Speculatively change iteration protocol to use the same next function
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-09-22  Keith Miller  <keith_miller@apple.com>

        Speculatively change iteration protocol to use the same next function
        https://bugs.webkit.org/show_bug.cgi?id=175653

        Reviewed by Saam Barati.

        This patch speculatively makes a change to the iteration protocol to fetch the next
        property immediately after calling the Symbol.iterator function. This is, in theory,
        a breaking change, so we will see if this breaks things (most likely it won't as this
        is a relatively subtle point).

        See: https://github.com/tc39/ecma262/issues/976

        * builtins/IteratorHelpers.js:
        (performIteration):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorNext):
        (JSC::BytecodeGenerator::emitIteratorNextWithValue):
        (JSC::BytecodeGenerator::emitDelegateYield):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayPatternNode::bindValue const):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * runtime/IteratorOperations.cpp:
        (JSC::iteratorNext):
        (JSC::iteratorStep):
        (JSC::iteratorClose):
        (JSC::iteratorForIterable):
        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewFromIterator):
        (JSC::constructGenericTypedArrayViewWithArguments):

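The observable difference the entry above describes (reading `next` once, right after calling the `Symbol.iterator` function, instead of before every step), as an added JavaScript example that is not part of the WebKit change or its tests. `makeCountingIterable`, `makeSelfReplacingIterable`, `iterateOldStyle`, `iterateNewStyle` and `compareProtocols` are names chosen for this illustration; the "old style" loop reproduces the per-step property read the entry moves away from, the "new style" loop reproduces the cached lookup, and the engine results come from whichever JavaScript engine runs the file.

```javascript
// Added example (not WebKit code): how many times is an iterator's `next`
// property read, and what happens when `next` changes during iteration?

// Constructed iterable whose iterator exposes `next` through a getter, so
// every read of the property can be counted.
function makeCountingIterable(values) {
  let nextReads = 0;
  let index = 0;
  const iterator = {
    get next() {
      nextReads += 1;
      return () =>
        index < values.length
          ? { value: values[index++], done: false }
          : { value: undefined, done: true };
    },
  };
  const iterable = { [Symbol.iterator]: () => iterator };
  return { iterable, nextReadCount: () => nextReads };
}

// Constructed iterable whose `next` replaces itself after the first step with
// a method that reports completion immediately.
function makeSelfReplacingIterable(values) {
  let index = 0;
  const iterator = {
    next() {
      iterator.next = () => ({ value: undefined, done: true });
      return index < values.length
        ? { value: values[index++], done: false }
        : { value: undefined, done: true };
    },
  };
  return { [Symbol.iterator]: () => iterator };
}

// Old protocol: `iterator.next` is looked up again before every step.
function iterateOldStyle(iterable) {
  const iterator = iterable[Symbol.iterator]();
  const out = [];
  for (;;) {
    const result = iterator.next(); // fresh property read each time
    if (result.done) break;
    out.push(result.value);
  }
  return out;
}

// New protocol: `next` is fetched once, immediately after @@iterator returns,
// and that cached function is used for every step.
function iterateNewStyle(iterable) {
  const iterator = iterable[Symbol.iterator]();
  const next = iterator.next; // cached, like the spec's iterator record
  const out = [];
  for (;;) {
    const result = next.call(iterator);
    if (result.done) break;
    out.push(result.value);
  }
  return out;
}

// Run both hand-written protocols plus the engine's own spread operator over
// the same constructed inputs and report what each one observed.
function compareProtocols(values) {
  const counting = [
    makeCountingIterable(values),
    makeCountingIterable(values),
    makeCountingIterable(values),
  ];
  const oldOut = iterateOldStyle(counting[0].iterable);
  const newOut = iterateNewStyle(counting[1].iterable);
  const engineOut = [...counting[2].iterable];
  return {
    oldOut,
    newOut,
    engineOut,
    oldReads: counting[0].nextReadCount(), // values.length + 1 reads
    newReads: counting[1].nextReadCount(), // exactly one read
    engineReads: counting[2].nextReadCount(),
    selfReplacingOld: iterateOldStyle(makeSelfReplacingIterable(values)),
    selfReplacingNew: iterateNewStyle(makeSelfReplacingIterable(values)),
    selfReplacingEngine: [...makeSelfReplacingIterable(values)],
  };
}

console.log(JSON.stringify(compareProtocols(['a', 'b', 'c'])));
```

Under the old protocol the self-replacing iterator stops after one element, because the replacement `next` is picked up on the second step; under the new protocol, and in any engine that implements it, the cached `next` keeps running and the replacement is never observed. Code that relied on swapping `next` mid-loop to alter behaviour, whether an instrumentation hook or a deliberately tricky iterator, sees a different result after this change, which is exactly the kind of breakage the entry says it is watching for.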
2017-09-22  Fujii Hironori  <Hironori.Fujii@sony.com>

        [Win64] Crashes in Yarr JIT compiled code
        https://bugs.webkit.org/show_bug.cgi?id=177293

        Reviewed by Yusuke Suzuki.

        On x64 Windows, the rcx register is used for the address of the allocated
        space for the return value. But rcx is used for regT1 since
        r221052. Save rcx on the stack.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter): Push ecx.
        (JSC::Yarr::YarrGenerator::generateReturn): Pop ecx.

2017-09-22  Saam Barati  <sbarati@apple.com>

        Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
        https://bugs.webkit.org/show_bug.cgi?id=177368

        Reviewed by Keith Miller.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
        (JSC::ErrorInstance::visitChildren):

2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Profile array vector length for array allocation
        https://bugs.webkit.org/show_bug.cgi?id=177051

        Reviewed by Saam Barati.

        Currently, NewArrayBuffer allocation is penalized by JSC: while an empty array gets a vector size of 25 (BASE_CONTIGUOUS_VECTOR_LEN),
        the new_array_buffer case gets a vector size of 3 (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
        if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
        the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.

            empty array allocation,

            var array = [];
            array.push(0);
            array.push(1);
            array.push(2);
            array.push(3);
            array.push(4);

            v.s. new_array_buffer case,

            var array = [0];
            array.push(1);
            array.push(2);
            array.push(3);
            array.push(4);

        In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (and a bit likely),
        we should allocate a vector size of 3 to 25 if it is likely grown. So we should get a profile on the resulting array.

        We select 25 to make it fit one of the size classes.

        In this patch, we extend ArrayAllocationProfile to record vector length, and use this information when allocating an array for new_array_buffer.
        If the number of new_array_buffer constants is <= 25, the array vector size becomes 3 to 25 based on profiling. If the number of its constants
        is larger than 25, we just use it for allocation as before.

        The added microbenchmark and SixSpeed spread-literal.es5 show improvement.

            new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
            spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster

        * bytecode/ArrayAllocationProfile.cpp:
        (JSC::ArrayAllocationProfile::updateProfile):
        (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
        * bytecode/ArrayAllocationProfile.h:
        (JSC::ArrayAllocationProfile::selectIndexingType):
        (JSC::ArrayAllocationProfile::vectorLengthHint):
        (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllArrayPredictions):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::vectorLengthHint):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
        (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
        * runtime/ArrayConventions.h:
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):

2017-09-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r222380.
        https://bugs.webkit.org/show_bug.cgi?id=177352

        Octane/box2d shows 8% regression (Requested by yusukesuzuki on
        #webkit).

        Reverted changeset:

        "[DFG][FTL] Profile array vector length for array allocation"
        https://bugs.webkit.org/show_bug.cgi?id=177051
        http://trac.webkit.org/changeset/222380

2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Profile array vector length for array allocation
        https://bugs.webkit.org/show_bug.cgi?id=177051

        Reviewed by Saam Barati.

        Currently, NewArrayBuffer allocation is penalized by JSC: while an empty array gets a vector size of 25 (BASE_CONTIGUOUS_VECTOR_LEN),
        the new_array_buffer case gets a vector size of 3 (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
        if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
        the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.

            empty array allocation,

            var array = [];
            array.push(0);
            array.push(1);
            array.push(2);
            array.push(3);
            array.push(4);

            v.s. new_array_buffer case,

            var array = [0];
            array.push(1);
            array.push(2);
            array.push(3);
            array.push(4);

        In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (and a bit likely),
        we should allocate a vector size of 3 to 25 if it is likely grown. So we should get a profile on the resulting array.

        We select 25 to make it fit one of the size classes.

        In this patch, we extend ArrayAllocationProfile to record vector length, and use this information when allocating an array for new_array_buffer.
        If the number of new_array_buffer constants is <= 25, the array vector size becomes 3 to 25 based on profiling. If the number of its constants
        is larger than 25, we just use it for allocation as before.

        The added microbenchmark and SixSpeed spread-literal.es5 show improvement.

            new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
            spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster

        * bytecode/ArrayAllocationProfile.cpp:
        (JSC::ArrayAllocationProfile::updateProfile):
        (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
        * bytecode/ArrayAllocationProfile.h:
        (JSC::ArrayAllocationProfile::selectIndexingType):
        (JSC::ArrayAllocationProfile::vectorLengthHint):
        (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllArrayPredictions):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::vectorLengthHint):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
        (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
        * runtime/ArrayConventions.h:
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):

2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove support for CSS Regions
        https://bugs.webkit.org/show_bug.cgi?id=177287

        Reviewed by Matt Baker.

        * inspector/protocol/CSS.json:
        * inspector/protocol/OverlayTypes.json:

2017-09-21  Brian Burg  <bburg@apple.com>

        Web Inspector: keyboard shortcut for "Reload page from origin" doesn't match Safari, and doesn't work
        https://bugs.webkit.org/show_bug.cgi?id=177010
        <rdar://problem/33134548>

        Reviewed by Joseph Pecoraro.

        Use "reload from origin" nomenclature instead of "reload ignoring cache".

        * inspector/protocol/Page.json: Improve the comment, but don't change the
        parameter name since this would be a divergence from legacy protocols.

2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/annexB/built-ins/RegExp/prototype/flags/order-after-compile.js ASSERTs
        https://bugs.webkit.org/show_bug.cgi?id=177307

        Reviewed by Michael Saboff.

        * runtime/RegExpPrototype.cpp:
        In r221160 we added support for the new RegExp flag (dotAll).
        We needed to make space for it in FlagsString.

2017-09-20  Keith Miller  <keith_miller@apple.com>

        JSC should use unified sources for platform specific files.
        https://bugs.webkit.org/show_bug.cgi?id=177290

        Reviewed by Michael Saboff.

        Add a list of platform specific source files and update the
        Generate Unified Sources phase of the Xcode build. I skipped WPE
        since that seems to have failed for some reason that I didn't
        fully understand. See:
        https://webkit-queues.webkit.org/results/4611260

        Also, fix duplicate symbols in Glib remote inspector files.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * PlatformGTK.cmake:
        * PlatformMac.cmake:
        * SourcesGTK.txt: Added.
        * SourcesMac.txt: Added.
        * inspector/remote/glib/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::interfaceInfo):
        (Inspector::RemoteInspectorServer::setTargetList):
        (Inspector::RemoteInspectorServer::setupInspectorClient):
        (Inspector::RemoteInspectorServer::setup):
        (Inspector::RemoteInspectorServer::close):
        (Inspector::RemoteInspectorServer::connectionClosed):
        (Inspector::RemoteInspectorServer::sendMessageToBackend):
        (Inspector::RemoteInspectorServer::sendMessageToFrontend):
        (Inspector::dbusConnectionCallAsyncReadyCallback): Deleted.

2017-09-20  Stephan Szabo  <stephan.szabo@sony.com>

        [Win] WTF: Add alias for process id to use in place of direct uses of pid_t
        https://bugs.webkit.org/show_bug.cgi?id=177017

        Reviewed by Alex Christensen.

        * API/JSRemoteInspector.cpp:
        (JSRemoteInspectorSetParentProcessInformation):
        * API/JSRemoteInspector.h:
        * inspector/remote/RemoteInspector.h:

2017-09-20  Keith Miller  <keith_miller@apple.com>

        Rename source list file to Sources.txt
        https://bugs.webkit.org/show_bug.cgi?id=177283

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt: Renamed from Source/JavaScriptCore/sources.txt.

2017-09-20  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix string capitalization

        * JavaScriptCore.xcodeproj/project.pbxproj:

2017-09-20  Keith Miller  <keith_miller@apple.com>

        JSC Xcode build should use unified sources for platform independent files
        https://bugs.webkit.org/show_bug.cgi?id=177190

        Reviewed by Saam Barati.

        This patch changes the Xcode build to use unified sources. The
        main difference from a development perspective is that instead of
        adding source files to Xcode, they need to be added to the shared
        sources.txt. For now, platform specific files are still added
        to the JavaScriptCore target.

        Because Xcode needs to know about all the files before we generate
        them, all the unified source files need to be added to the
        JavaScriptCore framework target. As a result, if we run out of
        bundle files more will need to be added to the project. Currently,
        there are no spare files. If adding more bundle files becomes
        problematic we can change this.

        LowLevelInterpreter.cpp can't be added to the unified source list yet
        due to a clang bug.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * sources.txt: Added.

2017-09-20  Per Arne Vollan  <pvollan@apple.com>

        [Win] Cannot find script to generate unified sources.
        https://bugs.webkit.org/show_bug.cgi?id=177014

        Reviewed by Keith Miller.

        The Ruby script can now be found in WTF/Scripts in the forwarding headers folder.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.proj:

2017-09-20  Alberto Garcia  <berto@igalia.com>

        Fix HPPA and Alpha builds
        https://bugs.webkit.org/show_bug.cgi?id=177224

        Reviewed by Alex Christensen.

        * CMakeLists.txt:

2017-09-18  Filip Pizlo  <fpizlo@apple.com>

        ErrorInstance and Exception need destroy methods
        https://bugs.webkit.org/show_bug.cgi?id=177095

        Reviewed by Saam Barati.

        When I made ErrorInstance and Exception into JSDestructibleObjects, I forgot to make them
        follow that type's protocol.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::destroy): Implement this to fix leaks.
        * runtime/ErrorInstance.h:
        * runtime/Exception.h: Change how this is declared now that this is a DestructibleObject.

2017-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Consider dropping JSObjectSetPrototype feature for JSGlobalObject
        https://bugs.webkit.org/show_bug.cgi?id=177070

        Reviewed by Saam Barati.

        For security reasons, our global object is an immutable prototype exotic object.
        It prevents users from injecting proxies into the prototype chain of the global object[1].
        But our JSC API does not respect this attribute, and allows users to change [[Prototype]]
        of the global object after instantiating it.

        This patch removes this feature. Once the global object is instantiated, we cannot change [[Prototype]]
        of the global object. It drops the JSGlobalObject::resetPrototype use, which involves GlobalThis
        edge cases.

        [1]: https://github.com/tc39/ecma262/commit/935dad4283d045bc09c67a259279772d01b3d33d

        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        * API/tests/CustomGlobalObjectClassTest.c:
        (globalObjectSetPrototypeTest):

2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove ToThis more aggressively
        https://bugs.webkit.org/show_bug.cgi?id=177056

        Reviewed by Saam Barati.

        The variation of toThis() implementations is limited. So we attempt to implement the common toThis operation in AI.
        We move scope related toThis to JSScope::toThis. And AI investigates the proven value/structure's toThis methods
        and attempts to fold/convert them to efficient nodes.

        We introduce GetGlobalThis, which just loads globalThis from the semantic origin's globalObject. Using this,
        we can implement JSScope::toThis in DFG. This can avoid a costly toThis indirect function pointer call.

        Currently, we just emit GetGlobalThis if necessary. We can further convert it to a constant if we can put a
        watchpoint on JSGlobalObject's globalThis change. But we leave it for a future patch for now.

        This removes GetGlobalThis from ES6 generators in common cases.

        spread-generator.es6      303.1550+-9.5037          290.9337+-8.3487          might be 1.0420x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::isToThisAnIdentity):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetGlobalThis):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetGlobalThis):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
        * runtime/JSGlobalLexicalEnvironment.cpp:
        (JSC::JSGlobalLexicalEnvironment::toThis): Deleted.
        * runtime/JSGlobalLexicalEnvironment.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::toThis): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::addressOfGlobalThis):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::toThis): Deleted.
        * runtime/JSLexicalEnvironment.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::toThis):
        * runtime/JSScope.h:
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::toThis): Deleted.
        * runtime/StrictEvalActivation.h:

2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        Merge JSLexicalEnvironment and JSEnvironmentRecord
        https://bugs.webkit.org/show_bug.cgi?id=175492

        Reviewed by Saam Barati.

        JSEnvironmentRecord is only inherited by JSLexicalEnvironment.
        We can merge JSEnvironmentRecord and JSLexicalEnvironment.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutClosureVar):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSEnvironmentRecord.cpp: Removed.
        * runtime/JSEnvironmentRecord.h: Removed.
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::visitChildren):
        (JSC::JSLexicalEnvironment::heapSnapshot):
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::subspaceFor):
        (JSC::JSLexicalEnvironment::variables):
        (JSC::JSLexicalEnvironment::isValidScopeOffset):
        (JSC::JSLexicalEnvironment::variableAt):
        (JSC::JSLexicalEnvironment::offsetOfVariables):
        (JSC::JSLexicalEnvironment::offsetOfVariable):
        (JSC::JSLexicalEnvironment::allocationSizeForScopeSize):
        (JSC::JSLexicalEnvironment::allocationSize):
        (JSC::JSLexicalEnvironment::finishCreationUninitialized):
        (JSC::JSLexicalEnvironment::finishCreation):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::create):
        * runtime/JSObject.h:
        (JSC::JSObject::isEnvironment const):
        (JSC::JSObject::isEnvironmentRecord const): Deleted.
        * runtime/JSSegmentedVariableObject.h:
        * runtime/StringPrototype.cpp:
        (JSC::checkObjectCoercible):

2017-09-15  Saam Barati  <sbarati@apple.com>

        Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
        https://bugs.webkit.org/show_bug.cgi?id=176981

        Reviewed by Yusuke Suzuki.

        This patch makes inline arity fixup happen in two phases:
        1. We get all the values we need and MovHint them to the expected locals.
        2. We SetLocal them inside the callee's CodeOrigin. This way, if we exit, the callee's
           frame is already set up. If any SetLocal exits, we have a valid exit state.
           This is required because if we didn't do this in two phases, we may exit in
           the middle of arity fixup from the caller's CodeOrigin. This is unsound because if
           we did the SetLocals in the caller's frame, the memcpy may clobber needed parts
           of the frame right before exiting. For example, consider if we need to pad two args:
           [arg3][arg2][arg1][arg0]
           [fix ][fix ][arg3][arg2][arg1][arg0]
           We memcpy starting from arg0 in the direction of arg3. If we were to exit at a type check
           for arg3's SetLocal in the caller's CodeOrigin, we'd exit with a frame like so:
           [arg3][arg2][arg1][arg2][arg1][arg0]
           And the caller would then just end up thinking its arguments are:
           [arg3][arg2][arg1][arg2]
           which is incorrect.

        This patch also fixes a couple of bugs in IdentityWithProfile:
        1. The bytecode generator for this bytecode intrinsic was written incorrectly.
           It needed to store the result of evaluating its argument in a temporary that
           it creates. Otherwise, it might try to simply overwrite a constant
           or a register that it didn't own.
        2. We weren't eliminating this node in CSE inside the DFG.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inlineCall):
        * dfg/DFGCSEPhase.cpp:

2017-09-15  JF Bastien  <jfbastien@apple.com>

        WTF: use Forward.h when appropriate instead of Vector.h
        https://bugs.webkit.org/show_bug.cgi?id=176984

        Reviewed by Saam Barati.

        There's no need to include Vector.h when Forward.h will suffice. All we need is to move the template default parameters from Vector, and then the forward declaration can be used in so many new places: if a header only takes Vector by reference, rvalue reference, pointer, returns any of these, or has them as members then the header doesn't need to see the definition because the declaration will suffice.

        * bytecode/HandlerInfo.h:
        * heap/GCIncomingRefCounted.h:
        * heap/GCSegmentedArray.h:
        * wasm/js/JSWebAssemblyModule.h:

2017-09-14  Saam Barati  <sbarati@apple.com>

        We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags
        https://bugs.webkit.org/show_bug.cgi?id=176863

        Reviewed by Keith Miller.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):

2017-09-14  Saam Barati  <sbarati@apple.com>

        Make dumping the graph print both when exitOK and when !exitOK
        https://bugs.webkit.org/show_bug.cgi?id=176954

        Reviewed by Keith Miller.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2017-09-14  Saam Barati  <sbarati@apple.com>

        It should be valid to exit before each set when doing arity fixup when inlining
        https://bugs.webkit.org/show_bug.cgi?id=176948

        Reviewed by Keith Miller.

        This patch makes it so that we can exit before each SetLocal when doing arity
        fixup during inlining. This is OK because if we exit at any of these SetLocals,
        we will simply exit to the beginning of the call instruction.

        Not doing this led to a bug where FixupPhase would insert a ValueRep of
        a node before the actual node. This is obviously invalid IR. I've added
        a new validation rule to catch this malformed IR.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        * dfg/DFGValidate.cpp:
        * runtime/Options.h:

643 2017-09-14  Mark Lam  <mark.lam@apple.com>
644
645         AddressSanitizer: stack-buffer-underflow in JSC::Probe::Page::Page
646         https://bugs.webkit.org/show_bug.cgi?id=176874
647         <rdar://problem/34436415>
648
649         Reviewed by Saam Barati.
650
651         1. Make Probe::Stack play nice with ASan by:
652
653            a. using a local memcpy implementation that suppresses ASan on ASan builds.
654               We don't want to use std:memcpy() which validates stack memory because
655               we are intentionally copying stack memory beyond the current frame.
656
657            b. changing Stack::s_chunkSize to equal sizeof(uintptr_t) on ASan builds.
658               This ensures that Page::flushWrites() only writes stack memory that was
659               modified by a probe.  The probes should only modify stack memory that
660               belongs to JSC stack data structures.  We don't want to inadvertently
661               modify adjacent words that may belong to ASan (which may happen if
662               s_chunkSize is larger than sizeof(uintptr_t)).
663
664            c. fixing a bug in Page dirtyBits management for when the size of the value to
665               write is greater than s_chunkSize.  The fix in generic, but in practice,
666               this currently only manifests on 32-bit ASan builds because
667               sizeof(uintptr_t) and s_chunkSize are 32-bit, and we may write 64-bit
668               values.
669
670            d. making Page::m_dirtyBits 64 bits always.  This maximizes the number of
671               s_chunksPerPage we can have even on ASan builds.
672
673         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
674            std::memcpy to avoid strict aliasing issues.
675
676         3. Optimized the implementation of Page::physicalAddressFor().
677
678         4. Optimized the implementation of Stack::set() in the recording of the low
679            watermark.  We just record the lowest raw pointer now, and only compute the
680            alignment to its chunk boundary later when the low watermark is requested.
681
682         5. Changed a value in testmasm to make the test less vulnerable to rounding issues.
683
684         No new test needed because this is already covered by testmasm with ASan enabled.
685
686         * assembler/ProbeContext.h:
687         (JSC::Probe::CPUState::gpr const):
688         (JSC::Probe::CPUState::spr const):
689         (JSC::Probe::Context::gpr):
690         (JSC::Probe::Context::spr):
691         (JSC::Probe::Context::fpr):
692         (JSC::Probe::Context::gprName):
693         (JSC::Probe::Context::sprName):
694         (JSC::Probe::Context::fprName):
695         (JSC::Probe::Context::gpr const):
696         (JSC::Probe::Context::spr const):
697         (JSC::Probe::Context::fpr const):
698         (JSC::Probe::Context::pc):
699         (JSC::Probe::Context::fp):
700         (JSC::Probe::Context::sp):
701         (JSC::Probe:: const): Deleted.
702         * assembler/ProbeStack.cpp:
703         (JSC::Probe::copyStackPage):
704         (JSC::Probe::Page::Page):
705         (JSC::Probe::Page::flushWrites):
706         * assembler/ProbeStack.h:
707         (JSC::Probe::Page::get):
708         (JSC::Probe::Page::set):
709         (JSC::Probe::Page::dirtyBitFor):
710         (JSC::Probe::Page::physicalAddressFor):
711         (JSC::Probe::Stack::lowWatermark):
712         (JSC::Probe::Stack::get):
713         (JSC::Probe::Stack::set):
714         * assembler/testmasm.cpp:
715         (JSC::testProbeModifiesStackValues):
716
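The following is an added model of the probe-page bookkeeping the entry above describes (items 1a through 1d, 2 and 4). It is not JSC's ProbeStack code: the `Page`, `LowWatermark` and `runScenario` names, the chunk and page sizes, and the single-page layout are assumptions chosen to mirror the description, and `Page<4>` stands in for the 32-bit ASan configuration where `sizeof(uintptr_t)` is 4 and a 64-bit write spans two chunks.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>

// Added model of the probe-page bookkeeping the ChangeLog entry describes.
// Not JSC's ProbeStack code: names, sizes and the Page layout are assumptions.

#if defined(__clang__) || defined(__GNUC__)
#define PROBE_NO_ASAN __attribute__((no_sanitize_address))
#else
#define PROBE_NO_ASAN
#endif

// Item 1a: a copy routine ASan does not instrument, so it may copy stack
// memory beyond the current frame without tripping a stack-buffer check.
PROBE_NO_ASAN static void copyStackPage(void* dst, const void* src, size_t size)
{
    auto* d = static_cast<uint8_t*>(dst);
    auto* s = static_cast<const uint8_t*>(src);
    for (size_t i = 0; i < size; ++i)
        d[i] = s[i];
}

// ChunkSize defaults to one machine word (item 1b); the scenario below uses
// Page<4> to reproduce the 32-bit case where a 64-bit write spans two chunks.
template<size_t ChunkSize = sizeof(uintptr_t)>
struct Page {
    static constexpr size_t s_chunkSize = ChunkSize;
    static constexpr size_t s_chunksPerPage = 64; // item 1d: 64-bit dirty mask
    static constexpr size_t s_pageSize = s_chunkSize * s_chunksPerPage;

    uint8_t buffer[s_pageSize]; // shadow copy of the real stack page
    uint8_t* base;              // the real page being shadowed
    uint64_t dirtyBits = 0;

    explicit Page(uint8_t* physicalBase) : base(physicalBase)
    {
        copyStackPage(buffer, base, s_pageSize);
    }

    // Item 1c: a write of `size` bytes at `offset` dirties every chunk in
    // [offset / chunk, (offset + size - 1) / chunk], not only the first one.
    static uint64_t dirtyBitsFor(size_t offset, size_t size)
    {
        size_t first = offset / s_chunkSize;
        size_t last = (offset + size - 1) / s_chunkSize;
        uint64_t bits = 0;
        for (size_t i = first; i <= last; ++i)
            bits |= uint64_t(1) << i;
        return bits;
    }

    // Item 2: memcpy rather than a reinterpret_cast store/load, so the
    // access does not violate strict aliasing.
    template<typename T> void set(size_t offset, T value)
    {
        std::memcpy(buffer + offset, &value, sizeof(T));
        dirtyBits |= dirtyBitsFor(offset, sizeof(T));
    }
    template<typename T> T get(size_t offset) const
    {
        T value;
        std::memcpy(&value, buffer + offset, sizeof(T));
        return value;
    }

    // Write back only dirty chunks; words a probe never touched (which may
    // be ASan's own bookkeeping) stay exactly as they were.
    size_t flushWrites()
    {
        size_t flushed = 0;
        for (size_t i = 0; i < s_chunksPerPage; ++i) {
            if (!(dirtyBits & (uint64_t(1) << i)))
                continue;
            copyStackPage(base + i * s_chunkSize, buffer + i * s_chunkSize, s_chunkSize);
            ++flushed;
        }
        dirtyBits = 0;
        return flushed;
    }
};

// Item 4: keep the lowest raw pointer seen; align down to the chunk boundary
// only when the watermark is requested.
struct LowWatermark {
    uintptr_t lowest = UINTPTR_MAX;
    void observe(const void* p) { lowest = std::min(lowest, reinterpret_cast<uintptr_t>(p)); }
    template<size_t ChunkSize> uintptr_t alignedFor() const { return lowest & ~uintptr_t(ChunkSize - 1); }
};

// The item 1c scenario: a 64-bit write into a page with 32-bit chunks, plus a
// watermark query; all results are offsets/values relative to a constructed buffer.
struct ScenarioResult { uint64_t dirtyBits; size_t flushed; uint64_t readBack; uint8_t neighbour; size_t watermarkOffset; };
static ScenarioResult runScenario()
{
    alignas(8) uint8_t stack[Page<4>::s_pageSize];
    std::memset(stack, 0xAA, sizeof(stack)); // constructed stack contents
    Page<4> page(stack);
    page.set<uint64_t>(8, 0x1122334455667788ull); // covers chunks 2 and 3
    ScenarioResult r;
    r.dirtyBits = page.dirtyBits;
    r.flushed = page.flushWrites();
    std::memcpy(&r.readBack, stack + 8, sizeof(r.readBack));
    r.neighbour = stack[16]; // first byte of chunk 4, never written
    LowWatermark w;
    w.observe(stack + 13);
    w.observe(stack + 9);
    r.watermarkOffset = w.alignedFor<4>() - reinterpret_cast<uintptr_t>(stack);
    return r;
}
```

With the chunk range computed from both ends of the write, the 64-bit store at offset 8 dirties chunks 2 and 3 and `flushWrites()` writes back exactly those two; the byte at offset 16 keeps its original value, which is the property that keeps ASan's neighbouring words intact. The watermark observes raw pointers at offsets 13 and 9 and only aligns down to 8 when queried.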
717 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
718
719         [JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed
720         https://bugs.webkit.org/show_bug.cgi?id=176917
721
722         Reviewed by Saam Barati.
723
724         * dfg/DFGByteCodeParser.cpp:
725         (JSC::DFG::ByteCodeParser::inliningCost):
726         * runtime/Options.h:
727
728 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
729
730         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
731         https://bugs.webkit.org/show_bug.cgi?id=176867
732
733         Reviewed by Sam Weinig.
734
735         We rarely require private symbols when enumerating property names.
736         This patch adds PrivateSymbolMode::{Include,Exclude}. If PrivateSymbolMode::Exclude
737         is specified, PropertyNameArray does not include private symbols.
738         This removes many ad-hoc `Identifier::isPrivateName()` in enumeration operations.
739
740         One additional good thing is that we do not need to filter private symbols out from PropertyNameArray.
741         It allows us to use Object.keys()'s fast path for Object.getOwnPropertySymbols.
742
743         object-get-own-property-symbols                48.6275+-1.0021     ^     38.1846+-1.7934        ^ definitely 1.2735x faster
744
745         * API/JSObjectRef.cpp:
746         (JSObjectCopyPropertyNames):
747         * bindings/ScriptValue.cpp:
748         (Inspector::jsToInspectorValue):
749         * bytecode/ObjectAllocationProfile.h:
750         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
751         * runtime/EnumerationMode.h:
752         * runtime/IntlObject.cpp:
753         (JSC::supportedLocales):
754         * runtime/JSONObject.cpp:
755         (JSC::Stringifier::Stringifier):
756         (JSC::Stringifier::Holder::appendNextProperty):
757         (JSC::Walker::walk):
758         * runtime/JSPropertyNameEnumerator.cpp:
759         (JSC::JSPropertyNameEnumerator::create):
760         * runtime/JSPropertyNameEnumerator.h:
761         (JSC::propertyNameEnumerator):
762         * runtime/ObjectConstructor.cpp:
763         (JSC::objectConstructorGetOwnPropertyDescriptors):
764         (JSC::objectConstructorAssign):
765         (JSC::objectConstructorValues):
766         (JSC::defineProperties):
767         (JSC::setIntegrityLevel):
768         (JSC::testIntegrityLevel):
769         (JSC::ownPropertyKeys):
770         * runtime/PropertyNameArray.h:
771         (JSC::PropertyNameArray::PropertyNameArray):
772         (JSC::PropertyNameArray::propertyNameMode const):
773         (JSC::PropertyNameArray::privateSymbolMode const):
774         (JSC::PropertyNameArray::addUncheckedInternal):
775         (JSC::PropertyNameArray::addUnchecked):
776         (JSC::PropertyNameArray::add):
777         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
778         (JSC::PropertyNameArray::includeSymbolProperties const):
779         (JSC::PropertyNameArray::includeStringProperties const):
780         (JSC::PropertyNameArray::mode const): Deleted.
781         * runtime/ProxyObject.cpp:
782         (JSC::ProxyObject::performGetOwnPropertyNames):
783
784 2017-09-13  Mark Lam  <mark.lam@apple.com>
785
786         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
787         https://bugs.webkit.org/show_bug.cgi?id=176888
788         <rdar://problem/34381832>
789
790         Not reviewed.
791
792         * JavaScriptCore.xcodeproj/project.pbxproj:
793         * assembler/MacroAssembler.cpp:
794         (JSC::stdFunctionCallback):
795         * assembler/MacroAssemblerPrinter.cpp:
796         (JSC::Printer::printCallback):
797         * assembler/ProbeContext.h:
798         (JSC::Probe:: const):
799         (JSC::Probe::Context::Context):
800         (JSC::Probe::Context::gpr):
801         (JSC::Probe::Context::spr):
802         (JSC::Probe::Context::fpr):
803         (JSC::Probe::Context::gprName):
804         (JSC::Probe::Context::sprName):
805         (JSC::Probe::Context::fprName):
806         (JSC::Probe::Context::pc):
807         (JSC::Probe::Context::fp):
808         (JSC::Probe::Context::sp):
809         (JSC::Probe::CPUState::gpr const): Deleted.
810         (JSC::Probe::CPUState::spr const): Deleted.
811         (JSC::Probe::Context::arg): Deleted.
812         (JSC::Probe::Context::gpr const): Deleted.
813         (JSC::Probe::Context::spr const): Deleted.
814         (JSC::Probe::Context::fpr const): Deleted.
815         * assembler/ProbeFrame.h: Removed.
816         * assembler/ProbeStack.cpp:
817         (JSC::Probe::Page::Page):
818         * assembler/ProbeStack.h:
819         (JSC::Probe::Page::get):
820         (JSC::Probe::Page::set):
821         (JSC::Probe::Page::physicalAddressFor):
822         (JSC::Probe::Stack::lowWatermark):
823         (JSC::Probe::Stack::get):
824         (JSC::Probe::Stack::set):
825         * bytecode/ArithProfile.cpp:
826         * bytecode/ArithProfile.h:
827         * bytecode/ArrayProfile.h:
828         (JSC::ArrayProfile::observeArrayMode): Deleted.
829         * bytecode/CodeBlock.cpp:
830         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted.
831         * bytecode/CodeBlock.h:
832         (JSC::CodeBlock::addressOfOSRExitCounter):
833         * bytecode/ExecutionCounter.h:
834         (JSC::ExecutionCounter::hasCrossedThreshold const): Deleted.
835         (JSC::ExecutionCounter::setNewThresholdForOSRExit): Deleted.
836         * bytecode/MethodOfGettingAValueProfile.cpp:
837         (JSC::MethodOfGettingAValueProfile::reportValue): Deleted.
838         * bytecode/MethodOfGettingAValueProfile.h:
839         * dfg/DFGDriver.cpp:
840         (JSC::DFG::compileImpl):
841         * dfg/DFGJITCode.cpp:
842         (JSC::DFG::JITCode::findPC):
843         * dfg/DFGJITCode.h:
844         * dfg/DFGJITCompiler.cpp:
845         (JSC::DFG::JITCompiler::linkOSRExits):
846         (JSC::DFG::JITCompiler::link):
847         * dfg/DFGOSRExit.cpp:
848         (JSC::DFG::OSRExit::setPatchableCodeOffset):
849         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const):
850         (JSC::DFG::OSRExit::codeLocationForRepatch const):
851         (JSC::DFG::OSRExit::correctJump):
852         (JSC::DFG::OSRExit::emitRestoreArguments):
853         (JSC::DFG::OSRExit::compileOSRExit):
854         (JSC::DFG::OSRExit::compileExit):
855         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
856         (JSC::DFG::jsValueFor): Deleted.
857         (JSC::DFG::restoreCalleeSavesFor): Deleted.
858         (JSC::DFG::saveCalleeSavesFor): Deleted.
859         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted.
860         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted.
861         (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted.
862         (JSC::DFG::createDirectArgumentsDuringExit): Deleted.
863         (JSC::DFG::createClonedArgumentsDuringExit): Deleted.
864         (JSC::DFG::emitRestoreArguments): Deleted.
865         (JSC::DFG::OSRExit::executeOSRExit): Deleted.
866         (JSC::DFG::reifyInlinedCallFrames): Deleted.
867         (JSC::DFG::adjustAndJumpToTarget): Deleted.
868         (JSC::DFG::printOSRExit): Deleted.
869         * dfg/DFGOSRExit.h:
870         (JSC::DFG::OSRExitState::OSRExitState): Deleted.
871         * dfg/DFGOSRExitCompilerCommon.cpp:
872         * dfg/DFGOSRExitCompilerCommon.h:
873         * dfg/DFGOperations.cpp:
874         * dfg/DFGOperations.h:
875         * dfg/DFGThunks.cpp:
876         (JSC::DFG::osrExitGenerationThunkGenerator):
877         (JSC::DFG::osrExitThunkGenerator): Deleted.
878         * dfg/DFGThunks.h:
879         * jit/AssemblyHelpers.cpp:
880         (JSC::AssemblyHelpers::debugCall):
881         * jit/AssemblyHelpers.h:
882         * jit/JITOperations.cpp:
883         * jit/JITOperations.h:
884         * profiler/ProfilerOSRExit.h:
885         (JSC::Profiler::OSRExit::incCount): Deleted.
886         * runtime/JSCJSValue.h:
887         * runtime/JSCJSValueInlines.h:
888         * runtime/VM.h:
889
890 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
891
892         [JSC] Move class/struct used in other class' member out of anonymous namespace
893         https://bugs.webkit.org/show_bug.cgi?id=176876
894
895         Reviewed by Saam Barati.
896
897         GCC warns if a class has a base or field whose type uses the anonymous namespace
898         and it is defined in an included file. This is because this possibly violates
899         the one definition rule (ODR): if an included file has an anonymous namespace, each
900         translation unit creates its private anonymous namespace. Thus, each type
901         inside the anonymous namespace becomes different in each translation unit if
902         the file is included in multiple translation units.
903
904         While the current use in JSC is not violating ODR since these cpp files are included
905         only once for unified sources, specifying `-Wno-subobject-linkage` could miss
906         the actual bugs. So, in this patch, we just move related classes/structs out of
907         the anonymous namespace.
908
909         * dfg/DFGIntegerCheckCombiningPhase.cpp:
910         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::addition):
911         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::arrayBounds):
912         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator! const):
913         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::hash const):
914         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator== const):
915         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::dump const):
916         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::RangeKeyAndAddend):
917         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::operator! const):
918         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::dump const):
919         (JSC::DFG::IntegerCheckCombiningPhase::Range::dump const):
920         * dfg/DFGLICMPhase.cpp:
921
922 2017-09-13  Devin Rousso  <webkit@devinrousso.com>
923
924         Web Inspector: Event Listeners section does not update when listeners are added/removed
925         https://bugs.webkit.org/show_bug.cgi?id=170570
926         <rdar://problem/31501645>
927
928         Reviewed by Joseph Pecoraro.
929
930         * inspector/protocol/DOM.json:
931         Add two new events: "didAddEventListener" and "willRemoveEventListener". These events do not
932         contain any information about the event listeners that were added/removed. They serve more
933         as indications that something has changed, and to refetch the data again via `getEventListenersForNode`.
934
935 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
936
937         [JSC] Fix Array allocation in Object.keys
938         https://bugs.webkit.org/show_bug.cgi?id=176826
939
940         Reviewed by Saam Barati.
941
942         When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
943         We check isHavingABadTime() in ownPropertyKeys fast path.
944         And we also ensure that ownPropertyKeys uses putDirect operation instead of put by a test.
945
946         * runtime/ObjectConstructor.cpp:
947         (JSC::ownPropertyKeys):
948
949 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
950
951         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
952         https://bugs.webkit.org/show_bug.cgi?id=176010
953
954         Reviewed by Filip Pizlo.
955
956         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
957         It is used for meta property for objects (see peekMeta function in Ember.js).
958
959         This patch optimizes WeakMap#get.
960
961         1. We use inlineGet to inline WeakMap#get operation in the native function.
962         Since this native function itself is very small, we should inline HashMap#get
963         entirely in this function.
964
965         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
966         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
967         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
968         ObjectUse, and Int32Use.
969
970         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
971         calculate hash value for the key's Object and use this hash value to look up value from
972         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
973         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
974         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
975         patches.
976
977         We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
978         not used in Ember.js right now.
979
980         This patch optimizes WeakMap#get by 50%.
981
982                                  baseline                  patched
983
984         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
985
986         * bytecode/DirectEvalCodeCache.h:
987         (JSC::DirectEvalCodeCache::tryGet):
988         * bytecode/SpeculatedType.cpp:
989         (JSC::dumpSpeculation):
990         (JSC::speculationFromClassInfo):
991         (JSC::speculationFromJSType):
992         (JSC::speculationFromString):
993         * bytecode/SpeculatedType.h:
994         * dfg/DFGAbstractInterpreterInlines.h:
995         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
996         * dfg/DFGByteCodeParser.cpp:
997         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
998         * dfg/DFGClobberize.h:
999         (JSC::DFG::clobberize):
1000         * dfg/DFGDoesGC.cpp:
1001         (JSC::DFG::doesGC):
1002         * dfg/DFGFixupPhase.cpp:
1003         (JSC::DFG::FixupPhase::fixupNode):
1004         * dfg/DFGHeapLocation.cpp:
1005         (WTF::printInternal):
1006         * dfg/DFGHeapLocation.h:
1007         * dfg/DFGNode.h:
1008         (JSC::DFG::Node::hasHeapPrediction):
1009         * dfg/DFGNodeType.h:
1010         * dfg/DFGOperations.cpp:
1011         * dfg/DFGOperations.h:
1012         * dfg/DFGPredictionPropagationPhase.cpp:
1013         * dfg/DFGSafeToExecute.h:
1014         (JSC::DFG::SafeToExecuteEdge::operator()):
1015         (JSC::DFG::safeToExecute):
1016         * dfg/DFGSpeculativeJIT.cpp:
1017         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
1018         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
1019         (JSC::DFG::SpeculativeJIT::speculate):
1020         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
1021         * dfg/DFGSpeculativeJIT.h:
1022         (JSC::DFG::SpeculativeJIT::callOperation):
1023         * dfg/DFGSpeculativeJIT32_64.cpp:
1024         (JSC::DFG::SpeculativeJIT::compile):
1025         * dfg/DFGSpeculativeJIT64.cpp:
1026         (JSC::DFG::SpeculativeJIT::compile):
1027         * dfg/DFGUseKind.cpp:
1028         (WTF::printInternal):
1029         * dfg/DFGUseKind.h:
1030         (JSC::DFG::typeFilterFor):
1031         (JSC::DFG::isCell):
1032         * ftl/FTLCapabilities.cpp:
1033         (JSC::FTL::canCompile):
1034         * ftl/FTLLowerDFGToB3.cpp:
1035         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1036         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
1037         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
1038         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
1039         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1040         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
1041         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
1042         * jit/JITOperations.h:
1043         * runtime/HashMapImpl.h:
1044         (JSC::WeakMapHash::hash):
1045         (JSC::WeakMapHash::equal):
1046         * runtime/Intrinsic.cpp:
1047         (JSC::intrinsicName):
1048         * runtime/Intrinsic.h:
1049         * runtime/JSType.h:
1050         * runtime/JSWeakMap.h:
1051         (JSC::isJSWeakMap):
1052         * runtime/JSWeakSet.h:
1053         (JSC::isJSWeakSet):
1054         * runtime/WeakMapBase.cpp:
1055         (JSC::WeakMapBase::get):
1056         * runtime/WeakMapBase.h:
1057         (JSC::WeakMapBase::HashTranslator::hash):
1058         (JSC::WeakMapBase::HashTranslator::equal):
1059         (JSC::WeakMapBase::inlineGet):
1060         * runtime/WeakMapPrototype.cpp:
1061         (JSC::WeakMapPrototype::finishCreation):
1062         (JSC::getWeakMap):
1063         (JSC::protoFuncWeakMapGet):
1064         * runtime/WeakSetPrototype.cpp:
1065         (JSC::getWeakSet):
1066
1067 2017-09-12  Keith Miller  <keith_miller@apple.com>
1068
1069         Rename JavaScriptCore CMake unifiable sources list
1070         https://bugs.webkit.org/show_bug.cgi?id=176823
1071
1072         Reviewed by Joseph Pecoraro.
1073
1074         This patch also changes the error message when the unified source
1075         bundler fails to be more accurate.
1076
1077         * CMakeLists.txt:
1078
1079 2017-09-12  Keith Miller  <keith_miller@apple.com>
1080
1081         Do unified source builds for JSC
1082         https://bugs.webkit.org/show_bug.cgi?id=176076
1083
1084         Reviewed by Geoffrey Garen.
1085
1086         This patch switches the CMake JavaScriptCore build to use unified sources.
1087         The Xcode build will be upgraded in a follow up patch.
1088
1089         Most of the source changes in this patch are fixing static
1090         variable/functions name collisions. The most common collisions
1091         were from our use of "static const bool verbose" and "using
1092         namespace ...". I fixed all the verbose cases and fixed the "using
1093         namespace" issues that occurred under the current bundling
1094         strategy. It's likely that more of the "using namespace" issues
1095         will need to be resolved in the future, particularly in the FTL.
1096
1097         I don't expect either of these problems will apply to other parts
1098         of the project nearly as much as in JSC. Using a verbose variable
1099         is a JSC idiom and JSC tends to use the same, canonical, class name
1100         in multiple parts of the engine.
1101
1102         * CMakeLists.txt:
1103         * b3/B3CheckSpecial.cpp:
1104         (JSC::B3::CheckSpecial::forEachArg):
1105         (JSC::B3::CheckSpecial::generate):
1106         (JSC::B3::Air::numB3Args): Deleted.
1107         * b3/B3DuplicateTails.cpp:
1108         * b3/B3EliminateCommonSubexpressions.cpp:
1109         * b3/B3FixSSA.cpp:
1110         (JSC::B3::demoteValues):
1111         * b3/B3FoldPathConstants.cpp:
1112         * b3/B3InferSwitches.cpp:
1113         * b3/B3LowerMacrosAfterOptimizations.cpp:
1114         (): Deleted.
1115         * b3/B3LowerToAir.cpp:
1116         (JSC::B3::Air::LowerToAir::LowerToAir): Deleted.
1117         (JSC::B3::Air::LowerToAir::run): Deleted.
1118         (JSC::B3::Air::LowerToAir::shouldCopyPropagate): Deleted.
1119         (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise): Deleted.
1120         (JSC::B3::Air::LowerToAir::ArgPromise::swap): Deleted.
1121         (JSC::B3::Air::LowerToAir::ArgPromise::operator=): Deleted.
1122         (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise): Deleted.
1123         (JSC::B3::Air::LowerToAir::ArgPromise::setTraps): Deleted.
1124         (JSC::B3::Air::LowerToAir::ArgPromise::tmp): Deleted.
1125         (JSC::B3::Air::LowerToAir::ArgPromise::operator bool const): Deleted.
1126         (JSC::B3::Air::LowerToAir::ArgPromise::kind const): Deleted.
1127         (JSC::B3::Air::LowerToAir::ArgPromise::peek const): Deleted.
1128         (JSC::B3::Air::LowerToAir::ArgPromise::consume): Deleted.
1129         (JSC::B3::Air::LowerToAir::ArgPromise::inst): Deleted.
1130         (JSC::B3::Air::LowerToAir::tmp): Deleted.
1131         (JSC::B3::Air::LowerToAir::tmpPromise): Deleted.
1132         (JSC::B3::Air::LowerToAir::canBeInternal): Deleted.
1133         (JSC::B3::Air::LowerToAir::commitInternal): Deleted.
1134         (JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
1135         (JSC::B3::Air::LowerToAir::scaleForShl): Deleted.
1136         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
1137         (JSC::B3::Air::LowerToAir::addr): Deleted.
1138         (JSC::B3::Air::LowerToAir::trappingInst): Deleted.
1139         (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode): Deleted.
1140         (JSC::B3::Air::LowerToAir::loadPromise): Deleted.
1141         (JSC::B3::Air::LowerToAir::imm): Deleted.
1142         (JSC::B3::Air::LowerToAir::bitImm): Deleted.
1143         (JSC::B3::Air::LowerToAir::bitImm64): Deleted.
1144         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
1145         (JSC::B3::Air::LowerToAir::tryOpcodeForType): Deleted.
1146         (JSC::B3::Air::LowerToAir::opcodeForType): Deleted.
1147         (JSC::B3::Air::LowerToAir::appendUnOp): Deleted.
1148         (JSC::B3::Air::LowerToAir::preferRightForResult): Deleted.
1149         (JSC::B3::Air::LowerToAir::appendBinOp): Deleted.
1150         (JSC::B3::Air::LowerToAir::appendShift): Deleted.
1151         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp): Deleted.
1152         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): Deleted.
1153         (JSC::B3::Air::LowerToAir::createStore): Deleted.
1154         (JSC::B3::Air::LowerToAir::storeOpcode): Deleted.
1155         (JSC::B3::Air::LowerToAir::appendStore): Deleted.
1156         (JSC::B3::Air::LowerToAir::moveForType): Deleted.
1157         (JSC::B3::Air::LowerToAir::relaxedMoveForType): Deleted.
1158         (JSC::B3::Air::LowerToAir::print): Deleted.
1159         (JSC::B3::Air::LowerToAir::append): Deleted.
1160         (JSC::B3::Air::LowerToAir::appendTrapping): Deleted.
1161         (JSC::B3::Air::LowerToAir::finishAppendingInstructions): Deleted.
1162         (JSC::B3::Air::LowerToAir::newBlock): Deleted.
1163         (JSC::B3::Air::LowerToAir::splitBlock): Deleted.
1164         (JSC::B3::Air::LowerToAir::ensureSpecial): Deleted.
1165         (JSC::B3::Air::LowerToAir::ensureCheckSpecial): Deleted.
1166         (JSC::B3::Air::LowerToAir::fillStackmap): Deleted.
1167         (JSC::B3::Air::LowerToAir::createGenericCompare): Deleted.
1168         (JSC::B3::Air::LowerToAir::createBranch): Deleted.
1169         (JSC::B3::Air::LowerToAir::createCompare): Deleted.
1170         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
1171         (JSC::B3::Air::LowerToAir::tryAppendLea): Deleted.
1172         (JSC::B3::Air::LowerToAir::appendX86Div): Deleted.
1173         (JSC::B3::Air::LowerToAir::appendX86UDiv): Deleted.
1174         (JSC::B3::Air::LowerToAir::loadLinkOpcode): Deleted.
1175         (JSC::B3::Air::LowerToAir::storeCondOpcode): Deleted.
1176         (JSC::B3::Air::LowerToAir::appendCAS): Deleted.
1177         (JSC::B3::Air::LowerToAir::appendVoidAtomic): Deleted.
1178         (JSC::B3::Air::LowerToAir::appendGeneralAtomic): Deleted.
1179         (JSC::B3::Air::LowerToAir::lower): Deleted.
1180         * b3/B3PatchpointSpecial.cpp:
1181         (JSC::B3::PatchpointSpecial::generate):
1182         * b3/B3ReduceDoubleToFloat.cpp:
1183         (JSC::B3::reduceDoubleToFloat):
1184         * b3/B3ReduceStrength.cpp:
1185         * b3/B3StackmapGenerationParams.cpp:
1186         * b3/B3StackmapSpecial.cpp:
1187         (JSC::B3::StackmapSpecial::repsImpl):
1188         (JSC::B3::StackmapSpecial::repForArg):
1189         * b3/air/AirAllocateStackByGraphColoring.cpp:
1190         (JSC::B3::Air::allocateStackByGraphColoring):
1191         * b3/air/AirEmitShuffle.cpp:
1192         (JSC::B3::Air::emitShuffle):
1193         * b3/air/AirFixObviousSpills.cpp:
1194         * b3/air/AirLowerAfterRegAlloc.cpp:
1195         (JSC::B3::Air::lowerAfterRegAlloc):
1196         * b3/air/AirStackAllocation.cpp:
1197         (JSC::B3::Air::attemptAssignment):
1198         (JSC::B3::Air::assign):
1199         * bytecode/AccessCase.cpp:
1200         (JSC::AccessCase::generateImpl):
1201         * bytecode/CallLinkStatus.cpp:
1202         (JSC::CallLinkStatus::computeDFGStatuses):
1203         * bytecode/GetterSetterAccessCase.cpp:
1204         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
1205         * bytecode/ObjectPropertyConditionSet.cpp:
1206         * bytecode/PolymorphicAccess.cpp:
1207         (JSC::PolymorphicAccess::addCases):
1208         (JSC::PolymorphicAccess::regenerate):
1209         * bytecode/PropertyCondition.cpp:
1210         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1211         * bytecode/StructureStubInfo.cpp:
1212         (JSC::StructureStubInfo::addAccessCase):
1213         * dfg/DFGArgumentsEliminationPhase.cpp:
1214         * dfg/DFGByteCodeParser.cpp:
1215         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
1216         (JSC::DFG::ByteCodeParser::inliningCost):
1217         (JSC::DFG::ByteCodeParser::inlineCall):
1218         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1219         (JSC::DFG::ByteCodeParser::handleInlining):
1220         (JSC::DFG::ByteCodeParser::planLoad):
1221         (JSC::DFG::ByteCodeParser::store):
1222         (JSC::DFG::ByteCodeParser::parseBlock):
1223         (JSC::DFG::ByteCodeParser::linkBlock):
1224         (JSC::DFG::ByteCodeParser::linkBlocks):
1225         * dfg/DFGCSEPhase.cpp:
1226         * dfg/DFGInPlaceAbstractState.cpp:
1227         (JSC::DFG::InPlaceAbstractState::merge):
1228         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1229         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1230         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1231         * dfg/DFGMovHintRemovalPhase.cpp:
1232         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1233         * dfg/DFGPhantomInsertionPhase.cpp:
1234         * dfg/DFGPutStackSinkingPhase.cpp:
1235         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1236         * dfg/DFGVarargsForwardingPhase.cpp:
1237         * ftl/FTLAbstractHeap.cpp:
1238         (JSC::FTL::AbstractHeap::compute):
1239         * ftl/FTLAbstractHeapRepository.cpp:
1240         (JSC::FTL::AbstractHeapRepository::decorateMemory):
1241         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
1242         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
1243         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
1244         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
1245         (JSC::FTL::AbstractHeapRepository::decorateFenceRead):
1246         (JSC::FTL::AbstractHeapRepository::decorateFenceWrite):
1247         (JSC::FTL::AbstractHeapRepository::decorateFencedAccess):
1248         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
1249         * ftl/FTLLink.cpp:
1250         (JSC::FTL::link):
1251         * heap/MarkingConstraintSet.cpp:
1252         (JSC::MarkingConstraintSet::add):
1253         * interpreter/ShadowChicken.cpp:
1254         (JSC::ShadowChicken::update):
1255         * jit/BinarySwitch.cpp:
1256         (JSC::BinarySwitch::BinarySwitch):
1257         (JSC::BinarySwitch::build):
1258         * llint/LLIntData.cpp:
1259         (JSC::LLInt::Data::loadStats):
1260         (JSC::LLInt::Data::saveStats):
1261         * runtime/ArrayPrototype.cpp:
1262         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
1263         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
1264         * runtime/ErrorInstance.cpp:
1265         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
1266         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
1267         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame const): Deleted.
1268         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index const): Deleted.
1269         * runtime/IntlDateTimeFormat.cpp:
1270         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1271         * runtime/PromiseDeferredTimer.cpp:
1272         (JSC::PromiseDeferredTimer::doWork):
1273         (JSC::PromiseDeferredTimer::addPendingPromise):
1274         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1275         * runtime/TypeProfiler.cpp:
1276         (JSC::TypeProfiler::insertNewLocation):
1277         * runtime/TypeProfilerLog.cpp:
1278         (JSC::TypeProfilerLog::processLogEntries):
1279         * runtime/WeakMapPrototype.cpp:
1280         (JSC::protoFuncWeakMapDelete):
1281         (JSC::protoFuncWeakMapGet):
1282         (JSC::protoFuncWeakMapHas):
1283         (JSC::protoFuncWeakMapSet):
1284         (JSC::getWeakMapData): Deleted.
1285         * runtime/WeakSetPrototype.cpp:
1286         (JSC::protoFuncWeakSetDelete):
1287         (JSC::protoFuncWeakSetHas):
1288         (JSC::protoFuncWeakSetAdd):
1289         (JSC::getWeakMapData): Deleted.
1290         * testRegExp.cpp:
1291         (testOneRegExp):
1292         (runFromFiles):
1293         * wasm/WasmB3IRGenerator.cpp:
1294         (JSC::Wasm::parseAndCompile):
1295         * wasm/WasmBBQPlan.cpp:
1296         (JSC::Wasm::BBQPlan::moveToState):
1297         (JSC::Wasm::BBQPlan::parseAndValidateModule):
1298         (JSC::Wasm::BBQPlan::prepare):
1299         (JSC::Wasm::BBQPlan::compileFunctions):
1300         (JSC::Wasm::BBQPlan::complete):
1301         * wasm/WasmFaultSignalHandler.cpp:
1302         (JSC::Wasm::trapHandler):
1303         * wasm/WasmOMGPlan.cpp:
1304         (JSC::Wasm::OMGPlan::OMGPlan):
1305         (JSC::Wasm::OMGPlan::work):
1306         * wasm/WasmPlan.cpp:
1307         (JSC::Wasm::Plan::fail):
1308         * wasm/WasmSignature.cpp:
1309         (JSC::Wasm::SignatureInformation::adopt):
1310         * wasm/WasmWorklist.cpp:
1311         (JSC::Wasm::Worklist::enqueue):
1312
1313 2017-09-12  Michael Saboff  <msaboff@apple.com>
1314
1315         String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp
1316         https://bugs.webkit.org/show_bug.cgi?id=176814
1317
1318         Reviewed by Mark Lam.
1319
1320         The copy and advance indices were off by one and needed a little fine tuning.
1321
1322         * runtime/StringPrototype.cpp:
1323         (JSC::substituteBackreferencesSlow):
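        An added example (not JavaScriptCore code and not part of this ChangeLog entry) showing the
        "$<name>" replacement semantics this fix is about: a JavaScript reference implementation of the
        ECMAScript GetSubstitution expansion, checked against the engine's own String.prototype.replace.
        Function names and the constructed input strings are the example's own; the reference handles
        only the single-match (non-global) case.

```javascript
// Added example, not JavaScriptCore code: a reference implementation of the
// ECMAScript GetSubstitution template expansion (the algorithm that JSC's
// substituteBackreferencesSlow implements), used to check the built-in
// String.prototype.replace on the "$<name>" cases the fix above concerns.
// Only the single-match (non-global) case is handled.

function getSubstitution(matched, str, position, captures, namedCaptures, template) {
  const tailPos = position + matched.length;
  const isDigit = (ch) => ch !== undefined && ch >= '0' && ch <= '9';
  let result = '';
  for (let i = 0; i < template.length; i++) {
    const c = template[i];
    if (c !== '$' || i + 1 >= template.length) { result += c; continue; }
    const n = template[i + 1];
    if (n === '$') { result += '$'; i += 1; }
    else if (n === '&') { result += matched; i += 1; }
    else if (n === '`') { result += str.slice(0, position); i += 1; }
    else if (n === "'") { result += str.slice(tailPos); i += 1; }
    else if (isDigit(n)) {
      // "$nn" wins when it names an existing group, else "$n", else a literal "$".
      let digits = n;
      const n2 = template[i + 2];
      if (isDigit(n2) && Number(n + n2) >= 1 && Number(n + n2) <= captures.length) digits = n + n2;
      const index = Number(digits);
      if (index >= 1 && index <= captures.length) {
        result += captures[index - 1] === undefined ? '' : captures[index - 1];
        i += digits.length;
      } else {
        result += '$'; // no such group: copy "$" and let the digits follow literally
      }
    } else if (n === '<') {
      // Without named groups in the pattern "$<" is literal text: exactly one '<'.
      if (namedCaptures === undefined) { result += '$'; continue; }
      const close = template.indexOf('>', i + 2);
      if (close === -1) { result += '$'; continue; }
      const value = namedCaptures[template.slice(i + 2, close)];
      result += value === undefined ? '' : String(value); // unknown name -> ""
      i = close;
    } else {
      result += '$'; // "$" followed by anything else is literal
    }
  }
  return result;
}

// Expand the template for the first match of `re` in `str`, spec style.
function replaceViaReference(str, re, template) {
  const m = re.exec(str);
  if (m === null) return str;
  const expansion = getSubstitution(m[0], str, m.index, m.slice(1), m.groups, template);
  return str.slice(0, m.index) + expansion + str.slice(m.index + m[0].length);
}

// Compare the engine's String.prototype.replace with the reference expansion.
function checkAgainstBuiltin(str, re, template) {
  const builtin = str.replace(re, template);
  const reference = replaceViaReference(str, re, template);
  return { builtin, reference, agree: builtin === reference };
}

// Constructed cases; the first one is the shape of the bug fixed above.
const namedRefCases = [
  ['abc', /b/, '[$<mid>]'],                                           // no named groups -> "a[$<mid>]c"
  ['abc', /(?<mid>b)/, '[$<mid>]'],                                   // named group     -> "a[b]c"
  ['abc', /(?<mid>b)/, '[$<nope>]'],                                  // unknown name    -> "a[]c"
  ['2017-09-12', /(?<y>\d{4})-(\d{2})-(?<d>\d{2})/, '$<d>/$2/$<y>'],  // mixed refs      -> "12/09/2017"
  ['abc', /(b)/, '$$$&$12$0'],                                        // "$$", "$&", "$1"+"2", literal "$0"
];

function runNamedRefCases() {
  return namedRefCases.map(([str, re, template]) => checkAgainstBuiltin(str, re, template));
}
```

        Running runNamedRefCases() against a spec-conforming engine yields agree === true for every
        case; a result with two '<' characters in the first case is the symptom this patch removes.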
1324
1325 2017-09-11  Mark Lam  <mark.lam@apple.com>
1326
1327         More exception check book-keeping needed found by 32-bit JSC test failures.
1328         https://bugs.webkit.org/show_bug.cgi?id=176742
1329
1330         Reviewed by Michael Saboff and Keith Miller.
1331
1332         * dfg/DFGOperations.cpp:
1333
1334 2017-09-11  Mark Lam  <mark.lam@apple.com>
1335
1336         Make jsc dump the command line if JSC_dumpOption environment variable is set with a non-zero value.
1337         https://bugs.webkit.org/show_bug.cgi?id=176722
1338
1339         Reviewed by Saam Barati.
1340
1341         For PLATFORM(COCOA), I also dumped the JSC_* environment variables that are
1342         in effect when jsc is invoked.
1343
1344         * jsc.cpp:
1345         (CommandLine::parseArguments):
1346
1347 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
1348
1349         Unreviewed, rolling out r221854.
1350
1351         The test added with this change fails on 32-bit JSC bots.
1352
1353         Reverted changeset:
1354
1355         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
1356         https://bugs.webkit.org/show_bug.cgi?id=176010
1357         http://trac.webkit.org/changeset/221854
1358
1359 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1360
1361         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
1362         https://bugs.webkit.org/show_bug.cgi?id=176010
1363
1364         Reviewed by Filip Pizlo.
1365
1366         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
1367         It is used for meta property for objects (see peekMeta function in Ember.js).
1368
1369         This patch optimizes WeakMap#get.
1370
1371         1. We use inlineGet to inline WeakMap#get operation in the native function.
1372         Since this native function itself is very small, we should inline HashMap#get
1373         entirely in this function.
1374
1375         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
1376         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
1377         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
1378         ObjectUse, and Int32Use.
1379
1380         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
1381         calculate hash value for the key's Object and use this hash value to look up value from
1382         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
1383         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
1384         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
1385         patches.
1386
1387         We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
1388         not used in Ember.js right now.
1389
1390         This patch optimizes WeakMap#get by 50%.
1391
1392                                  baseline                  patched
1393
1394         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
1395
1396         * bytecode/DirectEvalCodeCache.h:
1397         (JSC::DirectEvalCodeCache::tryGet):
1398         * bytecode/SpeculatedType.cpp:
1399         (JSC::dumpSpeculation):
1400         (JSC::speculationFromClassInfo):
1401         (JSC::speculationFromJSType):
1402         (JSC::speculationFromString):
1403         * bytecode/SpeculatedType.h:
1404         * dfg/DFGAbstractInterpreterInlines.h:
1405         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1406         * dfg/DFGByteCodeParser.cpp:
1407         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1408         * dfg/DFGClobberize.h:
1409         (JSC::DFG::clobberize):
1410         * dfg/DFGDoesGC.cpp:
1411         (JSC::DFG::doesGC):
1412         * dfg/DFGFixupPhase.cpp:
1413         (JSC::DFG::FixupPhase::fixupNode):
1414         * dfg/DFGHeapLocation.cpp:
1415         (WTF::printInternal):
1416         * dfg/DFGHeapLocation.h:
1417         * dfg/DFGNode.h:
1418         (JSC::DFG::Node::hasHeapPrediction):
1419         * dfg/DFGNodeType.h:
1420         * dfg/DFGOperations.cpp:
1421         * dfg/DFGOperations.h:
1422         * dfg/DFGPredictionPropagationPhase.cpp:
1423         * dfg/DFGSafeToExecute.h:
1424         (JSC::DFG::SafeToExecuteEdge::operator()):
1425         (JSC::DFG::safeToExecute):
1426         * dfg/DFGSpeculativeJIT.cpp:
1427         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
1428         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
1429         (JSC::DFG::SpeculativeJIT::speculate):
1430         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
1431         * dfg/DFGSpeculativeJIT.h:
1432         (JSC::DFG::SpeculativeJIT::callOperation):
1433         * dfg/DFGSpeculativeJIT32_64.cpp:
1434         (JSC::DFG::SpeculativeJIT::compile):
1435         * dfg/DFGSpeculativeJIT64.cpp:
1436         (JSC::DFG::SpeculativeJIT::compile):
1437         * dfg/DFGUseKind.cpp:
1438         (WTF::printInternal):
1439         * dfg/DFGUseKind.h:
1440         (JSC::DFG::typeFilterFor):
1441         (JSC::DFG::isCell):
1442         * ftl/FTLCapabilities.cpp:
1443         (JSC::FTL::canCompile):
1444         * ftl/FTLLowerDFGToB3.cpp:
1445         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1446         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
1447         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
1448         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
1449         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1450         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
1451         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
1452         * jit/JITOperations.h:
1453         * runtime/Intrinsic.cpp:
1454         (JSC::intrinsicName):
1455         * runtime/Intrinsic.h:
1456         * runtime/JSType.h:
1457         * runtime/JSWeakMap.h:
1458         (JSC::isJSWeakMap):
1459         * runtime/JSWeakSet.h:
1460         (JSC::isJSWeakSet):
1461         * runtime/WeakMapBase.cpp:
1462         (JSC::WeakMapBase::get):
1463         * runtime/WeakMapBase.h:
1464         (JSC::WeakMapBase::HashTranslator::hash):
1465         (JSC::WeakMapBase::HashTranslator::equal):
1466         (JSC::WeakMapBase::inlineGet):
1467         * runtime/WeakMapPrototype.cpp:
1468         (JSC::WeakMapPrototype::finishCreation):
1469         (JSC::getWeakMap):
1470         (JSC::protoFuncWeakMapGet):
1471         * runtime/WeakSetPrototype.cpp:
1472         (JSC::getWeakSet):
1473
1474 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1475
1476         [JSC] Optimize Object.keys by using careful array allocation
1477         https://bugs.webkit.org/show_bug.cgi?id=176654
1478
1479         Reviewed by Darin Adler.
1480
1481         SixSpeed object-assign.es6 stresses Object.keys. Object.keys is one of the frequently used
1482         functions in JS apps. Luckily Object.keys has several good features.
1483
1484         1. Once PropertyNameArray is allocated, we know the length of the result array since
1485         we do not need to filter out keys listed in PropertyNameArray. The exception is ProxyObject,
1486         but it rarely appears. ProxyObject case goes to the generic path.
1487
1488         2. Object.keys does not need to access object after listing PropertyNameArray. It means
1489         that we do not need to worry about enumeration attribute change by touching object.
1490
1491         This patch adds a fast path for Object.keys's array allocation. We allocate the JSArray
1492         with the size and ArrayContiguous indexing shape.
1493
1494         This further improves SixSpeed object-assign.es5 by 13%.
1495
1496                                             baseline                  patched
1497         Microbenchmarks:
1498            object-keys-map-values       73.4324+-2.5397     ^     62.5933+-2.6677        ^ definitely 1.1732x faster
1499            object-keys                  40.8828+-1.5851     ^     29.2066+-1.8944        ^ definitely 1.3998x faster
1500
1501                                             baseline                  patched
1502         SixSpeed:
1503            object-assign.es5           384.8719+-10.7204    ^    340.2734+-12.0947       ^ definitely 1.1311x faster
1504
1505         BTW, the further optimization of Object.keys can be considered: introducing own property keys
1506         cache which is similar to the current enumeration cache. But this patch is orthogonal to
1507         this optimization!
1508
1509         * runtime/ObjectConstructor.cpp:
1510         (JSC::objectConstructorValues):
1511         (JSC::ownPropertyKeys):
1512         * runtime/ObjectConstructor.h:
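        An added example (not JavaScriptCore code and not part of this ChangeLog entry) demonstrating
        the two properties the fast path relies on: an ordinary object cannot run user code between
        listing its keys and filling the result, whereas a Proxy consults its getOwnPropertyDescriptor
        trap once per string key after ownKeys and may still drop keys, so its result length is not
        known up front. Function names and the sample objects are constructed for the example.

```javascript
// Added example, not JavaScriptCore code: what makes Object.keys safe to
// preallocate for ordinary objects, and why a Proxy has to take the generic
// path. The traps below are constructed to log every call Object.keys makes.

// A Proxy whose getOwnPropertyDescriptor trap hides the keys listed in `hidden`.
// Object.keys must consult that trap once per string key after ownKeys, so the
// length of the result is unknown until the last trap has returned.
function traceProxyKeys(target, hidden = []) {
  const log = [];
  const proxy = new Proxy(target, {
    ownKeys(t) {
      log.push('ownKeys');
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      const desc = Reflect.getOwnPropertyDescriptor(t, key);
      // Reporting a configurable property as non-enumerable satisfies the Proxy
      // invariants and drops the key from the Object.keys result.
      if (desc && desc.configurable && hidden.includes(key)) desc.enumerable = false;
      return desc;
    },
  });
  return { keys: Object.keys(proxy), log };
}

// Ordinary object: Object.keys never reads property values, so a getter is not
// invoked and no user code can change enumerability mid-enumeration.
// Object.values does read values, and a getter can change what follows it.
function keysVersusValues() {
  let getterCalls = 0;
  const obj = {
    get a() {
      getterCalls += 1;
      Object.defineProperty(obj, 'b', { enumerable: false });
      return 1;
    },
    b: 2,
  };
  const keys = Object.keys(obj);      // ['a', 'b']; the getter is not called
  const keysGetterCalls = getterCalls; // still 0
  const values = Object.values(obj);  // getter runs and hides 'b' -> [1]
  return { keys, keysGetterCalls, values };
}
```

        traceProxyKeys({ a: 1, b: 2, secret: 3 }, ['secret']) returns keys ['a', 'b'] with a log of
        one ownKeys call followed by one getOwnPropertyDescriptor call per key, which is exactly the
        user code the fast path must never let run for ordinary objects.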
1513
1514 2017-09-10  Mark Lam  <mark.lam@apple.com>
1515
1516         Fix all ExceptionScope verification failures in JavaScriptCore.
1517         https://bugs.webkit.org/show_bug.cgi?id=176662
1518         <rdar://problem/34352085>
1519
1520         Reviewed by Filip Pizlo.
1521
1522         1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope
1523            verification for release builds too (though this requires manually setting
1524            ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).
1525
1526            This is useful because it allows us to run the tests more quickly to check
1527            if any regressions have occurred.  Debug builds run so much slower and are not
1528            good for a quick turnaround.  Debug builds are necessary though to get
1529            trace information without inlining by the C++ compiler.  This is necessary to
1530            diagnose where the missing exception check is.
1531
1532         2. Repurposed the JSC_dumpSimulatedThrows=true option to capture and dump the last
1533            simulated throw when an exception scope verification fails.
1534
1535            Previously, this option dumped the stack trace on all simulated throws.  That
1536            turned out to not be very useful, and slows down the debugging process.
1537            Instead, the new implementation captures the stack trace and only dumps it
1538            if we have a verification failure.
1539
1540         3. Fixed missing exception checks and book-keeping needed to allow the JSC tests
1541            to pass with JSC_validateExceptionChecks=true.
1542
1543         * bytecode/CodeBlock.cpp:
1544         (JSC::CodeBlock::finishCreation):
1545         * dfg/DFGOSRExit.cpp:
1546         (JSC::DFG::OSRExit::executeOSRExit):
1547         * dfg/DFGOperations.cpp:
1548         * interpreter/Interpreter.cpp:
1549         (JSC::eval):
1550         (JSC::loadVarargs):
1551         (JSC::Interpreter::unwind):
1552         (JSC::Interpreter::executeProgram):
1553         (JSC::Interpreter::executeCall):
1554         (JSC::Interpreter::executeConstruct):
1555         (JSC::Interpreter::prepareForRepeatCall):
1556         (JSC::Interpreter::execute):
1557         (JSC::Interpreter::executeModuleProgram):
1558         * jit/JITOperations.cpp:
1559         (JSC::getByVal):
1560         * jsc.cpp:
1561         (WTF::CustomGetter::customGetterAcessor):
1562         (GlobalObject::moduleLoaderImportModule):
1563         (GlobalObject::moduleLoaderResolve):
1564         * llint/LLIntSlowPaths.cpp:
1565         (JSC::LLInt::getByVal):
1566         (JSC::LLInt::setUpCall):
1567         * parser/Parser.h:
1568         (JSC::Parser::popScopeInternal):
1569         * runtime/AbstractModuleRecord.cpp:
1570         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1571         (JSC::AbstractModuleRecord::resolveImport):
1572         (JSC::AbstractModuleRecord::resolveExportImpl):
1573         (JSC::getExportedNames):
1574         (JSC::AbstractModuleRecord::getModuleNamespace):
1575         * runtime/ArrayPrototype.cpp:
1576         (JSC::getProperty):
1577         (JSC::unshift):
1578         (JSC::arrayProtoFuncToString):
1579         (JSC::arrayProtoFuncToLocaleString):
1580         (JSC::arrayProtoFuncJoin):
1581         (JSC::arrayProtoFuncPop):
1582         (JSC::arrayProtoFuncPush):
1583         (JSC::arrayProtoFuncReverse):
1584         (JSC::arrayProtoFuncShift):
1585         (JSC::arrayProtoFuncSlice):
1586         (JSC::arrayProtoFuncSplice):
1587         (JSC::arrayProtoFuncUnShift):
1588         (JSC::arrayProtoFuncIndexOf):
1589         (JSC::arrayProtoFuncLastIndexOf):
1590         (JSC::concatAppendOne):
1591         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1592         (JSC::arrayProtoPrivateFuncAppendMemcpy):
1593         * runtime/CatchScope.h:
1594         * runtime/CommonSlowPaths.cpp:
1595         (JSC::SLOW_PATH_DECL):
1596         * runtime/DatePrototype.cpp:
1597         (JSC::dateProtoFuncSetTime):
1598         (JSC::setNewValueFromTimeArgs):
1599         * runtime/DirectArguments.h:
1600         (JSC::DirectArguments::length const):
1601         * runtime/ErrorPrototype.cpp:
1602         (JSC::errorProtoFuncToString):
1603         * runtime/ExceptionFuzz.cpp:
1604         (JSC::doExceptionFuzzing):
1605         * runtime/ExceptionScope.h:
1606         (JSC::ExceptionScope::needExceptionCheck):
1607         (JSC::ExceptionScope::assertNoException):
1608         * runtime/GenericArgumentsInlines.h:
1609         (JSC::GenericArguments<Type>::defineOwnProperty):
1610         * runtime/HashMapImpl.h:
1611         (JSC::HashMapImpl::rehash):
1612         * runtime/IntlDateTimeFormat.cpp:
1613         (JSC::IntlDateTimeFormat::formatToParts):
1614         * runtime/JSArray.cpp:
1615         (JSC::JSArray::defineOwnProperty):
1616         (JSC::JSArray::put):
1617         * runtime/JSCJSValue.cpp:
1618         (JSC::JSValue::putToPrimitive):
1619         (JSC::JSValue::putToPrimitiveByIndex):
1620         * runtime/JSCJSValueInlines.h:
1621         (JSC::JSValue::toIndex const):
1622         (JSC::JSValue::get const):
1623         (JSC::JSValue::getPropertySlot const):
1624         (JSC::JSValue::equalSlowCaseInline):
1625         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1626         (JSC::constructGenericTypedArrayViewFromIterator):
1627         (JSC::constructGenericTypedArrayViewWithArguments):
1628         * runtime/JSGenericTypedArrayViewInlines.h:
1629         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1630         * runtime/JSGlobalObject.cpp:
1631         (JSC::JSGlobalObject::put):
1632         * runtime/JSGlobalObjectFunctions.cpp:
1633         (JSC::decode):
1634         (JSC::globalFuncEval):
1635         (JSC::globalFuncProtoGetter):
1636         (JSC::globalFuncProtoSetter):
1637         (JSC::globalFuncImportModule):
1638         * runtime/JSInternalPromise.cpp:
1639         (JSC::JSInternalPromise::then):
1640         * runtime/JSInternalPromiseDeferred.cpp:
1641         (JSC::JSInternalPromiseDeferred::create):
1642         * runtime/JSJob.cpp:
1643         (JSC::JSJobMicrotask::run):
1644         * runtime/JSModuleEnvironment.cpp:
1645         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1646         (JSC::JSModuleEnvironment::put):
1647         (JSC::JSModuleEnvironment::deleteProperty):
1648         * runtime/JSModuleLoader.cpp:
1649         (JSC::JSModuleLoader::provide):
1650         (JSC::JSModuleLoader::loadAndEvaluateModule):
1651         (JSC::JSModuleLoader::loadModule):
1652         (JSC::JSModuleLoader::linkAndEvaluateModule):
1653         (JSC::JSModuleLoader::requestImportModule):
1654         * runtime/JSModuleRecord.cpp:
1655         (JSC::JSModuleRecord::link):
1656         (JSC::JSModuleRecord::instantiateDeclarations):
1657         * runtime/JSONObject.cpp:
1658         (JSC::Stringifier::stringify):
1659         (JSC::Stringifier::toJSON):
1660         (JSC::JSONProtoFuncParse):
1661         * runtime/JSObject.cpp:
1662         (JSC::JSObject::calculatedClassName):
1663         (JSC::ordinarySetSlow):
1664         (JSC::JSObject::putInlineSlow):
1665         (JSC::JSObject::ordinaryToPrimitive const):
1666         (JSC::JSObject::toPrimitive const):
1667         (JSC::JSObject::hasInstance):
1668         (JSC::JSObject::getPropertyNames):
1669         (JSC::JSObject::toNumber const):
1670         (JSC::JSObject::defineOwnIndexedProperty):
1671         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1672         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1673         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1674         (JSC::validateAndApplyPropertyDescriptor):
1675         (JSC::JSObject::defineOwnNonIndexProperty):
1676         (JSC::JSObject::getGenericPropertyNames):
1677         * runtime/JSObject.h:
1678         (JSC::JSObject::get const):
1679         * runtime/JSObjectInlines.h:
1680         (JSC::JSObject::getPropertySlot const):
1681         (JSC::JSObject::getPropertySlot):
1682         (JSC::JSObject::getNonIndexPropertySlot):
1683         (JSC::JSObject::putInlineForJSObject):
1684         * runtime/JSPromiseConstructor.cpp:
1685         (JSC::constructPromise):
1686         * runtime/JSPromiseDeferred.cpp:
1687         (JSC::JSPromiseDeferred::create):
1688         * runtime/JSScope.cpp:
1689         (JSC::abstractAccess):
1690         (JSC::JSScope::resolve):
1691         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
1692         (JSC::JSScope::abstractResolve):
1693         * runtime/LiteralParser.cpp:
1694         (JSC::LiteralParser<CharType>::tryJSONPParse):
1695         (JSC::LiteralParser<CharType>::parse):
1696         * runtime/Lookup.h:
1697         (JSC::putEntry):
1698         * runtime/MapConstructor.cpp:
1699         (JSC::constructMap):
1700         * runtime/NumberPrototype.cpp:
1701         (JSC::numberProtoFuncToString):
1702         * runtime/ObjectConstructor.cpp:
1703         (JSC::objectConstructorSetPrototypeOf):
1704         (JSC::objectConstructorGetOwnPropertyDescriptor):
1705         (JSC::objectConstructorGetOwnPropertyDescriptors):
1706         (JSC::objectConstructorAssign):
1707         (JSC::objectConstructorValues):
1708         (JSC::toPropertyDescriptor):
1709         (JSC::objectConstructorDefineProperty):
1710         (JSC::defineProperties):
1711         (JSC::objectConstructorDefineProperties):
1712         (JSC::ownPropertyKeys):
1713         * runtime/ObjectPrototype.cpp:
1714         (JSC::objectProtoFuncHasOwnProperty):
1715         (JSC::objectProtoFuncIsPrototypeOf):
1716         (JSC::objectProtoFuncLookupGetter):
1717         (JSC::objectProtoFuncLookupSetter):
1718         (JSC::objectProtoFuncToLocaleString):
1719         (JSC::objectProtoFuncToString):
1720         * runtime/Options.h:
1721         * runtime/ParseInt.h:
1722         (JSC::toStringView):
1723         * runtime/ProxyObject.cpp:
1724         (JSC::performProxyGet):
1725         (JSC::ProxyObject::performPut):
1726         * runtime/ReflectObject.cpp:
1727         (JSC::reflectObjectDefineProperty):
1728         * runtime/RegExpConstructor.cpp:
1729         (JSC::toFlags):
1730         (JSC::regExpCreate):
1731         (JSC::constructRegExp):
1732         * runtime/RegExpObject.cpp:
1733         (JSC::collectMatches):
1734         * runtime/RegExpObjectInlines.h:
1735         (JSC::RegExpObject::execInline):
1736         (JSC::RegExpObject::matchInline):
1737         * runtime/RegExpPrototype.cpp:
1738         (JSC::regExpProtoFuncTestFast):
1739         (JSC::regExpProtoFuncExec):
1740         (JSC::regExpProtoFuncMatchFast):
1741         (JSC::regExpProtoFuncToString):
1742         (JSC::regExpProtoFuncSplitFast):
1743         * runtime/ScriptExecutable.cpp:
1744         (JSC::ScriptExecutable::newCodeBlockFor):
1745         (JSC::ScriptExecutable::prepareForExecutionImpl):
1746         * runtime/SetConstructor.cpp:
1747         (JSC::constructSet):
1748         * runtime/ThrowScope.cpp:
1749         (JSC::ThrowScope::simulateThrow):
1750         * runtime/VM.cpp:
1751         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1752         * runtime/VM.h:
1753         * runtime/WeakMapPrototype.cpp:
1754         (JSC::protoFuncWeakMapSet):
1755         * runtime/WeakSetPrototype.cpp:
1756         (JSC::protoFuncWeakSetAdd):
1757         * wasm/js/WebAssemblyModuleConstructor.cpp:
1758         (JSC::WebAssemblyModuleConstructor::createModule):
1759         * wasm/js/WebAssemblyModuleRecord.cpp:
1760         (JSC::WebAssemblyModuleRecord::link):
1761         * wasm/js/WebAssemblyPrototype.cpp:
1762         (JSC::reject):
1763         (JSC::webAssemblyCompileFunc):
1764         (JSC::resolve):
1765         (JSC::webAssemblyInstantiateFunc):
1766
1767 2017-09-08  Filip Pizlo  <fpizlo@apple.com>
1768
1769         Error should compute .stack and friends lazily
1770         https://bugs.webkit.org/show_bug.cgi?id=176645
1771
1772         Reviewed by Saam Barati.
1773         
1774         Building the string portion of the stack trace after we walk the stack accounts for most of
1775         the cost of computing the .stack property. So, this patch makes ErrorInstance hold onto the
1776         Vector<StackFrame> so that it can build the string only once it's really needed.
1777         
1778         This is an enormous speed-up for programs that allocate and throw exceptions.
1779         
1780         It's a 5.6x speed-up for "new Error()" with a stack that is 4 functions deep.
1781         
1782         It's a 2.2x speed-up for throwing and catching an Error.
1783         
1784         It's a 1.17x speed-up for the WSL test suite (which throws a lot).
1785         
1786         It's a significant speed-up on many of our existing try-catch microbenchmarks. For example,
1787         delta-blue-try-catch is 1.16x faster.
1788
1789         * interpreter/Interpreter.cpp:
1790         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
1791         (JSC::GetStackTraceFunctor::operator() const):
1792         (JSC::Interpreter::getStackTrace):
1793         * interpreter/Interpreter.h:
1794         * runtime/Error.cpp:
1795         (JSC::getStackTrace):
1796         (JSC::getBytecodeOffset):
1797         (JSC::addErrorInfo):
1798         (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
1799         * runtime/Error.h:
1800         * runtime/ErrorInstance.cpp:
1801         (JSC::ErrorInstance::ErrorInstance):
1802         (JSC::ErrorInstance::finishCreation):
1803         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1804         (JSC::ErrorInstance::visitChildren):
1805         (JSC::ErrorInstance::getOwnPropertySlot):
1806         (JSC::ErrorInstance::getOwnNonIndexPropertyNames):
1807         (JSC::ErrorInstance::defineOwnProperty):
1808         (JSC::ErrorInstance::put):
1809         (JSC::ErrorInstance::deleteProperty):
1810         * runtime/ErrorInstance.h:
1811         * runtime/Exception.cpp:
1812         (JSC::Exception::visitChildren):
1813         (JSC::Exception::finishCreation):
1814         * runtime/Exception.h:
1815         * runtime/StackFrame.cpp:
1816         (JSC::StackFrame::visitChildren):
1817         * runtime/StackFrame.h:
1818         (JSC::StackFrame::StackFrame):
1819
1820 2017-09-09  Mark Lam  <mark.lam@apple.com>
1821
1822         [Re-landing] Use JIT probes for DFG OSR exit.
1823         https://bugs.webkit.org/show_bug.cgi?id=175144
1824         <rdar://problem/33437050>
1825
1826         Not reviewed.  Original patch reviewed by Saam Barati.
1827
1828         Relanding r221774.
1829
1830         * JavaScriptCore.xcodeproj/project.pbxproj:
1831         * assembler/MacroAssembler.cpp:
1832         (JSC::stdFunctionCallback):
1833         * assembler/MacroAssemblerPrinter.cpp:
1834         (JSC::Printer::printCallback):
1835         * assembler/ProbeContext.h:
1836         (JSC::Probe::CPUState::gpr const):
1837         (JSC::Probe::CPUState::spr const):
1838         (JSC::Probe::Context::Context):
1839         (JSC::Probe::Context::arg):
1840         (JSC::Probe::Context::gpr):
1841         (JSC::Probe::Context::spr):
1842         (JSC::Probe::Context::fpr):
1843         (JSC::Probe::Context::gprName):
1844         (JSC::Probe::Context::sprName):
1845         (JSC::Probe::Context::fprName):
1846         (JSC::Probe::Context::gpr const):
1847         (JSC::Probe::Context::spr const):
1848         (JSC::Probe::Context::fpr const):
1849         (JSC::Probe::Context::pc):
1850         (JSC::Probe::Context::fp):
1851         (JSC::Probe::Context::sp):
1852         (JSC::Probe:: const): Deleted.
1853         * assembler/ProbeFrame.h: Copied from Source/JavaScriptCore/assembler/ProbeFrame.h.
1854         * assembler/ProbeStack.cpp:
1855         (JSC::Probe::Page::Page):
1856         * assembler/ProbeStack.h:
1857         (JSC::Probe::Page::get):
1858         (JSC::Probe::Page::set):
1859         (JSC::Probe::Page::physicalAddressFor):
1860         (JSC::Probe::Stack::lowWatermark):
1861         (JSC::Probe::Stack::get):
1862         (JSC::Probe::Stack::set):
1863         * bytecode/ArithProfile.cpp:
1864         * bytecode/ArithProfile.h:
1865         * bytecode/ArrayProfile.h:
1866         (JSC::ArrayProfile::observeArrayMode):
1867         * bytecode/CodeBlock.cpp:
1868         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1869         * bytecode/CodeBlock.h:
1870         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
1871         * bytecode/ExecutionCounter.h:
1872         (JSC::ExecutionCounter::hasCrossedThreshold const):
1873         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
1874         * bytecode/MethodOfGettingAValueProfile.cpp:
1875         (JSC::MethodOfGettingAValueProfile::reportValue):
1876         * bytecode/MethodOfGettingAValueProfile.h:
1877         * dfg/DFGDriver.cpp:
1878         (JSC::DFG::compileImpl):
1879         * dfg/DFGJITCode.cpp:
1880         (JSC::DFG::JITCode::findPC): Deleted.
1881         * dfg/DFGJITCode.h:
1882         * dfg/DFGJITCompiler.cpp:
1883         (JSC::DFG::JITCompiler::linkOSRExits):
1884         (JSC::DFG::JITCompiler::link):
1885         * dfg/DFGOSRExit.cpp:
1886         (JSC::DFG::jsValueFor):
1887         (JSC::DFG::restoreCalleeSavesFor):
1888         (JSC::DFG::saveCalleeSavesFor):
1889         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
1890         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1891         (JSC::DFG::saveOrCopyCalleeSavesFor):
1892         (JSC::DFG::createDirectArgumentsDuringExit):
1893         (JSC::DFG::createClonedArgumentsDuringExit):
1894         (JSC::DFG::OSRExit::OSRExit):
1895         (JSC::DFG::emitRestoreArguments):
1896         (JSC::DFG::OSRExit::executeOSRExit):
1897         (JSC::DFG::reifyInlinedCallFrames):
1898         (JSC::DFG::adjustAndJumpToTarget):
1899         (JSC::DFG::printOSRExit):
1900         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
1901         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
1902         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
1903         (JSC::DFG::OSRExit::correctJump): Deleted.
1904         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
1905         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
1906         (JSC::DFG::OSRExit::compileExit): Deleted.
1907         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
1908         * dfg/DFGOSRExit.h:
1909         (JSC::DFG::OSRExitState::OSRExitState):
1910         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
1911         * dfg/DFGOSRExitCompilerCommon.cpp:
1912         * dfg/DFGOSRExitCompilerCommon.h:
1913         * dfg/DFGOperations.cpp:
1914         * dfg/DFGOperations.h:
1915         * dfg/DFGThunks.cpp:
1916         (JSC::DFG::osrExitThunkGenerator):
1917         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
1918         * dfg/DFGThunks.h:
1919         * jit/AssemblyHelpers.cpp:
1920         (JSC::AssemblyHelpers::debugCall): Deleted.
1921         * jit/AssemblyHelpers.h:
1922         * jit/JITOperations.cpp:
1923         * jit/JITOperations.h:
1924         * profiler/ProfilerOSRExit.h:
1925         (JSC::Profiler::OSRExit::incCount):
1926         * runtime/JSCJSValue.h:
1927         * runtime/JSCJSValueInlines.h:
1928         * runtime/VM.h:
1929
1930 2017-09-09  Ryan Haddad  <ryanhaddad@apple.com>
1931
1932         Unreviewed, rolling out r221774.
1933
1934         This change introduced three debug JSC test timeouts.
1935
1936         Reverted changeset:
1937
1938         "Use JIT probes for DFG OSR exit."
1939         https://bugs.webkit.org/show_bug.cgi?id=175144
1940         http://trac.webkit.org/changeset/221774
1941
1942 2017-09-09  Mark Lam  <mark.lam@apple.com>
1943
1944         Avoid duplicate computations of ExecState::vm().
1945         https://bugs.webkit.org/show_bug.cgi?id=176647
1946
1947         Reviewed by Saam Barati.
1948
1949         Because while computing ExecState::vm() is cheap, it is not free.
1950
1951         This patch also:
1952         1. gets rid of some convenience methods in CallFrame that implicitly do an
1953            ExecState::vm() computation.  This minimizes the chance of us accidentally
1954            computing ExecState::vm() more than necessary.
1955         2. passes vm (when available) to methodTable().
1956         3. passes vm (when available) to JSLockHolder.
1957
1958         * API/JSBase.cpp:
1959         (JSCheckScriptSyntax):
1960         (JSGarbageCollect):
1961         (JSReportExtraMemoryCost):
1962         (JSSynchronousGarbageCollectForDebugging):
1963         (JSSynchronousEdenCollectForDebugging):
1964         * API/JSCallbackConstructor.h:
1965         (JSC::JSCallbackConstructor::create):
1966         * API/JSCallbackObject.h:
1967         (JSC::JSCallbackObject::create):
1968         * API/JSContext.mm:
1969         (-[JSContext setException:]):
1970         * API/JSContextRef.cpp:
1971         (JSContextGetGlobalObject):
1972         (JSContextCreateBacktrace):
1973         * API/JSManagedValue.mm:
1974         (-[JSManagedValue value]):
1975         * API/JSObjectRef.cpp:
1976         (JSObjectMake):
1977         (JSObjectMakeFunctionWithCallback):
1978         (JSObjectMakeConstructor):
1979         (JSObjectMakeFunction):
1980         (JSObjectSetPrototype):
1981         (JSObjectHasProperty):
1982         (JSObjectGetProperty):
1983         (JSObjectSetProperty):
1984         (JSObjectSetPropertyAtIndex):
1985         (JSObjectDeleteProperty):
1986         (JSObjectGetPrivateProperty):
1987         (JSObjectSetPrivateProperty):
1988         (JSObjectDeletePrivateProperty):
1989         (JSObjectIsFunction):
1990         (JSObjectCallAsFunction):
1991         (JSObjectCallAsConstructor):
1992         (JSObjectCopyPropertyNames):
1993         (JSPropertyNameAccumulatorAddName):
1994         * API/JSScriptRef.cpp:
1995         * API/JSTypedArray.cpp:
1996         (JSValueGetTypedArrayType):
1997         (JSObjectMakeTypedArrayWithArrayBuffer):
1998         (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
1999         (JSObjectGetTypedArrayBytesPtr):
2000         (JSObjectGetTypedArrayBuffer):
2001         (JSObjectMakeArrayBufferWithBytesNoCopy):
2002         (JSObjectGetArrayBufferBytesPtr):
2003         * API/JSWeakObjectMapRefPrivate.cpp:
2004         * API/JSWrapperMap.mm:
2005         (constructorHasInstance):
2006         (makeWrapper):
2007         * API/ObjCCallbackFunction.mm:
2008         (objCCallbackFunctionForInvocation):
2009         * bytecode/CodeBlock.cpp:
2010         (JSC::CodeBlock::CodeBlock):
2011         (JSC::CodeBlock::jettison):
2012         * bytecode/CodeBlock.h:
2013         (JSC::CodeBlock::addConstant):
2014         (JSC::CodeBlock::replaceConstant):
2015         * bytecode/PutByIdStatus.cpp:
2016         (JSC::PutByIdStatus::computeFromLLInt):
2017         (JSC::PutByIdStatus::computeFor):
2018         * dfg/DFGDesiredWatchpoints.cpp:
2019         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2020         * dfg/DFGGraph.h:
2021         (JSC::DFG::Graph::globalThisObjectFor):
2022         * dfg/DFGOperations.cpp:
2023         * ftl/FTLOSRExitCompiler.cpp:
2024         (JSC::FTL::compileFTLOSRExit):
2025         * ftl/FTLOperations.cpp:
2026         (JSC::FTL::operationPopulateObjectInOSR):
2027         (JSC::FTL::operationMaterializeObjectInOSR):
2028         * heap/GCAssertions.h:
2029         * inspector/InjectedScriptHost.cpp:
2030         (Inspector::InjectedScriptHost::wrapper):
2031         * inspector/JSInjectedScriptHost.cpp:
2032         (Inspector::JSInjectedScriptHost::subtype):
2033         (Inspector::constructInternalProperty):
2034         (Inspector::JSInjectedScriptHost::getInternalProperties):
2035         (Inspector::JSInjectedScriptHost::weakMapEntries):
2036         (Inspector::JSInjectedScriptHost::weakSetEntries):
2037         (Inspector::JSInjectedScriptHost::iteratorEntries):
2038         * inspector/JSJavaScriptCallFrame.cpp:
2039         (Inspector::valueForScopeLocation):
2040         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2041         (Inspector::toJS):
2042         * inspector/ScriptCallStackFactory.cpp:
2043         (Inspector::extractSourceInformationFromException):
2044         (Inspector::createScriptArguments):
2045         * interpreter/CachedCall.h:
2046         (JSC::CachedCall::CachedCall):
2047         * interpreter/CallFrame.h:
2048         (JSC::ExecState::atomicStringTable const): Deleted.
2049         (JSC::ExecState::propertyNames const): Deleted.
2050         (JSC::ExecState::emptyList const): Deleted.
2051         (JSC::ExecState::interpreter): Deleted.
2052         (JSC::ExecState::heap): Deleted.
2053         * interpreter/Interpreter.cpp:
2054         (JSC::Interpreter::executeProgram):
2055         (JSC::Interpreter::execute):
2056         (JSC::Interpreter::executeModuleProgram):
2057         * jit/JIT.cpp:
2058         (JSC::JIT::privateCompileMainPass):
2059         * jit/JITOperations.cpp:
2060         * jit/JITWorklist.cpp:
2061         (JSC::JITWorklist::compileNow):
2062         * jsc.cpp:
2063         (WTF::RuntimeArray::create):
2064         (WTF::RuntimeArray::getOwnPropertySlot):
2065         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
2066         (WTF::DOMJITFunctionObject::unsafeFunction):
2067         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
2068         (GlobalObject::moduleLoaderFetch):
2069         (functionDumpCallFrame):
2070         (functionCreateRoot):
2071         (functionGetElement):
2072         (functionSetElementRoot):
2073         (functionCreateSimpleObject):
2074         (functionSetHiddenValue):
2075         (functionCreateProxy):
2076         (functionCreateImpureGetter):
2077         (functionCreateCustomGetterObject):
2078         (functionCreateDOMJITNodeObject):
2079         (functionCreateDOMJITGetterObject):
2080         (functionCreateDOMJITGetterComplexObject):
2081         (functionCreateDOMJITFunctionObject):
2082         (functionCreateDOMJITCheckSubClassObject):
2083         (functionGCAndSweep):
2084         (functionFullGC):
2085         (functionEdenGC):
2086         (functionHeapSize):
2087         (functionShadowChickenFunctionsOnStack):
2088         (functionSetGlobalConstRedeclarationShouldNotThrow):
2089         (functionJSCOptions):
2090         (functionFailNextNewCodeBlock):
2091         (functionMakeMasquerader):
2092         (functionDumpTypesForAllVariables):
2093         (functionFindTypeForExpression):
2094         (functionReturnTypeFor):
2095         (functionDumpBasicBlockExecutionRanges):
2096         (functionBasicBlockExecutionCount):
2097         (functionDrainMicrotasks):
2098         (functionGenerateHeapSnapshot):
2099         (functionEnsureArrayStorage):
2100         (functionStartSamplingProfiler):
2101         (runInteractive):
2102         * llint/LLIntSlowPaths.cpp:
2103         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2104         * parser/ModuleAnalyzer.cpp:
2105         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2106         * profiler/ProfilerBytecode.cpp:
2107         (JSC::Profiler::Bytecode::toJS const):
2108         * profiler/ProfilerBytecodeSequence.cpp:
2109         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
2110         * profiler/ProfilerBytecodes.cpp:
2111         (JSC::Profiler::Bytecodes::toJS const):
2112         * profiler/ProfilerCompilation.cpp:
2113         (JSC::Profiler::Compilation::toJS const):
2114         * profiler/ProfilerCompiledBytecode.cpp:
2115         (JSC::Profiler::CompiledBytecode::toJS const):
2116         * profiler/ProfilerDatabase.cpp:
2117         (JSC::Profiler::Database::toJS const):
2118         * profiler/ProfilerEvent.cpp:
2119         (JSC::Profiler::Event::toJS const):
2120         * profiler/ProfilerOSRExit.cpp:
2121         (JSC::Profiler::OSRExit::toJS const):
2122         * profiler/ProfilerOrigin.cpp:
2123         (JSC::Profiler::Origin::toJS const):
2124         * profiler/ProfilerProfiledBytecodes.cpp:
2125         (JSC::Profiler::ProfiledBytecodes::toJS const):
2126         * runtime/AbstractModuleRecord.cpp:
2127         (JSC::identifierToJSValue):
2128         (JSC::AbstractModuleRecord::resolveExportImpl):
2129         (JSC::getExportedNames):
2130         * runtime/ArrayPrototype.cpp:
2131         (JSC::arrayProtoFuncToString):
2132         (JSC::arrayProtoFuncToLocaleString):
2133         * runtime/BooleanConstructor.cpp:
2134         (JSC::constructBooleanFromImmediateBoolean):
2135         * runtime/CallData.cpp:
2136         (JSC::call):
2137         * runtime/CommonSlowPaths.cpp:
2138         (JSC::SLOW_PATH_DECL):
2139         * runtime/CommonSlowPaths.h:
2140         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2141         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2142         * runtime/Completion.cpp:
2143         (JSC::checkSyntax):
2144         (JSC::evaluate):
2145         (JSC::loadAndEvaluateModule):
2146         (JSC::loadModule):
2147         (JSC::linkAndEvaluateModule):
2148         (JSC::importModule):
2149         * runtime/ConstructData.cpp:
2150         (JSC::construct):
2151         * runtime/DatePrototype.cpp:
2152         (JSC::dateProtoFuncToJSON):
2153         * runtime/DirectArguments.h:
2154         (JSC::DirectArguments::length const):
2155         * runtime/DirectEvalExecutable.cpp:
2156         (JSC::DirectEvalExecutable::create):
2157         * runtime/ErrorPrototype.cpp:
2158         (JSC::errorProtoFuncToString):
2159         * runtime/ExceptionHelpers.cpp:
2160         (JSC::createUndefinedVariableError):
2161         (JSC::errorDescriptionForValue):
2162         * runtime/FunctionConstructor.cpp:
2163         (JSC::constructFunction):
2164         * runtime/GenericArgumentsInlines.h:
2165         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2166         * runtime/IdentifierInlines.h:
2167         (JSC::Identifier::add):
2168         * runtime/IndirectEvalExecutable.cpp:
2169         (JSC::IndirectEvalExecutable::create):
2170         * runtime/InternalFunction.cpp:
2171         (JSC::InternalFunction::finishCreation):
2172         (JSC::InternalFunction::createSubclassStructureSlow):
2173         * runtime/JSArray.cpp:
2174         (JSC::JSArray::getOwnPropertySlot):
2175         (JSC::JSArray::put):
2176         (JSC::JSArray::deleteProperty):
2177         (JSC::JSArray::getOwnNonIndexPropertyNames):
2178         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
2179         * runtime/JSArray.h:
2180         (JSC::JSArray::shiftCountForShift):
2181         * runtime/JSCJSValue.cpp:
2182         (JSC::JSValue::dumpForBacktrace const):
2183         * runtime/JSDataView.cpp:
2184         (JSC::JSDataView::getOwnPropertySlot):
2185         (JSC::JSDataView::deleteProperty):
2186         (JSC::JSDataView::getOwnNonIndexPropertyNames):
2187         * runtime/JSFunction.cpp:
2188         (JSC::JSFunction::getOwnPropertySlot):
2189         (JSC::JSFunction::deleteProperty):
2190         (JSC::JSFunction::reifyName):
2191         * runtime/JSGlobalObjectFunctions.cpp:
2192         (JSC::globalFuncEval):
2193         * runtime/JSInternalPromise.cpp:
2194         (JSC::JSInternalPromise::then):
2195         * runtime/JSLexicalEnvironment.cpp:
2196         (JSC::JSLexicalEnvironment::deleteProperty):
2197         * runtime/JSMap.cpp:
2198         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
2199         * runtime/JSMapIterator.h:
2200         (JSC::JSMapIterator::advanceIter):
2201         * runtime/JSModuleEnvironment.cpp:
2202         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
2203         * runtime/JSModuleLoader.cpp:
2204         (JSC::printableModuleKey):
2205         (JSC::JSModuleLoader::provide):
2206         (JSC::JSModuleLoader::loadAndEvaluateModule):
2207         (JSC::JSModuleLoader::loadModule):
2208         (JSC::JSModuleLoader::linkAndEvaluateModule):
2209         (JSC::JSModuleLoader::requestImportModule):
2210         * runtime/JSModuleNamespaceObject.h:
2211         * runtime/JSModuleRecord.cpp:
2212         (JSC::JSModuleRecord::evaluate):
2213         * runtime/JSONObject.cpp:
2214         (JSC::Stringifier::Stringifier):
2215         (JSC::Stringifier::appendStringifiedValue):
2216         (JSC::Stringifier::Holder::appendNextProperty):
2217         * runtime/JSObject.cpp:
2218         (JSC::JSObject::calculatedClassName):
2219         (JSC::JSObject::putByIndex):
2220         (JSC::JSObject::ordinaryToPrimitive const):
2221         (JSC::JSObject::toPrimitive const):
2222         (JSC::JSObject::hasInstance):
2223         (JSC::JSObject::getOwnPropertyNames):
2224         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2225         (JSC::getCustomGetterSetterFunctionForGetterSetter):
2226         (JSC::JSObject::getOwnPropertyDescriptor):
2227         (JSC::JSObject::getMethod):
2228         * runtime/JSObject.h:
2229         (JSC::JSObject::createRawObject):
2230         (JSC::JSFinalObject::create):
2231         * runtime/JSObjectInlines.h:
2232         (JSC::JSObject::canPerformFastPutInline):
2233         (JSC::JSObject::putInlineForJSObject):
2234         (JSC::JSObject::hasOwnProperty const):
2235         * runtime/JSScope.cpp:
2236         (JSC::isUnscopable):
2237         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
2238         * runtime/JSSet.cpp:
2239         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
2240         * runtime/JSSetIterator.h:
2241         (JSC::JSSetIterator::advanceIter):
2242         * runtime/JSString.cpp:
2243         (JSC::JSString::getStringPropertyDescriptor):
2244         * runtime/JSString.h:
2245         (JSC::JSString::getStringPropertySlot):
2246         * runtime/MapConstructor.cpp:
2247         (JSC::constructMap):
2248         * runtime/ModuleProgramExecutable.cpp:
2249         (JSC::ModuleProgramExecutable::create):
2250         * runtime/ObjectPrototype.cpp:
2251         (JSC::objectProtoFuncToLocaleString):
2252         * runtime/ProgramExecutable.h:
2253         * runtime/RegExpObject.cpp:
2254         (JSC::RegExpObject::getOwnPropertySlot):
2255         (JSC::RegExpObject::deleteProperty):
2256         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
2257         (JSC::RegExpObject::getPropertyNames):
2258         (JSC::RegExpObject::getGenericPropertyNames):
2259         (JSC::RegExpObject::put):
2260         * runtime/ScopedArguments.h:
2261         (JSC::ScopedArguments::length const):
2262         * runtime/StrictEvalActivation.h:
2263         (JSC::StrictEvalActivation::create):
2264         * runtime/StringObject.cpp:
2265         (JSC::isStringOwnProperty):
2266         (JSC::StringObject::deleteProperty):
2267         (JSC::StringObject::getOwnNonIndexPropertyNames):
2268         * tools/JSDollarVMPrototype.cpp:
2269         (JSC::JSDollarVMPrototype::gc):
2270         (JSC::JSDollarVMPrototype::edenGC):
2271         * wasm/js/WebAssemblyModuleRecord.cpp:
2272         (JSC::WebAssemblyModuleRecord::evaluate):
2273
2274 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2275
2276         [DFG] NewArrayWithSize(size)'s size does not care about negative zero
2277         https://bugs.webkit.org/show_bug.cgi?id=176300
2278
2279         Reviewed by Saam Barati.
2280
2281         NewArrayWithSize(size)'s size does not care about negative zero,
2282         the same as NewTypedArray. We propagate this information
2283         in DFGBackwardsPropagationPhase. This removes the negative zero
2284         check in Kraken fft's deinterleave function.
2285
2286         * dfg/DFGBackwardsPropagationPhase.cpp:
2287         (JSC::DFG::BackwardsPropagationPhase::propagate):
2288
2289 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2290
2291         [DFG] PutByVal with Array::Generic is too generic
2292         https://bugs.webkit.org/show_bug.cgi?id=176345
2293
2294         Reviewed by Filip Pizlo.
2295
2296         Our DFG/FTL PutByVal with Array::Generic has too generic an implementation.
2297         We could have a case like,
2298
2299             dst[key] = src[key];
2300
2301         with string or symbol keys, but they are handled in the slow path.
2302         This patch adds PutByVal(CellUse, StringUse/SymbolUse, UntypedUse). They go
2303         to an optimized path that does not have generic checks like isInt32() / isDouble() etc.
2304
2305         This improves SixSpeed object-assign.es5 by 9.1%.
2306
2307         object-assign.es5             424.3159+-11.0471    ^    388.8771+-10.9239       ^ definitely 1.0911x faster
2308
2309         * dfg/DFGFixupPhase.cpp:
2310         (JSC::DFG::FixupPhase::fixupNode):
2311         * dfg/DFGOperations.cpp:
2312         (JSC::DFG::putByVal):
2313         (JSC::DFG::putByValInternal):
2314         (JSC::DFG::putByValCellInternal):
2315         (JSC::DFG::putByValCellStringInternal):
2316         (JSC::DFG::operationPutByValInternal): Deleted.
2317         * dfg/DFGOperations.h:
2318         * dfg/DFGSpeculativeJIT.cpp:
2319         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString):
2320         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol):
2321         * dfg/DFGSpeculativeJIT.h:
2322         (JSC::DFG::SpeculativeJIT::callOperation):
2323         * dfg/DFGSpeculativeJIT32_64.cpp:
2324         (JSC::DFG::SpeculativeJIT::compile):
2325         * dfg/DFGSpeculativeJIT64.cpp:
2326         (JSC::DFG::SpeculativeJIT::compile):
2327         * ftl/FTLLowerDFGToB3.cpp:
2328         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2329         * jit/JITOperations.h:
2330
2331 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2332
2333         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
2334         https://bugs.webkit.org/show_bug.cgi?id=176590
2335
2336         Reviewed by Saam Barati.
2337
2338         We add fixup edges for GetByVal(Array::Generic) to call a faster operation instead of the generic operationGetByVal.
2339
2340                                          baseline                  patched
2341
2342         object-iterate                5.8531+-0.3029            5.7903+-0.2795          might be 1.0108x faster
2343         object-iterate-symbols        7.4099+-0.3993     ^      5.8254+-0.2276        ^ definitely 1.2720x faster
2344
2345         * dfg/DFGFixupPhase.cpp:
2346         (JSC::DFG::FixupPhase::fixupNode):
2347         * dfg/DFGOperations.cpp:
2348         (JSC::DFG::getByValObject):
2349         * dfg/DFGOperations.h:
2350         * dfg/DFGSpeculativeJIT.cpp:
2351         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
2352         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
2353         * dfg/DFGSpeculativeJIT.h:
2354         * dfg/DFGSpeculativeJIT32_64.cpp:
2355         (JSC::DFG::SpeculativeJIT::compile):
2356         * dfg/DFGSpeculativeJIT64.cpp:
2357         (JSC::DFG::SpeculativeJIT::compile):
2358         * ftl/FTLLowerDFGToB3.cpp:
2359         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
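
The dst[key] = src[key] copy loop with string and symbol keys that the two DFG/FTL entries above (PutByVal and GetByVal with Array::Generic) move off the generic slow path, as an added example that is not JavaScriptCore's own code. The objects, the symbol and the JSON input are constructed for this example; the "__proto__" guard is a caveat of the pattern itself, not something the entries describe.

```javascript
// Added example, not JavaScriptCore code: the dst[key] = src[key] copy loop
// with string and symbol keys. Objects, symbol and JSON input are constructed.

// Copies own enumerable properties, string- and symbol-keyed, like
// Object.assign does. Reflect.ownKeys lists both key kinds; for...in would
// miss symbols and would also walk the prototype chain.
function assignOwnProps(dst, src) {
  for (const key of Reflect.ownKeys(src)) {
    // Assigning through [] with the string key "__proto__" hits the
    // Object.prototype setter and rewires dst's prototype instead of
    // creating a property (e.g. from JSON.parse output), so skip it.
    if (key === '__proto__') continue;
    const desc = Object.getOwnPropertyDescriptor(src, key);
    if (desc !== undefined && desc.enumerable) {
      dst[key] = src[key]; // GetByVal then PutByVal with a String or Symbol key
    }
  }
  return dst;
}

const kSecret = Symbol('secret');

// src has an enumerable string key, an enumerable symbol key and a
// non-enumerable string key that must not be copied.
function makeSample() {
  const src = { a: 1, [kSecret]: 'hidden' };
  Object.defineProperty(src, 'b', { value: 2, enumerable: false });
  return src;
}

function copySample() {
  const dst = assignOwnProps({}, makeSample());
  return {
    a: dst.a,
    secret: dst[kSecret],
    hasB: Object.prototype.hasOwnProperty.call(dst, 'b'),
    keyCount: Reflect.ownKeys(dst).length,
  };
}

// JSON.parse creates an own "__proto__" data property; without the guard
// above, the copy loop would set dst's prototype to {"x": 1}.
function copyUntrustedJson() {
  const dst = assignOwnProps({}, JSON.parse('{"__proto__": {"x": 1}, "y": 2}'));
  return {
    y: dst.y,
    x: dst.x,
    protoUntouched: Object.getPrototypeOf(dst) === Object.prototype,
  };
}
```

Both key kinds take the same bracket-access path in the engine; what differs for the caller is only how the keys are enumerated and which of them are safe to assign through.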
2360
2361 2017-09-07  Mark Lam  <mark.lam@apple.com>
2362
2363         Use JIT probes for DFG OSR exit.
2364         https://bugs.webkit.org/show_bug.cgi?id=175144
2365         <rdar://problem/33437050>
2366
2367         Reviewed by Saam Barati.
2368
2369         This patch does the following:
2370         1. Replaces osrExitGenerationThunkGenerator() with osrExitThunkGenerator().
2371            While osrExitGenerationThunkGenerator() generates a thunk that compiles a
2372            unique OSR offramp for each DFG OSR exit site, osrExitThunkGenerator()
2373            generates a thunk that just executes the OSR exit.
2374
2375            The osrExitThunkGenerator() generated thunk works by using a single JIT probe
2376            to call OSRExit::executeOSRExit().  The JIT probe takes care of preserving
2377            CPU registers, and providing the Probe::Stack mechanism for modifying the
2378            stack frame.
2379
2380            OSRExit::executeOSRExit() replaces OSRExit::compileOSRExit() and
2381            OSRExit::compileExit().  It is basically a re-write of those functions to
2382            execute the OSR exit work instead of compiling code to execute the work.
2383
2384            As a result, we get the following savings:
2385            a. no more OSR exit ramp compilation time.
2386            b. no use of JIT executable memory for storing each unique OSR exit ramp.
2387
2388            On the negative side, we incur these costs:
2389
2390            c. the OSRExit::executeOSRExit() ramp may be a little slower than the compiled
2391               version of the ramp.  However, OSR exits are rare.  Hence, this small
2392               difference should not matter much.  It is also offset by the savings from
2393               (a).
2394
2395            d. the Probe::Stack allocates 1K pages of memory for buffering stack
2396               modifications.  The number of these pages depends on the span of stack memory
2397               that the OSR exit ramp reads from and writes to.  Since the OSR exit ramp
2398               tends to only modify values in the current DFG frame and the current
2399               VMEntryRecord, the number of pages tends to be only 1 or 2.
2400
2401               Using the jsc tests as a workload, the vast majority of tests that do OSR
2402               exit use 3 or fewer 1K pages (with the overwhelming majority using just 1 page).
2403               A few pathological tests use up to 14 pages, and one particularly
2404               bad test (function-apply-many-args.js) uses 513 pages.
2405
2406            Similar to the old code, the OSR exit ramp still has 2 parts: 1 part that is
2407            only executed once to compute some values for the exit site that are used by
2408            all exit operations from that site, and a 2nd part to execute the exit.  The
2409            1st part is protected by a check of whether exit.exitState has already been
2410            initialized.  The computed values are cached in exit.exitState.
2411
2412            Because the OSR exit thunk no longer compiles an OSR exit off-ramp, we no
2413            longer need the facility to patch the site that jumps to the OSR exit ramp.
2414            The DFG::JITCompiler has been modified to remove this patching code.
2415
2416         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
2417            std::memcpy to avoid strict aliasing issues.
2418
2419            Also optimized the implementation of Probe::Stack::physicalAddressFor().
2420
2421         3. Miscellaneous convenience methods added to make the Probe::Context easier to
2422            use.
2423
2424         4. Added a Probe::Frame class that makes it easier to get/set operands and
2425            arguments in a given frame using the deferred write properties of the
2426            Probe::Stack.  Probe::Frame makes it easier to do some of the recovery work in
2427            the OSR exit ramp.
2428
2429         5. Cloned or converted some functions needed by the OSR exit ramp.  The original
2430            JIT versions of these functions are still left in place because they are still
2431            needed for FTL OSR exit.  A FIXME comment has been added to remove them later.
2432            These functions include:
2433
2434            DFGOSRExitCompilerCommon.cpp's handleExitCounts() ==>
2435                CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize()
2436            DFGOSRExitCompilerCommon.cpp's reifyInlinedCallFrames() ==>
2437                DFGOSRExit.cpp's reifyInlinedCallFrames()
2438            DFGOSRExitCompilerCommon.cpp's adjustAndJumpToTarget() ==>
2439                DFGOSRExit.cpp's adjustAndJumpToTarget()
2440
2441            MethodOfGettingAValueProfile::emitReportValue() ==>
2442                MethodOfGettingAValueProfile::reportValue()
2443
2444            DFGOperations.cpp's operationCreateDirectArgumentsDuringExit() ==>
2445                DFGOSRExit.cpp's createDirectArgumentsDuringExit()
2446            DFGOperations.cpp's operationCreateClonedArgumentsDuringExit() ==>
2447                DFGOSRExit.cpp's createClonedArgumentsDuringExit()
2448
2449         * JavaScriptCore.xcodeproj/project.pbxproj:
2450         * assembler/MacroAssembler.cpp:
2451         (JSC::stdFunctionCallback):
2452         * assembler/MacroAssemblerPrinter.cpp:
2453         (JSC::Printer::printCallback):
2454         * assembler/ProbeContext.h:
2455         (JSC::Probe::CPUState::gpr const):
2456         (JSC::Probe::CPUState::spr const):
2457         (JSC::Probe::Context::Context):
2458         (JSC::Probe::Context::arg):
2459         (JSC::Probe::Context::gpr):
2460         (JSC::Probe::Context::spr):
2461         (JSC::Probe::Context::fpr):
2462         (JSC::Probe::Context::gprName):
2463         (JSC::Probe::Context::sprName):
2464         (JSC::Probe::Context::fprName):
2465         (JSC::Probe::Context::gpr const):
2466         (JSC::Probe::Context::spr const):
2467         (JSC::Probe::Context::fpr const):
2468         (JSC::Probe::Context::pc):
2469         (JSC::Probe::Context::fp):
2470         (JSC::Probe::Context::sp):
2471         (JSC::Probe:: const): Deleted.
2472         * assembler/ProbeFrame.h: Added.
2473         (JSC::Probe::Frame::Frame):
2474         (JSC::Probe::Frame::getArgument):
2475         (JSC::Probe::Frame::getOperand):
2476         (JSC::Probe::Frame::get):
2477         (JSC::Probe::Frame::setArgument):
2478         (JSC::Probe::Frame::setOperand):
2479         (JSC::Probe::Frame::set):
2480         * assembler/ProbeStack.cpp:
2481         (JSC::Probe::Page::Page):
2482         * assembler/ProbeStack.h:
2483         (JSC::Probe::Page::get):
2484         (JSC::Probe::Page::set):
2485         (JSC::Probe::Page::physicalAddressFor):
2486         (JSC::Probe::Stack::lowWatermark):
2487         (JSC::Probe::Stack::get):
2488         (JSC::Probe::Stack::set):
2489         * bytecode/ArithProfile.cpp:
2490         * bytecode/ArithProfile.h:
2491         * bytecode/ArrayProfile.h:
2492         (JSC::ArrayProfile::observeArrayMode):
2493         * bytecode/CodeBlock.cpp:
2494         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
2495         * bytecode/CodeBlock.h:
2496         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
2497         * bytecode/ExecutionCounter.h:
2498         (JSC::ExecutionCounter::hasCrossedThreshold const):
2499         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
2500         * bytecode/MethodOfGettingAValueProfile.cpp:
2501         (JSC::MethodOfGettingAValueProfile::reportValue):
2502         * bytecode/MethodOfGettingAValueProfile.h:
2503         * dfg/DFGDriver.cpp:
2504         (JSC::DFG::compileImpl):
2505         * dfg/DFGJITCode.cpp:
2506         (JSC::DFG::JITCode::findPC): Deleted.
2507         * dfg/DFGJITCode.h:
2508         * dfg/DFGJITCompiler.cpp:
2509         (JSC::DFG::JITCompiler::linkOSRExits):
2510         (JSC::DFG::JITCompiler::link):
2511         * dfg/DFGOSRExit.cpp:
2512         (JSC::DFG::jsValueFor):
2513         (JSC::DFG::restoreCalleeSavesFor):
2514         (JSC::DFG::saveCalleeSavesFor):
2515         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
2516         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2517         (JSC::DFG::saveOrCopyCalleeSavesFor):
2518         (JSC::DFG::createDirectArgumentsDuringExit):
2519         (JSC::DFG::createClonedArgumentsDuringExit):
2520         (JSC::DFG::OSRExit::OSRExit):
2521         (JSC::DFG::emitRestoreArguments):
2522         (JSC::DFG::OSRExit::executeOSRExit):
2523         (JSC::DFG::reifyInlinedCallFrames):
2524         (JSC::DFG::adjustAndJumpToTarget):
2525         (JSC::DFG::printOSRExit):
2526         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
2527         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
2528         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
2529         (JSC::DFG::OSRExit::correctJump): Deleted.
2530         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
2531         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
2532         (JSC::DFG::OSRExit::compileExit): Deleted.
2533         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
2534         * dfg/DFGOSRExit.h:
2535         (JSC::DFG::OSRExitState::OSRExitState):
2536         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
2537         * dfg/DFGOSRExitCompilerCommon.cpp:
2538         * dfg/DFGOSRExitCompilerCommon.h:
2539         * dfg/DFGOperations.cpp:
2540         * dfg/DFGOperations.h:
2541         * dfg/DFGThunks.cpp:
2542         (JSC::DFG::osrExitThunkGenerator):
2543         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
2544         * dfg/DFGThunks.h:
2545         * jit/AssemblyHelpers.cpp:
2546         (JSC::AssemblyHelpers::debugCall): Deleted.
2547         * jit/AssemblyHelpers.h:
2548         * jit/JITOperations.cpp:
2549         * jit/JITOperations.h:
2550         * profiler/ProfilerOSRExit.h:
2551         (JSC::Profiler::OSRExit::incCount):
2552         * runtime/JSCJSValue.h:
2553         * runtime/JSCJSValueInlines.h:
2554         * runtime/VM.h:
2555
2556 2017-09-07  Michael Saboff  <msaboff@apple.com>
2557
2558         Add support for RegExp named capture groups
2559         https://bugs.webkit.org/show_bug.cgi?id=176435
2560
2561         Reviewed by Filip Pizlo.
2562
2563         Added parsing both for naming a captured parenthesis and for using a named group in
2564         a back reference.  Also added support for using named groups with String.prototype.replace().
2565
2566         This patch does not throw Syntax Errors as described in the current spec text for the two
2567         cases of malformed back references in String.prototype.replace() as I believe that it
2568         is inconsistent with the current semantics for handling of other malformed replacement
2569         tokens.  I filed an issue for the requested change to the proposed spec and also filed
2570         a FIXME bug https://bugs.webkit.org/show_bug.cgi?id=176434.
2571
2572         This patch does not implement strength reduction in the optimizing JITs for named capture
2573         groups.  Filed https://bugs.webkit.org/show_bug.cgi?id=176464.
2574
2575         * dfg/DFGAbstractInterpreterInlines.h:
2576         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2577         * dfg/DFGStrengthReductionPhase.cpp:
2578         (JSC::DFG::StrengthReductionPhase::handleNode):
2579         * runtime/CommonIdentifiers.h:
2580         * runtime/JSGlobalObject.cpp:
2581         (JSC::JSGlobalObject::init):
2582         (JSC::JSGlobalObject::haveABadTime):
2583         * runtime/JSGlobalObject.h:
2584         (JSC::JSGlobalObject::regExpMatchesArrayWithGroupsStructure const):
2585         * runtime/RegExp.cpp:
2586         (JSC::RegExp::finishCreation):
2587         * runtime/RegExp.h:
2588         * runtime/RegExpMatchesArray.cpp:
2589         (JSC::createStructureImpl):
2590         (JSC::createRegExpMatchesArrayWithGroupsStructure):
2591         (JSC::createRegExpMatchesArrayWithGroupsSlowPutStructure):
2592         * runtime/RegExpMatchesArray.h:
2593         (JSC::createRegExpMatchesArray):
2594         * runtime/StringPrototype.cpp:
2595         (JSC::substituteBackreferencesSlow):
2596         (JSC::replaceUsingRegExpSearch):
2597         * yarr/YarrParser.h:
2598         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
2599         (JSC::Yarr::Parser::parseEscape):
2600         (JSC::Yarr::Parser::parseParenthesesBegin):
2601         (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
2602         (JSC::Yarr::Parser::tryConsumeIdentifierCharacter):
2603         (JSC::Yarr::Parser::isIdentifierStart):
2604         (JSC::Yarr::Parser::isIdentifierPart):
2605         (JSC::Yarr::Parser::tryConsumeGroupName):
2606         * yarr/YarrPattern.cpp:
2607         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
2608         (JSC::Yarr::YarrPatternConstructor::atomNamedBackReference):
2609         (JSC::Yarr::YarrPattern::errorMessage):
2610         * yarr/YarrPattern.h:
2611         (JSC::Yarr::YarrPattern::reset):
2612         * yarr/YarrSyntaxChecker.cpp:
2613         (JSC::Yarr::SyntaxChecker::atomParenthesesSubpatternBegin):
2614         (JSC::Yarr::SyntaxChecker::atomNamedBackReference):
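
The named-capture-group syntax the entry above implements (naming a group, a named back reference, and $<name> in String.prototype.replace()), as an added example that is not JavaScriptCore's own code. The regular expressions, the log line and the field names are constructed for this example.

```javascript
// Added example, not JavaScriptCore code: RegExp named capture groups,
// named back references and $<name> replacement, applied to log parsing.
// Regexes, log line and field names below are constructed for the example.

// (?<name>...) names a group; the match exposes it as m.groups.name.
// Anchoring with ^ and $ and using bounded character classes limits
// backtracking when the regex runs over untrusted log input.
const SYSLOG_LINE =
  /^(?<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?<host>[\w.-]+) (?<proc>\w+)\[(?<pid>\d+)\]: (?<msg>.*)$/;

function parseSyslogLine(line) {
  const m = SYSLOG_LINE.exec(line);
  if (m === null) return null;
  const { ts, host, proc, pid, msg } = m.groups;
  return { ts, host, proc, pid: Number(pid), msg };
}

// \k<name> is a named back reference: the closing tag must repeat the
// text captured by the opening tag, so "<b>..</i>" does not match.
const PAIRED_TAG = /^<(?<tag>[a-z]+)>(?<body>[^<]*)<\/\k<tag>>$/;

function extractPairedTag(s) {
  const m = PAIRED_TAG.exec(s);
  return m === null ? null : { tag: m.groups.tag, body: m.groups.body };
}

// In String.prototype.replace, $<name> in the replacement string inserts
// the text of the named group, alongside the older $1 / $& forms.
function redactPid(line) {
  return line.replace(/(?<proc>\w+)\[(?<pid>\d+)\]/, '$<proc>[<redacted>]');
}

// A regex without named groups yields m.groups === undefined, so code that
// mixes numbered and named groups must check before destructuring.
function hasNamedGroups(re, input) {
  const m = re.exec(input);
  return m !== null && m.groups !== undefined;
}
```

The entry notes that malformed $< tokens in a replacement string do not throw in this implementation; the example above only uses well-formed $<name> references, so its behaviour does not depend on that choice.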
2615
2616 2017-09-07  Myles C. Maxfield  <mmaxfield@apple.com>
2617
2618         [PAL] Unify PlatformUserPreferredLanguages.h with Language.h
2619         https://bugs.webkit.org/show_bug.cgi?id=176561
2620
2621         Reviewed by Brent Fulgham.
2622
2623         * runtime/IntlObject.cpp:
2624         (JSC::defaultLocale):
2625
2626 2017-09-07  Joseph Pecoraro  <pecoraro@apple.com>
2627
2628         Augmented Inspector: Provide a way to inspect a DOM Node (DOM.inspect)
2629         https://bugs.webkit.org/show_bug.cgi?id=176563
2630         <rdar://problem/19639583>
2631
2632         Reviewed by Matt Baker.
2633
2634         * inspector/protocol/DOM.json:
2635         Add an event that is useful for augmented inspectors to inspect
2636         a node. Web pages will still prefer Inspector.inspect.
2637
2638 2017-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2639
2640         [JSC] Remove "malloc" and "free" from JSC/API
2641         https://bugs.webkit.org/show_bug.cgi?id=176331
2642
2643         Reviewed by Keith Miller.
2644
2645         Remove "malloc" and "free" manual calls in JSC/API.
2646
2647         * API/JSValue.mm:
2648         (createStructHandlerMap):
2649         * API/JSWrapperMap.mm:
2650         (parsePropertyAttributes):
2651         (makeSetterName):
2652         (copyPrototypeProperties):
2653         Use RetainPtr<NSString> to keep the NSString. We avoid repeated "char*" to "NSString" conversion.
2654
2655         * API/ObjcRuntimeExtras.h:
2656         (adoptSystem):
2657         Add adoptSystem to automate calling system free().
2658
2659         (protocolImplementsProtocol):
2660         (forEachProtocolImplementingProtocol):
2661         (forEachMethodInClass):
2662         (forEachMethodInProtocol):
2663         (forEachPropertyInProtocol):
2664         (StringRange::StringRange):
2665         (StringRange::operator const char* const):
2666         (StringRange::get const):
2667         Use CString for backend.
2668
2669         (StructBuffer::StructBuffer):
2670         (StructBuffer::~StructBuffer):
2671         (StringRange::~StringRange): Deleted.
2672         Use fastAlignedMalloc/fastAlignedFree to get aligned memory.
2673
2674 2017-09-06  Mark Lam  <mark.lam@apple.com>
2675
2676         constructGenericTypedArrayViewWithArguments() is missing an exception check.
2677         https://bugs.webkit.org/show_bug.cgi?id=176485
2678         <rdar://problem/33898874>
2679
2680         Reviewed by Keith Miller.
2681
2682         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2683         (JSC::constructGenericTypedArrayViewWithArguments):
2684
2685 2017-09-06  Saam Barati  <sbarati@apple.com>
2686
2687         Air should have a Vector of prologue generators instead of a HashMap representing an optional prologue generator
2688         https://bugs.webkit.org/show_bug.cgi?id=176346
2689
2690         Reviewed by Mark Lam.
2691
2692         * b3/B3Procedure.cpp:
2693         (JSC::B3::Procedure::Procedure):
2694         (JSC::B3::Procedure::setNumEntrypoints):
2695         * b3/B3Procedure.h:
2696         (JSC::B3::Procedure::setNumEntrypoints): Deleted.
2697         * b3/air/AirCode.cpp:
2698         (JSC::B3::Air::defaultPrologueGenerator):
2699         (JSC::B3::Air::Code::Code):
2700         (JSC::B3::Air::Code::setNumEntrypoints):
2701         * b3/air/AirCode.h:
2702         (JSC::B3::Air::Code::setPrologueForEntrypoint):
2703         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
2704         (JSC::B3::Air::Code::setEntrypoints):
2705         (JSC::B3::Air::Code::setEntrypointLabels):
2706         * b3/air/AirGenerate.cpp:
2707         (JSC::B3::Air::generate):
2708         * ftl/FTLLowerDFGToB3.cpp:
2709         (JSC::FTL::DFG::LowerDFGToB3::lower):
2710
2711 2017-09-06  Saam Barati  <sbarati@apple.com>
2712
2713         ASSERTION FAILED: op() == CheckStructure in Source/JavaScriptCore/dfg/DFGNode.h(443)
2714         https://bugs.webkit.org/show_bug.cgi?id=176470
2715
2716         Reviewed by Mark Lam.
2717
2718         Update Node::convertToCheckStructureImmediate's assertion to allow
2719         the node to either be a CheckStructure or CheckStructureOrEmpty.
2720
2721         * dfg/DFGNode.h:
2722         (JSC::DFG::Node::convertToCheckStructureImmediate):
2723
2724 2017-09-05  Saam Barati  <sbarati@apple.com>
2725
2726         isNotCellSpeculation is wrong with respect to SpecEmpty
2727         https://bugs.webkit.org/show_bug.cgi?id=176429
2728
2729         Reviewed by Michael Saboff.
2730
2731         The isNotCellSpeculation(SpeculatedType t) function was not taking into account
2732         SpecEmpty in the set for t. It should return false when SpecEmpty is present, since
2733         the empty value will fail a NotCell check. This bug would cause us to erroneously
2734         generate NotCellUse UseKinds for inputs that are the empty value, causing repeated OSR exits.
2735
2736         * bytecode/SpeculatedType.h:
2737         (JSC::isNotCellSpeculation):
2738
2739 2017-09-05  Saam Barati  <sbarati@apple.com>
2740
2741         Make the distinction between entrypoints and CFG roots more clear by naming things better
2742         https://bugs.webkit.org/show_bug.cgi?id=176336
2743
2744         Reviewed by Mark Lam and Keith Miller and Michael Saboff.
2745
2746         This patch does renaming to make the distinction between Graph::m_entrypoints
2747         and Graph::m_numberOfEntrypoints more clear. The source of confusion is that
2748         Graph::m_entrypoints.size() is not equivalent to Graph::m_numberOfEntrypoints.
2749         Graph::m_entrypoints is really just the CFG roots. In CPS, this vector has
2750         size >= 1. In SSA, the size is always 1. This patch renames Graph::m_entrypoints
2751         to Graph::m_roots. To be consistent, this patch also renames Graph's m_entrypointToArguments
2752         field to m_rootToArguments.
2753         
2754         Graph::m_numberOfEntrypoints retains its name. This field is only used in SSA
2755         when compiling with EntrySwitch. It represents the logical number of entrypoints
2756         the compilation will end up with. Each EntrySwitch has m_numberOfEntrypoints
2757         cases.
2758
2759         * dfg/DFGByteCodeParser.cpp:
2760         (JSC::DFG::ByteCodeParser::parseBlock):
2761         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2762         * dfg/DFGCFG.h:
2763         (JSC::DFG::CFG::roots):
2764         (JSC::DFG::CPSCFG::CPSCFG):
2765         * dfg/DFGCPSRethreadingPhase.cpp:
2766         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
2767         * dfg/DFGDCEPhase.cpp:
2768         (JSC::DFG::DCEPhase::run):
2769         * dfg/DFGGraph.cpp:
2770         (JSC::DFG::Graph::dump):
2771         (JSC::DFG::Graph::determineReachability):
2772         (JSC::DFG::Graph::blocksInPreOrder):
2773         (JSC::DFG::Graph::blocksInPostOrder):
2774         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2775         * dfg/DFGGraph.h:
2776         (JSC::DFG::Graph::isRoot):
2777         (JSC::DFG::Graph::isEntrypoint): Deleted.
2778         * dfg/DFGInPlaceAbstractState.cpp:
2779         (JSC::DFG::InPlaceAbstractState::initialize):
2780         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2781         (JSC::DFG::createPreHeader):
2782         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2783         (JSC::DFG::MaximalFlushInsertionPhase::run):
2784         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2785         * dfg/DFGOSREntrypointCreationPhase.cpp:
2786         (JSC::DFG::OSREntrypointCreationPhase::run):
2787         * dfg/DFGPredictionInjectionPhase.cpp:
2788         (JSC::DFG::PredictionInjectionPhase::run):
2789         * dfg/DFGSSAConversionPhase.cpp:
2790         (JSC::DFG::SSAConversionPhase::run):
2791         * dfg/DFGSpeculativeJIT.cpp:
2792         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
2793         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2794         * dfg/DFGTypeCheckHoistingPhase.cpp:
2795         (JSC::DFG::TypeCheckHoistingPhase::run):
2796         * dfg/DFGValidate.cpp:
2797
2798 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
2799
2800         test262: Completion values for control flow do not match the spec
2801         https://bugs.webkit.org/show_bug.cgi?id=171265
2802
2803         Reviewed by Saam Barati.
2804
2805         * bytecompiler/BytecodeGenerator.h:
2806         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
2807         When we care about having proper completion values (global code
2808         in programs, modules, and eval) insert undefined results for
2809         control flow statements.
2810
2811         * bytecompiler/NodesCodegen.cpp:
2812         (JSC::SourceElements::emitBytecode):
2813         Reduce writing a default `undefined` value to the completion result to
2814         only once before the last statement we know will produce a value.
2815
2816         (JSC::IfElseNode::emitBytecode):
2817         (JSC::WithNode::emitBytecode):
2818         (JSC::WhileNode::emitBytecode):
2819         (JSC::ForNode::emitBytecode):
2820         (JSC::ForInNode::emitBytecode):
2821         (JSC::ForOfNode::emitBytecode):
2822         (JSC::SwitchNode::emitBytecode):
2823         Insert an undefined to handle cases where code may break out of an
2824         if/else or with statement (break/continue).
2825
2826         (JSC::TryNode::emitBytecode):
2827         Same handling for break cases. Also, finally block statement completion
2828         values are always ignored for the try statement result.
2829
2830         (JSC::ClassDeclNode::emitBytecode):
2831         Class declarations, like function declarations, produce an empty result.
2832
2833         * parser/Nodes.cpp:
2834         (JSC::SourceElements::lastStatement):
2835         (JSC::SourceElements::hasCompletionValue):
2836         (JSC::SourceElements::hasEarlyBreakOrContinue):
2837         (JSC::BlockNode::lastStatement):
2838         (JSC::BlockNode::singleStatement):
2839         (JSC::BlockNode::hasCompletionValue):
2840         (JSC::BlockNode::hasEarlyBreakOrContinue):
2841         (JSC::ScopeNode::singleStatement):
2842         (JSC::ScopeNode::hasCompletionValue):
2843         (JSC::ScopeNode::hasEarlyBreakOrContinue):
2844         The only non-trivial cases need to loop through their list of statements
2845         to determine if this has a completion value or not. Likewise for
2846         determining if there is an early break / continue, meaning a break or
2847         continue statement with no preceding statement that has a completion value.
2848
2849         * parser/Nodes.h:
2850         (JSC::StatementNode::next):
2851         (JSC::StatementNode::hasCompletionValue):
2852         Helper to check if a statement node produces a completion value or not.
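
The completion-value rules that this entry brings JavaScriptCore in line with can be observed from script through eval(), which returns the completion value of the code it runs. The block below is an added example, not JavaScriptCore code and not part of the original ChangeLog; the scripts in COMPLETION_CASES are constructed here, and the expected values follow the ES2015+ UpdateEmpty semantics the entry describes (control-flow statements with an empty body complete with undefined, a value produced before a break survives, a finally block's completion is ignored on normal completion, and declarations produce the empty completion).

```javascript
// Added example (not JavaScriptCore code). Each case is a constructed script
// paired with the completion value ECMAScript (ES2015+) assigns to it.
const COMPLETION_CASES = [
  // A control-flow statement whose body produces no value completes with
  // undefined, not with the value of the preceding expression statement.
  { script: "1; if (true) {}",                expected: undefined },
  { script: "1; while (false) {}",            expected: undefined },
  // Inside a loop, the value produced before `break` survives...
  { script: "do { 2; break; } while (false)", expected: 2 },
  // ...but an early break with no preceding value yields undefined.
  { script: "1; do { break; } while (false)", expected: undefined },
  // On normal completion the finally block's value is ignored; the try
  // block's value is the statement's completion value.
  { script: "1; try { 3 } finally { 4 }",     expected: 3 },
  // A function declaration produces the empty completion, so the value of
  // the earlier expression statement is kept.
  { script: "1; function f() {}",             expected: 1 },
];

// Evaluates each constructed script with an indirect eval (global scope, so
// the result does not depend on the caller's strictness) and reports whether
// the observed completion value matches the expected one.
function checkCompletionValues(cases = COMPLETION_CASES) {
  const indirectEval = eval; // indirect call: runs the script as global code
  return cases.map(({ script, expected }) => {
    const actual = indirectEval(script);
    return { script, expected, actual, ok: Object.is(actual, expected) };
  });
}

// True when the host engine agrees with the spec on every case.
function allMatch(cases = COMPLETION_CASES) {
  return checkCompletionValues(cases).every((r) => r.ok);
}
```

Running checkCompletionValues() against an engine and looking at the rows with ok === false is a quick way to see which of the control-flow cases an engine still gets wrong; the cases mirror the statement kinds touched in NodesCodegen.cpp above.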
2853
2854 2017-09-04  Saam Barati  <sbarati@apple.com>
2855
2856         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
2857         https://bugs.webkit.org/show_bug.cgi?id=176317
2858
2859         Reviewed by Keith Miller.
2860
2861         It turns out that TypeCheckHoistingPhase may hoist a CheckStructure up to 
2862         the SetLocal of a particular value where the value is the empty JSValue.
2863         On 64-bit platforms, the empty value is zero. This means that the empty value
2864         passes a cell check. This will lead to a crash when we dereference null to load
2865         the value's structure. This patch teaches TypeCheckHoistingPhase to be conservative
2866         in the structure checks it hoists. On 64-bit platforms, instead of emitting a
2867         CheckStructure node, we now emit a CheckStructureOrEmpty node. This node allows
2868         the empty value to flow through. If the value isn't empty, it'll perform the normal
2869         structure check that CheckStructure performs. For now, we only emit CheckStructureOrEmpty
2870         on 64-bit platforms since a cell check on 32-bit platforms does not allow the empty
2871         value to flow through.
2872
2873         * dfg/DFGAbstractInterpreterInlines.h:
2874         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2875         * dfg/DFGArgumentsEliminationPhase.cpp:
2876         * dfg/DFGClobberize.h:
2877         (JSC::DFG::clobberize):
2878         * dfg/DFGConstantFoldingPhase.cpp:
2879         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2880         * dfg/DFGDoesGC.cpp:
2881         (JSC::DFG::doesGC):
2882         * dfg/DFGFixupPhase.cpp:
2883         (JSC::DFG::FixupPhase::fixupNode):
2884         * dfg/DFGNode.h:
2885         (JSC::DFG::Node::convertCheckStructureOrEmptyToCheckStructure):
2886         (JSC::DFG::Node::hasStructureSet):
2887         * dfg/DFGNodeType.h:
2888         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2889         * dfg/DFGPredictionPropagationPhase.cpp:
2890         * dfg/DFGSafeToExecute.h:
2891         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
2892         (JSC::DFG::SafeToExecuteEdge::operator()):
2893         (JSC::DFG::SafeToExecuteEdge::maySeeEmptyChild):
2894         (JSC::DFG::safeToExecute):
2895         * dfg/DFGSpeculativeJIT.cpp:
2896         (JSC::DFG::SpeculativeJIT::emitStructureCheck):
2897         (JSC::DFG::SpeculativeJIT::compileCheckStructure):
2898         * dfg/DFGSpeculativeJIT.h:
2899         * dfg/DFGSpeculativeJIT32_64.cpp:
2900         (JSC::DFG::SpeculativeJIT::compile):
2901         * dfg/DFGSpeculativeJIT64.cpp:
2902         (JSC::DFG::SpeculativeJIT::compile):
2903         * dfg/DFGTypeCheckHoistingPhase.cpp:
2904         (JSC::DFG::TypeCheckHoistingPhase::run):
2905         * dfg/DFGValidate.cpp:
2906         * ftl/FTLCapabilities.cpp:
2907         (JSC::FTL::canCompile):
2908         * ftl/FTLLowerDFGToB3.cpp:
2909         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2910         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureOrEmpty):
2911
2912 2017-09-04  Saam Barati  <sbarati@apple.com>
2913
2914         Support compiling catch in the FTL
2915         https://bugs.webkit.org/show_bug.cgi?id=175396
2916
2917         Reviewed by Filip Pizlo.
2918
2919         This patch implements op_catch in the FTL. It extends the DFG implementation
2920         by supporting multiple entrypoints in DFG-SSA. This patch implements this
2921         by introducing an EntrySwitch node. When converting to SSA, we introduce a new
2922         root block with an EntrySwitch that has the previous DFG entrypoints as its
2923         successors. By convention, we pick the zeroth entry point index to be the
2924         op_enter entrypoint. Like in B3, in DFG-SSA, EntrySwitch just acts like a
2925         switch over the entrypoint index argument. DFG::EntrySwitch in the FTL
2926         simply lowers to B3::EntrySwitch. The EntrySwitch in the root block that
2927         SSAConversion creates cannot exit, because we would not know where in the
2928         program to exit to: we would not have valid OSR exit state. This design also
2929         mandates that anything we hoist above EntrySwitch in the new root block
2930         cannot exit, since it also does not have valid OSR exit state.
2931         
2932         This patch also adds a new metadata node named InitializeEntrypointArguments.
2933         InitializeEntrypointArguments is a metadata node that initializes the flush format for
2934         the arguments at a given entrypoint. For a given entrypoint index, this node
2935         tells AI and OSRAvailabilityAnalysis what the flush format for each argument
2936         is. This allows each individual entrypoint to have an independent set of
2937         argument types. Currently, this won't happen in practice because ArgumentPosition
2938         unifies flush formats, but this is an implementation detail we probably want
2939         to modify in the future. SSAConversion will add InitializeEntrypointArguments
2940         to the beginning of each of the original DFG entrypoint blocks.
2941         
2942         This patch also adds the ability to specify custom prologue code generators in Air.
2943         This allows the FTL to specify a custom prologue for catch entrypoints that
2944         matches the op_catch OSR entry calling convention that the DFG uses. This way,
2945         the baseline JIT code OSR enters into op_catch the same way both in the DFG
2946         and the FTL. In the future, we can use this same mechanism to perform stack
2947         overflow checks instead of using a patchpoint.
2948
2949         * b3/air/AirCode.cpp:
2950         (JSC::B3::Air::Code::isEntrypoint):
2951         (JSC::B3::Air::Code::entrypointIndex):
2952         * b3/air/AirCode.h:
2953         (JSC::B3::Air::Code::setPrologueForEntrypoint):
2954         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
2955         * b3/air/AirGenerate.cpp:
2956         (JSC::B3::Air::generate):
2957         * dfg/DFGAbstractInterpreterInlines.h:
2958         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2959         * dfg/DFGBasicBlock.h:
2960         * dfg/DFGByteCodeParser.cpp:
2961         (JSC::DFG::ByteCodeParser::parseBlock):
2962         (JSC::DFG::ByteCodeParser::parse):
2963         * dfg/DFGCFG.h:
2964         (JSC::DFG::selectCFG):
2965         * dfg/DFGClobberize.h:
2966         (JSC::DFG::clobberize):
2967         * dfg/DFGClobbersExitState.cpp:
2968         (JSC::DFG::clobbersExitState):
2969         * dfg/DFGCommonData.cpp:
2970         (JSC::DFG::CommonData::shrinkToFit):
2971         (JSC::DFG::CommonData::finalizeCatchEntrypoints):
2972         * dfg/DFGCommonData.h:
2973         (JSC::DFG::CommonData::catchOSREntryDataForBytecodeIndex):
2974         (JSC::DFG::CommonData::appendCatchEntrypoint):
2975         * dfg/DFGDoesGC.cpp:
2976         (JSC::DFG::doesGC):
2977         * dfg/DFGFixupPhase.cpp:
2978         (JSC::DFG::FixupPhase::fixupNode):
2979         * dfg/DFGGraph.cpp:
2980         (JSC::DFG::Graph::dump):
2981         (JSC::DFG::Graph::invalidateCFG):
2982         (JSC::DFG::Graph::ensureCPSCFG):
2983         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2984         * dfg/DFGGraph.h:
2985         (JSC::DFG::Graph::isEntrypoint):
2986         * dfg/DFGInPlaceAbstractState.cpp:
2987         (JSC::DFG::InPlaceAbstractState::initialize):
2988         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
2989         * dfg/DFGJITCode.cpp:
2990         (JSC::DFG::JITCode::shrinkToFit):
2991         (JSC::DFG::JITCode::finalizeOSREntrypoints):
2992         * dfg/DFGJITCode.h:
2993         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex): Deleted.
2994         (JSC::DFG::JITCode::appendCatchEntrypoint): Deleted.
2995         * dfg/DFGJITCompiler.cpp:
2996         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
2997         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
2998         * dfg/DFGMayExit.cpp:
2999         * dfg/DFGNode.h:
3000         (JSC::DFG::Node::isEntrySwitch):
3001         (JSC::DFG::Node::isTerminal):
3002         (JSC::DFG::Node::entrySwitchData):
3003         (JSC::DFG::Node::numSuccessors):
3004         (JSC::DFG::Node::successor):
3005         (JSC::DFG::Node::entrypointIndex):
3006         * dfg/DFGNodeType.h:
3007         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3008         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
3009         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3010         * dfg/DFGOSREntry.cpp:
3011         (JSC::DFG::prepareCatchOSREntry):
3012         * dfg/DFGOSREntry.h:
3013         * dfg/DFGOSREntrypointCreationPhase.cpp:
3014         (JSC::DFG::OSREntrypointCreationPhase::run):
3015         * dfg/DFGPredictionPropagationPhase.cpp:
3016         * dfg/DFGSSAConversionPhase.cpp:
3017         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
3018         (JSC::DFG::SSAConversionPhase::run):
3019         * dfg/DFGSafeToExecute.h:
3020         (JSC::DFG::safeToExecute):
3021         * dfg/DFGSpeculativeJIT.cpp:
3022         (JSC::DFG::SpeculativeJIT::linkOSREntries):
3023         * dfg/DFGSpeculativeJIT32_64.cpp:
3024         (JSC::DFG::SpeculativeJIT::compile):
3025         * dfg/DFGSpeculativeJIT64.cpp:
3026         (JSC::DFG::SpeculativeJIT::compile):
3027         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
3028         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
3029         * dfg/DFGValidate.cpp:
3030         * ftl/FTLCapabilities.cpp:
3031         (JSC::FTL::canCompile):
3032         * ftl/FTLCompile.cpp:
3033         (JSC::FTL::compile):
3034         * ftl/FTLLowerDFGToB3.cpp:
3035         (JSC::FTL::DFG::LowerDFGToB3::lower):
3036         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3037         (JSC::FTL::DFG::LowerDFGToB3::compileExtractCatchLocal):
3038         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
3039         (JSC::FTL::DFG::LowerDFGToB3::compileEntrySwitch):
3040         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3041         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):
3042         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
3043         (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
3044         * ftl/FTLOutput.cpp:
3045         (JSC::FTL::Output::entrySwitch):
3046         * ftl/FTLOutput.h:
3047         * jit/JITOperations.cpp:
3048
3049 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3050
3051         [DFG][FTL] Efficiently execute number#toString()
3052         https://bugs.webkit.org/show_bug.cgi?id=170007
3053
3054         Reviewed by Keith Miller.
3055
3056         In JS, the natural way to convert number to string with radix is `number.toString(radix)`.
3057         However, our IC only cares about cells. If the base value is a number, it always goes to the slow path.
3058
3059         While extending our IC for number and boolean, the most meaningful use of this IC is calling `number.toString(radix)`.
3060         So, in this patch, we first add a fast path for this in DFG by using watchpoint. We set up a watchpoint for
3061         Number.prototype.toString. And if this watchpoint is kept alive and GetById(base, "toString")'s base should be
3062         speculated as Number, we emit Number related Checks and convert GetById to Number.prototype.toString constant.
3063         It removes costly GetById slow path, and makes it non-clobbering node (JSConstant).
3064
3065         In addition, we add a NumberToStringWithValidRadixConstant node. We have a NumberToStringWithRadix node, but it may
3066         throw an error if the radix value is invalid (for example, number.toString(2000)). So its clobbering rule
3067         conservatively uses read(World)/write(Heap). But in reality, `number.toString` is mostly called with a constant
3068         radix, and we can easily figure out that this radix is valid (2 <= radix && radix < 32).
3069         We add a rule to the constant folding phase to convert NumberToStringWithRadix to NumberToStringWithValidRadixConstant.
3070         It ensures that the node has a valid constant radix, and we relax our clobbering rule for NumberToStringWithValidRadixConstant.
3071
3072         Added microbenchmarks show performance improvement.
3073
3074                                                       baseline                  patched
3075
3076         number-to-string-with-radix-cse           43.8312+-1.3017     ^      7.4930+-0.5105        ^ definitely 5.8496x faster
3077         number-to-string-with-radix-10             7.2775+-0.5225     ^      2.1906+-0.1864        ^ definitely 3.3222x faster
3078         number-to-string-with-radix               39.7378+-1.4921     ^     16.6137+-0.7776        ^ definitely 2.3919x faster
3079         number-to-string-strength-reduction       94.9667+-2.7157     ^      9.3060+-0.7202        ^ definitely 10.2049x faster
3080
3081         * dfg/DFGAbstractInterpreterInlines.h:
3082         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3083         * dfg/DFGClobberize.h:
3084         (JSC::DFG::clobberize):
3085         * dfg/DFGConstantFoldingPhase.cpp:
3086         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3087         * dfg/DFGDoesGC.cpp:
3088         (JSC::DFG::doesGC):
3089         * dfg/DFGFixupPhase.cpp:
3090         (JSC::DFG::FixupPhase::fixupNode):
3091         * dfg/DFGGraph.h:
3092         (JSC::DFG::Graph::isWatchingGlobalObjectWatchpoint):
3093         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
3094         (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint):
3095         * dfg/DFGNode.h:
3096         (JSC::DFG::Node::convertToNumberToStringWithValidRadixConstant):
3097         (JSC::DFG::Node::hasValidRadixConstant):
3098         (JSC::DFG::Node::validRadixConstant):
3099         * dfg/DFGNodeType.h:
3100         * dfg/DFGPredictionPropagationPhase.cpp:
3101         * dfg/DFGSafeToExecute.h:
3102         (JSC::DFG::safeToExecute):
3103         * dfg/DFGSpeculativeJIT.cpp:
3104         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor):
3105         (JSC::DFG::SpeculativeJIT::compileNumberToStringWithValidRadixConstant):
3106         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnNumber): Deleted.
3107         * dfg/DFGSpeculativeJIT.h:
3108         * dfg/DFGSpeculativeJIT32_64.cpp:
3109         (JSC::DFG::SpeculativeJIT::compile):
3110         * dfg/DFGSpeculativeJIT64.cpp:
3111         (JSC::DFG::SpeculativeJIT::compile):
3112         * dfg/DFGStrengthReductionPhase.cpp:
3113         (JSC::DFG::StrengthReductionPhase::handleNode):
3114         * ftl/FTLCapabilities.cpp:
3115         (JSC::FTL::canCompile):
3116         * ftl/FTLLowerDFGToB3.cpp:
3117         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3118         (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
3119         * runtime/JSGlobalObject.cpp:
3120         (JSC::JSGlobalObject::JSGlobalObject):
3121         (JSC::JSGlobalObject::init):
3122         (JSC::JSGlobalObject::visitChildren):
3123         * runtime/JSGlobalObject.h:
3124         (JSC::JSGlobalObject::numberToStringWatchpoint):
3125         (JSC::JSGlobalObject::numberProtoToStringFunction const):
3126         * runtime/NumberPrototype.cpp:
3127         (JSC::NumberPrototype::finishCreation):
3128         (JSC::toStringWithRadixInternal):
3129         (JSC::toStringWithRadix):
3130         (JSC::int32ToStringInternal):
3131         (JSC::numberToStringInternal):
3132         * runtime/NumberPrototype.h:
3133
3134 2017-09-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3135
3136         [DFG] Consider increasing the number of DFG worklist threads
3137         https://bugs.webkit.org/show_bug.cgi?id=176222
3138
3139         Reviewed by Saam Barati.
3140
3141         Attempt to add one more thread to the DFG worklist. The DFG compiler sometimes takes
3142         a very long time if the target function is very large. However, the DFG worklist
3143         has only one thread before this patch. Therefore, one function that takes
3144         too much time to be compiled can prevent the other functions from being
3145         compiled in DFG or upper tiers.
3146
3147         One example is Octane/zlib. In zlib, compiling the "a1" function in DFG takes
3148         a super long time (447 ms) because of the super large size of the function.
3149         While this function never gets compiled in FTL due to its large size,
3150         it can be compiled in DFG and takes a super long time. Subsequent compilation
3151         of the "a8" function in DFG is blocked by this "a1". As a consequence, the benchmark
3152         takes a very long time in a1/Baseline code, which is slower than DFG of course.
3153
3154         While FTL has a bit more threads, the DFG worklist has only one thread. This patch
3155         adds one more thread to the DFG worklist to alleviate the above situation. This
3156         change significantly improves Octane/zlib performance.
3157
3158                                     baseline                  patched
3159
3160         zlib           x2     482.32825+-6.07640    ^   408.66072+-14.03856      ^ definitely 1.1803x faster
3161
3162         * runtime/Options.h:
3163
3164 2017-09-04  Sam Weinig  <sam@webkit.org>
3165
3166         [WebIDL] Unify and simplify EnableBySettings with the rest of the runtime settings
3167         https://bugs.webkit.org/show_bug.cgi?id=176312
3168
3169         Reviewed by Darin Adler.
3170
3171         * runtime/CommonIdentifiers.h:
3172
3173         Remove WebCore specific identifiers from CommonIdentifiers. They have been moved
3174         to WebCoreBuiltinNames in WebCore.
3175
3176 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3177
3178         Remove "malloc" and "free" use
3179         https://bugs.webkit.org/show_bug.cgi?id=176310
3180
3181         Reviewed by Darin Adler.
3182
3183         Use Vector instead.
3184
3185         * API/JSWrapperMap.mm:
3186         (selectorToPropertyName):
3187
3188 2017-09-03  Darin Adler  <darin@apple.com>
3189
3190         Try to fix Windows build.
3191
3192         * runtime/JSGlobalObjectFunctions.cpp: #include <unicode/utf8.h>.
3193
3194 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3195
3196         [WTF] Add C++03 allocator interface for GCC < 6
3197         https://bugs.webkit.org/show_bug.cgi?id=176301
3198
3199         Reviewed by Darin Adler.
3200
3201         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3202
3203 2017-09-03  Chris Dumez  <cdumez@apple.com>
3204
3205         Unreviewed, rolling out r221555.
3206
3207         Did not fix Windows build
3208
3209         Reverted changeset:
3210
3211         "Unreviewed attempt to fix Windows build."
3212         http://trac.webkit.org/changeset/221555
3213
3214 2017-09-03  Chris Dumez  <cdumez@apple.com>
3215
3216         Unreviewed attempt to fix Windows build.
3217
3218         * runtime/JSGlobalObjectFunctions.cpp:
3219
3220 2017-09-03  Chris Dumez  <cdumez@apple.com>
3221
3222         Unreviewed, rolling out r221552.
3223
3224         Broke the build
3225
3226         Reverted changeset:
3227
3228         "[WTF] Add C++03 allocator interface for GCC < 6"
3229         https://bugs.webkit.org/show_bug.cgi?id=176301
3230         http://trac.webkit.org/changeset/221552
3231
3232 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3233
3234         [WTF] Add C++03 allocator interface for GCC < 6
3235         https://bugs.webkit.org/show_bug.cgi?id=176301
3236
3237         Reviewed by Darin Adler.
3238
3239         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3240
3241 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3242
3243         [JSC] Clean up BytecodeLivenessAnalysis
3244         https://bugs.webkit.org/show_bug.cgi?id=176295
3245
3246         Reviewed by Saam Barati.
3247
3248         Previously, computeDefsForBytecodeOffset was a bit customizable.
3249         This is used for the try-catch handler's liveness analysis. But after the
3250         careful generatorification implementation, it is now not necessary.
3251         This patch drops this customizability.
3252
3253         * bytecode/BytecodeGeneratorification.cpp:
3254         (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
3255         (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
3256         * bytecode/BytecodeLivenessAnalysis.cpp:
3257         (JSC::BytecodeLivenessAnalysis::computeKills):
3258         (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
3259         (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
3260         * bytecode/BytecodeLivenessAnalysis.h:
3261         * bytecode/BytecodeLivenessAnalysisInlines.h:
3262         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
3263         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
3264         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
3265         (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
3266         (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
3267         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction): Deleted.
3268         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBytecodeOffset): Deleted.
3269         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBlock): Deleted.
3270         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::getLivenessInfoAtBytecodeOffset): Deleted.
3271         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint): Deleted.
3272
3273 2017-09-03  Sam Weinig  <sam@webkit.org>
3274
3275         Remove CanvasProxy
3276         https://bugs.webkit.org/show_bug.cgi?id=176288
3277
3278         Reviewed by Yusuke Suzuki.
3279
3280         CanvasProxy does not appear to be in any current HTML spec
3281         and was disabled and unimplemented in our tree. Time to 
3282         get rid of it.
3283
3284         * Configurations/FeatureDefines.xcconfig:
3285
3286 2017-09-02  Oliver Hunt  <oliver@apple.com>
3287
3288         Need an API to get the global context from JSObjectRef
3289         https://bugs.webkit.org/show_bug.cgi?id=176291
3290
3291         Reviewed by Saam Barati.
3292
3293         Very simple additional API, starting off as SPI on principle.
3294
3295         * API/JSObjectRef.cpp:
3296         (JSObjectGetGlobalContext):
3297         * API/JSObjectRefPrivate.h:
3298         * API/tests/testapi.c:
3299         (main):
3300
3301 2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3302
3303         [DFG] Relax arity requirement
3304         https://bugs.webkit.org/show_bug.cgi?id=175523
3305
3306         Reviewed by Saam Barati.
3307
3308         Our DFG pipeline gives up inlining when the arity of the target function is more than the number of the arguments.
3309         It effectively prevents us from inlining and optimizing functions which take some optional arguments in the
3310         pre-ES6 form.
3311
3312         This patch removes the above restriction by performing the arity fixup in DFG.
3313
3314         SixSpeed shows improvement when we can inline arity-mismatched functions. (For example, calling generator.next()).
3315
3316                                        baseline                  patched
3317
3318         defaults.es5             1232.1226+-20.6775    ^    442.3326+-26.1883       ^ definitely 2.7855x faster
3319         rest.es6                    5.3406+-0.8588     ^      3.5812+-0.5388        ^ definitely 1.4913x faster
3320         spread-generator.es6      320.9107+-12.4808         310.4295+-12.0047         might be 1.0338x faster
3321         generator.es6             318.3514+-9.6023     ^    286.4974+-12.6203       ^ definitely 1.1112x faster
3322
3323         * bytecode/InlineCallFrame.cpp:
3324         (JSC::InlineCallFrame::dumpInContext const):
3325         * bytecode/InlineCallFrame.h:
3326         (JSC::InlineCallFrame::InlineCallFrame):
3327         * dfg/DFGAbstractInterpreterInlines.h:
3328         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3329         * dfg/DFGArgumentsEliminationPhase.cpp:
3330         * dfg/DFGArgumentsUtilities.cpp:
3331         (JSC::DFG::argumentsInvolveStackSlot):
3332         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3333         * dfg/DFGByteCodeParser.cpp:
3334         (JSC::DFG::ByteCodeParser::setLocal):
3335         (JSC::DFG::ByteCodeParser::setArgument):
3336         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
3337         (JSC::DFG::ByteCodeParser::flush):
3338         (JSC::DFG::ByteCodeParser::getArgumentCount):