[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-06-11  Keith Miller  <keith_miller@apple.com>
2
3         Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire which churns 65KB of memory
4         https://bugs.webkit.org/show_bug.cgi?id=186467
5
6         Reviewed by Simon Fraser.
7
8         This patch adds a LazyFireDetail that wraps ScopedLambda so that
9         we don't actually malloc any strings for firing unless those
10         Strings are actually going to be printed.
11
12         * bytecode/Watchpoint.h:
13         (JSC::LazyFireDetail::LazyFireDetail):
14         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
15         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
16         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
17         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
18         * runtime/ArrayPrototype.cpp:
19         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
20
21 2018-06-11  Mark Lam  <mark.lam@apple.com>
22
23         Add support for webkit-test-runner jscOptions in DumpRenderTree and WebKitTestRunner.
24         https://bugs.webkit.org/show_bug.cgi?id=186451
25         <rdar://problem/40875792>
26
27         Reviewed by Tim Horton.
28
29         Enhance setOptions() to be able to take a comma-separated options string in
30         addition to whitespace-separated options strings.
31
32         * runtime/Options.cpp:
33         (JSC::isSeparator):
34         (JSC::Options::setOptions):
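
An added example, not JavaScriptCore's Options.cpp: a small parser that accepts "name=value" pairs separated by whitespace, commas, or a mix of both, as the entry above describes for setOptions(). The option names in the sample string are constructed for this example; only the separator rule comes from the entry. Malformed tokens are reported rather than silently dropped, so a caller can refuse the whole string instead of running with a partially applied configuration.

```javascript
// Added example (not JSC's code). Parses "name=value" options separated by
// whitespace and/or commas, mirroring the rule the ChangeLog entry describes.

// Whitespace (space, tab, CR, LF) and ',' both terminate a token.
function isSeparator(ch) {
  return ch === ' ' || ch === '\t' || ch === '\r' || ch === '\n' || ch === ',';
}

// Returns { options: Map<name, value>, errors: string[] }.
// A run of separators yields no token, so ",  ," is harmless; a token without
// a name, without a value, or without '=' is recorded as an error.
function parseOptions(optionsString) {
  const options = new Map();
  const errors = [];
  let token = '';

  const flush = () => {
    if (token.length === 0) return;
    const eq = token.indexOf('=');
    if (eq <= 0 || eq === token.length - 1) {
      errors.push(`malformed option: "${token}"`);
    } else {
      // Last occurrence wins; the caller can treat duplicates as it likes.
      options.set(token.slice(0, eq), token.slice(eq + 1));
    }
    token = '';
  };

  for (const ch of optionsString) {
    if (isSeparator(ch)) flush();
    else token += ch;
  }
  flush();
  return { options, errors };
}

// Constructed sample input mixing all three separator styles.
const SAMPLE = 'useJIT=false,  maxPerThreadStackUsage=1048576\tdumpDisassembly=true';

function demo() {
  const { options, errors } = parseOptions(SAMPLE);
  return { count: options.size, useJIT: options.get('useJIT'), errors };
}
```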
35
36 2018-06-11  Michael Saboff  <msaboff@apple.com>
37
38         JavaScriptCore: Disable 32-bit JIT on Windows
39         https://bugs.webkit.org/show_bug.cgi?id=185989
40
41         Reviewed by Mark Lam.
42
43         Fixed the CLOOP so it can work when COMPUTED_GOTOs are not supported.
44
45         * llint/LLIntData.h:
46         (JSC::LLInt::getCodePtr): Used a reinterpret_cast since Opcode could be an int.
47         * llint/LowLevelInterpreter.cpp: Changed the definition of OFFLINE_ASM_GLOBAL_LABEL to not
48         have a case label because these aren't opcodes.
49         * runtime/Options.cpp: Made assembler related Windows conditional code also conditional
50         on the JIT being enabled.
51         (JSC::recomputeDependentOptions):
52
53 2018-06-11  Michael Saboff  <msaboff@apple.com>
54
55         Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled
56         https://bugs.webkit.org/show_bug.cgi?id=186477
57
58         Reviewed by Filip Pizlo.
59
60         Fixed bug where we were using the wrong frame size for TypeParenthesesSubpatternTerminalBegin
61         YARR interpreter nodes.  This caused us to overwrite other frame information.
62
63         Added frame offset debugging code to YARR interpreter.
64
65         * yarr/YarrInterpreter.cpp:
66         (JSC::Yarr::ByteCompiler::emitDisjunction):
67         (JSC::Yarr::ByteCompiler::dumpDisjunction):
68
69 2018-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
70
71         [JSC] Array.prototype.sort should reject null comparator
72         https://bugs.webkit.org/show_bug.cgi?id=186458
73
74         Reviewed by Keith Miller.
75
76         This relaxed behavior was once introduced in r216169 to fix some pages by aligning
77         the behavior with Chrome and Firefox.
78
79         However, now Chrome, Firefox and Edge reject a null comparator. So only JavaScriptCore
80         accepts it. This patch reverts r216169 to align JSC with the other engines and fix
81         the spec issue.
82
83         * builtins/ArrayPrototype.js:
84         (sort):
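
An added example, not the builtins/ArrayPrototype.js code the entry changes: a plain-JavaScript sort that performs the comparator check the entry describes. Per the ECMAScript specification, Array.prototype.sort accepts either undefined or a callable comparator and throws a TypeError for anything else, including null. The helper names (sortWithComparator, mergeSort, defaultCompare) are constructed here; the function returns a sorted copy rather than sorting in place, which the real builtin does.

```javascript
// Added example (not JSC's code): spec-style comparator validation for sort.

// Default SortCompare: compare the string forms of the two values.
function defaultCompare(a, b) {
  const x = String(a);
  const y = String(b);
  return x < y ? -1 : x > y ? 1 : 0;
}

// Stable merge sort; the right element is taken only when strictly smaller.
function mergeSort(items, compare) {
  if (items.length <= 1) return items;
  const mid = items.length >> 1;
  const left = mergeSort(items.slice(0, mid), compare);
  const right = mergeSort(items.slice(mid), compare);
  const out = [];
  let i = 0;
  let j = 0;
  while (i < left.length && j < right.length) {
    if (compare(right[j], left[i]) < 0) out.push(right[j++]);
    else out.push(left[i++]);
  }
  return out.concat(left.slice(i), right.slice(j));
}

// Spec step 1: if comparefn is neither undefined nor callable, throw a TypeError.
// This is the check that a null comparator now fails in every engine.
function sortWithComparator(array, comparefn) {
  if (comparefn !== undefined && typeof comparefn !== 'function') {
    throw new TypeError('Array.prototype.sort: comparator must be a function or undefined');
  }
  const compare = comparefn === undefined ? defaultCompare : comparefn;

  // undefined elements are never passed to the comparator; they sort to the end.
  const defined = [];
  let undefinedCount = 0;
  for (const v of array) {
    if (v === undefined) undefinedCount++;
    else defined.push(v);
  }
  const sorted = mergeSort(defined, compare);
  while (undefinedCount-- > 0) sorted.push(undefined);
  return sorted;
}

// Convenience for probing the validation: true iff sorting with this comparator
// throws a TypeError.
function sortThrowsTypeErrorFor(comparefn) {
  try {
    sortWithComparator([2, 1], comparefn);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```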
85
86 2018-06-09  Dan Bernstein  <mitz@apple.com>
87
88         [Xcode] Clean up and modernize some build setting definitions
89         https://bugs.webkit.org/show_bug.cgi?id=186463
90
91         Reviewed by Sam Weinig.
92
93         * Configurations/Base.xcconfig: Removed definition for macOS 10.11. Simplified the
94           definition of WK_PRIVATE_FRAMEWORK_STUBS_DIR now that WK_XCODE_SUPPORTS_TEXT_BASED_STUBS
95           is true for all supported Xcode versions.
96         * Configurations/DebugRelease.xcconfig: Removed definition for macOS 10.11.
97         * Configurations/FeatureDefines.xcconfig: Simplified the definitions of ENABLE_APPLE_PAY and
98           ENABLE_VIDEO_PRESENTATION_MODE now macOS 10.12 is the earliest supported version.
99         * Configurations/Version.xcconfig: Removed definition for macOS 10.11.
100         * Configurations/WebKitTargetConditionals.xcconfig: Removed definitions for macOS 10.11.
101
102 2018-06-09  Dan Bernstein  <mitz@apple.com>
103
104         Added missing file references to the Configuration group.
105
106         * JavaScriptCore.xcodeproj/project.pbxproj:
107
108 2018-06-08  Darin Adler  <darin@apple.com>
109
110         [Cocoa] Remove all uses of NSAutoreleasePool as part of preparation for ARC
111         https://bugs.webkit.org/show_bug.cgi?id=186436
112
113         Reviewed by Anders Carlsson.
114
115         * heap/Heap.cpp: Include FoundationSPI.h rather than directly including
116         objc-internal.h and explicitly declaring the alternative.
117
118 2018-06-08  Wenson Hsieh  <wenson_hsieh@apple.com>
119
120         [WebKit on watchOS] Upstream watchOS source additions to OpenSource (Part 1)
121         https://bugs.webkit.org/show_bug.cgi?id=186442
122         <rdar://problem/40879364>
123
124         Reviewed by Tim Horton.
125
126         * Configurations/FeatureDefines.xcconfig:
127
128 2018-06-08  Tadeu Zagallo  <tzagallo@apple.com>
129
130         jumpTrueOrFalse only takes the fast path for boolean false on 64-bit LLInt
131         https://bugs.webkit.org/show_bug.cgi?id=186446
132         <rdar://problem/40949995>
133
134         Reviewed by Mark Lam.
135
136         On 64-bit LLInt, jumpTrueOrFalse did a mask check to take the fast path for
137         boolean literals, but it would only work for false. Change it so that it
138         takes the fast path for true, false, null and undefined.
139
140         * llint/LowLevelInterpreter.asm:
141         * llint/LowLevelInterpreter64.asm:
142
143 2018-06-08  Brian Burg  <bburg@apple.com>
144
145         [Cocoa] Web Automation: include browser name and version in listing for automation targets
146         https://bugs.webkit.org/show_bug.cgi?id=186204
147         <rdar://problem/36950423>
148
149         Reviewed by Darin Adler.
150
151         Ask the client what the reported browser name and version should be, then
152         send this as part of the listing for an automation target.
153
154         * inspector/remote/RemoteInspectorConstants.h:
155         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
156         (Inspector::RemoteInspector::listingForAutomationTarget const):
157
158 2018-06-07  Chris Dumez  <cdumez@apple.com>
159
160         Add base class to get WeakPtrFactory member and avoid some boilerplate code
161         https://bugs.webkit.org/show_bug.cgi?id=186407
162
163         Reviewed by Brent Fulgham.
164
165         Add CanMakeWeakPtr base class to get WeakPtrFactory member and its getter, in
166         order to avoid some boilerplate code in every class needing a WeakPtrFactory.
167         This also gets rid of old-style createWeakPtr() methods in favor of the newer
168         makeWeakPtr().
169
170         * wasm/WasmInstance.h:
171         * wasm/WasmMemory.cpp:
172         (JSC::Wasm::Memory::registerInstance):
173
174 2018-06-07  Tadeu Zagallo  <tzagallo@apple.com>
175
176         Don't try to allocate JIT memory if we don't have the JIT entitlement
177         https://bugs.webkit.org/show_bug.cgi?id=182605
178         <rdar://problem/38271229>
179
180         Reviewed by Mark Lam.
181
182         Check that the current process has the correct entitlements before
183         trying to allocate JIT memory to silence warnings.
184
185         * jit/ExecutableAllocator.cpp:
186         (JSC::allowJIT): Helper that checks entitlements on iOS and returns true in other platforms
187         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): check allowJIT before trying to allocate
188
189 2018-06-07  Saam Barati  <sbarati@apple.com>
190
191         TierUpCheckInjectionPhase systematically never puts the outer-most loop in an inner loop's vector of outer loops
192         https://bugs.webkit.org/show_bug.cgi?id=186386
193
194         Reviewed by Filip Pizlo.
195
196         This looks like an 8% speedup on Kraken's imaging-gaussian-blur subtest.
197
198         * dfg/DFGTierUpCheckInjectionPhase.cpp:
199         (JSC::DFG::TierUpCheckInjectionPhase::run):
200
201 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
202
203         FunctionRareData::m_objectAllocationProfileWatchpoint is racy
204         https://bugs.webkit.org/show_bug.cgi?id=186237
205
206         Reviewed by Saam Barati.
207
208         We initialize it blind and let it go into auto-watch mode once the DFG adds a watchpoint, but
209         that means that we never notice that it fired if it fires between when the DFG decides to
210         watch it and when it actually adds the watchpoint.
211         
212         Most watchpoints are initialized watched for this purpose. This one had a somewhat good
213         reason for being initialized blind: that's how we knew to ignore changes to the prototype
214         before the first allocation. However, that functionality also arose out of the fact that the
215         rare data is created lazily and usually won't exist until the first allocation.
216         
217         The fix here is to make the watchpoint go into watched mode as soon as we initialize the
218         object allocation profile.
219         
220         It's hard to repro this race; however, it started causing spurious test failures for me after
221         bug 164904.
222
223         * runtime/FunctionRareData.cpp:
224         (JSC::FunctionRareData::FunctionRareData):
225         (JSC::FunctionRareData::initializeObjectAllocationProfile):
226
227 2018-06-07  Saam Barati  <sbarati@apple.com>
228
229         Make DFG to FTL OSR entry code more sane by removing bad RELEASE_ASSERTS and making it trigger compiles in outer loops before inner ones
230         https://bugs.webkit.org/show_bug.cgi?id=186218
231         <rdar://problem/38449540>
232
233         Reviewed by Filip Pizlo.
234
235         This patch makes tierUpCommon a tad bit more sane. There are a few things
236         that I did:
237         - There were a few release asserts that were crashing. Those release asserts
238         were incorrect. They were making assumptions about how the code and data
239         structures were ordered that were wrong. This patch removes them. The code
240         was using the loop hierarchy vector to make assumptions about which loop we
241         were currently executing in, which is incorrect. The only information that
242         can be used about where we're currently executing is the bytecode index we're
243         at.
244         - This makes it so that we go back to trying to compile outer loops before
245         inner loops. JF accidentally reverted this behavior that Ben implemented.
246         JF made it so that we just compiled the innermost loop. I make this
247         functionality work by first triggering a compile for the outermost loop
248         that the code is currently executing in and that can perform OSR entry.
249         However, some programs can get stuck in inner loops. The code works by
250         progressively asking inner loops to compile if program execution has not
251         yet reached an outer loop.
252
253         * dfg/DFGOperations.cpp:
254
255 2018-06-06  Guillaume Emont  <guijemont@igalia.com>
256
257         ArityFixup should adjust SP first on 32-bit platforms too
258         https://bugs.webkit.org/show_bug.cgi?id=186351
259
260         Reviewed by Yusuke Suzuki.
261
262         * jit/ThunkGenerators.cpp:
263         (JSC::arityFixupGenerator):
264
265 2018-06-06  Yusuke Suzuki  <utatane.tea@gmail.com>
266
267         [DFG] Compare operations do not respect negative zeros
268         https://bugs.webkit.org/show_bug.cgi?id=183729
269
270         Reviewed by Saam Barati.
271
272         Compare operations do not respect negative zeros. So propagating this can
273         reduce the size of the produced code for the negative zero case. This pattern
274         can be seen in Kraken stanford-crypto-aes.
275
276         This also causes an existing bug which converts CompareEq(Int32Only, NonIntAsDouble) to false.
277         However, NonIntAsDouble includes negative zero, which can be equal to Int32 positive zero.
278         This issue is covered by fold-based-on-int32-proof-mul-branch.js, and we fix this.
279
280         * bytecode/SpeculatedType.cpp:
281         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
282         SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0.
283         To emphasize this, we use SpecAnyIntAsDouble | SpecNonIntAsDouble directly instead of
284         SpecDoubleReal.
285
286         * dfg/DFGBackwardsPropagationPhase.cpp:
287         (JSC::DFG::BackwardsPropagationPhase::propagate):
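
An added example, not JavaScriptCore's SpeculatedType code: a model of the speculation classes the entry names (Int32Only, AnyIntAsDouble, NonIntAsDouble) over tagged sample values, used to ask the soundness question behind the bug above. Folding CompareEq(A, B) to the constant false is only valid when no value of class A can be strictly equal to a value of class B; -0.0, which lands in NonIntAsDouble, is === to the Int32Only value 0, so the fold the entry describes was wrong. The tagged-number representation, the classifier, and the sample values are constructed here; strictlyEquivalentClasses plays the role the entry assigns to leastUpperBoundOfStrictlyEquivalentSpeculations and is checked against a sample set, so it is only as complete as that set.

```javascript
// Added example (not JSC's code): a model of speculated-type classes and of
// when CompareEq between two classes may be constant-folded to false.

const INT32_MIN = -(2 ** 31);
const INT32_MAX = 2 ** 31 - 1;

// JSC distinguishes an int32 held as an integer from the same numeric value
// held as a double, so the model carries that tag explicitly.
function speculate({ value, asDouble }) {
  if (Number.isNaN(value)) return 'DoubleNaN';
  if (!asDouble) {
    if (Number.isInteger(value) && !Object.is(value, -0) &&
        value >= INT32_MIN && value <= INT32_MAX) {
      return 'Int32Only';
    }
    throw new RangeError('only int32 values may be tagged as non-double');
  }
  // -0.0 is an integral double but is not an "int as double": as the entry
  // says, it belongs to NonIntAsDouble.
  if (Number.isInteger(value) && !Object.is(value, -0) && Math.abs(value) < 2 ** 51) {
    return 'AnyIntAsDouble';
  }
  return 'NonIntAsDouble'; // fractions, -0.0, Infinity, huge integers
}

// Constructed sample values covering every class.
const SAMPLES = [
  { value: 0, asDouble: false }, { value: 1, asDouble: false }, { value: -7, asDouble: false },
  { value: 0, asDouble: true }, { value: -0, asDouble: true }, { value: 1, asDouble: true },
  { value: 2 ** 40, asDouble: true }, { value: 0.5, asDouble: true }, { value: -2.5, asDouble: true },
  { value: Infinity, asDouble: true }, { value: NaN, asDouble: true },
];

function valuesOf(cls) {
  return SAMPLES.filter(s => speculate(s) === cls).map(s => s.value);
}

// May CompareEq(classA, classB) be folded to false? Only if no sample of
// classA is === to any sample of classB.
function canFoldCompareEqToFalse(classA, classB) {
  for (const x of valuesOf(classA)) {
    for (const y of valuesOf(classB)) {
      if (x === y) return false;
    }
  }
  return true;
}

// Every class holding a value strictly equal to some value of `cls`: the set a
// sound fold has to treat as possibly-equal (role of
// leastUpperBoundOfStrictlyEquivalentSpeculations in the entry).
function strictlyEquivalentClasses(cls) {
  const all = ['Int32Only', 'AnyIntAsDouble', 'NonIntAsDouble', 'DoubleNaN'];
  return all.filter(other => !canFoldCompareEqToFalse(cls, other)).sort();
}
```

Running the model shows that Int32Only must be widened to AnyIntAsDouble | NonIntAsDouble before any equality fold, which is exactly the SpecAnyIntAsDouble | SpecNonIntAsDouble choice described under SpeculatedType.cpp above; DoubleNaN, by contrast, is strictly equal to nothing, so a fold against it is sound.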
288
289 2018-06-06  Saam Barati  <sbarati@apple.com>
290
291         generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
292         https://bugs.webkit.org/show_bug.cgi?id=186363
293
294         Rubber-stamped by Filip Pizlo.
295
296         The code was assuming that the object it was creating an OPC for always
297         had a non-poly-proto structure. However, this assumption was wrong. For
298         example, an object in the prototype chain could be poly proto. That type 
299         of object graph would cause a crash in this code. This patch makes it so
300         that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
301         object as we traverse the prototype chain.
302
303         * bytecode/ObjectPropertyConditionSet.cpp:
304         (JSC::generateConditionsForInstanceOf):
305
306 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
307
308         Adjust compile and runtime flags to match shippable state of features
309         https://bugs.webkit.org/show_bug.cgi?id=186319
310         <rdar://problem/40352045>
311
312         Reviewed by Maciej Stachowiak, Jon Lee, and others.
313
314         This patch revises the compile time and runtime state for various features to match their
315         suitability for end-user releases.
316
317         * Configurations/DebugRelease.xcconfig: Update to match WebKit definition of
318         WK_RELOCATABLE_FRAMEWORKS so that ENABLE(EXPERIMENTAL_FEATURES) is defined properly for
319         Cocoa builds.
320         * Configurations/FeatureDefines.xcconfig: Don't build ENABLE_INPUT_TYPE_COLOR
321         or ENABLE_INPUT_TYPE_COLOR_POPOVER.
322         * runtime/Options.h: Only enable INTL_NUMBER_FORMAT_TO_PARTS and INTL_PLURAL_RULES
323         at runtime for non-production builds.
324
325 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
326
327         Revise DEFAULT_EXPERIMENTAL_FEATURES_ENABLED to work properly on Apple builds
328         https://bugs.webkit.org/show_bug.cgi?id=186286
329         <rdar://problem/40782992>
330
331         Reviewed by Dan Bernstein.
332
333         Use the WK_RELOCATABLE_FRAMEWORKS flag (which is always defined for non-production builds)
334         to define ENABLE(EXPERIMENTAL_FEATURES) so that we do not need to manually
335         change this flag when preparing for a production release.
336
337         * Configurations/FeatureDefines.xcconfig: Use WK_RELOCATABLE_FRAMEWORKS to determine
338         whether experimental features should be enabled, and use it to properly define the
339         feature flag.
340
341 2018-06-05  Darin Adler  <darin@apple.com>
342
343         [Cocoa] Update some JavaScriptCore code to be more ready for ARC
344         https://bugs.webkit.org/show_bug.cgi?id=186301
345
346         Reviewed by Anders Carlsson.
347
348         * API/JSContext.mm:
349         (-[JSContext evaluateScript:withSourceURL:]): Use __bridge for typecast.
350         (-[JSContext setName:]): Removed unnecessary call to copy, since the
351         JSStringCreateWithCFString function already reads the characters out
352         of the string and does not retain the string, so there is no need to
353         make an immutable copy. And used __bridge for typecast.
354         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
355         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
356         Ditto.
357
358         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
359         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
360         Use CFBridgingRelease instead of autorelease for a CF dictionary that
361         we return as an NSDictionary.
362
363 2018-06-04  Keith Miller  <keith_miller@apple.com>
364
365         Remove missing files from JavaScriptCore Xcode project
366         https://bugs.webkit.org/show_bug.cgi?id=186297
367
368         Reviewed by Saam Barati.
369
370         * JavaScriptCore.xcodeproj/project.pbxproj:
371
372 2018-06-04  Keith Miller  <keith_miller@apple.com>
373
374         Add test for CoW conversions in the DFG/FTL
375         https://bugs.webkit.org/show_bug.cgi?id=186295
376
377         Reviewed by Saam Barati.
378
379         Add a function to $vm that returns a JSString containing the
380         dataLog dump of the indexingMode of an Object.
381
382         * tools/JSDollarVM.cpp:
383         (JSC::functionIndexingMode):
384         (JSC::JSDollarVM::finishCreation):
385
386 2018-06-04  Saam Barati  <sbarati@apple.com>
387
388         Set the activeLength of all ScratchBuffers to zero when exiting the VM
389         https://bugs.webkit.org/show_bug.cgi?id=186284
390         <rdar://problem/40780738>
391
392         Reviewed by Keith Miller.
393
394         Simon recently found instances where we leak global objects from the
395         ScratchBuffer. Yusuke found that we forgot to set the active length
396         back to zero when doing catch OSR entry in the DFG/FTL. His solution
397         to this was adding a node that cleared the active length. This is
398         a good node to have, but it's not a complete solution: the DFG/FTL
399         could OSR exit before that node executes, which would cause us to leak
400         the data in it.
401         
402         This patch makes it so that we set each scratch buffer's active length
403         to zero on VM exit. This helps prevent leaks for JS code that eventually
404         exits the VM (which is essentially all code on the web and all API users).
405
406         * runtime/VM.cpp:
407         (JSC::VM::clearScratchBuffers):
408         * runtime/VM.h:
409         * runtime/VMEntryScope.cpp:
410         (JSC::VMEntryScope::~VMEntryScope):
411
412 2018-06-04  Keith Miller  <keith_miller@apple.com>
413
414         JSLock should clear last exception when releasing the lock
415         https://bugs.webkit.org/show_bug.cgi?id=186277
416
417         Reviewed by Mark Lam.
418
419         If we don't clear the last exception we essentially leak the
420         object and everything referenced by it until another exception is
421         thrown.
422
423         * runtime/JSLock.cpp:
424         (JSC::JSLock::willReleaseLock):
425
426 2018-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
427
428         Get rid of UnconditionalFinalizers and WeakReferenceHarvesters
429         https://bugs.webkit.org/show_bug.cgi?id=180248
430
431         Reviewed by Sam Weinig.
432
433         As a final step, this patch removes ListableHandler from JSC.
434         Nobody uses UnconditionalFinalizers and WeakReferenceHarvesters now.
435
436         * CMakeLists.txt:
437         * JavaScriptCore.xcodeproj/project.pbxproj:
438         * heap/Heap.h:
439         * heap/ListableHandler.h: Removed.
440
441 2018-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>
442
443         LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
444         https://bugs.webkit.org/show_bug.cgi?id=186223
445
446         Reviewed by Keith Miller.
447
448         After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
449         It makes this buffer a conservative GC root, and allows it to hold GC objects unnecessarily long.
450
451         This patch introduces DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
452         We model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize too to make
453         this ClearCatchLocals valid.
454
455         The existing tests for ExtractCatchLocal just pass.
456
457         * dfg/DFGAbstractHeap.h:
458         * dfg/DFGAbstractInterpreterInlines.h:
459         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
460         * dfg/DFGByteCodeParser.cpp:
461         (JSC::DFG::ByteCodeParser::parseBlock):
462         * dfg/DFGClobberize.h:
463         (JSC::DFG::clobberize):
464         * dfg/DFGDoesGC.cpp:
465         (JSC::DFG::doesGC):
466         * dfg/DFGFixupPhase.cpp:
467         (JSC::DFG::FixupPhase::fixupNode):
468         * dfg/DFGMayExit.cpp:
469         * dfg/DFGNodeType.h:
470         * dfg/DFGOSREntry.cpp:
471         (JSC::DFG::prepareCatchOSREntry):
472         * dfg/DFGPredictionPropagationPhase.cpp:
473         * dfg/DFGSafeToExecute.h:
474         (JSC::DFG::safeToExecute):
475         * dfg/DFGSpeculativeJIT.cpp:
476         (JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
477         * dfg/DFGSpeculativeJIT.h:
478         * dfg/DFGSpeculativeJIT32_64.cpp:
479         (JSC::DFG::SpeculativeJIT::compile):
480         * dfg/DFGSpeculativeJIT64.cpp:
481         (JSC::DFG::SpeculativeJIT::compile):
482         * ftl/FTLCapabilities.cpp:
483         (JSC::FTL::canCompile):
484         * ftl/FTLLowerDFGToB3.cpp:
485         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
486         (JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):
487
488 2018-06-02  Darin Adler  <darin@apple.com>
489
490         [Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
491         https://bugs.webkit.org/show_bug.cgi?id=186227
492
493         Reviewed by Dan Bernstein.
494
495         * API/JSContext.mm:
496         (-[JSContext name]): Use CFBridgingRelease instead of autorelease.
497         * API/JSValue.mm:
498         (valueToObjectWithoutCopy): Use CFBridgingRelease instead of autorelease.
499         (containerValueToObject): Use adoptCF instead of autorelease. This is not only more
500         ARC-compatible, but more efficient.
501         (valueToString): Use CFBridgingRelease instead of autorelease.
502
503 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
504
505         [ESNext][BigInt] Implement support for addition operations
506         https://bugs.webkit.org/show_bug.cgi?id=179002
507
508         Reviewed by Yusuke Suzuki.
509
510         This patch implements support for BigInt operands in the binary "+"
511         and binary "-" operators. Right now, we have limited support in the DFG
512         and FTL JIT layers, but we plan to fix this support in future
513         patches.
514
515         * jit/JITOperations.cpp:
516         * runtime/CommonSlowPaths.cpp:
517         (JSC::SLOW_PATH_DECL):
518         * runtime/JSBigInt.cpp:
519         (JSC::JSBigInt::parseInt):
520         (JSC::JSBigInt::stringToBigInt):
521         (JSC::JSBigInt::toString):
522         (JSC::JSBigInt::multiply):
523         (JSC::JSBigInt::divide):
524         (JSC::JSBigInt::remainder):
525         (JSC::JSBigInt::add):
526         (JSC::JSBigInt::sub):
527         (JSC::JSBigInt::absoluteAdd):
528         (JSC::JSBigInt::absoluteSub):
529         (JSC::JSBigInt::toStringGeneric):
530         (JSC::JSBigInt::allocateFor):
531         (JSC::JSBigInt::toNumber const):
532         (JSC::JSBigInt::getPrimitiveNumber const):
533         * runtime/JSBigInt.h:
534         * runtime/JSCJSValueInlines.h:
535         * runtime/Operations.cpp:
536         (JSC::jsAddSlowCase):
537         * runtime/Operations.h:
538         (JSC::jsSub):
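
An added example, not JavaScriptCore's JSBigInt.cpp: signed arbitrary-precision addition and subtraction built from the same four pieces the file list above names, absoluteAdd and absoluteSub on magnitudes plus sign handling in add and sub. Numbers are modelled as a sign flag and an array of 32-bit limbs, least significant first; that representation, the helper names, and the use of native BigInt purely to build inputs and verify results are assumptions of this example.

```javascript
// Added example (not JSC's code): signed bignum add/sub over 32-bit limbs.

const LIMB_BASE = 2 ** 32;

// Drop leading zero limbs so that equal values have equal limb arrays.
function trim(limbs) {
  while (limbs.length && limbs[limbs.length - 1] === 0) limbs.pop();
  return limbs;
}

// Conversions to and from native BigInt, used only to construct inputs and
// check results; the arithmetic below never calls into BigInt.
function fromBigInt(n) {
  const negative = n < 0n;
  let mag = negative ? -n : n;
  const limbs = [];
  while (mag > 0n) {
    limbs.push(Number(mag & 0xffffffffn));
    mag >>= 32n;
  }
  return { negative, limbs };
}

function toBigInt({ negative, limbs }) {
  let n = 0n;
  for (let i = limbs.length - 1; i >= 0; i--) n = (n << 32n) | BigInt(limbs[i]);
  return negative ? -n : n;
}

// Compare |a| and |b|: -1, 0 or 1.
function compareMagnitude(a, b) {
  if (a.length !== b.length) return a.length < b.length ? -1 : 1;
  for (let i = a.length - 1; i >= 0; i--) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// |a| + |b|: schoolbook addition with carry. Each partial sum is below 2^33,
// so it is exact in a double.
function absoluteAdd(a, b) {
  const out = [];
  let carry = 0;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const sum = (a[i] || 0) + (b[i] || 0) + carry;
    out.push(sum % LIMB_BASE);
    carry = sum >= LIMB_BASE ? 1 : 0;
  }
  if (carry) out.push(carry);
  return out;
}

// |a| - |b| with borrow; the caller guarantees |a| >= |b|.
function absoluteSub(a, b) {
  const out = [];
  let borrow = 0;
  for (let i = 0; i < a.length; i++) {
    let diff = a[i] - (b[i] || 0) - borrow;
    if (diff < 0) { diff += LIMB_BASE; borrow = 1; } else { borrow = 0; }
    out.push(diff);
  }
  return trim(out);
}

// Same sign: add magnitudes. Different sign: subtract the smaller magnitude
// from the larger and take the larger's sign; equal magnitudes give +0.
function add(x, y) {
  if (x.negative === y.negative) {
    return { negative: x.negative, limbs: absoluteAdd(x.limbs, y.limbs) };
  }
  const cmp = compareMagnitude(x.limbs, y.limbs);
  if (cmp === 0) return { negative: false, limbs: [] };
  return cmp > 0
    ? { negative: x.negative, limbs: absoluteSub(x.limbs, y.limbs) }
    : { negative: y.negative, limbs: absoluteSub(y.limbs, x.limbs) };
}

function sub(x, y) {
  return add(x, { negative: !y.negative, limbs: y.limbs });
}

// Self-check against native BigInt for a pair of values.
function matchesNative(a, b) {
  const x = fromBigInt(a);
  const y = fromBigInt(b);
  return toBigInt(add(x, y)) === a + b && toBigInt(sub(x, y)) === a - b;
}
```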
539
540 2018-06-02  Commit Queue  <commit-queue@webkit.org>
541
542         Unreviewed, rolling out r232439.
543         https://bugs.webkit.org/show_bug.cgi?id=186238
544
545         It breaks gtk-linux-32-release (Requested by caiolima on
546         #webkit).
547
548         Reverted changeset:
549
550         "[ESNext][BigInt] Implement support for addition operations"
551         https://bugs.webkit.org/show_bug.cgi?id=179002
552         https://trac.webkit.org/changeset/232439
553
554 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
555
556         Baseline op_jtrue emits an insane amount of code
557         https://bugs.webkit.org/show_bug.cgi?id=185708
558
559         Reviewed by Filip Pizlo.
560
561         op_jtrue / op_jfalse bloat a massive amount of code. This patch attempts to reduce the size of this code by:
562
563         1. op_jtrue / op_jfalse immediately jump if the condition is met. We add AssemblyHelpers::branchIf{Truthy,Falsey}
564            to jump directly. This tightens the code.
565
566         2. Align our emitConvertValueToBoolean implementation to FTL's boolify function. It emits less code.
567
568         This reduces the code size of op_jtrue in x64 from 220 bytes to 164 bytes.
569
570         [  12] jtrue             arg1, 6(->18)
571               0x7f233170162c: mov 0x30(%rbp), %rax
572               0x7f2331701630: mov %rax, %rsi
573               0x7f2331701633: xor $0x6, %rsi
574               0x7f2331701637: test $0xfffffffffffffffe, %rsi
575               0x7f233170163e: jnz 0x7f2331701654
576               0x7f2331701644: cmp $0x7, %eax
577               0x7f2331701647: setz %sil
578               0x7f233170164b: movzx %sil, %esi
579               0x7f233170164f: jmp 0x7f2331701705
580               0x7f2331701654: test %rax, %r14
581               0x7f2331701657: jz 0x7f233170169c
582               0x7f233170165d: cmp %r14, %rax
583               0x7f2331701660: jb 0x7f2331701675
584               0x7f2331701666: test %eax, %eax
585               0x7f2331701668: setnz %sil
586               0x7f233170166c: movzx %sil, %esi
587               0x7f2331701670: jmp 0x7f2331701705
588               0x7f2331701675: lea (%r14,%rax), %rsi
589               0x7f2331701679: movq %rsi, %xmm0
590               0x7f233170167e: xorps %xmm1, %xmm1
591               0x7f2331701681: ucomisd %xmm1, %xmm0
592               0x7f2331701685: jz 0x7f2331701695
593               0x7f233170168b: mov $0x1, %esi
594               0x7f2331701690: jmp 0x7f2331701705
595               0x7f2331701695: xor %esi, %esi
596               0x7f2331701697: jmp 0x7f2331701705
597               0x7f233170169c: test %rax, %r15
598               0x7f233170169f: jnz 0x7f2331701703
599               0x7f23317016a5: cmp $0x1, 0x5(%rax)
600               0x7f23317016a9: jnz 0x7f23317016c1
601               0x7f23317016af: mov 0x8(%rax), %esi
602               0x7f23317016b2: test %esi, %esi
603               0x7f23317016b4: setnz %sil
604               0x7f23317016b8: movzx %sil, %esi
605               0x7f23317016bc: jmp 0x7f2331701705
606               0x7f23317016c1: test $0x1, 0x6(%rax)
607               0x7f23317016c5: jz 0x7f23317016f9
608               0x7f23317016cb: mov (%rax), %esi
609               0x7f23317016cd: mov $0x7f23315000c8, %rdx
610               0x7f23317016d7: mov (%rdx), %rdx
611               0x7f23317016da: mov (%rdx,%rsi,8), %rsi
612               0x7f23317016de: mov $0x7f2330de0000, %rdx
613               0x7f23317016e8: cmp %rdx, 0x18(%rsi)
614               0x7f23317016ec: jnz 0x7f23317016f9
615               0x7f23317016f2: xor %esi, %esi
616               0x7f23317016f4: jmp 0x7f2331701705
617               0x7f23317016f9: mov $0x1, %esi
618               0x7f23317016fe: jmp 0x7f2331701705
619               0x7f2331701703: xor %esi, %esi
620               0x7f2331701705: test %esi, %esi
621               0x7f2331701707: jnz 0x7f233170171b
622
623         [  12] jtrue             arg1, 6(->18)
624               0x7f6c8710156c: mov 0x30(%rbp), %rax
625               0x7f6c87101570: test %rax, %r15
626               0x7f6c87101573: jnz 0x7f6c871015c8
627               0x7f6c87101579: cmp $0x1, 0x5(%rax)
628               0x7f6c8710157d: jnz 0x7f6c87101592
629               0x7f6c87101583: cmp $0x0, 0x8(%rax)
630               0x7f6c87101587: jnz 0x7f6c87101623
631               0x7f6c8710158d: jmp 0x7f6c87101615
632               0x7f6c87101592: test $0x1, 0x6(%rax)
633               0x7f6c87101596: jz 0x7f6c87101623
634               0x7f6c8710159c: mov (%rax), %esi
635               0x7f6c8710159e: mov $0x7f6c86f000e0, %rdx
636               0x7f6c871015a8: mov (%rdx), %rdx
637               0x7f6c871015ab: mov (%rdx,%rsi,8), %rsi
638               0x7f6c871015af: mov $0x7f6c867e0000, %rdx
639               0x7f6c871015b9: cmp %rdx, 0x18(%rsi)
640               0x7f6c871015bd: jnz 0x7f6c87101623
641               0x7f6c871015c3: jmp 0x7f6c87101615
642               0x7f6c871015c8: cmp %r14, %rax
643               0x7f6c871015cb: jb 0x7f6c871015de
644               0x7f6c871015d1: test %eax, %eax
645               0x7f6c871015d3: jnz 0x7f6c87101623
646               0x7f6c871015d9: jmp 0x7f6c87101615
647               0x7f6c871015de: test %rax, %r14
648               0x7f6c871015e1: jz 0x7f6c87101602
649               0x7f6c871015e7: lea (%r14,%rax), %rsi
650               0x7f6c871015eb: movq %rsi, %xmm0
651               0x7f6c871015f0: xorps %xmm1, %xmm1
652               0x7f6c871015f3: ucomisd %xmm1, %xmm0
653               0x7f6c871015f7: jz 0x7f6c87101615
654               0x7f6c871015fd: jmp 0x7f6c87101623
655               0x7f6c87101602: mov $0x7, %r11
656               0x7f6c8710160c: cmp %r11, %rax
657               0x7f6c8710160f: jz 0x7f6c87101623
658
659         * dfg/DFGSpeculativeJIT32_64.cpp:
660         (JSC::DFG::SpeculativeJIT::emitBranch):
661         * dfg/DFGSpeculativeJIT64.cpp:
662         (JSC::DFG::SpeculativeJIT::emitBranch):
663         * jit/AssemblyHelpers.cpp:
664         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
665         (JSC::AssemblyHelpers::branchIfValue):
666         * jit/AssemblyHelpers.h:
667         (JSC::AssemblyHelpers::branchIfTruthy):
668         (JSC::AssemblyHelpers::branchIfFalsey):
669         * jit/JIT.h:
670         * jit/JITInlines.h:
671         (JSC::JIT::addJump):
672         * jit/JITOpcodes.cpp:
673         (JSC::JIT::emit_op_jfalse):
674         (JSC::JIT::emit_op_jtrue):
675         * jit/JITOpcodes32_64.cpp:
676         (JSC::JIT::emit_op_jfalse):
677         (JSC::JIT::emit_op_jtrue):
678
679 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
680
681         [JSC] Remove WeakReferenceHarvester
682         https://bugs.webkit.org/show_bug.cgi?id=186102
683
684         Reviewed by Filip Pizlo.
685
686         After several cleanups, JSWeakMap has now become the last user of WeakReferenceHarvester.
687         Since JSWeakMap is already managed in an IsoSubspace, we can iterate marked JSWeakMaps
688         by using output constraints & Subspace iteration.
689
690         This patch removes WeakReferenceHarvester. Instead of managing this linked list, our
691         output constraint set iterates marked JSWeakMaps by using Subspace.
692
693         We also add locking for JSWeakMap's rehash and output constraint visiting.
694
695         The attached microbenchmark does not show any regression.
696
697         * API/JSAPIWrapperObject.h:
698         * CMakeLists.txt:
699         * JavaScriptCore.xcodeproj/project.pbxproj:
700         * heap/Heap.cpp:
701         (JSC::Heap::endMarking):
702         (JSC::Heap::addCoreConstraints):
703         * heap/Heap.h:
704         * heap/SlotVisitor.cpp:
705         (JSC::SlotVisitor::addWeakReferenceHarvester): Deleted.
706         * heap/SlotVisitor.h:
707         * heap/WeakReferenceHarvester.h: Removed.
708         * runtime/WeakMapImpl.cpp:
709         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
710         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitOutputConstraints):
711         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
712         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences): Deleted.
713         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences): Deleted.
714         * runtime/WeakMapImpl.h:
715         (JSC::WeakMapImpl::WeakMapImpl):
716         (JSC::WeakMapImpl::finishCreation):
717         (JSC::WeakMapImpl::rehash):
718         (JSC::WeakMapImpl::makeAndSetNewBuffer):
719         (JSC::WeakMapImpl::DeadKeyCleaner::target): Deleted.
720
721 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
722
723         [JSC] Object.create should have intrinsic
724         https://bugs.webkit.org/show_bug.cgi?id=186200
725
726         Reviewed by Filip Pizlo.
727
728         Object.create is used in various JS code. `Object.create(null)` is particularly used
729         to create an empty plain object with a null [[Prototype]]. We can find `Object.create(null)`
730         calls in ARES-6/Babylon code.
731
732         This patch adds ObjectCreateIntrinsic to JSC. DFG recognizes it and produces an ObjectCreate
733         DFG node. DFG AI and constant folding attempt to convert it to NewObject when the prototype
734         object is null. It offers a significant performance boost for `Object.create(null)`.
735
736                                                          baseline                  patched
737
738         object-create-null                           53.7940+-1.5297     ^     19.8846+-0.6584        ^ definitely 2.7053x faster
739         object-create-unknown-object-prototype       38.9977+-1.1364     ^     37.2207+-0.6143        ^ definitely 1.0477x faster
740         object-create-untyped-prototype              22.5632+-0.6917           22.2539+-0.6876          might be 1.0139x faster
741
742         * dfg/DFGAbstractInterpreterInlines.h:
743         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
744         * dfg/DFGByteCodeParser.cpp:
745         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
746         * dfg/DFGClobberize.h:
747         (JSC::DFG::clobberize):
748         * dfg/DFGConstantFoldingPhase.cpp:
749         (JSC::DFG::ConstantFoldingPhase::foldConstants):
750         * dfg/DFGDoesGC.cpp:
751         (JSC::DFG::doesGC):
752         * dfg/DFGFixupPhase.cpp:
753         (JSC::DFG::FixupPhase::fixupNode):
754         * dfg/DFGNode.h:
755         (JSC::DFG::Node::convertToNewObject):
756         * dfg/DFGNodeType.h:
757         * dfg/DFGOperations.cpp:
758         * dfg/DFGOperations.h:
759         * dfg/DFGPredictionPropagationPhase.cpp:
760         * dfg/DFGSafeToExecute.h:
761         (JSC::DFG::safeToExecute):
762         * dfg/DFGSpeculativeJIT.cpp:
763         (JSC::DFG::SpeculativeJIT::compileObjectCreate):
764         * dfg/DFGSpeculativeJIT.h:
765         * dfg/DFGSpeculativeJIT32_64.cpp:
766         (JSC::DFG::SpeculativeJIT::compile):
767         * dfg/DFGSpeculativeJIT64.cpp:
768         (JSC::DFG::SpeculativeJIT::compile):
769         * ftl/FTLCapabilities.cpp:
770         (JSC::FTL::canCompile):
771         * ftl/FTLLowerDFGToB3.cpp:
772         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
773         (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
774         * runtime/Intrinsic.cpp:
775         (JSC::intrinsicName):
776         * runtime/Intrinsic.h:
777         * runtime/JSGlobalObject.cpp:
778         (JSC::JSGlobalObject::init):
779         (JSC::JSGlobalObject::visitChildren):
780         * runtime/JSGlobalObject.h:
781         (JSC::JSGlobalObject::nullPrototypeObjectStructure const):
782         * runtime/ObjectConstructor.cpp:
783
784 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
785
786         [ESNext][BigInt] Implement support for addition operations
787         https://bugs.webkit.org/show_bug.cgi?id=179002
788
789         Reviewed by Yusuke Suzuki.
790
791         This patch implements support for BigInt operands in the binary "+"
792         and binary "-" operators. Right now, we have limited support in the DFG
793         and FTL JIT layers, but we plan to fix this support in future
794         patches.
795
796         * jit/JITOperations.cpp:
797         * runtime/CommonSlowPaths.cpp:
798         (JSC::SLOW_PATH_DECL):
799         * runtime/JSBigInt.cpp:
800         (JSC::JSBigInt::parseInt):
801         (JSC::JSBigInt::stringToBigInt):
802         (JSC::JSBigInt::toString):
803         (JSC::JSBigInt::multiply):
804         (JSC::JSBigInt::divide):
805         (JSC::JSBigInt::remainder):
806         (JSC::JSBigInt::add):
807         (JSC::JSBigInt::sub):
808         (JSC::JSBigInt::absoluteAdd):
809         (JSC::JSBigInt::absoluteSub):
810         (JSC::JSBigInt::toStringGeneric):
811         (JSC::JSBigInt::allocateFor):
812         (JSC::JSBigInt::toNumber const):
813         (JSC::JSBigInt::getPrimitiveNumber const):
814         * runtime/JSBigInt.h:
815         * runtime/JSCJSValueInlines.h:
816         * runtime/Operations.cpp:
817         (JSC::jsAddSlowCase):
818         * runtime/Operations.h:
819         (JSC::jsSub):
820
821 2018-06-01  Wenson Hsieh  <wenson_hsieh@apple.com>
822
823         Fix the watchOS build after r232385
824         https://bugs.webkit.org/show_bug.cgi?id=186203
825
826         Reviewed by Keith Miller.
827
828         Add a missing header include for JSImmutableButterfly.
829
830         * runtime/ArrayPrototype.cpp:
831
832 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
833
834         [JSC] Add Symbol.prototype.description getter
835         https://bugs.webkit.org/show_bug.cgi?id=186053
836
837         Reviewed by Keith Miller.
838
839         The Symbol.prototype.description accessor is now stage 3[1].
840         This adds a getter to retrieve the [[Description]] value from a Symbol.
841         Previously, Symbol#toString() returned a `Symbol(${description})` value,
842         so users needed to extract the `description` part if they wanted it.
843
844         [1]: https://tc39.github.io/proposal-Symbol-description/
845
846         * runtime/Symbol.cpp:
847         (JSC::Symbol::description const):
848         * runtime/Symbol.h:
849         * runtime/SymbolPrototype.cpp:
850         (JSC::tryExtractSymbol):
851         (JSC::symbolProtoGetterDescription):
852         (JSC::symbolProtoFuncToString):
853         (JSC::symbolProtoFuncValueOf):
854
855 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
856
857         [JSC] Correct values and members of JSBigInt appropriately
858         https://bugs.webkit.org/show_bug.cgi?id=186196
859
860         Reviewed by Darin Adler.
861
862         This patch cleans up a bit to select more appropriate values and members of JSBigInt.
863
864         1. JSBigInt's structure should be StructureIsImmortal.
865         2. JSBigInt::allocationSize should be annotated with `inline`.
866         3. Remove JSBigInt::visitChildren since it is completely the same as JSCell::visitChildren.
867         4. Remove JSBigInt::finishCreation since it is completely the same as JSCell::finishCreation.
868
869         * runtime/JSBigInt.cpp:
870         (JSC::JSBigInt::allocationSize):
871         (JSC::JSBigInt::allocateFor):
872         (JSC::JSBigInt::compareToDouble):
873         (JSC::JSBigInt::visitChildren): Deleted.
874         (JSC::JSBigInt::finishCreation): Deleted.
875         * runtime/JSBigInt.h:
876
877 2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>
878
879         [DFG] InById should be converted to MatchStructure
880         https://bugs.webkit.org/show_bug.cgi?id=185803
881
882         Reviewed by Keith Miller.
883
884         MatchStructure was introduced for instanceof optimization, but this node
885         is also useful for the InById node. This patch converts InById to a MatchStructure
886         node with CheckStructures where possible, by using InByIdStatus.
887
888         Added microbenchmarks show improvements.
889
890                                    baseline                  patched
891
892         in-by-id-removed       18.1196+-0.8108     ^     16.1702+-0.9773        ^ definitely 1.1206x faster
893         in-by-id-match         16.3912+-0.2608     ^     15.2736+-0.8173        ^ definitely 1.0732x faster
894
895         * JavaScriptCore.xcodeproj/project.pbxproj:
896         * Sources.txt:
897         * bytecode/InByIdStatus.cpp: Added.
898         (JSC::InByIdStatus::appendVariant):
899         (JSC::InByIdStatus::computeFor):
900         (JSC::InByIdStatus::hasExitSite):
901         (JSC::InByIdStatus::computeForStubInfo):
902         (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
903         (JSC::InByIdStatus::filter):
904         (JSC::InByIdStatus::dump const):
905         * bytecode/InByIdStatus.h: Added.
906         (JSC::InByIdStatus::InByIdStatus):
907         (JSC::InByIdStatus::state const):
908         (JSC::InByIdStatus::isSet const):
909         (JSC::InByIdStatus::operator bool const):
910         (JSC::InByIdStatus::isSimple const):
911         (JSC::InByIdStatus::numVariants const):
912         (JSC::InByIdStatus::variants const):
913         (JSC::InByIdStatus::at const):
914         (JSC::InByIdStatus::operator[] const):
915         (JSC::InByIdStatus::takesSlowPath const):
916         * bytecode/InByIdVariant.cpp: Added.
917         (JSC::InByIdVariant::InByIdVariant):
918         (JSC::InByIdVariant::attemptToMerge):
919         (JSC::InByIdVariant::dump const):
920         (JSC::InByIdVariant::dumpInContext const):
921         * bytecode/InByIdVariant.h: Added.
922         (JSC::InByIdVariant::isSet const):
923         (JSC::InByIdVariant::operator bool const):
924         (JSC::InByIdVariant::structureSet const):
925         (JSC::InByIdVariant::structureSet):
926         (JSC::InByIdVariant::conditionSet const):
927         (JSC::InByIdVariant::offset const):
928         (JSC::InByIdVariant::isHit const):
929         * bytecode/PolyProtoAccessChain.h:
930         * dfg/DFGByteCodeParser.cpp:
931         (JSC::DFG::ByteCodeParser::parseBlock):
932
933 2018-06-01  Keith Miller  <keith_miller@apple.com>
934
935         move should only emit the move if it's actually needed
936         https://bugs.webkit.org/show_bug.cgi?id=186123
937
938         Reviewed by Saam Barati.
939
940         This patch replaces move with moveToDestinationIfNeeded. This
941         will prevent us from emitting moves to the same location. The old
942         move has been renamed to emitMove and made private.
943
944         * bytecompiler/BytecodeGenerator.cpp:
945         (JSC::BytecodeGenerator::BytecodeGenerator):
946         (JSC::BytecodeGenerator::emitMove):
947         (JSC::BytecodeGenerator::emitGetGlobalPrivate):
948         (JSC::BytecodeGenerator::emitGetAsyncIterator):
949         (JSC::BytecodeGenerator::move): Deleted.
950         * bytecompiler/BytecodeGenerator.h:
951         (JSC::BytecodeGenerator::move):
952         (JSC::BytecodeGenerator::moveToDestinationIfNeeded): Deleted.
953         * bytecompiler/NodesCodegen.cpp:
954         (JSC::ThisNode::emitBytecode):
955         (JSC::SuperNode::emitBytecode):
956         (JSC::NewTargetNode::emitBytecode):
957         (JSC::ResolveNode::emitBytecode):
958         (JSC::TaggedTemplateNode::emitBytecode):
959         (JSC::ArrayNode::emitBytecode):
960         (JSC::ObjectLiteralNode::emitBytecode):
961         (JSC::EvalFunctionCallNode::emitBytecode):
962         (JSC::FunctionCallResolveNode::emitBytecode):
963         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
964         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
965         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
966         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
967         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString):
968         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
969         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
970         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray):
971         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject):
972         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject):
973         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
974         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray):
975         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap):
976         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet):
977         (JSC::CallFunctionCallDotNode::emitBytecode):
978         (JSC::ApplyFunctionCallDotNode::emitBytecode):
979         (JSC::emitPostIncOrDec):
980         (JSC::PostfixNode::emitBracket):
981         (JSC::PostfixNode::emitDot):
982         (JSC::PrefixNode::emitResolve):
983         (JSC::PrefixNode::emitBracket):
984         (JSC::PrefixNode::emitDot):
985         (JSC::LogicalOpNode::emitBytecode):
986         (JSC::ReadModifyResolveNode::emitBytecode):
987         (JSC::AssignResolveNode::emitBytecode):
988         (JSC::AssignDotNode::emitBytecode):
989         (JSC::AssignBracketNode::emitBytecode):
990         (JSC::FunctionNode::emitBytecode):
991         (JSC::ClassExprNode::emitBytecode):
992         (JSC::DestructuringAssignmentNode::emitBytecode):
993         (JSC::ArrayPatternNode::emitDirectBinding):
994         (JSC::ObjectPatternNode::bindValue const):
995         (JSC::AssignmentElementNode::bindValue const):
996         (JSC::ObjectSpreadExpressionNode::emitBytecode):
997
998 2018-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
999
1000         [Baseline] Store constant directly in emit_op_mov
1001         https://bugs.webkit.org/show_bug.cgi?id=186182
1002
1003         Reviewed by Saam Barati.
1004
1005         In the old code, we first moved a constant to a register and stored it to the specified address.
1006         But in 64-bit JSC, we can directly store a constant to the specified address. This reduces the
1007         generated code size. Since the old code was emitting the constant in the code anyway, this change
1008         never increases the size of the generated code.
1009
1010         * jit/JITInlines.h:
1011         (JSC::JIT::emitGetVirtualRegister):
1012         We remove this obsolete comment. Our OSR relies on the fact that values are stored and loaded
1013         from the stack. If we transfer values in registers without loading values from the stack, it
1014         breaks this assumption.
1015
1016         * jit/JITOpcodes.cpp:
1017         (JSC::JIT::emit_op_mov):
1018
1019 2018-05-31  Caio Lima  <ticaiolima@gmail.com>
1020
1021         [ESNext][BigInt] Implement support for "=<" and ">=" relational operation
1022         https://bugs.webkit.org/show_bug.cgi?id=185929
1023
1024         Reviewed by Yusuke Suzuki.
1025
1026         This patch introduces support for BigInt operands in the ">=" and
1027         "<=" operators.
1028         Here we introduce `bigIntCompareResult`, a helper function
1029         to reuse code between the "less than" and "less than or equal" operators.
1030
1031         * runtime/JSBigInt.h:
1032         * runtime/Operations.h:
1033         (JSC::bigIntCompareResult):
1034         (JSC::bigIntCompare):
1035         (JSC::jsLess):
1036         (JSC::jsLessEq):
1037         (JSC::bigIntCompareLess): Deleted.
1038
1039 2018-05-31  Saam Barati  <sbarati@apple.com>
1040
1041         Cache toString results for CoW arrays
1042         https://bugs.webkit.org/show_bug.cgi?id=186160
1043
1044         Reviewed by Keith Miller.
1045
1046         This patch makes it so that we cache the result of toString on
1047         arrays with a CoW butterfly. This cache lives on Heap and is
1048         cleared after every GC. We only cache the toString result when
1049         the CoW butterfly doesn't have a hole (currently, all CoW arrays
1050         have a hole, but this isn't an invariant we want to rely on). The
1051         reason for this is that if there is a hole, the value may be loaded
1052         from the prototype, and the cache may produce a stale result.
1053         
1054         This is a ~4% speedup on the ML subtest in ARES. And is a ~1% overall
1055         progression on ARES.
1056
1057         * heap/Heap.cpp:
1058         (JSC::Heap::finalize):
1059         (JSC::Heap::addCoreConstraints):
1060         * heap/Heap.h:
1061         * runtime/ArrayPrototype.cpp:
1062         (JSC::canUseFastJoin):
1063         (JSC::holesMustForwardToPrototype):
1064         (JSC::isHole):
1065         (JSC::containsHole):
1066         (JSC::fastJoin):
1067         (JSC::arrayProtoFuncToString):
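
        Added example (not part of this ChangeLog and not JSC's own code): the entry above
        caches a CoW array's toString result only when the array has no hole, because a hole
        is resolved through the prototype chain at join time. The script below makes that
        observable from JavaScript: a naive identity-keyed cache (a hypothetical helper, not
        the Heap cache JSC uses) returns a stale string for a holey array once Array.prototype
        gains an indexed property, while the hole-aware variant stays correct. All arrays and
        values are constructed for the demonstration.

```javascript
// Added example, not JSC code: why a cached Array#toString result is only
// safe for arrays without holes. Array.prototype.join performs an ordinary
// [[Get]] for each index, so a hole is looked up on the prototype chain.

// A hole is an index in [0, length) that is not an own property.
function hasHole(arr) {
  for (let i = 0; i < arr.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(arr, i)) return true;
  }
  return false;
}

// Naive cache keyed by array identity (hypothetical helper): wrong for holey
// arrays, because the cached string does not see later prototype changes.
const naiveCache = new WeakMap();
function naiveCachedToString(arr) {
  let s = naiveCache.get(arr);
  if (s === undefined) {
    s = arr.toString();
    naiveCache.set(arr, s);
  }
  return s;
}

// Hole-aware cache (hypothetical helper): mirrors the entry's rule by never
// caching an array that contains a hole.
const safeCache = new WeakMap();
function safeCachedToString(arr) {
  if (hasHole(arr)) return arr.toString();
  let s = safeCache.get(arr);
  if (s === undefined) {
    s = arr.toString();
    safeCache.set(arr, s);
  }
  return s;
}

// Runs the scenario: prime both caches, then add an indexed property to
// Array.prototype so that only the hole observes it. Returns the strings
// seen before and after the prototype change.
function demonstrate() {
  const dense = [1, 2, 3];
  const holey = [1, , 3]; // index 1 is a hole, not undefined
  const before = {
    dense: naiveCachedToString(dense),
    holey: naiveCachedToString(holey),
  };
  safeCachedToString(dense);
  safeCachedToString(holey);
  Object.defineProperty(Array.prototype, 1, {
    value: 'proto', configurable: true, writable: true, enumerable: false,
  });
  let after;
  try {
    after = {
      dense: naiveCachedToString(dense),
      holeyDirect: holey.toString(),          // what the engine must return
      naiveHoley: naiveCachedToString(holey), // stale: still "1,,3"
      safeHoley: safeCachedToString(holey),   // correct: "1,proto,3"
    };
  } finally {
    delete Array.prototype[1]; // restore the prototype
  }
  return { before, after };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

        The dense array's cached value stays valid because every index is an own property; the
        holey array's naive cache entry is exactly the stale result the entry describes.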
1068
1069 2018-05-31  Saam Barati  <sbarati@apple.com>
1070
1071         PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
1072         https://bugs.webkit.org/show_bug.cgi?id=186169
1073
1074         Reviewed by Mark Lam.
1075
1076         If we don't do this, the CFA validation rule about StructureID being
1077         clobbered but AI not clobbering or folding a clobber will cause us
1078         to crash. Simon was running into this yesterday on arstechnica.com.
1079         I couldn't come up with a test case for this, but it's obvious
1080         what the issue is by looking at the IR dump at the time of the crash.
1081
1082         * dfg/DFGAbstractInterpreterInlines.h:
1083         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1084
1085 2018-05-31  Saam Barati  <sbarati@apple.com>
1086
1087         JSImmutableButterfly should align its variable storage
1088         https://bugs.webkit.org/show_bug.cgi?id=186159
1089
1090         Reviewed by Mark Lam.
1091
1092         I'm also making the use of reinterpret_cast and bitwise_cast consistent
1093         inside of JSImmutableButterfly. I switched everything to use bitwise_cast.
1094
1095         * runtime/JSImmutableButterfly.h:
1096         (JSC::JSImmutableButterfly::toButterfly const):
1097         (JSC::JSImmutableButterfly::fromButterfly):
1098         (JSC::JSImmutableButterfly::offsetOfData):
1099         (JSC::JSImmutableButterfly::allocationSize):
1100
1101 2018-05-31  Keith Miller  <keith_miller@apple.com>
1102
1103         DFGArrayModes needs to know more about CoW arrays
1104         https://bugs.webkit.org/show_bug.cgi?id=186162
1105
1106         Reviewed by Filip Pizlo.
1107
1108         This patch fixes two issues in DFGArrayMode.
1109
1110         1) fromObserved was missing switch cases for when the only observed ArrayModes are CopyOnWrite.
1111         2) DFGArrayModes needs to track if the ArrayClass is an OriginalCopyOnWriteArray in order
1112         to vend an accurate original structure.
1113
1114         Additionally, this patch fixes some places in bytecode parsing where we told the array mode
1115         we were doing a read but were actually doing a write. Also, DFGArrayMode will now print the
1116         action it is expecting when being dumped.
1117
1118         * bytecode/ArrayProfile.h:
1119         (JSC::hasSeenWritableArray):
1120         * dfg/DFGArrayMode.cpp:
1121         (JSC::DFG::ArrayMode::fromObserved):
1122         (JSC::DFG::ArrayMode::refine const):
1123         (JSC::DFG::ArrayMode::originalArrayStructure const):
1124         (JSC::DFG::arrayActionToString):
1125         (JSC::DFG::arrayClassToString):
1126         (JSC::DFG::ArrayMode::dump const):
1127         (WTF::printInternal):
1128         * dfg/DFGArrayMode.h:
1129         (JSC::DFG::ArrayMode::withProfile const):
1130         (JSC::DFG::ArrayMode::isJSArray const):
1131         (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure const):
1132         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
1133         * dfg/DFGByteCodeParser.cpp:
1134         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1135         (JSC::DFG::ByteCodeParser::parseBlock):
1136         * dfg/DFGFixupPhase.cpp:
1137         (JSC::DFG::FixupPhase::fixupNode):
1138         * dfg/DFGSpeculativeJIT.cpp:
1139         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
1140         * ftl/FTLLowerDFGToB3.cpp:
1141         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
1142
1143 2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1144
1145         [JSC] Pass VM& parameter as much as possible
1146         https://bugs.webkit.org/show_bug.cgi?id=186085
1147
1148         Reviewed by Saam Barati.
1149
1150         JSCell::vm() is slow compared to ExecState::vm(). That's why we have a bunch of functions in JSCell/JSObject that take VM& as a parameter.
1151         For example, we have JSCell::structure() and JSCell::structure(VM&); the former retrieves VM& from the cell and invokes structure(VM&).
1152         If we can get VM& from ExecState* or some other place, it reduces the inlined code size.
1153         This patch attempts to pass the VM& parameter to such functions as much as possible.
1154
1155         * API/APICast.h:
1156         (toJS):
1157         (toJSForGC):
1158         * API/JSCallbackObjectFunctions.h:
1159         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
1160         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
1161         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1162         * API/JSObjectRef.cpp:
1163         (JSObjectIsConstructor):
1164         * API/JSTypedArray.cpp:
1165         (JSObjectGetTypedArrayBuffer):
1166         * API/JSValueRef.cpp:
1167         (JSValueIsInstanceOfConstructor):
1168         * bindings/ScriptFunctionCall.cpp:
1169         (Deprecated::ScriptFunctionCall::call):
1170         * bindings/ScriptValue.cpp:
1171         (Inspector::jsToInspectorValue):
1172         * bytecode/AccessCase.cpp:
1173         (JSC::AccessCase::generateImpl):
1174         * bytecode/CodeBlock.cpp:
1175         (JSC::CodeBlock::CodeBlock):
1176         * bytecode/ObjectAllocationProfileInlines.h:
1177         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
1178         * bytecode/ObjectPropertyConditionSet.cpp:
1179         (JSC::generateConditionsForInstanceOf):
1180         * bytecode/PropertyCondition.cpp:
1181         (JSC::PropertyCondition::isWatchableWhenValid const):
1182         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
1183         * bytecode/StructureStubClearingWatchpoint.cpp:
1184         (JSC::StructureStubClearingWatchpoint::fireInternal):
1185         * debugger/Debugger.cpp:
1186         (JSC::Debugger::detach):
1187         * debugger/DebuggerScope.cpp:
1188         (JSC::DebuggerScope::create):
1189         (JSC::DebuggerScope::put):
1190         (JSC::DebuggerScope::deleteProperty):
1191         (JSC::DebuggerScope::getOwnPropertyNames):
1192         (JSC::DebuggerScope::defineOwnProperty):
1193         * dfg/DFGAbstractInterpreterInlines.h:
1194         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1195         * dfg/DFGAbstractValue.cpp:
1196         (JSC::DFG::AbstractValue::mergeOSREntryValue):
1197         * dfg/DFGArgumentsEliminationPhase.cpp:
1198         * dfg/DFGArrayMode.cpp:
1199         (JSC::DFG::ArrayMode::refine const):
1200         * dfg/DFGByteCodeParser.cpp:
1201         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1202         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1203         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1204         (JSC::DFG::ByteCodeParser::check):
1205         * dfg/DFGConstantFoldingPhase.cpp:
1206         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1207         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
1208         * dfg/DFGFixupPhase.cpp:
1209         (JSC::DFG::FixupPhase::fixupNode):
1210         * dfg/DFGGraph.cpp:
1211         (JSC::DFG::Graph::tryGetConstantProperty):
1212         * dfg/DFGOperations.cpp:
1213         * dfg/DFGSpeculativeJIT.cpp:
1214         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1215         * dfg/DFGStrengthReductionPhase.cpp:
1216         (JSC::DFG::StrengthReductionPhase::handleNode):
1217         * ftl/FTLLowerDFGToB3.cpp:
1218         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1219         * ftl/FTLOperations.cpp:
1220         (JSC::FTL::operationPopulateObjectInOSR):
1221         * inspector/InjectedScriptManager.cpp:
1222         (Inspector::InjectedScriptManager::createInjectedScript):
1223         * inspector/JSJavaScriptCallFrame.cpp:
1224         (Inspector::JSJavaScriptCallFrame::caller const):
1225         (Inspector::JSJavaScriptCallFrame::scopeChain const):
1226         * interpreter/CallFrame.cpp:
1227         (JSC::CallFrame::wasmAwareLexicalGlobalObject):
1228         * interpreter/Interpreter.cpp:
1229         (JSC::Interpreter::executeProgram):
1230         (JSC::Interpreter::executeCall):
1231         (JSC::Interpreter::executeConstruct):
1232         (JSC::Interpreter::execute):
1233         (JSC::Interpreter::executeModuleProgram):
1234         * jit/JITOperations.cpp:
1235         (JSC::getByVal):
1236         * jit/Repatch.cpp:
1237         (JSC::tryCacheInByID):
1238         * jsc.cpp:
1239         (functionDollarAgentReceiveBroadcast):
1240         (functionHasCustomProperties):
1241         * llint/LLIntSlowPaths.cpp:
1242         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1243         (JSC::LLInt::setupGetByIdPrototypeCache):
1244         (JSC::LLInt::getByVal):
1245         (JSC::LLInt::handleHostCall):
1246         (JSC::LLInt::llint_throw_stack_overflow_error):
1247         * runtime/AbstractModuleRecord.cpp:
1248         (JSC::AbstractModuleRecord::finishCreation):
1249         * runtime/ArrayConstructor.cpp:
1250         (JSC::constructArrayWithSizeQuirk):
1251         * runtime/ArrayPrototype.cpp:
1252         (JSC::speciesWatchpointIsValid):
1253         (JSC::arrayProtoFuncToString):
1254         (JSC::arrayProtoFuncToLocaleString):
1255         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
1256         * runtime/AsyncFunctionConstructor.cpp:
1257         (JSC::callAsyncFunctionConstructor):
1258         (JSC::constructAsyncFunctionConstructor):
1259         * runtime/AsyncGeneratorFunctionConstructor.cpp:
1260         (JSC::callAsyncGeneratorFunctionConstructor):
1261         (JSC::constructAsyncGeneratorFunctionConstructor):
1262         * runtime/BooleanConstructor.cpp:
1263         (JSC::constructWithBooleanConstructor):
1264         * runtime/ClonedArguments.cpp:
1265         (JSC::ClonedArguments::createEmpty):
1266         (JSC::ClonedArguments::createWithInlineFrame):
1267         (JSC::ClonedArguments::createWithMachineFrame):
1268         (JSC::ClonedArguments::createByCopyingFrom):
1269         (JSC::ClonedArguments::getOwnPropertySlot):
1270         (JSC::ClonedArguments::materializeSpecials):
1271         * runtime/CommonSlowPaths.cpp:
1272         (JSC::SLOW_PATH_DECL):
1273         * runtime/CommonSlowPaths.h:
1274         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1275         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1276         (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
1277         * runtime/ConstructData.cpp:
1278         (JSC::construct):
1279         * runtime/DateConstructor.cpp:
1280         (JSC::constructWithDateConstructor):
1281         * runtime/DatePrototype.cpp:
1282         (JSC::dateProtoFuncToJSON):
1283         * runtime/DirectArguments.cpp:
1284         (JSC::DirectArguments::overrideThings):
1285         * runtime/Error.cpp:
1286         (JSC::getStackTrace):
1287         * runtime/ErrorConstructor.cpp:
1288         (JSC::Interpreter::constructWithErrorConstructor):
1289         (JSC::Interpreter::callErrorConstructor):
1290         * runtime/FunctionConstructor.cpp:
1291         (JSC::constructWithFunctionConstructor):
1292         (JSC::callFunctionConstructor):
1293         * runtime/GeneratorFunctionConstructor.cpp:
1294         (JSC::callGeneratorFunctionConstructor):
1295         (JSC::constructGeneratorFunctionConstructor):
1296         * runtime/GenericArgumentsInlines.h:
1297         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1298         * runtime/InferredStructureWatchpoint.cpp:
1299         (JSC::InferredStructureWatchpoint::fireInternal):
1300         * runtime/InferredType.cpp:
1301         (JSC::InferredType::removeStructure):
1302         * runtime/InferredType.h:
1303         * runtime/InferredTypeInlines.h:
1304         (JSC::InferredType::finalizeUnconditionally):
1305         * runtime/IntlCollator.cpp:
1306         (JSC::IntlCollator::initializeCollator):
1307         * runtime/IntlCollatorConstructor.cpp:
1308         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1309         * runtime/IntlCollatorPrototype.cpp:
1310         (JSC::IntlCollatorPrototypeGetterCompare):
1311         * runtime/IntlDateTimeFormat.cpp:
1312         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1313         (JSC::IntlDateTimeFormat::formatToParts):
1314         * runtime/IntlDateTimeFormatConstructor.cpp:
1315         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1316         * runtime/IntlDateTimeFormatPrototype.cpp:
1317         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1318         * runtime/IntlNumberFormat.cpp:
1319         (JSC::IntlNumberFormat::initializeNumberFormat):
1320         (JSC::IntlNumberFormat::formatToParts):
1321         * runtime/IntlNumberFormatConstructor.cpp:
1322         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1323         * runtime/IntlNumberFormatPrototype.cpp:
1324         (JSC::IntlNumberFormatPrototypeGetterFormat):
1325         * runtime/IntlObject.cpp:
1326         (JSC::canonicalizeLocaleList):
1327         (JSC::defaultLocale):
1328         (JSC::lookupSupportedLocales):
1329         (JSC::intlObjectFuncGetCanonicalLocales):
1330         * runtime/IntlPluralRules.cpp:
1331         (JSC::IntlPluralRules::initializePluralRules):
1332         (JSC::IntlPluralRules::resolvedOptions):
1333         * runtime/IntlPluralRulesConstructor.cpp:
1334         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
1335         * runtime/IteratorOperations.cpp:
1336         (JSC::iteratorNext):
1337         (JSC::iteratorClose):
1338         (JSC::iteratorForIterable):
1339         * runtime/JSArray.cpp:
1340         (JSC::JSArray::shiftCountWithArrayStorage):
1341         (JSC::JSArray::unshiftCountWithArrayStorage):
1342         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
1343         * runtime/JSArrayBufferConstructor.cpp:
1344         (JSC::JSArrayBufferConstructor::finishCreation):
1345         (JSC::constructArrayBuffer):
1346         * runtime/JSArrayBufferPrototype.cpp:
1347         (JSC::arrayBufferProtoFuncSlice):
1348         * runtime/JSArrayBufferView.cpp:
1349         (JSC::JSArrayBufferView::unsharedJSBuffer):
1350         (JSC::JSArrayBufferView::possiblySharedJSBuffer):
1351         * runtime/JSAsyncFunction.cpp:
1352         (JSC::JSAsyncFunction::createImpl):
1353         (JSC::JSAsyncFunction::create):
1354         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
1355         * runtime/JSAsyncGeneratorFunction.cpp:
1356         (JSC::JSAsyncGeneratorFunction::createImpl):
1357         (JSC::JSAsyncGeneratorFunction::create):
1358         (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
1359         * runtime/JSBoundFunction.cpp:
1360         (JSC::boundThisNoArgsFunctionCall):
1361         (JSC::boundFunctionCall):
1362         (JSC::boundThisNoArgsFunctionConstruct):
1363         (JSC::boundFunctionConstruct):
1364         (JSC::getBoundFunctionStructure):
1365         (JSC::JSBoundFunction::create):
1366         (JSC::JSBoundFunction::boundArgsCopy):
1367         * runtime/JSCJSValue.cpp:
1368         (JSC::JSValue::putToPrimitive):
1369         * runtime/JSCellInlines.h:
1370         (JSC::JSCell::setStructure):
1371         (JSC::JSCell::methodTable const):
1372         (JSC::JSCell::toBoolean const):
1373         * runtime/JSFunction.h:
1374         (JSC::JSFunction::createImpl):
1375         * runtime/JSGeneratorFunction.cpp:
1376         (JSC::JSGeneratorFunction::createImpl):
1377         (JSC::JSGeneratorFunction::create):
1378         (JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
1379         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1380         (JSC::constructGenericTypedArrayViewWithArguments):
1381         (JSC::constructGenericTypedArrayView):
1382         * runtime/JSGenericTypedArrayViewInlines.h:
1383         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1384         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
1385         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
1386         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1387         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1388         (JSC::genericTypedArrayViewProtoFuncSlice):
1389         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1390         * runtime/JSGlobalObject.cpp:
1391         (JSC::JSGlobalObject::init):
1392         (JSC::JSGlobalObject::exposeDollarVM):
1393         (JSC::JSGlobalObject::finishCreation):
1394         * runtime/JSGlobalObject.h:
1395         * runtime/JSGlobalObjectFunctions.cpp:
1396         (JSC::globalFuncEval):
1397         * runtime/JSInternalPromise.cpp:
1398         (JSC::JSInternalPromise::then):
1399         * runtime/JSInternalPromiseConstructor.cpp:
1400         (JSC::constructPromise):
1401         * runtime/JSJob.cpp:
1402         (JSC::JSJobMicrotask::run):
1403         * runtime/JSLexicalEnvironment.cpp:
1404         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
1405         (JSC::JSLexicalEnvironment::put):
1406         * runtime/JSMap.cpp:
1407         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
1408         * runtime/JSMapIterator.cpp:
1409         (JSC::JSMapIterator::createPair):
1410         * runtime/JSModuleLoader.cpp:
1411         (JSC::JSModuleLoader::provideFetch):
1412         (JSC::JSModuleLoader::loadAndEvaluateModule):
1413         (JSC::JSModuleLoader::loadModule):
1414         (JSC::JSModuleLoader::linkAndEvaluateModule):
1415         (JSC::JSModuleLoader::requestImportModule):
1416         * runtime/JSONObject.cpp:
1417         (JSC::JSONProtoFuncParse):
1418         * runtime/JSObject.cpp:
1419         (JSC::JSObject::putInlineSlow):
1420         (JSC::JSObject::putByIndex):
1421         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1422         (JSC::JSObject::createInitialIndexedStorage):
1423         (JSC::JSObject::createArrayStorage):
1424         (JSC::JSObject::convertUndecidedToArrayStorage):
1425         (JSC::JSObject::convertInt32ToArrayStorage):
1426         (JSC::JSObject::convertDoubleToArrayStorage):
1427         (JSC::JSObject::convertContiguousToArrayStorage):
1428         (JSC::JSObject::convertFromCopyOnWrite):
1429         (JSC::JSObject::ensureWritableInt32Slow):
1430         (JSC::JSObject::ensureWritableDoubleSlow):
1431         (JSC::JSObject::ensureWritableContiguousSlow):
1432         (JSC::JSObject::ensureArrayStorageSlow):
1433         (JSC::JSObject::setPrototypeDirect):
1434         (JSC::JSObject::deleteProperty):
1435         (JSC::callToPrimitiveFunction):
1436         (JSC::JSObject::hasInstance):
1437         (JSC::JSObject::getOwnNonIndexPropertyNames):
1438         (JSC::JSObject::preventExtensions):
1439         (JSC::JSObject::isExtensible):
1440         (JSC::JSObject::reifyAllStaticProperties):
1441         (JSC::JSObject::fillGetterPropertySlot):
1442         (JSC::JSObject::defineOwnIndexedProperty):
1443         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1444         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1445         (JSC::JSObject::putByIndexBeyondVectorLength):
1446         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1447         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1448         (JSC::JSObject::getNewVectorLength):
1449         (JSC::JSObject::increaseVectorLength):
1450         (JSC::JSObject::reallocateAndShrinkButterfly):
1451         (JSC::JSObject::shiftButterflyAfterFlattening):
1452         (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
1453         (JSC::JSObject::prototypeChainMayInterceptStoreTo):
1454         (JSC::JSObject::needsSlowPutIndexing const):
1455         (JSC::JSObject::suggestedArrayStorageTransition const):
1456         * runtime/JSObject.h:
1457         (JSC::JSObject::mayInterceptIndexedAccesses):
1458         (JSC::JSObject::hasIndexingHeader const):
1459         (JSC::JSObject::hasCustomProperties):
1460         (JSC::JSObject::hasGetterSetterProperties):
1461         (JSC::JSObject::hasCustomGetterSetterProperties):
1462         (JSC::JSObject::isExtensibleImpl):
1463         (JSC::JSObject::isStructureExtensible):
1464         (JSC::JSObject::indexingShouldBeSparse):
1465         (JSC::JSObject::staticPropertiesReified):
1466         (JSC::JSObject::globalObject const):
1467         (JSC::JSObject::finishCreation):
1468         (JSC::JSNonFinalObject::finishCreation):
1469         (JSC::getCallData):
1470         (JSC::getConstructData):
1471         (JSC::JSObject::getOwnNonIndexPropertySlot):
1472         (JSC::JSObject::putOwnDataProperty):
1473         (JSC::JSObject::putOwnDataPropertyMayBeIndex):
1474         (JSC::JSObject::butterflyPreCapacity):
1475         (JSC::JSObject::butterflyTotalSize):
1476         * runtime/JSObjectInlines.h:
1477         (JSC::JSObject::putDirectInternal):
1478         * runtime/JSPromise.cpp:
1479         (JSC::JSPromise::initialize):
1480         (JSC::JSPromise::resolve):
1481         * runtime/JSPromiseConstructor.cpp:
1482         (JSC::constructPromise):
1483         * runtime/JSPromiseDeferred.cpp:
1484         (JSC::newPromiseCapability):
1485         (JSC::callFunction):
1486         * runtime/JSScope.cpp:
1487         (JSC::abstractAccess):
1488         * runtime/JSScope.h:
1489         (JSC::JSScope::globalObject): Deleted.
1490         Remove this JSScope::globalObject function since it is completely the same as JSObject::globalObject().
1491
1492         * runtime/JSSet.cpp:
1493         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
1494         * runtime/JSSetIterator.cpp:
1495         (JSC::JSSetIterator::createPair):
1496         * runtime/JSStringIterator.cpp:
1497         (JSC::JSStringIterator::clone):
1498         * runtime/Lookup.cpp:
1499         (JSC::reifyStaticAccessor):
1500         (JSC::setUpStaticFunctionSlot):
1501         * runtime/Lookup.h:
1502         (JSC::getStaticPropertySlotFromTable):
1503         (JSC::replaceStaticPropertySlot):
1504         (JSC::reifyStaticProperty):
1505         * runtime/MapConstructor.cpp:
1506         (JSC::constructMap):
1507         * runtime/NumberConstructor.cpp:
1508         (JSC::NumberConstructor::finishCreation):
1509         * runtime/ObjectConstructor.cpp:
1510         (JSC::constructObject):
1511         (JSC::objectConstructorAssign):
1512         (JSC::toPropertyDescriptor):
1513         * runtime/ObjectPrototype.cpp:
1514         (JSC::objectProtoFuncDefineGetter):
1515         (JSC::objectProtoFuncDefineSetter):
1516         (JSC::objectProtoFuncToLocaleString):
1517         * runtime/Operations.cpp:
1518         (JSC::jsIsFunctionType): Deleted.
1519         Replace it with JSValue::isFunction(VM&).
1520
1521         * runtime/Operations.h:
1522         * runtime/ProgramExecutable.cpp:
1523         (JSC::ProgramExecutable::initializeGlobalProperties):
1524         * runtime/RegExpConstructor.cpp:
1525         (JSC::constructWithRegExpConstructor):
1526         (JSC::callRegExpConstructor):
1527         * runtime/SamplingProfiler.cpp:
1528         (JSC::SamplingProfiler::processUnverifiedStackTraces):
1529         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
1530         * runtime/ScopedArguments.cpp:
1531         (JSC::ScopedArguments::overrideThings):
1532         * runtime/ScriptExecutable.cpp:
1533         (JSC::ScriptExecutable::newCodeBlockFor):
1534         (JSC::ScriptExecutable::prepareForExecutionImpl):
1535         * runtime/SetConstructor.cpp:
1536         (JSC::constructSet):
1537         * runtime/SparseArrayValueMap.cpp:
1538         (JSC::SparseArrayValueMap::putEntry):
1539         (JSC::SparseArrayValueMap::putDirect):
1540         * runtime/StringConstructor.cpp:
1541         (JSC::constructWithStringConstructor):
1542         * runtime/StringPrototype.cpp:
1543         (JSC::replaceUsingRegExpSearch):
1544         (JSC::replaceUsingStringSearch):
1545         (JSC::stringProtoFuncIterator):
1546         * runtime/Structure.cpp:
1547         (JSC::Structure::materializePropertyTable):
1548         (JSC::Structure::willStoreValueSlow):
1549         * runtime/StructureCache.cpp:
1550         (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
1551         * runtime/StructureInlines.h:
1552         (JSC::Structure::get):
1553         * runtime/WeakMapConstructor.cpp:
1554         (JSC::constructWeakMap):
1555         * runtime/WeakSetConstructor.cpp:
1556         (JSC::constructWeakSet):
1557         * tools/HeapVerifier.cpp:
1558         (JSC::HeapVerifier::reportCell):
1559         * tools/JSDollarVM.cpp:
1560         (JSC::functionGlobalObjectForObject):
1561         (JSC::JSDollarVM::finishCreation):
1562         * wasm/js/JSWebAssemblyInstance.cpp:
1563         (JSC::JSWebAssemblyInstance::finalizeCreation):
1564         * wasm/js/WasmToJS.cpp:
1565         (JSC::Wasm::handleBadI64Use):
1566         (JSC::Wasm::wasmToJSException):
1567         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1568         (JSC::constructJSWebAssemblyCompileError):
1569         (JSC::callJSWebAssemblyCompileError):
1570         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
1571         (JSC::constructJSWebAssemblyLinkError):
1572         (JSC::callJSWebAssemblyLinkError):
1573         * wasm/js/WebAssemblyModuleRecord.cpp:
1574         (JSC::WebAssemblyModuleRecord::evaluate):
1575         * wasm/js/WebAssemblyPrototype.cpp:
1576         (JSC::instantiate):
1577         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1578         (JSC::constructJSWebAssemblyRuntimeError):
1579         (JSC::callJSWebAssemblyRuntimeError):
1580         * wasm/js/WebAssemblyToJSCallee.cpp:
1581         (JSC::WebAssemblyToJSCallee::create):
1582
1583 2018-05-30  Saam Barati  <sbarati@apple.com>
1584
1585         DFG combined liveness needs to say that the machine CodeBlock's arguments are live
1586         https://bugs.webkit.org/show_bug.cgi?id=186121
1587         <rdar://problem/39377796>
1588
1589         Reviewed by Keith Miller.
1590
1591         DFG's combined liveness was reporting that the machine CodeBlock's |this|
1592         argument was dead at certain points in the program. However, a CodeBlock's
1593         arguments are considered live for the entire function. This fixes a bug
1594         where object allocation sinking phase skipped materializing an allocation
1595         because it thought that the argument it was associated with, |this|, was dead.
1596
1597         * dfg/DFGCombinedLiveness.cpp:
1598         (JSC::DFG::liveNodesAtHead):
1599
1600 2018-05-30  Daniel Bates  <dabates@apple.com>
1601
1602         Web Inspector: Annotate Same-Site cookies
1603         https://bugs.webkit.org/show_bug.cgi?id=184897
1604         <rdar://problem/35178209>
1605
1606         Reviewed by Brian Burg.
1607
1608         Update protocol to include cookie Same-Site policy.
1609
1610         * inspector/protocol/Page.json:
1611
1612 2018-05-29  Keith Miller  <keith_miller@apple.com>
1613
1614         Error instances should not strongly hold onto StackFrames
1615         https://bugs.webkit.org/show_bug.cgi?id=185996
1616
1617         Reviewed by Mark Lam.
1618
1619         Previously, we would hold onto all the StackFrames until the user
1620         looked at one of the properties on the Error object. This patch makes us
1621         only weakly retain the StackFrames and collect all the information
1622         if we are about to collect any frame.
1623
1624         This patch also adds a method to $vm that returns the heap's count
1625         of live global objects.
1626
1627         * heap/Heap.cpp:
1628         (JSC::Heap::finalizeUnconditionalFinalizers):
1629         * interpreter/Interpreter.cpp:
1630         (JSC::Interpreter::stackTraceAsString):
1631         * interpreter/Interpreter.h:
1632         * runtime/Error.cpp:
1633         (JSC::addErrorInfo):
1634         * runtime/ErrorInstance.cpp:
1635         (JSC::ErrorInstance::finalizeUnconditionally):
1636         (JSC::ErrorInstance::computeErrorInfo):
1637         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1638         (JSC::ErrorInstance::visitChildren): Deleted.
1639         * runtime/ErrorInstance.h:
1640         (JSC::ErrorInstance::subspaceFor):
1641         * runtime/JSFunction.cpp:
1642         (JSC::getCalculatedDisplayName):
1643         * runtime/StackFrame.h:
1644         (JSC::StackFrame::isMarked const):
1645         * runtime/VM.cpp:
1646         (JSC::VM::VM):
1647         * runtime/VM.h:
1648         * tools/JSDollarVM.cpp:
1649         (JSC::functionGlobalObjectCount):
1650         (JSC::JSDollarVM::finishCreation):
1651
1652 2018-05-30  Keith Miller  <keith_miller@apple.com>
1653
1654         LLInt get_by_id prototype caching doesn't properly handle changes
1655         https://bugs.webkit.org/show_bug.cgi?id=186112
1656
1657         Reviewed by Filip Pizlo.
1658
1659         The caching would sometimes fail to track that a prototype had changed
1660         and wouldn't update its set of watchpoints.
1661
1662         * bytecode/CodeBlock.cpp:
1663         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1664         * bytecode/CodeBlock.h:
1665         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
1666         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const):
1667         * bytecode/ObjectPropertyConditionSet.h:
1668         (JSC::ObjectPropertyConditionSet::size const):
1669         * bytecode/Watchpoint.h:
1670         (JSC::Watchpoint::Watchpoint): Deleted.
1671         * llint/LLIntSlowPaths.cpp:
1672         (JSC::LLInt::setupGetByIdPrototypeCache):
1673
1674 2018-05-30  Caio Lima  <ticaiolima@gmail.com>
1675
1676         [ESNext][BigInt] Implement support for "%" operation
1677         https://bugs.webkit.org/show_bug.cgi?id=184327
1678
1679         Reviewed by Yusuke Suzuki.
1680
1681         We are introducing support for BigInt into the remainder (a.k.a. mod)
1682         operation.
1683
1684         * runtime/CommonSlowPaths.cpp:
1685         (JSC::SLOW_PATH_DECL):
1686         * runtime/JSBigInt.cpp:
1687         (JSC::JSBigInt::remainder):
1688         (JSC::JSBigInt::rightTrim):
1689         * runtime/JSBigInt.h:
1690
1691 2018-05-30  Saam Barati  <sbarati@apple.com>
1692
1693         AI for Atomics.load() is too conservative in always clobbering world
1694         https://bugs.webkit.org/show_bug.cgi?id=185738
1695         <rdar://problem/40342214>
1696
1697         Reviewed by Yusuke Suzuki.
1698
1699         It fails the assertion that Fil added for catching disagreements between
1700         AI and clobberize. This patch fixes that. You'd run into this if you
1701         manually enabled SAB in a build and ran any SAB tests.
1702
1703         * dfg/DFGAbstractInterpreterInlines.h:
1704         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1705
1706 2018-05-30  Michael Saboff  <msaboff@apple.com>
1707
1708         REGRESSION(r232212): Broke Win32 Builds
1709         https://bugs.webkit.org/show_bug.cgi?id=186061
1710
1711         Reviewed by Yusuke Suzuki.
1712
1713         Changed Windows builds with the JIT disabled to generate and use LLIntAssembly.h
1714         instead of LowLevelInterpreterWin.asm.
1715
1716         * CMakeLists.txt:
1717
1718 2018-05-30  Dominik Infuehr  <dinfuehr@igalia.com>
1719
1720         [MIPS] Fix build on MIPS32r1
1721         https://bugs.webkit.org/show_bug.cgi?id=185944
1722
1723         Reviewed by Yusuke Suzuki.
1724
1725         Only use instructions on MIPS32r2 or later. mthc1 and mfhc1 are not supported
1726         on MIPS32r1.
1727
1728         * offlineasm/mips.rb:
1729
1730 2018-05-29  Saam Barati  <sbarati@apple.com>
1731
1732         Add a version of JSVirtualMachine shrinkFootprint that runs when the VM goes idle
1733         https://bugs.webkit.org/show_bug.cgi?id=186064
1734
1735         Reviewed by Mark Lam.
1736
1737         shrinkFootprint was implemented as:
1738         ```
1739         sanitizeStackForVM(this);
1740         deleteAllCode(DeleteAllCodeIfNotCollecting);
1741         heap.collectNow(Synchronousness::Sync);
1742         WTF::releaseFastMallocFreeMemory();
1743         ```
1744         
1745         However, for correctness reasons, deleteAllCode is implemented to do
1746         work when the VM is idle: no JS is running on the stack. This means
1747         that if shrinkFootprint is called when JS is running on the stack, it
1748         ends up freeing less memory than it could have if it waited to run until
1749         the VM goes idle.
1750         
1751         This patch makes it so we wait until idle before doing work. I'm seeing a
1752         10% footprint progression when testing this against a client of the JSC SPI.
1753         
1754         Because this is a semantic change in how the SPI works, this patch
1755         adds new SPI named shrinkFootprintWhenIdle. The plan is to move
1756         all clients of the shrinkFootprint SPI to shrinkFootprintWhenIdle.
1757         Once that happens, we will delete shrinkFootprint. Until then,
1758         we make shrinkFootprint do exactly what shrinkFootprintWhenIdle does.
1759
1760         * API/JSVirtualMachine.mm:
1761         (-[JSVirtualMachine shrinkFootprint]):
1762         (-[JSVirtualMachine shrinkFootprintWhenIdle]):
1763         * API/JSVirtualMachinePrivate.h:
1764         * runtime/VM.cpp:
1765         (JSC::VM::shrinkFootprintWhenIdle):
1766         (JSC::VM::shrinkFootprint): Deleted.
1767         * runtime/VM.h:
1768
1769 2018-05-29  Saam Barati  <sbarati@apple.com>
1770
1771         shrinkFootprint needs to request a full collection
1772         https://bugs.webkit.org/show_bug.cgi?id=186069
1773
1774         Reviewed by Mark Lam.
1775
1776         * runtime/VM.cpp:
1777         (JSC::VM::shrinkFootprint):
1778
1779 2018-05-29  Caio Lima  <ticaiolima@gmail.com>
1780
1781         [ESNext][BigInt] Implement support for "<" and ">" relational operation
1782         https://bugs.webkit.org/show_bug.cgi?id=185379
1783
1784         Reviewed by Yusuke Suzuki.
1785
1786         This patch is changing the ```jsLess``` operation to follow the
1787         semantics of Abstract Relational Comparison[1] that supports BigInt.
1788         For that, we create 2 new helper functions ```bigIntCompareLess``` and
1789         ```toPrimitiveNumeric``` that consider BigInt as a valid type to be
1790         compared.
1791
1792         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-relational-comparison
1793
1794         * runtime/JSBigInt.cpp:
1795         (JSC::JSBigInt::unequalSign):
1796         (JSC::JSBigInt::absoluteGreater):
1797         (JSC::JSBigInt::absoluteLess):
1798         (JSC::JSBigInt::compare):
1799         (JSC::JSBigInt::absoluteCompare):
1800         * runtime/JSBigInt.h:
1801         * runtime/JSCJSValueInlines.h:
1802         (JSC::JSValue::isPrimitive const):
1803         * runtime/Operations.h:
1804         (JSC::bigIntCompareLess):
1805         (JSC::toPrimitiveNumeric):
1806         (JSC::jsLess):
1807
1808 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1809
1810         [Baseline] Merge loading functionalities
1811         https://bugs.webkit.org/show_bug.cgi?id=185907
1812
1813         Reviewed by Saam Barati.
1814
1815         This patch unifies emitXXXLoad functions in 32bit and 64bit.
1816
1817         * jit/JITInlines.h:
1818         (JSC::JIT::emitDoubleGetByVal):
1819         * jit/JITPropertyAccess.cpp:
1820         (JSC::JIT::emitDoubleLoad):
1821         (JSC::JIT::emitContiguousLoad):
1822         (JSC::JIT::emitArrayStorageLoad):
1823         (JSC::JIT::emitIntTypedArrayGetByVal):
1824         (JSC::JIT::emitFloatTypedArrayGetByVal):
1825         Define register usage first, and share the same code in 32bit and 64bit.
1826
1827         * jit/JITPropertyAccess32_64.cpp:
1828         (JSC::JIT::emitSlow_op_put_by_val):
1829         Now the C-stack is always enabled on JIT platforms and the number of temporary registers increases from 5 to 6 on x86.
1830         We can remove this special handling.
1831
1832         (JSC::JIT::emitContiguousLoad): Deleted.
1833         (JSC::JIT::emitDoubleLoad): Deleted.
1834         (JSC::JIT::emitArrayStorageLoad): Deleted.
1835
1836 2018-05-29  Saam Barati  <sbarati@apple.com>
1837
1838         JSC should put bmalloc's scavenger into mini mode
1839         https://bugs.webkit.org/show_bug.cgi?id=185988
1840
1841         Reviewed by Michael Saboff.
1842
1843         When we InitializeThreading, we'll now enable bmalloc's mini mode
1844         if the VM is in mini mode. This is an 8-10% progression on the footprint
1845         at end score in run-testmem, making it a 4-5% memory score progression.
1846         It's between a 0-1% regression in its time score.
1847
1848         * runtime/InitializeThreading.cpp:
1849         (JSC::initializeThreading):
1850
1851 2018-05-29  Caitlin Potter  <caitp@igalia.com>
1852
1853         [JSC] Fix Array.prototype.concat fast case when single argument is Proxy
1854         https://bugs.webkit.org/show_bug.cgi?id=184267
1855
1856         Reviewed by Saam Barati.
1857
1858         Before this patch, the fast case for Array.prototype.concat was taken if
1859         there was a single argument passed to the function, which is either a
1860         non-JSCell, or an ObjectType JSCell not marked as concat-spreadable.
1861         This incorrectly prevented Proxy objects from being spread when
1862         they were the only argument passed to A.prototype.concat(), violating ECMA-262.
1863
1864         * builtins/ArrayPrototype.js:
1865         (concat):
1866
1867 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1868
1869         [JSC] JSBigInt::digitDiv has undefined behavior which causes test failures
1870         https://bugs.webkit.org/show_bug.cgi?id=186022
1871
1872         Reviewed by Darin Adler.
1873
1874         digitDiv performs Value64Bit >> 64 / Value32Bit >> 32, which is undefined behavior. And the zero mask
1875         creation has an issue (`s` should be cast to a signed value before negating). They cause test failures
1876         in non-x86 / x86_64 environments. x86 and x86_64 work well since they have a fast path written
1877         in asm.
1878
1879         This patch fixes digitDiv by carefully avoiding undefined behaviors. We mask the left value of the
1880         rshift with `digitBits - 1`, which makes `digitBits` 0 while it keeps 0 <= n < digitBits values.
1881         This makes the target rshift well-defined in C++. While the value produced by the rshift covers 0 <= `s` < 64 (32
1882         in 32bit environments) cases, this rshift does not shift if `s` is 0. sZeroMask clears the value
1883         if `s` is 0, so that the `s == 0` case is also covered. Note that `s == 64` never happens since `divisor`
1884         is never 0 here. We add an assertion for that. We also fix the `sZeroMask` calculation.
1885
1886         This patch also fixes naming convention for constant values.
1887
1888         * runtime/JSBigInt.cpp:
1889         (JSC::JSBigInt::digitMul):
1890         (JSC::JSBigInt::digitDiv):
1891         * runtime/JSBigInt.h:
1892
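Added example, not JavaScriptCore's own code: the two-digit-by-one-digit division the entry above describes, written in C++ so that no shift count ever reaches the digit width. It assumes 64-bit digits, uses the GCC/Clang `__builtin_clzll` and `unsigned __int128` extensions (the latter only for a cross-check), builds the zero mask with an unsigned subtraction instead of the signed-cast form the entry mentions, and the helper names (`lowBitsShiftedIntoHigh`, `matchesDoubleDigit`, `quotientOf`, `remainderOf`) are this example's own.

```cpp
// Added example, not JavaScriptCore's code: two-digit-by-one-digit division in the style
// of JSBigInt::digitDiv (Hacker's Delight "divlu", half-digit form), written so that no
// shift count ever reaches the digit width. Assumes 64-bit digits and GCC/Clang builtins.
#include <cassert>
#include <cstdint>
#include <cstdio>

using Digit = uint64_t;
__extension__ typedef unsigned __int128 DoubleDigit; // used only to cross-check results

constexpr unsigned digitBits = 64;
constexpr unsigned halfDigitBits = 32;
constexpr Digit halfDigitBase = Digit(1) << halfDigitBits;
constexpr Digit halfDigitMask = halfDigitBase - 1;

// Leading zero count of a non-zero digit (the builtin is undefined for 0).
static unsigned clz64(Digit x)
{
    assert(x != 0);
    return static_cast<unsigned>(__builtin_clzll(x));
}

// Bits of `low` that move into the high digit when (high:low) is shifted left by s,
// 0 <= s < digitBits. `low >> (digitBits - s)` is undefined when s == 0 (a shift by the
// full width), so the count is masked into [0, digitBits) and the result is cleared with
// a branch-free mask for s == 0. The mask uses unsigned subtraction (this example's choice).
static Digit lowBitsShiftedIntoHigh(Digit low, unsigned s)
{
    const unsigned shiftMask = digitBits - 1;          // 63: maps digitBits to 0
    const Digit sZeroMask = Digit(0) - Digit(s != 0);  // 0 if s == 0, all ones otherwise
    return (low >> ((digitBits - s) & shiftMask)) & sZeroMask;
}

// Returns floor((high * 2^64 + low) / divisor) and stores the remainder.
// Preconditions: divisor != 0 and high < divisor, so the quotient fits in one digit.
static Digit digitDiv(Digit high, Digit low, Digit divisor, Digit* remainder)
{
    assert(divisor != 0 && high < divisor);
    const unsigned s = clz64(divisor);  // never 64, because divisor != 0
    divisor <<= s;                      // normalize so the divisor's top bit is set
    const Digit vn1 = divisor >> halfDigitBits;
    const Digit vn0 = divisor & halfDigitMask;

    const Digit un32 = (high << s) | lowBitsShiftedIntoHigh(low, s);
    const Digit un10 = low << s;
    const Digit un1 = un10 >> halfDigitBits;
    const Digit un0 = un10 & halfDigitMask;

    // First quotient half-digit, corrected downward at most twice.
    Digit q1 = un32 / vn1;
    Digit rhat = un32 - q1 * vn1;
    while (q1 >= halfDigitBase || q1 * vn0 > rhat * halfDigitBase + un1) {
        q1--;
        rhat += vn1;
        if (rhat >= halfDigitBase)
            break;
    }

    // Second half-digit. un21 is the partial remainder, which is < divisor, so the
    // wrapping unsigned arithmetic below still yields the true value.
    const Digit un21 = un32 * halfDigitBase + un1 - q1 * divisor;
    Digit q0 = un21 / vn1;
    rhat = un21 - q0 * vn1;
    while (q0 >= halfDigitBase || q0 * vn0 > rhat * halfDigitBase + un0) {
        q0--;
        rhat += vn1;
        if (rhat >= halfDigitBase)
            break;
    }

    *remainder = (un21 * halfDigitBase + un0 - q0 * divisor) >> s;  // undo normalization
    return q1 * halfDigitBase + q0;
}

static Digit quotientOf(Digit high, Digit low, Digit divisor)
{
    Digit rem = 0;
    return digitDiv(high, low, divisor, &rem);
}

static Digit remainderOf(Digit high, Digit low, Digit divisor)
{
    Digit rem = 0;
    digitDiv(high, low, divisor, &rem);
    return rem;
}

// Cross-check quotient and remainder against the compiler's 128-bit arithmetic.
static bool matchesDoubleDigit(Digit high, Digit low, Digit divisor)
{
    const DoubleDigit n = (static_cast<DoubleDigit>(high) << digitBits) | low;
    return quotientOf(high, low, divisor) == static_cast<Digit>(n / divisor)
        && remainderOf(high, low, divisor) == static_cast<Digit>(n % divisor);
}

int main()
{
    // The s == 0 case: the divisor's top bit is already set, so no bit of `low` may
    // leak into the high digit. (2^64 + 5) / (2^63 + 1) = 2 remainder 3.
    const Digit divisor = (Digit(1) << 63) | 1;
    std::printf("q=%llu r=%llu\n",
        static_cast<unsigned long long>(quotientOf(1, 5, divisor)),
        static_cast<unsigned long long>(remainderOf(1, 5, divisor)));
    return matchesDoubleDigit(1, 5, divisor) ? 0 : 1;
}
```

The `s == 0` case is the one the entry calls out: with an unnormalized divisor whose top bit is already set, `low >> (digitBits - s)` would shift by the full digit width, so the count is masked with `digitBits - 1` and the now meaningless result is cleared by `sZeroMask` instead of being left to whatever the hardware does with a 64-bit shift count.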
1893 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1894
1895         [WTF] Add clz32 / clz64 for MSVC
1896         https://bugs.webkit.org/show_bug.cgi?id=186023
1897
1898         Reviewed by Daniel Bates.
1899
1900         Move clz32 and clz64 to WTF.
1901
1902         * runtime/MathCommon.h:
1903         (JSC::clz32): Deleted.
1904         (JSC::clz64): Deleted.
1905
1906 2018-05-27  Caio Lima  <ticaiolima@gmail.com>
1907
1908         [ESNext][BigInt] Implement "+" and "-" unary operation
1909         https://bugs.webkit.org/show_bug.cgi?id=182214
1910
1911         Reviewed by Yusuke Suzuki.
1912
1913         This patch implements support for the "-" unary operation on BigInt.
1914         It also changes the logic of ASTBuilder::makeNegateNode to
1915         calculate BigInt literals with the proper sign, avoiding an
1916         unnecessary operation. It required refactoring
1917         JSBigInt::parseInt to take the sign as a parameter.
1918
1919         We are also introducing a new DFG Node called ValueNegate to handle BigInt negate
1920         operations. With the introduction of BigInt, it is not true
1921         that every negate operation returns a Number. As ArithNegate is a
1922         node that considers its result is always a Number, like all other
1923         Arith<Operation>, we decided to keep this consistency and use ValueNegate when
1924         speculation indicates that the operand is a BigInt.
1925         This design is following the same distinction between ArithAdd and
1926         ValueAdd. Also, this new node will make simpler the introduction of
1927         optimizations when we create speculation paths for BigInt in future
1928         patches.
1929
1930         In the case of the "+" unary operation on BigInt, the current semantics we already have
1931         are correct, since it needs to throw a TypeError because of the ToNumber call[1].
1932         In that case, we are adding tests to verify other edge cases.
1933
1934         [1] - https://tc39.github.io/proposal-bigint/#sec-unary-plus-operator
1935
1936         * bytecompiler/BytecodeGenerator.cpp:
1937         (JSC::BytecodeGenerator::addBigIntConstant):
1938         * bytecompiler/BytecodeGenerator.h:
1939         * bytecompiler/NodesCodegen.cpp:
1940         (JSC::BigIntNode::jsValue const):
1941         * dfg/DFGAbstractInterpreterInlines.h:
1942         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1943         * dfg/DFGByteCodeParser.cpp:
1944         (JSC::DFG::ByteCodeParser::makeSafe):
1945         (JSC::DFG::ByteCodeParser::parseBlock):
1946         * dfg/DFGClobberize.h:
1947         (JSC::DFG::clobberize):
1948         * dfg/DFGDoesGC.cpp:
1949         (JSC::DFG::doesGC):
1950         * dfg/DFGFixupPhase.cpp:
1951         (JSC::DFG::FixupPhase::fixupNode):
1952         * dfg/DFGNode.h:
1953         (JSC::DFG::Node::arithNodeFlags):
1954         * dfg/DFGNodeType.h:
1955         * dfg/DFGPredictionPropagationPhase.cpp:
1956         * dfg/DFGSafeToExecute.h:
1957         (JSC::DFG::safeToExecute):
1958         * dfg/DFGSpeculativeJIT.cpp:
1959         (JSC::DFG::SpeculativeJIT::compileValueNegate):
1960         (JSC::DFG::SpeculativeJIT::compileArithNegate):
1961         * dfg/DFGSpeculativeJIT.h:
1962         * dfg/DFGSpeculativeJIT32_64.cpp:
1963         (JSC::DFG::SpeculativeJIT::compile):
1964         * dfg/DFGSpeculativeJIT64.cpp:
1965         (JSC::DFG::SpeculativeJIT::compile):
1966         * ftl/FTLCapabilities.cpp:
1967         (JSC::FTL::canCompile):
1968         * ftl/FTLLowerDFGToB3.cpp:
1969         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1970         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
1971         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
1972         * jit/JITOperations.cpp:
1973         * parser/ASTBuilder.h:
1974         (JSC::ASTBuilder::createBigIntWithSign):
1975         (JSC::ASTBuilder::createBigIntFromUnaryOperation):
1976         (JSC::ASTBuilder::makeNegateNode):
1977         * parser/NodeConstructors.h:
1978         (JSC::BigIntNode::BigIntNode):
1979         * parser/Nodes.h:
1980         * runtime/CommonSlowPaths.cpp:
1981         (JSC::updateArithProfileForUnaryArithOp):
1982         (JSC::SLOW_PATH_DECL):
1983         * runtime/JSBigInt.cpp:
1984         (JSC::JSBigInt::parseInt):
1985         * runtime/JSBigInt.h:
1986         * runtime/JSCJSValueInlines.h:
1987         (JSC::JSValue::strictEqualSlowCaseInline):
1988
1989 2018-05-27  Dan Bernstein  <mitz@apple.com>
1990
1991         Tried to fix the 32-bit !ASSERT_DISABLED build after r232211.
1992
1993         * jit/JITOperations.cpp:
1994
1995 2018-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1996
1997         [JSC] Rename Array#flatten to flat
1998         https://bugs.webkit.org/show_bug.cgi?id=186012
1999
2000         Reviewed by Saam Barati.
2001
2002         Rename Array#flatten to Array#flat. This rename was done in TC39 since flatten
2003         conflicts with MooTools' function name.
2004
2005         * builtins/ArrayPrototype.js:
2006         (globalPrivate.flatIntoArray):
2007         (flat):
2008         (globalPrivate.flatIntoArrayWithCallback):
2009         (flatMap):
2010         (globalPrivate.flattenIntoArray): Deleted.
2011         (flatten): Deleted.
2012         (globalPrivate.flattenIntoArrayWithCallback): Deleted.
2013         * runtime/ArrayPrototype.cpp:
2014         (JSC::ArrayPrototype::finishCreation):
2015
2016 2018-05-25  Mark Lam  <mark.lam@apple.com>
2017
2018         for-in loops should preserve and restore the TDZ stack for each of its internal loops.
2019         https://bugs.webkit.org/show_bug.cgi?id=185995
2020         <rdar://problem/40173142>
2021
2022         Reviewed by Saam Barati.
2023
2024         This is because there's no guarantee that any of the loop bodies will be
2025         executed.  Hence, there's no guarantee that the TDZ variables will have been
2026         initialized after each loop body.
2027
2028         * bytecompiler/BytecodeGenerator.cpp:
2029         (JSC::BytecodeGenerator::preserveTDZStack):
2030         (JSC::BytecodeGenerator::restoreTDZStack):
2031         * bytecompiler/BytecodeGenerator.h:
2032         * bytecompiler/NodesCodegen.cpp:
2033         (JSC::ForInNode::emitBytecode):
2034
2035 2018-05-25  Mark Lam  <mark.lam@apple.com>
2036
2037         MachineContext's instructionPointer() should handle null PCs correctly.
2038         https://bugs.webkit.org/show_bug.cgi?id=186004
2039         <rdar://problem/40570067>
2040
2041         Reviewed by Saam Barati.
2042
2043         instructionPointer() returns a MacroAssemblerCodePtr<CFunctionPtrTag>.  However,
2044         MacroAssemblerCodePtr's constructor does not accept a null pointer value and will
2045         assert accordingly with a debug ASSERT.  This is inconsequential for release
2046         builds, but to avoid this assertion failure, we should check for a null PC and
2047         return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr) instead (which uses the
2048         MacroAssemblerCodePtr(std::nullptr_t) version of the constructor instead).
2049
2050         Alternatively, we can change all of MacroAssemblerCodePtr's constructors to check
2051         for null pointers, but I rather not do that yet.  In general,
2052         MacroAssemblerCodePtrs are constructed with non-null pointers, and I prefer to
2053         leave it that way for now.
2054
2055         Note: this assertion failure only manifests when we have signal traps enabled,
2056         and encounter a null pointer deref.
2057
2058         * runtime/MachineContext.h:
2059         (JSC::MachineContext::instructionPointer):
2060
2061 2018-05-25  Mark Lam  <mark.lam@apple.com>
2062
2063         Enforce invariant that GetterSetter objects are invariant.
2064         https://bugs.webkit.org/show_bug.cgi?id=185968
2065         <rdar://problem/40541416>
2066
2067         Reviewed by Saam Barati.
2068
2069         The code already assumes the invariant that GetterSetter objects are immutable.
        For example, the use of @tryGetById in builtins expects this invariant to be true.
2071         The existing code mostly enforces this except for one case: JSObject's
2072         validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter
2073         object.
2074
2075         This patch enforces this invariant by removing the setGetter and setSetter methods
2076         of GetterSetter, and requiring the getter/setter callback functions to be
2077         specified at construction time.
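
The following is an added example, not JavaScriptCore code: a toy accessor pair whose callbacks are fixed at construction (the invariant this entry enforces), placed beside the mutable "before" form, together with an identity-keyed cache that shows why the mutable form is unsafe. The Object and InlineCache types, and the cache's behaviour, are this example's own assumptions and only stand in for the kind of caching the builtins rely on.

```cpp
#include <memory>
#include <string>
#include <unordered_map>

// Added example, not JavaScriptCore code: a toy accessor pair whose callbacks
// are fixed at construction (the invariant the entry above enforces), beside
// the mutable 'before' form, and an identity-keyed cache that shows why the
// mutable form is unsafe. Object and InlineCache are this example's own
// assumptions, not JSC's types.

using Getter = int (*)();

// Hardened form: no setGetter/setSetter. A cache that remembers one of these
// and the callback it read from it can never be silently invalidated.
class GetterSetter {
public:
    explicit GetterSetter(Getter getter) : m_getter(getter) {}
    Getter getter() const { return m_getter; }
private:
    const Getter m_getter;
};

// 'Before' form: in-place mutation keeps the object's identity but changes
// what it does, which is what re-using the same object in a property
// redefinition allowed.
class MutableGetterSetter {
public:
    explicit MutableGetterSetter(Getter getter) : m_getter(getter) {}
    Getter getter() const { return m_getter; }
    void setGetter(Getter getter) { m_getter = getter; }
private:
    Getter m_getter;
};

template <typename GS>
struct Object {
    std::unordered_map<std::string, std::shared_ptr<GS>> accessors;
};

// A cache in the spirit of @tryGetById: it records which GetterSetter it saw
// for a property and the getter it extracted, and on a hit calls the
// remembered getter without re-reading the object. Holding a shared_ptr keeps
// the remembered object alive, so the identity check cannot be fooled by
// address reuse after a free.
template <typename GS>
struct InlineCache {
    std::shared_ptr<GS> seen;
    Getter getter = nullptr;
};

template <typename GS>
int cachedGet(const Object<GS>& obj, const std::string& name, InlineCache<GS>& cache)
{
    std::shared_ptr<GS> current = obj.accessors.at(name);
    if (cache.seen != current) {          // identity is the only guard the cache has
        cache.seen = current;
        cache.getter = current->getter();
    }
    return cache.getter();
}

static int getOne() { return 1; }
static int getTwo() { return 2; }

// Immutable: redefining the accessor must allocate a new GetterSetter, so the
// identity check misses and the cache re-reads the callback. Returns 2.
int immutableAfterRedefine()
{
    Object<GetterSetter> obj;
    obj.accessors["x"] = std::make_shared<GetterSetter>(getOne);
    InlineCache<GetterSetter> cache;
    cachedGet(obj, "x", cache);                                  // caches getOne
    obj.accessors["x"] = std::make_shared<GetterSetter>(getTwo); // fresh object
    return cachedGet(obj, "x", cache);
}

// Mutable: the same object is reused, identity still matches, and the cache
// keeps calling the stale getter. Returns 1 although the property now reads 2.
int mutableAfterRedefine()
{
    Object<MutableGetterSetter> obj;
    obj.accessors["x"] = std::make_shared<MutableGetterSetter>(getOne);
    InlineCache<MutableGetterSetter> cache;
    cachedGet(obj, "x", cache);              // caches getOne
    obj.accessors["x"]->setGetter(getTwo);   // same object, new behaviour
    return cachedGet(obj, "x", cache);
}
```

The point the toy makes is that a cache keyed on object identity is only sound when the object it remembers cannot change; deleting the setters turns every redefinition into a fresh allocation, which the identity check then catches.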
2078
2079         * jit/JITOperations.cpp:
2080         * llint/LLIntSlowPaths.cpp:
2081         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2082         * runtime/GetterSetter.cpp:
2083         (JSC::GetterSetter::withGetter): Deleted.
2084         (JSC::GetterSetter::withSetter): Deleted.
2085         * runtime/GetterSetter.h:
2086         * runtime/JSGlobalObject.cpp:
2087         (JSC::JSGlobalObject::init):
2088         * runtime/JSObject.cpp:
2089         (JSC::JSObject::putIndexedDescriptor):
2090         (JSC::JSObject::putDirectNativeIntrinsicGetter):
2091         (JSC::putDescriptor):
2092         (JSC::validateAndApplyPropertyDescriptor):
2093         * runtime/JSTypedArrayViewPrototype.cpp:
2094         (JSC::JSTypedArrayViewPrototype::finishCreation):
2095         * runtime/Lookup.cpp:
2096         (JSC::reifyStaticAccessor):
2097         * runtime/PropertyDescriptor.cpp:
2098         (JSC::PropertyDescriptor::slowGetterSetter):
2099
2100 2018-05-25  Saam Barati  <sbarati@apple.com>
2101
2102         Make JSC have a mini mode that kicks in when the JIT is disabled
2103         https://bugs.webkit.org/show_bug.cgi?id=185931
2104
2105         Reviewed by Mark Lam.
2106
2107         This patch makes JSC have a mini VM mode. This currently only kicks in
2108         when the process can't JIT. Mini VM now means a few things:
2109         - We always use a 1.27x heap growth factor. This number was the best tradeoff
2110           between memory use progression and time regression in run-testmem. We may
2111           want to tune this more in the future as we make other mini VM changes.
2112         - We always sweep synchronously.
2113         - We disable generational GC.
2114         
2115         I'm going to continue to extend what mini VM mode means in future changes.
2116         
2117         This patch is a 50% memory progression and an ~8-9% time regression
2118         on run-testmem when running in mini VM mode with the JIT disabled.
2119
2120         * heap/Heap.cpp:
2121         (JSC::Heap::collectNow):
2122         (JSC::Heap::finalize):
2123         (JSC::Heap::useGenerationalGC):
2124         (JSC::Heap::shouldSweepSynchronously):
2125         (JSC::Heap::shouldDoFullCollection):
2126         * heap/Heap.h:
2127         * runtime/Options.h:
2128         * runtime/VM.cpp:
2129         (JSC::VM::isInMiniMode):
2130         * runtime/VM.h:
2131
2132 2018-05-25  Saam Barati  <sbarati@apple.com>
2133
2134         Have a memory test where we can validate JSCs mini memory mode
2135         https://bugs.webkit.org/show_bug.cgi?id=185932
2136
2137         Reviewed by Mark Lam.
2138
2139         This patch adds the testmem CLI. It takes as input a file to run
2140         and the number of iterations to run it (by default it runs it
2141         20 times). Each iteration runs in a new JSContext. Each JSContext
2142         belongs to a VM that is created once. When finished, the CLI dumps
2143         out the peak memory usage of the process, the memory usage at the end
2144         of running all the iterations of the process, and the total time it
2145         took to run all the iterations.
2146
2147         * JavaScriptCore.xcodeproj/project.pbxproj:
2148         * testmem: Added.
2149         * testmem/testmem.mm: Added.
2150         (description):
2151         (Footprint::now):
2152         (main):
2153
2154 2018-05-25  David Kilzer  <ddkilzer@apple.com>
2155
2156         Fix issues with -dealloc methods found by clang static analyzer
2157         <https://webkit.org/b/185887>
2158
2159         Reviewed by Joseph Pecoraro.
2160
2161         * API/JSValue.mm:
2162         (-[JSValue dealloc]):
2163         (-[JSValue description]):
2164         - Move method implementations from (Internal) category to the
2165           main category since these are public API.  This fixes the
2166           false positive warning about a missing -dealloc method.
2167
2168 2018-05-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2169
2170         [Baseline] Remove a hack for DCE removal of NewFunction
2171         https://bugs.webkit.org/show_bug.cgi?id=185945
2172
2173         Reviewed by Saam Barati.
2174
        This `undefined` check in baseline was originally introduced in r177871. The problem was,
        when NewFunction is removed in DFG DCE, its referencing scope DFG node is also removed.
        While op_new_func_xxx want to have a scope for function creation, DFG OSR exit cannot
        retrieve this into the stack since the scope is not referenced from anywhere.
2179
2180         In r177871, we fixed this by accepting `undefined` scope in the baseline op_new_func_xxx
2181         implementation. But rather than that, just emitting `Phantom` for this scope is clean
        and consistent with the other DFG nodes like GetClosureVar.
2183
2184         This patch emits Phantom instead, and removes unnecessary `undefined` check in baseline.
2185         While we emit Phantom, it is not testable since NewFunction is guarded by MovHint which
2186         is not removed in DFG. And in FTL, NewFunction will be converted to PhantomNewFunction
2187         if it is not referenced. And scope node is kept by PutHint. But emitting Phantom is nice
2188         since it conservatively guards the scope, and it does not introduce any additional overhead
2189         compared to the current status.
2190
2191         * dfg/DFGByteCodeParser.cpp:
2192         (JSC::DFG::ByteCodeParser::parseBlock):
2193         * jit/JITOpcodes.cpp:
2194         (JSC::JIT::emitNewFuncExprCommon):
2195
2196 2018-05-23  Keith Miller  <keith_miller@apple.com>
2197
2198         Expose $vm if window.internals is exposed
2199         https://bugs.webkit.org/show_bug.cgi?id=185900
2200
2201         Reviewed by Mark Lam.
2202
2203         This is useful for testing vm internals when running LayoutTests.
2204
2205         * runtime/JSGlobalObject.cpp:
2206         (JSC::JSGlobalObject::init):
2207         (JSC::JSGlobalObject::visitChildren):
2208         (JSC::JSGlobalObject::exposeDollarVM):
2209         * runtime/JSGlobalObject.h:
2210
2211 2018-05-23  Keith Miller  <keith_miller@apple.com>
2212
2213         Define length on CoW array should properly convert to writable
2214         https://bugs.webkit.org/show_bug.cgi?id=185927
2215
2216         Reviewed by Yusuke Suzuki.
2217
2218         * runtime/JSArray.cpp:
2219         (JSC::JSArray::setLength):
2220
2221 2018-05-23  Keith Miller  <keith_miller@apple.com>
2222
2223         InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format
2224         https://bugs.webkit.org/show_bug.cgi?id=185923
2225
2226         Reviewed by Saam Barati.
2227
2228         Previously, we could confuse AI by overly broadening a type. This happens when a block in a
2229         loop has a local mutated following a GetLocal but never SetLocaled to the stack. For example,
2230
2231         Block 1:
2232         @1: GetLocal(loc42, FlushedInt32);
2233         @2: PutStructure(Check: Cell: @1);
2234         @3: Jump(Block 1);
2235
        Would cause us to claim that loc42 could be either an int32 or some cell. However,
        the type of a local cannot change without writing to it.
2238
2239         This fixes a crash in destructuring-rest-element.js
2240
2241         * dfg/DFGInPlaceAbstractState.cpp:
2242         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2243
2244 2018-05-23  Filip Pizlo  <fpizlo@apple.com>
2245
2246         Speed up JetStream/base64
2247         https://bugs.webkit.org/show_bug.cgi?id=185914
2248
2249         Reviewed by Michael Saboff.
2250         
2251         Make allocation fast paths ALWAYS_INLINE.
2252         
2253         This is a 1% speed-up on SunSpider, mostly because of base64. It also speeds up pdfjs by
2254         ~6%.
2255
2256         * CMakeLists.txt:
2257         * JavaScriptCore.xcodeproj/project.pbxproj:
2258         * heap/AllocatorInlines.h:
2259         (JSC::Allocator::allocate const):
2260         * heap/CompleteSubspace.cpp:
2261         (JSC::CompleteSubspace::allocateNonVirtual): Deleted.
2262         * heap/CompleteSubspace.h:
2263         * heap/CompleteSubspaceInlines.h: Added.
2264         (JSC::CompleteSubspace::allocateNonVirtual):
2265         * heap/FreeListInlines.h:
2266         (JSC::FreeList::allocate):
2267         * heap/IsoSubspace.cpp:
2268         (JSC::IsoSubspace::allocateNonVirtual): Deleted.
2269         * heap/IsoSubspace.h:
2270         (JSC::IsoSubspace::allocatorForNonVirtual):
2271         * heap/IsoSubspaceInlines.h: Added.
2272         (JSC::IsoSubspace::allocateNonVirtual):
2273         * runtime/JSCellInlines.h:
2274         * runtime/VM.h:
2275
2276 2018-05-23  Rick Waldron  <waldron.rick@gmail.com>
2277
2278         Conversion misspelled "Convertion" in error message string
2279         https://bugs.webkit.org/show_bug.cgi?id=185436
2280
        Reviewed by Saam Barati and Michael Saboff.
2282
2283         * runtime/JSBigInt.cpp:
2284         (JSC::JSBigInt::toNumber const):
2285
2286 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2287
2288         [JSC] Clean up stringGetByValStubGenerator
2289         https://bugs.webkit.org/show_bug.cgi?id=185864
2290
2291         Reviewed by Saam Barati.
2292
2293         We clean up stringGetByValStubGenerator.
2294
2295         1. Unify 32bit and 64bit implementations.
2296         2. Rename stringGetByValStubGenerator to stringGetByValGenerator, move it to ThunkGenerators.cpp.
2297         3. Remove string type check since this code is invoked only when we know regT0 is JSString*.
2298         4. Do not tag Cell in stringGetByValGenerator side. 32bit code stores Cell with tag in JITPropertyAccess32_64 side.
2299         5. Fix invalid use of loadPtr for StringImpl::flags. Should use load32.
2300
2301         * jit/JIT.h:
2302         * jit/JITPropertyAccess.cpp:
2303         (JSC::JIT::emitSlow_op_get_by_val):
2304         (JSC::JIT::stringGetByValStubGenerator): Deleted.
2305         * jit/JITPropertyAccess32_64.cpp:
2306         (JSC::JIT::emit_op_get_by_val):
2307         (JSC::JIT::emitSlow_op_get_by_val):
2308         (JSC::JIT::stringGetByValStubGenerator): Deleted.
2309         * jit/ThunkGenerators.cpp:
2310         (JSC::stringGetByValGenerator):
2311         * jit/ThunkGenerators.h:
2312
2313 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2314
2315         [JSC] Use branchIfString/branchIfNotString instead of structure checkings
2316         https://bugs.webkit.org/show_bug.cgi?id=185810
2317
2318         Reviewed by Saam Barati.
2319
2320         Let's use branchIfString/branchIfNotString helper functions instead of
2321         checking structure with jsString's structure. It's easy to read. And
2322         it emits less code since we do not need to embed string structure's
2323         raw pointer in 32bit environment.
2324
2325         * jit/JIT.h:
2326         * jit/JITInlines.h:
2327         (JSC::JIT::emitLoadCharacterString):
2328         (JSC::JIT::checkStructure): Deleted.
2329         * jit/JITOpcodes32_64.cpp:
2330         (JSC::JIT::emitSlow_op_eq):
2331         (JSC::JIT::compileOpEqJumpSlow):
2332         (JSC::JIT::emitSlow_op_neq):
2333         * jit/JITPropertyAccess.cpp:
2334         (JSC::JIT::stringGetByValStubGenerator):
2335         (JSC::JIT::emitSlow_op_get_by_val):
2336         (JSC::JIT::emitByValIdentifierCheck):
2337         * jit/JITPropertyAccess32_64.cpp:
2338         (JSC::JIT::stringGetByValStubGenerator):
2339         (JSC::JIT::emitSlow_op_get_by_val):
2340         * jit/JSInterfaceJIT.h:
2341         (JSC::ThunkHelpers::jsStringLengthOffset): Deleted.
2342         (JSC::ThunkHelpers::jsStringValueOffset): Deleted.
2343         * jit/SpecializedThunkJIT.h:
2344         (JSC::SpecializedThunkJIT::loadJSStringArgument):
2345         * jit/ThunkGenerators.cpp:
2346         (JSC::stringCharLoad):
2347         (JSC::charCodeAtThunkGenerator):
2348         (JSC::charAtThunkGenerator):
2349         * runtime/JSString.h:
2350
2351 2018-05-22  Mark Lam  <mark.lam@apple.com>
2352
2353         BytecodeGeneratorification shouldn't add a ValueProfile if the JIT is disabled.
2354         https://bugs.webkit.org/show_bug.cgi?id=185896
2355         <rdar://problem/40471403>
2356
2357         Reviewed by Saam Barati.
2358
2359         * bytecode/BytecodeGeneratorification.cpp:
2360         (JSC::BytecodeGeneratorification::run):
2361
2362 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2363
2364         [JSC] Fix CachedCall's argument count if RegExp has named captures
2365         https://bugs.webkit.org/show_bug.cgi?id=185587
2366
2367         Reviewed by Mark Lam.
2368
2369         If the given RegExp has named captures, the argument count of CachedCall in String#replace
        should be increased by one. This causes a crash with an assertion in test262. This patch corrects
2371         the argument count.
2372
2373         This patch also unifies source.is8Bit()/!source.is8Bit() code since they are now completely
2374         the same.
2375
2376         * runtime/StringPrototype.cpp:
2377         (JSC::replaceUsingRegExpSearch):
2378
2379 2018-05-22  Mark Lam  <mark.lam@apple.com>
2380
2381         StringImpl utf8 conversion should not fail silently.
2382         https://bugs.webkit.org/show_bug.cgi?id=185888
2383         <rdar://problem/40464506>
2384
2385         Reviewed by Filip Pizlo.
2386
2387         * dfg/DFGLazyJSValue.cpp:
2388         (JSC::DFG::LazyJSValue::dumpInContext const):
2389         * runtime/DateConstructor.cpp:
2390         (JSC::constructDate):
2391         (JSC::dateParse):
2392         * runtime/JSDateMath.cpp:
2393         (JSC::parseDate):
2394         * runtime/JSDateMath.h:
2395
2396 2018-05-22  Keith Miller  <keith_miller@apple.com>
2397
2398         Remove the UnconditionalFinalizer class
2399         https://bugs.webkit.org/show_bug.cgi?id=185881
2400
2401         Reviewed by Filip Pizlo.
2402
2403         The only remaining user of this API is
        JSWebAssemblyCodeBlock. This patch changes JSWebAssemblyCodeBlock
2405         to use the newer template based API and removes the old class.
2406
2407         * JavaScriptCore.xcodeproj/project.pbxproj:
2408         * bytecode/CodeBlock.h:
2409         * heap/Heap.cpp:
2410         (JSC::Heap::finalizeUnconditionalFinalizers):
2411         * heap/Heap.h:
2412         * heap/SlotVisitor.cpp:
2413         (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
2414         * heap/SlotVisitor.h:
2415         * heap/UnconditionalFinalizer.h: Removed.
2416         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2417         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2418         (JSC::JSWebAssemblyCodeBlock::visitChildren):
2419         (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
2420         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
2421         * wasm/js/JSWebAssemblyCodeBlock.h:
2422         * wasm/js/JSWebAssemblyModule.h:
2423
2424         * CMakeLists.txt:
2425         * JavaScriptCore.xcodeproj/project.pbxproj:
2426         * bytecode/CodeBlock.h:
2427         * heap/Heap.cpp:
2428         (JSC::Heap::finalizeUnconditionalFinalizers):
2429         * heap/Heap.h:
2430         * heap/SlotVisitor.cpp:
2431         (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
2432         * heap/SlotVisitor.h:
2433         * heap/UnconditionalFinalizer.h: Removed.
2434         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2435         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2436         (JSC::JSWebAssemblyCodeBlock::visitChildren):
2437         (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
2438         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
2439         * wasm/js/JSWebAssemblyCodeBlock.h:
2440         * wasm/js/JSWebAssemblyModule.h:
2441
2442 2018-05-22  Keith Miller  <keith_miller@apple.com>
2443
2444         Unreviewed, fix internal build.
2445
2446         * runtime/JSImmutableButterfly.cpp:
2447
2448 2018-05-22  Saam Barati  <sbarati@apple.com>
2449
2450         DFG::LICMPhase should attempt to hoist edge type checks if hoisting the whole node fails
2451         https://bugs.webkit.org/show_bug.cgi?id=144525
2452
2453         Reviewed by Filip Pizlo.
2454
2455         This patch teaches LICM to fall back to hoisting a node's type checks when
2456         hoisting the entire node fails.
2457         
        This patch follows the same principles we use when deciding to hoist nodes in general:
2459         - If the pre header is control equivalent to where the current check is, we
2460         go ahead and hoist the check.
2461         - Otherwise, if hoisting hasn't failed before, we go ahead and gamble and
2462         hoist the check. If hoisting failed in the past, we will not hoist the check.
2463
2464         * dfg/DFGLICMPhase.cpp:
2465         (JSC::DFG::LICMPhase::attemptHoist):
2466         * dfg/DFGUseKind.h:
2467         (JSC::DFG::checkMayCrashIfInputIsEmpty):
2468
2469 2018-05-21  Filip Pizlo  <fpizlo@apple.com>
2470
2471         Get rid of TLCs
2472         https://bugs.webkit.org/show_bug.cgi?id=185846
2473
2474         Rubber stamped by Geoffrey Garen.
2475         
2476         This removes support for thread-local caches from the GC in order to speed up allocation a
2477         bit.
2478         
2479         We added TLCs as part of Spectre mitigations, which we have since removed.
2480         
2481         We will want some kind of TLCs eventually, since they allow us to:
2482         
2483         - have a global GC, which may be a perf optimization at some point.
2484         - allocate objects from JIT threads, which we've been wanting to do for a while.
2485         
2486         This change keeps the most interesting aspect of TLCs, which is the
2487         LocalAllocator/BlockDirectory separation. This means that it ought to be easy to implement
2488         TLCs again in the future if we wanted this feature.
2489         
2490         This change removes the part of TLCs that causes a perf regression, namely that Allocator is
2491         an offset that requires a bounds check and lookup that makes the rest of the allocation fast
2492         path dependent on the load of the TLC. Now, Allocator is really just a LocalAllocator*, so
2493         you can directly use it to allocate. This removes two loads and a check from the allocation
2494         fast path. In hindsight, I probably could have made that whole thing more efficient, had I
2495         allowed us to have a statically known set of LocalAllocators. This would have removed the
2496         bounds check (one load and one branch) and it would have made it possible to CSE the load of
        the TLC data structure, since that would no longer resize. But that's a harder change than
2498         this patch, and we don't need it right now.
2499         
2500         While reviewing the allocation hot paths, I found that CreateThis had an unnecessary branch
2501         to check if the allocator is null. I removed that check. AssemblyHelpers::emitAllocate() does
2502         that check already. Previously, the TLC bounds check doubled as this check.
2503         
2504         This is a 1% speed-up on Octane and a 2.3% speed-up on TailBench. However, the Octane
2505         speed-up on my machine includes an 8% regexp speed-up. I've found that sometimes regexp
2506         speeds up or slows down by 8% depending on which path I build JSC from. Without that 8%, this
2507         is still an Octane speed-up due to 2-4% speed-ups in earley, boyer, raytrace, and splay.
2508
2509         * JavaScriptCore.xcodeproj/project.pbxproj:
2510         * Sources.txt:
2511         * bytecode/ObjectAllocationProfileInlines.h:
2512         (JSC::ObjectAllocationProfile::initializeProfile):
2513         * dfg/DFGSpeculativeJIT.cpp:
2514         (JSC::DFG::SpeculativeJIT::compileCreateThis):
2515         * ftl/FTLLowerDFGToB3.cpp:
2516         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2517         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2518         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2519         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2520         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2521         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2522         * heap/Allocator.cpp:
2523         (JSC::Allocator::cellSize const):
2524         * heap/Allocator.h:
2525         (JSC::Allocator::Allocator):
2526         (JSC::Allocator::localAllocator const):
2527         (JSC::Allocator::operator== const):
2528         (JSC::Allocator::offset const): Deleted.
2529         * heap/AllocatorInlines.h:
2530         (JSC::Allocator::allocate const):
2531         (JSC::Allocator::tryAllocate const): Deleted.
2532         * heap/BlockDirectory.cpp:
2533         (JSC::BlockDirectory::BlockDirectory):
2534         (JSC::BlockDirectory::~BlockDirectory):
2535         * heap/BlockDirectory.h:
2536         (JSC::BlockDirectory::allocator const): Deleted.
2537         * heap/CompleteSubspace.cpp:
2538         (JSC::CompleteSubspace::allocateNonVirtual):
2539         (JSC::CompleteSubspace::allocatorForSlow):
2540         (JSC::CompleteSubspace::tryAllocateSlow):
2541         * heap/CompleteSubspace.h:
2542         * heap/Heap.cpp:
2543         (JSC::Heap::Heap):
2544         * heap/Heap.h:
2545         (JSC::Heap::threadLocalCacheLayout): Deleted.
2546         * heap/IsoSubspace.cpp:
2547         (JSC::IsoSubspace::IsoSubspace):
2548         (JSC::IsoSubspace::allocateNonVirtual):
2549         * heap/IsoSubspace.h:
2550         (JSC::IsoSubspace::allocatorForNonVirtual):
2551         * heap/LocalAllocator.cpp:
2552         (JSC::LocalAllocator::LocalAllocator):
2553         (JSC::LocalAllocator::~LocalAllocator):
2554         * heap/LocalAllocator.h:
2555         (JSC::LocalAllocator::cellSize const):
2556         (JSC::LocalAllocator::tlc const): Deleted.
2557         * heap/ThreadLocalCache.cpp: Removed.
2558         * heap/ThreadLocalCache.h: Removed.
2559         * heap/ThreadLocalCacheInlines.h: Removed.
2560         * heap/ThreadLocalCacheLayout.cpp: Removed.
2561         * heap/ThreadLocalCacheLayout.h: Removed.
2562         * jit/AssemblyHelpers.cpp:
2563         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2564         (JSC::AssemblyHelpers::emitAllocate):
2565         (JSC::AssemblyHelpers::emitAllocateVariableSized):
2566         * jit/JITOpcodes.cpp:
2567         (JSC::JIT::emit_op_create_this):
2568         * runtime/JSLock.cpp:
2569         (JSC::JSLock::didAcquireLock):
2570         * runtime/VM.cpp:
2571         (JSC::VM::VM):
2572         (JSC::VM::~VM):
2573         * runtime/VM.h:
2574         * runtime/VMEntryScope.cpp:
2575         (JSC::VMEntryScope::~VMEntryScope):
2576         * runtime/VMEntryScope.h:
2577
2578 2018-05-22  Keith Miller  <keith_miller@apple.com>
2579
2580         We should have a CoW storage for NewArrayBuffer arrays.
2581         https://bugs.webkit.org/show_bug.cgi?id=185003
2582
2583         Reviewed by Filip Pizlo.
2584
2585         This patch adds copy on write storage for new array buffers. In
2586         order to do this there needed to be significant changes to the
2587         layout of IndexingType. The new indexing type has the following
2588         shape:
2589
2590         struct IndexingTypeAndMisc {
2591             struct IndexingModeIncludingHistory {
2592                 struct IndexingMode {
2593                     struct IndexingType {
2594                         uint8_t isArray:1;          // bit 0
2595                         uint8_t shape:3;            // bit 1 - 3
2596                     };
2597                     uint8_t copyOnWrite:1;          // bit 4
2598                 };
2599                 uint8_t mayHaveIndexedAccessors:1;  // bit 5
2600             };
2601             uint8_t cellLockBits:2;                 // bit 6 - 7
2602         };
2603
2604         For simplicity ArrayStorage shapes cannot be CoW. So the only
2605         valid CoW indexing shapes are ArrayWithInt32, ArrayWithDouble, and
2606         ArrayWithContiguous.
2607
2608         The backing store for a CoW array is a new class
2609         JSImmutableButterfly, which looks exactly the same as a normal
2610         butterfly except that it has a JSCell header. Like other
        butterflies, JSImmutableButterflies are allocated out of the
2612         Auxiliary Gigacage and are pointed to by JSCells in the same
2613         way. However, when marking JSImmutableButterflies they are marked
2614         as if they were a property.
2615
2616         With CoW arrays, the new_array_buffer bytecode will reallocate the
2617         shared JSImmutableButterfly if it sees from the allocation profile
2618         that the last array it allocated has transitioned to a different
2619         indexing type. From then on, all arrays created by that
2620         new_array_buffer bytecode will have the promoted indexing
2621         type. This is more or less the same as what we used to do. The
2622         only difference is that we don't promote all the way to array
2623         storage even if we have seen it before.
2624
2625         Transitioning from a CoW indexing mode occurs whenever someone
2626         tries to store to an element, grow the array, or add properties.
2627         Storing or growing the array will call into code that does the
2628         stupid thing of copying the butterfly then continue into the old
2629         code. This doesn't end up costing us as future allocations will
2630         use any upgraded indexing shape.  We get adding properties for
2631         free by just changing the indexing mode on transition (our C++
2632         code always updates the indexing mode).
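
The following is an added example, not JavaScriptCore code: it models the IndexingTypeAndMisc byte laid out in the struct above and the copy-on-write transition described in the last two paragraphs (shared storage for arrays from one new_array_buffer site, a private copy and a cleared CoW bit on the first store). The bit positions are the entry's own; the numeric shape codes, the JSArrayModel and AllocationSite types, and the int32-only backing store are this example's assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Added example, not JavaScriptCore code: models the IndexingTypeAndMisc byte
// from the entry above and the copy-on-write transition it describes. Bit
// positions are the page's; the numeric shape codes and the JSArrayModel /
// AllocationSite types are this example's own assumptions.

constexpr uint8_t IsArray                 = 1u << 0;            // bit 0
constexpr unsigned ShapeShift             = 1;
constexpr uint8_t ShapeMask               = 0x7u << ShapeShift; // bits 1-3
constexpr uint8_t CopyOnWrite             = 1u << 4;            // bit 4
constexpr uint8_t MayHaveIndexedAccessors = 1u << 5;            // bit 5
constexpr uint8_t CellLockMask            = 0x3u << 6;          // bits 6-7

// IndexingType is isArray+shape; IndexingMode adds copyOnWrite; the history
// and lock bits above those are never part of either.
constexpr uint8_t IndexingTypeMask = IsArray | ShapeMask;
constexpr uint8_t IndexingModeMask = IndexingTypeMask | CopyOnWrite;

// Assumed 3-bit shape codes (the page names the shapes but not their values).
enum class Shape : uint8_t { None = 0, Undecided = 1, Int32 = 2, Double = 3,
                             Contiguous = 4, ArrayStorage = 5, SlowPutArrayStorage = 6 };

constexpr uint8_t makeMode(bool isArray, Shape shape, bool cow)
{
    return (isArray ? IsArray : 0)
         | (static_cast<uint8_t>(shape) << ShapeShift)
         | (cow ? CopyOnWrite : 0);
}

constexpr Shape shapeOf(uint8_t bits) { return static_cast<Shape>((bits & ShapeMask) >> ShapeShift); }
constexpr bool isArrayBits(uint8_t bits) { return (bits & IsArray) != 0; }
constexpr bool isCopyOnWrite(uint8_t bits) { return (bits & CopyOnWrite) != 0; }
constexpr bool mayHaveIndexedAccessors(uint8_t bits) { return (bits & MayHaveIndexedAccessors) != 0; }

// Comparisons of indexing type or mode must mask off the history/lock bits.
constexpr uint8_t indexingType(uint8_t misc) { return misc & IndexingTypeMask; }
constexpr uint8_t indexingMode(uint8_t misc) { return misc & IndexingModeMask; }

// Only ArrayWithInt32, ArrayWithDouble and ArrayWithContiguous may be CoW;
// ArrayStorage shapes and non-array types never carry the bit.
inline bool isValidMode(uint8_t mode)
{
    if (!isCopyOnWrite(mode))
        return true;
    if (!isArrayBits(mode))
        return false;
    Shape s = shapeOf(mode);
    return s == Shape::Int32 || s == Shape::Double || s == Shape::Contiguous;
}

// Leaving CoW keeps the shape and just clears the bit.
constexpr uint8_t transitionToWritable(uint8_t mode) { return mode & ~CopyOnWrite; }

// Toy backing store: shared by every array from one new_array_buffer site
// while those arrays are CoW, private once an array has been written to.
struct ImmutableButterfly { std::vector<int32_t> slots; };

struct JSArrayModel {
    uint8_t mode;
    std::shared_ptr<ImmutableButterfly> storage;

    // A store is one of the operations that forces the copy (growing the
    // array or adding properties would take the same path).
    void put(size_t index, int32_t value)
    {
        if (isCopyOnWrite(mode)) {
            storage = std::make_shared<ImmutableButterfly>(*storage); // copy the butterfly
            mode = transitionToWritable(mode);
        }
        if (index >= storage->slots.size())
            storage->slots.resize(index + 1, 0);
        storage->slots[index] = value;
    }
    int32_t get(size_t index) const { return storage->slots.at(index); }
};

struct AllocationSite {
    std::shared_ptr<ImmutableButterfly> shared =
        std::make_shared<ImmutableButterfly>(ImmutableButterfly{{1, 2, 3}}); // constructed sample literal
    JSArrayModel allocate() const { return { makeMode(true, Shape::Int32, true), shared }; }
};

// Two arrays from one site share storage until one of them is written to;
// the writer gets a private copy and drops the CoW bit, the other is untouched.
bool demoCopyOnWriteTransition()
{
    AllocationSite site;
    JSArrayModel a = site.allocate();
    JSArrayModel b = site.allocate();
    bool sharedBefore = a.storage == b.storage && isCopyOnWrite(a.mode) && isCopyOnWrite(b.mode);
    a.put(0, 42);
    bool privateAfter = a.storage != b.storage && !isCopyOnWrite(a.mode) && isCopyOnWrite(b.mode);
    return sharedBefore && privateAfter
        && a.get(0) == 42 && b.get(0) == 1
        && shapeOf(a.mode) == Shape::Int32 && isValidMode(a.mode);
}

int main()
{
    unsigned cow = makeMode(true, Shape::Int32, true);
    std::printf("ArrayWithInt32|CoW = 0x%02x, writable = 0x%02x, demo %s\n",
                cow, unsigned(transitionToWritable(uint8_t(cow))),
                demoCopyOnWriteTransition() ? "ok" : "FAILED");
    return 0;
}
```

The masks matter because the shape, the CoW bit, the accessor-history bit and the cell lock bits all share one byte: any check of "is this an ArrayWithInt32" that compares the raw byte instead of indexingType() will misfire once a lock bit or the history bit is set, and a CoW check that forgets the ArrayStorage exclusion would hand out a copy-on-write array whose storage cannot actually be copied by the contiguous path.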
2633
2634         * JavaScriptCore.xcodeproj/project.pbxproj:
2635         * Sources.txt:
2636         * bytecode/ArrayAllocationProfile.cpp:
2637         (JSC::ArrayAllocationProfile::updateProfile):
2638         * bytecode/ArrayAllocationProfile.h:
2639         (JSC::ArrayAllocationProfile::initializeIndexingMode):
2640         * bytecode/ArrayProfile.cpp:
2641         (JSC::dumpArrayModes):
2642         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
2643         * bytecode/ArrayProfile.h:
2644         (JSC::asArrayModes):
2645         (JSC::arrayModeFromStructure):
2646         (JSC::arrayModesInclude):
2647         (JSC::hasSeenCopyOnWriteArray):
2648         * bytecode/BytecodeList.json:
2649         * bytecode/CodeBlock.cpp:
2650         (JSC::CodeBlock::finishCreation):
2651         * bytecode/InlineAccess.cpp:
2652         (JSC::InlineAccess::generateArrayLength):
2653         * bytecode/UnlinkedCodeBlock.h:
2654         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
2655         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
2656         * bytecompiler/BytecodeGenerator.cpp:
2657         (JSC::BytecodeGenerator::newArrayAllocationProfile):
2658         (JSC::BytecodeGenerator::emitNewArrayBuffer):
2659         (JSC::BytecodeGenerator::emitNewArray):
2660         (JSC::BytecodeGenerator::emitNewArrayWithSize):
2661         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
2662         * bytecompiler/BytecodeGenerator.h:
2663         * bytecompiler/NodesCodegen.cpp:
2664         (JSC::ArrayNode::emitBytecode):
2665         (JSC::ArrayPatternNode::bindValue const):
2666         (JSC::ArrayPatternNode::emitDirectBinding):
2667         * dfg/DFGAbstractInterpreterInlines.h:
2668         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2669         * dfg/DFGArgumentsEliminationPhase.cpp:
2670         * dfg/DFGArgumentsUtilities.cpp:
2671         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2672         * dfg/DFGArrayMode.cpp:
2673         (JSC::DFG::ArrayMode::fromObserved):
2674         (JSC::DFG::ArrayMode::refine const):
2675         (JSC::DFG::ArrayMode::alreadyChecked const):
2676         * dfg/DFGArrayMode.h:
2677         (JSC::DFG::ArrayMode::ArrayMode):
2678         (JSC::DFG::ArrayMode::action const):
2679         (JSC::DFG::ArrayMode::withSpeculation const):
2680         (JSC::DFG::ArrayMode::withArrayClass const):
2681         (JSC::DFG::ArrayMode::withType const):
2682         (JSC::DFG::ArrayMode::withConversion const):
2683         (JSC::DFG::ArrayMode::withTypeAndConversion const):
2684         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
2685         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
2686         * dfg/DFGByteCodeParser.cpp:
2687         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2688         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
2689         (JSC::DFG::ByteCodeParser::parseBlock):
2690         * dfg/DFGClobberize.h:
2691         (JSC::DFG::clobberize):
2692         * dfg/DFGConstantFoldingPhase.cpp:
2693         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2694         * dfg/DFGFixupPhase.cpp:
2695         (JSC::DFG::FixupPhase::fixupNode):
2696         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
2697         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2698         * dfg/DFGGraph.cpp:
2699         (JSC::DFG::Graph::dump):
2700         * dfg/DFGNode.h:
2701         (JSC::DFG::Node::indexingType):
2702         (JSC::DFG::Node::indexingMode):
2703         * dfg/DFGOSRExit.cpp:
2704         (JSC::DFG::OSRExit::compileExit):
2705         * dfg/DFGOperations.cpp:
2706         * dfg/DFGOperations.h:
2707         * dfg/DFGSpeculativeJIT.cpp:
2708         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2709         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
2710         (JSC::DFG::SpeculativeJIT::arrayify):
2711         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2712         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2713         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2714         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2715         (JSC::DFG::SpeculativeJIT::compileCreateRest):
2716         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2717         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
2718         * dfg/DFGSpeculativeJIT32_64.cpp:
2719         (JSC::DFG::SpeculativeJIT::compile):
2720         * dfg/DFGSpeculativeJIT64.cpp:
2721         (JSC::DFG::SpeculativeJIT::compile):
2722         * dfg/DFGValidate.cpp:
2723         * ftl/FTLAbstractHeapRepository.h:
2724         * ftl/FTLLowerDFGToB3.cpp:
2725         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
2726         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2727         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2728         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2729         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2730         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
2731         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
2732         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
2733         * ftl/FTLOperations.cpp:
2734         (JSC::FTL::operationMaterializeObjectInOSR):
2735         * generate-bytecode-files:
2736         * interpreter/Interpreter.cpp:
2737         (JSC::sizeOfVarargs):
2738         (JSC::loadVarargs):
2739         * jit/AssemblyHelpers.cpp:
2740         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2741         * jit/AssemblyHelpers.h:
2742         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2743         * jit/JITOperations.cpp:
2744         * jit/JITPropertyAccess.cpp:
2745         (JSC::JIT::emit_op_put_by_val):
2746         (JSC::JIT::emitSlow_op_put_by_val):
2747         * jit/Repatch.cpp:
2748         (JSC::tryCachePutByID):
2749         * llint/LowLevelInterpreter.asm:
2750         * llint/LowLevelInterpreter32_64.asm:
2751         * llint/LowLevelInterpreter64.asm:
2752         * runtime/Butterfly.h:
2753         (JSC::ContiguousData::Data::Data):
2754         (JSC::ContiguousData::Data::operator bool const):
2755         (JSC::ContiguousData::Data::operator=):
2756         (JSC::ContiguousData::Data::operator const T& const):
2757         (JSC::ContiguousData::Data::set):
2758         (JSC::ContiguousData::Data::setWithoutWriteBarrier):
2759         (JSC::ContiguousData::Data::clear):
2760         (JSC::ContiguousData::Data::get const):
2761         (JSC::ContiguousData::atUnsafe):
2762         (JSC::ContiguousData::at const): Deleted.
2763         (JSC::ContiguousData::at): Deleted.
2764         * runtime/ButterflyInlines.h:
2765         (JSC::ContiguousData<T>::at const):
2766         (JSC::ContiguousData<T>::at):
2767         * runtime/ClonedArguments.cpp:
2768         (JSC::ClonedArguments::createEmpty):
2769         * runtime/CommonSlowPaths.cpp:
2770         (JSC::SLOW_PATH_DECL):
2771         * runtime/CommonSlowPaths.h:
2772         (JSC::CommonSlowPaths::allocateNewArrayBuffer):
2773         * runtime/IndexingType.cpp:
2774         (JSC::leastUpperBoundOfIndexingTypeAndType):
2775         (JSC::leastUpperBoundOfIndexingTypeAndValue):
2776         (JSC::dumpIndexingType):
2777         * runtime/IndexingType.h:
2778         (JSC::hasIndexedProperties):
2779         (JSC::hasUndecided):
2780         (JSC::hasInt32):
2781         (JSC::hasDouble):
2782         (JSC::hasContiguous):
2783         (JSC::hasArrayStorage):
2784         (JSC::hasAnyArrayStorage):
2785         (JSC::hasSlowPutArrayStorage):
2786         (JSC::shouldUseSlowPut):
2787         (JSC::isCopyOnWrite):
2788         (JSC::arrayIndexFromIndexingType):
2789         * runtime/JSArray.cpp:
2790         (JSC::JSArray::tryCreateUninitializedRestricted):
2791         (JSC::JSArray::put):
2792         (JSC::JSArray::appendMemcpy):
2793         (JSC::JSArray::setLength):
2794         (JSC::JSArray::pop):
2795         (JSC::JSArray::fastSlice):
2796         (JSC::JSArray::shiftCountWithAnyIndexingType):
2797         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2798         (JSC::JSArray::fillArgList):
2799         (JSC::JSArray::copyToArguments):
2800         * runtime/JSArrayInlines.h:
2801         (JSC::JSArray::pushInline):
2802         * runtime/JSCell.h:
2803         * runtime/JSCellInlines.h:
2804         (JSC::JSCell::JSCell):
2805         (JSC::JSCell::finishCreation):
2806         (JSC::JSCell::indexingType const):
2807         (JSC::JSCell::indexingMode const):
2808         (JSC::JSCell::setStructure):
2809         * runtime/JSFixedArray.h:
2810         * runtime/JSGlobalObject.cpp:
2811         (JSC::JSGlobalObject::init):
2812         (JSC::JSGlobalObject::haveABadTime):
2813         (JSC::JSGlobalObject::visitChildren):
2814         * runtime/JSGlobalObject.h:
2815         (JSC::JSGlobalObject::originalArrayStructureForIndexingType const):
2816         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
2817         (JSC::JSGlobalObject::isOriginalArrayStructure):
2818         * runtime/JSImmutableButterfly.cpp: Added.
2819         (JSC::JSImmutableButterfly::visitChildren):
2820         (JSC::JSImmutableButterfly::copyToArguments):
2821         * runtime/JSImmutableButterfly.h: Added.
2822         (JSC::JSImmutableButterfly::createStructure):
2823         (JSC::JSImmutableButterfly::tryCreate):
2824         (JSC::JSImmutableButterfly::create):
2825         (JSC::JSImmutableButterfly::publicLength const):
2826         (JSC::JSImmutableButterfly::vectorLength const):
2827         (JSC::JSImmutableButterfly::length const):
2828         (JSC::JSImmutableButterfly::toButterfly const):
2829         (JSC::JSImmutableButterfly::fromButterfly):
2830         (JSC::JSImmutableButterfly::get const):
2831         (JSC::JSImmutableButterfly::subspaceFor):
2832         (JSC::JSImmutableButterfly::setIndex):
2833         (JSC::JSImmutableButterfly::allocationSize):
2834         (JSC::JSImmutableButterfly::JSImmutableButterfly):
2835         * runtime/JSObject.cpp:
2836         (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties):
2837         (JSC::JSObject::visitButterflyImpl):
2838         (JSC::JSObject::getOwnPropertySlotByIndex):
2839         (JSC::JSObject::putByIndex):
2840         (JSC::JSObject::createInitialInt32):
2841         (JSC::JSObject::createInitialDouble):
2842         (JSC::JSObject::createInitialContiguous):
2843         (JSC::JSObject::convertUndecidedToInt32):
2844         (JSC::JSObject::convertUndecidedToDouble):
2845         (JSC::JSObject::convertUndecidedToContiguous):
2846         (JSC::JSObject::convertInt32ToDouble):
2847         (JSC::JSObject::convertInt32ToArrayStorage):
2848         (JSC::JSObject::convertDoubleToContiguous):
2849         (JSC::JSObject::convertDoubleToArrayStorage):
2850         (JSC::JSObject::convertContiguousToArrayStorage):
2851         (JSC::JSObject::createInitialForValueAndSet):
2852         (JSC::JSObject::convertInt32ForValue):
2853         (JSC::JSObject::convertFromCopyOnWrite):
2854         (JSC::JSObject::ensureWritableInt32Slow):
2855         (JSC::JSObject::ensureWritableDoubleSlow):
2856         (JSC::JSObject::ensureWritableContiguousSlow):
2857         (JSC::JSObject::ensureArrayStorageSlow):
2858         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
2859         (JSC::JSObject::switchToSlowPutArrayStorage):
2860         (JSC::JSObject::deletePropertyByIndex):
2861         (JSC::JSObject::getOwnPropertyNames):
2862         (JSC::canDoFastPutDirectIndex):
2863         (JSC::JSObject::defineOwnIndexedProperty):
2864         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2865         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2866         (JSC::JSObject::putByIndexBeyondVectorLength):
2867         (JSC::JSObject::countElements):
2868         (JSC::JSObject::ensureLengthSlow):
2869         (JSC::JSObject::getEnumerableLength):
2870         (JSC::JSObject::ensureInt32Slow): Deleted.
2871         (JSC::JSObject::ensureDoubleSlow): Deleted.
2872         (JSC::JSObject::ensureContiguousSlow): Deleted.
2873         * runtime/JSObject.h:
2874         (JSC::JSObject::putDirectIndex):
2875         (JSC::JSObject::canGetIndexQuickly):
2876         (JSC::JSObject::getIndexQuickly):
2877         (JSC::JSObject::tryGetIndexQuickly const):
2878         (JSC::JSObject::canSetIndexQuickly):
2879         (JSC::JSObject::setIndexQuickly):
2880         (JSC::JSObject::initializeIndex):
2881         (JSC::JSObject::initializeIndexWithoutBarrier):
2882         (JSC::JSObject::ensureWritableInt32):
2883         (JSC::JSObject::ensureWritableDouble):
2884         (JSC::JSObject::ensureWritableContiguous):
2885         (JSC::JSObject::ensureLength):
2886         (JSC::JSObject::ensureInt32): Deleted.
2887         (JSC::JSObject::ensureDouble): Deleted.
2888         (JSC::JSObject::ensureContiguous): Deleted.
2889         * runtime/JSObjectInlines.h:
2890         (JSC::JSObject::putDirectInternal):
2891         * runtime/JSType.h:
2892         * runtime/RegExpMatchesArray.h:
2893         (JSC::tryCreateUninitializedRegExpMatchesArray):
2894         * runtime/Structure.cpp:
2895         (JSC::Structure::Structure):
2896         (JSC::Structure::addNewPropertyTransition):
2897         (JSC::Structure::nonPropertyTransition):
2898         * runtime/Structure.h:
2899         * runtime/StructureIDBlob.h:
2900         (JSC::StructureIDBlob::StructureIDBlob):
2901         (JSC::StructureIDBlob::indexingModeIncludingHistory const):
2902         (JSC::StructureIDBlob::setIndexingModeIncludingHistory):
2903         (JSC::StructureIDBlob::indexingModeIncludingHistoryOffset):
2904         (JSC::StructureIDBlob::indexingTypeIncludingHistory const): Deleted.
2905         (JSC::StructureIDBlob::setIndexingTypeIncludingHistory): Deleted.
2906         (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset): Deleted.
2907         * runtime/StructureTransitionTable.h:
2908         (JSC::newIndexingType):
2909         * runtime/VM.cpp:
2910         (JSC::VM::VM):
2911         * runtime/VM.h:
2912
2913 2018-05-22  Ryan Haddad  <ryanhaddad@apple.com>
2914
2915         Unreviewed, rolling out r232052.
2916
2917         Breaks internal builds.
2918
2919         Reverted changeset:
2920
2921         "Use more C++17"
2922         https://bugs.webkit.org/show_bug.cgi?id=185176
2923         https://trac.webkit.org/changeset/232052
2924
2925 2018-05-22  Alberto Garcia  <berto@igalia.com>
2926
2927         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
2928         https://bugs.webkit.org/show_bug.cgi?id=182622
2929         <rdar://problem/40292317>
2930
2931         Reviewed by Michael Catanzaro.
2932
2933         We were linking JavaScriptCore against libatomic in MIPS because
2934         in that architecture __atomic_fetch_add_8() is not a compiler
2935         intrinsic and is provided by that library instead. However, other
2936         architectures (e.g. armel) are in the same situation, so we need a
2937         generic test.
2938
2939         That test already exists in WebKit/CMakeLists.txt, so we just have
2940         to move it to a common file (WebKitCompilerFlags.cmake) and use
2941         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
2942
2943         * CMakeLists.txt:
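
        As an added illustration (not WebKit's own CMake code), here is one way such a generic test can be written: compile a small 64-bit atomic probe, first on its own and then linked against libatomic, and record the outcome in a variable named as in the entry above. The probe source, the fallback flow and the JavaScriptCore_LIBRARIES consumer line are assumptions, not copied from WebKitCompilerFlags.cmake.

```cmake
# Added example (hypothetical), modelled on the check described above;
# the probe source and flow are assumptions, not WebKit's own code.
include(CheckCXXSourceCompiles)

# Minimal probe that forces a 64-bit atomic read-modify-write. On targets
# where this is not a compiler intrinsic, linking fails without libatomic.
set(ATOMIC_INT64_PROBE_SOURCE "
#include <atomic>
#include <cstdint>
int main() {
    std::atomic<int64_t> counter(0);
    counter.fetch_add(1);
    return static_cast<int>(counter.load());
}
")

# First attempt: does the toolchain provide 64-bit atomics on its own?
check_cxx_source_compiles("${ATOMIC_INT64_PROBE_SOURCE}" ATOMIC_INT64_IS_BUILTIN)

if (NOT ATOMIC_INT64_IS_BUILTIN)
    # Second attempt: the same probe, this time linked against libatomic.
    set(ATOMIC_SAVED_REQUIRED_LIBRARIES "${CMAKE_REQUIRED_LIBRARIES}")
    set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES} atomic)
    check_cxx_source_compiles("${ATOMIC_INT64_PROBE_SOURCE}" ATOMIC_INT64_REQUIRES_LIBATOMIC)
    set(CMAKE_REQUIRED_LIBRARIES "${ATOMIC_SAVED_REQUIRED_LIBRARIES}")
    if (NOT ATOMIC_INT64_REQUIRES_LIBATOMIC)
        message(FATAL_ERROR "64-bit atomic operations are unavailable even with libatomic")
    endif ()
endif ()

# Consumer side, as a per-target CMakeLists.txt would use the result
# (assumed target variable name):
if (ATOMIC_INT64_REQUIRES_LIBATOMIC)
    list(APPEND JavaScriptCore_LIBRARIES atomic)
endif ()
```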
2944
2945 2018-05-22  Michael Catanzaro  <mcatanzaro@igalia.com>
2946
2947         Unreviewed, rolling out r231843.
2948
2949         Broke cross build
2950
2951         Reverted changeset:
2952
2953         "[CMake] Properly detect compiler flags, needed libs, and
2954         fallbacks for usage of 64-bit atomic operations"
2955         https://bugs.webkit.org/show_bug.cgi?id=182622
2956         https://trac.webkit.org/changeset/231843
2957
2958 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2959
2960         Use more C++17
2961         https://bugs.webkit.org/show_bug.cgi?id=185176
2962
2963         Reviewed by JF Bastien.
2964
2965         * Configurations/Base.xcconfig:
2966
2967 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2968
2969         [JSC] Remove duplicate methods in JSInterfaceJIT
2970         https://bugs.webkit.org/show_bug.cgi?id=185813
2971
2972         Reviewed by Saam Barati.
2973
2974         Some methods of JSInterfaceJIT duplicate AssemblyHelpers' ones.
2975         This patch removes these and uses AssemblyHelpers' ones instead.
2976
2977         This patch also cleans up ThunkGenerators' unnecessary ifdefs a bit.
2978
2979         * jit/AssemblyHelpers.h:
2980         (JSC::AssemblyHelpers::tagFor):
2981         (JSC::AssemblyHelpers::payloadFor):
2982         * jit/JIT.h:
2983         * jit/JITArithmetic.cpp:
2984         (JSC::JIT::emit_op_unsigned):
2985         (JSC::JIT::emit_compareUnsigned):
2986         (JSC::JIT::emit_op_inc):
2987         (JSC::JIT::emit_op_dec):
2988         (JSC::JIT::emit_op_mod):
2989         * jit/JITCall32_64.cpp:
2990         (JSC::JIT::compileOpCall):
2991         * jit/JITInlines.h:
2992         (JSC::JIT::emitPutIntToCallFrameHeader):
2993         (JSC::JIT::updateTopCallFrame):
2994         (JSC::JIT::emitInitRegister):
2995         (JSC::JIT::emitLoad):
2996         (JSC::JIT::emitStore):
2997         (JSC::JIT::emitStoreInt32):
2998         (JSC::JIT::emitStoreCell):
2999         (JSC::JIT::emitStoreBool):
3000         (JSC::JIT::emitGetVirtualRegister):
3001         (JSC::JIT::emitPutVirtualRegister):
3002         (JSC::JIT::emitTagBool): Deleted.
3003         * jit/JITOpcodes.cpp:
3004         (JSC::JIT::emit_op_overrides_has_instance):
3005         (JSC::JIT::emit_op_is_empty):
3006         (JSC::JIT::emit_op_is_undefined):
3007         (JSC::JIT::emit_op_is_boolean):
3008         (JSC::JIT::emit_op_is_number):
3009         (JSC::JIT::emit_op_is_cell_with_type):
3010         (JSC::JIT::emit_op_is_object):
3011         (JSC::JIT::emit_op_eq):
3012         (JSC::JIT::emit_op_neq):
3013         (JSC::JIT::compileOpStrictEq):
3014         (JSC::JIT::emit_op_eq_null):
3015         (JSC::JIT::emit_op_neq_null):
3016         (JSC::JIT::emitSlow_op_eq):
3017         (JSC::JIT::emitSlow_op_neq):
3018         (JSC::JIT::emitSlow_op_instanceof_custom):
3019         (JSC::JIT::emitNewFuncExprCommon):
3020         * jit/JSInterfaceJIT.h:
3021         (JSC::JSInterfaceJIT::emitLoadInt32):
3022         (JSC::JSInterfaceJIT::emitLoadDouble):
3023         (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
3024         (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
3025         (JSC::JSInterfaceJIT::tagFor): Deleted.
3026         (JSC::JSInterfaceJIT::payloadFor): Deleted.
3027         (JSC::JSInterfaceJIT::intPayloadFor): Deleted.
3028         (JSC::JSInterfaceJIT::intTagFor): Deleted.
3029         (JSC::JSInterfaceJIT::emitTagInt): Deleted.
3030         (JSC::JSInterfaceJIT::addressFor): Deleted.
3031         * jit/SpecializedThunkJIT.h:
3032         (JSC::SpecializedThunkJIT::returnDouble):
3033         * jit/ThunkGenerators.cpp:
3034         (JSC::nativeForGenerator):
3035         (JSC::arityFixupGenerator):
3036
3037 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3038
3039         Unreviewed, reland InById cache
3040         https://bugs.webkit.org/show_bug.cgi?id=185682
3041
3042         Includes Dominik's 32bit fix.
3043
3044         * bytecode/AccessCase.cpp:
3045         (JSC::AccessCase::fromStructureStubInfo):
3046         (JSC::AccessCase::generateWithGuard):
3047         (JSC::AccessCase::generateImpl):
3048         * bytecode/BytecodeDumper.cpp:
3049         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
3050         (JSC::BytecodeDumper<Block>::dumpBytecode):
3051         * bytecode/BytecodeDumper.h:
3052         * bytecode/BytecodeList.json:
3053         * bytecode/BytecodeUseDef.h:
3054         (JSC::computeUsesForBytecodeOffset):
3055         (JSC::computeDefsForBytecodeOffset):
3056         * bytecode/CodeBlock.cpp:
3057         (JSC::CodeBlock::finishCreation):
3058         * bytecode/InlineAccess.cpp:
3059         (JSC::InlineAccess::generateSelfInAccess):
3060         * bytecode/InlineAccess.h:
3061         * bytecode/StructureStubInfo.cpp:
3062         (JSC::StructureStubInfo::initInByIdSelf):
3063         (JSC::StructureStubInfo::deref):
3064         (JSC::StructureStubInfo::aboutToDie):
3065         (JSC::StructureStubInfo::reset):
3066         (JSC::StructureStubInfo::visitWeakReferences):
3067         (JSC::StructureStubInfo::propagateTransitions):
3068         * bytecode/StructureStubInfo.h:
3069         (JSC::StructureStubInfo::patchableJump):
3070         * bytecompiler/BytecodeGenerator.cpp:
3071         (JSC::BytecodeGenerator::emitInByVal):
3072         (JSC::BytecodeGenerator::emitInById):
3073         (JSC::BytecodeGenerator::emitIn): Deleted.
3074         * bytecompiler/BytecodeGenerator.h:
3075         * bytecompiler/NodesCodegen.cpp:
3076         (JSC::InNode::emitBytecode):
3077         * dfg/DFGAbstractInterpreterInlines.h:
3078         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3079         * dfg/DFGByteCodeParser.cpp:
3080         (JSC::DFG::ByteCodeParser::parseBlock):
3081         * dfg/DFGCapabilities.cpp:
3082         (JSC::DFG::capabilityLevel):
3083         * dfg/DFGClobberize.h:
3084         (JSC::DFG::clobberize):
3085         * dfg/DFGConstantFoldingPhase.cpp:
3086         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3087         * dfg/DFGDoesGC.cpp:
3088         (JSC::DFG::doesGC):
3089         * dfg/DFGFixupPhase.cpp:
3090         (JSC::DFG::FixupPhase::fixupNode):
3091         * dfg/DFGJITCompiler.cpp:
3092         (JSC::DFG::JITCompiler::link):
3093         * dfg/DFGJITCompiler.h:
3094         (JSC::DFG::JITCompiler::addInById):
3095         (JSC::DFG::InRecord::InRecord): Deleted.
3096         (JSC::DFG::JITCompiler::addIn): Deleted.
3097         * dfg/DFGNode.h:
3098         (JSC::DFG::Node::convertToInById):
3099         (JSC::DFG::Node::hasIdentifier):
3100         (JSC::DFG::Node::hasArrayMode):
3101         * dfg/DFGNodeType.h:
3102         * dfg/DFGPredictionPropagationPhase.cpp:
3103         * dfg/DFGSafeToExecute.h:
3104         (JSC::DFG::safeToExecute):
3105         * dfg/DFGSpeculativeJIT.cpp:
3106         (JSC::DFG::SpeculativeJIT::compileInById):
3107         (JSC::DFG::SpeculativeJIT::compileInByVal):
3108         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
3109         * dfg/DFGSpeculativeJIT.h:
3110         * dfg/DFGSpeculativeJIT32_64.cpp:
3111         (JSC::DFG::SpeculativeJIT::compile):
3112         * dfg/DFGSpeculativeJIT64.cpp:
3113         (JSC::DFG::SpeculativeJIT::compile):
3114         * ftl/FTLCapabilities.cpp:
3115         (JSC::FTL::canCompile):
3116         * ftl/FTLLowerDFGToB3.cpp:
3117         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3118         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
3119         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
3120         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
3121         * jit/AssemblyHelpers.h:
3122         (JSC::AssemblyHelpers::boxBoolean):
3123         * jit/ICStats.h:
3124         * jit/JIT.cpp:
3125         (JSC::JIT::JIT):
3126         (JSC::JIT::privateCompileMainPass):
3127         (JSC::JIT::privateCompileSlowCases):
3128         (JSC::JIT::link):
3129         * jit/JIT.h:
3130         * jit/JITInlineCacheGenerator.cpp:
3131         (JSC::JITInByIdGenerator::JITInByIdGenerator):
3132         (JSC::JITInByIdGenerator::generateFastPath):
3133         * jit/JITInlineCacheGenerator.h:
3134         (JSC::JITInByIdGenerator::JITInByIdGenerator):
3135         * jit/JITOperations.cpp:
3136         * jit/JITOperations.h:
3137         * jit/JITPropertyAccess.cpp:
3138         (JSC::JIT::emit_op_in_by_id):
3139         (JSC::JIT::emitSlow_op_in_by_id):
3140         * jit/JITPropertyAccess32_64.cpp:
3141         (JSC::JIT::emit_op_in_by_id):
3142         (JSC::JIT::emitSlow_op_in_by_id):
3143         * jit/Repatch.cpp:
3144         (JSC::tryCacheInByID):
3145         (JSC::repatchInByID):
3146         (JSC::resetInByID):
3147         (JSC::tryCacheIn): Deleted.
3148         (JSC::repatchIn): Deleted.
3149         (JSC::resetIn): Deleted.
3150         * jit/Repatch.h:
3151         * llint/LowLevelInterpreter.asm:
3152         * llint/LowLevelInterpreter64.asm:
3153         * parser/NodeConstructors.h:
3154         (JSC::InNode::InNode):
3155         * runtime/CommonSlowPaths.cpp:
3156         (JSC::SLOW_PATH_DECL):
3157         * runtime/CommonSlowPaths.h:
3158         (JSC::CommonSlowPaths::opInByVal):
3159         (JSC::CommonSlowPaths::opIn): Deleted.
3160
3161 2018-05-21  Commit Queue  <commit-queue@webkit.org>
3162
3163         Unreviewed, rolling out r231998 and r232017.
3164         https://bugs.webkit.org/show_bug.cgi?id=185842
3165
3166         causes crashes on 32 JSC bot (Requested by realdawei on
3167         #webkit).
3168
3169         Reverted changesets:
3170
3171         "[JSC] JSC should have consistent InById IC"
3172         https://bugs.webkit.org/show_bug.cgi?id=185682
3173         https://trac.webkit.org/changeset/231998
3174
3175         "Unreviewed, fix 32bit and scope release"
3176         https://bugs.webkit.org/show_bug.cgi?id=185682
3177         https://trac.webkit.org/changeset/232017
3178
3179 2018-05-21  Jer Noble  <jer.noble@apple.com>
3180
3181         Complete fix for enabling modern EME by default
3182         https://bugs.webkit.org/show_bug.cgi?id=185770
3183         <rdar://problem/40368220>
3184
3185         Reviewed by Eric Carlson.
3186
3187         * Configurations/FeatureDefines.xcconfig:
3188
3189 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3190
3191         Unreviewed, fix 32bit and scope release
3192         https://bugs.webkit.org/show_bug.cgi?id=185682
3193
3194         * jit/JITOperations.cpp:
3195         * jit/JITPropertyAccess32_64.cpp:
3196         (JSC::JIT::emitSlow_op_in_by_id):
3197
3198 2018-05-20  Filip Pizlo  <fpizlo@apple.com>
3199
3200         Revert the B3 compiler pipeline's treatment of taildup
3201         https://bugs.webkit.org/show_bug.cgi?id=185808
3202
3203         Reviewed by Yusuke Suzuki.
3204         
3205         While trying to implement path specialization (bug 185060), I reorganized the B3 pass pipeline.
3206         But then path specialization turned out to be a negative result. This reverts the pipeline to the
3207         way it was before that work.
3208         
3209         1.5% progression on V8Spider-CompileTime.
3210
3211         * b3/B3Generate.cpp:
3212         (JSC::B3::generateToAir):
3213
3214 2018-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3215
3216         [DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase
3217         https://bugs.webkit.org/show_bug.cgi?id=185802
3218
3219         Reviewed by Saam Barati.
3220
3221         * dfg/DFGConstantFoldingPhase.cpp:
3222         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3223
3224 2018-05-18  Filip Pizlo  <fpizlo@apple.com>
3225
3226         DFG should inline InstanceOf ICs
3227         https://bugs.webkit.org/show_bug.cgi?id=185695
3228
3229         Reviewed by Yusuke Suzuki.
3230         
3231         This teaches the DFG how to inline InstanceOf ICs into a MatchStructure node. This can then
3232         be folded to a CheckStructure + JSConstant.
3233         
3234         In the process of testing this, I found a bug where LICM was not hoisting things that
3235         depended on ExtraOSREntryLocal because that might return SpecEmpty. I fixed that by teaching
3236         LICM how to materialize CheckNotEmpty on demand whenever !HoistingFailed.
3237         
3238         This is a ~5% speed-up on boyer.
3239         
3240         ~2x speed-up on the instanceof-always-hit-one, instanceof-always-hit-two, and
3241         instanceof-sometimes-hit microbenchmarks.
3242
3243         * JavaScriptCore.xcodeproj/project.pbxproj:
3244         * Sources.txt:
3245         * bytecode/GetByIdStatus.cpp:
3246         (JSC::GetByIdStatus::appendVariant):
3247         (JSC::GetByIdStatus::filter):
3248         * bytecode/GetByIdStatus.h:
3249         (JSC::GetByIdStatus::operator bool const):
3250         (JSC::GetByIdStatus::operator! const): Deleted.
3251         * bytecode/GetByIdVariant.h:
3252         (JSC::GetByIdVariant::operator bool const):
3253         (JSC::GetByIdVariant::operator! const): Deleted.
3254         * bytecode/ICStatusUtils.h: Added.
3255         (JSC::appendICStatusVariant):
3256         (JSC::filterICStatusVariants):
3257         * bytecode/InstanceOfStatus.cpp: Added.
3258         (JSC::InstanceOfStatus::appendVariant):
3259         (JSC::InstanceOfStatus::computeFor):
3260         (JSC::InstanceOfStatus::computeForStubInfo):
3261         (JSC::InstanceOfStatus::commonPrototype const):
3262         (JSC::InstanceOfStatus::filter):
3263         * bytecode/InstanceOfStatus.h: Added.
3264         (JSC::InstanceOfStatus::InstanceOfStatus):
3265         (JSC::InstanceOfStatus::state const):
3266         (JSC::InstanceOfStatus::isSet const):
3267         (JSC::InstanceOfStatus::operator bool const):
3268         (JSC::InstanceOfStatus::isSimple const):
3269         (JSC::InstanceOfStatus::takesSlowPath const):
3270         (JSC::InstanceOfStatus::numVariants const):
3271         (JSC::InstanceOfStatus::variants const):
3272         (JSC::InstanceOfStatus::at const):
3273         (JSC::InstanceOfStatus::operator[] const):
3274         * bytecode/InstanceOfVariant.cpp: Added.
3275         (JSC::InstanceOfVariant::InstanceOfVariant):
3276         (JSC::InstanceOfVariant::attemptToMerge):
3277         (JSC::InstanceOfVariant::dump const):
3278         (JSC::InstanceOfVariant::dumpInContext const):
3279         * bytecode/InstanceOfVariant.h: Added.
3280         (JSC::InstanceOfVariant::InstanceOfVariant):
3281         (JSC::InstanceOfVariant::operator bool const):
3282         (JSC::InstanceOfVariant::structureSet const):
3283         (JSC::InstanceOfVariant::structureSet):
3284         (JSC::InstanceOfVariant::conditionSet const):
3285         (JSC::InstanceOfVariant::prototype const):
3286         (JSC::InstanceOfVariant::isHit const):
3287         * bytecode/StructureStubInfo.cpp:
3288         (JSC::StructureStubInfo::StructureStubInfo):
3289         * bytecode/StructureStubInfo.h:
3290         (JSC::StructureStubInfo::considerCaching):
3291         * dfg/DFGAbstractInterpreterInlines.h:
3292         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3293         * dfg/DFGByteCodeParser.cpp:
3294         (JSC::DFG::ByteCodeParser::parseBlock):
3295         * dfg/DFGClobberize.h:
3296         (JSC::DFG::clobberize):
3297         * dfg/DFGConstantFoldingPhase.cpp:
3298         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3299         * dfg/DFGDoesGC.cpp:
3300         (JSC::DFG::doesGC):
3301         * dfg/DFGFixupPhase.cpp:
3302         (JSC::DFG::FixupPhase::fixupNode):
3303         * dfg/DFGGraph.cpp:
3304         (JSC::DFG::Graph::dump):
3305         * dfg/DFGGraph.h:
3306         * dfg/DFGLICMPhase.cpp:
3307         (JSC::DFG::LICMPhase::attemptHoist):
3308         * dfg/DFGNode.cpp:
3309         (JSC::DFG::Node::remove):
3310         * dfg/DFGNode.h:
3311         (JSC::DFG::Node::hasMatchStructureData):
3312         (JSC::DFG::Node::matchStructureData):
3313         * dfg/DFGNodeType.h:
3314         * dfg/DFGSafeToExecute.h:
3315         (JSC::DFG::safeToExecute):
3316         * dfg/DFGSpeculativeJIT.cpp:
3317         (JSC::DFG::SpeculativeJIT::compileMatchStructure):
3318         * dfg/DFGSpeculativeJIT.h:
3319         * dfg/DFGSpeculativeJIT32_64.cpp:
3320         (JSC::DFG::SpeculativeJIT::compile):
3321         * dfg/DFGSpeculativeJIT64.cpp:
3322         (JSC::DFG::SpeculativeJIT::compile):
3323         * ftl/FTLCapabilities.cpp:
3324         (JSC::FTL::canCompile):
3325         * ftl/FTLLowerDFGToB3.cpp:
3326         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3327         (JSC::FTL::DFG::LowerDFGToB3::compileMatchStructure):
3328
3329 2018-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3330
3331         [JSC] JSC should have consistent InById IC
3332         https://bugs.webkit.org/show_bug.cgi?id=185682
3333
3334         Reviewed by Filip Pizlo.
3335
3336         Currently our op_in IC is ad hoc: it is only emitted in the DFG and FTL layers,
3337         when we find that DFG::In's parameter is a constant string. We should
3338         align this IC with the other ById ICs to clean up and remove ad hoc code
3339         in DFG and FTL.
3340
3341         This patch cleans up our "In" IC by aligning it with the other ById ICs.
3342         We split the op_in bytecode into op_in_by_id and op_in_by_val. op_in_by_val
3343         is the same as the original op_in. For op_in_by_id, we use JITInByIdGenerator
3344         to emit InById IC code. In addition, our JITInByIdGenerator and op_in_by_id
3345         have an inline access cache for the own-property case, which is the same as
3346         JITGetByIdGenerator's.
3347
3348         And we split DFG::In into DFG::InById and DFG::InByVal. InByVal is the same
3349         as the original In DFG node. DFG AI attempts to lower InByVal to InById
3350         if AI figures out that the property name is a constant string. And in the
3351         InById node, we use JITInByIdGenerator code.
3352
3353         This patch cleans up DFG and FTL's ad hoc In IC code.
3354
3355         In a subsequent patch, we should introduce InByIdStatus to optimize
3356         InById in DFG and FTL. We would like to have a new InByIdStatus instead of
3357         reusing GetByIdStatus since GetByIdStatus becomes too complicated, and
3358         AccessCase::Types are different from them (AccessCase::InHit / InMiss).
3359
3360         * bytecode/AccessCase.cpp:
3361         (JSC::AccessCase::fromStructureStubInfo):
3362         (JSC::AccessCase::generateWithGuard):
3363         * bytecode/BytecodeDumper.cpp:
3364         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
3365         (JSC::BytecodeDumper<Block>::dumpBytecode):
3366         * bytecode/BytecodeDumper.h:
3367         * bytecode/BytecodeList.json:
3368         * bytecode/BytecodeUseDef.h:
3369         (JSC::computeUsesForBytecodeOffset):