There is no good reason for WeakBlock to care about newly allocated objects
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-09-14  Filip Pizlo  <fpizlo@apple.com>
2
3         There is no good reason for WeakBlock to care about newly allocated objects
4         https://bugs.webkit.org/show_bug.cgi?id=162006
5
6         Reviewed by Geoffrey Garen.
7
8         WeakBlock scans itself in two modes:
9
10         visit: if a Weak in the block belongs to an unmarked object, ask the Weak to consider whether
11             it should do things.
12         
13         reap: if a Weak in a block belongs to an unmarked object, delete the Weak.
14
15         Except that "unmarked" has a peculiar meaning: WeakBlock defines it as
16         !markedOrNewlyAllocated. So, a newly allocated object will never be consulted about anything. 
17         That sounds scary until you realize that newlyAllocated must have been cleared before we even
18         got here.
19
20         So, we were paying the price of checking newlyAllocated for no reason. This switches the code
21         to using isMarked(). I don't know why the code previously checked newlyAllocated, but I do
22         trust my reasoning.
23
24         * heap/LargeAllocation.h:
25         (JSC::LargeAllocation::isMarkedDuringWeakVisiting):
26         (JSC::LargeAllocation::isMarkedOrNewlyAllocatedDuringWeakVisiting): Deleted.
27         * heap/MarkedBlock.h:
28         (JSC::MarkedBlock::isMarkedDuringWeakVisiting):
29         (JSC::MarkedBlock::isMarkedOrNewlyAllocatedDuringWeakVisiting): Deleted.
30         * heap/WeakBlock.cpp:
31         (JSC::WeakBlock::specializedVisit):
32         (JSC::WeakBlock::reap):
33
34 2016-09-15  Commit Queue  <commit-queue@webkit.org>
35
36         Unreviewed, rolling out r205931.
37         https://bugs.webkit.org/show_bug.cgi?id=162021
38
39         Tests for this change fail on 32-bit JSC bots (Requested by
40         ryanhaddad on #webkit).
41
42         Reverted changeset:
43
44         "[JSC] Make the rounding-related nodes support any type"
45         https://bugs.webkit.org/show_bug.cgi?id=161895
46         http://trac.webkit.org/changeset/205931
47
48 2016-09-15  Joseph Pecoraro  <pecoraro@apple.com>
49
50         test262: Should be a SyntaxError for duplicate parameter names in function with default parameters
51         https://bugs.webkit.org/show_bug.cgi?id=162013
52
53         Reviewed by Saam Barati.
54
55         https://tc39.github.io/ecma262/#sec-function-definitions-static-semantics-early-errors
56         It is a Syntax Error if IsSimpleParameterList of FormalParameterList is
57         false and BoundNames of FormalParameterList contains any duplicate elements.
58
59         Non-simple parameter lists include rest parameters, destructuring,
60         and default parameters.
61
62         * parser/Parser.cpp:
63         (JSC::Parser<LexerType>::parseFormalParameters):
64         Previously, we were not failing if there were default parameters
65         early in the parameter list that were not yet identified as duplicates
66         and simple parameters later were duplicates. Now, we fail if there
67         are default parameters anywhere in the parameter list with a duplicate.
68
69 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
70
71         ASSERT_NOT_REACHED when using spread inside an array literal with Function.prototype.apply
72         https://bugs.webkit.org/show_bug.cgi?id=162003
73
74         Reviewed by Saam Barati.
75
76         * bytecompiler/NodesCodegen.cpp:
77         (JSC::ArrayNode::isSimpleArray):
78         Don't treat an Array that has a spread expression inside it as simple.
79         This avoids a fast path for f.apply(x, simpleArray) that was not handling
80         spread expressions within arrays, and instead taking a path that can
81         handle the spreading.
82
83 2016-09-14  Commit Queue  <commit-queue@webkit.org>
84
85         Unreviewed, rolling out r205933 and r205936.
86         https://bugs.webkit.org/show_bug.cgi?id=162002
87
88         broke the build (Requested by keith_miller on #webkit).
89
90         Reverted changesets:
91
92         "Pragma out undefined-var-template warnings in JSC for
93         JSObjects that are templatized"
94         https://bugs.webkit.org/show_bug.cgi?id=161985
95         http://trac.webkit.org/changeset/205933
96
97         "Unreviewed, fix the Windows build."
98         http://trac.webkit.org/changeset/205936
99
100 2016-09-14  Chris Dumez  <cdumez@apple.com>
101
102         REGRESSION (r205670): ASSERTION FAILED: methodTable(vm)->toThis(this, exec, NotStrictMode) == this
103         https://bugs.webkit.org/show_bug.cgi?id=161982
104
105         Reviewed by Saam Barati.
106
107         Update JSProxy::setPrototype() to return false unconditionally instead
108         of forwarding the call to its target. We used to forward to the target
109         and then the JSDOMWindow's [[SetPrototypeOf]] would return false.
110         However, the JSC tests use a different GlobalObject and forwarding
111         the setPrototypeOf() call to the GlobalObject lead to hitting an
112         assertion. This patch aligns the behavior of the GlobalObject used by
113         the JSC tests with JSDOMWindow.
114
115         * runtime/JSProxy.cpp:
116         (JSC::JSProxy::setPrototype):
117
118 2016-09-14  Michael Saboff  <msaboff@apple.com>
119
120         YARR doesn't check for invalid flags for literal regular expressions
121         https://bugs.webkit.org/show_bug.cgi?id=161995
122
123         Reviewed by Mark Lam.
124
125         Added a new error and a check that the flags are valid when we create a
126         literal regular expression.
127
128         * runtime/RegExp.cpp:
129         (JSC::RegExp::finishCreation):
130         * yarr/YarrPattern.cpp:
131         (JSC::Yarr::YarrPattern::errorMessage):
132         (JSC::Yarr::YarrPattern::compile):
133         * yarr/YarrPattern.h:
134
135 2016-09-14  Keith Miller  <keith_miller@apple.com>
136
137         Unreviewed, fix the Windows build.
138
139         * runtime/HashMapImpl.cpp:
140
141 2016-09-14  Keith Miller  <keith_miller@apple.com>
142
143         Pragma out undefined-var-template warnings in JSC for JSObjects that are templatized
144         https://bugs.webkit.org/show_bug.cgi?id=161985
145
146         Reviewed by Geoffrey Garen.
147
148         I started a true fix for this in
149         https://bugs.webkit.org/show_bug.cgi?id=161979, however the fix
150         for this issue is not sustainable. Since the scope of this issue
151         is just limited to the static const ClassInfo member it is
152         simpler to just pragma out this warning. This works because
153         COMDAT will, AFAIK, pick the actual specialization.  If, in the
154         future, we want to expose these classes to WebCore we will need to
155         do what we do for JSGenericTypedArrayViews and create a custom
156         info() function with a switch.
157
158         This patch also fixes a bunch of weak external symbols due to one of:
159         1) out of line template member definitions functions not being marked inline.
160         2) inline member functions definitions being marked as exported.
161         3) missing header file includes for forward function declarations.
162
163         * API/JSCallbackObject.h:
164         * b3/B3ValueInlines.h:
165         (JSC::B3::Value::as):
166         * runtime/HashMapImpl.h:
167         * runtime/JSCJSValue.h:
168         (JSC::toUInt32): Deleted.
169         * runtime/JSGenericTypedArrayView.h:
170         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
171         * runtime/JSGenericTypedArrayViewConstructor.h:
172         * runtime/JSGenericTypedArrayViewPrototype.h:
173         * runtime/MathCommon.h:
174         (JSC::toUInt32):
175         * runtime/TypedArrayAdaptors.h:
176         * runtime/VM.h:
177         (JSC::VM::watchdog):
178         (JSC::VM::heapProfiler):
179         (JSC::VM::samplingProfiler):
180
181 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
182
183         test262: TypedArray constructors length should be 3 and configurable
184         https://bugs.webkit.org/show_bug.cgi?id=161955
185
186         Reviewed by Mark Lam.
187
188         https://tc39.github.io/ecma262/#sec-ecmascript-standard-built-in-objects
189         Unless otherwise specified, the length property of a built-in Function
190         object has the attributes:
191         { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }.
192
193         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
194         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
195
196 2016-09-14  Benjamin Poulain  <bpoulain@apple.com>
197
198         [JSC] Make the rounding-related nodes support any type
199         https://bugs.webkit.org/show_bug.cgi?id=161895
200
201         Reviewed by Geoffrey Garen.
202
203         This patch changes ArithRound, ArithFloor, ArithCeil and ArithTrunc
204         to support polymorphic input without exiting on entry.
205
206         * dfg/DFGAbstractInterpreterInlines.h:
207         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
208         * dfg/DFGByteCodeParser.cpp:
209         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
210         The 4 functions ignore any input past the first argument. It is okay
211         to use the nodes with the first argument and let the Phantoms keep
212         the remaining arguments live.
213
214         * dfg/DFGClobberize.h:
215         (JSC::DFG::clobberize):
216         * dfg/DFGFixupPhase.cpp:
217         (JSC::DFG::FixupPhase::fixupNode):
218         Our fixup had the issue we have seen on previous nodes: unaryArithShouldSpeculateInt32()
219         prevents us from picking a good type if we do not see any double.
220
221         * dfg/DFGNodeType.h:
222         * dfg/DFGOperations.cpp:
223         * dfg/DFGOperations.h:
224         * dfg/DFGPredictionPropagationPhase.cpp:
225         Prediction propagation of those nodes are fully determined
226         from their flags and results's prediction. They are moved
227         to the invariant processing.
228
229         * dfg/DFGSpeculativeJIT.cpp:
230         (JSC::DFG::SpeculativeJIT::compileArithRounding):
231         * ftl/FTLLowerDFGToB3.cpp:
232         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
233         (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
234         (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
235         (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
236
237 2016-09-14  Filip Pizlo  <fpizlo@apple.com>
238
239         Remove Heap::setMarked()
240
241         Rubber stamped by Keith Miller.
242         
243         Nobody uses this function.
244
245         * heap/Heap.h:
246         * heap/HeapInlines.h:
247         (JSC::Heap::setMarked): Deleted.
248         * heap/LargeAllocation.h:
249         (JSC::LargeAllocation::testAndSetMarked):
250         (JSC::LargeAllocation::setMarked): Deleted.
251         * heap/MarkedBlock.h:
252
253 2016-09-14  Mark Lam  <mark.lam@apple.com>
254
255         Use Options::validateExceptionChecks() instead of VM::m_verifyExceptionEvents.
256         https://bugs.webkit.org/show_bug.cgi?id=161975
257
258         Reviewed by Keith Miller.
259
260         This makes it less burdensome (no longer needs a rebuild to enable checks) to do
261         incremental work towards enabling checks all the time.
262
263         * runtime/Options.h:
264         * runtime/VM.cpp:
265         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
266         * runtime/VM.h:
267
268 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
269
270         TaggedTemplateString function calls should emit tail position calls
271         https://bugs.webkit.org/show_bug.cgi?id=161948
272
273         Reviewed by Yusuke Suzuki.
274
275         * bytecompiler/NodesCodegen.cpp:
276         (JSC::TaggedTemplateNode::emitBytecode):
277         The tagged template string function call can be a tail call:
278         https://tc39.github.io/ecma262/#sec-tagged-templates-runtime-semantics-evaluation
279
280 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
281
282         test262: Array.prototype.slice should always set length
283         https://bugs.webkit.org/show_bug.cgi?id=161953
284
285         Reviewed by Mark Lam.
286
287         * runtime/ArrayPrototype.cpp:
288         (JSC::arrayProtoFuncSplice):
289
290 2016-09-13  Michael Saboff  <msaboff@apple.com>
291
292         Promises aren't resolved properly when making a ObjC API callback
293         https://bugs.webkit.org/show_bug.cgi?id=161929
294
295         Reviewed by Geoffrey Garen.
296
297         When we go to call out to an Objective C function registered via the API,
298         we first drop all JSC locks to make the call.  As part of dropping the locks,
299         we drain the microtask queue that is used among other things for handling deferred
300         promise resolution.  The DropAllLocks scope class that drops the locks while in
301         scope, resets the current thread's AtomicStringTable to the default table.  This
302         is wrong for two reasons, first it happens before we drain the microtask queue and
303         second it isn't needed as JSLock::willReleaseLock() restores the current thread's
304         AtomicStringTable to the table before the lock was acquired.
305
306         In fact, the manipulation of the current thread's AtomicStringTable is already 
307         properly handled as a stack in JSLock::didAcquireLock() and willReleaseLock().
308         Therefore the manipulation of the AtomicStringTable in DropAllLocks constructor
309         and destructor should be removed.
310
311         * API/tests/testapi.mm:
312         (testObjectiveCAPIMain): Added a new test.
313         * runtime/JSLock.cpp:
314         (JSC::JSLock::DropAllLocks::DropAllLocks):
315         (JSC::JSLock::DropAllLocks::~DropAllLocks):
316
317 2016-09-13  Filip Pizlo  <fpizlo@apple.com>
318
319         Remove Heap::isLive()
320         https://bugs.webkit.org/show_bug.cgi?id=161933
321
322         Reviewed by Mark Lam.
323         
324         Before I put any more effort into maintaining this weird function, I decided to check how it
325         was used. It turns out it's not.
326
327         * heap/Heap.h:
328         * heap/HeapInlines.h:
329         (JSC::Heap::isLive): Deleted.
330
331 2016-09-13  Mark Lam  <mark.lam@apple.com>
332
333         DFG NewArrayBuffer node should watch for "have a bad time" state change.
334         https://bugs.webkit.org/show_bug.cgi?id=161927
335         <rdar://problem/27995222>
336
337         Reviewed by Geoffrey Garen.
338
339         * dfg/DFGFixupPhase.cpp:
340         (JSC::DFG::FixupPhase::fixupNode):
341
342 2016-09-13  JF Bastien  <jfbastien@apple.com>
343
344         Support jsc shell builtin `read`
345         https://bugs.webkit.org/show_bug.cgi?id=161662
346
347         Reviewed by Keith Miller.
348
349         The jsc shell currently supports a `readFile` method which returns
350         a string. SpiderMonkey's js shell and V8's d8 shell both support
351         similar file-to-string functions, as well as a
352         binary-file-to-Uint8Array function. jsc should support a similar
353         binary file method to simplify testing, including testing of
354         WebAssembly blobs.
355
356         Emscripten's shell.js (which is also used for some WebAssembly
357         things) has a polyfill [1] for a builtin called `read`. jsc should
358         therefore have a builtin with the same name if we want things to
359         "Just Work".
360
361           [1]: https://github.com/kripken/emscripten/blob/5f0918409a1407dd168f57cfa34b109cd1770a8a/src/shell.js#L138
362
363         * jsc.cpp:
364         (GlobalObject::finishCreation): add `read`, make `readFile` take up to 2 arguments.
365         (functionReadFile): support binary files, as per SpiderMonkey.
366         * runtime/Error.h:
367         (JSC::throwVMError): convenience function, I'll add more uses in a follow-up
368         * runtime/JSTypedArrays.cpp:
369         (JSC::createUint8TypedArray): JS private export of JSUint8Array::create.
370         * runtime/JSTypedArrays.h: expose private export.
371
372 2016-09-12  Skachkov Oleksandr  <gskachkov@gmail.com>
373
374         ES6: Classes: Should be allowed to create a static method with name "arguments"
375         https://bugs.webkit.org/show_bug.cgi?id=152985
376
377         Reviewed by Keith Miller.
378
379         Current patch covered 16.2 Forbidden Extensions - first topic 
380         (https://tc39.github.io/ecma262/#sec-forbidden-extensions) ECMAScript Functions 
381         should not have own properties named "caller" or "arguments".
382         Also added possibility to declare static methods and getters with 
383         name 'arguments' and 'caller' for classes. i.e.:
384         class A { static arguments() { return 'value'; } }
385         A.arguments() === 'value';
386         To implement this patch 'caller' and 'arguments' were put to the FunctionPrototype
387         object. Also was changed approach to init throwTypeErrorArgumentsCalleeAndCallerGetterSetter
388         property from Lazy to common because it necessary to use execState during init of the accessors 
389         properties.
390
391         * runtime/Executable.h:
392         * runtime/FunctionPrototype.cpp:
393         (JSC::FunctionPrototype::initRestrictedProperties):
394         (JSC::FunctionPrototype::addFunctionProperties): Deleted.
395         * runtime/FunctionPrototype.h:
396         * runtime/JSFunction.cpp:
397         (JSC::JSFunction::getOwnPropertySlot):
398         (JSC::JSFunction::getOwnNonIndexPropertyNames):
399         (JSC::JSFunction::put):
400         (JSC::JSFunction::deleteProperty):
401         (JSC::JSFunction::defineOwnProperty):
402         * runtime/JSGlobalObject.cpp:
403         (JSC::JSGlobalObject::init):
404         (JSC::JSGlobalObject::visitChildren):
405         * runtime/JSGlobalObject.h:
406         (JSC::JSGlobalObject::throwTypeErrorArgumentsCalleeAndCallerGetterSetter):
407
408 2016-09-12  Filip Pizlo  <fpizlo@apple.com>
409
410         MarkedBlock should be able to use flipIfNecessary() as the "I'm not empty" trigger
411         https://bugs.webkit.org/show_bug.cgi?id=161869
412
413         Reviewed by Saam Barati.
414         
415         In bug 161581, I'm going to use flipIfNecessary() during marking to trigger the "I'm not
416         empty" hook, which will set a bit in the markingNotEmpty bitvector.
417         
418         For this to work, we need to ensure that nobody else uses flipIfNecessary() during marking.
419         If anyone else does it but they aren't marking new objects, then this prevents
420         flipIfNecessary() from triggering when the first object is marked, which means we won't
421         always detect when a block became non-empty.
422         
423         I addressed this by adding a isMarking flag, and asserting in flipIfNecessary() that the flag
424         isn't set. flipIfNecessaryDuringMarking() is used only on the marking path, so that code
425         knows that it can trigger something like noteMarked(). The only places that were using
426         flipIfNecessary() should have been using needsFlip() anyway.
427
428         * heap/CellContainer.h:
429         * heap/CellContainerInlines.h:
430         (JSC::CellContainer::needsFlip):
431         * heap/Heap.cpp:
432         (JSC::Heap::markRoots):
433         (JSC::Heap::beginMarking):
434         (JSC::Heap::endMarking):
435         (JSC::Heap::clearLivenessData): Deleted.
436         (JSC::Heap::converge): Deleted.
437         (JSC::Heap::resetVisitors): Deleted.
438         * heap/Heap.h:
439         * heap/HeapInlines.h:
440         (JSC::Heap::testAndSetMarked):
441         * heap/LargeAllocation.h:
442         (JSC::LargeAllocation::flipIfNecessaryDuringMarking):
443         (JSC::LargeAllocation::flipIfNecessaryConcurrently): Deleted.
444         * heap/MarkedBlock.cpp:
445         (JSC::MarkedBlock::flipIfNecessarySlow):
446         (JSC::MarkedBlock::flipIfNecessaryDuringMarkingSlow):
447         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow): Deleted.
448         * heap/MarkedBlock.h:
449         (JSC::MarkedBlock::flipIfNecessaryDuringMarking):
450         (JSC::MarkedBlock::Handle::flipIfNecessaryDuringMarking):
451         (JSC::MarkedBlock::flipIfNecessaryConcurrently): Deleted.
452         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently): Deleted.
453         * heap/MarkedSpace.h:
454         (JSC::MarkedSpace::isMarking):
455         (JSC::MarkedSpace::setIsMarking):
456         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize): Deleted.
457         * heap/SlotVisitor.cpp:
458         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
459         * heap/WeakBlock.cpp:
460         (JSC::WeakBlock::visit):
461
462 2016-09-12  Saam Barati  <sbarati@apple.com>
463
464         HashMapImpl should take into account m_deleteCount in its load factor and it should be able to rehash the table to be smaller
465         https://bugs.webkit.org/show_bug.cgi?id=161640
466
467         Reviewed by Geoffrey Garen.
468
469         HashMapImpl now takes into account m_deleteCount in its load factor.
470         It now knows how to rehash to either decrease its capacity, stay at
471         the same capacity, or increase its capacity. The reason we can sometimes
472         stay at the same capacity is that we can reduce the load factor enough
473         by rehashing that growing isn't warranted. The reason for this is that
474         anytime we rehash, we remove all deleted sentinels from the buffer.
475         Therefore, staying at the same same capacity, when there are deleted entries,
476         can still reduce the load factor because it removes all deleted sentinels.
477
478         * runtime/HashMapImpl.h:
479         (JSC::HashMapBuffer::create):
480         (JSC::HashMapBuffer::reset):
481         (JSC::HashMapImpl::HashMapImpl):
482         (JSC::HashMapImpl::add):
483         (JSC::HashMapImpl::remove):
484         (JSC::HashMapImpl::size):
485         (JSC::HashMapImpl::clear):
486         (JSC::HashMapImpl::approximateSize):
487         (JSC::HashMapImpl::shouldRehashAfterAdd):
488         (JSC::HashMapImpl::shouldShrink):
489         (JSC::HashMapImpl::rehash):
490         (JSC::HashMapImpl::checkConsistency):
491         (JSC::HashMapImpl::makeAndSetNewBuffer):
492         (JSC::HashMapImpl::assertBufferIsEmpty):
493
494 2016-09-12  Benjamin Poulain  <bpoulain@apple.com>
495
496         [JSC] Use GetArrayLength for JSArray.length even when the array type is undecided
497         https://bugs.webkit.org/show_bug.cgi?id=161671
498
499         Reviewed by Geoffrey Garen.
500
501         UndecidedShape is a type with storage. When we allocate an uninitialized JSArray,
502         it gets a butterfly with its length.
503         When we were querying that length, we were generating a generic GetById with inline cache.
504
505         This patch adds the missing bits to treat Undecided like the other types with storage.
506
507         * dfg/DFGArrayMode.cpp:
508         (JSC::DFG::canBecomeGetArrayLength):
509         (JSC::DFG::ArrayMode::refine):
510         * dfg/DFGArrayMode.h:
511         (JSC::DFG::ArrayMode::usesButterfly):
512         (JSC::DFG::ArrayMode::lengthNeedsStorage):
513         * dfg/DFGClobberize.h:
514         (JSC::DFG::clobberize):
515         * dfg/DFGFixupPhase.cpp:
516         (JSC::DFG::FixupPhase::checkArray):
517         * dfg/DFGSpeculativeJIT.cpp:
518         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
519         * ftl/FTLCapabilities.cpp:
520         (JSC::FTL::canCompile):
521         * ftl/FTLLowerDFGToB3.cpp:
522         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
523
524 2016-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
525
526         [DFG][FTL] Add ArithTan
527         https://bugs.webkit.org/show_bug.cgi?id=161857
528
529         Reviewed by Filip Pizlo.
530
531         While ArithSin and ArithCos are supported, ArithTan is not supported yet.
532         And we also find that Math.tan is included in MotionMark's Multiply benchmark.
533
534         This patch adds ArithTan support in DFG and FTL. And it also cleans up the
535         existing ArithSin, ArithCos, and ArithLog compilations by unifying them.
536         The microbenchmark shows the 9% perf improvement.
537
538             tan    322.4819+-0.3766     ^    295.8700+-0.3094        ^ definitely 1.0899x faster
539
540         * dfg/DFGAbstractInterpreterInlines.h:
541         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
542         * dfg/DFGByteCodeParser.cpp:
543         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
544         * dfg/DFGClobberize.h:
545         (JSC::DFG::clobberize):
546         * dfg/DFGDoesGC.cpp:
547         (JSC::DFG::doesGC):
548         * dfg/DFGFixupPhase.cpp:
549         (JSC::DFG::FixupPhase::fixupNode):
550         * dfg/DFGNodeType.h:
551         * dfg/DFGOperations.cpp:
552         * dfg/DFGOperations.h:
553         * dfg/DFGPredictionPropagationPhase.cpp:
554         * dfg/DFGSafeToExecute.h:
555         (JSC::DFG::safeToExecute):
556         * dfg/DFGSpeculativeJIT.cpp:
557         (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp):
558         (JSC::DFG::SpeculativeJIT::compileArithCos):
559         (JSC::DFG::SpeculativeJIT::compileArithTan):
560         (JSC::DFG::SpeculativeJIT::compileArithSin):
561         (JSC::DFG::SpeculativeJIT::compileArithLog):
562         * dfg/DFGSpeculativeJIT.h:
563         * dfg/DFGSpeculativeJIT32_64.cpp:
564         (JSC::DFG::SpeculativeJIT::compile):
565         * dfg/DFGSpeculativeJIT64.cpp:
566         (JSC::DFG::SpeculativeJIT::compile):
567         * ftl/FTLCapabilities.cpp:
568         (JSC::FTL::canCompile):
569         * ftl/FTLLowerDFGToB3.cpp:
570         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
571         (JSC::FTL::DFG::LowerDFGToB3::compileArithTan):
572         * ftl/FTLOutput.cpp:
573         (JSC::FTL::Output::doubleTan):
574         * ftl/FTLOutput.h:
575         * runtime/Intrinsic.h:
576         * runtime/MathObject.cpp:
577         (JSC::MathObject::finishCreation):
578
579 2016-09-12  Saam Barati  <sbarati@apple.com>
580
581         MapHash should do constant folding when it has a constant argument and its legal to hash that value
582         https://bugs.webkit.org/show_bug.cgi?id=161639
583
584         Reviewed by Filip Pizlo.
585
586         We now constant fold the MapHash node. We're careful to not resolve
587         ropes from the compiler thread, and to only hash strings if they're
588         not too large. The microbenchmark I added runs about 12% faster with
589         this patch.
590
591         * dfg/DFGAbstractInterpreterInlines.h:
592         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
593         * runtime/HashMapImpl.h:
594         (JSC::wangsInt64Hash):
595         (JSC::jsMapHash):
596         (JSC::concurrentJSMapHash):
597
598 2016-09-11  Filip Pizlo  <fpizlo@apple.com>
599
600         DFG::forAllKilledOperands() could use a faster bitvector scan in the same-inline-stack fast path
601         https://bugs.webkit.org/show_bug.cgi?id=161849
602
603         Reviewed by Saam Barati.
604         
605         This is a fairly obvious change. This turns a loop that would query each bit individually
606         into a loop that will process a word at a time. I would expect a very tiny progression in
607         DFG compile times.
608         
609         This also gave me an opportunity to test and fix the new FastBitVector functionality.
610
611         * dfg/DFGForAllKills.h:
612         (JSC::DFG::forAllKilledOperands):
613
614 2016-09-11  Filip Pizlo  <fpizlo@apple.com>
615
616         FastBitVector should have efficient and easy-to-use vector-vector operations
617         https://bugs.webkit.org/show_bug.cgi?id=161847
618
619         Reviewed by Saam Barati.
620         
621         Adapt existing users of FastBitVector to the new API.
622
623         * bytecode/BytecodeLivenessAnalysis.cpp:
624         (JSC::BytecodeLivenessAnalysis::computeKills):
625         (JSC::BytecodeLivenessAnalysis::dumpResults):
626         * bytecode/BytecodeLivenessAnalysisInlines.h:
627         (JSC::operandThatIsNotAlwaysLiveIsLive):
628         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
629         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint):
630         * bytecode/CodeBlock.cpp:
631         (JSC::CodeBlock::validate):
632         * dfg/DFGByteCodeParser.cpp:
633         (JSC::DFG::ByteCodeParser::flushForTerminal):
634         * dfg/DFGForAllKills.h:
635         (JSC::DFG::forAllKilledOperands):
636         * dfg/DFGGraph.h:
637         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
638         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
639         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException):
640         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
641         * dfg/DFGNaturalLoops.cpp:
642         (JSC::DFG::NaturalLoops::NaturalLoops):
643         * dfg/DFGPlan.cpp:
644         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
645
646 2016-09-10  Chris Dumez  <cdumez@apple.com>
647
648         parseHTMLInteger() should take a StringView in parameter
649         https://bugs.webkit.org/show_bug.cgi?id=161669
650
651         Reviewed by Ryosuke Niwa.
652
653         * runtime/DateConversion.cpp:
654         (JSC::formatDateTime):
655         Explicitly construct a String from the const WCHAR* on Windows because
656         it is ambiguous otherwise now that there is a StringBuilder::append()
657         overload taking an AtomicString in.
658
659 2016-09-08  Keith Miller  <keith_miller@apple.com>
660
661         WASM should support if-then-else
662         https://bugs.webkit.org/show_bug.cgi?id=161778
663
664         Reviewed by Michael Saboff.
665
666         This patch makes some major changes to the way that the WASM
667         function parser works. First, the control stack has been moved
668         from the parser's context to the parser itself. This simplifies
669         the way that the parser works and allows us to make the decoder
670         iterative rather than recursive. Since the control stack has been
671         moved to the parser, any context operation that refers to some
672         block now receives that block by reference.
673
674         For any if block, regardless of whether or not it is an
675         if-then-else or not, we will allocate both the entire control flow
676         diamond. This is not a major issue in the if-then case since B3
677         will immediately cleanup these blocks. In order to support if-then
678         and if-then-else we needed to be able to distinguish what the type
679         of the top block on the control stack is. This will be necessary
680         when validating the else opcode in the future. In the B3 IR
681         generator we decide to the type of the block strictly by the
682         shape.
683
684         Currently, if blocks don't handle passed and returned stack values
685         correctly. I plan to fix this when I add support for the block
686         signatures. See: https://github.com/WebAssembly/design/pull/765
687
688         * testWASM.cpp:
689         (runWASMTests):
690         * wasm/WASMB3IRGenerator.cpp:
691         (dumpProcedure):
692         (JSC::WASM::parseAndCompile):
693         * wasm/WASMB3IRGenerator.h:
694         * wasm/WASMFunctionParser.h:
695         (JSC::WASM::FunctionParser<Context>::parseBlock):
696         (JSC::WASM::FunctionParser<Context>::parseExpression):
697         (JSC::WASM::FunctionParser<Context>::parseUnreachableExpression):
698         * wasm/WASMOps.h:
699
700 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
701
702         jsc.cpp should call initializeMainThread() to make sure that GC thread assertions work
703         https://bugs.webkit.org/show_bug.cgi?id=161801
704
705         Reviewed by Keith Miller.
706         
707         The GC has debug assertions that certain things don't happen on GC threads. Those assertions
708         are no-ops unless initializeGCThreads() is called, and I think the most canonical way to do
709         that is to call initializeMainThread().
710
711         * jsc.cpp:
712         (jscmain):
713
714 2016-09-09  Saam Barati  <sbarati@apple.com>
715
716         Make hasOwnProperty ALWAYS_INLINE
717         https://bugs.webkit.org/show_bug.cgi?id=161775
718
719         Reviewed by Ryosuke Niwa.
720
721         Speedometer spends around 2.5% of its time in hasOwnProperty.
722         Let's reduce the overhead of calling that function by marking
723         it as inline. Also, it's likely that the function will call into
724         JSObject::getOwnPropertySlot. I added a check to see if that's
725         the function we're calling, if it is, we do a direct call instead
726         of an indirect call.
727
728         * runtime/JSObject.cpp:
729         (JSC::JSObject::hasOwnProperty): Deleted.
730         * runtime/JSObjectInlines.h:
731         (JSC::JSObject::hasOwnProperty):
732
733 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
734
735         HashMapImpl needs to m_buffer.clear() in its constructor
736         https://bugs.webkit.org/show_bug.cgi?id=161796
737
738         Reviewed by Keith Miller.
739         
740         This is the second time that I'm fixing a bug because AuxiliaryBarrier does not initialize
741         itself. That seemed like a good idea because maybe sometimes the user knows better how to
742         initialize it. But, it's not worth it if it's a constant source of bugs.
743         
744         So, I'm fixing it for good by making AuxiliaryBarrier::AuxiliaryBarrier() initialize its
745         m_value.
746
747         * runtime/AuxiliaryBarrier.h:
748         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
749         * runtime/DirectArguments.cpp:
750         (JSC::DirectArguments::DirectArguments):
751
752 2016-09-09  Youenn Fablet  <youenn@apple.com>
753
754         ASSERTION FAILED: promise.inherits(JSPromise::info())
755         https://bugs.webkit.org/show_bug.cgi?id=161632
756         <rdar://problem/28184743>
757
758         Reviewed by Mark Lam.
759
760         * runtime/JSPromiseDeferred.cpp:
761         (JSC::JSPromiseDeferred::create): Returning null if promise object is not created.
762
763 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
764
765         Heap::isMarked() shouldn't pay the price of concurrent lazy flipping
766         https://bugs.webkit.org/show_bug.cgi?id=161760
767
768         Reviewed by Mark Lam.
769         
770         To fix a race condition in marking, I made Heap::isMarked() and Heap::isLive() atomic by
771         using flipIfNecessaryConcurrently() instead of flipIfNecessary().
772         
773         This introduces three unnecessary overheads:
774         
775         - isLive() is not called by marking, so that change was not necessary.
776         
777         - isMarked() gets calls many times outside of marking, so it shouldn't always do the
778           concurrent thing. This adds isMarkedConcurrently() for use in marking, and reverts
779           isMarked().
780         
781         - isMarked() and isMarkedConcurrently() don't actually have to do the lazy flip. They can
782           return false if the flip is necessary.
783         
784         I added a bunch of debug assertions to make sure that isLive() and isMarked() are not called
785         during marking.
786         
787         If we needed to, we could remove most of the calls to isMarkedConcurrently(). As a kind of
788         optimization, CodeBlock does an initial fixpoint iteration during marking, and so all of the
789         code called from CodeBlock's fixpoint iterator needs to use isMarkedConcurrently(). But we
790         could probably arrange for CodeBlock only do fixpoint iterating during the weak reference
791         thing.
792
793         * bytecode/CodeBlock.cpp:
794         (JSC::CodeBlock::visitWeakly):
795         (JSC::CodeBlock::shouldJettisonDueToOldAge):
796         (JSC::shouldMarkTransition):
797         (JSC::CodeBlock::propagateTransitions):
798         (JSC::CodeBlock::determineLiveness):
799         * bytecode/PolymorphicAccess.cpp:
800         (JSC::AccessCase::propagateTransitions):
801         * heap/Heap.h:
802         * heap/HeapInlines.h:
803         (JSC::Heap::isLive):
804         (JSC::Heap::isMarked):
805         (JSC::Heap::isMarkedConcurrently):
806         * heap/MarkedBlock.cpp:
807         (JSC::MarkedBlock::flipIfNecessarySlow):
808         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
809         (JSC::MarkedBlock::needsFlip):
810         * heap/MarkedBlock.h:
811         (JSC::MarkedBlock::needsFlip):
812         (JSC::MarkedBlock::flipIfNecessary):
813         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
814         * heap/SlotVisitor.cpp:
815         (JSC::SlotVisitor::appendToMarkStack):
816         (JSC::SlotVisitor::markAuxiliary):
817         (JSC::SlotVisitor::visitChildren):
818         * runtime/Structure.cpp:
819         (JSC::Structure::isCheapDuringGC):
820         (JSC::Structure::markIfCheap):
821
822 2016-09-08  Saam Barati  <sbarati@apple.com>
823
824         We should inline operationConvertJSValueToBoolean into JIT code
825         https://bugs.webkit.org/show_bug.cgi?id=161729
826
827         Reviewed by Filip Pizlo.
828
829         This patch introduces an AssemblyHelpers emitter function
830         that replaces operationConvertJSValueToBoolean. This operation
831         was showing up when I was doing performance analysis for the
832         speedometer benchmark. I saw that it was spending about 1% of
833         its time in this function. Hopefully this patch can help us speedup
834         up speedometer by a little bit.
835
836         * dfg/DFGSpeculativeJIT32_64.cpp:
837         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
838         (JSC::DFG::SpeculativeJIT::emitBranch):
839         * dfg/DFGSpeculativeJIT64.cpp:
840         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
841         (JSC::DFG::SpeculativeJIT::emitBranch):
842         * jit/AssemblyHelpers.cpp:
843         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
844         * jit/AssemblyHelpers.h:
845         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
846         * jit/JIT.cpp:
847         (JSC::JIT::privateCompileSlowCases):
848         * jit/JIT.h:
849         * jit/JITOpcodes.cpp:
850         (JSC::JIT::emit_op_jfalse):
851         (JSC::JIT::emit_op_jtrue):
852         (JSC::JIT::emitSlow_op_jfalse): Deleted.
853         (JSC::JIT::emitSlow_op_jtrue): Deleted.
854         * jit/JITOpcodes32_64.cpp:
855         (JSC::JIT::emit_op_jfalse):
856         (JSC::JIT::emit_op_jtrue):
857         (JSC::JIT::emitSlow_op_jfalse): Deleted.
858         (JSC::JIT::emitSlow_op_jtrue): Deleted.
859         * jit/JITOperations.cpp:
860         * jit/JITOperations.h:
861
862 2016-09-08  Chris Dumez  <cdumez@apple.com>
863
864         Align proto getter / setter behavior with other browsers
865         https://bugs.webkit.org/show_bug.cgi?id=161455
866
867         Reviewed by Saam Barati.
868
869         Drop allowsAccessFrom from the methodTable and delegate cross-origin
870         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
871         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
872
873         * jsc.cpp:
874         * runtime/JSGlobalObject.cpp:
875         * runtime/JSGlobalObject.h:
876         * runtime/JSGlobalObjectFunctions.cpp:
877         (JSC::globalFuncProtoGetter):
878         (JSC::globalFuncProtoSetter):
879         (JSC::globalFuncBuiltinLog): Deleted.
880         * runtime/JSGlobalObjectFunctions.h:
881         * runtime/JSObject.cpp:
882         (JSC::JSObject::setPrototypeWithCycleCheck):
883         Remove check added in r197648. This check was added to match
884         the latest EcmaScript spec:
885         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
886         This check allowed for [[Prototype]] chain cycles if the prototype
887         chain includes objects that do not use the ordinary object definitions
888         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
889         The issue is that the rest of our code base does not properly handle
890         such cycles and we can end up in infinite loops. This became obvious
891         because this patch updates Window / Location so that they no longer
892         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
893         remove this check, I get an infinite loop in
894         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
895         called from JSObject::setPrototypeDirect(), when running the following
896         layout test:
897         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
898         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
899         issue.
900
901         * runtime/JSObject.h:
902         (JSC::JSObject::getArrayLength): Deleted.
903         * runtime/JSProxy.cpp:
904         (JSC::JSProxy::setPrototype):
905         (JSC::JSProxy::getPrototype):
906         * runtime/JSProxy.h:
907         * runtime/ObjectConstructor.cpp:
908         (JSC::objectConstructorGetPrototypeOf):
909         (JSC::objectConstructorSetPrototypeOf):
910         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
911         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
912         * runtime/ObjectConstructor.h:
913         * runtime/ReflectObject.cpp:
914         (JSC::reflectObjectGetPrototypeOf):
915         (JSC::reflectObjectSetPrototypeOf):
916
917 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
918
919         Remove CopiedSpace and use MarkedSpace instead
920         https://bugs.webkit.org/show_bug.cgi?id=159658
921
922         Reviewed by Keith Miller.
923         
924         This removes the final client of CopiedSpace, the overrides array of DirectArguments. That
925         is a simple change.
926         
927         Then this stubs out some remaining internal debugging code that referenced CopiedSpace in
928         JSDollarVM and HeapVerifier. I filed FIXMEs to restore that debugging functionality.
929         
930         The rest of this patch is deleting CopiedSpace.
931
932         * API/JSObjectRef.cpp:
933         * CMakeLists.txt:
934         * JavaScriptCore.xcodeproj/project.pbxproj:
935         * dfg/DFGOperations.cpp:
936         * heap/ConservativeRoots.cpp:
937         (JSC::ConservativeRoots::genericAddPointer):
938         * heap/CopiedAllocator.h: Removed.
939         * heap/CopiedBlock.cpp: Removed.
940         * heap/CopiedBlock.h: Removed.
941         * heap/CopiedBlockInlines.h: Removed.
942         * heap/CopiedSpace.cpp: Removed.
943         * heap/CopiedSpace.h: Removed.
944         * heap/CopiedSpaceInlines.h: Removed.
945         * heap/CopyBarrier.h: Removed.
946         * heap/CopyToken.h: Removed.
947         * heap/CopyVisitor.cpp: Removed.
948         * heap/CopyVisitor.h: Removed.
949         * heap/CopyVisitorInlines.h: Removed.
950         * heap/CopyWorkList.h: Removed.
951         * heap/Heap.cpp:
952         (JSC::Heap::Heap):
953         (JSC::Heap::isPagedOut):
954         (JSC::Heap::updateObjectCounts):
955         (JSC::Heap::size):
956         (JSC::Heap::capacity):
957         (JSC::Heap::collectImpl):
958         (JSC::Heap::stopAllocation):
959         (JSC::Heap::updateAllocationLimits):
960         (JSC::Heap::copyBackingStores): Deleted.
961         (JSC::Heap::threadBytesCopied): Deleted.
962         * heap/Heap.h:
963         (JSC::Heap::objectSpace):
964         (JSC::Heap::allocatorForAuxiliaryData):
965         (JSC::Heap::storageSpace): Deleted.
966         (JSC::Heap::storageAllocator): Deleted.
967         * heap/HeapCellInlines.h:
968         * heap/HeapInlines.h:
969         (JSC::Heap::tryAllocateStorage): Deleted.
970         (JSC::Heap::tryReallocateStorage): Deleted.
971         * heap/HeapVerifier.cpp:
972         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
973         (JSC::HeapVerifier::reportObject):
974         (JSC::getButterflyDetails): Deleted.
975         * heap/SlotVisitor.cpp:
976         (JSC::SlotVisitor::copyLater): Deleted.
977         * heap/SlotVisitor.h:
978         * jit/AssemblyHelpers.h:
979         * jit/JITOpcodes.cpp:
980         * jsc.cpp:
981         * runtime/ArrayConstructor.cpp:
982         * runtime/ArrayPrototype.cpp:
983         * runtime/Butterfly.h:
984         * runtime/ButterflyInlines.h:
985         (JSC::Butterfly::createUninitializedDuringCollection): Deleted.
986         * runtime/ClassInfo.h:
987         * runtime/DirectArguments.cpp:
988         (JSC::DirectArguments::visitChildren):
989         (JSC::DirectArguments::overrideThings):
990         (JSC::DirectArguments::copyBackingStore): Deleted.
991         * runtime/DirectArguments.h:
992         * runtime/JSArray.cpp:
993         * runtime/JSCell.cpp:
994         (JSC::JSCell::copyBackingStore): Deleted.
995         * runtime/JSCell.h:
996         * runtime/JSLexicalEnvironment.h:
997         * runtime/JSObject.cpp:
998         * runtime/JSTypedArrays.cpp:
999         * runtime/LiteralParser.cpp:
1000         * runtime/ObjectConstructor.cpp:
1001         * runtime/RegExpObject.cpp:
1002         * runtime/StringPrototype.cpp:
1003         * runtime/WeakMapData.cpp:
1004         * tools/JSDollarVMPrototype.cpp:
1005         (JSC::JSDollarVMPrototype::isInStorageSpace):
1006
1007 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
1008
1009         Heap version should be 32-bit
1010         https://bugs.webkit.org/show_bug.cgi?id=161751
1011
1012         Reviewed by Mark Lam.
1013         
1014         32-bit devices are probably getting hurt by the 64-bit version number. The reason why I made
1015         it 64-bit initially is so that I wouldn't have to worry about wrap-around. But wrap-around is
1016         easy to handle.
1017
1018         * heap/CellContainer.h:
1019         * heap/CellContainerInlines.h:
1020         (JSC::CellContainer::flipIfNecessary):
1021         * heap/ConservativeRoots.cpp:
1022         (JSC::ConservativeRoots::genericAddPointer):
1023         (JSC::ConservativeRoots::genericAddSpan):
1024         * heap/ConservativeRoots.h:
1025         * heap/Heap.h:
1026         * heap/HeapInlines.h:
1027         (JSC::Heap::testAndSetMarked):
1028         * heap/HeapUtil.h:
1029         (JSC::HeapUtil::findGCObjectPointersForMarking):
1030         * heap/MarkedBlock.cpp:
1031         (JSC::MarkedBlock::MarkedBlock):
1032         * heap/MarkedBlock.h:
1033         (JSC::MarkedBlock::flipIfNecessary):
1034         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
1035         (JSC::MarkedBlock::Handle::flipIfNecessary):
1036         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
1037         * heap/MarkedSpace.cpp:
1038         (JSC::MarkedSpace::flip):
1039         * heap/MarkedSpace.h:
1040         (JSC::MarkedSpace::version):
1041         * heap/SlotVisitor.cpp:
1042         (JSC::SlotVisitor::SlotVisitor):
1043         * heap/SlotVisitor.h:
1044
1045 2016-09-08  Mark Lam  <mark.lam@apple.com>
1046
1047         Add support for a ternary sub32 emitter for ARM64 and 32-bit ARM.
1048         https://bugs.webkit.org/show_bug.cgi?id=161724
1049
1050         Reviewed by Filip Pizlo.
1051
1052         ARM architectures support ternary sub instructions.  We should make use of them
1053         in emitAllocateWithNonNullAllocator().
1054
1055         * assembler/MacroAssemblerARM.h:
1056         (JSC::MacroAssemblerARM::sub32):
1057         * assembler/MacroAssemblerARM64.h:
1058         (JSC::MacroAssemblerARM64::sub32):
1059         * assembler/MacroAssemblerARMv7.h:
1060         (JSC::MacroAssemblerARMv7::sub32):
1061         * assembler/MacroAssemblerSH4.h:
1062         (JSC::MacroAssemblerSH4::sub32):
1063         * assembler/MacroAssemblerX86Common.h:
1064         (JSC::MacroAssemblerX86Common::sub32):
1065         * b3/air/AirOpcode.opcodes:
1066         * b3/testb3.cpp:
1067         (JSC::B3::testTernarySubInstructionSelection):
1068         (JSC::B3::run):
1069         * jit/AssemblyHelpers.h:
1070         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1071
1072 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
1073
1074         Move JSMap/JSSet over to Auxiliary MarkedSpace
1075         https://bugs.webkit.org/show_bug.cgi?id=161744
1076
1077         Reviewed by Saam Barati.
1078         
1079         This moves the buffer out of CopiedSpace and into Auxiliary MarkedSpace.
1080         
1081         Also removes MapData.h/MapDataInlines.h since they are not used anywhere, but they still
1082         speak of CopiedSpace.
1083         
1084         This is a purely mechanical change.
1085
1086         * JavaScriptCore.xcodeproj/project.pbxproj:
1087         * heap/CopyToken.h:
1088         * runtime/HashMapImpl.cpp:
1089         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1090         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore): Deleted.
1091         * runtime/HashMapImpl.h:
1092         (JSC::HashMapBuffer::create):
1093         * runtime/JSMapIterator.cpp:
1094         * runtime/JSMapIterator.h:
1095         * runtime/JSSetIterator.cpp:
1096         * runtime/JSSetIterator.h:
1097         * runtime/MapBase.cpp:
1098         * runtime/MapData.h: Removed.
1099         * runtime/MapDataInlines.h: Removed.
1100         * runtime/MapPrototype.cpp:
1101         * runtime/SetConstructor.cpp:
1102         * runtime/SetPrototype.cpp:
1103         * runtime/VM.cpp:
1104
1105 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
1106
1107         Typed arrays should use MarkedSpace instead of CopiedSpace
1108         https://bugs.webkit.org/show_bug.cgi?id=161100
1109
1110         Reviewed by Geoffrey Garen.
1111         
1112         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
1113         
1114         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
1115         everything that typed arrays want.
1116
1117         * dfg/DFGOperations.cpp:
1118         (JSC::DFG::newTypedArrayWithSize):
1119         * dfg/DFGOperations.h:
1120         (JSC::DFG::operationNewTypedArrayWithSizeForType):
1121         * dfg/DFGSpeculativeJIT.cpp:
1122         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1123         * dfg/DFGSpeculativeJIT.h:
1124         (JSC::DFG::SpeculativeJIT::callOperation):
1125         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
1126         * ftl/FTLLowerDFGToB3.cpp:
1127         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1128         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
1129         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
1130         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
1131         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
1132         * heap/CopyToken.h:
1133         * heap/SlotVisitor.cpp:
1134         (JSC::SlotVisitor::markAuxiliary):
1135         * jit/JITOperations.h:
1136         * runtime/JSArrayBufferView.cpp:
1137         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1138         (JSC::JSArrayBufferView::JSArrayBufferView):
1139         * runtime/JSArrayBufferView.h:
1140         * runtime/JSGenericTypedArrayView.h:
1141         * runtime/JSGenericTypedArrayViewInlines.h:
1142         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
1143         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
1144         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1145         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
1146
1147 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
1148
1149         [Win64] Compile fixes.
1150         https://bugs.webkit.org/show_bug.cgi?id=161682
1151
1152         Reviewed by Brent Fulgham.
1153
1154         * dfg/DFGSpeculativeJIT64.cpp:
1155         (JSC::DFG::SpeculativeJIT::emitCall):
1156         * jit/JITCall.cpp:
1157         (JSC::JIT::compileOpCall):
1158         * runtime/ArrayConventions.cpp:
1159         (JSC::clearArrayMemset):
1160
1161 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
1162
1163         [Win] Exception fuzz tests fail
1164         https://bugs.webkit.org/show_bug.cgi?id=140928
1165
1166         Reviewed by Mark Lam.
1167
1168         Flush stdout when throwing the exception to make sure the output comes before output in the exception handler.
1169         The tests depend on the output to stdout being written in the correct order.
1170
1171         * runtime/ExceptionFuzz.cpp:
1172         (JSC::doExceptionFuzzing):
1173
1174 2016-09-07  Simon Fraser  <simon.fraser@apple.com>
1175
1176         Enable the <meter> element on iOS
1177         https://bugs.webkit.org/show_bug.cgi?id=161714
1178         rdar://problem/8978410
1179
1180         Reviewed by Tim Horton.
1181
1182         Define ENABLE_METER_ELEMENT unconditionally now.
1183
1184         * Configurations/FeatureDefines.xcconfig:
1185
1186 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
1187
1188         Modernize Debugger to use nullptr
1189         https://bugs.webkit.org/show_bug.cgi?id=161718
1190
1191         Reviewed by Mark Lam.
1192
1193         * debugger/Debugger.cpp:
1194         (JSC::Debugger::Debugger):
1195         (JSC::Debugger::~Debugger):
1196         (JSC::Debugger::detach):
1197         (JSC::Debugger::stepOutOfFunction):
1198         (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
1199         * debugger/Debugger.h:
1200
1201 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
1202
1203         Web Inspector: Remove always false case in Debugger
1204         https://bugs.webkit.org/show_bug.cgi?id=161717
1205
1206         Reviewed by Brian Burg.
1207
1208         * debugger/Debugger.cpp:
1209         (JSC::Debugger::didExecuteProgram):
1210         We would have earlier returned a few statements ago if this case was true.
1211         And we would have crashed in the previous statement if this case was true.
1212
1213 2016-09-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1214
1215         Unreviewed, build fix after r205569
1216
1217         Tweak CMakeLists.txt
1218
1219         * CMakeLists.txt:
1220
1221 2016-09-07  Mark Lam  <mark.lam@apple.com>
1222
1223         Add CatchScope and force all exception checks to be via ThrowScope or CatchScope.
1224         https://bugs.webkit.org/show_bug.cgi?id=161498
1225
1226         Reviewed by Geoffrey Garen.
1227
1228         This patch refactors the ThrowScope class, and introduces a base ExceptionScope
1229         that ThrowScope extends.  A CatchScope which extends the ExceptionScope is also
1230         introduced.
1231
1232         ENABLE(THROW_SCOPE_VERIFICATION) is now renamed to ENABLE(EXCEPTION_SCOPE_VERIFICATION)
1233         which is a more suitable name now.
1234
1235         Note: exception scope verification is still disabled by default.  There are still
1236         many places that need to be fixed up or re-expressed in a way that is friendly
1237         to the verification.  I'll address those in subsequent patches.
1238
1239         After this patch, the code will statically enforce that:
1240         1. all calls to throwException() go through a ThrowScope.
1241         2. all calls to clearException() go through a CatchScope.
1242         3. all exception checks go through an ExceptionScope in the form of a ThrowScope
1243            or CatchScope.
1244
1245         A Summary of how to use ExceptionScopes
1246         =======================================
1247         1. If a function can throw a JS exception, it should declare a ThrowScope at the
1248            top of the function (as early as possible).
1249
1250         2. If a function can clear JS exceptions, it should declare a CatchScope at the
1251            top of the function (as early as possible).
1252
1253         Declaring a ThrowScope in a function means that the function may throw an exception
1254         that its caller will have to handle.  Declaring a CatchScope in a function means
1255         that the function intends to clear pending exceptions before returning to its
1256         caller. 
1257
1258         For more details, see the notes below.
1259         
1260         Everything you may want to know about ExceptionScopes
1261         =====================================================
1262         ExceptionScope verification works to simulate exception throws and detect cases
1263         where exception checks are missing.  The notes below will cover:
1264
1265             1. The VM::m_needExceptionCheck bit
1266             2. ThrowScopes and CatchScopes
1267             3. Verification of needed exception checks
1268             3. Checking Exceptions
1269             4. Simulating throws
1270             5. Using ThrowScope::release()
1271             6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
1272             7. Checking exceptions by checking callee results
1273             8. Debugging verification errors
1274
1275         1. The VM::m_needExceptionCheck bit
1276
1277            The VM has a m_needExceptionCheck bit that indicates when an exception may be
1278            thrown.  You can think of the m_needExceptionCheck bit being set as a simulated
1279            throw.
1280
1281         2. ThrowScopes and CatchScopes
1282
1283            Only ThrowScopes may throwException.  Only CatchScopes may catchException.
1284
1285            Every throw site must declare a ThrowScope instance using DECLARE_THROW_SCOPE
1286            at the top of its function (as early as possible) e.g.
1287  
1288                 void foo(...)
1289                 {
1290                     auto scope = DECLARE_THROW_SCOPE(vm);
1291                     ...
1292                     throwException(exec, scope, ...);
1293                 }
1294
1295            Note: by convention, every throw helper function must take a ThrowScope argument
1296            instead of instantiating its own ThrowScope.  This allows the throw to be
1297            attributed to the client code rather than the throw helper itself.
1298
1299            Every catch site (i.e. a site that calls clearException()) must declare a
1300            CatchScope instance using DECLARE_CATCH_SCOPE at the top of its function.
1301
1302            If a function can both throw or clear exceptions, then the ThrowScope should
1303            be declared first so that it can simulate a throw to the function's caller.
1304
1305            Note: ThrowScope and CatchScope both extend ExceptionScope so that ThrowScopes
1306            can be aware if there's an enclosing CatchScope between it and the point where
1307            C++ code returns to JS code.  This is needed to determine if the ThrowScope
1308            should simulate a re-throw or not.  See (4) below for more details on returning
1309            to JS code.
1310
1311         3. Verification of needed exception checks
1312
1313            a. On construction, each ThrowScope and CatchScope will verify that
1314               VM::m_needExceptionCheck is not set.
1315  
1316               This ensures that the caller of the current function has checked for exceptions
1317               where needed before doing more work which lead to calling the current function.
1318
1319            b. On destruction, each ThrowScope and CatchScope will verify that
1320               VM::m_needExceptionCheck is not set. This verification will be skipped if
1321               the ThrowScope has been released (see (5) below).
1322
1323               This ensures that the function that owns this exception scope is not missing
1324               any exception checks before returning.
1325
1326            c. When throwing an exception, the ThrowScope will verify that VM::m_needExceptionCheck
1327               is not already set, unless it's been ask to rethrow the same Exception object.
1328
1329         4. Simulating throws
1330
1331            Throws are simulated by setting the m_needExceptionCheck bit.
1332
1333            The bit will only be set in the ThrowScope destructor except when the ThrowScope
1334            detects the caller is a LLInt or JIT function.  LLInt or JIT functions will always
1335            check for exceptions after a host C++ function returns to it.  However, they will
1336            not clear the m_needExceptionCheck bit.
1337
1338            Hence, if the ThrowScope destructor detects the caller is a LLInt or JIT function,
1339            it will just skip the setting of the bit.
1340
1341            Note: it is not needed nor correct to set the m_needExceptionCheck bit in the
1342            throwException methods.  This is because, in practice, we always return
1343            immediately after throwing an exception.  It doesn't make sense to set the bit in
1344            the throw just to have to clear it immediately after before we do verification in
1345            the ThrowScope destructor.
1346
1347         5. Using ThrowScope::release()
1348
1349            Calling release() means that the scope is released from its obligation to
1350            verify the VM::m_needExceptionCheck bit on destruction.
1351
1352            release() should only be used at the bottom of a function if:
1353
1354            a. This function is going to let its caller check and handle the exception, e.g.
1355
1356                 void foo(...)
1357                 {
1358                     auto scope = DECLARE_THROW_SCOPE(vm);
1359                     auto result = goo(); // may throw.
1360
1361                     ... // Code that will are not affected by a pending exceptions.
1362
1363                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
1364                     return result;
1365                 }
1366
1367            b. This function is going to do a tail call that may throw.
1368
1369                 void foo(...)
1370                 {
1371                     auto scope = DECLARE_THROW_SCOPE(vm);
1372                     ...
1373                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
1374                     return goo(); // may throw.
1375                 }
1376
1377               release() should not be used in code paths that branch. For example:
1378
1379                 void foo(...)
1380                 {
1381                     auto scope = DECLARE_THROW_SCOPE(vm);
1382
1383                     auto result = goo1(); // may throw.
1384                     scope.release(); // WRONG !!! Don't do this.
1385                     if (result)
1386                         return;
1387
1388                     result = goo2(); // may throw.
1389                     ...
1390                     return result;
1391                 }
1392
1393             The above will result in a verification error in goo2()'s ThrowScope.  The
1394             proper way to fix this verification is to do either (6) or (7) below.
1395
1396          6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
1397
1398             ThrowScope/CatchScope::exception() returns the thrown Exception object if
1399             there is one pending.  Else, it returns nullptr.
1400
1401             It also clears the m_needExceptionCheck bit thereby indicating that we've
1402             satisfied the needed exception check.  For example,
1403
1404                 void foo(...)
1405                 {
1406                     auto scope = DECLARE_THROW_SCOPE(vm);
1407
1408                     auto result = goo1(); // may throw.
1409                     if (scope.exception())
1410                         return;
1411
1412                     result = goo2(); // may throw.
1413                     ...
1414                     return result;
1415                 }
1416
1417             But sometimes, for optimization reasons, we may choose to test the result of
1418             the callee function instead doing a load of the VM exception value.  See (7)
1419             below.
1420
1421          7. Checking exceptions by checking callee results
1422
1423             This approach should only be applied when it makes a difference to performance.
1424             If we need to do this, we should add an ASSERT() that invokes the scope's
1425             exception() method to verify the result.  Since exception scope verification
1426             is only done on DEBUG builds, this ASSERT will satisfy the verification
1427             requirements without impacting performance.  For example,
1428
1429                 void foo(...)
1430                 {
1431                     auto scope = DECLARE_THROW_SCOPE(vm);
1432
1433                     bool failed = goo1(); // may throw.
1434                     ASSERT(!!scope.exception() == failed)
1435                     if (failed)
1436                         return;
1437
1438                     result = goo2(); // may throw.
1439                     ...
1440                     return result;
1441                 }
1442
1443          8. Debugging verification errors
1444
1445             a. When verification fails, you will see a message followed by an assertion
1446                failure.  For example:
1447
1448             ERROR: Unchecked JS exception:
1449                 This scope can throw a JS exception: setUpCall @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1245
1450                     (ExceptionScope::m_recursionDepth was ...)
1451                 But the exception was unchecked as of this scope: varargsSetup @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1398
1452                     (ExceptionScope::m_recursionDepth was ...)
1453                 [ backtrace here ]
1454
1455                The message tells you that failure was detected at in varargsSetup() at
1456                LLIntSlowPaths.cpp line 1398, and that the missing exception check should
1457                have happened somewhere between the call to setUpCall() at LLIntSlowPaths.cpp
1458                line 1245 and it.
1459
1460                If that is insufficient information, you can ...
1461
1462             b. Dump simulated throws
1463
1464                Re-run the test case with JSC_dumpSimulatedThrows=true.  You will also see
1465                back traces at each simulated throw.
1466
1467             c. Narrowing down the source of a simulated throw
1468
1469                Another technique for narrowing down the source of simulated throws is by
1470                further dividing a function to smaller regions by separating each region
1471                with additional local throw scopes.  For example,
1472
1473                 ... // Region 1
1474                 { auto scope = DECLARE_THROW_SCOPE(vm); }
1475                 ... // Region 2
1476                 { auto scope = DECLARE_THROW_SCOPE(vm); }
1477                 ... // Region 3
1478
1479         * API/APIUtils.h:
1480         (handleExceptionIfNeeded):
1481         * CMakeLists.txt:
1482         * JavaScriptCore.xcodeproj/project.pbxproj:
1483         * bindings/ScriptFunctionCall.cpp:
1484         (Deprecated::ScriptFunctionCall::call):
1485         * bindings/ScriptValue.cpp:
1486         (Deprecated::ScriptValue::toString):
1487         * debugger/Debugger.cpp:
1488         (JSC::Debugger::pauseIfNeeded):
1489         * debugger/DebuggerCallFrame.cpp:
1490         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1491         * dfg/DFGOSRExitCompiler.cpp:
1492         * dfg/DFGOperations.cpp:
1493         (JSC::DFG::operationPutByValInternal):
1494         * inspector/InjectedScriptManager.cpp:
1495         (Inspector::InjectedScriptManager::createInjectedScript):
1496         * inspector/JSGlobalObjectInspectorController.cpp:
1497         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1498         * inspector/JSInjectedScriptHost.cpp:
1499         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
1500         (Inspector::JSInjectedScriptHost::getInternalProperties):
1501         (Inspector::JSInjectedScriptHost::weakMapEntries):
1502         (Inspector::JSInjectedScriptHost::weakSetEntries):
1503         (Inspector::JSInjectedScriptHost::iteratorEntries):
1504         * inspector/JSJavaScriptCallFrame.cpp:
1505         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
1506         * inspector/ScriptCallStackFactory.cpp:
1507         (Inspector::extractSourceInformationFromException):
1508         * interpreter/CachedCall.h:
1509         (JSC::CachedCall::CachedCall):
1510         * interpreter/CallFrame.h:
1511         (JSC::ExecState::clearException): Deleted.
1512         (JSC::ExecState::exception): Deleted.
1513         (JSC::ExecState::hadException): Deleted.
1514         (JSC::ExecState::lastException): Deleted.
1515         (JSC::ExecState::clearLastException): Deleted.
1516         * interpreter/Interpreter.cpp:
1517         (JSC::eval):
1518         (JSC::sizeOfVarargs):
1519         (JSC::notifyDebuggerOfUnwinding):
1520         (JSC::Interpreter::unwind):
1521         (JSC::Interpreter::execute):
1522         (JSC::Interpreter::executeCall):
1523         (JSC::Interpreter::executeConstruct):
1524         (JSC::Interpreter::prepareForRepeatCall):
1525         (JSC::Interpreter::debug):
1526         * interpreter/Interpreter.h:
1527         (JSC::SuspendExceptionScope::SuspendExceptionScope):
1528         * interpreter/ShadowChicken.cpp:
1529         (JSC::ShadowChicken::functionsOnStack):
1530         * jit/JITCode.cpp:
1531         (JSC::JITCode::execute):
1532         * jit/JITExceptions.cpp:
1533         (JSC::genericUnwind):
1534         * jit/JITOperations.cpp:
1535         (JSC::getByVal):
1536         * jsc.cpp:
1537         (WTF::ImpureGetter::getOwnPropertySlot):
1538         (GlobalObject::moduleLoaderResolve):
1539         (GlobalObject::moduleLoaderFetch):
1540         (functionCreateElement):
1541         (functionRun):
1542         (functionRunString):
1543         (functionLoad):
1544         (functionLoadString):
1545         (functionReadFile):
1546         (functionCheckSyntax):
1547         (functionSetRandomSeed):
1548         (functionLoadModule):
1549         (functionCreateBuiltin):
1550         (functionCheckModuleSyntax):
1551         (functionGenerateHeapSnapshot):
1552         (functionSamplingProfilerStackTraces):
1553         (dumpException):
1554         (checkUncaughtException):
1555         (runWithScripts):
1556         (runInteractive):
1557         * llint/LLIntExceptions.cpp:
1558         (JSC::LLInt::returnToThrow):
1559         (JSC::LLInt::callToThrow):
1560         * llint/LLIntSlowPaths.cpp:
1561         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1562         * profiler/ProfilerBytecodeSequence.cpp:
1563         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
1564         * profiler/ProfilerCompilation.cpp:
1565         (JSC::Profiler::Compilation::toJS):
1566         * profiler/ProfilerDatabase.cpp:
1567         (JSC::Profiler::Database::toJS):
1568         * profiler/ProfilerOSRExitSite.cpp:
1569         (JSC::Profiler::OSRExitSite::toJS):
1570         * profiler/ProfilerOriginStack.cpp:
1571         (JSC::Profiler::OriginStack::toJS):
1572         * runtime/ArrayPrototype.cpp:
1573         (JSC::speciesConstructArray):
1574         (JSC::shift):
1575         (JSC::unshift):
1576         (JSC::arrayProtoFuncToString):
1577         (JSC::arrayProtoFuncToLocaleString):
1578         (JSC::slowJoin):
1579         (JSC::fastJoin):
1580         (JSC::arrayProtoFuncJoin):
1581         (JSC::arrayProtoFuncPop):
1582         (JSC::arrayProtoFuncPush):
1583         (JSC::arrayProtoFuncReverse):
1584         (JSC::arrayProtoFuncShift):
1585         (JSC::arrayProtoFuncSlice):
1586         (JSC::arrayProtoFuncSplice):
1587         (JSC::arrayProtoFuncUnShift):
1588         (JSC::arrayProtoFuncIndexOf):
1589         (JSC::arrayProtoFuncLastIndexOf):
1590         (JSC::moveElements):
1591         (JSC::concatAppendOne):
1592         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1593         * runtime/BooleanConstructor.cpp:
1594         (JSC::constructWithBooleanConstructor):
1595         * runtime/CallData.cpp:
1596         (JSC::call):
1597         * runtime/CatchScope.cpp: Added.
1598         (JSC::CatchScope::CatchScope):
1599         (JSC::CatchScope::~CatchScope):
1600         * runtime/CatchScope.h: Added.
1601         (JSC::CatchScope::clearException):
1602         (JSC::CatchScope::CatchScope):
1603         * runtime/CommonSlowPaths.cpp:
1604         (JSC::SLOW_PATH_DECL):
1605         * runtime/CommonSlowPaths.h:
1606         (JSC::CommonSlowPaths::opIn):
1607         * runtime/CommonSlowPathsExceptions.cpp:
1608         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1609         * runtime/Completion.cpp:
1610         (JSC::evaluate):
1611         (JSC::rejectPromise):
1612         (JSC::loadAndEvaluateModule):
1613         (JSC::loadModule):
1614         * runtime/ConsoleObject.cpp:
1615         (JSC::consoleProtoFuncAssert):
1616         (JSC::consoleProtoFuncProfile):
1617         (JSC::consoleProtoFuncProfileEnd):
1618         (JSC::consoleProtoFuncTakeHeapSnapshot):
1619         (JSC::consoleProtoFuncTime):
1620         (JSC::consoleProtoFuncTimeEnd):
1621         * runtime/DateConstructor.cpp:
1622         (JSC::constructDate):
1623         (JSC::dateParse):
1624         * runtime/DatePrototype.cpp:
1625         (JSC::dateProtoFuncToPrimitiveSymbol):
1626         (JSC::dateProtoFuncToJSON):
1627         * runtime/ErrorConstructor.cpp:
1628         (JSC::Interpreter::constructWithErrorConstructor):
1629         * runtime/ErrorInstance.cpp:
1630         (JSC::ErrorInstance::sanitizedToString):
1631         * runtime/ErrorPrototype.cpp:
1632         (JSC::errorProtoFuncToString):
1633         * runtime/ExceptionEventLocation.cpp: Added.
1634         (WTF::printInternal):
1635         * runtime/ExceptionEventLocation.h: Copied from Source/JavaScriptCore/runtime/ThrowScopeLocation.h.
1636         (JSC::ExceptionEventLocation::ExceptionEventLocation):
1637         (JSC::ThrowScopeLocation::ThrowScopeLocation): Deleted.
1638         * runtime/ExceptionHelpers.h:
1639         * runtime/ExceptionScope.cpp: Added.
1640         (JSC::ExceptionScope::ExceptionScope):
1641         (JSC::ExceptionScope::~ExceptionScope):
1642         * runtime/ExceptionScope.h: Added.
1643         (JSC::ExceptionScope::vm):
1644         (JSC::ExceptionScope::recursionDepth):
1645         (JSC::ExceptionScope::exception):
1646         (JSC::ExceptionScope::ExceptionScope):
1647         * runtime/FunctionConstructor.cpp:
1648         (JSC::constructFunctionSkippingEvalEnabledCheck):
1649         * runtime/FunctionPrototype.cpp:
1650         (JSC::functionProtoFuncBind):
1651         * runtime/GenericArgumentsInlines.h:
1652         (JSC::GenericArguments<Type>::copyToArguments):
1653         * runtime/GetterSetter.cpp:
1654         (JSC::callGetter):
1655         * runtime/InspectorInstrumentationObject.cpp:
1656         (JSC::inspectorInstrumentationObjectLog):
1657         * runtime/InternalFunction.cpp:
1658         (JSC::InternalFunction::createSubclassStructure):
1659         * runtime/IntlCollator.cpp:
1660         (JSC::IntlCollator::initializeCollator):
1661         (JSC::IntlCollator::createCollator):
1662         (JSC::IntlCollator::resolvedOptions):
1663         * runtime/IntlCollatorConstructor.cpp:
1664         (JSC::constructIntlCollator):
1665         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1666         * runtime/IntlCollatorPrototype.cpp:
1667         (JSC::IntlCollatorFuncCompare):
1668         (JSC::IntlCollatorPrototypeGetterCompare):
1669         * runtime/IntlDateTimeFormat.cpp:
1670         (JSC::toDateTimeOptionsAnyDate):
1671         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1672         (JSC::IntlDateTimeFormat::resolvedOptions):
1673         (JSC::IntlDateTimeFormat::format):
1674         * runtime/IntlDateTimeFormatConstructor.cpp:
1675         (JSC::constructIntlDateTimeFormat):
1676         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1677         * runtime/IntlDateTimeFormatPrototype.cpp:
1678         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1679         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1680         * runtime/IntlNumberFormat.cpp:
1681         (JSC::IntlNumberFormat::initializeNumberFormat):
1682         (JSC::IntlNumberFormat::createNumberFormat):
1683         (JSC::IntlNumberFormat::resolvedOptions):
1684         * runtime/IntlNumberFormatConstructor.cpp:
1685         (JSC::constructIntlNumberFormat):
1686         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1687         * runtime/IntlNumberFormatPrototype.cpp:
1688         (JSC::IntlNumberFormatFuncFormatNumber):
1689         (JSC::IntlNumberFormatPrototypeGetterFormat):
1690         * runtime/IntlObject.cpp:
1691         (JSC::intlBooleanOption):
1692         (JSC::intlStringOption):
1693         (JSC::intlNumberOption):
1694         (JSC::canonicalizeLocaleList):
1695         (JSC::supportedLocales):
1696         * runtime/IntlObjectInlines.h:
1697         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1698         * runtime/IteratorOperations.cpp:
1699         (JSC::iteratorNext):
1700         (JSC::iteratorStep):
1701         (JSC::iteratorClose):
1702         (JSC::iteratorForIterable):
1703         * runtime/IteratorOperations.h:
1704         (JSC::forEachInIterable):
1705         * runtime/JSArray.cpp:
1706         (JSC::JSArray::pop):
1707         (JSC::JSArray::push):
1708         (JSC::JSArray::copyToArguments):
1709         * runtime/JSArrayBufferConstructor.cpp:
1710         (JSC::constructArrayBuffer):
1711         * runtime/JSArrayBufferPrototype.cpp:
1712         (JSC::arrayBufferProtoFuncSlice):
1713         * runtime/JSArrayInlines.h:
1714         (JSC::getLength):
1715         (JSC::toLength):
1716         * runtime/JSBoundFunction.cpp:
1717         (JSC::getBoundFunctionStructure):
1718         (JSC::JSBoundFunction::create):
1719         * runtime/JSCJSValue.cpp:
1720         (JSC::JSValue::putToPrimitive):
1721         (JSC::JSValue::putToPrimitiveByIndex):
1722         (JSC::JSValue::toStringSlowCase):
1723         * runtime/JSCJSValueInlines.h:
1724         (JSC::toPreferredPrimitiveType):
1725         (JSC::JSValue::getPropertySlot):
1726         (JSC::JSValue::equalSlowCaseInline):
1727         * runtime/JSDataViewPrototype.cpp:
1728         (JSC::getData):
1729         (JSC::setData):
1730         * runtime/JSFunction.cpp:
1731         (JSC::JSFunction::setFunctionName):
1732         * runtime/JSGenericTypedArrayView.h:
1733         (JSC::JSGenericTypedArrayView::setIndex):
1734         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1735         (JSC::constructGenericTypedArrayViewFromIterator):
1736         (JSC::constructGenericTypedArrayViewWithArguments):
1737         (JSC::constructGenericTypedArrayView):
1738         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1739         (JSC::speciesConstruct):
1740         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
1741         (JSC::genericTypedArrayViewProtoFuncIncludes):
1742         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1743         (JSC::genericTypedArrayViewProtoFuncJoin):
1744         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1745         (JSC::genericTypedArrayViewProtoFuncSlice):
1746         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1747         * runtime/JSGlobalObject.h:
1748         (JSC::constructEmptyArray):
1749         (JSC::constructArray):
1750         (JSC::constructArrayNegativeIndexed):
1751         * runtime/JSGlobalObjectFunctions.cpp:
1752         (JSC::globalFuncEval):
1753         * runtime/JSJob.cpp:
1754         (JSC::JSJobMicrotask::run):
1755         * runtime/JSModuleEnvironment.cpp:
1756         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1757         * runtime/JSModuleLoader.cpp:
1758         (JSC::JSModuleLoader::fetch):
1759         * runtime/JSModuleNamespaceObject.cpp:
1760         (JSC::JSModuleNamespaceObject::finishCreation):
1761         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1762         * runtime/JSModuleRecord.cpp:
1763         (JSC::JSModuleRecord::instantiateDeclarations):
1764         * runtime/JSONObject.cpp:
1765         (JSC::Stringifier::Stringifier):
1766         (JSC::Stringifier::stringify):
1767         (JSC::Stringifier::toJSON):
1768         (JSC::Stringifier::appendStringifiedValue):
1769         (JSC::Stringifier::Holder::appendNextProperty):
1770         (JSC::Walker::walk):
1771         (JSC::JSONProtoFuncParse):
1772         * runtime/JSObject.cpp:
1773         (JSC::ordinarySetSlow):
1774         (JSC::JSObject::setPrototypeWithCycleCheck):
1775         (JSC::callToPrimitiveFunction):
1776         (JSC::JSObject::ordinaryToPrimitive):
1777         (JSC::JSObject::defaultHasInstance):
1778         (JSC::JSObject::getPropertyNames):
1779         (JSC::JSObject::toNumber):
1780         (JSC::JSObject::toString):
1781         (JSC::JSObject::defineOwnNonIndexProperty):
1782         (JSC::JSObject::getGenericPropertyNames):
1783         (JSC::JSObject::getMethod):
1784         * runtime/JSObjectInlines.h:
1785         (JSC::createListFromArrayLike):
1786         (JSC::JSObject::getPropertySlot):
1787         (JSC::JSObject::getNonIndexPropertySlot):
1788         * runtime/JSPromiseConstructor.cpp:
1789         (JSC::constructPromise):
1790         * runtime/JSPropertyNameEnumerator.h:
1791         (JSC::propertyNameEnumerator):
1792         * runtime/JSPropertyNameIterator.cpp:
1793         (JSC::JSPropertyNameIterator::create):
1794         * runtime/JSScope.cpp:
1795         (JSC::isUnscopable):
1796         (JSC::JSScope::resolve):
1797         * runtime/JSString.cpp:
1798         (JSC::JSString::equalSlowCase):
1799         * runtime/JSStringJoiner.cpp:
1800         (JSC::JSStringJoiner::join):
1801         * runtime/LiteralParser.cpp:
1802         (JSC::LiteralParser<CharType>::parse):
1803         * runtime/MapConstructor.cpp:
1804         (JSC::constructMap):
1805         * runtime/MathObject.cpp:
1806         (JSC::mathProtoFuncClz32):
1807         (JSC::mathProtoFuncHypot):
1808         (JSC::mathProtoFuncIMul):
1809         * runtime/ModuleLoaderPrototype.cpp:
1810         (JSC::moduleLoaderPrototypeParseModule):
1811         (JSC::moduleLoaderPrototypeRequestedModules):
1812         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1813         * runtime/NativeErrorConstructor.cpp:
1814         (JSC::Interpreter::constructWithNativeErrorConstructor):
1815         * runtime/NumberConstructor.cpp:
1816         (JSC::constructWithNumberConstructor):
1817         * runtime/ObjectConstructor.cpp:
1818         (JSC::constructObject):
1819         (JSC::objectConstructorGetPrototypeOf):
1820         (JSC::objectConstructorSetPrototypeOf):
1821         (JSC::objectConstructorGetOwnPropertyDescriptor):
1822         (JSC::objectConstructorGetOwnPropertyDescriptors):
1823         (JSC::objectConstructorGetOwnPropertyNames):
1824         (JSC::objectConstructorGetOwnPropertySymbols):
1825         (JSC::objectConstructorKeys):
1826         (JSC::ownEnumerablePropertyKeys):
1827         (JSC::toPropertyDescriptor):
1828         (JSC::objectConstructorDefineProperty):
1829         (JSC::defineProperties):
1830         (JSC::objectConstructorSeal):
1831         (JSC::objectConstructorFreeze):
1832         (JSC::objectConstructorIsSealed):
1833         (JSC::objectConstructorIsFrozen):
1834         (JSC::objectConstructorIsExtensible):
1835         (JSC::ownPropertyKeys):
1836         * runtime/ObjectConstructor.h:
1837         (JSC::constructObjectFromPropertyDescriptor):
1838         * runtime/ObjectPrototype.cpp:
1839         (JSC::objectProtoFuncHasOwnProperty):
1840         (JSC::objectProtoFuncIsPrototypeOf):
1841         (JSC::objectProtoFuncDefineGetter):
1842         (JSC::objectProtoFuncDefineSetter):
1843         (JSC::objectProtoFuncLookupGetter):
1844         (JSC::objectProtoFuncLookupSetter):
1845         (JSC::objectProtoFuncPropertyIsEnumerable):
1846         (JSC::objectProtoFuncToLocaleString):
1847         (JSC::objectProtoFuncToString):
1848         * runtime/Operations.cpp:
1849         (JSC::jsAddSlowCase):
1850         * runtime/Options.h:
1851         * runtime/PropertyDescriptor.cpp:
1852         (JSC::PropertyDescriptor::slowGetterSetter):
1853         * runtime/ProxyConstructor.cpp:
1854         (JSC::makeRevocableProxy):
1855         * runtime/ProxyObject.cpp:
1856         (JSC::ProxyObject::toStringName):
1857         (JSC::performProxyGet):
1858         (JSC::ProxyObject::performGet):
1859         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1860         (JSC::ProxyObject::performHasProperty):
1861         (JSC::ProxyObject::performPut):
1862         (JSC::ProxyObject::putByIndexCommon):
1863         (JSC::performProxyCall):
1864         (JSC::performProxyConstruct):
1865         (JSC::ProxyObject::performDelete):
1866         (JSC::ProxyObject::performPreventExtensions):
1867         (JSC::ProxyObject::performIsExtensible):
1868         (JSC::ProxyObject::performDefineOwnProperty):
1869         (JSC::ProxyObject::performGetOwnPropertyNames):
1870         (JSC::ProxyObject::performSetPrototype):
1871         (JSC::ProxyObject::performGetPrototype):
1872         * runtime/ReflectObject.cpp:
1873         (JSC::reflectObjectConstruct):
1874         (JSC::reflectObjectDefineProperty):
1875         (JSC::reflectObjectGet):
1876         (JSC::reflectObjectGetOwnPropertyDescriptor):
1877         (JSC::reflectObjectIsExtensible):
1878         (JSC::reflectObjectPreventExtensions):
1879         (JSC::reflectObjectSet):
1880         (JSC::reflectObjectSetPrototypeOf):
1881         * runtime/RegExpConstructor.cpp:
1882         (JSC::toFlags):
1883         (JSC::regExpCreate):
1884         (JSC::constructRegExp):
1885         * runtime/RegExpConstructor.h:
1886         (JSC::isRegExp):
1887         * runtime/RegExpObject.cpp:
1888         (JSC::collectMatches):
1889         (JSC::RegExpObject::matchGlobal):
1890         * runtime/RegExpPrototype.cpp:
1891         (JSC::regExpProtoFuncCompile):
1892         (JSC::flagsString):
1893         (JSC::regExpProtoFuncToString):
1894         (JSC::regExpProtoGetterFlags):
1895         (JSC::regExpProtoFuncSearchFast):
1896         (JSC::regExpProtoFuncSplitFast):
1897         * runtime/SetConstructor.cpp:
1898         (JSC::constructSet):
1899         * runtime/StringConstructor.cpp:
1900         (JSC::stringFromCodePoint):
1901         (JSC::constructWithStringConstructor):
1902         * runtime/StringObject.cpp:
1903         (JSC::StringObject::defineOwnProperty):
1904         * runtime/StringPrototype.cpp:
1905         (JSC::replaceUsingRegExpSearch):
1906         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1907         (JSC::replaceUsingStringSearch):
1908         (JSC::replace):
1909         (JSC::stringProtoFuncReplaceUsingRegExp):
1910         (JSC::stringProtoFuncReplaceUsingStringSearch):
1911         (JSC::stringProtoFuncCodePointAt):
1912         (JSC::stringProtoFuncSlice):
1913         (JSC::stringProtoFuncSplitFast):
1914         (JSC::stringProtoFuncSubstr):
1915         (JSC::stringProtoFuncSubstring):
1916         (JSC::stringProtoFuncLocaleCompare):
1917         (JSC::toLocaleCase):
1918         (JSC::stringProtoFuncBig):
1919         (JSC::stringProtoFuncSmall):
1920         (JSC::stringProtoFuncBlink):
1921         (JSC::stringProtoFuncBold):
1922         (JSC::stringProtoFuncFixed):
1923         (JSC::stringProtoFuncItalics):
1924         (JSC::stringProtoFuncStrike):
1925         (JSC::stringProtoFuncSub):
1926         (JSC::stringProtoFuncSup):
1927         (JSC::stringProtoFuncFontcolor):
1928         (JSC::stringProtoFuncFontsize):
1929         (JSC::stringProtoFuncAnchor):
1930         (JSC::stringProtoFuncLink):
1931         (JSC::trimString):
1932         (JSC::stringProtoFuncStartsWith):
1933         (JSC::stringProtoFuncEndsWith):
1934         (JSC::stringIncludesImpl):
1935         (JSC::stringProtoFuncIncludes):
1936         (JSC::builtinStringIncludesInternal):
1937         (JSC::stringProtoFuncNormalize):
1938         * runtime/SymbolConstructor.cpp:
1939         (JSC::symbolConstructorFor):
1940         * runtime/TemplateRegistry.cpp:
1941         (JSC::TemplateRegistry::getTemplateObject):
1942         * runtime/ThrowScope.cpp:
1943         (JSC::ThrowScope::ThrowScope):
1944         (JSC::ThrowScope::~ThrowScope):
1945         (JSC::ThrowScope::throwException):
1946         (JSC::ThrowScope::simulateThrow):
1947         (JSC::ThrowScope::printIfNeedCheck): Deleted.
1948         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied): Deleted.
1949         * runtime/ThrowScope.h:
1950         (JSC::ThrowScope::release):
1951         (JSC::ThrowScope::ThrowScope):
1952         (JSC::ThrowScope::throwException):
1953         (JSC::ThrowScope::vm): Deleted.
1954         (JSC::ThrowScope::exception): Deleted.
1955         * runtime/ThrowScopeLocation.h: Removed.
1956         * runtime/VM.cpp:
1957         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1958         * runtime/VM.h:
1959         (JSC::VM::exception):
1960         (JSC::VM::clearException):
1961         (JSC::VM::setException): Deleted.
1962         * runtime/WeakMapConstructor.cpp:
1963         (JSC::constructWeakMap):
1964         * runtime/WeakSetConstructor.cpp:
1965         (JSC::constructWeakSet):
1966         * tools/JSDollarVMPrototype.cpp:
1967         (JSC::functionPrint):
1968
1969 2016-09-07  Andy VanWagoner  <thetalecrafter@gmail.com>
1970
1971         [INTL] some valid language tags cause errors in Intl constructors
1972         https://bugs.webkit.org/show_bug.cgi?id=161672
1973
1974         Reviewed by Mark Lam.
1975
1976         Fix private use tag parsing to match spec, allowing single character parts.
1977         https://www.rfc-editor.org/rfc/bcp/bcp47.txt
1978
1979         ```
1980         privateuse    = "x" 1*("-" (1*8alphanum))
1981         ```
1982
1983         * runtime/IntlObject.cpp:
1984         (JSC::privateUseLangTag): Allow singleton parts in private use tag.
1985
1986 2016-09-07  Benjamin Poulain  <bpoulain@apple.com>
1987
1988         [JSC] Remove a couple of useless forward declaration
1989         https://bugs.webkit.org/show_bug.cgi?id=161676
1990
1991         Reviewed by Mark Lam.
1992
1993         JITMathICForwards.h should take care of declarating the Math ICs.
1994
1995         * bytecode/CodeBlock.h:
1996         * jit/JITOperations.h:
1997
1998 2016-09-07  Filip Pizlo  <fpizlo@apple.com>
1999
2000         Make emitAllocateWithNonNullAllocator's sub32() disallow-scratch-friendly
2001         https://bugs.webkit.org/show_bug.cgi?id=161706
2002
2003         Reviewed by Geoffrey Garen.
2004         
2005         You can't sub32(Addr, Reg) on not-x86 without using a scratch register. So, on those CPUs, we
2006         have to do something different.
2007
2008         * jit/AssemblyHelpers.h:
2009         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2010
2011 2016-09-07  Michael Catanzaro  <mcatanzaro@igalia.com>
2012
2013         Unreviewed CMake build fix after r205552
2014
2015         * CMakeLists.txt:
2016
2017 2016-09-03  Keith Miller  <keith_miller@apple.com>
2018
2019         Add support for WASM Loops and Branches
2020         https://bugs.webkit.org/show_bug.cgi?id=161569
2021
2022         Reviewed by Benjamin Poulain.
2023
2024         This patch adds support for loops and branches to WASM. In order
2025         to support loops, we needed to change the way the B3IRGenerator
2026         tracked control information. Now, the control data holds three
2027         pieces of information: The continuation block, the loop branch
2028         target, and variables exiting the block. Whenever we branch to
2029         some control point we first check if it is a loop by checking that
2030         the loop branch target is non-null. If the branch is not targeting
2031         a loop, we map the stack values to the associated B3 variables for
2032         that stack slot.
2033
2034         Another interesting thing of note is that we now only allocate the
2035         continuation basic block lazily. This is beneficial when the
2036         continuation would just fall through to another block anyway. For
2037         example, in code like: (block ... (block (add 1 2) end) end) the
2038         continuation for the inner block just falls through to the outer
2039         block's continuation so we don't need an extra block.
2040
2041         * B3CallingConventions.cpp:
2042         (JSC::B3::jscCallingConvention): Deleted.
2043         * B3CallingConventions.h:
2044         (JSC::B3::CallingConvention::CallingConvention): Deleted.
2045         (JSC::B3::CallingConvention::iterate): Deleted.
2046         (JSC::B3::nextJSCOffset): Deleted.
2047         * JavaScriptCore.xcodeproj/project.pbxproj:
2048         * b3/B3Type.h:
2049         * testWASM.cpp:
2050         (runWASMTests):
2051         * wasm/WASMB3IRGenerator.cpp:
2052         (JSC::WASM::B3IRGenerator::LazyBlock::LazyBlock):
2053         (JSC::WASM::B3IRGenerator::LazyBlock::operator bool):
2054         (JSC::WASM::B3IRGenerator::LazyBlock::get):
2055         (JSC::WASM::B3IRGenerator::LazyBlock::dump):
2056         (JSC::WASM::B3IRGenerator::ControlData::ControlData):
2057         (JSC::WASM::B3IRGenerator::ControlData::dump):
2058         (JSC::WASM::B3IRGenerator::ControlData::targetBlockForBranch):
2059         (JSC::WASM::B3IRGenerator::ControlData::isLoop):
2060         (JSC::WASM::B3IRGenerator::addLocal):
2061         (JSC::WASM::B3IRGenerator::addArguments):
2062         (JSC::WASM::B3IRGenerator::setLocal):
2063         (JSC::WASM::B3IRGenerator::addBlock):
2064         (JSC::WASM::B3IRGenerator::addLoop):
2065         (JSC::WASM::B3IRGenerator::endBlock):
2066         (JSC::WASM::B3IRGenerator::addReturn):
2067         (JSC::WASM::B3IRGenerator::addBranch):
2068         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
2069         (JSC::WASM::B3IRGenerator::unifyValuesWithBlock):
2070         (JSC::WASM::B3IRGenerator::controlDataForLevel):
2071         (JSC::WASM::B3IRGenerator::dumpGraphAndControlStack):
2072         (JSC::WASM::parseAndCompile):
2073         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel): Deleted.
2074         (JSC::WASM::B3IRGenerator::stackForControlLevel): Deleted.
2075         (JSC::WASM::B3IRGenerator::blockForControlLevel): Deleted.
2076         * wasm/WASMCallingConvention.cpp: Renamed from Source/JavaScriptCore/B3CallingConventions.cpp.
2077         (JSC::WASM::jscCallingConvention):
2078         * wasm/WASMCallingConvention.h: Renamed from Source/JavaScriptCore/B3CallingConventions.h.
2079         (JSC::WASM::CallingConvention::CallingConvention):
2080         (JSC::WASM::CallingConvention::iterate):
2081         (JSC::WASM::nextJSCOffset):
2082         * wasm/WASMFormat.h:
2083         (JSC::WASM::toB3Type):
2084         (JSC::WASM::isValueType):
2085         * wasm/WASMFunctionParser.h:
2086         (JSC::WASM::FunctionParser<Context>::parse):
2087         (JSC::WASM::FunctionParser<Context>::parseExpression):
2088         * wasm/WASMModuleParser.cpp:
2089         (JSC::WASM::ModuleParser::parseFunctionTypes):
2090         * wasm/WASMOps.h:
2091
2092 2016-09-07  Youenn Fablet  <youenn@apple.com>
2093
2094         [Streams API] Separate compile flag for ReadableStream and WritableStream
2095         https://bugs.webkit.org/show_bug.cgi?id=161044
2096
2097         Reviewed by Alex Christensen.
2098
2099         Moving from STREAMS_API to READABLE_STREAM_API and WRITABLE_STREAM_API compilation flags.
2100         Updated builtin test to cover the case of @conditional taking ENABLE(XX) || ENABLE(YY) flag.
2101
2102         * Configurations/FeatureDefines.xcconfig:
2103         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js:
2104         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2105         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2106
2107 2016-09-07  Csaba Osztrogon√°c  <ossy@webkit.org>
2108
2109         Fix the ENABLE(WEBASSEMBLY) build on Linux
2110         https://bugs.webkit.org/show_bug.cgi?id=161685
2111
2112         Unreviewed buildfix.
2113
2114         * wasm/JSWASMModule.cpp:
2115
2116 2016-09-06  Saam Barati  <sbarati@apple.com>
2117
2118         ProxyObject's structure should not have ObjectPrototype as its prototype and it should not have special behavior for intercepting "__proto__"
2119         https://bugs.webkit.org/show_bug.cgi?id=161558
2120
2121         Reviewed by Benjamin Poulain.
2122
2123         ProxyObject had ObjectPrototype as its direct prototype.
2124         This could lead to infinite loops when doing a getDirectPrototype()
2125         loop.
2126
2127         Fixing this bug revealed another bug, which I made when implementing Proxy.
2128         We should not special case "__proto__" in get and set for Proxy Object's
2129         hooks. "__proto__" should just go through the normal set and get path.
2130
2131         * runtime/JSGlobalObject.cpp:
2132         (JSC::JSGlobalObject::init):
2133         * runtime/ProxyObject.cpp:
2134         (JSC::performProxyGet):
2135         (JSC::ProxyObject::put):
2136
2137 2016-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2138
2139         Make JSC::PrivateName copyable
2140         https://bugs.webkit.org/show_bug.cgi?id=161666
2141
2142         Reviewed by Ryosuke Niwa.
2143
2144         Define the custom copy constructor to make PrivateName copyable while using Ref<SymbolImpl>.
2145         And since the custom copy constructor deletes the default move constructor, we explcitly define
2146         it by `= default;`.
2147
2148         * runtime/PrivateName.h:
2149         (JSC::PrivateName::PrivateName):
2150
2151 2016-09-06  Daniel Bates  <dabates@apple.com>
2152
2153         [iOS] Build fails in JSCLLIntOffsetsExtractor - Ad Hoc code signing is not allowed with SDK 'Simulator - iOS 10.0'
2154         https://bugs.webkit.org/show_bug.cgi?id=161296
2155
2156         Reviewed by Dan Bernstein.
2157
2158         Allow ad-hoc code signing when building JavaScriptCore command line tools for simulator
2159         with the iOS 10 beta SDK.
2160
2161         * Configurations/Base.xcconfig:
2162
2163 2016-09-06  Saam Barati  <sbarati@apple.com>
2164
2165         Unreviewed build fix for 32-bit platforms after r205520.
2166
2167         * dfg/DFGSpeculativeJIT.h:
2168         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
2169
2170 2016-09-06  Saam Barati  <sbarati@apple.com>
2171
2172         Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
2173         https://bugs.webkit.org/show_bug.cgi?id=160870
2174
2175         Reviewed by Darin Adler.
2176
2177         Credit goes to Jonathan Bedard for finding this bug using the undefined
2178         behavior sanitizer.
2179
2180         The rule for MaterializeNewObject inside AI was assuming that the graph
2181         is in SSA form. This used to be true when MaterializeNewObject was only
2182         inserted by the allocation sinking phase. However, Filip added more uses
2183         of MaterializeNewObject in his RegExp constant folding patch. This fixes
2184         the bug by using the structure set inside the Node's OpInfo rather than
2185         generating it from m_phiChildren inside AI.
2186
2187         * dfg/DFGAbstractInterpreterInlines.h:
2188         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2189
2190 2016-09-06  Saam Barati  <sbarati@apple.com>
2191
2192         Make JSMap and JSSet faster
2193         https://bugs.webkit.org/show_bug.cgi?id=160989
2194
2195         Reviewed by Filip Pizlo.
2196
2197         This patch revamps how we implement Map and Set. It uses
2198         a new hash map implementation. The hash map uses linear
2199         probing and it uses Wang's 64 bit hash function for JSValues
2200         that aren't strings. Strings use StringImpl's hash function.
2201         The reason I wanted to roll our own HashTable is twofold:
2202         I didn't want to inline WTF::HashMap's implementation into our
2203         JIT, since that seems error prone and unmaintainable. Also, I wanted
2204         a different structure for hash map buckets where buckets also exist in
2205         a linked list.
2206
2207         The reason for making buckets part of a linked list is that iteration
2208         is now simple. Iteration works by just traversing a linked list.
2209         This design also allows for a simple implementation when doing iteration
2210         while the hash table is mutating. Whenever we remove a bucket from
2211         the hash table, it is removed from the list, meaning items in the
2212         list don't point to it. However, the removed bucket will still point
2213         to things that are either in the list, or have also been removed.
2214         e.g, from a removed bucket, you can always follow pointers until you
2215         either find an item in the list, or you find the tail of the list.
2216         This is a really nice property because it means that a Map or Set
2217         does not need to reason about the all the iterators that point
2218         into its list. Also, whenever we add items to the Map or Set, we
2219         hijack the tail as the new item, and make the new item point to a newly
2220         created tail. This means that any iterator that pointed to the "tail" now
2221         points to non-tail items. This makes the implementation of adding things
2222         to the Map/Set while iterating easy.
2223
2224         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
2225         into intrinsics in the DFG. The IR can now reason about hash map
2226         operations and can even do CSE over Wang's hash function, hash map
2227         bucket lookups, hash map bucket loads, and testing if a key is in
2228         the hash table. This makes code patterns for Map like so, super fast
2229         in the FTL, since we will only be doing a single hash and hash bucket lookup:
2230
2231         ```
2232         function getKeyIfPresent(map, key) {
2233             if (map.has(key))
2234                 return map.get(key);
2235         }
2236         ```
2237
2238         This patch is roughly an 8% speedup on ES6SampleBench.
2239
2240
2241         * CMakeLists.txt:
2242         * JavaScriptCore.xcodeproj/project.pbxproj:
2243         * assembler/MacroAssemblerARM64.h:
2244         (JSC::MacroAssemblerARM64::not64):
2245         * bytecode/SpeculatedType.cpp:
2246         (JSC::speculationFromClassInfo):
2247         * bytecode/SpeculatedType.h:
2248         * dfg/DFGAbstractInterpreterInlines.h:
2249         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2250         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
2251         * dfg/DFGByteCodeParser.cpp:
2252         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2253         * dfg/DFGClobberize.h:
2254         (JSC::DFG::clobberize):
2255         * dfg/DFGDoesGC.cpp:
2256         (JSC::DFG::doesGC):
2257         * dfg/DFGEdge.h:
2258         (JSC::DFG::Edge::shift):
2259         (JSC::DFG::Edge::makeWord):
2260         * dfg/DFGFixupPhase.cpp:
2261         (JSC::DFG::FixupPhase::fixupNode):
2262         * dfg/DFGHeapLocation.cpp:
2263         (WTF::printInternal):
2264         * dfg/DFGHeapLocation.h:
2265         * dfg/DFGNode.h:
2266         (JSC::DFG::Node::hasHeapPrediction):
2267         * dfg/DFGNodeType.h:
2268         * dfg/DFGOperations.cpp:
2269         * dfg/DFGOperations.h:
2270         * dfg/DFGPredictionPropagationPhase.cpp:
2271         * dfg/DFGSafeToExecute.h:
2272         (JSC::DFG::SafeToExecuteEdge::operator()):
2273         (JSC::DFG::safeToExecute):
2274         * dfg/DFGSpeculativeJIT.cpp:
2275         (JSC::DFG::SpeculativeJIT::speculateMapObject):
2276         (JSC::DFG::SpeculativeJIT::speculateSetObject):
2277         (JSC::DFG::SpeculativeJIT::speculate):
2278         * dfg/DFGSpeculativeJIT.h:
2279         (JSC::DFG::SpeculativeJIT::callOperation):
2280         * dfg/DFGSpeculativeJIT32_64.cpp:
2281         (JSC::DFG::SpeculativeJIT::compile):
2282         * dfg/DFGSpeculativeJIT64.cpp:
2283         (JSC::DFG::SpeculativeJIT::compile):
2284         * dfg/DFGUseKind.cpp:
2285         (WTF::printInternal):
2286         * dfg/DFGUseKind.h:
2287         (JSC::DFG::typeFilterFor):
2288         (JSC::DFG::isCell):
2289         * ftl/FTLAbstractHeapRepository.h:
2290         * ftl/FTLCapabilities.cpp:
2291         (JSC::FTL::canCompile):
2292         * ftl/FTLLowerDFGToB3.cpp:
2293         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2294         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
2295         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2296         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
2297         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
2298         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
2299         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
2300         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
2301         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2302         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
2303         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
2304         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
2305         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
2306         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
2307         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
2308         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
2309         * jit/AssemblyHelpers.cpp:
2310         (JSC::AssemblyHelpers::wangsInt64Hash):
2311         * jit/AssemblyHelpers.h:
2312         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
2313         * jit/JITOperations.h:
2314         * parser/ModuleAnalyzer.cpp:
2315         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2316         * runtime/HashMapImpl.cpp: Added.
2317         (JSC::HashMapBucket<Data>::visitChildren):
2318         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2319         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
2320         * runtime/HashMapImpl.h: Added.
2321         (JSC::HashMapBucket::selectStructure):
2322         (JSC::HashMapBucket::createStructure):
2323         (JSC::HashMapBucket::create):
2324         (JSC::HashMapBucket::HashMapBucket):
2325         (JSC::HashMapBucket::setNext):
2326         (JSC::HashMapBucket::setPrev):
2327         (JSC::HashMapBucket::setKey):
2328         (JSC::HashMapBucket::setValue):
2329         (JSC::HashMapBucket::key):
2330         (JSC::HashMapBucket::value):
2331         (JSC::HashMapBucket::next):
2332         (JSC::HashMapBucket::prev):
2333         (JSC::HashMapBucket::deleted):
2334         (JSC::HashMapBucket::setDeleted):
2335         (JSC::HashMapBucket::offsetOfKey):
2336         (JSC::HashMapBucket::offsetOfValue):
2337         (JSC::HashMapBuffer::allocationSize):
2338         (JSC::HashMapBuffer::buffer):
2339         (JSC::HashMapBuffer::create):
2340         (JSC::areKeysEqual):
2341         (JSC::normalizeMapKey):
2342         (JSC::jsMapHash):
2343         (JSC::HashMapImpl::selectStructure):
2344         (JSC::HashMapImpl::createStructure):
2345         (JSC::HashMapImpl::create):
2346         (JSC::HashMapImpl::HashMapImpl):
2347         (JSC::HashMapImpl::buffer):
2348         (JSC::HashMapImpl::finishCreation):
2349         (JSC::HashMapImpl::emptyValue):
2350         (JSC::HashMapImpl::isEmpty):
2351         (JSC::HashMapImpl::deletedValue):
2352         (JSC::HashMapImpl::isDeleted):
2353         (JSC::HashMapImpl::findBucket):
2354         (JSC::HashMapImpl::get):
2355         (JSC::HashMapImpl::has):
2356         (JSC::HashMapImpl::add):
2357         (JSC::HashMapImpl::remove):
2358         (JSC::HashMapImpl::size):
2359         (JSC::HashMapImpl::clear):
2360         (JSC::HashMapImpl::bufferSizeInBytes):
2361         (JSC::HashMapImpl::offsetOfBuffer):
2362         (JSC::HashMapImpl::offsetOfCapacity):
2363         (JSC::HashMapImpl::head):
2364         (JSC::HashMapImpl::tail):
2365         (JSC::HashMapImpl::approximateSize):
2366         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
2367         (JSC::HashMapImpl::rehash):
2368         (JSC::HashMapImpl::makeAndSetNewBuffer):
2369         * runtime/Intrinsic.h:
2370         * runtime/JSCJSValue.h:
2371         * runtime/JSCJSValueInlines.h:
2372         (JSC::sameValue):
2373         * runtime/JSGlobalObject.cpp:
2374         (JSC::JSGlobalObject::init):
2375         * runtime/JSMap.cpp:
2376         (JSC::JSMap::destroy): Deleted.
2377         (JSC::JSMap::estimatedSize): Deleted.
2378         (JSC::JSMap::visitChildren): Deleted.
2379         (JSC::JSMap::copyBackingStore): Deleted.
2380         (JSC::JSMap::has): Deleted.
2381         (JSC::JSMap::size): Deleted.
2382         (JSC::JSMap::get): Deleted.
2383         (JSC::JSMap::set): Deleted.
2384         (JSC::JSMap::clear): Deleted.
2385         (JSC::JSMap::remove): Deleted.
2386         * runtime/JSMap.h:
2387         (JSC::JSMap::createStructure):
2388         (JSC::JSMap::create):
2389         (JSC::JSMap::get):
2390         (JSC::JSMap::set):
2391         (JSC::JSMap::JSMap):
2392         (JSC::JSMap::Entry::key): Deleted.
2393         (JSC::JSMap::Entry::value): Deleted.
2394         (JSC::JSMap::Entry::visitChildren): Deleted.
2395         (JSC::JSMap::Entry::setKey): Deleted.
2396         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
2397         (JSC::JSMap::Entry::setValue): Deleted.
2398         (JSC::JSMap::Entry::clear): Deleted.
2399         * runtime/JSMapIterator.cpp:
2400         (JSC::JSMapIterator::finishCreation):
2401         (JSC::JSMapIterator::visitChildren):
2402         (JSC::JSMapIterator::clone):
2403         * runtime/JSMapIterator.h:
2404         (JSC::JSMapIterator::advanceIter):
2405         (JSC::JSMapIterator::next):
2406         (JSC::JSMapIterator::nextKeyValue):
2407         (JSC::JSMapIterator::JSMapIterator):
2408         (JSC::JSMapIterator::setIterator):
2409         (JSC::JSMapIterator::finish): Deleted.
2410         (JSC::JSMapIterator::iteratorData): Deleted.
2411         * runtime/JSModuleLoader.cpp:
2412         (JSC::JSModuleLoader::finishCreation):
2413         * runtime/JSModuleLoader.h:
2414         (JSC::JSModuleLoader::create):
2415         * runtime/JSModuleRecord.cpp:
2416         (JSC::JSModuleRecord::finishCreation):
2417         * runtime/JSModuleRecord.h:
2418         (JSC::JSModuleRecord::create):
2419         * runtime/JSSet.cpp:
2420         (JSC::JSSet::destroy): Deleted.
2421         (JSC::JSSet::estimatedSize): Deleted.
2422         (JSC::JSSet::visitChildren): Deleted.
2423         (JSC::JSSet::copyBackingStore): Deleted.
2424         (JSC::JSSet::has): Deleted.
2425         (JSC::JSSet::size): Deleted.
2426         (JSC::JSSet::add): Deleted.
2427         (JSC::JSSet::clear): Deleted.
2428         (JSC::JSSet::remove): Deleted.
2429         * runtime/JSSet.h:
2430         (JSC::JSSet::createStructure):
2431         (JSC::JSSet::create):
2432         (JSC::JSSet::add):
2433         (JSC::JSSet::JSSet):
2434         (JSC::JSSet::Entry::key): Deleted.
2435         (JSC::JSSet::Entry::value): Deleted.
2436         (JSC::JSSet::Entry::visitChildren): Deleted.
2437         (JSC::JSSet::Entry::setKey): Deleted.
2438         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
2439         (JSC::JSSet::Entry::setValue): Deleted.
2440         (JSC::JSSet::Entry::clear): Deleted.
2441         * runtime/JSSetIterator.cpp:
2442         (JSC::JSSetIterator::finishCreation):
2443         (JSC::JSSetIterator::visitChildren):
2444         (JSC::JSSetIterator::clone):
2445         * runtime/JSSetIterator.h:
2446         (JSC::JSSetIterator::advanceIter):
2447         (JSC::JSSetIterator::next):
2448         (JSC::JSSetIterator::JSSetIterator):
2449         (JSC::JSSetIterator::setIterator):
2450         (JSC::JSSetIterator::finish): Deleted.
2451         (JSC::JSSetIterator::iteratorData): Deleted.
2452         * runtime/JSType.h:
2453         * runtime/MapBase.cpp: Added.
2454         (JSC::MapBase<HashMapBucketType>::visitChildren):
2455         (JSC::MapBase<HashMapBucketType>::estimatedSize):
2456         * runtime/MapBase.h: Added.
2457         (JSC::MapBase::size):
2458         (JSC::MapBase::has):
2459         (JSC::MapBase::clear):
2460         (JSC::MapBase::remove):
2461         (JSC::MapBase::findBucket):
2462         (JSC::MapBase::offsetOfHashMapImpl):
2463         (JSC::MapBase::impl):
2464         (JSC::MapBase::finishCreation):
2465         (JSC::MapBase::MapBase):
2466         * runtime/MapConstructor.cpp:
2467         (JSC::constructMap):
2468         * runtime/MapIteratorPrototype.cpp:
2469         (JSC::MapIteratorPrototypeFuncNext):
2470         * runtime/MapPrototype.cpp:
2471         (JSC::MapPrototype::finishCreation):
2472         (JSC::getMap):
2473         (JSC::privateFuncIsMap):
2474         (JSC::privateFuncMapIteratorNext):
2475         * runtime/PropertyDescriptor.cpp:
2476         (JSC::sameValue): Deleted.
2477         * runtime/PropertyDescriptor.h:
2478         * runtime/SetConstructor.cpp:
2479         (JSC::constructSet):
2480         * runtime/SetIteratorPrototype.cpp:
2481         (JSC::SetIteratorPrototypeFuncNext):
2482         * runtime/SetPrototype.cpp:
2483         (JSC::SetPrototype::finishCreation):
2484         (JSC::getSet):
2485         (JSC::privateFuncSetIteratorNext):
2486         * runtime/VM.cpp:
2487         (JSC::VM::VM):
2488         * runtime/VM.h:
2489
2490 2016-09-06  Benjamin Poulain  <bpoulain@apple.com>
2491
2492         [JSC] Make ArithClz32 work with Cell arguments
2493         https://bugs.webkit.org/show_bug.cgi?id=161369
2494
2495         Reviewed by Geoffrey Garen.
2496
2497         ArithClz32 was already working with all primitive types
2498         thanks to the magic of ValueToInt32.
2499         This patch adds support for cell arguments through a function
2500         call.
2501
2502         * dfg/DFGAbstractInterpreterInlines.h:
2503         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2504         * dfg/DFGClobberize.h:
2505         (JSC::DFG::clobberize):
2506         * dfg/DFGFixupPhase.cpp:
2507         (JSC::DFG::FixupPhase::fixupNode):
2508         * dfg/DFGNodeType.h:
2509         * dfg/DFGOperations.cpp:
2510         * dfg/DFGOperations.h:
2511         * dfg/DFGSpeculativeJIT.cpp:
2512         (JSC::DFG::SpeculativeJIT::compileArithClz32):
2513         * dfg/DFGSpeculativeJIT.h:
2514         (JSC::DFG::SpeculativeJIT::callOperation):
2515         * ftl/FTLLowerDFGToB3.cpp:
2516         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
2517
2518 2016-09-06  Mark Lam  <mark.lam@apple.com>
2519
2520         Gardening: change to use old header guard to appease Win EWS.
2521
2522         Not reviewed.
2523
2524         * runtime/AuxiliaryBarrier.h:
2525
2526 2016-09-06  Commit Queue  <commit-queue@webkit.org>
2527
2528         Unreviewed, rolling out r205494.
2529         https://bugs.webkit.org/show_bug.cgi?id=161646
2530
2531         This change broke the Windows build (Requested by ryanhaddad
2532         on #webkit).
2533
2534         Reverted changeset:
2535
2536         "Typed arrays should use MarkedSpace instead of CopiedSpace"
2537         https://bugs.webkit.org/show_bug.cgi?id=161100
2538         http://trac.webkit.org/changeset/205494
2539
2540 2016-09-06  Commit Queue  <commit-queue@webkit.org>
2541
2542         Unreviewed, rolling out r205504.
2543         https://bugs.webkit.org/show_bug.cgi?id=161645
2544
2545         Broke the iOS device build (Requested by ryanhaddad on
2546         #webkit).
2547
2548         Reverted changeset:
2549
2550         "Make JSMap and JSSet faster"
2551         https://bugs.webkit.org/show_bug.cgi?id=160989
2552         http://trac.webkit.org/changeset/205504
2553
2554 2016-09-06  Saam Barati  <sbarati@apple.com>
2555
2556         Make JSMap and JSSet faster
2557         https://bugs.webkit.org/show_bug.cgi?id=160989
2558
2559         Reviewed by Filip Pizlo.
2560
2561         This patch revamps how we implement Map and Set. It uses
2562         a new hash map implementation. The hash map uses linear
2563         probing and it uses Wang's 64 bit hash function for JSValues
2564         that aren't strings. Strings use StringImpl's hash function.
2565         The reason I wanted to roll our own HashTable is twofold:
2566         I didn't want to inline WTF::HashMap's implementation into our
2567         JIT, since that seems error prone and unmaintainable. Also, I wanted
2568         a different structure for hash map buckets where buckets also exist in
2569         a linked list.
2570
2571         The reason for making buckets part of a linked list is that iteration
2572         is now simple. Iteration works by just traversing a linked list.
2573         This design also allows for a simple implementation when doing iteration
2574         while the hash table is mutating. Whenever we remove a bucket from
2575         the hash table, it is removed from the list, meaning items in the
2576         list don't point to it. However, the removed bucket will still point
2577         to things that are either in the list, or have also been removed.
2578         e.g, from a removed bucket, you can always follow pointers until you
2579         either find an item in the list, or you find the tail of the list.
2580         This is a really nice property because it means that a Map or Set
2581         does not need to reason about the all the iterators that point
2582         into its list. Also, whenever we add items to the Map or Set, we
2583         hijack the tail as the new item, and make the new item point to a newly
2584         created tail. This means that any iterator that pointed to the "tail" now
2585         points to non-tail items. This makes the implementation of adding things
2586         to the Map/Set while iterating easy.
2587
2588         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
2589         into intrinsics in the DFG. The IR can now reason about hash map
2590         operations and can even do CSE over Wang's hash function, hash map
2591         bucket lookups, hash map bucket loads, and testing if a key is in
2592         the hash table. This makes code patterns for Map like so, super fast
2593         in the FTL, since we will only be doing a single hash and hash bucket lookup:
2594
2595         ```
2596         function getKeyIfPresent(map, key) {
2597             if (map.has(key))
2598                 return map.get(key);
2599         }
2600         ```
2601
2602         This patch is roughly an 8% speedup on ES6SampleBench.
2603
2604         * CMakeLists.txt:
2605         * JavaScriptCore.xcodeproj/project.pbxproj:
2606         * bytecode/SpeculatedType.cpp:
2607         (JSC::speculationFromClassInfo):
2608         * bytecode/SpeculatedType.h:
2609         * dfg/DFGAbstractInterpreterInlines.h:
2610         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2611         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
2612         * dfg/DFGByteCodeParser.cpp:
2613         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2614         * dfg/DFGClobberize.h:
2615         (JSC::DFG::clobberize):
2616         * dfg/DFGDoesGC.cpp:
2617         (JSC::DFG::doesGC):
2618         * dfg/DFGEdge.h:
2619         (JSC::DFG::Edge::shift):
2620         (JSC::DFG::Edge::makeWord):
2621         * dfg/DFGFixupPhase.cpp:
2622         (JSC::DFG::FixupPhase::fixupNode):
2623         * dfg/DFGHeapLocation.cpp:
2624         (WTF::printInternal):
2625         * dfg/DFGHeapLocation.h:
2626         * dfg/DFGNode.h:
2627         (JSC::DFG::Node::hasHeapPrediction):
2628         * dfg/DFGNodeType.h:
2629         * dfg/DFGOperations.cpp:
2630         * dfg/DFGOperations.h:
2631         * dfg/DFGPredictionPropagationPhase.cpp:
2632         * dfg/DFGSafeToExecute.h:
2633         (JSC::DFG::SafeToExecuteEdge::operator()):
2634         (JSC::DFG::safeToExecute):
2635         * dfg/DFGSpeculativeJIT.cpp:
2636         (JSC::DFG::SpeculativeJIT::speculateMapObject):
2637         (JSC::DFG::SpeculativeJIT::speculateSetObject):
2638         (JSC::DFG::SpeculativeJIT::speculate):
2639         * dfg/DFGSpeculativeJIT.h:
2640         (JSC::DFG::SpeculativeJIT::callOperation):
2641         * dfg/DFGSpeculativeJIT32_64.cpp:
2642         (JSC::DFG::SpeculativeJIT::compile):
2643         * dfg/DFGSpeculativeJIT64.cpp:
2644         (JSC::DFG::SpeculativeJIT::compile):
2645         * dfg/DFGUseKind.cpp:
2646         (WTF::printInternal):
2647         * dfg/DFGUseKind.h:
2648         (JSC::DFG::typeFilterFor):
2649         (JSC::DFG::isCell):
2650         * ftl/FTLAbstractHeapRepository.h:
2651         * ftl/FTLCapabilities.cpp:
2652         (JSC::FTL::canCompile):
2653         * ftl/FTLLowerDFGToB3.cpp:
2654         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2655         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
2656         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2657         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
2658         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
2659         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
2660         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
2661         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
2662         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2663         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
2664         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
2665         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
2666         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
2667         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
2668         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
2669         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
2670         * jit/AssemblyHelpers.cpp:
2671         (JSC::AssemblyHelpers::wangsInt64Hash):
2672         * jit/AssemblyHelpers.h:
2673         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
2674         * jit/JITOperations.h:
2675         * parser/ModuleAnalyzer.cpp:
2676         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2677         * runtime/HashMapImpl.cpp: Added.
2678         (JSC::HashMapBucket<Data>::visitChildren):
2679         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2680         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
2681         * runtime/HashMapImpl.h: Added.
2682         (JSC::HashMapBucket::selectStructure):
2683         (JSC::HashMapBucket::createStructure):
2684         (JSC::HashMapBucket::create):
2685         (JSC::HashMapBucket::HashMapBucket):
2686         (JSC::HashMapBucket::setNext):
2687         (JSC::HashMapBucket::setPrev):
2688         (JSC::HashMapBucket::setKey):
2689         (JSC::HashMapBucket::setValue):
2690         (JSC::HashMapBucket::key):
2691         (JSC::HashMapBucket::value):
2692         (JSC::HashMapBucket::next):
2693         (JSC::HashMapBucket::prev):
2694         (JSC::HashMapBucket::deleted):
2695         (JSC::HashMapBucket::setDeleted):
2696         (JSC::HashMapBucket::offsetOfKey):
2697         (JSC::HashMapBucket::offsetOfValue):
2698         (JSC::HashMapBuffer::allocationSize):
2699         (JSC::HashMapBuffer::buffer):
2700         (JSC::HashMapBuffer::create):
2701         (JSC::areKeysEqual):
2702         (JSC::normalizeMapKey):
2703         (JSC::jsMapHash):
2704         (JSC::HashMapImpl::selectStructure):
2705         (JSC::HashMapImpl::createStructure):
2706         (JSC::HashMapImpl::create):
2707         (JSC::HashMapImpl::HashMapImpl):
2708         (JSC::HashMapImpl::buffer):
2709         (JSC::HashMapImpl::finishCreation):
2710         (JSC::HashMapImpl::emptyValue):
2711         (JSC::HashMapImpl::isEmpty):
2712         (JSC::HashMapImpl::deletedValue):
2713         (JSC::HashMapImpl::isDeleted):
2714         (JSC::HashMapImpl::findBucket):
2715         (JSC::HashMapImpl::get):
2716         (JSC::HashMapImpl::has):
2717         (JSC::HashMapImpl::add):
2718         (JSC::HashMapImpl::remove):
2719         (JSC::HashMapImpl::size):
2720         (JSC::HashMapImpl::clear):
2721         (JSC::HashMapImpl::bufferSizeInBytes):
2722         (JSC::HashMapImpl::offsetOfBuffer):
2723         (JSC::HashMapImpl::offsetOfCapacity):
2724         (JSC::HashMapImpl::head):
2725         (JSC::HashMapImpl::tail):
2726         (JSC::HashMapImpl::approximateSize):
2727         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
2728         (JSC::HashMapImpl::rehash):
2729         (JSC::HashMapImpl::makeAndSetNewBuffer):
2730         * runtime/Intrinsic.h:
2731         * runtime/JSCJSValue.h:
2732         * runtime/JSCJSValueInlines.h:
2733         (JSC::sameValue):
2734         * runtime/JSGlobalObject.cpp:
2735         (JSC::JSGlobalObject::init):
2736         * runtime/JSMap.cpp:
2737         (JSC::JSMap::destroy): Deleted.
2738         (JSC::JSMap::estimatedSize): Deleted.
2739         (JSC::JSMap::visitChildren): Deleted.
2740         (JSC::JSMap::copyBackingStore): Deleted.
2741         (JSC::JSMap::has): Deleted.
2742         (JSC::JSMap::size): Deleted.
2743         (JSC::JSMap::get): Deleted.
2744         (JSC::JSMap::set): Deleted.
2745         (JSC::JSMap::clear): Deleted.
2746         (JSC::JSMap::remove): Deleted.
2747         * runtime/JSMap.h:
2748         (JSC::JSMap::createStructure):
2749         (JSC::JSMap::create):
2750         (JSC::JSMap::get):
2751         (JSC::JSMap::set):
2752         (JSC::JSMap::JSMap):
2753         (JSC::JSMap::Entry::key): Deleted.
2754         (JSC::JSMap::Entry::value): Deleted.
2755         (JSC::JSMap::Entry::visitChildren): Deleted.
2756         (JSC::JSMap::Entry::setKey): Deleted.
2757         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
2758         (JSC::JSMap::Entry::setValue): Deleted.
2759         (JSC::JSMap::Entry::clear): Deleted.
2760         * runtime/JSMapIterator.cpp:
2761         (JSC::JSMapIterator::finishCreation):
2762         (JSC::JSMapIterator::visitChildren):
2763         (JSC::JSMapIterator::clone):
2764         * runtime/JSMapIterator.h:
2765         (JSC::JSMapIterator::advanceIter):
2766         (JSC::JSMapIterator::next):
2767         (JSC::JSMapIterator::nextKeyValue):
2768         (JSC::JSMapIterator::JSMapIterator):
2769         (JSC::JSMapIterator::setIterator):
2770         (JSC::JSMapIterator::finish): Deleted.
2771         (JSC::JSMapIterator::iteratorData): Deleted.
2772         * runtime/JSModuleLoader.cpp:
2773         (JSC::JSModuleLoader::finishCreation):
2774         * runtime/JSModuleLoader.h:
2775         (JSC::JSModuleLoader::create):
2776         * runtime/JSModuleRecord.cpp:
2777         (JSC::JSModuleRecord::finishCreation):
2778         * runtime/JSModuleRecord.h:
2779         (JSC::JSModuleRecord::create):
2780         * runtime/JSSet.cpp:
2781         (JSC::JSSet::destroy): Deleted.
2782         (JSC::JSSet::estimatedSize): Deleted.
2783         (JSC::JSSet::visitChildren): Deleted.
2784         (JSC::JSSet::copyBackingStore): Deleted.
2785         (JSC::JSSet::has): Deleted.
2786         (JSC::JSSet::size): Deleted.
2787         (JSC::JSSet::add): Deleted.
2788         (JSC::JSSet::clear): Deleted.
2789         (JSC::JSSet::remove): Deleted.
2790         * runtime/JSSet.h:
2791         (JSC::JSSet::createStructure):
2792         (JSC::JSSet::create):
2793         (JSC::JSSet::add):
2794         (JSC::JSSet::JSSet):
2795         (JSC::JSSet::Entry::key): Deleted.
2796         (JSC::JSSet::Entry::value): Deleted.
2797         (JSC::JSSet::Entry::visitChildren): Deleted.
2798         (JSC::JSSet::Entry::setKey): Deleted.
2799         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
2800         (JSC::JSSet::Entry::setValue): Deleted.
2801         (JSC::JSSet::Entry::clear): Deleted.
2802         * runtime/JSSetIterator.cpp:
2803         (JSC::JSSetIterator::finishCreation):
2804         (JSC::JSSetIterator::visitChildren):
2805         (JSC::JSSetIterator::clone):
2806         * runtime/JSSetIterator.h:
2807         (JSC::JSSetIterator::advanceIter):
2808         (JSC::JSSetIterator::next):
2809         (JSC::JSSetIterator::JSSetIterator):
2810         (JSC::JSSetIterator::setIterator):
2811         (JSC::JSSetIterator::finish): Deleted.
2812         (JSC::JSSetIterator::iteratorData): Deleted.
2813         * runtime/JSType.h:
2814         * runtime/MapBase.cpp: Added.
2815         (JSC::MapBase<HashMapBucketType>::visitChildren):
2816         (JSC::MapBase<HashMapBucketType>::estimatedSize):
2817         * runtime/MapBase.h: Added.
2818         (JSC::MapBase::size):
2819         (JSC::MapBase::has):
2820         (JSC::MapBase::clear):
2821         (JSC::MapBase::remove):
2822         (JSC::MapBase::findBucket):
2823         (JSC::MapBase::offsetOfHashMapImpl):
2824         (JSC::MapBase::impl):
2825         (JSC::MapBase::finishCreation):
2826         (JSC::MapBase::MapBase):
2827         * runtime/MapConstructor.cpp:
2828         (JSC::constructMap):
2829         * runtime/MapIteratorPrototype.cpp:
2830         (JSC::MapIteratorPrototypeFuncNext):
2831         * runtime/MapPrototype.cpp:
2832         (JSC::MapPrototype::finishCreation):
2833         (JSC::getMap):
2834         (JSC::privateFuncIsMap):
2835         (JSC::privateFuncMapIteratorNext):
2836         * runtime/PropertyDescriptor.cpp:
2837         (JSC::sameValue): Deleted.
2838         * runtime/PropertyDescriptor.h:
2839         * runtime/SetConstructor.cpp:
2840         (JSC::constructSet):
2841         * runtime/SetIteratorPrototype.cpp:
2842         (JSC::SetIteratorPrototypeFuncNext):
2843         * runtime/SetPrototype.cpp:
2844         (JSC::SetPrototype::finishCreation):
2845         (JSC::getSet):
2846         (JSC::privateFuncSetIteratorNext):
2847         * runtime/VM.cpp:
2848         (JSC::VM::VM):
2849         * runtime/VM.h:
2850
2851 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
2852
2853         Typed arrays should use MarkedSpace instead of CopiedSpace
2854         https://bugs.webkit.org/show_bug.cgi?id=161100
2855
2856         Reviewed by Geoffrey Garen.
2857         
2858         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
2859         
2860         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
2861         everything that typed arrays want.
2862
2863         * dfg/DFGOperations.cpp:
2864         (JSC::DFG::newTypedArrayWithSize):
2865         * dfg/DFGOperations.h:
2866         (JSC::DFG::operationNewTypedArrayWithSizeForType):
2867         * dfg/DFGSpeculativeJIT.cpp:
2868         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2869         * dfg/DFGSpeculativeJIT.h:
2870         (JSC::DFG::SpeculativeJIT::callOperation):
2871         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
2872         * ftl/FTLLowerDFGToB3.cpp:
2873         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2874         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2875         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
2876         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
2877         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
2878         * heap/CopyToken.h:
2879         * heap/SlotVisitor.cpp:
2880         (JSC::SlotVisitor::markAuxiliary):
2881         * jit/JITOperations.h:
2882         * runtime/JSArrayBufferView.cpp:
2883         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2884         (JSC::JSArrayBufferView::JSArrayBufferView):
2885         * runtime/JSArrayBufferView.h:
2886         * runtime/JSGenericTypedArrayView.h:
2887         * runtime/JSGenericTypedArrayViewInlines.h:
2888         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
2889         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2890         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2891         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
2892
2893 2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>
2894
2895         Silence GCC warning spam introduced in r205462
2896
2897         Rubber-stamped by Filip Pizlo.
2898
2899         * bytecode/Opcode.h:
2900         (JSC::padOpcodeName):
2901
2902 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2903
2904         Heap::isMarked() should use concurrent lazy flipping
2905         https://bugs.webkit.org/show_bug.cgi?id=161613
2906
2907         Reviewed by Michael Catanzaro.
2908         
2909         I found out about this race condition via
2910         https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
2911         
2912         The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
2913         phase. So, they need to lazy-flip in a non-racy way.
2914
2915         * heap/HeapInlines.h:
2916         (JSC::Heap::isLive):
2917         (JSC::Heap::isMarked):
2918
2919 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2920
2921         Unreviewed, reset generator test results after the butterflies.
2922
2923         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2924         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2925         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2926         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2927         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2928         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2929         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2930         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2931         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2932         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2933         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2934         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2935         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2936         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2937
2938 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2939
2940         Unreviewed, fix cloop build.
2941
2942         * bytecode/SuperSampler.cpp:
2943
2944 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
2945
2946         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
2947         https://bugs.webkit.org/show_bug.cgi?id=160125
2948
2949         Reviewed by Geoffrey Garen and Keith Miller.
2950
2951         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
2952         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
2953         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
2954         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
2955         to get rid of copied space. This change moves copied space's biggest client over to marked
2956         space.
2957         
2958         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
2959         allocation path. This is a fairly mechanical change, but it caused performance regressions
2960         everywhere, so this change also fixes MarkedSpace's performance issues.
2961         
2962         At a high level the mechanical changes are:
2963         
2964         - We use AuxiliaryBarrier instead of CopyBarrier.
2965         
2966         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
2967           CheckedBoolean stuff, since it's so much more trouble than it's worth.
2968         
2969         - The JITs have to emit inlined marked space allocations instead of inline copy space
2970           allocations.
2971         
2972         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
2973           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
2974           space doesn't.
2975         
2976         That's about 1/3 of this change. But this led to performance problems, which I fixed with
2977         optimizations that amounted to a major MarkedSpace rewrite:
2978         
2979         - MarkedSpace always causes internal fragmentation for array allocations because the vector
2980           length we choose when we resize usually leads to a cell size that doesn't correspond to any
2981           size class. I got around this by making array allocations usually round up vectorLength to
2982           the maximum allowed by the size class that we would have allocated in. Also,
2983           ensureLengthSlow() and friends first make sure that the requested length can't just be
2984           fulfilled with the current allocation size. This safeguard means that not every array
2985           allocation has to do size class queries. For example, the fast path of new Array(length)
2986           never does any size class queries, under the assumption that (1) the speed gained from
2987           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
2988           size class query, is too small to offset the speed lost by doing the query on every
2989           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
2990           likely.
2991         
2992         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
2993           changes MarkedSpace size classes to use a linear progression for very small sizes followed
2994           by a geometric progression that naturally transitions to a hyperbolic progression. We want
2995           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
2996           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
2997           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
2998           size (80 bytes), we proceed using a geometric progression, but round up each size to
2999           minimize slop at the end of the block. This naturally causes the geometric progression to
3000           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
3001           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
3002         
3003         - Large allocations caused massive internal fragmentation, since the smallest large
3004           allocation had to use exactly blockSize, and the largest small allocation used
3005           blockSize / 2. The next size up - the first large allocation size to require two blocks -
3006           also had 50% internal fragmentation. This is because we required large allocations to be
3007           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
3008           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
3009           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
3010           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
3011           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
3012           out great since (1) typed arrays won't use large allocations anyway since they have their
3013           own malloc fallback and (2) large array butterflies already have a 8 byte header, which
3014           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
3015           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
3016           rare as possible; for example, ExecState::vm() skips the check because we know that callees
3017           must be small allocations. It's also possible to use template tricks to do one check for
3018           cell container kind, and then invoke a function specialized for MarkedBlock or a function
3019           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
3020           that get used from functions that are template-specialized like this. That's mostly to
3021           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
3022           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
3023           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
3024           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
3025           cutoff for large allocations is runtime-configurable, so long as you don't choose something
3026           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
3027           that the MarkedBlock size classes end up being:
3028           
3029           16, 32, 48, 64, 80, 112, 160, 224, 320
3030           
3031           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
3032           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
3033           size classes you end up with by doing --dumpSizeClasses=true.
3034         
3035         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
3036           of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
3037           lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
3038           MarkedBlocks because the list that contains the interesting meta-data is allocated on the
3039           side, for better locality during a sequential walk. It's no longer necessary to scan
3040           MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
3041           maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
3042           bits because we now use versioned mark bits: to clear then, just increment the 64-bit
3043           heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
3044           because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
3045           the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
3046           together, these optimizations allowed me to reduce block size to 16KB without losing much
3047           performance. There is some small perf loss on JetStream/splay, but not enough to hurt
3048           JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
3049           progression on membuster. That's not possible yet, since there is still enough per-block
3050           overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
3051           this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
3052         
3053         - Even after all of that, copying butterflies was still faster because it allowed us to skip
3054           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
3055           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
3056           larger than O(live), especially in an eden collection. Copying satisfies this premise while
3057           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
3058           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
3059           that we walk the block to build a free list. This means walking dead space. The new
3060           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
3061           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
3062           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
3063           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
3064           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
3065           is completely empty, which is the common case because of the generational hypothesis: the
3066           number of objects that survive an eden collection is a tiny fraction of the number of
3067           objects that had been allocated, and this fraction is so small that there are typically
3068           fewer than one survivors per MarkedBlock. This change was enough to make this change a net
3069           win over tip-of-tree.
3070         
3071         - FTL now shares the same allocation fast paths as everything else, which is great, because
3072           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
3073           control flow, since it won't be able to improve the machine code we write ourselves. GC
3074           fast paths are best written in assembly. So, I've empowered B3 to have even better support
3075           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
3076           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
3077           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
3078           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
3079           ability to constant-fold some allocator logic (in case we first assume that we're doing a
3080           variable-length allocation but then realize that the length is known). I think it makes
3081           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
3082           since this makes lowering easier (you can constant fold during lowering more easily) and it
3083           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
3084           constant-fold this code. That would require allowing loads to be constant-folded, which is
3085           doable but hella tricky.
3086         
3087         - It used to be that if a logical object allocation required two physical allocations (first
3088           the butterfly and then the cell), then the JIT would emit the code in such a way that a
3089           failure in the second fast path would cause us to forget the successful first physical
3090           allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
3091           register to storing either the butterfly or null, because the butterfly register is anyway
3092           going to be free inside the first allocation. The only overhead here is zeroing the
3093           butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
3094           path, which can then either allocate a butterfly or not. So now we never waste a successful
3095           allocation. This patch implements such a solution both in DFG (where it's easy to do this
3096           since we control registers already) and in FTL (where it's annoying, because mutable
3097           "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
3098           duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
3099           one version of this patch, this wastage would resonate with some Kraken benchmark: the
3100           benchmark would always allocate N small things followed by one bigger thing. The problem
3101           was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
3102           the JSObject size class, which both the small and big thing shared for their cell, could
3103           hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
3104           it allocated the big thing. So, it would end up having to allocate the big thing's large
3105           butterfly twice, every single time! Ouch!
3106         
3107         - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
3108           amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
3109           of the allocator to initialize the object to whatever state they need. It used to be that
3110           we would just use a dumb loop. I initially changed this so that we would end up in memset
3111           for large allocations, but this didn't actually help performance that much. I got a much
3112           better result by playing with different memsets written in assembly. First I wrote one
3113           using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
3114           "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
3115           allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
3116           memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
3117           double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
3118           of stores (if the size is known), but those paths in the JIT won't trigger for
3119           NewArrayWithSize() if the size is large, since that takes us to the
3120           operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
3121           optimizations here are all in JSArray::create() - that's the hot place for large arrays
3122           that need to be filled with holes.
3123         
3124         All of this put together gives us neutral perf on JetStream,  membuster, and PLT3, a ~1%
3125         regression on Speedometer, and up to a 4% regression Kraken. The Kraken regression is
3126         because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
3127         best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
3128         difference, but take the hit for now because it's a crazy corner case. By comparison, the
3129         alternative approach of using a copy barrier would have cost us 1-2%. That's the real
3130         apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
3131         finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
3132         marking barrier and we simply won't need a copying barrier. This change gets us there for
3133         the purposes of our benchmarks, since the remaining clients of copied space are not very
3134         important. On the other hand, if we keep copying, then getting barrier-ready would mean
3135         adding back the copy barrier, which costs more perf.
3136         
3137         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
3138         typed arrays and a few other weird things over to Aux MarkedSpace.
3139         
3140         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
3141         and CellContainer meant that I had to include those files from everywhere. Fortunately,
3142         just including JSCInlines.h (instead of manually including the files that includes) is
3143         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
3144         that we were already basically doing. In places where JSCInlines.h would be too much, I just
3145         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
3146         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
3147         meant having to manually include HeapInlines.h from the places that previously got it
3148         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
3149         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
3150         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
3151         made it impossible to include it from outside JSC. This was a lot of work, but it was
3152         necessary to get the patch to build on all ports. It's also a net win. There were many places
3153         in WebCore that were transitively including a *ton* of JSC headers just because of the
3154         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
3155         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
3156
3157         * API/JSManagedValue.mm:
3158         (-[JSManagedValue initWithValue:]):
3159         * API/JSTypedArray.cpp:
3160         * API/ObjCCallbackFunction.mm:
3161         * API/tests/testapi.mm:
3162         (testObjectiveCAPI):
3163         (testWeakValue): Deleted.
3164         * CMakeLists.txt:
3165         * JavaScriptCore.xcodeproj/project.pbxproj:
3166         * Scripts/builtins/builtins_generate_combined_implementation.py:
3167         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
3168         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
3169         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
3170         * Scripts/builtins/builtins_generate_separate_implementation.py:
3171         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
3172         * assembler/AbstractMacroAssembler.h:
3173         (JSC::AbstractMacroAssembler::JumpList::link):
3174         (JSC::AbstractMacroAssembler::JumpList::linkTo):
3175         * assembler/MacroAssembler.h:
3176         * assembler/MacroAssemblerARM64.h:
3177         (JSC::MacroAssemblerARM64::add32):
3178         * assembler/MacroAssemblerCodeRef.cpp: Added.
3179         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
3180         (JSC::MacroAssemblerCodePtr::dumpWithName):
3181         (JSC::MacroAssemblerCodePtr::dump):
3182         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
3183         (JSC::MacroAssemblerCodeRef::dump):
3184         * assembler/MacroAssemblerCodeRef.h:
3185         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
3186         (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
3187         (JSC::MacroAssemblerCodePtr::dump): Deleted.
3188         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
3189         (JSC::MacroAssemblerCodeRef::dump): Deleted.
3190         * b3/B3BasicBlock.cpp:
3191         (JSC::B3::BasicBlock::appendBoolConstant):
3192         * b3/B3BasicBlock.h:
3193         * b3/B3DuplicateTails.cpp:
3194         * b3/B3StackmapGenerationParams.h:
3195         * b3/testb3.cpp:
3196         (JSC::B3::testPatchpointTerminalReturnValue):
3197         (JSC::B3::run):
3198         * bindings/ScriptValue.cpp:
3199         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
3200         * bytecode/BytecodeBasicBlock.cpp:
3201         * bytecode/BytecodeLivenessAnalysis.cpp:
3202         * bytecode/BytecodeUseDef.h:
3203         * bytecode/CallLinkInfo.cpp:
3204         (JSC::CallLinkInfo::callTypeFor):
3205         * bytecode/CallLinkInfo.h:
3206         (JSC::CallLinkInfo::callTypeFor): Deleted.
3207         * bytecode/CallLinkStatus.cpp:
3208         * bytecode/CodeBlock.cpp:
3209         (JSC::CodeBlock::finishCreation):
3210         (JSC::CodeBlock::clearLLIntGetByIdCache):
3211         (JSC::CodeBlock::predictedMachineCodeSize):
3212         * bytecode/CodeBlock.h:
3213         (JSC::CodeBlock::jitCodeMap): Deleted.
3214         (JSC::clearLLIntGetByIdCache): Deleted.
3215         * bytecode/ExecutionCounter.h:
3216         * bytecode/Instruction.h:
3217         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3218         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3219         * bytecode/ObjectAllocationProfile.h:
3220         (JSC::ObjectAllocationProfile::isNull):
3221         (JSC::ObjectAllocationProfile::initialize):
3222         * bytecode/Opcode.h:
3223         (JSC::padOpcodeName):
3224         * bytecode/PolymorphicAccess.cpp:
3225         (JSC::AccessCase::generateImpl):
3226         (JSC::PolymorphicAccess::regenerate):
3227         * bytecode/PolymorphicAccess.h:
3228         * bytecode/PreciseJumpTargets.cpp:
3229         * bytecode/StructureStubInfo.cpp:
3230         * bytecode/StructureStubInfo.h:
3231         * bytecode/UnlinkedCodeBlock.cpp:
3232         (JSC::UnlinkedCodeBlock::vm): Deleted.
3233         * bytecode/UnlinkedCodeBlock.h:
3234         * bytecode/UnlinkedInstructionStream.cpp:
3235         * bytecode/UnlinkedInstructionStream.h:
3236         * dfg/DFGOperations.cpp:
3237         * dfg/DFGSpeculativeJIT.cpp:
3238         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3239         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3240         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3241         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3242         * dfg/DFGSpeculativeJIT.h:
3243         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
3244         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
3245         * dfg/DFGSpeculativeJIT32_64.cpp:
3246         (JSC::DFG::SpeculativeJIT::compile):
3247         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3248         * dfg/DFGSpeculativeJIT64.cpp:
3249         (JSC::DFG::SpeculativeJIT::compile):
3250         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3251         * dfg/DFGStrengthReductionPhase.cpp:
3252         (JSC::DFG::StrengthReductionPhase::handleNode):
3253         * ftl/FTLAbstractHeapRepository.h:
3254         * ftl/FTLCompile.cpp:
3255         * ftl/FTLJITFinalizer.cpp:
3256         * ftl/FTLLowerDFGToB3.cpp:
3257         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3258         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
3259         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
3260         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
3261         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3262         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3263         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
3264         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3265         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3266         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
3267         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3268         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
3269         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
3270         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
3271         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
3272         * ftl/FTLOutput.cpp:
3273         (JSC::FTL::Output::constBool):
3274         (JSC::FTL::Output::add):
3275         (JSC::FTL::Output::shl):
3276         (JSC::FTL::Output::aShr):
3277         (JSC::FTL::Output::lShr):
3278         (JSC::FTL::Output::zeroExt):
3279         (JSC::FTL::Output::equal):
3280         (JSC::FTL::Output::notEqual):
3281         (JSC::FTL::Output::above):
3282         (JSC::FTL::Output::aboveOrEqual):
3283         (JSC::FTL::Output::below):
3284         (JSC::FTL::Output::belowOrEqual):
3285         (JSC::FTL::Output::greaterThan):
3286         (JSC::FTL::Output::greaterThanOrEqual):
3287         (JSC::FTL::Output::lessThan):
3288         (JSC::FTL::Output::lessThanOrEqual):
3289         (JSC::FTL::Output::select):
3290         (JSC::FTL::Output::appendSuccessor):
3291         (JSC::FTL::Output::addIncomingToPhi):
3292         * ftl/FTLOutput.h:
3293         * ftl/FTLValueFromBlock.h:
3294         (JSC::FTL::ValueFromBlock::operator bool):
3295         (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
3296</