Add missing exception check.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-05-18  Mark Lam  <mark.lam@apple.com>

        Add missing exception check.
        https://bugs.webkit.org/show_bug.cgi?id=185786
        <rdar://problem/35686560>

        Reviewed by Michael Saboff.

        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):

2018-05-18  Jer Noble  <jer.noble@apple.com>

        Complete fix for enabling modern EME by default
        https://bugs.webkit.org/show_bug.cgi?id=185770
        <rdar://problem/40368220>

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix exception checking, part 2
        https://bugs.webkit.org/show_bug.cgi?id=185350

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByValInternal):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):

2018-05-16  Filip Pizlo  <fpizlo@apple.com>

        JSC should have InstanceOf inline caching
        https://bugs.webkit.org/show_bug.cgi?id=185652

        Reviewed by Saam Barati.

        This adds a polymorphic inline cache for instanceof. It caches hits and misses. It uses the
        existing PolymorphicAccess IC machinery along with all of its heuristics. If we ever generate
        too many cases, we emit the generic instanceof implementation instead.

        All of the JIT tiers use the same InstanceOf IC. It uses the existing JITInlineCacheGenerator
        abstraction.

        This is a ~40% speed-up on instanceof microbenchmarks. It's a *tiny* (~1%) speed-up on
        Octane/boyer. I think I can make that speed-up bigger by inlining the inline cache.

        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/B3Effects.h:
        (JSC::B3::Effects::forReadOnlyCall):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::guardedByStructureCheck const):
        (JSC::AccessCase::canReplace const):
        (JSC::AccessCase::visitWeak const):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCase.h:
        * bytecode/InstanceOfAccessCase.cpp: Added.
        (JSC::InstanceOfAccessCase::create):
        (JSC::InstanceOfAccessCase::dumpImpl const):
        (JSC::InstanceOfAccessCase::clone const):
        (JSC::InstanceOfAccessCase::~InstanceOfAccessCase):
        (JSC::InstanceOfAccessCase::InstanceOfAccessCase):
        * bytecode/InstanceOfAccessCase.h: Added.
        (JSC::InstanceOfAccessCase::prototype const):
        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::hasPrototypeWithoutBarrier):
        (JSC::ObjectPropertyCondition::hasPrototype):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForInstanceOf):
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::addCases):
        (JSC::PolymorphicAccess::regenerate):
        (WTF::printInternal):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::dumpInContext const):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
        (WTF::printInternal):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::absenceWithoutBarrier):
        (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
        (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
        (JSC::PropertyCondition::hasPrototype):
        (JSC::PropertyCondition::hasPrototype const):
        (JSC::PropertyCondition::prototype const):
        (JSC::PropertyCondition::hash const):
        (JSC::PropertyCondition::operator== const):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::StructureStubInfo):
        (JSC::StructureStubInfo::reset):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::considerCaching):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInlineCacheWrapper.h:
        * dfg/DFGInlineCacheWrapperInlines.h:
        (JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addInstanceOf):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
        * jit/ICStats.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::link):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITInlineCacheGenerator::finalize):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::finalize):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
        (JSC::JITInstanceOfGenerator::generateFastPath):
        (JSC::JITInstanceOfGenerator::finalize):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITInlineCacheGenerator::reportSlowPathCall):
        (JSC::JITInlineCacheGenerator::slowPathBegin const):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
        (JSC::finalizeInlineCaches):
        (JSC::JITByIdGenerator::reportSlowPathCall): Deleted.
        (JSC::JITByIdGenerator::slowPathBegin const): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::stubUnavailableRegisters):
        * jit/Repatch.cpp:
        (JSC::tryCacheIn):
        (JSC::tryCacheInstanceOf):
        (JSC::repatchInstanceOf):
        (JSC::resetPatchableJump):
        (JSC::resetIn):
        (JSC::resetInstanceOf):
        * jit/Repatch.h:
        * runtime/Options.h:
        * runtime/Structure.h:

2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix exception checking
        https://bugs.webkit.org/show_bug.cgi?id=185350

        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectWithReify):
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):

2018-05-17  Michael Saboff  <msaboff@apple.com>

        We don't throw SyntaxErrors for runtime generated regular expressions with errors
        https://bugs.webkit.org/show_bug.cgi?id=185755

        Reviewed by Keith Miller.

        Added a new helper that creates the correct exception to throw for each type of error when
        compiling a RegExp.  Using that new helper, added missing checks for RegExp for the cases
        where we create a new RegExp from an existing one.  Also refactored other places that we
        throw SyntaxErrors after a failed RegExp compile to use the new helper.

        * runtime/RegExp.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpCreate):
        (JSC::constructRegExp):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        * yarr/YarrErrorCode.cpp:
        (JSC::Yarr::errorToThrow):
        * yarr/YarrErrorCode.h:
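
        The behaviour the entry above fixes, as an added example that is not part of this ChangeLog and not JavaScriptCore's own code: every way of building a RegExp at runtime, including rebuilding one from an existing RegExp object or recompiling it through the Annex B `compile` method, must surface a bad pattern or bad flag string as a SyntaxError rather than silently yielding a broken object. The case names and inputs below are constructed for the example; a regression check of this shape is what a test suite would run against the engine.

```javascript
// Added example (not from the WebKit ChangeLog): every runtime RegExp
// construction path must report pattern and flag errors as SyntaxError.

// Run `build` and return the name of the error it throws, or null if none.
function thrownErrorName(build) {
  try {
    build();
    return null;
  } catch (e) {
    return e.name;
  }
}

// Constructed inputs: each entry pairs a case name with a builder.
const regExpCases = {
  // Pattern error compiled from a plain string.
  unterminatedGroupFromString: () => new RegExp("("),
  // Existing RegExp reused with an invalid flag string (duplicate "g").
  existingRegExpWithBadFlags: () => new RegExp(/a/, "gg"),
  // Existing RegExp reused with an unknown flag, called without `new`.
  existingRegExpWithUnknownFlag: () => RegExp(/a/, "z"),
  // Annex B RegExp.prototype.compile with an invalid pattern.
  compileWithBadPattern: () => /a/.compile("("),
  // Control: a valid rebuild from an existing RegExp must not throw.
  validRebuild: () => new RegExp(/a/, "gi"),
};

// Map every case to the error name it produced (null for no error).
function checkAllRegExpCases() {
  const results = {};
  for (const [name, build] of Object.entries(regExpCases))
    results[name] = thrownErrorName(build);
  return results;
}
```

Each invalid case is expected to report "SyntaxError" and only the control case to report null; any engine that returns null for one of the invalid cases has the defect this entry describes.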

2018-05-17  Saam Barati  <sbarati@apple.com>

        Remove shrinkFootprint test from apitests since it's flaky
        https://bugs.webkit.org/show_bug.cgi?id=185754

        Reviewed by Mark Lam.

        This test is flaky as it keeps failing on certain people's machines.
        Having a test about OS footprint seems like it'll forever be doomed
        to being flaky.

        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):

2018-05-17  Saam Barati  <sbarati@apple.com>

        defaultConstructorSourceCode needs to makeSource every time it's called
        https://bugs.webkit.org/show_bug.cgi?id=185753

        Rubber-stamped by Mark Lam.

        The bug here is multiple VMs can be running concurrently to one another
        in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
        if we copy a static SourceCode. Instead, we create a new one each time
        this function is called.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):

2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use AssemblyHelpers' type checking functions as much as possible
        https://bugs.webkit.org/show_bug.cgi?id=185730

        Reviewed by Saam Barati.

        Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex
        bit and register operations for type tagging of JSValue. It is really useful when we would like
        to tweak type tagging representation since the code is collected into AssemblyHelpers. And
        the named function is more readable than some branching operations.

        We also remove unnecessary branching functions in JIT / JSInterfaceJIT. Some of them are duplicates
        of AssemblyHelpers' ones.

        We add several new type checking functions to AssemblyHelpers. Moreover, we add branchIfXXX(GPRReg)
        functions even for 32-bit environments. In a 32-bit environment, this function takes the tag register. These
        semantics are aligned to the existing branchIfCell / branchIfNotCell.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
        (JSC::DFG::SpeculativeJIT::speculateCellType):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
        (JSC::DFG::SpeculativeJIT::compileCreateThis):
        (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::convertAnyInt):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfInt32):
        (JSC::AssemblyHelpers::branchIfNotInt32):
        (JSC::AssemblyHelpers::branchIfNumber):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfBoolean):
        (JSC::AssemblyHelpers::branchIfNotBoolean):
        (JSC::AssemblyHelpers::branchIfEmpty):
        (JSC::AssemblyHelpers::branchIfNotEmpty):
        (JSC::AssemblyHelpers::branchIfUndefined):
        (JSC::AssemblyHelpers::branchIfNotUndefined):
        (JSC::AssemblyHelpers::branchIfNull):
        (JSC::AssemblyHelpers::branchIfNotNull):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emit_op_inc):
        (JSC::JIT::emit_op_dec):
        (JSC::JIT::emitBinaryDoubleOp):
        (JSC::JIT::emit_op_mod):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
        (JSC::JIT::emitJumpIfBothJSCells):
        (JSC::JIT::emitJumpSlowCaseIfJSCell):
        (JSC::JIT::emitJumpIfNotInt):
        (JSC::JIT::emitJumpSlowCaseIfNotInt):
        (JSC::JIT::emitJumpSlowCaseIfNotNumber):
        (JSC::JIT::emitJumpIfCellObject): Deleted.
        (JSC::JIT::emitJumpIfCellNotObject): Deleted.
        (JSC::JIT::emitJumpIfJSCell): Deleted.
        (JSC::JIT::emitJumpIfInt): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_to_object):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_check_tdz):
        (JSC::JIT::emitNewFuncExprCommon):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jneq_ptr):
        (JSC::JIT::emit_op_eq):
        (JSC::JIT::emit_op_jeq):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::emit_op_jneq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_to_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emit_op_check_tdz):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitWriteBarrier):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitLoadJSCell):
        (JSC::JSInterfaceJIT::emitLoadInt32):
        (JSC::JSInterfaceJIT::emitLoadDouble):
        (JSC::JSInterfaceJIT::emitJumpIfNumber): Deleted.
        (JSC::JSInterfaceJIT::emitJumpIfNotNumber): Deleted.
        (JSC::JSInterfaceJIT::emitJumpIfNotType): Deleted.
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::absThunkGenerator):
        * tools/JSDollarVM.cpp:
        (WTF::DOMJITNode::checkSubClassSnippet):
        (WTF::DOMJITFunctionObject::checkSubClassSnippet):

2018-05-17  Saam Barati  <sbarati@apple.com>

        Unreviewed. Fix the build after my attempted build fix broke the build.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):
        (JSC::BuiltinExecutables::createDefaultConstructor):
        * builtins/BuiltinExecutables.h:

2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove reifyPropertyNameIfNeeded
        https://bugs.webkit.org/show_bug.cgi?id=185350

        Reviewed by Saam Barati.

        reifyPropertyNameIfNeeded is in the middle of putDirectInternal, which is a super critical path.
        This is a virtual call, and it is only used by JSFunction right now. Since this causes too much
        cost, we should remove this from the critical path.

        This patch removes this function call from the critical path. And in our slow paths, we call
        helper functions which call reifyLazyPropertyIfNeeded if the given value is a JSFunction.
        While putDirect is a bit raw API, our slow paths just call it. This helper wraps these calls
        and takes care of the edge cases. The other callsites of putDirect should know the type of the given
        object and the name of the property (and avoid these edge cases).

        This improves SixSpeed/object-assign.es6 by ~4% on MacBook Pro. And this patch does not cause
        regressions of the existing tests.

                                           baseline                  patched
        Kraken:
            json-parse-financial        35.522+-0.069      ^      34.708+-0.097         ^ definitely 1.0234x faster

        SixSpeed:
            object-assign.es6         145.8779+-0.2838     ^    140.1019+-0.8007        ^ definitely 1.0412x faster

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByValInternal):
        (JSC::DFG::putByValCellInternal):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ClassInfo.h:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectWithReify):
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):
        * runtime/JSCell.cpp:
        (JSC::JSCell::reifyPropertyNameIfNeeded): Deleted.
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::reifyPropertyNameIfNeeded): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectNonIndexAccessor):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):

2018-05-17  Saam Barati  <sbarati@apple.com>

        Unreviewed. Try to fix windows build.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):

2018-05-16  Saam Barati  <sbarati@apple.com>

        UnlinkedFunctionExecutable doesn't need a parent source override field since it's only used for default class constructors
        https://bugs.webkit.org/show_bug.cgi?id=185637

        Reviewed by Keith Miller.

        We had this general mechanism for overriding an UnlinkedFunctionExecutable's parent
        source code. However, we were only using this for default class constructors. There
        are only two types of default class constructors. This patch makes it so that
        we just store this information inside of a single bit, and ask for the source
        code as needed instead of holding it in a nullable field that is 24 bytes in size.

        This brings UnlinkedFunctionExecutable's size down from 184 bytes to 160 bytes.
        This has the consequence of making it allocated out of a 160 byte size class
        instead of a 224 byte size class. This should bring down its memory footprint
        by ~40%.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):
        (JSC::BuiltinExecutables::createDefaultConstructor):
        (JSC::BuiltinExecutables::createExecutable):
        * builtins/BuiltinExecutables.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2018-05-16  Saam Barati  <sbarati@apple.com>

        VM::shrinkFootprint should call collectNow(Sync) instead of collectSync so it also eagerly sweeps
        https://bugs.webkit.org/show_bug.cgi?id=185707

        Reviewed by Mark Lam.

        * runtime/VM.cpp:
        (JSC::VM::shrinkFootprint):

2018-05-16  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "/" operation
        https://bugs.webkit.org/show_bug.cgi?id=183996

        Reviewed by Yusuke Suzuki.

        This patch is introducing the support for BigInt into divide
        operation in LLInt and JIT layers.

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::copy):
        (JSC::JSBigInt::unaryMinus):
        (JSC::JSBigInt::absoluteCompare):
        (JSC::JSBigInt::absoluteDivLarge):
        (JSC::JSBigInt::productGreaterThan):
        (JSC::JSBigInt::inplaceAdd):
        (JSC::JSBigInt::inplaceSub):
        (JSC::JSBigInt::inplaceRightShift):
        (JSC::JSBigInt::specialLeftShift):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:

2018-05-16  Saam Barati  <sbarati@apple.com>

        Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
        https://bugs.webkit.org/show_bug.cgi?id=185670

        Reviewed by Yusuke Suzuki.

        This patch makes it so that we constant fold CheckTypeInfoFlags for
        ImplementsDefaultHasInstance inside of AI/constant folding. We constant
        fold in three ways:
        - When the incoming value is a constant, we just look at its inline type
        flags. Since those flags never change after an object is created, this
        is sound.
        - Based on the incoming value having a finite structure set. We just iterate
        all structures and ensure they have the bit set.
        - Based on speculated type. To do this, I split up SpecFunction into two
        subheaps where one is for functions that have the bit set, and one for
        functions that don't have the bit set. The latter is currently only comprised
        of JSBoundFunctions. To constant fold, we check that the incoming
        value only has the SpecFunction type with ImplementsDefaultHasInstance set.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::assertTypeInfoFlagInvariants):
        * runtime/JSFunction.h:
        (JSC::JSFunction::assertTypeInfoFlagInvariants):
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::JSFunction):

2018-05-16  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: create a navigation item for toggling the overlay rulers/guides
        https://bugs.webkit.org/show_bug.cgi?id=185644

        Reviewed by Matt Baker.

        * inspector/protocol/OverlayTypes.json:
        * inspector/protocol/Page.json:

2018-05-16  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231845.
        https://bugs.webkit.org/show_bug.cgi?id=185702

        It is breaking the Apple High Sierra 32-bit JSC bot (Requested by
        caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "/" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183996
        https://trac.webkit.org/changeset/231845

2018-05-16  Filip Pizlo  <fpizlo@apple.com>

        DFG models InstanceOf incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=185694

        Reviewed by Keith Miller.

        Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
        hoist it.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
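
        The two constraints the entry above states, shown from script, as an added example that is not part of this ChangeLog and not JavaScriptCore's own code: a Proxy on the left-hand side runs user code (its getPrototypeOf trap) while the prototype chain is walked, so `instanceof` has observable effects even when its result is discarded, and both a custom Symbol.hasInstance on the right-hand side and a throwing trap on the left-hand side let it raise an exception. The class and object names are constructed for the example; the same observations are why the InstanceOf inline cache described earlier in this log must fall back to the generic implementation for such objects.

```javascript
// Added example (not from the WebKit ChangeLog): why a JIT may not treat
// `instanceof` as pure or non-throwing.

// A Proxy on the left-hand side is consulted through its getPrototypeOf trap
// on every step of the prototype walk, and that trap is arbitrary user code.
function observeInstanceOf() {
  let trapCalls = 0;
  class Base {}
  const proxied = new Proxy(new Base(), {
    getPrototypeOf(target) {
      trapCalls += 1; // observable side effect of the prototype walk
      return Reflect.getPrototypeOf(target);
    },
  });
  const result = proxied instanceof Base; // true: the walk reaches Base.prototype
  // The result below is discarded, yet the trap still fires; eliminating the
  // expression as dead code would silently drop a trap invocation.
  void (proxied instanceof Base);
  return { result, trapCalls }; // { result: true, trapCalls: 2 }
}

// Either operand can make `instanceof` throw: a custom Symbol.hasInstance on
// the right-hand side, or a getPrototypeOf trap on the left-hand side.
function instanceOfErrorNames() {
  const rejecting = {
    [Symbol.hasInstance]() { throw new RangeError("hasInstance refused"); },
  };
  const opaque = new Proxy({}, {
    getPrototypeOf() { throw new RangeError("prototype hidden"); },
  });
  const probes = [() => ({}) instanceof rejecting, () => opaque instanceof Object];
  return probes.map((probe) => {
    try {
      probe();
      return null;
    } catch (e) {
      return e.name;
    }
  }); // ["RangeError", "RangeError"]
}
```

Because an exception can come from either operand, hoisting the operation above a guard that would have prevented its evaluation changes which exception (if any) the program observes, which is the second half of the entry's point.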

2018-05-16  Andy VanWagoner  <andy@vanwagoner.family>

        Add support for Intl NumberFormat formatToParts
        https://bugs.webkit.org/show_bug.cgi?id=185375

        Reviewed by Yusuke Suzuki.

        Add flag for NumberFormat formatToParts. Implement formatToParts using
        unum_formatDoubleForFields. Because the fields are nested and come back
        in no guaranteed order, the simple algorithm to convert them to the
        desired format is roughly O(n^2). However, even with Number.MAX_VALUE
        it appears to perform well enough for the initial implementation. Another
        issue has been created to improve this algorithm.

        This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
        on macOS, since only v57 is available.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
        (JSC::IntlNumberFormat::partTypeString):
        (JSC::IntlNumberFormat::formatToParts):
        * runtime/IntlNumberFormat.h:
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::create):
        (JSC::IntlNumberFormatPrototype::finishCreation):
        (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
        * runtime/IntlNumberFormatPrototype.h:
        * runtime/Options.h:

2018-05-16  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "/" operation
        https://bugs.webkit.org/show_bug.cgi?id=183996

        Reviewed by Yusuke Suzuki.

        This patch is introducing the support for BigInt into divide
        operation in LLInt and JIT layers.

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::divide):
        (JSC::JSBigInt::copy):
        (JSC::JSBigInt::unaryMinus):
        (JSC::JSBigInt::absoluteCompare):
        (JSC::JSBigInt::absoluteDivLarge):
        (JSC::JSBigInt::productGreaterThan):
        (JSC::JSBigInt::inplaceAdd):
        (JSC::JSBigInt::inplaceSub):
        (JSC::JSBigInt::inplaceRightShift):
        (JSC::JSBigInt::specialLeftShift):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:

2018-05-16  Alberto Garcia  <berto@igalia.com>

        [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
        https://bugs.webkit.org/show_bug.cgi?id=182622

        Reviewed by Michael Catanzaro.

        We were linking JavaScriptCore against libatomic in MIPS because
        in that architecture __atomic_fetch_add_8() is not a compiler
        intrinsic and is provided by that library instead. However other
        architectures (e.g. armel) are in the same situation, so we need a
        generic test.

        That test already exists in WebKit/CMakeLists.txt, so we just have
        to move it to a common file (WebKitCompilerFlags.cmake) and use
        its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.

        * CMakeLists.txt:

693 2018-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
694
695         [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
696         https://bugs.webkit.org/show_bug.cgi?id=185601
697
698         Reviewed by Saam Barati.
699
700         Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData
701         before calling getCallData when we would like to check whether a given object is callable
702         since getCallData is a virtual call. When we call the object anyway, directly calling getCallData
703         is fine. But if we would like to check whether the object is callable, we can frequently
704         have non-callable objects. In that case, we should not call getCallData if we can avoid it.
705
706         To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
707         and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
708         OverridesGetCallData checking before calling getCallData.
709
710         We found that this virtual call exists in JSON.stringify's critical path. Checking
711         OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.
712
713                                                baseline                  patched
714
715             json-stringify-tinderbox        38.807+-0.350      ^      37.216+-0.337         ^ definitely 1.0427x faster
716
717         In addition to that, we also add the OverridesGetCallData flag to JSFunction while we keep the JSFunctionType checking fast path
718         since the major cases are covered by this fast JSFunctionType checking.
719
720         * API/JSCallbackObject.h:
721         * dfg/DFGAbstractInterpreterInlines.h:
722         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
723         * dfg/DFGOperations.cpp:
724         * dfg/DFGSpeculativeJIT.cpp:
725         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
726         (JSC::DFG::SpeculativeJIT::compileIsFunction):
727         * ftl/FTLLowerDFGToB3.cpp:
728         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
729         * jit/AssemblyHelpers.h:
730         (JSC::AssemblyHelpers::emitTypeOf):
731         * runtime/ExceptionHelpers.cpp:
732         (JSC::createError):
733         (JSC::createInvalidFunctionApplyParameterError):
734         * runtime/FunctionPrototype.cpp:
735         (JSC::functionProtoFuncToString):
736         * runtime/InternalFunction.h:
737         * runtime/JSCJSValue.h:
738         * runtime/JSCJSValueInlines.h:
739         (JSC::JSValue::isFunction const):
740         (JSC::JSValue::isCallable const):
741         * runtime/JSCell.h:
742         * runtime/JSCellInlines.h:
743         (JSC::JSCell::isFunction):
744         ALWAYS_INLINE works well for my environment.
745         (JSC::JSCell::isCallable):
746         * runtime/JSFunction.h:
747         * runtime/JSONObject.cpp:
748         (JSC::Stringifier::toJSON):
749         (JSC::Stringifier::toJSONImpl):
750         (JSC::Stringifier::appendStringifiedValue):
751         * runtime/JSObjectInlines.h:
752         (JSC::createListFromArrayLike):
753         * runtime/JSTypeInfo.h:
754         (JSC::TypeInfo::overridesGetCallData const):
755         (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted.
756         * runtime/Operations.cpp:
757         (JSC::jsTypeStringForValue):
758         (JSC::jsIsObjectTypeOrNull):
759         * runtime/ProxyObject.h:
760         * runtime/RuntimeType.cpp:
761         (JSC::runtimeTypeForValue):
762         * runtime/RuntimeType.h:
763         * runtime/Structure.cpp:
764         (JSC::Structure::Structure):
765         * runtime/TypeProfilerLog.cpp:
766         (JSC::TypeProfilerLog::TypeProfilerLog):
767         (JSC::TypeProfilerLog::processLogEntries):
768         * runtime/TypeProfilerLog.h:
769         * runtime/VM.cpp:
770         (JSC::VM::enableTypeProfiler):
771         * tools/JSDollarVM.cpp:
772         (JSC::functionFindTypeForExpression):
773         (JSC::functionReturnTypeFor):
774         (JSC::functionHasBasicBlockExecuted):
775         (JSC::functionBasicBlockExecutionCount):
776         * wasm/js/JSWebAssemblyHelpers.h:
777         (JSC::getWasmBufferFromValue):
778         * wasm/js/JSWebAssemblyInstance.cpp:
779         (JSC::JSWebAssemblyInstance::create):
780         * wasm/js/WebAssemblyFunction.cpp:
781         (JSC::callWebAssemblyFunction):
782         * wasm/js/WebAssemblyInstanceConstructor.cpp:
783         (JSC::constructJSWebAssemblyInstance):
784         * wasm/js/WebAssemblyModuleRecord.cpp:
785         (JSC::WebAssemblyModuleRecord::link):
786         * wasm/js/WebAssemblyPrototype.cpp:
787         (JSC::webAssemblyInstantiateFunc):
788         (JSC::webAssemblyInstantiateStreamingInternal):
789         * wasm/js/WebAssemblyWrapperFunction.cpp:
790         (JSC::WebAssemblyWrapperFunction::finishCreation):
791
792 2018-05-15  Devin Rousso  <webkit@devinrousso.com>
793
794         Web Inspector: Add rulers and guides
795         https://bugs.webkit.org/show_bug.cgi?id=32263
796         <rdar://problem/19281564>
797
798         Reviewed by Matt Baker.
799
800         * inspector/protocol/OverlayTypes.json:
801
802 2018-05-14  Keith Miller  <keith_miller@apple.com>
803
804         Remove butterflyMask from DFGAbstractHeap
805         https://bugs.webkit.org/show_bug.cgi?id=185640
806
807         Reviewed by Saam Barati.
808
809         We don't have a butterfly indexing mask anymore so we don't need
810         the abstract heap information for it anymore.
811
812         * dfg/DFGAbstractHeap.h:
813         * dfg/DFGClobberize.h:
814         (JSC::DFG::clobberize):
815
816 2018-05-14  Andy VanWagoner  <andy@vanwagoner.family>
817
818         [INTL] Handle error in defineProperty for supported locales length
819         https://bugs.webkit.org/show_bug.cgi?id=185623
820
821         Reviewed by Saam Barati.
822
823         Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the
824         length of the supported locales array.
825
826         * runtime/IntlObject.cpp:
827         (JSC::supportedLocales):
828
829 2018-05-14  Yusuke Suzuki  <utatane.tea@gmail.com>
830
831         [JSC] Tweak LiteralParser to improve lexing performance
832         https://bugs.webkit.org/show_bug.cgi?id=185541
833
834         Reviewed by Saam Barati.
835
836         This patch attempts to improve LiteralParser performance.
837
838         This patch improves Kraken/json-parse-financial by roughly ~10%.
839                                            baseline                  patched
840
841             json-parse-financial        65.810+-1.591      ^      59.943+-1.784         ^ definitely 1.0979x faster
842
843         * parser/Lexer.cpp:
844         (JSC::Lexer<T>::Lexer):
845         * runtime/ArgList.h:
846         (JSC::MarkedArgumentBuffer::takeLast):
847         Add takeLast() for idiomatic last() + removeLast() calls.
848
849         * runtime/LiteralParser.cpp:
850         (JSC::LiteralParser<CharType>::Lexer::lex):
851         Do not have mode in its template parameter. While the lex function is large, this mode is not used in a critical path.
852         We should not include this mode in its template parameter, to reduce the code size.
853         And we do not use a template parameter for the terminator since duplicating the ' and " code for lexString is not good.
854         Also, we construct a TokenType table to remove a bunch of unnecessary switch cases.
855
856         (JSC::LiteralParser<CharType>::Lexer::next):
857         (JSC::isSafeStringCharacter):
858         Take mode in its template parameter. But do not take the terminator character in its template parameter.
859
860         (JSC::LiteralParser<CharType>::Lexer::lexString):
861         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
862         Duplicate while statements manually since this is a critical path.
863
864         (JSC::LiteralParser<CharType>::parse):
865         Use takeLast().
866
867         * runtime/LiteralParser.h:
868
869 2018-05-14  Dominik Infuehr  <dinfuehr@igalia.com>
870
871         [MIPS] Use btpz to compare against 0 instead of bpeq
872         https://bugs.webkit.org/show_bug.cgi?id=185607
873
874         Reviewed by Yusuke Suzuki.
875
876         Fixes build on MIPS since MIPS doesn't have an instruction to
877         compare a register against an immediate. Since the immediate is just 0
878         in this case, the simplest solution is just to use btpz instead of bpeq
879         to compare to 0.
880
881         * llint/LowLevelInterpreter.asm:
882
883 2018-05-12  Filip Pizlo  <fpizlo@apple.com>
884
885         CachedCall::call() should be faster
886         https://bugs.webkit.org/show_bug.cgi?id=185583
887
888         Reviewed by Yusuke Suzuki.
889         
890         CachedCall is an optimization for String.prototype.replace(r, f) where f is a function.
891         Unfortunately, because of a combination of abstraction and assertions, this code path had a
892         lot of overhead. This patch reduces this overhead by:
893         
894         - Turning off some assertions. These assertions don't look to have security value; they're
895           mostly for sanity. I turned off stack alignment checks and VM state checks having to do
896           with whether the JSLock is held. The JSLock checks are not relevant when doing a cached
897           call, considering that the caller would have already been strongly assuming that the JSLock
898           is held.
899         
900         - Making more things inlineable.
901         
902         This looks like a small (4% ish) speed-up on SunSpider/string-unpack-code.
903
904         * JavaScriptCore.xcodeproj/project.pbxproj:
905         * interpreter/CachedCall.h:
906         (JSC::CachedCall::call):
907         * interpreter/Interpreter.cpp:
908         (JSC::checkedReturn): Deleted.
909         * interpreter/Interpreter.h:
910         (JSC::Interpreter::checkedReturn):
911         * interpreter/InterpreterInlines.h:
912         (JSC::Interpreter::execute):
913         * jit/JITCode.cpp:
914         (JSC::JITCode::execute): Deleted.
915         * jit/JITCodeInlines.h: Added.
916         (JSC::JITCode::execute):
917         * llint/LowLevelInterpreter.asm:
918         * runtime/StringPrototype.cpp:
919
920 2018-05-13  Andy VanWagoner  <andy@vanwagoner.family>
921
922         [INTL] Improve spec & test262 compliance for Intl APIs
923         https://bugs.webkit.org/show_bug.cgi?id=185578
924
925         Reviewed by Yusuke Suzuki.
926
927         Use putDirectIndex over push for lists to arrays.
928         Update default options to construct with a null prototype.
929         Define constructor and toStringTag on prototypes.
930         Add proper time clipping.
931         Remove some outdated comment spec text, use url instead.
932
933         * runtime/IntlCollator.cpp:
934         (JSC::IntlCollator::initializeCollator):
935         * runtime/IntlCollatorConstructor.cpp:
936         (JSC::IntlCollatorConstructor::finishCreation):
937         * runtime/IntlCollatorPrototype.cpp:
938         (JSC::IntlCollatorPrototype::finishCreation):
939         * runtime/IntlDateTimeFormatConstructor.cpp:
940         (JSC::IntlDateTimeFormatConstructor::finishCreation):
941         * runtime/IntlDateTimeFormatPrototype.cpp:
942         (JSC::IntlDateTimeFormatPrototype::finishCreation):
943         (JSC::IntlDateTimeFormatFuncFormatDateTime):
944         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
945         * runtime/IntlNumberFormat.cpp:
946         (JSC::IntlNumberFormat::initializeNumberFormat):
947         * runtime/IntlNumberFormatConstructor.cpp:
948         (JSC::IntlNumberFormatConstructor::finishCreation):
949         * runtime/IntlNumberFormatPrototype.cpp:
950         (JSC::IntlNumberFormatPrototype::finishCreation):
951         * runtime/IntlObject.cpp:
952         (JSC::lookupSupportedLocales):
953         (JSC::supportedLocales):
954         (JSC::intlObjectFuncGetCanonicalLocales):
955         * runtime/IntlPluralRules.cpp:
956         (JSC::IntlPluralRules::resolvedOptions):
957         * runtime/IntlPluralRulesConstructor.cpp:
958         (JSC::IntlPluralRulesConstructor::finishCreation):
959
960 2018-05-11  Caio Lima  <ticaiolima@gmail.com>
961
962         [ESNext][BigInt] Implement support for "*" operation
963         https://bugs.webkit.org/show_bug.cgi?id=183721
964
965         Reviewed by Yusuke Suzuki.
966
967         Added BigInt support to the times binary operator in the LLInt and in the
968         JITOperations profiledMul and unprofiledMul. We are also replacing all
969         uses of int with unsigned when there are no negative values for
970         variables.
971
972         * dfg/DFGConstantFoldingPhase.cpp:
973         (JSC::DFG::ConstantFoldingPhase::foldConstants):
974         * jit/JITOperations.cpp:
975         * runtime/CommonSlowPaths.cpp:
976         (JSC::SLOW_PATH_DECL):
977         * runtime/JSBigInt.cpp:
978         (JSC::JSBigInt::JSBigInt):
979         (JSC::JSBigInt::allocationSize):
980         (JSC::JSBigInt::createWithLength):
981         (JSC::JSBigInt::toString):
982         (JSC::JSBigInt::multiply):
983         (JSC::JSBigInt::digitDiv):
984         (JSC::JSBigInt::internalMultiplyAdd):
985         (JSC::JSBigInt::multiplyAccumulate):
986         (JSC::JSBigInt::equals):
987         (JSC::JSBigInt::absoluteDivSmall):
988         (JSC::JSBigInt::calculateMaximumCharactersRequired):
989         (JSC::JSBigInt::toStringGeneric):
990         (JSC::JSBigInt::rightTrim):
991         (JSC::JSBigInt::allocateFor):
992         (JSC::JSBigInt::parseInt):
993         (JSC::JSBigInt::digit):
994         (JSC::JSBigInt::setDigit):
995         * runtime/JSBigInt.h:
996         * runtime/JSCJSValue.h:
997         * runtime/JSCJSValueInlines.h:
998         (JSC::JSValue::toNumeric const):
999         * runtime/Operations.h:
1000         (JSC::jsMul):
1001
1002 2018-05-11  Commit Queue  <commit-queue@webkit.org>
1003
1004         Unreviewed, rolling out r231316 and r231332.
1005         https://bugs.webkit.org/show_bug.cgi?id=185564
1006
1007         Appears to be a Speedometer2/MotionMark regression (Requested
1008         by keith_miller on #webkit).
1009
1010         Reverted changesets:
1011
1012         "Remove the prototype caching for get_by_id in the LLInt"
1013         https://bugs.webkit.org/show_bug.cgi?id=185226
1014         https://trac.webkit.org/changeset/231316
1015
1016         "Unreviewed, fix 32-bit profile offset for change in bytecode"
1017         https://trac.webkit.org/changeset/231332
1018
1019 2018-05-11  Michael Saboff  <msaboff@apple.com>
1020
1021         [DFG] Compiler uses incorrect output register for NumberIsInteger operation
1022         https://bugs.webkit.org/show_bug.cgi?id=185328
1023
1024         Reviewed by Keith Miller.
1025
1026         Fixed a typo from when this code was added in r228968 where resultGPR
1027         was assigned the input register instead of the result.gpr().
1028
1029         * dfg/DFGSpeculativeJIT64.cpp:
1030         (JSC::DFG::SpeculativeJIT::compile):
1031
1032 2018-05-11  Saam Barati  <sbarati@apple.com>
1033
1034         Don't use inferred types when the JIT is disabled
1035         https://bugs.webkit.org/show_bug.cgi?id=185539
1036
1037         Reviewed by Yusuke Suzuki.
1038
1039         There are many JSC API clients that run with the JIT disabled. They were
1040         all allocating and tracking inferred types for no benefit. Inferred types
1041         only benefit programs when they make it to the DFG/FTL. I was seeing cases
1042         where the inferred type machinery used ~0.5MB. This patch makes it so we
1043         don't allocate that machinery when the JIT is disabled.
1044
1045         * runtime/Structure.cpp:
1046         (JSC::Structure::willStoreValueSlow):
1047         * runtime/Structure.h:
1048
1049 2018-05-11  Saam Barati  <sbarati@apple.com>
1050
1051         Don't allocate value profiles when the JIT is disabled
1052         https://bugs.webkit.org/show_bug.cgi?id=185525
1053
1054         Reviewed by Michael Saboff.
1055
1056         There are many JSC API clients that run with the JIT disabled. We were
1057         still allocating a ton of value profiles in this use case even though
1058         these clients get no benefit from doing value profiling. This patch makes
1059         it so that we don't allocate value profiles or argument value profiles
1060         when we're not using the JIT. We now just make all value profiles in
1061         the instruction stream point to a global value profile that the VM owns.
1062         And we make the argument value profile array have zero length and teach
1063         the LLInt how to handle that. Heap clears the global value profile on each GC.
1064
1065         In an app that I'm testing this against, this saves ~1MB of memory.
1066
1067         * bytecode/CodeBlock.cpp:
1068         (JSC::CodeBlock::finishCreation):
1069         (JSC::CodeBlock::setNumParameters):
1070         * bytecode/CodeBlock.h:
1071         (JSC::CodeBlock::numberOfArgumentValueProfiles):
1072         (JSC::CodeBlock::valueProfileForArgument):
1073         * bytecompiler/BytecodeGenerator.cpp:
1074         (JSC::BytecodeGenerator::emitProfiledOpcode):
1075         * heap/Heap.cpp:
1076         (JSC::Heap::runEndPhase):
1077         * llint/LowLevelInterpreter.asm:
1078         * runtime/VM.cpp:
1079         (JSC::VM::VM):
1080         * runtime/VM.h:
1081
1082 2018-05-10  Carlos Garcia Campos  <cgarcia@igalia.com>
1083
1084         [JSC][GLIB] Add introspectable alternatives to functions using varargs
1085         https://bugs.webkit.org/show_bug.cgi?id=185508
1086
1087         Reviewed by Michael Catanzaro.
1088
1089         * API/glib/JSCClass.cpp:
1090         (jscClassCreateConstructor):
1091         (jsc_class_add_constructor):
1092         (jsc_class_add_constructorv):
1093         (jscClassAddMethod):
1094         (jsc_class_add_method):
1095         (jsc_class_add_methodv):
1096         * API/glib/JSCClass.h:
1097         * API/glib/JSCValue.cpp:
1098         (jsObjectCall):
1099         (jscValueCallFunction):
1100         (jsc_value_object_invoke_methodv):
1101         (jscValueFunctionCreate):
1102         (jsc_value_new_function):
1103         (jsc_value_new_functionv):
1104         (jsc_value_function_callv):
1105         (jsc_value_constructor_callv):
1106         * API/glib/JSCValue.h:
1107         * API/glib/docs/jsc-glib-4.0-sections.txt:
1108
1109 2018-05-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1110
1111         [JSC] Make return types of construction functions tight
1112         https://bugs.webkit.org/show_bug.cgi?id=185509
1113
1114         Reviewed by Saam Barati.
1115
1116         Array and Object construction functions should return strict types instead of returning JSObject*/JSValue.
1117
1118         * runtime/ArrayConstructor.cpp:
1119         (JSC::constructArrayWithSizeQuirk):
1120         * runtime/ArrayConstructor.h:
1121         * runtime/ObjectConstructor.h:
1122         (JSC::constructEmptyObject):
1123
1124 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1125
1126         [JSC] Object.assign for final objects should be faster
1127         https://bugs.webkit.org/show_bug.cgi?id=185348
1128
1129         Reviewed by Saam Barati.
1130
1131         Object.assign is heavily used to clone objects. For example, speedometer react-redux can be significantly
1132         improved if Object.assign becomes fast. It is worth adding a complex fast path to accelerate the major use cases.
1133
1134         If enumerating properties of source objects and putting properties to the target object are non-observable,
1135         we can avoid hash table lookups of source object properties. We can enumerate object property entries
1136         and put them to the target object. This patch adds this fast path to the Object.assign implementation.
1137
1138         When enumerating properties, we need to ensure that the given |source| object does not include "__proto__"
1139         property since we cannot perform fast [[Put]] for the |target| object. We add a new flag
1140         "HasUnderscoreProtoPropertyExcludingOriginalProto" to Structure to track this state.
1141
1142         This improves object-assign.es6 by 1.85x.
1143
1144                                         baseline                  patched
1145
1146             object-assign.es6      368.6132+-8.3508     ^    198.8775+-4.9042        ^ definitely 1.8535x faster
1147
1148         And Speedometer2.0 React-Redux-TodoMVC's total time is improved from 490ms to 431ms.
1149
1150         * runtime/JSObject.h:
1151         * runtime/JSObjectInlines.h:
1152         (JSC::JSObject::canPerformFastPutInlineExcludingProto):
1153         (JSC::JSObject::canPerformFastPutInline):
1154         * runtime/ObjectConstructor.cpp:
1155         (JSC::objectConstructorAssign):
1156         * runtime/Structure.cpp:
1157         (JSC::Structure::Structure):
1158         * runtime/Structure.h:
1159         * runtime/StructureInlines.h:
1160         (JSC::Structure::forEachProperty):
1161         (JSC::Structure::add):
1162
1163 2018-05-10  Filip Pizlo  <fpizlo@apple.com>
1164
1165         DFG CFA should pick the right time to inject OSR entry data
1166         https://bugs.webkit.org/show_bug.cgi?id=185530
1167
1168         Reviewed by Saam Barati.
1169         
1170         Previously, we would do a bonus run of CFA to inject OSR entry data. This patch makes us inject
1171         OSR entry data as part of the normal flow of CFA, which reduces the total number of CFA
1172         reexecutions while minimizing the likelihood that we have CFA execute constants in paths that
1173         would eventually LUB to non-constant.
1174         
1175         This looks like almost a 1% speed-up on SunSpider-CompileTime. All of the logic for preventing
1176         execution over constants is for V8Spider-CompileTime/regexp, which would otherwise do a lot of
1177         useless regexp/string execution in the compiler.
1178
1179         * dfg/DFGBlockSet.h:
1180         (JSC::DFG::BlockSet::remove):
1181         * dfg/DFGCFAPhase.cpp:
1182         (JSC::DFG::CFAPhase::run):
1183         (JSC::DFG::CFAPhase::injectOSR):
1184         (JSC::DFG::CFAPhase::performBlockCFA):
1185
1186 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
1187
1188         InPlaceAbstractState::beginBasicBlock shouldn't copy all m_variables every time
1189         https://bugs.webkit.org/show_bug.cgi?id=185452
1190
1191         Reviewed by Michael Saboff.
1192         
1193         We were spending a lot of time in beginBasicBlock() just copying the state of all variables
1194         from the block head to InPlaceAbstractState::m_variables. It is necessary for
1195         InPlaceAbstractState to have its own copy since we need to mutate it separately from
1196         block->valuesAtHead. But most variables are untouched by most basic blocks, so this was a lot
1197         of superfluous work.
1198         
1199         This change adds a bitvector called m_activeVariables that tracks which variables have been
1200         copied. We lazily copy the variables on first use. Variables that were never copied also have
1201         a simplified merging path, which just needs to consider if the variable got clobbered between
1202         head and tail.
1203         
1204         This is a 1.5% speed-up on SunSpider-CompileTime and a 1.7% speed-up on V8Spider-CompileTime.
1205
1206         * bytecode/Operands.h:
1207         (JSC::Operands::argumentIndex const):
1208         (JSC::Operands::localIndex const):
1209         (JSC::Operands::argument):
1210         (JSC::Operands::argument const):
1211         (JSC::Operands::local):
1212         (JSC::Operands::local const):
1213         (JSC::Operands::operandIndex const):
1214         * dfg/DFGAbstractValue.h:
1215         (JSC::DFG::AbstractValue::fastForwardFromTo):
1216         * dfg/DFGCFAPhase.cpp:
1217         (JSC::DFG::CFAPhase::performForwardCFA):
1218         * dfg/DFGInPlaceAbstractState.cpp:
1219         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1220         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
1221         (JSC::DFG::InPlaceAbstractState::activateAllVariables):
1222         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1223         (JSC::DFG::InPlaceAbstractState::activateVariable):
1224         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): Deleted.
1225         * dfg/DFGInPlaceAbstractState.h:
1226         (JSC::DFG::InPlaceAbstractState::variableAt):
1227         (JSC::DFG::InPlaceAbstractState::operand):
1228         (JSC::DFG::InPlaceAbstractState::local):
1229         (JSC::DFG::InPlaceAbstractState::argument):
1230         (JSC::DFG::InPlaceAbstractState::activateVariableIfNecessary):
1231         (JSC::DFG::InPlaceAbstractState::variablesForDebugging): Deleted.
1232
1233 2018-05-09  Caio Lima  <ticaiolima@gmail.com>
1234
1235         [ESNext][BigInt] Implement support for "==" operation
1236         https://bugs.webkit.org/show_bug.cgi?id=184474
1237
1238         Reviewed by Yusuke Suzuki.
1239
1240         This patch is implementing support of BigInt for the equals operator
1241         following the spec semantics [1].
1242
1243         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-equality-comparison
1244
1245         * runtime/JSBigInt.cpp:
1246         (JSC::JSBigInt::parseInt):
1247         (JSC::JSBigInt::stringToBigInt):
1248         (JSC::JSBigInt::toString):
1249         (JSC::JSBigInt::setDigit):
1250         (JSC::JSBigInt::equalsToNumber):
1251         (JSC::JSBigInt::compareToDouble):
1252         * runtime/JSBigInt.h:
1253         * runtime/JSCJSValueInlines.h:
1254         (JSC::JSValue::equalSlowCaseInline):
1255
1256 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
1257
1258         Speed up AbstractInterpreter::executeEdges
1259         https://bugs.webkit.org/show_bug.cgi?id=185457
1260
1261         Reviewed by Saam Barati.
1262
1263         This patch started out with the desire to make executeEdges() faster by making filtering faster.
1264         However, when I studied the disassembly, I found that there are many opportunities for
1265         improvement and I implemented all of them:
1266         
1267         - Filtering itself now has an inline fast path for when the filtering didn't change the value or
1268           for non-cells.
1269         
1270         - Edge execution doesn't fast-forward anything if the filtering fast path would have succeeded,
1271           since fast-forwarding is only interesting for cells and only if we have a clobbered value.
1272         
1273         - Similarly, edge verification doesn't need to fast-forward in the common case.
1274         
1275         - A bunch of stuff related to Graph::doToChildren is now inlined properly.
1276         
1277         - The edge doesn't even have to be considered for execution if it's UntypedUse.
1278         
1279         That last bit was the trickiest. We had gotten into a bad habit of using SpecFullNumber in the
1280         abstract interpreter. It's not correct to use SpecFullNumber in the abstract interpreter, because
1281         it means proving that the value could either be formatted as a double (with impure NaN values),
1282         or as any JSValue, or as an Int52. There is no value that could possibly hold all of those
1283         states. This "worked" before because UntypedUse would filter this down to SpecBytecodeNumber. To
1284         make it work again, I needed to fix all of those uses of SpecFullNumber. In the future, we need
1285         to be careful about picking either SpecFullDouble (if returning a DoubleRep) or
1286         SpecBytecodeNumber (if returning a JSValueRep).
1287         
1288         But that fix revealed an amazing timeout in
1289         stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js. We were getting
1290         stuck in an OSR loop (baseline->DFG->FTL->baseline), all involving the same bytecode, without
1291         ever realizing that we should jettison something. The problem was with how
1292         triggerReoptimizationNow was getting the optimizedCodeBlock. It was trying to guess it by using
1293         baselineCodeBlock->replacement(), but that's wrong for FTL-for-OSR-entry code blocks.
1294         
1295         This is a 1% improvement in V8Spider-CompileTime.
1296
1297         * bytecode/ExitKind.cpp:
1298         (JSC::exitKindMayJettison):
1299         * dfg/DFGAbstractInterpreter.h:
1300         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
1301         (JSC::DFG::AbstractInterpreter::filterByType): Deleted.
1302         * dfg/DFGAbstractInterpreterInlines.h:
1303         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::AbstractInterpreterExecuteEdgesFunc):
1304         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::operator() const):
1305         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
1306         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByType):
1307         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
1308         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1309         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1310         * dfg/DFGAbstractValue.cpp:
1311         (JSC::DFG::AbstractValue::filterSlow):
1312         (JSC::DFG::AbstractValue::fastForwardToAndFilterSlow):
1313         * dfg/DFGAbstractValue.h:
1314         (JSC::DFG::AbstractValue::filter):
1315         (JSC::DFG::AbstractValue::fastForwardToAndFilter):
1316         (JSC::DFG::AbstractValue::fastForwardToAndFilterUnproven):
1317         (JSC::DFG::AbstractValue::makeTop):
1318         * dfg/DFGAtTailAbstractState.h:
1319         (JSC::DFG::AtTailAbstractState::fastForward):
1320         (JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
1321         (JSC::DFG::AtTailAbstractState::fastForwardAndFilterUnproven):
1322         * dfg/DFGGraph.h:
1323         (JSC::DFG::Graph::doToChildren):
1324         * dfg/DFGInPlaceAbstractState.h:
1325         (JSC::DFG::InPlaceAbstractState::fastForward):
1326         (JSC::DFG::InPlaceAbstractState::fastForwardAndFilterUnproven):
1327         (JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
1328         * dfg/DFGOSRExit.cpp:
1329         (JSC::DFG::OSRExit::executeOSRExit):
1330         * dfg/DFGOSRExitCompilerCommon.cpp:
1331         (JSC::DFG::handleExitCounts):
1332         * dfg/DFGOperations.cpp:
1333         * dfg/DFGOperations.h:
1334
1335 2018-05-09  Saam Barati  <sbarati@apple.com>
1336
1337         Add JSVirtualMachine SPI to shrink the memory footprint of the VM
1338         https://bugs.webkit.org/show_bug.cgi?id=185441
1339         <rdar://problem/39999414>
1340
1341         Reviewed by Keith Miller.
1342
1343         This patch adds JSVirtualMachine SPI to release as much memory as possible.
1344         The SPI:
1345         - Deletes all code caches.
1346         - Runs a synchronous GC.
1347         - Runs the scavenger.
1348
1349         * API/JSVirtualMachine.mm:
1350         (-[JSVirtualMachine shrinkFootprint]):
1351         * API/JSVirtualMachinePrivate.h: Added.
1352         * API/tests/testapi.mm:
1353         (testObjectiveCAPIMain):
1354         * JavaScriptCore.xcodeproj/project.pbxproj:
1355         * runtime/VM.cpp:
1356         (JSC::VM::shrinkFootprint):
1357         * runtime/VM.h:
1358
1359 2018-05-09  Leo Balter  <leonardo.balter@gmail.com>
1360
1361         [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
1362         Error found in the following Test262 tests:
1363
1364         - test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js
1365         - test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js
1366         - test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js
1367
1368         The ArraySpeciesCreate should throw a RangeError with non-Array custom objects
1369         presenting a length > 2**32-1
1370         https://bugs.webkit.org/show_bug.cgi?id=185476
1371
1372         Reviewed by Yusuke Suzuki.
1373
1374         * runtime/ArrayPrototype.cpp:
1375
1376 2018-05-09  Michael Catanzaro  <mcatanzaro@igalia.com>
1377
1378         [WPE] Build cleanly with GCC 8 and ICU 60
1379         https://bugs.webkit.org/show_bug.cgi?id=185462
1380
1381         Reviewed by Carlos Alberto Lopez Perez.
1382
1383         * API/glib/JSCClass.cpp: Silence many -Wcast-function-type warnings.
1384         (jsc_class_add_constructor):
1385         (jsc_class_add_method):
1386         * API/glib/JSCValue.cpp: Silence many -Wcast-function-type warnings.
1387         (jsc_value_object_define_property_accessor):
1388         (jsc_value_new_function):
1389         * CMakeLists.txt: Build BuiltinNames.cpp with -fno-var-tracking-assignments. This was a
1390         problem with GCC 7 too, but might as well fix it now.
1391         * assembler/ProbeContext.h:
1392         (JSC::Probe::CPUState::gpr const): Silence a -Wclass-memaccess warning.
1393         (JSC::Probe::CPUState::spr const): Ditto. Assume std::remove_const is safe to clobber.
1394         * b3/air/AirArg.h:
1395         (JSC::B3::Air::Arg::isRepresentableAs): Silence -Wfallthrough warning.
1396         * builtins/BuiltinNames.cpp:
1397         (JSC::BuiltinNames::BuiltinNames): Moved from BuiltinNames.h so we can use a special flag.
1398         * builtins/BuiltinNames.h:
1399         (JSC::BuiltinNames::BuiltinNames): Moved to BuiltinNames.cpp.
1400         * dfg/DFGDoubleFormatState.h:
1401         (JSC::DFG::mergeDoubleFormatStates): Silence -Wfallthrough warnings.
1402         * heap/MarkedBlockInlines.h:
1403         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType): Silence -Wfallthrough warnings.
1404         * runtime/ConfigFile.cpp:
1405         (JSC::ConfigFile::canonicalizePaths): Here GCC found a genuine mistake: strncat is called
1406         with the wrong length parameter and the result is not null-terminated. Also, silence a
1407         -Wstringop-truncation warning as we intentionally truncate filenames that exceed PATH_MAX.
1408         * runtime/IntlDateTimeFormat.cpp:
1409         (JSC::IntlDateTimeFormat::partTypeString): Avoid an ICU deprecation warning.
1410         * runtime/JSGlobalObject.cpp:
1411         (JSC::JSGlobalObject::init): We were unconditionally running some BigInt code by accident.
1412         (JSC::JSGlobalObject::visitChildren): Probably a serious bug? Fixed.
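The strncat misuse named above for ConfigFile::canonicalizePaths, illustrated with added C++ that is not the ChangeLog's or JSC's code: a constructed appendBounded/joinPath pair joins a directory and a file name into a fixed-size buffer, passes strncat the remaining capacity rather than the buffer size, and deliberately truncates (never overflows) paths that do not fit. The buffer size, the function names and the sample paths are assumptions.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Appends src to the NUL-terminated string in dst without writing past
// dst[dstSize - 1]. Returns true if src had to be truncated to fit.
//
// Pitfall this guards against: strncat's third argument is the maximum number
// of bytes to *append*, not the size of the destination. Passing dstSize (or
// sizeof(dst)) there lets strncat write up to dstSize bytes beyond the current
// end of the string, i.e. past the end of the buffer, and the terminator it
// adds then lands outside the buffer as well.
bool appendBounded(char* dst, size_t dstSize, const char* src)
{
    size_t used = 0;
    while (used < dstSize && dst[used] != '\0')
        ++used;
    if (used >= dstSize) {
        // dst was not terminated inside the buffer; terminate it and give up.
        dst[dstSize - 1] = '\0';
        return true;
    }
    size_t remaining = dstSize - used - 1; // leave one byte for the terminator
    size_t srcLength = strlen(src);
    strncat(dst, src, remaining);          // strncat always appends the NUL
    return srcLength > remaining;
}

// Joins a directory and a file name into a caller-supplied buffer, the way a
// config-file loader would build a canonical path. Returns true if the result
// was truncated; the buffer is always NUL-terminated either way.
bool joinPath(const char* directory, const char* fileName, char* out, size_t outSize)
{
    if (outSize == 0)
        return true;
    out[0] = '\0';
    bool truncated = appendBounded(out, outSize, directory);
    size_t length = strlen(out);
    if (length > 0 && out[length - 1] != '/')
        truncated = appendBounded(out, outSize, "/") || truncated;
    truncated = appendBounded(out, outSize, fileName) || truncated;
    return truncated;
}

struct JoinResult {
    std::string path;
    bool truncated;
};

// Joins into a buffer of bufferSize bytes (capped at 64 for the demo) and
// reports what ended up in it.
JoinResult joinPathInto(size_t bufferSize, const char* directory, const char* fileName)
{
    char buffer[64];
    if (bufferSize > sizeof(buffer))
        bufferSize = sizeof(buffer);
    bool truncated = joinPath(directory, fileName, buffer, bufferSize);
    return { std::string(buffer), truncated };
}

int main()
{
    // Constructed sample paths; a 16-byte buffer stands in for PATH_MAX.
    for (const char* dir : { "/etc", "/usr/local/share" }) {
        JoinResult r = joinPathInto(16, dir, "jsc.conf");
        std::printf("%-18s -> \"%s\"%s\n", dir, r.path.c_str(), r.truncated ? " (truncated)" : "");
    }
    return 0;
}
```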
1413
1414 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1415
1416         [ARMv7] Drop ARMv7 disassembler in favor of capstone
1417         https://bugs.webkit.org/show_bug.cgi?id=185423
1418
1419         Reviewed by Michael Catanzaro.
1420
1421         This patch removes ARMv7Disassembler in our tree.
1422         We already adopted Capstone, and it is already used in ARMv7 JIT environments.
1423
1424         * CMakeLists.txt:
1425         * JavaScriptCore.xcodeproj/project.pbxproj:
1426         * Sources.txt:
1427         * disassembler/ARMv7/ARMv7DOpcode.cpp: Removed.
1428         * disassembler/ARMv7/ARMv7DOpcode.h: Removed.
1429         * disassembler/ARMv7Disassembler.cpp: Removed.
1430
1431 2018-05-09  Srdjan Lazarevic  <srdjan.lazarevic@rt-rk.com>
1432
1433         [MIPS] Optimize generated JIT code using r2
1434         https://bugs.webkit.org/show_bug.cgi?id=184584
1435
1436         Reviewed by Yusuke Suzuki.
1437
1438         EXT and MFHC1 instructions from MIPSR2 are implemented and used where possible.
1439         Also, some code size optimizations that were discovered in the meantime are done.
1440
1441         * assembler/MIPSAssembler.h:
1442         (JSC::MIPSAssembler::ext):
1443         (JSC::MIPSAssembler::mfhc1):
1444         * assembler/MacroAssemblerMIPS.cpp:
1445         * assembler/MacroAssemblerMIPS.h:
1446         (JSC::MacroAssemblerMIPS::isPowerOf2):
1447         (JSC::MacroAssemblerMIPS::bitPosition):
1448         (JSC::MacroAssemblerMIPS::loadAddress):
1449         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
1450         (JSC::MacroAssemblerMIPS::load8):
1451         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1452         (JSC::MacroAssemblerMIPS::load32):
1453         (JSC::MacroAssemblerMIPS::load16Unaligned):
1454         (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
1455         (JSC::MacroAssemblerMIPS::load16):
1456         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
1457         (JSC::MacroAssemblerMIPS::store8):
1458         (JSC::MacroAssemblerMIPS::store16):
1459         (JSC::MacroAssemblerMIPS::store32):
1460         (JSC::MacroAssemblerMIPS::branchTest32):
1461         (JSC::MacroAssemblerMIPS::loadFloat):
1462         (JSC::MacroAssemblerMIPS::loadDouble):
1463         (JSC::MacroAssemblerMIPS::storeFloat):
1464         (JSC::MacroAssemblerMIPS::storeDouble):
1465
1466 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1467
1468         [JSC][GTK][JSCONLY] Use capstone disassembler
1469         https://bugs.webkit.org/show_bug.cgi?id=185283
1470
1471         Reviewed by Michael Catanzaro.
1472
1473         Instead of adding a MIPS disassembler baked by ourselves, we import the capstone disassembler,
1474         and use the capstone disassembler for MIPS, ARM, and ARMv7 in the GTK, WPE, WinCairo and JSCOnly ports.
1475
1476         We also remove the ARM LLVM disassembler.
1477
1478         Capstone is licensed under 3-clause BSD, which is acceptable in WebKit tree.
1479
1480         * CMakeLists.txt:
1481         * Sources.txt:
1482         * disassembler/ARMLLVMDisassembler.cpp: Removed.
1483         * disassembler/CapstoneDisassembler.cpp: Added.
1484         (JSC::tryToDisassemble):
1485
1486 2018-05-09  Dominik Infuehr  <dinfuehr@igalia.com>
1487
1488         [MIPS] Use mfhc1 and mthc1 to fix assembler error
1489         https://bugs.webkit.org/show_bug.cgi?id=185464
1490
1491         Reviewed by Yusuke Suzuki.
1492
1493         The binutils-assembler started to report failures for copying words between
1494         GP and FP registers for odd FP register indices. Use mfhc1 and mthc1 instead
1495         of mfc1 and mtc1 for conversion.
1496
1497         * offlineasm/mips.rb:
1498
1499 2018-05-08  Dominik Infuehr  <dinfuehr@igalia.com>
1500
1501         [MIPS] Collect callee-saved register using inline assembly
1502         https://bugs.webkit.org/show_bug.cgi?id=185428
1503
1504         Reviewed by Yusuke Suzuki.
1505
1506         MIPS used setjmp instead of collecting registers with inline assembly like
1507         other architectures.
1508
1509         * heap/RegisterState.h:
1510
1511 2018-05-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1512
1513         [BigInt] Simplifying JSBigInt by using bool addition
1514         https://bugs.webkit.org/show_bug.cgi?id=185374
1515
1516         Reviewed by Alex Christensen.
1517
1518         Since using TWO_DIGIT does not produce good code, we remove this part from digitAdd and digitSub.
1519         Just adding the overflow flag to the carry/borrow produces setb + add on x86.
1520
1521         We also annotate small helper functions and accessors with `inline` so that these functions are not called
1522         inside the internalMultiplyAdd loop.
1523
1524         * runtime/JSBigInt.cpp:
1525         (JSC::JSBigInt::isZero):
1526         (JSC::JSBigInt::inplaceMultiplyAdd):
1527         (JSC::JSBigInt::digitAdd):
1528         (JSC::JSBigInt::digitSub):
1529         (JSC::JSBigInt::digitMul):
1530         (JSC::JSBigInt::digitPow):
1531         (JSC::JSBigInt::digitDiv):
1532         (JSC::JSBigInt::offsetOfData):
1533         (JSC::JSBigInt::dataStorage):
1534         (JSC::JSBigInt::digit):
1535         (JSC::JSBigInt::setDigit):
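The bool-carry digitAdd/digitSub idea above, as an added C++ illustration that is not JSC's JSBigInt code: the per-digit helpers fold the wrap-around test into the running carry or borrow, and a little-endian multi-digit add and subtract show that carry propagating. The Digit width and the absoluteAdd/absoluteSub names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using Digit = uint64_t;

// a + b, folding the carry-out into `carry`. `result < a` is exactly the
// unsigned wrap-around test, and adding that bool to carry is what lets the
// compiler emit a setb/add sequence instead of a double-width addition.
inline Digit digitAdd(Digit a, Digit b, Digit& carry)
{
    Digit result = a + b;
    carry += static_cast<Digit>(result < a);
    return result;
}

// a - b, folding the borrow-out into `borrow`; wrap-around is `result > a`.
inline Digit digitSub(Digit a, Digit b, Digit& borrow)
{
    Digit result = a - b;
    borrow += static_cast<Digit>(result > a);
    return result;
}

// Removes most-significant zero digits so results compare canonically.
static void trimLeadingZeros(std::vector<Digit>& digits)
{
    while (!digits.empty() && digits.back() == 0)
        digits.pop_back();
}

// |x| + |y| on little-endian magnitudes (digits[0] is least significant).
std::vector<Digit> absoluteAdd(const std::vector<Digit>& x, const std::vector<Digit>& y)
{
    const std::vector<Digit>& longer = x.size() >= y.size() ? x : y;
    const std::vector<Digit>& shorter = x.size() >= y.size() ? y : x;
    std::vector<Digit> result(longer.size());
    Digit carry = 0;
    for (size_t i = 0; i < longer.size(); ++i) {
        Digit newCarry = 0;
        // The two digitAdd calls can increment newCarry at most once in total:
        // a + b + carryIn never exceeds 2 * 2^64 - 1, so one carry-out suffices.
        Digit sum = digitAdd(longer[i], carry, newCarry);
        if (i < shorter.size())
            sum = digitAdd(sum, shorter[i], newCarry);
        result[i] = sum;
        carry = newCarry;
    }
    if (carry)
        result.push_back(carry);
    return result;
}

// |x| - |y|, requiring |x| >= |y| (a bigint implementation establishes this
// by comparing magnitudes before choosing the subtraction path).
std::vector<Digit> absoluteSub(const std::vector<Digit>& x, const std::vector<Digit>& y)
{
    std::vector<Digit> result(x.size());
    Digit borrow = 0;
    for (size_t i = 0; i < x.size(); ++i) {
        Digit newBorrow = 0;
        Digit difference = digitSub(x[i], borrow, newBorrow);
        if (i < y.size())
            difference = digitSub(difference, y[i], newBorrow);
        result[i] = difference;
        borrow = newBorrow;
    }
    // borrow is 0 here whenever the |x| >= |y| precondition holds.
    trimLeadingZeros(result);
    return result;
}

int main()
{
    // Constructed input: (2^64 - 1) + 1 must carry into a second digit.
    std::vector<Digit> sum = absoluteAdd({ UINT64_MAX }, { 1 });
    for (size_t i = sum.size(); i-- > 0;)
        std::printf("%016llx ", static_cast<unsigned long long>(sum[i]));
    std::printf("\n");
    return 0;
}
```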
1536
1537 2018-05-08  Michael Saboff  <msaboff@apple.com>
1538
1539         Replace multiple Watchpoint Set fireAll() methods with templates
1540         https://bugs.webkit.org/show_bug.cgi?id=185456
1541
1542         Reviewed by Saam Barati.
1543
1544         Refactored to minimize duplicate code.
1545
1546         * bytecode/Watchpoint.h:
1547         (JSC::WatchpointSet::fireAll):
1548         (JSC::InlineWatchpointSet::fireAll):
1549
1550 2018-05-08  Filip Pizlo  <fpizlo@apple.com>
1551
1552         DFG::FlowMap::resize() shouldn't resize the shadow map unless we're in SSA
1553         https://bugs.webkit.org/show_bug.cgi?id=185453
1554
1555         Reviewed by Michael Saboff.
1556         
1557         Tiny improvement for compile times.
1558
1559         * dfg/DFGFlowMap.h:
1560         (JSC::DFG::FlowMap::resize): Remove one Vector::resize() when we're not in SSA.
1561         * dfg/DFGInPlaceAbstractState.cpp:
1562         (JSC::DFG::InPlaceAbstractState::beginBasicBlock): Record some data about how long we spend in different parts of this and add a FIXME linking bug 185452.
1563
1564 2018-05-08  Michael Saboff  <msaboff@apple.com>
1565
1566         Deferred firing of structure transition watchpoints is racy
1567         https://bugs.webkit.org/show_bug.cgi?id=185438
1568
1569         Reviewed by Saam Barati.
1570
1571         Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire
1572         and fire them in the destructor.  When the watchpoints are taken from the
1573         original WatchpointSet, that WatchpointSet is marked invalid.
1574
1575         * bytecode/Watchpoint.cpp:
1576         (JSC::WatchpointSet::fireAllSlow):
1577         (JSC::WatchpointSet::take):
1578         (JSC::DeferredWatchpointFire::DeferredWatchpointFire):
1579         (JSC::DeferredWatchpointFire::~DeferredWatchpointFire):
1580         (JSC::DeferredWatchpointFire::fireAll):
1581         (JSC::DeferredWatchpointFire::takeWatchpointsToFire):
1582         * bytecode/Watchpoint.h:
1583         (JSC::WatchpointSet::fireAll):
1584         (JSC::InlineWatchpointSet::fireAll):
1585         * runtime/JSObject.cpp:
1586         (JSC::JSObject::setPrototypeDirect):
1587         (JSC::JSObject::convertToDictionary):
1588         * runtime/JSObjectInlines.h:
1589         (JSC::JSObject::putDirectInternal):
1590         * runtime/Structure.cpp:
1591         (JSC::Structure::Structure):
1592         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire):
1593         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
1594         (JSC::DeferredStructureTransitionWatchpointFire::dump const):
1595         (JSC::Structure::didTransitionFromThisStructure const):
1596         (JSC::DeferredStructureTransitionWatchpointFire::add): Deleted.
1597         * runtime/Structure.h:
1598         (JSC::DeferredStructureTransitionWatchpointFire::structure const):
1599
1600 2018-05-08  Eric Carlson  <eric.carlson@apple.com>
1601
1602         Consecutive messages logged as JSON are coalesced
1603         https://bugs.webkit.org/show_bug.cgi?id=185432
1604
1605         Reviewed by Joseph Pecoraro.
1606
1607         * inspector/ConsoleMessage.cpp:
1608         (Inspector::ConsoleMessage::isEqual const): Messages with JSON arguments are not equal.
1609
1610 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
1611
1612         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
1613         https://bugs.webkit.org/show_bug.cgi?id=185365
1614
1615         Reviewed by Saam Barati.
1616         
1617         This patch does three things to improve compile times:
1618         
1619         - Fixes some inlining goofs.
1620         
1621         - Adds the ability to measure compile times with run-jsc-benchmarks.
1622         
1623         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
1624           code that clears abstract values. It turns out that only constant folding "needed" this, in the
1625           sense that this was the only thing protecting it from loading the abstract value of a no-result
1626           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
1627           Any node that produces a result will explicitly set its abstract value, so this problem can
1628           also be guarded by just having constant folding check if the node it wants to fold returns any
1629           result.
1630         
1631         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
1632         
1633         Rolling back in after fixing cloop build.
1634
1635         * dfg/DFGAbstractInterpreterInlines.h:
1636         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1637         * dfg/DFGAbstractValue.cpp:
1638         (JSC::DFG::AbstractValue::set):
1639         * dfg/DFGAbstractValue.h:
1640         (JSC::DFG::AbstractValue::merge):
1641         * dfg/DFGConstantFoldingPhase.cpp:
1642         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1643         * dfg/DFGGraph.h:
1644         (JSC::DFG::Graph::doToChildrenWithNode):
1645         (JSC::DFG::Graph::doToChildren):
1646         * dfg/DFGInPlaceAbstractState.cpp:
1647         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1648         * jit/JIT.cpp:
1649         (JSC::JIT::totalCompileTime):
1650         * jit/JIT.h:
1651         * jsc.cpp:
1652         (GlobalObject::finishCreation):
1653         (functionTotalCompileTime):
1654
1655 2018-05-08  Ryan Haddad  <ryanhaddad@apple.com>
1656
1657         Unreviewed, rolling out r231468.
1658
1659         Broke the CLoop build
1660
1661         Reverted changeset:
1662
1663         "InPlaceAbstractState::beginBasicBlock shouldn't have to clear
1664         any abstract values"
1665         https://bugs.webkit.org/show_bug.cgi?id=185365
1666         https://trac.webkit.org/changeset/231468
1667
1668 2018-05-07  Daniel Bates  <dabates@apple.com>
1669
1670         Check X-Frame-Options and CSP frame-ancestors in network process
1671         https://bugs.webkit.org/show_bug.cgi?id=185410
1672         <rdar://problem/37733934>
1673
1674         Reviewed by Ryosuke Niwa.
1675
1676         Add enum traits for MessageSource and MessageLevel so that we can encode and decode them for IPC.
1677
1678         * runtime/ConsoleTypes.h:
1679
1680 2018-05-07  Saam Barati  <sbarati@apple.com>
1681
1682         Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them
1683         https://bugs.webkit.org/show_bug.cgi?id=185329
1684         <rdar://problem/39961536>
1685
1686         Reviewed by Michael Saboff.
1687
1688         I was made aware of a memory goof inside of JSC where we would inefficiently
1689         use space to represent an UnlinkedFunctionExecutable's parent TDZ variables.
1690         
1691         We did two things badly:
1692         1. We used a HashMap instead of a Vector to represent the environment. Having
1693         a HashMap is useful when looking things up when generating bytecode, but it's
1694         space inefficient. Because UnlinkedFunctionExecutables live a long time because
1695         of the code cache, we should have them store this information efficiently
1696         inside of a Vector.
1697         
1698         2. We didn't hash-cons these environments together. If you think about how
1699         some programs are structured, hash-consing these together is hugely profitable.
1700         Consider some code like this:
1701         ```
1702         const/let V_1 = ...;
1703         const/let V_2 = ...;
1704         ...
1705         const/let V_n = ...;
1706         
1707         function f_1() { ... };
1708         function f_2() { ... };
1709         ...
1710         function f_n() { ... };
1711         ```
1712         
1713         Each f_i would store an identical hash map for its parent TDZ variables
1714         consisting of {V_1, ..., V_n}. This was incredibly dumb. With hash-consing,
1715         each f_i just holds onto a reference to the environment.
1716         
1717         I benchmarked this change against an app that made heavy use of the
1718         above code pattern and it reduced its peak memory footprint from ~220MB
1719         to ~160MB.
1720
1721         * bytecode/UnlinkedFunctionExecutable.cpp:
1722         (JSC::generateUnlinkedFunctionCodeBlock):
1723         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1724         * bytecode/UnlinkedFunctionExecutable.h:
1725         * parser/VariableEnvironment.cpp:
1726         (JSC::CompactVariableEnvironment::CompactVariableEnvironment):
1727         (JSC::CompactVariableEnvironment::operator== const):
1728         (JSC::CompactVariableEnvironment::toVariableEnvironment const):
1729         (JSC::CompactVariableMap::get):
1730         (JSC::CompactVariableMap::Handle::~Handle):
1731         * parser/VariableEnvironment.h:
1732         (JSC::VariableEnvironmentEntry::bits const):
1733         (JSC::VariableEnvironmentEntry::operator== const):
1734         (JSC::VariableEnvironment::isEverythingCaptured const):
1735         (JSC::CompactVariableEnvironment::hash const):
1736         (JSC::CompactVariableMapKey::CompactVariableMapKey):
1737         (JSC::CompactVariableMapKey::hash):
1738         (JSC::CompactVariableMapKey::equal):
1739         (JSC::CompactVariableMapKey::makeDeletedValue):
1740         (JSC::CompactVariableMapKey::isHashTableDeletedValue const):
1741         (JSC::CompactVariableMapKey::isHashTableEmptyValue const):
1742         (JSC::CompactVariableMapKey::environment):
1743         (WTF::HashTraits<JSC::CompactVariableMapKey>::emptyValue):
1744         (WTF::HashTraits<JSC::CompactVariableMapKey>::isEmptyValue):
1745         (WTF::HashTraits<JSC::CompactVariableMapKey>::constructDeletedValue):
1746         (WTF::HashTraits<JSC::CompactVariableMapKey>::isDeletedValue):
1747         (JSC::CompactVariableMap::Handle::Handle):
1748         (JSC::CompactVariableMap::Handle::environment const):
1749         (JSC::VariableEnvironment::VariableEnvironment): Deleted.
1750         * runtime/VM.cpp:
1751         (JSC::VM::VM):
1752         * runtime/VM.h:
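The hash-consing described above, as an added C++ illustration that is not JSC's CompactVariableEnvironment code: a sorted-vector environment with value equality and a hash, an interning table that hands out shared handles, and the V_1..V_n / f_1..f_n pattern from the entry showing that n functions end up sharing one environment. The Entry flag layout and all names are assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>
#include <tuple>
#include <unordered_map>
#include <utility>
#include <vector>

// One variable of an enclosing scope plus the flags a nested function must
// remember about it (a constructed stand-in for VariableEnvironmentEntry bits).
struct Entry {
    std::string name;
    uint8_t bits; // bit 0: declared const, bit 1: captured by a closure
    bool operator==(const Entry& o) const { return name == o.name && bits == o.bits; }
};

// Immutable, space-efficient environment: a sorted vector rather than a hash
// map. Sorting makes equality and hashing independent of insertion order.
struct CompactEnvironment {
    std::vector<Entry> entries;

    static CompactEnvironment fromEntries(std::vector<Entry> entries)
    {
        std::sort(entries.begin(), entries.end(), [](const Entry& a, const Entry& b) {
            return std::tie(a.name, a.bits) < std::tie(b.name, b.bits);
        });
        return CompactEnvironment { std::move(entries) };
    }
    bool operator==(const CompactEnvironment& o) const { return entries == o.entries; }
    size_t hash() const
    {
        size_t h = entries.size();
        for (const Entry& e : entries)
            h = (h * 1000003u) ^ std::hash<std::string>()(e.name) ^ (static_cast<size_t>(e.bits) << 7);
        return h;
    }
};

struct CompactEnvironmentHash {
    size_t operator()(const CompactEnvironment& env) const { return env.hash(); }
};

// Interning ("hash-consing") table: structurally equal environments resolve to
// one shared instance, so n functions with the same parent scope hold n
// references to one vector instead of n private copies of it.
class CompactEnvironmentTable {
public:
    using Handle = std::shared_ptr<const CompactEnvironment>;

    Handle intern(std::vector<Entry> entries)
    {
        CompactEnvironment key = CompactEnvironment::fromEntries(std::move(entries));
        auto it = m_table.find(key);
        if (it != m_table.end()) {
            if (Handle existing = it->second.lock())
                return existing;
            m_table.erase(it); // every previous holder is gone; rebuild below
        }
        Handle fresh = std::make_shared<CompactEnvironment>(key);
        m_table.emplace(std::move(key), fresh); // weak: the table never keeps an environment alive
        return fresh;
    }
    size_t size() const { return m_table.size(); }

private:
    std::unordered_map<CompactEnvironment, std::weak_ptr<const CompactEnvironment>, CompactEnvironmentHash> m_table;
};

// Reproduces the pattern above: n top-level const/let bindings V_1..V_n and n
// functions f_1..f_n that each record all of them as parent TDZ variables.
// Returns how many distinct environment objects were allocated (always 1).
size_t distinctEnvironmentsFor(size_t n)
{
    CompactEnvironmentTable table;
    std::vector<Entry> bindings;
    for (size_t i = 1; i <= n; ++i)
        bindings.push_back({ "V_" + std::to_string(i), 1 });
    std::vector<CompactEnvironmentTable::Handle> functions;
    for (size_t i = 1; i <= n; ++i)
        functions.push_back(table.intern(bindings)); // what each f_i would store
    return table.size();
}

// Interning must ignore insertion order but must not conflate differing flags.
bool internIsCanonical()
{
    CompactEnvironmentTable table;
    auto a = table.intern({ { "x", 1 }, { "y", 0 } });
    auto b = table.intern({ { "y", 0 }, { "x", 1 } });
    auto c = table.intern({ { "x", 0 }, { "y", 0 } });
    return a == b && a != c && table.size() == 2;
}
```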
1753
1754 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1755
1756         [DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers
1757         https://bugs.webkit.org/show_bug.cgi?id=185371
1758
1759         Reviewed by Mark Lam.
1760
1761         Since MIPS GPRInfo claims it has only 7 registers, some DFG code exhausts registers.
1762         As a result, we need to maintain separate code for MIPS. This increases the DFG maintenance burden,
1763         but MIPS actually has many more registers.
1764
1765         This patch adds $a0 - $a3 to the temporary registers. This is OK since our temporary registers can be overlapped with
1766         argument registers (see the ARM and X86 implementations). These registers are caller-save ones, so we do not need
1767         an extra mechanism.
1768
1769         Then, we remove several unnecessary pieces of MIPS-specific code from our JIT infrastructure.
1770
1771         * dfg/DFGByteCodeParser.cpp:
1772         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1773         * dfg/DFGFixupPhase.cpp:
1774         (JSC::DFG::FixupPhase::fixupNode):
1775         * dfg/DFGSpeculativeJIT32_64.cpp:
1776         (JSC::DFG::SpeculativeJIT::compile):
1777         * jit/CCallHelpers.h:
1778         * jit/GPRInfo.h:
1779         (JSC::GPRInfo::toRegister):
1780         (JSC::GPRInfo::toIndex):
1781         * offlineasm/mips.rb:
1782
1783 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1784
1785         DFG AI should have O(1) clobbering
1786         https://bugs.webkit.org/show_bug.cgi?id=185287
1787
1788         Reviewed by Saam Barati.
1789         
1790         This fixes an old scalability problem in AI. Previously, if we did clobberWorld(), then we
1791         would traverse all of the state available to the AI at that time and clobber it.
1792         
1793         This changes clobberWorld() to be O(1). It just does some math to a clobber epoch.
1794         
1795         This is a ~1% speed-up for compile times.
1796
1797         * JavaScriptCore.xcodeproj/project.pbxproj:
1798         * Sources.txt:
1799         * dfg/DFGAbstractInterpreter.h:
1800         (JSC::DFG::AbstractInterpreter::forNode):
1801         (JSC::DFG::AbstractInterpreter::setForNode):
1802         (JSC::DFG::AbstractInterpreter::clearForNode):
1803         (JSC::DFG::AbstractInterpreter::variables): Deleted.
1804         * dfg/DFGAbstractInterpreterInlines.h:
1805         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1806         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
1807         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
1808         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
1809         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1810         * dfg/DFGAbstractValue.cpp:
1811         (JSC::DFG::AbstractValue::fastForwardToSlow):
1812         * dfg/DFGAbstractValue.h:
1813         (JSC::DFG::AbstractValue::fastForwardTo):
1814         (JSC::DFG::AbstractValue::clobberStructuresFor): Deleted.
1815         (JSC::DFG::AbstractValue::observeInvalidationPoint): Deleted.
1816         (JSC::DFG::AbstractValue::observeInvalidationPointFor): Deleted.
1817         * dfg/DFGAbstractValueClobberEpoch.cpp: Added.
1818         (JSC::DFG::AbstractValueClobberEpoch::dump const):
1819         * dfg/DFGAbstractValueClobberEpoch.h: Added.
1820         (JSC::DFG::AbstractValueClobberEpoch::AbstractValueClobberEpoch):
1821         (JSC::DFG::AbstractValueClobberEpoch::first):
1822         (JSC::DFG::AbstractValueClobberEpoch::clobber):
1823         (JSC::DFG::AbstractValueClobberEpoch::observeInvalidationPoint):
1824         (JSC::DFG::AbstractValueClobberEpoch::operator== const):
1825         (JSC::DFG::AbstractValueClobberEpoch::operator!= const):
1826         (JSC::DFG::AbstractValueClobberEpoch::structureClobberState const):
1827         (JSC::DFG::AbstractValueClobberEpoch::clobberEpoch const):
1828         * dfg/DFGAtTailAbstractState.h:
1829         (JSC::DFG::AtTailAbstractState::setForNode):
1830         (JSC::DFG::AtTailAbstractState::clearForNode):
1831         (JSC::DFG::AtTailAbstractState::numberOfArguments const):
1832         (JSC::DFG::AtTailAbstractState::numberOfLocals const):
1833         (JSC::DFG::AtTailAbstractState::operand):
1834         (JSC::DFG::AtTailAbstractState::local):
1835         (JSC::DFG::AtTailAbstractState::argument):
1836         (JSC::DFG::AtTailAbstractState::clobberStructures):
1837         (JSC::DFG::AtTailAbstractState::observeInvalidationPoint):
1838         (JSC::DFG::AtTailAbstractState::variables): Deleted.
1839         * dfg/DFGCFAPhase.cpp:
1840         (JSC::DFG::CFAPhase::performBlockCFA):
1841         * dfg/DFGConstantFoldingPhase.cpp:
1842         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1843         * dfg/DFGFlowMap.h:
1844         (JSC::DFG::FlowMap::at):
1845         (JSC::DFG::FlowMap::atShadow):
1846         (JSC::DFG::FlowMap::at const):
1847         (JSC::DFG::FlowMap::atShadow const):
1848         * dfg/DFGInPlaceAbstractState.cpp:
1849         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1850         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1851         * dfg/DFGInPlaceAbstractState.h:
1852         (JSC::DFG::InPlaceAbstractState::forNode):
1853         (JSC::DFG::InPlaceAbstractState::setForNode):
1854         (JSC::DFG::InPlaceAbstractState::clearForNode):
1855         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
1856         (JSC::DFG::InPlaceAbstractState::numberOfArguments const):
1857         (JSC::DFG::InPlaceAbstractState::numberOfLocals const):
1858         (JSC::DFG::InPlaceAbstractState::operand):
1859         (JSC::DFG::InPlaceAbstractState::local):
1860         (JSC::DFG::InPlaceAbstractState::argument):
1861         (JSC::DFG::InPlaceAbstractState::variableAt):
1862         (JSC::DFG::InPlaceAbstractState::clobberStructures):
1863         (JSC::DFG::InPlaceAbstractState::observeInvalidationPoint):
1864         (JSC::DFG::InPlaceAbstractState::fastForward):
1865         (JSC::DFG::InPlaceAbstractState::variables): Deleted.
1866         * dfg/DFGSpeculativeJIT64.cpp:
1867         (JSC::DFG::SpeculativeJIT::compile):
1868         * ftl/FTLLowerDFGToB3.cpp:
1869         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
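The O(1) clobbering scheme described above, as an added C++ illustration that is not the DFG's code: each abstract value remembers the clobber epoch it was written in, clobberWorld() only bumps the state's epoch, and stale structure knowledge is discarded lazily when a value is next read. The "set of structure names" model and all names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <set>
#include <string>
#include <utility>
#include <vector>

// A stand-in for the per-value knowledge an abstract interpreter tracks: the
// set of object shapes ("structures") a value may currently have. This is
// exactly what a clobbering effect (an arbitrary call, a getter, ...)
// invalidates, because the heap may have transitioned any object.
struct AbstractValue {
    std::set<std::string> structures; // meaningful only when structuresKnown
    bool structuresKnown = false;
    uint32_t epoch = 0;               // clobber epoch this knowledge is valid for

    // Catch the value up with the state's current epoch. If the world was
    // clobbered since this value was written, its structure knowledge is stale
    // and is dropped; otherwise nothing happens. Called on every read.
    void fastForwardTo(uint32_t currentEpoch)
    {
        if (epoch == currentEpoch)
            return;
        structures.clear();
        structuresKnown = false;
        epoch = currentEpoch;
    }
};

class AbstractState {
public:
    explicit AbstractState(size_t nodeCount) : m_values(nodeCount) { }

    void setForNode(size_t node, std::set<std::string> structures)
    {
        AbstractValue& value = m_values[node];
        value.structures = std::move(structures);
        value.structuresKnown = true;
        value.epoch = m_epoch; // written in the current epoch, so it is fresh
    }

    // O(1): no value is visited. Every value written in an older epoch will
    // notice the difference on its next read. (A 32-bit epoch would alias
    // after 2^32 clobbers; a real implementation must handle wrap-around.)
    void clobberWorld() { ++m_epoch; }

    const AbstractValue& forNode(size_t node)
    {
        AbstractValue& value = m_values[node];
        value.fastForwardTo(m_epoch);
        return value;
    }

    uint32_t epoch() const { return m_epoch; }

private:
    std::vector<AbstractValue> m_values;
    uint32_t m_epoch = 0;
};

struct ScenarioResult {
    bool staleStillKnown; // structure knowledge of a value written before the clobbers
    bool freshKnown;      // structure knowledge of a value rewritten after them
    uint32_t epoch;       // epoch reached, i.e. number of clobbers performed
};

// Constructed scenario: every node is given a precise structure, the world is
// clobbered `clobbers` times, node 0 is rewritten afterwards, then nodes 0 and
// 1 are read back. Requires nodeCount >= 2.
ScenarioResult runScenario(size_t nodeCount, size_t clobbers)
{
    AbstractState state(nodeCount);
    for (size_t node = 0; node < nodeCount; ++node)
        state.setForNode(node, { "Structure#" + std::to_string(node % 4) });
    for (size_t i = 0; i < clobbers; ++i)
        state.clobberWorld();          // cost independent of nodeCount
    state.setForNode(0, { "Structure#0" });
    bool fresh = state.forNode(0).structuresKnown;
    bool stale = state.forNode(1).structuresKnown;
    return { stale, fresh, state.epoch() };
}
```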
1870
1871 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
1872
1873         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
1874         https://bugs.webkit.org/show_bug.cgi?id=185365
1875
1876         Reviewed by Saam Barati.
1877         
1878         This patch does three things to improve compile times:
1879         
1880         - Fixes some inlining goofs.
1881         
1882         - Adds the ability to measure compile times with run-jsc-benchmarks.
1883         
1884         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
1885           code that clears abstract values. It turns out that only constant folding "needed" this, in the
1886           sense that this was the only thing protecting it from loading the abstract value of a no-result
1887           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
1888           Any node that produces a result will explicitly set its abstract value, so this problem can
1889           also be guarded by just having constant folding check if the node it wants to fold returns any
1890           result.
1891         
1892         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
1893
1894         * dfg/DFGAbstractInterpreterInlines.h:
1895         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1896         * dfg/DFGAbstractValue.cpp:
1897         (JSC::DFG::AbstractValue::set):
1898         * dfg/DFGAbstractValue.h:
1899         (JSC::DFG::AbstractValue::merge):
1900         * dfg/DFGConstantFoldingPhase.cpp:
1901         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1902         * dfg/DFGGraph.h:
1903         (JSC::DFG::Graph::doToChildrenWithNode):
1904         (JSC::DFG::Graph::doToChildren):
1905         * dfg/DFGInPlaceAbstractState.cpp:
1906         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1907         * jit/JIT.cpp:
1908         (JSC::JIT::totalCompileTime):
1909         * jit/JIT.h:
1910         * jsc.cpp:
1911         (GlobalObject::finishCreation):
1912         (functionTotalCompileTime):
1913
1914 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1915
1916         DFG AI doesn't need to merge valuesAtTail - it can just assign them
1917         https://bugs.webkit.org/show_bug.cgi?id=185355
1918
1919         Reviewed by Mark Lam.
1920         
1921         This is a further attempt to improve compile times. Assigning AbstractValue ought to always
1922         be faster than merging. There's no need to merge valuesAtTail. In most cases, assigning and
1923         merging will get the same answer because the value computed this time will be either the same
1924         as or more general than the value computed last time. If the value does change for some
1925         reason, then valuesAtHead are already merged, which ensures monotonicity. Also, if the value
1926         changes, then we have no reason to believe that this new value is less right than the last
1927         one we computed. Finally, the one client of valuesAtTail (AtTailAbstractState) doesn't care
1928         if it's getting the merged valuesAtTail or just some correct answer for valuesAtTail.
1929
1930         * dfg/DFGInPlaceAbstractState.cpp:
1931         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1932
1933 2018-05-07  Andy VanWagoner  <andy@vanwagoner.family>
1934
1935         Remove defunct email address
1936         https://bugs.webkit.org/show_bug.cgi?id=185396
1937
1938         Reviewed by Mark Lam.
1939
1940         The email address thetalecrafter@gmail.com is no longer valid, as the
1941         associated google account has been closed. This updates the email
1942         address so questions about these Intl contributions go to the right
1943         place.
1944
1945         * builtins/DatePrototype.js:
1946         * builtins/NumberPrototype.js:
1947         * builtins/StringPrototype.js:
1948         * runtime/IntlCollator.cpp:
1949         * runtime/IntlCollator.h:
1950         * runtime/IntlCollatorConstructor.cpp:
1951         * runtime/IntlCollatorConstructor.h:
1952         * runtime/IntlCollatorPrototype.cpp:
1953         * runtime/IntlCollatorPrototype.h:
1954         * runtime/IntlDateTimeFormat.cpp:
1955         * runtime/IntlDateTimeFormat.h:
1956         * runtime/IntlDateTimeFormatConstructor.cpp:
1957         * runtime/IntlDateTimeFormatConstructor.h:
1958         * runtime/IntlDateTimeFormatPrototype.cpp:
1959         * runtime/IntlDateTimeFormatPrototype.h:
1960         * runtime/IntlNumberFormat.cpp:
1961         * runtime/IntlNumberFormat.h:
1962         * runtime/IntlNumberFormatConstructor.cpp:
1963         * runtime/IntlNumberFormatConstructor.h:
1964         * runtime/IntlNumberFormatPrototype.cpp:
1965         * runtime/IntlNumberFormatPrototype.h:
1966         * runtime/IntlObject.cpp:
1967         * runtime/IntlObject.h:
1968         * runtime/IntlPluralRules.cpp:
1969         * runtime/IntlPluralRules.h:
1970         * runtime/IntlPluralRulesConstructor.cpp:
1971         * runtime/IntlPluralRulesConstructor.h:
1972         * runtime/IntlPluralRulesPrototype.cpp:
1973         * runtime/IntlPluralRulesPrototype.h:
1974
1975 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1976
1977         [JSC] Remove "using namespace std;" from JSC, bmalloc, WTF
1978         https://bugs.webkit.org/show_bug.cgi?id=185362
1979
1980         Reviewed by Sam Weinig.
1981
1982         "namespace std" may include many names. It can conflict with names defined by our code
1983         and by other platform-provided headers. For example, std::byte conflicts with Windows'
1984         ::byte.
1985         This patch removes "using namespace std;" from JSC and bmalloc.
1986
1987         * API/JSClassRef.cpp:
1988         (OpaqueJSClass::create):
1989         * bytecode/Opcode.cpp:
1990         * bytecompiler/BytecodeGenerator.cpp:
1991         (JSC::BytecodeGenerator::newRegister):
1992         * heap/Heap.cpp:
1993         (JSC::Heap::updateAllocationLimits):
1994         * interpreter/Interpreter.cpp:
1995         * jit/JIT.cpp:
1996         * parser/Parser.cpp:
1997         * runtime/JSArray.cpp:
1998         * runtime/JSLexicalEnvironment.cpp:
1999         * runtime/JSModuleEnvironment.cpp:
2000         * runtime/Structure.cpp:
2001         * shell/DLLLauncherMain.cpp:
2002         (getStringValue):
2003         (applePathFromRegistry):
2004         (appleApplicationSupportDirectory):
2005         (copyEnvironmentVariable):
2006         (prependPath):
2007         (fatalError):
2008         (directoryExists):
2009         (modifyPath):
2010         (getLastErrorString):
2011         (wWinMain):
2012
2013 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
2014
2015         DFG CFA phase should only do clobber asserts in debug
2016         https://bugs.webkit.org/show_bug.cgi?id=185354
2017
2018         Reviewed by Saam Barati.
2019         
2020         Clobber asserts are responsible for 1% of compile time. That's too much. This disables them
2021         unless asserts are enabled.
2022
2023         * dfg/DFGCFAPhase.cpp:
2024         (JSC::DFG::CFAPhase::performBlockCFA):
2025
2026 2018-05-04  Keith Miller  <keith_miller@apple.com>
2027
2028         isCacheableArrayLength should return true for undecided arrays
2029         https://bugs.webkit.org/show_bug.cgi?id=185309
2030
2031         Reviewed by Michael Saboff.
2032
2033         Undecided arrays have butterflies so there is no reason why we
2034         should not be able to cache their length.
2035
2036         * bytecode/InlineAccess.cpp:
2037         (JSC::InlineAccess::isCacheableArrayLength):
2038
2039 2018-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2040
2041         Remove std::random_shuffle
2042         https://bugs.webkit.org/show_bug.cgi?id=185292
2043
2044         Reviewed by Darin Adler.
2045
2046         std::random_shuffle is deprecated in C++14 and removed in C++17,
2047         since std::random_shuffle relies on rand and srand.
2048         Use std::shuffle instead.
2049
2050         * jit/BinarySwitch.cpp:
2051         (JSC::RandomNumberGenerator::RandomNumberGenerator):
2052         (JSC::RandomNumberGenerator::operator()):
2053         (JSC::RandomNumberGenerator::min):
2054         (JSC::RandomNumberGenerator::max):
2055         (JSC::BinarySwitch::build):
2056
2057 2018-05-03  Saam Barati  <sbarati@apple.com>
2058
2059         Don't prevent CreateThis being folded to NewObject when the structure is poly proto
2060         https://bugs.webkit.org/show_bug.cgi?id=185177
2061
2062         Reviewed by Filip Pizlo.
2063
2064         This patch teaches the DFG/FTL how to constant fold CreateThis with
2065         a known poly proto Structure to NewObject. We do it by emitting a NewObject
2066         followed by a PutByOffset for the prototype value.
2067         
2068         We make it so that ObjectAllocationProfile holds the prototype value.
2069         This is sound because JSFunction clears that profile when its 'prototype'
2070         field changes.
2071         
2072         This patch also renames underscoreProtoPrivateName to polyProtoName since
2073         that name was nonsensical: it was only used for poly proto.
2074         
2075         This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
2076         regressed that benchmark when I first introduced poly proto.
2077
2078         * builtins/BuiltinNames.cpp:
2079         * builtins/BuiltinNames.h:
2080         (JSC::BuiltinNames::BuiltinNames):
2081         (JSC::BuiltinNames::polyProtoName const):
2082         (JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
2083         * bytecode/ObjectAllocationProfile.h:
2084         (JSC::ObjectAllocationProfile::prototype):
2085         (JSC::ObjectAllocationProfile::clear):
2086         (JSC::ObjectAllocationProfile::visitAggregate):
2087         * bytecode/ObjectAllocationProfileInlines.h:
2088         (JSC::ObjectAllocationProfile::initializeProfile):
2089         * dfg/DFGAbstractInterpreterInlines.h:
2090         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2091         * dfg/DFGByteCodeParser.cpp:
2092         (JSC::DFG::ByteCodeParser::parseBlock):
2093         * dfg/DFGConstantFoldingPhase.cpp:
2094         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2095         * dfg/DFGOperations.cpp:
2096         * runtime/CommonSlowPaths.cpp:
2097         (JSC::SLOW_PATH_DECL):
2098         * runtime/FunctionRareData.h:
2099         * runtime/Structure.cpp:
2100         (JSC::Structure::create):
2101
2102 2018-05-03  Michael Saboff  <msaboff@apple.com>
2103
2104         OSR entry pruning of Program Bytecodes doesn't take into account try/catch
2105         https://bugs.webkit.org/show_bug.cgi?id=185281
2106
2107         Reviewed by Saam Barati.
2108
2109         When we compute bytecode block reachability, we need to take into account blocks
2110         containing try/catch.
2111
2112         * jit/JIT.cpp:
2113         (JSC::JIT::privateCompileMainPass):
2114
2115 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2116
2117         ARM: Wrong offset for operand rt in disassembler
2118         https://bugs.webkit.org/show_bug.cgi?id=184083
2119
2120         Reviewed by Yusuke Suzuki.
2121
2122         * disassembler/ARMv7/ARMv7DOpcode.h:
2123         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
2124         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):
2125
2126 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2127
2128         ARM: Support vstr in disassembler
2129         https://bugs.webkit.org/show_bug.cgi?id=184084
2130
2131         Reviewed by Yusuke Suzuki.
2132
2133         * disassembler/ARMv7/ARMv7DOpcode.cpp:
2134         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format):
2135         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted.
2136         * disassembler/ARMv7/ARMv7DOpcode.h:
2137         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName):
2138         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted.
2139         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted.
2140         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted.
2141         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted.
2142         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted.
2143         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted.
2144
2145 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2146
2147         Invoke ensureArrayStorage for all arguments
2148         https://bugs.webkit.org/show_bug.cgi?id=185247
2149
2150         Reviewed by Yusuke Suzuki.
2151
2152         ensureArrayStorage was only invoked for the first argument in each loop iteration.
2153
2154         * jsc.cpp:
2155         (functionEnsureArrayStorage):
2156
2157 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
2158
2159         Make it easy to log compile times for all optimizing tiers
2160         https://bugs.webkit.org/show_bug.cgi?id=185270
2161
2162         Reviewed by Keith Miller.
2163         
2164         This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common
2165         helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used
2166         it.
2167         
2168         This should help us reduce compile times by telling us where to look. So far, it looks like
2169         CFA is the worst.
2170
2171         * JavaScriptCore.xcodeproj/project.pbxproj:
2172         * Sources.txt:
2173         * b3/B3Common.cpp:
2174         (JSC::B3::shouldMeasurePhaseTiming): Deleted.
2175         * b3/B3Common.h:
2176         * b3/B3TimingScope.cpp: Removed.
2177         * b3/B3TimingScope.h:
2178         (JSC::B3::TimingScope::TimingScope):
2179         * dfg/DFGPhase.h:
2180         (JSC::DFG::runAndLog):
2181         * dfg/DFGPlan.cpp:
2182         (JSC::DFG::Plan::compileInThread):
2183         * tools/CompilerTimingScope.cpp: Added.
2184         (JSC::CompilerTimingScope::CompilerTimingScope):
2185         (JSC::CompilerTimingScope::~CompilerTimingScope):
2186         * tools/CompilerTimingScope.h: Added.
2187         * runtime/Options.cpp:
2188         (JSC::recomputeDependentOptions):
2189         * runtime/Options.h:
2190
2191 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
2192
2193         Strings should not be allocated in a gigacage
2194         https://bugs.webkit.org/show_bug.cgi?id=185218
2195
2196         Reviewed by Saam Barati.
2197
2198         * runtime/JSBigInt.cpp:
2199         (JSC::JSBigInt::toStringGeneric):
2200         * runtime/JSString.cpp:
2201         (JSC::JSRopeString::resolveRopeToAtomicString const):
2202         (JSC::JSRopeString::resolveRope const):
2203         * runtime/JSString.h:
2204         (JSC::JSString::create):
2205         (JSC::JSString::createHasOtherOwner):
2206         * runtime/VM.h:
2207         (JSC::VM::gigacageAuxiliarySpace):
2208
2209 2018-05-03  Keith Miller  <keith_miller@apple.com>
2210
2211         Unreviewed, fix 32-bit profile offset for change in bytecode
2212         length of the get_by_id and get_array_length opcodes.
2213
2214         * llint/LowLevelInterpreter32_64.asm:
2215
2216 2018-05-03  Michael Saboff  <msaboff@apple.com>
2217
2218         WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript
2219         https://bugs.webkit.org/show_bug.cgi?id=185231
2220
2221         Reviewed by Saam Barati.
2222
2223         We weren't clearing the scratch register cache when switching back and forth between 
2224         allowing scratch register usage.  We disallow scratch register usage when we are in
2225         code that will freely allocate and use any register.  Such usage can change the
2226         contents of scratch registers.  For ARM64, where we cache the contents of scratch
2227         registers to reuse some or all of the contained values, we need to invalidate these
2228         caches.  We do this when re-enabling scratch register usage, that is when we transition
2229         from disallow to allow scratch register usage.
2230
2231         Added a new Air regression test.
2232
2233         * assembler/AllowMacroScratchRegisterUsage.h:
2234         (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage):
2235         * assembler/AllowMacroScratchRegisterUsageIf.h:
2236         (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
2237         * assembler/DisallowMacroScratchRegisterUsage.h:
2238         (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage):
2239         * b3/air/testair.cpp:
2240
2241 2018-05-03  Keith Miller  <keith_miller@apple.com>
2242
2243         Remove the prototype caching for get_by_id in the LLInt
2244         https://bugs.webkit.org/show_bug.cgi?id=185226
2245
2246         Reviewed by Michael Saboff.
2247
2248         There is no evidence that this is actually a speedup and we keep
2249         getting bugs with it. At this point it seems like we should just
2250         remove this code.
2251
2252         * CMakeLists.txt:
2253         * JavaScriptCore.xcodeproj/project.pbxproj:
2254         * Sources.txt:
2255         * bytecode/BytecodeDumper.cpp:
2256         (JSC::BytecodeDumper<Block>::printGetByIdOp):
2257         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
2258         (JSC::BytecodeDumper<Block>::dumpBytecode):
2259         * bytecode/BytecodeList.json:
2260         * bytecode/BytecodeUseDef.h:
2261         (JSC::computeUsesForBytecodeOffset):
2262         (JSC::computeDefsForBytecodeOffset):
2263         * bytecode/CodeBlock.cpp:
2264         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2265         * bytecode/CodeBlock.h:
2266         (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
2267         * bytecode/GetByIdStatus.cpp:
2268         (JSC::GetByIdStatus::computeFromLLInt):
2269         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
2270         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
2271         * bytecompiler/BytecodeGenerator.cpp:
2272         (JSC::BytecodeGenerator::emitGetById):
2273         * dfg/DFGByteCodeParser.cpp:
2274         (JSC::DFG::ByteCodeParser::parseBlock):
2275         * dfg/DFGCapabilities.cpp:
2276         (JSC::DFG::capabilityLevel):
2277         * jit/JIT.cpp:
2278         (JSC::JIT::privateCompileMainPass):
2279         (JSC::JIT::privateCompileSlowCases):
2280         * llint/LLIntSlowPaths.cpp:
2281         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2282         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
2283         * llint/LowLevelInterpreter32_64.asm:
2284         * llint/LowLevelInterpreter64.asm:
2285         * runtime/Options.h:
2286
2287 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
2288
2289         Unreviewed, rolling out r231197.
2290
2291         The test added with this change crashes on the 32-bit JSC bot.
2292
2293         Reverted changeset:
2294
2295         "Correctly detect string overflow when using the 'Function'
2296         constructor"
2297         https://bugs.webkit.org/show_bug.cgi?id=184883
2298         https://trac.webkit.org/changeset/231197
2299
2300 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2301
2302         Disable usage of fused multiply-add instructions for JSC with compiler flag
2303         https://bugs.webkit.org/show_bug.cgi?id=184909
2304
2305         Reviewed by Yusuke Suzuki.
2306
2307         Adds -ffp-contract as compiler flag for building JSC. This ensures that functions
2308         like parseInt() do not return slightly different results depending on whether the
2309         compiler was able to use fused multiply-add instructions or not.
2310
2311         * CMakeLists.txt:
2312
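The entry above says why the flag matters: with contraction enabled, a*b+c may be evaluated with one rounding (fused) or two (product rounded, then sum rounded), and the two can differ. The following is an added example, not JavaScriptCore code; the function names (multiplyAddUnfused, multiplyAddFused, fusionChangesResult) and the sample inputs are constructed for illustration.

```cpp
// Added example (not JSC code): how fused multiply-add changes a result.
// The inputs 0.1, 10.0, -1.0 are constructed so that the two evaluation
// strategies disagree: 0.1 is not exactly representable, so the rounded
// product 0.1*10 is exactly 1.0 while the exact product is 1.0 + 2^-54.
#include <cmath>

// Unfused evaluation. The volatile store forces the product to be rounded to a
// double before the addition, which is the behaviour -ffp-contract=off guarantees
// regardless of the target's FMA support.
double multiplyAddUnfused(double a, double b, double c)
{
    volatile double product = a * b;
    return product + c;
}

// Fused evaluation: std::fma computes a*b+c with a single rounding, which is what
// a contracted expression compiles to on hardware with FMA instructions.
double multiplyAddFused(double a, double b, double c)
{
    return std::fma(a, b, c);
}

// True when fusing would change the observable result for these inputs. A
// routine such as parseInt() that accumulates digits this way would then return
// different values on different builds unless contraction is pinned down.
bool fusionChangesResult(double a, double b, double c)
{
    return multiplyAddUnfused(a, b, c) != multiplyAddFused(a, b, c);
}
```

For the constructed inputs the unfused form yields exactly 0.0 and the fused form yields 2^-54; for inputs whose product is exact (2.0, 3.0, 4.0) both forms agree.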
2313 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2314
2315         Unreviewed, fix build failure in ARM, ARMv7 and MIPS
2316         https://bugs.webkit.org/show_bug.cgi?id=185192
2317
2318         compareDouble relies on MacroAssembler::invert function.
2319
2320         * assembler/MacroAssembler.h:
2321         (JSC::MacroAssembler::compareDouble):
2322         * assembler/MacroAssemblerARM.h:
2323         (JSC::MacroAssemblerARM::compareDouble): Deleted.
2324         * assembler/MacroAssemblerARMv7.h:
2325         (JSC::MacroAssemblerARMv7::compareDouble): Deleted.
2326         * assembler/MacroAssemblerMIPS.h:
2327         (JSC::MacroAssemblerMIPS::compareDouble): Deleted.
2328
2329 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2330
2331         [JSC] Add MacroAssembler::and16 and store16
2332         https://bugs.webkit.org/show_bug.cgi?id=185188
2333
2334         Reviewed by Mark Lam.
2335
2336         r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations.
2337         This patch adds these methods for ARM.
2338
2339         * assembler/MacroAssemblerARM.h:
2340         (JSC::MacroAssemblerARM::and16):
2341         (JSC::MacroAssemblerARM::store16):
2342
2343 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2344
2345         [DFG] Unify compare related code in 32bit and 64bit
2346         https://bugs.webkit.org/show_bug.cgi?id=185189
2347
2348         Reviewed by Mark Lam.
2349
2350         This patch unifies some part of compare related code in 32bit and 64bit
2351         to reduce the size of 32bit specific DFG code.
2352
2353         * dfg/DFGSpeculativeJIT.cpp:
2354         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
2355         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
2356         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2357         * dfg/DFGSpeculativeJIT32_64.cpp:
2358         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
2359         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
2360         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
2361         * dfg/DFGSpeculativeJIT64.cpp:
2362         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
2363         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
2364         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
2365
2366 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2367
2368         [JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64
2369         https://bugs.webkit.org/show_bug.cgi?id=185192
2370
2371         Reviewed by Mark Lam.
2372
2373         Now Object.is starts using compareDouble. So we would like to have
2374         an efficient implementation of compareDouble and compareFloat for the
2375         major architectures, ARM64, X86, and X86_64.
2376
2377         This patch adds compareDouble and compareFloat implementations for
2378         these architectures. And the generic implementation is moved to each
2379         architecture's MacroAssembler implementation.
2380
2381         We also add tests for them in testmasm. To implement this test
2382         easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the
2383         major architectures.
2384
2385         * assembler/MacroAssembler.h:
2386         (JSC::MacroAssembler::compareDouble): Deleted.
2387         (JSC::MacroAssembler::compareFloat): Deleted.
2388         * assembler/MacroAssemblerARM.h:
2389         (JSC::MacroAssemblerARM::compareDouble):
2390         * assembler/MacroAssemblerARM64.h:
2391         (JSC::MacroAssemblerARM64::compareDouble):
2392         (JSC::MacroAssemblerARM64::compareFloat):
2393         (JSC::MacroAssemblerARM64::loadFloat):
2394         (JSC::MacroAssemblerARM64::floatingPointCompare):
2395         * assembler/MacroAssemblerARMv7.h:
2396         (JSC::MacroAssemblerARMv7::compareDouble):
2397         * assembler/MacroAssemblerMIPS.h:
2398         (JSC::MacroAssemblerMIPS::compareDouble):
2399         * assembler/MacroAssemblerX86Common.h:
2400         (JSC::MacroAssemblerX86Common::loadFloat):
2401         (JSC::MacroAssemblerX86Common::compareDouble):
2402         (JSC::MacroAssemblerX86Common::compareFloat):
2403         (JSC::MacroAssemblerX86Common::floatingPointCompare):
2404         * assembler/X86Assembler.h:
2405         (JSC::X86Assembler::movss_mr):
2406         (JSC::X86Assembler::movss_rm):
2407         * assembler/testmasm.cpp:
2408         (JSC::floatOperands):
2409         (JSC::testCompareFloat):
2410         (JSC::run):
2411
2412 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2413
2414         Unreviewed, fix 32bit DFG code
2415         https://bugs.webkit.org/show_bug.cgi?id=185065
2416
2417         * dfg/DFGSpeculativeJIT.cpp:
2418         (JSC::DFG::SpeculativeJIT::compileSameValue):
2419
2420 2018-05-02  Filip Pizlo  <fpizlo@apple.com>
2421
2422         JSC should know how to cache custom getter accesses on the prototype chain
2423         https://bugs.webkit.org/show_bug.cgi?id=185213
2424
2425         Reviewed by Keith Miller.
2426
2427         This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test.
2428
2429         * jit/Repatch.cpp:
2430         (JSC::tryCacheGetByID):
2431
2432 2018-05-01  Filip Pizlo  <fpizlo@apple.com>
2433
2434         JSC should be able to cache custom setter calls on the prototype chain
2435         https://bugs.webkit.org/show_bug.cgi?id=185174
2436
2437         Reviewed by Saam Barati.
2438
2439         We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty()
2440         condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add
2441         impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead
2442         of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for
2443         custom accessors because it won't find the custom property in the structure.
2444
2445         The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty().
2446
2447         This is a 4x speed-up on assign-custom-setter.js.
2448
2449         * bytecode/AccessCase.cpp:
2450         (JSC::AccessCase::hasAlternateBase const):
2451         (JSC::AccessCase::alternateBase const):
2452         (JSC::AccessCase::generateImpl):
2453         * bytecode/AccessCase.h:
2454         (JSC::AccessCase::alternateBase const): Deleted.
2455         * bytecode/GetterSetterAccessCase.cpp:
2456         (JSC::GetterSetterAccessCase::hasAlternateBase const):
2457         (JSC::GetterSetterAccessCase::alternateBase const):
2458         * bytecode/GetterSetterAccessCase.h:
2459         * bytecode/ObjectPropertyConditionSet.cpp:
2460         (JSC::generateConditionsForPrototypePropertyHitCustom):
2461         * bytecode/ObjectPropertyConditionSet.h:
2462         * jit/Repatch.cpp:
2463         (JSC::tryCacheGetByID):
2464         (JSC::tryCachePutByID):
2465
2466 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
2467
2468         [MIPS] Implement and16 and store16 for MacroAssemblerMIPS
2469         https://bugs.webkit.org/show_bug.cgi?id=185195
2470
2471         Reviewed by Mark Lam.
2472
2473         This implements the given function for MIPS, such that it builds again.
2474
2475         * assembler/MacroAssemblerMIPS.h:
2476         (JSC::MacroAssemblerMIPS::and16):
2477         (JSC::MacroAssemblerMIPS::store16):
2478
2479 2018-05-02  Rick Waldron  <waldron.rick@gmail.com>
2480
2481         Expose "$262.agent.monotonicNow()" for use in testing Atomic operation timeouts
2482         https://bugs.webkit.org/show_bug.cgi?id=185043
2483
2484         Reviewed by Filip Pizlo.
2485
2486         * jsc.cpp:
2487         (GlobalObject::finishCreation):
2488         (functionDollarAgentMonotonicNow):
2489
2490 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
2491
2492         [ARM] Implement and16 and store16 for MacroAssemblerARMv7
2493         https://bugs.webkit.org/show_bug.cgi?id=185196
2494
2495         Reviewed by Mark Lam.
2496
2497         This implements and16 and store16 for MacroAssemblerARMv7 such that JSC builds again.
2498
2499         * assembler/MacroAssemblerARMv7.h:
2500         (JSC::MacroAssemblerARMv7::and16):
2501         (JSC::MacroAssemblerARMv7::store16):
2502
2503 2018-05-02  Robin Morisset  <rmorisset@apple.com>
2504
2505         emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
2506         https://bugs.webkit.org/show_bug.cgi?id=183172
2507
2508         Reviewed by Filip Pizlo.
2509
2510         DFGArgumentsEliminationPhase.cpp currently believes that allocations of NewArrayWithSpread can be deleted if they are only used by GetArrayLength,
2511         but when it then calls emitCodeToGetArgumentsArrayLength, the latter has no idea what to do with GetArrayLength.
2512
2513         I fix the problem by teaching emitCodeToGetArgumentsArrayLength how to deal with GetArrayLength.
2514         Because this requires emitting an Add that can overflow and thus exit, we also tell DFGArgumentsEliminationPhase to give up on eliminating
2515         a NewArrayWithSpread when it is used by a GetArrayLength that is not allowed to exit.
2516
2517         * dfg/DFGArgumentsEliminationPhase.cpp:
2518         * dfg/DFGArgumentsUtilities.cpp:
2519         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2520
2521 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2522
2523         Unreviewed, stackPointer signature is different from declaration
2524         https://bugs.webkit.org/show_bug.cgi?id=184790
2525
2526         * runtime/MachineContext.h:
2527         (JSC::MachineContext::stackPointer):
2528
2529 2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2530
2531         [JSC] Add SameValue DFG node
2532         https://bugs.webkit.org/show_bug.cgi?id=185065
2533
2534         Reviewed by Saam Barati.
2535
2536         This patch adds Object.is handling in DFG and FTL. Object.is is converted to SameValue DFG node.
2537         And DFG fixup phase attempts to convert SameValue node to CompareStrictEq with type filter edges
2538         if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics
2539         from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have
2540         implementations for these SameValue nodes.
2541
2542         This old MacroAssemblerX86Common::compareDouble was dead code since the derived class, "MacroAssembler",
2543         has a generalized compareDouble, which just uses branchDouble. Since this was not used, this function
2544         was broken. This patch fixes the issues and moves compareDouble to MacroAssemblerX86Common, and removes the
2545         generalized compareDouble for the x86 arch so that this specialized efficient version is used instead. The fixes are
2546         correctly using set32 to zero-extend the result, and setting the initial value of the `dest` register
2547         correctly for the DoubleEqual and DoubleNotEqualOrUnordered cases.
2548
2549         The added microbenchmark shows a performance improvement.
2550
2551             object-is           651.0053+-38.8204    ^    241.3467+-15.8753       ^ definitely 2.6974x faster
2552
2553         * assembler/MacroAssembler.h:
2554         * assembler/MacroAssemblerX86Common.h:
2555         (JSC::MacroAssemblerX86Common::compareDouble):
2556         * assembler/MacroAssemblerX86_64.h:
2557         (JSC::MacroAssemblerX86_64::compareDouble): Deleted.
2558         * assembler/testmasm.cpp:
2559         (JSC::doubleOperands):
2560         (JSC::testCompareDouble):
2561         (JSC::run):
2562         * dfg/DFGAbstractInterpreterInlines.h:
2563         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2564         * dfg/DFGByteCodeParser.cpp:
2565         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2566         * dfg/DFGClobberize.h:
2567         (JSC::DFG::clobberize):
2568         * dfg/DFGConstantFoldingPhase.cpp:
2569         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2570         * dfg/DFGDoesGC.cpp:
2571         (JSC::DFG::doesGC):
2572         * dfg/DFGFixupPhase.cpp:
2573         (JSC::DFG::FixupPhase::fixupNode):
2574         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2575         * dfg/DFGNodeType.h:
2576         * dfg/DFGOperations.cpp:
2577         * dfg/DFGOperations.h:
2578         * dfg/DFGPredictionPropagationPhase.cpp:
2579         * dfg/DFGSafeToExecute.h:
2580         (JSC::DFG::safeToExecute):
2581         * dfg/DFGSpeculativeJIT.cpp:
2582         (JSC::DFG::SpeculativeJIT::compileSameValue):
2583         * dfg/DFGSpeculativeJIT.h:
2584         * dfg/DFGSpeculativeJIT32_64.cpp:
2585         (JSC::DFG::SpeculativeJIT::compile):
2586         * dfg/DFGSpeculativeJIT64.cpp:
2587         (JSC::DFG::SpeculativeJIT::compile):
2588         * dfg/DFGValidate.cpp:
2589         * ftl/FTLCapabilities.cpp:
2590         (JSC::FTL::canCompile):
2591         * ftl/FTLLowerDFGToB3.cpp:
2592         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2593         (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
2594         * runtime/Intrinsic.cpp:
2595         (JSC::intrinsicName):
2596         * runtime/Intrinsic.h:
2597         * runtime/ObjectConstructor.cpp:
2598
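The entry above keeps SameValue(Double, Double) apart from CompareStrictEq because the two semantics differ on doubles. The following is an added example, not JavaScriptCore code, showing exactly where they differ (NaN and signed zero) in plain C++; the function names (strictEqualsDouble, sameValueDouble, sameValueDoubleBitwise) are constructed for illustration.

```cpp
// Added example (not JSC code): strict equality versus SameValue on doubles.
#include <cmath>
#include <cstdint>
#include <cstring>
#include <limits>

const double kNaN = std::numeric_limits<double>::quiet_NaN();

// Strict equality (===) on doubles is the IEEE comparison:
// NaN is never equal to anything, and +0 equals -0.
bool strictEqualsDouble(double a, double b)
{
    return a == b;
}

// SameValue (Object.is) on doubles, following the ECMAScript definition:
//   - two NaNs are the same value,
//   - +0 and -0 are different values,
//   - otherwise it is ordinary numeric equality.
bool sameValueDouble(double a, double b)
{
    if (std::isnan(a) && std::isnan(b))
        return true;
    if (a == 0.0 && b == 0.0)
        return std::signbit(a) == std::signbit(b);
    return a == b;
}

// Equivalent bitwise formulation, useful as a cross-check: two doubles are the
// same value when both are NaN or their bit patterns are identical. Signed zeros
// differ in the sign bit, so they compare unequal here as required.
bool sameValueDoubleBitwise(double a, double b)
{
    if (std::isnan(a) && std::isnan(b))
        return true;
    uint64_t bitsA, bitsB;
    std::memcpy(&bitsA, &a, sizeof bitsA);
    std::memcpy(&bitsB, &b, sizeof bitsB);
    return bitsA == bitsB;
}
```

A fixup that rewrites SameValue to CompareStrictEq is only sound when the type filter rules out the two inputs above; for Untyped or Double edges the node must keep its own implementation.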
2599 2018-04-30  Filip Pizlo  <fpizlo@apple.com>
2600
2601         B3::demoteValues should be able to handle patchpoint terminals
2602         https://bugs.webkit.org/show_bug.cgi?id=185151
2603
2604         Reviewed by Saam Barati.
2605         
2606         If we try to demote a patchpoint terminal then prior to this change we would append a Set to
2607         the basic block that the patchpoint terminated. That's wrong because then the terminal is no
2608         longer the last thing in the block.
2609         
2610         Air encounters this problem in spilling and solves it by doing a fixup afterwards. We can't
2611         really do that because demotion happens as a prerequisite to other transformations.
2612         
2613         One solution might have been to make demoteValues insert a basic block whenever it encounters
2614         this problem. But that would break clients that do CFG analysis before demoteValues and use
2615         the results of the CFG analysis after demoteValues. Taildup does this. Fortunately, taildup
2616         also runs breakCriticalEdges. Probably anyone using demoteValues will use breakCriticalEdges,
2617         so it's not bad to introduce that requirement.
2618         
2619         So, this patch solves the problem by ensuring that breakCriticalEdges treats any patchpoint
2620         terminal as if it had multiple successors. This means that a patchpoint terminal's successors
2621         will only have it as their predecessor. Then, demoteValues just prepends the Set to the
2622         successors of the patchpoint terminal.
2623         
2624         This was probably asymptomatic. It's hard to write a JS test that triggers this, so I added
2625         a unit test in testb3.
2626
2627         * b3/B3BreakCriticalEdges.cpp:
2628         (JSC::B3::breakCriticalEdges):
2629         * b3/B3BreakCriticalEdges.h:
2630         * b3/B3FixSSA.cpp:
2631         (JSC::B3::demoteValues):
2632         (JSC::B3::fixSSA):
2633         * b3/B3FixSSA.h:
2634         * b3/B3Value.cpp:
2635         (JSC::B3::Value::foldIdentity const):
2636         (JSC::B3::Value::performSubstitution):
2637         * b3/B3Value.h:
2638         * b3/testb3.cpp:
2639         (JSC::B3::testDemotePatchpointTerminal):
2640         (JSC::B3::run):
2641
2642 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2643
2644         Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
2645         https://bugs.webkit.org/show_bug.cgi?id=184772
2646         <rdar://problem/39146327>
2647
2648         Reviewed by Filip Pizlo.
2649
2650         Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399>), where a check was missing.
2651         This patch now makes sure that the check correctly detects if there is an integer overflow.
2652
2653         * runtime/JSArray.cpp:
2654         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2655
2656 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2657
2658         Correctly detect string overflow when using the 'Function' constructor
2659         https://bugs.webkit.org/show_bug.cgi?id=184883
2660         <rdar://problem/36320331>
2661
2662         Reviewed by Filip Pizlo.
2663
2664         The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation.
2665         Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case.
2666
2667         I added new tryAppend methods alongside the old append methods, that return a boolean (true means success, false means an overflow happened).
2668         In this way, it becomes possible for the Function constructor to just throw a proper JS exception when asked to create a string > 4GB.
2669         I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.
2670
2671         * runtime/FunctionConstructor.cpp:
2672         (JSC::constructFunctionSkippingEvalEnabledCheck):
2673         * runtime/JSONObject.cpp:
2674         (JSC::Stringifier::appendStringifiedValue):
2675
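The two entries above (CheckedArithmetic for the unshift length computation, and tryAppend methods for the 'Function' constructor) describe the same defensive pattern: detect integer overflow in a length and report it to the caller instead of wrapping around or crashing. The following is an added example, not JavaScriptCore or WTF code; the names (checkedAddLength, LimitedStringBuilder, buildFunctionSource), the configurable length cap and the source-text layout are constructed for illustration.

```cpp
// Added example (not JSC/WTF code): overflow-aware length arithmetic and a
// tryAppend-style string builder that reports overflow instead of crashing.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <limits>
#include <optional>
#include <string>

// Checked addition of two 32-bit lengths. Returns std::nullopt rather than a
// wrapped-around value when the sum does not fit, which is the property a
// checked integer type provides: the overflow is recorded, not silently lost.
std::optional<uint32_t> checkedAddLength(uint32_t a, uint32_t b)
{
    if (a > std::numeric_limits<uint32_t>::max() - b)
        return std::nullopt;
    return a + b;
}

// A string builder with a hard length cap. The cap is a constructor parameter
// here so the example runs with small values (constructed; a real builder would
// cap at the limit of its length type).
class LimitedStringBuilder {
public:
    explicit LimitedStringBuilder(size_t maxLength) : m_maxLength(maxLength) { }

    // Old-style append: overflow is treated as fatal, so the process aborts.
    void append(const std::string& s)
    {
        if (!tryAppend(s))
            std::abort();
    }

    // tryAppend: returns false on overflow and leaves the buffer untouched, so the
    // caller can report an error (for example, throw a JS exception) instead.
    bool tryAppend(const std::string& s)
    {
        // m_buffer.size() never exceeds m_maxLength, so this subtraction cannot underflow.
        if (s.size() > m_maxLength - m_buffer.size())
            return false;
        m_buffer += s;
        return true;
    }

    const std::string& string() const { return m_buffer; }

private:
    size_t m_maxLength;
    std::string m_buffer;
};

// Caller in the spirit of a Function-constructor source builder: every piece goes
// through tryAppend, and the first overflow becomes an error value for the caller.
std::optional<std::string> buildFunctionSource(const std::string& args, const std::string& body, size_t maxLength)
{
    LimitedStringBuilder builder(maxLength);
    const std::string pieces[] = { "(function (", args, ") {\n", body, "\n})" };
    for (const std::string& piece : pieces) {
        if (!builder.tryAppend(piece))
            return std::nullopt;
    }
    return builder.string();
}
```

Keeping the crashing append alongside tryAppend preserves the old contract for callers that rely on a hard failure, which is the reason the entry gives for adding new methods instead of changing the existing ones.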
2676 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2677
2678         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
2679         https://bugs.webkit.org/show_bug.cgi?id=185162
2680
2681         Reviewed by Filip Pizlo.
2682
2683         * runtime/IntlObject.cpp:
2684         (JSC::removeUnicodeLocaleExtension):
2685
2686 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
2687
2688         Add SetCallee as DFG-Operation
2689         https://bugs.webkit.org/show_bug.cgi?id=184582
2690
2691         Reviewed by Filip Pizlo.
2692
2693         For recursive tail calls not only the argument count can change but also the
2694         callee. Add SetCallee to DFG that sets the callee slot in the current call frame.
2695         Also update the callee when optimizing a recursive tail call.
2696         Enable recursive tail call optimization also for closures.
2697
2698         * dfg/DFGAbstractInterpreterInlines.h:
2699         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2700         * dfg/DFGByteCodeParser.cpp:
2701         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2702         (JSC::DFG::ByteCodeParser::handleCallVariant):
2703         * dfg/DFGClobberize.h:
2704         (JSC::DFG::clobberize):
2705         * dfg/DFGDoesGC.cpp:
2706         (JSC::DFG::doesGC):
2707         * dfg/DFGFixupPhase.cpp:
2708         (JSC::DFG::FixupPhase::fixupNode):
2709         * dfg/DFGMayExit.cpp:
2710         * dfg/DFGNodeType.h:
2711         * dfg/DFGPredictionPropagationPhase.cpp:
2712         * dfg/DFGSafeToExecute.h:
2713         (JSC::DFG::safeToExecute):
2714         * dfg/DFGSpeculativeJIT.cpp:
2715         (JSC::DFG::SpeculativeJIT::compileSetCallee):
2716         * dfg/DFGSpeculativeJIT.h:
2717         * dfg/DFGSpeculativeJIT32_64.cpp:
2718         (JSC::DFG::SpeculativeJIT::compile):
2719         * dfg/DFGSpeculativeJIT64.cpp:
2720         (JSC::DFG::SpeculativeJIT::compile):
2721         * ftl/FTLCapabilities.cpp:
2722         (JSC::FTL::canCompile):
2723         * ftl/FTLLowerDFGToB3.cpp:
2724         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2725         (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):
2726
2727 2018-05-01  Oleksandr Skachkov  <gskachkov@gmail.com>
2728
2729         WebAssembly: add support for stream APIs - JavaScript API
2730         https://bugs.webkit.org/show_bug.cgi?id=183442
2731
2732         Reviewed by Yusuke Suzuki and JF Bastien.
2733
2734         Add WebAssembly stream API. The current patch only adds the functions
2735         WebAssembly.compileStreaming and WebAssembly.instantiateStreaming, but
2736         does not add a streaming implementation. So in the current version it
2737         only waits for the whole module to load, then starts to parse.
2738
2739         * CMakeLists.txt:
2740         * Configurations/FeatureDefines.xcconfig:
2741         * DerivedSources.make:
2742         * JavaScriptCore.xcodeproj/project.pbxproj:
2743         * builtins/BuiltinNames.h:
2744         * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
2745         (compileStreaming):
2746         (instantiateStreaming):
2747         * jsc.cpp:
2748         * runtime/JSGlobalObject.cpp:
2749         (JSC::JSGlobalObject::init):
2750         * runtime/JSGlobalObject.h:
2751         * runtime/Options.h:
2752         * runtime/PromiseDeferredTimer.cpp:
2753         (JSC::PromiseDeferredTimer::hasPendingPromise):
2754         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
2755         * runtime/PromiseDeferredTimer.h:
2756         * wasm/js/WebAssemblyPrototype.cpp:
2757         (JSC::webAssemblyModuleValidateAsyncInternal):
2758         (JSC::webAssemblyCompileFunc):
2759         (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
2760         (JSC::webAssemblyModuleInstantinateAsyncInternal):
2761         (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
2762         (JSC::webAssemblyCompileStreamingInternal):
2763         (JSC::webAssemblyInstantiateStreamingInternal):
2764         (JSC::WebAssemblyPrototype::create):
2765         (JSC::WebAssemblyPrototype::finishCreation):
2766         * wasm/js/WebAssemblyPrototype.h:
2767
2768 2018-04-30  Saam Barati  <sbarati@apple.com>
2769
2770         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
2771         https://bugs.webkit.org/show_bug.cgi?id=185149
2772         <rdar://problem/39455917>
2773
2774         Reviewed by Filip Pizlo.
2775
2776         The bug was that we were deleting checks that we shouldn't have deleted.
2777         This patch makes a helper inside strength reduction that converts to
2778         a LazyJSConstant while maintaining checks, and switches users of the
2779         node API inside strength reduction to instead call the helper function.
2780         
2781         This patch also fixes a potential bug where StringReplace and
2782         StringReplaceRegExp may not preserve all their checks.
2783
2784
2785         * dfg/DFGStrengthReductionPhase.cpp:
2786         (JSC::DFG::StrengthReductionPhase::handleNode):
2787         (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):
2788
2789 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
2790
2791         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
2792         https://bugs.webkit.org/show_bug.cgi?id=185126
2793
2794         Reviewed by Saam Barati.
2795         
2796         This change is just restoring functionality that we've already had for a while. It had been
2797         accidentally broken due to an unrelated CodeBlock refactoring.
2798
2799         * dfg/DFGLICMPhase.cpp:
2800         (JSC::DFG::LICMPhase::attemptHoist):
2801
2802 2018-04-30  Mark Lam  <mark.lam@apple.com>
2803
2804         Apply PtrTags to the MetaAllocator and friends.
2805         https://bugs.webkit.org/show_bug.cgi?id=185110
2806         <rdar://problem/39533895>
2807
2808         Reviewed by Saam Barati.
2809
2810         1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
2811         2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
2812            and add a sanity check to verify that allocated code buffers are within those
2813            bounds.
2814
2815         * assembler/LinkBuffer.cpp:
2816         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
2817         (JSC::LinkBuffer::copyCompactAndLinkCode):
2818         (JSC::LinkBuffer::linkCode):
2819         (JSC::LinkBuffer::allocate):
2820         * assembler/LinkBuffer.h:
2821         (JSC::LinkBuffer::LinkBuffer):
2822         (JSC::LinkBuffer::debugAddress):
2823         (JSC::LinkBuffer::code):
2824         * assembler/MacroAssemblerCodeRef.h:
2825         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
2826         * bytecode/InlineAccess.cpp:
2827         (JSC::linkCodeInline):
2828         (JSC::InlineAccess::rewireStubAsJump):
2829         * dfg/DFGJITCode.cpp:
2830         (JSC::DFG::JITCode::findPC):
2831         * ftl/FTLJITCode.cpp:
2832         (JSC::FTL::JITCode::findPC):
2833         * jit/ExecutableAllocator.cpp:
2834         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2835         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2836         (JSC::ExecutableAllocator::allocate):
2837         * jit/ExecutableAllocator.h:
2838         (JSC::isJITPC):
2839         (JSC::performJITMemcpy):
2840         * jit/JIT.cpp:
2841         (JSC::JIT::link):
2842         * jit/JITMathIC.h:
2843         (JSC::isProfileEmpty):
2844         * runtime/JSCPtrTag.h:
2845         * wasm/WasmCallee.cpp:
2846         (JSC::Wasm::Callee::Callee):
2847         * wasm/WasmFaultSignalHandler.cpp:
2848         (JSC::Wasm::trapHandler):
2849
2850 2018-04-30  Keith Miller  <keith_miller@apple.com>
2851
2852         Move the MayBePrototype JSCell header bit to InlineTypeFlags
2853         https://bugs.webkit.org/show_bug.cgi?id=185143
2854
2855         Reviewed by Mark Lam.
2856
2857         * runtime/IndexingType.h:
2858         * runtime/JSCellInlines.h:
2859         (JSC::JSCell::setStructure):
2860         (JSC::JSCell::mayBePrototype const):
2861         (JSC::JSCell::didBecomePrototype):
2862         * runtime/JSTypeInfo.h:
2863         (JSC::TypeInfo::mayBePrototype):
2864         (JSC::TypeInfo::mergeInlineTypeFlags):
2865
2866 2018-04-30  Keith Miller  <keith_miller@apple.com>
2867
2868         Remove unneeded exception check from String.fromCharCode
2869         https://bugs.webkit.org/show_bug.cgi?id=185083
2870
2871         Reviewed by Mark Lam.
2872
2873         * runtime/StringConstructor.cpp:
2874         (JSC::stringFromCharCode):
2875
2876 2018-04-30  Keith Miller  <keith_miller@apple.com>
2877
2878         Move StructureIsImmortal to out of line flags.
2879         https://bugs.webkit.org/show_bug.cgi?id=185101
2880
2881         Reviewed by Saam Barati.
2882
2883         This will free up a bit in the inline flags where we can move the
2884         isPrototype bit to. This will, in turn, free a bit for use in
2885         implementing copy on write butterflies.
2886
2887         Also, this patch removes an assertion from Structure::typeInfo()
2888         that inadvertently makes the function invalid to call while
2889         cleaning up the vm.
2890
2891         * heap/HeapCellType.cpp:
2892         (JSC::DefaultDestroyFunc::operator() const):
2893         * runtime/JSCell.h:
2894         * runtime/JSCellInlines.h:
2895         (JSC::JSCell::callDestructor): Deleted.
2896         * runtime/JSTypeInfo.h:
2897         (JSC::TypeInfo::hasStaticPropertyTable):
2898         (JSC::TypeInfo::structureIsImmortal const):
2899         * runtime/Structure.h:
2900
2901 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2902
2903         [JSC] Remove arity fixup check if the number of parameters is 1
2904         https://bugs.webkit.org/show_bug.cgi?id=183984
2905
2906         Reviewed by Mark Lam.
2907
2908         If the number of parameters is one (|this|), we never hit the arity fixup check.
2909         We do not need to emit arity fixup check code.
2910
2911         * dfg/DFGDriver.cpp:
2912         (JSC::DFG::compileImpl):
2913         * dfg/DFGJITCompiler.cpp:
2914         (JSC::DFG::JITCompiler::compileFunction):
2915         * dfg/DFGJITCompiler.h:
2916         * ftl/FTLLink.cpp:
2917         (JSC::FTL::link):
2918         * jit/JIT.cpp:
2919         (JSC::JIT::compileWithoutLinking):
2920
2921 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2922
2923         Use WordLock instead of std::mutex for Threading
2924         https://bugs.webkit.org/show_bug.cgi?id=185121
2925
2926         Reviewed by Geoffrey Garen.
2927
2928         ThreadGroup starts using WordLock.
2929
2930         * heap/MachineStackMarker.h:
2931         (JSC::MachineThreads::getLock):
2932
2933 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
2934
2935         B3 should run tail duplication at the bitter end
2936         https://bugs.webkit.org/show_bug.cgi?id=185123
2937
2938         Reviewed by Geoffrey Garen.
2939         
2940         Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
2941         everywhere else.
2942         
2943         The goal of this change is to allow us to run path specialization after switch lowering but
2944         before tail duplication.
2945
2946         * b3/B3Generate.cpp:
2947         (JSC::B3::generateToAir):
2948         * runtime/Options.h:
2949
2950 2018-04-29  Commit Queue  <commit-queue@webkit.org>
2951
2952         Unreviewed, rolling out r231137.
2953         https://bugs.webkit.org/show_bug.cgi?id=185118
2954
2955         It is breaking Test262 language/expressions/multiplication/order-of-evaluation.js
2956         (Requested by caiolima on #webkit).
2957
2958         Reverted changeset:
2959
2960         "[ESNext][BigInt] Implement support for "*" operation"
2961         https://bugs.webkit.org/show_bug.cgi?id=183721
2962         https://trac.webkit.org/changeset/231137
2963
2964 2018-04-28  Saam Barati  <sbarati@apple.com>
2965
2966         We don't model regexp effects properly
2967         https://bugs.webkit.org/show_bug.cgi?id=185059
2968         <rdar://problem/39736150>
2969
2970         Reviewed by Filip Pizlo.
2971
2972         RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if
2973         the regexp is global.
2974
2975         * dfg/DFGAbstractInterpreterInlines.h:
2976         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2977         * dfg/DFGClobberize.h:
2978         (JSC::DFG::clobberize):
2979
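        Added example, not JSC's code: what "arbitrary effects" means at the JavaScript
        level for the entry above. For a global RegExp, exec reads lastIndex and coerces it
        with ToLength, so a lastIndex object with a valueOf method runs user code in the
        middle of the match. The state object and the input string are constructed for
        illustration.

```javascript
// Added example (not JSC's code): a global RegExp's lastIndex is read and
// coerced on every exec/test, so a valueOf on it runs arbitrary JavaScript
// before the matcher starts. This is the effect the DFG has to model.
function execWithEffectfulLastIndex() {
  const state = { calls: 0, sideEffect: false };
  const re = /a/g;
  // Constructed input: lastIndex is an object whose valueOf mutates shared
  // state and then reports the position at which matching should resume.
  re.lastIndex = {
    valueOf() {
      state.calls += 1;
      state.sideEffect = true;
      return 2;
    },
  };
  const first = re.exec('aaa');
  const lastIndexAfterFirst = re.lastIndex; // written back as a number
  const second = re.exec('aaa');            // resumes at 3, finds nothing
  return {
    calls: state.calls,                     // valueOf ran exactly once
    sideEffect: state.sideEffect,           // and its effect is visible afterwards
    index: first ? first.index : -1,        // matching resumed at 2
    lastIndexAfterFirst,                    // advanced to 3 past the match
    secondIsNull: second === null,          // no match from 3
    lastIndexAfterSecond: re.lastIndex,     // a failed global match resets to 0
  };
}
```

        The same coercion happens for RegExp.prototype.test, which goes through the same
        built-in exec path; a non-global, non-sticky RegExp ignores lastIndex for the
        purpose of where matching starts, which is why the entry above singles out the
        global case.
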
2980 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
2981
2982         Token misspelled "tocken" in error message string
2983         https://bugs.webkit.org/show_bug.cgi?id=185030
2984
2985         Reviewed by Saam Barati.
2986
2987         * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
2988         (JSC::Parser<LexerType>::Parser):
2989         (JSC::Parser<LexerType>::didFinishParsing):
2990         (JSC::Parser<LexerType>::parseSourceElements):
2991         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2992         (JSC::Parser<LexerType>::parseVariableDeclaration):
2993         (JSC::Parser<LexerType>::parseWhileStatement):
2994         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2995         (JSC::Parser<LexerType>::createBindingPattern):
2996         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
2997         (JSC::Parser<LexerType>::parseObjectRestElement):
2998         (JSC::Parser<LexerType>::parseDestructuringPattern):
2999         (JSC::Parser<LexerType>::parseForStatement):
3000         (JSC::Parser<LexerType>::parseBreakStatement):
3001         (JSC::Parser<LexerType>::parseContinueStatement):
3002         (JSC::Parser<LexerType>::parseThrowStatement):
3003         (JSC::Parser<LexerType>::parseWithStatement):
3004         (JSC::Parser<LexerType>::parseSwitchStatement):
3005         (JSC::Parser<LexerType>::parseSwitchClauses):
3006         (JSC::Parser<LexerType>::parseTryStatement):
3007         (JSC::Parser<LexerType>::parseBlockStatement):
3008         (JSC::Parser<LexerType>::parseFormalParameters):
3009         (JSC::Parser<LexerType>::parseFunctionParameters):
3010         (JSC::Parser<LexerType>::parseFunctionInfo):
3011         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
3012         (JSC::Parser<LexerType>::parseExpressionStatement):
3013         (JSC::Parser<LexerType>::parseIfStatement):
3014         (JSC::Parser<LexerType>::parseAssignmentExpression):
3015         (JSC::Parser<LexerType>::parseConditionalExpression):
3016         (JSC::Parser<LexerType>::parseBinaryExpression):
3017         (JSC::Parser<LexerType>::parseObjectLiteral):
3018         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
3019         (JSC::Parser<LexerType>::parseArrayLiteral):
3020         (JSC::Parser<LexerType>::parseArguments):
3021         (JSC::Parser<LexerType>::parseMemberExpression):
3022         (JSC::operatorString):
3023         (JSC::Parser<LexerType>::parseUnaryExpression):
3024         (JSC::Parser<LexerType>::printUnexpectedTokenText):
3025
3026 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
3027
3028         [ESNext][BigInt] Implement support for "*" operation
3029         https://bugs.webkit.org/show_bug.cgi?id=183721
3030
3031         Reviewed by Saam Barati.
3032
3033         Added BigInt support to the times binary operator in LLInt and in the
3034         JITOperations profiledMul and unprofiledMul. We are also replacing all
3035         uses of int with unsigned where there are no negative values for
3036         variables.
3037
3038         * dfg/DFGConstantFoldingPhase.cpp:
3039         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3040         * jit/JITOperations.cpp:
3041         * runtime/CommonSlowPaths.cpp:
3042         (JSC::SLOW_PATH_DECL):
3043         * runtime/JSBigInt.cpp:
3044         (JSC::JSBigInt::JSBigInt):
3045         (JSC::JSBigInt::allocationSize):
3046         (JSC::JSBigInt::createWithLength):
3047         (JSC::JSBigInt::toString):
3048         (JSC::JSBigInt::multiply):
3049         (JSC::JSBigInt::digitDiv):
3050         (JSC::JSBigInt::internalMultiplyAdd):
3051         (JSC::JSBigInt::multiplyAccumulate):
3052         (JSC::JSBigInt::equals):
3053         (JSC::JSBigInt::absoluteDivSmall):
3054         (JSC::JSBigInt::calculateMaximumCharactersRequired):
3055         (JSC::JSBigInt::toStringGeneric):
3056         (JSC::JSBigInt::rightTrim):
3057         (JSC::JSBigInt::allocateFor):
3058         (JSC::JSBigInt::parseInt):
3059         (JSC::JSBigInt::digit):
3060         (JSC::JSBigInt::setDigit):
3061         * runtime/JSBigInt.h:
3062         * runtime/Operations.h:
3063         (JSC::jsMul):
3064
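        Added example, not JSC's code, covering the "*" support in the entry above and the
        Test262 order-of-evaluation case named in the roll-out entry further up. For a * b,
        both operands are converted with ToNumeric left to right before the operator looks
        at their types, so a BigInt/Number mix must throw its TypeError only after both
        valueOf calls have run. The helper multiplyTrace and its logging wrappers are
        assumptions for illustration.

```javascript
// Added example (not JSC's code): trace the evaluation order of `a * b`.
// ToNumeric runs on the left operand, then on the right, and only then does
// the operator check that both are BigInt or both are Number.
function multiplyTrace(left, right) {
  const log = [];
  // Constructed operands: objects whose valueOf records when it ran and then
  // yields the primitive (BigInt or Number) to multiply.
  const wrap = (name, value) => ({
    valueOf() {
      log.push(name);
      return value;
    },
  });
  let result;
  let error;
  try {
    result = wrap('left', left) * wrap('right', right);
  } catch (e) {
    error = e;
  }
  return { log, result, error };
}

// Three cases: BigInt * BigInt, Number * Number, and the mixed case that
// throws after both operands were already coerced.
function demo() {
  return {
    bigint: multiplyTrace(6n, 7n),
    number: multiplyTrace(6, 7),
    mixed: multiplyTrace(6n, 7),
  };
}
```

        The order matters for an engine because the slow path has to run both coercions
        (each of which can run arbitrary code) before it can decide whether to call the
        BigInt multiply or throw; checking the left operand's type first would throw too
        early and skip the right operand's valueOf.
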
3065 2018-04-28  Commit Queue  <commit-queue@webkit.org>
3066
3067         Unreviewed, rolling out r231131.
3068         https://bugs.webkit.org/show_bug.cgi?id=185112
3069
3070         It is breaking Debug build due to unchecked exception
3071         (Requested by caiolima on #webkit).
3072
3073         Reverted changeset:
3074
3075         "[ESNext][BigInt] Implement support for "*" operation"
3076         https://bugs.webkit.org/show_bug.cgi?id=183721
3077         https://trac.webkit.org/changeset/231131
3078
3079 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
3080
3081         [ESNext][BigInt] Implement support for "*" operation
3082         https://bugs.webkit.org/show_bug.cgi?id=183721
3083
3084         Reviewed by Saam Barati.
3085
3086         Added BigInt support to the times binary operator in LLInt and in the
3087         JITOperations profiledMul and unprofiledMul. We are also replacing all
3088         uses of int with unsigned where there are no negative values for
3089         variables.
3090
3091         * dfg/DFGConstantFoldingPhase.cpp:
3092         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3093         * jit/JITOperations.cpp:
3094         * runtime/CommonSlowPaths.cpp:
3095         (JSC::SLOW_PATH_DECL):
3096         * runtime/JSBigInt.cpp:
3097         (JSC::JSBigInt::JSBigInt):
3098         (JSC::JSBigInt::allocationSize):
3099         (JSC::JSBigInt::createWithLength):
3100         (JSC::JSBigInt::toString):
3101         (JSC::JSBigInt::multiply):
3102         (JSC::JSBigInt::digitDiv):
3103         (JSC::JSBigInt::internalMultiplyAdd):
3104         (JSC::JSBigInt::multiplyAccumulate):
3105         (JSC::JSBigInt::equals):
3106         (JSC::JSBigInt::absoluteDivSmall):
3107         (JSC::JSBigInt::calculateMaximumCharactersRequired):
3108         (JSC::JSBigInt::toStringGeneric):
3109         (JSC::JSBigInt::rightTrim):
3110         (JSC::JSBigInt::allocateFor):
3111         (JSC::JSBigInt::parseInt):
3112         (JSC::JSBigInt::digit):
3113         (JSC::JSBigInt::setDigit):
3114         * runtime/JSBigInt.h:
3115         * runtime/Operations.h:
3116         (JSC::jsMul):
3117
3118 2018-04-27  JF Bastien  <jfbastien@apple.com>
3119
3120         Make the first 64 bits of JSString look like a double JSValue
3121         https://bugs.webkit.org/show_bug.cgi?id=185081
3122
3123         Reviewed by Filip Pizlo.
3124
3125         We can be clever about how we lay out JSString so that, were it
3126         reinterpreted as a JSValue, it would look like a double.
3127
3128         * assembler/MacroAssemblerX86Common.h:
3129         (JSC::MacroAssemblerX86Common::and16):
3130         * assembler/X86Assembler.h:
3131         (JSC::X86Assembler::andw_mr):
3132         * dfg/DFGSpeculativeJIT.cpp:
3133         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3134         * ftl/FTLLowerDFGToB3.cpp:
3135         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3136         * ftl/FTLOutput.h:
3137         (JSC::FTL::Output::store32As8):
3138         (JSC::FTL::Output::store32As16):
3139         * runtime/JSString.h:
3140         (JSC::JSString::JSString):
3141
3142 2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3143
3144         [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
3145         https://bugs.webkit.org/show_bug.cgi?id=185055
3146
3147         Reviewed by JF Bastien.
3148
3149         This patch is paving the way to emitting the jscvt instruction if possible.
3150         To do that, we need to determine whether the jscvt instruction is supported by
3151         the given CPU.
3152
3153         We add a function collectCPUFeatures, which is responsible for collecting
3154         CPU features if necessary. On Linux, we can use the auxiliary vector to get
3155         the information without parsing /proc/cpuinfo.
3156
3157         Currently, nobody calls this function. It will be called later when we emit
3158         the jscvt instruction. To make that possible, we also need to add
3159         disassembler support.
3160
3161         * assembler/AbstractMacroAssembler.h:
3162         * assembler/MacroAssemblerARM64.cpp:
3163         (JSC::MacroAssemblerARM64::collectCPUFeatures):
3164         * assembler/MacroAssemblerARM64.h:
3165         * assembler/MacroAssemblerX86Common.h:
3166
3167 2018-04-26  Filip Pizlo  <fpizlo@apple.com>
3168
3169         Also run foldPathConstants before mussing up SSA
3170         https://bugs.webkit.org/show_bug.cgi?id=185069
3171
3172         Reviewed by Saam Barati.
3173         
3174         This isn't needed now, but will be once I implement the phase in bug 185060.
3175         
3176         This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
3177         Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
3178         be landed separately and measured separately from that phase.
3179         
3180         It's probably nice for sanity to have this and reduceStrength run before tail duplication and
3181         another round of reduceStrength, since that make for something that is closer to a fixpoint. But
3182         it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
3183         neutral. It all depends on what programs typically look like.
3184
3185         * b3/B3Generate.cpp:
3186         (JSC::B3::generateToAir):
3187
3188 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
3189
3190         Unreviewed, rolling out r231086.
3191
3192         Caused JSC test failures due to an unchecked exception.
3193
3194         Reverted changeset:
3195
3196         "[ESNext][BigInt] Implement support for "*" operation"
3197         https://bugs.webkit.org/show_bug.cgi?id=183721
3198         https://trac.webkit.org/changeset/231086
3199
3200 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
3201
3202         [ESNext][BigInt] Implement support for "*" operation
3203         https://bugs.webkit.org/show_bug.cgi?id=183721
3204
3205         Reviewed by Saam Barati.
3206
3207         Added BigInt support to the times binary operator in LLInt and in the
3208         JITOperations profiledMul and unprofiledMul. We are also replacing all
3209         uses of int with unsigned where there are no negative values for
3210         variables.
3211
3212         * dfg/DFGConstantFoldingPhase.cpp:
3213         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3214         * jit/JITOperations.cpp:
3215         * runtime/CommonSlowPaths.cpp:
3216         (JSC::SLOW_PATH_DECL):
3217         * runtime/JSBigInt.cpp:
3218         (JSC::JSBigInt::JSBigInt):
3219         (JSC::JSBigInt::allocationSize):
3220         (JSC::JSBigInt::createWithLength):
3221         (JSC::JSBigInt::toString):
3222         (JSC::JSBigInt::multiply):
3223         (JSC::JSBigInt::digitDiv):
3224         (JSC::JSBigInt::internalMultiplyAdd):
3225         (JSC::JSBigInt::multiplyAccumulate):
3226         (JSC::JSBigInt::equals):
3227         (JSC::JSBigInt::absoluteDivSmall):
3228         (JSC::JSBigInt::calculateMaximumCharactersRequired):
3229         (JSC::JSBigInt::toStringGeneric):
3230         (JSC::JSBigInt::rightTrim):
3231         (JSC::JSBigInt::allocateFor):
3232         (JSC::JSBigInt::parseInt):
3233         (JSC::JSBigInt::digit):
3234         (JSC::JSBigInt::setDigit):
3235         * runtime/JSBigInt.h:
3236         * runtime/Operations.h:
3237         (JSC::jsMul):
3238
3239 2018-04-26  Mark Lam  <mark.lam@apple.com>
3240
3241         Gardening: Speculative build fix for Windows.
3242         https://bugs.webkit.org/show_bug.cgi?id=184976
3243         <rdar://problem/39723901>
3244
3245         Not reviewed.
3246
3247         * runtime/JSCPtrTag.h:
3248
3249 2018-04-26  Mark Lam  <mark.lam@apple.com>
3250
3251         Gardening: Windows build fix.
3252
3253         Not reviewed.
3254
3255         * runtime/Options.cpp:
3256
3257 2018-04-26  Jer Noble  <jer.noble@apple.com>
3258
3259         WK_COCOA_TOUCH all the things.
3260         https://bugs.webkit.org/show_bug.cgi?id=185006
3261         <rdar://problem/39736025>
3262
3263         Reviewed by Tim Horton.
3264
3265         * Configurations/Base.xcconfig:
3266
3267 2018-04-26  Per Arne Vollan  <pvollan@apple.com>
3268
3269         Disable content filtering in minimal simulator mode
3270         https://bugs.webkit.org/show_bug.cgi?id=185027
3271         <rdar://problem/39736091>
3272
3273         Reviewed by Jer Noble.
3274
3275         * Configurations/FeatureDefines.xcconfig:
3276
3277 2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>
3278
3279         [INTL] Implement Intl.PluralRules
3280         https://bugs.webkit.org/show_bug.cgi?id=184312
3281
3282         Reviewed by JF Bastien.
3283
3284         Use UNumberFormat to enforce formatting, and then UPluralRules to find
3285         the correct plural rule for the given number. Relies on ICU v59+ for
3286         resolvedOptions().pluralCategories and trailing 0 detection.
3287         Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.
3288
3289         * CMakeLists.txt:
3290         * Configurations/FeatureDefines.xcconfig:
3291         * DerivedSources.make:
3292         * JavaScriptCore.xcodeproj/project.pbxproj:
3293         * Sources.txt:
3294         * builtins/BuiltinNames.h:
3295         * runtime/BigIntObject.cpp:
3296         (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
3297         * runtime/BigIntObject.h:
3298         * runtime/CommonIdentifiers.h:
3299         * runtime/IntlObject.cpp:
3300         (JSC::IntlObject::finishCreation):
3301         * runtime/IntlObject.h:
3302         * runtime/IntlPluralRules.cpp: Added.
3303         (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
3304         (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
3305         (JSC::UEnumerationDeleter::operator() const):
3306         (JSC::IntlPluralRules::create):
3307         (JSC::IntlPluralRules::createStructure):
3308         (JSC::IntlPluralRules::IntlPluralRules):
3309         (JSC::IntlPluralRules::finishCreation):
3310         (JSC::IntlPluralRules::destroy):
3311         (JSC::IntlPluralRules::visitChildren):
3312         (JSC::IntlPRInternal::localeData):
3313         (JSC::IntlPluralRules::initializePluralRules):
3314         (JSC::IntlPluralRules::resolvedOptions):
3315         (JSC::IntlPluralRules::select):
3316         * runtime/IntlPluralRules.h: Added.
3317         * runtime/IntlPluralRulesConstructor.cpp: Added.
3318         (JSC::IntlPluralRulesConstructor::create):
3319         (JSC::IntlPluralRulesConstructor::createStructure):
3320         (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
3321         (JSC::IntlPluralRulesConstructor::finishCreation):
3322         (JSC::constructIntlPluralRules):
3323         (JSC::callIntlPluralRules):
3324         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
3325         (JSC::IntlPluralRulesConstructor::visitChildren):
3326         * runtime/IntlPluralRulesConstructor.h: Added.
3327         * runtime/IntlPluralRulesPrototype.cpp: Added.
3328         (JSC::IntlPluralRulesPrototype::create):
3329         (JSC::IntlPluralRulesPrototype::createStructure):
3330         (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
3331         (JSC::IntlPluralRulesPrototype::finishCreation):
3332         (JSC::IntlPluralRulesPrototypeFuncSelect):
3333         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
3334         * runtime/IntlPluralRulesPrototype.h: Added.
3335         * runtime/JSGlobalObject.cpp:
3336         (JSC::JSGlobalObject::init):
3337         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
3338         * runtime/JSGlobalObject.h:
3339         * runtime/Options.h:
3340         * runtime/RegExpPrototype.cpp: Added inlines header.
3341         * runtime/VM.cpp:
3342         (JSC::VM::VM):
3343         * runtime/VM.h:
3344
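        Added example, not JSC's code: the observable consequence of selecting the plural
        category from the formatted number, as the entry above describes. In English "1"
        is "one" but "1.0" is "other", so number-format options such as
        minimumFractionDigits change the category. The helper names and the message forms
        are assumptions for illustration; the example assumes the host ICU carries English
        data.

```javascript
// Added example (not JSC's code): Intl.PluralRules picks a category from the
// formatted number, so the same numeric value can land in different
// categories depending on the formatting options.
function pluralize(count, forms, options) {
  const rules = new Intl.PluralRules('en', options);
  const category = rules.select(count);
  // Format with the same options so the text matches what select() saw;
  // NumberFormat ignores the PluralRules-only "type" option.
  const formatted = new Intl.NumberFormat('en', options).format(count);
  const form = forms[category] !== undefined ? forms[category] : forms.other;
  return { category, formatted, form };
}

// Categories the host ICU reports for English under the given options:
// cardinal rules have one/other, ordinal rules add two and few.
function pluralCategories(options) {
  return new Intl.PluralRules('en', options).resolvedOptions().pluralCategories;
}

// Constructed message forms.
const FILE_FORMS = { one: 'file', other: 'files' };
const ORDINAL_SUFFIX = { one: 'st', two: 'nd', few: 'rd', other: 'th' };

function demo() {
  return [
    pluralize(1, FILE_FORMS),                                // "1 file"
    pluralize(1, FILE_FORMS, { minimumFractionDigits: 1 }),  // "1.0 files"
    pluralize(2, ORDINAL_SUFFIX, { type: 'ordinal' }),       // "2nd"
  ].map((r) => r.formatted + (r.form.length === 2 ? '' : ' ') + r.form);
}
```

        Passing the formatted value rather than the raw double is what makes the
        "1.0 files" case come out right; a select() that only looked at the numeric value
        would report "one" for 1.0 and disagree with the rendered number.
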
3345 2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>
3346
3347         [MIPS] Fix branch offsets in branchNeg32
3348         https://bugs.webkit.org/show_bug.cgi?id=185025
3349
3350         Reviewed by Yusuke Suzuki.
3351
3352         Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.
3353
3354         * assembler/MacroAssemblerMIPS.h:
3355         (JSC::MacroAssemblerMIPS::branchNeg32):
3356
3357 2018-04-25  Robin Morisset  <rmorisset@apple.com>
3358
3359         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
3360         https://bugs.webkit.org/show_bug.cgi?id=184773
3361         <rdar://problem/37773612>
3362
3363         Reviewed by Filip Pizlo.
3364
3365         We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
3366         arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
3367         This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
3368         We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
3369         This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
3370
3371         * ftl/FTLLowerDFGToB3.cpp:
3372         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
3373
3374 2018-04-25  Mark Lam  <mark.lam@apple.com>
3375
3376         Push the definition of PtrTag down to the WTF layer.
3377         https://bugs.webkit.org/show_bug.cgi?id=184976
3378         <rdar://problem/39723901>
3379
3380         Reviewed by Saam Barati.
3381
3382         * CMakeLists.txt:
3383         * JavaScriptCore.xcodeproj/project.pbxproj:
3384         * assembler/ARM64Assembler.h:
3385         * assembler/AbstractMacroAssembler.h:
3386         * assembler/MacroAssemblerCodeRef.cpp:
3387         * assembler/MacroAssemblerCodeRef.h:
3388         * b3/B3MathExtras.cpp: