A.prototype.concat(), violating ECMA-262.
1501
1502         * builtins/ArrayPrototype.js:
1503         (concat):
1504
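The Proxy case described in the entry above, as an added example that is not part of the ChangeLog or of JSC's builtins/ArrayPrototype.js: a plain-JS model of the spec's Array.prototype.concat, whose IsConcatSpreadable step uses IsArray and therefore sees through a Proxy wrapping an array. The names toLength, isConcatSpreadable, specConcat and matchesEngine are this example's own.

```javascript
// Added example; not JSC code. A plain-JS model of ECMA-262 Array.prototype.concat,
// used to show why a lone Proxy argument must still be spread. The helper names
// toLength, isConcatSpreadable, specConcat and matchesEngine are this example's own.

// ToLength: clamp a length-like value to [0, 2^53 - 1].
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (!(n > 0)) return 0;                       // NaN and negatives become 0
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// IsConcatSpreadable(O): an explicit Symbol.isConcatSpreadable wins; otherwise
// IsArray(O) decides. Array.isArray looks through Proxy wrappers, so a Proxy whose
// target is an array is spreadable even though the Proxy itself is not an Array
// object. That is exactly the case a "single non-spreadable object" fast path misses.
function isConcatSpreadable(o) {
  if (o === null || (typeof o !== "object" && typeof o !== "function")) return false;
  const spreadable = o[Symbol.isConcatSpreadable];
  if (spreadable !== undefined) return Boolean(spreadable);
  return Array.isArray(o);
}

// Array.prototype.concat: spread every spreadable element (preserving holes),
// append everything else as a single element.
function specConcat(receiver, ...items) {
  const result = [];
  let n = 0;
  for (const e of [receiver, ...items]) {
    if (isConcatSpreadable(e)) {
      const len = toLength(e.length);
      for (let k = 0; k < len; k++, n++) {
        if (k in e) result[n] = e[k];          // holes stay holes
      }
    } else {
      result[n++] = e;
    }
  }
  result.length = n;
  return result;
}

// Side-by-side check against the engine's own concat for one argument list.
function matchesEngine(receiver, ...items) {
  const ours = specConcat(receiver, ...items);
  const theirs = receiver.concat(...items);
  return ours.length === theirs.length && ours.every((v, i) => v === theirs[i]);
}
```

Running `specConcat([1, 2], new Proxy([3, 4], {}))` yields `[1, 2, 3, 4]`, the same as the engine once the fast path is fixed; an object that opts out with `Symbol.isConcatSpreadable = false` is appended whole, and an array-like that opts in is spread.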
1505 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1506
1507         [JSC] JSBigInt::digitDiv has undefined behavior which causes test failures
1508         https://bugs.webkit.org/show_bug.cgi?id=186022
1509
1510         Reviewed by Darin Adler.
1511
1512         digitDiv performs Value64Bit >> 64 / Value32Bit >> 32, which is undefined behavior. And zero mask
1513         creation has an issue (`s` should be cast to a signed type before negating). They cause test failures
1514         in non x86 / x86_64 environments. x86 and x86_64 work well since they have a fast path written
1515         in asm.
1516
1517         This patch fixes digitDiv by carefully avoiding undefined behaviors. We mask the left value of the
1518         rshift with `digitBits - 1`, which makes `digitBits` 0 while it keeps 0 <= n < digitBits values.
1519         This makes the target rshift well-defined in C++. While the value produced by the rshift covers 0 <= `s` < 64 (32
1520         in a 32bit environment) cases, this rshift does not shift if `s` is 0. sZeroMask clears the value
1521         if `s` is 0, so that the `s == 0` case is also covered. Note that `s == 64` never happens since `divisor`
1522         is never 0 here. We add an assertion for that. We also fix the `sZeroMask` calculation.
1523
1524         This patch also fixes the naming convention for constant values.
1525
1526         * runtime/JSBigInt.cpp:
1527         (JSC::JSBigInt::digitMul):
1528         (JSC::JSBigInt::digitDiv):
1529         * runtime/JSBigInt.h:
1530
1531 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1532
1533         [WTF] Add clz32 / clz64 for MSVC
1534         https://bugs.webkit.org/show_bug.cgi?id=186023
1535
1536         Reviewed by Daniel Bates.
1537
1538         Move clz32 and clz64 to WTF.
1539
1540         * runtime/MathCommon.h:
1541         (JSC::clz32): Deleted.
1542         (JSC::clz64): Deleted.
1543
1544 2018-05-27  Caio Lima  <ticaiolima@gmail.com>
1545
1546         [ESNext][BigInt] Implement "+" and "-" unary operation
1547         https://bugs.webkit.org/show_bug.cgi?id=182214
1548
1549         Reviewed by Yusuke Suzuki.
1550
1551         This patch is implementing support for the "-" unary operation on BigInt.
1552         It is also changing the logic of ASTBuilder::makeNegateNode to
1553         calculate BigInt literals with the proper sign, avoiding
1554         unnecessary operations. It required a refactoring of
1555         JSBigInt::parseInt to consider the sign as a parameter.
1556
1557         We are also introducing a new DFG Node called ValueNegate to handle BigInt negate
1558         operations. With the introduction of BigInt, it is not true
1559         that every negate operation returns a Number. As ArithNegate is a
1560         node that considers its result is always a Number, like all other
1561         Arith<Operation>, we decided to keep this consistency and use ValueNegate when
1562         speculation indicates that the operand is a BigInt.
1563         This design is following the same distinction between ArithAdd and
1564         ValueAdd. Also, this new node will make the introduction of
1565         optimizations simpler when we create speculation paths for BigInt in future
1566         patches.
1567
1568         In the case of the "+" unary operation on BigInt, the current semantic we already have
1569         is correct, since it needs to throw TypeError because of the ToNumber call[1].
1570         In such case, we are adding tests to verify other edge cases.
1571
1572         [1] - https://tc39.github.io/proposal-bigint/#sec-unary-plus-operator
1573
1574         * bytecompiler/BytecodeGenerator.cpp:
1575         (JSC::BytecodeGenerator::addBigIntConstant):
1576         * bytecompiler/BytecodeGenerator.h:
1577         * bytecompiler/NodesCodegen.cpp:
1578         (JSC::BigIntNode::jsValue const):
1579         * dfg/DFGAbstractInterpreterInlines.h:
1580         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1581         * dfg/DFGByteCodeParser.cpp:
1582         (JSC::DFG::ByteCodeParser::makeSafe):
1583         (JSC::DFG::ByteCodeParser::parseBlock):
1584         * dfg/DFGClobberize.h:
1585         (JSC::DFG::clobberize):
1586         * dfg/DFGDoesGC.cpp:
1587         (JSC::DFG::doesGC):
1588         * dfg/DFGFixupPhase.cpp:
1589         (JSC::DFG::FixupPhase::fixupNode):
1590         * dfg/DFGNode.h:
1591         (JSC::DFG::Node::arithNodeFlags):
1592         * dfg/DFGNodeType.h:
1593         * dfg/DFGPredictionPropagationPhase.cpp:
1594         * dfg/DFGSafeToExecute.h:
1595         (JSC::DFG::safeToExecute):
1596         * dfg/DFGSpeculativeJIT.cpp:
1597         (JSC::DFG::SpeculativeJIT::compileValueNegate):
1598         (JSC::DFG::SpeculativeJIT::compileArithNegate):
1599         * dfg/DFGSpeculativeJIT.h:
1600         * dfg/DFGSpeculativeJIT32_64.cpp:
1601         (JSC::DFG::SpeculativeJIT::compile):
1602         * dfg/DFGSpeculativeJIT64.cpp:
1603         (JSC::DFG::SpeculativeJIT::compile):
1604         * ftl/FTLCapabilities.cpp:
1605         (JSC::FTL::canCompile):
1606         * ftl/FTLLowerDFGToB3.cpp:
1607         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1608         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
1609         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
1610         * jit/JITOperations.cpp:
1611         * parser/ASTBuilder.h:
1612         (JSC::ASTBuilder::createBigIntWithSign):
1613         (JSC::ASTBuilder::createBigIntFromUnaryOperation):
1614         (JSC::ASTBuilder::makeNegateNode):
1615         * parser/NodeConstructors.h:
1616         (JSC::BigIntNode::BigIntNode):
1617         * parser/Nodes.h:
1618         * runtime/CommonSlowPaths.cpp:
1619         (JSC::updateArithProfileForUnaryArithOp):
1620         (JSC::SLOW_PATH_DECL):
1621         * runtime/JSBigInt.cpp:
1622         (JSC::JSBigInt::parseInt):
1623         * runtime/JSBigInt.h:
1624         * runtime/JSCJSValueInlines.h:
1625         (JSC::JSValue::strictEqualSlowCaseInline):
1626
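The BigInt semantics referred to in the two entries above (Abstract Relational Comparison for `<` in bug 185379, and the unary `-` / `+` operators in bug 182214), as an added example that is not part of the ChangeLog or of JSC's runtime/Operations.h: a plain-JS model of ToPrimitive, ToNumeric, StringToBigInt and the operators built on them, checked against the engine's own results. Every function name here (isObjectLike, toPrimitive, toNumeric, stringToBigInt, abstractRelationalComparison, jsLess, unaryMinus, unaryPlus) is this example's own, not JSC's.

```javascript
// Added example; not JSC code. A plain-JS model of the BigInt-aware operations
// described in the ChangeLog: Abstract Relational Comparison (used by `<`) and
// unary `-` / `+`. All function names are this example's own, not JSC's.

function isObjectLike(v) {
  return v !== null && (typeof v === "object" || typeof v === "function");
}

// ToPrimitive(value, hint Number): Symbol.toPrimitive first, then valueOf,
// then toString; primitives pass straight through.
function toPrimitive(value) {
  if (!isObjectLike(value)) return value;
  const exotic = value[Symbol.toPrimitive];
  if (exotic !== undefined && exotic !== null) {
    const result = exotic.call(value, "number");
    if (!isObjectLike(result)) return result;
    throw new TypeError("Cannot convert object to primitive value");
  }
  for (const name of ["valueOf", "toString"]) {
    const method = value[name];
    if (typeof method === "function") {
      const result = method.call(value);
      if (!isObjectLike(result)) return result;
    }
  }
  throw new TypeError("Cannot convert object to primitive value");
}

// ToNumeric: a BigInt primitive stays a BigInt; everything else goes through ToNumber.
function toNumeric(value) {
  const prim = toPrimitive(value);
  return typeof prim === "bigint" ? prim : Number(prim);
}

// StringToBigInt: undefined (not NaN) for strings that are not BigInt literals.
function stringToBigInt(str) {
  try { return BigInt(str); } catch (e) { return undefined; }
}

// Abstract Relational Comparison x < y (LeftFirst = true). Returns true, false,
// or undefined when a NaN or an unparsable string makes the result undefined.
function abstractRelationalComparison(x, y) {
  const px = toPrimitive(x);
  const py = toPrimitive(y);
  if (typeof px === "string" && typeof py === "string") return px < py;
  if (typeof px === "bigint" && typeof py === "string") {
    const ny = stringToBigInt(py);
    return ny === undefined ? undefined : px < ny;
  }
  if (typeof px === "string" && typeof py === "bigint") {
    const nx = stringToBigInt(px);
    return nx === undefined ? undefined : nx < py;
  }
  const nx = typeof px === "bigint" ? px : Number(px);
  const ny = typeof py === "bigint" ? py : Number(py);
  if (Number.isNaN(nx) || Number.isNaN(ny)) return undefined;
  // Both operands are numeric now; the engine's mixed BigInt/Number `<` is exact.
  return nx < ny;
}

// The `<` operator: an undefined comparison result means false.
function jsLess(x, y) {
  const r = abstractRelationalComparison(x, y);
  return r === undefined ? false : r;
}

// Unary minus negates in whatever numeric type ToNumeric produced (Number or BigInt).
function unaryMinus(value) {
  return -toNumeric(value);
}

// Unary plus is ToNumber, which has no BigInt case and therefore throws TypeError.
function unaryPlus(value) {
  const prim = toPrimitive(value);
  if (typeof prim === "bigint") throw new TypeError("Cannot convert a BigInt value to a number");
  return Number(prim);
}
```

The string cases are where the BigInt proposal differs most from the Number-only algorithm: `2n < "10"` parses the string as a BigInt and is true, while `2n < "x"` has no numeric interpretation and is false rather than a comparison against NaN.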
1627 2018-05-27  Dan Bernstein  <mitz@apple.com>
1628
1629         Tried to fix the 32-bit !ASSERT_DISABLED build after r232211.
1630
1631         * jit/JITOperations.cpp:
1632
1633 2018-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1634
1635         [JSC] Rename Array#flatten to flat
1636         https://bugs.webkit.org/show_bug.cgi?id=186012
1637
1638         Reviewed by Saam Barati.
1639
1640         Rename Array#flatten to Array#flat. This rename is done in TC39 since flatten
1641         conflicts with MooTools' function name.
1642
1643         * builtins/ArrayPrototype.js:
1644         (globalPrivate.flatIntoArray):
1645         (flat):
1646         (globalPrivate.flatIntoArrayWithCallback):
1647         (flatMap):
1648         (globalPrivate.flattenIntoArray): Deleted.
1649         (flatten): Deleted.
1650         (globalPrivate.flattenIntoArrayWithCallback): Deleted.
1651         * runtime/ArrayPrototype.cpp:
1652         (JSC::ArrayPrototype::finishCreation):
1653
1654 2018-05-25  Mark Lam  <mark.lam@apple.com>
1655
1656         for-in loops should preserve and restore the TDZ stack for each of its internal loops.
1657         https://bugs.webkit.org/show_bug.cgi?id=185995
1658         <rdar://problem/40173142>
1659
1660         Reviewed by Saam Barati.
1661
1662         This is because there's no guarantee that any of the loop bodies will be
1663         executed.  Hence, there's no guarantee that the TDZ variables will have been
1664         initialized after each loop body.
1665
1666         * bytecompiler/BytecodeGenerator.cpp:
1667         (JSC::BytecodeGenerator::preserveTDZStack):
1668         (JSC::BytecodeGenerator::restoreTDZStack):
1669         * bytecompiler/BytecodeGenerator.h:
1670         * bytecompiler/NodesCodegen.cpp:
1671         (JSC::ForInNode::emitBytecode):
1672
1673 2018-05-25  Mark Lam  <mark.lam@apple.com>
1674
1675         MachineContext's instructionPointer() should handle null PCs correctly.
1676         https://bugs.webkit.org/show_bug.cgi?id=186004
1677         <rdar://problem/40570067>
1678
1679         Reviewed by Saam Barati.
1680
1681         instructionPointer() returns a MacroAssemblerCodePtr<CFunctionPtrTag>.  However,
1682         MacroAssemblerCodePtr's constructor does not accept a null pointer value and will
1683         assert accordingly with a debug ASSERT.  This is inconsequential for release
1684         builds, but to avoid this assertion failure, we should check for a null PC and
1685         return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr) instead (which uses the
1686         MacroAssemblerCodePtr(std::nullptr_t) version of the constructor instead).
1687
1688         Alternatively, we can change all of MacroAssemblerCodePtr's constructors to check
1689         for null pointers, but I'd rather not do that yet.  In general,
1690         MacroAssemblerCodePtrs are constructed with non-null pointers, and I prefer to
1691         leave it that way for now.
1692
1693         Note: this assertion failure only manifests when we have signal traps enabled,
1694         and encounter a null pointer deref.
1695
1696         * runtime/MachineContext.h:
1697         (JSC::MachineContext::instructionPointer):
1698
1699 2018-05-25  Mark Lam  <mark.lam@apple.com>
1700
1701         Enforce invariant that GetterSetter objects are invariant.
1702         https://bugs.webkit.org/show_bug.cgi?id=185968
1703         <rdar://problem/40541416>
1704
1705         Reviewed by Saam Barati.
1706
1707         The code already assumes the invariant that GetterSetter objects are immutable.
1708         For example, the use of @tryGetById in builtins expects this invariant to be true.
1709         The existing code mostly enforces this except for one case: JSObject's
1710         validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter
1711         object.
1712
1713         This patch enforces this invariant by removing the setGetter and setSetter methods
1714         of GetterSetter, and requiring the getter/setter callback functions to be
1715         specified at construction time.
1716
1717         * jit/JITOperations.cpp:
1718         * llint/LLIntSlowPaths.cpp:
1719         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1720         * runtime/GetterSetter.cpp:
1721         (JSC::GetterSetter::withGetter): Deleted.
1722         (JSC::GetterSetter::withSetter): Deleted.
1723         * runtime/GetterSetter.h:
1724         * runtime/JSGlobalObject.cpp:
1725         (JSC::JSGlobalObject::init):
1726         * runtime/JSObject.cpp:
1727         (JSC::JSObject::putIndexedDescriptor):
1728         (JSC::JSObject::putDirectNativeIntrinsicGetter):
1729         (JSC::putDescriptor):
1730         (JSC::validateAndApplyPropertyDescriptor):
1731         * runtime/JSTypedArrayViewPrototype.cpp:
1732         (JSC::JSTypedArrayViewPrototype::finishCreation):
1733         * runtime/Lookup.cpp:
1734         (JSC::reifyStaticAccessor):
1735         * runtime/PropertyDescriptor.cpp:
1736         (JSC::PropertyDescriptor::slowGetterSetter):
1737
1738 2018-05-25  Saam Barati  <sbarati@apple.com>
1739
1740         Make JSC have a mini mode that kicks in when the JIT is disabled
1741         https://bugs.webkit.org/show_bug.cgi?id=185931
1742
1743         Reviewed by Mark Lam.
1744
1745         This patch makes JSC have a mini VM mode. This currently only kicks in
1746         when the process can't JIT. Mini VM now means a few things:
1747         - We always use a 1.27x heap growth factor. This number was the best tradeoff
1748           between memory use progression and time regression in run-testmem. We may
1749           want to tune this more in the future as we make other mini VM changes.
1750         - We always sweep synchronously.
1751         - We disable generational GC.
1752         
1753         I'm going to continue to extend what mini VM mode means in future changes.
1754         
1755         This patch is a 50% memory progression and an ~8-9% time regression
1756         on run-testmem when running in mini VM mode with the JIT disabled.
1757
1758         * heap/Heap.cpp:
1759         (JSC::Heap::collectNow):
1760         (JSC::Heap::finalize):
1761         (JSC::Heap::useGenerationalGC):
1762         (JSC::Heap::shouldSweepSynchronously):
1763         (JSC::Heap::shouldDoFullCollection):
1764         * heap/Heap.h:
1765         * runtime/Options.h:
1766         * runtime/VM.cpp:
1767         (JSC::VM::isInMiniMode):
1768         * runtime/VM.h:
1769
1770 2018-05-25  Saam Barati  <sbarati@apple.com>
1771
1772         Have a memory test where we can validate JSC's mini memory mode
1773         https://bugs.webkit.org/show_bug.cgi?id=185932
1774
1775         Reviewed by Mark Lam.
1776
1777         This patch adds the testmem CLI. It takes as input a file to run
1778         and the number of iterations to run it (by default it runs it
1779         20 times). Each iteration runs in a new JSContext. Each JSContext
1780         belongs to a VM that is created once. When finished, the CLI dumps
1781         out the peak memory usage of the process, the memory usage at the end
1782         of running all the iterations of the process, and the total time it
1783         took to run all the iterations.
1784
1785         * JavaScriptCore.xcodeproj/project.pbxproj:
1786         * testmem: Added.
1787         * testmem/testmem.mm: Added.
1788         (description):
1789         (Footprint::now):
1790         (main):
1791
1792 2018-05-25  David Kilzer  <ddkilzer@apple.com>
1793
1794         Fix issues with -dealloc methods found by clang static analyzer
1795         <https://webkit.org/b/185887>
1796
1797         Reviewed by Joseph Pecoraro.
1798
1799         * API/JSValue.mm:
1800         (-[JSValue dealloc]):
1801         (-[JSValue description]):
1802         - Move method implementations from (Internal) category to the
1803           main category since these are public API.  This fixes the
1804           false positive warning about a missing -dealloc method.
1805
1806 2018-05-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1807
1808         [Baseline] Remove a hack for DCE removal of NewFunction
1809         https://bugs.webkit.org/show_bug.cgi?id=185945
1810
1811         Reviewed by Saam Barati.
1812
1813         This `undefined` check in baseline was originally introduced in r177871. The problem was,
1814         when NewFunction is removed in DFG DCE, its referencing scope DFG node is also removed.
1815         While op_new_func_xxx wants to have a scope for function creation, DFG OSR exit cannot
1816         retrieve this into the stack since the scope is not referenced from anywhere.
1817
1818         In r177871, we fixed this by accepting an `undefined` scope in the baseline op_new_func_xxx
1819         implementation. But rather than that, just emitting `Phantom` for this scope is clean
1820         and consistent with the other DFG nodes like GetClosureVar.
1821
1822         This patch emits Phantom instead, and removes the unnecessary `undefined` check in baseline.
1823         While we emit Phantom, it is not testable since NewFunction is guarded by MovHint which
1824         is not removed in DFG. And in FTL, NewFunction will be converted to PhantomNewFunction
1825         if it is not referenced. And the scope node is kept by PutHint. But emitting Phantom is nice
1826         since it conservatively guards the scope, and it does not introduce any additional overhead
1827         compared to the current status.
1828
1829         * dfg/DFGByteCodeParser.cpp:
1830         (JSC::DFG::ByteCodeParser::parseBlock):
1831         * jit/JITOpcodes.cpp:
1832         (JSC::JIT::emitNewFuncExprCommon):
1833
1834 2018-05-23  Keith Miller  <keith_miller@apple.com>
1835
1836         Expose $vm if window.internals is exposed
1837         https://bugs.webkit.org/show_bug.cgi?id=185900
1838
1839         Reviewed by Mark Lam.
1840
1841         This is useful for testing vm internals when running LayoutTests.
1842
1843         * runtime/JSGlobalObject.cpp:
1844         (JSC::JSGlobalObject::init):
1845         (JSC::JSGlobalObject::visitChildren):
1846         (JSC::JSGlobalObject::exposeDollarVM):
1847         * runtime/JSGlobalObject.h:
1848
1849 2018-05-23  Keith Miller  <keith_miller@apple.com>
1850
1851         Define length on CoW array should properly convert to writable
1852         https://bugs.webkit.org/show_bug.cgi?id=185927
1853
1854         Reviewed by Yusuke Suzuki.
1855
1856         * runtime/JSArray.cpp:
1857         (JSC::JSArray::setLength):
1858
1859 2018-05-23  Keith Miller  <keith_miller@apple.com>
1860
1861         InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format
1862         https://bugs.webkit.org/show_bug.cgi?id=185923
1863
1864         Reviewed by Saam Barati.
1865
1866         Previously, we could confuse AI by overly broadening a type. This happens when a block in a
1867         loop has a local mutated following a GetLocal but never SetLocaled to the stack. For example,
1868
1869         Block 1:
1870         @1: GetLocal(loc42, FlushedInt32);
1871         @2: PutStructure(Check: Cell: @1);
1872         @3: Jump(Block 1);
1873
1874         Would cause us to claim that loc42 could be either an int32 or some cell. However,
1875         the type of a local cannot change without writing to it.
1876
1877         This fixes a crash in destructuring-rest-element.js
1878
1879         * dfg/DFGInPlaceAbstractState.cpp:
1880         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1881
1882 2018-05-23  Filip Pizlo  <fpizlo@apple.com>
1883
1884         Speed up JetStream/base64
1885         https://bugs.webkit.org/show_bug.cgi?id=185914
1886
1887         Reviewed by Michael Saboff.
1888         
1889         Make allocation fast paths ALWAYS_INLINE.
1890         
1891         This is a 1% speed-up on SunSpider, mostly because of base64. It also speeds up pdfjs by
1892         ~6%.
1893
1894         * CMakeLists.txt:
1895         * JavaScriptCore.xcodeproj/project.pbxproj:
1896         * heap/AllocatorInlines.h:
1897         (JSC::Allocator::allocate const):
1898         * heap/CompleteSubspace.cpp:
1899         (JSC::CompleteSubspace::allocateNonVirtual): Deleted.
1900         * heap/CompleteSubspace.h:
1901         * heap/CompleteSubspaceInlines.h: Added.
1902         (JSC::CompleteSubspace::allocateNonVirtual):
1903         * heap/FreeListInlines.h:
1904         (JSC::FreeList::allocate):
1905         * heap/IsoSubspace.cpp:
1906         (JSC::IsoSubspace::allocateNonVirtual): Deleted.
1907         * heap/IsoSubspace.h:
1908         (JSC::IsoSubspace::allocatorForNonVirtual):
1909         * heap/IsoSubspaceInlines.h: Added.
1910         (JSC::IsoSubspace::allocateNonVirtual):
1911         * runtime/JSCellInlines.h:
1912         * runtime/VM.h:
1913
1914 2018-05-23  Rick Waldron  <waldron.rick@gmail.com>
1915
1916         Conversion misspelled "Convertion" in error message string
1917         https://bugs.webkit.org/show_bug.cgi?id=185436
1918
1919         Reviewed by Saam Barati, Michael Saboff
1920
1921         * runtime/JSBigInt.cpp:
1922         (JSC::JSBigInt::toNumber const):
1923
1924 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1925
1926         [JSC] Clean up stringGetByValStubGenerator
1927         https://bugs.webkit.org/show_bug.cgi?id=185864
1928
1929         Reviewed by Saam Barati.
1930
1931         We clean up stringGetByValStubGenerator.
1932
1933         1. Unify 32bit and 64bit implementations.
1934         2. Rename stringGetByValStubGenerator to stringGetByValGenerator, move it to ThunkGenerators.cpp.
1935         3. Remove string type check since this code is invoked only when we know regT0 is JSString*.
1936         4. Do not tag Cell in stringGetByValGenerator side. 32bit code stores Cell with tag in JITPropertyAccess32_64 side.
1937         5. Fix invalid use of loadPtr for StringImpl::flags. Should use load32.
1938
1939         * jit/JIT.h:
1940         * jit/JITPropertyAccess.cpp:
1941         (JSC::JIT::emitSlow_op_get_by_val):
1942         (JSC::JIT::stringGetByValStubGenerator): Deleted.
1943         * jit/JITPropertyAccess32_64.cpp:
1944         (JSC::JIT::emit_op_get_by_val):
1945         (JSC::JIT::emitSlow_op_get_by_val):
1946         (JSC::JIT::stringGetByValStubGenerator): Deleted.
1947         * jit/ThunkGenerators.cpp:
1948         (JSC::stringGetByValGenerator):
1949         * jit/ThunkGenerators.h:
1950
1951 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1952
1953         [JSC] Use branchIfString/branchIfNotString instead of structure checkings
1954         https://bugs.webkit.org/show_bug.cgi?id=185810
1955
1956         Reviewed by Saam Barati.
1957
1958         Let's use branchIfString/branchIfNotString helper functions instead of
1959         checking structure with jsString's structure. It's easy to read. And
1960         it emits less code since we do not need to embed string structure's
1961         raw pointer in 32bit environment.
1962
1963         * jit/JIT.h:
1964         * jit/JITInlines.h:
1965         (JSC::JIT::emitLoadCharacterString):
1966         (JSC::JIT::checkStructure): Deleted.
1967         * jit/JITOpcodes32_64.cpp:
1968         (JSC::JIT::emitSlow_op_eq):
1969         (JSC::JIT::compileOpEqJumpSlow):
1970         (JSC::JIT::emitSlow_op_neq):
1971         * jit/JITPropertyAccess.cpp:
1972         (JSC::JIT::stringGetByValStubGenerator):
1973         (JSC::JIT::emitSlow_op_get_by_val):
1974         (JSC::JIT::emitByValIdentifierCheck):
1975         * jit/JITPropertyAccess32_64.cpp:
1976         (JSC::JIT::stringGetByValStubGenerator):
1977         (JSC::JIT::emitSlow_op_get_by_val):
1978         * jit/JSInterfaceJIT.h:
1979         (JSC::ThunkHelpers::jsStringLengthOffset): Deleted.
1980         (JSC::ThunkHelpers::jsStringValueOffset): Deleted.
1981         * jit/SpecializedThunkJIT.h:
1982         (JSC::SpecializedThunkJIT::loadJSStringArgument):
1983         * jit/ThunkGenerators.cpp:
1984         (JSC::stringCharLoad):
1985         (JSC::charCodeAtThunkGenerator):
1986         (JSC::charAtThunkGenerator):
1987         * runtime/JSString.h:
1988
1989 2018-05-22  Mark Lam  <mark.lam@apple.com>
1990
1991         BytecodeGeneratorification shouldn't add a ValueProfile if the JIT is disabled.
1992         https://bugs.webkit.org/show_bug.cgi?id=185896
1993         <rdar://problem/40471403>
1994
1995         Reviewed by Saam Barati.
1996
1997         * bytecode/BytecodeGeneratorification.cpp:
1998         (JSC::BytecodeGeneratorification::run):
1999
2000 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2001
2002         [JSC] Fix CachedCall's argument count if RegExp has named captures
2003         https://bugs.webkit.org/show_bug.cgi?id=185587
2004
2005         Reviewed by Mark Lam.
2006
2007         If the given RegExp has named captures, the argument count of CachedCall in String#replace
2008         should be increased by one. This causes a crash with an assertion in test262. This patch corrects
2009         the argument count.
2010
2011         This patch also unifies source.is8Bit()/!source.is8Bit() code since they are now completely
2012         the same.
2013
2014         * runtime/StringPrototype.cpp:
2015         (JSC::replaceUsingRegExpSearch):
2016
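The "one extra argument for named captures" rule behind the entry above, as an added example that is not part of the ChangeLog or of JSC's runtime/StringPrototype.cpp: it records how many arguments a String.prototype.replace callback actually receives and derives the count the spec requires, so the two can be compared for patterns with and without named groups. The names replacerArgumentCount and expectedReplacerArgumentCount are this example's own.

```javascript
// Added example; not JSC code. Observes the argument list a String.prototype.replace
// callback receives and compares it with the count RegExp.prototype[Symbol.replace]
// prescribes. The names replacerArgumentCount and expectedReplacerArgumentCount are
// this example's own.

// Observed: run one replacement and record how many arguments the callback got.
// Returns -1 when the pattern never matched (callback never invoked).
function replacerArgumentCount(re, input) {
  let count = -1;
  input.replace(re, (...args) => { count = args.length; return ""; });
  return count;
}

// Expected: matched text, one argument per capture group, the match position,
// the whole string, and then a trailing `groups` object only when the pattern
// has at least one named group. That trailing object is the "+1" the engine's
// cached-call argument count has to account for.
function expectedReplacerArgumentCount(re) {
  // Appending an empty alternative makes the pattern match "" at index 0 with
  // every group undefined; the exec result length is 1 + group count, and its
  // `groups` property is undefined exactly when there are no named groups.
  const probe = new RegExp(re.source + "|", re.flags).exec("");
  const groupCount = probe.length - 1;
  const hasNamedGroups = probe.groups !== undefined;
  return 1 + groupCount + 2 + (hasNamedGroups ? 1 : 0);
}
```

With `/(\d+)-(\d+)/` the callback sees five arguments (match, two captures, position, string); renaming the same two groups to `(?<year>...)` and `(?<month>...)` makes it six, because the `groups` object is appended after the string.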
2017 2018-05-22  Mark Lam  <mark.lam@apple.com>
2018
2019         StringImpl utf8 conversion should not fail silently.
2020         https://bugs.webkit.org/show_bug.cgi?id=185888
2021         <rdar://problem/40464506>
2022
2023         Reviewed by Filip Pizlo.
2024
2025         * dfg/DFGLazyJSValue.cpp:
2026         (JSC::DFG::LazyJSValue::dumpInContext const):
2027         * runtime/DateConstructor.cpp:
2028         (JSC::constructDate):
2029         (JSC::dateParse):
2030         * runtime/JSDateMath.cpp:
2031         (JSC::parseDate):
2032         * runtime/JSDateMath.h:
2033
2034 2018-05-22  Keith Miller  <keith_miller@apple.com>
2035
2036         Remove the UnconditionalFinalizer class
2037         https://bugs.webkit.org/show_bug.cgi?id=185881
2038
2039         Reviewed by Filip Pizlo.
2040
2041         The only remaining user of this API is
2042         JSWebAssemblyCodeBlock. This patch changes JSWebAssemblyCodeBlock
2043         to use the newer template based API and removes the old class.
2044
2062         * CMakeLists.txt:
2063         * JavaScriptCore.xcodeproj/project.pbxproj:
2064         * bytecode/CodeBlock.h:
2065         * heap/Heap.cpp:
2066         (JSC::Heap::finalizeUnconditionalFinalizers):
2067         * heap/Heap.h:
2068         * heap/SlotVisitor.cpp:
2069         (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
2070         * heap/SlotVisitor.h:
2071         * heap/UnconditionalFinalizer.h: Removed.
2072         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2073         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2074         (JSC::JSWebAssemblyCodeBlock::visitChildren):
2075         (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
2076         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
2077         * wasm/js/JSWebAssemblyCodeBlock.h:
2078         * wasm/js/JSWebAssemblyModule.h:
2079
2080 2018-05-22  Keith Miller  <keith_miller@apple.com>
2081
2082         Unreviewed, fix internal build.
2083
2084         * runtime/JSImmutableButterfly.cpp:
2085
2086 2018-05-22  Saam Barati  <sbarati@apple.com>
2087
2088         DFG::LICMPhase should attempt to hoist edge type checks if hoisting the whole node fails
2089         https://bugs.webkit.org/show_bug.cgi?id=144525
2090
2091         Reviewed by Filip Pizlo.
2092
2093         This patch teaches LICM to fall back to hoisting a node's type checks when
2094         hoisting the entire node fails.
2095         
2096         This patch follows the same principles we use when deciding to hoist nodes in general:
2097         - If the pre header is control equivalent to where the current check is, we
2098         go ahead and hoist the check.
2099         - Otherwise, if hoisting hasn't failed before, we go ahead and gamble and
2100         hoist the check. If hoisting failed in the past, we will not hoist the check.
2101
2102         * dfg/DFGLICMPhase.cpp:
2103         (JSC::DFG::LICMPhase::attemptHoist):
2104         * dfg/DFGUseKind.h:
2105         (JSC::DFG::checkMayCrashIfInputIsEmpty):
2106
2107 2018-05-21  Filip Pizlo  <fpizlo@apple.com>
2108
2109         Get rid of TLCs
2110         https://bugs.webkit.org/show_bug.cgi?id=185846
2111
2112         Rubber stamped by Geoffrey Garen.
2113         
2114         This removes support for thread-local caches from the GC in order to speed up allocation a
2115         bit.
2116         
2117         We added TLCs as part of Spectre mitigations, which we have since removed.
2118         
2119         We will want some kind of TLCs eventually, since they allow us to:
2120         
2121         - have a global GC, which may be a perf optimization at some point.
2122         - allocate objects from JIT threads, which we've been wanting to do for a while.
2123         
2124         This change keeps the most interesting aspect of TLCs, which is the
2125         LocalAllocator/BlockDirectory separation. This means that it ought to be easy to implement
2126         TLCs again in the future if we wanted this feature.
2127         
2128         This change removes the part of TLCs that causes a perf regression, namely that Allocator is
2129         an offset that requires a bounds check and lookup that makes the rest of the allocation fast
2130         path dependent on the load of the TLC. Now, Allocator is really just a LocalAllocator*, so
2131         you can directly use it to allocate. This removes two loads and a check from the allocation
2132         fast path. In hindsight, I probably could have made that whole thing more efficient, had I
2133         allowed us to have a statically known set of LocalAllocators. This would have removed the
2134         bounds check (one load and one branch) and it would have made it possible to CSE the load of
2135         the TLC data structure, since that would no longer resize. But that's a harder change than
2136         this patch, and we don't need it right now.
2137         
2138         While reviewing the allocation hot paths, I found that CreateThis had an unnecessary branch
2139         to check if the allocator is null. I removed that check. AssemblyHelpers::emitAllocate() does
2140         that check already. Previously, the TLC bounds check doubled as this check.
2141         
2142         This is a 1% speed-up on Octane and a 2.3% speed-up on TailBench. However, the Octane
2143         speed-up on my machine includes an 8% regexp speed-up. I've found that sometimes regexp
2144         speeds up or slows down by 8% depending on which path I build JSC from. Without that 8%, this
2145         is still an Octane speed-up due to 2-4% speed-ups in earley, boyer, raytrace, and splay.
2146
2147         * JavaScriptCore.xcodeproj/project.pbxproj:
2148         * Sources.txt:
2149         * bytecode/ObjectAllocationProfileInlines.h:
2150         (JSC::ObjectAllocationProfile::initializeProfile):
2151         * dfg/DFGSpeculativeJIT.cpp:
2152         (JSC::DFG::SpeculativeJIT::compileCreateThis):
2153         * ftl/FTLLowerDFGToB3.cpp:
2154         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2155         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2156         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2157         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2158         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2159         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2160         * heap/Allocator.cpp:
2161         (JSC::Allocator::cellSize const):
2162         * heap/Allocator.h:
2163         (JSC::Allocator::Allocator):
2164         (JSC::Allocator::localAllocator const):
2165         (JSC::Allocator::operator== const):
2166         (JSC::Allocator::offset const): Deleted.
2167         * heap/AllocatorInlines.h:
2168         (JSC::Allocator::allocate const):
2169         (JSC::Allocator::tryAllocate const): Deleted.
2170         * heap/BlockDirectory.cpp:
2171         (JSC::BlockDirectory::BlockDirectory):
2172         (JSC::BlockDirectory::~BlockDirectory):
2173         * heap/BlockDirectory.h:
2174         (JSC::BlockDirectory::allocator const): Deleted.
2175         * heap/CompleteSubspace.cpp:
2176         (JSC::CompleteSubspace::allocateNonVirtual):
2177         (JSC::CompleteSubspace::allocatorForSlow):
2178         (JSC::CompleteSubspace::tryAllocateSlow):
2179         * heap/CompleteSubspace.h:
2180         * heap/Heap.cpp:
2181         (JSC::Heap::Heap):
2182         * heap/Heap.h:
2183         (JSC::Heap::threadLocalCacheLayout): Deleted.
2184         * heap/IsoSubspace.cpp:
2185         (JSC::IsoSubspace::IsoSubspace):
2186         (JSC::IsoSubspace::allocateNonVirtual):
2187         * heap/IsoSubspace.h:
2188         (JSC::IsoSubspace::allocatorForNonVirtual):
2189         * heap/LocalAllocator.cpp:
2190         (JSC::LocalAllocator::LocalAllocator):
2191         (JSC::LocalAllocator::~LocalAllocator):
2192         * heap/LocalAllocator.h:
2193         (JSC::LocalAllocator::cellSize const):
2194         (JSC::LocalAllocator::tlc const): Deleted.
2195         * heap/ThreadLocalCache.cpp: Removed.
2196         * heap/ThreadLocalCache.h: Removed.
2197         * heap/ThreadLocalCacheInlines.h: Removed.
2198         * heap/ThreadLocalCacheLayout.cpp: Removed.
2199         * heap/ThreadLocalCacheLayout.h: Removed.
2200         * jit/AssemblyHelpers.cpp:
2201         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2202         (JSC::AssemblyHelpers::emitAllocate):
2203         (JSC::AssemblyHelpers::emitAllocateVariableSized):
2204         * jit/JITOpcodes.cpp:
2205         (JSC::JIT::emit_op_create_this):
2206         * runtime/JSLock.cpp:
2207         (JSC::JSLock::didAcquireLock):
2208         * runtime/VM.cpp:
2209         (JSC::VM::VM):
2210         (JSC::VM::~VM):
2211         * runtime/VM.h:
2212         * runtime/VMEntryScope.cpp:
2213         (JSC::VMEntryScope::~VMEntryScope):
2214         * runtime/VMEntryScope.h:
2215
2216 2018-05-22  Keith Miller  <keith_miller@apple.com>
2217
2218         We should have a CoW storage for NewArrayBuffer arrays.
2219         https://bugs.webkit.org/show_bug.cgi?id=185003
2220
2221         Reviewed by Filip Pizlo.
2222
2223         This patch adds copy on write storage for new array buffers. In
2224         order to do this there needed to be significant changes to the
2225         layout of IndexingType. The new indexing type has the following
2226         shape:
2227
2228         struct IndexingTypeAndMisc {
2229             struct IndexingModeIncludingHistory {
2230                 struct IndexingMode {
2231                     struct IndexingType {
2232                         uint8_t isArray:1;          // bit 0
2233                         uint8_t shape:3;            // bit 1 - 3
2234                     };
2235                     uint8_t copyOnWrite:1;          // bit 4
2236                 };
2237                 uint8_t mayHaveIndexedAccessors:1;  // bit 5
2238             };
2239             uint8_t cellLockBits:2;                 // bit 6 - 7
2240         };
2241
2242         For simplicity ArrayStorage shapes cannot be CoW. So the only
2243         valid CoW indexing shapes are ArrayWithInt32, ArrayWithDouble, and
2244         ArrayWithContiguous.
2245
2246         The backing store for a CoW array is a new class
2247         JSImmutableButterfly, which looks exactly the same as a normal
2248         butterfly except that it has a JSCell header. Like other
2249         butterflies, JSImmutableButterflies are allocated out of the
2250         Auxiliary Gigacage and are pointed to by JSCells in the same
2251         way. However, when marking JSImmutableButterflies they are marked
2252         as if they were a property.
2253
2254         With CoW arrays, the new_array_buffer bytecode will reallocate the
2255         shared JSImmutableButterfly if it sees from the allocation profile
2256         that the last array it allocated has transitioned to a different
2257         indexing type. From then on, all arrays created by that
2258         new_array_buffer bytecode will have the promoted indexing
2259         type. This is more or less the same as what we used to do. The
2260         only difference is that we don't promote all the way to array
2261         storage even if we have seen it before.
2262
2263         Transitioning from a CoW indexing mode occurs whenever someone
2264         tries to store to an element, grow the array, or add properties.
2265         Storing or growing the array will call into code that does the
2266         stupid thing of copying the butterfly and then continues into the old
2267         code. This doesn't end up costing us as future allocations will
2268         use any upgraded indexing shape.  We get adding properties for
2269         free by just changing the indexing mode on transition (our C++
2270         code always updates the indexing mode).
2271
2272         * JavaScriptCore.xcodeproj/project.pbxproj:
2273         * Sources.txt:
2274         * bytecode/ArrayAllocationProfile.cpp:
2275         (JSC::ArrayAllocationProfile::updateProfile):
2276         * bytecode/ArrayAllocationProfile.h:
2277         (JSC::ArrayAllocationProfile::initializeIndexingMode):
2278         * bytecode/ArrayProfile.cpp:
2279         (JSC::dumpArrayModes):
2280         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
2281         * bytecode/ArrayProfile.h:
2282         (JSC::asArrayModes):
2283         (JSC::arrayModeFromStructure):
2284         (JSC::arrayModesInclude):
2285         (JSC::hasSeenCopyOnWriteArray):
2286         * bytecode/BytecodeList.json:
2287         * bytecode/CodeBlock.cpp:
2288         (JSC::CodeBlock::finishCreation):
2289         * bytecode/InlineAccess.cpp:
2290         (JSC::InlineAccess::generateArrayLength):
2291         * bytecode/UnlinkedCodeBlock.h:
2292         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
2293         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
2294         * bytecompiler/BytecodeGenerator.cpp:
2295         (JSC::BytecodeGenerator::newArrayAllocationProfile):
2296         (JSC::BytecodeGenerator::emitNewArrayBuffer):
2297         (JSC::BytecodeGenerator::emitNewArray):
2298         (JSC::BytecodeGenerator::emitNewArrayWithSize):
2299         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
2300         * bytecompiler/BytecodeGenerator.h:
2301         * bytecompiler/NodesCodegen.cpp:
2302         (JSC::ArrayNode::emitBytecode):
2303         (JSC::ArrayPatternNode::bindValue const):
2304         (JSC::ArrayPatternNode::emitDirectBinding):
2305         * dfg/DFGAbstractInterpreterInlines.h:
2306         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2307         * dfg/DFGArgumentsEliminationPhase.cpp:
2308         * dfg/DFGArgumentsUtilities.cpp:
2309         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2310         * dfg/DFGArrayMode.cpp:
2311         (JSC::DFG::ArrayMode::fromObserved):
2312         (JSC::DFG::ArrayMode::refine const):
2313         (JSC::DFG::ArrayMode::alreadyChecked const):
2314         * dfg/DFGArrayMode.h:
2315         (JSC::DFG::ArrayMode::ArrayMode):
2316         (JSC::DFG::ArrayMode::action const):
2317         (JSC::DFG::ArrayMode::withSpeculation const):
2318         (JSC::DFG::ArrayMode::withArrayClass const):
2319         (JSC::DFG::ArrayMode::withType const):
2320         (JSC::DFG::ArrayMode::withConversion const):
2321         (JSC::DFG::ArrayMode::withTypeAndConversion const):
2322         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
2323         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
2324         * dfg/DFGByteCodeParser.cpp:
2325         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2326         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
2327         (JSC::DFG::ByteCodeParser::parseBlock):
2328         * dfg/DFGClobberize.h:
2329         (JSC::DFG::clobberize):
2330         * dfg/DFGConstantFoldingPhase.cpp:
2331         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2332         * dfg/DFGFixupPhase.cpp:
2333         (JSC::DFG::FixupPhase::fixupNode):
2334         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
2335         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2336         * dfg/DFGGraph.cpp:
2337         (JSC::DFG::Graph::dump):
2338         * dfg/DFGNode.h:
2339         (JSC::DFG::Node::indexingType):
2340         (JSC::DFG::Node::indexingMode):
2341         * dfg/DFGOSRExit.cpp:
2342         (JSC::DFG::OSRExit::compileExit):
2343         * dfg/DFGOperations.cpp:
2344         * dfg/DFGOperations.h:
2345         * dfg/DFGSpeculativeJIT.cpp:
2346         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2347         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
2348         (JSC::DFG::SpeculativeJIT::arrayify):
2349         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2350         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2351         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2352         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2353         (JSC::DFG::SpeculativeJIT::compileCreateRest):
2354         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2355         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
2356         * dfg/DFGSpeculativeJIT32_64.cpp:
2357         (JSC::DFG::SpeculativeJIT::compile):
2358         * dfg/DFGSpeculativeJIT64.cpp:
2359         (JSC::DFG::SpeculativeJIT::compile):
2360         * dfg/DFGValidate.cpp:
2361         * ftl/FTLAbstractHeapRepository.h:
2362         * ftl/FTLLowerDFGToB3.cpp:
2363         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
2364         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2365         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2366         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2367         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2368         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
2369         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
2370         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
2371         * ftl/FTLOperations.cpp:
2372         (JSC::FTL::operationMaterializeObjectInOSR):
2373         * generate-bytecode-files:
2374         * interpreter/Interpreter.cpp:
2375         (JSC::sizeOfVarargs):
2376         (JSC::loadVarargs):
2377         * jit/AssemblyHelpers.cpp:
2378         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2379         * jit/AssemblyHelpers.h:
2380         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2381         * jit/JITOperations.cpp:
2382         * jit/JITPropertyAccess.cpp:
2383         (JSC::JIT::emit_op_put_by_val):
2384         (JSC::JIT::emitSlow_op_put_by_val):
2385         * jit/Repatch.cpp:
2386         (JSC::tryCachePutByID):
2387         * llint/LowLevelInterpreter.asm:
2388         * llint/LowLevelInterpreter32_64.asm:
2389         * llint/LowLevelInterpreter64.asm:
2390         * runtime/Butterfly.h:
2391         (JSC::ContiguousData::Data::Data):
2392         (JSC::ContiguousData::Data::operator bool const):
2393         (JSC::ContiguousData::Data::operator=):
2394         (JSC::ContiguousData::Data::operator const T& const):
2395         (JSC::ContiguousData::Data::set):
2396         (JSC::ContiguousData::Data::setWithoutWriteBarrier):
2397         (JSC::ContiguousData::Data::clear):
2398         (JSC::ContiguousData::Data::get const):
2399         (JSC::ContiguousData::atUnsafe):
2400         (JSC::ContiguousData::at const): Deleted.
2401         (JSC::ContiguousData::at): Deleted.
2402         * runtime/ButterflyInlines.h:
2403         (JSC::ContiguousData<T>::at const):
2404         (JSC::ContiguousData<T>::at):
2405         * runtime/ClonedArguments.cpp:
2406         (JSC::ClonedArguments::createEmpty):
2407         * runtime/CommonSlowPaths.cpp:
2408         (JSC::SLOW_PATH_DECL):
2409         * runtime/CommonSlowPaths.h:
2410         (JSC::CommonSlowPaths::allocateNewArrayBuffer):
2411         * runtime/IndexingType.cpp:
2412         (JSC::leastUpperBoundOfIndexingTypeAndType):
2413         (JSC::leastUpperBoundOfIndexingTypeAndValue):
2414         (JSC::dumpIndexingType):
2415         * runtime/IndexingType.h:
2416         (JSC::hasIndexedProperties):
2417         (JSC::hasUndecided):
2418         (JSC::hasInt32):
2419         (JSC::hasDouble):
2420         (JSC::hasContiguous):
2421         (JSC::hasArrayStorage):
2422         (JSC::hasAnyArrayStorage):
2423         (JSC::hasSlowPutArrayStorage):
2424         (JSC::shouldUseSlowPut):
2425         (JSC::isCopyOnWrite):
2426         (JSC::arrayIndexFromIndexingType):
2427         * runtime/JSArray.cpp:
2428         (JSC::JSArray::tryCreateUninitializedRestricted):
2429         (JSC::JSArray::put):
2430         (JSC::JSArray::appendMemcpy):
2431         (JSC::JSArray::setLength):
2432         (JSC::JSArray::pop):
2433         (JSC::JSArray::fastSlice):
2434         (JSC::JSArray::shiftCountWithAnyIndexingType):
2435         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2436         (JSC::JSArray::fillArgList):
2437         (JSC::JSArray::copyToArguments):
2438         * runtime/JSArrayInlines.h:
2439         (JSC::JSArray::pushInline):
2440         * runtime/JSCell.h:
2441         * runtime/JSCellInlines.h:
2442         (JSC::JSCell::JSCell):
2443         (JSC::JSCell::finishCreation):
2444         (JSC::JSCell::indexingType const):
2445         (JSC::JSCell::indexingMode const):
2446         (JSC::JSCell::setStructure):
2447         * runtime/JSFixedArray.h:
2448         * runtime/JSGlobalObject.cpp:
2449         (JSC::JSGlobalObject::init):
2450         (JSC::JSGlobalObject::haveABadTime):
2451         (JSC::JSGlobalObject::visitChildren):
2452         * runtime/JSGlobalObject.h:
2453         (JSC::JSGlobalObject::originalArrayStructureForIndexingType const):
2454         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
2455         (JSC::JSGlobalObject::isOriginalArrayStructure):
2456         * runtime/JSImmutableButterfly.cpp: Added.
2457         (JSC::JSImmutableButterfly::visitChildren):
2458         (JSC::JSImmutableButterfly::copyToArguments):
2459         * runtime/JSImmutableButterfly.h: Added.
2460         (JSC::JSImmutableButterfly::createStructure):
2461         (JSC::JSImmutableButterfly::tryCreate):
2462         (JSC::JSImmutableButterfly::create):
2463         (JSC::JSImmutableButterfly::publicLength const):
2464         (JSC::JSImmutableButterfly::vectorLength const):
2465         (JSC::JSImmutableButterfly::length const):
2466         (JSC::JSImmutableButterfly::toButterfly const):
2467         (JSC::JSImmutableButterfly::fromButterfly):
2468         (JSC::JSImmutableButterfly::get const):
2469         (JSC::JSImmutableButterfly::subspaceFor):
2470         (JSC::JSImmutableButterfly::setIndex):
2471         (JSC::JSImmutableButterfly::allocationSize):
2472         (JSC::JSImmutableButterfly::JSImmutableButterfly):
2473         * runtime/JSObject.cpp:
2474         (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties):
2475         (JSC::JSObject::visitButterflyImpl):
2476         (JSC::JSObject::getOwnPropertySlotByIndex):
2477         (JSC::JSObject::putByIndex):
2478         (JSC::JSObject::createInitialInt32):
2479         (JSC::JSObject::createInitialDouble):
2480         (JSC::JSObject::createInitialContiguous):
2481         (JSC::JSObject::convertUndecidedToInt32):
2482         (JSC::JSObject::convertUndecidedToDouble):
2483         (JSC::JSObject::convertUndecidedToContiguous):
2484         (JSC::JSObject::convertInt32ToDouble):
2485         (JSC::JSObject::convertInt32ToArrayStorage):
2486         (JSC::JSObject::convertDoubleToContiguous):
2487         (JSC::JSObject::convertDoubleToArrayStorage):
2488         (JSC::JSObject::convertContiguousToArrayStorage):
2489         (JSC::JSObject::createInitialForValueAndSet):
2490         (JSC::JSObject::convertInt32ForValue):
2491         (JSC::JSObject::convertFromCopyOnWrite):
2492         (JSC::JSObject::ensureWritableInt32Slow):
2493         (JSC::JSObject::ensureWritableDoubleSlow):
2494         (JSC::JSObject::ensureWritableContiguousSlow):
2495         (JSC::JSObject::ensureArrayStorageSlow):
2496         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
2497         (JSC::JSObject::switchToSlowPutArrayStorage):
2498         (JSC::JSObject::deletePropertyByIndex):
2499         (JSC::JSObject::getOwnPropertyNames):
2500         (JSC::canDoFastPutDirectIndex):
2501         (JSC::JSObject::defineOwnIndexedProperty):
2502         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2503         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2504         (JSC::JSObject::putByIndexBeyondVectorLength):
2505         (JSC::JSObject::countElements):
2506         (JSC::JSObject::ensureLengthSlow):
2507         (JSC::JSObject::getEnumerableLength):
2508         (JSC::JSObject::ensureInt32Slow): Deleted.
2509         (JSC::JSObject::ensureDoubleSlow): Deleted.
2510         (JSC::JSObject::ensureContiguousSlow): Deleted.
2511         * runtime/JSObject.h:
2512         (JSC::JSObject::putDirectIndex):
2513         (JSC::JSObject::canGetIndexQuickly):
2514         (JSC::JSObject::getIndexQuickly):
2515         (JSC::JSObject::tryGetIndexQuickly const):
2516         (JSC::JSObject::canSetIndexQuickly):
2517         (JSC::JSObject::setIndexQuickly):
2518         (JSC::JSObject::initializeIndex):
2519         (JSC::JSObject::initializeIndexWithoutBarrier):
2520         (JSC::JSObject::ensureWritableInt32):
2521         (JSC::JSObject::ensureWritableDouble):
2522         (JSC::JSObject::ensureWritableContiguous):
2523         (JSC::JSObject::ensureLength):
2524         (JSC::JSObject::ensureInt32): Deleted.
2525         (JSC::JSObject::ensureDouble): Deleted.
2526         (JSC::JSObject::ensureContiguous): Deleted.
2527         * runtime/JSObjectInlines.h:
2528         (JSC::JSObject::putDirectInternal):
2529         * runtime/JSType.h:
2530         * runtime/RegExpMatchesArray.h:
2531         (JSC::tryCreateUninitializedRegExpMatchesArray):
2532         * runtime/Structure.cpp:
2533         (JSC::Structure::Structure):
2534         (JSC::Structure::addNewPropertyTransition):
2535         (JSC::Structure::nonPropertyTransition):
2536         * runtime/Structure.h:
2537         * runtime/StructureIDBlob.h:
2538         (JSC::StructureIDBlob::StructureIDBlob):
2539         (JSC::StructureIDBlob::indexingModeIncludingHistory const):
2540         (JSC::StructureIDBlob::setIndexingModeIncludingHistory):
2541         (JSC::StructureIDBlob::indexingModeIncludingHistoryOffset):
2542         (JSC::StructureIDBlob::indexingTypeIncludingHistory const): Deleted.
2543         (JSC::StructureIDBlob::setIndexingTypeIncludingHistory): Deleted.
2544         (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset): Deleted.
2545         * runtime/StructureTransitionTable.h:
2546         (JSC::newIndexingType):
2547         * runtime/VM.cpp:
2548         (JSC::VM::VM):
2549         * runtime/VM.h:
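
        The CoW transition described in the entry above, as an added example that is not JSC's own code: a small C++ model of the indexing-mode byte laid out in the entry (bit 0 isArray, bits 1-3 shape, bit 4 copyOnWrite, bit 5 mayHaveIndexedAccessors, bits 6-7 cellLockBits) and of an array that shares one immutable backing store until its first store, growth, or property addition. The numeric shape encodings are an assumption (the entry names the shapes but not their values), and IndexingMode, decodeIndexingMode, isValidCowMode and CowInt32Array are names invented here, not JSC identifiers.

```cpp
#include <cassert>
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

// Field view of IndexingTypeAndMisc, with the bit positions given in the ChangeLog entry.
struct IndexingMode {
    bool isArray;                  // bit 0
    uint8_t shape;                 // bits 1-3
    bool copyOnWrite;              // bit 4
    bool mayHaveIndexedAccessors;  // bit 5
    uint8_t cellLockBits;          // bits 6-7
};

// Shape field values are an assumption of this example; the entry does not list encodings.
enum Shape : uint8_t { NoShape = 0, UndecidedShape = 1, Int32Shape = 2, DoubleShape = 3,
                       ContiguousShape = 4, ArrayStorageShape = 5, SlowPutArrayStorageShape = 6 };

IndexingMode decodeIndexingMode(uint8_t bits) {
    return IndexingMode{
        (bits & 0x01) != 0,
        static_cast<uint8_t>((bits >> 1) & 0x07),
        (bits & 0x10) != 0,
        (bits & 0x20) != 0,
        static_cast<uint8_t>((bits >> 6) & 0x03),
    };
}

uint8_t encodeIndexingMode(const IndexingMode& m) {
    return static_cast<uint8_t>((m.isArray ? 0x01 : 0) | ((m.shape & 0x07) << 1)
        | (m.copyOnWrite ? 0x10 : 0) | (m.mayHaveIndexedAccessors ? 0x20 : 0)
        | ((m.cellLockBits & 0x03) << 6));
}

// The entry's rule: ArrayStorage shapes cannot be CoW, so a mode with the CoW bit set
// must be ArrayWithInt32, ArrayWithDouble or ArrayWithContiguous.
bool isValidCowMode(uint8_t bits) {
    IndexingMode m = decodeIndexingMode(bits);
    if (!m.copyOnWrite)
        return true;
    return m.isArray && (m.shape == Int32Shape || m.shape == DoubleShape || m.shape == ContiguousShape);
}

// Model of a CoW Int32 array: every array created by one new_array_buffer shares
// one immutable backing store until the first store, growth, or property add.
class CowInt32Array {
public:
    explicit CowInt32Array(std::shared_ptr<const std::vector<int32_t>> shared)
        : shared_(std::move(shared)) {}

    bool copyOnWrite() const { return shared_ != nullptr; }
    size_t length() const { return copyOnWrite() ? shared_->size() : owned_.size(); }
    int32_t get(size_t i) const {
        assert(i < length());
        return copyOnWrite() ? (*shared_)[i] : owned_[i];
    }
    uint8_t indexingMode() const {
        return encodeIndexingMode(IndexingMode{true, Int32Shape, copyOnWrite(), false, 0});
    }

    // Every mutating path goes through ensureWritable() first. A store that skipped it
    // would land in storage shared with every other array built from the same literal.
    void put(size_t i, int32_t v) { assert(i < length()); ensureWritable(); owned_[i] = v; }
    void push(int32_t v) { ensureWritable(); owned_.push_back(v); }
    void addNamedProperty() { ensureWritable(); }

private:
    // Models convertFromCopyOnWrite: copy the butterfly, then drop the shared
    // reference so the CoW bit clears and later writes are private.
    void ensureWritable() {
        if (!copyOnWrite())
            return;
        owned_ = *shared_;
        shared_.reset();
    }
    std::shared_ptr<const std::vector<int32_t>> shared_;
    std::vector<int32_t> owned_;
};

// Two arrays from one literal: a write through one must not be visible through the
// other, and the shared store itself must stay untouched.
bool cowIsolationHolds() {
    std::shared_ptr<const std::vector<int32_t>> literal =
        std::make_shared<std::vector<int32_t>>(std::vector<int32_t>{1, 2, 3});  // constructed sample
    CowInt32Array a(literal), b(literal);
    bool before = a.copyOnWrite() && b.copyOnWrite() && isValidCowMode(a.indexingMode());
    a.put(0, 42);
    a.push(4);
    return before && !a.copyOnWrite() && b.copyOnWrite()
        && a.get(0) == 42 && a.length() == 4u
        && b.get(0) == 1 && b.length() == 3u && (*literal)[0] == 1;
}
```

        The check worth keeping in mind when reviewing any new store path in this area is the one `put`, `push` and `addNamedProperty` all route through: the CoW bit must be cleared by copying before the first write, never after, and `isValidCowMode` rejects the combinations the entry rules out (CoW on ArrayStorage shapes, or CoW on a non-array).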
2550
2551 2018-05-22  Ryan Haddad  <ryanhaddad@apple.com>
2552
2553         Unreviewed, rolling out r232052.
2554
2555         Breaks internal builds.
2556
2557         Reverted changeset:
2558
2559         "Use more C++17"
2560         https://bugs.webkit.org/show_bug.cgi?id=185176
2561         https://trac.webkit.org/changeset/232052
2562
2563 2018-05-22  Alberto Garcia  <berto@igalia.com>
2564
2565         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
2566         https://bugs.webkit.org/show_bug.cgi?id=182622
2567         <rdar://problem/40292317>
2568
2569         Reviewed by Michael Catanzaro.
2570
2571         We were linking JavaScriptCore against libatomic in MIPS because
2572         in that architecture __atomic_fetch_add_8() is not a compiler
2573         intrinsic and is provided by that library instead. However other
2574         architectures (e.g. armel) are in the same situation, so we need a
2575         generic test.
2576
2577         That test already exists in WebKit/CMakeLists.txt, so we just have
2578         to move it to a common file (WebKitCompilerFlags.cmake) and use
2579         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
2580
2581         * CMakeLists.txt:
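
        The detection the entry above describes, as an added CMake example rather than the actual contents of WebKitCompilerFlags.cmake: probe whether a 64-bit atomic read-modify-write links without extra libraries, retry with libatomic, and record the answer in ATOMIC_INT64_REQUIRES_LIBATOMIC (the variable name the entry gives). The probe source, the ATOMIC_INT64_IS_BUILTIN intermediate and the JavaScriptCore_LIBRARIES consumer list are assumptions of this example.

```cmake
include(CheckCXXSourceCompiles)

# Probe program (constructed for this example): a 64-bit fetch_add, which on MIPS
# and armel becomes a call to __atomic_fetch_add_8 rather than an inline instruction.
set(ATOMIC_INT64_TEST_SOURCE "
#include <atomic>
#include <cstdint>
int main() {
    std::atomic<int64_t> counter(0);
    return counter.fetch_add(1) == 0 ? 0 : 1;
}")

# First attempt: no extra libraries. Passes on x86_64 and aarch64.
check_cxx_source_compiles("${ATOMIC_INT64_TEST_SOURCE}" ATOMIC_INT64_IS_BUILTIN)

if (NOT ATOMIC_INT64_IS_BUILTIN)
    # Second attempt: link libatomic. check_cxx_source_compiles honours
    # CMAKE_REQUIRED_LIBRARIES, so this is the only knob that needs setting.
    set(CMAKE_REQUIRED_LIBRARIES atomic)
    check_cxx_source_compiles("${ATOMIC_INT64_TEST_SOURCE}" ATOMIC_INT64_REQUIRES_LIBATOMIC)
    unset(CMAKE_REQUIRED_LIBRARIES)
    if (NOT ATOMIC_INT64_REQUIRES_LIBATOMIC)
        message(FATAL_ERROR "64-bit atomic operations are unavailable, with or without libatomic")
    endif ()
endif ()

# Consumer side, as the entry moves JavaScriptCore/CMakeLists.txt to do:
# link libatomic only on the architectures that actually need it.
if (ATOMIC_INT64_REQUIRES_LIBATOMIC)
    list(APPEND JavaScriptCore_LIBRARIES atomic)
endif ()
```

        Keeping the probe in one shared file means every target that uses 64-bit atomics sees the same verdict; hard-coding the link against a list of architectures, as the old MIPS-only special case did, silently breaks the next architecture with the same property.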
2582
2583 2018-05-22  Michael Catanzaro  <mcatanzaro@igalia.com>
2584
2585         Unreviewed, rolling out r231843.
2586
2587         Broke cross build
2588
2589         Reverted changeset:
2590
2591         "[CMake] Properly detect compiler flags, needed libs, and
2592         fallbacks for usage of 64-bit atomic operations"
2593         https://bugs.webkit.org/show_bug.cgi?id=182622
2594         https://trac.webkit.org/changeset/231843
2595
2596 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2597
2598         Use more C++17
2599         https://bugs.webkit.org/show_bug.cgi?id=185176
2600
2601         Reviewed by JF Bastien.
2602
2603         * Configurations/Base.xcconfig:
2604
2605 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2606
2607         [JSC] Remove duplicate methods in JSInterfaceJIT
2608         https://bugs.webkit.org/show_bug.cgi?id=185813
2609
2610         Reviewed by Saam Barati.
2611
2612         Some methods of JSInterfaceJIT duplicate AssemblyHelpers' ones.
2613         This patch removes them and uses AssemblyHelpers' ones instead.
2614
2615         This patch also cleans up some unnecessary ifdefs in ThunkGenerators.
2616
2617         * jit/AssemblyHelpers.h:
2618         (JSC::AssemblyHelpers::tagFor):
2619         (JSC::AssemblyHelpers::payloadFor):
2620         * jit/JIT.h:
2621         * jit/JITArithmetic.cpp:
2622         (JSC::JIT::emit_op_unsigned):
2623         (JSC::JIT::emit_compareUnsigned):
2624         (JSC::JIT::emit_op_inc):
2625         (JSC::JIT::emit_op_dec):
2626         (JSC::JIT::emit_op_mod):
2627         * jit/JITCall32_64.cpp:
2628         (JSC::JIT::compileOpCall):
2629         * jit/JITInlines.h:
2630         (JSC::JIT::emitPutIntToCallFrameHeader):
2631         (JSC::JIT::updateTopCallFrame):
2632         (JSC::JIT::emitInitRegister):
2633         (JSC::JIT::emitLoad):
2634         (JSC::JIT::emitStore):
2635         (JSC::JIT::emitStoreInt32):
2636         (JSC::JIT::emitStoreCell):
2637         (JSC::JIT::emitStoreBool):
2638         (JSC::JIT::emitGetVirtualRegister):
2639         (JSC::JIT::emitPutVirtualRegister):
2640         (JSC::JIT::emitTagBool): Deleted.
2641         * jit/JITOpcodes.cpp:
2642         (JSC::JIT::emit_op_overrides_has_instance):
2643         (JSC::JIT::emit_op_is_empty):
2644         (JSC::JIT::emit_op_is_undefined):
2645         (JSC::JIT::emit_op_is_boolean):
2646         (JSC::JIT::emit_op_is_number):
2647         (JSC::JIT::emit_op_is_cell_with_type):
2648         (JSC::JIT::emit_op_is_object):
2649         (JSC::JIT::emit_op_eq):
2650         (JSC::JIT::emit_op_neq):
2651         (JSC::JIT::compileOpStrictEq):
2652         (JSC::JIT::emit_op_eq_null):
2653         (JSC::JIT::emit_op_neq_null):
2654         (JSC::JIT::emitSlow_op_eq):
2655         (JSC::JIT::emitSlow_op_neq):
2656         (JSC::JIT::emitSlow_op_instanceof_custom):
2657         (JSC::JIT::emitNewFuncExprCommon):
2658         * jit/JSInterfaceJIT.h:
2659         (JSC::JSInterfaceJIT::emitLoadInt32):
2660         (JSC::JSInterfaceJIT::emitLoadDouble):
2661         (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
2662         (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
2663         (JSC::JSInterfaceJIT::tagFor): Deleted.
2664         (JSC::JSInterfaceJIT::payloadFor): Deleted.
2665         (JSC::JSInterfaceJIT::intPayloadFor): Deleted.
2666         (JSC::JSInterfaceJIT::intTagFor): Deleted.
2667         (JSC::JSInterfaceJIT::emitTagInt): Deleted.
2668         (JSC::JSInterfaceJIT::addressFor): Deleted.
2669         * jit/SpecializedThunkJIT.h:
2670         (JSC::SpecializedThunkJIT::returnDouble):
2671         * jit/ThunkGenerators.cpp:
2672         (JSC::nativeForGenerator):
2673         (JSC::arityFixupGenerator):
2674
2675 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2676
2677         Unreviewed, reland InById cache
2678         https://bugs.webkit.org/show_bug.cgi?id=185682
2679
2680         Includes Dominik's 32bit fix.
2681
2682         * bytecode/AccessCase.cpp:
2683         (JSC::AccessCase::fromStructureStubInfo):
2684         (JSC::AccessCase::generateWithGuard):
2685         (JSC::AccessCase::generateImpl):
2686         * bytecode/BytecodeDumper.cpp:
2687         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
2688         (JSC::BytecodeDumper<Block>::dumpBytecode):
2689         * bytecode/BytecodeDumper.h:
2690         * bytecode/BytecodeList.json:
2691         * bytecode/BytecodeUseDef.h:
2692         (JSC::computeUsesForBytecodeOffset):
2693         (JSC::computeDefsForBytecodeOffset):
2694         * bytecode/CodeBlock.cpp:
2695         (JSC::CodeBlock::finishCreation):
2696         * bytecode/InlineAccess.cpp:
2697         (JSC::InlineAccess::generateSelfInAccess):
2698         * bytecode/InlineAccess.h:
2699         * bytecode/StructureStubInfo.cpp:
2700         (JSC::StructureStubInfo::initInByIdSelf):
2701         (JSC::StructureStubInfo::deref):
2702         (JSC::StructureStubInfo::aboutToDie):
2703         (JSC::StructureStubInfo::reset):
2704         (JSC::StructureStubInfo::visitWeakReferences):
2705         (JSC::StructureStubInfo::propagateTransitions):
2706         * bytecode/StructureStubInfo.h:
2707         (JSC::StructureStubInfo::patchableJump):
2708         * bytecompiler/BytecodeGenerator.cpp:
2709         (JSC::BytecodeGenerator::emitInByVal):
2710         (JSC::BytecodeGenerator::emitInById):
2711         (JSC::BytecodeGenerator::emitIn): Deleted.
2712         * bytecompiler/BytecodeGenerator.h:
2713         * bytecompiler/NodesCodegen.cpp:
2714         (JSC::InNode::emitBytecode):
2715         * dfg/DFGAbstractInterpreterInlines.h:
2716         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2717         * dfg/DFGByteCodeParser.cpp:
2718         (JSC::DFG::ByteCodeParser::parseBlock):
2719         * dfg/DFGCapabilities.cpp:
2720         (JSC::DFG::capabilityLevel):
2721         * dfg/DFGClobberize.h:
2722         (JSC::DFG::clobberize):
2723         * dfg/DFGConstantFoldingPhase.cpp:
2724         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2725         * dfg/DFGDoesGC.cpp:
2726         (JSC::DFG::doesGC):
2727         * dfg/DFGFixupPhase.cpp:
2728         (JSC::DFG::FixupPhase::fixupNode):
2729         * dfg/DFGJITCompiler.cpp:
2730         (JSC::DFG::JITCompiler::link):
2731         * dfg/DFGJITCompiler.h:
2732         (JSC::DFG::JITCompiler::addInById):
2733         (JSC::DFG::InRecord::InRecord): Deleted.
2734         (JSC::DFG::JITCompiler::addIn): Deleted.
2735         * dfg/DFGNode.h:
2736         (JSC::DFG::Node::convertToInById):
2737         (JSC::DFG::Node::hasIdentifier):
2738         (JSC::DFG::Node::hasArrayMode):
2739         * dfg/DFGNodeType.h:
2740         * dfg/DFGPredictionPropagationPhase.cpp:
2741         * dfg/DFGSafeToExecute.h:
2742         (JSC::DFG::safeToExecute):
2743         * dfg/DFGSpeculativeJIT.cpp:
2744         (JSC::DFG::SpeculativeJIT::compileInById):
2745         (JSC::DFG::SpeculativeJIT::compileInByVal):
2746         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
2747         * dfg/DFGSpeculativeJIT.h:
2748         * dfg/DFGSpeculativeJIT32_64.cpp:
2749         (JSC::DFG::SpeculativeJIT::compile):
2750         * dfg/DFGSpeculativeJIT64.cpp:
2751         (JSC::DFG::SpeculativeJIT::compile):
2752         * ftl/FTLCapabilities.cpp:
2753         (JSC::FTL::canCompile):
2754         * ftl/FTLLowerDFGToB3.cpp:
2755         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2756         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
2757         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
2758         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
2759         * jit/AssemblyHelpers.h:
2760         (JSC::AssemblyHelpers::boxBoolean):
2761         * jit/ICStats.h:
2762         * jit/JIT.cpp:
2763         (JSC::JIT::JIT):
2764         (JSC::JIT::privateCompileMainPass):
2765         (JSC::JIT::privateCompileSlowCases):
2766         (JSC::JIT::link):
2767         * jit/JIT.h:
2768         * jit/JITInlineCacheGenerator.cpp:
2769         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2770         (JSC::JITInByIdGenerator::generateFastPath):
2771         * jit/JITInlineCacheGenerator.h:
2772         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2773         * jit/JITOperations.cpp:
2774         * jit/JITOperations.h:
2775         * jit/JITPropertyAccess.cpp:
2776         (JSC::JIT::emit_op_in_by_id):
2777         (JSC::JIT::emitSlow_op_in_by_id):
2778         * jit/JITPropertyAccess32_64.cpp:
2779         (JSC::JIT::emit_op_in_by_id):
2780         (JSC::JIT::emitSlow_op_in_by_id):
2781         * jit/Repatch.cpp:
2782         (JSC::tryCacheInByID):
2783         (JSC::repatchInByID):
2784         (JSC::resetInByID):
2785         (JSC::tryCacheIn): Deleted.
2786         (JSC::repatchIn): Deleted.
2787         (JSC::resetIn): Deleted.
2788         * jit/Repatch.h:
2789         * llint/LowLevelInterpreter.asm:
2790         * llint/LowLevelInterpreter64.asm:
2791         * parser/NodeConstructors.h:
2792         (JSC::InNode::InNode):
2793         * runtime/CommonSlowPaths.cpp:
2794         (JSC::SLOW_PATH_DECL):
2795         * runtime/CommonSlowPaths.h:
2796         (JSC::CommonSlowPaths::opInByVal):
2797         (JSC::CommonSlowPaths::opIn): Deleted.
2798
2799 2018-05-21  Commit Queue  <commit-queue@webkit.org>
2800
2801         Unreviewed, rolling out r231998 and r232017.
2802         https://bugs.webkit.org/show_bug.cgi?id=185842
2803
2804         Causes crashes on the 32-bit JSC bot (Requested by realdawei on
2805         #webkit).
2806
2807         Reverted changesets:
2808
2809         "[JSC] JSC should have consistent InById IC"
2810         https://bugs.webkit.org/show_bug.cgi?id=185682
2811         https://trac.webkit.org/changeset/231998
2812
2813         "Unreviewed, fix 32bit and scope release"
2814         https://bugs.webkit.org/show_bug.cgi?id=185682
2815         https://trac.webkit.org/changeset/232017
2816
2817 2018-05-21  Jer Noble  <jer.noble@apple.com>
2818
2819         Complete fix for enabling modern EME by default
2820         https://bugs.webkit.org/show_bug.cgi?id=185770
2821         <rdar://problem/40368220>
2822
2823         Reviewed by Eric Carlson.
2824
2825         * Configurations/FeatureDefines.xcconfig:
2826
2827 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2828
2829         Unreviewed, fix 32bit and scope release
2830         https://bugs.webkit.org/show_bug.cgi?id=185682
2831
2832         * jit/JITOperations.cpp:
2833         * jit/JITPropertyAccess32_64.cpp:
2834         (JSC::JIT::emitSlow_op_in_by_id):
2835
2836 2018-05-20  Filip Pizlo  <fpizlo@apple.com>
2837
2838         Revert the B3 compiler pipeline's treatment of taildup
2839         https://bugs.webkit.org/show_bug.cgi?id=185808
2840
2841         Reviewed by Yusuke Suzuki.
2842         
2843         While trying to implement path specialization (bug 185060), I reorganized the B3 pass pipeline.
2844         But then path specialization turned out to be a negative result. This reverts the pipeline to the
2845         way it was before that work.
2846         
2847         1.5% progression on V8Spider-CompileTime.
2848
2849         * b3/B3Generate.cpp:
2850         (JSC::B3::generateToAir):
2851
2852 2018-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2853
2854         [DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase
2855         https://bugs.webkit.org/show_bug.cgi?id=185802
2856
2857         Reviewed by Saam Barati.
2858
2859         * dfg/DFGConstantFoldingPhase.cpp:
2860         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2861
2862 2018-05-18  Filip Pizlo  <fpizlo@apple.com>
2863
2864         DFG should inline InstanceOf ICs
2865         https://bugs.webkit.org/show_bug.cgi?id=185695
2866
2867         Reviewed by Yusuke Suzuki.
2868         
2869         This teaches the DFG how to inline InstanceOf ICs into a MatchStructure node. This can then
2870         be folded to a CheckStructure + JSConstant.
2871         
2872         In the process of testing this, I found a bug where LICM was not hoisting things that
2873         depended on ExtraOSREntryLocal because that might return SpecEmpty. I fixed that by teaching
2874         LICM how to materialize CheckNotEmpty on demand whenever !HoistingFailed.
2875         
2876         This is a ~5% speed-up on boyer.
2877         
2878         ~2x speed-up on the instanceof-always-hit-one, instanceof-always-hit-two, and
2879         instanceof-sometimes-hit microbenchmarks.
2880
2881         * JavaScriptCore.xcodeproj/project.pbxproj:
2882         * Sources.txt:
2883         * bytecode/GetByIdStatus.cpp:
2884         (JSC::GetByIdStatus::appendVariant):
2885         (JSC::GetByIdStatus::filter):
2886         * bytecode/GetByIdStatus.h:
2887         (JSC::GetByIdStatus::operator bool const):
2888         (JSC::GetByIdStatus::operator! const): Deleted.
2889         * bytecode/GetByIdVariant.h:
2890         (JSC::GetByIdVariant::operator bool const):
2891         (JSC::GetByIdVariant::operator! const): Deleted.
2892         * bytecode/ICStatusUtils.h: Added.
2893         (JSC::appendICStatusVariant):
2894         (JSC::filterICStatusVariants):
2895         * bytecode/InstanceOfStatus.cpp: Added.
2896         (JSC::InstanceOfStatus::appendVariant):
2897         (JSC::InstanceOfStatus::computeFor):
2898         (JSC::InstanceOfStatus::computeForStubInfo):
2899         (JSC::InstanceOfStatus::commonPrototype const):
2900         (JSC::InstanceOfStatus::filter):
2901         * bytecode/InstanceOfStatus.h: Added.
2902         (JSC::InstanceOfStatus::InstanceOfStatus):
2903         (JSC::InstanceOfStatus::state const):
2904         (JSC::InstanceOfStatus::isSet const):
2905         (JSC::InstanceOfStatus::operator bool const):
2906         (JSC::InstanceOfStatus::isSimple const):
2907         (JSC::InstanceOfStatus::takesSlowPath const):
2908         (JSC::InstanceOfStatus::numVariants const):
2909         (JSC::InstanceOfStatus::variants const):
2910         (JSC::InstanceOfStatus::at const):
2911         (JSC::InstanceOfStatus::operator[] const):
2912         * bytecode/InstanceOfVariant.cpp: Added.
2913         (JSC::InstanceOfVariant::InstanceOfVariant):
2914         (JSC::InstanceOfVariant::attemptToMerge):
2915         (JSC::InstanceOfVariant::dump const):
2916         (JSC::InstanceOfVariant::dumpInContext const):
2917         * bytecode/InstanceOfVariant.h: Added.
2918         (JSC::InstanceOfVariant::InstanceOfVariant):
2919         (JSC::InstanceOfVariant::operator bool const):
2920         (JSC::InstanceOfVariant::structureSet const):
2921         (JSC::InstanceOfVariant::structureSet):
2922         (JSC::InstanceOfVariant::conditionSet const):
2923         (JSC::InstanceOfVariant::prototype const):
2924         (JSC::InstanceOfVariant::isHit const):
2925         * bytecode/StructureStubInfo.cpp:
2926         (JSC::StructureStubInfo::StructureStubInfo):
2927         * bytecode/StructureStubInfo.h:
2928         (JSC::StructureStubInfo::considerCaching):
2929         * dfg/DFGAbstractInterpreterInlines.h:
2930         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2931         * dfg/DFGByteCodeParser.cpp:
2932         (JSC::DFG::ByteCodeParser::parseBlock):
2933         * dfg/DFGClobberize.h:
2934         (JSC::DFG::clobberize):
2935         * dfg/DFGConstantFoldingPhase.cpp:
2936         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2937         * dfg/DFGDoesGC.cpp:
2938         (JSC::DFG::doesGC):
2939         * dfg/DFGFixupPhase.cpp:
2940         (JSC::DFG::FixupPhase::fixupNode):
2941         * dfg/DFGGraph.cpp:
2942         (JSC::DFG::Graph::dump):
2943         * dfg/DFGGraph.h:
2944         * dfg/DFGLICMPhase.cpp:
2945         (JSC::DFG::LICMPhase::attemptHoist):
2946         * dfg/DFGNode.cpp:
2947         (JSC::DFG::Node::remove):
2948         * dfg/DFGNode.h:
2949         (JSC::DFG::Node::hasMatchStructureData):
2950         (JSC::DFG::Node::matchStructureData):
2951         * dfg/DFGNodeType.h:
2952         * dfg/DFGSafeToExecute.h:
2953         (JSC::DFG::safeToExecute):
2954         * dfg/DFGSpeculativeJIT.cpp:
2955         (JSC::DFG::SpeculativeJIT::compileMatchStructure):
2956         * dfg/DFGSpeculativeJIT.h:
2957         * dfg/DFGSpeculativeJIT32_64.cpp:
2958         (JSC::DFG::SpeculativeJIT::compile):
2959         * dfg/DFGSpeculativeJIT64.cpp:
2960         (JSC::DFG::SpeculativeJIT::compile):
2961         * ftl/FTLCapabilities.cpp:
2962         (JSC::FTL::canCompile):
2963         * ftl/FTLLowerDFGToB3.cpp:
2964         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2965         (JSC::FTL::DFG::LowerDFGToB3::compileMatchStructure):
2966
2967 2018-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2968
2969         [JSC] JSC should have consistent InById IC
2970         https://bugs.webkit.org/show_bug.cgi?id=185682
2971
2972         Reviewed by Filip Pizlo.
2973
2974         Currently our op_in IC is ad hoc: it is only emitted in the DFG and FTL layers,
2975         when we find that DFG::In's parameter is a constant string. We should
2976         align this IC with the other ById ICs to clean up and remove ad hoc code
2977         in the DFG and FTL.
2978
2979         This patch cleans up our "In" IC by aligning it with the other ById ICs.
2980         We split the op_in bytecode into op_in_by_id and op_in_by_val. op_in_by_val
2981         is the same as the original op_in. For op_in_by_id, we use JITInByIdGenerator
2982         to emit InById IC code. In addition, our JITInByIdGenerator and op_in_by_id
2983         have an inline access cache for the own-property case, which is the same as
2984         in JITGetByIdGenerator.
2985
2986         And we split DFG::In into DFG::InById and DFG::InByVal. InByVal is the same
2987         as the original In DFG node. DFG AI attempts to lower InByVal to InById
2988         if AI figures out that the property name is a constant string. And in
2989         the InById node, we use JITInByIdGenerator code.
2990
2991         This patch cleans up DFG and FTL's adhoc In IC code.
2992
2993         In a subsequent patch, we should introduce InByIdStatus to optimize
2994         InById in the DFG and FTL. We would like to have a new InByIdStatus instead of
2995         reusing GetByIdStatus, since GetByIdStatus has become too complicated, and
2996         the AccessCase::Types are different from them (AccessCase::InHit / InMiss).
2997
2998         * bytecode/AccessCase.cpp:
2999         (JSC::AccessCase::fromStructureStubInfo):
3000         (JSC::AccessCase::generateWithGuard):
3001         * bytecode/BytecodeDumper.cpp:
3002         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
3003         (JSC::BytecodeDumper<Block>::dumpBytecode):
3004         * bytecode/BytecodeDumper.h:
3005         * bytecode/BytecodeList.json:
3006         * bytecode/BytecodeUseDef.h:
3007         (JSC::computeUsesForBytecodeOffset):
3008         (JSC::computeDefsForBytecodeOffset):
3009         * bytecode/CodeBlock.cpp:
3010         (JSC::CodeBlock::finishCreation):
3011         * bytecode/InlineAccess.cpp:
3012         (JSC::InlineAccess::generateSelfInAccess):
3013         * bytecode/InlineAccess.h:
3014         * bytecode/StructureStubInfo.cpp:
3015         (JSC::StructureStubInfo::initInByIdSelf):
3016         (JSC::StructureStubInfo::deref):
3017         (JSC::StructureStubInfo::aboutToDie):
3018         (JSC::StructureStubInfo::reset):
3019         (JSC::StructureStubInfo::visitWeakReferences):
3020         (JSC::StructureStubInfo::propagateTransitions):
3021         * bytecode/StructureStubInfo.h:
3022         (JSC::StructureStubInfo::patchableJump):
3023         * bytecompiler/BytecodeGenerator.cpp:
3024         (JSC::BytecodeGenerator::emitInByVal):
3025         (JSC::BytecodeGenerator::emitInById):
3026         (JSC::BytecodeGenerator::emitIn): Deleted.
3027         * bytecompiler/BytecodeGenerator.h:
3028         * bytecompiler/NodesCodegen.cpp:
3029         (JSC::InNode::emitBytecode):
3030         * dfg/DFGAbstractInterpreterInlines.h:
3031         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3032         * dfg/DFGByteCodeParser.cpp:
3033         (JSC::DFG::ByteCodeParser::parseBlock):
3034         * dfg/DFGCapabilities.cpp:
3035         (JSC::DFG::capabilityLevel):
3036         * dfg/DFGClobberize.h:
3037         (JSC::DFG::clobberize):
3038         * dfg/DFGConstantFoldingPhase.cpp:
3039         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3040         * dfg/DFGDoesGC.cpp:
3041         (JSC::DFG::doesGC):
3042         * dfg/DFGFixupPhase.cpp:
3043         (JSC::DFG::FixupPhase::fixupNode):
3044         * dfg/DFGJITCompiler.cpp:
3045         (JSC::DFG::JITCompiler::link):
3046         * dfg/DFGJITCompiler.h:
3047         (JSC::DFG::JITCompiler::addInById):
3048         (JSC::DFG::InRecord::InRecord): Deleted.
3049         (JSC::DFG::JITCompiler::addIn): Deleted.
3050         * dfg/DFGNode.h:
3051         (JSC::DFG::Node::convertToInById):
3052         (JSC::DFG::Node::hasIdentifier):
3053         (JSC::DFG::Node::hasArrayMode):
3054         * dfg/DFGNodeType.h:
3055         * dfg/DFGPredictionPropagationPhase.cpp:
3056         * dfg/DFGSafeToExecute.h:
3057         (JSC::DFG::safeToExecute):
3058         * dfg/DFGSpeculativeJIT.cpp:
3059         (JSC::DFG::SpeculativeJIT::compileInById):
3060         (JSC::DFG::SpeculativeJIT::compileInByVal):
3061         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
3062         * dfg/DFGSpeculativeJIT.h:
3063         * dfg/DFGSpeculativeJIT32_64.cpp:
3064         (JSC::DFG::SpeculativeJIT::compile):
3065         * dfg/DFGSpeculativeJIT64.cpp:
3066         (JSC::DFG::SpeculativeJIT::compile):
3067         * ftl/FTLCapabilities.cpp:
3068         (JSC::FTL::canCompile):
3069         * ftl/FTLLowerDFGToB3.cpp:
3070         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3071         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
3072         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
3073         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
3074         * jit/ICStats.h:
3075         * jit/JIT.cpp:
3076         (JSC::JIT::JIT):
3077         (JSC::JIT::privateCompileMainPass):
3078         (JSC::JIT::privateCompileSlowCases):
3079         (JSC::JIT::link):
3080         * jit/JIT.h:
3081         * jit/JITInlineCacheGenerator.cpp:
3082         (JSC::JITInByIdGenerator::JITInByIdGenerator):
3083         (JSC::JITInByIdGenerator::generateFastPath):
3084         * jit/JITInlineCacheGenerator.h:
3085         (JSC::JITInByIdGenerator::JITInByIdGenerator):
3086         * jit/JITOperations.cpp:
3087         * jit/JITOperations.h:
3088         * jit/JITPropertyAccess.cpp:
3089         (JSC::JIT::emit_op_in_by_id):
3090         (JSC::JIT::emitSlow_op_in_by_id):
3091         * jit/JITPropertyAccess32_64.cpp:
3092         (JSC::JIT::emit_op_in_by_id):
3093         (JSC::JIT::emitSlow_op_in_by_id):
3094         * jit/Repatch.cpp:
3095         (JSC::tryCacheInByID):
3096         (JSC::repatchInByID):
3097         (JSC::resetInByID):
3098         (JSC::tryCacheIn): Deleted.
3099         (JSC::repatchIn): Deleted.
3100         (JSC::resetIn): Deleted.
3101         * jit/Repatch.h:
3102         * llint/LowLevelInterpreter.asm:
3103         * llint/LowLevelInterpreter64.asm:
3104         * parser/NodeConstructors.h:
3105         (JSC::InNode::InNode):
3106         * runtime/CommonSlowPaths.cpp:
3107         (JSC::SLOW_PATH_DECL):
3108         * runtime/CommonSlowPaths.h:
3109         (JSC::CommonSlowPaths::opInByVal):
3110         (JSC::CommonSlowPaths::opIn): Deleted.
3111
3112 2018-05-18  Commit Queue  <commit-queue@webkit.org>
3113
3114         Unreviewed, rolling out r231982.
3115         https://bugs.webkit.org/show_bug.cgi?id=185793
3116
3117         Caused layout test failures (Requested by realdawei on
3118         #webkit).
3119
3120         Reverted changeset:
3121
3122         "Complete fix for enabling modern EME by default"
3123         https://bugs.webkit.org/show_bug.cgi?id=185770
3124         https://trac.webkit.org/changeset/231982
3125
3126 2018-05-18  Keith Miller  <keith_miller@apple.com>
3127
3128         op_in should mark if it sees out of bounds accesses
3129         https://bugs.webkit.org/show_bug.cgi?id=185792
3130
3131         Reviewed by Filip Pizlo.
3132
3133         This used to cause us to OSR loop, since we would always speculate
3134         that we were in bounds in HasIndexedProperty.
3135
3136         * bytecode/ArrayProfile.cpp:
3137         (JSC::ArrayProfile::observeIndexedRead):
3138         * bytecode/ArrayProfile.h:
3139         * runtime/CommonSlowPaths.h:
3140         (JSC::CommonSlowPaths::opIn):
3141
3142 2018-05-18  Mark Lam  <mark.lam@apple.com>
3143
3144         Add missing exception check.
3145         https://bugs.webkit.org/show_bug.cgi?id=185786
3146         <rdar://problem/35686560>
3147
3148         Reviewed by Michael Saboff.
3149
3150         * runtime/JSPropertyNameEnumerator.h:
3151         (JSC::propertyNameEnumerator):
3152
3153 2018-05-18  Jer Noble  <jer.noble@apple.com>
3154
3155         Complete fix for enabling modern EME by default
3156         https://bugs.webkit.org/show_bug.cgi?id=185770
3157         <rdar://problem/40368220>
3158
3159         Reviewed by Eric Carlson.
3160
3161         * Configurations/FeatureDefines.xcconfig:
3162
3163 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3164
3165         Unreviewed, fix exception checking, part 2
3166         https://bugs.webkit.org/show_bug.cgi?id=185350
3167
3168         * dfg/DFGOperations.cpp:
3169         (JSC::DFG::putByValInternal):
3170         * jit/JITOperations.cpp:
3171         * runtime/CommonSlowPaths.h:
3172         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
3173
3174 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
3175
3176         JSC should have InstanceOf inline caching
3177         https://bugs.webkit.org/show_bug.cgi?id=185652
3178
3179         Reviewed by Saam Barati.
3180         
3181         This adds a polymorphic inline cache for instanceof. It caches hits and misses. It uses the
3182         existing PolymorphicAccess IC machinery along with all of its heuristics. If we ever generate
3183         too many cases, we emit the generic instanceof implementation instead.
3184         
3185         All of the JIT tiers use the same InstanceOf IC. It uses the existing JITInlineCacheGenerator
3186         abstraction.
3187         
3188         This is a ~40% speed-up on instanceof microbenchmarks. It's a *tiny* (~1%) speed-up on
3189         Octane/boyer. I think I can make that speed-up bigger by inlining the inline cache.
3190
3191         * API/tests/testapi.mm:
3192         (testObjectiveCAPIMain):
3193         * JavaScriptCore.xcodeproj/project.pbxproj:
3194         * Sources.txt:
3195         * b3/B3Effects.h:
3196         (JSC::B3::Effects::forReadOnlyCall):
3197         * bytecode/AccessCase.cpp:
3198         (JSC::AccessCase::guardedByStructureCheck const):
3199         (JSC::AccessCase::canReplace const):
3200         (JSC::AccessCase::visitWeak const):
3201         (JSC::AccessCase::generateWithGuard):
3202         (JSC::AccessCase::generateImpl):
3203         * bytecode/AccessCase.h:
3204         * bytecode/InstanceOfAccessCase.cpp: Added.
3205         (JSC::InstanceOfAccessCase::create):
3206         (JSC::InstanceOfAccessCase::dumpImpl const):
3207         (JSC::InstanceOfAccessCase::clone const):
3208         (JSC::InstanceOfAccessCase::~InstanceOfAccessCase):
3209         (JSC::InstanceOfAccessCase::InstanceOfAccessCase):
3210         * bytecode/InstanceOfAccessCase.h: Added.
3211         (JSC::InstanceOfAccessCase::prototype const):
3212         * bytecode/ObjectPropertyCondition.h:
3213         (JSC::ObjectPropertyCondition::hasPrototypeWithoutBarrier):
3214         (JSC::ObjectPropertyCondition::hasPrototype):
3215         * bytecode/ObjectPropertyConditionSet.cpp:
3216         (JSC::generateConditionsForInstanceOf):
3217         * bytecode/ObjectPropertyConditionSet.h:
3218         * bytecode/PolymorphicAccess.cpp:
3219         (JSC::PolymorphicAccess::addCases):
3220         (JSC::PolymorphicAccess::regenerate):
3221         (WTF::printInternal):
3222         * bytecode/PropertyCondition.cpp:
3223         (JSC::PropertyCondition::dumpInContext const):
3224         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
3225         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
3226         (WTF::printInternal):
3227         * bytecode/PropertyCondition.h:
3228         (JSC::PropertyCondition::absenceWithoutBarrier):
3229         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
3230         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
3231         (JSC::PropertyCondition::hasPrototype):
3232         (JSC::PropertyCondition::hasPrototype const):
3233         (JSC::PropertyCondition::prototype const):
3234         (JSC::PropertyCondition::hash const):
3235         (JSC::PropertyCondition::operator== const):
3236         * bytecode/StructureStubInfo.cpp:
3237         (JSC::StructureStubInfo::StructureStubInfo):
3238         (JSC::StructureStubInfo::reset):
3239         * bytecode/StructureStubInfo.h:
3240         (JSC::StructureStubInfo::considerCaching):
3241         * dfg/DFGByteCodeParser.cpp:
3242         (JSC::DFG::ByteCodeParser::parseBlock):
3243         * dfg/DFGFixupPhase.cpp:
3244         (JSC::DFG::FixupPhase::fixupNode):
3245         * dfg/DFGInlineCacheWrapper.h:
3246         * dfg/DFGInlineCacheWrapperInlines.h:
3247         (JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize):
3248         * dfg/DFGJITCompiler.cpp:
3249         (JSC::DFG::JITCompiler::link):
3250         * dfg/DFGJITCompiler.h:
3251         (JSC::DFG::JITCompiler::addInstanceOf):
3252         * dfg/DFGOperations.cpp:
3253         * dfg/DFGSpeculativeJIT.cpp:
3254         (JSC::DFG::SpeculativeJIT::usedRegisters):
3255         (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
3256         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
3257         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): Deleted.
3258         * dfg/DFGSpeculativeJIT.h:
3259         * dfg/DFGSpeculativeJIT64.cpp:
3260         (JSC::DFG::SpeculativeJIT::cachedGetById):
3261         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
3262         * ftl/FTLLowerDFGToB3.cpp:
3263         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
3264         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
3265         (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
3266         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
3267         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
3268         (JSC::FTL::DFG::LowerDFGToB3::getById):
3269         (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
3270         * jit/ICStats.h:
3271         * jit/JIT.cpp:
3272         (JSC::JIT::privateCompileSlowCases):
3273         (JSC::JIT::link):
3274         * jit/JIT.h:
3275         * jit/JITInlineCacheGenerator.cpp:
3276         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
3277         (JSC::JITInlineCacheGenerator::finalize):
3278         (JSC::JITByIdGenerator::JITByIdGenerator):
3279         (JSC::JITByIdGenerator::finalize):
3280         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
3281         (JSC::JITInstanceOfGenerator::generateFastPath):
3282         (JSC::JITInstanceOfGenerator::finalize):
3283         * jit/JITInlineCacheGenerator.h:
3284         (JSC::JITInlineCacheGenerator::reportSlowPathCall):
3285         (JSC::JITInlineCacheGenerator::slowPathBegin const):
3286         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
3287         (JSC::finalizeInlineCaches):
3288         (JSC::JITByIdGenerator::reportSlowPathCall): Deleted.
3289         (JSC::JITByIdGenerator::slowPathBegin const): Deleted.
3290         * jit/JITOpcodes.cpp:
3291         (JSC::JIT::emit_op_instanceof):
3292         (JSC::JIT::emitSlow_op_instanceof):
3293         * jit/JITOperations.cpp:
3294         * jit/JITOperations.h:
3295         * jit/JITPropertyAccess.cpp:
3296         (JSC::JIT::privateCompileGetByValWithCachedId):
3297         (JSC::JIT::privateCompilePutByValWithCachedId):
3298         * jit/RegisterSet.cpp:
3299         (JSC::RegisterSet::stubUnavailableRegisters):
3300         * jit/Repatch.cpp:
3301         (JSC::tryCacheIn):
3302         (JSC::tryCacheInstanceOf):
3303         (JSC::repatchInstanceOf):
3304         (JSC::resetPatchableJump):
3305         (JSC::resetIn):
3306         (JSC::resetInstanceOf):
3307         * jit/Repatch.h:
3308         * runtime/Options.h:
3309         * runtime/Structure.h:
3310
3311 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3312
3313         Unreviewed, fix exception checking
3314         https://bugs.webkit.org/show_bug.cgi?id=185350
3315
3316         * runtime/CommonSlowPaths.h:
3317         (JSC::CommonSlowPaths::putDirectWithReify):
3318         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
3319
3320 2018-05-17  Michael Saboff  <msaboff@apple.com>
3321
3322         We don't throw SyntaxErrors for runtime generated regular expressions with errors
3323         https://bugs.webkit.org/show_bug.cgi?id=185755
3324
3325         Reviewed by Keith Miller.
3326
3327         Added a new helper that creates the correct exception to throw for each type of error when
3328         compiling a RegExp.  Using that new helper, added missing checks for RegExp for the cases
3329         where we create a new RegExp from an existing one.  Also refactored other places that we
3330         throw SyntaxErrors after a failed RegExp compile to use the new helper.
3331
3332         * runtime/RegExp.h:
3333         * runtime/RegExpConstructor.cpp:
3334         (JSC::regExpCreate):
3335         (JSC::constructRegExp):
3336         * runtime/RegExpPrototype.cpp:
3337         (JSC::regExpProtoFuncCompile):
3338         * yarr/YarrErrorCode.cpp:
3339         (JSC::Yarr::errorToThrow):
3340         * yarr/YarrErrorCode.h:
3341
3342 2018-05-17  Saam Barati  <sbarati@apple.com>
3343
3344         Remove shrinkFootprint test from apitests since it's flaky
3345         https://bugs.webkit.org/show_bug.cgi?id=185754
3346
3347         Reviewed by Mark Lam.
3348
3349         This test is flaky as it keeps failing on certain people's machines.
3350         Having a test about OS footprint seems like it'll forever be doomed
3351         to being flaky.
3352
3353         * API/tests/testapi.mm:
3354         (testObjectiveCAPIMain):
3355
3356 2018-05-17  Saam Barati  <sbarati@apple.com>
3357
3358         defaultConstructorSourceCode needs to makeSource every time it's called
3359         https://bugs.webkit.org/show_bug.cgi?id=185753
3360
3361         Rubber-stamped by Mark Lam.
3362
3363         The bug here is that multiple VMs can be running concurrently with one another
3364         in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
3365         if we copy a static SourceCode. Instead, we create a new one each time
3366         this function is called.
3367
3368         * builtins/BuiltinExecutables.cpp:
3369         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
3370
3371 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3372
3373         [JSC] Use AssemblyHelpers' type checking functions as much as possible
3374         https://bugs.webkit.org/show_bug.cgi?id=185730
3375
3376         Reviewed by Saam Barati.
3377
3378         Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex