JSImmutableButterfly should assert m_header is adjacent to the data
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-06-18  Keith Miller  <keith_miller@apple.com>

        JSImmutableButterfly should assert m_header is adjacent to the data
        https://bugs.webkit.org/show_bug.cgi?id=186795

        Reviewed by Saam Barati.

        * runtime/JSImmutableButterfly.cpp:
        * runtime/JSImmutableButterfly.h:

2018-06-18  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix the build...

        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):

2018-06-18  Keith Miller  <keith_miller@apple.com>

        Unreviewed, remove bad assertion.

        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):

2018-06-18  Keith Miller  <keith_miller@apple.com>

        Properly zero unused property storage offsets
        https://bugs.webkit.org/show_bug.cgi?id=186692

        Reviewed by Filip Pizlo.

        Since the concurrent GC might see a property slot before the mutator has actually
        stored the value there, we need to ensure that slot doesn't have garbage in it.

        Right now when calling constructConvertedArrayStorageWithoutCopyingElements
        or creating a RegExp matches array, we never cleared the unused
        property storage. ObjectInitializationScope has also been upgraded
        to look for our invariants around property storage. Additionally,
        a new assertion has been added to check for JSValue() when adding
        a new property.

        We used to put undefined into deleted property offsets. To
        make things simpler, this patch causes us to store JSValue() there
        instead.

        Lastly, this patch fixes an issue where we would initialize the
        array storage of RegExpMatchesArray twice. First with 0 and
        secondly with the actual result. Now we only zero memory between
        vector length and public length.

        * runtime/Butterfly.h:
        (JSC::Butterfly::offsetOfVectorLength):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::tryCreateUninitialized):
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::create):
        (JSC::Butterfly::createOrGrowPropertyStorage):
        (JSC::Butterfly::createOrGrowArrayRight):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::resizeArray):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
        * runtime/JSArray.h:
        (JSC::tryCreateArrayButterfly):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createArrayStorageButterfly):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::prepareToPutDirectWithoutTransition):
        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
        * runtime/ObjectInitializationScope.h:
        (JSC::ObjectInitializationScope::release):
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        (JSC::createRegExpMatchesArray):

        * runtime/Butterfly.h:
        (JSC::Butterfly::offsetOfVectorLength):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::tryCreateUninitialized):
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::create):
        (JSC::Butterfly::createOrGrowPropertyStorage):
        (JSC::Butterfly::createOrGrowArrayRight):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::resizeArray):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
        * runtime/JSArray.h:
        (JSC::tryCreateArrayButterfly):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createArrayStorageButterfly):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::prepareToPutDirectWithoutTransition):
        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::createEmptyRegExpMatchesArray):
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        (JSC::createRegExpMatchesArray):

2018-06-18  Tadeu Zagallo  <tzagallo@apple.com>

        Share structure across instances of classes exported through the ObjC API
        https://bugs.webkit.org/show_bug.cgi?id=186579
        <rdar://problem/40969212>

        Reviewed by Saam Barati.

        A new structure was being created for each instance of exported ObjC
        classes due to setting the prototype in the structure for every object,
        since prototype transitions are not cached by the structure. Cache the
        Structure in the JSObjcClassInfo to avoid the transition.

        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo wrapperForObject:inContext:]):
        (-[JSObjCClassInfo structureInContext:]):
        * API/tests/JSWrapperMapTests.h: Added.
        * API/tests/JSWrapperMapTests.mm: Added.
        (+[JSWrapperMapTests testStructureIdentity]):
        (runJSWrapperMapTests):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-06-18  Michael Saboff  <msaboff@apple.com>

        Support Unicode 11 in RegExp
        https://bugs.webkit.org/show_bug.cgi?id=186685

        Reviewed by Mark Lam.

        Updated the UCD tables used to generate RegExp property tables to version 11.0.

        * Scripts/generateYarrUnicodePropertyTables.py:
        * ucd/CaseFolding.txt:
        * ucd/DerivedBinaryProperties.txt:
        * ucd/DerivedCoreProperties.txt:
        * ucd/DerivedNormalizationProps.txt:
        * ucd/PropList.txt:
        * ucd/PropertyAliases.txt:
        * ucd/PropertyValueAliases.txt:
        * ucd/ScriptExtensions.txt:
        * ucd/Scripts.txt:
        * ucd/UnicodeData.txt:
        * ucd/emoji-data.txt:

2018-06-18  Carlos Alberto Lopez Perez  <clopez@igalia.com>

        [WTF] Remove workarounds needed to support libstdc++-4
        https://bugs.webkit.org/show_bug.cgi?id=186762

        Reviewed by Michael Catanzaro.

        Revert r226299, r226300 r226301 and r226302.

        * API/tests/TypedArrayCTest.cpp:
        (assertEqualsAsNumber):

2018-06-16  Michael Catanzaro  <mcatanzaro@igalia.com>

        REGRESSION(r227717): Hardcoded page size causing JSC crashes on platforms with page size bigger than 16 KB
        https://bugs.webkit.org/show_bug.cgi?id=182923

        Reviewed by Mark Lam.

        The blockSize used by MarkedBlock is incorrect on platforms with pages larger than 16 KB.
        Upstream Fedora's patch to use a safer 64 KB default. This fixes PowerPC and s390x.

        * heap/MarkedBlock.h:

2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Inline JSArray::pushInline and Structure::nonPropertyTransition
        https://bugs.webkit.org/show_bug.cgi?id=186723

        Reviewed by Mark Lam.

        Now, the CoW -> non-CoW transition is a heavy path. We inline the part of Structure::nonPropertyTransition
        to catch the major path. And we also inline JSArray::pushInline well to spread this in operationArrayPushMultiple.

        This patch improves SixSpeed/spread-literal.es5.

                                     baseline                  patched

        spread-literal.es5      114.4140+-4.5146     ^    104.5475+-3.6157        ^ definitely 1.0944x faster

        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
        * runtime/Structure.cpp:
        (JSC::Structure::nonPropertyTransitionSlow):
        (JSC::Structure::nonPropertyTransition): Deleted.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::nonPropertyTransition):

2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Reduce OSRExit for Kraken/crypto-aes due to CoW array
        https://bugs.webkit.org/show_bug.cgi?id=186721

        Reviewed by Keith Miller.

        We still have several other OSRExits, but this patch reduces that.

        1. While ArraySlice code accepts CoW arrays, it always emits CheckStructure without CoW Array structures.
        So DFG emits ArraySlice onto CoW arrays, and always performs OSRExits.

        2. The CoW patch removed ArrayAllocationProfile updates. This makes allocated JSImmutableButterfly
        non-appropriate.

        These changes fix the Kraken/crypto-aes regression a bit.

                                      baseline                  patched

        stanford-crypto-aes        63.718+-2.312      ^      56.140+-0.966         ^ definitely 1.1350x faster


        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2018-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
        https://bugs.webkit.org/show_bug.cgi?id=186460

        Reviewed by Saam Barati.

        Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
        We should return JSFixedArray for Spread. This patch adds a code generating
        a JSFixedArray from JSImmutableButterfly.

        Merging JSFixedArray into JSImmutableButterfly is a possible future extension.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
        * runtime/JSFixedArray.h:

2018-06-15  Saam Barati  <sbarati@apple.com>

        Annotate shrinkFootprintWhenIdle with NS_AVAILABLE
        https://bugs.webkit.org/show_bug.cgi?id=186687
        <rdar://problem/40071332>

        Reviewed by Keith Miller.

        * API/JSVirtualMachinePrivate.h:

2018-06-15  Saam Barati  <sbarati@apple.com>

        Make ForceOSRExit CFG pruning in bytecode parser more aggressive by making the original block to ignore be the plan's osrEntryBytecodeIndex
        https://bugs.webkit.org/show_bug.cgi?id=186648

        Reviewed by Michael Saboff.

        This patch is neutral on SunSpider/bitops-bitwise-and. That test originally
        regressed with my first version of ForceOSRExit CFG pruning. This patch makes
        ForceOSRExit CFG pruning more aggressive by not ignoring everything that
        can reach any loop_hint, but only ignoring blocks that can reach a loop_hint
        if it's the plan's osr entry bytecode target. The goal is to get a speedometer
        2 speedup with this change on iOS.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):

2018-06-15  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, rolling out r232816.

        Suggested by Caitlin:
        "this patch clearly does get some things wrong, and it's not
        easy to find what those things are"

        Reverted changeset:

        "[LLInt] use loadp consistently for
        get_from_scope/put_to_scope"
        https://bugs.webkit.org/show_bug.cgi?id=132333
        https://trac.webkit.org/changeset/232816

2018-06-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION(232741): Crash running ARES-6
        https://bugs.webkit.org/show_bug.cgi?id=186630

        Reviewed by Saam Barati.

        The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
        treated edges between identical predecessor->successor pairs independently.
        This fixes the issue by handling such edges once, using the added intermediate
        pad for all instances of the edges between the same pairs.

        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::run):
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.

2018-06-14  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK][WPE] WebDriver: handle acceptInsecureCertificates capability
        https://bugs.webkit.org/show_bug.cgi?id=186560

        Reviewed by Brian Burg.

        Add SessionCapabilities struct to Client class and unify requestAutomationSession() methods into a single one
        that always receives the session capabilities.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage): Move the parsing of mac capabilities from
        WebKit here and fill the SessionCapabilities instead.
        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::requestAutomationSession): Pass SessionCapabilities to the client.
        * inspector/remote/glib/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::startAutomationSession): Process SessionCapabilities.
        * inspector/remote/glib/RemoteInspectorServer.h:

2018-06-13  Adrian Perez de Castro  <aperez@igalia.com>

        [WPE] Trying to access the remote inspector hits an assertion in the UIProcess
        https://bugs.webkit.org/show_bug.cgi?id=186588

        Reviewed by Carlos Garcia Campos.

        Make both the WPE and GTK+ ports use /org/webkit/inspector as base prefix
        for resource paths, which avoids needing a switcheroo depending on the port.

        * inspector/remote/glib/RemoteInspectorUtils.cpp:

2018-06-13  Caitlin Potter  <caitp@igalia.com>

        [LLInt] use loadp consistently for get_from_scope/put_to_scope
        https://bugs.webkit.org/show_bug.cgi?id=132333

        Reviewed by Mark Lam.

        Using `loadis` for register indexes and `loadp` for constant scopes /
        symboltables makes sense, but is problematic for big-endian
        architectures.

        Consistently treating the operand as a pointer simplifies determining
        how to access the operand, and helps avoid bad accesses and crashes on
        big-endian ports.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/Instruction.h:
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
        (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):

2018-06-13  Keith Miller  <keith_miller@apple.com>

        AutomaticThread should have a way to provide a thread name
        https://bugs.webkit.org/show_bug.cgi?id=186604

        Reviewed by Filip Pizlo.

        Add names for JSC's automatic threads.

        * dfg/DFGWorklist.cpp:
        * heap/Heap.cpp:
        * jit/JITWorklist.cpp:
        * runtime/VMTraps.cpp:
        * wasm/WasmWorklist.cpp:

2018-06-13  Saam Barati  <sbarati@apple.com>

        CFGSimplificationPhase should de-dupe jettisonedBlocks
        https://bugs.webkit.org/show_bug.cgi?id=186583

        Reviewed by Filip Pizlo.

        When making the predecessors list unique in r232741, it revealed a bug inside
        of CFG simplification, where we try to remove the same predecessor more than
        once from a block's predecessors list. We built the list of blocks to remove
        from the list of successors, which is not unique, causing us to try to remove
        the same predecessor more than once. The solution here is to just add to this
        list of blocks to remove only if the block is not already in the list.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):

2018-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Always use Nuke & Set procedure for x86
        https://bugs.webkit.org/show_bug.cgi?id=186592

        Reviewed by Keith Miller.

        We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
        By doing so, we can concurrently load structure and butterfly at least in x86 environment even in non-collector
        threads.

        * runtime/JSObject.cpp:
        (JSC::JSObject::convertContiguousToArrayStorage):

2018-06-12  Saam Barati  <sbarati@apple.com>

        Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle
        https://bugs.webkit.org/show_bug.cgi?id=186071

        Reviewed by Mark Lam.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine shrinkFootprint]): Deleted.
        * API/JSVirtualMachinePrivate.h:

2018-06-11  Saam Barati  <sbarati@apple.com>

        Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
        https://bugs.webkit.org/show_bug.cgi?id=181409
        <rdar://problem/36383749>

        Reviewed by Keith Miller.

        This patch is me redoing r226655. This is a patch I wrote when
        profiling Speedometer. Fil rolled this change out in r230928. He
        showed this slowed down a SunSpider test by ~2x. This SunSpider
        regression revealed a real performance bug in the original change:
        we would kill blocks that reached OSR entry targets, sometimes leading
        us to not do OSR entry into the DFG, since we could end up deleting
        entire loops from the CFG. The reason for this is that code that has run
        ~once and that reaches loops often has ForceOSRExits inside of it. The
        solution to this is to not perform this optimization on blocks that can
        reach OSR entry targets.

        The reason I'm redoing this patch is that it turns out Fil rolling
        out the change was a Speedometer 2 regression.

        This is a modified version of the original ChangeLog I wrote in r226655:

        When I was looking at profiler data for Speedometer, I noticed that one of
        the hottest functions in Speedometer is around 1100 bytecode operations long.
        Only about 100 of those bytecode ops ever execute. However, we ended up
        spending a lot of time compiling basic blocks that never executed. We often
        plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
        This is the case when such a node never executes.

        This patch makes it so that anytime a block has a ForceOSRExit, and that block
        can not reach an OSR entry target, we replace its terminal node with an Unreachable
        node, and remove all nodes after the ForceOSRExit. This cuts down the graph
        size since it removes control flow edges from the CFG. This allows us to get
        rid of huge chunks of the CFG in certain programs. When doing this transformation,
        we also insert Flushes/PhantomLocals to ensure we can recover values that are bytecode
        live-in to the ForceOSRExit.

        Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
        does not get rid of all the CFG that it could. If we decide it's worth
        it, we could use additional inputs into this mechanism. For example, we could
        profile if a basic block ever executes inside the LLInt/Baseline, and
        remove parts of the CFG based on that.

        When running Speedometer with the concurrent JIT turned off, this patch
        improves DFG/FTL compile times by around 5%.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::blocksInPostOrder):

2018-06-11  Saam Barati  <sbarati@apple.com>

        The NaturalLoops algorithm only works when the list of blocks in a loop is de-duplicated
        https://bugs.webkit.org/show_bug.cgi?id=184829

        Reviewed by Michael Saboff.

        This patch codifies that a BasicBlock's list of predecessors is de-duplicated.
        In B3/Air, this just meant writing a validation rule. In DFG, this meant
        ensuring this property when building up the predecessors list, and also adding
        a validation rule. The NaturalLoops algorithm relies on this property.

        * b3/B3Validate.cpp:
        * b3/air/AirValidate.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testLoopWithMultipleHeaderEdges):
        (JSC::B3::run):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::handleSuccessor):
        * dfg/DFGValidate.cpp:

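The three entries above (the r232741 ARES-6 crash in breakCriticalEdge, the CFGSimplificationPhase de-dupe, and this predecessor-uniqueness rule) all turn on one pair of invariants: a block's predecessor list is unique while its successor slots may repeat a target, so a pass that walks successor slots must handle each distinct predecessor/successor pair once. The toy graph below is an added example written for this page; it is not WebKit code, and Block, Graph, breakCriticalEdges, edgesAreConsistent and runDemo are hypothetical names. The input graph is constructed: a switch-like block A with two case slots to B and one to C, and C falling through to B.

```cpp
#include <algorithm>
#include <cstddef>
#include <map>
#include <memory>
#include <vector>

// Hypothetical toy CFG (not JSC's BasicBlock/Graph).
struct Block {
    std::vector<Block*> successors;   // may repeat a target (two switch cases to one block)
    std::vector<Block*> predecessors; // invariant: no duplicates
};

struct Graph {
    std::vector<std::unique_ptr<Block>> blocks;

    Block* add()
    {
        blocks.push_back(std::make_unique<Block>());
        return blocks.back().get();
    }

    // Record from -> to. The successor slot is always appended; the predecessor
    // entry is appended only if this predecessor is not already present.
    void addEdge(Block* from, Block* to)
    {
        from->successors.push_back(to);
        if (std::find(to->predecessors.begin(), to->predecessors.end(), from) == to->predecessors.end())
            to->predecessors.push_back(from);
    }
};

// Validation rule 1: no block lists the same predecessor twice.
bool predecessorsAreUnique(const Graph& g)
{
    for (const auto& b : g.blocks) {
        std::vector<Block*> p = b->predecessors;
        std::sort(p.begin(), p.end());
        if (std::adjacent_find(p.begin(), p.end()) != p.end())
            return false;
    }
    return true;
}

// Validation rule 2: every successor slot's target lists the source as a predecessor.
bool edgesAreConsistent(const Graph& g)
{
    for (const auto& b : g.blocks) {
        for (Block* s : b->successors) {
            if (std::find(s->predecessors.begin(), s->predecessors.end(), b.get()) == s->predecessors.end())
                return false;
        }
    }
    return true;
}

// from -> to is critical when from branches to several blocks and to is reached from several blocks.
bool isCritical(const Block* from, const Block* to)
{
    return from->successors.size() > 1 && to->predecessors.size() > 1;
}

// Route every critical edge through a fresh pad block. Successor slots naming the
// same target share one pad, so the target's single predecessor entry for `from`
// is retargeted exactly once. Returns the number of pads inserted.
std::size_t breakCriticalEdges(Graph& g)
{
    std::size_t pads = 0;
    const std::size_t originalCount = g.blocks.size(); // pads added below have one successor and are never critical
    for (std::size_t i = 0; i < originalCount; ++i) {
        Block* from = g.blocks[i].get();
        std::map<Block*, Block*> padFor; // target -> pad already created for this predecessor
        for (Block*& slot : from->successors) {
            Block* to = slot;
            if (!isCritical(from, to))
                continue;
            auto it = padFor.find(to);
            if (it == padFor.end()) {
                Block* pad = g.add();
                pad->successors.push_back(to);
                pad->predecessors.push_back(from);
                std::replace(to->predecessors.begin(), to->predecessors.end(), from, pad);
                it = padFor.emplace(to, pad).first;
                ++pads;
            }
            slot = it->second; // every duplicate slot is redirected to the shared pad
        }
    }
    return pads;
}

struct DemoResult {
    std::size_t pads;         // pads inserted
    std::size_t blocks;       // block count afterwards
    bool valid;               // both validation rules hold
    bool duplicateSlotsShare; // both A -> B slots now point at the same pad
};

// Constructed input: A -> B, A -> B, A -> C, C -> B. Only A -> B is critical.
DemoResult runDemo()
{
    Graph g;
    Block* a = g.add();
    Block* b = g.add();
    Block* c = g.add();
    g.addEdge(a, b);
    g.addEdge(a, b);
    g.addEdge(a, c);
    g.addEdge(c, b);

    DemoResult r;
    r.pads = breakCriticalEdges(g);
    r.blocks = g.blocks.size();
    r.valid = predecessorsAreUnique(g) && edgesAreConsistent(g);
    r.duplicateSlotsShare = a->successors[0] == a->successors[1] && a->successors[0] != b;
    return r;
}
```

If the `padFor` lookup is dropped and each slot handled independently, as the pre-fix code did, the second A -> B slot creates a second pad, and `std::replace` then finds no `from` entry left in B's predecessor list to retarget; `edgesAreConsistent` fails on that pad, which is the kind of validation rule the entries add to catch the mismatch.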
2018-06-11  Keith Miller  <keith_miller@apple.com>

        Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire  which churns 65KB of memory
        https://bugs.webkit.org/show_bug.cgi?id=186467

        Reviewed by Simon Fraser.

        This patch adds a LazyFireDetail that wraps ScopedLambda so that
        we don't actually malloc any strings for firing unless those
        Strings are actually going to be printed.

        * bytecode/Watchpoint.h:
        (JSC::LazyFireDetail::LazyFireDetail):
        * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
        (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
        * dfg/DFGAdaptiveStructureWatchpoint.cpp:
        (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):

2018-06-11  Mark Lam  <mark.lam@apple.com>

        Add support for webkit-test-runner jscOptions in DumpRenderTree and WebKitTestRunner.
        https://bugs.webkit.org/show_bug.cgi?id=186451
        <rdar://problem/40875792>

        Reviewed by Tim Horton.

        Enhance setOptions() to be able to take a comma separated options string in
        addition to white space separated options strings.

        * runtime/Options.cpp:
        (JSC::isSeparator):
        (JSC::Options::setOptions):

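An added example of the separator rule the entry above describes (a token boundary is any run of ASCII whitespace and/or commas), written for this page rather than taken from JSC's Options::setOptions. The name=value token shape, the function names and the sample strings are this example's assumptions.

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Separator rule assumed here: a comma or any ASCII whitespace ends a token.
static bool isOptionSeparator(char c)
{
    return c == ',' || std::isspace(static_cast<unsigned char>(c)) != 0;
}

using Option = std::pair<std::string, std::string>;

// Splits `options` into name/value pairs. Empty tokens produced by adjacent
// separators ("a=1,,b=2" or "a=1, b=2") are skipped. A token with no '=' or an
// empty name makes the whole string invalid: return false and hand back nothing,
// so a caller never applies half of a malformed option string.
bool parseOptions(const std::string& options, std::vector<Option>& out)
{
    std::vector<Option> parsed;
    const std::size_t n = options.size();
    std::size_t i = 0;
    while (i < n) {
        while (i < n && isOptionSeparator(options[i]))
            ++i;
        if (i >= n)
            break;
        const std::size_t start = i;
        while (i < n && !isOptionSeparator(options[i]))
            ++i;
        const std::string token = options.substr(start, i - start);
        const std::size_t eq = token.find('=');
        if (eq == std::string::npos || eq == 0)
            return false;
        parsed.emplace_back(token.substr(0, eq), token.substr(eq + 1));
    }
    out = std::move(parsed);
    return true;
}

// Helpers over constructed inputs: number of options parsed (0 on a rejected string).
std::size_t countParsed(const std::string& options)
{
    std::vector<Option> out;
    return parseOptions(options, out) ? out.size() : 0;
}

bool parsesCleanly(const std::string& options)
{
    std::vector<Option> out;
    return parseOptions(options, out);
}

// Value of the first option named `name`, or "" if absent or the string is rejected.
std::string valueOf(const std::string& options, const std::string& name)
{
    std::vector<Option> out;
    if (!parseOptions(options, out))
        return "";
    for (const Option& o : out) {
        if (o.first == name)
            return o.second;
    }
    return "";
}
```

The mixed form "exampleFlag=false, exampleCount=3" parses the same as either the comma-only or the whitespace-only spelling; "exampleFlag" alone and "=3" are rejected outright rather than partially applied.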
2018-06-11  Michael Saboff  <msaboff@apple.com>

        JavaScriptCore: Disable 32-bit JIT on Windows
        https://bugs.webkit.org/show_bug.cgi?id=185989

        Reviewed by Mark Lam.

        Fixed the CLOOP so it can work when COMPUTED_GOTOs are not supported.

        * llint/LLIntData.h:
        (JSC::LLInt::getCodePtr): Used a reinterpret_cast since Opcode could be an int.
        * llint/LowLevelInterpreter.cpp: Changed the definition of OFFLINE_ASM_GLOBAL_LABEL to not
        have a case label because these aren't opcodes.
        * runtime/Options.cpp: Made assembler related Windows conditional code also conditional
        on the JIT being enabled.
        (JSC::recomputeDependentOptions):

2018-06-11  Michael Saboff  <msaboff@apple.com>

        Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=186477

        Reviewed by Filip Pizlo.

        Fixed bug where we were using the wrong frame size for TypeParenthesesSubpatternTerminalBegin
        YARR interpreter nodes.  This caused us to overwrite other frame information.

        Added frame offset debugging code to YARR interpreter.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::emitDisjunction):
        (JSC::Yarr::ByteCompiler::dumpDisjunction):

2018-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Array.prototype.sort should reject null comparator
        https://bugs.webkit.org/show_bug.cgi?id=186458

        Reviewed by Keith Miller.

        This relaxed behavior was once introduced in r216169 to fix some pages by aligning
        the behavior to Chrome and Firefox.

        However, now Chrome, Firefox and Edge reject a null comparator. So only JavaScriptCore
        accepts it. This patch reverts r216169 to align JSC to the other engines and fix
        the spec issue.

        * builtins/ArrayPrototype.js:
        (sort):

2018-06-09  Dan Bernstein  <mitz@apple.com>

        [Xcode] Clean up and modernize some build setting definitions
        https://bugs.webkit.org/show_bug.cgi?id=186463

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig: Removed definition for macOS 10.11. Simplified the
          definition of WK_PRIVATE_FRAMEWORK_STUBS_DIR now that WK_XCODE_SUPPORTS_TEXT_BASED_STUBS
          is true for all supported Xcode versions.
        * Configurations/DebugRelease.xcconfig: Removed definition for macOS 10.11.
        * Configurations/FeatureDefines.xcconfig: Simplified the definitions of ENABLE_APPLE_PAY and
          ENABLE_VIDEO_PRESENTATION_MODE now macOS 10.12 is the earliest supported version.
        * Configurations/Version.xcconfig: Removed definition for macOS 10.11.
        * Configurations/WebKitTargetConditionals.xcconfig: Removed definitions for macOS 10.11.

2018-06-09  Dan Bernstein  <mitz@apple.com>

        Added missing file references to the Configuration group.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-06-08  Darin Adler  <darin@apple.com>

        [Cocoa] Remove all uses of NSAutoreleasePool as part of preparation for ARC
        https://bugs.webkit.org/show_bug.cgi?id=186436

        Reviewed by Anders Carlsson.

        * heap/Heap.cpp: Include FoundationSPI.h rather than directly including
        objc-internal.h and explicitly declaring the alternative.

2018-06-08  Wenson Hsieh  <wenson_hsieh@apple.com>

        [WebKit on watchOS] Upstream watchOS source additions to OpenSource (Part 1)
        https://bugs.webkit.org/show_bug.cgi?id=186442
        <rdar://problem/40879364>

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2018-06-08  Tadeu Zagallo  <tzagallo@apple.com>

        jumpTrueOrFalse only takes the fast path for boolean false on 64bit LLInt
        https://bugs.webkit.org/show_bug.cgi?id=186446
        <rdar://problem/40949995>

        Reviewed by Mark Lam.

        On 64bit LLInt, jumpTrueOrFalse did a mask check to take the fast path for
        boolean literals, but it would only work for false. Change it so that it
        takes the fast path for true, false, null and undefined.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:

2018-06-08  Brian Burg  <bburg@apple.com>

        [Cocoa] Web Automation: include browser name and version in listing for automation targets
        https://bugs.webkit.org/show_bug.cgi?id=186204
        <rdar://problem/36950423>

        Reviewed by Darin Adler.

        Ask the client what the reported browser name and version should be, then
        send this as part of the listing for an automation target.

        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::listingForAutomationTarget const):

2018-06-07  Chris Dumez  <cdumez@apple.com>

        Add base class to get WeakPtrFactory member and avoid some boilerplate code
        https://bugs.webkit.org/show_bug.cgi?id=186407

        Reviewed by Brent Fulgham.

        Add CanMakeWeakPtr base class to get WeakPtrFactory member and its getter, in
        order to avoid some boilerplate code in every class needing a WeakPtrFactory.
        This also gets rid of old-style createWeakPtr() methods in favor of the newer
        makeWeakPtr().

        * wasm/WasmInstance.h:
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::registerInstance):

2018-06-07  Tadeu Zagallo  <tzagallo@apple.com>

        Don't try to allocate JIT memory if we don't have the JIT entitlement
        https://bugs.webkit.org/show_bug.cgi?id=182605
        <rdar://problem/38271229>

        Reviewed by Mark Lam.

        Check that the current process has the correct entitlements before
        trying to allocate JIT memory to silence warnings.

        * jit/ExecutableAllocator.cpp:
        (JSC::allowJIT): Helper that checks entitlements on iOS and returns true in other platforms
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): check allowJIT before trying to allocate

2018-06-07  Saam Barati  <sbarati@apple.com>

        TierUpCheckInjectionPhase systematically never puts the outer-most loop in an inner loop's vector of outer loops
        https://bugs.webkit.org/show_bug.cgi?id=186386

        Reviewed by Filip Pizlo.

        This looks like an 8% speedup on Kraken's imaging-gaussian-blur subtest.

        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):

2018-06-02  Filip Pizlo  <fpizlo@apple.com>

        FunctionRareData::m_objectAllocationProfileWatchpoint is racy
        https://bugs.webkit.org/show_bug.cgi?id=186237

        Reviewed by Saam Barati.

        We initialize it blind and let it go into auto-watch mode once the DFG adds a watchpoint, but
        that means that we never notice that it fired if it fires between when the DFG decides to
        watch it and when it actually adds the watchpoint.

        Most watchpoints are initialized watched for this purpose. This one had a somewhat good
        reason for being initialized blind: that's how we knew to ignore changes to the prototype
        before the first allocation. However, that functionality also arose out of the fact that the
        rare data is created lazily and usually won't exist until the first allocation.

        The fix here is to make the watchpoint go into watched mode as soon as we initialize the
        object allocation profile.

        It's hard to repro this race, however it started causing spurious test failures for me after
        bug 164904.

        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::FunctionRareData):
        (JSC::FunctionRareData::initializeObjectAllocationProfile):

2018-06-07  Saam Barati  <sbarati@apple.com>

        Make DFG to FTL OSR entry code more sane by removing bad RELEASE_ASSERTS and making it trigger compiles in outer loops before inner ones
        https://bugs.webkit.org/show_bug.cgi?id=186218
        <rdar://problem/38449540>

        Reviewed by Filip Pizlo.

        This patch makes tierUpCommon a tad bit more sane. There are a few things
        that I did:
        - There were a few release asserts that were crashing. Those release asserts
        were incorrect. They were making assumptions about how the code and data
        structures were ordered that were wrong. This patch removes them. The code
        was using the loop hierarchy vector to make assumptions about which loop we
        were currently executing in, which is incorrect. The only information that
        can be used about where we're currently executing is the bytecode index we're
        at.
        - This makes it so that we go back to trying to compile outer loops before
751         inner loops. JF accidentally reverted this behavior that Ben implemented.
752         JF made it so that we just compiled the innermost loop. I make this
753         functionality work by first triggering a compile for the outermost loop
754         that the code is currently executing in and that can perform OSR entry.
755         However, some programs can get stuck in inner loops. The code works by
756         progressively asking inner loops to compile if program execution has not
757         yet reached an outer loop.
758
759         * dfg/DFGOperations.cpp:
760
761 2018-06-06  Guillaume Emont  <guijemont@igalia.com>
762
763         ArityFixup should adjust SP first on 32-bit platforms too
764         https://bugs.webkit.org/show_bug.cgi?id=186351
765
766         Reviewed by Yusuke Suzuki.
767
768         * jit/ThunkGenerators.cpp:
769         (JSC::arityFixupGenerator):
770
771 2018-06-06  Yusuke Suzuki  <utatane.tea@gmail.com>
772
773         [DFG] Compare operations do not respect negative zeros
774         https://bugs.webkit.org/show_bug.cgi?id=183729
775
776         Reviewed by Saam Barati.
777
778         Compare operations do not respect negative zeros. So propagating this can
779         reduce the size of the produced code for the negative zero case. This pattern
780         can be seen in Kraken stanford-crypto-aes.
781
782         This also causes an existing bug which converts CompareEq(Int32Only, NonIntAsDouble) to false.
783         However, NonIntAsDouble includes negative zero, which can be equal to Int32 positive zero.
784         This issue is covered by fold-based-on-int32-proof-mul-branch.js, and we fix this.
785
786         * bytecode/SpeculatedType.cpp:
787         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
788         SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0.
789         To emphasize this, we use SpecAnyIntAsDouble | SpecNonIntAsDouble directly instead of
790         SpecDoubleReal.
791
792         * dfg/DFGBackwardsPropagationPhase.cpp:
793         (JSC::DFG::BackwardsPropagationPhase::propagate):
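
Added example, not WebKit code: a small model of the speculation classes named in the entry above (Int32, AnyIntAsDouble, NonIntAsDouble), built to show why CompareEq(Int32, NonIntAsDouble) cannot be folded to false. The classification rules and the witness sets are a constructed simplification of JSC's real value tagging (JSC may also box int32-range integers as doubles, which this model does not track); the helper names are ours, not JSC's.

```javascript
// Added example, not WebKit code: a constructed model of the speculation
// classes named in the ChangeLog entry, showing why CompareEq(Int32,
// NonIntAsDouble) must not be folded to false. Simplified relative to JSC.

const INT32_MIN = -(2 ** 31);
const INT32_MAX = 2 ** 31 - 1;

// Classify a value into a speculation class (model, not JSC's tagging).
function speculate(v) {
  if (typeof v !== 'number') return 'Other';
  // -0 has no int32 representation, so it lives in the double world and is
  // not an "integer as double" either: this is the value the entry is about.
  if (Object.is(v, -0)) return 'NonIntAsDouble';
  if (Number.isInteger(v)) {
    return v >= INT32_MIN && v <= INT32_MAX ? 'Int32' : 'AnyIntAsDouble';
  }
  return 'NonIntAsDouble'; // fractions, NaN, +/-Infinity
}

// Representative members of each class. Two classes "may be strictly equal"
// exactly when some witness pair satisfies a === b.
const WITNESSES = {
  Int32: [0, 1, -1, INT32_MAX, INT32_MIN],
  AnyIntAsDouble: [2 ** 31, INT32_MIN - 1, 2 ** 53],
  NonIntAsDouble: [-0, 0.5, -2.25, NaN, Infinity],
};

function mayBeStrictlyEqual(specA, specB) {
  return WITNESSES[specA].some(a => WITNESSES[specB].some(b => a === b));
}

// Folding CompareEq(a, b) to false is sound only if no witness pair is ===.
function canFoldCompareEqToFalse(specA, specB) {
  return !mayBeStrictlyEqual(specA, specB);
}

// The rule the entry fixes: it treated Int32 and NonIntAsDouble as disjoint,
// forgetting that NonIntAsDouble contains -0 and that -0 === 0 holds.
function buggyCanFoldCompareEqToFalse(specA, specB) {
  const pair = [specA, specB].sort().join('/');
  return pair === 'Int32/NonIntAsDouble';
}

// Producing -0 at runtime: an int32 multiplied by zero with a negative
// operand, the shape fold-based-on-int32-proof-mul-branch.js exercises.
function timesZero(a) {
  return a * 0;
}

function isStrictlyZero(x) {
  return x === 0;
}
```

`timesZero(-5)` yields -0, which `speculate` places in NonIntAsDouble, yet `isStrictlyZero` returns true for it; the witness-based check therefore refuses the fold that the old rule would have applied.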
794
795 2018-06-06  Saam Barati  <sbarati@apple.com>
796
797         generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
798         https://bugs.webkit.org/show_bug.cgi?id=186363
799
800         Rubber-stamped by Filip Pizlo.
801
802         The code was assuming that the object it was creating an OPC for always
803         had a non-poly-proto structure. However, this assumption was wrong. For
804         example, an object in the prototype chain could be poly proto. That type 
805         of object graph would cause a crash in this code. This patch makes it so
806         that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
807         object as we traverse the prototype chain.
808
809         * bytecode/ObjectPropertyConditionSet.cpp:
810         (JSC::generateConditionsForInstanceOf):
811
812 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
813
814         Adjust compile and runtime flags to match shippable state of features
815         https://bugs.webkit.org/show_bug.cgi?id=186319
816         <rdar://problem/40352045>
817
818         Reviewed by Maciej Stachowiak, Jon Lee, and others.
819
820         This patch revises the compile time and runtime state for various features to match their
821         suitability for end-user releases.
822
823         * Configurations/DebugRelease.xcconfig: Update to match WebKit definition of
824         WK_RELOCATABLE_FRAMEWORKS so that ENABLE(EXPERIMENTAL_FEATURES) is defined properly for
825         Cocoa builds.
826         * Configurations/FeatureDefines.xcconfig: Don't build ENABLE_INPUT_TYPE_COLOR
827         or ENABLE_INPUT_TYPE_COLOR_POPOVER.
828         * runtime/Options.h: Only enable INTL_NUMBER_FORMAT_TO_PARTS and INTL_PLURAL_RULES
829         at runtime for non-production builds.
830
831 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
832
833         Revise DEFAULT_EXPERIMENTAL_FEATURES_ENABLED to work properly on Apple builds
834         https://bugs.webkit.org/show_bug.cgi?id=186286
835         <rdar://problem/40782992>
836
837         Reviewed by Dan Bernstein.
838
839         Use the WK_RELOCATABLE_FRAMEWORKS flag (which is always defined for non-production builds)
840         to define ENABLE(EXPERIMENTAL_FEATURES) so that we do not need to manually
841         change this flag when preparing for a production release.
842
843         * Configurations/FeatureDefines.xcconfig: Use WK_RELOCATABLE_FRAMEWORKS to determine
844         whether experimental features should be enabled, and use it to properly define the
845         feature flag.
846
847 2018-06-05  Darin Adler  <darin@apple.com>
848
849         [Cocoa] Update some JavaScriptCore code to be more ready for ARC
850         https://bugs.webkit.org/show_bug.cgi?id=186301
851
852         Reviewed by Anders Carlsson.
853
854         * API/JSContext.mm:
855         (-[JSContext evaluateScript:withSourceURL:]): Use __bridge for typecast.
856         (-[JSContext setName:]): Removed unnecessary call to copy, since the
857         JSStringCreateWithCFString function already reads the characters out
858         of the string and does not retain the string, so there is no need to
859         make an immutable copy. And used __bridge for typecast.
860         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
861         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
862         Ditto.
863
864         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
865         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
866         Use CFBridgingRelease instead of autorelease for a CF dictionary that
867         we return as an NSDictionary.
868
869 2018-06-04  Keith Miller  <keith_miller@apple.com>
870
871         Remove missing files from JavaScriptCore Xcode project
872         https://bugs.webkit.org/show_bug.cgi?id=186297
873
874         Reviewed by Saam Barati.
875
876         * JavaScriptCore.xcodeproj/project.pbxproj:
877
878 2018-06-04  Keith Miller  <keith_miller@apple.com>
879
880         Add test for CoW conversions in the DFG/FTL
881         https://bugs.webkit.org/show_bug.cgi?id=186295
882
883         Reviewed by Saam Barati.
884
885         Add a function to $vm that returns a JSString containing the
886         dataLog dump of the indexingMode of an Object.
887
888         * tools/JSDollarVM.cpp:
889         (JSC::functionIndexingMode):
890         (JSC::JSDollarVM::finishCreation):
891
892 2018-06-04  Saam Barati  <sbarati@apple.com>
893
894         Set the activeLength of all ScratchBuffers to zero when exiting the VM
895         https://bugs.webkit.org/show_bug.cgi?id=186284
896         <rdar://problem/40780738>
897
898         Reviewed by Keith Miller.
899
900         Simon recently found instances where we leak global objects from the
901         ScratchBuffer. Yusuke found that we forgot to set the active length
902         back to zero when doing catch OSR entry in the DFG/FTL. His solution
903         to this was adding a node that cleared the active length. This is
904         a good node to have, but it's not a complete solution: the DFG/FTL
905         could OSR exit before that node executes, which would cause us to leak
906         the data in it.
907         
908         This patch makes it so that we set each scratch buffer's active length
909         to zero on VM exit. This helps prevent leaks for JS code that eventually
910         exits the VM (which is essentially all code on the web and all API users).
911
912         * runtime/VM.cpp:
913         (JSC::VM::clearScratchBuffers):
914         * runtime/VM.h:
915         * runtime/VMEntryScope.cpp:
916         (JSC::VMEntryScope::~VMEntryScope):
917
918 2018-06-04  Keith Miller  <keith_miller@apple.com>
919
920         JSLock should clear last exception when releasing the lock
921         https://bugs.webkit.org/show_bug.cgi?id=186277
922
923         Reviewed by Mark Lam.
924
925         If we don't clear the last exception we essentially leak the
926         object and everything referenced by it until another exception is
927         thrown.
928
929         * runtime/JSLock.cpp:
930         (JSC::JSLock::willReleaseLock):
931
932 2018-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
933
934         Get rid of UnconditionalFinalizers and WeakReferenceHarvesters
935         https://bugs.webkit.org/show_bug.cgi?id=180248
936
937         Reviewed by Sam Weinig.
938
939         As a final step, this patch removes ListableHandler from JSC.
940         Nobody uses UnconditionalFinalizers and WeakReferenceHarvesters now.
941
942         * CMakeLists.txt:
943         * JavaScriptCore.xcodeproj/project.pbxproj:
944         * heap/Heap.h:
945         * heap/ListableHandler.h: Removed.
946
947 2018-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>
948
949         LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
950         https://bugs.webkit.org/show_bug.cgi?id=186223
951
952         Reviewed by Keith Miller.
953
954         After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
955         It makes this buffer a conservative GC root, and allows it to hold GC objects unnecessarily long.
956
957         This patch introduces DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
958         We model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize too to make
959         this ClearCatchLocals valid.
960
961         The existing tests for ExtractCatchLocal just pass.
962
963         * dfg/DFGAbstractHeap.h:
964         * dfg/DFGAbstractInterpreterInlines.h:
965         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
966         * dfg/DFGByteCodeParser.cpp:
967         (JSC::DFG::ByteCodeParser::parseBlock):
968         * dfg/DFGClobberize.h:
969         (JSC::DFG::clobberize):
970         * dfg/DFGDoesGC.cpp:
971         (JSC::DFG::doesGC):
972         * dfg/DFGFixupPhase.cpp:
973         (JSC::DFG::FixupPhase::fixupNode):
974         * dfg/DFGMayExit.cpp:
975         * dfg/DFGNodeType.h:
976         * dfg/DFGOSREntry.cpp:
977         (JSC::DFG::prepareCatchOSREntry):
978         * dfg/DFGPredictionPropagationPhase.cpp:
979         * dfg/DFGSafeToExecute.h:
980         (JSC::DFG::safeToExecute):
981         * dfg/DFGSpeculativeJIT.cpp:
982         (JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
983         * dfg/DFGSpeculativeJIT.h:
984         * dfg/DFGSpeculativeJIT32_64.cpp:
985         (JSC::DFG::SpeculativeJIT::compile):
986         * dfg/DFGSpeculativeJIT64.cpp:
987         (JSC::DFG::SpeculativeJIT::compile):
988         * ftl/FTLCapabilities.cpp:
989         (JSC::FTL::canCompile):
990         * ftl/FTLLowerDFGToB3.cpp:
991         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
992         (JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):
993
994 2018-06-02  Darin Adler  <darin@apple.com>
995
996         [Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
997         https://bugs.webkit.org/show_bug.cgi?id=186227
998
999         Reviewed by Dan Bernstein.
1000
1001         * API/JSContext.mm:
1002         (-[JSContext name]): Use CFBridgingRelease instead of autorelease.
1003         * API/JSValue.mm:
1004         (valueToObjectWithoutCopy): Use CFBridgingRelease instead of autorelease.
1005         (containerValueToObject): Use adoptCF instead of autorelease. This is not only more
1006         ARC-compatible, but more efficient.
1007         (valueToString): Use CFBridgingRelease instead of autorelease.
1008
1009 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
1010
1011         [ESNext][BigInt] Implement support for addition operations
1012         https://bugs.webkit.org/show_bug.cgi?id=179002
1013
1014         Reviewed by Yusuke Suzuki.
1015
1016         This patch implements support for BigInt operands in the binary "+"
1017         and binary "-" operators. Right now, we have limited support in the DFG
1018         and FTL JIT layers, but we plan to fix this support in future
1019         patches.
1020
1021         * jit/JITOperations.cpp:
1022         * runtime/CommonSlowPaths.cpp:
1023         (JSC::SLOW_PATH_DECL):
1024         * runtime/JSBigInt.cpp:
1025         (JSC::JSBigInt::parseInt):
1026         (JSC::JSBigInt::stringToBigInt):
1027         (JSC::JSBigInt::toString):
1028         (JSC::JSBigInt::multiply):
1029         (JSC::JSBigInt::divide):
1030         (JSC::JSBigInt::remainder):
1031         (JSC::JSBigInt::add):
1032         (JSC::JSBigInt::sub):
1033         (JSC::JSBigInt::absoluteAdd):
1034         (JSC::JSBigInt::absoluteSub):
1035         (JSC::JSBigInt::toStringGeneric):
1036         (JSC::JSBigInt::allocateFor):
1037         (JSC::JSBigInt::toNumber const):
1038         (JSC::JSBigInt::getPrimitiveNumber const):
1039         * runtime/JSBigInt.h:
1040         * runtime/JSCJSValueInlines.h:
1041         * runtime/Operations.cpp:
1042         (JSC::jsAddSlowCase):
1043         * runtime/Operations.h:
1044         (JSC::jsSub):
1045
1046 2018-06-02  Commit Queue  <commit-queue@webkit.org>
1047
1048         Unreviewed, rolling out r232439.
1049         https://bugs.webkit.org/show_bug.cgi?id=186238
1050
1051         It breaks gtk-linux-32-release (Requested by caiolima on
1052         #webkit).
1053
1054         Reverted changeset:
1055
1056         "[ESNext][BigInt] Implement support for addition operations"
1057         https://bugs.webkit.org/show_bug.cgi?id=179002
1058         https://trac.webkit.org/changeset/232439
1059
1060 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1061
1062         Baseline op_jtrue emits an insane amount of code
1063         https://bugs.webkit.org/show_bug.cgi?id=185708
1064
1065         Reviewed by Filip Pizlo.
1066
1067         op_jtrue / op_jfalse bloat a massive amount of code. This patch attempts to reduce the size of this code by:
1068
1069         1. op_jtrue / op_jfalse immediately jump if the condition is met. We add AssemblyHelpers::branchIf{Truthy,Falsey}
1070            to jump directly. This tightens the code.
1071
1072         2. Align our emitConvertValueToBoolean implementation to FTL's boolify function. It emits less code.
1073
1074         This reduces the code size of op_jtrue in x64 from 220 bytes to 164 bytes.
1075
1076         [  12] jtrue             arg1, 6(->18)
1077               0x7f233170162c: mov 0x30(%rbp), %rax
1078               0x7f2331701630: mov %rax, %rsi
1079               0x7f2331701633: xor $0x6, %rsi
1080               0x7f2331701637: test $0xfffffffffffffffe, %rsi
1081               0x7f233170163e: jnz 0x7f2331701654
1082               0x7f2331701644: cmp $0x7, %eax
1083               0x7f2331701647: setz %sil
1084               0x7f233170164b: movzx %sil, %esi
1085               0x7f233170164f: jmp 0x7f2331701705
1086               0x7f2331701654: test %rax, %r14
1087               0x7f2331701657: jz 0x7f233170169c
1088               0x7f233170165d: cmp %r14, %rax
1089               0x7f2331701660: jb 0x7f2331701675
1090               0x7f2331701666: test %eax, %eax
1091               0x7f2331701668: setnz %sil
1092               0x7f233170166c: movzx %sil, %esi
1093               0x7f2331701670: jmp 0x7f2331701705
1094               0x7f2331701675: lea (%r14,%rax), %rsi
1095               0x7f2331701679: movq %rsi, %xmm0
1096               0x7f233170167e: xorps %xmm1, %xmm1
1097               0x7f2331701681: ucomisd %xmm1, %xmm0
1098               0x7f2331701685: jz 0x7f2331701695
1099               0x7f233170168b: mov $0x1, %esi
1100               0x7f2331701690: jmp 0x7f2331701705
1101               0x7f2331701695: xor %esi, %esi
1102               0x7f2331701697: jmp 0x7f2331701705
1103               0x7f233170169c: test %rax, %r15
1104               0x7f233170169f: jnz 0x7f2331701703
1105               0x7f23317016a5: cmp $0x1, 0x5(%rax)
1106               0x7f23317016a9: jnz 0x7f23317016c1
1107               0x7f23317016af: mov 0x8(%rax), %esi
1108               0x7f23317016b2: test %esi, %esi
1109               0x7f23317016b4: setnz %sil
1110               0x7f23317016b8: movzx %sil, %esi
1111               0x7f23317016bc: jmp 0x7f2331701705
1112               0x7f23317016c1: test $0x1, 0x6(%rax)
1113               0x7f23317016c5: jz 0x7f23317016f9
1114               0x7f23317016cb: mov (%rax), %esi
1115               0x7f23317016cd: mov $0x7f23315000c8, %rdx
1116               0x7f23317016d7: mov (%rdx), %rdx
1117               0x7f23317016da: mov (%rdx,%rsi,8), %rsi
1118               0x7f23317016de: mov $0x7f2330de0000, %rdx
1119               0x7f23317016e8: cmp %rdx, 0x18(%rsi)
1120               0x7f23317016ec: jnz 0x7f23317016f9
1121               0x7f23317016f2: xor %esi, %esi
1122               0x7f23317016f4: jmp 0x7f2331701705
1123               0x7f23317016f9: mov $0x1, %esi
1124               0x7f23317016fe: jmp 0x7f2331701705
1125               0x7f2331701703: xor %esi, %esi
1126               0x7f2331701705: test %esi, %esi
1127               0x7f2331701707: jnz 0x7f233170171b
1128
1129         [  12] jtrue             arg1, 6(->18)
1130               0x7f6c8710156c: mov 0x30(%rbp), %rax
1131               0x7f6c87101570: test %rax, %r15
1132               0x7f6c87101573: jnz 0x7f6c871015c8
1133               0x7f6c87101579: cmp $0x1, 0x5(%rax)
1134               0x7f6c8710157d: jnz 0x7f6c87101592
1135               0x7f6c87101583: cmp $0x0, 0x8(%rax)
1136               0x7f6c87101587: jnz 0x7f6c87101623
1137               0x7f6c8710158d: jmp 0x7f6c87101615
1138               0x7f6c87101592: test $0x1, 0x6(%rax)
1139               0x7f6c87101596: jz 0x7f6c87101623
1140               0x7f6c8710159c: mov (%rax), %esi
1141               0x7f6c8710159e: mov $0x7f6c86f000e0, %rdx
1142               0x7f6c871015a8: mov (%rdx), %rdx
1143               0x7f6c871015ab: mov (%rdx,%rsi,8), %rsi
1144               0x7f6c871015af: mov $0x7f6c867e0000, %rdx
1145               0x7f6c871015b9: cmp %rdx, 0x18(%rsi)
1146               0x7f6c871015bd: jnz 0x7f6c87101623
1147               0x7f6c871015c3: jmp 0x7f6c87101615
1148               0x7f6c871015c8: cmp %r14, %rax
1149               0x7f6c871015cb: jb 0x7f6c871015de
1150               0x7f6c871015d1: test %eax, %eax
1151               0x7f6c871015d3: jnz 0x7f6c87101623
1152               0x7f6c871015d9: jmp 0x7f6c87101615
1153               0x7f6c871015de: test %rax, %r14
1154               0x7f6c871015e1: jz 0x7f6c87101602
1155               0x7f6c871015e7: lea (%r14,%rax), %rsi
1156               0x7f6c871015eb: movq %rsi, %xmm0
1157               0x7f6c871015f0: xorps %xmm1, %xmm1
1158               0x7f6c871015f3: ucomisd %xmm1, %xmm0
1159               0x7f6c871015f7: jz 0x7f6c87101615
1160               0x7f6c871015fd: jmp 0x7f6c87101623
1161               0x7f6c87101602: mov $0x7, %r11
1162               0x7f6c8710160c: cmp %r11, %rax
1163               0x7f6c8710160f: jz 0x7f6c87101623
1164
1165         * dfg/DFGSpeculativeJIT32_64.cpp:
1166         (JSC::DFG::SpeculativeJIT::emitBranch):
1167         * dfg/DFGSpeculativeJIT64.cpp:
1168         (JSC::DFG::SpeculativeJIT::emitBranch):
1169         * jit/AssemblyHelpers.cpp:
1170         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
1171         (JSC::AssemblyHelpers::branchIfValue):
1172         * jit/AssemblyHelpers.h:
1173         (JSC::AssemblyHelpers::branchIfTruthy):
1174         (JSC::AssemblyHelpers::branchIfFalsey):
1175         * jit/JIT.h:
1176         * jit/JITInlines.h:
1177         (JSC::JIT::addJump):
1178         * jit/JITOpcodes.cpp:
1179         (JSC::JIT::emit_op_jfalse):
1180         (JSC::JIT::emit_op_jtrue):
1181         * jit/JITOpcodes32_64.cpp:
1182         (JSC::JIT::emit_op_jfalse):
1183         (JSC::JIT::emit_op_jtrue):
1184
1185 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1186
1187         [JSC] Remove WeakReferenceHarvester
1188         https://bugs.webkit.org/show_bug.cgi?id=186102
1189
1190         Reviewed by Filip Pizlo.
1191
1192         After several cleanups, JSWeakMap is now the last user of WeakReferenceHarvester.
1193         Since JSWeakMap is already managed in an IsoSubspace, we can iterate marked JSWeakMaps
1194         by using output constraints & Subspace iteration.
1195
1196         This patch removes WeakReferenceHarvester. Instead of managing this linked list, our
1197         output constraint set iterates marked JSWeakMaps by using Subspace.
1198
1199         We also add locking for JSWeakMap's rehash and output constraint visiting.
1200
1201         The attached microbenchmark does not show any regression.
1202
1203         * API/JSAPIWrapperObject.h:
1204         * CMakeLists.txt:
1205         * JavaScriptCore.xcodeproj/project.pbxproj:
1206         * heap/Heap.cpp:
1207         (JSC::Heap::endMarking):
1208         (JSC::Heap::addCoreConstraints):
1209         * heap/Heap.h:
1210         * heap/SlotVisitor.cpp:
1211         (JSC::SlotVisitor::addWeakReferenceHarvester): Deleted.
1212         * heap/SlotVisitor.h:
1213         * heap/WeakReferenceHarvester.h: Removed.
1214         * runtime/WeakMapImpl.cpp:
1215         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
1216         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitOutputConstraints):
1217         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
1218         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences): Deleted.
1219         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences): Deleted.
1220         * runtime/WeakMapImpl.h:
1221         (JSC::WeakMapImpl::WeakMapImpl):
1222         (JSC::WeakMapImpl::finishCreation):
1223         (JSC::WeakMapImpl::rehash):
1224         (JSC::WeakMapImpl::makeAndSetNewBuffer):
1225         (JSC::WeakMapImpl::DeadKeyCleaner::target): Deleted.
1226
1227 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1228
1229         [JSC] Object.create should have intrinsic
1230         https://bugs.webkit.org/show_bug.cgi?id=186200
1231
1232         Reviewed by Filip Pizlo.
1233
1234         Object.create is used in various JS code. `Object.create(null)` is particularly used
1235         to create an empty plain object with a null [[Prototype]]. We can find `Object.create(null)`
1236         calls in ARES-6/Babylon code.
1237
1238         This patch adds ObjectCreateIntrinsic to JSC. DFG recognizes it and produces an ObjectCreate
1239         DFG node. DFG AI and constant folding attempt to convert it to NewObject when the prototype
1240         object is null. It offers a significant performance boost for `Object.create(null)`.
1241
1242                                                          baseline                  patched
1243
1244         object-create-null                           53.7940+-1.5297     ^     19.8846+-0.6584        ^ definitely 2.7053x faster
1245         object-create-unknown-object-prototype       38.9977+-1.1364     ^     37.2207+-0.6143        ^ definitely 1.0477x faster
1246         object-create-untyped-prototype              22.5632+-0.6917           22.2539+-0.6876          might be 1.0139x faster
1247
1248         * dfg/DFGAbstractInterpreterInlines.h:
1249         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1250         * dfg/DFGByteCodeParser.cpp:
1251         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1252         * dfg/DFGClobberize.h:
1253         (JSC::DFG::clobberize):
1254         * dfg/DFGConstantFoldingPhase.cpp:
1255         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1256         * dfg/DFGDoesGC.cpp:
1257         (JSC::DFG::doesGC):
1258         * dfg/DFGFixupPhase.cpp:
1259         (JSC::DFG::FixupPhase::fixupNode):
1260         * dfg/DFGNode.h:
1261         (JSC::DFG::Node::convertToNewObject):
1262         * dfg/DFGNodeType.h:
1263         * dfg/DFGOperations.cpp:
1264         * dfg/DFGOperations.h:
1265         * dfg/DFGPredictionPropagationPhase.cpp:
1266         * dfg/DFGSafeToExecute.h:
1267         (JSC::DFG::safeToExecute):
1268         * dfg/DFGSpeculativeJIT.cpp:
1269         (JSC::DFG::SpeculativeJIT::compileObjectCreate):
1270         * dfg/DFGSpeculativeJIT.h:
1271         * dfg/DFGSpeculativeJIT32_64.cpp:
1272         (JSC::DFG::SpeculativeJIT::compile):
1273         * dfg/DFGSpeculativeJIT64.cpp:
1274         (JSC::DFG::SpeculativeJIT::compile):
1275         * ftl/FTLCapabilities.cpp:
1276         (JSC::FTL::canCompile):
1277         * ftl/FTLLowerDFGToB3.cpp:
1278         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1279         (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
1280         * runtime/Intrinsic.cpp:
1281         (JSC::intrinsicName):
1282         * runtime/Intrinsic.h:
1283         * runtime/JSGlobalObject.cpp:
1284         (JSC::JSGlobalObject::init):
1285         (JSC::JSGlobalObject::visitChildren):
1286         * runtime/JSGlobalObject.h:
1287         (JSC::JSGlobalObject::nullPrototypeObjectStructure const):
1288         * runtime/ObjectConstructor.cpp:
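
Added example, not WebKit code: the observable difference between `Object.create(null)` and an object literal, which is why the null-prototype form is the usual way to build an empty "plain dictionary" like the ARES-6/Babylon uses the entry mentions. The helper names and the sample word list are ours.

```javascript
// Added example, not WebKit code: what a null-[[Prototype]] object gives you
// compared with a {} literal. Helper names are constructed for illustration.

function makeDict() {
  return Object.create(null);
}

// Names every {} inherits from Object.prototype; on a null-prototype object
// none of them exist until you add them yourself.
const INHERITED_NAMES = ['toString', 'hasOwnProperty', 'constructor', '__proto__'];

function countInheritedNames(obj) {
  return INHERITED_NAMES.filter(name => name in obj).length;
}

// Store an arbitrary (for instance user-supplied) key and report whether it
// became an own property. On {} the name "__proto__" hits the inherited
// accessor instead of creating an own property; on a null-prototype object
// it is an ordinary key like any other.
function storeKey(obj, key, value) {
  obj[key] = value;
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// A word count keyed by raw strings. With a {} literal, the word "constructor"
// would start from the inherited Object function instead of from zero.
function countWords(words) {
  const counts = makeDict();
  for (const w of words) counts[w] = (counts[w] || 0) + 1;
  return counts;
}

// Non-null prototypes are passed through unchanged; only the null case is the
// one the entry's constant folding turns into a plain NewObject.
function prototypeOfCreated(proto) {
  return Object.getPrototypeOf(Object.create(proto));
}
```

The `countWords` case is the practical reason for the idiom: a dictionary keyed by untrusted strings must not see `Object.prototype`'s names as existing entries, and a null prototype guarantees that without any key filtering.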
1289
1290 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
1291
1292         [ESNext][BigInt] Implement support for addition operations
1293         https://bugs.webkit.org/show_bug.cgi?id=179002
1294
1295         Reviewed by Yusuke Suzuki.
1296
1297         This patch implements support for BigInt operands in the binary "+"
1298         and binary "-" operators. Right now, we have limited support in the DFG
1299         and FTL JIT layers, but we plan to fix this support in future
1300         patches.
1301
1302         * jit/JITOperations.cpp:
1303         * runtime/CommonSlowPaths.cpp:
1304         (JSC::SLOW_PATH_DECL):
1305         * runtime/JSBigInt.cpp:
1306         (JSC::JSBigInt::parseInt):
1307         (JSC::JSBigInt::stringToBigInt):
1308         (JSC::JSBigInt::toString):
1309         (JSC::JSBigInt::multiply):
1310         (JSC::JSBigInt::divide):
1311         (JSC::JSBigInt::remainder):
1312         (JSC::JSBigInt::add):
1313         (JSC::JSBigInt::sub):
1314         (JSC::JSBigInt::absoluteAdd):
1315         (JSC::JSBigInt::absoluteSub):
1316         (JSC::JSBigInt::toStringGeneric):
1317         (JSC::JSBigInt::allocateFor):
1318         (JSC::JSBigInt::toNumber const):
1319         (JSC::JSBigInt::getPrimitiveNumber const):
1320         * runtime/JSBigInt.h:
1321         * runtime/JSCJSValueInlines.h:
1322         * runtime/Operations.cpp:
1323         (JSC::jsAddSlowCase):
1324         * runtime/Operations.h:
1325         (JSC::jsSub):
1326
1327 2018-06-01  Wenson Hsieh  <wenson_hsieh@apple.com>
1328
1329         Fix the watchOS build after r232385
1330         https://bugs.webkit.org/show_bug.cgi?id=186203
1331
1332         Reviewed by Keith Miller.
1333
1334         Add a missing header include for JSImmutableButterfly.
1335
1336         * runtime/ArrayPrototype.cpp:
1337
1338 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1339
1340         [JSC] Add Symbol.prototype.description getter
1341         https://bugs.webkit.org/show_bug.cgi?id=186053
1342
1343         Reviewed by Keith Miller.
1344
1345         The Symbol.prototype.description accessor is now stage 3[1].
1346         This adds a getter to retrieve the [[Description]] value from a Symbol.
1347         Previously, Symbol#toString() returned a `Symbol(${description})` value,
1348         so users needed to extract the `description` part if they wanted it.
1349
1350         [1]: https://tc39.github.io/proposal-Symbol-description/
1351
1352         * runtime/Symbol.cpp:
1353         (JSC::Symbol::description const):
1354         * runtime/Symbol.h:
1355         * runtime/SymbolPrototype.cpp:
1356         (JSC::tryExtractSymbol):
1357         (JSC::symbolProtoGetterDescription):
1358         (JSC::symbolProtoFuncToString):
1359         (JSC::symbolProtoFuncValueOf):
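
Added example, not WebKit code: the two ways of getting at a symbol's description, the string parse of `Symbol#toString()` that the entry describes as the previous workaround and the new `Symbol.prototype.description` getter, together with the inputs on which they differ and the receiver check the getter performs. The helper names are ours; only the standard `Symbol` API is used.

```javascript
// Added example, not WebKit code: comparing the toString()-parsing workaround
// with the Symbol.prototype.description getter. Helper names are constructed.

// Old approach: strip the "Symbol(" prefix and ")" suffix from toString().
function descriptionByParsing(sym) {
  const s = sym.toString(); // e.g. "Symbol(foo)"
  return s.slice('Symbol('.length, -1);
}

// New approach: read [[Description]] through the getter.
function descriptionByGetter(sym) {
  return sym.description;
}

// The getter is strict about its receiver: a Symbol primitive or a Symbol
// wrapper object is accepted, anything else throws a TypeError.
function getterRejects(receiver) {
  const getter = Object.getOwnPropertyDescriptor(Symbol.prototype, 'description').get;
  try {
    getter.call(receiver);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Where the parse cannot tell inputs apart: Symbol() and Symbol('') both
// stringify to "Symbol()", but their descriptions are undefined and ''.
function parsingLosesDistinction() {
  const noDesc = Symbol();
  const emptyDesc = Symbol('');
  return descriptionByParsing(noDesc) === descriptionByParsing(emptyDesc)
      && descriptionByGetter(noDesc) !== descriptionByGetter(emptyDesc);
}
```

Registered symbols (`Symbol.for`) and well-known symbols carry descriptions too, so `descriptionByGetter(Symbol.iterator)` yields the string `'Symbol.iterator'` rather than requiring a parse of the dumped form.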
1360
1361 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1362
1363         [JSC] Correct values and members of JSBigInt appropriately
1364         https://bugs.webkit.org/show_bug.cgi?id=186196
1365
1366         Reviewed by Darin Adler.
1367
1368         This patch cleans up a bit to select more appropriate values and members of JSBigInt.
1369
1370         1. JSBigInt's structure should be StructureIsImmortal.
1371         2. JSBigInt::allocationSize should be annotated with `inline`.
1372         3. Remove JSBigInt::visitChildren since it is completely the same as JSCell::visitChildren.
1373         4. Remove JSBigInt::finishCreation since it is completely the same as JSCell::finishCreation.
1374
1375         * runtime/JSBigInt.cpp:
1376         (JSC::JSBigInt::allocationSize):
1377         (JSC::JSBigInt::allocateFor):
1378         (JSC::JSBigInt::compareToDouble):
1379         (JSC::JSBigInt::visitChildren): Deleted.
1380         (JSC::JSBigInt::finishCreation): Deleted.
1381         * runtime/JSBigInt.h:
1382
1383 2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1384
1385         [DFG] InById should be converted to MatchStructure
1386         https://bugs.webkit.org/show_bug.cgi?id=185803
1387
1388         Reviewed by Keith Miller.
1389
1390         MatchStructure was introduced for instanceof optimization, but this node
1391         is also useful for the InById node. This patch converts InById to a MatchStructure
1392         node with CheckStructures if possible by using InByIdStatus.
1393
1394         Added microbenchmarks show improvements.
1395
1396                                    baseline                  patched
1397
1398         in-by-id-removed       18.1196+-0.8108     ^     16.1702+-0.9773        ^ definitely 1.1206x faster
1399         in-by-id-match         16.3912+-0.2608     ^     15.2736+-0.8173        ^ definitely 1.0732x faster
1400
1401         * JavaScriptCore.xcodeproj/project.pbxproj:
1402         * Sources.txt:
1403         * bytecode/InByIdStatus.cpp: Added.
1404         (JSC::InByIdStatus::appendVariant):
1405         (JSC::InByIdStatus::computeFor):
1406         (JSC::InByIdStatus::hasExitSite):
1407         (JSC::InByIdStatus::computeForStubInfo):
1408         (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1409         (JSC::InByIdStatus::filter):
1410         (JSC::InByIdStatus::dump const):
1411         * bytecode/InByIdStatus.h: Added.
1412         (JSC::InByIdStatus::InByIdStatus):
1413         (JSC::InByIdStatus::state const):
1414         (JSC::InByIdStatus::isSet const):
1415         (JSC::InByIdStatus::operator bool const):
1416         (JSC::InByIdStatus::isSimple const):
1417         (JSC::InByIdStatus::numVariants const):
1418         (JSC::InByIdStatus::variants const):
1419         (JSC::InByIdStatus::at const):
1420         (JSC::InByIdStatus::operator[] const):
1421         (JSC::InByIdStatus::takesSlowPath const):
1422         * bytecode/InByIdVariant.cpp: Added.
1423         (JSC::InByIdVariant::InByIdVariant):
1424         (JSC::InByIdVariant::attemptToMerge):
1425         (JSC::InByIdVariant::dump const):
1426         (JSC::InByIdVariant::dumpInContext const):
1427         * bytecode/InByIdVariant.h: Added.
1428         (JSC::InByIdVariant::isSet const):
1429         (JSC::InByIdVariant::operator bool const):
1430         (JSC::InByIdVariant::structureSet const):
1431         (JSC::InByIdVariant::structureSet):
1432         (JSC::InByIdVariant::conditionSet const):
1433         (JSC::InByIdVariant::offset const):
1434         (JSC::InByIdVariant::isHit const):
1435         * bytecode/PolyProtoAccessChain.h:
1436         * dfg/DFGByteCodeParser.cpp:
1437         (JSC::DFG::ByteCodeParser::parseBlock):
1438
1439 2018-06-01  Keith Miller  <keith_miller@apple.com>
1440
1441         move should only emit the move if it's actually needed
1442         https://bugs.webkit.org/show_bug.cgi?id=186123
1443
1444         Reviewed by Saam Barati.
1445
1446         This patch replaces move with moveToDestinationIfNeeded. This
1447         will prevent us from emitting moves to the same location. The old
1448         move has been renamed to emitMove and made private.
1449
1450         * bytecompiler/BytecodeGenerator.cpp:
1451         (JSC::BytecodeGenerator::BytecodeGenerator):
1452         (JSC::BytecodeGenerator::emitMove):
1453         (JSC::BytecodeGenerator::emitGetGlobalPrivate):
1454         (JSC::BytecodeGenerator::emitGetAsyncIterator):
1455         (JSC::BytecodeGenerator::move): Deleted.
1456         * bytecompiler/BytecodeGenerator.h:
1457         (JSC::BytecodeGenerator::move):
1458         (JSC::BytecodeGenerator::moveToDestinationIfNeeded): Deleted.
1459         * bytecompiler/NodesCodegen.cpp:
1460         (JSC::ThisNode::emitBytecode):
1461         (JSC::SuperNode::emitBytecode):
1462         (JSC::NewTargetNode::emitBytecode):
1463         (JSC::ResolveNode::emitBytecode):
1464         (JSC::TaggedTemplateNode::emitBytecode):
1465         (JSC::ArrayNode::emitBytecode):
1466         (JSC::ObjectLiteralNode::emitBytecode):
1467         (JSC::EvalFunctionCallNode::emitBytecode):
1468         (JSC::FunctionCallResolveNode::emitBytecode):
1469         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
1470         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1471         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
1472         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
1473         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString):
1474         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
1475         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
1476         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray):
1477         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject):
1478         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject):
1479         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
1480         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray):
1481         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap):
1482         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet):
1483         (JSC::CallFunctionCallDotNode::emitBytecode):
1484         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1485         (JSC::emitPostIncOrDec):
1486         (JSC::PostfixNode::emitBracket):
1487         (JSC::PostfixNode::emitDot):
1488         (JSC::PrefixNode::emitResolve):
1489         (JSC::PrefixNode::emitBracket):
1490         (JSC::PrefixNode::emitDot):
1491         (JSC::LogicalOpNode::emitBytecode):
1492         (JSC::ReadModifyResolveNode::emitBytecode):
1493         (JSC::AssignResolveNode::emitBytecode):
1494         (JSC::AssignDotNode::emitBytecode):
1495         (JSC::AssignBracketNode::emitBytecode):
1496         (JSC::FunctionNode::emitBytecode):
1497         (JSC::ClassExprNode::emitBytecode):
1498         (JSC::DestructuringAssignmentNode::emitBytecode):
1499         (JSC::ArrayPatternNode::emitDirectBinding):
1500         (JSC::ObjectPatternNode::bindValue const):
1501         (JSC::AssignmentElementNode::bindValue const):
1502         (JSC::ObjectSpreadExpressionNode::emitBytecode):
1503
1504 2018-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1505
1506         [Baseline] Store constant directly in emit_op_mov
1507         https://bugs.webkit.org/show_bug.cgi?id=186182
1508
1509         Reviewed by Saam Barati.
1510
1511         In the old code, we first move a constant to a register and store it to the specified address.
1512         But in 64-bit JSC, we can directly store a constant to the specified address. This reduces the
1513         generated code size. Since the old code was emitting a constant in the code anyway, this change
1514         never increases the size of the generated code.
1515
1516         * jit/JITInlines.h:
1517         (JSC::JIT::emitGetVirtualRegister):
1518         We remove this obsolete comment. Our OSR relies on the fact that values are stored and loaded
1519         from the stack. If we transfer values in registers without loading values from the stack, it
1520         breaks this assumption.
1521
1522         * jit/JITOpcodes.cpp:
1523         (JSC::JIT::emit_op_mov):
1524
1525 2018-05-31  Caio Lima  <ticaiolima@gmail.com>
1526
1527         [ESNext][BigInt] Implement support for "=<" and ">=" relational operation
1528         https://bugs.webkit.org/show_bug.cgi?id=185929
1529
1530         Reviewed by Yusuke Suzuki.
1531
1532         This patch is introducing support for BigInt operands in the ">=" and
1533         "<=" operators.
1534         Here we introduce `bigIntCompareResult`, a helper function
1535         to reuse code between "less than" and "less than or equal" operators.
1536
1537         * runtime/JSBigInt.h:
1538         * runtime/Operations.h:
1539         (JSC::bigIntCompareResult):
1540         (JSC::bigIntCompare):
1541         (JSC::jsLess):
1542         (JSC::jsLessEq):
1543         (JSC::bigIntCompareLess): Deleted.
1544
1545 2018-05-31  Saam Barati  <sbarati@apple.com>
1546
1547         Cache toString results for CoW arrays
1548         https://bugs.webkit.org/show_bug.cgi?id=186160
1549
1550         Reviewed by Keith Miller.
1551
1552         This patch makes it so that we cache the result of toString on
1553         arrays with a CoW butterfly. This cache lives on Heap and is
1554         cleared after every GC. We only cache the toString result when
1555         the CoW butterfly doesn't have a hole (currently, all CoW arrays
1556         have a hole, but this isn't an invariant we want to rely on). The
1557         reason for this is that if there is a hole, the value may be loaded
1558         from the prototype, and the cache may produce a stale result.
1559         
1560         This is a ~4% speedup on the ML subtest in ARES, and a ~1% overall
1561         progression on ARES.
1562
1563         * heap/Heap.cpp:
1564         (JSC::Heap::finalize):
1565         (JSC::Heap::addCoreConstraints):
1566         * heap/Heap.h:
1567         * runtime/ArrayPrototype.cpp:
1568         (JSC::canUseFastJoin):
1569         (JSC::holesMustForwardToPrototype):
1570         (JSC::isHole):
1571         (JSC::containsHole):
1572         (JSC::fastJoin):
1573         (JSC::arrayProtoFuncToString):
1574
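The hole hazard that the entry above guards against, shown with an added JavaScript example that is not WebKit code: a toy toString cache (the names toStringCache, cachedToString, containsHole and simulateGC are invented here) returns a stale string for a holey array once the prototype gains a value at the hole's index, unless holey arrays are excluded from the cache as the patch does.

```javascript
// Added illustration, not WebKit code: a toy version of the per-Heap toString cache
// described in the ChangeLog entry, to show why arrays with holes must not be cached.
// All names below are invented for this example.

// Mirrors the "containsHole" idea from ArrayPrototype.cpp: a hole is an index that is
// below length but is not an own property of the array (reads fall through to the prototype).
function containsHole(array) {
  for (let i = 0; i < array.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(array, i))
      return true;
  }
  return false;
}

// Stands in for the cache that lives on Heap in JSC.
let toStringCache = new WeakMap();

// Simulates a GC finishing: the real cache is cleared after every GC.
function simulateGC() {
  toStringCache = new WeakMap();
}

// guardHoles=false reproduces the unsafe behaviour the entry warns about;
// guardHoles=true is the behaviour the patch implements.
function cachedToString(array, guardHoles = true) {
  if (toStringCache.has(array))
    return toStringCache.get(array);
  const result = Array.prototype.toString.call(array);
  if (!guardHoles || !containsHole(array))
    toStringCache.set(array, result);
  return result;
}

// Scenario: a holey array is stringified, then the prototype gains a value at the hole's
// index. A correct implementation must now observe the prototype's value.
function demonstrateStaleCache(guardHoles) {
  simulateGC();
  const holey = [1, , 3];                            // constructed sample: hole at index 1
  const first = cachedToString(holey, guardHoles);   // "1,,3"
  Array.prototype[1] = "fromProto";                  // the hole now forwards to this value
  let second;
  try {
    second = cachedToString(holey, guardHoles);      // stale "1,,3" if the hole was cached
  } finally {
    delete Array.prototype[1];                       // restore the prototype
  }
  return { first, second, stale: first === second };
}

// A dense array is safe to cache, and the cache entry disappears at the next (simulated) GC.
function demonstrateDenseCache() {
  simulateGC();
  const dense = [1, 2, 3];                           // constructed sample without holes
  const first = cachedToString(dense);
  const hit = toStringCache.has(dense);
  simulateGC();
  return { first, hit, clearedAfterGC: !toStringCache.has(dense) };
}
```
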
1575 2018-05-31  Saam Barati  <sbarati@apple.com>
1576
1577         PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
1578         https://bugs.webkit.org/show_bug.cgi?id=186169
1579
1580         Reviewed by Mark Lam.
1581
1582         If we don't do this, the CFA validation rule about StructureID being
1583         clobbered but AI not clobbering or folding a clobber will cause us
1584         to crash. Simon was running into this yesterday on arstechnica.com.
1585         I couldn't come up with a test case for this, but it's obvious
1586         what the issue is by looking at the IR dump at the time of the crash.
1587
1588         * dfg/DFGAbstractInterpreterInlines.h:
1589         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1590
1591 2018-05-31  Saam Barati  <sbarati@apple.com>
1592
1593         JSImmutableButterfly should align its variable storage
1594         https://bugs.webkit.org/show_bug.cgi?id=186159
1595
1596         Reviewed by Mark Lam.
1597
1598         I'm also making the use of reinterpret_cast and bitwise_cast consistent
1599         inside of JSImmutableButterfly. I switched everything to use bitwise_cast.
1600
1601         * runtime/JSImmutableButterfly.h:
1602         (JSC::JSImmutableButterfly::toButterfly const):
1603         (JSC::JSImmutableButterfly::fromButterfly):
1604         (JSC::JSImmutableButterfly::offsetOfData):
1605         (JSC::JSImmutableButterfly::allocationSize):
1606
1607 2018-05-31  Keith Miller  <keith_miller@apple.com>
1608
1609         DFGArrayModes needs to know more about CoW arrays
1610         https://bugs.webkit.org/show_bug.cgi?id=186162
1611
1612         Reviewed by Filip Pizlo.
1613
1614         This patch fixes two issues in DFGArrayMode.
1615
1616         1) fromObserved was missing switch cases for when the only observed ArrayModes are CopyOnWrite.
1617         2) DFGArrayModes needs to track if the ArrayClass is an OriginalCopyOnWriteArray in order
1618         to vend an accurate original structure.
1619
1620         Additionally, this patch fixes some places in Bytecode parsing where we told the array mode
1621         we were doing a read when we were actually doing a write. Also, DFGArrayMode will now print the
1622         action it is expecting when being dumped.
1623
1624         * bytecode/ArrayProfile.h:
1625         (JSC::hasSeenWritableArray):
1626         * dfg/DFGArrayMode.cpp:
1627         (JSC::DFG::ArrayMode::fromObserved):
1628         (JSC::DFG::ArrayMode::refine const):
1629         (JSC::DFG::ArrayMode::originalArrayStructure const):
1630         (JSC::DFG::arrayActionToString):
1631         (JSC::DFG::arrayClassToString):
1632         (JSC::DFG::ArrayMode::dump const):
1633         (WTF::printInternal):
1634         * dfg/DFGArrayMode.h:
1635         (JSC::DFG::ArrayMode::withProfile const):
1636         (JSC::DFG::ArrayMode::isJSArray const):
1637         (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure const):
1638         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
1639         * dfg/DFGByteCodeParser.cpp:
1640         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1641         (JSC::DFG::ByteCodeParser::parseBlock):
1642         * dfg/DFGFixupPhase.cpp:
1643         (JSC::DFG::FixupPhase::fixupNode):
1644         * dfg/DFGSpeculativeJIT.cpp:
1645         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
1646         * ftl/FTLLowerDFGToB3.cpp:
1647         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
1648
1649 2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1650
1651         [JSC] Pass VM& parameter as much as possible
1652         https://bugs.webkit.org/show_bug.cgi?id=186085
1653
1654         Reviewed by Saam Barati.
1655
1656         JSCell::vm() is slow compared to ExecState::vm(). That's why we have a bunch of functions in JSCell/JSObject that take VM& as a parameter.
1657         For example, we have JSCell::structure() and JSCell::structure(VM&), the former retrieves VM& from the cell and invokes structure(VM&).
1658         If we can get VM& from ExecState* or the other place, it reduces the inlined code size.
1659         This patch attempts to pass VM& parameter to such functions as much as possible.
1660
1661         * API/APICast.h:
1662         (toJS):
1663         (toJSForGC):
1664         * API/JSCallbackObjectFunctions.h:
1665         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
1666         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
1667         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1668         * API/JSObjectRef.cpp:
1669         (JSObjectIsConstructor):
1670         * API/JSTypedArray.cpp:
1671         (JSObjectGetTypedArrayBuffer):
1672         * API/JSValueRef.cpp:
1673         (JSValueIsInstanceOfConstructor):
1674         * bindings/ScriptFunctionCall.cpp:
1675         (Deprecated::ScriptFunctionCall::call):
1676         * bindings/ScriptValue.cpp:
1677         (Inspector::jsToInspectorValue):
1678         * bytecode/AccessCase.cpp:
1679         (JSC::AccessCase::generateImpl):
1680         * bytecode/CodeBlock.cpp:
1681         (JSC::CodeBlock::CodeBlock):
1682         * bytecode/ObjectAllocationProfileInlines.h:
1683         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
1684         * bytecode/ObjectPropertyConditionSet.cpp:
1685         (JSC::generateConditionsForInstanceOf):
1686         * bytecode/PropertyCondition.cpp:
1687         (JSC::PropertyCondition::isWatchableWhenValid const):
1688         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
1689         * bytecode/StructureStubClearingWatchpoint.cpp:
1690         (JSC::StructureStubClearingWatchpoint::fireInternal):
1691         * debugger/Debugger.cpp:
1692         (JSC::Debugger::detach):
1693         * debugger/DebuggerScope.cpp:
1694         (JSC::DebuggerScope::create):
1695         (JSC::DebuggerScope::put):
1696         (JSC::DebuggerScope::deleteProperty):
1697         (JSC::DebuggerScope::getOwnPropertyNames):
1698         (JSC::DebuggerScope::defineOwnProperty):
1699         * dfg/DFGAbstractInterpreterInlines.h:
1700         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1701         * dfg/DFGAbstractValue.cpp:
1702         (JSC::DFG::AbstractValue::mergeOSREntryValue):
1703         * dfg/DFGArgumentsEliminationPhase.cpp:
1704         * dfg/DFGArrayMode.cpp:
1705         (JSC::DFG::ArrayMode::refine const):
1706         * dfg/DFGByteCodeParser.cpp:
1707         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1708         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1709         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1710         (JSC::DFG::ByteCodeParser::check):
1711         * dfg/DFGConstantFoldingPhase.cpp:
1712         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1713         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
1714         * dfg/DFGFixupPhase.cpp:
1715         (JSC::DFG::FixupPhase::fixupNode):
1716         * dfg/DFGGraph.cpp:
1717         (JSC::DFG::Graph::tryGetConstantProperty):
1718         * dfg/DFGOperations.cpp:
1719         * dfg/DFGSpeculativeJIT.cpp:
1720         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1721         * dfg/DFGStrengthReductionPhase.cpp:
1722         (JSC::DFG::StrengthReductionPhase::handleNode):
1723         * ftl/FTLLowerDFGToB3.cpp:
1724         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1725         * ftl/FTLOperations.cpp:
1726         (JSC::FTL::operationPopulateObjectInOSR):
1727         * inspector/InjectedScriptManager.cpp:
1728         (Inspector::InjectedScriptManager::createInjectedScript):
1729         * inspector/JSJavaScriptCallFrame.cpp:
1730         (Inspector::JSJavaScriptCallFrame::caller const):
1731         (Inspector::JSJavaScriptCallFrame::scopeChain const):
1732         * interpreter/CallFrame.cpp:
1733         (JSC::CallFrame::wasmAwareLexicalGlobalObject):
1734         * interpreter/Interpreter.cpp:
1735         (JSC::Interpreter::executeProgram):
1736         (JSC::Interpreter::executeCall):
1737         (JSC::Interpreter::executeConstruct):
1738         (JSC::Interpreter::execute):
1739         (JSC::Interpreter::executeModuleProgram):
1740         * jit/JITOperations.cpp:
1741         (JSC::getByVal):
1742         * jit/Repatch.cpp:
1743         (JSC::tryCacheInByID):
1744         * jsc.cpp:
1745         (functionDollarAgentReceiveBroadcast):
1746         (functionHasCustomProperties):
1747         * llint/LLIntSlowPaths.cpp:
1748         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1749         (JSC::LLInt::setupGetByIdPrototypeCache):
1750         (JSC::LLInt::getByVal):
1751         (JSC::LLInt::handleHostCall):
1752         (JSC::LLInt::llint_throw_stack_overflow_error):
1753         * runtime/AbstractModuleRecord.cpp:
1754         (JSC::AbstractModuleRecord::finishCreation):
1755         * runtime/ArrayConstructor.cpp:
1756         (JSC::constructArrayWithSizeQuirk):
1757         * runtime/ArrayPrototype.cpp:
1758         (JSC::speciesWatchpointIsValid):
1759         (JSC::arrayProtoFuncToString):
1760         (JSC::arrayProtoFuncToLocaleString):
1761         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
1762         * runtime/AsyncFunctionConstructor.cpp:
1763         (JSC::callAsyncFunctionConstructor):
1764         (JSC::constructAsyncFunctionConstructor):
1765         * runtime/AsyncGeneratorFunctionConstructor.cpp:
1766         (JSC::callAsyncGeneratorFunctionConstructor):
1767         (JSC::constructAsyncGeneratorFunctionConstructor):
1768         * runtime/BooleanConstructor.cpp:
1769         (JSC::constructWithBooleanConstructor):
1770         * runtime/ClonedArguments.cpp:
1771         (JSC::ClonedArguments::createEmpty):
1772         (JSC::ClonedArguments::createWithInlineFrame):
1773         (JSC::ClonedArguments::createWithMachineFrame):
1774         (JSC::ClonedArguments::createByCopyingFrom):
1775         (JSC::ClonedArguments::getOwnPropertySlot):
1776         (JSC::ClonedArguments::materializeSpecials):
1777         * runtime/CommonSlowPaths.cpp:
1778         (JSC::SLOW_PATH_DECL):
1779         * runtime/CommonSlowPaths.h:
1780         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1781         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1782         (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
1783         * runtime/ConstructData.cpp:
1784         (JSC::construct):
1785         * runtime/DateConstructor.cpp:
1786         (JSC::constructWithDateConstructor):
1787         * runtime/DatePrototype.cpp:
1788         (JSC::dateProtoFuncToJSON):
1789         * runtime/DirectArguments.cpp:
1790         (JSC::DirectArguments::overrideThings):
1791         * runtime/Error.cpp:
1792         (JSC::getStackTrace):
1793         * runtime/ErrorConstructor.cpp:
1794         (JSC::Interpreter::constructWithErrorConstructor):
1795         (JSC::Interpreter::callErrorConstructor):
1796         * runtime/FunctionConstructor.cpp:
1797         (JSC::constructWithFunctionConstructor):
1798         (JSC::callFunctionConstructor):
1799         * runtime/GeneratorFunctionConstructor.cpp:
1800         (JSC::callGeneratorFunctionConstructor):
1801         (JSC::constructGeneratorFunctionConstructor):
1802         * runtime/GenericArgumentsInlines.h:
1803         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1804         * runtime/InferredStructureWatchpoint.cpp:
1805         (JSC::InferredStructureWatchpoint::fireInternal):
1806         * runtime/InferredType.cpp:
1807         (JSC::InferredType::removeStructure):
1808         * runtime/InferredType.h:
1809         * runtime/InferredTypeInlines.h:
1810         (JSC::InferredType::finalizeUnconditionally):
1811         * runtime/IntlCollator.cpp:
1812         (JSC::IntlCollator::initializeCollator):
1813         * runtime/IntlCollatorConstructor.cpp:
1814         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1815         * runtime/IntlCollatorPrototype.cpp:
1816         (JSC::IntlCollatorPrototypeGetterCompare):
1817         * runtime/IntlDateTimeFormat.cpp:
1818         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1819         (JSC::IntlDateTimeFormat::formatToParts):
1820         * runtime/IntlDateTimeFormatConstructor.cpp:
1821         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1822         * runtime/IntlDateTimeFormatPrototype.cpp:
1823         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1824         * runtime/IntlNumberFormat.cpp:
1825         (JSC::IntlNumberFormat::initializeNumberFormat):
1826         (JSC::IntlNumberFormat::formatToParts):
1827         * runtime/IntlNumberFormatConstructor.cpp:
1828         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1829         * runtime/IntlNumberFormatPrototype.cpp:
1830         (JSC::IntlNumberFormatPrototypeGetterFormat):
1831         * runtime/IntlObject.cpp:
1832         (JSC::canonicalizeLocaleList):
1833         (JSC::defaultLocale):
1834         (JSC::lookupSupportedLocales):
1835         (JSC::intlObjectFuncGetCanonicalLocales):
1836         * runtime/IntlPluralRules.cpp:
1837         (JSC::IntlPluralRules::initializePluralRules):
1838         (JSC::IntlPluralRules::resolvedOptions):
1839         * runtime/IntlPluralRulesConstructor.cpp:
1840         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
1841         * runtime/IteratorOperations.cpp:
1842         (JSC::iteratorNext):
1843         (JSC::iteratorClose):
1844         (JSC::iteratorForIterable):
1845         * runtime/JSArray.cpp:
1846         (JSC::JSArray::shiftCountWithArrayStorage):
1847         (JSC::JSArray::unshiftCountWithArrayStorage):
1848         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
1849         * runtime/JSArrayBufferConstructor.cpp:
1850         (JSC::JSArrayBufferConstructor::finishCreation):
1851         (JSC::constructArrayBuffer):
1852         * runtime/JSArrayBufferPrototype.cpp:
1853         (JSC::arrayBufferProtoFuncSlice):
1854         * runtime/JSArrayBufferView.cpp:
1855         (JSC::JSArrayBufferView::unsharedJSBuffer):
1856         (JSC::JSArrayBufferView::possiblySharedJSBuffer):
1857         * runtime/JSAsyncFunction.cpp:
1858         (JSC::JSAsyncFunction::createImpl):
1859         (JSC::JSAsyncFunction::create):
1860         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
1861         * runtime/JSAsyncGeneratorFunction.cpp:
1862         (JSC::JSAsyncGeneratorFunction::createImpl):
1863         (JSC::JSAsyncGeneratorFunction::create):
1864         (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
1865         * runtime/JSBoundFunction.cpp:
1866         (JSC::boundThisNoArgsFunctionCall):
1867         (JSC::boundFunctionCall):
1868         (JSC::boundThisNoArgsFunctionConstruct):
1869         (JSC::boundFunctionConstruct):
1870         (JSC::getBoundFunctionStructure):
1871         (JSC::JSBoundFunction::create):
1872         (JSC::JSBoundFunction::boundArgsCopy):
1873         * runtime/JSCJSValue.cpp:
1874         (JSC::JSValue::putToPrimitive):
1875         * runtime/JSCellInlines.h:
1876         (JSC::JSCell::setStructure):
1877         (JSC::JSCell::methodTable const):
1878         (JSC::JSCell::toBoolean const):
1879         * runtime/JSFunction.h:
1880         (JSC::JSFunction::createImpl):
1881         * runtime/JSGeneratorFunction.cpp:
1882         (JSC::JSGeneratorFunction::createImpl):
1883         (JSC::JSGeneratorFunction::create):
1884         (JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
1885         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1886         (JSC::constructGenericTypedArrayViewWithArguments):
1887         (JSC::constructGenericTypedArrayView):
1888         * runtime/JSGenericTypedArrayViewInlines.h:
1889         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1890         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
1891         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
1892         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1893         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1894         (JSC::genericTypedArrayViewProtoFuncSlice):
1895         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1896         * runtime/JSGlobalObject.cpp:
1897         (JSC::JSGlobalObject::init):
1898         (JSC::JSGlobalObject::exposeDollarVM):
1899         (JSC::JSGlobalObject::finishCreation):
1900         * runtime/JSGlobalObject.h:
1901         * runtime/JSGlobalObjectFunctions.cpp:
1902         (JSC::globalFuncEval):
1903         * runtime/JSInternalPromise.cpp:
1904         (JSC::JSInternalPromise::then):
1905         * runtime/JSInternalPromiseConstructor.cpp:
1906         (JSC::constructPromise):
1907         * runtime/JSJob.cpp:
1908         (JSC::JSJobMicrotask::run):
1909         * runtime/JSLexicalEnvironment.cpp:
1910         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
1911         (JSC::JSLexicalEnvironment::put):
1912         * runtime/JSMap.cpp:
1913         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
1914         * runtime/JSMapIterator.cpp:
1915         (JSC::JSMapIterator::createPair):
1916         * runtime/JSModuleLoader.cpp:
1917         (JSC::JSModuleLoader::provideFetch):
1918         (JSC::JSModuleLoader::loadAndEvaluateModule):
1919         (JSC::JSModuleLoader::loadModule):
1920         (JSC::JSModuleLoader::linkAndEvaluateModule):
1921         (JSC::JSModuleLoader::requestImportModule):
1922         * runtime/JSONObject.cpp:
1923         (JSC::JSONProtoFuncParse):
1924         * runtime/JSObject.cpp:
1925         (JSC::JSObject::putInlineSlow):
1926         (JSC::JSObject::putByIndex):
1927         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1928         (JSC::JSObject::createInitialIndexedStorage):
1929         (JSC::JSObject::createArrayStorage):
1930         (JSC::JSObject::convertUndecidedToArrayStorage):
1931         (JSC::JSObject::convertInt32ToArrayStorage):
1932         (JSC::JSObject::convertDoubleToArrayStorage):
1933         (JSC::JSObject::convertContiguousToArrayStorage):
1934         (JSC::JSObject::convertFromCopyOnWrite):
1935         (JSC::JSObject::ensureWritableInt32Slow):
1936         (JSC::JSObject::ensureWritableDoubleSlow):
1937         (JSC::JSObject::ensureWritableContiguousSlow):
1938         (JSC::JSObject::ensureArrayStorageSlow):
1939         (JSC::JSObject::setPrototypeDirect):
1940         (JSC::JSObject::deleteProperty):
1941         (JSC::callToPrimitiveFunction):
1942         (JSC::JSObject::hasInstance):
1943         (JSC::JSObject::getOwnNonIndexPropertyNames):
1944         (JSC::JSObject::preventExtensions):
1945         (JSC::JSObject::isExtensible):
1946         (JSC::JSObject::reifyAllStaticProperties):
1947         (JSC::JSObject::fillGetterPropertySlot):
1948         (JSC::JSObject::defineOwnIndexedProperty):
1949         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1950         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1951         (JSC::JSObject::putByIndexBeyondVectorLength):
1952         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1953         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1954         (JSC::JSObject::getNewVectorLength):
1955         (JSC::JSObject::increaseVectorLength):
1956         (JSC::JSObject::reallocateAndShrinkButterfly):
1957         (JSC::JSObject::shiftButterflyAfterFlattening):
1958         (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
1959         (JSC::JSObject::prototypeChainMayInterceptStoreTo):
1960         (JSC::JSObject::needsSlowPutIndexing const):
1961         (JSC::JSObject::suggestedArrayStorageTransition const):
1962         * runtime/JSObject.h:
1963         (JSC::JSObject::mayInterceptIndexedAccesses):
1964         (JSC::JSObject::hasIndexingHeader const):
1965         (JSC::JSObject::hasCustomProperties):
1966         (JSC::JSObject::hasGetterSetterProperties):
1967         (JSC::JSObject::hasCustomGetterSetterProperties):
1968         (JSC::JSObject::isExtensibleImpl):
1969         (JSC::JSObject::isStructureExtensible):
1970         (JSC::JSObject::indexingShouldBeSparse):
1971         (JSC::JSObject::staticPropertiesReified):
1972         (JSC::JSObject::globalObject const):
1973         (JSC::JSObject::finishCreation):
1974         (JSC::JSNonFinalObject::finishCreation):
1975         (JSC::getCallData):
1976         (JSC::getConstructData):
1977         (JSC::JSObject::getOwnNonIndexPropertySlot):
1978         (JSC::JSObject::putOwnDataProperty):
1979         (JSC::JSObject::putOwnDataPropertyMayBeIndex):
1980         (JSC::JSObject::butterflyPreCapacity):
1981         (JSC::JSObject::butterflyTotalSize):
1982         * runtime/JSObjectInlines.h:
1983         (JSC::JSObject::putDirectInternal):
1984         * runtime/JSPromise.cpp:
1985         (JSC::JSPromise::initialize):
1986         (JSC::JSPromise::resolve):
1987         * runtime/JSPromiseConstructor.cpp:
1988         (JSC::constructPromise):
1989         * runtime/JSPromiseDeferred.cpp:
1990         (JSC::newPromiseCapability):
1991         (JSC::callFunction):
1992         * runtime/JSScope.cpp:
1993         (JSC::abstractAccess):
1994         * runtime/JSScope.h:
1995         (JSC::JSScope::globalObject): Deleted.
1996         Remove this JSScope::globalObject function since it is completely the same as JSObject::globalObject().
1997
1998         * runtime/JSSet.cpp:
1999         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
2000         * runtime/JSSetIterator.cpp:
2001         (JSC::JSSetIterator::createPair):
2002         * runtime/JSStringIterator.cpp:
2003         (JSC::JSStringIterator::clone):
2004         * runtime/Lookup.cpp:
2005         (JSC::reifyStaticAccessor):
2006         (JSC::setUpStaticFunctionSlot):
2007         * runtime/Lookup.h:
2008         (JSC::getStaticPropertySlotFromTable):
2009         (JSC::replaceStaticPropertySlot):
2010         (JSC::reifyStaticProperty):
2011         * runtime/MapConstructor.cpp:
2012         (JSC::constructMap):
2013         * runtime/NumberConstructor.cpp:
2014         (JSC::NumberConstructor::finishCreation):
2015         * runtime/ObjectConstructor.cpp:
2016         (JSC::constructObject):
2017         (JSC::objectConstructorAssign):
2018         (JSC::toPropertyDescriptor):
2019         * runtime/ObjectPrototype.cpp:
2020         (JSC::objectProtoFuncDefineGetter):
2021         (JSC::objectProtoFuncDefineSetter):
2022         (JSC::objectProtoFuncToLocaleString):
2023         * runtime/Operations.cpp:
2024         (JSC::jsIsFunctionType): Deleted.
2025         Replace it with JSValue::isFunction(VM&).
2026
2027         * runtime/Operations.h:
2028         * runtime/ProgramExecutable.cpp:
2029         (JSC::ProgramExecutable::initializeGlobalProperties):
2030         * runtime/RegExpConstructor.cpp:
2031         (JSC::constructWithRegExpConstructor):
2032         (JSC::callRegExpConstructor):
2033         * runtime/SamplingProfiler.cpp:
2034         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2035         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
2036         * runtime/ScopedArguments.cpp:
2037         (JSC::ScopedArguments::overrideThings):
2038         * runtime/ScriptExecutable.cpp:
2039         (JSC::ScriptExecutable::newCodeBlockFor):
2040         (JSC::ScriptExecutable::prepareForExecutionImpl):
2041         * runtime/SetConstructor.cpp:
2042         (JSC::constructSet):
2043         * runtime/SparseArrayValueMap.cpp:
2044         (JSC::SparseArrayValueMap::putEntry):
2045         (JSC::SparseArrayValueMap::putDirect):
2046         * runtime/StringConstructor.cpp:
2047         (JSC::constructWithStringConstructor):
2048         * runtime/StringPrototype.cpp:
2049         (JSC::replaceUsingRegExpSearch):
2050         (JSC::replaceUsingStringSearch):
2051         (JSC::stringProtoFuncIterator):
2052         * runtime/Structure.cpp:
2053         (JSC::Structure::materializePropertyTable):
2054         (JSC::Structure::willStoreValueSlow):
2055         * runtime/StructureCache.cpp:
2056         (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
2057         * runtime/StructureInlines.h:
2058         (JSC::Structure::get):
2059         * runtime/WeakMapConstructor.cpp:
2060         (JSC::constructWeakMap):
2061         * runtime/WeakSetConstructor.cpp:
2062         (JSC::constructWeakSet):
2063         * tools/HeapVerifier.cpp:
2064         (JSC::HeapVerifier::reportCell):
2065         * tools/JSDollarVM.cpp:
2066         (JSC::functionGlobalObjectForObject):
2067         (JSC::JSDollarVM::finishCreation):
2068         * wasm/js/JSWebAssemblyInstance.cpp:
2069         (JSC::JSWebAssemblyInstance::finalizeCreation):
2070         * wasm/js/WasmToJS.cpp:
2071         (JSC::Wasm::handleBadI64Use):
2072         (JSC::Wasm::wasmToJSException):
2073         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2074         (JSC::constructJSWebAssemblyCompileError):
2075         (JSC::callJSWebAssemblyCompileError):
2076         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2077         (JSC::constructJSWebAssemblyLinkError):
2078         (JSC::callJSWebAssemblyLinkError):
2079         * wasm/js/WebAssemblyModuleRecord.cpp:
2080         (JSC::WebAssemblyModuleRecord::evaluate):
2081         * wasm/js/WebAssemblyPrototype.cpp:
2082         (JSC::instantiate):
2083         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2084         (JSC::constructJSWebAssemblyRuntimeError):
2085         (JSC::callJSWebAssemblyRuntimeError):
2086         * wasm/js/WebAssemblyToJSCallee.cpp:
2087         (JSC::WebAssemblyToJSCallee::create):
2088
2089 2018-05-30  Saam Barati  <sbarati@apple.com>
2090
2091         DFG combined liveness needs to say that the machine CodeBlock's arguments are live
2092         https://bugs.webkit.org/show_bug.cgi?id=186121
2093         <rdar://problem/39377796>
2094
2095         Reviewed by Keith Miller.
2096
2097         DFG's combined liveness was reporting that the machine CodeBlock's |this|
2098         argument was dead at certain points in the program. However, a CodeBlock's
2099         arguments are considered live for the entire function. This fixes a bug
2100         where object allocation sinking phase skipped materializing an allocation
2101         because it thought that the argument it was associated with, |this|, was dead.
2102
2103         * dfg/DFGCombinedLiveness.cpp:
2104         (JSC::DFG::liveNodesAtHead):
2105
2106 2018-05-30  Daniel Bates  <dabates@apple.com>
2107
2108         Web Inspector: Annotate Same-Site cookies
2109         https://bugs.webkit.org/show_bug.cgi?id=184897
2110         <rdar://problem/35178209>
2111
2112         Reviewed by Brian Burg.
2113
2114         Update protocol to include cookie Same-Site policy.
2115
2116         * inspector/protocol/Page.json:
2117
2118 2018-05-29  Keith Miller  <keith_miller@apple.com>
2119
2120         Error instances should not strongly hold onto StackFrames
2121         https://bugs.webkit.org/show_bug.cgi?id=185996
2122
2123         Reviewed by Mark Lam.
2124
2125         Previously, we would hold onto all the StackFrames until the user
2126         looked at one of the properties on the Error object. This patch makes us
2127         only weakly retain the StackFrames and collect all the information
2128         if we are about to collect any frame.
2129
2130         This patch also adds a method to $vm that returns the heap's count
2131         of live global objects.
2132
2133         * heap/Heap.cpp:
2134         (JSC::Heap::finalizeUnconditionalFinalizers):
2135         * interpreter/Interpreter.cpp:
2136         (JSC::Interpreter::stackTraceAsString):
2137         * interpreter/Interpreter.h:
2138         * runtime/Error.cpp:
2139         (JSC::addErrorInfo):
2140         * runtime/ErrorInstance.cpp:
2141         (JSC::ErrorInstance::finalizeUnconditionally):
2142         (JSC::ErrorInstance::computeErrorInfo):
2143         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
2144         (JSC::ErrorInstance::visitChildren): Deleted.
2145         * runtime/ErrorInstance.h:
2146         (JSC::ErrorInstance::subspaceFor):
2147         * runtime/JSFunction.cpp:
2148         (JSC::getCalculatedDisplayName):
2149         * runtime/StackFrame.h:
2150         (JSC::StackFrame::isMarked const):
2151         * runtime/VM.cpp:
2152         (JSC::VM::VM):
2153         * runtime/VM.h:
2154         * tools/JSDollarVM.cpp:
2155         (JSC::functionGlobalObjectCount):
2156         (JSC::JSDollarVM::finishCreation):
2157
2158 2018-05-30  Keith Miller  <keith_miller@apple.com>
2159
2160         LLInt get_by_id prototype caching doesn't properly handle changes
2161         https://bugs.webkit.org/show_bug.cgi?id=186112
2162
2163         Reviewed by Filip Pizlo.
2164
2165         The caching would sometimes fail to track that a prototype had changed
2166         and wouldn't update its set of watchpoints.
2167
2168         * bytecode/CodeBlock.cpp:
2169         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2170         * bytecode/CodeBlock.h:
2171         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2172         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const):
2173         * bytecode/ObjectPropertyConditionSet.h:
2174         (JSC::ObjectPropertyConditionSet::size const):
2175         * bytecode/Watchpoint.h:
2176         (JSC::Watchpoint::Watchpoint): Deleted.
2177         * llint/LLIntSlowPaths.cpp:
2178         (JSC::LLInt::setupGetByIdPrototypeCache):
2179
2180 2018-05-30  Caio Lima  <ticaiolima@gmail.com>
2181
2182         [ESNext][BigInt] Implement support for "%" operation
2183         https://bugs.webkit.org/show_bug.cgi?id=184327
2184
2185         Reviewed by Yusuke Suzuki.
2186
2187         We are introducing support for BigInt in the remainder (a.k.a. mod)
2188         operation.
2189
2190         * runtime/CommonSlowPaths.cpp:
2191         (JSC::SLOW_PATH_DECL):
2192         * runtime/JSBigInt.cpp:
2193         (JSC::JSBigInt::remainder):
2194         (JSC::JSBigInt::rightTrim):
2195         * runtime/JSBigInt.h:
2196
2197 2018-05-30  Saam Barati  <sbarati@apple.com>
2198
2199         AI for Atomics.load() is too conservative in always clobbering world
2200         https://bugs.webkit.org/show_bug.cgi?id=185738
2201         <rdar://problem/40342214>
2202
2203         Reviewed by Yusuke Suzuki.
2204
2205         It fails the assertion that Fil added for catching disagreements between
2206         AI and clobberize. This patch fixes that. You'd run into this if you
2207         manually enabled SAB in a build and ran any SAB tests.
2208
2209         * dfg/DFGAbstractInterpreterInlines.h:
2210         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2211
2212 2018-05-30  Michael Saboff  <msaboff@apple.com>
2213
2214         REGRESSION(r232212): Broke Win32 Builds
2215         https://bugs.webkit.org/show_bug.cgi?id=186061
2216
2217         Reviewed by Yusuke Suzuki.
2218
2219         Changed Windows builds with the JIT disabled to generate and use LLIntAssembly.h
2220         instead of LowLevelInterpreterWin.asm.
2221
2222         * CMakeLists.txt:
2223
2224 2018-05-30  Dominik Infuehr  <dinfuehr@igalia.com>
2225
2226         [MIPS] Fix build on MIPS32r1
2227         https://bugs.webkit.org/show_bug.cgi?id=185944
2228
2229         Reviewed by Yusuke Suzuki.
2230
2231         Only use instructions on MIPS32r2 or later. mthc1 and mfhc1 are not supported
2232         on MIPS32r1.
2233
2234         * offlineasm/mips.rb:
2235
2236 2018-05-29  Saam Barati  <sbarati@apple.com>
2237
2238         Add a version of JSVirtualMachine shrinkFootprint that runs when the VM goes idle
2239         https://bugs.webkit.org/show_bug.cgi?id=186064
2240
2241         Reviewed by Mark Lam.
2242
2243         shrinkFootprint was implemented as:
2244         ```
2245         sanitizeStackForVM(this);
2246         deleteAllCode(DeleteAllCodeIfNotCollecting);
2247         heap.collectNow(Synchronousness::Sync);
2248         WTF::releaseFastMallocFreeMemory();
2249         ```
2250         
2251         However, for correctness reasons, deleteAllCode is implemented to do
2252         work when the VM is idle: no JS is running on the stack. This means
2253         that if shrinkFootprint is called when JS is running on the stack, it
2254         ends up freeing less memory than it could have if it waited to run until
2255         the VM goes idle.
2256         
2257         This patch makes it so we wait until idle before doing work. I'm seeing a
2258         10% footprint progression when testing this against a client of the JSC SPI.
2259         
2260         Because this is a semantic change in how the SPI works, this patch
2261         adds new SPI named shrinkFootprintWhenIdle. The plan is to move
2262         all clients of the shrinkFootprint SPI to shrinkFootprintWhenIdle.
2263         Once that happens, we will delete shrinkFootprint. Until then,
2264         we make shrinkFootprint do exactly what shrinkFootprintWhenIdle does.
2265
2266         * API/JSVirtualMachine.mm:
2267         (-[JSVirtualMachine shrinkFootprint]):
2268         (-[JSVirtualMachine shrinkFootprintWhenIdle]):
2269         * API/JSVirtualMachinePrivate.h:
2270         * runtime/VM.cpp:
2271         (JSC::VM::shrinkFootprintWhenIdle):
2272         (JSC::VM::shrinkFootprint): Deleted.
2273         * runtime/VM.h:
2274
2275 2018-05-29  Saam Barati  <sbarati@apple.com>
2276
2277         shrinkFootprint needs to request a full collection
2278         https://bugs.webkit.org/show_bug.cgi?id=186069
2279
2280         Reviewed by Mark Lam.
2281
2282         * runtime/VM.cpp:
2283         (JSC::VM::shrinkFootprint):
2284
2285 2018-05-29  Caio Lima  <ticaiolima@gmail.com>
2286
2287         [ESNext][BigInt] Implement support for "<" and ">" relational operation
2288         https://bugs.webkit.org/show_bug.cgi?id=185379
2289
2290         Reviewed by Yusuke Suzuki.
2291
2292         This patch is changing the `jsLess` operation to follow the
2293         semantics of Abstract Relational Comparison[1] that supports BigInt.
2294         For that, we create 2 new helper functions `bigIntCompareLess` and
2295         `toPrimitiveNumeric` that consider BigInt as a valid type to be
2296         compared.
2297
2298         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-relational-comparison
2299
2300         * runtime/JSBigInt.cpp:
2301         (JSC::JSBigInt::unequalSign):
2302         (JSC::JSBigInt::absoluteGreater):
2303         (JSC::JSBigInt::absoluteLess):
2304         (JSC::JSBigInt::compare):
2305         (JSC::JSBigInt::absoluteCompare):
2306         * runtime/JSBigInt.h:
2307         * runtime/JSCJSValueInlines.h:
2308         (JSC::JSValue::isPrimitive const):
2309         * runtime/Operations.h:
2310         (JSC::bigIntCompareLess):
2311         (JSC::toPrimitiveNumeric):
2312         (JSC::jsLess):
2313
2314 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2315
2316         [Baseline] Merge loading functionalities
2317         https://bugs.webkit.org/show_bug.cgi?id=185907
2318
2319         Reviewed by Saam Barati.
2320
2321         This patch unifies emitXXXLoad functions in 32bit and 64bit.
2322
2323         * jit/JITInlines.h:
2324         (JSC::JIT::emitDoubleGetByVal):
2325         * jit/JITPropertyAccess.cpp:
2326         (JSC::JIT::emitDoubleLoad):
2327         (JSC::JIT::emitContiguousLoad):
2328         (JSC::JIT::emitArrayStorageLoad):
2329         (JSC::JIT::emitIntTypedArrayGetByVal):
2330         (JSC::JIT::emitFloatTypedArrayGetByVal):
2331         Define register usage first, and share the same code in 32bit and 64bit.
2332
2333         * jit/JITPropertyAccess32_64.cpp:
2334         (JSC::JIT::emitSlow_op_put_by_val):
2335         Now the C stack is always enabled on JIT platforms and temporary registers increase from 5 to 6 on x86.
2336         We can remove this special handling.
2337
2338         (JSC::JIT::emitContiguousLoad): Deleted.
2339         (JSC::JIT::emitDoubleLoad): Deleted.
2340         (JSC::JIT::emitArrayStorageLoad): Deleted.
2341
2342 2018-05-29  Saam Barati  <sbarati@apple.com>
2343
2344         JSC should put bmalloc's scavenger into mini mode
2345         https://bugs.webkit.org/show_bug.cgi?id=185988
2346
2347         Reviewed by Michael Saboff.
2348
2349         When we InitializeThreading, we'll now enable bmalloc's mini mode
2350         if the VM is in mini mode. This is an 8-10% progression on the footprint
2351         at end score in run-testmem, making it a 4-5% memory score progression.
2352         It's between a 0-1% regression in its time score.
2353
2354         * runtime/InitializeThreading.cpp:
2355         (JSC::initializeThreading):
2356
2357 2018-05-29  Caitlin Potter  <caitp@igalia.com>
2358
2359         [JSC] Fix Array.prototype.concat fast case when single argument is Proxy
2360         https://bugs.webkit.org/show_bug.cgi?id=184267
2361
2362         Reviewed by Saam Barati.
2363
2364         Before this patch, the fast case for Array.prototype.concat was taken if
2365         there was a single argument passed to the function, which is either a
2366         non-JSCell, or an ObjectType JSCell not marked as concat-spreadable.
2367         This incorrectly prevented Proxy objects from being spread when
2368         they were the only argument passed to A.prototype.concat(), violating ECMA-262.
2369
2370         * builtins/ArrayPrototype.js:
2371         (concat):
2372
2373 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2374
2375         [JSC] JSBigInt::digitDiv has undefined behavior which causes test failures
2376         https://bugs.webkit.org/show_bug.cgi?id=186022
2377
2378         Reviewed by Darin Adler.
2379
2380         digitDiv performs Value64Bit >> 64 / Value32Bit >> 32, which is undefined behavior. And zero mask
2381         creation has an issue (`s` should be cast to a signed type before negating). They cause test failures
2382         in non x86 / x86_64 environments. x86 and x86_64 work well since they have a fast path written
2383         in asm.
2384
2385         This patch fixes digitDiv by carefully avoiding undefined behaviors. We mask the left value of the
2386         rshift with `digitBits - 1`, which makes `digitBits` 0 while it keeps 0 <= n < digitBits values.
2387         This makes the target rshift well-defined in C++. While the value produced by the rshift covers 0 <= `s` < 64 (32
2388         in a 32bit environment) cases, this rshift does not shift if `s` is 0. sZeroMask clears the value
2389         if `s` is 0, so that the `s == 0` case is also covered. Note that `s == 64` never happens since `divisor`
2390         is never 0 here. We add an assertion for that. We also fix the `sZeroMask` calculation.
2391
2392         This patch also fixes naming convention for constant values.
2393
2394         * runtime/JSBigInt.cpp:
2395         (JSC::JSBigInt::digitMul):
2396         (JSC::JSBigInt::digitDiv):
2397         * runtime/JSBigInt.h:
2398
2399 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2400
2401         [WTF] Add clz32 / clz64 for MSVC
2402         https://bugs.webkit.org/show_bug.cgi?id=186023
2403
2404         Reviewed by Daniel Bates.
2405
2406         Move clz32 and clz64 to WTF.
2407
2408         * runtime/MathCommon.h:
2409         (JSC::clz32): Deleted.
2410         (JSC::clz64): Deleted.
2411
2412 2018-05-27  Caio Lima  <ticaiolima@gmail.com>
2413
2414         [ESNext][BigInt] Implement "+" and "-" unary operation
2415         https://bugs.webkit.org/show_bug.cgi?id=182214
2416
2417         Reviewed by Yusuke Suzuki.
2418
2419         This patch implements support for the "-" unary operation on BigInt.
2420         It also changes the logic of ASTBuilder::makeNegateNode to
2421         calculate BigInt literals with the proper sign, avoiding an
2422         unnecessary operation. It required refactoring
2423         JSBigInt::parseInt to take the sign as a parameter.
2424
2425         We are also introducing a new DFG Node called ValueNegate to handle BigInt negate
2426         operations. With the introduction of BigInt, it is not true
2427         that every negate operation returns a Number. As ArithNegate is a
2428         node that considers its result to always be a Number, like all other
2429         Arith<Operation>, we decided to keep this consistency and use ValueNegate when
2430         speculation indicates that the operand is a BigInt.
2431         This design follows the same distinction as between ArithAdd and
2432         ValueAdd. Also, this new node will make the introduction of
2433         optimizations simpler when we create speculation paths for BigInt in future
2434         patches.
2435
2436         In the case of the "+" unary operation on BigInt, the current semantics we already have
2437         are correct, since it needs to throw a TypeError because of the ToNumber call[1].
2438         In that case, we are adding tests to verify other edge cases.
2439
2440         [1] - https://tc39.github.io/proposal-bigint/#sec-unary-plus-operator
2441
2442         * bytecompiler/BytecodeGenerator.cpp:
2443         (JSC::BytecodeGenerator::addBigIntConstant):
2444         * bytecompiler/BytecodeGenerator.h:
2445         * bytecompiler/NodesCodegen.cpp:
2446         (JSC::BigIntNode::jsValue const):
2447         * dfg/DFGAbstractInterpreterInlines.h:
2448         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2449         * dfg/DFGByteCodeParser.cpp:
2450         (JSC::DFG::ByteCodeParser::makeSafe):
2451         (JSC::DFG::ByteCodeParser::parseBlock):
2452         * dfg/DFGClobberize.h:
2453         (JSC::DFG::clobberize):
2454         * dfg/DFGDoesGC.cpp:
2455         (JSC::DFG::doesGC):
2456         * dfg/DFGFixupPhase.cpp:
2457         (JSC::DFG::FixupPhase::fixupNode):
2458         * dfg/DFGNode.h:
2459         (JSC::DFG::Node::arithNodeFlags):
2460         * dfg/DFGNodeType.h:
2461         * dfg/DFGPredictionPropagationPhase.cpp:
2462         * dfg/DFGSafeToExecute.h:
2463         (JSC::DFG::safeToExecute):
2464         * dfg/DFGSpeculativeJIT.cpp:
2465         (JSC::DFG::SpeculativeJIT::compileValueNegate):
2466         (JSC::DFG::SpeculativeJIT::compileArithNegate):
2467         * dfg/DFGSpeculativeJIT.h:
2468         * dfg/DFGSpeculativeJIT32_64.cpp:
2469         (JSC::DFG::SpeculativeJIT::compile):
2470         * dfg/DFGSpeculativeJIT64.cpp:
2471         (JSC::DFG::SpeculativeJIT::compile):
2472         * ftl/FTLCapabilities.cpp:
2473         (JSC::FTL::canCompile):
2474         * ftl/FTLLowerDFGToB3.cpp:
2475         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2476         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
2477         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2478         * jit/JITOperations.cpp:
2479         * parser/ASTBuilder.h:
2480         (JSC::ASTBuilder::createBigIntWithSign):
2481         (JSC::ASTBuilder::createBigIntFromUnaryOperation):
2482         (JSC::ASTBuilder::makeNegateNode):
2483         * parser/NodeConstructors.h:
2484         (JSC::BigIntNode::BigIntNode):
2485         * parser/Nodes.h:
2486         * runtime/CommonSlowPaths.cpp:
2487         (JSC::updateArithProfileForUnaryArithOp):
2488         (JSC::SLOW_PATH_DECL):
2489         * runtime/JSBigInt.cpp:
2490         (JSC::JSBigInt::parseInt):
2491         * runtime/JSBigInt.h:
2492         * runtime/JSCJSValueInlines.h:
2493         (JSC::JSValue::strictEqualSlowCaseInline):
2494
2495 2018-05-27  Dan Bernstein  <mitz@apple.com>
2496
2497         Tried to fix the 32-bit !ASSERT_DISABLED build after r232211.
2498
2499         * jit/JITOperations.cpp:
2500
2501 2018-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2502
2503         [JSC] Rename Array#flatten to flat
2504         https://bugs.webkit.org/show_bug.cgi?id=186012
2505
2506         Reviewed by Saam Barati.
2507
2508         Rename Array#flatten to Array#flat. This rename was done in TC39 since flatten
2509         conflicts with MooTools' function name.
2510
2511         * builtins/ArrayPrototype.js:
2512         (globalPrivate.flatIntoArray):
2513         (flat):
2514         (globalPrivate.flatIntoArrayWithCallback):
2515         (flatMap):
2516         (globalPrivate.flattenIntoArray): Deleted.
2517         (flatten): Deleted.
2518         (globalPrivate.flattenIntoArrayWithCallback): Deleted.
2519         * runtime/ArrayPrototype.cpp:
2520         (JSC::ArrayPrototype::finishCreation):
2521
2522 2018-05-25  Mark Lam  <mark.lam@apple.com>
2523
2524         for-in loops should preserve and restore the TDZ stack for each of its internal loops.
2525         https://bugs.webkit.org/show_bug.cgi?id=185995
2526         <rdar://problem/40173142>
2527
2528         Reviewed by Saam Barati.
2529
2530         This is because there's no guarantee that any of the loop bodies will be
2531         executed.  Hence, there's no guarantee that the TDZ variables will have been
2532         initialized after each loop body.
2533
2534         * bytecompiler/BytecodeGenerator.cpp:
2535         (JSC::BytecodeGenerator::preserveTDZStack):
2536         (JSC::BytecodeGenerator::restoreTDZStack):
2537         * bytecompiler/BytecodeGenerator.h:
2538         * bytecompiler/NodesCodegen.cpp:
2539         (JSC::ForInNode::emitBytecode):
2540
2541 2018-05-25  Mark Lam  <mark.lam@apple.com>
2542
2543         MachineContext's instructionPointer() should handle null PCs correctly.
2544         https://bugs.webkit.org/show_bug.cgi?id=186004
2545         <rdar://problem/40570067>
2546
2547         Reviewed by Saam Barati.
2548
2549         instructionPointer() returns a MacroAssemblerCodePtr<CFunctionPtrTag>.  However,
2550         MacroAssemblerCodePtr's constructor does not accept a null pointer value and will
2551         assert accordingly with a debug ASSERT.  This is inconsequential for release
2552         builds, but to avoid this assertion failure, we should check for a null PC and
2553         return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr) instead (which uses the
2554         MacroAssemblerCodePtr(std::nullptr_t) version of the constructor instead).
2555
2556         Alternatively, we can change all of MacroAssemblerCodePtr's constructors to check
2557         for null pointers, but I'd rather not do that yet.  In general,
2558         MacroAssemblerCodePtrs are constructed with non-null pointers, and I prefer to
2559         leave it that way for now.
2560
2561         Note: this assertion failure only manifests when we have signal traps enabled,
2562         and encounter a null pointer deref.
2563
2564         * runtime/MachineContext.h:
2565         (JSC::MachineContext::instructionPointer):
2566
2567 2018-05-25  Mark Lam  <mark.lam@apple.com>
2568
2569         Enforce invariant that GetterSetter objects are invariant.
2570         https://bugs.webkit.org/show_bug.cgi?id=185968
2571         <rdar://problem/40541416>
2572
2573         Reviewed by Saam Barati.
2574
2575         The code already assumes the invariant that GetterSetter objects are immutable.
2576         For example, the use of @tryGetById in builtins expects this invariant to be true.
2577         The existing code mostly enforces this except for one case: JSObject's
2578         validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter
2579         object.
2580
2581         This patch enforces this invariant by removing the setGetter and setSetter methods
2582         of GetterSetter, and requiring the getter/setter callback functions to be
2583         specified at construction time.
2584
2585         * jit/JITOperations.cpp:
2586         * llint/LLIntSlowPaths.cpp:
2587         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2588         * runtime/GetterSetter.cpp:
2589         (JSC::GetterSetter::withGetter): Deleted.
2590         (JSC::GetterSetter::withSetter): Deleted.
2591         * runtime/GetterSetter.h:
2592         * runtime/JSGlobalObject.cpp:
2593         (JSC::JSGlobalObject::init):
2594         * runtime/JSObject.cpp:
2595         (JSC::JSObject::putIndexedDescriptor):
2596         (JSC::JSObject::putDirectNativeIntrinsicGetter):
2597         (JSC::putDescriptor):
2598         (JSC::validateAndApplyPropertyDescriptor):
2599         * runtime/JSTypedArrayViewPrototype.cpp:
2600         (JSC::JSTypedArrayViewPrototype::finishCreation):
2601         * runtime/Lookup.cpp:
2602         (JSC::reifyStaticAccessor):
2603         * runtime/PropertyDescriptor.cpp:
2604         (JSC::PropertyDescriptor::slowGetterSetter):
2605
2606 2018-05-25  Saam Barati  <sbarati@apple.com>
2607
2608         Make JSC have a mini mode that kicks in when the JIT is disabled
2609         https://bugs.webkit.org/show_bug.cgi?id=185931
2610
2611         Reviewed by Mark Lam.
2612
2613         This patch makes JSC have a mini VM mode. This currently only kicks in
2614         when the process can't JIT. Mini VM now means a few things:
2615         - We always use a 1.27x heap growth factor. This number was the best tradeoff
2616           between memory use progression and time regression in run-testmem. We may
2617           want to tune this more in the future as we make other mini VM changes.
2618         - We always sweep synchronously.
2619         - We disable generational GC.
2620         
2621         I'm going to continue to extend what mini VM mode means in future changes.
2622         
2623         This patch is a 50% memory progression and an ~8-9% time regression
2624         on run-testmem when running in mini VM mode with the JIT disabled.
2625
2626         * heap/Heap.cpp:
2627         (JSC::Heap::collectNow):
2628         (JSC::Heap::finalize):
2629         (JSC::Heap::useGenerationalGC):
2630         (JSC::Heap::shouldSweepSynchronously):
2631         (JSC::Heap::shouldDoFullCollection):
2632         * heap/Heap.h:
2633         * runtime/Options.h:
2634         * runtime/VM.cpp:
2635         (JSC::VM::isInMiniMode):
2636         * runtime/VM.h:
2637
2638 2018-05-25  Saam Barati  <sbarati@apple.com>
2639
2640         Have a memory test where we can validate JSCs mini memory mode
2641         https://bugs.webkit.org/show_bug.cgi?id=185932
2642
2643         Reviewed by Mark Lam.
2644
2645         This patch adds the testmem CLI. It takes as input a file to run
2646         and the number of iterations to run it (by default it runs it
2647         20 times). Each iteration runs in a new JSContext. Each JSContext
2648         belongs to a VM that is created once. When finished, the CLI dumps
2649         out the peak memory usage of the process, the memory usage at the end
2650         of running all the iterations of the process, and the total time it
2651         took to run all the iterations.
2652
2653         * JavaScriptCore.xcodeproj/project.pbxproj:
2654         * testmem: Added.
2655         * testmem/testmem.mm: Added.
2656         (description):
2657         (Footprint::now):
2658         (main):
2659
2660 2018-05-25  David Kilzer  <ddkilzer@apple.com>
2661
2662         Fix issues with -dealloc methods found by clang static analyzer
2663         <https://webkit.org/b/185887>
2664
2665         Reviewed by Joseph Pecoraro.
2666
2667         * API/JSValue.mm:
2668         (-[JSValue dealloc]):
2669         (-[JSValue description]):
2670         - Move method implementations from (Internal) category to the
2671           main category since these are public API.  This fixes the
2672           false positive warning about a missing -dealloc method.
2673
2674 2018-05-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2675
2676         [Baseline] Remove a hack for DCE removal of NewFunction
2677         https://bugs.webkit.org/show_bug.cgi?id=185945
2678
2679         Reviewed by Saam Barati.
2680
2681         This `undefined` check in baseline was originally introduced in r177871. The problem was,
2682         when NewFunction is removed in DFG DCE, its referencing scope DFG node is also removed.
2683         While op_new_func_xxx wants to have a scope for function creation, DFG OSR exit cannot
2684         retrieve this into the stack since the scope is not referenced from anywhere.
2685
2686         In r177871, we fixed this by accepting an `undefined` scope in the baseline op_new_func_xxx
2687         implementation. But rather than that, just emitting `Phantom` for this scope is cleaner
2688         and consistent with the other DFG nodes like GetClosureVar.
2689
2690         This patch emits Phantom instead, and removes the unnecessary `undefined` check in baseline.
2691         While we emit Phantom, it is not testable since NewFunction is guarded by a MovHint which
2692         is not removed in DFG. And in FTL, NewFunction will be converted to PhantomNewFunction
2693         if it is not referenced. And the scope node is kept by PutHint. But emitting Phantom is nice
2694         since it conservatively guards the scope, and it does not introduce any additional overhead
2695         compared to the current status.
2696
2697         * dfg/DFGByteCodeParser.cpp:
2698         (JSC::DFG::ByteCodeParser::parseBlock):
2699         * jit/JITOpcodes.cpp:
2700         (JSC::JIT::emitNewFuncExprCommon):
2701
2702 2018-05-23  Keith Miller  <keith_miller@apple.com>
2703
2704         Expose $vm if window.internals is exposed
2705         https://bugs.webkit.org/show_bug.cgi?id=185900
2706
2707         Reviewed by Mark Lam.
2708
2709         This is useful for testing vm internals when running LayoutTests.
2710
2711         * runtime/JSGlobalObject.cpp:
2712         (JSC::JSGlobalObject::init):
2713         (JSC::JSGlobalObject::visitChildren):
2714         (JSC::JSGlobalObject::exposeDollarVM):
2715         * runtime/JSGlobalObject.h:
2716
2717 2018-05-23  Keith Miller  <keith_miller@apple.com>
2718
2719         Define length on CoW array should properly convert to writable
2720         https://bugs.webkit.org/show_bug.cgi?id=185927
2721
2722         Reviewed by Yusuke Suzuki.
2723
2724         * runtime/JSArray.cpp:
2725         (JSC::JSArray::setLength):
2726
2727 2018-05-23  Keith Miller  <keith_miller@apple.com>
2728
2729         InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format
2730         https://bugs.webkit.org/show_bug.cgi?id=185923
2731
2732         Reviewed by Saam Barati.
2733
2734         Previously, we could confuse AI by overly broadening a type. This happens when a block in a
2735         loop has a local mutated following a GetLocal but never SetLocaled to the stack. For example,
2736
2737         Block 1:
2738         @1: GetLocal(loc42, FlushedInt32);
2739         @2: PutStructure(Check: Cell: @1);
2740         @3: Jump(Block 1);
2741
2742         Would cause us to claim that loc42 could be either an int32 or some cell. However,
2743         the type of a local cannot change without writing to it.
2744
2745         This fixes a crash in destructuring-rest-element.js.
2746
2747         * dfg/DFGInPlaceAbstractState.cpp:
2748         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2749
2750 2018-05-23  Filip Pizlo  <fpizlo@apple.com>
2751
2752         Speed up JetStream/base64
2753         https://bugs.webkit.org/show_bug.cgi?id=185914
2754
2755         Reviewed by Michael Saboff.
2756         
2757         Make allocation fast paths ALWAYS_INLINE.
2758         
2759         This is a 1% speed-up on SunSpider, mostly because of base64. It also speeds up pdfjs by
2760         ~6%.
2761
2762         * CMakeLists.txt:
2763         * JavaScriptCore.xcodeproj/project.pbxproj:
2764         * heap/AllocatorInlines.h:
2765         (JSC::Allocator::allocate const):
2766         * heap/CompleteSubspace.cpp:
2767         (JSC::CompleteSubspace::allocateNonVirtual): Deleted.
2768         * heap/CompleteSubspace.h:
2769         * heap/CompleteSubspaceInlines.h: Added.
2770         (JSC::CompleteSubspace::allocateNonVirtual):
2771         * heap/FreeListInlines.h:
2772         (JSC::FreeList::allocate):
2773         * heap/IsoSubspace.cpp:
2774         (JSC::IsoSubspace::allocateNonVirtual): Deleted.
2775         * heap/IsoSubspace.h:
2776         (JSC::IsoSubspace::allocatorForNonVirtual):
2777         * heap/IsoSubspaceInlines.h: Added.
2778         (JSC::IsoSubspace::allocateNonVirtual):
2779         * runtime/JSCellInlines.h:
2780         * runtime/VM.h:
2781
2782 2018-05-23  Rick Waldron  <waldron.rick@gmail.com>
2783
2784         Conversion misspelled "Convertion" in error message string
2785         https://bugs.webkit.org/show_bug.cgi?id=185436
2786
2787         Reviewed by Saam Barati, Michael Saboff
2788
2789         * runtime/JSBigInt.cpp:
2790         (JSC::JSBigInt::toNumber const):
2791
2792 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2793
2794         [JSC] Clean up stringGetByValStubGenerator
2795         https://bugs.webkit.org/show_bug.cgi?id=185864
2796
2797         Reviewed by Saam Barati.
2798
2799         We clean up stringGetByValStubGenerator.
2800
2801         1. Unify 32bit and 64bit implementations.
2802         2. Rename stringGetByValStubGenerator to stringGetByValGenerator, move it to ThunkGenerators.cpp.
2803         3. Remove string type check since this code is invoked only when we know regT0 is JSString*.
2804         4. Do not tag Cell in stringGetByValGenerator side. 32bit code stores Cell with tag in JITPropertyAccess32_64 side.
2805         5. Fix invalid use of loadPtr for StringImpl::flags. Should use load32.
2806
2807         * jit/JIT.h:
2808         * jit/JITPropertyAccess.cpp:
2809         (JSC::JIT::emitSlow_op_get_by_val):
2810         (JSC::JIT::stringGetByValStubGenerator): Deleted.
2811         * jit/JITPropertyAccess32_64.cpp:
2812         (JSC::JIT::emit_op_get_by_val):
2813         (JSC::JIT::emitSlow_op_get_by_val):
2814         (JSC::JIT::stringGetByValStubGenerator): Deleted.
2815         * jit/ThunkGenerators.cpp:
2816         (JSC::stringGetByValGenerator):
2817         * jit/ThunkGenerators.h:
2818
2819 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2820
2821         [JSC] Use branchIfString/branchIfNotString instead of structure checkings
2822         https://bugs.webkit.org/show_bug.cgi?id=185810
2823
2824         Reviewed by Saam Barati.
2825
2826         Let's use branchIfString/branchIfNotString helper functions instead of
2827         checking structure with jsString's structure. It's easy to read. And
2828         it emits less code since we do not need to embed string structure's
2829         raw pointer in a 32bit environment.
2830
2831         * jit/JIT.h:
2832         * jit/JITInlines.h:
2833         (JSC::JIT::emitLoadCharacterString):
2834         (JSC::JIT::checkStructure): Deleted.
2835         * jit/JITOpcodes32_64.cpp:
2836         (JSC::JIT::emitSlow_op_eq):
2837         (JSC::JIT::compileOpEqJumpSlow):
2838         (JSC::JIT::emitSlow_op_neq):
2839         * jit/JITPropertyAccess.cpp:
2840         (JSC::JIT::stringGetByValStubGenerator):
2841         (JSC::JIT::emitSlow_op_get_by_val):
2842         (JSC::JIT::emitByValIdentifierCheck):
2843         * jit/JITPropertyAccess32_64.cpp:
2844         (JSC::JIT::stringGetByValStubGenerator):
2845         (JSC::JIT::emitSlow_op_get_by_val):
2846         * jit/JSInterfaceJIT.h:
2847         (JSC::ThunkHelpers::jsStringLengthOffset): Deleted.
2848         (JSC::ThunkHelpers::jsStringValueOffset): Deleted.
2849         * jit/SpecializedThunkJIT.h:
2850         (JSC::SpecializedThunkJIT::loadJSStringArgument):
2851         * jit/ThunkGenerators.cpp:
2852         (JSC::stringCharLoad):
2853         (JSC::charCodeAtThunkGenerator):
2854         (JSC::charAtThunkGenerator):
2855         * runtime/JSString.h:
2856
2857 2018-05-22  Mark Lam  <mark.lam@apple.com>
2858
2859         BytecodeGeneratorification shouldn't add a ValueProfile if the JIT is disabled.
2860         https://bugs.webkit.org/show_bug.cgi?id=185896
2861         <rdar://problem/40471403>
2862
2863         Reviewed by Saam Barati.
2864
2865         * bytecode/BytecodeGeneratorification.cpp:
2866         (JSC::BytecodeGeneratorification::run):
2867
2868 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2869
2870         [JSC] Fix CachedCall's argument count if RegExp has named captures
2871         https://bugs.webkit.org/show_bug.cgi?id=185587
2872
2873         Reviewed by Mark Lam.
2874
2875         If the given RegExp has named captures, the argument count of CachedCall in String#replace
2876         should be increased by one. This causes a crash with an assertion in test262. This patch corrects
2877         the argument count.
2878
2879         This patch also unifies source.is8Bit()/!source.is8Bit() code since they are now completely
2880         the same.
2881
2882         * runtime/StringPrototype.cpp:
2883         (JSC::replaceUsingRegExpSearch):
2884
2885 2018-05-22  Mark Lam  <mark.lam@apple.com>
2886
2887         StringImpl utf8 conversion should not fail silently.
2888         https://bugs.webkit.org/show_bug.cgi?id=185888
2889         <rdar://problem/40464506>
2890
2891         Reviewed by Filip Pizlo.
2892
2893         * dfg/DFGLazyJSValue.cpp:
2894         (JSC::DFG::LazyJSValue::dumpInContext const):
2895         * runtime/DateConstructor.cpp:
2896         (JSC::constructDate):
2897         (JSC::dateParse):
2898         * runtime/JSDateMath.cpp:
2899         (JSC::parseDate):
2900         * runtime/JSDateMath.h:
2901
2902 2018-05-22  Keith Miller  <keith_miller@apple.com>
2903
2904         Remove the UnconditionalFinalizer class
2905         https://bugs.webkit.org/show_bug.cgi?id=185881
2906
2907         Reviewed by Filip Pizlo.
2908
2909         The only remaining user of this API is
2910         JSWebAssemblyCodeBlock. This patch changes JSWebAssemblyCodeBlock
2911         to use the newer template based API and removes the old class.
2912
2913         * JavaScriptCore.xcodeproj/project.pbxproj:
2914         * bytecode/CodeBlock.h:
2915         * heap/Heap.cpp:
2916         (JSC::Heap::finalizeUnconditionalFinalizers):
2917         * heap/Heap.h:
2918         * heap/SlotVisitor.cpp:
2919         (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
2920         * heap/SlotVisitor.h:
2921         * heap/UnconditionalFinalizer.h: Removed.
2922         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2923         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2924         (JSC::JSWebAssemblyCodeBlock::visitChildren):
2925         (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
2926         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
2927         * wasm/js/JSWebAssemblyCodeBlock.h:
2928         * wasm/js/JSWebAssemblyModule.h:
2929
2930         * CMakeLists.txt:
2931         * JavaScriptCore.xcodeproj/project.pbxproj:
2932         * bytecode/CodeBlock.h:
2933         * heap/Heap.cpp:
2934         (JSC::Heap::finalizeUnconditionalFinalizers):
2935         * heap/Heap.h:
2936         * heap/SlotVisitor.cpp:
2937         (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
2938         * heap/SlotVisitor.h:
2939         * heap/UnconditionalFinalizer.h: Removed.
2940         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2941         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2942         (JSC::JSWebAssemblyCodeBlock::visitChildren):
2943         (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
2944         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
2945         * wasm/js/JSWebAssemblyCodeBlock.h:
2946         * wasm/js/JSWebAssemblyModule.h:
2947
2948 2018-05-22  Keith Miller  <keith_miller@apple.com>
2949
2950         Unreviewed, fix internal build.
2951
2952         * runtime/JSImmutableButterfly.cpp:
2953
2954 2018-05-22  Saam Barati  <sbarati@apple.com>
2955
2956         DFG::LICMPhase should attempt to hoist edge type checks if hoisting the whole node fails
2957         https://bugs.webkit.org/show_bug.cgi?id=144525
2958
2959         Reviewed by Filip Pizlo.
2960
2961         This patch teaches LICM to fall back to hoisting a node's type checks when
2962         hoisting the entire node fails.
2963         
2964         This patch follows the same principles we use when deciding to hoist nodes in general:
2965         - If the pre header is control equivalent to where the current check is, we
2966         go ahead and hoist the check.
2967         - Otherwise, if hoisting hasn't failed before, we go ahead and gamble and
2968         hoist the check. If hoisting failed in the past, we will not hoist the check.
2969
2970         * dfg/DFGLICMPhase.cpp:
2971         (JSC::DFG::LICMPhase::attemptHoist):
2972         * dfg/DFGUseKind.h:
2973         (JSC::DFG::checkMayCrashIfInputIsEmpty):
2974
2975 2018-05-21  Filip Pizlo  <fpizlo@apple.com>
2976
2977         Get rid of TLCs
2978         https://bugs.webkit.org/show_bug.cgi?id=185846
2979
2980         Rubber stamped by Geoffrey Garen.
2981         
2982         This removes support for thread-local caches from the GC in order to speed up allocation a
2983         bit.
2984         
2985         We added TLCs as part of Spectre mitigations, which we have since removed.
2986         
2987         We will want some kind of TLCs eventually, since they allow us to:
2988         
2989         - have a global GC, which may be a perf optimization at some point.
2990         - allocate objects from JIT threads, which we've been wanting to do for a while.
2991         
2992         This change keeps the most interesting aspect of TLCs, which is the
2993         LocalAllocator/BlockDirectory separation. This means that it ought to be easy to implement
2994         TLCs again in the future if we wanted this feature.
2995         
2996         This change removes the part of TLCs that causes a perf regression, namely that Allocator is
2997         an offset that requires a bounds check and lookup that makes the rest of the allocation fast
2998         path dependent on the load of the TLC. Now, Allocator is really just a LocalAllocator*, so
2999         you can directly use it to allocate. This removes two loads and a check from the allocation
3000         fast path. In hindsight, I probably could have made that whole thing more efficient, had I
3001         allowed us to have a statically known set of LocalAllocators. This would have removed the
3002         bounds check (one load and one branch) and it would have made it possible to CSE the load of
3003         the TLC data structure, since that would no longer resize. But that's a harder change than
3004         this patch, and we don't need it right now.
3005         
3006         While reviewing the allocation hot paths, I found that CreateThis had an unnecessary branch
3007         to check if the allocator is null. I removed that check. AssemblyHelpers::emitAllocate() does
3008         that check already. Previously, the TLC bounds check doubled as this check.
3009         
3010         This is a 1% speed-up on Octane and a 2.3% speed-up on TailBench. However, the Octane
3011         speed-up on my machine includes an 8% regexp speed-up. I've found that sometimes regexp
3012         speeds up or slows down by 8% depending on which path I build JSC from. Without that 8%, this
3013         is still an Octane speed-up due to 2-4% speed-ups in earley, boyer, raytrace, and splay.
3014
3015         * JavaScriptCore.xcodeproj/project.pbxproj:
3016         * Sources.txt:
3017         * bytecode/ObjectAllocationProfileInlines.h:
3018         (JSC::ObjectAllocationProfile::initializeProfile):
3019         * dfg/DFGSpeculativeJIT.cpp:
3020         (JSC::DFG::SpeculativeJIT::compileCreateThis):
3021         * ftl/FTLLowerDFGToB3.cpp:
3022         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3023         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3024         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3025         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3026         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3027         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
3028         * heap/Allocator.cpp:
3029         (JSC::Allocator::cellSize const):
3030         * heap/Allocator.h:
3031         (JSC::Allocator::Allocator):
3032         (JSC::Allocator::localAllocator const):
3033         (JSC::Allocator::operator== const):
3034         (JSC::Allocator::offset const): Deleted.
3035         * heap/AllocatorInlines.h:
3036         (JSC::Allocator::allocate const):
3037         (JSC::Allocator::tryAllocate const): Deleted.
3038         * heap/BlockDirectory.cpp:
3039         (JSC::BlockDirectory::BlockDirectory):
3040         (JSC::BlockDirectory::~BlockDirectory):
3041         * heap/BlockDirectory.h:
3042         (JSC::BlockDirectory::allocator const): Deleted.
3043         * heap/CompleteSubspace.cpp:
3044         (JSC::CompleteSubspace::allocateNonVirtual):
3045         (JSC::CompleteSubspace::allocatorForSlow):
3046         (JSC::CompleteSubspace::tryAllocateSlow):
3047         * heap/CompleteSubspace.h:
3048         * heap/Heap.cpp:
3049         (JSC::Heap::Heap):
3050         * heap/Heap.h:
3051         (JSC::Heap::threadLocalCacheLayout): Deleted.
3052         * heap/IsoSubspace.cpp:
3053         (JSC::IsoSubspace::IsoSubspace):
3054         (JSC::IsoSubspace::allocateNonVirtual):
3055         * heap/IsoSubspace.h:
3056         (JSC::IsoSubspace::allocatorForNonVirtual):
3057         * heap/LocalAllocator.cpp:
3058         (JSC::LocalAllocator::LocalAllocator):
3059         (JSC::LocalAllocator::~LocalAllocator):
3060         * heap/LocalAllocator.h:
3061         (JSC::LocalAllocator::cellSize const):
3062         (JSC::LocalAllocator::tlc const): Deleted.
3063         * heap/ThreadLocalCache.cpp: Removed.
3064         * heap/ThreadLocalCache.h: Removed.
3065         * heap/ThreadLocalCacheInlines.h: Removed.
3066         * heap/ThreadLocalCacheLayout.cpp: Removed.
3067         * heap/ThreadLocalCacheLayout.h: Removed.
3068         * jit/AssemblyHelpers.cpp:
3069         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3070         (JSC::AssemblyHelpers::emitAllocate):
3071         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3072         * jit/JITOpcodes.cpp:
3073         (JSC::JIT::emit_op_create_this):
3074         * runtime/JSLock.cpp:
3075         (JSC::JSLock::didAcquireLock):
3076         * runtime/VM.cpp:
3077         (JSC::VM::VM):
3078         (JSC::VM::~VM):
3079         * runtime/VM.h:
3080         * runtime/VMEntryScope.cpp:
3081         (JSC::VMEntryScope::~VMEntryScope):
3082         * runtime/VMEntryScope.h:
3083
3084 2018-05-22  Keith Miller  <keith_miller@apple.com>
3085
3086         We should have a CoW storage for NewArrayBuffer arrays.
3087         https://bugs.webkit.org/show_bug.cgi?id=185003
3088
3089         Reviewed by Filip Pizlo.
3090
3091         This patch adds copy on write storage for new array buffers. In
3092         order to do this there needed to be significant changes to the
3093         layout of IndexingType. The new indexing type has the following
3094         shape:
3095
3096         struct IndexingTypeAndMisc {
3097             struct IndexingModeIncludingHistory {
3098                 struct IndexingMode {
3099                     struct IndexingType {
3100                         uint8_t isArray:1;          // bit 0
3101                         uint8_t shape:3;            // bit 1 - 3
3102                     };
3103                     uint8_t copyOnWrite:1;          // bit 4
3104                 };
3105                 uint8_t mayHaveIndexedAccessors:1;  // bit 5
3106             };
3107             uint8_t cellLockBits:2;                 // bit 6 - 7
3108         };
3109
3110         For simplicity ArrayStorage shapes cannot be CoW. So the only
3111         valid CoW indexing shapes are ArrayWithInt32, ArrayWithDouble, and
3112         ArrayWithContiguous.
3113
3114         The backing store for a CoW array is a new class
3115         JSImmutableButterfly, which looks exactly the same as a normal
3116         butterfly except that it has a JSCell header. Like other
3117         butterflies, JSImmutableButterflies are allocated out of the
3118         Auxiliary Gigacage and are pointed to by JSCells in the same
3119         way. However, when marking JSImmutableButterflies they are marked
3120         as if they were a property.
3121
3122         With CoW arrays, the new_array_buffer bytecode will reallocate the
3123         shared JSImmutableButterfly if it sees from the allocation profile
3124         that the last array it allocated has transitioned to a different
3125         indexing type. From then on, all arrays created by that
3126         new_array_buffer bytecode will have the promoted indexing
3127         type. This is more or less the same as what we used to do. The
3128         only difference is that we don't promote all the way to array
3129         storage even if we have seen it before.
3130
3131         Transitioning from a CoW indexing mode occurs whenever someone
3132         tries to store to an element, grow the array, or add properties.
3133         Storing or growing the array will call into code that does the
3134         stupid thing of copying the butterfly then continue into the old
3135         code. This doesn't end up costing us as future allocations will
3136         use any upgraded indexing shape.  We get adding properties for
3137         free by just changing the indexing mode on transition (our C++
3138         code always updates the indexing mode).
3139
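        The IndexingMode bit layout and the transition-on-write rule described above (and the
        setLength conversion that the "Define length on CoW array should properly convert to
        writable" entry earlier in this log refers to), as an added C++ example that is not
        JavaScriptCore's own code. ToyArray, ImmutableButterfly, the shape numbering, and the use
        of std::shared_ptr in place of the GC are assumptions made for this example; only the bit
        positions and the "copy, then continue into the old code" behaviour come from the entry.

```cpp
// Added example (not JavaScriptCore code): a toy model of copy-on-write
// array storage following the IndexingMode bit layout and the
// "transition on write" rule described in the ChangeLog entry above.
// ToyArray, ImmutableButterfly and the shape numbering are assumptions
// made for this example; std::shared_ptr stands in for the GC.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// IndexingMode byte, bit positions as given in the entry.
constexpr uint8_t IsArrayBit     = 1u << 0;  // bit 0
constexpr uint8_t ShapeShift     = 1;        // bits 1-3
constexpr uint8_t ShapeMask      = 0x7u << ShapeShift;
constexpr uint8_t CopyOnWriteBit = 1u << 4;  // bit 4

// Shape codes are hypothetical; per the entry only Int32/Double/Contiguous may be CoW.
enum Shape : uint8_t { Int32Shape = 1, DoubleShape = 2, ContiguousShape = 3, ArrayStorageShape = 4 };

constexpr bool shapeMayBeCopyOnWrite(Shape s)
{
    return s == Int32Shape || s == DoubleShape || s == ContiguousShape;
}

constexpr uint8_t makeIndexingMode(Shape s, bool copyOnWrite)
{
    return static_cast<uint8_t>(IsArrayBit | (static_cast<uint8_t>(s) << ShapeShift)
                                | (copyOnWrite ? CopyOnWriteBit : 0));
}
constexpr bool isCopyOnWrite(uint8_t mode) { return (mode & CopyOnWriteBit) != 0; }
constexpr Shape shapeOf(uint8_t mode) { return static_cast<Shape>((mode & ShapeMask) >> ShapeShift); }

// Shared, never-mutated backing store for every array made from one literal.
struct ImmutableButterfly { std::vector<int32_t> data; };

class ToyArray {
public:
    // What new_array_buffer does in this model: point at the literal's
    // shared storage and mark the array CoW instead of copying up front.
    static ToyArray fromLiteral(std::shared_ptr<const ImmutableButterfly> shared)
    {
        ToyArray a;
        a.m_mode = makeIndexingMode(Int32Shape, true);
        a.m_shared = std::move(shared);
        return a;
    }

    size_t length() const { return isCopyOnWrite(m_mode) ? m_shared->data.size() : m_private.size(); }
    int32_t get(size_t i) const { return isCopyOnWrite(m_mode) ? m_shared->data.at(i) : m_private.at(i); }
    uint8_t indexingMode() const { return m_mode; }

    // Every mutating entry point converts first. Skipping the conversion in
    // any one of them would write into storage shared with all other arrays
    // created from the same literal.
    void set(size_t i, int32_t v) { ensureWritable(); m_private.at(i) = v; }
    void setLength(size_t n) { ensureWritable(); m_private.resize(n, 0); }

private:
    // The "copy the butterfly, then continue into the old code" step:
    // take a private copy, drop the shared reference, clear the CoW bit.
    // The shape bits are left as they are.
    void ensureWritable()
    {
        if (!isCopyOnWrite(m_mode))
            return;
        m_private = m_shared->data;
        m_shared.reset();
        m_mode = static_cast<uint8_t>(m_mode & ~CopyOnWriteBit);
    }
    uint8_t m_mode = 0;
    std::shared_ptr<const ImmutableButterfly> m_shared;
    std::vector<int32_t> m_private;
};

// Two arrays from the same (constructed) literal: a store on one and a
// length change on the other must leave each other and the shared store
// untouched. Returns true when the isolation holds.
bool sharedStorageIsIsolated()
{
    std::shared_ptr<const ImmutableButterfly> literal =
        std::make_shared<ImmutableButterfly>(ImmutableButterfly{{1, 2, 3}});
    ToyArray a = ToyArray::fromLiteral(literal);
    ToyArray b = ToyArray::fromLiteral(literal);
    a.set(0, 99);
    b.setLength(5);
    return a.get(0) == 99 && a.length() == 3
        && b.get(0) == 1 && b.length() == 5
        && literal->data == std::vector<int32_t>{1, 2, 3}
        && !isCopyOnWrite(a.indexingMode()) && !isCopyOnWrite(b.indexingMode())
        && shapeOf(a.indexingMode()) == Int32Shape;
}

int main()
{
    std::printf("shared storage isolated: %s\n", sharedStorageIsIsolated() ? "yes" : "no");
    return 0;
}
```

        The point of the model is the invariant, not the layout: once a cell is marked CoW, the
        only legal write path is "copy, clear bit 4, then mutate the private copy", and every
        mutator (element store, length change, property addition) has to go through it.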
3140         * JavaScriptCore.xcodeproj/project.pbxproj:
3141         * Sources.txt:
3142         * bytecode/ArrayAllocationProfile.cpp:
3143         (JSC::ArrayAllocationProfile::updateProfile):
3144         * bytecode/ArrayAllocationProfile.h:
3145         (JSC::ArrayAllocationProfile::initializeIndexingMode):
3146         * bytecode/ArrayProfile.cpp:
3147         (JSC::dumpArrayModes):
3148         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
3149         * bytecode/ArrayProfile.h:
3150         (JSC::asArrayModes):
3151         (JSC::arrayModeFromStructure):
3152         (JSC::arrayModesInclude):
3153         (JSC::hasSeenCopyOnWriteArray):
3154         * bytecode/BytecodeList.json:
3155         * bytecode/CodeBlock.cpp:
3156         (JSC::CodeBlock::finishCreation):
3157         * bytecode/InlineAccess.cpp:
3158         (JSC::InlineAccess::generateArrayLength):
3159         * bytecode/UnlinkedCodeBlock.h:
3160         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
3161         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
3162         * bytecompiler/BytecodeGenerator.cpp:
3163         (JSC::BytecodeGenerator::newArrayAllocationProfile):
3164         (JSC::BytecodeGenerator::emitNewArrayBuffer):
3165         (JSC::BytecodeGenerator::emitNewArray):
3166         (JSC::BytecodeGenerator::emitNewArrayWithSize):
3167         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
3168         * bytecompiler/BytecodeGenerator.h:
3169         * bytecompiler/NodesCodegen.cpp:
3170         (JSC::ArrayNode::emitBytecode):
3171         (JSC::ArrayPatternNode::bindValue const):
3172         (JSC::ArrayPatternNode::emitDirectBinding):
3173         * dfg/DFGAbstractInterpreterInlines.h:
3174         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3175         * dfg/DFGArgumentsEliminationPhase.cpp:
3176         * dfg/DFGArgumentsUtilities.cpp:
3177         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3178         * dfg/DFGArrayMode.cpp:
3179         (JSC::DFG::ArrayMode::fromObserved):
3180         (JSC::DFG::ArrayMode::refine const):
3181         (JSC::DFG::ArrayMode::alreadyChecked const):
3182         * dfg/DFGArrayMode.h:
3183         (JSC::DFG::ArrayMode::ArrayMode):
3184         (JSC::DFG::ArrayMode::action const):
3185         (JSC::DFG::ArrayMode::withSpeculation const):
3186         (JSC::DFG::ArrayMode::withArrayClass const):
3187         (JSC::DFG::ArrayMode::withType const):
3188         (JSC::DFG::ArrayMode::withConversion const):
3189         (JSC::DFG::ArrayMode::withTypeAndConversion const):
3190         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
3191         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
3192         * dfg/DFGByteCodeParser.cpp:
3193         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3194         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
3195         (JSC::DFG::ByteCodeParser::parseBlock):
3196         * dfg/DFGClobberize.h:
3197         (JSC::DFG::clobberize):
3198         * dfg/DFGConstantFoldingPhase.cpp:
3199         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3200         * dfg/DFGFixupPhase.cpp:
3201         (JSC::DFG::FixupPhase::fixupNode):
3202         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
3203         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
3204         * dfg/DFGGraph.cpp:
3205         (JSC::DFG::Graph::dump):
3206         * dfg/DFGNode.h:
3207         (JSC::DFG::Node::indexingType):
3208         (JSC::DFG::Node::indexingMode):
3209         * dfg/DFGOSRExit.cpp:
3210         (JSC::DFG::OSRExit::compileExit):
3211         * dfg/DFGOperations.cpp:
3212         * dfg/DFGOperations.h:
3213         * dfg/DFGSpeculativeJIT.cpp:
3214         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3215         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
3216         (JSC::DFG::SpeculativeJIT::arrayify):
3217         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3218         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3219         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3220         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3221         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3222         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3223         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
3224         * dfg/DFGSpeculativeJIT32_64.cpp:
3225         (JSC::DFG::SpeculativeJIT::compile):
3226         * dfg/DFGSpeculativeJIT64.cpp:
3227         (JSC::DFG::SpeculativeJIT::compile):
3228         * dfg/DFGValidate.cpp:
3229         * ftl/FTLAbstractHeapRepository.h:
3230         * ftl/FTLLowerDFGToB3.cpp:
3231         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
3232         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
3233         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3234         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
3235         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3236         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
3237         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
3238         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
3239         * ftl/FTLOperations.cpp:
3240         (JSC::FTL::operationMaterializeObjectInOSR):
3241         * generate-bytecode-files:
3242         * interpreter/Interpreter.cpp:
3243         (JSC::sizeOfVarargs):
3244         (JSC::loadVarargs):
3245         * jit/AssemblyHelpers.cpp:
3246         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
3247         * jit/AssemblyHelpers.h:
3248         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
3249         * jit/JITOperations.cpp:
3250         * jit/JITPropertyAccess.cpp:
3251         (JSC::JIT::emit_op_put_by_val):
3252         (JSC::JIT::emitSlow_op_put_by_val):
3253         * jit/Repatch.cpp:
3254         (JSC::tryCachePutByID):
3255         * llint/LowLevelInterpreter.asm:
3256         * llint/LowLevelInterpreter32_64.asm:
3257         * llint/LowLevelInterpreter64.asm:
3258         * runtime/Butterfly.h:
3259         (JSC::ContiguousData::Data::Data):
3260         (JSC::ContiguousData::Data::operator bool const):
3261         (JSC::ContiguousData::Data::operator=):
3262         (JSC::ContiguousData::Data::operator const T& const):
3263         (JSC::ContiguousData::Data::set):
3264         (JSC::ContiguousData::Data::setWithoutWriteBarrier):
3265         (JSC::ContiguousData::Data::clear):
3266         (JSC::ContiguousData::Data::get const):
3267         (JSC::ContiguousData::atUnsafe):
3268         (JSC::ContiguousData::at const): Deleted.
3269         (JSC::ContiguousData::at): Deleted.
3270         * runtime/ButterflyInlines.h:
3271         (JSC::ContiguousData<T>::at const):
3272         (JSC::ContiguousData<T>::at):
3273         * runtime/ClonedArguments.cpp:
3274         (JSC::ClonedArguments::createEmpty):
3275         * runtime/CommonSlowPaths.cpp:
3276         (JSC::SLOW_PATH_DECL):
3277         * runtime/CommonSlowPaths.h:
3278         (JSC::CommonSlowPaths::allocateNewArrayBuffer):
3279         * runtime/IndexingType.cpp:
3280         (JSC::leastUpperBoundOfIndexingTypeAndType):
3281         (JSC::leastUpperBoundOfIndexingTypeAndValue):
3282         (JSC::dumpIndexingType):
3283         * runtime/IndexingType.h:
3284         (JSC::hasIndexedProperties):
3285         (JSC::hasUndecided):
3286         (JSC::hasInt32):
3287         (JSC::hasDouble):
3288         (JSC::hasContiguous):
3289         (JSC::hasArrayStorage):
3290         (JSC::hasAnyArrayStorage):
3291         (JSC::hasSlowPutArrayStorage):
3292         (JSC::shouldUseSlowPut):
3293         (JSC::isCopyOnWrite):
3294         (JSC::arrayIndexFromIndexingType):
3295         * runtime/JSArray.cpp:
3296         (JSC::JSArray::tryCreateUninitializedRestricted):
3297         (JSC::JSArray::put):
3298         (JSC::JSArray::appendMemcpy):
3299         (JSC::JSArray::setLength):
3300         (JSC::JSArray::pop):
3301         (JSC::JSArray::fastSlice):
3302         (JSC::JSArray::shiftCountWithAnyIndexingType):
3303         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3304         (JSC::JSArray::fillArgList):
3305         (JSC::JSArray::copyToArguments):
3306         * runtime/JSArrayInlines.h:
3307         (JSC::JSArray::pushInline):
3308         * runtime/JSCell.h:
3309         * runtime/JSCellInlines.h:
3310         (JSC::JSCell::JSCell):
3311         (JSC::JSCell::finishCreation):
3312         (JSC::JSCell::indexingType const):
3313         (JSC::JSCell::indexingMode const):
3314         (JSC::JSCell::setStructure):
3315         * runtime/JSFixedArray.h:
3316         * runtime/JSGlobalObject.cpp:
3317         (JSC::JSGlobalObject::init):
3318         (JSC::JSGlobalObject::haveABadTime):
3319         (JSC::JSGlobalObject::visitChildren):
3320         * runtime/JSGlobalObject.h:
3321         (JSC::JSGlobalObject::originalArrayStructureForIndexingType const):
3322         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
3323         (JSC::JSGlobalObject::isOriginalArrayStructure):
3324         * runtime/JSImmutableButterfly.cpp: Added.
3325         (JSC::JSImmutableButterfly::visitChildren):
3326         (JSC::JSImmutableButterfly::copyToArguments):
3327         * runtime/JSImmutableButterfly.h: Added.
3328         (JSC::JSImmutableButterfly::createStructure):
3329         (JSC::JSImmutableButterfly::tryCreate):
3330         (JSC::JSImmutableButterfly::create):
3331         (JSC::JSImmutableButterfly::publicLength const):
3332         (JSC::JSImmutableButterfly::vectorLength const):
3333         (JSC::JSImmutableButterfly::length const):
3334         (JSC::JSImmutableButterfly::toButterfly const):
3335         (JSC::JSImmutableButterfly::fromButterfly):
3336         (JSC::JSImmutableButterfly::get const):
3337         (JSC::JSImmutableButterfly::subspaceFor):
3338         (JSC::JSImmutableButterfly::setIndex):
3339         (JSC::JSImmutableButterfly::allocationSize):
3340         (JSC::JSImmutableButterfly::JSImmutableButterfly):
3341         * runtime/JSObject.cpp:
3342         (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties):
3343         (JSC::JSObject::visitButterflyImpl):
3344         (JSC::JSObject::getOwnPropertySlotByIndex):
3345         (JSC::JSObject::putByIndex):
3346         (JSC::JSObject::createInitialInt32):
3347         (JSC::JSObject::createInitialDouble):
3348         (JSC::JSObject::createInitialContiguous):
3349         (JSC::JSObject::convertUndecidedToInt32):
3350         (JSC::JSObject::convertUndecidedToDouble):
3351         (JSC::JSObject::convertUndecidedToContiguous):
3352         (JSC::JSObject::convertInt32ToDouble):
3353         (JSC::JSObject::convertInt32ToArrayStorage):
3354         (JSC::JSObject::convertDoubleToContiguous):
3355         (JSC::JSObject::convertDoubleToArrayStorage):
3356         (JSC::JSObject::convertContiguousToArrayStorage):
3357         (JSC::JSObject::createInitialForValueAndSet):
3358         (JSC::JSObject::convertInt32ForValue):
3359         (JSC::JSObject::convertFromCopyOnWrite):
3360         (JSC::JSObject::ensureWritableInt32Slow):
3361         (JSC::JSObject::ensureWritableDoubleSlow):
3362         (JSC::JSObject::ensureWritableContiguousSlow):