7ecb6407f3ab928b48b801fa17b696b8943f7602
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-09-26  Filip Pizlo  <fpizlo@apple.com>

        Put g_gigacageBasePtr into its own page and make it read-only
        https://bugs.webkit.org/show_bug.cgi?id=174972

        Reviewed by Michael Saboff.

        C++ code doesn't have to know about this change. That includes C++ code that generates JIT code.

        But the offline assembler now needs to know how to load from offsets of global variables.
        This turned out to be easy to support by extending the existing expression support.

        * llint/LowLevelInterpreter64.asm:
        * offlineasm/ast.rb:
        * offlineasm/parser.rb:
        * offlineasm/transform.rb:
        * offlineasm/x86.rb:

2017-09-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r222518.
        https://bugs.webkit.org/show_bug.cgi?id=177507

        Breaks the High Sierra build (Requested by yusukesuzuki on
        #webkit).

        Reverted changeset:

        "Add Above/Below comparisons for UInt32 patterns"
        https://bugs.webkit.org/show_bug.cgi?id=177281
        http://trac.webkit.org/changeset/222518

2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add Above/Below comparisons for UInt32 patterns
        https://bugs.webkit.org/show_bug.cgi?id=177281

        Reviewed by Saam Barati.

        Sometimes, we would like to have UInt32 operations in JS. While the VM does
        not support UInt32 nicely, it supports efficient Int32 operations. As long
        as signedness does not matter, we can just perform Int32 operations instead
        and recognize the bit pattern as UInt32.

        But of course, some operations respect signedness. The most frequently
        used one is comparison. Octane/zlib performs UInt32 comparison by performing
        `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces
        UInt32 in Int32 form. And op_unsigned will generate a Double value if
        the generated Int32 is < 0 (which should be UInt32).

        There is a chance for optimization. The given code pattern is the following.

            op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2))

        This can be converted to the following.

            op_urshift(@1) below:< op_urshift(@2)

        The above conversion is nice since

        1. We can avoid op_unsigned. This could be an unsignedness check in the DFG. Since
        this check depends on the value of the Int32, dropping this check is not as easy as
        removing Int32 edge filters.

        2. We can perform unsigned comparison in Int32 form. We do not need to convert
        them to DoubleRep.

        Since the above comparison exists in Octane/zlib's *super* hot path, dropping
        op_unsigned offers a huge win.

        At first, my patch attempted to convert the above pattern in the DFG pipeline.
        However, it posed several problems.

        1. MovHint is not well removed. It makes UInt32ToNumber (which is for op_unsigned) live.
        2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes,

            2: UInt32ToNumber(@0)
            3: MovHint(@2, xxx)
            4: UInt32ToNumber(@1)
            5: MovHint(@1, xxx)

        we could drop @5's MovHint. But @3 is difficult since @4 can exit.

        So, instead, we start by introducing a simple optimization in the bytecode compiler.
        It performs pattern matching for op_urshift and comparison to drop op_unsigned.
        We add op_below and op_above families to bytecodes. They only accept Int32 and
        perform unsigned comparison.

        This offers 4% performance improvement in Octane/zlib.

                                    baseline                  patched

        zlib           x2     431.07483+-16.28434       414.33407+-9.38375         might be 1.0404x faster

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCompareJump):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/Opcode.h:
        (JSC::isBranch):
        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::extractStoredJumpTargetsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCompareUnsigned):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_below):
        (JSC::JIT::emit_op_beloweq):
        (JSC::JIT::emit_op_jbelow):
        (JSC::JIT::emit_op_jbeloweq):
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Nodes.h:
        (JSC::ExpressionNode::isBinaryOpNode const):

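The entry above argues that `op_unsigned(op_urshift(@1)) < op_unsigned(op_urshift(@2))` can be replaced by an unsigned `below` comparison performed directly on the Int32 bit patterns. The following is an added illustration written for this page, not code from the WebKit ChangeLog or from JavaScriptCore: it models op_urshift, op_unsigned and op_below as small JavaScript functions (the names `urshiftInt32`, `opUnsigned`, `below`, `belowEq` and `checkEquivalence` are this example's own) and checks, over constructed edge values such as 0, -1, 0x7fffffff and 0x80000000, that the optimized form agrees with the reference form everywhere while a naive signed Int32 comparison does not. That disagreement is exactly why op_unsigned existed in the first place, and why the replacement must be an unsigned compare rather than a plain one.

```javascript
// Added example for this page; not JSC code. Models the bytecode pattern
//   op_unsigned(op_urshift(@1)) < op_unsigned(op_urshift(@2))
// and its optimized form
//   op_urshift(@1) below op_urshift(@2).

const SIGN_BIT = 0x80000000; // ToInt32 makes this -2147483648 when used with ^

// op_urshift: unsigned shift whose result is kept in Int32 form, i.e. the
// UInt32 bit pattern reinterpreted as a signed 32-bit value.
function urshiftInt32(x, s) {
  return (x >>> s) | 0;
}

// op_unsigned: turn the Int32 bit pattern back into a Number in [0, 2^32).
// A negative Int32 becomes a Double here, which is the cost being avoided.
function opUnsigned(i) {
  return i >>> 0;
}

// Reference semantics: what `(x >>> s) < (y >>> s)` computes in JS.
function compareViaUnsigned(x, y, s) {
  return opUnsigned(urshiftInt32(x, s)) < opUnsigned(urshiftInt32(y, s));
}

// op_below / op_beloweq: unsigned comparison of two Int32 bit patterns
// without leaving Int32. Flipping the sign bit of both operands maps
// unsigned order onto signed order, so a signed compare gives the answer.
function below(a, b) {
  return (a ^ SIGN_BIT) < (b ^ SIGN_BIT);
}
function belowEq(a, b) {
  return (a ^ SIGN_BIT) <= (b ^ SIGN_BIT);
}

// Optimized form: op_unsigned dropped, comparison done by op_below.
function compareViaBelow(x, y, s) {
  return below(urshiftInt32(x, s), urshiftInt32(y, s));
}

// Naive form: signed compare of the Int32 patterns. Wrong whenever the top
// bit of either pattern is set, which is what makes op_unsigned necessary.
function compareSigned(x, y, s) {
  return urshiftInt32(x, s) < urshiftInt32(y, s);
}

// Constructed edge values: zero, sign boundaries, all-ones, and ordinary values.
const EDGE_VALUES = [0, 1, -1, 0x7fffffff, -0x80000000, 0x80000000, 0xffffffff, 12345, -12345];
const SHIFTS = [0, 1, 16, 31];

// Compares the three forms over every (x, y, shift) triple.
// Returns { mismatches, signedWrong }: mismatches is the number of triples where
// the optimized form disagrees with the reference (expected 0); signedWrong is
// the number where the naive signed compare disagrees (expected > 0).
function checkEquivalence() {
  let mismatches = 0;
  let signedWrong = 0;
  for (const x of EDGE_VALUES) {
    for (const y of EDGE_VALUES) {
      for (const s of SHIFTS) {
        const ref = compareViaUnsigned(x, y, s);
        if (compareViaBelow(x, y, s) !== ref) mismatches++;
        if (compareSigned(x, y, s) !== ref) signedWrong++;
      }
    }
  }
  return { mismatches, signedWrong };
}

console.log(checkEquivalence());
```

The sign-bit flip is the standard way to express an unsigned ordering with signed machine instructions; the real JIT simply emits an unsigned-condition branch, but the flip makes the equivalence checkable in plain JavaScript without ever producing a Double.
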
164 2017-09-24  Keith Miller  <keith_miller@apple.com>
165
166         JSC build should use unified sources for derived sources
167         https://bugs.webkit.org/show_bug.cgi?id=177421
168
169         Reviewed by JF Bastien.
170
171         This patch make a couple of changes:
172
173         1) Make derived sources added to relevant bundles. I was going to add JSCBuiltins.cpp
174         to runtime but that kept breaking the windows build. I'll get back to it later
175         2) Move the derived location of some sources both for clarity and for ease of use.
176         3) Make auto generator scripts able to create directories if needed.
177         4) Move some scripts from the top level of the JavaScriptCore directory to a
178         more appropriate directory.
179         5) Move some CMake generation commands around for clarity.
180
181         * CMakeLists.txt:
182         * DerivedSources.make:
183         * JavaScriptCore.xcodeproj/project.pbxproj:
184         * Scripts/lazywriter.py:
185         (LazyFileWriter.close):
186         * Sources.txt:
187         * inspector/scripts/generate-inspector-protocol-bindings.py:
188         (IncrementalFileWriter.close):
189         * yarr/create_regex_tables: Renamed from Source/JavaScriptCore/create_regex_tables.
190         * yarr/generateYarrCanonicalizeUnicode: Renamed from Source/JavaScriptCore/generateYarrCanonicalizeUnicode.
191
192 2017-09-26  Zan Dobersek  <zdobersek@igalia.com>
193
194         Support building JavaScriptCore with the Bionic C library
195         https://bugs.webkit.org/show_bug.cgi?id=177427
196
197         Reviewed by Michael Catanzaro.
198
199         When compiling with the Bionic C library, the MachineContext.h header
200         should enable the same code paths that are enabled for the GNU C library.
201
202         The Bionic C library defines the __BIONIC__ macro, but unlike other C
203         libraries that mimic the GNU one, it doesn't define __GLIBC__. So the
204         __BIONIC__ macro checks have to match the __GLIBC__ ones.
205
206         * runtime/MachineContext.h:
207         (JSC::MachineContext::stackPointer):
208         (JSC::MachineContext::framePointer):
209         (JSC::MachineContext::instructionPointer):
210         (JSC::MachineContext::argumentPointer<1>):
211         (JSC::MachineContext::llintInstructionPointer):
212
213 2017-09-25  Devin Rousso  <webkit@devinrousso.com>
214
215         Web Inspector: move Console.addInspectedNode to DOM.setInspectedNode
216         https://bugs.webkit.org/show_bug.cgi?id=176827
217
218         Reviewed by Joseph Pecoraro.
219
220         * inspector/agents/InspectorConsoleAgent.h:
221
222         * inspector/agents/JSGlobalObjectConsoleAgent.h:
223         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
224         (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode): Deleted.
225
226         * inspector/protocol/Console.json:
227         * inspector/protocol/DOM.json:
228
229 2017-09-25  Ryan Haddad  <ryanhaddad@apple.com>
230
231         Unreviewed, rebaseline builtins generator tests after r222473.
232
233         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
234
235 2017-09-25  Alex Christensen  <achristensen@webkit.org>
236
237         Make Attribute an enum class
238         https://bugs.webkit.org/show_bug.cgi?id=177414
239
240         Reviewed by Yusuke Suzuki.
241
242         I've had enough of these naming collisions.  This is what enum classes are for.
243         Unfortunately a lot of static_cast<unsigned> is necessary until those functions take
244         an OptionSet<Attribute> instead of an unsigned parameter, but this is a big step
245         towards where we ought to be.
246
247         * API/JSCallbackObjectFunctions.h:
248         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
249         * API/JSObjectRef.cpp:
250         (JSObjectMakeConstructor):
251         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
252         (BuiltinsInternalsWrapperImplementationGenerator.property_macro):
253         * bytecode/GetByIdStatus.cpp:
254         (JSC::GetByIdStatus::computeFromLLInt):
255         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
256         (JSC::GetByIdStatus::computeFor):
257         * bytecode/PropertyCondition.cpp:
258         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
259         (JSC::PropertyCondition::isValidValueForAttributes):
260         * bytecode/PutByIdStatus.cpp:
261         (JSC::PutByIdStatus::computeFor):
262         * bytecompiler/BytecodeGenerator.cpp:
263         (JSC::BytecodeGenerator::instantiateLexicalVariables):
264         (JSC::BytecodeGenerator::variable):
265         * bytecompiler/BytecodeGenerator.h:
266         (JSC::Variable::isReadOnly const):
267         (JSC::Variable::setIsReadOnly):
268         * bytecompiler/NodesCodegen.cpp:
269         (JSC::PropertyListNode::emitBytecode):
270         * create_hash_table:
271         * debugger/DebuggerScope.cpp:
272         (JSC::DebuggerScope::getOwnPropertySlot):
273         * dfg/DFGOperations.cpp:
274         * inspector/JSInjectedScriptHostPrototype.cpp:
275         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
276         * inspector/JSJavaScriptCallFramePrototype.cpp:
277         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
278         * jit/Repatch.cpp:
279         (JSC::tryCacheGetByID):
280         * jsc.cpp:
281         (WTF::CustomGetter::getOwnPropertySlot):
282         (WTF::RuntimeArray::getOwnPropertySlot):
283         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
284         (WTF::DOMJITGetter::finishCreation):
285         (WTF::DOMJITGetterComplex::finishCreation):
286         (WTF::DOMJITFunctionObject::finishCreation):
287         (WTF::DOMJITCheckSubClassObject::finishCreation):
288         (GlobalObject::finishCreation):
289         * runtime/ArrayConstructor.cpp:
290         (JSC::ArrayConstructor::finishCreation):
291         * runtime/ArrayIteratorPrototype.cpp:
292         (JSC::ArrayIteratorPrototype::finishCreation):
293         * runtime/ArrayPrototype.cpp:
294         (JSC::ArrayPrototype::finishCreation):
295         * runtime/AsyncFromSyncIteratorPrototype.cpp:
296         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
297         * runtime/AsyncFunctionConstructor.cpp:
298         (JSC::AsyncFunctionConstructor::finishCreation):
299         * runtime/AsyncFunctionPrototype.cpp:
300         (JSC::AsyncFunctionPrototype::finishCreation):
301         * runtime/AsyncGeneratorFunctionConstructor.cpp:
302         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
303         * runtime/AsyncGeneratorFunctionPrototype.cpp:
304         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
305         * runtime/AsyncGeneratorPrototype.cpp:
306         (JSC::AsyncGeneratorPrototype::finishCreation):
307         * runtime/AsyncIteratorPrototype.cpp:
308         (JSC::AsyncIteratorPrototype::finishCreation):
309         * runtime/AtomicsObject.cpp:
310         (JSC::AtomicsObject::finishCreation):
311         * runtime/BooleanConstructor.cpp:
312         (JSC::BooleanConstructor::finishCreation):
313         * runtime/ClonedArguments.cpp:
314         (JSC::ClonedArguments::createStructure):
315         (JSC::ClonedArguments::getOwnPropertySlot):
316         (JSC::ClonedArguments::materializeSpecials):
317         * runtime/CommonSlowPaths.cpp:
318         (JSC::SLOW_PATH_DECL):
319         * runtime/ConsoleObject.cpp:
320         (JSC::ConsoleObject::finishCreation):
321         * runtime/DateConstructor.cpp:
322         (JSC::DateConstructor::finishCreation):
323         * runtime/DatePrototype.cpp:
324         (JSC::DatePrototype::finishCreation):
325         * runtime/DirectArguments.cpp:
326         (JSC::DirectArguments::overrideThings):
327         * runtime/Error.cpp:
328         (JSC::addErrorInfo):
329         * runtime/ErrorConstructor.cpp:
330         (JSC::ErrorConstructor::finishCreation):
331         * runtime/ErrorInstance.cpp:
332         (JSC::ErrorInstance::finishCreation):
333         * runtime/ErrorPrototype.cpp:
334         (JSC::ErrorPrototype::finishCreation):
335         * runtime/FunctionConstructor.cpp:
336         (JSC::FunctionConstructor::finishCreation):
337         * runtime/FunctionPrototype.cpp:
338         (JSC::FunctionPrototype::finishCreation):
339         (JSC::FunctionPrototype::addFunctionProperties):
340         (JSC::FunctionPrototype::initRestrictedProperties):
341         * runtime/GeneratorFunctionConstructor.cpp:
342         (JSC::GeneratorFunctionConstructor::finishCreation):
343         * runtime/GeneratorFunctionPrototype.cpp:
344         (JSC::GeneratorFunctionPrototype::finishCreation):
345         * runtime/GeneratorPrototype.cpp:
346         (JSC::GeneratorPrototype::finishCreation):
347         * runtime/GenericArgumentsInlines.h:
348         (JSC::GenericArguments<Type>::getOwnPropertySlot):
349         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
350         * runtime/InternalFunction.cpp:
351         (JSC::InternalFunction::finishCreation):
352         * runtime/IntlCollatorConstructor.cpp:
353         (JSC::IntlCollatorConstructor::finishCreation):
354         * runtime/IntlDateTimeFormatConstructor.cpp:
355         (JSC::IntlDateTimeFormatConstructor::finishCreation):
356         * runtime/IntlDateTimeFormatPrototype.cpp:
357         (JSC::IntlDateTimeFormatPrototype::finishCreation):
358         * runtime/IntlNumberFormatConstructor.cpp:
359         (JSC::IntlNumberFormatConstructor::finishCreation):
360         * runtime/IntlObject.cpp:
361         (JSC::IntlObject::finishCreation):
362         * runtime/IteratorPrototype.cpp:
363         (JSC::IteratorPrototype::finishCreation):
364         * runtime/JSArray.cpp:
365         (JSC::JSArray::getOwnPropertySlot):
366         (JSC::JSArray::setLengthWithArrayStorage):
367         * runtime/JSArrayBufferConstructor.cpp:
368         (JSC::JSArrayBufferConstructor::finishCreation):
369         * runtime/JSArrayBufferPrototype.cpp:
370         (JSC::JSArrayBufferPrototype::finishCreation):
371         * runtime/JSBoundFunction.cpp:
372         (JSC::JSBoundFunction::finishCreation):
373         * runtime/JSCJSValue.cpp:
374         (JSC::JSValue::putToPrimitive):
375         * runtime/JSDataView.cpp:
376         (JSC::JSDataView::getOwnPropertySlot):
377         * runtime/JSDataViewPrototype.cpp:
378         (JSC::JSDataViewPrototype::finishCreation):
379         * runtime/JSFunction.cpp:
380         (JSC::JSFunction::finishCreation):
381         (JSC::JSFunction::getOwnPropertySlot):
382         (JSC::JSFunction::defineOwnProperty):
383         (JSC::JSFunction::reifyLength):
384         (JSC::JSFunction::reifyName):
385         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
386         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
387         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
388         * runtime/JSGenericTypedArrayViewInlines.h:
389         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
390         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
391         * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
392         (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
393         * runtime/JSGlobalObject.cpp:
394         (JSC::JSGlobalObject::init):
395         (JSC::JSGlobalObject::addStaticGlobals):
396         * runtime/JSLexicalEnvironment.cpp:
397         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
398         * runtime/JSModuleNamespaceObject.cpp:
399         (JSC::JSModuleNamespaceObject::finishCreation):
400         (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
401         * runtime/JSONObject.cpp:
402         (JSC::JSONObject::finishCreation):
403         * runtime/JSObject.cpp:
404         (JSC::getClassPropertyNames):
405         (JSC::JSObject::getOwnPropertySlotByIndex):
406         (JSC::ordinarySetSlow):
407         (JSC::JSObject::putInlineSlow):
408         (JSC::JSObject::putGetter):
409         (JSC::JSObject::putSetter):
410         (JSC::JSObject::putDirectAccessor):
411         (JSC::JSObject::putDirectCustomAccessor):
412         (JSC::JSObject::putDirectNonIndexAccessor):
413         (JSC::JSObject::deleteProperty):
414         (JSC::JSObject::deletePropertyByIndex):
415         (JSC::JSObject::getOwnPropertyNames):
416         (JSC::JSObject::putIndexedDescriptor):
417         (JSC::JSObject::defineOwnIndexedProperty):
418         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
419         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
420         (JSC::JSObject::getOwnPropertyDescriptor):
421         (JSC::putDescriptor):
422         (JSC::validateAndApplyPropertyDescriptor):
423         * runtime/JSObject.h:
424         (JSC::JSObject::putDirect):
425         * runtime/JSObjectInlines.h:
426         (JSC::JSObject::putDirectWithoutTransition):
427         (JSC::JSObject::putDirectInternal):
428         * runtime/JSPromiseConstructor.cpp:
429         (JSC::JSPromiseConstructor::finishCreation):
430         (JSC::JSPromiseConstructor::addOwnInternalSlots):
431         * runtime/JSPromisePrototype.cpp:
432         (JSC::JSPromisePrototype::finishCreation):
433         (JSC::JSPromisePrototype::addOwnInternalSlots):
434         * runtime/JSString.cpp:
435         (JSC::JSString::getStringPropertyDescriptor):
436         * runtime/JSString.h:
437         (JSC::JSString::getStringPropertySlot):
438         * runtime/JSSymbolTableObject.cpp:
439         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
440         * runtime/JSSymbolTableObject.h:
441         (JSC::symbolTableGet):
442         * runtime/JSTypedArrayViewConstructor.cpp:
443         (JSC::JSTypedArrayViewConstructor::finishCreation):
444         * runtime/JSTypedArrayViewPrototype.cpp:
445         (JSC::JSTypedArrayViewPrototype::finishCreation):
446         * runtime/LazyClassStructure.cpp:
447         (JSC::LazyClassStructure::Initializer::setConstructor):
448         * runtime/Lookup.cpp:
449         (JSC::reifyStaticAccessor):
450         (JSC::setUpStaticFunctionSlot):
451         * runtime/Lookup.h:
452         (JSC::HashTableValue::intrinsic const):
453         (JSC::HashTableValue::builtinGenerator const):
454         (JSC::HashTableValue::function const):
455         (JSC::HashTableValue::functionLength const):
456         (JSC::HashTableValue::propertyGetter const):
457         (JSC::HashTableValue::propertyPutter const):
458         (JSC::HashTableValue::domJIT const):
459         (JSC::HashTableValue::signature const):
460         (JSC::HashTableValue::accessorGetter const):
461         (JSC::HashTableValue::accessorSetter const):
462         (JSC::HashTableValue::constantInteger const):
463         (JSC::HashTableValue::lazyCellPropertyOffset const):
464         (JSC::HashTableValue::lazyClassStructureOffset const):
465         (JSC::HashTableValue::lazyPropertyCallback const):
466         (JSC::HashTableValue::builtinAccessorGetterGenerator const):
467         (JSC::HashTableValue::builtinAccessorSetterGenerator const):
468         (JSC::getStaticPropertySlotFromTable):
469         (JSC::putEntry):
470         (JSC::reifyStaticProperty):
471         * runtime/MapConstructor.cpp:
472         (JSC::MapConstructor::finishCreation):
473         * runtime/MapIteratorPrototype.cpp:
474         (JSC::MapIteratorPrototype::finishCreation):
475         * runtime/MapPrototype.cpp:
476         (JSC::MapPrototype::finishCreation):
477         * runtime/MathObject.cpp:
478         (JSC::MathObject::finishCreation):
479         * runtime/NativeErrorConstructor.cpp:
480         (JSC::NativeErrorConstructor::finishCreation):
481         * runtime/NativeErrorPrototype.cpp:
482         (JSC::NativeErrorPrototype::finishCreation):
483         * runtime/NumberConstructor.cpp:
484         (JSC::NumberConstructor::finishCreation):
485         * runtime/NumberPrototype.cpp:
486         (JSC::NumberPrototype::finishCreation):
487         * runtime/ObjectConstructor.cpp:
488         (JSC::ObjectConstructor::finishCreation):
489         (JSC::objectConstructorAssign):
490         (JSC::objectConstructorValues):
491         (JSC::objectConstructorDefineProperty):
492         * runtime/ObjectPrototype.cpp:
493         (JSC::ObjectPrototype::finishCreation):
494         (JSC::objectProtoFuncLookupGetter):
495         (JSC::objectProtoFuncLookupSetter):
496         * runtime/ProgramExecutable.cpp:
497         (JSC::ProgramExecutable::initializeGlobalProperties):
498         * runtime/PropertyDescriptor.cpp:
499         (JSC::PropertyDescriptor::writable const):
500         (JSC::PropertyDescriptor::enumerable const):
501         (JSC::PropertyDescriptor::configurable const):
502         (JSC::PropertyDescriptor::setUndefined):
503         (JSC::PropertyDescriptor::setDescriptor):
504         (JSC::PropertyDescriptor::setCustomDescriptor):
505         (JSC::PropertyDescriptor::setAccessorDescriptor):
506         (JSC::PropertyDescriptor::setWritable):
507         (JSC::PropertyDescriptor::setEnumerable):
508         (JSC::PropertyDescriptor::setConfigurable):
509         (JSC::PropertyDescriptor::setSetter):
510         (JSC::PropertyDescriptor::setGetter):
511         (JSC::PropertyDescriptor::attributesEqual const):
512         (JSC::PropertyDescriptor::attributesOverridingCurrent const):
513         * runtime/PropertySlot.cpp:
514         (JSC::PropertySlot::customGetter const):
515         * runtime/PropertySlot.h:
516         (JSC::operator| ):
517         (JSC::operator&):
518         (JSC::operator<):
519         (JSC::operator~):
520         (JSC::operator|=):
521         (JSC::PropertySlot::setUndefined):
522         * runtime/ProxyConstructor.cpp:
523         (JSC::makeRevocableProxy):
524         (JSC::ProxyConstructor::finishCreation):
525         * runtime/ProxyObject.cpp:
526         (JSC::ProxyObject::performHasProperty):
527         * runtime/ProxyRevoke.cpp:
528         (JSC::ProxyRevoke::finishCreation):
529         * runtime/ReflectObject.cpp:
530         (JSC::ReflectObject::finishCreation):
531         (JSC::reflectObjectDefineProperty):
532         * runtime/RegExpConstructor.cpp:
533         (JSC::RegExpConstructor::finishCreation):
534         * runtime/RegExpObject.cpp:
535         (JSC::RegExpObject::getOwnPropertySlot):
536         * runtime/RegExpPrototype.cpp:
537         (JSC::RegExpPrototype::finishCreation):
538         * runtime/ScopedArguments.cpp:
539         (JSC::ScopedArguments::overrideThings):
540         * runtime/SetConstructor.cpp:
541         (JSC::SetConstructor::finishCreation):
542         * runtime/SetIteratorPrototype.cpp:
543         (JSC::SetIteratorPrototype::finishCreation):
544         * runtime/SetPrototype.cpp:
545         (JSC::SetPrototype::finishCreation):
546         * runtime/SparseArrayValueMap.cpp:
547         (JSC::SparseArrayValueMap::putDirect):
548         (JSC::SparseArrayEntry::put):
549         * runtime/StringConstructor.cpp:
550         (JSC::StringConstructor::finishCreation):
551         * runtime/StringIteratorPrototype.cpp:
552         (JSC::StringIteratorPrototype::finishCreation):
553         * runtime/StringPrototype.cpp:
554         (JSC::StringPrototype::finishCreation):
555         * runtime/Structure.cpp:
556         (JSC::Structure::nonPropertyTransition):
557         (JSC::Structure::isSealed):
558         (JSC::Structure::isFrozen):
559         (JSC::Structure::getPropertyNamesFromStructure):
560         (JSC::Structure::prototypeChainMayInterceptStoreTo):
561         * runtime/StructureInlines.h:
562         (JSC::Structure::add):
563         * runtime/SymbolConstructor.cpp:
564         (JSC::SymbolConstructor::finishCreation):
565         * runtime/SymbolPrototype.cpp:
566         (JSC::SymbolPrototype::finishCreation):
567         * runtime/SymbolTable.h:
568         (JSC::SymbolTableEntry::Fast::getAttributes const):
569         (JSC::SymbolTableEntry::SymbolTableEntry):
570         (JSC::SymbolTableEntry::setAttributes):
571         * runtime/TemplateRegistry.cpp:
572         (JSC::TemplateRegistry::getTemplateObject):
573         * runtime/WeakMapConstructor.cpp:
574         (JSC::WeakMapConstructor::finishCreation):
575         * runtime/WeakMapPrototype.cpp:
576         (JSC::WeakMapPrototype::finishCreation):
577         * runtime/WeakSetConstructor.cpp:
578         (JSC::WeakSetConstructor::finishCreation):
579         * runtime/WeakSetPrototype.cpp:
580         (JSC::WeakSetPrototype::finishCreation):
581         * tools/JSDollarVMPrototype.cpp:
582         (JSC::JSDollarVMPrototype::finishCreation):
583         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
584         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
585         * wasm/js/WebAssemblyInstanceConstructor.cpp:
586         (JSC::WebAssemblyInstanceConstructor::finishCreation):
587         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
588         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
589         * wasm/js/WebAssemblyMemoryConstructor.cpp:
590         (JSC::WebAssemblyMemoryConstructor::finishCreation):
591         * wasm/js/WebAssemblyMemoryPrototype.cpp:
592         * wasm/js/WebAssemblyModuleConstructor.cpp:
593         (JSC::WebAssemblyModuleConstructor::finishCreation):
594         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
595         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
596         * wasm/js/WebAssemblyTableConstructor.cpp:
597         (JSC::WebAssemblyTableConstructor::finishCreation):
598
599 2017-09-23  Oleksandr Skachkov  <gskachkov@gmail.com>
600
601         [ESNext] Async iteration - Implement Async Generator - optimization
602         https://bugs.webkit.org/show_bug.cgi?id=175891
603
604         Reviewed by Yusuke Suzuki.
605
606         Add small optimization for async generators:
607         1. merging async generator queue to async generator itself
608         generator.@first / generator.@last is enough, by doing so,
609           we remove one unnecessary object alloc.
610         2. merging request with queue.
611
612         * builtins/AsyncGeneratorPrototype.js:
613         (globalPrivate.asyncGeneratorQueueIsEmpty):
614         (globalPrivate.asyncGeneratorQueueCreateItem):
615         (globalPrivate.asyncGeneratorQueueEnqueue):
616         (globalPrivate.asyncGeneratorQueueDequeue):
617         (globalPrivate.asyncGeneratorDequeue):
618         (globalPrivate.isSuspendYieldState):
619         (globalPrivate.asyncGeneratorEnqueue):
620         * builtins/BuiltinNames.h:
621         * bytecompiler/BytecodeGenerator.cpp:
622         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
623         * bytecompiler/BytecodeGenerator.h:
624         * bytecompiler/NodesCodegen.cpp:
625         (JSC::FunctionNode::emitBytecode):
626
627 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
628
629         test262: $.agent became $262.agent in test262 update
630         https://bugs.webkit.org/show_bug.cgi?id=177407
631
632         Reviewed by Yusuke Suzuki.
633
634         * jsc.cpp:
635         (GlobalObject::finishCreation):
636         Alias `$` and `$262` for now.
637
638 2017-09-22  Keith Miller  <keith_miller@apple.com>
639
640         Speculatively change iteration protocall to use the same next function
641         https://bugs.webkit.org/show_bug.cgi?id=175653
642
643         Reviewed by Saam Barati.
644
645         This patch speculatively makes a change to the iteration protocall to fetch the next
646         property immediately after calling the Symbol.iterator function. This is, in theory,
647         a breaking change, so we will see if this breaks things (most likely it won't as this
648         is a relatively subtle point).
649
650         See: https://github.com/tc39/ecma262/issues/976
651
652         * builtins/IteratorHelpers.js:
653         (performIteration):
654         * bytecompiler/BytecodeGenerator.cpp:
655         (JSC::BytecodeGenerator::emitEnumeration):
656         (JSC::BytecodeGenerator::emitIteratorNext):
657         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
658         (JSC::BytecodeGenerator::emitDelegateYield):
659         * bytecompiler/BytecodeGenerator.h:
660         * bytecompiler/NodesCodegen.cpp:
661         (JSC::ArrayPatternNode::bindValue const):
662         * inspector/JSInjectedScriptHost.cpp:
663         (Inspector::JSInjectedScriptHost::iteratorEntries):
664         * runtime/IteratorOperations.cpp:
665         (JSC::iteratorNext):
666         (JSC::iteratorStep):
667         (JSC::iteratorClose):
668         (JSC::iteratorForIterable):
669         * runtime/IteratorOperations.h:
670         (JSC::forEachInIterable):
671         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
672         (JSC::constructGenericTypedArrayViewFromIterator):
673         (JSC::constructGenericTypedArrayViewWithArguments):
674
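        The two readings of the iteration protocol described in the entry above, as an added example that is not WebKit code: one driver looks `next` up on every step, the other fetches it once right after calling Symbol.iterator (the tc39/ecma262#976 behaviour). The probe iterable is constructed for this example; it counts reads of `next` and swaps its own `next` after the first step, because only an iterator that mutates itself mid-iteration can tell the two readings apart.

```javascript
// Added example, not WebKit code: the two readings of the iteration protocol
// discussed above, as plain JS drivers, plus a constructed iterable on which
// they observably differ.

// Reading before the change: look `next` up on the iterator at every step.
function iterateLookupNextEachStep(iterable) {
  const iterator = iterable[Symbol.iterator]();
  const values = [];
  for (;;) {
    const result = iterator.next(); // property lookup on every step
    if (result.done) break;
    values.push(result.value);
  }
  return values;
}

// Reading after the change (tc39/ecma262#976): fetch `next` once, right after
// calling Symbol.iterator, and keep calling that same function.
function iterateCacheNext(iterable) {
  const iterator = iterable[Symbol.iterator]();
  const next = iterator.next; // single lookup
  const values = [];
  for (;;) {
    const result = next.call(iterator);
    if (result.done) break;
    values.push(result.value);
  }
  return values;
}

// Constructed probe iterable: counts how often `next` is read and, on the
// first step, replaces its own `next` with one that immediately reports done.
// Well-behaved iterators never do this, which is why the change was expected
// to be low risk in practice.
function makeProbeIterable(limit) {
  const log = { nextLookups: 0 };
  const iterable = {
    [Symbol.iterator]() {
      let i = 0;
      const iterator = {};
      let currentNext = () => {
        i += 1;
        if (i === 1) iterator.next = () => ({ done: true, value: undefined });
        return i > limit ? { done: true, value: undefined } : { done: false, value: i };
      };
      Object.defineProperty(iterator, 'next', {
        get() { log.nextLookups += 1; return currentNext; },
        set(fn) { currentNext = fn; },
      });
      return iterator;
    },
  };
  return { iterable, log };
}

// Runs one driver over a fresh probe and reports the values it produced and
// how many times `next` was looked up.
function runDriver(driver, limit) {
  const { iterable, log } = makeProbeIterable(limit);
  const values = driver(iterable);
  return { values, nextLookups: log.nextLookups };
}

// The host engine's own spread, for comparison with the hand-written drivers.
function runHostSpread(limit) {
  return runDriver((iterable) => [...iterable], limit);
}
```

        With limit 3 the per-step driver stops after the first value (two lookups, the second one returning the swapped-in `next`), while the caching driver yields all three values with a single lookup; an engine implementing the cached reading behaves like the latter.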
675 2017-09-22  Fujii Hironori  <Hironori.Fujii@sony.com>
676
677         [Win64] Crashes in Yarr JIT compiled code
678         https://bugs.webkit.org/show_bug.cgi?id=177293
679
680         Reviewed by Yusuke Suzuki.
681
682         In x64 Windows, the rcx register is used for the address of the allocated
683         space for the return value. But rcx has been used for regT1 since
684         r221052. Save rcx on the stack.
685
686         * yarr/YarrJIT.cpp:
687         (JSC::Yarr::YarrGenerator::generateEnter): Push ecx.
688         (JSC::Yarr::YarrGenerator::generateReturn): Pop ecx.
689
690 2017-09-22  Saam Barati  <sbarati@apple.com>
691
692         Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
693         https://bugs.webkit.org/show_bug.cgi?id=177368
694
695         Reviewed by Keith Miller.
696
697         * runtime/ErrorInstance.cpp:
698         (JSC::ErrorInstance::finishCreation):
699         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
700         (JSC::ErrorInstance::visitChildren):
701
702 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
703
704         [DFG][FTL] Profile array vector length for array allocation
705         https://bugs.webkit.org/show_bug.cgi?id=177051
706
707         Reviewed by Saam Barati.
708
709         Currently, NewArrayBuffer allocation is penalized by JSC: while an empty array gets a vector size of 25 (BASE_CONTIGUOUS_VECTOR_LEN),
710         the new_array_buffer case gets a vector size of 3 (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
711         if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
712         the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
713
714             empty array allocation,
715
716             var array = [];
717             array.push(0);
718             array.push(1);
719             array.push(2);
720             array.push(3);
721             array.push(4);
722
723             v.s. new_array_buffer case,
724
725             var array = [0];
726             array.push(1);
727             array.push(2);
728             array.push(3);
729             array.push(4);
730
731         In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (and that is a bit likely),
732         we should allocate a vector size of 3 to 25 if it is likely to be grown. So we should get a profile on the resulting array.
733
734         We select 25 to make it fit one of the size classes.
735
736         In this patch, we extend ArrayAllocationProfile to record the vector length, and use this information when allocating an array for new_array_buffer.
737         If the number of new_array_buffer constants is <= 25, the array vector size becomes 3 to 25 based on profiling. If the number of its constants
738         is larger than 25, we just use it for allocation as before.
739
740         The added microbenchmark and SixSpeed spread-literal.es5 show improvement.
741
742             new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
743             spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster
744
745         * bytecode/ArrayAllocationProfile.cpp:
746         (JSC::ArrayAllocationProfile::updateProfile):
747         (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
748         * bytecode/ArrayAllocationProfile.h:
749         (JSC::ArrayAllocationProfile::selectIndexingType):
750         (JSC::ArrayAllocationProfile::vectorLengthHint):
751         (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
752         * bytecode/CodeBlock.cpp:
753         (JSC::CodeBlock::updateAllArrayPredictions):
754         * dfg/DFGByteCodeParser.cpp:
755         (JSC::DFG::ByteCodeParser::parseBlock):
756         * dfg/DFGGraph.cpp:
757         (JSC::DFG::Graph::dump):
758         * dfg/DFGNode.h:
759         (JSC::DFG::Node::vectorLengthHint):
760         * dfg/DFGOperations.cpp:
761         * dfg/DFGOperations.h:
762         * dfg/DFGSpeculativeJIT64.cpp:
763         (JSC::DFG::SpeculativeJIT::compile):
764         * ftl/FTLLowerDFGToB3.cpp:
765         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
766         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
767         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
768         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
769         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
770         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
771         * runtime/ArrayConventions.h:
772         * runtime/JSArray.h:
773         (JSC::JSArray::tryCreate):
774
775 2017-09-22  Commit Queue  <commit-queue@webkit.org>
776
777         Unreviewed, rolling out r222380.
778         https://bugs.webkit.org/show_bug.cgi?id=177352
779
780         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
781         #webkit).
782
783         Reverted changeset:
784
785         "[DFG][FTL] Profile array vector length for array allocation"
786         https://bugs.webkit.org/show_bug.cgi?id=177051
787         http://trac.webkit.org/changeset/222380
788
789 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
790
791         [DFG][FTL] Profile array vector length for array allocation
792         https://bugs.webkit.org/show_bug.cgi?id=177051
793
794         Reviewed by Saam Barati.
795
796         Currently, NewArrayBuffer allocation is penalized by JSC: while an empty array gets a vector size of 25 (BASE_CONTIGUOUS_VECTOR_LEN),
797         the new_array_buffer case gets a vector size of 3 (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
798         if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
799         the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
800
801             empty array allocation,
802
803             var array = [];
804             array.push(0);
805             array.push(1);
806             array.push(2);
807             array.push(3);
808             array.push(4);
809
810             v.s. new_array_buffer case,
811
812             var array = [0];
813             array.push(1);
814             array.push(2);
815             array.push(3);
816             array.push(4);
817
818         In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (and that is a bit likely),
819         we should allocate a vector size of 3 to 25 if it is likely to be grown. So we should get a profile on the resulting array.
820
821         We select 25 to make it fit one of the size classes.
822
823         In this patch, we extend ArrayAllocationProfile to record the vector length, and use this information when allocating an array for new_array_buffer.
824         If the number of new_array_buffer constants is <= 25, the array vector size becomes 3 to 25 based on profiling. If the number of its constants
825         is larger than 25, we just use it for allocation as before.
826
827         The added microbenchmark and SixSpeed spread-literal.es5 show improvement.
828
829             new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
830             spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster
831
832         * bytecode/ArrayAllocationProfile.cpp:
833         (JSC::ArrayAllocationProfile::updateProfile):
834         (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
835         * bytecode/ArrayAllocationProfile.h:
836         (JSC::ArrayAllocationProfile::selectIndexingType):
837         (JSC::ArrayAllocationProfile::vectorLengthHint):
838         (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
839         * bytecode/CodeBlock.cpp:
840         (JSC::CodeBlock::updateAllArrayPredictions):
841         * dfg/DFGByteCodeParser.cpp:
842         (JSC::DFG::ByteCodeParser::parseBlock):
843         * dfg/DFGGraph.cpp:
844         (JSC::DFG::Graph::dump):
845         * dfg/DFGNode.h:
846         (JSC::DFG::Node::vectorLengthHint):
847         * dfg/DFGOperations.cpp:
848         * dfg/DFGOperations.h:
849         * dfg/DFGSpeculativeJIT64.cpp:
850         (JSC::DFG::SpeculativeJIT::compile):
851         * ftl/FTLLowerDFGToB3.cpp:
852         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
853         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
854         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
855         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
856         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
857         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
858         * runtime/ArrayConventions.h:
859         * runtime/JSArray.h:
860         (JSC::JSArray::tryCreate):
861
862 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
863
864         Web Inspector: Remove support for CSS Regions
865         https://bugs.webkit.org/show_bug.cgi?id=177287
866
867         Reviewed by Matt Baker.
868
869         * inspector/protocol/CSS.json:
870         * inspector/protocol/OverlayTypes.json:
871
872 2017-09-21  Brian Burg  <bburg@apple.com>
873
874         Web Inspector: keyboard shortcut for "Reload page from origin" doesn't match Safari, and doesn't work
875         https://bugs.webkit.org/show_bug.cgi?id=177010
876         <rdar://problem/33134548>
877
878         Reviewed by Joseph Pecoraro.
879
880         Use "reload from origin" nomenclature instead of "reload ignoring cache".
881
882         * inspector/protocol/Page.json: Improve the comment, but don't change the
883         parameter name since this would be a divergence from legacy protocols.
884
885 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
886
887         test262: test262/test/annexB/built-ins/RegExp/prototype/flags/order-after-compile.js ASSERTs
888         https://bugs.webkit.org/show_bug.cgi?id=177307
889
890         Reviewed by Michael Saboff.
891
892         * runtime/RegExpPrototype.cpp:
893         In r221160 we added support for the new RegExp flag (dotAll).
894         We needed to make space for it in FlagsString.
895
896 2017-09-20  Keith Miller  <keith_miller@apple.com>
897
898         JSC should use unified sources for platform specific files.
899         https://bugs.webkit.org/show_bug.cgi?id=177290
900
901         Reviewed by Michael Saboff.
902
903         Add a list of platform specific source files and update the
904         Generate Unified Sources phase of the Xcode build. I skipped WPE
905         since that seems to have failed for some reason that I didn't
906         fully understand. See:
907         https://webkit-queues.webkit.org/results/4611260
908
909         Also, fix duplicate symbols in Glib remote inspector files.
910
911         * CMakeLists.txt:
912         * JavaScriptCore.xcodeproj/project.pbxproj:
913         * PlatformGTK.cmake:
914         * PlatformMac.cmake:
915         * SourcesGTK.txt: Added.
916         * SourcesMac.txt: Added.
917         * inspector/remote/glib/RemoteInspectorServer.cpp:
918         (Inspector::RemoteInspectorServer::interfaceInfo):
919         (Inspector::RemoteInspectorServer::setTargetList):
920         (Inspector::RemoteInspectorServer::setupInspectorClient):
921         (Inspector::RemoteInspectorServer::setup):
922         (Inspector::RemoteInspectorServer::close):
923         (Inspector::RemoteInspectorServer::connectionClosed):
924         (Inspector::RemoteInspectorServer::sendMessageToBackend):
925         (Inspector::RemoteInspectorServer::sendMessageToFrontend):
926         (Inspector::dbusConnectionCallAsyncReadyCallback): Deleted.
927
928 2017-09-20  Stephan Szabo  <stephan.szabo@sony.com>
929
930         [Win] WTF: Add alias for process id to use in place of direct uses of pid_t
931         https://bugs.webkit.org/show_bug.cgi?id=177017
932
933         Reviewed by Alex Christensen.
934
935         * API/JSRemoteInspector.cpp:
936         (JSRemoteInspectorSetParentProcessInformation):
937         * API/JSRemoteInspector.h:
938         * inspector/remote/RemoteInspector.h:
939
940 2017-09-20  Keith Miller  <keith_miller@apple.com>
941
942         Rename source list file to Sources.txt
943         https://bugs.webkit.org/show_bug.cgi?id=177283
944
945         Reviewed by Saam Barati.
946
947         * CMakeLists.txt:
948         * JavaScriptCore.xcodeproj/project.pbxproj:
949         * Sources.txt: Renamed from Source/JavaScriptCore/sources.txt.
950
951 2017-09-20  Keith Miller  <keith_miller@apple.com>
952
953         Unreviewed, fix string capitalization
954
955         * JavaScriptCore.xcodeproj/project.pbxproj:
956
957 2017-09-20  Keith Miller  <keith_miller@apple.com>
958
959         JSC Xcode build should use unified sources for platform independent files
960         https://bugs.webkit.org/show_bug.cgi?id=177190
961
962         Reviewed by Saam Barati.
963
964         This patch changes the Xcode build to use unified sources. The
965         main difference from a development perspective is that instead of
966         adding source files to Xcode, they need to be added to the shared
967         sources.txt. For now, platform specific files are still added
968         to the JavaScriptCore target.
969
970         Because Xcode needs to know about all the files before we generate
971         them, all the unified source files need to be added to the
972         JavaScriptCore framework target. As a result, if we run out of
973         bundle files more will need to be added to the project. Currently,
974         there are no spare files. If adding more bundle files becomes
975         problematic we can change this.
976
977         LowLevelInterpreter.cpp can't be added to the unified source list yet
978         due to a clang bug.
979
980         * CMakeLists.txt:
981         * JavaScriptCore.xcodeproj/project.pbxproj:
982         * sources.txt: Added.
983
984 2017-09-20  Per Arne Vollan  <pvollan@apple.com>
985
986         [Win] Cannot find script to generate unified sources.
987         https://bugs.webkit.org/show_bug.cgi?id=177014
988
989         Reviewed by Keith Miller.
990
991         The ruby script can now be found in WTF/Scripts in the forwarding headers folder.
992
993         * CMakeLists.txt:
994         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
995
996 2017-09-20  Alberto Garcia  <berto@igalia.com>
997
998         Fix HPPA and Alpha builds
999         https://bugs.webkit.org/show_bug.cgi?id=177224
1000
1001         Reviewed by Alex Christensen.
1002
1003         * CMakeLists.txt:
1004
1005 2017-09-18  Filip Pizlo  <fpizlo@apple.com>
1006
1007         ErrorInstance and Exception need destroy methods
1008         https://bugs.webkit.org/show_bug.cgi?id=177095
1009
1010         Reviewed by Saam Barati.
1011         
1012         When I made ErrorInstance and Exception into JSDestructibleObjects, I forgot to make them
1013         follow that type's protocol.
1014
1015         * runtime/ErrorInstance.cpp:
1016         (JSC::ErrorInstance::destroy): Implement this to fix leaks.
1017         * runtime/ErrorInstance.h:
1018         * runtime/Exception.h: Change how this is declared now that this is a DestructibleObject.
1019
1020 2017-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1021
1022         [JSC] Consider dropping JSObjectSetPrototype feature for JSGlobalObject
1023         https://bugs.webkit.org/show_bug.cgi?id=177070
1024
1025         Reviewed by Saam Barati.
1026
1027         For security reasons, our global object is an immutable prototype exotic object.
1028         It prevents users from injecting proxies into the prototype chain of the global object[1].
1029         But our JSC API does not respect this attribute, and allows users to change the [[Prototype]]
1030         of the global object after instantiating it.
1031
1032         This patch removes this feature. Once the global object is instantiated, we cannot change the [[Prototype]]
1033         of the global object. It drops the JSGlobalObject::resetPrototype use, which involves GlobalThis
1034         edge cases.
1035
1036         [1]: https://github.com/tc39/ecma262/commit/935dad4283d045bc09c67a259279772d01b3d33d
1037
1038         * API/JSObjectRef.cpp:
1039         (JSObjectSetPrototype):
1040         * API/tests/CustomGlobalObjectClassTest.c:
1041         (globalObjectSetPrototypeTest):
1042
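        The property the entry above relies on, as an added example that is not WebKit code: a probe that checks whether a [[Prototype]] can be swapped for a proxy and whether that proxy then sees lookups. Object.prototype is the object the ECMAScript spec itself defines as an immutable prototype exotic object, so it is the portable stand-in here; whether a host's global object is one too depends on the engine and embedder, so `probeGlobalThis` only reports and is not asserted on. The spy proxy and the property name looked up are constructed for the example.

```javascript
// Added example, not WebKit code: probing [[Prototype]] immutability, the
// guarantee that keeps proxies out of the global object's prototype chain.

function tryInjectPrototype(target) {
  let trapFired = false;
  // Constructed spy: records any lookup that falls through to the prototype chain.
  const spy = new Proxy({}, {
    has(obj, key) { trapFired = true; return Reflect.has(obj, key); },
    get(obj, key, receiver) { trapFired = true; return Reflect.get(obj, key, receiver); },
  });
  const original = Object.getPrototypeOf(target);
  // Reflect.setPrototypeOf reports success or failure instead of throwing.
  const replaced = Reflect.setPrototypeOf(target, spy);
  // Looking up a property the target does not own walks the chain; if the spy
  // made it onto the chain, its `has` trap now runs.
  void ('property-that-does-not-exist' in target);
  if (replaced) Reflect.setPrototypeOf(target, original); // undo for the rest of the process
  return { replaced, trapFired };
}

// Object.setPrototypeOf (like the __proto__ setter) throws a TypeError where
// Reflect.setPrototypeOf returns false. Pass a throwaway object for the
// mutable case, since a successful call really changes its prototype.
function setPrototypeThrows(target) {
  try {
    Object.setPrototypeOf(target, {});
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Re-setting the prototype to the value it already has is permitted even on an
// immutable-prototype object: only an actual change is rejected.
function sameValueAllowed(target) {
  return Reflect.setPrototypeOf(target, Object.getPrototypeOf(target));
}

// Host-dependent: reports whether this engine's global object is immutable too.
function probeGlobalThis() {
  return tryInjectPrototype(globalThis);
}
```

        On Object.prototype the injection is refused and the spy never observes a lookup; on an ordinary object it succeeds and the spy's `has` trap fires on the very next `in` check, which is exactly the interposition the immutable-prototype rule exists to prevent.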
1043 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1044
1045         [DFG] Remove ToThis more aggressively
1046         https://bugs.webkit.org/show_bug.cgi?id=177056
1047
1048         Reviewed by Saam Barati.
1049
1050         The variation of toThis() implementations is limited. So we attempt to implement the common toThis operation in AI.
1051         We move scope-related toThis to JSScope::toThis. And AI investigates the proven value/structure's toThis methods
1052         and attempts to fold/convert them to efficient nodes.
1053
1054         We introduce GetGlobalThis, which just loads globalThis from the semantic origin's globalObject. Using this,
1055         we can implement JSScope::toThis in DFG. This can avoid the costly toThis indirect function pointer call.
1056
1057         Currently, we just emit GetGlobalThis if necessary. We can further convert it to a constant if we can put a
1058         watchpoint on JSGlobalObject's globalThis change. But we leave it for a future patch for now.
1059
1060         This removes GetGlobalThis from ES6 generators in common cases.
1061
1062         spread-generator.es6      303.1550+-9.5037          290.9337+-8.3487          might be 1.0420x faster
1063
1064         * dfg/DFGAbstractInterpreterInlines.h:
1065         (JSC::DFG::isToThisAnIdentity):
1066         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1067         * dfg/DFGClobberize.h:
1068         (JSC::DFG::clobberize):
1069         * dfg/DFGConstantFoldingPhase.cpp:
1070         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1071         * dfg/DFGDoesGC.cpp:
1072         (JSC::DFG::doesGC):
1073         * dfg/DFGFixupPhase.cpp:
1074         (JSC::DFG::FixupPhase::fixupNode):
1075         * dfg/DFGNode.h:
1076         (JSC::DFG::Node::convertToGetGlobalThis):
1077         * dfg/DFGNodeType.h:
1078         * dfg/DFGPredictionPropagationPhase.cpp:
1079         * dfg/DFGSafeToExecute.h:
1080         (JSC::DFG::safeToExecute):
1081         * dfg/DFGSpeculativeJIT.cpp:
1082         (JSC::DFG::SpeculativeJIT::compileGetGlobalThis):
1083         * dfg/DFGSpeculativeJIT.h:
1084         * dfg/DFGSpeculativeJIT32_64.cpp:
1085         (JSC::DFG::SpeculativeJIT::compile):
1086         * dfg/DFGSpeculativeJIT64.cpp:
1087         (JSC::DFG::SpeculativeJIT::compile):
1088         * ftl/FTLCapabilities.cpp:
1089         (JSC::FTL::canCompile):
1090         * ftl/FTLLowerDFGToB3.cpp:
1091         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1092         (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
1093         * runtime/JSGlobalLexicalEnvironment.cpp:
1094         (JSC::JSGlobalLexicalEnvironment::toThis): Deleted.
1095         * runtime/JSGlobalLexicalEnvironment.h:
1096         * runtime/JSGlobalObject.cpp:
1097         (JSC::JSGlobalObject::toThis): Deleted.
1098         * runtime/JSGlobalObject.h:
1099         (JSC::JSGlobalObject::addressOfGlobalThis):
1100         * runtime/JSLexicalEnvironment.cpp:
1101         (JSC::JSLexicalEnvironment::toThis): Deleted.
1102         * runtime/JSLexicalEnvironment.h:
1103         * runtime/JSScope.cpp:
1104         (JSC::JSScope::toThis):
1105         * runtime/JSScope.h:
1106         * runtime/StrictEvalActivation.cpp:
1107         (JSC::StrictEvalActivation::toThis): Deleted.
1108         * runtime/StrictEvalActivation.h:
1109
1110 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1111
1112         Merge JSLexicalEnvironment and JSEnvironmentRecord
1113         https://bugs.webkit.org/show_bug.cgi?id=175492
1114
1115         Reviewed by Saam Barati.
1116
1117         JSEnvironmentRecord is only inherited by JSLexicalEnvironment.
1118         We can merge JSEnvironmentRecord and JSLexicalEnvironment.
1119
1120         * CMakeLists.txt:
1121         * JavaScriptCore.xcodeproj/project.pbxproj:
1122         * dfg/DFGSpeculativeJIT.cpp:
1123         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1124         * dfg/DFGSpeculativeJIT32_64.cpp:
1125         (JSC::DFG::SpeculativeJIT::compile):
1126         * dfg/DFGSpeculativeJIT64.cpp:
1127         (JSC::DFG::SpeculativeJIT::compile):
1128         * ftl/FTLAbstractHeapRepository.h:
1129         * ftl/FTLLowerDFGToB3.cpp:
1130         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1131         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1132         (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
1133         (JSC::FTL::DFG::LowerDFGToB3::compilePutClosureVar):
1134         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1135         * jit/JITPropertyAccess.cpp:
1136         (JSC::JIT::emitGetClosureVar):
1137         (JSC::JIT::emitPutClosureVar):
1138         (JSC::JIT::emitScopedArgumentsGetByVal):
1139         * jit/JITPropertyAccess32_64.cpp:
1140         (JSC::JIT::emitGetClosureVar):
1141         (JSC::JIT::emitPutClosureVar):
1142         * llint/LLIntOffsetsExtractor.cpp:
1143         * llint/LowLevelInterpreter.asm:
1144         * llint/LowLevelInterpreter32_64.asm:
1145         * llint/LowLevelInterpreter64.asm:
1146         * runtime/JSEnvironmentRecord.cpp: Removed.
1147         * runtime/JSEnvironmentRecord.h: Removed.
1148         * runtime/JSLexicalEnvironment.cpp:
1149         (JSC::JSLexicalEnvironment::visitChildren):
1150         (JSC::JSLexicalEnvironment::heapSnapshot):
1151         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1152         * runtime/JSLexicalEnvironment.h:
1153         (JSC::JSLexicalEnvironment::subspaceFor):
1154         (JSC::JSLexicalEnvironment::variables):
1155         (JSC::JSLexicalEnvironment::isValidScopeOffset):
1156         (JSC::JSLexicalEnvironment::variableAt):
1157         (JSC::JSLexicalEnvironment::offsetOfVariables):
1158         (JSC::JSLexicalEnvironment::offsetOfVariable):
1159         (JSC::JSLexicalEnvironment::allocationSizeForScopeSize):
1160         (JSC::JSLexicalEnvironment::allocationSize):
1161         (JSC::JSLexicalEnvironment::finishCreationUninitialized):
1162         (JSC::JSLexicalEnvironment::finishCreation):
1163         * runtime/JSModuleEnvironment.cpp:
1164         (JSC::JSModuleEnvironment::create):
1165         * runtime/JSObject.h:
1166         (JSC::JSObject::isEnvironment const):
1167         (JSC::JSObject::isEnvironmentRecord const): Deleted.
1168         * runtime/JSSegmentedVariableObject.h:
1169         * runtime/StringPrototype.cpp:
1170         (JSC::checkObjectCoercible):
1171
1172 2017-09-15  Saam Barati  <sbarati@apple.com>
1173
1174         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
1175         https://bugs.webkit.org/show_bug.cgi?id=176981
1176
1177         Reviewed by Yusuke Suzuki.
1178
1179         This patch makes inline arity fixup happen in two phases:
1180         1. We get all the values we need and MovHint them to the expected locals.
1181         2. We SetLocal them inside the callee's CodeOrigin. This way, if we exit, the callee's
1182            frame is already set up. If any SetLocal exits, we have a valid exit state.
1183            This is required because if we didn't do this in two phases, we may exit in
1184            the middle of arity fixup from the caller's CodeOrigin. This is unsound because if
1185            we did the SetLocals in the caller's frame, the memcpy may clobber needed parts
1186            of the frame right before exiting. For example, consider if we need to pad two args:
1187            [arg3][arg2][arg1][arg0]
1188            [fix ][fix ][arg3][arg2][arg1][arg0]
1189            We memcpy starting from arg0 in the direction of arg3. If we were to exit at a type check
1190            for arg3's SetLocal in the caller's CodeOrigin, we'd exit with a frame like so:
1191            [arg3][arg2][arg1][arg2][arg1][arg0]
1192            And the caller would then just end up thinking its arguments are:
1193            [arg3][arg2][arg1][arg2]
1194            which is incorrect.
1195        
1196        
1197         This patch also fixes a couple of bugs in IdentityWithProfile:
1198         1. The bytecode generator for this bytecode intrinsic was written incorrectly.
1199            It needed to store the result of evaluating its argument in a temporary that
1200            it creates. Otherwise, it might try to simply overwrite a constant
1201            or a register that it didn't own.
1202         2. We weren't eliminating this node in CSE inside the DFG.
1203
1204         * bytecompiler/NodesCodegen.cpp:
1205         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
1206         * dfg/DFGByteCodeParser.cpp:
1207         (JSC::DFG::ByteCodeParser::inlineCall):
1208         * dfg/DFGCSEPhase.cpp:
1209
1210 2017-09-15  JF Bastien  <jfbastien@apple.com>
1211
1212         WTF: use Forward.h when appropriate instead of Vector.h
1213         https://bugs.webkit.org/show_bug.cgi?id=176984
1214
1215         Reviewed by Saam Barati.
1216
1217         There's no need to include Vector.h when Forward.h will suffice. All we need is to move the template default parameters from Vector, and then the forward declaration can be used in so many new places: if a header only takes Vector by reference, rvalue reference, or pointer, returns any of these, or has them as members, then the header doesn't need to see the definition because the declaration will suffice.
1218
1219         * bytecode/HandlerInfo.h:
1220         * heap/GCIncomingRefCounted.h:
1221         * heap/GCSegmentedArray.h:
1222         * wasm/js/JSWebAssemblyModule.h:
1223
1224 2017-09-14  Saam Barati  <sbarati@apple.com>
1225
1226         We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags
1227         https://bugs.webkit.org/show_bug.cgi?id=176863
1228
1229         Reviewed by Keith Miller.
1230
1231         * CMakeLists.txt:
1232         * JavaScriptCore.xcodeproj/project.pbxproj:
1233         * runtime/ProxyObject.cpp:
1234         (JSC::performProxyGet):
1235         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1236         (JSC::ProxyObject::performHasProperty):
1237         (JSC::ProxyObject::getOwnPropertySlotCommon):
1238         (JSC::ProxyObject::performPut):
1239         (JSC::performProxyCall):
1240         (JSC::performProxyConstruct):
1241         (JSC::ProxyObject::performDelete):
1242         (JSC::ProxyObject::performPreventExtensions):
1243         (JSC::ProxyObject::performIsExtensible):
1244         (JSC::ProxyObject::performDefineOwnProperty):
1245         (JSC::ProxyObject::performGetOwnPropertyNames):
1246         (JSC::ProxyObject::performSetPrototype):
1247         (JSC::ProxyObject::performGetPrototype):
1248
1249 2017-09-14  Saam Barati  <sbarati@apple.com>
1250
1251         Make dumping the graph print both when exitOK and when !exitOK
1252         https://bugs.webkit.org/show_bug.cgi?id=176954
1253
1254         Reviewed by Keith Miller.
1255
1256         * dfg/DFGGraph.cpp:
1257         (JSC::DFG::Graph::dump):
1258
1259 2017-09-14  Saam Barati  <sbarati@apple.com>
1260
1261         It should be valid to exit before each set when doing arity fixup when inlining
1262         https://bugs.webkit.org/show_bug.cgi?id=176948
1263
1264         Reviewed by Keith Miller.
1265
1266         This patch makes it so that we can exit before each SetLocal when doing arity
1267         fixup during inlining. This is OK because if we exit at any of these SetLocals,
1268         we will simply exit to the beginning of the call instruction.
1269         
1270         Not doing this led to a bug where FixupPhase would insert a ValueRep of
1271         a node before the actual node. This is obviously invalid IR. I've added
1272         a new validation rule to catch this malformed IR.
1273
1274         * dfg/DFGByteCodeParser.cpp:
1275         (JSC::DFG::ByteCodeParser::inliningCost):
1276         (JSC::DFG::ByteCodeParser::inlineCall):
1277         * dfg/DFGValidate.cpp:
1278         * runtime/Options.h:
1279
1280 2017-09-14  Mark Lam  <mark.lam@apple.com>
1281
1282         AddressSanitizer: stack-buffer-underflow in JSC::Probe::Page::Page
1283         https://bugs.webkit.org/show_bug.cgi?id=176874
1284         <rdar://problem/34436415>
1285
1286         Reviewed by Saam Barati.
1287
1288         1. Make Probe::Stack play nice with ASan by:
1289
1290            a. using a local memcpy implementation that suppresses ASan on ASan builds.
1291               We don't want to use std::memcpy() which validates stack memory because
1292               we are intentionally copying stack memory beyond the current frame.
1293
1294            b. changing Stack::s_chunkSize to equal sizeof(uintptr_t) on ASan builds.
1295               This ensures that Page::flushWrites() only writes stack memory that was
1296               modified by a probe.  The probes should only modify stack memory that
1297               belongs to JSC stack data structures.  We don't want to inadvertently
1298               modify adjacent words that may belong to ASan (which may happen if
1299               s_chunkSize is larger than sizeof(uintptr_t)).
1300
1301            c. fixing a bug in Page dirtyBits management for when the size of the value to
1302               write is greater than s_chunkSize.  The fix is generic, but in practice,
1303               this currently only manifests on 32-bit ASan builds because
1304               sizeof(uintptr_t) and s_chunkSize are 32-bit, and we may write 64-bit
1305               values.
1306
1307            d. making Page::m_dirtyBits 64 bits always.  This maximizes the number of
1308               s_chunksPerPage we can have even on ASan builds.
1309
1310         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
1311            std::memcpy to avoid strict aliasing issues.
1312
1313         3. Optimized the implementation of Page::physicalAddressFor().
1314
1315         4. Optimized the implementation of Stack::set() in the recording of the low
1316            watermark.  We just record the lowest raw pointer now, and only compute the
1317            alignment to its chunk boundary later when the low watermark is requested.
1318
1319         5. Changed a value in testmasm to make the test less vulnerable to rounding issues.
1320
1321         No new test needed because this is already covered by testmasm with ASan enabled.
1322
1323         * assembler/ProbeContext.h:
1324         (JSC::Probe::CPUState::gpr const):
1325         (JSC::Probe::CPUState::spr const):
1326         (JSC::Probe::Context::gpr):
1327         (JSC::Probe::Context::spr):
1328         (JSC::Probe::Context::fpr):
1329         (JSC::Probe::Context::gprName):
1330         (JSC::Probe::Context::sprName):
1331         (JSC::Probe::Context::fprName):
1332         (JSC::Probe::Context::gpr const):
1333         (JSC::Probe::Context::spr const):
1334         (JSC::Probe::Context::fpr const):
1335         (JSC::Probe::Context::pc):
1336         (JSC::Probe::Context::fp):
1337         (JSC::Probe::Context::sp):
1338         (JSC::Probe:: const): Deleted.
1339         * assembler/ProbeStack.cpp:
1340         (JSC::Probe::copyStackPage):
1341         (JSC::Probe::Page::Page):
1342         (JSC::Probe::Page::flushWrites):
1343         * assembler/ProbeStack.h:
1344         (JSC::Probe::Page::get):
1345         (JSC::Probe::Page::set):
1346         (JSC::Probe::Page::dirtyBitFor):
1347         (JSC::Probe::Page::physicalAddressFor):
1348         (JSC::Probe::Stack::lowWatermark):
1349         (JSC::Probe::Stack::get):
1350         (JSC::Probe::Stack::set):
1351         * assembler/testmasm.cpp:
1352         (JSC::testProbeModifiesStackValues):
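
Added example (not JSC's Probe::Page or any code from this patch): a constructed C++ shadow page that tracks writes per chunk with a 64-bit dirty mask. It shows the two points the entry makes: a value larger than the chunk size must dirty every chunk it overlaps, and flushing must copy back only dirtied chunks so that adjacent words that belong to someone else (ASan, for instance) are never modified. The names (shadow::ShadowPage, dirtyBitsFor, flushWrites) and the 4-byte chunk size are assumptions chosen so that an 8-byte write spans more than one chunk.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>

// Constructed example, not JSC's Probe::Page: a chunked shadow page whose
// dirty mask is always 64 bits wide, independent of sizeof(uintptr_t).
namespace shadow {

constexpr size_t pageSize = 64;
constexpr size_t chunkSize = 4; // assumption: small on purpose so an 8-byte value spans chunks
constexpr size_t chunksPerPage = pageSize / chunkSize;
static_assert(chunksPerPage <= 64, "dirty mask is 64 bits wide");

// One bit for every chunk that the byte range [offset, offset + size) touches.
inline uint64_t dirtyBitsFor(size_t offset, size_t size)
{
    if (!size)
        return 0;
    size_t first = offset / chunkSize;
    size_t last = (offset + size - 1) / chunkSize; // inclusive
    uint64_t mask = 0;
    for (size_t i = first; i <= last; ++i)
        mask |= uint64_t(1) << i;
    return mask;
}

class ShadowPage {
public:
    explicit ShadowPage(void* base)
        : m_base(static_cast<uint8_t*>(base))
    {
        std::memcpy(m_buffer, m_base, pageSize); // snapshot the real page
    }

    // Writes go to the private copy and mark every chunk the value overlaps.
    // memcpy avoids strict-aliasing problems for any T.
    template<typename T>
    bool set(size_t offset, const T& value)
    {
        if (offset + sizeof(T) > pageSize)
            return false;
        std::memcpy(m_buffer + offset, &value, sizeof(T));
        m_dirtyBits |= dirtyBitsFor(offset, sizeof(T));
        return true;
    }

    template<typename T>
    T get(size_t offset) const
    {
        T value;
        std::memcpy(&value, m_buffer + offset, sizeof(T));
        return value;
    }

    uint64_t dirtyBits() const { return m_dirtyBits; }

    // Copy only dirty chunks back to the real page; untouched neighbours are
    // left exactly as they were. Returns the number of chunks written back.
    size_t flushWrites()
    {
        size_t flushed = 0;
        for (size_t i = 0; i < chunksPerPage; ++i) {
            if (!(m_dirtyBits & (uint64_t(1) << i)))
                continue;
            std::memcpy(m_base + i * chunkSize, m_buffer + i * chunkSize, chunkSize);
            ++flushed;
        }
        m_dirtyBits = 0;
        return flushed;
    }

private:
    uint8_t* m_base;
    uint8_t m_buffer[pageSize];
    uint64_t m_dirtyBits { 0 }; // always 64 bits, regardless of sizeof(uintptr_t)
};

} // namespace shadow

int main()
{
    uint8_t real[shadow::pageSize];
    std::memset(real, 0xAA, sizeof real);
    shadow::ShadowPage page(real);
    uint64_t value = 0x1122334455667788ULL;
    page.set(6, value); // bytes 6..13 -> chunks 1, 2 and 3 -> mask 0xE
    std::cout << std::hex << page.dirtyBits() << std::dec << " " << page.flushWrites() << "\n"; // e 3
    return 0;
}
```

The mask is computed from the write's full byte range, not from its starting chunk alone, so a 64-bit store at offset 6 dirties chunks 1 to 3; the flush copies those twelve bytes and nothing else.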
1353
1354 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1355
1356         [JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed
1357         https://bugs.webkit.org/show_bug.cgi?id=176917
1358
1359         Reviewed by Saam Barati.
1360
1361         * dfg/DFGByteCodeParser.cpp:
1362         (JSC::DFG::ByteCodeParser::inliningCost):
1363         * runtime/Options.h:
1364
1365 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1366
1367         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
1368         https://bugs.webkit.org/show_bug.cgi?id=176867
1369
1370         Reviewed by Sam Weinig.
1371
1372         We rarely require private symbols when enumerating property names.
1373         This patch adds PrivateSymbolMode::{Include,Exclude}. If PrivateSymbolMode::Exclude
1374         is specified, PropertyNameArray does not include private symbols.
        This removes many ad-hoc `Identifier::isPrivateName()` checks in enumeration operations.
1376
1377         One additional good thing is that we do not need to filter private symbols out from PropertyNameArray.
1378         It allows us to use Object.keys()'s fast path for Object.getOwnPropertySymbols.
1379
1380         object-get-own-property-symbols                48.6275+-1.0021     ^     38.1846+-1.7934        ^ definitely 1.2735x faster
1381
1382         * API/JSObjectRef.cpp:
1383         (JSObjectCopyPropertyNames):
1384         * bindings/ScriptValue.cpp:
1385         (Inspector::jsToInspectorValue):
1386         * bytecode/ObjectAllocationProfile.h:
1387         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
1388         * runtime/EnumerationMode.h:
1389         * runtime/IntlObject.cpp:
1390         (JSC::supportedLocales):
1391         * runtime/JSONObject.cpp:
1392         (JSC::Stringifier::Stringifier):
1393         (JSC::Stringifier::Holder::appendNextProperty):
1394         (JSC::Walker::walk):
1395         * runtime/JSPropertyNameEnumerator.cpp:
1396         (JSC::JSPropertyNameEnumerator::create):
1397         * runtime/JSPropertyNameEnumerator.h:
1398         (JSC::propertyNameEnumerator):
1399         * runtime/ObjectConstructor.cpp:
1400         (JSC::objectConstructorGetOwnPropertyDescriptors):
1401         (JSC::objectConstructorAssign):
1402         (JSC::objectConstructorValues):
1403         (JSC::defineProperties):
1404         (JSC::setIntegrityLevel):
1405         (JSC::testIntegrityLevel):
1406         (JSC::ownPropertyKeys):
1407         * runtime/PropertyNameArray.h:
1408         (JSC::PropertyNameArray::PropertyNameArray):
1409         (JSC::PropertyNameArray::propertyNameMode const):
1410         (JSC::PropertyNameArray::privateSymbolMode const):
1411         (JSC::PropertyNameArray::addUncheckedInternal):
1412         (JSC::PropertyNameArray::addUnchecked):
1413         (JSC::PropertyNameArray::add):
1414         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
1415         (JSC::PropertyNameArray::includeSymbolProperties const):
1416         (JSC::PropertyNameArray::includeStringProperties const):
1417         (JSC::PropertyNameArray::mode const): Deleted.
1418         * runtime/ProxyObject.cpp:
1419         (JSC::ProxyObject::performGetOwnPropertyNames):
1420
1421 2017-09-13  Mark Lam  <mark.lam@apple.com>
1422
1423         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
1424         https://bugs.webkit.org/show_bug.cgi?id=176888
1425         <rdar://problem/34381832>
1426
1427         Not reviewed.
1428
1429         * JavaScriptCore.xcodeproj/project.pbxproj:
1430         * assembler/MacroAssembler.cpp:
1431         (JSC::stdFunctionCallback):
1432         * assembler/MacroAssemblerPrinter.cpp:
1433         (JSC::Printer::printCallback):
1434         * assembler/ProbeContext.h:
1435         (JSC::Probe:: const):
1436         (JSC::Probe::Context::Context):
1437         (JSC::Probe::Context::gpr):
1438         (JSC::Probe::Context::spr):
1439         (JSC::Probe::Context::fpr):
1440         (JSC::Probe::Context::gprName):
1441         (JSC::Probe::Context::sprName):
1442         (JSC::Probe::Context::fprName):
1443         (JSC::Probe::Context::pc):
1444         (JSC::Probe::Context::fp):
1445         (JSC::Probe::Context::sp):
1446         (JSC::Probe::CPUState::gpr const): Deleted.
1447         (JSC::Probe::CPUState::spr const): Deleted.
1448         (JSC::Probe::Context::arg): Deleted.
1449         (JSC::Probe::Context::gpr const): Deleted.
1450         (JSC::Probe::Context::spr const): Deleted.
1451         (JSC::Probe::Context::fpr const): Deleted.
1452         * assembler/ProbeFrame.h: Removed.
1453         * assembler/ProbeStack.cpp:
1454         (JSC::Probe::Page::Page):
1455         * assembler/ProbeStack.h:
1456         (JSC::Probe::Page::get):
1457         (JSC::Probe::Page::set):
1458         (JSC::Probe::Page::physicalAddressFor):
1459         (JSC::Probe::Stack::lowWatermark):
1460         (JSC::Probe::Stack::get):
1461         (JSC::Probe::Stack::set):
1462         * bytecode/ArithProfile.cpp:
1463         * bytecode/ArithProfile.h:
1464         * bytecode/ArrayProfile.h:
1465         (JSC::ArrayProfile::observeArrayMode): Deleted.
1466         * bytecode/CodeBlock.cpp:
1467         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted.
1468         * bytecode/CodeBlock.h:
1469         (JSC::CodeBlock::addressOfOSRExitCounter):
1470         * bytecode/ExecutionCounter.h:
1471         (JSC::ExecutionCounter::hasCrossedThreshold const): Deleted.
1472         (JSC::ExecutionCounter::setNewThresholdForOSRExit): Deleted.
1473         * bytecode/MethodOfGettingAValueProfile.cpp:
1474         (JSC::MethodOfGettingAValueProfile::reportValue): Deleted.
1475         * bytecode/MethodOfGettingAValueProfile.h:
1476         * dfg/DFGDriver.cpp:
1477         (JSC::DFG::compileImpl):
1478         * dfg/DFGJITCode.cpp:
1479         (JSC::DFG::JITCode::findPC):
1480         * dfg/DFGJITCode.h:
1481         * dfg/DFGJITCompiler.cpp:
1482         (JSC::DFG::JITCompiler::linkOSRExits):
1483         (JSC::DFG::JITCompiler::link):
1484         * dfg/DFGOSRExit.cpp:
1485         (JSC::DFG::OSRExit::setPatchableCodeOffset):
1486         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const):
1487         (JSC::DFG::OSRExit::codeLocationForRepatch const):
1488         (JSC::DFG::OSRExit::correctJump):
1489         (JSC::DFG::OSRExit::emitRestoreArguments):
1490         (JSC::DFG::OSRExit::compileOSRExit):
1491         (JSC::DFG::OSRExit::compileExit):
1492         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
1493         (JSC::DFG::jsValueFor): Deleted.
1494         (JSC::DFG::restoreCalleeSavesFor): Deleted.
1495         (JSC::DFG::saveCalleeSavesFor): Deleted.
1496         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted.
1497         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted.
1498         (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted.
1499         (JSC::DFG::createDirectArgumentsDuringExit): Deleted.
1500         (JSC::DFG::createClonedArgumentsDuringExit): Deleted.
1501         (JSC::DFG::emitRestoreArguments): Deleted.
1502         (JSC::DFG::OSRExit::executeOSRExit): Deleted.
1503         (JSC::DFG::reifyInlinedCallFrames): Deleted.
1504         (JSC::DFG::adjustAndJumpToTarget): Deleted.
1505         (JSC::DFG::printOSRExit): Deleted.
1506         * dfg/DFGOSRExit.h:
1507         (JSC::DFG::OSRExitState::OSRExitState): Deleted.
1508         * dfg/DFGOSRExitCompilerCommon.cpp:
1509         * dfg/DFGOSRExitCompilerCommon.h:
1510         * dfg/DFGOperations.cpp:
1511         * dfg/DFGOperations.h:
1512         * dfg/DFGThunks.cpp:
1513         (JSC::DFG::osrExitGenerationThunkGenerator):
1514         (JSC::DFG::osrExitThunkGenerator): Deleted.
1515         * dfg/DFGThunks.h:
1516         * jit/AssemblyHelpers.cpp:
1517         (JSC::AssemblyHelpers::debugCall):
1518         * jit/AssemblyHelpers.h:
1519         * jit/JITOperations.cpp:
1520         * jit/JITOperations.h:
1521         * profiler/ProfilerOSRExit.h:
1522         (JSC::Profiler::OSRExit::incCount): Deleted.
1523         * runtime/JSCJSValue.h:
1524         * runtime/JSCJSValueInlines.h:
1525         * runtime/VM.h:
1526
1527 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1528
1529         [JSC] Move class/struct used in other class' member out of anonymous namespace
1530         https://bugs.webkit.org/show_bug.cgi?id=176876
1531
1532         Reviewed by Saam Barati.
1533
1534         GCC warns if a class has a base or field whose type uses the anonymous namespace
1535         and it is defined in an included file. This is because this possibly violates
        the one definition rule (ODR): if an included file has the anonymous namespace, each
1537         translation unit creates its private anonymous namespace. Thus, each type
1538         inside the anonymous namespace becomes different in each translation unit if
1539         the file is included in multiple translation units.
1540
1541         While the current use in JSC is not violating ODR since these cpp files are included
1542         only once for unified sources, specifying `-Wno-subobject-linkage` could miss
1543         the actual bugs. So, in this patch, we just move related classes/structs out of
1544         the anonymous namespace.
1545
1546         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1547         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::addition):
1548         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::arrayBounds):
1549         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator! const):
1550         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::hash const):
1551         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator== const):
1552         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::dump const):
1553         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::RangeKeyAndAddend):
1554         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::operator! const):
1555         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::dump const):
1556         (JSC::DFG::IntegerCheckCombiningPhase::Range::dump const):
1557         * dfg/DFGLICMPhase.cpp:
1558
1559 2017-09-13  Devin Rousso  <webkit@devinrousso.com>
1560
1561         Web Inspector: Event Listeners section does not update when listeners are added/removed
1562         https://bugs.webkit.org/show_bug.cgi?id=170570
1563         <rdar://problem/31501645>
1564
1565         Reviewed by Joseph Pecoraro.
1566
1567         * inspector/protocol/DOM.json:
1568         Add two new events: "didAddEventListener" and "willRemoveEventListener". These events do not
1569         contain any information about the event listeners that were added/removed. They serve more
1570         as indications that something has changed, and to refetch the data again via `getEventListenersForNode`.
1571
1572 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1573
1574         [JSC] Fix Array allocation in Object.keys
1575         https://bugs.webkit.org/show_bug.cgi?id=176826
1576
1577         Reviewed by Saam Barati.
1578
1579         When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
1580         We check isHavingABadTime() in ownPropertyKeys fast path.
        And we also ensure that ownPropertyKeys uses putDirect operation instead of put by a test.
1582
1583         * runtime/ObjectConstructor.cpp:
1584         (JSC::ownPropertyKeys):
1585
1586 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1587
1588         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
1589         https://bugs.webkit.org/show_bug.cgi?id=176010
1590
1591         Reviewed by Filip Pizlo.
1592
1593         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
1594         It is used for meta property for objects (see peekMeta function in Ember.js).
1595
1596         This patch optimizes WeakMap#get.
1597
1598         1. We use inlineGet to inline WeakMap#get operation in the native function.
1599         Since this native function itself is very small, we should inline HashMap#get
1600         entirely in this function.
1601
1602         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
1603         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
1604         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
1605         ObjectUse, and Int32Use.
1606
1607         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
1608         calculate hash value for the key's Object and use this hash value to look up value from
1609         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
        It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
1611         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
1612         patches.
1613
1614         We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
1615         not used in Ember.js right now.
1616
1617         This patch optimizes WeakMap#get by 50%.
1618
1619                                  baseline                  patched
1620
1621         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
1622
1623         * bytecode/DirectEvalCodeCache.h:
1624         (JSC::DirectEvalCodeCache::tryGet):
1625         * bytecode/SpeculatedType.cpp:
1626         (JSC::dumpSpeculation):
1627         (JSC::speculationFromClassInfo):
1628         (JSC::speculationFromJSType):
1629         (JSC::speculationFromString):
1630         * bytecode/SpeculatedType.h:
1631         * dfg/DFGAbstractInterpreterInlines.h:
1632         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1633         * dfg/DFGByteCodeParser.cpp:
1634         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1635         * dfg/DFGClobberize.h:
1636         (JSC::DFG::clobberize):
1637         * dfg/DFGDoesGC.cpp:
1638         (JSC::DFG::doesGC):
1639         * dfg/DFGFixupPhase.cpp:
1640         (JSC::DFG::FixupPhase::fixupNode):
1641         * dfg/DFGHeapLocation.cpp:
1642         (WTF::printInternal):
1643         * dfg/DFGHeapLocation.h:
1644         * dfg/DFGNode.h:
1645         (JSC::DFG::Node::hasHeapPrediction):
1646         * dfg/DFGNodeType.h:
1647         * dfg/DFGOperations.cpp:
1648         * dfg/DFGOperations.h:
1649         * dfg/DFGPredictionPropagationPhase.cpp:
1650         * dfg/DFGSafeToExecute.h:
1651         (JSC::DFG::SafeToExecuteEdge::operator()):
1652         (JSC::DFG::safeToExecute):
1653         * dfg/DFGSpeculativeJIT.cpp:
1654         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
1655         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
1656         (JSC::DFG::SpeculativeJIT::speculate):
1657         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
1658         * dfg/DFGSpeculativeJIT.h:
1659         (JSC::DFG::SpeculativeJIT::callOperation):
1660         * dfg/DFGSpeculativeJIT32_64.cpp:
1661         (JSC::DFG::SpeculativeJIT::compile):
1662         * dfg/DFGSpeculativeJIT64.cpp:
1663         (JSC::DFG::SpeculativeJIT::compile):
1664         * dfg/DFGUseKind.cpp:
1665         (WTF::printInternal):
1666         * dfg/DFGUseKind.h:
1667         (JSC::DFG::typeFilterFor):
1668         (JSC::DFG::isCell):
1669         * ftl/FTLCapabilities.cpp:
1670         (JSC::FTL::canCompile):
1671         * ftl/FTLLowerDFGToB3.cpp:
1672         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1673         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
1674         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
1675         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
1676         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1677         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
1678         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
1679         * jit/JITOperations.h:
1680         * runtime/HashMapImpl.h:
1681         (JSC::WeakMapHash::hash):
1682         (JSC::WeakMapHash::equal):
1683         * runtime/Intrinsic.cpp:
1684         (JSC::intrinsicName):
1685         * runtime/Intrinsic.h:
1686         * runtime/JSType.h:
1687         * runtime/JSWeakMap.h:
1688         (JSC::isJSWeakMap):
1689         * runtime/JSWeakSet.h:
1690         (JSC::isJSWeakSet):
1691         * runtime/WeakMapBase.cpp:
1692         (JSC::WeakMapBase::get):
1693         * runtime/WeakMapBase.h:
1694         (JSC::WeakMapBase::HashTranslator::hash):
1695         (JSC::WeakMapBase::HashTranslator::equal):
1696         (JSC::WeakMapBase::inlineGet):
1697         * runtime/WeakMapPrototype.cpp:
1698         (JSC::WeakMapPrototype::finishCreation):
1699         (JSC::getWeakMap):
1700         (JSC::protoFuncWeakMapGet):
1701         * runtime/WeakSetPrototype.cpp:
1702         (JSC::getWeakSet):
1703
1704 2017-09-12  Keith Miller  <keith_miller@apple.com>
1705
1706         Rename JavaScriptCore CMake unifiable sources list
1707         https://bugs.webkit.org/show_bug.cgi?id=176823
1708
1709         Reviewed by Joseph Pecoraro.
1710
1711         This patch also changes the error message when the unified source
1712         bundler fails to be more accurate.
1713
1714         * CMakeLists.txt:
1715
1716 2017-09-12  Keith Miller  <keith_miller@apple.com>
1717
1718         Do unified source builds for JSC
1719         https://bugs.webkit.org/show_bug.cgi?id=176076
1720
1721         Reviewed by Geoffrey Garen.
1722
1723         This patch switches the CMake JavaScriptCore build to use unified sources.
1724         The Xcode build will be upgraded in a follow up patch.
1725
1726         Most of the source changes in this patch are fixing static
1727         variable/functions name collisions. The most common collisions
1728         were from our use of "static const bool verbose" and "using
1729         namespace ...". I fixed all the verbose cases and fixed the "using
1730         namespace" issues that occurred under the current bundling
1731         strategy. It's likely that more of the "using namespace" issues
1732         will need to be resolved in the future, particularly in the FTL.
1733
1734         I don't expect either of these problems will apply to other parts
1735         of the project nearly as much as in JSC. Using a verbose variable
        is a JSC idiom and JSC tends to use the same, canonical, class name
1737         in multiple parts of the engine.
1738
1739         * CMakeLists.txt:
1740         * b3/B3CheckSpecial.cpp:
1741         (JSC::B3::CheckSpecial::forEachArg):
1742         (JSC::B3::CheckSpecial::generate):
1743         (JSC::B3::Air::numB3Args): Deleted.
1744         * b3/B3DuplicateTails.cpp:
1745         * b3/B3EliminateCommonSubexpressions.cpp:
1746         * b3/B3FixSSA.cpp:
1747         (JSC::B3::demoteValues):
1748         * b3/B3FoldPathConstants.cpp:
1749         * b3/B3InferSwitches.cpp:
1750         * b3/B3LowerMacrosAfterOptimizations.cpp:
1751         (): Deleted.
1752         * b3/B3LowerToAir.cpp:
1753         (JSC::B3::Air::LowerToAir::LowerToAir): Deleted.
1754         (JSC::B3::Air::LowerToAir::run): Deleted.
1755         (JSC::B3::Air::LowerToAir::shouldCopyPropagate): Deleted.
1756         (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise): Deleted.
1757         (JSC::B3::Air::LowerToAir::ArgPromise::swap): Deleted.
1758         (JSC::B3::Air::LowerToAir::ArgPromise::operator=): Deleted.
1759         (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise): Deleted.
1760         (JSC::B3::Air::LowerToAir::ArgPromise::setTraps): Deleted.
1761         (JSC::B3::Air::LowerToAir::ArgPromise::tmp): Deleted.
1762         (JSC::B3::Air::LowerToAir::ArgPromise::operator bool const): Deleted.
1763         (JSC::B3::Air::LowerToAir::ArgPromise::kind const): Deleted.
1764         (JSC::B3::Air::LowerToAir::ArgPromise::peek const): Deleted.
1765         (JSC::B3::Air::LowerToAir::ArgPromise::consume): Deleted.
1766         (JSC::B3::Air::LowerToAir::ArgPromise::inst): Deleted.
1767         (JSC::B3::Air::LowerToAir::tmp): Deleted.
1768         (JSC::B3::Air::LowerToAir::tmpPromise): Deleted.
1769         (JSC::B3::Air::LowerToAir::canBeInternal): Deleted.
1770         (JSC::B3::Air::LowerToAir::commitInternal): Deleted.
1771         (JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
1772         (JSC::B3::Air::LowerToAir::scaleForShl): Deleted.
1773         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
1774         (JSC::B3::Air::LowerToAir::addr): Deleted.
1775         (JSC::B3::Air::LowerToAir::trappingInst): Deleted.
1776         (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode): Deleted.
1777         (JSC::B3::Air::LowerToAir::loadPromise): Deleted.
1778         (JSC::B3::Air::LowerToAir::imm): Deleted.
1779         (JSC::B3::Air::LowerToAir::bitImm): Deleted.
1780         (JSC::B3::Air::LowerToAir::bitImm64): Deleted.
1781         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
1782         (JSC::B3::Air::LowerToAir::tryOpcodeForType): Deleted.
1783         (JSC::B3::Air::LowerToAir::opcodeForType): Deleted.
1784         (JSC::B3::Air::LowerToAir::appendUnOp): Deleted.
1785         (JSC::B3::Air::LowerToAir::preferRightForResult): Deleted.
1786         (JSC::B3::Air::LowerToAir::appendBinOp): Deleted.
1787         (JSC::B3::Air::LowerToAir::appendShift): Deleted.
1788         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp): Deleted.
1789         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): Deleted.
1790         (JSC::B3::Air::LowerToAir::createStore): Deleted.
1791         (JSC::B3::Air::LowerToAir::storeOpcode): Deleted.
1792         (JSC::B3::Air::LowerToAir::appendStore): Deleted.
1793         (JSC::B3::Air::LowerToAir::moveForType): Deleted.
1794         (JSC::B3::Air::LowerToAir::relaxedMoveForType): Deleted.
1795         (JSC::B3::Air::LowerToAir::print): Deleted.
1796         (JSC::B3::Air::LowerToAir::append): Deleted.
1797         (JSC::B3::Air::LowerToAir::appendTrapping): Deleted.
1798         (JSC::B3::Air::LowerToAir::finishAppendingInstructions): Deleted.
1799         (JSC::B3::Air::LowerToAir::newBlock): Deleted.
1800         (JSC::B3::Air::LowerToAir::splitBlock): Deleted.
1801         (JSC::B3::Air::LowerToAir::ensureSpecial): Deleted.
1802         (JSC::B3::Air::LowerToAir::ensureCheckSpecial): Deleted.
1803         (JSC::B3::Air::LowerToAir::fillStackmap): Deleted.
1804         (JSC::B3::Air::LowerToAir::createGenericCompare): Deleted.
1805         (JSC::B3::Air::LowerToAir::createBranch): Deleted.
1806         (JSC::B3::Air::LowerToAir::createCompare): Deleted.
1807         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
1808         (JSC::B3::Air::LowerToAir::tryAppendLea): Deleted.
1809         (JSC::B3::Air::LowerToAir::appendX86Div): Deleted.
1810         (JSC::B3::Air::LowerToAir::appendX86UDiv): Deleted.
1811         (JSC::B3::Air::LowerToAir::loadLinkOpcode): Deleted.
1812         (JSC::B3::Air::LowerToAir::storeCondOpcode): Deleted.
1813         (JSC::B3::Air::LowerToAir::appendCAS): Deleted.
1814         (JSC::B3::Air::LowerToAir::appendVoidAtomic): Deleted.
1815         (JSC::B3::Air::LowerToAir::appendGeneralAtomic): Deleted.
1816         (JSC::B3::Air::LowerToAir::lower): Deleted.
1817         * b3/B3PatchpointSpecial.cpp:
1818         (JSC::B3::PatchpointSpecial::generate):
1819         * b3/B3ReduceDoubleToFloat.cpp:
1820         (JSC::B3::reduceDoubleToFloat):
1821         * b3/B3ReduceStrength.cpp:
1822         * b3/B3StackmapGenerationParams.cpp:
1823         * b3/B3StackmapSpecial.cpp:
1824         (JSC::B3::StackmapSpecial::repsImpl):
1825         (JSC::B3::StackmapSpecial::repForArg):
1826         * b3/air/AirAllocateStackByGraphColoring.cpp:
1827         (JSC::B3::Air::allocateStackByGraphColoring):
1828         * b3/air/AirEmitShuffle.cpp:
1829         (JSC::B3::Air::emitShuffle):
1830         * b3/air/AirFixObviousSpills.cpp:
1831         * b3/air/AirLowerAfterRegAlloc.cpp:
1832         (JSC::B3::Air::lowerAfterRegAlloc):
1833         * b3/air/AirStackAllocation.cpp:
1834         (JSC::B3::Air::attemptAssignment):
1835         (JSC::B3::Air::assign):
1836         * bytecode/AccessCase.cpp:
1837         (JSC::AccessCase::generateImpl):
1838         * bytecode/CallLinkStatus.cpp:
1839         (JSC::CallLinkStatus::computeDFGStatuses):
1840         * bytecode/GetterSetterAccessCase.cpp:
1841         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
1842         * bytecode/ObjectPropertyConditionSet.cpp:
1843         * bytecode/PolymorphicAccess.cpp:
1844         (JSC::PolymorphicAccess::addCases):
1845         (JSC::PolymorphicAccess::regenerate):
1846         * bytecode/PropertyCondition.cpp:
1847         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1848         * bytecode/StructureStubInfo.cpp:
1849         (JSC::StructureStubInfo::addAccessCase):
1850         * dfg/DFGArgumentsEliminationPhase.cpp:
1851         * dfg/DFGByteCodeParser.cpp:
1852         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
1853         (JSC::DFG::ByteCodeParser::inliningCost):
1854         (JSC::DFG::ByteCodeParser::inlineCall):
1855         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1856         (JSC::DFG::ByteCodeParser::handleInlining):
1857         (JSC::DFG::ByteCodeParser::planLoad):
1858         (JSC::DFG::ByteCodeParser::store):
1859         (JSC::DFG::ByteCodeParser::parseBlock):
1860         (JSC::DFG::ByteCodeParser::linkBlock):
1861         (JSC::DFG::ByteCodeParser::linkBlocks):
1862         * dfg/DFGCSEPhase.cpp:
1863         * dfg/DFGInPlaceAbstractState.cpp:
1864         (JSC::DFG::InPlaceAbstractState::merge):
1865         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1866         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1867         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1868         * dfg/DFGMovHintRemovalPhase.cpp:
1869         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1870         * dfg/DFGPhantomInsertionPhase.cpp:
1871         * dfg/DFGPutStackSinkingPhase.cpp:
1872         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1873         * dfg/DFGVarargsForwardingPhase.cpp:
1874         * ftl/FTLAbstractHeap.cpp:
1875         (JSC::FTL::AbstractHeap::compute):
1876         * ftl/FTLAbstractHeapRepository.cpp:
1877         (JSC::FTL::AbstractHeapRepository::decorateMemory):
1878         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
1879         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
1880         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
1881         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
1882         (JSC::FTL::AbstractHeapRepository::decorateFenceRead):
1883         (JSC::FTL::AbstractHeapRepository::decorateFenceWrite):
1884         (JSC::FTL::AbstractHeapRepository::decorateFencedAccess):
1885         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
1886         * ftl/FTLLink.cpp:
1887         (JSC::FTL::link):
1888         * heap/MarkingConstraintSet.cpp:
1889         (JSC::MarkingConstraintSet::add):
1890         * interpreter/ShadowChicken.cpp:
1891         (JSC::ShadowChicken::update):
1892         * jit/BinarySwitch.cpp:
1893         (JSC::BinarySwitch::BinarySwitch):
1894         (JSC::BinarySwitch::build):
1895         * llint/LLIntData.cpp:
1896         (JSC::LLInt::Data::loadStats):
1897         (JSC::LLInt::Data::saveStats):
1898         * runtime/ArrayPrototype.cpp:
1899         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
1900         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
1901         * runtime/ErrorInstance.cpp:
1902         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
1903         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
1904         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame const): Deleted.
1905         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index const): Deleted.
1906         * runtime/IntlDateTimeFormat.cpp:
1907         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1908         * runtime/PromiseDeferredTimer.cpp:
1909         (JSC::PromiseDeferredTimer::doWork):
1910         (JSC::PromiseDeferredTimer::addPendingPromise):
1911         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1912         * runtime/TypeProfiler.cpp:
1913         (JSC::TypeProfiler::insertNewLocation):
1914         * runtime/TypeProfilerLog.cpp:
1915         (JSC::TypeProfilerLog::processLogEntries):
1916         * runtime/WeakMapPrototype.cpp:
1917         (JSC::protoFuncWeakMapDelete):
1918         (JSC::protoFuncWeakMapGet):
1919         (JSC::protoFuncWeakMapHas):
1920         (JSC::protoFuncWeakMapSet):
1921         (JSC::getWeakMapData): Deleted.
1922         * runtime/WeakSetPrototype.cpp:
1923         (JSC::protoFuncWeakSetDelete):
1924         (JSC::protoFuncWeakSetHas):
1925         (JSC::protoFuncWeakSetAdd):
1926         (JSC::getWeakMapData): Deleted.
1927         * testRegExp.cpp:
1928         (testOneRegExp):
1929         (runFromFiles):
1930         * wasm/WasmB3IRGenerator.cpp:
1931         (JSC::Wasm::parseAndCompile):
1932         * wasm/WasmBBQPlan.cpp:
1933         (JSC::Wasm::BBQPlan::moveToState):
1934         (JSC::Wasm::BBQPlan::parseAndValidateModule):
1935         (JSC::Wasm::BBQPlan::prepare):
1936         (JSC::Wasm::BBQPlan::compileFunctions):
1937         (JSC::Wasm::BBQPlan::complete):
1938         * wasm/WasmFaultSignalHandler.cpp:
1939         (JSC::Wasm::trapHandler):
1940         * wasm/WasmOMGPlan.cpp:
1941         (JSC::Wasm::OMGPlan::OMGPlan):
1942         (JSC::Wasm::OMGPlan::work):
1943         * wasm/WasmPlan.cpp:
1944         (JSC::Wasm::Plan::fail):
1945         * wasm/WasmSignature.cpp:
1946         (JSC::Wasm::SignatureInformation::adopt):
1947         * wasm/WasmWorklist.cpp:
1948         (JSC::Wasm::Worklist::enqueue):
1949
1950 2017-09-12  Michael Saboff  <msaboff@apple.com>
1951
1952         String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp
1953         https://bugs.webkit.org/show_bug.cgi?id=176814
1954
1955         Reviewed by Mark Lam.
1956
        The copy and advance indices were off by one and needed a little fine tuning.
1958
1959         * runtime/StringPrototype.cpp:
1960         (JSC::substituteBackreferencesSlow):
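
Added example, not JSC's substituteBackreferencesSlow: a constructed C++ reference implementation of the ECMA-262 GetSubstitution rules that String.prototype.replace applies to its replacement template, including the case this entry fixes, a `$<name>` reference when the RegExp has no named captures (the template text must then be copied literally, with no extra characters). The names getSubstitution, replaceMatch, Captures and NamedCaptures are assumptions.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <optional>
#include <string>
#include <vector>

// Constructed reference for ECMA-262 GetSubstitution (not JSC code).
// captures[i] is group i+1; an unset optional is an unmatched group.
// namedCaptures is empty when the RegExp has no named groups at all.
using Captures = std::vector<std::optional<std::string>>;
using NamedCaptures = std::optional<std::map<std::string, std::string>>;

std::string getSubstitution(const std::string& matched, const std::string& str, size_t position,
    const Captures& captures, const NamedCaptures& namedCaptures, const std::string& replacement)
{
    const size_t m = captures.size();
    const size_t tailPos = position + matched.size();
    auto isDigit = [](char c) { return c >= '0' && c <= '9'; };
    std::string result;
    for (size_t i = 0; i < replacement.size(); ++i) {
        char ch = replacement[i];
        if (ch != '$' || i + 1 >= replacement.size()) {
            result += ch;
            continue;
        }
        char next = replacement[i + 1];
        if (next == '$') { result += '$'; ++i; }
        else if (next == '&') { result += matched; ++i; }
        else if (next == '`') { result += str.substr(0, position); ++i; }
        else if (next == '\'') { result += str.substr(tailPos); ++i; }
        else if (isDigit(next)) {
            // $nn is tried first, then $n; a number with no such group stays literal.
            size_t n = next - '0';
            size_t consumed = 1;
            if (i + 2 < replacement.size() && isDigit(replacement[i + 2])) {
                size_t nn = n * 10 + (replacement[i + 2] - '0');
                if (nn >= 1 && nn <= m) { n = nn; consumed = 2; }
            }
            if (n == 0 || n > m) { result += '$'; continue; } // digits are copied as-is next
            if (captures[n - 1]) result += *captures[n - 1];   // unmatched group -> ""
            i += consumed;
        }
        else if (next == '<') {
            if (!namedCaptures) { result += '$'; continue; }   // no named groups: "$<name>" is literal
            size_t close = replacement.find('>', i + 2);
            if (close == std::string::npos) { result += '$'; continue; }
            std::string name = replacement.substr(i + 2, close - (i + 2));
            auto it = namedCaptures->find(name);
            if (it != namedCaptures->end()) result += it->second; // unknown name -> ""
            i = close;
        }
        else result += '$'; // "$x" with any other x is literal
    }
    return result;
}

// Replace the single match at [position, position + length) in str.
std::string replaceMatch(const std::string& str, size_t position, size_t length,
    const Captures& captures, const NamedCaptures& namedCaptures, const std::string& tmpl)
{
    std::string matched = str.substr(position, length);
    return str.substr(0, position)
        + getSubstitution(matched, str, position, captures, namedCaptures, tmpl)
        + str.substr(position + length);
}

int main()
{
    // "abc".replace(/b/, "$<x>"): no named groups, so the template is literal.
    std::cout << replaceMatch("abc", 1, 1, {}, std::nullopt, "$<x>") << "\n"; // a$<x>c
    // "abc".replace(/(?<g>b)/, "[$<g>]")
    NamedCaptures named = std::map<std::string, std::string> { { "g", "b" } };
    std::cout << replaceMatch("abc", 1, 1, Captures { std::string("b") }, named, "[$<g>]") << "\n"; // a[b]c
    return 0;
}
```

The two `continue` paths after emitting a lone `$` are where the indices matter: the loop must resume at the character right after the `$` so that `<`, the name and `>` are copied exactly once.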
1961
1962 2017-09-11  Mark Lam  <mark.lam@apple.com>
1963
1964         More exception check book-keeping needed found by 32-bit JSC test failures.
1965         https://bugs.webkit.org/show_bug.cgi?id=176742
1966
1967         Reviewed by Michael Saboff and Keith Miller.
1968
1969         * dfg/DFGOperations.cpp:
1970
1971 2017-09-11  Mark Lam  <mark.lam@apple.com>
1972
1973         Make jsc dump the command line if JSC_dumpOption environment variable is set with a non-zero value.
1974         https://bugs.webkit.org/show_bug.cgi?id=176722
1975
1976         Reviewed by Saam Barati.
1977
1978         For PLATFORM(COCOA), I also dumped the JSC_* environmental variables that are
1979         in effect when jsc is invoked.
1980
1981         * jsc.cpp:
1982         (CommandLine::parseArguments):
1983
1984 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
1985
1986         Unreviewed, rolling out r221854.
1987
1988         The test added with this change fails on 32-bit JSC bots.
1989
1990         Reverted changeset:
1991
1992         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
1993         https://bugs.webkit.org/show_bug.cgi?id=176010
1994         http://trac.webkit.org/changeset/221854
1995
1996 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1997
1998         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
1999         https://bugs.webkit.org/show_bug.cgi?id=176010
2000
2001         Reviewed by Filip Pizlo.
2002
2003         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
2004         It is used for meta property for objects (see peekMeta function in Ember.js).
2005
2006         This patch optimizes WeakMap#get.
2007
2008         1. We use inlineGet to inline WeakMap#get operation in the native function.
2009         Since this native function itself is very small, we should inline HashMap#get
2010         entirely in this function.
2011
2012         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
2013         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
2014         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
2015         ObjectUse, and Int32Use.
2016
2017         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
2018         calculate hash value for the key's Object and use this hash value to look up value from
2019         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
2020         It is worth considering implementing this operation entirely in JIT, like GetMapBucket.
2021         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
2022         patches.
2023
2024         We currently do not implement any other intrinsics (like WeakMap#has, WeakSet) because they are
2025         not used in Ember.js right now.
2026
2027         This patch optimizes WeakMap#get by 50%.
2028
2029                                  baseline                  patched
2030
2031         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
2032
2033         * bytecode/DirectEvalCodeCache.h:
2034         (JSC::DirectEvalCodeCache::tryGet):
2035         * bytecode/SpeculatedType.cpp:
2036         (JSC::dumpSpeculation):
2037         (JSC::speculationFromClassInfo):
2038         (JSC::speculationFromJSType):
2039         (JSC::speculationFromString):
2040         * bytecode/SpeculatedType.h:
2041         * dfg/DFGAbstractInterpreterInlines.h:
2042         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2043         * dfg/DFGByteCodeParser.cpp:
2044         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2045         * dfg/DFGClobberize.h:
2046         (JSC::DFG::clobberize):
2047         * dfg/DFGDoesGC.cpp:
2048         (JSC::DFG::doesGC):
2049         * dfg/DFGFixupPhase.cpp:
2050         (JSC::DFG::FixupPhase::fixupNode):
2051         * dfg/DFGHeapLocation.cpp:
2052         (WTF::printInternal):
2053         * dfg/DFGHeapLocation.h:
2054         * dfg/DFGNode.h:
2055         (JSC::DFG::Node::hasHeapPrediction):
2056         * dfg/DFGNodeType.h:
2057         * dfg/DFGOperations.cpp:
2058         * dfg/DFGOperations.h:
2059         * dfg/DFGPredictionPropagationPhase.cpp:
2060         * dfg/DFGSafeToExecute.h:
2061         (JSC::DFG::SafeToExecuteEdge::operator()):
2062         (JSC::DFG::safeToExecute):
2063         * dfg/DFGSpeculativeJIT.cpp:
2064         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
2065         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
2066         (JSC::DFG::SpeculativeJIT::speculate):
2067         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
2068         * dfg/DFGSpeculativeJIT.h:
2069         (JSC::DFG::SpeculativeJIT::callOperation):
2070         * dfg/DFGSpeculativeJIT32_64.cpp:
2071         (JSC::DFG::SpeculativeJIT::compile):
2072         * dfg/DFGSpeculativeJIT64.cpp:
2073         (JSC::DFG::SpeculativeJIT::compile):
2074         * dfg/DFGUseKind.cpp:
2075         (WTF::printInternal):
2076         * dfg/DFGUseKind.h:
2077         (JSC::DFG::typeFilterFor):
2078         (JSC::DFG::isCell):
2079         * ftl/FTLCapabilities.cpp:
2080         (JSC::FTL::canCompile):
2081         * ftl/FTLLowerDFGToB3.cpp:
2082         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2083         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
2084         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
2085         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
2086         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2087         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
2088         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
2089         * jit/JITOperations.h:
2090         * runtime/Intrinsic.cpp:
2091         (JSC::intrinsicName):
2092         * runtime/Intrinsic.h:
2093         * runtime/JSType.h:
2094         * runtime/JSWeakMap.h:
2095         (JSC::isJSWeakMap):
2096         * runtime/JSWeakSet.h:
2097         (JSC::isJSWeakSet):
2098         * runtime/WeakMapBase.cpp:
2099         (JSC::WeakMapBase::get):
2100         * runtime/WeakMapBase.h:
2101         (JSC::WeakMapBase::HashTranslator::hash):
2102         (JSC::WeakMapBase::HashTranslator::equal):
2103         (JSC::WeakMapBase::inlineGet):
2104         * runtime/WeakMapPrototype.cpp:
2105         (JSC::WeakMapPrototype::finishCreation):
2106         (JSC::getWeakMap):
2107         (JSC::protoFuncWeakMapGet):
2108         * runtime/WeakSetPrototype.cpp:
2109         (JSC::getWeakSet):
2110
2111 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2112
2113         [JSC] Optimize Object.keys by using careful array allocation
2114         https://bugs.webkit.org/show_bug.cgi?id=176654
2115
2116         Reviewed by Darin Adler.
2117
2118         SixSpeed object-assign.es6 stresses Object.keys. Object.keys is one of the frequently used
2119         functions in JS apps. Luckily Object.keys has several good features.
2120
2121         1. Once PropertyNameArray is allocated, we know the length of the result array since
2122         we do not need to filter out keys listed in PropertyNameArray. The exception is ProxyObject,
2123         but it rarely appears. The ProxyObject case goes to the generic path.
2124
2125         2. Object.keys does not need to access the object after listing PropertyNameArray. It means
2126         that we do not need to worry about enumeration attribute changes caused by touching the object.
2127
2128         This patch adds a fast path for Object.keys's array allocation. We allocate the JSArray
2129         with the size and ArrayContiguous indexing shape.
2130
2131         This further improves SixSpeed object-assign.es5 by 13%.
2132
2133                                             baseline                  patched
2134         Microbenchmarks:
2135            object-keys-map-values       73.4324+-2.5397     ^     62.5933+-2.6677        ^ definitely 1.1732x faster
2136            object-keys                  40.8828+-1.5851     ^     29.2066+-1.8944        ^ definitely 1.3998x faster
2137
2138                                             baseline                  patched
2139         SixSpeed:
2140            object-assign.es5           384.8719+-10.7204    ^    340.2734+-12.0947       ^ definitely 1.1311x faster
2141
2142         BTW, a further optimization of Object.keys can be considered: introducing an own property keys
2143         cache which is similar to the current enumeration cache. But this patch is orthogonal to
2144         this optimization!
2145
2146         * runtime/ObjectConstructor.cpp:
2147         (JSC::objectConstructorValues):
2148         (JSC::ownPropertyKeys):
2149         * runtime/ObjectConstructor.h:
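
Why the ProxyObject case in the entry above must take the generic path, shown as an added JavaScript example (not WebKit code; it assumes any spec-compliant engine such as Node): for an ordinary object every collected key is already a known enumerable own key, so the result array length is known up front, whereas for a Proxy the key list comes from the ownKeys trap and each key must still be filtered through getOwnPropertyDescriptor, so the final length is only known after filtering.

```javascript
// Constructed example: Object.keys on a plain object versus on a Proxy.

// Plain object: the engine collects enumerable own string keys directly,
// so the count of keys it lists is the count of keys in the result.
function keysOfPlainObject() {
  const obj = { a: 1, b: 2 };
  Object.defineProperty(obj, 'hidden', { value: 3, enumerable: false });
  return Object.keys(obj); // ['a', 'b']
}

// Proxy: the ownKeys trap can hand back keys that are later dropped
// (not present, or not enumerable) by the getOwnPropertyDescriptor trap,
// so the result cannot be pre-sized from the ownKeys list.
function keysOfProxy() {
  const target = {};
  let ownKeysCalls = 0;
  let descriptorCalls = 0;
  const proxy = new Proxy(target, {
    ownKeys() {
      ownKeysCalls += 1;
      return ['a', 'b', 'c', 'd']; // four keys reported
    },
    getOwnPropertyDescriptor(_t, key) {
      descriptorCalls += 1;
      if (key === 'c') return undefined; // 'c' vanishes on inspection
      return {
        value: 1,
        writable: true,
        enumerable: key !== 'd', // 'd' is hidden from Object.keys
        configurable: true, // required by Proxy invariants on an absent target key
      };
    },
  });
  const keys = Object.keys(proxy); // ['a', 'b']
  return { keys, ownKeysCalls, descriptorCalls };
}
```

The ownKeys trap runs once, but the descriptor trap runs once per reported key (four times here), and two of the four keys are filtered out after the list was built.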
2150
2151 2017-09-10  Mark Lam  <mark.lam@apple.com>
2152
2153         Fix all ExceptionScope verification failures in JavaScriptCore.
2154         https://bugs.webkit.org/show_bug.cgi?id=176662
2155         <rdar://problem/34352085>
2156
2157         Reviewed by Filip Pizlo.
2158
2159         1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope
2160            verification for release builds too (though this requires manually setting
2161            ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).
2162
2163            This is useful because it allows us to run the tests more quickly to check
2164            if any regressions have occurred.  Debug builds run so much slower and are not
2165            good for a quick turnaround.  Debug builds are necessary though to get
2166            trace information without inlining by the C++ compiler.  This is necessary to
2167            diagnose where the missing exception check is.
2168
2169         2. Repurposed the JSC_dumpSimulatedThrows=true option to capture and dump the last
2170            simulated throw when an exception scope verification fails.
2171
2172            Previously, this option dumps the stack trace on all simulated throws.  That
2173            turned out to not be very useful, and slows down the debugging process.
2174            Instead, the new implementation captures the stack trace and only dumps it
2175            if we have a verification failure.
2176
2177         3. Fixed missing exception checks and book-keeping needed to allow the JSC tests
2178            to pass with JSC_validateExceptionChecks=true.
2179
2180         * bytecode/CodeBlock.cpp:
2181         (JSC::CodeBlock::finishCreation):
2182         * dfg/DFGOSRExit.cpp:
2183         (JSC::DFG::OSRExit::executeOSRExit):
2184         * dfg/DFGOperations.cpp:
2185         * interpreter/Interpreter.cpp:
2186         (JSC::eval):
2187         (JSC::loadVarargs):
2188         (JSC::Interpreter::unwind):
2189         (JSC::Interpreter::executeProgram):
2190         (JSC::Interpreter::executeCall):
2191         (JSC::Interpreter::executeConstruct):
2192         (JSC::Interpreter::prepareForRepeatCall):
2193         (JSC::Interpreter::execute):
2194         (JSC::Interpreter::executeModuleProgram):
2195         * jit/JITOperations.cpp:
2196         (JSC::getByVal):
2197         * jsc.cpp:
2198         (WTF::CustomGetter::customGetterAcessor):
2199         (GlobalObject::moduleLoaderImportModule):
2200         (GlobalObject::moduleLoaderResolve):
2201         * llint/LLIntSlowPaths.cpp:
2202         (JSC::LLInt::getByVal):
2203         (JSC::LLInt::setUpCall):
2204         * parser/Parser.h:
2205         (JSC::Parser::popScopeInternal):
2206         * runtime/AbstractModuleRecord.cpp:
2207         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2208         (JSC::AbstractModuleRecord::resolveImport):
2209         (JSC::AbstractModuleRecord::resolveExportImpl):
2210         (JSC::getExportedNames):
2211         (JSC::AbstractModuleRecord::getModuleNamespace):
2212         * runtime/ArrayPrototype.cpp:
2213         (JSC::getProperty):
2214         (JSC::unshift):
2215         (JSC::arrayProtoFuncToString):
2216         (JSC::arrayProtoFuncToLocaleString):
2217         (JSC::arrayProtoFuncJoin):
2218         (JSC::arrayProtoFuncPop):
2219         (JSC::arrayProtoFuncPush):
2220         (JSC::arrayProtoFuncReverse):
2221         (JSC::arrayProtoFuncShift):
2222         (JSC::arrayProtoFuncSlice):
2223         (JSC::arrayProtoFuncSplice):
2224         (JSC::arrayProtoFuncUnShift):
2225         (JSC::arrayProtoFuncIndexOf):
2226         (JSC::arrayProtoFuncLastIndexOf):
2227         (JSC::concatAppendOne):
2228         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2229         (JSC::arrayProtoPrivateFuncAppendMemcpy):
2230         * runtime/CatchScope.h:
2231         * runtime/CommonSlowPaths.cpp:
2232         (JSC::SLOW_PATH_DECL):
2233         * runtime/DatePrototype.cpp:
2234         (JSC::dateProtoFuncSetTime):
2235         (JSC::setNewValueFromTimeArgs):
2236         * runtime/DirectArguments.h:
2237         (JSC::DirectArguments::length const):
2238         * runtime/ErrorPrototype.cpp:
2239         (JSC::errorProtoFuncToString):
2240         * runtime/ExceptionFuzz.cpp:
2241         (JSC::doExceptionFuzzing):
2242         * runtime/ExceptionScope.h:
2243         (JSC::ExceptionScope::needExceptionCheck):
2244         (JSC::ExceptionScope::assertNoException):
2245         * runtime/GenericArgumentsInlines.h:
2246         (JSC::GenericArguments<Type>::defineOwnProperty):
2247         * runtime/HashMapImpl.h:
2248         (JSC::HashMapImpl::rehash):
2249         * runtime/IntlDateTimeFormat.cpp:
2250         (JSC::IntlDateTimeFormat::formatToParts):
2251         * runtime/JSArray.cpp:
2252         (JSC::JSArray::defineOwnProperty):
2253         (JSC::JSArray::put):
2254         * runtime/JSCJSValue.cpp:
2255         (JSC::JSValue::putToPrimitive):
2256         (JSC::JSValue::putToPrimitiveByIndex):
2257         * runtime/JSCJSValueInlines.h:
2258         (JSC::JSValue::toIndex const):
2259         (JSC::JSValue::get const):
2260         (JSC::JSValue::getPropertySlot const):
2261         (JSC::JSValue::equalSlowCaseInline):
2262         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2263         (JSC::constructGenericTypedArrayViewFromIterator):
2264         (JSC::constructGenericTypedArrayViewWithArguments):
2265         * runtime/JSGenericTypedArrayViewInlines.h:
2266         (JSC::JSGenericTypedArrayView<Adaptor>::set):
2267         * runtime/JSGlobalObject.cpp:
2268         (JSC::JSGlobalObject::put):
2269         * runtime/JSGlobalObjectFunctions.cpp:
2270         (JSC::decode):
2271         (JSC::globalFuncEval):
2272         (JSC::globalFuncProtoGetter):
2273         (JSC::globalFuncProtoSetter):
2274         (JSC::globalFuncImportModule):
2275         * runtime/JSInternalPromise.cpp:
2276         (JSC::JSInternalPromise::then):
2277         * runtime/JSInternalPromiseDeferred.cpp:
2278         (JSC::JSInternalPromiseDeferred::create):
2279         * runtime/JSJob.cpp:
2280         (JSC::JSJobMicrotask::run):
2281         * runtime/JSModuleEnvironment.cpp:
2282         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2283         (JSC::JSModuleEnvironment::put):
2284         (JSC::JSModuleEnvironment::deleteProperty):
2285         * runtime/JSModuleLoader.cpp:
2286         (JSC::JSModuleLoader::provide):
2287         (JSC::JSModuleLoader::loadAndEvaluateModule):
2288         (JSC::JSModuleLoader::loadModule):
2289         (JSC::JSModuleLoader::linkAndEvaluateModule):
2290         (JSC::JSModuleLoader::requestImportModule):
2291         * runtime/JSModuleRecord.cpp:
2292         (JSC::JSModuleRecord::link):
2293         (JSC::JSModuleRecord::instantiateDeclarations):
2294         * runtime/JSONObject.cpp:
2295         (JSC::Stringifier::stringify):
2296         (JSC::Stringifier::toJSON):
2297         (JSC::JSONProtoFuncParse):
2298         * runtime/JSObject.cpp:
2299         (JSC::JSObject::calculatedClassName):
2300         (JSC::ordinarySetSlow):
2301         (JSC::JSObject::putInlineSlow):
2302         (JSC::JSObject::ordinaryToPrimitive const):
2303         (JSC::JSObject::toPrimitive const):
2304         (JSC::JSObject::hasInstance):
2305         (JSC::JSObject::getPropertyNames):
2306         (JSC::JSObject::toNumber const):
2307         (JSC::JSObject::defineOwnIndexedProperty):
2308         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2309         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2310         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2311         (JSC::validateAndApplyPropertyDescriptor):
2312         (JSC::JSObject::defineOwnNonIndexProperty):
2313         (JSC::JSObject::getGenericPropertyNames):
2314         * runtime/JSObject.h:
2315         (JSC::JSObject::get const):
2316         * runtime/JSObjectInlines.h:
2317         (JSC::JSObject::getPropertySlot const):
2318         (JSC::JSObject::getPropertySlot):
2319         (JSC::JSObject::getNonIndexPropertySlot):
2320         (JSC::JSObject::putInlineForJSObject):
2321         * runtime/JSPromiseConstructor.cpp:
2322         (JSC::constructPromise):
2323         * runtime/JSPromiseDeferred.cpp:
2324         (JSC::JSPromiseDeferred::create):
2325         * runtime/JSScope.cpp:
2326         (JSC::abstractAccess):
2327         (JSC::JSScope::resolve):
2328         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
2329         (JSC::JSScope::abstractResolve):
2330         * runtime/LiteralParser.cpp:
2331         (JSC::LiteralParser<CharType>::tryJSONPParse):
2332         (JSC::LiteralParser<CharType>::parse):
2333         * runtime/Lookup.h:
2334         (JSC::putEntry):
2335         * runtime/MapConstructor.cpp:
2336         (JSC::constructMap):
2337         * runtime/NumberPrototype.cpp:
2338         (JSC::numberProtoFuncToString):
2339         * runtime/ObjectConstructor.cpp:
2340         (JSC::objectConstructorSetPrototypeOf):
2341         (JSC::objectConstructorGetOwnPropertyDescriptor):
2342         (JSC::objectConstructorGetOwnPropertyDescriptors):
2343         (JSC::objectConstructorAssign):
2344         (JSC::objectConstructorValues):
2345         (JSC::toPropertyDescriptor):
2346         (JSC::objectConstructorDefineProperty):
2347         (JSC::defineProperties):
2348         (JSC::objectConstructorDefineProperties):
2349         (JSC::ownPropertyKeys):
2350         * runtime/ObjectPrototype.cpp:
2351         (JSC::objectProtoFuncHasOwnProperty):
2352         (JSC::objectProtoFuncIsPrototypeOf):
2353         (JSC::objectProtoFuncLookupGetter):
2354         (JSC::objectProtoFuncLookupSetter):
2355         (JSC::objectProtoFuncToLocaleString):
2356         (JSC::objectProtoFuncToString):
2357         * runtime/Options.h:
2358         * runtime/ParseInt.h:
2359         (JSC::toStringView):
2360         * runtime/ProxyObject.cpp:
2361         (JSC::performProxyGet):
2362         (JSC::ProxyObject::performPut):
2363         * runtime/ReflectObject.cpp:
2364         (JSC::reflectObjectDefineProperty):
2365         * runtime/RegExpConstructor.cpp:
2366         (JSC::toFlags):
2367         (JSC::regExpCreate):
2368         (JSC::constructRegExp):
2369         * runtime/RegExpObject.cpp:
2370         (JSC::collectMatches):
2371         * runtime/RegExpObjectInlines.h:
2372         (JSC::RegExpObject::execInline):
2373         (JSC::RegExpObject::matchInline):
2374         * runtime/RegExpPrototype.cpp:
2375         (JSC::regExpProtoFuncTestFast):
2376         (JSC::regExpProtoFuncExec):
2377         (JSC::regExpProtoFuncMatchFast):
2378         (JSC::regExpProtoFuncToString):
2379         (JSC::regExpProtoFuncSplitFast):
2380         * runtime/ScriptExecutable.cpp:
2381         (JSC::ScriptExecutable::newCodeBlockFor):
2382         (JSC::ScriptExecutable::prepareForExecutionImpl):
2383         * runtime/SetConstructor.cpp:
2384         (JSC::constructSet):
2385         * runtime/ThrowScope.cpp:
2386         (JSC::ThrowScope::simulateThrow):
2387         * runtime/VM.cpp:
2388         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
2389         * runtime/VM.h:
2390         * runtime/WeakMapPrototype.cpp:
2391         (JSC::protoFuncWeakMapSet):
2392         * runtime/WeakSetPrototype.cpp:
2393         (JSC::protoFuncWeakSetAdd):
2394         * wasm/js/WebAssemblyModuleConstructor.cpp:
2395         (JSC::WebAssemblyModuleConstructor::createModule):
2396         * wasm/js/WebAssemblyModuleRecord.cpp:
2397         (JSC::WebAssemblyModuleRecord::link):
2398         * wasm/js/WebAssemblyPrototype.cpp:
2399         (JSC::reject):
2400         (JSC::webAssemblyCompileFunc):
2401         (JSC::resolve):
2402         (JSC::webAssemblyInstantiateFunc):
2403
2404 2017-09-08  Filip Pizlo  <fpizlo@apple.com>
2405
2406         Error should compute .stack and friends lazily
2407         https://bugs.webkit.org/show_bug.cgi?id=176645
2408
2409         Reviewed by Saam Barati.
2410         
2411         Building the string portion of the stack trace after we walk the stack accounts for most of
2412         the cost of computing the .stack property. So, this patch makes ErrorInstance hold onto the
2413         Vector<StackFrame> so that it can build the string only once it's really needed.
2414         
2415         This is an enormous speed-up for programs that allocate and throw exceptions.
2416         
2417         It's a 5.6x speed-up for "new Error()" with a stack that is 4 functions deep.
2418         
2419         It's a 2.2x speed-up for throwing and catching an Error.
2420         
2421         It's a 1.17x speed-up for the WSL test suite (which throws a lot).
2422         
2423         It's a significant speed-up on many of our existing try-catch microbenchmarks. For example,
2424         delta-blue-try-catch is 1.16x faster.
2425
2426         * interpreter/Interpreter.cpp:
2427         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
2428         (JSC::GetStackTraceFunctor::operator() const):
2429         (JSC::Interpreter::getStackTrace):
2430         * interpreter/Interpreter.h:
2431         * runtime/Error.cpp:
2432         (JSC::getStackTrace):
2433         (JSC::getBytecodeOffset):
2434         (JSC::addErrorInfo):
2435         (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
2436         * runtime/Error.h:
2437         * runtime/ErrorInstance.cpp:
2438         (JSC::ErrorInstance::ErrorInstance):
2439         (JSC::ErrorInstance::finishCreation):
2440         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
2441         (JSC::ErrorInstance::visitChildren):
2442         (JSC::ErrorInstance::getOwnPropertySlot):
2443         (JSC::ErrorInstance::getOwnNonIndexPropertyNames):
2444         (JSC::ErrorInstance::defineOwnProperty):
2445         (JSC::ErrorInstance::put):
2446         (JSC::ErrorInstance::deleteProperty):
2447         * runtime/ErrorInstance.h:
2448         * runtime/Exception.cpp:
2449         (JSC::Exception::visitChildren):
2450         (JSC::Exception::finishCreation):
2451         * runtime/Exception.h:
2452         * runtime/StackFrame.cpp:
2453         (JSC::StackFrame::visitChildren):
2454         * runtime/StackFrame.h:
2455         (JSC::StackFrame::StackFrame):
2456
2457 2017-09-09  Mark Lam  <mark.lam@apple.com>
2458
2459         [Re-landing] Use JIT probes for DFG OSR exit.
2460         https://bugs.webkit.org/show_bug.cgi?id=175144
2461         <rdar://problem/33437050>
2462
2463         Not reviewed.  Original patch reviewed by Saam Barati.
2464
2465         Relanding r221774.
2466
2467         * JavaScriptCore.xcodeproj/project.pbxproj:
2468         * assembler/MacroAssembler.cpp:
2469         (JSC::stdFunctionCallback):
2470         * assembler/MacroAssemblerPrinter.cpp:
2471         (JSC::Printer::printCallback):
2472         * assembler/ProbeContext.h:
2473         (JSC::Probe::CPUState::gpr const):
2474         (JSC::Probe::CPUState::spr const):
2475         (JSC::Probe::Context::Context):
2476         (JSC::Probe::Context::arg):
2477         (JSC::Probe::Context::gpr):
2478         (JSC::Probe::Context::spr):
2479         (JSC::Probe::Context::fpr):
2480         (JSC::Probe::Context::gprName):
2481         (JSC::Probe::Context::sprName):
2482         (JSC::Probe::Context::fprName):
2483         (JSC::Probe::Context::gpr const):
2484         (JSC::Probe::Context::spr const):
2485         (JSC::Probe::Context::fpr const):
2486         (JSC::Probe::Context::pc):
2487         (JSC::Probe::Context::fp):
2488         (JSC::Probe::Context::sp):
2489         (JSC::Probe:: const): Deleted.
2490         * assembler/ProbeFrame.h: Copied from Source/JavaScriptCore/assembler/ProbeFrame.h.
2491         * assembler/ProbeStack.cpp:
2492         (JSC::Probe::Page::Page):
2493         * assembler/ProbeStack.h:
2494         (JSC::Probe::Page::get):
2495         (JSC::Probe::Page::set):
2496         (JSC::Probe::Page::physicalAddressFor):
2497         (JSC::Probe::Stack::lowWatermark):
2498         (JSC::Probe::Stack::get):
2499         (JSC::Probe::Stack::set):
2500         * bytecode/ArithProfile.cpp:
2501         * bytecode/ArithProfile.h:
2502         * bytecode/ArrayProfile.h:
2503         (JSC::ArrayProfile::observeArrayMode):
2504         * bytecode/CodeBlock.cpp:
2505         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
2506         * bytecode/CodeBlock.h:
2507         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
2508         * bytecode/ExecutionCounter.h:
2509         (JSC::ExecutionCounter::hasCrossedThreshold const):
2510         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
2511         * bytecode/MethodOfGettingAValueProfile.cpp:
2512         (JSC::MethodOfGettingAValueProfile::reportValue):
2513         * bytecode/MethodOfGettingAValueProfile.h:
2514         * dfg/DFGDriver.cpp:
2515         (JSC::DFG::compileImpl):
2516         * dfg/DFGJITCode.cpp:
2517         (JSC::DFG::JITCode::findPC): Deleted.
2518         * dfg/DFGJITCode.h:
2519         * dfg/DFGJITCompiler.cpp:
2520         (JSC::DFG::JITCompiler::linkOSRExits):
2521         (JSC::DFG::JITCompiler::link):
2522         * dfg/DFGOSRExit.cpp:
2523         (JSC::DFG::jsValueFor):
2524         (JSC::DFG::restoreCalleeSavesFor):
2525         (JSC::DFG::saveCalleeSavesFor):
2526         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
2527         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2528         (JSC::DFG::saveOrCopyCalleeSavesFor):
2529         (JSC::DFG::createDirectArgumentsDuringExit):
2530         (JSC::DFG::createClonedArgumentsDuringExit):
2531         (JSC::DFG::OSRExit::OSRExit):
2532         (JSC::DFG::emitRestoreArguments):
2533         (JSC::DFG::OSRExit::executeOSRExit):
2534         (JSC::DFG::reifyInlinedCallFrames):
2535         (JSC::DFG::adjustAndJumpToTarget):
2536         (JSC::DFG::printOSRExit):
2537         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
2538         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
2539         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
2540         (JSC::DFG::OSRExit::correctJump): Deleted.
2541         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
2542         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
2543         (JSC::DFG::OSRExit::compileExit): Deleted.
2544         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
2545         * dfg/DFGOSRExit.h:
2546         (JSC::DFG::OSRExitState::OSRExitState):
2547         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
2548         * dfg/DFGOSRExitCompilerCommon.cpp:
2549         * dfg/DFGOSRExitCompilerCommon.h:
2550         * dfg/DFGOperations.cpp:
2551         * dfg/DFGOperations.h:
2552         * dfg/DFGThunks.cpp:
2553         (JSC::DFG::osrExitThunkGenerator):
2554         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
2555         * dfg/DFGThunks.h:
2556         * jit/AssemblyHelpers.cpp:
2557         (JSC::AssemblyHelpers::debugCall): Deleted.
2558         * jit/AssemblyHelpers.h:
2559         * jit/JITOperations.cpp:
2560         * jit/JITOperations.h:
2561         * profiler/ProfilerOSRExit.h:
2562         (JSC::Profiler::OSRExit::incCount):
2563         * runtime/JSCJSValue.h:
2564         * runtime/JSCJSValueInlines.h:
2565         * runtime/VM.h:
2566
2567 2017-09-09  Ryan Haddad  <ryanhaddad@apple.com>
2568
2569         Unreviewed, rolling out r221774.
2570
2571         This change introduced three debug JSC test timeouts.
2572
2573         Reverted changeset:
2574
2575         "Use JIT probes for DFG OSR exit."
2576         https://bugs.webkit.org/show_bug.cgi?id=175144
2577         http://trac.webkit.org/changeset/221774
2578
2579 2017-09-09  Mark Lam  <mark.lam@apple.com>
2580
2581         Avoid duplicate computations of ExecState::vm().
2582         https://bugs.webkit.org/show_bug.cgi?id=176647
2583
2584         Reviewed by Saam Barati.
2585
2586         Because while computing ExecState::vm() is cheap, it is not free.
2587
2588         This patch also:
2589         1. gets rid of some convenience methods in CallFrame that implicitly do an
2590            ExecState::vm() computation.  This minimizes the chance of us accidentally
2591            computing ExecState::vm() more than necessary.
2592         2. passes vm (when available) to methodTable().
2593         3. passes vm (when available) to JSLockHolder.
2594
2595         * API/JSBase.cpp:
2596         (JSCheckScriptSyntax):
2597         (JSGarbageCollect):
2598         (JSReportExtraMemoryCost):
2599         (JSSynchronousGarbageCollectForDebugging):
2600         (JSSynchronousEdenCollectForDebugging):
2601         * API/JSCallbackConstructor.h:
2602         (JSC::JSCallbackConstructor::create):
2603         * API/JSCallbackObject.h:
2604         (JSC::JSCallbackObject::create):
2605         * API/JSContext.mm:
2606         (-[JSContext setException:]):
2607         * API/JSContextRef.cpp:
2608         (JSContextGetGlobalObject):
2609         (JSContextCreateBacktrace):
2610         * API/JSManagedValue.mm:
2611         (-[JSManagedValue value]):
2612         * API/JSObjectRef.cpp:
2613         (JSObjectMake):
2614         (JSObjectMakeFunctionWithCallback):
2615         (JSObjectMakeConstructor):
2616         (JSObjectMakeFunction):
2617         (JSObjectSetPrototype):
2618         (JSObjectHasProperty):
2619         (JSObjectGetProperty):
2620         (JSObjectSetProperty):
2621         (JSObjectSetPropertyAtIndex):
2622         (JSObjectDeleteProperty):
2623         (JSObjectGetPrivateProperty):
2624         (JSObjectSetPrivateProperty):
2625         (JSObjectDeletePrivateProperty):
2626         (JSObjectIsFunction):
2627         (JSObjectCallAsFunction):
2628         (JSObjectCallAsConstructor):
2629         (JSObjectCopyPropertyNames):
2630         (JSPropertyNameAccumulatorAddName):
2631         * API/JSScriptRef.cpp:
2632         * API/JSTypedArray.cpp:
2633         (JSValueGetTypedArrayType):
2634         (JSObjectMakeTypedArrayWithArrayBuffer):
2635         (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
2636         (JSObjectGetTypedArrayBytesPtr):
2637         (JSObjectGetTypedArrayBuffer):
2638         (JSObjectMakeArrayBufferWithBytesNoCopy):
2639         (JSObjectGetArrayBufferBytesPtr):
2640         * API/JSWeakObjectMapRefPrivate.cpp:
2641         * API/JSWrapperMap.mm:
2642         (constructorHasInstance):
2643         (makeWrapper):
2644         * API/ObjCCallbackFunction.mm:
2645         (objCCallbackFunctionForInvocation):
2646         * bytecode/CodeBlock.cpp:
2647         (JSC::CodeBlock::CodeBlock):
2648         (JSC::CodeBlock::jettison):
2649         * bytecode/CodeBlock.h:
2650         (JSC::CodeBlock::addConstant):
2651         (JSC::CodeBlock::replaceConstant):
2652         * bytecode/PutByIdStatus.cpp:
2653         (JSC::PutByIdStatus::computeFromLLInt):
2654         (JSC::PutByIdStatus::computeFor):
2655         * dfg/DFGDesiredWatchpoints.cpp:
2656         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2657         * dfg/DFGGraph.h:
2658         (JSC::DFG::Graph::globalThisObjectFor):
2659         * dfg/DFGOperations.cpp:
2660         * ftl/FTLOSRExitCompiler.cpp:
2661         (JSC::FTL::compileFTLOSRExit):
2662         * ftl/FTLOperations.cpp:
2663         (JSC::FTL::operationPopulateObjectInOSR):
2664         (JSC::FTL::operationMaterializeObjectInOSR):
2665         * heap/GCAssertions.h:
2666         * inspector/InjectedScriptHost.cpp:
2667         (Inspector::InjectedScriptHost::wrapper):
2668         * inspector/JSInjectedScriptHost.cpp:
2669         (Inspector::JSInjectedScriptHost::subtype):
2670         (Inspector::constructInternalProperty):
2671         (Inspector::JSInjectedScriptHost::getInternalProperties):
2672         (Inspector::JSInjectedScriptHost::weakMapEntries):
2673         (Inspector::JSInjectedScriptHost::weakSetEntries):
2674         (Inspector::JSInjectedScriptHost::iteratorEntries):
2675         * inspector/JSJavaScriptCallFrame.cpp:
2676         (Inspector::valueForScopeLocation):
2677         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2678         (Inspector::toJS):
2679         * inspector/ScriptCallStackFactory.cpp:
2680         (Inspector::extractSourceInformationFromException):
2681         (Inspector::createScriptArguments):
2682         * interpreter/CachedCall.h:
2683         (JSC::CachedCall::CachedCall):
2684         * interpreter/CallFrame.h:
2685         (JSC::ExecState::atomicStringTable const): Deleted.
2686         (JSC::ExecState::propertyNames const): Deleted.
2687         (JSC::ExecState::emptyList const): Deleted.
2688         (JSC::ExecState::interpreter): Deleted.
2689         (JSC::ExecState::heap): Deleted.
2690         * interpreter/Interpreter.cpp:
2691         (JSC::Interpreter::executeProgram):
2692         (JSC::Interpreter::execute):
2693         (JSC::Interpreter::executeModuleProgram):
2694         * jit/JIT.cpp:
2695         (JSC::JIT::privateCompileMainPass):
2696         * jit/JITOperations.cpp:
2697         * jit/JITWorklist.cpp:
2698         (JSC::JITWorklist::compileNow):
2699         * jsc.cpp:
2700         (WTF::RuntimeArray::create):
2701         (WTF::RuntimeArray::getOwnPropertySlot):
2702         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
2703         (WTF::DOMJITFunctionObject::unsafeFunction):
2704         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
2705         (GlobalObject::moduleLoaderFetch):
2706         (functionDumpCallFrame):
2707         (functionCreateRoot):
2708         (functionGetElement):
2709         (functionSetElementRoot):
2710         (functionCreateSimpleObject):
2711         (functionSetHiddenValue):
2712         (functionCreateProxy):
2713         (functionCreateImpureGetter):
2714         (functionCreateCustomGetterObject):
2715         (functionCreateDOMJITNodeObject):
2716         (functionCreateDOMJITGetterObject):
2717         (functionCreateDOMJITGetterComplexObject):
2718         (functionCreateDOMJITFunctionObject):
2719         (functionCreateDOMJITCheckSubClassObject):
2720         (functionGCAndSweep):
2721         (functionFullGC):
2722         (functionEdenGC):
2723         (functionHeapSize):
2724         (functionShadowChickenFunctionsOnStack):
2725         (functionSetGlobalConstRedeclarationShouldNotThrow):
2726         (functionJSCOptions):
2727         (functionFailNextNewCodeBlock):
2728         (functionMakeMasquerader):
2729         (functionDumpTypesForAllVariables):
2730         (functionFindTypeForExpression):
2731         (functionReturnTypeFor):
2732         (functionDumpBasicBlockExecutionRanges):
2733         (functionBasicBlockExecutionCount):
2734         (functionDrainMicrotasks):
2735         (functionGenerateHeapSnapshot):
2736         (functionEnsureArrayStorage):
2737         (functionStartSamplingProfiler):
2738         (runInteractive):
2739         * llint/LLIntSlowPaths.cpp:
2740         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2741         * parser/ModuleAnalyzer.cpp:
2742         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2743         * profiler/ProfilerBytecode.cpp:
2744         (JSC::Profiler::Bytecode::toJS const):
2745         * profiler/ProfilerBytecodeSequence.cpp:
2746         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
2747         * profiler/ProfilerBytecodes.cpp:
2748         (JSC::Profiler::Bytecodes::toJS const):
2749         * profiler/ProfilerCompilation.cpp:
2750         (JSC::Profiler::Compilation::toJS const):
2751         * profiler/ProfilerCompiledBytecode.cpp:
2752         (JSC::Profiler::CompiledBytecode::toJS const):
2753         * profiler/ProfilerDatabase.cpp:
2754         (JSC::Profiler::Database::toJS const):
2755         * profiler/ProfilerEvent.cpp:
2756         (JSC::Profiler::Event::toJS const):
2757         * profiler/ProfilerOSRExit.cpp:
2758         (JSC::Profiler::OSRExit::toJS const):
2759         * profiler/ProfilerOrigin.cpp:
2760         (JSC::Profiler::Origin::toJS const):
2761         * profiler/ProfilerProfiledBytecodes.cpp:
2762         (JSC::Profiler::ProfiledBytecodes::toJS const):
2763         * runtime/AbstractModuleRecord.cpp:
2764         (JSC::identifierToJSValue):
2765         (JSC::AbstractModuleRecord::resolveExportImpl):
2766         (JSC::getExportedNames):
2767         * runtime/ArrayPrototype.cpp:
2768         (JSC::arrayProtoFuncToString):
2769         (JSC::arrayProtoFuncToLocaleString):
2770         * runtime/BooleanConstructor.cpp:
2771         (JSC::constructBooleanFromImmediateBoolean):
2772         * runtime/CallData.cpp:
2773         (JSC::call):
2774         * runtime/CommonSlowPaths.cpp:
2775         (JSC::SLOW_PATH_DECL):
2776         * runtime/CommonSlowPaths.h:
2777         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2778         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2779         * runtime/Completion.cpp:
2780         (JSC::checkSyntax):
2781         (JSC::evaluate):
2782         (JSC::loadAndEvaluateModule):
2783         (JSC::loadModule):
2784         (JSC::linkAndEvaluateModule):
2785         (JSC::importModule):
2786         * runtime/ConstructData.cpp:
2787         (JSC::construct):
2788         * runtime/DatePrototype.cpp:
2789         (JSC::dateProtoFuncToJSON):
2790         * runtime/DirectArguments.h:
2791         (JSC::DirectArguments::length const):
2792         * runtime/DirectEvalExecutable.cpp:
2793         (JSC::DirectEvalExecutable::create):
2794         * runtime/ErrorPrototype.cpp:
2795         (JSC::errorProtoFuncToString):
2796         * runtime/ExceptionHelpers.cpp:
2797         (JSC::createUndefinedVariableError):
2798         (JSC::errorDescriptionForValue):
2799         * runtime/FunctionConstructor.cpp:
2800         (JSC::constructFunction):
2801         * runtime/GenericArgumentsInlines.h:
2802         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2803         * runtime/IdentifierInlines.h:
2804         (JSC::Identifier::add):
2805         * runtime/IndirectEvalExecutable.cpp:
2806         (JSC::IndirectEvalExecutable::create):
2807         * runtime/InternalFunction.cpp:
2808         (JSC::InternalFunction::finishCreation):
2809         (JSC::InternalFunction::createSubclassStructureSlow):
2810         * runtime/JSArray.cpp:
2811         (JSC::JSArray::getOwnPropertySlot):
2812         (JSC::JSArray::put):
2813         (JSC::JSArray::deleteProperty):
2814         (JSC::JSArray::getOwnNonIndexPropertyNames):
2815         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
2816         * runtime/JSArray.h:
2817         (JSC::JSArray::shiftCountForShift):
2818         * runtime/JSCJSValue.cpp:
2819         (JSC::JSValue::dumpForBacktrace const):
2820         * runtime/JSDataView.cpp:
2821         (JSC::JSDataView::getOwnPropertySlot):
2822         (JSC::JSDataView::deleteProperty):
2823         (JSC::JSDataView::getOwnNonIndexPropertyNames):
2824         * runtime/JSFunction.cpp:
2825         (JSC::JSFunction::getOwnPropertySlot):
2826         (JSC::JSFunction::deleteProperty):
2827         (JSC::JSFunction::reifyName):
2828         * runtime/JSGlobalObjectFunctions.cpp:
2829         (JSC::globalFuncEval):
2830         * runtime/JSInternalPromise.cpp:
2831         (JSC::JSInternalPromise::then):
2832         * runtime/JSLexicalEnvironment.cpp:
2833         (JSC::JSLexicalEnvironment::deleteProperty):
2834         * runtime/JSMap.cpp:
2835         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
2836         * runtime/JSMapIterator.h:
2837         (JSC::JSMapIterator::advanceIter):
2838         * runtime/JSModuleEnvironment.cpp:
2839         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
2840         * runtime/JSModuleLoader.cpp:
2841         (JSC::printableModuleKey):
2842         (JSC::JSModuleLoader::provide):
2843         (JSC::JSModuleLoader::loadAndEvaluateModule):
2844         (JSC::JSModuleLoader::loadModule):
2845         (JSC::JSModuleLoader::linkAndEvaluateModule):
2846         (JSC::JSModuleLoader::requestImportModule):
2847         * runtime/JSModuleNamespaceObject.h:
2848         * runtime/JSModuleRecord.cpp:
2849         (JSC::JSModuleRecord::evaluate):
2850         * runtime/JSONObject.cpp:
2851         (JSC::Stringifier::Stringifier):
2852         (JSC::Stringifier::appendStringifiedValue):
2853         (JSC::Stringifier::Holder::appendNextProperty):
2854         * runtime/JSObject.cpp:
2855         (JSC::JSObject::calculatedClassName):
2856         (JSC::JSObject::putByIndex):
2857         (JSC::JSObject::ordinaryToPrimitive const):
2858         (JSC::JSObject::toPrimitive const):
2859         (JSC::JSObject::hasInstance):
2860         (JSC::JSObject::getOwnPropertyNames):
2861         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2862         (JSC::getCustomGetterSetterFunctionForGetterSetter):
2863         (JSC::JSObject::getOwnPropertyDescriptor):
2864         (JSC::JSObject::getMethod):
2865         * runtime/JSObject.h:
2866         (JSC::JSObject::createRawObject):
2867         (JSC::JSFinalObject::create):
2868         * runtime/JSObjectInlines.h:
2869         (JSC::JSObject::canPerformFastPutInline):
2870         (JSC::JSObject::putInlineForJSObject):
2871         (JSC::JSObject::hasOwnProperty const):
2872         * runtime/JSScope.cpp:
2873         (JSC::isUnscopable):
2874         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
2875         * runtime/JSSet.cpp:
2876         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
2877         * runtime/JSSetIterator.h:
2878         (JSC::JSSetIterator::advanceIter):
2879         * runtime/JSString.cpp:
2880         (JSC::JSString::getStringPropertyDescriptor):
2881         * runtime/JSString.h:
2882         (JSC::JSString::getStringPropertySlot):
2883         * runtime/MapConstructor.cpp:
2884         (JSC::constructMap):
2885         * runtime/ModuleProgramExecutable.cpp:
2886         (JSC::ModuleProgramExecutable::create):
2887         * runtime/ObjectPrototype.cpp:
2888         (JSC::objectProtoFuncToLocaleString):
2889         * runtime/ProgramExecutable.h:
2890         * runtime/RegExpObject.cpp:
2891         (JSC::RegExpObject::getOwnPropertySlot):
2892         (JSC::RegExpObject::deleteProperty):
2893         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
2894         (JSC::RegExpObject::getPropertyNames):
2895         (JSC::RegExpObject::getGenericPropertyNames):
2896         (JSC::RegExpObject::put):
2897         * runtime/ScopedArguments.h:
2898         (JSC::ScopedArguments::length const):
2899         * runtime/StrictEvalActivation.h:
2900         (JSC::StrictEvalActivation::create):
2901         * runtime/StringObject.cpp:
2902         (JSC::isStringOwnProperty):
2903         (JSC::StringObject::deleteProperty):
2904         (JSC::StringObject::getOwnNonIndexPropertyNames):
2905         * tools/JSDollarVMPrototype.cpp:
2906         (JSC::JSDollarVMPrototype::gc):
2907         (JSC::JSDollarVMPrototype::edenGC):
2908         * wasm/js/WebAssemblyModuleRecord.cpp:
2909         (JSC::WebAssemblyModuleRecord::evaluate):
2910
2911 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2912
2913         [DFG] NewArrayWithSize(size)'s size does not care negative zero
2914         https://bugs.webkit.org/show_bug.cgi?id=176300
2915
2916         Reviewed by Saam Barati.
2917
2918         NewArrayWithSize(size)'s size does not care about negative zero, the
2919         same as NewTypedArray. We propagate this information
2920         in DFGBackwardsPropagationPhase. This removes the negative zero
2921         check in kraken fft's deinterleave function.
2922
2923         * dfg/DFGBackwardsPropagationPhase.cpp:
2924         (JSC::DFG::BackwardsPropagationPhase::propagate):
2925
2926 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2927
2928         [DFG] PutByVal with Array::Generic is too generic
2929         https://bugs.webkit.org/show_bug.cgi?id=176345
2930
2931         Reviewed by Filip Pizlo.
2932
2933         Our DFG/FTL's PutByVal with Array::Generic is a too-generic implementation.
2934         We could have a case like
2935
2936             dst[key] = src[key];
2937
2938         with string or symbol keys. But they are handled in the slow path.
2939         This patch adds PutByVal(CellUse, StringUse/SymbolUse, UntypedUse). They go
2940         to an optimized path that does not have generic checks (isInt32() / isDouble(), etc.).
2941
2942         This improves SixSpeed object-assign.es5 by 9.1%.
2943
2944         object-assign.es5             424.3159+-11.0471    ^    388.8771+-10.9239       ^ definitely 1.0911x faster
2945
2946         * dfg/DFGFixupPhase.cpp:
2947         (JSC::DFG::FixupPhase::fixupNode):
2948         * dfg/DFGOperations.cpp:
2949         (JSC::DFG::putByVal):
2950         (JSC::DFG::putByValInternal):
2951         (JSC::DFG::putByValCellInternal):
2952         (JSC::DFG::putByValCellStringInternal):
2953         (JSC::DFG::operationPutByValInternal): Deleted.
2954         * dfg/DFGOperations.h:
2955         * dfg/DFGSpeculativeJIT.cpp:
2956         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString):
2957         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol):
2958         * dfg/DFGSpeculativeJIT.h:
2959         (JSC::DFG::SpeculativeJIT::callOperation):
2960         * dfg/DFGSpeculativeJIT32_64.cpp:
2961         (JSC::DFG::SpeculativeJIT::compile):
2962         * dfg/DFGSpeculativeJIT64.cpp:
2963         (JSC::DFG::SpeculativeJIT::compile):
2964         * ftl/FTLLowerDFGToB3.cpp:
2965         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2966         * jit/JITOperations.h:
2967
2968 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2969
2970         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
2971         https://bugs.webkit.org/show_bug.cgi?id=176590
2972
2973         Reviewed by Saam Barati.
2974
2975         We add fixup edges for GetByVal(Array::Generic) to call a faster operation instead of the generic operationGetByVal.
2976
2977                                          baseline                  patched
2978
2979         object-iterate                5.8531+-0.3029            5.7903+-0.2795          might be 1.0108x faster
2980         object-iterate-symbols        7.4099+-0.3993     ^      5.8254+-0.2276        ^ definitely 1.2720x faster
2981
2982         * dfg/DFGFixupPhase.cpp:
2983         (JSC::DFG::FixupPhase::fixupNode):
2984         * dfg/DFGOperations.cpp:
2985         (JSC::DFG::getByValObject):
2986         * dfg/DFGOperations.h:
2987         * dfg/DFGSpeculativeJIT.cpp:
2988         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
2989         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
2990         * dfg/DFGSpeculativeJIT.h:
2991         * dfg/DFGSpeculativeJIT32_64.cpp:
2992         (JSC::DFG::SpeculativeJIT::compile):
2993         * dfg/DFGSpeculativeJIT64.cpp:
2994         (JSC::DFG::SpeculativeJIT::compile):
2995         * ftl/FTLLowerDFGToB3.cpp:
2996         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2997
2998 2017-09-07  Mark Lam  <mark.lam@apple.com>
2999
3000         Use JIT probes for DFG OSR exit.
3001         https://bugs.webkit.org/show_bug.cgi?id=175144
3002         <rdar://problem/33437050>
3003
3004         Reviewed by Saam Barati.
3005
3006         This patch does the following:
3007         1. Replaces osrExitGenerationThunkGenerator() with osrExitThunkGenerator().
3008            While osrExitGenerationThunkGenerator() generates a thunk that compiles a
3009            unique OSR offramp for each DFG OSR exit site, osrExitThunkGenerator()
3010            generates a thunk that just executes the OSR exit.
3011
3012            The osrExitThunkGenerator() generated thunk works by using a single JIT probe
3013            to call OSRExit::executeOSRExit().  The JIT probe takes care of preserving
3014            CPU registers, and providing the Probe::Stack mechanism for modifying the
3015            stack frame.
3016
3017            OSRExit::executeOSRExit() replaces OSRExit::compileOSRExit() and
3018            OSRExit::compileExit().  It is basically a re-write of those functions to
3019            execute the OSR exit work instead of compiling code to execute the work.
3020
3021            As a result, we get the following savings:
3022            a. no more OSR exit ramp compilation time.
3023            b. no use of JIT executable memory for storing each unique OSR exit ramp.
3024
3025            On the negative side, we incur these costs:
3026
3027            c. the OSRExit::executeOSRExit() ramp may be a little slower than the compiled
3028               version of the ramp.  However, OSR exits are rare.  Hence, this small
3029               difference should not matter much.  It is also offset by the savings from
3030               (a).
3031
3032            d. the Probe::Stack allocates 1K pages of memory for buffering stack
3033               modifications.  The number of these pages depends on the span of stack memory
3034               that the OSR exit ramp reads from and writes to.  Since the OSR exit ramp
3035               tends to only modify values in the current DFG frame and the current
3036               VMEntryRecord, the number of pages tends to only be 1 or 2.
3037
3038               Using the jsc tests as a workload, the vast majority of tests that do OSR
3039               exit use 3 or fewer 1K pages (with the overwhelming number using just 1 page).
3040               A few pathological tests use up to 14 pages, and one particularly
3041               bad test (function-apply-many-args.js) uses 513 pages.
3042
3043            Similar to the old code, the OSR exit ramp still has 2 parts: 1 part that is
3044            only executed once to compute some values for the exit site that are used by
3045            all exit operations from that site, and a 2nd part to execute the exit.  The
3046            1st part is protected by checking if exit.exitState has already been
3047            initialized.  The computed values are cached in exit.exitState.
3048
3049            Because the OSR exit thunk no longer compiles an OSR exit off-ramp, we no
3050            longer need the facility to patch the site that jumps to the OSR exit ramp.
3051            The DFG::JITCompiler has been modified to remove this patching code.
3052
3053         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
3054            std::memcpy to avoid strict aliasing issues.
3055
3056            Also optimized the implementation of Probe::Stack::physicalAddressFor().
3057
3058         3. Miscellaneous convenience methods added to make the Probe::Context easier to
3059            use.
3060
3061         4. Added a Probe::Frame class that makes it easier to get/set operands and
3062            arguments in a given frame using the deferred write properties of the
3063            Probe::Stack.  Probe::Frame makes it easier to do some of the recovery work in
3064            the OSR exit ramp.
3065
3066         5. Cloned or converted some functions needed by the OSR exit ramp.  The original
3067            JIT versions of these functions are still left in place because they are still
3068            needed for FTL OSR exit.  A FIXME comment has been added to remove them later.
3069            These functions include:
3070
3071            DFGOSRExitCompilerCommon.cpp's handleExitCounts() ==>
3072                CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize()
3073            DFGOSRExitCompilerCommon.cpp's reifyInlinedCallFrames() ==>
3074                DFGOSRExit.cpp's reifyInlinedCallFrames()
3075            DFGOSRExitCompilerCommon.cpp's adjustAndJumpToTarget() ==>
3076                DFGOSRExit.cpp's adjustAndJumpToTarget()
3077
3078            MethodOfGettingAValueProfile::emitReportValue() ==>
3079                MethodOfGettingAValueProfile::reportValue()
3080
3081            DFGOperations.cpp's operationCreateDirectArgumentsDuringExit() ==>
3082                DFGOSRExit.cpp's createDirectArgumentsDuringExit()
3083            DFGOperations.cpp's operationCreateClonedArgumentsDuringExit() ==>
3084                DFGOSRExit.cpp's createClonedArgumentsDuringExit()
3085
3086         * JavaScriptCore.xcodeproj/project.pbxproj:
3087         * assembler/MacroAssembler.cpp:
3088         (JSC::stdFunctionCallback):
3089         * assembler/MacroAssemblerPrinter.cpp:
3090         (JSC::Printer::printCallback):
3091         * assembler/ProbeContext.h:
3092         (JSC::Probe::CPUState::gpr const):
3093         (JSC::Probe::CPUState::spr const):
3094         (JSC::Probe::Context::Context):
3095         (JSC::Probe::Context::arg):
3096         (JSC::Probe::Context::gpr):
3097         (JSC::Probe::Context::spr):
3098         (JSC::Probe::Context::fpr):
3099         (JSC::Probe::Context::gprName):
3100         (JSC::Probe::Context::sprName):
3101         (JSC::Probe::Context::fprName):
3102         (JSC::Probe::Context::gpr const):
3103         (JSC::Probe::Context::spr const):
3104         (JSC::Probe::Context::fpr const):
3105         (JSC::Probe::Context::pc):
3106         (JSC::Probe::Context::fp):
3107         (JSC::Probe::Context::sp):
3108         (JSC::Probe:: const): Deleted.
3109         * assembler/ProbeFrame.h: Added.
3110         (JSC::Probe::Frame::Frame):
3111         (JSC::Probe::Frame::getArgument):
3112         (JSC::Probe::Frame::getOperand):
3113         (JSC::Probe::Frame::get):
3114         (JSC::Probe::Frame::setArgument):
3115         (JSC::Probe::Frame::setOperand):
3116         (JSC::Probe::Frame::set):
3117         * assembler/ProbeStack.cpp:
3118         (JSC::Probe::Page::Page):
3119         * assembler/ProbeStack.h:
3120         (JSC::Probe::Page::get):
3121         (JSC::Probe::Page::set):
3122         (JSC::Probe::Page::physicalAddressFor):
3123         (JSC::Probe::Stack::lowWatermark):
3124         (JSC::Probe::Stack::get):
3125         (JSC::Probe::Stack::set):
3126         * bytecode/ArithProfile.cpp:
3127         * bytecode/ArithProfile.h:
3128         * bytecode/ArrayProfile.h:
3129         (JSC::ArrayProfile::observeArrayMode):
3130         * bytecode/CodeBlock.cpp:
3131         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
3132         * bytecode/CodeBlock.h:
3133         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
3134         * bytecode/ExecutionCounter.h:
3135         (JSC::ExecutionCounter::hasCrossedThreshold const):
3136         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
3137         * bytecode/MethodOfGettingAValueProfile.cpp:
3138         (JSC::MethodOfGettingAValueProfile::reportValue):
3139         * bytecode/MethodOfGettingAValueProfile.h:
3140         * dfg/DFGDriver.cpp:
3141         (JSC::DFG::compileImpl):
3142         * dfg/DFGJITCode.cpp:
3143         (JSC::DFG::JITCode::findPC): Deleted.
3144         * dfg/DFGJITCode.h:
3145         * dfg/DFGJITCompiler.cpp:
3146         (JSC::DFG::JITCompiler::linkOSRExits):
3147         (JSC::DFG::JITCompiler::link):
3148         * dfg/DFGOSRExit.cpp:
3149         (JSC::DFG::jsValueFor):
3150         (JSC::DFG::restoreCalleeSavesFor):
3151         (JSC::DFG::saveCalleeSavesFor):
3152         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
3153         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
3154         (JSC::DFG::saveOrCopyCalleeSavesFor):
3155         (JSC::DFG::createDirectArgumentsDuringExit):
3156         (JSC::DFG::createClonedArgumentsDuringExit):
3157         (JSC::DFG::OSRExit::OSRExit):
3158         (JSC::DFG::emitRestoreArguments):
3159         (JSC::DFG::OSRExit::executeOSRExit):
3160         (JSC::DFG::reifyInlinedCallFrames):
3161         (JSC::DFG::adjustAndJumpToTarget):
3162         (JSC::DFG::printOSRExit):
3163         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
3164         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
3165         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
3166         (JSC::DFG::OSRExit::correctJump): Deleted.
3167         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
3168         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
3169         (JSC::DFG::OSRExit::compileExit): Deleted.
3170         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
3171         * dfg/DFGOSRExit.h:
3172         (JSC::DFG::OSRExitState::OSRExitState):
3173         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
3174         * dfg/DFGOSRExitCompilerCommon.cpp:
3175         * dfg/DFGOSRExitCompilerCommon.h:
3176         * dfg/DFGOperations.cpp:
3177         * dfg/DFGOperations.h:
3178         * dfg/DFGThunks.cpp:
3179         (JSC::DFG::osrExitThunkGenerator):
3180         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
3181         * dfg/DFGThunks.h:
3182         * jit/AssemblyHelpers.cpp:
3183         (JSC::AssemblyHelpers::debugCall): Deleted.
3184         * jit/AssemblyHelpers.h:
3185         * jit/JITOperations.cpp:
3186         * jit/JITOperations.h:
3187         * profiler/ProfilerOSRExit.h:
3188         (JSC::Profiler::OSRExit::incCount):
3189         * runtime/JSCJSValue.h:
3190         * runtime/JSCJSValueInlines.h:
3191         * runtime/VM.h:
3192
3193 2017-09-07  Michael Saboff  <msaboff@apple.com>
3194
3195         Add support for RegExp named capture groups
3196         https://bugs.webkit.org/show_bug.cgi?id=176435
3197
3198         Reviewed by Filip Pizlo.
3199
3200         Added parsing for both naming a captured parenthesis as well as using a named group in
3201         a back reference.  Also added support for using named groups with String.prototype.replace().
3202
3203         This patch does not throw Syntax Errors as described in the current spec text for the two
3204         cases of malformed back references in String.prototype.replace() as I believe that it
3205         is inconsistent with the current semantics for handling of other malformed replacement
3206         tokens.  I filed an issue for the requested change to the proposed spec and also filed
3207         a FIXME bug https://bugs.webkit.org/show_bug.cgi?id=176434.
3208
3209         This patch does not implement strength reduction in the optimizing JITs for named capture
3210         groups.  Filed https://bugs.webkit.org/show_bug.cgi?id=176464.
3211
3212         * dfg/DFGAbstractInterpreterInlines.h:
3213         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3214         * dfg/DFGStrengthReductionPhase.cpp:
3215         (JSC::DFG::StrengthReductionPhase::handleNode):
3216         * runtime/CommonIdentifiers.h:
3217         * runtime/JSGlobalObject.cpp:
3218         (JSC::JSGlobalObject::init):
3219         (JSC::JSGlobalObject::haveABadTime):
3220         * runtime/JSGlobalObject.h:
3221         (JSC::JSGlobalObject::regExpMatchesArrayWithGroupsStructure const):
3222         * runtime/RegExp.cpp:
3223         (JSC::RegExp::finishCreation):
3224         * runtime/RegExp.h:
3225         * runtime/RegExpMatchesArray.cpp:
3226         (JSC::createStructureImpl):
3227         (JSC::createRegExpMatchesArrayWithGroupsStructure):
3228         (JSC::createRegExpMatchesArrayWithGroupsSlowPutStructure):
3229         * runtime/RegExpMatchesArray.h:
3230         (JSC::createRegExpMatchesArray):
3231         * runtime/StringPrototype.cpp:
3232         (JSC::substituteBackreferencesSlow):
3233         (JSC::replaceUsingRegExpSearch):
3234         * yarr/YarrParser.h:
3235         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
3236         (JSC::Yarr::Parser::parseEscape):
3237         (JSC::Yarr::Parser::parseParenthesesBegin):
3238         (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
3239         (JSC::Yarr::Parser::tryConsumeIdentifierCharacter):
3240         (JSC::Yarr::Parser::isIdentifierStart):
3241         (JSC::Yarr::Parser::isIdentifierPart):
3242         (JSC::Yarr::Parser::tryConsumeGroupName):
3243         * yarr/YarrPattern.cpp:
3244         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
3245         (JSC::Yarr::YarrPatternConstructor::atomNamedBackReference):
3246         (JSC::Yarr::YarrPattern::errorMessage):
3247         * yarr/YarrPattern.h:
3248         (JSC::Yarr::YarrPattern::reset):
3249         * yarr/YarrSyntaxChecker.cpp:
3250         (JSC::Yarr::SyntaxChecker::atomParenthesesSubpatternBegin):
3251         (JSC::Yarr::SyntaxChecker::atomNamedBackReference):
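
        The three pieces of syntax this entry adds (naming a group, referring to it with a
        \k<name> back reference, and using $<name> in a String.prototype.replace() template)
        exercised from script. This is an added example, not code from the WebKit patch; the
        regular expressions, function names and input strings are constructed for illustration.

```javascript
// Added example (not part of the WebKit ChangeLog): RegExp named capture groups,
// named back references and $<name> replacement tokens as exposed to script.

// A named group (?<name>...) is captured like an ordinary group and additionally
// exposed on match.groups under its name.
const DATE_RE = /(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})/u;

// Parse a constructed ISO-style date; returns null when the input does not match,
// so callers never touch .groups of a failed match.
function parseIsoDate(s) {
  const m = DATE_RE.exec(s);
  if (!m) return null;
  const { year, month, day } = m.groups;
  return { year: Number(year), month: Number(month), day: Number(day) };
}

// $<name> in the replacement string substitutes the named group, which is what
// the patch adds to String.prototype.replace().
function toUsDate(s) {
  return s.replace(DATE_RE, '$<month>/$<day>/$<year>');
}

// \k<name> is a named back reference: it must match exactly the text that the
// group captured, here the opening quote character. The pattern is anchored so a
// mismatched closing quote fails instead of matching a prefix.
const QUOTED_RE = /^(?<q>["'])(?<body>.*?)\k<q>$/;

function unquote(s) {
  const m = QUOTED_RE.exec(s);
  return m ? m.groups.body : null;
}

module.exports = { parseIsoDate, toUsDate, unquote };
```

        The anchored quote pattern shows the usual defensive habit when a back reference
        validates delimiters in untrusted input: check the whole string, and treat a null
        match as rejection rather than reading group values unconditionally.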
3252
3253 2017-09-07  Myles C. Maxfield  <mmaxfield@apple.com>
3254
3255         [PAL] Unify PlatformUserPreferredLanguages.h with Language.h
3256         https://bugs.webkit.org/show_bug.cgi?id=176561
3257
3258         Reviewed by Brent Fulgham.
3259
3260         * runtime/IntlObject.cpp:
3261         (JSC::defaultLocale):
3262
3263 2017-09-07  Joseph Pecoraro  <pecoraro@apple.com>
3264
3265         Augmented Inspector: Provide a way to inspect a DOM Node (DOM.inspect)
3266         https://bugs.webkit.org/show_bug.cgi?id=176563
3267         <rdar://problem/19639583>
3268
3269         Reviewed by Matt Baker.
3270
3271         * inspector/protocol/DOM.json:
3272         Add an event that is useful for augmented inspectors to inspect
3273         a node. Web pages will still prefer Inspector.inspect.
3274
3275 2017-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3276
3277         [JSC] Remove "malloc" and "free" from JSC/API
3278         https://bugs.webkit.org/show_bug.cgi?id=176331
3279
3280         Reviewed by Keith Miller.
3281
3282         Remove "malloc" and "free" manual calls in JSC/API.
3283
3284         * API/JSValue.mm:
3285         (createStructHandlerMap):
3286         * API/JSWrapperMap.mm:
3287         (parsePropertyAttributes):
3288         (makeSetterName):
3289         (copyPrototypeProperties):
3290         Use RetainPtr<NSString> to keep NSString. We avoid repeated "char*" to "NSString" conversion.
3291
3292         * API/ObjcRuntimeExtras.h:
3293         (adoptSystem):
3294         Add adoptSystem to automate calling system free().
3295
3296         (protocolImplementsProtocol):
3297         (forEachProtocolImplementingProtocol):
3298         (forEachMethodInClass):
3299         (forEachMethodInProtocol):
3300         (forEachPropertyInProtocol):
3301         (StringRange::StringRange):
3302         (StringRange::operator const char* const):
3303         (StringRange::get const):
3304         Use CString for backend.
3305
3306         (StructBuffer::StructBuffer):
3307         (StructBuffer::~StructBuffer):
3308         (StringRange::~StringRange): Deleted.
3309         Use fastAlignedMalloc/fastAlignedFree to get aligned memory.
3310
3311 2017-09-06  Mark Lam  <mark.lam@apple.com>
3312
3313         constructGenericTypedArrayViewWithArguments() is missing an exception check.
3314         https://bugs.webkit.org/show_bug.cgi?id=176485
3315         <rdar://problem/33898874>
3316
3317         Reviewed by Keith Miller.
3318
3319         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3320         (JSC::constructGenericTypedArrayViewWithArguments):
3321
3322 2017-09-06  Saam Barati  <sbarati@apple.com>
3323
3324         Air should have a Vector of prologue generators instead of a HashMap representing an optional prologue generator
3325         https://bugs.webkit.org/show_bug.cgi?id=176346
3326
3327         Reviewed by Mark Lam.
3328
3329         * b3/B3Procedure.cpp:
3330         (JSC::B3::Procedure::Procedure):
3331         (JSC::B3::Procedure::setNumEntrypoints):
3332         * b3/B3Procedure.h:
3333         (JSC::B3::Procedure::setNumEntrypoints): Deleted.
3334         * b3/air/AirCode.cpp:
3335         (JSC::B3::Air::defaultPrologueGenerator):
3336         (JSC::B3::Air::Code::Code):
3337         (JSC::B3::Air::Code::setNumEntrypoints):
3338         * b3/air/AirCode.h:
3339         (JSC::B3::Air::Code::setPrologueForEntrypoint):
3340         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
3341         (JSC::B3::Air::Code::setEntrypoints):
3342         (JSC::B3::Air::Code::setEntrypointLabels):
3343         * b3/air/AirGenerate.cpp:
3344         (JSC::B3::Air::generate):
3345         * ftl/FTLLowerDFGToB3.cpp:
3346         (JSC::FTL::DFG::LowerDFGToB3::lower):
3347
3348 2017-09-06  Saam Barati  <sbarati@apple.com>
3349
3350         ASSERTION FAILED: op() == CheckStructure in Source/JavaScriptCore/dfg/DFGNode.h(443)
3351         https://bugs.webkit.org/show_bug.cgi?id=176470
3352
3353         Reviewed by Mark Lam.
3354
3355         Update Node::convertToCheckStructureImmediate's assertion to allow
3356         the node to either be a CheckStructure or CheckStructureOrEmpty.
3357
3358         * dfg/DFGNode.h:
3359         (JSC::DFG::Node::convertToCheckStructureImmediate):
3360
3361 2017-09-05  Saam Barati  <sbarati@apple.com>
3362
3363         isNotCellSpeculation is wrong with respect to SpecEmpty
3364         https://bugs.webkit.org/show_bug.cgi?id=176429
3365
3366         Reviewed by Michael Saboff.
3367
3368         The isNotCellSpeculation(SpeculatedType t) function was not taking into account
3369         SpecEmpty in the set for t. It should return false when SpecEmpty is present, since
3370         the empty value will fail a NotCell check. This bug would cause us to erroneously
3371         generate NotCellUse UseKinds for inputs that are the empty value, causing repeated OSR exits.
3372
3373         * bytecode/SpeculatedType.h:
3374         (JSC::isNotCellSpeculation):
3375
3376 2017-09-05  Saam Barati  <sbarati@apple.com>
3377
3378         Make the distinction between entrypoints and CFG roots more clear by naming things better
3379         https://bugs.webkit.org/show_bug.cgi?id=176336
3380
3381         Reviewed by Mark Lam and Keith Miller and Michael Saboff.
3382
3383         This patch does renaming to make the distinction between Graph::m_entrypoints
3384         and Graph::m_numberOfEntrypoints more clear. The source of confusion is that
3385         Graph::m_entrypoints.size() is not equivalent to Graph::m_numberOfEntrypoints.
3386         Graph::m_entrypoints is really just the CFG roots. In CPS, this vector has
3387         size >= 1. In SSA, the size is always 1. This patch renames Graph::m_entrypoints
3388         to Graph::m_roots. To be consistent, this patch also renames Graph's m_entrypointToArguments
3389         field to m_rootToArguments.
3390         
3391         Graph::m_numberOfEntrypoints retains its name. This field is only used in SSA
3392         when compiling with EntrySwitch. It represents the logical number of entrypoints
3393         the compilation will end up with. Each EntrySwitch has m_numberOfEntrypoints
3394         cases.
3395
3396         * dfg/DFGByteCodeParser.cpp:
3397         (JSC::DFG::ByteCodeParser::parseBlock):
3398         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3399         * dfg/DFGCFG.h:
3400         (JSC::DFG::CFG::roots):
3401         (JSC::DFG::CPSCFG::CPSCFG):
3402         * dfg/DFGCPSRethreadingPhase.cpp:
3403         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
3404         * dfg/DFGDCEPhase.cpp:
3405         (JSC::DFG::DCEPhase::run):
3406         * dfg/DFGGraph.cpp:
3407         (JSC::DFG::Graph::dump):
3408         (JSC::DFG::Graph::determineReachability):
3409         (JSC::DFG::Graph::blocksInPreOrder):
3410         (JSC::DFG::Graph::blocksInPostOrder):
3411         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3412         * dfg/DFGGraph.h:
3413         (JSC::DFG::Graph::isRoot):
3414         (JSC::DFG::Graph::isEntrypoint): Deleted.
3415         * dfg/DFGInPlaceAbstractState.cpp:
3416         (JSC::DFG::InPlaceAbstractState::initialize):
3417         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
3418         (JSC::DFG::createPreHeader):
3419         * dfg/DFGMaximalFlushInsertionPhase.cpp:
3420         (JSC::DFG::MaximalFlushInsertionPhase::run):
3421         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
3422         * dfg/DFGOSREntrypointCreationPhase.cpp:
3423         (JSC::DFG::OSREntrypointCreationPhase::run):
3424         * dfg/DFGPredictionInjectionPhase.cpp:
3425         (JSC::DFG::PredictionInjectionPhase::run):
3426         * dfg/DFGSSAConversionPhase.cpp:
3427         (JSC::DFG::SSAConversionPhase::run):
3428         * dfg/DFGSpeculativeJIT.cpp:
3429         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
3430         (JSC::DFG::SpeculativeJIT::linkOSREntries):
3431         * dfg/DFGTypeCheckHoistingPhase.cpp:
3432         (JSC::DFG::TypeCheckHoistingPhase::run):
3433         * dfg/DFGValidate.cpp:
3434
3435 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
3436
3437         test262: Completion values for control flow do not match the spec
3438         https://bugs.webkit.org/show_bug.cgi?id=171265
3439
3440         Reviewed by Saam Barati.
3441
3442         * bytecompiler/BytecodeGenerator.h:
3443         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
3444         When we care about having proper completion values (global code
3445         in programs, modules, and eval), insert undefined results for
3446         control flow statements.
3447
3448         * bytecompiler/NodesCodegen.cpp:
3449         (JSC::SourceElements::emitBytecode):
3450         Reduce writing a default `undefined` value to the completion result to
3451         only once before the last statement we know will produce a value.
3452
3453         (JSC::IfElseNode::emitBytecode):
3454         (JSC::WithNode::emitBytecode):
3455         (JSC::WhileNode::emitBytecode):
3456         (JSC::ForNode::emitBytecode):
3457         (JSC::ForInNode::emitBytecode):
3458         (JSC::ForOfNode::emitBytecode):
3459         (JSC::SwitchNode::emitBytecode):
3460         Insert an undefined to handle cases where code may break out of an
3461         if/else or with statement (break/continue).
3462
3463         (JSC::TryNode::emitBytecode):
3464         Same handling for break cases. Also, finally block statement completion
3465         values are always ignored for the try statement result.
3466
3467         (JSC::ClassDeclNode::emitBytecode):
3468         Class declarations, like function declarations, produce an empty result.
3469
3470         * parser/Nodes.cpp:
3471         (JSC::SourceElements::lastStatement):
3472         (JSC::SourceElements::hasCompletionValue):
3473         (JSC::SourceElements::hasEarlyBreakOrContinue):
3474         (JSC::BlockNode::lastStatement):
3475         (JSC::BlockNode::singleStatement):
3476         (JSC::BlockNode::hasCompletionValue):
3477         (JSC::BlockNode::hasEarlyBreakOrContinue):
3478         (JSC::ScopeNode::singleStatement):
3479         (JSC::ScopeNode::hasCompletionValue):
3480         (JSC::ScopeNode::hasEarlyBreakOrContinue):
3481         The only non-trivial cases need to loop through their list of statements
3482         to determine if this has a completion value or not. Likewise for
3483         determining if there is an early break / continue, meaning a break or
3484         continue statement with no preceding statement that has a completion value.
3485
3486         * parser/Nodes.h:
3487         (JSC::StatementNode::next):
3488         (JSC::StatementNode::hasCompletionValue):
3489         Helper to check if a statement node produces a completion value or not.
3490
3491 2017-09-04  Saam Barati  <sbarati@apple.com>
3492
3493         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
3494         https://bugs.webkit.org/show_bug.cgi?id=176317
3495
3496         Reviewed by Keith Miller.
3497
3498         It turns out that TypeCheckHoistingPhase may hoist a CheckStructure up to 
3499         the SetLocal of a particular value where the value is the empty JSValue.
3500         On 64-bit platforms, the empty value is zero. This means that the empty value
3501         passes a cell check. This will lead to a crash when we dereference null to load
3502         the value's structure. This patch teaches TypeCheckHoistingPhase to be conservative
3503         in the structure checks it hoists. On 64-bit platforms, instead of emitting a
3504         CheckStructure node, we now emit a CheckStructureOrEmpty node. This node allows
3505         the empty value to flow through. If the value isn't empty, it'll perform the normal
3506         structure check that CheckStructure performs. For now, we only emit CheckStructureOrEmpty
3507         on 64-bit platforms since a cell check on 32-bit platforms does not allow the empty
3508         value to flow through.
3509
3510         * dfg/DFGAbstractInterpreterInlines.h:
3511         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3512         * dfg/DFGArgumentsEliminationPhase.cpp:
3513         * dfg/DFGClobberize.h:
3514         (JSC::DFG::clobberize):
3515         * dfg/DFGConstantFoldingPhase.cpp:
3516         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3517         * dfg/DFGDoesGC.cpp:
3518         (JSC::DFG::doesGC):
3519         * dfg/DFGFixupPhase.cpp:
3520         (JSC::DFG::FixupPhase::fixupNode):
3521         * dfg/DFGNode.h:
3522         (JSC::DFG::Node::convertCheckStructureOrEmptyToCheckStructure):
3523         (JSC::DFG::Node::hasStructureSet):
3524         * dfg/DFGNodeType.h:
3525         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3526         * dfg/DFGPredictionPropagationPhase.cpp:
3527         * dfg/DFGSafeToExecute.h:
3528         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
3529         (JSC::DFG::SafeToExecuteEdge::operator()):
3530         (JSC::DFG::SafeToExecuteEdge::maySeeEmptyChild):
3531         (JSC::DFG::safeToExecute):
3532         * dfg/DFGSpeculativeJIT.cpp:
3533         (JSC::DFG::SpeculativeJIT::emitStructureCheck):
3534         (JSC::DFG::SpeculativeJIT::compileCheckStructure):
3535         * dfg/DFGSpeculativeJIT.h:
3536         * dfg/DFGSpeculativeJIT32_64.cpp:
3537         (JSC::DFG::SpeculativeJIT::compile):
3538         * dfg/DFGSpeculativeJIT64.cpp:
3539         (JSC::DFG::SpeculativeJIT::compile):
3540         * dfg/DFGTypeCheckHoistingPhase.cpp:
3541         (JSC::DFG::TypeCheckHoistingPhase::run):
3542         * dfg/DFGValidate.cpp:
3543         * ftl/FTLCapabilities.cpp:
3544         (JSC::FTL::canCompile):
3545         * ftl/FTLLowerDFGToB3.cpp:
3546         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3547         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureOrEmpty):
3548
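        Added example, not JSC's code: it models the 64-bit JSValue tag layout so the two
        empty-value problems described above (isNotCellSpeculation ignoring SpecEmpty, and a
        hoisted CheckStructure dereferencing the all-zero empty value) can be seen in plain C++,
        next to the CheckStructureOrEmpty and SpecEmpty-aware variants the entries describe.
        The tag constants follow JSC's 2017 JSValue64 encoding; the SpeculatedType bits are a
        simplified stand-in for the real lattice, and the 32-bit encoding is not modelled.

```cpp
#include <cstdint>
#include <cstdio>

// JSValue64 tag layout as JSC used it in 2017 (restated here for the example).
constexpr uint64_t TagTypeNumber   = 0xffff000000000000ull; // set for int32/double
constexpr uint64_t TagBitTypeOther = 0x2;                   // set for null/undefined/bool
constexpr uint64_t TagBitBool      = 0x4;
constexpr uint64_t TagBitUndefined = 0x8;
constexpr uint64_t TagMask         = TagTypeNumber | TagBitTypeOther;

constexpr uint64_t ValueEmpty     = 0x0;                               // the "empty" JSValue
constexpr uint64_t ValueNull      = TagBitTypeOther;                   // 0x2
constexpr uint64_t ValueUndefined = TagBitTypeOther | TagBitUndefined; // 0xa
constexpr uint64_t ValueFalse     = TagBitTypeOther | TagBitBool;      // 0x6

// A cell is any value with no tag bits set. The empty value is all zero, so at
// this level it is indistinguishable from a cell pointer (a null one).
bool isCell(uint64_t v) { return (v & TagMask) == 0; }

struct Structure { int id; };
struct JSCell { Structure* structure; };

// Unconditional CheckStructure: after the cell test, load the cell's Structure.
// With v == ValueEmpty the load is a null dereference (never call it with 0).
bool checkStructure(uint64_t v, const Structure* expected) {
    if (!isCell(v))
        return false; // would OSR exit
    auto* cell = reinterpret_cast<const JSCell*>(static_cast<uintptr_t>(v));
    return cell->structure == expected;
}

// CheckStructureOrEmpty: let the empty value flow through without touching
// memory; every other value gets the normal structure check.
bool checkStructureOrEmpty(uint64_t v, const Structure* expected) {
    if (v == ValueEmpty)
        return true;
    return checkStructure(v, expected);
}

// Simplified SpeculatedType bits (stand-ins, not bytecode/SpeculatedType.h).
using SpeculatedType = uint64_t;
constexpr SpeculatedType SpecNone   = 0;
constexpr SpeculatedType SpecObject = 1ull << 0;
constexpr SpeculatedType SpecString = 1ull << 1;
constexpr SpeculatedType SpecCell   = SpecObject | SpecString;
constexpr SpeculatedType SpecInt32  = 1ull << 2;
constexpr SpeculatedType SpecOther  = 1ull << 3; // null / undefined
constexpr SpeculatedType SpecEmpty  = 1ull << 4;

// Before the fix: SpecEmpty is ignored, so NotCellUse is chosen for a value that
// may be empty. Since empty passes isCell, the NotCell check fails on every
// empty input and the compiled code OSR exits repeatedly.
bool isNotCellSpeculationBuggy(SpeculatedType t) { return t && !(t & SpecCell); }

// After the fix: a type set that includes SpecEmpty is not "definitely not a cell".
bool isNotCellSpeculation(SpeculatedType t) { return t && !(t & (SpecCell | SpecEmpty)); }

// The runtime check a NotCellUse edge compiles to.
bool notCellCheckPasses(uint64_t v) { return !isCell(v); }

int main() {
    Structure s{1};
    JSCell cell{&s};
    uint64_t cellValue = static_cast<uint64_t>(reinterpret_cast<uintptr_t>(&cell));
    std::printf("empty passes isCell: %d\n", isCell(ValueEmpty));
    std::printf("CheckStructureOrEmpty(empty): %d\n", checkStructureOrEmpty(ValueEmpty, &s));
    std::printf("CheckStructureOrEmpty(cell):  %d\n", checkStructureOrEmpty(cellValue, &s));
    std::printf("buggy isNotCellSpeculation(Int32|Empty): %d\n",
                isNotCellSpeculationBuggy(SpecInt32 | SpecEmpty));
    std::printf("fixed isNotCellSpeculation(Int32|Empty): %d\n",
                isNotCellSpeculation(SpecInt32 | SpecEmpty));
    std::printf("NotCell check passes on empty: %d\n", notCellCheckPasses(ValueEmpty));
    return 0;
}
```
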
3549 2017-09-04  Saam Barati  <sbarati@apple.com>
3550
3551         Support compiling catch in the FTL
3552         https://bugs.webkit.org/show_bug.cgi?id=175396
3553
3554         Reviewed by Filip Pizlo.
3555
3556         This patch implements op_catch in the FTL. It extends the DFG implementation
3557         by supporting multiple entrypoints in DFG-SSA. This patch implements this
3558         by introducing an EntrySwitch node. When converting to SSA, we introduce a new
3559         root block with an EntrySwitch that has the previous DFG entrypoints as its
3560         successors. By convention, we pick the zeroth entry point index to be the
3561         op_enter entrypoint. Like in B3, in DFG-SSA, EntrySwitch just acts like a
3562         switch over the entrypoint index argument. DFG::EntrySwitch in the FTL
3563         simply lowers to B3::EntrySwitch. The EntrySwitch in the root block that
3564         SSAConversion creates cannot exit because we would not know where to exit
3565         to in the program: we would not have valid OSR exit state. This design also
3566         mandates that anything we hoist above EntrySwitch in the new root block
3567         cannot exit since it also does not have valid OSR exit state.
3568         
3569         This patch also adds a new metadata node named InitializeEntrypointArguments.
3570         InitializeEntrypointArguments is a metadata node that initializes the flush format for
3571         the arguments at a given entrypoint. For a given entrypoint index, this node
3572         tells AI and OSRAvailabilityAnalysis what the flush format for each argument
3573         is. This allows each individual entrypoint to have an independent set of
3574         argument types. Currently, this won't happen in practice because ArgumentPosition
3575         unifies flush formats, but this is an implementation detail we probably want
3576         to modify in the future. SSAConversion will add InitializeEntrypointArguments
3577         to the beginning of each of the original DFG entrypoint blocks.
3578         
3579         This patch also adds the ability to specify custom prologue code generators in Air.
3580         This allows the FTL to specify a custom prologue for catch entrypoints that
3581         matches the op_catch OSR entry calling convention that the DFG uses. This way,
3582         the baseline JIT code OSR enters into op_catch the same way both in the DFG
3583         and the FTL. In the future, we can use this same mechanism to perform stack
3584         overflow checks instead of using a patchpoint.
3585
3586         * b3/air/AirCode.cpp:
3587         (JSC::B3::Air::Code::isEntrypoint):
3588         (JSC::B3::Air::Code::entrypointIndex):
3589         * b3/air/AirCode.h:
3590         (JSC::B3::Air::Code::setPrologueForEntrypoint):
3591         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
3592         * b3/air/AirGenerate.cpp:
3593         (JSC::B3::Air::generate):
3594         * dfg/DFGAbstractInterpreterInlines.h:
3595         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3596         * dfg/DFGBasicBlock.h:
3597         * dfg/DFGByteCodeParser.cpp:
3598         (JSC::DFG::ByteCodeParser::parseBlock):
3599         (JSC::DFG::ByteCodeParser::parse):
3600         * dfg/DFGCFG.h:
3601         (JSC::DFG::selectCFG):
3602         * dfg/DFGClobberize.h:
3603         (JSC::DFG::clobberize):
3604         * dfg/DFGClobbersExitState.cpp:
3605         (JSC::DFG::clobbersExitState):
3606         * dfg/DFGCommonData.cpp:
3607         (JSC::DFG::CommonData::shrinkToFit):
3608         (JSC::DFG::CommonData::finalizeCatchEntrypoints):
3609         * dfg/DFGCommonData.h:
3610         (JSC::DFG::CommonData::catchOSREntryDataForBytecodeIndex):
3611         (JSC::DFG::CommonData::appendCatchEntrypoint):
3612         * dfg/DFGDoesGC.cpp:
3613         (JSC::DFG::doesGC):
3614         * dfg/DFGFixupPhase.cpp:
3615         (JSC::DFG::FixupPhase::fixupNode):
3616         * dfg/DFGGraph.cpp:
3617         (JSC::DFG::Graph::dump):
3618         (JSC::DFG::Graph::invalidateCFG):
3619         (JSC::DFG::Graph::ensureCPSCFG):
3620         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3621         * dfg/DFGGraph.h:
3622         (JSC::DFG::Graph::isEntrypoint):
3623         * dfg/DFGInPlaceAbstractState.cpp:
3624         (JSC::DFG::InPlaceAbstractState::initialize):
3625         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3626         * dfg/DFGJITCode.cpp:
3627         (JSC::DFG::JITCode::shrinkToFit):
3628         (JSC::DFG::JITCode::finalizeOSREntrypoints):
3629         * dfg/DFGJITCode.h:
3630         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex): Deleted.
3631         (JSC::DFG::JITCode::appendCatchEntrypoint): Deleted.
3632         * dfg/DFGJITCompiler.cpp:
3633         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
3634         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
3635         * dfg/DFGMayExit.cpp:
3636         * dfg/DFGNode.h:
3637         (JSC::DFG::Node::isEntrySwitch):
3638         (JSC::DFG::Node::isTerminal):
3639         (JSC::DFG::Node::entrySwitchData):
3640         (JSC::DFG::Node::numSuccessors):
3641         (JSC::DFG::Node::successor):
3642         (JSC::DFG::Node::entrypointIndex):
3643         * dfg/DFGNodeType.h:
3644         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3645         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
3646         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3647         * dfg/DFGOSREntry.cpp:
3648         (JSC::DFG::prepareCatchOSREntry):
3649         * dfg/DFGOSREntry.h:
3650         * dfg/DFGOSREntrypointCreationPhase.cpp:
3651         (JSC::DFG::OSREntrypointCreationPhase::run):
3652         * dfg/DFGPredictionPropagationPhase.cpp:
3653         * dfg/DFGSSAConversionPhase.cpp:
3654         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
3655         (JSC::DFG::SSAConversionPhase::run):
3656         * dfg/DFGSafeToExecute.h:
3657         (JSC::DFG::safeToExecute):
3658         * dfg/DFGSpeculativeJIT.cpp:
3659         (JSC::DFG::SpeculativeJIT::linkOSREntries):
3660         * dfg/DFGSpeculativeJIT32_64.cpp:
3661         (JSC::DFG::SpeculativeJIT::compile):
3662         * dfg/DFGSpeculativeJIT64.cpp:
3663         (JSC::DFG::SpeculativeJIT::compile):
3664         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
3665         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
3666         * dfg/DFGValidate.cpp:
3667         * ftl/FTLCapabilities.cpp:
3668         (JSC::FTL::canCompile):
3669         * ftl/FTLCompile.cpp:
3670         (JSC::FTL::compile):
3671         * ftl/FTLLowerDFGToB3.cpp:
3672         (JSC::FTL::DFG::LowerDFGToB3::lower):
3673         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3674         (JSC::FTL::DFG::LowerDFGToB3::compileExtractCatchLocal):
3675         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
3676         (JSC::FTL::DFG::LowerDFGToB3::compileEntrySwitch):
3677         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3678         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):
3679         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
3680         (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
3681         * ftl/FTLOutput.cpp:
3682         (JSC::FTL::Output::entrySwitch):
3683         * ftl/FTLOutput.h:
3684         * jit/JITOperations.cpp:
3685
3686 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3687
3688         [DFG][FTL] Efficiently execute number#toString()
3689         https://bugs.webkit.org/show_bug.cgi?id=170007
3690
3691         Reviewed by Keith Miller.
3692
3693         In JS, the natural way to convert a number to a string with a radix is `number.toString(radix)`.
3694         However, our IC only cares about cells. If the base value is a number, it always goes to the slow path.
3695
3696         While extending our IC for number and boolean, the most meaningful use of this IC is calling `number.toString(radix)`.
3697         So, in this patch, we first add a fast path for this in DFG by using a watchpoint. We set up a watchpoint for
3698         Number.prototype.toString. If this watchpoint is kept alive and GetById(base, "toString")'s base should be
3699         speculated as Number, we emit Number-related checks and convert the GetById to a Number.prototype.toString constant.
3700         This removes the costly GetById slow path and makes it a non-clobbering node (JSConstant).
3701
3702         In addition, we add a NumberToStringWithValidRadixConstant node. We have a NumberToStringWithRadix node, but it may
3703         throw an error if the value is invalid (for example, number.toString(2000)). So its clobbering rule
3704         conservatively uses read(World)/write(Heap). But in reality, `number.toString` is mostly called with a constant
3705         radix, and we can easily figure out whether this radix is valid (2 <= radix && radix < 32).
3706         We add a rule to the constant folding phase to convert NumberToStringWithRadix to NumberToStringWithValidRadixConstant.
3707         It ensures that the node has a valid constant radix. We then relax our clobbering rule for NumberToStringWithValidRadixConstant.
3708
3709         Added microbenchmarks show performance improvement.
3710
3711                                                       baseline                  patched
3712
3713         number-to-string-with-radix-cse           43.8312+-1.3017     ^      7.4930+-0.5105        ^ definitely 5.8496x faster
3714         number-to-string-with-radix-10             7.2775+-0.5225     ^      2.1906+-0.1864        ^ definitely 3.3222x faster
3715         number-to-string-with-radix               39.7378+-1.4921     ^     16.6137+-0.7776        ^ definitely 2.3919x faster
3716         number-to-string-strength-reduction       94.9667+-2.7157     ^      9.3060+-0.7202        ^ definitely 10.2049x faster
3717
3718         * dfg/DFGAbstractInterpreterInlines.h:
3719         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3720         * dfg/DFGClobberize.h:
3721         (JSC::DFG::clobberize):
3722         * dfg/DFGConstantFoldingPhase.cpp:
3723         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3724         * dfg/DFGDoesGC.cpp:
3725         (JSC::DFG::doesGC):
3726         * dfg/DFGFixupPhase.cpp:
3727         (JSC::DFG::FixupPhase::fixupNode):
3728         * dfg/DFGGraph.h:
3729         (JSC::DFG::Graph::isWatchingGlobalObjectWatchpoint):
3730         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
3731         (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint):
3732         * dfg/DFGNode.h:
3733         (JSC::DFG::Node::convertToNumberToStringWithValidRadixConstant):
3734         (JSC::DFG::Node::hasValidRadixConstant):
3735         (JSC::DFG::Node::validRadixConstant):
3736         * dfg/DFGNodeType.h:
3737         * dfg/DFGPredictionPropagationPhase.cpp:
3738         * dfg/DFGSafeToExecute.h:
3739         (JSC::DFG::safeToExecute):
3740         * dfg/DFGSpeculativeJIT.cpp:
3741         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor):
3742         (JSC::DFG::SpeculativeJIT::compileNumberToStringWithValidRadixConstant):
3743         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnNumber): Deleted.
3744         * dfg/DFGSpeculativeJIT.h:
3745         * dfg/DFGSpeculativeJIT32_64.cpp:
3746         (JSC::DFG::SpeculativeJIT::compile):
3747         * dfg/DFGSpeculativeJIT64.cpp:
3748         (JSC::DFG::SpeculativeJIT::compile):
3749         * dfg/DFGStrengthReductionPhase.cpp:
3750         (JSC::DFG::StrengthReductionPhase::handleNode):
3751         * ftl/FTLCapabilities.cpp:
3752         (JSC::FTL::canCompile):
3753         * ftl/FTLLowerDFGToB3.cpp:
3754         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3755         (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
3756         * runtime/JSGlobalObject.cpp:
3757         (JSC::JSGlobalObject::JSGlobalObject):
3758         (JSC::JSGlobalObject::init):
3759         (JSC::JSGlobalObject::visitChildren):
3760         * runtime/JSGlobalObject.h:
3761         (JSC::JSGlobalObject::numberToStringWatchpoint):
3762         (JSC::JSGlobalObject::numberProtoToStringFunction const):
3763         * runtime/NumberPrototype.cpp:
3764         (JSC::NumberPrototype::finishCreation):
3765         (JSC::toStringWithRadixInternal):
3766         (JSC::toStringWithRadix):
3767         (JSC::int32ToStringInternal):
3768         (JSC::numberToStringInternal):
3769         * runtime/NumberPrototype.h:
3770
3771 2017-09-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3772
3773         [DFG] Consider increasing the number of DFG worklist threads
3774         https://bugs.webkit.org/show_bug.cgi?id=176222
3775
3776         Reviewed by Saam Barati.
3777
3778         Attempt to add one more thread to the DFG worklist. The DFG compiler sometimes takes
3779         a very long time if the target function is very large. However, the DFG worklist
3780         had only one thread before this patch. Therefore, one function that takes
3781         too much time to be compiled can prevent the other functions from being
3782         compiled in DFG or upper tiers.
3783
3784         One example is Octane/zlib. In zlib, compiling the "a1" function in DFG takes
3785         a super long time (447 ms) because of the super large size of the function.
3786         While this function never gets compiled in FTL due to its large size,
3787         it can be compiled in DFG and takes a super long time. The subsequent "a8" function
3788         compilation in DFG is blocked by this "a1". As a consequence, the benchmark
3789         spends a very long time in a1's Baseline code, which is slower than DFG of course.
3790
3791         While FTL has a few more threads, the DFG worklist has only one thread. This patch
3792         adds one more thread to the DFG worklist to alleviate the above situation. This
3793         change significantly improves Octane/zlib performance.
3794
3795                                     baseline                  patched
3796
3797         zlib           x2     482.32825+-6.07640    ^   408.66072+-14.03856      ^ definitely 1.1803x faster
3798
3799         * runtime/Options.h:
3800
3801 2017-09-04  Sam Weinig  <sam@webkit.org>
3802
3803         [WebIDL] Unify and simplify EnableBySettings with the rest of the runtime settings
3804         https://bugs.webkit.org/show_bug.cgi?id=176312
3805
3806         Reviewed by Darin Adler.
3807
3808         * runtime/CommonIdentifiers.h:
3809
3810             Remove WebCore specific identifiers from CommonIdentifiers. They have been moved
3811             to WebCoreBuiltinNames in WebCore.
3812
3813 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3814
3815         Remove "malloc" and "free" use
3816         https://bugs.webkit.org/show_bug.cgi?id=176310
3817
3818         Reviewed by Darin Adler.
3819
3820         Use Vector instead.
3821
3822         * API/JSWrapperMap.mm:
3823         (selectorToPropertyName):
3824
3825 2017-09-03  Darin Adler  <darin@apple.com>
3826
3827         Try to fix Windows build.
3828
3829         * runtime/JSGlobalObjectFunctions.cpp: #include <unicode/utf8.h>.
3830
3831 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3832
3833         [WTF] Add C++03 allocator interface for GCC < 6
3834         https://bugs.webkit.org/show_bug.cgi?id=176301
3835
3836         Reviewed by Darin Adler.
3837
3838         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3839
3840 2017-09-03  Chris Dumez  <cdumez@apple.com>
3841
3842         Unreviewed, rolling out r221555.
3843
3844         Did not fix Windows build
3845
3846         Reverted changeset:
3847
3848         "Unreviewed attempt to fix Windows build."
3849         http://trac.webkit.org/changeset/221555
3850
3851 2017-09-03  Chris Dumez  <cdumez@apple.com>
3852
3853         Unreviewed attempt to fix Windows build.
3854
3855         * runtime/JSGlobalObjectFunctions.cpp:
3856
3857 2017-09-03  Chris Dumez  <cdumez@apple.com>
3858
3859         Unreviewed, rolling out r221552.
3860
3861         Broke the build
3862
3863         Reverted changeset:
3864
3865         "[WTF] Add C++03 allocator interface for GCC < 6"
3866         https://bugs.webkit.org/show_bug.cgi?id=176301
3867         http://trac.webkit.org/changeset/221552
3868
3869 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3870
3871         [WTF] Add C++03 allocator interface for GCC < 6
3872         https://bugs.webkit.org/show_bug.cgi?id=176301
3873
3874         Reviewed by Darin Adler.
3875
3876         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3877
3878 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3879
3880         [JSC] Clean up BytecodeLivenessAnalysis
3881         https://bugs.webkit.org/show_bug.cgi?id=176295
3882
3883         Reviewed by Saam Barati.
3884
3885         Previously, computeDefsForBytecodeOffset was a bit customizable.
3886         This was used for the try-catch handler's liveness analysis. But after
3887         the careful generatorification implementation, it is no longer necessary.
3888         This patch drops this customizability.
3889
3890         * bytecode/BytecodeGeneratorification.cpp:
3891         (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
3892         (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
3893         * bytecode/BytecodeLivenessAnalysis.cpp:
3894         (JSC::BytecodeLivenessAnalysis::computeKills):
3895         (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
3896         (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
3897         * bytecode/Bytec