[DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase
        https://bugs.webkit.org/show_bug.cgi?id=185802

        Reviewed by Saam Barati.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2018-05-18  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline InstanceOf ICs
        https://bugs.webkit.org/show_bug.cgi?id=185695

        Reviewed by Yusuke Suzuki.

        This teaches the DFG how to inline InstanceOf ICs into a MatchStructure node. This can then
        be folded to a CheckStructure + JSConstant.

        In the process of testing this, I found a bug where LICM was not hoisting things that
        depended on ExtraOSREntryLocal because that might return SpecEmpty. I fixed that by teaching
        LICM how to materialize CheckNotEmpty on demand whenever !HoistingFailed.

        This is a ~5% speed-up on boyer.

        ~2x speed-up on the instanceof-always-hit-one, instanceof-always-hit-two, and
        instanceof-sometimes-hit microbenchmarks.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::appendVariant):
        (JSC::GetByIdStatus::filter):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::operator bool const):
        (JSC::GetByIdStatus::operator! const): Deleted.
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::operator bool const):
        (JSC::GetByIdVariant::operator! const): Deleted.
        * bytecode/ICStatusUtils.h: Added.
        (JSC::appendICStatusVariant):
        (JSC::filterICStatusVariants):
        * bytecode/InstanceOfStatus.cpp: Added.
        (JSC::InstanceOfStatus::appendVariant):
        (JSC::InstanceOfStatus::computeFor):
        (JSC::InstanceOfStatus::computeForStubInfo):
        (JSC::InstanceOfStatus::commonPrototype const):
        (JSC::InstanceOfStatus::filter):
        * bytecode/InstanceOfStatus.h: Added.
        (JSC::InstanceOfStatus::InstanceOfStatus):
        (JSC::InstanceOfStatus::state const):
        (JSC::InstanceOfStatus::isSet const):
        (JSC::InstanceOfStatus::operator bool const):
        (JSC::InstanceOfStatus::isSimple const):
        (JSC::InstanceOfStatus::takesSlowPath const):
        (JSC::InstanceOfStatus::numVariants const):
        (JSC::InstanceOfStatus::variants const):
        (JSC::InstanceOfStatus::at const):
        (JSC::InstanceOfStatus::operator[] const):
        * bytecode/InstanceOfVariant.cpp: Added.
        (JSC::InstanceOfVariant::InstanceOfVariant):
        (JSC::InstanceOfVariant::attemptToMerge):
        (JSC::InstanceOfVariant::dump const):
        (JSC::InstanceOfVariant::dumpInContext const):
        * bytecode/InstanceOfVariant.h: Added.
        (JSC::InstanceOfVariant::InstanceOfVariant):
        (JSC::InstanceOfVariant::operator bool const):
        (JSC::InstanceOfVariant::structureSet const):
        (JSC::InstanceOfVariant::structureSet):
        (JSC::InstanceOfVariant::conditionSet const):
        (JSC::InstanceOfVariant::prototype const):
        (JSC::InstanceOfVariant::isHit const):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::StructureStubInfo):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::considerCaching):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::remove):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasMatchStructureData):
        (JSC::DFG::Node::matchStructureData):
        * dfg/DFGNodeType.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMatchStructure):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileMatchStructure):

2018-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] JSC should have consistent InById IC
        https://bugs.webkit.org/show_bug.cgi?id=185682

        Reviewed by Filip Pizlo.

        Currently our op_in IC is ad hoc: it is only emitted in the DFG and FTL layers,
        when we find that DFG::In's parameter is a constant string. We should
        align this IC with the other ById ICs to clean up and remove ad hoc code
        in DFG and FTL.

        This patch cleans up our "In" IC by aligning it with the other ById ICs.
        We split the op_in bytecode into op_in_by_id and op_in_by_val. op_in_by_val
        is the same as the original op_in. For op_in_by_id, we use JITInByIdGenerator
        to emit InById IC code. In addition, our JITInByIdGenerator and op_in_by_id
        have an inline access cache for the own-property case, the same as
        JITGetByIdGenerator.

        And we split DFG::In into DFG::InById and DFG::InByVal. InByVal is the same
        as the original In DFG node. DFG AI attempts to lower InByVal to InById
        if AI figures out that the property name is a constant string. And in
        the InById node, we use JITInByIdGenerator code.

        This patch cleans up DFG and FTL's ad hoc In IC code.

        In a subsequent patch, we should introduce InByIdStatus to optimize
        InById in DFG and FTL. We would like to have a new InByIdStatus instead of
        reusing GetByIdStatus since GetByIdStatus becomes too complicated, and
        their AccessCase::Types are different (AccessCase::InHit / InMiss).

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::fromStructureStubInfo):
        (JSC::AccessCase::generateWithGuard):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::generateSelfInAccess):
        * bytecode/InlineAccess.h:
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::initInByIdSelf):
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::aboutToDie):
        (JSC::StructureStubInfo::reset):
        (JSC::StructureStubInfo::visitWeakReferences):
        (JSC::StructureStubInfo::propagateTransitions):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::patchableJump):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitInByVal):
        (JSC::BytecodeGenerator::emitInById):
        (JSC::BytecodeGenerator::emitIn): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addInById):
        (JSC::DFG::InRecord::InRecord): Deleted.
        (JSC::DFG::JITCompiler::addIn): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToInById):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInById):
        (JSC::DFG::SpeculativeJIT::compileInByVal):
        (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileInById):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
        * jit/ICStats.h:
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::link):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITInByIdGenerator::JITInByIdGenerator):
        (JSC::JITInByIdGenerator::generateFastPath):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITInByIdGenerator::JITInByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_in_by_id):
        (JSC::JIT::emitSlow_op_in_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_in_by_id):
        (JSC::JIT::emitSlow_op_in_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheInByID):
        (JSC::repatchInByID):
        (JSC::resetInByID):
        (JSC::tryCacheIn): Deleted.
        (JSC::repatchIn): Deleted.
        (JSC::resetIn): Deleted.
        * jit/Repatch.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/NodeConstructors.h:
        (JSC::InNode::InNode):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opInByVal):
        (JSC::CommonSlowPaths::opIn): Deleted.

2018-05-18  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231982.
        https://bugs.webkit.org/show_bug.cgi?id=185793

        Caused layout test failures (Requested by realdawei on
        #webkit).

        Reverted changeset:

        "Complete fix for enabling modern EME by default"
        https://bugs.webkit.org/show_bug.cgi?id=185770
        https://trac.webkit.org/changeset/231982

2018-05-18  Keith Miller  <keith_miller@apple.com>

        op_in should mark if it sees out of bounds accesses
        https://bugs.webkit.org/show_bug.cgi?id=185792

        Reviewed by Filip Pizlo.

        This used to cause us to OSR loop since we would always speculate
        we were in bounds in HasIndexedProperty.

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::observeIndexedRead):
        * bytecode/ArrayProfile.h:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):

2018-05-18  Mark Lam  <mark.lam@apple.com>

        Add missing exception check.
        https://bugs.webkit.org/show_bug.cgi?id=185786
        <rdar://problem/35686560>

        Reviewed by Michael Saboff.

        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):

2018-05-18  Jer Noble  <jer.noble@apple.com>

        Complete fix for enabling modern EME by default
        https://bugs.webkit.org/show_bug.cgi?id=185770
        <rdar://problem/40368220>

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix exception checking, part 2
        https://bugs.webkit.org/show_bug.cgi?id=185350

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByValInternal):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):

2018-05-16  Filip Pizlo  <fpizlo@apple.com>

        JSC should have InstanceOf inline caching
        https://bugs.webkit.org/show_bug.cgi?id=185652

        Reviewed by Saam Barati.

        This adds a polymorphic inline cache for instanceof. It caches hits and misses. It uses the
        existing PolymorphicAccess IC machinery along with all of its heuristics. If we ever generate
        too many cases, we emit the generic instanceof implementation instead.

        All of the JIT tiers use the same InstanceOf IC. It uses the existing JITInlineCacheGenerator
        abstraction.

        This is a ~40% speed-up on instanceof microbenchmarks. It's a *tiny* (~1%) speed-up on
        Octane/boyer. I think I can make that speed-up bigger by inlining the inline cache.

        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/B3Effects.h:
        (JSC::B3::Effects::forReadOnlyCall):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::guardedByStructureCheck const):
        (JSC::AccessCase::canReplace const):
        (JSC::AccessCase::visitWeak const):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCase.h:
        * bytecode/InstanceOfAccessCase.cpp: Added.
        (JSC::InstanceOfAccessCase::create):
        (JSC::InstanceOfAccessCase::dumpImpl const):
        (JSC::InstanceOfAccessCase::clone const):
        (JSC::InstanceOfAccessCase::~InstanceOfAccessCase):
        (JSC::InstanceOfAccessCase::InstanceOfAccessCase):
        * bytecode/InstanceOfAccessCase.h: Added.
        (JSC::InstanceOfAccessCase::prototype const):
        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::hasPrototypeWithoutBarrier):
        (JSC::ObjectPropertyCondition::hasPrototype):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForInstanceOf):
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::addCases):
        (JSC::PolymorphicAccess::regenerate):
        (WTF::printInternal):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::dumpInContext const):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
        (WTF::printInternal):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::absenceWithoutBarrier):
        (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
        (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
        (JSC::PropertyCondition::hasPrototype):
        (JSC::PropertyCondition::hasPrototype const):
        (JSC::PropertyCondition::prototype const):
        (JSC::PropertyCondition::hash const):
        (JSC::PropertyCondition::operator== const):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::StructureStubInfo):
        (JSC::StructureStubInfo::reset):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::considerCaching):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInlineCacheWrapper.h:
        * dfg/DFGInlineCacheWrapperInlines.h:
        (JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addInstanceOf):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
        * jit/ICStats.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::link):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITInlineCacheGenerator::finalize):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::finalize):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
        (JSC::JITInstanceOfGenerator::generateFastPath):
        (JSC::JITInstanceOfGenerator::finalize):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITInlineCacheGenerator::reportSlowPathCall):
        (JSC::JITInlineCacheGenerator::slowPathBegin const):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
        (JSC::finalizeInlineCaches):
        (JSC::JITByIdGenerator::reportSlowPathCall): Deleted.
        (JSC::JITByIdGenerator::slowPathBegin const): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByValWithCachedId):
        (JSC::JIT::privateCompilePutByValWithCachedId):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::stubUnavailableRegisters):
        * jit/Repatch.cpp:
        (JSC::tryCacheIn):
        (JSC::tryCacheInstanceOf):
        (JSC::repatchInstanceOf):
        (JSC::resetPatchableJump):
        (JSC::resetIn):
        (JSC::resetInstanceOf):
        * jit/Repatch.h:
        * runtime/Options.h:
        * runtime/Structure.h:

2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix exception checking
        https://bugs.webkit.org/show_bug.cgi?id=185350

        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::putDirectWithReify):
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):

2018-05-17  Michael Saboff  <msaboff@apple.com>

        We don't throw SyntaxErrors for runtime generated regular expressions with errors
        https://bugs.webkit.org/show_bug.cgi?id=185755

        Reviewed by Keith Miller.

        Added a new helper that creates the correct exception to throw for each type of error when
        compiling a RegExp.  Using that new helper, added missing checks for RegExp for the cases
        where we create a new RegExp from an existing one.  Also refactored other places that we
        throw SyntaxErrors after a failed RegExp compile to use the new helper.

        * runtime/RegExp.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpCreate):
        (JSC::constructRegExp):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        * yarr/YarrErrorCode.cpp:
        (JSC::Yarr::errorToThrow):
        * yarr/YarrErrorCode.h:

2018-05-17  Saam Barati  <sbarati@apple.com>

        Remove shrinkFootprint test from apitests since it's flaky
        https://bugs.webkit.org/show_bug.cgi?id=185754

        Reviewed by Mark Lam.

        This test is flaky as it keeps failing on certain people's machines.
        Having a test about OS footprint seems like it'll forever be doomed
        to being flaky.

        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):

2018-05-17  Saam Barati  <sbarati@apple.com>

        defaultConstructorSourceCode needs to makeSource every time it's called
        https://bugs.webkit.org/show_bug.cgi?id=185753

        Rubber-stamped by Mark Lam.

        The bug here is multiple VMs can be running concurrently to one another
        in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
        if we copy a static SourceCode. Instead, we create a new one each time
        this function is called.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):

2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use AssemblyHelpers' type checking functions as much as possible
        https://bugs.webkit.org/show_bug.cgi?id=185730

        Reviewed by Saam Barati.

        Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex
        bit and register operations for type tagging of JSValue. It is really useful when we would like
        to tweak the type tagging representation since the code is collected into AssemblyHelpers. And
        the named function is more readable than some branching operations.

        We also remove unnecessary branching functions in JIT / JSInterfaceJIT. Some of them duplicate
        AssemblyHelpers' ones.

        We add several new type checking functions to AssemblyHelpers. Moreover, we add branchIfXXX(GPRReg)
        functions even for the 32-bit environment. In the 32-bit environment, this function takes the tag register.
        These semantics are aligned with the existing branchIfCell / branchIfNotCell.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
        (JSC::DFG::SpeculativeJIT::speculateCellType):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
        (JSC::DFG::SpeculativeJIT::compileCreateThis):
        (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::convertAnyInt):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfInt32):
        (JSC::AssemblyHelpers::branchIfNotInt32):
        (JSC::AssemblyHelpers::branchIfNumber):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfBoolean):
        (JSC::AssemblyHelpers::branchIfNotBoolean):
        (JSC::AssemblyHelpers::branchIfEmpty):
        (JSC::AssemblyHelpers::branchIfNotEmpty):
        (JSC::AssemblyHelpers::branchIfUndefined):
        (JSC::AssemblyHelpers::branchIfNotUndefined):
        (JSC::AssemblyHelpers::branchIfNull):
        (JSC::AssemblyHelpers::branchIfNotNull):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emit_op_inc):
        (JSC::JIT::emit_op_dec):
        (JSC::JIT::emitBinaryDoubleOp):
        (JSC::JIT::emit_op_mod):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
        (JSC::JIT::emitJumpIfBothJSCells):
        (JSC::JIT::emitJumpSlowCaseIfJSCell):
        (JSC::JIT::emitJumpIfNotInt):
        (JSC::JIT::emitJumpSlowCaseIfNotInt):
        (JSC::JIT::emitJumpSlowCaseIfNotNumber):
        (JSC::JIT::emitJumpIfCellObject): Deleted.
        (JSC::JIT::emitJumpIfCellNotObject): Deleted.
        (JSC::JIT::emitJumpIfJSCell): Deleted.
        (JSC::JIT::emitJumpIfInt): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_to_object):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_check_tdz):
        (JSC::JIT::emitNewFuncExprCommon):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jneq_ptr):
        (JSC::JIT::emit_op_eq):
        (JSC::JIT::emit_op_jeq):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::emit_op_jneq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_to_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emit_op_check_tdz):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitWriteBarrier):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitLoadJSCell):
        (JSC::JSInterfaceJIT::emitLoadInt32):
        (JSC::JSInterfaceJIT::emitLoadDouble):
        (JSC::JSInterfaceJIT::emitJumpIfNumber): Deleted.
        (JSC::JSInterfaceJIT::emitJumpIfNotNumber): Deleted.
        (JSC::JSInterfaceJIT::emitJumpIfNotType): Deleted.
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::absThunkGenerator):
        * tools/JSDollarVM.cpp:
        (WTF::DOMJITNode::checkSubClassSnippet):
        (WTF::DOMJITFunctionObject::checkSubClassSnippet):

2018-05-17  Saam Barati  <sbarati@apple.com>

        Unreviewed. Fix the build after my attempted build fix broke the build.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):
        (JSC::BuiltinExecutables::createDefaultConstructor):
        * builtins/BuiltinExecutables.h:

698 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
699
700         [JSC] Remove reifyPropertyNameIfNeeded
701         https://bugs.webkit.org/show_bug.cgi?id=185350
702
703         Reviewed by Saam Barati.
704
705         reifyPropertyNameIfNeeded is in the middle of putDirectInternal, which is a super critical path.
706         This is a virtual call, and it is only used by JSFunction right now. Since this causes too much
707         cost, we should remove this from the critical path.
708
709         This patch removes this function call from the critical path. And in our slow paths, we call
710         helper functions which call reifyLazyPropertyIfNeeded if the given value is a JSFunction.
711         While putDirect is a bit of a raw API, our slow paths just call it. This helper wraps these calls
712         and takes care of the edge cases. The other callsites of putDirect should know the type of the given
713         object and the name of the property (and avoid these edge cases).
714
715         This improves SixSpeed/object-assign.es6 by ~4% on MacBook Pro. And this patch does not cause
716         regressions of the existing tests.
717
718                                            baseline                  patched
719         Kraken:
720             json-parse-financial        35.522+-0.069      ^      34.708+-0.097         ^ definitely 1.0234x faster
721
722         SixSpeed:
723             object-assign.es6         145.8779+-0.2838     ^    140.1019+-0.8007        ^ definitely 1.0412x faster
724
725         * dfg/DFGOperations.cpp:
726         (JSC::DFG::putByValInternal):
727         (JSC::DFG::putByValCellInternal):
728         * jit/JITOperations.cpp:
729         * llint/LLIntSlowPaths.cpp:
730         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
731         * runtime/ClassInfo.h:
732         * runtime/CommonSlowPaths.h:
733         (JSC::CommonSlowPaths::putDirectWithReify):
734         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
735         * runtime/JSCell.cpp:
736         (JSC::JSCell::reifyPropertyNameIfNeeded): Deleted.
737         * runtime/JSCell.h:
738         * runtime/JSFunction.cpp:
739         (JSC::JSFunction::reifyPropertyNameIfNeeded): Deleted.
740         * runtime/JSFunction.h:
741         * runtime/JSObject.cpp:
742         (JSC::JSObject::putDirectAccessor):
743         (JSC::JSObject::putDirectNonIndexAccessor):
744         * runtime/JSObject.h:
745         * runtime/JSObjectInlines.h:
746         (JSC::JSObject::putDirectInternal):
747
748 2018-05-17  Saam Barati  <sbarati@apple.com>
749
750         Unreviewed. Try to fix windows build.
751
752         * builtins/BuiltinExecutables.cpp:
753         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
754
755 2018-05-16  Saam Barati  <sbarati@apple.com>
756
757         UnlinkedFunctionExecutable doesn't need a parent source override field since it's only used for default class constructors
758         https://bugs.webkit.org/show_bug.cgi?id=185637
759
760         Reviewed by Keith Miller.
761
762         We had this general mechanism for overriding an UnlinkedFunctionExecutable's parent
763         source code. However, we were only using this for default class constructors. There
764         are only two types of default class constructors. This patch makes it so that
765         we just store this information inside of a single bit, and ask for the source
766         code as needed instead of holding it in a nullable field that is 24 bytes in size.
767         
768         This brings UnlinkedFunctionExecutable's size down from 184 bytes to 160 bytes.
769         This has the consequence of making it allocated out of a 160 byte size class
770         instead of a 224 byte size class. This should bring down its memory footprint
771         by ~40%.
772
773         * builtins/BuiltinExecutables.cpp:
774         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
775         (JSC::BuiltinExecutables::createDefaultConstructor):
776         (JSC::BuiltinExecutables::createExecutable):
777         * builtins/BuiltinExecutables.h:
778         * bytecode/UnlinkedFunctionExecutable.cpp:
779         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
780         (JSC::UnlinkedFunctionExecutable::link):
781         * bytecode/UnlinkedFunctionExecutable.h:
782         * runtime/CodeCache.cpp:
783         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
784
785 2018-05-16  Saam Barati  <sbarati@apple.com>
786
787         VM::shrinkFootprint should call collectNow(Sync) instead of collectSync so it also eagerly sweeps
788         https://bugs.webkit.org/show_bug.cgi?id=185707
789
790         Reviewed by Mark Lam.
791
792         * runtime/VM.cpp:
793         (JSC::VM::shrinkFootprint):
794
795 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
796
797         [ESNext][BigInt] Implement support for "/" operation
798         https://bugs.webkit.org/show_bug.cgi?id=183996
799
800         Reviewed by Yusuke Suzuki.
801
802         This patch is introducing the support for BigInt into divide
803         operation in LLInt and JIT layers.
804
805         * dfg/DFGOperations.cpp:
806         * runtime/CommonSlowPaths.cpp:
807         (JSC::SLOW_PATH_DECL):
808         * runtime/JSBigInt.cpp:
809         (JSC::JSBigInt::divide):
810         (JSC::JSBigInt::copy):
811         (JSC::JSBigInt::unaryMinus):
812         (JSC::JSBigInt::absoluteCompare):
813         (JSC::JSBigInt::absoluteDivLarge):
814         (JSC::JSBigInt::productGreaterThan):
815         (JSC::JSBigInt::inplaceAdd):
816         (JSC::JSBigInt::inplaceSub):
817         (JSC::JSBigInt::inplaceRightShift):
818         (JSC::JSBigInt::specialLeftShift):
819         (JSC::JSBigInt::digit):
820         (JSC::JSBigInt::setDigit):
821         * runtime/JSBigInt.h:
822
823 2018-05-16  Saam Barati  <sbarati@apple.com>
824
825         Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
826         https://bugs.webkit.org/show_bug.cgi?id=185670
827
828         Reviewed by Yusuke Suzuki.
829
830         This patch makes it so that we constant fold CheckTypeInfoFlags for
831         ImplementsDefaultHasInstance inside of AI/constant folding. We constant
832         fold in three ways:
833         - When the incoming value is a constant, we just look at its inline type
834         flags. Since those flags never change after an object is created, this
835         is sound.
836         - Based on the incoming value having a finite structure set. We just iterate
837         all structures and ensure they have the bit set.
838         - Based on speculated type. To do this, I split up SpecFunction into two
839         subheaps where one is for functions that have the bit set, and one for
840         functions that don't have the bit set. The latter is currently only comprised
841         of JSBoundFunctions. To constant fold, we check that the incoming
842         value only has the SpecFunction type with ImplementsDefaultHasInstance set.
843
844         * bytecode/SpeculatedType.cpp:
845         (JSC::speculationFromClassInfo):
846         * bytecode/SpeculatedType.h:
847         * dfg/DFGAbstractInterpreterInlines.h:
848         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
849         * dfg/DFGConstantFoldingPhase.cpp:
850         (JSC::DFG::ConstantFoldingPhase::foldConstants):
851         * dfg/DFGSpeculativeJIT.cpp:
852         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
853         * dfg/DFGStrengthReductionPhase.cpp:
854         (JSC::DFG::StrengthReductionPhase::handleNode):
855         * runtime/JSFunction.cpp:
856         (JSC::JSFunction::JSFunction):
857         (JSC::JSFunction::assertTypeInfoFlagInvariants):
858         * runtime/JSFunction.h:
859         (JSC::JSFunction::assertTypeInfoFlagInvariants):
860         * runtime/JSFunctionInlines.h:
861         (JSC::JSFunction::JSFunction):
862
863 2018-05-16  Devin Rousso  <webkit@devinrousso.com>
864
865         Web Inspector: create a navigation item for toggling the overlay rulers/guides
866         https://bugs.webkit.org/show_bug.cgi?id=185644
867
868         Reviewed by Matt Baker.
869
870         * inspector/protocol/OverlayTypes.json:
871         * inspector/protocol/Page.json:
872
873 2018-05-16  Commit Queue  <commit-queue@webkit.org>
874
875         Unreviewed, rolling out r231845.
876         https://bugs.webkit.org/show_bug.cgi?id=185702
877
878         it is breaking Apple High Sierra 32-bit JSC bot (Requested by
879         caiolima on #webkit).
880
881         Reverted changeset:
882
883         "[ESNext][BigInt] Implement support for "/" operation"
884         https://bugs.webkit.org/show_bug.cgi?id=183996
885         https://trac.webkit.org/changeset/231845
886
887 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
888
889         DFG models InstanceOf incorrectly
890         https://bugs.webkit.org/show_bug.cgi?id=185694
891
892         Reviewed by Keith Miller.
893         
894         Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
895         hoist it.
896
897         * dfg/DFGAbstractInterpreterInlines.h:
898         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
899         * dfg/DFGClobberize.h:
900         (JSC::DFG::clobberize):
901         * dfg/DFGHeapLocation.cpp:
902         (WTF::printInternal):
903         * dfg/DFGHeapLocation.h:
904         * dfg/DFGNodeType.h:
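
An added example (not WebKit/JSC code) showing, from the JavaScript side, the two effects this entry refers to: a Proxy on either operand observes `instanceof` through its traps, and a trap that throws means the operation can be neither dropped nor moved. Every name in it (Base, makeObservablePair, the helper functions) is constructed for the illustration.

```javascript
// Added example (not WebKit/JSC code): why `instanceof` has to be modelled as an
// effectful, possibly-throwing operation once a Proxy can be on either side.
//
// InstanceofOperator(V, target) is observable in two places:
//   1. it reads target[Symbol.hasInstance], and OrdinaryHasInstance then reads
//      target.prototype: a Proxy `get` trap on the right-hand side sees both;
//   2. OrdinaryHasInstance walks V's prototype chain through [[GetPrototypeOf]]:
//      a Proxy `getPrototypeOf` trap on the left-hand side sees every step and
//      may throw.
// Every name below (Base, makeObservablePair, ...) is constructed for this example.

function makeObservablePair({ throwOnPrototypeWalk = 0 } = {}) {
  const log = [];   // trace of every trap invocation, in order
  let walks = 0;    // how many times the left operand's [[GetPrototypeOf]] ran
  function Base() {}

  // Right-hand side: the constructor wrapped in a Proxy that records property reads.
  const rhs = new Proxy(Base, {
    get(target, key, receiver) {
      log.push('get:' + String(key));
      return Reflect.get(target, key, receiver);
    },
  });

  // Left-hand side: an instance wrapped in a Proxy whose prototype walk is
  // observable and, on the requested walk, throws.
  const lhs = new Proxy(new Base(), {
    getPrototypeOf(target) {
      walks += 1;
      log.push('getPrototypeOf#' + walks);
      if (walks === throwOnPrototypeWalk) {
        throw new RangeError('trap threw on walk ' + walks);
      }
      return Reflect.getPrototypeOf(target);
    },
  });

  return { lhs, rhs, log };
}

// Case 1: the result is used. Three traps fire, in spec order.
function observedInstanceof() {
  const { lhs, rhs, log } = makeObservablePair();
  return { result: lhs instanceof rhs, log };
}

// Case 2: the result is discarded. A compiler that treated instanceof as pure
// could dead-code-eliminate the expression; the trap log proves it still ran.
function discardedInstanceof() {
  const { lhs, rhs, log } = makeObservablePair();
  lhs instanceof rhs; // value never used
  return log.length;
}

// Case 3: a loop-invariant instanceof whose trap throws on the second walk.
// Hoisting it out of the loop would run it once, before the loop, and never
// throw; the spec-compliant order pushes 0 and 1, then throws on iteration 1.
function loopInvariantInstanceof() {
  const { lhs, rhs } = makeObservablePair({ throwOnPrototypeWalk: 2 });
  const iterations = [];
  try {
    for (let i = 0; i < 3; i++) {
      iterations.push(i);   // side effect that must precede the throw
      lhs instanceof rhs;   // same operands every iteration, yet not hoistable
    }
    return { iterations, error: null };
  } catch (e) {
    return { iterations, error: e.message };
  }
}

console.log(JSON.stringify(observedInstanceof()));
console.log(discardedInstanceof());
console.log(JSON.stringify(loopInvariantInstanceof()));
```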
905
906 2018-05-16  Andy VanWagoner  <andy@vanwagoner.family>
907
908         Add support for Intl NumberFormat formatToParts
909         https://bugs.webkit.org/show_bug.cgi?id=185375
910
911         Reviewed by Yusuke Suzuki.
912
913         Add flag for NumberFormat formatToParts. Implement formatToParts using
914         unum_formatDoubleForFields. Because the fields are nested and come back
915         in no guaranteed order, the simple algorithm to convert them to the
916         desired format is roughly O(n^2). However, even with Number.MAX_VALUE
917         it appears to perform well enough for the initial implementation. Another
918         issue has been created to improve this algorithm.
919
920         This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
921         on macOS, since only v57 is available.
922
923         * Configurations/FeatureDefines.xcconfig:
924         * runtime/IntlNumberFormat.cpp:
925         (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
926         (JSC::IntlNumberFormat::partTypeString):
927         (JSC::IntlNumberFormat::formatToParts):
928         * runtime/IntlNumberFormat.h:
929         * runtime/IntlNumberFormatPrototype.cpp:
930         (JSC::IntlNumberFormatPrototype::create):
931         (JSC::IntlNumberFormatPrototype::finishCreation):
932         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
933         * runtime/IntlNumberFormatPrototype.h:
934         * runtime/Options.h:
935
936 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
937
938         [ESNext][BigInt] Implement support for "/" operation
939         https://bugs.webkit.org/show_bug.cgi?id=183996
940
941         Reviewed by Yusuke Suzuki.
942
943         This patch is introducing the support for BigInt into divide
944         operation in LLInt and JIT layers.
945
946         * dfg/DFGOperations.cpp:
947         * runtime/CommonSlowPaths.cpp:
948         (JSC::SLOW_PATH_DECL):
949         * runtime/JSBigInt.cpp:
950         (JSC::JSBigInt::divide):
951         (JSC::JSBigInt::copy):
952         (JSC::JSBigInt::unaryMinus):
953         (JSC::JSBigInt::absoluteCompare):
954         (JSC::JSBigInt::absoluteDivLarge):
955         (JSC::JSBigInt::productGreaterThan):
956         (JSC::JSBigInt::inplaceAdd):
957         (JSC::JSBigInt::inplaceSub):
958         (JSC::JSBigInt::inplaceRightShift):
959         (JSC::JSBigInt::specialLeftShift):
960         (JSC::JSBigInt::digit):
961         (JSC::JSBigInt::setDigit):
962         * runtime/JSBigInt.h:
963
964 2018-05-16  Alberto Garcia  <berto@igalia.com>
965
966         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
967         https://bugs.webkit.org/show_bug.cgi?id=182622
968
969         Reviewed by Michael Catanzaro.
970
971         We were linking JavaScriptCore against libatomic in MIPS because
972         in that architecture __atomic_fetch_add_8() is not a compiler
973         intrinsic and is provided by that library instead. However other
974         architectures (e.g armel) are in the same situation, so we need a
975         generic test.
976
977         That test already exists in WebKit/CMakeLists.txt, so we just have
978         to move it to a common file (WebKitCompilerFlags.cmake) and use
979         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
980
981         * CMakeLists.txt:
982
983 2018-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
984
985         [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
986         https://bugs.webkit.org/show_bug.cgi?id=185601
987
988         Reviewed by Saam Barati.
989
990         Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData
991         before calling getCallData when we would like to check whether a given object is callable
992         since getCallData is a virtual call. When we call the object anyway, directly calling getCallData
993         is fine. But if we would like to check whether the object is callable, we can have non-callable
994         objects frequently. In that case, we should not call getCallData if we can avoid it.
995
996         To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
997         and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
998         OverridesGetCallData checking before calling getCallData.
999
1000         We found that this virtual call exists in JSON.stringify's critical path. Checking
1001         OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.
1002
1003                                                baseline                  patched
1004
1005             json-stringify-tinderbox        38.807+-0.350      ^      37.216+-0.337         ^ definitely 1.0427x faster
1006
1007         In addition to that, we also add OverridesGetCallData flag to JSFunction while we keep JSFunctionType checking fast path
1008         since major cases are covered by this fast JSFunctionType checking.
1009
1010         * API/JSCallbackObject.h:
1011         * dfg/DFGAbstractInterpreterInlines.h:
1012         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1013         * dfg/DFGOperations.cpp:
1014         * dfg/DFGSpeculativeJIT.cpp:
1015         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
1016         (JSC::DFG::SpeculativeJIT::compileIsFunction):
1017         * ftl/FTLLowerDFGToB3.cpp:
1018         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
1019         * jit/AssemblyHelpers.h:
1020         (JSC::AssemblyHelpers::emitTypeOf):
1021         * runtime/ExceptionHelpers.cpp:
1022         (JSC::createError):
1023         (JSC::createInvalidFunctionApplyParameterError):
1024         * runtime/FunctionPrototype.cpp:
1025         (JSC::functionProtoFuncToString):
1026         * runtime/InternalFunction.h:
1027         * runtime/JSCJSValue.h:
1028         * runtime/JSCJSValueInlines.h:
1029         (JSC::JSValue::isFunction const):
1030         (JSC::JSValue::isCallable const):
1031         * runtime/JSCell.h:
1032         * runtime/JSCellInlines.h:
1033         (JSC::JSCell::isFunction):
1034         ALWAYS_INLINE works well for my environment.
1035         (JSC::JSCell::isCallable):
1036         * runtime/JSFunction.h:
1037         * runtime/JSONObject.cpp:
1038         (JSC::Stringifier::toJSON):
1039         (JSC::Stringifier::toJSONImpl):
1040         (JSC::Stringifier::appendStringifiedValue):
1041         * runtime/JSObjectInlines.h:
1042         (JSC::createListFromArrayLike):
1043         * runtime/JSTypeInfo.h:
1044         (JSC::TypeInfo::overridesGetCallData const):
1045         (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted.
1046         * runtime/Operations.cpp:
1047         (JSC::jsTypeStringForValue):
1048         (JSC::jsIsObjectTypeOrNull):
1049         * runtime/ProxyObject.h:
1050         * runtime/RuntimeType.cpp:
1051         (JSC::runtimeTypeForValue):
1052         * runtime/RuntimeType.h:
1053         * runtime/Structure.cpp:
1054         (JSC::Structure::Structure):
1055         * runtime/TypeProfilerLog.cpp:
1056         (JSC::TypeProfilerLog::TypeProfilerLog):
1057         (JSC::TypeProfilerLog::processLogEntries):
1058         * runtime/TypeProfilerLog.h:
1059         * runtime/VM.cpp:
1060         (JSC::VM::enableTypeProfiler):
1061         * tools/JSDollarVM.cpp:
1062         (JSC::functionFindTypeForExpression):
1063         (JSC::functionReturnTypeFor):
1064         (JSC::functionHasBasicBlockExecuted):
1065         (JSC::functionBasicBlockExecutionCount):
1066         * wasm/js/JSWebAssemblyHelpers.h:
1067         (JSC::getWasmBufferFromValue):
1068         * wasm/js/JSWebAssemblyInstance.cpp:
1069         (JSC::JSWebAssemblyInstance::create):
1070         * wasm/js/WebAssemblyFunction.cpp:
1071         (JSC::callWebAssemblyFunction):
1072         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1073         (JSC::constructJSWebAssemblyInstance):
1074         * wasm/js/WebAssemblyModuleRecord.cpp:
1075         (JSC::WebAssemblyModuleRecord::link):
1076         * wasm/js/WebAssemblyPrototype.cpp:
1077         (JSC::webAssemblyInstantiateFunc):
1078         (JSC::webAssemblyInstantiateStreamingInternal):
1079         * wasm/js/WebAssemblyWrapperFunction.cpp:
1080         (JSC::WebAssemblyWrapperFunction::finishCreation):
1081
1082 2018-05-15  Devin Rousso  <webkit@devinrousso.com>
1083
1084         Web Inspector: Add rulers and guides
1085         https://bugs.webkit.org/show_bug.cgi?id=32263
1086         <rdar://problem/19281564>
1087
1088         Reviewed by Matt Baker.
1089
1090         * inspector/protocol/OverlayTypes.json:
1091
1092 2018-05-14  Keith Miller  <keith_miller@apple.com>
1093
1094         Remove butterflyMask from DFGAbstractHeap
1095         https://bugs.webkit.org/show_bug.cgi?id=185640
1096
1097         Reviewed by Saam Barati.
1098
1099         We don't have a butterfly indexing mask anymore so we don't need
1100         the abstract heap information for it anymore.
1101
1102         * dfg/DFGAbstractHeap.h:
1103         * dfg/DFGClobberize.h:
1104         (JSC::DFG::clobberize):
1105
1106 2018-05-14  Andy VanWagoner  <andy@vanwagoner.family>
1107
1108         [INTL] Handle error in defineProperty for supported locales length
1109         https://bugs.webkit.org/show_bug.cgi?id=185623
1110
1111         Reviewed by Saam Barati.
1112
1113         Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the
1114         length of the supported locales array.
1115
1116         * runtime/IntlObject.cpp:
1117         (JSC::supportedLocales):
1118
1119 2018-05-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1120
1121         [JSC] Tweak LiteralParser to improve lexing performance
1122         https://bugs.webkit.org/show_bug.cgi?id=185541
1123
1124         Reviewed by Saam Barati.
1125
1126         This patch attempts to improve LiteralParser performance.
1127
1128         This patch improves Kraken/json-parse-financial by roughly ~10%.
1129                                            baseline                  patched
1130
1131             json-parse-financial        65.810+-1.591      ^      59.943+-1.784         ^ definitely 1.0979x faster
1132
1133         * parser/Lexer.cpp:
1134         (JSC::Lexer<T>::Lexer):
1135         * runtime/ArgList.h:
1136         (JSC::MarkedArgumentBuffer::takeLast):
1137         Add takeLast() for idiomatic last() + removeLast() calls.
1138
1139         * runtime/LiteralParser.cpp:
1140         (JSC::LiteralParser<CharType>::Lexer::lex):
1141         Do not have the mode in its template parameter. While the lex function is large, this mode is not used in a critical path.
1142         We should not include this mode in its template parameter to reduce the code size.
1143         And we do not use a template parameter for the terminator since duplicating ' and " code for lexString is not good.
1144         Also, we construct a TokenType table to remove a bunch of unnecessary switch cases.
1145
1146         (JSC::LiteralParser<CharType>::Lexer::next):
1147         (JSC::isSafeStringCharacter):
1148         Take the mode in its template parameter, but do not take the terminator character in its template parameter.
1149
1150         (JSC::LiteralParser<CharType>::Lexer::lexString):
1151         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
1152         Duplicate while statements manually since this is a critical path.
1153
1154         (JSC::LiteralParser<CharType>::parse):
1155         Use takeLast().
1156
1157         * runtime/LiteralParser.h:
1158
1159 2018-05-14  Dominik Infuehr  <dinfuehr@igalia.com>
1160
1161         [MIPS] Use btpz to compare against 0 instead of bpeq
1162         https://bugs.webkit.org/show_bug.cgi?id=185607
1163
1164         Reviewed by Yusuke Suzuki.
1165
1166         Fixes build on MIPS since MIPS doesn't have an instruction to
1167         compare a register against an immediate. Since the immediate is just 0
1168         in this case the simplest solution is just to use btpz instead of bpeq
1169         to compare to 0.
1170
1171         * llint/LowLevelInterpreter.asm:
1172
1173 2018-05-12  Filip Pizlo  <fpizlo@apple.com>
1174
1175         CachedCall::call() should be faster
1176         https://bugs.webkit.org/show_bug.cgi?id=185583
1177
1178         Reviewed by Yusuke Suzuki.
1179         
1180         CachedCall is an optimization for String.prototype.replace(r, f) where f is a function.
1181         Unfortunately, because of a combination of abstraction and assertions, this code path had a
1182         lot of overhead. This patch reduces this overhead by:
1183         
1184         - Turning off some assertions. These assertions don't look to have security value; they're
1185           mostly for sanity. I turned off stack alignment checks and VM state checks having to do
1186           with whether the JSLock is held. The JSLock checks are not relevant when doing a cached
1187           call, considering that the caller would have already been strongly assuming that the JSLock
1188           is held.
1189         
1190         - Making more things inlineable.
1191         
1192         This looks like a small (4% ish) speed-up on SunSpider/string-unpack-code.
1193
1194         * JavaScriptCore.xcodeproj/project.pbxproj:
1195         * interpreter/CachedCall.h:
1196         (JSC::CachedCall::call):
1197         * interpreter/Interpreter.cpp:
1198         (JSC::checkedReturn): Deleted.
1199         * interpreter/Interpreter.h:
1200         (JSC::Interpreter::checkedReturn):
1201         * interpreter/InterpreterInlines.h:
1202         (JSC::Interpreter::execute):
1203         * jit/JITCode.cpp:
1204         (JSC::JITCode::execute): Deleted.
1205         * jit/JITCodeInlines.h: Added.
1206         (JSC::JITCode::execute):
1207         * llint/LowLevelInterpreter.asm:
1208         * runtime/StringPrototype.cpp:
1209
1210 2018-05-13  Andy VanWagoner  <andy@vanwagoner.family>
1211
1212         [INTL] Improve spec & test262 compliance for Intl APIs
1213         https://bugs.webkit.org/show_bug.cgi?id=185578
1214
1215         Reviewed by Yusuke Suzuki.
1216
1217         Use putDirectIndex over push for lists to arrays.
1218         Update default options to construct with a null prototype.
1219         Define constructor and toStringTag on prototypes.
1220         Add proper time clipping.
1221         Remove some outdated comment spec text, use url instead.
1222
1223         * runtime/IntlCollator.cpp:
1224         (JSC::IntlCollator::initializeCollator):
1225         * runtime/IntlCollatorConstructor.cpp:
1226         (JSC::IntlCollatorConstructor::finishCreation):
1227         * runtime/IntlCollatorPrototype.cpp:
1228         (JSC::IntlCollatorPrototype::finishCreation):
1229         * runtime/IntlDateTimeFormatConstructor.cpp:
1230         (JSC::IntlDateTimeFormatConstructor::finishCreation):
1231         * runtime/IntlDateTimeFormatPrototype.cpp:
1232         (JSC::IntlDateTimeFormatPrototype::finishCreation):
1233         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1234         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
1235         * runtime/IntlNumberFormat.cpp:
1236         (JSC::IntlNumberFormat::initializeNumberFormat):
1237         * runtime/IntlNumberFormatConstructor.cpp:
1238         (JSC::IntlNumberFormatConstructor::finishCreation):
1239         * runtime/IntlNumberFormatPrototype.cpp:
1240         (JSC::IntlNumberFormatPrototype::finishCreation):
1241         * runtime/IntlObject.cpp:
1242         (JSC::lookupSupportedLocales):
1243         (JSC::supportedLocales):
1244         (JSC::intlObjectFuncGetCanonicalLocales):
1245         * runtime/IntlPluralRules.cpp:
1246         (JSC::IntlPluralRules::resolvedOptions):
1247         * runtime/IntlPluralRulesConstructor.cpp:
1248         (JSC::IntlPluralRulesConstructor::finishCreation):
1249
1250 2018-05-11  Caio Lima  <ticaiolima@gmail.com>
1251
1252         [ESNext][BigInt] Implement support for "*" operation
1253         https://bugs.webkit.org/show_bug.cgi?id=183721
1254
1255         Reviewed by Yusuke Suzuki.
1256
1257         Added BigInt support into the times binary operator in LLInt and in
1258         JITOperations profiledMul and unprofiledMul. We are also replacing all
1259         uses of int with unsigned when there are no negative values for
1260         variables.
1261
1262         * dfg/DFGConstantFoldingPhase.cpp:
1263         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1264         * jit/JITOperations.cpp:
1265         * runtime/CommonSlowPaths.cpp:
1266         (JSC::SLOW_PATH_DECL):
1267         * runtime/JSBigInt.cpp:
1268         (JSC::JSBigInt::JSBigInt):
1269         (JSC::JSBigInt::allocationSize):
1270         (JSC::JSBigInt::createWithLength):
1271         (JSC::JSBigInt::toString):
1272         (JSC::JSBigInt::multiply):
1273         (JSC::JSBigInt::digitDiv):
1274         (JSC::JSBigInt::internalMultiplyAdd):
1275         (JSC::JSBigInt::multiplyAccumulate):
1276         (JSC::JSBigInt::equals):
1277         (JSC::JSBigInt::absoluteDivSmall):
1278         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1279         (JSC::JSBigInt::toStringGeneric):
1280         (JSC::JSBigInt::rightTrim):
1281         (JSC::JSBigInt::allocateFor):
1282         (JSC::JSBigInt::parseInt):
1283         (JSC::JSBigInt::digit):
1284         (JSC::JSBigInt::setDigit):
1285         * runtime/JSBigInt.h:
1286         * runtime/JSCJSValue.h:
1287         * runtime/JSCJSValueInlines.h:
1288         (JSC::JSValue::toNumeric const):
1289         * runtime/Operations.h:
1290         (JSC::jsMul):
1291
1292 2018-05-11  Commit Queue  <commit-queue@webkit.org>
1293
1294         Unreviewed, rolling out r231316 and r231332.
1295         https://bugs.webkit.org/show_bug.cgi?id=185564
1296
1297         Appears to be a Speedometer2/MotionMark regression (Requested
1298         by keith_miller on #webkit).
1299
1300         Reverted changesets:
1301
1302         "Remove the prototype caching for get_by_id in the LLInt"
1303         https://bugs.webkit.org/show_bug.cgi?id=185226
1304         https://trac.webkit.org/changeset/231316
1305
1306         "Unreviewed, fix 32-bit profile offset for change in bytecode"
1307         https://trac.webkit.org/changeset/231332
1308
1309 2018-05-11  Michael Saboff  <msaboff@apple.com>
1310
1311         [DFG] Compiler uses incorrect output register for NumberIsInteger operation
1312         https://bugs.webkit.org/show_bug.cgi?id=185328
1313
1314         Reviewed by Keith Miller.
1315
1316         Fixed a typo from when this code was added in r228968 where resultGPR
1317         was assigned the input register instead of the result.gpr().
1318
1319         * dfg/DFGSpeculativeJIT64.cpp:
1320         (JSC::DFG::SpeculativeJIT::compile):
1321
1322 2018-05-11  Saam Barati  <sbarati@apple.com>
1323
1324         Don't use inferred types when the JIT is disabled
1325         https://bugs.webkit.org/show_bug.cgi?id=185539
1326
1327         Reviewed by Yusuke Suzuki.
1328
1329         There are many JSC API clients that run with the JIT disabled. They were
1330         all allocating and tracking inferred types for no benefit. Inferred types
1331         only benefit programs when they make it to the DFG/FTL. I was seeing cases
1332         where the inferred type machinery used ~0.5MB. This patch makes it so we
1333         don't allocate that machinery when the JIT is disabled.
1334
1335         * runtime/Structure.cpp:
1336         (JSC::Structure::willStoreValueSlow):
1337         * runtime/Structure.h:
1338
1339 2018-05-11  Saam Barati  <sbarati@apple.com>
1340
1341         Don't allocate value profiles when the JIT is disabled
1342         https://bugs.webkit.org/show_bug.cgi?id=185525
1343
1344         Reviewed by Michael Saboff.
1345
1346         There are many JSC API clients that run with the JIT disabled. We were
1347         still allocating a ton of value profiles in this use case even though
1348         these clients get no benefit from doing value profiling. This patch makes
1349         it so that we don't allocate value profiles or argument value profiles
1350         when we're not using the JIT. We now just make all value profiles in
1351         the instruction stream point to a global value profile that the VM owns.
1352         And we make the argument value profile array have zero length and teach
1353         the LLInt how to handle that. Heap clears the global value profile on each GC.
1354
1355         In an app that I'm testing this against, this saves ~1MB of memory.
1356
1357         * bytecode/CodeBlock.cpp:
1358         (JSC::CodeBlock::finishCreation):
1359         (JSC::CodeBlock::setNumParameters):
1360         * bytecode/CodeBlock.h:
1361         (JSC::CodeBlock::numberOfArgumentValueProfiles):
1362         (JSC::CodeBlock::valueProfileForArgument):
1363         * bytecompiler/BytecodeGenerator.cpp:
1364         (JSC::BytecodeGenerator::emitProfiledOpcode):
1365         * heap/Heap.cpp:
1366         (JSC::Heap::runEndPhase):
1367         * llint/LowLevelInterpreter.asm:
1368         * runtime/VM.cpp:
1369         (JSC::VM::VM):
1370         * runtime/VM.h:
1371
1372 2018-05-10  Carlos Garcia Campos  <cgarcia@igalia.com>
1373
1374         [JSC][GLIB] Add introspectable alternatives to functions using varargs
1375         https://bugs.webkit.org/show_bug.cgi?id=185508
1376
1377         Reviewed by Michael Catanzaro.
1378
1379         * API/glib/JSCClass.cpp:
1380         (jscClassCreateConstructor):
1381         (jsc_class_add_constructor):
1382         (jsc_class_add_constructorv):
1383         (jscClassAddMethod):
1384         (jsc_class_add_method):
1385         (jsc_class_add_methodv):
1386         * API/glib/JSCClass.h:
1387         * API/glib/JSCValue.cpp:
1388         (jsObjectCall):
1389         (jscValueCallFunction):
1390         (jsc_value_object_invoke_methodv):
1391         (jscValueFunctionCreate):
1392         (jsc_value_new_function):
1393         (jsc_value_new_functionv):
1394         (jsc_value_function_callv):
1395         (jsc_value_constructor_callv):
1396         * API/glib/JSCValue.h:
1397         * API/glib/docs/jsc-glib-4.0-sections.txt:
1398
1399 2018-05-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1400
1401         [JSC] Make return types of construction functions tight
1402         https://bugs.webkit.org/show_bug.cgi?id=185509
1403
1404         Reviewed by Saam Barati.
1405
1406         Array and Object construction functions should return strict types instead of returning JSObject*/JSValue.
1407
1408         * runtime/ArrayConstructor.cpp:
1409         (JSC::constructArrayWithSizeQuirk):
1410         * runtime/ArrayConstructor.h:
1411         * runtime/ObjectConstructor.h:
1412         (JSC::constructEmptyObject):
1413
1414 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1415
1416         [JSC] Object.assign for final objects should be faster
1417         https://bugs.webkit.org/show_bug.cgi?id=185348
1418
1419         Reviewed by Saam Barati.
1420
1421         Object.assign is so heavily used to clone an object. For example, speedometer react-redux can be significantly
1422         improved if Object.assign becomes fast. It is worth adding a complex fast path to accelerate the major use cases.
1423
1424         If enumerating properties of source objects and putting properties to the target object are non-observable,
1425         we can avoid hash table lookups of source object properties. We can enumerate object property entries
1426         and put them to the target object. This patch adds this fast path to the Object.assign implementation.
1427
1428         When enumerating properties, we need to ensure that the given |source| object does not include "__proto__"
1429         property since we cannot perform fast [[Put]] for the |target| object. We add a new flag
1430         "HasUnderscoreProtoPropertyExcludingOriginalProto" to Structure to track this state.
1431
1432         This improves object-assign.es6 by 1.85x.
1433
1434                                         baseline                  patched
1435
1436             object-assign.es6      368.6132+-8.3508     ^    198.8775+-4.9042        ^ definitely 1.8535x faster
1437
1438         And Speedometer2.0 React-Redux-TodoMVC's total time is improved from 490ms to 431ms.
1439
1440         * runtime/JSObject.h:
1441         * runtime/JSObjectInlines.h:
1442         (JSC::JSObject::canPerformFastPutInlineExcludingProto):
1443         (JSC::JSObject::canPerformFastPutInline):
1444         * runtime/ObjectConstructor.cpp:
1445         (JSC::objectConstructorAssign):
1446         * runtime/Structure.cpp:
1447         (JSC::Structure::Structure):
1448         * runtime/Structure.h:
1449         * runtime/StructureInlines.h:
1450         (JSC::Structure::forEachProperty):
1451         (JSC::Structure::add):
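
        The following is an added example in plain JavaScript, not JavaScriptCore code and not part of this
        entry. It shows why a fast path that copies a source's property entries straight into the target has
        to prove first that nothing observable happens on the way: an accessor on the source turns Get into a
        call, and an own "__proto__" key makes the target-side [[Put]] reach the Object.prototype.__proto__
        setter instead of storing a property. The guard function canCopyEntriesDirectly is this example's own
        approximation of that structural check, not the engine's.

```javascript
// Added example, not JavaScriptCore code: why an Object.assign entry-copy fast
// path must refuse sources with accessors or an own "__proto__" property.

// Build a source with an own, enumerable "__proto__" data property. An object
// literal cannot express this ({__proto__: x} sets the prototype instead), so
// defineProperty is used.
function makeSourceWithOwnProto(proto) {
  const source = {};
  Object.defineProperty(source, "__proto__", {
    value: proto, enumerable: true, writable: true, configurable: true,
  });
  source.a = 1;
  return source;
}

function describe(target, proto) {
  return {
    protoChanged: Object.getPrototypeOf(target) === proto,
    hasOwnProto: Object.prototype.hasOwnProperty.call(target, "__proto__"),
    a: target.a,
  };
}

// What the specification requires: Object.assign performs [[Put]] per key, so
// the __proto__ setter runs, the target's prototype changes, and no own
// "__proto__" property appears on the target.
function assignPerSpec(proto) {
  const target = {};
  Object.assign(target, makeSourceWithOwnProto(proto));
  return describe(target, proto);
}

// A naive entry copy that writes directly into the target's own storage. It
// bypasses [[Put]], so the setter never runs and the result differs from
// Object.assign: a bogus own "__proto__" property and an untouched prototype.
function assignByEntryCopy(proto) {
  const target = {};
  const source = makeSourceWithOwnProto(proto);
  for (const key of Object.keys(source)) {
    Object.defineProperty(target, key, {
      value: source[key], enumerable: true, writable: true, configurable: true,
    });
  }
  return describe(target, proto);
}

// Constructed guard (an approximation of the structural check, not the engine's
// code): copying entries directly is only safe when every own property of the
// source is a plain data property and none of them is named "__proto__".
function canCopyEntriesDirectly(source) {
  for (const key of Reflect.ownKeys(source)) {
    const desc = Object.getOwnPropertyDescriptor(source, key);
    if (!("value" in desc)) return false;  // accessor: Get would be observable
    if (key === "__proto__") return false; // [[Put]] would reach the setter
  }
  return true;
}
```

        The target side needs its own check as well (a setter on the target or on its prototype chain is just
        as observable); the example only covers the source-side condition the entry talks about.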
1452
1453 2018-05-10  Filip Pizlo  <fpizlo@apple.com>
1454
1455         DFG CFA should pick the right time to inject OSR entry data
1456         https://bugs.webkit.org/show_bug.cgi?id=185530
1457
1458         Reviewed by Saam Barati.
1459         
1460         Previously, we would do a bonus run of CFA to inject OSR entry data. This patch makes us inject
1461         OSR entry data as part of the normal flow of CFA, which reduces the total number of CFA
1462         reexecutions while minimizing the likelihood that we have CFA execute constants in paths that
1463         would eventually LUB to non-constant.
1464         
1465         This looks like almost a 1% speed-up on SunSpider-CompileTime. All of the logic for preventing
1466         execution over constants is for V8Spider-CompileTime/regexp, which would otherwise do a lot of
1467         useless regexp/string execution in the compiler.
1468
1469         * dfg/DFGBlockSet.h:
1470         (JSC::DFG::BlockSet::remove):
1471         * dfg/DFGCFAPhase.cpp:
1472         (JSC::DFG::CFAPhase::run):
1473         (JSC::DFG::CFAPhase::injectOSR):
1474         (JSC::DFG::CFAPhase::performBlockCFA):
1475
1476 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
1477
1478         InPlaceAbstractState::beginBasicBlock shouldn't copy all m_variables every time
1479         https://bugs.webkit.org/show_bug.cgi?id=185452
1480
1481         Reviewed by Michael Saboff.
1482         
1483         We were spending a lot of time in beginBasicBlock() just copying the state of all variables
1484         from the block head to InPlaceAbstractState::m_variables. It is necessary for
1485         InPlaceAbstractState to have its own copy since we need to mutate it separately from
1486         block->valuesAtHead. But most variables are untouched by most basic blocks, so this was a lot
1487         of superfluous work.
1488         
1489         This change adds a bitvector called m_activeVariables that tracks which variables have been
1490         copied. We lazily copy the variables on first use. Variables that were never copied also have
1491         a simplified merging path, which just needs to consider if the variable got clobbered between
1492         head and tail.
1493         
1494         This is a 1.5% speed-up on SunSpider-CompileTime and a 1.7% speed-up on V8Spider-CompileTime.
1495
1496         * bytecode/Operands.h:
1497         (JSC::Operands::argumentIndex const):
1498         (JSC::Operands::localIndex const):
1499         (JSC::Operands::argument):
1500         (JSC::Operands::argument const):
1501         (JSC::Operands::local):
1502         (JSC::Operands::local const):
1503         (JSC::Operands::operandIndex const):
1504         * dfg/DFGAbstractValue.h:
1505         (JSC::DFG::AbstractValue::fastForwardFromTo):
1506         * dfg/DFGCFAPhase.cpp:
1507         (JSC::DFG::CFAPhase::performForwardCFA):
1508         * dfg/DFGInPlaceAbstractState.cpp:
1509         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1510         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
1511         (JSC::DFG::InPlaceAbstractState::activateAllVariables):
1512         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1513         (JSC::DFG::InPlaceAbstractState::activateVariable):
1514         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): Deleted.
1515         * dfg/DFGInPlaceAbstractState.h:
1516         (JSC::DFG::InPlaceAbstractState::variableAt):
1517         (JSC::DFG::InPlaceAbstractState::operand):
1518         (JSC::DFG::InPlaceAbstractState::local):
1519         (JSC::DFG::InPlaceAbstractState::argument):
1520         (JSC::DFG::InPlaceAbstractState::activateVariableIfNecessary):
1521         (JSC::DFG::InPlaceAbstractState::variablesForDebugging): Deleted.
1522
1523 2018-05-09  Caio Lima  <ticaiolima@gmail.com>
1524
1525         [ESNext][BigInt] Implement support for "==" operation
1526         https://bugs.webkit.org/show_bug.cgi?id=184474
1527
1528         Reviewed by Yusuke Suzuki.
1529
1530         This patch implements support of BigInt for the equals operator
1531         following the spec semantics [1].
1532
1533         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-equality-comparison
1534
1535         * runtime/JSBigInt.cpp:
1536         (JSC::JSBigInt::parseInt):
1537         (JSC::JSBigInt::stringToBigInt):
1538         (JSC::JSBigInt::toString):
1539         (JSC::JSBigInt::setDigit):
1540         (JSC::JSBigInt::equalsToNumber):
1541         (JSC::JSBigInt::compareToDouble):
1542         * runtime/JSBigInt.h:
1543         * runtime/JSCJSValueInlines.h:
1544         (JSC::JSValue::equalSlowCaseInline):
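
        The following is an added example, not JavaScriptCore code and not part of this entry. It models the
        BigInt cases of the Abstract Equality Comparison from the proposal cited above, restricted to primitive
        operands, and compares the model against the engine's native == on a constructed set of operand pairs.
        The sample pairs and the mismatchesAgainstNative helper are this example's own.

```javascript
// Added example, not JavaScriptCore code: a model of BigInt == per the spec.

// BigInt == Number: never equal to NaN or +/-Infinity; otherwise the two
// mathematical values must be identical, so a non-integer Number cannot match
// and a large integer must match exactly (no rounding through doubles).
function bigIntEqualsNumber(b, n) {
  if (!Number.isFinite(n) || !Number.isInteger(n)) return false;
  return b === BigInt(n); // BigInt(integer Number) is exact
}

// StringToBigInt: the integer-literal string grammar (whitespace and hex,
// octal, binary prefixes allowed; decimals and exponents are not). The BigInt
// constructor applies exactly that grammar and throws SyntaxError where the
// abstract operation returns undefined.
function stringToBigInt(s) {
  try { return BigInt(s); } catch (e) { return undefined; }
}

function looseEqualsWithBigInt(x, y) {
  const tx = typeof x, ty = typeof y;
  if (tx !== "bigint" && ty !== "bigint") throw new TypeError("model only covers BigInt operands");
  if (tx === "bigint" && ty === "bigint") return x === y;
  if (ty === "bigint") return looseEqualsWithBigInt(y, x); // put the BigInt on the left
  switch (ty) {
    case "number": return bigIntEqualsNumber(x, y);
    case "string": { const n = stringToBigInt(y); return n !== undefined && x === n; }
    case "boolean": return x === (y ? 1n : 0n); // ToNumber(boolean), then the Number case
    case "undefined": return false;
    case "symbol": return false;
    case "object":
      if (y === null) return false;
      throw new TypeError("model only covers primitive operands");
    default:
      throw new TypeError("unexpected operand type " + ty);
  }
}

// Constructed sample pairs covering each branch above, including values that
// differ only beyond double precision.
const SAMPLE_PAIRS = [
  [1n, 1], [1n, 1.5], [0n, -0], [1n, NaN], [1n, Infinity],
  [9007199254740993n, 2 ** 53],
  [2n, "2"], [10n, "0xa"], [0n, ""], [0n, "  "], [2n, "2.0"], [2n, "x"],
  ["-7", -7n], [1n, true], [0n, false], [3n, 3n], [3n, 4n],
  [1n, null], [1n, undefined], [1n, Symbol("s")],
];

// Pairs where the model and the engine's native == disagree (expected: none).
function mismatchesAgainstNative(pairs = SAMPLE_PAIRS) {
  return pairs.filter(([a, b]) => looseEqualsWithBigInt(a, b) !== (a == b));
}
```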
1545
1546 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
1547
1548         Speed up AbstractInterpreter::executeEdges
1549         https://bugs.webkit.org/show_bug.cgi?id=185457
1550
1551         Reviewed by Saam Barati.
1552
1553         This patch started out with the desire to make executeEdges() faster by making filtering faster.
1554         However, when I studied the disassembly, I found that there are many opportunities for
1555         improvement and I implemented all of them:
1556         
1557         - Filtering itself now has an inline fast path for when the filtering didn't change the value or
1558           for non-cells.
1559         
1560         - Edge execution doesn't fast-forward anything if the filtering fast path would have succeeded,
1561           since fast-forwarding is only interesting for cells and only if we have a clobbered value.
1562         
1563         - Similarly, edge verification doesn't need to fast-forward in the common case.
1564         
1565         - A bunch of stuff related to Graph::doToChildren is now inlined properly.
1566         
1567         - The edge doesn't even have to be considered for execution if it's UntypedUse.
1568         
1569         That last bit was the trickiest. We had gotten into a bad habit of using SpecFullNumber in the
1570         abstract interpreter. It's not correct to use SpecFullNumber in the abstract interpreter, because
1571         it means proving that the value could either be formatted as a double (with impure NaN values),
1572         or as any JSValue, or as an Int52. There is no value that could possibly hold all of those
1573         states. This "worked" before because UntypedUse would filter this down to SpecBytecodeNumber. To
1574         make it work again, I needed to fix all of those uses of SpecFullNumber. In the future, we need
1575         to be careful about picking either SpecFullDouble (if returning a DoubleRep) or
1576         SpecBytecodeNumber (if returning a JSValueRep).
1577         
1578         But that fix revealed an amazing timeout in
1579         stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js. We were getting
1580         stuck in an OSR loop (baseline->DFG->FTL->baseline), all involving the same bytecode, without
1581         ever realizing that we should jettison something. The problem was with how
1582         triggerReoptimizationNow was getting the optimizedCodeBlock. It was trying to guess it by using
1583         baselineCodeBlock->replacement(), but that's wrong for FTL-for-OSR-entry code blocks.
1584         
1585         This is a 1% improvement in V8Spider-CompileTime.
1586
1587         * bytecode/ExitKind.cpp:
1588         (JSC::exitKindMayJettison):
1589         * dfg/DFGAbstractInterpreter.h:
1590         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
1591         (JSC::DFG::AbstractInterpreter::filterByType): Deleted.
1592         * dfg/DFGAbstractInterpreterInlines.h:
1593         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::AbstractInterpreterExecuteEdgesFunc):
1594         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::operator() const):
1595         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
1596         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByType):
1597         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
1598         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1599         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1600         * dfg/DFGAbstractValue.cpp:
1601         (JSC::DFG::AbstractValue::filterSlow):
1602         (JSC::DFG::AbstractValue::fastForwardToAndFilterSlow):
1603         * dfg/DFGAbstractValue.h:
1604         (JSC::DFG::AbstractValue::filter):
1605         (JSC::DFG::AbstractValue::fastForwardToAndFilter):
1606         (JSC::DFG::AbstractValue::fastForwardToAndFilterUnproven):
1607         (JSC::DFG::AbstractValue::makeTop):
1608         * dfg/DFGAtTailAbstractState.h:
1609         (JSC::DFG::AtTailAbstractState::fastForward):
1610         (JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
1611         (JSC::DFG::AtTailAbstractState::fastForwardAndFilterUnproven):
1612         * dfg/DFGGraph.h:
1613         (JSC::DFG::Graph::doToChildren):
1614         * dfg/DFGInPlaceAbstractState.h:
1615         (JSC::DFG::InPlaceAbstractState::fastForward):
1616         (JSC::DFG::InPlaceAbstractState::fastForwardAndFilterUnproven):
1617         (JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
1618         * dfg/DFGOSRExit.cpp:
1619         (JSC::DFG::OSRExit::executeOSRExit):
1620         * dfg/DFGOSRExitCompilerCommon.cpp:
1621         (JSC::DFG::handleExitCounts):
1622         * dfg/DFGOperations.cpp:
1623         * dfg/DFGOperations.h:
1624
1625 2018-05-09  Saam Barati  <sbarati@apple.com>
1626
1627         Add JSVirtualMachine SPI to shrink the memory footprint of the VM
1628         https://bugs.webkit.org/show_bug.cgi?id=185441
1629         <rdar://problem/39999414>
1630
1631         Reviewed by Keith Miller.
1632
1633         This patch adds JSVirtualMachine SPI to release as much memory as possible.
1634         The SPI does:
1635         - Deletes all code caches.
1636         - Synchronous GC.
1637         - Run the scavenger.
1638
1639         * API/JSVirtualMachine.mm:
1640         (-[JSVirtualMachine shrinkFootprint]):
1641         * API/JSVirtualMachinePrivate.h: Added.
1642         * API/tests/testapi.mm:
1643         (testObjectiveCAPIMain):
1644         * JavaScriptCore.xcodeproj/project.pbxproj:
1645         * runtime/VM.cpp:
1646         (JSC::VM::shrinkFootprint):
1647         * runtime/VM.h:
1648
1649 2018-05-09  Leo Balter  <leonardo.balter@gmail.com>
1650
1651         [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
1652         Error found in the following Test262 tests:
1653
1654         - test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js
1655         - test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js
1656         - test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js
1657
1658         The ArraySpeciesCreate should throw a RangeError with non-Array custom objects
1659         presenting a length > 2**32-1
1660         https://bugs.webkit.org/show_bug.cgi?id=185476
1661
1662         Reviewed by Yusuke Suzuki.
1663
1664         * runtime/ArrayPrototype.cpp:
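
        The following is an added example, not JavaScriptCore code and not part of this entry. It is a model
        of ArraySpeciesCreate together with a generic, spec-shaped slice built on it, written in plain
        JavaScript. A non-Array receiver never consults a species constructor: it goes straight to ArrayCreate,
        which rejects any length above 2**32-1 with a RangeError, which is what the Test262 cases listed above
        check. The helper names (arrayCreate, sliceLike, outcome) are this example's own.

```javascript
// Added example, not JavaScriptCore code: ArraySpeciesCreate and a generic slice.

const MAX_ARRAY_LENGTH = 2 ** 32 - 1;

// ArrayCreate(length): enforce the Array length limit before allocating.
function arrayCreate(length) {
  if (!Number.isInteger(length) || length < 0 || length > MAX_ARRAY_LENGTH) {
    throw new RangeError("Invalid array length: " + length);
  }
  return new Array(length);
}

// ArraySpeciesCreate(originalArray, length), single-realm version.
function arraySpeciesCreate(originalArray, length) {
  if (!Array.isArray(originalArray)) return arrayCreate(length); // non-Array: plain Array
  let C = originalArray.constructor;
  if (C !== null && (typeof C === "object" || typeof C === "function")) {
    C = C[Symbol.species];
    if (C === null) C = undefined;
  }
  if (C === undefined) return arrayCreate(length);
  if (typeof C !== "function") throw new TypeError("species is not a constructor");
  return new C(length);
}

// ToIntegerOrInfinity / ToLength / relative-index helpers in the spec's shape.
function toIntegerOrZero(v) {
  const n = Math.trunc(Number(v));
  return Number.isNaN(n) ? 0 : n;
}
function toLength(v) {
  return Math.min(Math.max(toIntegerOrZero(v), 0), 2 ** 53 - 1);
}
function relativeIndex(v, len) {
  const r = toIntegerOrZero(v);
  return r < 0 ? Math.max(len + r, 0) : Math.min(r, len);
}

// Array.prototype.slice for an arbitrary array-like receiver O. The result
// container comes from arraySpeciesCreate, so an over-long non-Array receiver
// fails with RangeError before any element is copied.
function sliceLike(O, start, end) {
  const len = toLength(O.length);
  let k = relativeIndex(start, len);
  const final = end === undefined ? len : relativeIndex(end, len);
  const count = Math.max(final - k, 0);
  const A = arraySpeciesCreate(O, count);
  let n = 0;
  for (; k < final; k++, n++) {
    if (k in O) A[n] = O[k];
  }
  A.length = n;
  return A;
}

// Run a thunk and summarise what happened.
function outcome(fn) {
  try {
    const r = fn();
    return { threw: null, isArray: Array.isArray(r), length: r.length };
  } catch (e) {
    return { threw: e.constructor.name };
  }
}
```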
1665
1666 2018-05-09  Michael Catanzaro  <mcatanzaro@igalia.com>
1667
1668         [WPE] Build cleanly with GCC 8 and ICU 60
1669         https://bugs.webkit.org/show_bug.cgi?id=185462
1670
1671         Reviewed by Carlos Alberto Lopez Perez.
1672
1673         * API/glib/JSCClass.cpp: Silence many -Wcast-function-type warnings.
1674         (jsc_class_add_constructor):
1675         (jsc_class_add_method):
1676         * API/glib/JSCValue.cpp: Silence many -Wcast-function-type warnings.
1677         (jsc_value_object_define_property_accessor):
1678         (jsc_value_new_function):
1679         * CMakeLists.txt: Build BuiltinNames.cpp with -fno-var-tracking-assignments. This was a
1680         problem with GCC 7 too, but might as well fix it now.
1681         * assembler/ProbeContext.h:
1682         (JSC::Probe::CPUState::gpr const): Silence a -Wclass-memaccess warning.
1683         (JSC::Probe::CPUState::spr const): Ditto. Assume std::remove_const is safe to clobber.
1684         * b3/air/AirArg.h:
1685         (JSC::B3::Air::Arg::isRepresentableAs): Silence -Wfallthrough warning.
1686         * builtins/BuiltinNames.cpp:
1687         (JSC::BuiltinNames::BuiltinNames): Moved from BuiltinNames.h so we can use a special flag.
1688         * builtins/BuiltinNames.h:
1689         (JSC::BuiltinNames::BuiltinNames): Moved to BuiltinNames.cpp.
1690         * dfg/DFGDoubleFormatState.h:
1691         (JSC::DFG::mergeDoubleFormatStates): Silence -Wfallthrough warnings.
1692         * heap/MarkedBlockInlines.h:
1693         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType): Silence -Wfallthrough warnings.
1694         * runtime/ConfigFile.cpp:
1695         (JSC::ConfigFile::canonicalizePaths): Here GCC found a genuine mistake, strncat is called
1696         with the wrong length parameter and the result is not null-terminated. Also, silence a
1697         -Wstringop-truncation warning as we intentionally truncate filenames that exceed PATH_MAX.
1698         * runtime/IntlDateTimeFormat.cpp:
1699         (JSC::IntlDateTimeFormat::partTypeString): Avoid an ICU deprecation warning.
1700         * runtime/JSGlobalObject.cpp:
1701         (JSC::JSGlobalObject::init): We were unconditionally running some BigInt code by accident.
1702         (JSC::JSGlobalObject::visitChildren): Probably a serious bug? Fixed.
1703
1704 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1705
1706         [ARMv7] Drop ARMv7 disassembler in favor of capstone
1707         https://bugs.webkit.org/show_bug.cgi?id=185423
1708
1709         Reviewed by Michael Catanzaro.
1710
1711         This patch removes ARMv7Disassembler in our tree.
1712         We already adopted Capstone, and it is already used in ARMv7 JIT environments.
1713
1714         * CMakeLists.txt:
1715         * JavaScriptCore.xcodeproj/project.pbxproj:
1716         * Sources.txt:
1717         * disassembler/ARMv7/ARMv7DOpcode.cpp: Removed.
1718         * disassembler/ARMv7/ARMv7DOpcode.h: Removed.
1719         * disassembler/ARMv7Disassembler.cpp: Removed.
1720
1721 2018-05-09  Srdjan Lazarevic  <srdjan.lazarevic@rt-rk.com>
1722
1723         [MIPS] Optimize generated JIT code using r2
1724         https://bugs.webkit.org/show_bug.cgi?id=184584
1725
1726         Reviewed by Yusuke Suzuki.
1727
1728         EXT and MFHC1 instructions from MIPSR2 are implemented and used where possible.
1729         Also, some code size optimizations that were discovered in the meantime are done.
1730
1731         * assembler/MIPSAssembler.h:
1732         (JSC::MIPSAssembler::ext):
1733         (JSC::MIPSAssembler::mfhc1):
1734         * assembler/MacroAssemblerMIPS.cpp:
1735         * assembler/MacroAssemblerMIPS.h:
1736         (JSC::MacroAssemblerMIPS::isPowerOf2):
1737         (JSC::MacroAssemblerMIPS::bitPosition):
1738         (JSC::MacroAssemblerMIPS::loadAddress):
1739         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
1740         (JSC::MacroAssemblerMIPS::load8):
1741         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1742         (JSC::MacroAssemblerMIPS::load32):
1743         (JSC::MacroAssemblerMIPS::load16Unaligned):
1744         (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
1745         (JSC::MacroAssemblerMIPS::load16):
1746         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
1747         (JSC::MacroAssemblerMIPS::store8):
1748         (JSC::MacroAssemblerMIPS::store16):
1749         (JSC::MacroAssemblerMIPS::store32):
1750         (JSC::MacroAssemblerMIPS::branchTest32):
1751         (JSC::MacroAssemblerMIPS::loadFloat):
1752         (JSC::MacroAssemblerMIPS::loadDouble):
1753         (JSC::MacroAssemblerMIPS::storeFloat):
1754         (JSC::MacroAssemblerMIPS::storeDouble):
1755
1756 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1757
1758         [JSC][GTK][JSCONLY] Use capstone disassembler
1759         https://bugs.webkit.org/show_bug.cgi?id=185283
1760
1761         Reviewed by Michael Catanzaro.
1762
1763         Instead of adding a MIPS disassembler baked by ourselves, we import the capstone disassembler.
1764         And use capstone disassembler for MIPS, ARM, and ARMv7 in GTK, WPE, WinCairo and JSCOnly ports.
1765
1766         And we remove ARM LLVM disassembler.
1767
1768         Capstone is licensed under 3-clause BSD, which is acceptable in WebKit tree.
1769
1770         * CMakeLists.txt:
1771         * Sources.txt:
1772         * disassembler/ARMLLVMDisassembler.cpp: Removed.
1773         * disassembler/CapstoneDisassembler.cpp: Added.
1774         (JSC::tryToDisassemble):
1775
1776 2018-05-09  Dominik Infuehr  <dinfuehr@igalia.com>
1777
1778         [MIPS] Use mfhc1 and mthc1 to fix assembler error
1779         https://bugs.webkit.org/show_bug.cgi?id=185464
1780
1781         Reviewed by Yusuke Suzuki.
1782
1783         The binutils-assembler started to report failures for copying words between
1784         GP and FP registers for odd FP register indices. Use mfhc1 and mthc1 instead
1785         of mfc1 and mtc1 for conversion.
1786
1787         * offlineasm/mips.rb:
1788
1789 2018-05-08  Dominik Infuehr  <dinfuehr@igalia.com>
1790
1791         [MIPS] Collect callee-saved register using inline assembly
1792         https://bugs.webkit.org/show_bug.cgi?id=185428
1793
1794         Reviewed by Yusuke Suzuki.
1795
1796         MIPS used setjmp instead of collecting registers with inline assembly like
1797         other architectures.
1798
1799         * heap/RegisterState.h:
1800
1801 2018-05-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1802
1803         [BigInt] Simplifying JSBigInt by using bool addition
1804         https://bugs.webkit.org/show_bug.cgi?id=185374
1805
1806         Reviewed by Alex Christensen.
1807
1808         Since using TWO_DIGIT does not produce good code, we remove this part from digitAdd and digitSub.
1809         Just adding the overflow flag to carry/borrow produces setb + add on x86.
1810
1811         Also, we annotate small helper functions and accessors with `inline` so that these functions are not called
1812         inside the internalMultiplyAdd loop.
1813
1814         * runtime/JSBigInt.cpp:
1815         (JSC::JSBigInt::isZero):
1816         (JSC::JSBigInt::inplaceMultiplyAdd):
1817         (JSC::JSBigInt::digitAdd):
1818         (JSC::JSBigInt::digitSub):
1819         (JSC::JSBigInt::digitMul):
1820         (JSC::JSBigInt::digitPow):
1821         (JSC::JSBigInt::digitDiv):
1822         (JSC::JSBigInt::offsetOfData):
1823         (JSC::JSBigInt::dataStorage):
1824         (JSC::JSBigInt::digit):
1825         (JSC::JSBigInt::setDigit):
1826
1827 2018-05-08  Michael Saboff  <msaboff@apple.com>
1828
1829         Replace multiple Watchpoint Set fireAll() methods with templates
1830         https://bugs.webkit.org/show_bug.cgi?id=185456
1831
1832         Reviewed by Saam Barati.
1833
1834         Refactored to minimize duplicate code.
1835
1836         * bytecode/Watchpoint.h:
1837         (JSC::WatchpointSet::fireAll):
1838         (JSC::InlineWatchpointSet::fireAll):
1839
1840 2018-05-08  Filip Pizlo  <fpizlo@apple.com>
1841
1842         DFG::FlowMap::resize() shouldn't resize the shadow map unless we're in SSA
1843         https://bugs.webkit.org/show_bug.cgi?id=185453
1844
1845         Reviewed by Michael Saboff.
1846         
1847         Tiny improvement for compile times.
1848
1849         * dfg/DFGFlowMap.h:
1850         (JSC::DFG::FlowMap::resize): Remove one Vector::resize() when we're not in SSA.
1851         * dfg/DFGInPlaceAbstractState.cpp:
1852         (JSC::DFG::InPlaceAbstractState::beginBasicBlock): Record some data about how long we spend in different parts of this and add a FIXME linking bug 185452.
1853
1854 2018-05-08  Michael Saboff  <msaboff@apple.com>
1855
1856         Deferred firing of structure transition watchpoints is racy
1857         https://bugs.webkit.org/show_bug.cgi?id=185438
1858
1859         Reviewed by Saam Barati.
1860
1861         Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire
1862         and fire them in the destructor.  When the watchpoints are taken from the
1863         original WatchpointSet, that WatchpointSet is marked invalid.
1864
1865         * bytecode/Watchpoint.cpp:
1866         (JSC::WatchpointSet::fireAllSlow):
1867         (JSC::WatchpointSet::take):
1868         (JSC::DeferredWatchpointFire::DeferredWatchpointFire):
1869         (JSC::DeferredWatchpointFire::~DeferredWatchpointFire):
1870         (JSC::DeferredWatchpointFire::fireAll):
1871         (JSC::DeferredWatchpointFire::takeWatchpointsToFire):
1872         * bytecode/Watchpoint.h:
1873         (JSC::WatchpointSet::fireAll):
1874         (JSC::InlineWatchpointSet::fireAll):
1875         * runtime/JSObject.cpp:
1876         (JSC::JSObject::setPrototypeDirect):
1877         (JSC::JSObject::convertToDictionary):
1878         * runtime/JSObjectInlines.h:
1879         (JSC::JSObject::putDirectInternal):
1880         * runtime/Structure.cpp:
1881         (JSC::Structure::Structure):
1882         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire):
1883         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
1884         (JSC::DeferredStructureTransitionWatchpointFire::dump const):
1885         (JSC::Structure::didTransitionFromThisStructure const):
1886         (JSC::DeferredStructureTransitionWatchpointFire::add): Deleted.
1887         * runtime/Structure.h:
1888         (JSC::DeferredStructureTransitionWatchpointFire::structure const):
1889
1890 2018-05-08  Eric Carlson  <eric.carlson@apple.com>
1891
1892         Consecutive messages logged as JSON are coalesced
1893         https://bugs.webkit.org/show_bug.cgi?id=185432
1894
1895         Reviewed by Joseph Pecoraro.
1896
1897         * inspector/ConsoleMessage.cpp:
1898         (Inspector::ConsoleMessage::isEqual const): Messages with JSON arguments are not equal.
1899
1900 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
1901
1902         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
1903         https://bugs.webkit.org/show_bug.cgi?id=185365
1904
1905         Reviewed by Saam Barati.
1906         
1907         This patch does three things to improve compile times:
1908         
1909         - Fixes some inlining goofs.
1910         
1911         - Adds the ability to measure compile times with run-jsc-benchmarks.
1912         
1913         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
1914           code that clears abstract values. It turns out that constant folding "needed" this, in the
1915           sense that this was the only thing protecting it from loading the abstract value of a no-result
1916           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
1917           Any node that produces a result will explicitly set its abstract value, so this problem can
1918           also be guarded by just having constant folding check if the node it wants to fold returns any
1919           result.
1920         
1921         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
1922         
1923         Rolling back in after fixing cloop build.
1924
1925         * dfg/DFGAbstractInterpreterInlines.h:
1926         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1927         * dfg/DFGAbstractValue.cpp:
1928         (JSC::DFG::AbstractValue::set):
1929         * dfg/DFGAbstractValue.h:
1930         (JSC::DFG::AbstractValue::merge):
1931         * dfg/DFGConstantFoldingPhase.cpp:
1932         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1933         * dfg/DFGGraph.h:
1934         (JSC::DFG::Graph::doToChildrenWithNode):
1935         (JSC::DFG::Graph::doToChildren):
1936         * dfg/DFGInPlaceAbstractState.cpp:
1937         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1938         * jit/JIT.cpp:
1939         (JSC::JIT::totalCompileTime):
1940         * jit/JIT.h:
1941         * jsc.cpp:
1942         (GlobalObject::finishCreation):
1943         (functionTotalCompileTime):
1944
1945 2018-05-08  Ryan Haddad  <ryanhaddad@apple.com>
1946
1947         Unreviewed, rolling out r231468.
1948
1949         Broke the CLoop build
1950
1951         Reverted changeset:
1952
1953         "InPlaceAbstractState::beginBasicBlock shouldn't have to clear
1954         any abstract values"
1955         https://bugs.webkit.org/show_bug.cgi?id=185365
1956         https://trac.webkit.org/changeset/231468
1957
1958 2018-05-07  Daniel Bates  <dabates@apple.com>
1959
1960         Check X-Frame-Options and CSP frame-ancestors in network process
1961         https://bugs.webkit.org/show_bug.cgi?id=185410
1962         <rdar://problem/37733934>
1963
1964         Reviewed by Ryosuke Niwa.
1965
1966         Add enum traits for MessageSource and MessageLevel so that we can encode and decode them for IPC.
1967
1968         * runtime/ConsoleTypes.h:
1969
1970 2018-05-07  Saam Barati  <sbarati@apple.com>
1971
1972         Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them
1973         https://bugs.webkit.org/show_bug.cgi?id=185329
1974         <rdar://problem/39961536>
1975
1976         Reviewed by Michael Saboff.
1977
1978         I was made aware of a memory goof inside of JSC where we would inefficiently
1979         use space to represent an UnlinkedFunctionExecutable's parent TDZ variables.
1980         
1981         We did two things badly:
1982         1. We used a HashMap instead of a Vector to represent the environment. Having
1983         a HashMap is useful when looking things up when generating bytecode, but it's
1984         space inefficient. Because UnlinkedFunctionExecutables live a long time because
1985         of the code cache, we should have them store this information efficiently
1986         inside of a Vector.
1987         
1988         2. We didn't hash-cons these environments together. If you think about how
1989         some programs are structured, hash-consing these together is hugely profitable.
1990         Consider some code like this:
1991         ```
1992         const/let V_1 = ...;
1993         const/let V_2 = ...;
1994         ...
1995         const/let V_n = ...;
1996         
1997         function f_1() { ... };
1998         function f_2() { ... };
1999         ...
2000         function f_n() { ... };
2001         ```
2002         
2003         Each f_i would store an identical hash map for its parent TDZ variables
2004         consisting of {V_1, ..., V_n}. This was incredibly dumb. With hash-consing,
2005         each f_i just holds onto a reference to the environment.
2006         
2007         I benchmarked this change against an app that made heavy use of the
2008         above code pattern and it reduced its peak memory footprint from ~220MB
2009         to ~160MB.
2010
2011         * bytecode/UnlinkedFunctionExecutable.cpp:
2012         (JSC::generateUnlinkedFunctionCodeBlock):
2013         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2014         * bytecode/UnlinkedFunctionExecutable.h:
2015         * parser/VariableEnvironment.cpp:
2016         (JSC::CompactVariableEnvironment::CompactVariableEnvironment):
2017         (JSC::CompactVariableEnvironment::operator== const):
2018         (JSC::CompactVariableEnvironment::toVariableEnvironment const):
2019         (JSC::CompactVariableMap::get):
2020         (JSC::CompactVariableMap::Handle::~Handle):
2021         * parser/VariableEnvironment.h:
2022         (JSC::VariableEnvironmentEntry::bits const):
2023         (JSC::VariableEnvironmentEntry::operator== const):
2024         (JSC::VariableEnvironment::isEverythingCaptured const):
2025         (JSC::CompactVariableEnvironment::hash const):
2026         (JSC::CompactVariableMapKey::CompactVariableMapKey):
2027         (JSC::CompactVariableMapKey::hash):
2028         (JSC::CompactVariableMapKey::equal):
2029         (JSC::CompactVariableMapKey::makeDeletedValue):
2030         (JSC::CompactVariableMapKey::isHashTableDeletedValue const):
2031         (JSC::CompactVariableMapKey::isHashTableEmptyValue const):
2032         (JSC::CompactVariableMapKey::environment):
2033         (WTF::HashTraits<JSC::CompactVariableMapKey>::emptyValue):
2034         (WTF::HashTraits<JSC::CompactVariableMapKey>::isEmptyValue):
2035         (WTF::HashTraits<JSC::CompactVariableMapKey>::constructDeletedValue):
2036         (WTF::HashTraits<JSC::CompactVariableMapKey>::isDeletedValue):
2037         (JSC::CompactVariableMap::Handle::Handle):
2038         (JSC::CompactVariableMap::Handle::environment const):
2039         (JSC::VariableEnvironment::VariableEnvironment): Deleted.
2040         * runtime/VM.cpp:
2041         (JSC::VM::VM):
2042         * runtime/VM.h:
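
        The following is an added example, not JavaScriptCore's CompactVariableMap and not part of this entry.
        It is a hash-consing table for parent-TDZ environments in plain JavaScript: identical sets of let/const
        names are canonicalised to one key and stored once, and each function that needs the environment holds
        a reference-counted handle instead of its own copy, which is the sharing described above. The key
        encoding (sorted names joined with NUL) and the reference counting are this example's own choices.

```javascript
// Added example, not JavaScriptCore code: hash-consing of TDZ environments.

class EnvironmentInterner {
  constructor() {
    this.table = new Map(); // canonical key -> { env, refs }
  }

  // Canonical form: unique names, sorted, joined with NUL (never part of an
  // identifier), so two scopes declaring the same names map to one entry.
  static keyFor(names) {
    return Array.from(new Set(names)).sort().join("\0");
  }

  // Return a handle to the shared, immutable environment for these names,
  // creating the entry on first use.
  intern(names) {
    const key = EnvironmentInterner.keyFor(names);
    let entry = this.table.get(key);
    if (entry === undefined) {
      entry = { env: Object.freeze(key === "" ? [] : key.split("\0")), refs: 0 };
      this.table.set(key, entry);
    }
    entry.refs += 1;
    return new EnvironmentHandle(this, key, entry.env);
  }

  release(key) {
    const entry = this.table.get(key);
    if (entry === undefined) throw new Error("release of unknown environment");
    entry.refs -= 1;
    if (entry.refs === 0) this.table.delete(key); // last holder gone: drop it
  }

  get size() { return this.table.size; }
}

class EnvironmentHandle {
  constructor(interner, key, env) {
    this.interner = interner;
    this.key = key;
    this.env = env;
    this.released = false;
  }

  // A handle releases exactly once; a second release is a bug, not a no-op.
  release() {
    if (this.released) throw new Error("double release of environment handle");
    this.released = true;
    this.interner.release(this.key);
  }
}

// Simulation of the code shape in the entry: n functions declared under the
// same TDZ variables. Each one gets a handle; the names are stored once.
function declareFunctionsUnder(interner, tdzNames, n) {
  const handles = [];
  for (let i = 0; i < n; i++) handles.push(interner.intern(tdzNames));
  return handles;
}
```

        Treating the environment as a set (sorted, duplicates dropped) is an assumption of this example; it
        makes two scopes with the same names in a different declaration order share one entry.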
2043
2044 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2045
2046         [DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers
2047         https://bugs.webkit.org/show_bug.cgi?id=185371
2048
2049         Reviewed by Mark Lam.
2050
2051         Since MIPS GPRInfo claims it has only 7 registers, some DFG code exhausts registers.
2052         As a result, we need to maintain separate code for MIPS. This increases the DFG maintenance burden,
2053         but actually MIPS has many more registers.
2054
2055         This patch adds $a0 - $a3 to temporary registers. This is OK since our temporary registers can be overlapped with
2056         argument registers (see ARM, X86 implementations). These registers are caller-save ones, so we do not need to
2057         have an extra mechanism.
2058
2059         Then, we remove some unnecessary MIPS code in our JIT infrastructure.
2060
2061         * dfg/DFGByteCodeParser.cpp:
2062         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2063         * dfg/DFGFixupPhase.cpp:
2064         (JSC::DFG::FixupPhase::fixupNode):
2065         * dfg/DFGSpeculativeJIT32_64.cpp:
2066         (JSC::DFG::SpeculativeJIT::compile):
2067         * jit/CCallHelpers.h:
2068         * jit/GPRInfo.h:
2069         (JSC::GPRInfo::toRegister):
2070         (JSC::GPRInfo::toIndex):
2071         * offlineasm/mips.rb:
2072
2073 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
2074
2075         DFG AI should have O(1) clobbering
2076         https://bugs.webkit.org/show_bug.cgi?id=185287
2077
2078         Reviewed by Saam Barati.
2079         
2080         This fixes an old scalability problem in AI. Previously, if we did clobberWorld(), then we
2081         would traverse all of the state available to the AI at that time and clobber it.
2082         
2083         This changes clobberWorld() to be O(1). It just does some math to a clobber epoch.
2084         
2085         This is a ~1% speed-up for compile times.
2086
2087         * JavaScriptCore.xcodeproj/project.pbxproj:
2088         * Sources.txt:
2089         * dfg/DFGAbstractInterpreter.h:
2090         (JSC::DFG::AbstractInterpreter::forNode):
2091         (JSC::DFG::AbstractInterpreter::setForNode):
2092         (JSC::DFG::AbstractInterpreter::clearForNode):
2093         (JSC::DFG::AbstractInterpreter::variables): Deleted.
2094         * dfg/DFGAbstractInterpreterInlines.h:
2095         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2096         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
2097         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
2098         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
2099         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
2100         * dfg/DFGAbstractValue.cpp:
2101         (JSC::DFG::AbstractValue::fastForwardToSlow):
2102         * dfg/DFGAbstractValue.h:
2103         (JSC::DFG::AbstractValue::fastForwardTo):
2104         (JSC::DFG::AbstractValue::clobberStructuresFor): Deleted.
2105         (JSC::DFG::AbstractValue::observeInvalidationPoint): Deleted.
2106         (JSC::DFG::AbstractValue::observeInvalidationPointFor): Deleted.
2107         * dfg/DFGAbstractValueClobberEpoch.cpp: Added.
2108         (JSC::DFG::AbstractValueClobberEpoch::dump const):
2109         * dfg/DFGAbstractValueClobberEpoch.h: Added.
2110         (JSC::DFG::AbstractValueClobberEpoch::AbstractValueClobberEpoch):
2111         (JSC::DFG::AbstractValueClobberEpoch::first):
2112         (JSC::DFG::AbstractValueClobberEpoch::clobber):
2113         (JSC::DFG::AbstractValueClobberEpoch::observeInvalidationPoint):
2114         (JSC::DFG::AbstractValueClobberEpoch::operator== const):
2115         (JSC::DFG::AbstractValueClobberEpoch::operator!= const):
2116         (JSC::DFG::AbstractValueClobberEpoch::structureClobberState const):
2117         (JSC::DFG::AbstractValueClobberEpoch::clobberEpoch const):
2118         * dfg/DFGAtTailAbstractState.h:
2119         (JSC::DFG::AtTailAbstractState::setForNode):
2120         (JSC::DFG::AtTailAbstractState::clearForNode):
2121         (JSC::DFG::AtTailAbstractState::numberOfArguments const):
2122         (JSC::DFG::AtTailAbstractState::numberOfLocals const):
2123         (JSC::DFG::AtTailAbstractState::operand):
2124         (JSC::DFG::AtTailAbstractState::local):
2125         (JSC::DFG::AtTailAbstractState::argument):
2126         (JSC::DFG::AtTailAbstractState::clobberStructures):
2127         (JSC::DFG::AtTailAbstractState::observeInvalidationPoint):
2128         (JSC::DFG::AtTailAbstractState::variables): Deleted.
2129         * dfg/DFGCFAPhase.cpp:
2130         (JSC::DFG::CFAPhase::performBlockCFA):
2131         * dfg/DFGConstantFoldingPhase.cpp:
2132         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2133         * dfg/DFGFlowMap.h:
2134         (JSC::DFG::FlowMap::at):
2135         (JSC::DFG::FlowMap::atShadow):
2136         (JSC::DFG::FlowMap::at const):
2137         (JSC::DFG::FlowMap::atShadow const):
2138         * dfg/DFGInPlaceAbstractState.cpp:
2139         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
2140         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2141         * dfg/DFGInPlaceAbstractState.h:
2142         (JSC::DFG::InPlaceAbstractState::forNode):
2143         (JSC::DFG::InPlaceAbstractState::setForNode):
2144         (JSC::DFG::InPlaceAbstractState::clearForNode):
2145         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
2146         (JSC::DFG::InPlaceAbstractState::numberOfArguments const):
2147         (JSC::DFG::InPlaceAbstractState::numberOfLocals const):
2148         (JSC::DFG::InPlaceAbstractState::operand):
2149         (JSC::DFG::InPlaceAbstractState::local):
2150         (JSC::DFG::InPlaceAbstractState::argument):
2151         (JSC::DFG::InPlaceAbstractState::variableAt):
2152         (JSC::DFG::InPlaceAbstractState::clobberStructures):
2153         (JSC::DFG::InPlaceAbstractState::observeInvalidationPoint):
2154         (JSC::DFG::InPlaceAbstractState::fastForward):
2155         (JSC::DFG::InPlaceAbstractState::variables): Deleted.
2156         * dfg/DFGSpeculativeJIT64.cpp:
2157         (JSC::DFG::SpeculativeJIT::compile):
2158         * ftl/FTLLowerDFGToB3.cpp:
2159         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
2160
2161 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
2162
2163         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
2164         https://bugs.webkit.org/show_bug.cgi?id=185365
2165
2166         Reviewed by Saam Barati.
2167         
2168         This patch does three things to improve compile times:
2169         
2170         - Fixes some inlining goofs.
2171         
2172         - Adds the ability to measure compile times with run-jsc-benchmarks.
2173         
2174         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
2175           code that clears abstract values. It turns out that only constant folding "needed" this, in the
2176           sense that this was the only thing protecting it from loading the abstract value of a no-result
2177           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
2178           Any node that produces a result will explicitly set its abstract value, so this problem can
2179           also be guarded by just having constant folding check if the node it wants to fold returns any
2180           result.
2181         
2182         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
2183
2184         * dfg/DFGAbstractInterpreterInlines.h:
2185         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2186         * dfg/DFGAbstractValue.cpp:
2187         (JSC::DFG::AbstractValue::set):
2188         * dfg/DFGAbstractValue.h:
2189         (JSC::DFG::AbstractValue::merge):
2190         * dfg/DFGConstantFoldingPhase.cpp:
2191         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2192         * dfg/DFGGraph.h:
2193         (JSC::DFG::Graph::doToChildrenWithNode):
2194         (JSC::DFG::Graph::doToChildren):
2195         * dfg/DFGInPlaceAbstractState.cpp:
2196         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
2197         * jit/JIT.cpp:
2198         (JSC::JIT::totalCompileTime):
2199         * jit/JIT.h:
2200         * jsc.cpp:
2201         (GlobalObject::finishCreation):
2202         (functionTotalCompileTime):
2203
2204 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
2205
2206         DFG AI doesn't need to merge valuesAtTail - it can just assign them
2207         https://bugs.webkit.org/show_bug.cgi?id=185355
2208
2209         Reviewed by Mark Lam.
2210         
2211         This is a further attempt to improve compile times. Assigning AbstractValue ought to always
2212         be faster than merging. There's no need to merge valuesAtTail. In most cases, assigning and
2213         merging will get the same answer because the value computed this time will be either the same
2214         as or more general than the value computed last time. If the value does change for some
2215         reason, then valuesAtHead are already merged, which ensures monotonicity. Also, if the value
2216         changes, then we have no reason to believe that this new value is less right than the last
2217         one we computed. Finally, the one client of valuesAtTail (AtTailAbstractState) doesn't care
2218         if it's getting the merged valuesAtTail or just some correct answer for valuesAtTail.
2219
2220         * dfg/DFGInPlaceAbstractState.cpp:
2221         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2222
2223 2018-05-07  Andy VanWagoner  <andy@vanwagoner.family>
2224
2225         Remove defunct email address
2226         https://bugs.webkit.org/show_bug.cgi?id=185396
2227
2228         Reviewed by Mark Lam.
2229
2230         The email address thetalecrafter@gmail.com is no longer valid, as the
2231         associated google account has been closed. This updates the email
2232         address so questions about these Intl contributions go to the right
2233         place.
2234
2235         * builtins/DatePrototype.js:
2236         * builtins/NumberPrototype.js:
2237         * builtins/StringPrototype.js:
2238         * runtime/IntlCollator.cpp:
2239         * runtime/IntlCollator.h:
2240         * runtime/IntlCollatorConstructor.cpp:
2241         * runtime/IntlCollatorConstructor.h:
2242         * runtime/IntlCollatorPrototype.cpp:
2243         * runtime/IntlCollatorPrototype.h:
2244         * runtime/IntlDateTimeFormat.cpp:
2245         * runtime/IntlDateTimeFormat.h:
2246         * runtime/IntlDateTimeFormatConstructor.cpp:
2247         * runtime/IntlDateTimeFormatConstructor.h:
2248         * runtime/IntlDateTimeFormatPrototype.cpp:
2249         * runtime/IntlDateTimeFormatPrototype.h:
2250         * runtime/IntlNumberFormat.cpp:
2251         * runtime/IntlNumberFormat.h:
2252         * runtime/IntlNumberFormatConstructor.cpp:
2253         * runtime/IntlNumberFormatConstructor.h:
2254         * runtime/IntlNumberFormatPrototype.cpp:
2255         * runtime/IntlNumberFormatPrototype.h:
2256         * runtime/IntlObject.cpp:
2257         * runtime/IntlObject.h:
2258         * runtime/IntlPluralRules.cpp:
2259         * runtime/IntlPluralRules.h:
2260         * runtime/IntlPluralRulesConstructor.cpp:
2261         * runtime/IntlPluralRulesConstructor.h:
2262         * runtime/IntlPluralRulesPrototype.cpp:
2263         * runtime/IntlPluralRulesPrototype.h:
2264
2265 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2266
2267         [JSC] Remove "using namespace std;" from JSC, bmalloc, WTF
2268         https://bugs.webkit.org/show_bug.cgi?id=185362
2269
2270         Reviewed by Sam Weinig.
2271
2272         "namespace std" may include many names. It can conflict with names defined by our code
2273         and by other platform-provided headers. For example, std::byte conflicts with Windows'
2274         ::byte.
2275         This patch removes "using namespace std;" from JSC and bmalloc.
2276
2277         * API/JSClassRef.cpp:
2278         (OpaqueJSClass::create):
2279         * bytecode/Opcode.cpp:
2280         * bytecompiler/BytecodeGenerator.cpp:
2281         (JSC::BytecodeGenerator::newRegister):
2282         * heap/Heap.cpp:
2283         (JSC::Heap::updateAllocationLimits):
2284         * interpreter/Interpreter.cpp:
2285         * jit/JIT.cpp:
2286         * parser/Parser.cpp:
2287         * runtime/JSArray.cpp:
2288         * runtime/JSLexicalEnvironment.cpp:
2289         * runtime/JSModuleEnvironment.cpp:
2290         * runtime/Structure.cpp:
2291         * shell/DLLLauncherMain.cpp:
2292         (getStringValue):
2293         (applePathFromRegistry):
2294         (appleApplicationSupportDirectory):
2295         (copyEnvironmentVariable):
2296         (prependPath):
2297         (fatalError):
2298         (directoryExists):
2299         (modifyPath):
2300         (getLastErrorString):
2301         (wWinMain):
2302
2303 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
2304
2305         DFG CFA phase should only do clobber asserts in debug
2306         https://bugs.webkit.org/show_bug.cgi?id=185354
2307
2308         Reviewed by Saam Barati.
2309         
2310         Clobber asserts are responsible for 1% of compile time. That's too much. This disables them
2311         unless asserts are enabled.
2312
2313         * dfg/DFGCFAPhase.cpp:
2314         (JSC::DFG::CFAPhase::performBlockCFA):
2315
2316 2018-05-04  Keith Miller  <keith_miller@apple.com>
2317
2318         isCacheableArrayLength should return true for undecided arrays
2319         https://bugs.webkit.org/show_bug.cgi?id=185309
2320
2321         Reviewed by Michael Saboff.
2322
2323         Undecided arrays have butterflies so there is no reason why we
2324         should not be able to cache their length.
2325
2326         * bytecode/InlineAccess.cpp:
2327         (JSC::InlineAccess::isCacheableArrayLength):
2328
2329 2018-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2330
2331         Remove std::random_shuffle
2332         https://bugs.webkit.org/show_bug.cgi?id=185292
2333
2334         Reviewed by Darin Adler.
2335
2336         std::random_shuffle is deprecated in C++14 and removed in C++17,
2337         since std::random_shuffle relies on rand and srand.
2338         Use std::shuffle instead.
2339
2340         * jit/BinarySwitch.cpp:
2341         (JSC::RandomNumberGenerator::RandomNumberGenerator):
2342         (JSC::RandomNumberGenerator::operator()):
2343         (JSC::RandomNumberGenerator::min):
2344         (JSC::RandomNumberGenerator::max):
2345         (JSC::BinarySwitch::build):
2346
2347 2018-05-03  Saam Barati  <sbarati@apple.com>
2348
2349         Don't prevent CreateThis being folded to NewObject when the structure is poly proto
2350         https://bugs.webkit.org/show_bug.cgi?id=185177
2351
2352         Reviewed by Filip Pizlo.
2353
2354         This patch teaches the DFG/FTL how to constant fold CreateThis with
2355         a known poly proto Structure to NewObject. We do it by emitting a NewObject
2356         followed by a PutByOffset for the prototype value.
2357         
2358         We make it so that ObjectAllocationProfile holds the prototype value.
2359         This is sound because JSFunction clears that profile when its 'prototype'
2360         field changes.
2361         
2362         This patch also renames underscoreProtoPrivateName to polyProtoName since
2363         that name was nonsensical: it was only used for poly proto.
2364         
2365         This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
2366         regressed that benchmark when I first introduced poly proto.
2367
2368         * builtins/BuiltinNames.cpp:
2369         * builtins/BuiltinNames.h:
2370         (JSC::BuiltinNames::BuiltinNames):
2371         (JSC::BuiltinNames::polyProtoName const):
2372         (JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
2373         * bytecode/ObjectAllocationProfile.h:
2374         (JSC::ObjectAllocationProfile::prototype):
2375         (JSC::ObjectAllocationProfile::clear):
2376         (JSC::ObjectAllocationProfile::visitAggregate):
2377         * bytecode/ObjectAllocationProfileInlines.h:
2378         (JSC::ObjectAllocationProfile::initializeProfile):
2379         * dfg/DFGAbstractInterpreterInlines.h:
2380         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2381         * dfg/DFGByteCodeParser.cpp:
2382         (JSC::DFG::ByteCodeParser::parseBlock):
2383         * dfg/DFGConstantFoldingPhase.cpp:
2384         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2385         * dfg/DFGOperations.cpp:
2386         * runtime/CommonSlowPaths.cpp:
2387         (JSC::SLOW_PATH_DECL):
2388         * runtime/FunctionRareData.h:
2389         * runtime/Structure.cpp:
2390         (JSC::Structure::create):
2391
2392 2018-05-03  Michael Saboff  <msaboff@apple.com>
2393
2394         OSR entry pruning of Program Bytecodes doesn't take into account try/catch
2395         https://bugs.webkit.org/show_bug.cgi?id=185281
2396
2397         Reviewed by Saam Barati.
2398
2399         When we compute bytecode block reachability, we need to take into account blocks
2400         containing try/catch.
2401
2402         * jit/JIT.cpp:
2403         (JSC::JIT::privateCompileMainPass):
2404
2405 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2406
2407         ARM: Wrong offset for operand rt in disassembler
2408         https://bugs.webkit.org/show_bug.cgi?id=184083
2409
2410         Reviewed by Yusuke Suzuki.
2411
2412         * disassembler/ARMv7/ARMv7DOpcode.h:
2413         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
2414         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):
2415
2416 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2417
2418         ARM: Support vstr in disassembler
2419         https://bugs.webkit.org/show_bug.cgi?id=184084
2420
2421         Reviewed by Yusuke Suzuki.
2422
2423         * disassembler/ARMv7/ARMv7DOpcode.cpp:
2424         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format):
2425         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted.
2426         * disassembler/ARMv7/ARMv7DOpcode.h:
2427         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName):
2428         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted.
2429         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted.
2430         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted.
2431         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted.
2432         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted.
2433         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted.
2434
2435 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2436
2437         Invoke ensureArrayStorage for all arguments
2438         https://bugs.webkit.org/show_bug.cgi?id=185247
2439
2440         Reviewed by Yusuke Suzuki.
2441
2442         ensureArrayStorage was only invoked for the first argument in each loop iteration.
2443
2444         * jsc.cpp:
2445         (functionEnsureArrayStorage):
2446
2447 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
2448
2449         Make it easy to log compile times for all optimizing tiers
2450         https://bugs.webkit.org/show_bug.cgi?id=185270
2451
2452         Reviewed by Keith Miller.
2453         
2454         This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common
2455         helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used
2456         it.
2457         
2458         This should help us reduce compile times by telling us where to look. So far, it looks like
2459         CFA is the worst.
2460
2461         * JavaScriptCore.xcodeproj/project.pbxproj:
2462         * Sources.txt:
2463         * b3/B3Common.cpp:
2464         (JSC::B3::shouldMeasurePhaseTiming): Deleted.
2465         * b3/B3Common.h:
2466         * b3/B3TimingScope.cpp: Removed.
2467         * b3/B3TimingScope.h:
2468         (JSC::B3::TimingScope::TimingScope):
2469         * dfg/DFGPhase.h:
2470         (JSC::DFG::runAndLog):
2471         * dfg/DFGPlan.cpp:
2472         (JSC::DFG::Plan::compileInThread):
2473         * tools/CompilerTimingScope.cpp: Added.
2474         (JSC::CompilerTimingScope::CompilerTimingScope):
2475         (JSC::CompilerTimingScope::~CompilerTimingScope):
2476         * tools/CompilerTimingScope.h: Added.
2477         * runtime/Options.cpp:
2478         (JSC::recomputeDependentOptions):
2479         * runtime/Options.h:
2480
2481 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
2482
2483         Strings should not be allocated in a gigacage
2484         https://bugs.webkit.org/show_bug.cgi?id=185218
2485
2486         Reviewed by Saam Barati.
2487
2488         * runtime/JSBigInt.cpp:
2489         (JSC::JSBigInt::toStringGeneric):
2490         * runtime/JSString.cpp:
2491         (JSC::JSRopeString::resolveRopeToAtomicString const):
2492         (JSC::JSRopeString::resolveRope const):
2493         * runtime/JSString.h:
2494         (JSC::JSString::create):
2495         (JSC::JSString::createHasOtherOwner):
2496         * runtime/VM.h:
2497         (JSC::VM::gigacageAuxiliarySpace):
2498
2499 2018-05-03  Keith Miller  <keith_miller@apple.com>
2500
2501         Unreviewed, fix 32-bit profile offset for change in bytecode
2502         length of the get_by_id and get_array_length opcodes.
2503
2504         * llint/LowLevelInterpreter32_64.asm:
2505
2506 2018-05-03  Michael Saboff  <msaboff@apple.com>
2507
2508         WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript
2509         https://bugs.webkit.org/show_bug.cgi?id=185231
2510
2511         Reviewed by Saam Barati.
2512
2513         We weren't clearing the scratch register cache when switching back and forth between 
2514         allowing scratch register usage.  We disallow scratch register usage when we are in
2515         code that will freely allocate and use any register.  Such usage can change the
2516         contents of scratch registers.  For ARM64, where we cache the contents of scratch
2517         registers to reuse some or all of the contained values, we need to invalidate these
2518         caches.  We do this when re-enabling scratch register usage, that is when we transition
2519         from disallow to allow scratch register usage.
2520
2521         Added a new Air regression test.
2522
2523         * assembler/AllowMacroScratchRegisterUsage.h:
2524         (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage):
2525         * assembler/AllowMacroScratchRegisterUsageIf.h:
2526         (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
2527         * assembler/DisallowMacroScratchRegisterUsage.h:
2528         (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage):
2529         * b3/air/testair.cpp:
2530
2531 2018-05-03  Keith Miller  <keith_miller@apple.com>
2532
2533         Remove the prototype caching for get_by_id in the LLInt
2534         https://bugs.webkit.org/show_bug.cgi?id=185226
2535
2536         Reviewed by Michael Saboff.
2537
2538         There is no evidence that this is actually a speedup and we keep
2539         getting bugs with it. At this point it seems like we should just
2540         remove this code.
2541
2542         * CMakeLists.txt:
2543         * JavaScriptCore.xcodeproj/project.pbxproj:
2544         * Sources.txt:
2545         * bytecode/BytecodeDumper.cpp:
2546         (JSC::BytecodeDumper<Block>::printGetByIdOp):
2547         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
2548         (JSC::BytecodeDumper<Block>::dumpBytecode):
2549         * bytecode/BytecodeList.json:
2550         * bytecode/BytecodeUseDef.h:
2551         (JSC::computeUsesForBytecodeOffset):
2552         (JSC::computeDefsForBytecodeOffset):
2553         * bytecode/CodeBlock.cpp:
2554         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2555         * bytecode/CodeBlock.h:
2556         (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
2557         * bytecode/GetByIdStatus.cpp:
2558         (JSC::GetByIdStatus::computeFromLLInt):
2559         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
2560         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
2561         * bytecompiler/BytecodeGenerator.cpp:
2562         (JSC::BytecodeGenerator::emitGetById):
2563         * dfg/DFGByteCodeParser.cpp:
2564         (JSC::DFG::ByteCodeParser::parseBlock):
2565         * dfg/DFGCapabilities.cpp:
2566         (JSC::DFG::capabilityLevel):
2567         * jit/JIT.cpp:
2568         (JSC::JIT::privateCompileMainPass):
2569         (JSC::JIT::privateCompileSlowCases):
2570         * llint/LLIntSlowPaths.cpp:
2571         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2572         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
2573         * llint/LowLevelInterpreter32_64.asm:
2574         * llint/LowLevelInterpreter64.asm:
2575         * runtime/Options.h:
2576
2577 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
2578
2579         Unreviewed, rolling out r231197.
2580
2581         The test added with this change crashes on the 32-bit JSC bot.
2582
2583         Reverted changeset:
2584
2585         "Correctly detect string overflow when using the 'Function'
2586         constructor"
2587         https://bugs.webkit.org/show_bug.cgi?id=184883
2588         https://trac.webkit.org/changeset/231197
2589
2590 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2591
2592         Disable usage of fused multiply-add instructions for JSC with compiler flag
2593         https://bugs.webkit.org/show_bug.cgi?id=184909
2594
2595         Reviewed by Yusuke Suzuki.
2596
2597         Adds -ffp-contract as a compiler flag for building JSC. This ensures that functions
2598         like parseInt() do not return slightly different results depending on whether the
2599         compiler was able to use fused multiply-add instructions or not.
2600
2601         * CMakeLists.txt:
2602
2603 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2604
2605         Unreviewed, fix build failure in ARM, ARMv7 and MIPS
2606         https://bugs.webkit.org/show_bug.cgi?id=185192
2607
2608         compareDouble relies on the MacroAssembler::invert function.
2609
2610         * assembler/MacroAssembler.h:
2611         (JSC::MacroAssembler::compareDouble):
2612         * assembler/MacroAssemblerARM.h:
2613         (JSC::MacroAssemblerARM::compareDouble): Deleted.
2614         * assembler/MacroAssemblerARMv7.h:
2615         (JSC::MacroAssemblerARMv7::compareDouble): Deleted.
2616         * assembler/MacroAssemblerMIPS.h:
2617         (JSC::MacroAssemblerMIPS::compareDouble): Deleted.
2618
2619 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2620
2621         [JSC] Add MacroAssembler::and16 and store16
2622         https://bugs.webkit.org/show_bug.cgi?id=185188
2623
2624         Reviewed by Mark Lam.
2625
2626         r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations.
2627         This patch adds these methods for ARM.
2628
2629         * assembler/MacroAssemblerARM.h:
2630         (JSC::MacroAssemblerARM::and16):
2631         (JSC::MacroAssemblerARM::store16):
2632
2633 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2634
2635         [DFG] Unify compare related code in 32bit and 64bit
2636         https://bugs.webkit.org/show_bug.cgi?id=185189
2637
2638         Reviewed by Mark Lam.
2639
2640         This patch unifies some parts of the compare-related code in 32-bit and 64-bit
2641         to reduce the size of the 32-bit-specific DFG code.
2642
2643         * dfg/DFGSpeculativeJIT.cpp:
2644         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
2645         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
2646         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2647         * dfg/DFGSpeculativeJIT32_64.cpp:
2648         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
2649         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
2650         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
2651         * dfg/DFGSpeculativeJIT64.cpp:
2652         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
2653         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
2654         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
2655
2656 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2657
2658         [JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64
2659         https://bugs.webkit.org/show_bug.cgi?id=185192
2660
2661         Reviewed by Mark Lam.
2662
2663         Now Object.is starts using compareDouble. So we would like to have an
2664         efficient implementation of compareDouble and compareFloat for the
2665         major architectures, ARM64, X86, and X86_64.
2666
2667         This patch adds compareDouble and compareFloat implementations for
2668         these architectures. And the generic implementation is moved to each
2669         architecture's MacroAssembler implementation.
2670
2671         We also add tests for them in testmasm. To implement this test
2672         easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the
2673         major architectures.
2674
2675         * assembler/MacroAssembler.h:
2676         (JSC::MacroAssembler::compareDouble): Deleted.
2677         (JSC::MacroAssembler::compareFloat): Deleted.
2678         * assembler/MacroAssemblerARM.h:
2679         (JSC::MacroAssemblerARM::compareDouble):
2680         * assembler/MacroAssemblerARM64.h:
2681         (JSC::MacroAssemblerARM64::compareDouble):
2682         (JSC::MacroAssemblerARM64::compareFloat):
2683         (JSC::MacroAssemblerARM64::loadFloat):
2684         (JSC::MacroAssemblerARM64::floatingPointCompare):
2685         * assembler/MacroAssemblerARMv7.h:
2686         (JSC::MacroAssemblerARMv7::compareDouble):
2687         * assembler/MacroAssemblerMIPS.h:
2688         (JSC::MacroAssemblerMIPS::compareDouble):
2689         * assembler/MacroAssemblerX86Common.h:
2690         (JSC::MacroAssemblerX86Common::loadFloat):
        (JSC::MacroAssemblerX86Common::compareDouble):
        (JSC::MacroAssemblerX86Common::compareFloat):
        (JSC::MacroAssemblerX86Common::floatingPointCompare):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movss_mr):
        (JSC::X86Assembler::movss_rm):
        * assembler/testmasm.cpp:
        (JSC::floatOperands):
        (JSC::testCompareFloat):
        (JSC::run):

2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix 32bit DFG code
        https://bugs.webkit.org/show_bug.cgi?id=185065

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSameValue):

2018-05-02  Filip Pizlo  <fpizlo@apple.com>

        JSC should know how to cache custom getter accesses on the prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=185213

        Reviewed by Keith Miller.

        This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2018-05-01  Filip Pizlo  <fpizlo@apple.com>

        JSC should be able to cache custom setter calls on the prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=185174

        Reviewed by Saam Barati.

        We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty()
        condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add
        impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead
        of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for
        custom accessors because it won't find the custom property in the structure.

        The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty().

        This is a 4x speed-up on assign-custom-setter.js.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::hasAlternateBase const):
        (JSC::AccessCase::alternateBase const):
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCase.h:
        (JSC::AccessCase::alternateBase const): Deleted.
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::hasAlternateBase const):
        (JSC::GetterSetterAccessCase::alternateBase const):
        * bytecode/GetterSetterAccessCase.h:
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForPrototypePropertyHitCustom):
        * bytecode/ObjectPropertyConditionSet.h:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):

2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Implement and16 and store16 for MacroAssemblerMIPS
        https://bugs.webkit.org/show_bug.cgi?id=185195

        Reviewed by Mark Lam.

        This implements the given functions for MIPS, such that it builds again.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::and16):
        (JSC::MacroAssemblerMIPS::store16):

2018-05-02  Rick Waldron  <waldron.rick@gmail.com>

        Expose "$262.agent.monotonicNow()" for use in testing Atomic operation timeouts
        https://bugs.webkit.org/show_bug.cgi?id=185043

        Reviewed by Filip Pizlo.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDollarAgentMonotonicNow):

2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Implement and16 and store16 for MacroAssemblerARMv7
        https://bugs.webkit.org/show_bug.cgi?id=185196

        Reviewed by Mark Lam.

        This implements and16 and store16 for MacroAssemblerARMv7 such that JSC builds again.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::and16):
        (JSC::MacroAssemblerARMv7::store16):

2018-05-02  Robin Morisset  <rmorisset@apple.com>

        emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
        https://bugs.webkit.org/show_bug.cgi?id=183172

        Reviewed by Filip Pizlo.

        DFGArgumentsEliminationPhase.cpp currently believes that allocations of NewArrayWithSpread can be deleted if they are only used by GetArrayLength,
        but when it then calls emitCodeToGetArgumentsArrayLength, the latter has no idea what to do with GetArrayLength.

        I fix the problem by teaching emitCodeToGetArgumentsArrayLength how to deal with GetArrayLength.
        Because this requires emitting an Add that can overflow and thus exit, we also tell DFGArgumentsEliminationPhase to give up on eliminating
        a NewArrayWithSpread when it is used by a GetArrayLength that is not allowed to exit.

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArgumentsUtilities.cpp:
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):

2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, stackPointer signature is different from declaration
        https://bugs.webkit.org/show_bug.cgi?id=184790

        * runtime/MachineContext.h:
        (JSC::MachineContext::stackPointer):

2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add SameValue DFG node
        https://bugs.webkit.org/show_bug.cgi?id=185065

        Reviewed by Saam Barati.

        This patch adds Object.is handling in DFG and FTL. Object.is is converted to a SameValue DFG node.
        And the DFG fixup phase attempts to convert the SameValue node to CompareStrictEq with type filter edges
        if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics
        from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have
        implementations for these SameValue nodes.

        The old MacroAssemblerX86Common::compareDouble was dead code, since the derived class "MacroAssembler"
        has a generalized compareDouble which just uses branchDouble. Since this was not used, this function
        was broken. This patch fixes the issues and moves compareDouble to MacroAssemblerX86Common, and removes the
        generalized compareDouble for the x86 arch to use this specialized efficient version instead. The fixes are
        correctly using set32 to zero-extend the result, and setting the initial value of the `dest` register
        correctly for the DoubleEqual and DoubleNotEqualOrUnordered cases.

        The added microbenchmark shows a performance improvement.

            object-is           651.0053+-38.8204    ^    241.3467+-15.8753       ^ definitely 2.6974x faster

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::compareDouble):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::compareDouble): Deleted.
        * assembler/testmasm.cpp:
        (JSC::doubleOperands):
        (JSC::testCompareDouble):
        (JSC::run):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSameValue):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/ObjectConstructor.cpp:

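        The semantic gap that the SameValue entry above relies on, as an added illustration that is not JavaScriptCore's DFG code: the two double comparisons show where Object.is and === disagree (NaN and signed zero), and a small fixup-style decision function models why SameValue(Double, Double) and SameValue(Untyped, Untyped) must not be lowered to CompareStrictEq. The OperandKind enum, the function names and the conservative handling of mixed kinds are assumptions made for the example.

```cpp
// Added example (not JavaScriptCore code): why SameValue(Double, Double)
// cannot be lowered to CompareStrictEq, and a model of the fixup decision.
#include <cmath>
#include <cstdio>

// === on two doubles: NaN is never equal to anything, and +0 equals -0.
static bool strictEqDouble(double a, double b)
{
    return a == b;
}

// Object.is on two doubles: NaN is SameValue to NaN, +0 is not SameValue to -0.
static bool sameValueDouble(double a, double b)
{
    if (std::isnan(a) && std::isnan(b))
        return true;
    if (a == 0.0 && b == 0.0)
        return std::signbit(a) == std::signbit(b);
    return a == b;
}

// Speculated kinds of a node's operands. This small set is an assumption for
// the example, not the DFG's actual SpeculatedType lattice.
enum class OperandKind { Untyped, Double, Int32, Boolean, Object, Symbol };

// Fixup decision: SameValue may become CompareStrictEq only when both operands
// are filtered to the same kind on which === and Object.is agree. The two pairs
// the entry names (Untyped/Untyped and Double/Double) must stay SameValue.
// Mixed kinds are also left as SameValue here, a conservative choice for the example.
static bool canLowerSameValueToStrictEq(OperandKind a, OperandKind b)
{
    if (a != b)
        return false;
    return a != OperandKind::Untyped && a != OperandKind::Double;
}

int main()
{
    std::printf("NaN === NaN: %d, Object.is(NaN, NaN): %d\n", strictEqDouble(NAN, NAN), sameValueDouble(NAN, NAN));
    std::printf("+0 === -0: %d, Object.is(+0, -0): %d\n", strictEqDouble(0.0, -0.0), sameValueDouble(0.0, -0.0));
    std::printf("lower Int32/Int32: %d, Double/Double: %d\n",
        canLowerSameValueToStrictEq(OperandKind::Int32, OperandKind::Int32),
        canLowerSameValueToStrictEq(OperandKind::Double, OperandKind::Double));
    return 0;
}
```

        Int32, Boolean, Object and Symbol operands carry no NaN and no signed zero, so the cheaper strict-equality comparison is observably identical for them; for doubles or untyped values it is not, which is exactly the case the entry keeps as a dedicated SameValue node.
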
2018-04-30  Filip Pizlo  <fpizlo@apple.com>

        B3::demoteValues should be able to handle patchpoint terminals
        https://bugs.webkit.org/show_bug.cgi?id=185151

        Reviewed by Saam Barati.

        If we try to demote a patchpoint terminal then prior to this change we would append a Set to
        the basic block that the patchpoint terminated. That's wrong because then the terminal is no
        longer the last thing in the block.

        Air encounters this problem in spilling and solves it by doing a fixup afterwards. We can't
        really do that because demotion happens as a prerequisite to other transformations.

        One solution might have been to make demoteValues insert a basic block whenever it encounters
        this problem. But that would break clients that do CFG analysis before demoteValues and use
        the results of the CFG analysis after demoteValues. Taildup does this. Fortunately, taildup
        also runs breakCriticalEdges. Probably anyone using demoteValues will use breakCriticalEdges,
        so it's not bad to introduce that requirement.

        So, this patch solves the problem by ensuring that breakCriticalEdges treats any patchpoint
        terminal as if it had multiple successors. This means that a patchpoint terminal's successors
        will only have it as their predecessor. Then, demoteValues just prepends the Set to the
        successors of the patchpoint terminal.

        This was probably asymptomatic. It's hard to write a JS test that triggers this, so I added
        a unit test in testb3.

        * b3/B3BreakCriticalEdges.cpp:
        (JSC::B3::breakCriticalEdges):
        * b3/B3BreakCriticalEdges.h:
        * b3/B3FixSSA.cpp:
        (JSC::B3::demoteValues):
        (JSC::B3::fixSSA):
        * b3/B3FixSSA.h:
        * b3/B3Value.cpp:
        (JSC::B3::Value::foldIdentity const):
        (JSC::B3::Value::performSubstitution):
        * b3/B3Value.h:
        * b3/testb3.cpp:
        (JSC::B3::testDemotePatchpointTerminal):
        (JSC::B3::run):

2018-05-01  Robin Morisset  <rmorisset@apple.com>

        Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
        https://bugs.webkit.org/show_bug.cgi?id=184772
        <rdar://problem/39146327>

        Reviewed by Filip Pizlo.

        Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399>), where a check was missing.
        This patch now makes sure that the check correctly detects if there is an integer overflow.

        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountWithAnyIndexingType):

2018-05-01  Robin Morisset  <rmorisset@apple.com>

        Correctly detect string overflow when using the 'Function' constructor
        https://bugs.webkit.org/show_bug.cgi?id=184883
        <rdar://problem/36320331>

        Reviewed by Filip Pizlo.

        The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation.
        Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case.

        I added new tryAppend methods alongside the old append methods, that return a boolean (true means success, false means an overflow happened).
        In this way, it becomes possible for the Function constructor to just throw a proper JS exception when asked to create a string > 4GB.
        I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):

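        The two overflow fixes above (checked length arithmetic in unshiftCountWithAnyIndexingType, and tryAppend in the Function constructor) share one pattern: compute the new size with a check that reports failure through its return value, and let the caller decide between an exception and an abort. The following is an added illustration of that pattern, not JavaScriptCore or WTF code; the helper names, the BoundedStringBuilder class, the function source layout and the configurable length limit are assumptions made for the example.

```cpp
// Added example (not JavaScriptCore or WTF code): overflow-checked length
// arithmetic and a tryAppend-style builder that reports overflow instead of
// crashing. Names, layout and limits are assumptions made for the example.
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>
#include <string>
#include <string_view>

// Checked unsigned 32-bit add, in the spirit of a CheckedArithmetic type:
// wraparound is reported through the return value and *out is left untouched,
// so a caller can never consume a wrapped length by accident.
static bool checkedAddU32(uint32_t a, uint32_t b, uint32_t* out)
{
    if (std::numeric_limits<uint32_t>::max() - a < b)
        return false;
    *out = a + b;
    return true;
}

// Unshift-style length computation: inserting `count` elements in front of an
// array of `length` elements gives `length + count`. An unchecked add wraps,
// and any allocation or copy sized from the wrapped value is then too small.
static std::optional<uint32_t> unshiftedLength(uint32_t length, uint32_t count)
{
    uint32_t newLength;
    if (!checkedAddU32(length, count, &newLength))
        return std::nullopt;
    return newLength;
}

// String builder whose tryAppend refuses (returning false and leaving the
// buffer unchanged) any append that would push the total past maxLength.
// The default models a 32-bit length limit; a test can pass a small limit so
// the overflow path is reachable without building gigabytes of text.
class BoundedStringBuilder {
public:
    explicit BoundedStringBuilder(uint32_t maxLength = std::numeric_limits<uint32_t>::max())
        : m_maxLength(maxLength) { }

    bool tryAppend(std::string_view piece)
    {
        // Invariant: m_buffer.size() <= m_maxLength, so the subtraction cannot underflow.
        if (piece.size() > m_maxLength - m_buffer.size())
            return false;
        m_buffer.append(piece);
        return true;
    }

    const std::string& string() const { return m_buffer; }

private:
    std::string m_buffer;
    uint32_t m_maxLength;
};

// Assembles the source text of a dynamically created function from its
// parameter list and body (the text layout is an assumption for this example).
// Every append is checked, so oversized input yields nullopt, which a caller
// can turn into a thrown exception instead of a process abort.
static std::optional<std::string> buildFunctionSource(std::string_view params, std::string_view body,
    uint32_t maxLength = std::numeric_limits<uint32_t>::max())
{
    BoundedStringBuilder builder(maxLength);
    if (!builder.tryAppend("function anonymous(") || !builder.tryAppend(params)
        || !builder.tryAppend("\n) {\n") || !builder.tryAppend(body) || !builder.tryAppend("\n}"))
        return std::nullopt;
    return builder.string();
}

// Exercises the builder at a tiny limit: a refused append leaves the buffer
// untouched, so a later, smaller append still fits. Returns the final contents.
static std::string builderSequence(uint32_t maxLength)
{
    BoundedStringBuilder builder(maxLength);
    builder.tryAppend("abc");
    if (builder.tryAppend("def")) // with limit 5 this append must be refused
        return "unexpected";
    builder.tryAppend("de");
    return builder.string();
}

int main()
{
    std::printf("unshift 10+5 -> %u\n", unshiftedLength(10, 5).value());
    std::printf("unshift max+1 overflows -> %d\n", !unshiftedLength(std::numeric_limits<uint32_t>::max(), 1).has_value());
    std::printf("limit 16 refuses function source -> %d\n", !buildFunctionSource("a", "return a;", 16).has_value());
    std::printf("builderSequence(5) -> %s\n", builderSequence(5).c_str());
    return 0;
}
```

        Keeping the old hard-failing append alongside the new tryAppend, as the entry describes, matters for the same reason the builder leaves its buffer untouched on refusal: callers that never expected a partial result keep their crash-on-overflow contract, while the one caller that can recover (the Function constructor) gets a clean failure signal to turn into an exception.
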
2018-05-01  Robin Morisset  <rmorisset@apple.com>

        IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
        https://bugs.webkit.org/show_bug.cgi?id=185162

        Reviewed by Filip Pizlo.

        * runtime/IntlObject.cpp:
        (JSC::removeUnicodeLocaleExtension):

2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>

        Add SetCallee as DFG-Operation
        https://bugs.webkit.org/show_bug.cgi?id=184582

        Reviewed by Filip Pizlo.

        For recursive tail calls not only the argument count can change but also the
        callee. Add SetCallee to DFG that sets the callee slot in the current call frame.
        Also update the callee when optimizing a recursive tail call.
        Enable recursive tail call optimization also for closures.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::handleCallVariant):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetCallee):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):

2018-05-01  Oleksandr Skachkov  <gskachkov@gmail.com>

        WebAssembly: add support for stream APIs - JavaScript API
        https://bugs.webkit.org/show_bug.cgi?id=183442

        Reviewed by Yusuke Suzuki and JF Bastien.

        Add the WebAssembly stream API. The current patch only adds the functions
        WebAssembly.compileStreaming and WebAssembly.instantiateStreaming, but
        does not add a streaming implementation. So in the current version it
        only waits to load the whole module, then starts to parse.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinNames.h:
        * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
        (compileStreaming):
        (instantiateStreaming):
        * jsc.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        * runtime/Options.h:
        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::hasPendingPromise):
        (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
        * runtime/PromiseDeferredTimer.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyModuleValidateAsyncInternal):
        (JSC::webAssemblyCompileFunc):
        (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
        (JSC::webAssemblyModuleInstantinateAsyncInternal):
        (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
        (JSC::webAssemblyCompileStreamingInternal):
        (JSC::webAssemblyInstantiateStreamingInternal):
        (JSC::WebAssemblyPrototype::create):
        (JSC::WebAssemblyPrototype::finishCreation):
        * wasm/js/WebAssemblyPrototype.h:

2018-04-30  Saam Barati  <sbarati@apple.com>

        ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=185149
        <rdar://problem/39455917>

        Reviewed by Filip Pizlo.

        The bug was that we were deleting checks that we shouldn't have deleted.
        This patch makes a helper inside strength reduction that converts to
        a LazyJSConstant while maintaining checks, and switches users of the
        node API inside strength reduction to instead call the helper function.

        This patch also fixes a potential bug where StringReplace and
        StringReplaceRegExp may not preserve all their checks.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):

2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        LICM shouldn't hoist nodes if hoisted nodes exited in that code block
        https://bugs.webkit.org/show_bug.cgi?id=185126

        Reviewed by Saam Barati.

        This change is just restoring functionality that we've already had for a while. It had been
        accidentally broken due to an unrelated CodeBlock refactoring.

        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):

2018-04-30  Mark Lam  <mark.lam@apple.com>

        Apply PtrTags to the MetaAllocator and friends.
        https://bugs.webkit.org/show_bug.cgi?id=185110
        <rdar://problem/39533895>

        Reviewed by Saam Barati.

        1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
        2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
           and add a sanity check to verify that allocated code buffers are within those
           bounds.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::debugAddress):
        (JSC::LinkBuffer::code):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        (JSC::InlineAccess::rewireStubAsJump):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::findPC):
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        (JSC::ExecutableAllocator::allocate):
        * jit/ExecutableAllocator.h:
        (JSC::isJITPC):
        (JSC::performJITMemcpy):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITMathIC.h:
        (JSC::isProfileEmpty):
        * runtime/JSCPtrTag.h:
        * wasm/WasmCallee.cpp:
        (JSC::Wasm::Callee::Callee):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Move the MayBePrototype JSCell header bit to InlineTypeFlags
        https://bugs.webkit.org/show_bug.cgi?id=185143

        Reviewed by Mark Lam.

        * runtime/IndexingType.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        (JSC::JSCell::mayBePrototype const):
        (JSC::JSCell::didBecomePrototype):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::mayBePrototype):
        (JSC::TypeInfo::mergeInlineTypeFlags):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Remove unneeded exception check from String.fromCharCode
        https://bugs.webkit.org/show_bug.cgi?id=185083

        Reviewed by Mark Lam.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Move StructureIsImmortal to out of line flags.
        https://bugs.webkit.org/show_bug.cgi?id=185101

        Reviewed by Saam Barati.

        This will free up a bit in the inline flags where we can move the
        isPrototype bit to. This will, in turn, free a bit for use in
        implementing copy on write butterflies.

        Also, this patch removes an assertion from Structure::typeInfo()
        that inadvertently makes the function invalid to call while
        cleaning up the vm.

        * heap/HeapCellType.cpp:
        (JSC::DefaultDestroyFunc::operator() const):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::callDestructor): Deleted.
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::hasStaticPropertyTable):
        (JSC::TypeInfo::structureIsImmortal const):
        * runtime/Structure.h:

2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove arity fixup check if the number of parameters is 1
        https://bugs.webkit.org/show_bug.cgi?id=183984

        Reviewed by Mark Lam.

        If the number of parameters is one (|this|), we never hit the arity fixup check.
        We do not need to emit the arity fixup check code.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):

2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use WordLock instead of std::mutex for Threading
        https://bugs.webkit.org/show_bug.cgi?id=185121

        Reviewed by Geoffrey Garen.

        ThreadGroup starts using WordLock.

        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::getLock):

2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        B3 should run tail duplication at the bitter end
        https://bugs.webkit.org/show_bug.cgi?id=185123

        Reviewed by Geoffrey Garen.

        Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
        everywhere else.

        The goal of this change is to allow us to run path specialization after switch lowering but
        before tail duplication.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * runtime/Options.h:

2018-04-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231137.
        https://bugs.webkit.org/show_bug.cgi?id=185118

        It is breaking Test262 language/expressions/multiplication
        /order-of-evaluation.js (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231137

2018-04-28  Saam Barati  <sbarati@apple.com>

        We don't model regexp effects properly
        https://bugs.webkit.org/show_bug.cgi?id=185059
        <rdar://problem/39736150>

        Reviewed by Filip Pizlo.

        RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if
        the regexp is global.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-04-28  Rick Waldron  <waldron.rick@gmail.com>

        Token misspelled "tocken" in error message string
        https://bugs.webkit.org/show_bug.cgi?id=185030

        Reviewed by Saam Barati.

        * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::parseSourceElements):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseVariableDeclaration):
        (JSC::Parser<LexerType>::parseWhileStatement):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
        (JSC::Parser<LexerType>::parseObjectRestElement):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseBreakStatement):
        (JSC::Parser<LexerType>::parseContinueStatement):
        (JSC::Parser<LexerType>::parseThrowStatement):
        (JSC::Parser<LexerType>::parseWithStatement):
        (JSC::Parser<LexerType>::parseSwitchStatement):
        (JSC::Parser<LexerType>::parseSwitchClauses):
        (JSC::Parser<LexerType>::parseTryStatement):
        (JSC::Parser<LexerType>::parseBlockStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
        (JSC::Parser<LexerType>::parseExpressionStatement):
        (JSC::Parser<LexerType>::parseIfStatement):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseConditionalExpression):
        (JSC::Parser<LexerType>::parseBinaryExpression):
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral):
        (JSC::Parser<LexerType>::parseArrayLiteral):
        (JSC::Parser<LexerType>::parseArguments):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::operatorString):
        (JSC::Parser<LexerType>::parseUnaryExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):

2018-04-28  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in the
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned when there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::jsMul):

2018-04-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231131.
        https://bugs.webkit.org/show_bug.cgi?id=185112

        It is breaking Debug build due to unchecked exception
        (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231131

2018-04-27  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in the
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned when there are no negative values for
        variables.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp: