Speculatively change iteration protocall to use the same next function

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2017-09-22  Keith Miller  <keith_miller@apple.com>

        Speculatively change iteration protocall to use the same next function
        https://bugs.webkit.org/show_bug.cgi?id=175653

        Reviewed by Saam Barati.

        This patch speculatively makes a change to the iteration protocall to fetch the next
        property immediately after calling the Symbol.iterator function. This is, in theory,
        a breaking change, so we will see if this breaks things (most likely it won't as this
        is a relatively subtle point).

        See: https://github.com/tc39/ecma262/issues/976

        * builtins/IteratorHelpers.js:
        (performIteration):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorNext):
        (JSC::BytecodeGenerator::emitIteratorNextWithValue):
        (JSC::BytecodeGenerator::emitDelegateYield):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayPatternNode::bindValue const):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * runtime/IteratorOperations.cpp:
        (JSC::iteratorNext):
        (JSC::iteratorStep):
        (JSC::iteratorClose):
        (JSC::iteratorForIterable):
        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewFromIterator):
        (JSC::constructGenericTypedArrayViewWithArguments):

2017-09-22  Fujii Hironori  <Hironori.Fujii@sony.com>

        [Win64] Crashes in Yarr JIT compiled code
        https://bugs.webkit.org/show_bug.cgi?id=177293

        Reviewed by Yusuke Suzuki.

        In x64 Windows, rcx register is used for the address of allocated
        space for the return value. But, rcx is used for regT1 since
        r221052. Save rcx in the stack.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter): Push ecx.
        (JSC::Yarr::YarrGenerator::generateReturn): Pop ecx.

2017-09-22  Saam Barati  <sbarati@apple.com>

        Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
        https://bugs.webkit.org/show_bug.cgi?id=177368

        Reviewed by Keith Miller.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
        (JSC::ErrorInstance::visitChildren):

2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Profile array vector length for array allocation
        https://bugs.webkit.org/show_bug.cgi?id=177051

        Reviewed by Saam Barati.

        Currently, NewArrayBuffer allocation is penalized by JSC: While empty array gets 25 vector size (BASE_CONTIGUOUS_VECTOR_LEN),
        new_array_buffer case gets 3 vector size (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get larger vector size
        if the number of its constant elements is larger than 3. But these created array may be grown by `push()` operation after
        the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.

            empty array allocation,

            var array = [];
            array.push(0);
            array.push(1);
            array.push(2);
            array.push(3);
            array.push(4);

            v.s. new_array_buffer case,

            var array = [0];
            array.push(1);
            array.push(2);
            array.push(3);
            array.push(4);

        In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (and a bit likely),
        we should allocate 3 to 25 vector size if it is likely grown. So we should get profile on the resulted array.

        We select 25 to make it fit to one of size classes.

        In this patch, we extend ArrayAllocationProfile to record vector length. And use this information when allocating array for new_array_buffer.
        If the number of new_array_buffer constants is <= 25, array vector size would become 3 to 25 based on profiling. If the number of its constants
        is larger than 25, we just use it for allocation as before.

        Added microbenchmark and SixSpeed spread-literal.es5 shows improvement.

            new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
            spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster

        * bytecode/ArrayAllocationProfile.cpp:
        (JSC::ArrayAllocationProfile::updateProfile):
        (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
        * bytecode/ArrayAllocationProfile.h:
        (JSC::ArrayAllocationProfile::selectIndexingType):
        (JSC::ArrayAllocationProfile::vectorLengthHint):
        (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllArrayPredictions):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::vectorLengthHint):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
        (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
        * runtime/ArrayConventions.h:
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):

2017-09-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r222380.
        https://bugs.webkit.org/show_bug.cgi?id=177352

        Octane/box2d shows 8% regression (Requested by yusukesuzuki on
        #webkit).

        Reverted changeset:

        "[DFG][FTL] Profile array vector length for array allocation"
        https://bugs.webkit.org/show_bug.cgi?id=177051
        http://trac.webkit.org/changeset/222380

2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Profile array vector length for array allocation
        https://bugs.webkit.org/show_bug.cgi?id=177051

        Reviewed by Saam Barati.

        Currently, NewArrayBuffer allocation is penalized by JSC: While empty array gets 25 vector size (BASE_CONTIGUOUS_VECTOR_LEN),
        new_array_buffer case gets 3 vector size (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get larger vector size
        if the number of its constant elements is larger than 3. But these created array may be grown by `push()` operation after
        the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.

            empty array allocation,

            var array = [];
            array.push(0);
            array.push(1);
            array.push(2);
            array.push(3);
            array.push(4);

            v.s. new_array_buffer case,

            var array = [0];
            array.push(1);
            array.push(2);
            array.push(3);
            array.push(4);

        In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (and a bit likely),
        we should allocate 3 to 25 vector size if it is likely grown. So we should get profile on the resulted array.

        We select 25 to make it fit to one of size classes.

        In this patch, we extend ArrayAllocationProfile to record vector length. And use this information when allocating array for new_array_buffer.
        If the number of new_array_buffer constants is <= 25, array vector size would become 3 to 25 based on profiling. If the number of its constants
        is larger than 25, we just use it for allocation as before.

        Added microbenchmark and SixSpeed spread-literal.es5 shows improvement.

            new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
            spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster

        * bytecode/ArrayAllocationProfile.cpp:
        (JSC::ArrayAllocationProfile::updateProfile):
        (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
        * bytecode/ArrayAllocationProfile.h:
        (JSC::ArrayAllocationProfile::selectIndexingType):
        (JSC::ArrayAllocationProfile::vectorLengthHint):
        (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllArrayPredictions):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::vectorLengthHint):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
        (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
        * runtime/ArrayConventions.h:
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):

2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove support for CSS Regions
        https://bugs.webkit.org/show_bug.cgi?id=177287

        Reviewed by Matt Baker.

        * inspector/protocol/CSS.json:
        * inspector/protocol/OverlayTypes.json:

2017-09-21  Brian Burg  <bburg@apple.com>

        Web Inspector: keyboard shortcut for "Reload page from origin" doesn't match Safari, and doesn't work
        https://bugs.webkit.org/show_bug.cgi?id=177010
        <rdar://problem/33134548>

        Reviewed by Joseph Pecoraro.

        Use "reload from origin" nomenclature instead of "reload ignoring cache".

        * inspector/protocol/Page.json: Improve the comment, but don't change the
        parameter name since this would be a divergence from legacy protocols.

2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>

        test262: test262/test/annexB/built-ins/RegExp/prototype/flags/order-after-compile.js ASSERTs
        https://bugs.webkit.org/show_bug.cgi?id=177307

        Reviewed by Michael Saboff.

        * runtime/RegExpPrototype.cpp:
        In r221160 we added support for the new RegExp flag (dotAll).
        We needed to make space for it in FlagsString.

2017-09-20  Keith Miller  <keith_miller@apple.com>

        JSC should use unified sources for platform specific files.
        https://bugs.webkit.org/show_bug.cgi?id=177290

        Reviewed by Michael Saboff.

        Add a list of platform specific source files and update the
        Generate Unified Sources phase of the Xcode build. I skipped WPE
        since that seems to have failed for some reason that I didn't
        fully understand. See:
        https://webkit-queues.webkit.org/results/4611260

        Also, fix duplicate symbols in Glib remote inspector files.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * PlatformGTK.cmake:
        * PlatformMac.cmake:
        * SourcesGTK.txt: Added.
        * SourcesMac.txt: Added.
        * inspector/remote/glib/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::interfaceInfo):
        (Inspector::RemoteInspectorServer::setTargetList):
        (Inspector::RemoteInspectorServer::setupInspectorClient):
        (Inspector::RemoteInspectorServer::setup):
        (Inspector::RemoteInspectorServer::close):
        (Inspector::RemoteInspectorServer::connectionClosed):
        (Inspector::RemoteInspectorServer::sendMessageToBackend):
        (Inspector::RemoteInspectorServer::sendMessageToFrontend):
        (Inspector::dbusConnectionCallAsyncReadyCallback): Deleted.

2017-09-20  Stephan Szabo  <stephan.szabo@sony.com>

        [Win] WTF: Add alias for process id to use in place of direct uses of pid_t
        https://bugs.webkit.org/show_bug.cgi?id=177017

        Reviewed by Alex Christensen.

        * API/JSRemoteInspector.cpp:
        (JSRemoteInspectorSetParentProcessInformation):
        * API/JSRemoteInspector.h:
        * inspector/remote/RemoteInspector.h:

2017-09-20  Keith Miller  <keith_miller@apple.com>

        Rename source list file to Sources.txt
        https://bugs.webkit.org/show_bug.cgi?id=177283

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt: Renamed from Source/JavaScriptCore/sources.txt.

2017-09-20  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix string capitalization

        * JavaScriptCore.xcodeproj/project.pbxproj:

2017-09-20  Keith Miller  <keith_miller@apple.com>

        JSC Xcode build should use unified sources for platform independent files
        https://bugs.webkit.org/show_bug.cgi?id=177190

        Reviewed by Saam Barati.

        This patch changes the Xcode build to use unified sources. The
        main difference from a development perspective is that instead of
        added source files to Xcode they need to be added to the shared
        sources.txt. For now, platform specific files are still added
        to the JavaScriptCore target.

        Because Xcode needs to know about all the files before we generate
        them all the unified source files need to be added to the
        JavaScriptCore framework target. As a result, if we run out of
        bundle files more will need to be added to the project. Currently,
        there are no spare files. If adding more bundle files becomes
        problematic we can change this.

        LowLevelInterpreter.cpp can't be added to the unified source list yet
        due to a clang bug.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * sources.txt: Added.

2017-09-20  Per Arne Vollan  <pvollan@apple.com>

        [Win] Cannot find script to generate unified sources.
        https://bugs.webkit.org/show_bug.cgi?id=177014

        Reviewed by Keith Miller.

        The ruby script can now be found in WTF/Scripts in the forwarding headers folder.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.proj:

2017-09-20  Alberto Garcia  <berto@igalia.com>

        Fix HPPA and Alpha builds
        https://bugs.webkit.org/show_bug.cgi?id=177224

        Reviewed by Alex Christensen.

        * CMakeLists.txt:

2017-09-18  Filip Pizlo  <fpizlo@apple.com>

        ErrorInstance and Exception need destroy methods
        https://bugs.webkit.org/show_bug.cgi?id=177095

        Reviewed by Saam Barati.
        
        When I made ErrorInstance and Exception into JSDestructibleObjects, I forgot to make them
        follow that type's protocol.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::destroy): Implement this to fix leaks.
        * runtime/ErrorInstance.h:
        * runtime/Exception.h: Change how this is declared now that this is a DestructibleObject.

2017-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Consider dropping JSObjectSetPrototype feature for JSGlobalObject
        https://bugs.webkit.org/show_bug.cgi?id=177070

        Reviewed by Saam Barati.

        Due to the security reason, our global object is immutable prototype exotic object.
        It prevents users from injecting proxies into the prototype chain of the global object[1].
        But our JSC API does not respect this attribute, and allows users to change [[Prototype]]
        of the global object after instantiating it.

        This patch removes this feature. Once global object is instantiated, we cannot change [[Prototype]]
        of the global object. It drops JSGlobalObject::resetPrototype use, which involves GlobalThis
        edge cases.

        [1]: https://github.com/tc39/ecma262/commit/935dad4283d045bc09c67a259279772d01b3d33d

        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        * API/tests/CustomGlobalObjectClassTest.c:
        (globalObjectSetPrototypeTest):

2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove ToThis more aggressively
        https://bugs.webkit.org/show_bug.cgi?id=177056

        Reviewed by Saam Barati.

        The variation of toThis() implementation is limited. So, we attempts to implement common toThis operation in AI.
        We move scope related toThis to JSScope::toThis. And AI investigates proven value/structure's toThis methods
        and attempts to fold/convert to efficient nodes.

        We introduces GetGlobalThis, which just loads globalThis from semantic origin's globalObject. Using this,
        we can implement JSScope::toThis in DFG. This can avoid costly toThis indirect function pointer call.

        Currently, we just emit GetGlobalThis if necessary. We can further convert it to constant if we can put
        watchpoint to JSGlobalObject's globalThis change. But we leave it for a future patch for now.

        This removes GetGlobalThis from ES6 generators in common cases.

        spread-generator.es6      303.1550+-9.5037          290.9337+-8.3487          might be 1.0420x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::isToThisAnIdentity):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetGlobalThis):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetGlobalThis):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
        * runtime/JSGlobalLexicalEnvironment.cpp:
        (JSC::JSGlobalLexicalEnvironment::toThis): Deleted.
        * runtime/JSGlobalLexicalEnvironment.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::toThis): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::addressOfGlobalThis):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::toThis): Deleted.
        * runtime/JSLexicalEnvironment.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::toThis):
        * runtime/JSScope.h:
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::toThis): Deleted.
        * runtime/StrictEvalActivation.h:

2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        Merge JSLexicalEnvironment and JSEnvironmentRecord
        https://bugs.webkit.org/show_bug.cgi?id=175492

        Reviewed by Saam Barati.

        JSEnvironmentRecord is only inherited by JSLexicalEnvironment.
        We can merge JSEnvironmentRecord and JSLexicalEnvironment.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutClosureVar):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSEnvironmentRecord.cpp: Removed.
        * runtime/JSEnvironmentRecord.h: Removed.
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::visitChildren):
        (JSC::JSLexicalEnvironment::heapSnapshot):
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::subspaceFor):
        (JSC::JSLexicalEnvironment::variables):
        (JSC::JSLexicalEnvironment::isValidScopeOffset):
        (JSC::JSLexicalEnvironment::variableAt):
        (JSC::JSLexicalEnvironment::offsetOfVariables):
        (JSC::JSLexicalEnvironment::offsetOfVariable):
        (JSC::JSLexicalEnvironment::allocationSizeForScopeSize):
        (JSC::JSLexicalEnvironment::allocationSize):
        (JSC::JSLexicalEnvironment::finishCreationUninitialized):
        (JSC::JSLexicalEnvironment::finishCreation):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::create):
        * runtime/JSObject.h:
        (JSC::JSObject::isEnvironment const):
        (JSC::JSObject::isEnvironmentRecord const): Deleted.
        * runtime/JSSegmentedVariableObject.h:
        * runtime/StringPrototype.cpp:
        (JSC::checkObjectCoercible):

2017-09-15  Saam Barati  <sbarati@apple.com>

        Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
        https://bugs.webkit.org/show_bug.cgi?id=176981

        Reviewed by Yusuke Suzuki.

        This patch makes inline arity fixup happen in two phases:
        1. We get all the values we need and MovHint them to the expected locals.
        2. We SetLocal them inside the callee's CodeOrigin. This way, if we exit, the callee's
           frame is already set up. If any SetLocal exits, we have a valid exit state.
           This is required because if we didn't do this in two phases, we may exit in
           the middle of arity fixup from the caller's CodeOrigin. This is unsound because if
           we did the SetLocals in the caller's frame, the memcpy may clobber needed parts
           of the frame right before exiting. For example, consider if we need to pad two args:
           [arg3][arg2][arg1][arg0]
           [fix ][fix ][arg3][arg2][arg1][arg0]
           We memcpy starting from arg0 in the direction of arg3. If we were to exit at a type check
           for arg3's SetLocal in the caller's CodeOrigin, we'd exit with a frame like so:
           [arg3][arg2][arg1][arg2][arg1][arg0]
           And the caller would then just end up thinking its argument are:
           [arg3][arg2][arg1][arg2]
           which is incorrect.
       
       
        This patch also fixes a couple of bugs in IdentitiyWithProfile:
        1. The bytecode generator for this bytecode intrinsic was written incorrectly.
           It needed to store the result of evaluating its argument in a temporary that
           it creates. Otherwise, it might try to simply overwrite a constant
           or a register that it didn't own.
        2. We weren't eliminating this node in CSE inside the DFG.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inlineCall):
        * dfg/DFGCSEPhase.cpp:

2017-09-15  JF Bastien  <jfbastien@apple.com>

        WTF: use Forward.h when appropriate instead of Vector.h
        https://bugs.webkit.org/show_bug.cgi?id=176984

        Reviewed by Saam Barati.

        There's no need to include Vector.h when Forward.h will suffice. All we need is to move the template default parameters from Vector, and then the forward declaration can be used in so many new places: if a header only takes Vector by reference, rvalue reference, pointer, returns any of these, or has them as members then the header doesn't need to see the definition because the declaration will suffice.

        * bytecode/HandlerInfo.h:
        * heap/GCIncomingRefCounted.h:
        * heap/GCSegmentedArray.h:
        * wasm/js/JSWebAssemblyModule.h:

2017-09-14  Saam Barati  <sbarati@apple.com>

        We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags
        https://bugs.webkit.org/show_bug.cgi?id=176863

        Reviewed by Keith Miller.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):

2017-09-14  Saam Barati  <sbarati@apple.com>

        Make dumping the graph print when both when exitOK and !exitOK
        https://bugs.webkit.org/show_bug.cgi?id=176954

        Reviewed by Keith Miller.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2017-09-14  Saam Barati  <sbarati@apple.com>

        It should be valid to exit before each set when doing arity fixup when inlining
        https://bugs.webkit.org/show_bug.cgi?id=176948

        Reviewed by Keith Miller.

        This patch makes it so that we can exit before each SetLocal when doing arity
        fixup during inlining. This is OK because if we exit at any of these SetLocals,
        we will simply exit to the beginning of the call instruction.
        
        Not doing this led to a bug where FixupPhase would insert a ValueRep of
        a node before the actual node. This is obviously invalid IR. I've added
        a new validation rule to catch this malformed IR.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        * dfg/DFGValidate.cpp:
        * runtime/Options.h:

2017-09-14  Mark Lam  <mark.lam@apple.com>

        AddressSanitizer: stack-buffer-underflow in JSC::Probe::Page::Page
        https://bugs.webkit.org/show_bug.cgi?id=176874
        <rdar://problem/34436415>

        Reviewed by Saam Barati.

        1. Make Probe::Stack play nice with ASan by:

           a. using a local memcpy implementation that suppresses ASan on ASan builds.
              We don't want to use std:memcpy() which validates stack memory because
              we are intentionally copying stack memory beyond the current frame.

           b. changing Stack::s_chunkSize to equal sizeof(uintptr_t) on ASan builds.
              This ensures that Page::flushWrites() only writes stack memory that was
              modified by a probe.  The probes should only modify stack memory that
              belongs to JSC stack data structures.  We don't want to inadvertently
              modify adjacent words that may belong to ASan (which may happen if
              s_chunkSize is larger than sizeof(uintptr_t)).

           c. fixing a bug in Page dirtyBits management for when the size of the value to
              write is greater than s_chunkSize.  The fix in generic, but in practice,
              this currently only manifests on 32-bit ASan builds because
              sizeof(uintptr_t) and s_chunkSize are 32-bit, and we may write 64-bit
              values.

           d. making Page::m_dirtyBits 64 bits always.  This maximizes the number of
              s_chunksPerPage we can have even on ASan builds.

        2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
           std::memcpy to avoid strict aliasing issues.

        3. Optimized the implementation of Page::physicalAddressFor().

        4. Optimized the implementation of Stack::set() in the recording of the low
           watermark.  We just record the lowest raw pointer now, and only compute the
           alignment to its chuck boundary later when the low watermark is requested.

        5. Changed a value in testmasm to make the test less vulnerable to rounding issues.

        No new test needed because this is already covered by testmasm with ASan enabled.

        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::gpr const):
        (JSC::Probe::CPUState::spr const):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::gpr const):
        (JSC::Probe::Context::spr const):
        (JSC::Probe::Context::fpr const):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe:: const): Deleted.
        * assembler/ProbeStack.cpp:
        (JSC::Probe::copyStackPage):
        (JSC::Probe::Page::Page):
        (JSC::Probe::Page::flushWrites):
        * assembler/ProbeStack.h:
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::dirtyBitFor):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        * assembler/testmasm.cpp:
        (JSC::testProbeModifiesStackValues):

2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed
        https://bugs.webkit.org/show_bug.cgi?id=176917

        Reviewed by Saam Barati.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):
        * runtime/Options.h:

2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
        https://bugs.webkit.org/show_bug.cgi?id=176867

        Reviewed by Sam Weinig.

        We rarely require private symbols when enumerating property names.
        This patch adds PrivateSymbolMode::{Include,Exclude}. If PrivateSymbolMode::Exclude
        is specified, PropertyNameArray does not include private symbols.
        This removes many ad-hoc `Identifier::isPrivateName()` in enumeration operations.

        One additional good thing is that we do not need to filter private symbols out from PropertyNameArray.
        It allows us to use Object.keys()'s fast path for Object.getOwnPropertySymbols.

        object-get-own-property-symbols                48.6275+-1.0021     ^     38.1846+-1.7934        ^ definitely 1.2735x faster

        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * runtime/EnumerationMode.h:
        * runtime/IntlObject.cpp:
        (JSC::supportedLocales):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::create):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        (JSC::objectConstructorAssign):
        (JSC::objectConstructorValues):
        (JSC::defineProperties):
        (JSC::setIntegrityLevel):
        (JSC::testIntegrityLevel):
        (JSC::ownPropertyKeys):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::PropertyNameArray):
        (JSC::PropertyNameArray::propertyNameMode const):
        (JSC::PropertyNameArray::privateSymbolMode const):
        (JSC::PropertyNameArray::addUncheckedInternal):
        (JSC::PropertyNameArray::addUnchecked):
        (JSC::PropertyNameArray::add):
        (JSC::PropertyNameArray::isUidMatchedToTypeMode):
        (JSC::PropertyNameArray::includeSymbolProperties const):
        (JSC::PropertyNameArray::includeStringProperties const):
        (JSC::PropertyNameArray::mode const): Deleted.
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performGetOwnPropertyNames):

2017-09-13  Mark Lam  <mark.lam@apple.com>

        Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
        https://bugs.webkit.org/show_bug.cgi?id=176888
        <rdar://problem/34381832>

        Not reviewed.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/ProbeContext.h:
        (JSC::Probe:: const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe::CPUState::gpr const): Deleted.
        (JSC::Probe::CPUState::spr const): Deleted.
        (JSC::Probe::Context::arg): Deleted.
        (JSC::Probe::Context::gpr const): Deleted.
        (JSC::Probe::Context::spr const): Deleted.
        (JSC::Probe::Context::fpr const): Deleted.
        * assembler/ProbeFrame.h: Removed.
        * assembler/ProbeStack.cpp:
        (JSC::Probe::Page::Page):
        * assembler/ProbeStack.h:
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        * bytecode/ArithProfile.cpp:
        * bytecode/ArithProfile.h:
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::observeArrayMode): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addressOfOSRExitCounter):
        * bytecode/ExecutionCounter.h:
        (JSC::ExecutionCounter::hasCrossedThreshold const): Deleted.
        (JSC::ExecutionCounter::setNewThresholdForOSRExit): Deleted.
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::reportValue): Deleted.
        * bytecode/MethodOfGettingAValueProfile.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::setPatchableCodeOffset):
        (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const):
        (JSC::DFG::OSRExit::codeLocationForRepatch const):
        (JSC::DFG::OSRExit::correctJump):
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
        (JSC::DFG::jsValueFor): Deleted.
        (JSC::DFG::restoreCalleeSavesFor): Deleted.
        (JSC::DFG::saveCalleeSavesFor): Deleted.
        (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted.
        (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted.
        (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted.
        (JSC::DFG::createDirectArgumentsDuringExit): Deleted.
        (JSC::DFG::createClonedArgumentsDuringExit): Deleted.
        (JSC::DFG::emitRestoreArguments): Deleted.
        (JSC::DFG::OSRExit::executeOSRExit): Deleted.
        (JSC::DFG::reifyInlinedCallFrames): Deleted.
        (JSC::DFG::adjustAndJumpToTarget): Deleted.
        (JSC::DFG::printOSRExit): Deleted.
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExitState::OSRExitState): Deleted.
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrExitThunkGenerator): Deleted.
        * dfg/DFGThunks.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::debugCall):
        * jit/AssemblyHelpers.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * profiler/ProfilerOSRExit.h:
        (JSC::Profiler::OSRExit::incCount): Deleted.
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/VM.h:

2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Move class/struct used in other class' member out of anonymous namespace
        https://bugs.webkit.org/show_bug.cgi?id=176876

        Reviewed by Saam Barati.

        GCC warns if a class has a base or field whose type uses the anonymous namespace
        and it is defined in an included file. This is because this possibly violates
        one definition rule (ODR): if an included file has the anonymous namespace, each
        translation unit creates its private anonymous namespace. Thus, each type
        inside the anonymous namespace becomes different in each translation unit if
        the file is included in multiple translation units.

        While the current use in JSC is not violating ODR since these cpp files are included
        only once for unified sources, specifying `-Wno-subobject-linkage` could miss
        the actual bugs. So, in this patch, we just move related classes/structs out of
        the anonymous namespace.

        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::addition):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::arrayBounds):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator! const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::hash const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator== const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::dump const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::RangeKeyAndAddend):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::operator! const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::dump const):
        (JSC::DFG::IntegerCheckCombiningPhase::Range::dump const):
        * dfg/DFGLICMPhase.cpp:

2017-09-13  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Event Listeners section does not update when listeners are added/removed
        https://bugs.webkit.org/show_bug.cgi?id=170570
        <rdar://problem/31501645>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/DOM.json:
        Add two new events: "didAddEventListener" and "willRemoveEventListener". These events do not
        contain any information about the event listeners that were added/removed. They serve more
        as indications that something has changed, and to refetch the data again via `getEventListenersForNode`.

2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Fix Array allocation in Object.keys
        https://bugs.webkit.org/show_bug.cgi?id=176826

        Reviewed by Saam Barati.

        When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
        We check isHavingABadTime() in ownPropertyKeys fast path.
        And we also ensures that ownPropertyKeys uses putDirect operation instead of put by a test.

        * runtime/ObjectConstructor.cpp:
        (JSC::ownPropertyKeys):

2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Optimize WeakMap::get by adding intrinsic and fixup
        https://bugs.webkit.org/show_bug.cgi?id=176010

        Reviewed by Filip Pizlo.

        It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
        It is used for meta property for objects (see peekMeta function in Ember.js).

        This patch optimizes WeakMap#get.

        1. We use inlineGet to inline WeakMap#get operation in the native function.
        Since this native function itself is very small, we should inline HashMap#get
        entirely in this function.

        2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
        very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
        to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
        ObjectUse, and Int32Use.

        3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
        calculate hash value for the key's Object and use this hash value to look up value from
        JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
        It is worth considering that implementing this operation entirely in JIT, like GetMapBucket.
        But anyway, the current one already optimizes the performance, so we leave this for the subsequent
        patches.

        We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
        not used in Ember.js right now.

        This patch optimizes WeakMap#get by 50%.

                                 baseline                  patched

        weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster

        * bytecode/DirectEvalCodeCache.h:
        (JSC::DirectEvalCodeCache::tryGet):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationFromClassInfo):
        (JSC::speculationFromJSType):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
        (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
        (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
        (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
        * jit/JITOperations.h:
        * runtime/HashMapImpl.h:
        (JSC::WeakMapHash::hash):
        (JSC::WeakMapHash::equal):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/JSType.h:
        * runtime/JSWeakMap.h:
        (JSC::isJSWeakMap):
        * runtime/JSWeakSet.h:
        (JSC::isJSWeakSet):
        * runtime/WeakMapBase.cpp:
        (JSC::WeakMapBase::get):
        * runtime/WeakMapBase.h:
        (JSC::WeakMapBase::HashTranslator::hash):
        (JSC::WeakMapBase::HashTranslator::equal):
        (JSC::WeakMapBase::inlineGet):
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        (JSC::getWeakMap):
        (JSC::protoFuncWeakMapGet):
        * runtime/WeakSetPrototype.cpp:
        (JSC::getWeakSet):

2017-09-12  Keith Miller  <keith_miller@apple.com>

        Rename JavaScriptCore CMake unifiable sources list
        https://bugs.webkit.org/show_bug.cgi?id=176823

        Reviewed by Joseph Pecoraro.

        This patch also changes the error message when the unified source
        bundler fails to be more accurate.

        * CMakeLists.txt:

2017-09-12  Keith Miller  <keith_miller@apple.com>

        Do unified source builds for JSC
        https://bugs.webkit.org/show_bug.cgi?id=176076

        Reviewed by Geoffrey Garen.

        This patch switches the CMake JavaScriptCore build to use unified sources.
        The Xcode build will be upgraded in a follow up patch.

        Most of the source changes in this patch are fixing static
        variable/functions name collisions. The most common collisions
        were from our use of "static const bool verbose" and "using
        namespace ...". I fixed all the verbose cases and fixed the "using
        namespace" issues that occurred under the current bundling
        strategy. It's likely that more of the "using namespace" issues
        will need to be resolved in the future, particularly in the FTL.

        I don't expect either of these problems will apply to other parts
        of the project nearly as much as in JSC. Using a verbose variable
        is a JSC idiom and JSC tends use the same, canonical, class name
        in multiple parts of the engine.

        * CMakeLists.txt:
        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::forEachArg):
        (JSC::B3::CheckSpecial::generate):
        (JSC::B3::Air::numB3Args): Deleted.
        * b3/B3DuplicateTails.cpp:
        * b3/B3EliminateCommonSubexpressions.cpp:
        * b3/B3FixSSA.cpp:
        (JSC::B3::demoteValues):
        * b3/B3FoldPathConstants.cpp:
        * b3/B3InferSwitches.cpp:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        (): Deleted.
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::LowerToAir): Deleted.
        (JSC::B3::Air::LowerToAir::run): Deleted.
        (JSC::B3::Air::LowerToAir::shouldCopyPropagate): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::swap): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::operator=): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::setTraps): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::tmp): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::operator bool const): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::kind const): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::peek const): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::consume): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::inst): Deleted.
        (JSC::B3::Air::LowerToAir::tmp): Deleted.
        (JSC::B3::Air::LowerToAir::tmpPromise): Deleted.
        (JSC::B3::Air::LowerToAir::canBeInternal): Deleted.
        (JSC::B3::Air::LowerToAir::commitInternal): Deleted.
        (JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
        (JSC::B3::Air::LowerToAir::scaleForShl): Deleted.
        (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
        (JSC::B3::Air::LowerToAir::addr): Deleted.
        (JSC::B3::Air::LowerToAir::trappingInst): Deleted.
        (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode): Deleted.
        (JSC::B3::Air::LowerToAir::loadPromise): Deleted.
        (JSC::B3::Air::LowerToAir::imm): Deleted.
        (JSC::B3::Air::LowerToAir::bitImm): Deleted.
        (JSC::B3::Air::LowerToAir::bitImm64): Deleted.
        (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
        (JSC::B3::Air::LowerToAir::tryOpcodeForType): Deleted.
        (JSC::B3::Air::LowerToAir::opcodeForType): Deleted.
        (JSC::B3::Air::LowerToAir::appendUnOp): Deleted.
        (JSC::B3::Air::LowerToAir::preferRightForResult): Deleted.
        (JSC::B3::Air::LowerToAir::appendBinOp): Deleted.
        (JSC::B3::Air::LowerToAir::appendShift): Deleted.
        (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp): Deleted.
        (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): Deleted.
        (JSC::B3::Air::LowerToAir::createStore): Deleted.
        (JSC::B3::Air::LowerToAir::storeOpcode): Deleted.
        (JSC::B3::Air::LowerToAir::appendStore): Deleted.
        (JSC::B3::Air::LowerToAir::moveForType): Deleted.
        (JSC::B3::Air::LowerToAir::relaxedMoveForType): Deleted.
        (JSC::B3::Air::LowerToAir::print): Deleted.
        (JSC::B3::Air::LowerToAir::append): Deleted.
        (JSC::B3::Air::LowerToAir::appendTrapping): Deleted.
        (JSC::B3::Air::LowerToAir::finishAppendingInstructions): Deleted.
        (JSC::B3::Air::LowerToAir::newBlock): Deleted.
        (JSC::B3::Air::LowerToAir::splitBlock): Deleted.
        (JSC::B3::Air::LowerToAir::ensureSpecial): Deleted.
        (JSC::B3::Air::LowerToAir::ensureCheckSpecial): Deleted.
        (JSC::B3::Air::LowerToAir::fillStackmap): Deleted.
        (JSC::B3::Air::LowerToAir::createGenericCompare): Deleted.
        (JSC::B3::Air::LowerToAir::createBranch): Deleted.
        (JSC::B3::Air::LowerToAir::createCompare): Deleted.
        (JSC::B3::Air::LowerToAir::createSelect): Deleted.
        (JSC::B3::Air::LowerToAir::tryAppendLea): Deleted.
        (JSC::B3::Air::LowerToAir::appendX86Div): Deleted.
        (JSC::B3::Air::LowerToAir::appendX86UDiv): Deleted.
        (JSC::B3::Air::LowerToAir::loadLinkOpcode): Deleted.
        (JSC::B3::Air::LowerToAir::storeCondOpcode): Deleted.
        (JSC::B3::Air::LowerToAir::appendCAS): Deleted.
        (JSC::B3::Air::LowerToAir::appendVoidAtomic): Deleted.
        (JSC::B3::Air::LowerToAir::appendGeneralAtomic): Deleted.
        (JSC::B3::Air::LowerToAir::lower): Deleted.
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::generate):
        * b3/B3ReduceDoubleToFloat.cpp:
        (JSC::B3::reduceDoubleToFloat):
        * b3/B3ReduceStrength.cpp:
        * b3/B3StackmapGenerationParams.cpp:
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::repsImpl):
        (JSC::B3::StackmapSpecial::repForArg):
        * b3/air/AirAllocateStackByGraphColoring.cpp:
        (JSC::B3::Air::allocateStackByGraphColoring):
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirFixObviousSpills.cpp:
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirStackAllocation.cpp:
        (JSC::B3::Air::attemptAssignment):
        (JSC::B3::Air::assign):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeDFGStatuses):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::emitDOMJITGetter):
        * bytecode/ObjectPropertyConditionSet.cpp:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::addCases):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::addAccessCase):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::planLoad):
        (JSC::DFG::ByteCodeParser::store):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::linkBlocks):
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::merge):
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGMovHintRemovalPhase.cpp:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPhantomInsertionPhase.cpp:
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGVarargsForwardingPhase.cpp:
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::compute):
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::decorateMemory):
        (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
        (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
        (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
        (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
        (JSC::FTL::AbstractHeapRepository::decorateFenceRead):
        (JSC::FTL::AbstractHeapRepository::decorateFenceWrite):
        (JSC::FTL::AbstractHeapRepository::decorateFencedAccess):
        (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * heap/MarkingConstraintSet.cpp:
        (JSC::MarkingConstraintSet::add):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
        * jit/BinarySwitch.cpp:
        (JSC::BinarySwitch::BinarySwitch):
        (JSC::BinarySwitch::build):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::loadStats):
        (JSC::LLInt::Data::saveStats):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
        (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
        * runtime/ErrorInstance.cpp:
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame const): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::index const): Deleted.
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::doWork):
        (JSC::PromiseDeferredTimer::addPendingPromise):
        (JSC::PromiseDeferredTimer::cancelPendingPromise):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::insertNewLocation):
        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/WeakMapPrototype.cpp:
        (JSC::protoFuncWeakMapDelete):
        (JSC::protoFuncWeakMapGet):
        (JSC::protoFuncWeakMapHas):
        (JSC::protoFuncWeakMapSet):
        (JSC::getWeakMapData): Deleted.
        * runtime/WeakSetPrototype.cpp:
        (JSC::protoFuncWeakSetDelete):
        (JSC::protoFuncWeakSetHas):
        (JSC::protoFuncWeakSetAdd):
        (JSC::getWeakMapData): Deleted.
        * testRegExp.cpp:
        (testOneRegExp):
        (runFromFiles):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::moveToState):
        (JSC::Wasm::BBQPlan::parseAndValidateModule):
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::compileFunctions):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::OMGPlan):
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::fail):
        * wasm/WasmSignature.cpp:
        (JSC::Wasm::SignatureInformation::adopt):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::Worklist::enqueue):

2017-09-12  Michael Saboff  <msaboff@apple.com>

        String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp
        https://bugs.webkit.org/show_bug.cgi?id=176814

        Reviewed by Mark Lam.

        The copy and advance indices where off by one and needed a little fine tuning.

        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferencesSlow):

2017-09-11  Mark Lam  <mark.lam@apple.com>

        More exception check book-keeping needed found by 32-bit JSC test failures.
        https://bugs.webkit.org/show_bug.cgi?id=176742

        Reviewed by Michael Saboff and Keith Miller.

        * dfg/DFGOperations.cpp:

2017-09-11  Mark Lam  <mark.lam@apple.com>

        Make jsc dump the command line if JSC_dumpOption environment variable is set with a non-zero value.
        https://bugs.webkit.org/show_bug.cgi?id=176722

        Reviewed by Saam Barati.

        For PLATFORM(COCOA), I also dumped the JSC_* environmental variables that are
        in effect when jsc is invoked.

        * jsc.cpp:
        (CommandLine::parseArguments):

2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r221854.

        The test added with this change fails on 32-bit JSC bots.

        Reverted changeset:

        "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
        https://bugs.webkit.org/show_bug.cgi?id=176010
        http://trac.webkit.org/changeset/221854

2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Optimize WeakMap::get by adding intrinsic and fixup
        https://bugs.webkit.org/show_bug.cgi?id=176010

        Reviewed by Filip Pizlo.

        It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
        It is used for meta property for objects (see peekMeta function in Ember.js).

        This patch optimizes WeakMap#get.

        1. We use inlineGet to inline WeakMap#get operation in the native function.
        Since this native function itself is very small, we should inline HashMap#get
        entirely in this function.

        2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
        very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
        to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
        ObjectUse, and Int32Use.

        3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
        calculate hash value for the key's Object and use this hash value to look up value from
        JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
        It is worth considering that implementing this operation entirely in JIT, like GetMapBucket.
        But anyway, the current one already optimizes the performance, so we leave this for the subsequent
        patches.

        We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
        not used in Ember.js right now.

        This patch optimizes WeakMap#get by 50%.

                                 baseline                  patched

        weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster

        * bytecode/DirectEvalCodeCache.h:
        (JSC::DirectEvalCodeCache::tryGet):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationFromClassInfo):
        (JSC::speculationFromJSType):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
        (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
        (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
        (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
        * jit/JITOperations.h:
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/JSType.h:
        * runtime/JSWeakMap.h:
        (JSC::isJSWeakMap):
        * runtime/JSWeakSet.h:
        (JSC::isJSWeakSet):
        * runtime/WeakMapBase.cpp:
        (JSC::WeakMapBase::get):
        * runtime/WeakMapBase.h:
        (JSC::WeakMapBase::HashTranslator::hash):
        (JSC::WeakMapBase::HashTranslator::equal):
        (JSC::WeakMapBase::inlineGet):
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        (JSC::getWeakMap):
        (JSC::protoFuncWeakMapGet):
        * runtime/WeakSetPrototype.cpp:
        (JSC::getWeakSet):

2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize Object.keys by using careful array allocation
        https://bugs.webkit.org/show_bug.cgi?id=176654

        Reviewed by Darin Adler.

        SixSpeed object-assign.es6 stresses Object.keys. Object.keys is one of frequently used
        function in JS apps. Luckily Object.keys has several good features.

        1. Once PropertyNameArray is allocated, we know the length of the result array since
        we do not need to filter out keys listed in PropertyNameArray. The execption is ProxyObject,
        but it rarely appears. ProxyObject case goes to the generic path.

        2. Object.keys does not need to access object after listing PropertyNameArray. It means
        that we do not need to worry about enumeration attribute change by touching object.

        This patch adds a fast path for Object.keys's array allocation. We allocate the JSArray
        with the size and ArrayContiguous indexing shape.

        This further improves SixSpeed object-assign.es5 by 13%.

                                            baseline                  patched
        Microbenchmarks:
           object-keys-map-values       73.4324+-2.5397     ^     62.5933+-2.6677        ^ definitely 1.1732x faster
           object-keys                  40.8828+-1.5851     ^     29.2066+-1.8944        ^ definitely 1.3998x faster

                                            baseline                  patched
        SixSpeed:
           object-assign.es5           384.8719+-10.7204    ^    340.2734+-12.0947       ^ definitely 1.1311x faster

        BTW, the further optimization of Object.keys can be considered: introducing own property keys
        cache which is similar to the current enumeration cache. But this patch is orthogonal to
        this optimization!

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorValues):
        (JSC::ownPropertyKeys):
        * runtime/ObjectConstructor.h:

2017-09-10  Mark Lam  <mark.lam@apple.com>

        Fix all ExceptionScope verification failures in JavaScriptCore.
        https://bugs.webkit.org/show_bug.cgi?id=176662
        <rdar://problem/34352085>

        Reviewed by Filip Pizlo.

        1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope
           verification for release builds too (though this requires manually setting
           ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).

           This is useful because it allows us to run the tests more quickly to check
           if any regressions have occurred.  Debug builds run so much slower and not
           good for a quick turn around.  Debug builds are necessary though to get
           trace information without inlining by the C++ compiler.  This is necessary to
           diagnose where the missing exception check is.

        2. Repurposed the JSC_dumpSimulatedThrows=true options to capture and dump the last
           simulated throw when an exception scope verification fails.

           Previously, this option dumps the stack trace on all simulated throws.  That
           turned out to not be very useful, and slows down the debugging process.
           Instead, the new implementation captures the stack trace and only dumps it
           if we have a verification failure.

        3. Fixed missing exception checks and book-keeping needed to allow the JSC tests
           to pass with JSC_validateExceptionChecks=true.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        (JSC::loadVarargs):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * jsc.cpp:
        (WTF::CustomGetter::customGetterAcessor):
        (GlobalObject::moduleLoaderImportModule):
        (GlobalObject::moduleLoaderResolve):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::setUpCall):
        * parser/Parser.h:
        (JSC::Parser::popScopeInternal):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::hostResolveImportedModule):
        (JSC::AbstractModuleRecord::resolveImport):
        (JSC::AbstractModuleRecord::resolveExportImpl):
        (JSC::getExportedNames):
        (JSC::AbstractModuleRecord::getModuleNamespace):
        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::unshift):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        (JSC::concatAppendOne):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        (JSC::arrayProtoPrivateFuncAppendMemcpy):
        * runtime/CatchScope.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::length const):
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/ExceptionFuzz.cpp:
        (JSC::doExceptionFuzzing):
        * runtime/ExceptionScope.h:
        (JSC::ExceptionScope::needExceptionCheck):
        (JSC::ExceptionScope::assertNoException):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::defineOwnProperty):
        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::rehash):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::formatToParts):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::put):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toIndex const):
        (JSC::JSValue::get const):
        (JSC::JSValue::getPropertySlot const):
        (JSC::JSValue::equalSlowCaseInline):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewFromIterator):
        (JSC::constructGenericTypedArrayViewWithArguments):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::put):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::decode):
        (JSC::globalFuncEval):
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):
        (JSC::globalFuncImportModule):
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::then):
        * runtime/JSInternalPromiseDeferred.cpp:
        (JSC::JSInternalPromiseDeferred::create):
        * runtime/JSJob.cpp:
        (JSC::JSJobMicrotask::run):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::getOwnPropertySlot):
        (JSC::JSModuleEnvironment::put):
        (JSC::JSModuleEnvironment::deleteProperty):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::provide):
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        (JSC::JSModuleLoader::requestImportModule):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::link):
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::toJSON):
        (JSC::JSONProtoFuncParse):
        * runtime/JSObject.cpp:
        (JSC::JSObject::calculatedClassName):
        (JSC::ordinarySetSlow):
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::ordinaryToPrimitive const):
        (JSC::JSObject::toPrimitive const):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::getPropertyNames):
        (JSC::JSObject::toNumber const):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::validateAndApplyPropertyDescriptor):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::JSObject::getGenericPropertyNames):
        * runtime/JSObject.h:
        (JSC::JSObject::get const):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getPropertySlot const):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::getNonIndexPropertySlot):
        (JSC::JSObject::putInlineForJSObject):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::create):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        (JSC::JSScope::resolve):
        (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
        (JSC::JSScope::abstractResolve):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        (JSC::LiteralParser<CharType>::parse):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToString):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        (JSC::objectConstructorAssign):
        (JSC::objectConstructorValues):
        (JSC::toPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        (JSC::defineProperties):
        (JSC::objectConstructorDefineProperties):
        (JSC::ownPropertyKeys):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncIsPrototypeOf):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncToLocaleString):
        (JSC::objectProtoFuncToString):
        * runtime/Options.h:
        * runtime/ParseInt.h:
        (JSC::toStringView):
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performPut):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectDefineProperty):
        * runtime/RegExpConstructor.cpp:
        (JSC::toFlags):
        (JSC::regExpCreate):
        (JSC::constructRegExp):
        * runtime/RegExpObject.cpp:
        (JSC::collectMatches):
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::execInline):
        (JSC::RegExpObject::matchInline):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTestFast):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncMatchFast):
        (JSC::regExpProtoFuncToString):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/ThrowScope.cpp:
        (JSC::ThrowScope::simulateThrow):
        * runtime/VM.cpp:
        (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
        * runtime/VM.h:
        * runtime/WeakMapPrototype.cpp:
        (JSC::protoFuncWeakMapSet):
        * runtime/WeakSetPrototype.cpp:
        (JSC::protoFuncWeakSetAdd):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::WebAssemblyModuleConstructor::createModule):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::reject):
        (JSC::webAssemblyCompileFunc):
        (JSC::resolve):
        (JSC::webAssemblyInstantiateFunc):

2017-09-08  Filip Pizlo  <fpizlo@apple.com>

        Error should compute .stack and friends lazily
        https://bugs.webkit.org/show_bug.cgi?id=176645

        Reviewed by Saam Barati.
        
        Building the string portion of the stack trace after we walk the stack accounts for most of
        the cost of computing the .stack property. So, this patch makes ErrorInstance hold onto the
        Vector<StackFrame> so that it can build the string only once it's really needed.
        
        This is an enormous speed-up for programs that allocate and throw exceptions.
        
        It's a 5.6x speed-up for "new Error()" with a stack that is 4 functions deep.
        
        It's a 2.2x speed-up for throwing and catching an Error.
        
        It's a 1.17x speed-up for the WSL test suite (which throws a lot).
        
        It's a significant speed-up on many of our existing try-catch microbenchmarks. For example,
        delta-blue-try-catch is 1.16x faster.

        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
        (JSC::GetStackTraceFunctor::operator() const):
        (JSC::Interpreter::getStackTrace):
        * interpreter/Interpreter.h:
        * runtime/Error.cpp:
        (JSC::getStackTrace):
        (JSC::getBytecodeOffset):
        (JSC::addErrorInfo):
        (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
        * runtime/Error.h:
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        (JSC::ErrorInstance::finishCreation):
        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
        (JSC::ErrorInstance::visitChildren):
        (JSC::ErrorInstance::getOwnPropertySlot):
        (JSC::ErrorInstance::getOwnNonIndexPropertyNames):
        (JSC::ErrorInstance::defineOwnProperty):
        (JSC::ErrorInstance::put):
        (JSC::ErrorInstance::deleteProperty):
        * runtime/ErrorInstance.h:
        * runtime/Exception.cpp:
        (JSC::Exception::visitChildren):
        (JSC::Exception::finishCreation):
        * runtime/Exception.h:
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::visitChildren):
        * runtime/StackFrame.h:
        (JSC::StackFrame::StackFrame):

2017-09-09  Mark Lam  <mark.lam@apple.com>

        [Re-landing] Use JIT probes for DFG OSR exit.
        https://bugs.webkit.org/show_bug.cgi?id=175144
        <rdar://problem/33437050>

        Not reviewed.  Original patch reviewed by Saam Barati.

        Relanding r221774.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::gpr const):
        (JSC::Probe::CPUState::spr const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::arg):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::gpr const):
        (JSC::Probe::Context::spr const):
        (JSC::Probe::Context::fpr const):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe:: const): Deleted.
        * assembler/ProbeFrame.h: Copied from Source/JavaScriptCore/assembler/ProbeFrame.h.
        * assembler/ProbeStack.cpp:
        (JSC::Probe::Page::Page):
        * assembler/ProbeStack.h:
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        * bytecode/ArithProfile.cpp:
        * bytecode/ArithProfile.h:
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::observeArrayMode):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
        * bytecode/ExecutionCounter.h:
        (JSC::ExecutionCounter::hasCrossedThreshold const):
        (JSC::ExecutionCounter::setNewThresholdForOSRExit):
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::reportValue):
        * bytecode/MethodOfGettingAValueProfile.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC): Deleted.
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::jsValueFor):
        (JSC::DFG::restoreCalleeSavesFor):
        (JSC::DFG::saveCalleeSavesFor):
        (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
        (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        (JSC::DFG::saveOrCopyCalleeSavesFor):
        (JSC::DFG::createDirectArgumentsDuringExit):
        (JSC::DFG::createClonedArgumentsDuringExit):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::emitRestoreArguments):
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::printOSRExit):
        (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
        (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
        (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
        (JSC::DFG::OSRExit::correctJump): Deleted.
        (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
        (JSC::DFG::OSRExit::compileOSRExit): Deleted.
        (JSC::DFG::OSRExit::compileExit): Deleted.
        (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExitState::OSRExitState):
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitThunkGenerator):
        (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
        * dfg/DFGThunks.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::debugCall): Deleted.
        * jit/AssemblyHelpers.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * profiler/ProfilerOSRExit.h:
        (JSC::Profiler::OSRExit::incCount):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/VM.h:

2017-09-09  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r221774.

        This change introduced three debug JSC test timeouts.

        Reverted changeset:

        "Use JIT probes for DFG OSR exit."
        https://bugs.webkit.org/show_bug.cgi?id=175144
        http://trac.webkit.org/changeset/221774

2017-09-09  Mark Lam  <mark.lam@apple.com>

        Avoid duplicate computations of ExecState::vm().
        https://bugs.webkit.org/show_bug.cgi?id=176647

        Reviewed by Saam Barati.

        Because while computing ExecState::vm() is cheap, it is not free.

        This patch also:
        1. gets rids of some convenience methods in CallFrame that implicitly does a
           ExecState::vm() computation.  This minimizes the chance of us accidentally
           computing ExecState::vm() more than necessary.
        2. passes vm (when available) to methodTable().
        3. passes vm (when available) to JSLockHolder.

        * API/JSBase.cpp:
        (JSCheckScriptSyntax):
        (JSGarbageCollect):
        (JSReportExtraMemoryCost):
        (JSSynchronousGarbageCollectForDebugging):
        (JSSynchronousEdenCollectForDebugging):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create):
        * API/JSContext.mm:
        (-[JSContext setException:]):
        * API/JSContextRef.cpp:
        (JSContextGetGlobalObject):
        (JSContextCreateBacktrace):
        * API/JSManagedValue.mm:
        (-[JSManagedValue value]):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectMakeFunctionWithCallback):
        (JSObjectMakeConstructor):
        (JSObjectMakeFunction):
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        (JSObjectCopyPropertyNames):
        (JSPropertyNameAccumulatorAddName):
        * API/JSScriptRef.cpp:
        * API/JSTypedArray.cpp:
        (JSValueGetTypedArrayType):
        (JSObjectMakeTypedArrayWithArrayBuffer):
        (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
        (JSObjectGetTypedArrayBytesPtr):
        (JSObjectGetTypedArrayBuffer):
        (JSObjectMakeArrayBufferWithBytesNoCopy):
        (JSObjectGetArrayBufferBytesPtr):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/JSWrapperMap.mm:
        (constructorHasInstance):
        (makeWrapper):
        * API/ObjCCallbackFunction.mm:
        (objCCallbackFunctionForInvocation):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstant):
        (JSC::CodeBlock::replaceConstant):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::globalThisObjectFor):
        * dfg/DFGOperations.cpp:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationPopulateObjectInOSR):
        (JSC::FTL::operationMaterializeObjectInOSR):
        * heap/GCAssertions.h:
        * inspector/InjectedScriptHost.cpp:
        (Inspector::InjectedScriptHost::wrapper):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::constructInternalProperty):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::weakSetEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::valueForScopeLocation):
        (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
        (Inspector::toJS):
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptArguments):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * interpreter/CallFrame.h:
        (JSC::ExecState::atomicStringTable const): Deleted.
        (JSC::ExecState::propertyNames const): Deleted.
        (JSC::ExecState::emptyList const): Deleted.
        (JSC::ExecState::interpreter): Deleted.
        (JSC::ExecState::heap): Deleted.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JITOperations.cpp:
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::compileNow):
        * jsc.cpp:
        (WTF::RuntimeArray::create):
        (WTF::RuntimeArray::getOwnPropertySlot):
        (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
        (WTF::DOMJITFunctionObject::unsafeFunction):
        (WTF::DOMJITCheckSubClassObject::unsafeFunction):
        (GlobalObject::moduleLoaderFetch):
        (functionDumpCallFrame):
        (functionCreateRoot):
        (functionGetElement):
        (functionSetElementRoot):
        (functionCreateSimpleObject):
        (functionSetHiddenValue):
        (functionCreateProxy):
        (functionCreateImpureGetter):
        (functionCreateCustomGetterObject):
        (functionCreateDOMJITNodeObject):
        (functionCreateDOMJITGetterObject):
        (functionCreateDOMJITGetterComplexObject):
        (functionCreateDOMJITFunctionObject):
        (functionCreateDOMJITCheckSubClassObject):
        (functionGCAndSweep):
        (functionFullGC):
        (functionEdenGC):
        (functionHeapSize):
        (functionShadowChickenFunctionsOnStack):
        (functionSetGlobalConstRedeclarationShouldNotThrow):
        (functionJSCOptions):
        (functionFailNextNewCodeBlock):
        (functionMakeMasquerader):
        (functionDumpTypesForAllVariables):
        (functionFindTypeForExpression):
        (functionReturnTypeFor):
        (functionDumpBasicBlockExecutionRanges):
        (functionBasicBlockExecutionCount):
        (functionDrainMicrotasks):
        (functionGenerateHeapSnapshot):
        (functionEnsureArrayStorage):
        (functionStartSamplingProfiler):
        (runInteractive):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * parser/ModuleAnalyzer.cpp:
        (JSC::ModuleAnalyzer::ModuleAnalyzer):
        * profiler/ProfilerBytecode.cpp:
        (JSC::Profiler::Bytecode::toJS const):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
        * profiler/ProfilerBytecodes.cpp:
        (JSC::Profiler::Bytecodes::toJS const):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::toJS const):
        * profiler/ProfilerCompiledBytecode.cpp:
        (JSC::Profiler::CompiledBytecode::toJS const):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::toJS const):
        * profiler/ProfilerEvent.cpp:
        (JSC::Profiler::Event::toJS const):
        * profiler/ProfilerOSRExit.cpp:
        (JSC::Profiler::OSRExit::toJS const):
        * profiler/ProfilerOrigin.cpp:
        (JSC::Profiler::Origin::toJS const):
        * profiler/ProfilerProfiledBytecodes.cpp:
        (JSC::Profiler::ProfiledBytecodes::toJS const):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::identifierToJSValue):
        (JSC::AbstractModuleRecord::resolveExportImpl):
        (JSC::getExportedNames):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructBooleanFromImmediateBoolean):
        * runtime/CallData.cpp:
        (JSC::call):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
        (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        (JSC::linkAndEvaluateModule):
        (JSC::importModule):
        * runtime/ConstructData.cpp:
        (JSC::construct):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToJSON):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::length const):
        * runtime/DirectEvalExecutable.cpp:
        (JSC::DirectEvalExecutable::create):
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        (JSC::errorDescriptionForValue):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::add):
        * runtime/IndirectEvalExecutable.cpp:
        (JSC::IndirectEvalExecutable::create):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        (JSC::InternalFunction::createSubclassStructureSlow):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        (JSC::JSArray::put):
        (JSC::JSArray::deleteProperty):
        (JSC::JSArray::getOwnNonIndexPropertyNames):
        (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
        * runtime/JSArray.h:
        (JSC::JSArray::shiftCountForShift):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpForBacktrace const):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getOwnPropertySlot):
        (JSC::JSDataView::deleteProperty):
        (JSC::JSDataView::getOwnNonIndexPropertyNames):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::reifyName):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::then):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::deleteProperty):
        * runtime/JSMap.cpp:
        (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
        * runtime/JSMapIterator.h:
        (JSC::JSMapIterator::advanceIter):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSModuleLoader.cpp:
        (JSC::printableModuleKey):
        (JSC::JSModuleLoader::provide):
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        (JSC::JSModuleLoader::requestImportModule):
        * runtime/JSModuleNamespaceObject.h:
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::evaluate):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::appendNextProperty):
        * runtime/JSObject.cpp:
        (JSC::JSObject::calculatedClassName):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::ordinaryToPrimitive const):
        (JSC::JSObject::toPrimitive const):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        (JSC::getCustomGetterSetterFunctionForGetterSetter):
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::JSObject::getMethod):
        * runtime/JSObject.h:
        (JSC::JSObject::createRawObject):
        (JSC::JSFinalObject::create):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::canPerformFastPutInline):
        (JSC::JSObject::putInlineForJSObject):
        (JSC::JSObject::hasOwnProperty const):
        * runtime/JSScope.cpp:
        (JSC::isUnscopable):
        (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
        * runtime/JSSet.cpp:
        (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
        * runtime/JSSetIterator.h:
        (JSC::JSSetIterator::advanceIter):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/ModuleProgramExecutable.cpp:
        (JSC::ModuleProgramExecutable::create):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToLocaleString):
        * runtime/ProgramExecutable.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        (JSC::RegExpObject::deleteProperty):
        (JSC::RegExpObject::getOwnNonIndexPropertyNames):
        (JSC::RegExpObject::getPropertyNames):
        (JSC::RegExpObject::getGenericPropertyNames):
        (JSC::RegExpObject::put):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::length const):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        * runtime/StringObject.cpp:
        (JSC::isStringOwnProperty):
        (JSC::StringObject::deleteProperty):
        (JSC::StringObject::getOwnNonIndexPropertyNames):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::gc):
        (JSC::JSDollarVMPrototype::edenGC):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::evaluate):

2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] NewArrayWithSize(size)'s size does not care negative zero
        https://bugs.webkit.org/show_bug.cgi?id=176300

        Reviewed by Saam Barati.

        NewArrayWithSize(size)'s size does not care negative zero as
        is the same to NewTypedArray. We propagate this information
        in DFGBackwardsPropagationPhase. This removes negative zero
        check in kraken fft's deinterleave function.

        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):

2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] PutByVal with Array::Generic is too generic
        https://bugs.webkit.org/show_bug.cgi?id=176345

        Reviewed by Filip Pizlo.

        Our DFG/FTL's PutByVal with Array::Generic is too generic implementation.
        We could have the case like,

            dst[key] = src[key];

        with string or symbol keys. But they are handled in slow path.
        This patch adds PutByVal(CellUse, StringUse/SymbolUse, UntypedUse). They go
        to optimized path that does not have generic checks like (isInt32() / isDouble() etc.).

        This improves SixSpeed object-assign.es5 by 9.1%.

        object-assign.es5             424.3159+-11.0471    ^    388.8771+-10.9239       ^ definitely 1.0911x faster

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::putByValInternal):
        (JSC::DFG::putByValCellInternal):
        (JSC::DFG::putByValCellStringInternal):
        (JSC::DFG::operationPutByValInternal): Deleted.
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString):
        (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        * jit/JITOperations.h:

2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
        https://bugs.webkit.org/show_bug.cgi?id=176590

        Reviewed by Saam Barati.

        We add fixup edges for GetByVal(Array::Generic) to call faster operation instead of generic operationGetByVal.

                                         baseline                  patched

        object-iterate                5.8531+-0.3029            5.7903+-0.2795          might be 1.0108x faster
        object-iterate-symbols        7.4099+-0.3993     ^      5.8254+-0.2276        ^ definitely 1.2720x faster

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::getByValObject):
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
        (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):

2017-09-07  Mark Lam  <mark.lam@apple.com>

        Use JIT probes for DFG OSR exit.
        https://bugs.webkit.org/show_bug.cgi?id=175144
        <rdar://problem/33437050>

        Reviewed by Saam Barati.

        This patch does the following:
        1. Replaces osrExitGenerationThunkGenerator() with osrExitThunkGenerator().
           While osrExitGenerationThunkGenerator() generates a thunk that compiles a
           unique OSR offramp for each DFG OSR exit site, osrExitThunkGenerator()
           generates a thunk that just executes the OSR exit.

           The osrExitThunkGenerator() generated thunk works by using a single JIT probe
           to call OSRExit::executeOSRExit().  The JIT probe takes care of preserving
           CPU registers, and providing the Probe::Stack mechanism for modifying the
           stack frame.

           OSRExit::executeOSRExit() replaces OSRExit::compileOSRExit() and
           OSRExit::compileExit().  It is basically a re-write of those functions to
           execute the OSR exit work instead of compiling code to execute the work.

           As a result, we get the following savings:
           a. no more OSR exit ramp compilation time.
           b. no use of JIT executable memory for storing each unique OSR exit ramp.

           On the negative side, we incur these costs:

           c. the OSRExit::executeOSRExit() ramp may be a little slower than the compiled
              version of the ramp.  However, OSR exits are rare.  Hence, this small
              difference should not matter much.  It is also offset by the savings from
              (a).

           d. the Probe::Stack allocates 1K pages for memory for buffering stack
              modifcations.  The number of these pages depends on the span of stack memory
              that the OSR exit ramp reads from and writes to.  Since the OSR exit ramp
              tends to only modify values in the current DFG frame and the current
              VMEntryRecord, the number of pages tends to only be 1 or 2.

              Using the jsc tests as a workload, the vast majority of tests that do OSR
              exit, uses 3 or less 1K pages (with the overwhelming number using just 1 page).
              A few tests that are pathological uses up to 14 pages, and one particularly
              bad test (function-apply-many-args.js) uses 513 pages.

           Similar to the old code, the OSR exit ramp still has 2 parts: 1 part that is
           only executed once to compute some values for the exit site that is used by
           all exit operations from that site, and a 2nd part to execute the exit.  The
           1st part is protected by a checking if exit.exitState has already been
           initialized.  The computed values are cached in exit.exitState.

           Because the OSR exit thunk no longer compiles an OSR exit off-ramp, we no
           longer need the facility to patch the site that jumps to the OSR exit ramp.
           The DFG::JITCompiler has been modified to remove this patching code.

        2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
           std::memcpy to avoid strict aliasing issues.

           Also optimized the implementation of Probe::Stack::physicalAddressFor().

        3. Miscellaneous convenience methods added to make the Probe::Context easier of
           use.

        4. Added a Probe::Frame class that makes it easier to get/set operands and
           arguments in a given frame using the deferred write properties of the
           Probe::Stack.  Probe::Frame makes it easier to do some of the recovery work in
           the OSR exit ramp.

        5. Cloned or converted some functions needed by the OSR exit ramp.  The original
           JIT versions of these functions are still left in place because they are still
           needed for FTL OSR exit.  A FIXME comment has been added to remove them later.
           These functions include:

           DFGOSRExitCompilerCommon.cpp's handleExitCounts() ==>
               CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize()
           DFGOSRExitCompilerCommon.cpp's reifyInlinedCallFrames() ==>
               DFGOSRExit.cpp's reifyInlinedCallFrames()
           DFGOSRExitCompilerCommon.cpp's adjustAndJumpToTarget() ==>
               DFGOSRExit.cpp's adjustAndJumpToTarget()

           MethodOfGettingAValueProfile::emitReportValue() ==>
               MethodOfGettingAValueProfile::reportValue()

           DFGOperations.cpp's operationCreateDirectArgumentsDuringExit() ==>
               DFGOSRExit.cpp's createDirectArgumentsDuringExit()
           DFGOperations.cpp's operationCreateClonedArgumentsDuringExit() ==>
               DFGOSRExit.cpp's createClonedArgumentsDuringExit()

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::gpr const):
        (JSC::Probe::CPUState::spr const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::arg):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::gpr const):
        (JSC::Probe::Context::spr const):
        (JSC::Probe::Context::fpr const):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe:: const): Deleted.
        * assembler/ProbeFrame.h: Added.
        (JSC::Probe::Frame::Frame):
        (JSC::Probe::Frame::getArgument):
        (JSC::Probe::Frame::getOperand):
        (JSC::Probe::Frame::get):
        (JSC::Probe::Frame::setArgument):
        (JSC::Probe::Frame::setOperand):
        (JSC::Probe::Frame::set):
        * assembler/ProbeStack.cpp:
        (JSC::Probe::Page::Page):
        * assembler/ProbeStack.h:
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        * bytecode/ArithProfile.cpp:
        * bytecode/ArithProfile.h:
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::observeArrayMode):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
        * bytecode/ExecutionCounter.h:
        (JSC::ExecutionCounter::hasCrossedThreshold const):
        (JSC::ExecutionCounter::setNewThresholdForOSRExit):
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::reportValue):
        * bytecode/MethodOfGettingAValueProfile.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC): Deleted.
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::jsValueFor):
        (JSC::DFG::restoreCalleeSavesFor):
        (JSC::DFG::saveCalleeSavesFor):
        (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
        (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        (JSC::DFG::saveOrCopyCalleeSavesFor):
        (JSC::DFG::createDirectArgumentsDuringExit):
        (JSC::DFG::createClonedArgumentsDuringExit):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::emitRestoreArguments):
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::printOSRExit):
        (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
        (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
        (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
        (JSC::DFG::OSRExit::correctJump): Deleted.
        (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
        (JSC::DFG::OSRExit::compileOSRExit): Deleted.
        (JSC::DFG::OSRExit::compileExit): Deleted.
        (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExitState::OSRExitState):
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitThunkGenerator):
        (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
        * dfg/DFGThunks.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::debugCall): Deleted.
        * jit/AssemblyHelpers.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * profiler/ProfilerOSRExit.h:
        (JSC::Profiler::OSRExit::incCount):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/VM.h:

2017-09-07  Michael Saboff  <msaboff@apple.com>

        Add support for RegExp named capture groups
        https://bugs.webkit.org/show_bug.cgi?id=176435

        Reviewed by Filip Pizlo.

        Added parsing for both naming a captured parenthesis as well and using a named group in
        a back reference.  Also added support for using named groups with String.prototype.replace().

        This patch does not throw Syntax Errors as described in the current spec text for the two
        cases of malformed back references in String.prototype.replace() as I believe that it
        is inconsistent with the current semantics for handling of other malformed replacement
        tokens.  I filed an issue for the requested change to the proposed spec and also filed
        a FIXME bug https://bugs.webkit.org/show_bug.cgi?id=176434.

        This patch does not implement strength reduction in the optimizing JITs for named capture
        groups.  Filed https://bugs.webkit.org/show_bug.cgi?id=176464.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::haveABadTime):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::regExpMatchesArrayWithGroupsStructure const):
        * runtime/RegExp.cpp:
        (JSC::RegExp::finishCreation):
        * runtime/RegExp.h:
        * runtime/RegExpMatchesArray.cpp:
        (JSC::createStructureImpl):
        (JSC::createRegExpMatchesArrayWithGroupsStructure):
        (JSC::createRegExpMatchesArrayWithGroupsSlowPutStructure):
        * runtime/RegExpMatchesArray.h:
        (JSC::createRegExpMatchesArray):
        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferencesSlow):
        (JSC::replaceUsingRegExpSearch):
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
        (JSC::Yarr::Parser::parseEscape):
        (JSC::Yarr::Parser::parseParenthesesBegin):
        (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
        (JSC::Yarr::Parser::tryConsumeIdentifierCharacter):
        (JSC::Yarr::Parser::isIdentifierStart):
        (JSC::Yarr::Parser::isIdentifierPart):
        (JSC::Yarr::Parser::tryConsumeGroupName):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
        (JSC::Yarr::YarrPatternConstructor::atomNamedBackReference):
        (JSC::Yarr::YarrPattern::errorMessage):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        * yarr/YarrSyntaxChecker.cpp:
        (JSC::Yarr::SyntaxChecker::atomParenthesesSubpatternBegin):
        (JSC::Yarr::SyntaxChecker::atomNamedBackReference):

2017-09-07  Myles C. Maxfield  <mmaxfield@apple.com>

        [PAL] Unify PlatformUserPreferredLanguages.h with Language.h
        https://bugs.webkit.org/show_bug.cgi?id=176561

        Reviewed by Brent Fulgham.

        * runtime/IntlObject.cpp:
        (JSC::defaultLocale):

2017-09-07  Joseph Pecoraro  <pecoraro@apple.com>

        Augmented Inspector: Provide a way to inspect a DOM Node (DOM.inspect)
        https://bugs.webkit.org/show_bug.cgi?id=176563
        <rdar://problem/19639583>

        Reviewed by Matt Baker.

        * inspector/protocol/DOM.json:
        Add an event that is useful for augmented inspectors to inspect
        a node. Web pages will still prefer Inspector.inspect.

2017-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove "malloc" and "free" from JSC/API
        https://bugs.webkit.org/show_bug.cgi?id=176331

        Reviewed by Keith Miller.

        Remove "malloc" and "free" manual calls in JSC/API.

        * API/JSValue.mm:
        (createStructHandlerMap):
        * API/JSWrapperMap.mm:
        (parsePropertyAttributes):
        (makeSetterName):
        (copyPrototypeProperties):
        Use RetainPtr<NSString> to keep NSString. We avoid repeated "char*" to "NSString" conversion.

        * API/ObjcRuntimeExtras.h:
        (adoptSystem):
        Add adoptSystem to automate calling system free().

        (protocolImplementsProtocol):
        (forEachProtocolImplementingProtocol):
        (forEachMethodInClass):
        (forEachMethodInProtocol):
        (forEachPropertyInProtocol):
        (StringRange::StringRange):
        (StringRange::operator const char* const):
        (StringRange::get const):
        Use CString for backend.

        (StructBuffer::StructBuffer):
        (StructBuffer::~StructBuffer):
        (StringRange::~StringRange): Deleted.
        Use fastAlignedMalloc/astAlignedFree to get aligned memory.

2017-09-06  Mark Lam  <mark.lam@apple.com>

        constructGenericTypedArrayViewWithArguments() is missing an exception check.
        https://bugs.webkit.org/show_bug.cgi?id=176485
        <rdar://problem/33898874>

        Reviewed by Keith Miller.

        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):

2017-09-06  Saam Barati  <sbarati@apple.com>

        Air should have a Vector of prologue generators instead of a HashMap representing an optional prologue generator
        https://bugs.webkit.org/show_bug.cgi?id=176346

        Reviewed by Mark Lam.

        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::Procedure):
        (JSC::B3::Procedure::setNumEntrypoints):
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::setNumEntrypoints): Deleted.
        * b3/air/AirCode.cpp:
        (JSC::B3::Air::defaultPrologueGenerator):
        (JSC::B3::Air::Code::Code):
        (JSC::B3::Air::Code::setNumEntrypoints):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::setPrologueForEntrypoint):
        (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
        (JSC::B3::Air::Code::setEntrypoints):
        (JSC::B3::Air::Code::setEntrypointLabels):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::generate):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):

2017-09-06  Saam Barati  <sbarati@apple.com>

        ASSERTION FAILED: op() == CheckStructure in Source/JavaScriptCore/dfg/DFGNode.h(443)
        https://bugs.webkit.org/show_bug.cgi?id=176470

        Reviewed by Mark Lam.

        Update Node::convertToCheckStructureImmediate's assertion to allow
        the node to either be a CheckStructure or CheckStructureOrEmpty.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToCheckStructureImmediate):

2017-09-05  Saam Barati  <sbarati@apple.com>

        isNotCellSpeculation is wrong with respect to SpecEmpty
        https://bugs.webkit.org/show_bug.cgi?id=176429

        Reviewed by Michael Saboff.

        The isNotCellSpeculation(SpeculatedType t) function was not taking into account
        SpecEmpty in the set for t. It should return false when SpecEmpty is present, since
        the empty value will fail a NotCell check. This bug would cause us to erroneously
        generate NotCellUse UseKinds for inputs that are the empty value, causing repeated OSR exits.

        * bytecode/SpeculatedType.h:
        (JSC::isNotCellSpeculation):

2017-09-05  Saam Barati  <sbarati@apple.com>

        Make the distinction between entrypoints and CFG roots more clear by naming things better
        https://bugs.webkit.org/show_bug.cgi?id=176336

        Reviewed by Mark Lam and Keith Miller and Michael Saboff.

        This patch does renaming to make the distinction between Graph::m_entrypoints
        and Graph::m_numberOfEntrypoints more clear. The source of confusion is that
        Graph::m_entrypoints.size() is not equivalent to Graph::m_numberOfEntrypoints.
        Graph::m_entrypoints is really just the CFG roots. In CPS, this vector has
        size >= 1. In SSA, the size is always 1. This patch renames Graph::m_entrypoints
        to Graph::m_roots. To be consistent, this patch also renames Graph's m_entrypointToArguments
        field to m_rootToArguments.
        
        Graph::m_numberOfEntrypoints retains its name. This field is only used in SSA
        when compiling with EntrySwitch. It represents the logical number of entrypoints
        the compilation will end up with. Each EntrySwitch has m_numberOfEntrypoints
        cases.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCFG.h:
        (JSC::DFG::CFG::roots):
        (JSC::DFG::CPSCFG::CPSCFG):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::determineReachability):
        (JSC::DFG::Graph::blocksInPreOrder):
        (JSC::DFG::Graph::blocksInPostOrder):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isRoot):
        (JSC::DFG::Graph::isEntrypoint): Deleted.
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        * dfg/DFGMaximalFlushInsertionPhase.cpp:
        (JSC::DFG::MaximalFlushInsertionPhase::run):
        (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::linkOSREntries):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:

2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>

        test262: Completion values for control flow do not match the spec
        https://bugs.webkit.org/show_bug.cgi?id=171265

        Reviewed by Saam Barati.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
        When we care about having proper completion values (global code
        in programs, modules, and eval) insert undefined results for
        control flow statements.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::SourceElements::emitBytecode):
        Reduce writing a default `undefined` value to the completion result to
        only once before the last statement we know will produce a value.

        (JSC::IfElseNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        Insert an undefined to handle cases where code may break out of an
        if/else or with statement (break/continue).

        (JSC::TryNode::emitBytecode):
        Same handling for break cases. Also, finally block statement completion
        values are always ignored for the try statement result.

        (JSC::ClassDeclNode::emitBytecode):
        Class declarations, like function declarations, produce an empty result.

        * parser/Nodes.cpp:
        (JSC::SourceElements::lastStatement):
        (JSC::SourceElements::hasCompletionValue):
        (JSC::SourceElements::hasEarlyBreakOrContinue):
        (JSC::BlockNode::lastStatement):
        (JSC::BlockNode::singleStatement):
        (JSC::BlockNode::hasCompletionValue):
        (JSC::BlockNode::hasEarlyBreakOrContinue):
        (JSC::ScopeNode::singleStatement):
        (JSC::ScopeNode::hasCompletionValue):
        (JSC::ScopeNode::hasEarlyBreakOrContinue):
        The only non-trivial cases need to loop through their list of statements
        to determine if this has a completion value or not. Likewise for
        determining if there is an early break / continue, meaning a break or
        continue statement with no preceding statement that has a completion value.

        * parser/Nodes.h:
        (JSC::StatementNode::next):
        (JSC::StatementNode::hasCompletionValue):
        Helper to check if a statement nodes produces a completion value or not.

2017-09-04  Saam Barati  <sbarati@apple.com>

        typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=176317

        Reviewed by Keith Miller.

        It turns out that TypeCheckHoistingPhase may hoist a CheckStructure up to 
        the SetLocal of a particular value where the value is the empty JSValue.
        On 64-bit platforms, the empty value is zero. This means that the empty value
        passes a cell check. This will lead to a crash when we dereference null to load
        the value's structure. This patch teaches TypeCheckHoistingPhase to be conservative
        in the structure checks it hoists. On 64-bit platforms, instead of emitting a
        CheckStructure node, we now emit a CheckStructureOrEmpty node. This node allows
        the empty value to flow through. If the value isn't empty, it'll perform the normal
        structure check that CheckStructure performs. For now, we only emit CheckStructureOrEmpty
        on 64-bit platforms since a cell check on 32-bit platforms does not allow the empty
        value to flow through.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertCheckStructureOrEmptyToCheckStructure):
        (JSC::DFG::Node::hasStructureSet):
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::SafeToExecuteEdge::maySeeEmptyChild):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitStructureCheck):
        (JSC::DFG::SpeculativeJIT::compileCheckStructure):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureOrEmpty):

2017-09-04  Saam Barati  <sbarati@apple.com>

        Support compiling catch in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=175396

        Reviewed by Filip Pizlo.

        This patch implements op_catch in the FTL. It extends the DFG implementation
        by supporting multiple entrypoints in DFG-SSA. This patch implements this
        by introducing an EntrySwitch node. When converting to SSA, we introduce a new
        root block with an EntrySwitch that has the previous DFG entrypoints as its
        successors. By convention, we pick the zeroth entry point index to be the
        op_enter entrypoint. Like in B3, in DFG-SSA, EntrySwitch just acts like a
        switch over the entrypoint index argument. DFG::EntrySwitch in the FTL
        simply lowers to B3::EntrySwitch. The EntrySwitch in the root block that
        SSAConversion creates can not exit because we would both not know where to exit
        to in the program: we would not have valid OSR exit state. This design also
        mandates that anything we hoist above EntrySwitch in the new root block
        can not exit since they also do not have valid OSR exit state.
        
        This patch also adds a new metadata node named InitializeEntrypointArguments.
        InitializeEntrypointArguments is a metadata node that initializes the flush format for
        the arguments at a given entrypoint. For a given entrypoint index, this node
        tells AI and OSRAvailabilityAnalysis what the flush format for each argument
        is. This allows each individual entrypoint to have an independent set of
        argument types. Currently, this won't happen in practice because ArgumentPosition
        unifies flush formats, but this is an implementation detail we probably want
        to modify in the future. SSAConversion will add InitializeEntrypointArguments
        to the beginning of each of the original DFG entrypoint blocks.
        
        This patch also adds the ability to specify custom prologue code generators in Air.
        This allows the FTL to specify a custom prologue for catch entrypoints that
        matches the op_catch OSR entry calling convention that the DFG uses. This way,
        the baseline JIT code OSR enters into op_catch the same way both in the DFG
        and the FTL. In the future, we can use this same mechanism to perform stack
        overflow checks instead of using a patchpoint.

        * b3/air/AirCode.cpp:
        (JSC::B3::Air::Code::isEntrypoint):
        (JSC::B3::Air::Code::entrypointIndex):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::setPrologueForEntrypoint):
        (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::generate):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFG.h:
        (JSC::DFG::selectCFG):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::shrinkToFit):
        (JSC::DFG::CommonData::finalizeCatchEntrypoints):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::catchOSREntryDataForBytecodeIndex):
        (JSC::DFG::CommonData::appendCatchEntrypoint):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::invalidateCFG):
        (JSC::DFG::Graph::ensureCPSCFG):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isEntrypoint):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::shrinkToFit):
        (JSC::DFG::JITCode::finalizeOSREntrypoints):
        * dfg/DFGJITCode.h:
        (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex): Deleted.
        (JSC::DFG::JITCode::appendCatchEntrypoint): Deleted.
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
        (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isEntrySwitch):
        (JSC::DFG::Node::isTerminal):
        (JSC::DFG::Node::entrySwitchData):
        (JSC::DFG::Node::numSuccessors):
        (JSC::DFG::Node::successor):
        (JSC::DFG::Node::entrypointIndex):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::linkOSREntries):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
        (JSC::DFG::StaticExecutionCountEstimationPhase::run):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileExtractCatchLocal):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
        (JSC::FTL::DFG::LowerDFGToB3::compileEntrySwitch):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):
        (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
        (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::entrySwitch):
        * ftl/FTLOutput.h:
        * jit/JITOperations.cpp:

2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Efficiently execute number#toString()
        https://bugs.webkit.org/show_bug.cgi?id=170007

        Reviewed by Keith Miller.

        In JS, the natural way to convert number to string with radix is `number.toString(radix)`.
        However, our IC only cares about cells. If the base value is a number, it always goes to the slow path.

        While extending our IC for number and boolean, the most meaningful use of this IC is calling `number.toString(radix)`.
        So, in this patch, we first add a fast path for this in DFG by using watchpoint. We set up a watchpoint for
        Number.prototype.toString. And if this watchpoint is kept alive and GetById(base, "toString")'s base should be
        speculated as Number, we emit Number related Checks and convert GetById to Number.prototype.toString constant.
        It removes costly GetById slow path, and makes it non-clobbering node (JSConstant).

        In addition, we add NumberToStringWithValidRadixConstant node. We have NumberToStringWithRadix node, but it may
        throw an error if the valid value is incorrect (for example, number.toString(2000)). So its clobbering rule is
        conservatively use read(World)/write(Heap). But in reality, `number.toString` is mostly called with the constant
        radix, and we can easily figure out this radix is valid (2 <= radix && radix < 32).
        We add a rule to the constant folding phase to convert NumberToStringWithRadix to NumberToStringWithValidRadixConstant.
        It ensures that it has valid constant radix. And we relax our clobbering rule for NumberToStringWithValidRadixConstant.

        Added microbenchmarks show performance improvement.

                                                      baseline                  patched

        number-to-string-with-radix-cse           43.8312+-1.3017     ^      7.4930+-0.5105        ^ definitely 5.8496x faster
        number-to-string-with-radix-10             7.2775+-0.5225     ^      2.1906+-0.1864        ^ definitely 3.3222x faster
        number-to-string-with-radix               39.7378+-1.4921     ^     16.6137+-0.7776        ^ definitely 2.3919x faster
        number-to-string-strength-reduction       94.9667+-2.7157     ^      9.3060+-0.7202        ^ definitely 10.2049x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isWatchingGlobalObjectWatchpoint):
        (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
        (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToNumberToStringWithValidRadixConstant):
        (JSC::DFG::Node::hasValidRadixConstant):
        (JSC::DFG::Node::validRadixConstant):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor):
        (JSC::DFG::SpeculativeJIT::compileNumberToStringWithValidRadixConstant):
        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnNumber): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::numberToStringWatchpoint):
        (JSC::JSGlobalObject::numberProtoToStringFunction const):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        (JSC::toStringWithRadixInternal):
        (JSC::toStringWithRadix):
        (JSC::int32ToStringInternal):
        (JSC::numberToStringInternal):
        * runtime/NumberPrototype.h:

2017-09-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Consider increasing the number of DFG worklist threads
        https://bugs.webkit.org/show_bug.cgi?id=176222

        Reviewed by Saam Barati.

        Attempt to add one more thread to DFG worklist. DFG compiler sometimes takes
        very long time if the target function is very large. However, DFG worklist
        has only one thread before this patch. Therefore, one function that takes
        too much time to be compiled can prevent the other functions from being
        compiled in DFG or upper tiers.

        One example is Octane/zlib. In zlib, compiling "a1" function in DFG takes
        super long time (447 ms) because of its super large size of the function.
        While this function never gets compiled in FTL due to its large size,
        it can be compiled in DFG and takes super long time. Subsequent "a8" function
        compilation in DFG is blocked by this "a1". As a consequence, the benchmark
        takes very long time in a1/Baseline code, which is slower than DFG of course.

        While FTL has a bit more threads, DFG worklist has only one thread. This patch
        adds one more thread to DFG worklist to alleviate the above situation. This
        change significantly improves Octane/zlib performance.

                                    baseline                  patched

        zlib           x2     482.32825+-6.07640    ^   408.66072+-14.03856      ^ definitely 1.1803x faster

        * runtime/Options.h:

2017-09-04  Sam Weinig  <sam@webkit.org>

        [WebIDL] Unify and simplify EnableBySettings with the rest of the runtime settings
        https://bugs.webkit.org/show_bug.cgi?id=176312

        Reviewed by Darin Adler.

        * runtime/CommonIdentifiers.h:

            Remove WebCore specific identifiers from CommonIdentifiers. They have been moved
            to WebCoreBuiltinNames in WebCore.

2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Remove "malloc" and "free" use
        https://bugs.webkit.org/show_bug.cgi?id=176310

        Reviewed by Darin Adler.

        Use Vector instead.

        * API/JSWrapperMap.mm:
        (selectorToPropertyName):

2017-09-03  Darin Adler  <darin@apple.com>

        Try to fix Windows build.

        * runtime/JSGlobalObjectFunctions.cpp: #include <unicode/utf8.h>.

2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Add C++03 allocator interface for GCC < 6
        https://bugs.webkit.org/show_bug.cgi?id=176301

        Reviewed by Darin Adler.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-09-03  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r221555.

        Did not fix Windows build

        Reverted changeset:

        "Unreviewed attempt to fix Windows build."
        http://trac.webkit.org/changeset/221555

2017-09-03  Chris Dumez  <cdumez@apple.com>

        Unreviewed attempt to fix Windows build.

        * runtime/JSGlobalObjectFunctions.cpp:

2017-09-03  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r221552.

        Broke the build

        Reverted changeset:

        "[WTF] Add C++03 allocator interface for GCC < 6"
        https://bugs.webkit.org/show_bug.cgi?id=176301
        http://trac.webkit.org/changeset/221552

2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Add C++03 allocator interface for GCC < 6
        https://bugs.webkit.org/show_bug.cgi?id=176301

        Reviewed by Darin Adler.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Clean up BytecodeLivenessAnalysis
        https://bugs.webkit.org/show_bug.cgi?id=176295

        Reviewed by Saam Barati.

        Previously, computeDefsForBytecodeOffset was a bit customizable.
        This is used for try-catch handler's liveness analysis. But after
        careful generatorification implementation, it is now not necessary.
        This patch drops this customizability.

        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
        (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::BytecodeLivenessAnalysis::computeKills):
        (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
        (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/BytecodeLivenessAnalysisInlines.h:
        (JSC::BytecodeLivenessPropagation::stepOverInstruction):
        (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
        (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
        (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
        (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction): Deleted.
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBytecodeOffset): Deleted.
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBlock): Deleted.
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::getLivenessInfoAtBytecodeOffset): Deleted.
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint): Deleted.

2017-09-03  Sam Weinig  <sam@webkit.org>

        Remove CanvasProxy
        https://bugs.webkit.org/show_bug.cgi?id=176288

        Reviewed by Yusuke Suzuki.

        CanvasProxy does not appear to be in any current HTML spec
        and was disabled and unimplemented in our tree. Time to 
        get rid of it.

        * Configurations/FeatureDefines.xcconfig:

2017-09-02  Oliver Hunt  <oliver@apple.com>

        Need an API to get the global context from JSObjectRef
        https://bugs.webkit.org/show_bug.cgi?id=176291

        Reviewed by Saam Barati.

        Very simple additional API, starting off as SPI on principle.

        * API/JSObjectRef.cpp:
        (JSObjectGetGlobalContext):
        * API/JSObjectRefPrivate.h:
        * API/tests/testapi.c:
        (main):

2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Relax arity requirement
        https://bugs.webkit.org/show_bug.cgi?id=175523

        Reviewed by Saam Barati.

        Our DFG pipeline gives up inlining when the arity of the target function is more than the number of the arguments.
        It effectively prevents us from inlining and optimizing functions, which takes some optional arguments in the form
        of the pre-ES6.

        This patch removes the above restriction by performing the arity fixup in DFG.

        SixSpeed shows improvement when we can inline arity-mismatched functions. (For example, calling generator.next()).

                                       baseline                  patched

        defaults.es5             1232.1226+-20.6775    ^    442.3326+-26.1883       ^ definitely 2.7855x faster
        rest.es6                    5.3406+-0.8588     ^      3.5812+-0.5388        ^ definitely 1.4913x faster
        spread-generator.es6      320.9107+-12.4808         310.4295+-12.0047         might be 1.0338x faster
        generator.es6             318.3514+-9.6023     ^    286.4974+-12.6203       ^ definitely 1.1112x faster

        * bytecode/InlineCallFrame.cpp:
        (JSC::InlineCallFrame::dumpInContext const):
        * bytecode/InlineCallFrame.h:
        (JSC::InlineCallFrame::InlineCallFrame):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArgumentsUtilities.cpp:
        (JSC::DFG::argumentsInvolveStackSlot):
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::getArgumentCount):