8942d1a9325b7c1ae9263bd6f917fc793806bdb8
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-06-22  Saam Barati  <sbarati@apple.com>
2
3         ensureWritableX should only convert away from CoW when it will succeed
4         https://bugs.webkit.org/show_bug.cgi?id=186898
5
6         Reviewed by Keith Miller.
7
8         Otherwise, when we OSR exit, we'll end up profiling the array after
9         it has been converted away from CoW. It's better for the ArrayProfile
10         to see the array as it's still in CoW mode.
11         
12         This patch also renames ensureWritableX to tryMakeWritableX since these
13         were never really "ensure" operations -- they may fail and return null.
14
15         * dfg/DFGOperations.cpp:
16         * runtime/JSObject.cpp:
17         (JSC::JSObject::tryMakeWritableInt32Slow):
18         (JSC::JSObject::tryMakeWritableDoubleSlow):
19         (JSC::JSObject::tryMakeWritableContiguousSlow):
20         (JSC::JSObject::ensureWritableInt32Slow): Deleted.
21         (JSC::JSObject::ensureWritableDoubleSlow): Deleted.
22         (JSC::JSObject::ensureWritableContiguousSlow): Deleted.
23         * runtime/JSObject.h:
24         (JSC::JSObject::tryMakeWritableInt32):
25         (JSC::JSObject::tryMakeWritableDouble):
26         (JSC::JSObject::tryMakeWritableContiguous):
27         (JSC::JSObject::ensureWritableInt32): Deleted.
28         (JSC::JSObject::ensureWritableDouble): Deleted.
29         (JSC::JSObject::ensureWritableContiguous): Deleted.
30
31 2018-06-22  Keith Miller  <keith_miller@apple.com>
32
33         We should call visitChildren on Base not the exact typename
34         https://bugs.webkit.org/show_bug.cgi?id=186928
35
36         Reviewed by Mark Lam.
37
38         A lot of places were not properly calling visitChildren on their
39         superclass. For most of them it didn't matter because they had
40         immortal structures. If code changed in the future this might
41         break things however.
42
43         Also, block off more of the MethodTable for GetterSetter objects.
44
45         * bytecode/CodeBlock.cpp:
46         (JSC::CodeBlock::visitChildren):
47         * bytecode/ExecutableToCodeBlockEdge.cpp:
48         (JSC::ExecutableToCodeBlockEdge::visitChildren):
49         * debugger/DebuggerScope.cpp:
50         (JSC::DebuggerScope::visitChildren):
51         * runtime/EvalExecutable.cpp:
52         (JSC::EvalExecutable::visitChildren):
53         * runtime/FunctionExecutable.cpp:
54         (JSC::FunctionExecutable::visitChildren):
55         * runtime/FunctionRareData.cpp:
56         (JSC::FunctionRareData::visitChildren):
57         * runtime/GenericArgumentsInlines.h:
58         (JSC::GenericArguments<Type>::visitChildren):
59         * runtime/GetterSetter.cpp:
60         (JSC::GetterSetter::visitChildren):
61         * runtime/GetterSetter.h:
62         * runtime/InferredType.cpp:
63         (JSC::InferredType::visitChildren):
64         * runtime/InferredTypeTable.cpp:
65         (JSC::InferredTypeTable::visitChildren):
66         * runtime/InferredValue.cpp:
67         (JSC::InferredValue::visitChildren):
68         * runtime/JSArrayBufferView.cpp:
69         (JSC::JSArrayBufferView::visitChildren):
70         * runtime/JSGenericTypedArrayViewInlines.h:
71         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
72         * runtime/ModuleProgramExecutable.cpp:
73         (JSC::ModuleProgramExecutable::visitChildren):
74         * runtime/ProgramExecutable.cpp:
75         (JSC::ProgramExecutable::visitChildren):
76         * runtime/ScopedArguments.cpp:
77         (JSC::ScopedArguments::visitChildren):
78         * runtime/ScopedArguments.h:
79         * runtime/Structure.cpp:
80         (JSC::Structure::visitChildren):
81         * runtime/StructureRareData.cpp:
82         (JSC::StructureRareData::visitChildren):
83         * runtime/SymbolTable.cpp:
84         (JSC::SymbolTable::visitChildren):
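
The chaining failure this entry describes, as an added example that is not part of the WebKit ChangeLog or the JSC code base: a toy mark phase in which each class's static visitChildren is expected to forward to Base::visitChildren before marking its own fields. All names (Cell, Visitor, Middle, Good, Bad, Leaf) are invented for illustration; the point shown is that naming the root type instead of Base skips an intermediate class's fields, which only went unnoticed in JSC because the skipped field was an immortal Structure.

```cpp
#include <cstddef>
#include <cstdio>
#include <unordered_set>
#include <vector>

// All names below are constructed for this example; none are JSC identifiers.
struct Visitor;

// Root of the toy cell hierarchy. Each class declares `Base` and a static
// visitChildren that first forwards to Base::visitChildren, then marks its own
// fields, which is the chaining the patch restores.
struct Cell {
    virtual ~Cell() = default;
    virtual void visit(Visitor&) = 0;
    static void visitChildren(Cell*, Visitor&) {}   // the root has no fields
};

// Mark-phase visitor: a mark set plus a worklist.
struct Visitor {
    std::unordered_set<Cell*> marked;
    std::vector<Cell*> worklist;
    void append(Cell* c) {
        if (!c || !marked.insert(c).second)
            return;                        // null or already marked
        worklist.push_back(c);
    }
    void drain() {
        while (!worklist.empty()) {
            Cell* c = worklist.back();
            worklist.pop_back();
            c->visit(*this);
        }
    }
};

// Intermediate class that owns one reference (the field a superclass keeps,
// like a Structure in the real engine).
struct Middle : Cell {
    using Base = Cell;
    Cell* middleChild = nullptr;
    static void visitChildren(Cell* cell, Visitor& v) {
        Base::visitChildren(cell, v);
        v.append(static_cast<Middle*>(cell)->middleChild);
    }
    void visit(Visitor& v) override { visitChildren(this, v); }
};

// Correct subclass: chains through Base, so Middle's field is marked.
struct Good : Middle {
    using Base = Middle;
    Cell* ownChild = nullptr;
    static void visitChildren(Cell* cell, Visitor& v) {
        Base::visitChildren(cell, v);
        v.append(static_cast<Good*>(cell)->ownChild);
    }
    void visit(Visitor& v) override { visitChildren(this, v); }
};

// Buggy subclass: names the root type instead of Base, so Middle's
// visitChildren never runs and middleChild stays unmarked. A sweeper would
// free it while Bad still points at it: a use-after-free.
struct Bad : Middle {
    using Base = Middle;
    Cell* ownChild = nullptr;
    static void visitChildren(Cell* cell, Visitor& v) {
        Cell::visitChildren(cell, v);      // skips Middle::visitChildren
        v.append(static_cast<Bad*>(cell)->ownChild);
    }
    void visit(Visitor& v) override { visitChildren(this, v); }
};

struct Leaf : Cell {
    void visit(Visitor&) override {}
};

// Build root -> {middleChild, ownChild}, mark from root, and return how many
// cells ended up marked. The correct chain marks all 3; the buggy one marks 2.
template <typename T>
std::size_t markedCellCount() {
    Leaf fromMiddle, fromOwn;
    T root;
    root.middleChild = &fromMiddle;
    root.ownChild = &fromOwn;
    Visitor v;
    v.append(&root);
    v.drain();
    return v.marked.size();
}

int main() {
    std::printf("Good: %zu marked, Bad: %zu marked\n",
                markedCellCount<Good>(), markedCellCount<Bad>());
    return 0;
}
```

The `using Base = ...` alias is what keeps the call correct when a class is later moved within the hierarchy; a qualified call to the root type silently stops visiting whatever is added in between.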
85
86 2018-06-20  Darin Adler  <darin@apple.com>
87
88         [Cocoa] Use the isDirectory: variants of NSURL methods more to eliminate unnecessary file system activity
89         https://bugs.webkit.org/show_bug.cgi?id=186875
90
91         Reviewed by Anders Carlsson.
92
93         * API/tests/testapi.mm:
94         (testObjectiveCAPIMain): Use isDirectory:NO when creating a URL for a JavaScript file.
95
96 2018-06-22  Carlos Garcia Campos  <cgarcia@igalia.com>
97
98         [GTK] WebDriver: use a dictionary for session capabilities in StartAutomationSession message
99         https://bugs.webkit.org/show_bug.cgi?id=186915
100
101         Reviewed by Žan Doberšek.
102
103         Update StartAutomationSession message handling to receive a dictionary of session capabilities.
104
105         * inspector/remote/glib/RemoteInspectorServer.cpp:
106         (Inspector::processSessionCapabilities): Helper method to process the session capabilities.
107
108 2018-06-21  Mark Lam  <mark.lam@apple.com>
109
110         WebKit (JavaScriptCore) compilation error with Clang ≥ 6.
111         https://bugs.webkit.org/show_bug.cgi?id=185947
112         <rdar://problem/40131933>
113
114         Reviewed by Saam Barati.
115
116         Newer Clang versions (due to C++17 support) are not happy with how I implemented
117         conversions between CodeLocation types.  We'll fix this by adding a conversion
118         operator for converting between CodeLocation types.
119
120         * assembler/CodeLocation.h:
121         (JSC::CodeLocationCommon::operator T):
122
123 2018-06-21  Saam Barati  <sbarati@apple.com>
124
125         Do some CoW cleanup
126         https://bugs.webkit.org/show_bug.cgi?id=186896
127
128         Reviewed by Mark Lam.
129
130         * bytecode/UnlinkedCodeBlock.h:
131         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
132         We don't need to WTFMove() ints
133
134         * dfg/DFGByteCodeParser.cpp:
135         (JSC::DFG::ByteCodeParser::parseBlock):
136         remove a TODO.
137
138         * runtime/JSObject.cpp:
139         (JSC::JSObject::putByIndex):
140         We were checking for isCopyOnWrite even after we converted away
141         from CoW in the above code.
142         (JSC::JSObject::ensureWritableInt32Slow):
143         Model this in the same way the other ensureWritableXSlow are modeled.
144
145 2018-06-20  Keith Miller  <keith_miller@apple.com>
146
147         flattenDictionaryStructure needs to zero inline storage.
148         https://bugs.webkit.org/show_bug.cgi?id=186869
149
150         Reviewed by Saam Barati.
151
152         This patch also adds the assertion that unused property storage is
153         zero or JSValue() to putDirectInternal. Additionally, functions
154         have been added to $vm that flatten dictionary objects and return
155         the inline capacity of an object.
156
157         * runtime/JSObjectInlines.h:
158         (JSC::JSObject::putDirectInternal):
159         * runtime/Structure.cpp:
160         (JSC::Structure::flattenDictionaryStructure):
161         * tools/JSDollarVM.cpp:
162         (JSC::functionInlineCapacity):
163         (JSC::functionFlattenDictionaryObject):
164         (JSC::JSDollarVM::finishCreation):
165
166 2018-06-21  Mark Lam  <mark.lam@apple.com>
167
168         Use IsoCellSets to track Executables with clearable code.
169         https://bugs.webkit.org/show_bug.cgi?id=186877
170
171         Reviewed by Filip Pizlo.
172
173         Here’s an example of the results that this fix may yield: 
174         1. The workload: load cnn.com, wait for it to fully load, scroll down and up.
175         2. Statistics on memory touched and memory freed by VM::deleteAllCode():
176
177            Visiting Executables:
178                                                         Old             New
179            Number of objects visited:                   70897           14264
180            Number of objects with deletable code:       14264 (20.1%)   14264 (100%)
181            Number of memory pages visited:              3224            1602
182            Number of memory pages with deletable code:  1602 (49.7%)    1602 (100%)
183
184            Visiting UnlinkedFunctionExecutables:
185                                                         Old             New
186            Number of objects visited:                   105454          17231
187            Number of objects with deletable code:       42319 (20.1%)   17231 (100%) **
188            Number of memory pages visited:              4796            1349
189            Number of memory pages with deletable code:  4013 (83.7%)    1349 (100%)
190
191         ** The number of objects differs because the old code only visited unlinked
192            executables indirectly via linked executables, whereas the new behavior visits
193            all unlinked executables with deletable code directly.  This means:
194
195            a. we used to not visit unlinked executables that have not been linked yet
196               i.e. deleteAllCode() may not delete all code (especially code that is not
197               used).
198            b. we had to visit all linked executables to check if they are of type
199               FunctionExecutable, before going on to visit their unlinked executable, and
200               this includes the ones that do not have deletable code.  This means that we
201               would touch more memory in the process.
202
203            Both of these issues are now fixed with the new code.
204
205         This code was tested with manually inserted instrumentation to track the above
206         statistics.  It is not feasible to write an automated test for this without
207         leaving a lot of invasive instrumentation in the code.
208
209         * bytecode/UnlinkedFunctionExecutable.cpp:
210         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
211         * bytecode/UnlinkedFunctionExecutable.h:
212         * heap/CodeBlockSetInlines.h:
213         (JSC::CodeBlockSet::iterateViaSubspaces):
214         * heap/Heap.cpp:
215         (JSC::Heap::deleteAllCodeBlocks):
216         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
217         (JSC::Heap::deleteUnmarkedCompiledCode):
218         (JSC::Heap::clearUnmarkedExecutables): Deleted.
219         (JSC::Heap::addExecutable): Deleted.
220         * heap/Heap.h:
221         * runtime/DirectEvalExecutable.h:
222
223         * runtime/ExecutableBase.cpp:
224         (JSC::ExecutableBase::hasClearableCode const):
225         - this is written based on the implementation of ExecutableBase::clearCode().
226
227         * runtime/ExecutableBase.h:
228         * runtime/FunctionExecutable.h:
229         * runtime/IndirectEvalExecutable.h:
230         * runtime/ModuleProgramExecutable.h:
231         * runtime/ProgramExecutable.h:
232         * runtime/ScriptExecutable.cpp:
233         (JSC::ScriptExecutable::clearCode):
234         (JSC::ScriptExecutable::installCode):
235         * runtime/ScriptExecutable.h:
236         (JSC::ScriptExecutable::finishCreation):
237         * runtime/VM.cpp:
238         (JSC::VM::VM):
239         * runtime/VM.h:
240         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet):
241         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor):
242         (JSC::VM::forEachScriptExecutableSpace):
243         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet):
244         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor):
245
246 2018-06-21  Zan Dobersek  <zdobersek@igalia.com>
247
248         [GTK] WebDriver: allow applying host-specific TLS certificates for automated sessions
249         https://bugs.webkit.org/show_bug.cgi?id=186884
250
251         Reviewed by Carlos Garcia Campos.
252
253         Add a tuple array input parameter to the StartAutomationSession DBus
254         message, representing a list of host-and-certificate pairs that have to
255         be allowed for a given session. This array is then unpacked and used to
256         fill out the certificates Vector object in the SessionCapabilities
257         struct.
258
259         * inspector/remote/RemoteInspector.h: Add a GLib-specific Vector of
260         String pairs representing hosts and the certificate file paths.
261         * inspector/remote/glib/RemoteInspectorServer.cpp:
262
263 2018-06-20  Keith Miller  <keith_miller@apple.com>
264
265         Expand concurrent GC assertion to accept JSValue() or 0
266         https://bugs.webkit.org/show_bug.cgi?id=186855
267
268         Reviewed by Mark Lam.
269
270         We tend to set unused property slots to either JSValue() or 0
271         depending on the context. On 64-bit these are the same but on
272         32-bit JSValue() has a NaN tag. This patch makes it so we
273         accept either JSValue() or 0.
274
275         * runtime/JSObjectInlines.h:
276         (JSC::JSObject::prepareToPutDirectWithoutTransition):
277
278 2018-06-20  Guillaume Emont  <guijemont@igalia.com>
279
280         [Armv7] Linkbuffer: executableOffsetFor() fails for location 2
281         https://bugs.webkit.org/show_bug.cgi?id=186765
282
283         Reviewed by Michael Saboff.
284
285         This widens the check for 0 so that we handle that case more correctly.
286
287         * assembler/LinkBuffer.h:
288         (JSC::LinkBuffer::executableOffsetFor):
289
290 2018-06-19  Keith Miller  <keith_miller@apple.com>
291
292         Fix broken assertion on 32-bit
293         https://bugs.webkit.org/show_bug.cgi?id=186830
294
295         Reviewed by Mark Lam.
296
297         The assertion was intended to catch concurrent GC issues. We don't
298         run them on 32-bit so we don't need this assertion there. The
299         assertion was broken because zero is not JSValue() on 32-bit.
300
301         * runtime/JSObjectInlines.h:
302         (JSC::JSObject::prepareToPutDirectWithoutTransition):
303
304 2018-06-19  Keith Miller  <keith_miller@apple.com>
305
306         flattenDictionaryStructure needs to zero properties that have been compressed away
307         https://bugs.webkit.org/show_bug.cgi?id=186828
308
309         Reviewed by Mark Lam.
310
311         This patch fixes a bunch of crashing Mozilla tests on the bots.
312
313         * runtime/Structure.cpp:
314         (JSC::Structure::flattenDictionaryStructure):
315
316 2018-06-19  Saam Barati  <sbarati@apple.com>
317
318         DirectArguments::create needs to initialize to undefined instead of the empty value
319         https://bugs.webkit.org/show_bug.cgi?id=186818
320         <rdar://problem/38415177>
321
322         Reviewed by Filip Pizlo.
323
324         The bug here is that we will emit code that just loads from DirectArguments as
325         long as the index is within the known capacity of the arguments object (op_get_from_arguments).
326         The arguments object has at least enough capacity to hold the declared parameters.
327         When we materialized this object in OSR exit, we initialized up to the capacity
328         with JSValue(). In OSR exit, though, we only filled up to the length of the
329         object with actual values. So we'd end up with a DirectArguments object with
330         capacity minus length slots of JSValue(). To fix this, we need to initialize up to
331         capacity with jsUndefined during construction. The invariant of this object is
332         that the capacity minus length slots at the end are filled in with jsUndefined.
333
334         * runtime/DirectArguments.cpp:
335         (JSC::DirectArguments::create):
336
337 2018-06-19  Michael Saboff  <msaboff@apple.com>
338
339         Crash in sanitizeStackForVMImpl sometimes when switching threads with same VM
340         https://bugs.webkit.org/show_bug.cgi?id=186827
341
342         Reviewed by Saam Barati.
343
344         Need to set VM::lastStackTop before any possible calls to sanitizeStack().
345
346         * runtime/JSLock.cpp:
347         (JSC::JSLock::didAcquireLock):
348
349 2018-06-19  Tadeu Zagallo  <tzagallo@apple.com>
350
351         ShadowChicken crashes with stack overflow in the LLInt
352         https://bugs.webkit.org/show_bug.cgi?id=186540
353         <rdar://problem/39682133>
354
355         Reviewed by Saam Barati.
356
357         Stack overflows in the LLInt were crashing in ShadowChicken when compiling
358         with debug opcodes because it was accessing the scope of the incomplete top
359         frame, which hadn't been set yet. Check that we have moved past the first
360         opcode (enter) and that the scope is not undefined (enter will
361         initialize it to undefined).
362
363         * interpreter/ShadowChicken.cpp:
364         (JSC::ShadowChicken::update):
365
366 2018-06-19  Keith Miller  <keith_miller@apple.com>
367
368         constructArray variants should take the slow path for subclasses of Array
369         https://bugs.webkit.org/show_bug.cgi?id=186812
370
371         Reviewed by Saam Barati and Mark Lam.
372
373         This patch fixes a crashing test in ObjectInitializationScope where we would
374         allocate a new structure for an indexing type change while initializing
375         a subclass of Array. Since the new array hasn't been fully initialized,
376         if the GC ran it would see garbage and we might crash.
377
378         * runtime/JSArray.cpp:
379         (JSC::constructArray):
380         (JSC::constructArrayNegativeIndexed):
381         * runtime/JSArray.h:
382         (JSC::constructArray): Deleted.
383         (JSC::constructArrayNegativeIndexed): Deleted.
384
385 2018-06-19  Saam Barati  <sbarati@apple.com>
386
387         Wasm: Any function argument of type Void should be a validation error
388         https://bugs.webkit.org/show_bug.cgi?id=186794
389         <rdar://problem/41140257>
390
391         Reviewed by Keith Miller.
392
393         * wasm/WasmModuleParser.cpp:
394         (JSC::Wasm::ModuleParser::parseType):
395
396 2018-06-18  Keith Miller  <keith_miller@apple.com>
397
398         JSImmutableButterfly should assert m_header is adjacent to the data
399         https://bugs.webkit.org/show_bug.cgi?id=186795
400
401         Reviewed by Saam Barati.
402
403         * runtime/JSImmutableButterfly.cpp:
404         * runtime/JSImmutableButterfly.h:
405
406 2018-06-18  Keith Miller  <keith_miller@apple.com>
407
408         Unreviewed, fix the build...
409
410         * runtime/JSArray.cpp:
411         (JSC::JSArray::tryCreateUninitializedRestricted):
412
413 2018-06-18  Keith Miller  <keith_miller@apple.com>
414
415         Unreviewed, remove bad assertion.
416
417         * runtime/JSArray.cpp:
418         (JSC::JSArray::tryCreateUninitializedRestricted):
419
420 2018-06-18  Keith Miller  <keith_miller@apple.com>
421
422         Properly zero unused property storage offsets
423         https://bugs.webkit.org/show_bug.cgi?id=186692
424
425         Reviewed by Filip Pizlo.
426
427         Since the concurrent GC might see a property slot before the mutator has actually
428         stored the value there, we need to ensure that slot doesn't have garbage in it.
429
430         Right now when calling constructConvertedArrayStorageWithoutCopyingElements
431         or creating a RegExp matches array, we never cleared the unused
432         property storage. ObjectInitializationScope has also been upgraded
433         to look for our invariants around property storage. Additionally,
434         a new assertion has been added to check for JSValue() when adding
435         a new property.
436
437         We used to put undefined into deleted property offsets. To
438         make things simpler, this patch causes us to store JSValue() there
439         instead.
440
441         Lastly, this patch fixes an issue where we would initialize the
442         array storage of RegExpMatchesArray twice. First with 0 and
443         secondly with the actual result. Now we only zero memory between
444         vector length and public length.
445
446         * runtime/Butterfly.h:
447         (JSC::Butterfly::offsetOfVectorLength):
448         * runtime/ButterflyInlines.h:
449         (JSC::Butterfly::tryCreateUninitialized):
450         (JSC::Butterfly::createUninitialized):
451         (JSC::Butterfly::tryCreate):
452         (JSC::Butterfly::create):
453         (JSC::Butterfly::createOrGrowPropertyStorage):
454         (JSC::Butterfly::createOrGrowArrayRight):
455         (JSC::Butterfly::growArrayRight):
456         (JSC::Butterfly::resizeArray):
457         * runtime/JSArray.cpp:
458         (JSC::JSArray::tryCreateUninitializedRestricted):
459         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
460         * runtime/JSArray.h:
461         (JSC::tryCreateArrayButterfly):
462         * runtime/JSObject.cpp:
463         (JSC::JSObject::createArrayStorageButterfly):
464         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
465         (JSC::JSObject::deleteProperty):
466         (JSC::JSObject::shiftButterflyAfterFlattening):
467         * runtime/JSObject.h:
468         * runtime/JSObjectInlines.h:
469         (JSC::JSObject::prepareToPutDirectWithoutTransition):
470         * runtime/ObjectInitializationScope.cpp:
471         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
472         * runtime/ObjectInitializationScope.h:
473         (JSC::ObjectInitializationScope::release):
474         * runtime/RegExpMatchesArray.h:
475         (JSC::tryCreateUninitializedRegExpMatchesArray):
476         (JSC::createRegExpMatchesArray):
477
478         * runtime/Butterfly.h:
479         (JSC::Butterfly::offsetOfVectorLength):
480         * runtime/ButterflyInlines.h:
481         (JSC::Butterfly::tryCreateUninitialized):
482         (JSC::Butterfly::createUninitialized):
483         (JSC::Butterfly::tryCreate):
484         (JSC::Butterfly::create):
485         (JSC::Butterfly::createOrGrowPropertyStorage):
486         (JSC::Butterfly::createOrGrowArrayRight):
487         (JSC::Butterfly::growArrayRight):
488         (JSC::Butterfly::resizeArray):
489         * runtime/JSArray.cpp:
490         (JSC::JSArray::tryCreateUninitializedRestricted):
491         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
492         * runtime/JSArray.h:
493         (JSC::tryCreateArrayButterfly):
494         * runtime/JSObject.cpp:
495         (JSC::JSObject::createArrayStorageButterfly):
496         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
497         (JSC::JSObject::deleteProperty):
498         (JSC::JSObject::shiftButterflyAfterFlattening):
499         * runtime/JSObject.h:
500         * runtime/JSObjectInlines.h:
501         (JSC::JSObject::prepareToPutDirectWithoutTransition):
502         * runtime/ObjectInitializationScope.cpp:
503         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
504         * runtime/RegExpMatchesArray.cpp:
505         (JSC::createEmptyRegExpMatchesArray):
506         * runtime/RegExpMatchesArray.h:
507         (JSC::tryCreateUninitializedRegExpMatchesArray):
508         (JSC::createRegExpMatchesArray):
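
The invariant behind this entry and the earlier ones on flattenDictionaryStructure and the concurrent GC assertion (unused property storage must read as JSValue(), never as leftover bits), as an added example that is not WebKit code: a toy out-of-line property storage grown from recycled memory, a deletion that stores the empty value, and the scan a concurrent marker would perform over the whole capacity. The names (PropertyStorage, growUnsafe, growSafe, wildPointerCount) and the garbage bit patterns are constructed for illustration; 0 stands in for the 64-bit JSValue() encoding.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <unordered_set>
#include <vector>

// Constructed toy; names are not JSC identifiers. A slot holds an encoded
// value: 0 stands for the empty value (JSValue() on 64-bit), and the marker
// treats any other bit pattern as a cell pointer it must chase.
using EncodedValue = std::uintptr_t;
static constexpr EncodedValue kEmpty = 0;

struct Cell { int payload; };

// Out-of-line property storage: `used` slots carry values, and every slot
// from `used` up to capacity must hold kEmpty, because a concurrent marker
// scans the whole capacity, not just what the mutator has filled in.
struct PropertyStorage {
    std::vector<EncodedValue> slots;
    std::size_t used = 0;
};

// Stands in for an allocator handing back recycled memory that still holds
// stale, pointer-looking bits (garbage constructed for the example).
static std::vector<EncodedValue> allocateRecycled(std::size_t capacity) {
    std::vector<EncodedValue> block(capacity);
    for (std::size_t i = 0; i < capacity; ++i)
        block[i] = static_cast<EncodedValue>(0xDEAD0000u + i * 8);
    return block;
}

// Grow by copying the used prefix and leaving the tail as-is: the defect.
PropertyStorage growUnsafe(const PropertyStorage& old, std::size_t capacity) {
    PropertyStorage grown;
    grown.slots = allocateRecycled(capacity);
    grown.used = old.used;
    std::memcpy(grown.slots.data(), old.slots.data(), old.used * sizeof(EncodedValue));
    return grown;
}

// Grow and clear everything past `used`, which is the invariant the patch
// enforces and an ObjectInitializationScope-style check can verify.
PropertyStorage growSafe(const PropertyStorage& old, std::size_t capacity) {
    PropertyStorage grown = growUnsafe(old, capacity);
    std::fill(grown.slots.begin() + static_cast<std::ptrdiff_t>(grown.used),
              grown.slots.end(), kEmpty);
    return grown;
}

// Deleting a property stores the empty value rather than undefined, so a
// deleted offset reads the same as a never-used one.
void deleteProperty(PropertyStorage& s, std::size_t index) {
    s.slots[index] = kEmpty;
}

// What a concurrent marker would do: scan every slot and chase anything that
// is not empty. Returns how many slots point outside the known heap; each is
// a wild read the real collector would perform.
std::size_t wildPointerCount(const PropertyStorage& s,
                             const std::unordered_set<const Cell*>& heap) {
    std::size_t wild = 0;
    for (EncodedValue v : s.slots) {
        if (v == kEmpty)
            continue;
        if (!heap.count(reinterpret_cast<const Cell*>(v)))
            ++wild;
    }
    return wild;
}

// Two live properties, grow 2 -> 8 with the chosen strategy, delete one,
// then run the marker's scan and report the wild-pointer count.
std::size_t simulate(bool zeroTail) {
    Cell a{1}, b{2};
    std::unordered_set<const Cell*> heap{&a, &b};
    PropertyStorage s;
    s.slots = {reinterpret_cast<EncodedValue>(&a), reinterpret_cast<EncodedValue>(&b)};
    s.used = 2;
    PropertyStorage grown = zeroTail ? growSafe(s, 8) : growUnsafe(s, 8);
    deleteProperty(grown, 1);
    return wildPointerCount(grown, heap);
}

int main() {
    std::printf("unzeroed tail: %zu wild slots, zeroed tail: %zu wild slots\n",
                simulate(false), simulate(true));
    return 0;
}
```

With the tail left unzeroed the scan finds six slots that look like pointers but are not cells; with the tail cleared it finds none, which is why the entry moves deleted offsets to JSValue() as well: one encoding for "nothing here" keeps the marker's check a single comparison.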
509
510 2018-06-18  Tadeu Zagallo  <tzagallo@apple.com>
511
512         Share structure across instances of classes exported through the ObjC API
513         https://bugs.webkit.org/show_bug.cgi?id=186579
514         <rdar://problem/40969212>
515
516         Reviewed by Saam Barati.
517
518         A new structure was being created for each instance of exported ObjC
519         classes due to setting the prototype in the structure for every object,
520         since prototype transitions are not cached by the structure. Cache the
521         Structure in the JSObjcClassInfo to avoid the transition.
522
523         * API/JSWrapperMap.mm:
524         (-[JSObjCClassInfo wrapperForObject:inContext:]):
525         (-[JSObjCClassInfo structureInContext:]):
526         * API/tests/JSWrapperMapTests.h: Added.
527         * API/tests/JSWrapperMapTests.mm: Added.
528         (+[JSWrapperMapTests testStructureIdentity]):
529         (runJSWrapperMapTests):
530         * API/tests/testapi.mm:
531         (testObjectiveCAPIMain):
532         * JavaScriptCore.xcodeproj/project.pbxproj:
533
534 2018-06-18  Michael Saboff  <msaboff@apple.com>
535
536         Support Unicode 11 in RegExp
537         https://bugs.webkit.org/show_bug.cgi?id=186685
538
539         Reviewed by Mark Lam.
540
541         Updated the UCD tables used to generate RegExp property tables to version 11.0.
542
543         * Scripts/generateYarrUnicodePropertyTables.py:
544         * ucd/CaseFolding.txt:
545         * ucd/DerivedBinaryProperties.txt:
546         * ucd/DerivedCoreProperties.txt:
547         * ucd/DerivedNormalizationProps.txt:
548         * ucd/PropList.txt:
549         * ucd/PropertyAliases.txt:
550         * ucd/PropertyValueAliases.txt:
551         * ucd/ScriptExtensions.txt:
552         * ucd/Scripts.txt:
553         * ucd/UnicodeData.txt:
554         * ucd/emoji-data.txt:
555
556 2018-06-18  Carlos Alberto Lopez Perez  <clopez@igalia.com>
557
558         [WTF] Remove workarounds needed to support libstdc++-4
559         https://bugs.webkit.org/show_bug.cgi?id=186762
560
561         Reviewed by Michael Catanzaro.
562
563         Revert r226299, r226300, r226301 and r226302.
564
565         * API/tests/TypedArrayCTest.cpp:
566         (assertEqualsAsNumber):
567
568 2018-06-16  Michael Catanzaro  <mcatanzaro@igalia.com>
569
570         REGRESSION(r227717): Hardcoded page size causing JSC crashes on platforms with page size bigger than 16 KB
571         https://bugs.webkit.org/show_bug.cgi?id=182923
572
573         Reviewed by Mark Lam.
574
575         The blockSize used by MarkedBlock is incorrect on platforms with pages larger than 16 KB.
576         Upstream Fedora's patch to use a safer 64 KB default. This fixes PowerPC and s390x.
577
578         * heap/MarkedBlock.h:
579
580 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
581
582         [JSC] Inline JSArray::pushInline and Structure::nonPropertyTransition
583         https://bugs.webkit.org/show_bug.cgi?id=186723
584
585         Reviewed by Mark Lam.
586
587         Now, the CoW -> non-CoW transition is a heavy path. We inline the part of Structure::nonPropertyTransition
588         to catch the major path. And we also inline JSArray::pushInline well to spread this in operationArrayPushMultiple.
589
590         This patch improves SixSpeed/spread-literal.es5.
591
592                                      baseline                  patched
593
594         spread-literal.es5      114.4140+-4.5146     ^    104.5475+-3.6157        ^ definitely 1.0944x faster
595
596         * runtime/JSArrayInlines.h:
597         (JSC::JSArray::pushInline):
598         * runtime/Structure.cpp:
599         (JSC::Structure::nonPropertyTransitionSlow):
600         (JSC::Structure::nonPropertyTransition): Deleted.
601         * runtime/Structure.h:
602         * runtime/StructureInlines.h:
603         (JSC::Structure::nonPropertyTransition):
604
605 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
606
607         [DFG] Reduce OSRExit for Kraken/crypto-aes due to CoW array
608         https://bugs.webkit.org/show_bug.cgi?id=186721
609
610         Reviewed by Keith Miller.
611
612         We still have several other OSRExits, but this patch reduces that.
613
614         1. While ArraySlice code accepts CoW arrays, it always emits CheckStructure without CoW Array structures.
615         So DFG emits ArraySlice onto CoW arrays, and always performs OSRExits.
616
617         2. The CoW patch removed ArrayAllocationProfile updates. This makes allocated JSImmutableButterfly
618         non-appropriate.
619
620         These changes partly fix the Kraken/crypto-aes regression.
621
622                                       baseline                  patched
623
624         stanford-crypto-aes        63.718+-2.312      ^      56.140+-0.966         ^ definitely 1.1350x faster
625
626
627         * dfg/DFGByteCodeParser.cpp:
628         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
629         * ftl/FTLOperations.cpp:
630         (JSC::FTL::operationMaterializeObjectInOSR):
631         * runtime/CommonSlowPaths.cpp:
632         (JSC::SLOW_PATH_DECL):
633
634 2018-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
635
636         [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
637         https://bugs.webkit.org/show_bug.cgi?id=186460
638
639         Reviewed by Saam Barati.
640
641         Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
642         We should return JSFixedArray for Spread. This patch adds a code generating
643         a JSFixedArray from JSImmutableButterfly.
644
645         Merging JSFixedArray into JSImmutableButterfly is possible future extension.
646
647         * ftl/FTLLowerDFGToB3.cpp:
648         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
649         * runtime/JSFixedArray.h:
650
651 2018-06-15  Saam Barati  <sbarati@apple.com>
652
653         Annotate shrinkFootprintWhenIdle with NS_AVAILABLE
654         https://bugs.webkit.org/show_bug.cgi?id=186687
655         <rdar://problem/40071332>
656
657         Reviewed by Keith Miller.
658
659         * API/JSVirtualMachinePrivate.h:
660
661 2018-06-15  Saam Barati  <sbarati@apple.com>
662
663         Make ForceOSRExit CFG pruning in bytecode parser more aggressive by making the original block to ignore be the plan's osrEntryBytecodeIndex
664         https://bugs.webkit.org/show_bug.cgi?id=186648
665
666         Reviewed by Michael Saboff.
667
668         This patch is neutral on SunSpider/bitops-bitwise-and. That test originally
669         regressed with my first version of ForceOSRExit CFG pruning. This patch makes
670         ForceOSRExit CFG pruning more aggressive by not ignoring everything that
671         can reach any loop_hint, but only ignoring blocks that can reach a loop_hint
672         if it's the plan's osr entry bytecode target. The goal is to get a speedometer
673         2 speedup with this change on iOS.
674
675         * dfg/DFGByteCodeParser.cpp:
676         (JSC::DFG::ByteCodeParser::parse):
677
678 2018-06-15  Michael Catanzaro  <mcatanzaro@igalia.com>
679
680         Unreviewed, rolling out r232816.
681
682         Suggested by Caitlin:
683         "this patch clearly does get some things wrong, and it's not
684         easy to find what those things are"
685
686         Reverted changeset:
687
688         "[LLInt] use loadp consistently for
689         get_from_scope/put_to_scope"
690         https://bugs.webkit.org/show_bug.cgi?id=132333
691         https://trac.webkit.org/changeset/232816
692
693 2018-06-14  Michael Saboff  <msaboff@apple.com>
694
695         REGRESSION(r232741): Crash running ARES-6
696         https://bugs.webkit.org/show_bug.cgi?id=186630
697
698         Reviewed by Saam Barati.
699
700         The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
701         treated edges between identical predecessor->successor pairs independently.
702         This fixes the issue by handling such edges once, using the added intermediate
703         pad for all instances of the edges between the same pairs.
704
705         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
706         (JSC::DFG::CriticalEdgeBreakingPhase::run):
707         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.
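
The edge handling this entry describes, as an added example that is not WebKit's DFGCriticalEdgeBreakingPhase: a toy CFG in which a switch lists the same successor twice, with de-duplicated predecessor lists as r232741 introduced. The buggy strategy creates one pad per occurrence of the pair; the fixed strategy creates the pad once and routes every occurrence of that pred->succ pair through it. Block layout, names and the sample graph are constructed for illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <map>
#include <vector>

// Constructed toy CFG; the block and phase names are not JSC identifiers.
struct Block {
    std::vector<int> successors;    // may list the same target twice (switch cases)
    std::vector<int> predecessors;  // kept de-duplicated, as r232741 made them
    bool isPad = false;
};

struct Cfg {
    std::vector<Block> blocks;

    void recomputePredecessors() {
        for (Block& b : blocks)
            b.predecessors.clear();
        for (std::size_t i = 0; i < blocks.size(); ++i)
            for (int s : blocks[i].successors) {
                std::vector<int>& preds = blocks[s].predecessors;
                if (std::find(preds.begin(), preds.end(), static_cast<int>(i)) == preds.end())
                    preds.push_back(static_cast<int>(i));
            }
    }

    int addPad(int to) {
        Block pad;
        pad.isPad = true;
        pad.successors = {to};
        blocks.push_back(pad);
        return static_cast<int>(blocks.size()) - 1;
    }
};

// An edge is critical when its source has several successors and its
// target several predecessors; such an edge cannot carry code of its own.
static bool isCritical(const Cfg& g, int pred, int succ) {
    return g.blocks[pred].successors.size() > 1 && g.blocks[succ].predecessors.size() > 1;
}

// Break critical edges by routing each through a fresh pad block.
// dedupe=false: every occurrence of the same pred->succ pair gets its own pad,
// the behaviour the regression introduced. dedupe=true: the first occurrence
// creates the pad and later occurrences reuse it, as the fix does.
void breakCriticalEdges(Cfg& g, bool dedupe) {
    g.recomputePredecessors();
    const int originalCount = static_cast<int>(g.blocks.size());
    for (int pred = 0; pred < originalCount; ++pred) {
        std::map<int, int> padFor;   // successor -> pad already created for this pred
        for (std::size_t k = 0; k < g.blocks[pred].successors.size(); ++k) {
            int succ = g.blocks[pred].successors[k];
            if (!isCritical(g, pred, succ))
                continue;
            auto found = padFor.find(succ);
            int pad;
            if (dedupe && found != padFor.end()) {
                pad = found->second;
            } else {
                pad = g.addPad(succ);    // may reallocate g.blocks, so re-index below
                padFor[succ] = pad;
            }
            g.blocks[pred].successors[k] = pad;
        }
    }
    g.recomputePredecessors();
}

std::size_t padCount(const Cfg& g) {
    std::size_t n = 0;
    for (const Block& b : g.blocks)
        if (b.isPad) ++n;
    return n;
}

// Every pad must sit on exactly one edge: one predecessor, one successor.
bool padsWellFormed(const Cfg& g) {
    for (const Block& b : g.blocks)
        if (b.isPad && (b.predecessors.size() != 1 || b.successors.size() != 1))
            return false;
    return true;
}

// Block 0 is a switch whose two cases both jump to block 1 and whose default
// goes to block 2; block 3 also jumps to block 1. The edge 0->1 is critical
// and appears twice in block 0's successor list.
Cfg buildSample() {
    Cfg g;
    g.blocks.resize(4);
    g.blocks[0].successors = {1, 1, 2};
    g.blocks[3].successors = {1};
    return g;
}

int main() {
    Cfg naive = buildSample();
    breakCriticalEdges(naive, false);
    Cfg fixed = buildSample();
    breakCriticalEdges(fixed, true);
    std::printf("pads: naive=%zu fixed=%zu\n", padCount(naive), padCount(fixed));
    return 0;
}
```

Once predecessor lists are de-duplicated, the two occurrences of 0->1 are one edge as far as block 1 is concerned, so giving each its own pad leaves the successor and predecessor views of the graph disagreeing; mapping the pair to a single pad keeps them consistent.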
708
709 2018-06-14  Carlos Garcia Campos  <cgarcia@igalia.com>
710
711         [GTK][WPE] WebDriver: handle acceptInsecureCertificates capability
712         https://bugs.webkit.org/show_bug.cgi?id=186560
713
714         Reviewed by Brian Burg.
715
716         Add SessionCapabilities struct to Client class and unify requestAutomationSession() methods into a single one
717         that always receives the session capabilities.
718
719         * inspector/remote/RemoteInspector.h:
720         * inspector/remote/RemoteInspectorConstants.h:
721         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
722         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage): Move the parsing of mac capabilities from
723         WebKit here and fill the SessionCapabilities instead.
724         * inspector/remote/glib/RemoteInspectorGlib.cpp:
725         (Inspector::RemoteInspector::requestAutomationSession): Pass SessionCapabilities to the client.
726         * inspector/remote/glib/RemoteInspectorServer.cpp:
727         (Inspector::RemoteInspectorServer::startAutomationSession): Process SessionCapabilities.
728         * inspector/remote/glib/RemoteInspectorServer.h:
729
730 2018-06-13  Adrian Perez de Castro  <aperez@igalia.com>
731
732         [WPE] Trying to access the remote inspector hits an assertion in the UIProcess
733         https://bugs.webkit.org/show_bug.cgi?id=186588
734
735         Reviewed by Carlos Garcia Campos.
736
737         Make both the WPE and GTK+ ports use /org/webkit/inspector as base prefix
738         for resource paths, which avoids needing a switcheroo depending on the port.
739
740         * inspector/remote/glib/RemoteInspectorUtils.cpp:
741
742 2018-06-13  Caitlin Potter  <caitp@igalia.com>
743
744         [LLInt] use loadp consistently for get_from_scope/put_to_scope
745         https://bugs.webkit.org/show_bug.cgi?id=132333
746
747         Reviewed by Mark Lam.
748
749         Using `loadis` for register indexes and `loadp` for constant scopes /
750         symboltables makes sense, but is problematic for big-endian
751         architectures.
752
753         Consistently treating the operand as a pointer simplifies determining
754         how to access the operand, and helps avoid bad accesses and crashes on
755         big-endian ports.
756
757         * bytecode/CodeBlock.cpp:
758         (JSC::CodeBlock::finishCreation):
759         * bytecode/Instruction.h:
760         * jit/JITOperations.cpp:
761         * llint/LLIntSlowPaths.cpp:
762         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
763         * llint/LowLevelInterpreter32_64.asm:
764         * llint/LowLevelInterpreter64.asm:
765         * runtime/CommonSlowPaths.h:
766         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
767         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
768
769 2018-06-13  Keith Miller  <keith_miller@apple.com>
770
771         AutomaticThread should have a way to provide a thread name
772         https://bugs.webkit.org/show_bug.cgi?id=186604
773
774         Reviewed by Filip Pizlo.
775
776         Add names for JSC's automatic threads.
777
778         * dfg/DFGWorklist.cpp:
779         * heap/Heap.cpp:
780         * jit/JITWorklist.cpp:
781         * runtime/VMTraps.cpp:
782         * wasm/WasmWorklist.cpp:
783
784 2018-06-13  Saam Barati  <sbarati@apple.com>
785
786         CFGSimplificationPhase should de-dupe jettisonedBlocks
787         https://bugs.webkit.org/show_bug.cgi?id=186583
788
789         Reviewed by Filip Pizlo.
790
791         When making the predecessors list unique in r232741, it revealed a bug inside
792         of CFG simplification, where we try to remove the same predecessor more than
793         once from a block's predecessors list. We built the list of blocks to remove
794         from the list of successors, which is not unique, causing us to try to remove
795         the same predecessor more than once. The solution here is to just add to this
796         list of blocks to remove only if the block is not already in the list.
797
798         * dfg/DFGCFGSimplificationPhase.cpp:
799         (JSC::DFG::CFGSimplificationPhase::run):
800
801 2018-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
802
803         [JSC] Always use Nuke & Set procedure for x86
804         https://bugs.webkit.org/show_bug.cgi?id=186592
805
806         Reviewed by Keith Miller.
807
808         We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
809         By doing so, we can concurrently load structure and butterfly at least in x86 environment even in non-collector
810         threads.
811
812         * runtime/JSObject.cpp:
813         (JSC::JSObject::convertContiguousToArrayStorage):
814
815 2018-06-12  Saam Barati  <sbarati@apple.com>
816
817         Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle
818         https://bugs.webkit.org/show_bug.cgi?id=186071
819
820         Reviewed by Mark Lam.
821
822         * API/JSVirtualMachine.mm:
823         (-[JSVirtualMachine shrinkFootprint]): Deleted.
824         * API/JSVirtualMachinePrivate.h:
825
826 2018-06-11  Saam Barati  <sbarati@apple.com>
827
828         Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
829         https://bugs.webkit.org/show_bug.cgi?id=181409
830         <rdar://problem/36383749>
831
832         Reviewed by Keith Miller.
833
834         This patch is me redoing r226655. This is a patch I wrote when
835         profiling Speedometer. Fil rolled this change out in r230928. He
836         showed this slowed down a SunSpider test by ~2x. This SunSpider
837         regression revealed a real performance bug in the original change:
838         we would kill blocks that reached OSR entry targets, sometimes leading
839         us to not do OSR entry into the DFG, since we could end up deleting
840         entire loops from the CFG. The reason for this is that code that has run
841         ~once and that reaches loops often has ForceOSRExits inside of it. The
842         solution to this is to not perform this optimization on blocks that can
843         reach OSR entry targets.
844         
845         The reason I'm redoing this patch is that it turns out Fil rolling
846         out the change was a Speedometer 2 regression.
847         
848         This is a modified version of the original ChangeLog I wrote in r226655:
849         
850         When I was looking at profiler data for Speedometer, I noticed that one of
851         the hottest functions in Speedometer is around 1100 bytecode operations long.
852         Only about 100 of those bytecode ops ever execute. However, we ended up
853         spending a lot of time compiling basic blocks that never executed. We often
854         plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
855         This is the case when such a node never executes.
856         
857         This patch makes it so that anytime a block has a ForceOSRExit, and that block
858         cannot reach an OSR entry target, we replace its terminal node with an Unreachable
859         node, and remove all nodes after the ForceOSRExit. This cuts down the graph
860         size since it removes control flow edges from the CFG. This allows us to get
861         rid of huge chunks of the CFG in certain programs. When doing this transformation,
862         we also insert Flushes/PhantomLocals to ensure we can recover values that are bytecode
863         live-in to the ForceOSRExit.
864         
865         Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
866         does not get rid of all the CFG that it could. If we decide it's worth
867         it, we could use additional inputs into this mechanism. For example, we could
868         profile if a basic block ever executes inside the LLInt/Baseline, and
869         remove parts of the CFG based on that.
870         
871         When running Speedometer with the concurrent JIT turned off, this patch
872         improves DFG/FTL compile times by around 5%.
873
874         * dfg/DFGByteCodeParser.cpp:
875         (JSC::DFG::ByteCodeParser::addToGraph):
876         (JSC::DFG::ByteCodeParser::inlineCall):
877         (JSC::DFG::ByteCodeParser::parse):
878         * dfg/DFGGraph.cpp:
879         (JSC::DFG::Graph::blocksInPostOrder):
880
881 2018-06-11  Saam Barati  <sbarati@apple.com>
882
883         The NaturalLoops algorithm only works when the list of blocks in a loop is de-duplicated
884         https://bugs.webkit.org/show_bug.cgi?id=184829
885
886         Reviewed by Michael Saboff.
887
888         This patch codifies that a BasicBlock's list of predecessors is de-duplicated.
889         In B3/Air, this just meant writing a validation rule. In DFG, this meant
890         ensuring this property when building up the predecessors list, and also adding
891         a validation rule. The NaturalLoops algorithm relies on this property.
892
893         * b3/B3Validate.cpp:
894         * b3/air/AirValidate.cpp:
895         * b3/testb3.cpp:
896         (JSC::B3::testLoopWithMultipleHeaderEdges):
897         (JSC::B3::run):
898         * dfg/DFGGraph.cpp:
899         (JSC::DFG::Graph::handleSuccessor):
900         * dfg/DFGValidate.cpp:
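
The three de-duplication fixes above (unique predecessor lists in r232741, the breakCriticalEdge fix for repeated predecessor->successor edges, and the CFG simplification de-dupe) share one idea, shown here as an added example that is not JavaScriptCore's code: successor lists may repeat a target, predecessor lists are kept unique and validated, and critical-edge breaking inserts a single pad per distinct pair. Block, Graph and the A/B/C/D scenario are constructed for illustration.

```cpp
// Added example, not JavaScriptCore's code: a toy CFG whose successor lists
// may repeat a target (a switch with two cases to one block) while predecessor
// lists stay unique, plus critical-edge breaking that pads each distinct
// (predecessor, successor) pair exactly once.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

struct Block {
    std::string name;
    std::vector<Block*> successors;   // one slot per edge; duplicates allowed
    std::vector<Block*> predecessors; // de-duplicated, as r232741 requires
    explicit Block(std::string n) : name(std::move(n)) {}
};

struct Graph {
    std::vector<std::unique_ptr<Block>> blocks;

    Block* addBlock(const std::string& name) {
        blocks.push_back(std::make_unique<Block>(name));
        return blocks.back().get();
    }

    // Record every successor slot, but a predecessor only once (the idea
    // behind Graph::handleSuccessor after r232741).
    void addEdge(Block* from, Block* to) {
        from->successors.push_back(to);
        if (std::find(to->predecessors.begin(), to->predecessors.end(), from) == to->predecessors.end())
            to->predecessors.push_back(from);
    }

    // Validation rule: no block lists the same predecessor twice.
    bool predecessorsAreUnique() const {
        for (const auto& b : blocks) {
            for (std::size_t i = 0; i < b->predecessors.size(); ++i)
                for (std::size_t j = i + 1; j < b->predecessors.size(); ++j)
                    if (b->predecessors[i] == b->predecessors[j])
                        return false;
        }
        return true;
    }

    // A critical edge leaves a block with several successor slots and enters
    // a block with several predecessors. Every slot from `from` to `to` is
    // redirected to one shared pad, so a repeated edge gets one pad, not one
    // per slot, and the single predecessor entry for `from` in `to` is
    // rewritten once.
    std::size_t breakCriticalEdges() {
        std::size_t padsInserted = 0;
        const std::size_t originalCount = blocks.size(); // pads appended later are never critical
        for (std::size_t bi = 0; bi < originalCount; ++bi) {
            Block* from = blocks[bi].get();
            if (from->successors.size() < 2)
                continue;
            for (std::size_t si = 0; si < from->successors.size(); ++si) {
                Block* to = from->successors[si];
                if (to->predecessors.size() < 2)
                    continue; // not critical (also skips pads, which have one predecessor)
                Block* pad = addBlock(from->name + "->" + to->name);
                ++padsInserted;
                pad->predecessors.push_back(from);
                pad->successors.push_back(to);
                for (Block*& slot : from->successors) // all slots, including later duplicates
                    if (slot == to)
                        slot = pad;
                std::replace(to->predecessors.begin(), to->predecessors.end(), from, pad);
            }
        }
        return padsInserted;
    }
};

// Constructed scenario: A switches to B twice and to C once, and D also
// branches to B. A->B is critical (two slots) and must get a single pad;
// A->C (C has one predecessor) and D->B (D has one successor) are not.
struct Scenario {
    Graph graph;
    Block* a; Block* b; Block* c; Block* d;
    Scenario() {
        a = graph.addBlock("A");
        b = graph.addBlock("B");
        c = graph.addBlock("C");
        d = graph.addBlock("D");
        graph.addEdge(a, b);
        graph.addEdge(a, b);
        graph.addEdge(a, c);
        graph.addEdge(d, b);
    }
};

int main() {
    Scenario s;
    std::size_t pads = s.graph.breakCriticalEdges();
    std::printf("pads inserted: %zu, predecessors unique: %s\n",
                pads, s.graph.predecessorsAreUnique() ? "yes" : "no");
    return 0;
}
```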
901
902 2018-06-11  Keith Miller  <keith_miller@apple.com>
903
904         Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire which churns 65KB of memory
905         https://bugs.webkit.org/show_bug.cgi?id=186467
906
907         Reviewed by Simon Fraser.
908
909         This patch adds a LazyFireDetail that wraps ScopedLambda so that
910         we don't actually malloc any strings for firing unless those
911         Strings are actually going to be printed.
912
913         * bytecode/Watchpoint.h:
914         (JSC::LazyFireDetail::LazyFireDetail):
915         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
916         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
917         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
918         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
919         * runtime/ArrayPrototype.cpp:
920         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
921
922 2018-06-11  Mark Lam  <mark.lam@apple.com>
923
924         Add support for webkit-test-runner jscOptions in DumpRenderTree and WebKitTestRunner.
925         https://bugs.webkit.org/show_bug.cgi?id=186451
926         <rdar://problem/40875792>
927
928         Reviewed by Tim Horton.
929
930         Enhance setOptions() to be able to take a comma separated options string in
931         addition to whitespace-separated option strings.
932
933         * runtime/Options.cpp:
934         (JSC::isSeparator):
935         (JSC::Options::setOptions):
936
937 2018-06-11  Michael Saboff  <msaboff@apple.com>
938
939         JavaScriptCore: Disable 32-bit JIT on Windows
940         https://bugs.webkit.org/show_bug.cgi?id=185989
941
942         Reviewed by Mark Lam.
943
944         Fixed the CLOOP so it can work when COMPUTED_GOTOs are not supported.
945
946         * llint/LLIntData.h:
947         (JSC::LLInt::getCodePtr): Used a reinterpret_cast since Opcode could be an int.
948         * llint/LowLevelInterpreter.cpp: Changed the definition of OFFLINE_ASM_GLOBAL_LABEL to not
949         have a case label because these aren't opcodes.
950         * runtime/Options.cpp: Made assembler related Windows conditional code also conditional
951         on the JIT being enabled.
952         (JSC::recomputeDependentOptions):
953
954 2018-06-11  Michael Saboff  <msaboff@apple.com>
955
956         Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled
957         https://bugs.webkit.org/show_bug.cgi?id=186477
958
959         Reviewed by Filip Pizlo.
960
961         Fixed bug where we were using the wrong frame size for TypeParenthesesSubpatternTerminalBegin
962         YARR interpreter nodes.  This caused us to overwrite other frame information.
963
964         Added frame offset debugging code to YARR interpreter.
965
966         * yarr/YarrInterpreter.cpp:
967         (JSC::Yarr::ByteCompiler::emitDisjunction):
968         (JSC::Yarr::ByteCompiler::dumpDisjunction):
969
970 2018-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
971
972         [JSC] Array.prototype.sort should reject null comparator
973         https://bugs.webkit.org/show_bug.cgi?id=186458
974
975         Reviewed by Keith Miller.
976
977         This relaxed behavior was once introduced in r216169 to fix some pages by aligning
978         the behavior with Chrome and Firefox.
979
980         However, now Chrome, Firefox and Edge reject a null comparator. So only JavaScriptCore
981         accepts it. This patch reverts r216169 to align JSC to the other engines and fix
982         the spec issue.
983
984         * builtins/ArrayPrototype.js:
985         (sort):
986
987 2018-06-09  Dan Bernstein  <mitz@apple.com>
988
989         [Xcode] Clean up and modernize some build setting definitions
990         https://bugs.webkit.org/show_bug.cgi?id=186463
991
992         Reviewed by Sam Weinig.
993
994         * Configurations/Base.xcconfig: Removed definition for macOS 10.11. Simplified the
995           definition of WK_PRIVATE_FRAMEWORK_STUBS_DIR now that WK_XCODE_SUPPORTS_TEXT_BASED_STUBS
996           is true for all supported Xcode versions.
997         * Configurations/DebugRelease.xcconfig: Removed definition for macOS 10.11.
998         * Configurations/FeatureDefines.xcconfig: Simplified the definitions of ENABLE_APPLE_PAY and
999           ENABLE_VIDEO_PRESENTATION_MODE now macOS 10.12 is the earliest supported version.
1000         * Configurations/Version.xcconfig: Removed definition for macOS 10.11.
1001         * Configurations/WebKitTargetConditionals.xcconfig: Removed definitions for macOS 10.11.
1002
1003 2018-06-09  Dan Bernstein  <mitz@apple.com>
1004
1005         Added missing file references to the Configuration group.
1006
1007         * JavaScriptCore.xcodeproj/project.pbxproj:
1008
1009 2018-06-08  Darin Adler  <darin@apple.com>
1010
1011         [Cocoa] Remove all uses of NSAutoreleasePool as part of preparation for ARC
1012         https://bugs.webkit.org/show_bug.cgi?id=186436
1013
1014         Reviewed by Anders Carlsson.
1015
1016         * heap/Heap.cpp: Include FoundationSPI.h rather than directly including
1017         objc-internal.h and explicitly declaring the alternative.
1018
1019 2018-06-08  Wenson Hsieh  <wenson_hsieh@apple.com>
1020
1021         [WebKit on watchOS] Upstream watchOS source additions to OpenSource (Part 1)
1022         https://bugs.webkit.org/show_bug.cgi?id=186442
1023         <rdar://problem/40879364>
1024
1025         Reviewed by Tim Horton.
1026
1027         * Configurations/FeatureDefines.xcconfig:
1028
1029 2018-06-08  Tadeu Zagallo  <tzagallo@apple.com>
1030
1031         jumpTrueOrFalse only takes the fast path for boolean false on 64bit LLInt 
1032         https://bugs.webkit.org/show_bug.cgi?id=186446
1033         <rdar://problem/40949995>
1034
1035         Reviewed by Mark Lam.
1036
1037         On 64bit LLInt, jumpTrueOrFalse did a mask check to take the fast path for
1038         boolean literals, but it would only work for false. Change it so that it
1039         takes the fast path for true, false, null and undefined.
1040
1041         * llint/LowLevelInterpreter.asm:
1042         * llint/LowLevelInterpreter64.asm:
1043
1044 2018-06-08  Brian Burg  <bburg@apple.com>
1045
1046         [Cocoa] Web Automation: include browser name and version in listing for automation targets
1047         https://bugs.webkit.org/show_bug.cgi?id=186204
1048         <rdar://problem/36950423>
1049
1050         Reviewed by Darin Adler.
1051
1052         Ask the client what the reported browser name and version should be, then
1053         send this as part of the listing for an automation target.
1054
1055         * inspector/remote/RemoteInspectorConstants.h:
1056         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1057         (Inspector::RemoteInspector::listingForAutomationTarget const):
1058
1059 2018-06-07  Chris Dumez  <cdumez@apple.com>
1060
1061         Add base class to get WeakPtrFactory member and avoid some boilerplate code
1062         https://bugs.webkit.org/show_bug.cgi?id=186407
1063
1064         Reviewed by Brent Fulgham.
1065
1066         Add CanMakeWeakPtr base class to get WeakPtrFactory member and its getter, in
1067         order to avoid some boilerplate code in every class needing a WeakPtrFactory.
1068         This also gets rid of old-style createWeakPtr() methods in favor of the newer
1069         makeWeakPtr().
1070
1071         * wasm/WasmInstance.h:
1072         * wasm/WasmMemory.cpp:
1073         (JSC::Wasm::Memory::registerInstance):
1074
1075 2018-06-07  Tadeu Zagallo  <tzagallo@apple.com>
1076
1077         Don't try to allocate JIT memory if we don't have the JIT entitlement
1078         https://bugs.webkit.org/show_bug.cgi?id=182605
1079         <rdar://problem/38271229>
1080
1081         Reviewed by Mark Lam.
1082
1083         Check that the current process has the correct entitlements before
1084         trying to allocate JIT memory to silence warnings.
1085
1086         * jit/ExecutableAllocator.cpp:
1087         (JSC::allowJIT): Helper that checks entitlements on iOS and returns true on other platforms
1088         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): check allowJIT before trying to allocate
1089
1090 2018-06-07  Saam Barati  <sbarati@apple.com>
1091
1092         TierUpCheckInjectionPhase systematically never puts the outer-most loop in an inner loop's vector of outer loops
1093         https://bugs.webkit.org/show_bug.cgi?id=186386
1094
1095         Reviewed by Filip Pizlo.
1096
1097         This looks like an 8% speedup on Kraken's imaging-gaussian-blur subtest.
1098
1099         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1100         (JSC::DFG::TierUpCheckInjectionPhase::run):
1101
1102 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
1103
1104         FunctionRareData::m_objectAllocationProfileWatchpoint is racy
1105         https://bugs.webkit.org/show_bug.cgi?id=186237
1106
1107         Reviewed by Saam Barati.
1108
1109         We initialize it blind and let it go into auto-watch mode once the DFG adds a watchpoint, but
1110         that means that we never notice that it fired if it fires between when the DFG decides to
1111         watch it and when it actually adds the watchpoint.
1112         
1113         Most watchpoints are initialized watched for this purpose. This one had a somewhat good
1114         reason for being initialized blind: that's how we knew to ignore changes to the prototype
1115         before the first allocation. However, that functionality also arose out of the fact that the
1116         rare data is created lazily and usually won't exist until the first allocation.
1117         
1118         The fix here is to make the watchpoint go into watched mode as soon as we initialize the
1119         object allocation profile.
1120         
1121         It's hard to repro this race, however it started causing spurious test failures for me after
1122         bug 164904.
1123
1124         * runtime/FunctionRareData.cpp:
1125         (JSC::FunctionRareData::FunctionRareData):
1126         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1127
1128 2018-06-07  Saam Barati  <sbarati@apple.com>
1129
1130         Make DFG to FTL OSR entry code more sane by removing bad RELEASE_ASSERTS and making it trigger compiles in outer loops before inner ones
1131         https://bugs.webkit.org/show_bug.cgi?id=186218
1132         <rdar://problem/38449540>
1133
1134         Reviewed by Filip Pizlo.
1135
1136         This patch makes tierUpCommon a tad bit more sane. There are a few things
1137         that I did:
1138         - There were a few release asserts that were crashing. Those release asserts
1139         were incorrect. They were making assumptions about how the code and data
1140         structures were ordered that were wrong. This patch removes them. The code
1141         was using the loop hierarchy vector to make assumptions about which loop we
1142         were currently executing in, which is incorrect. The only information that
1143         can be used about where we're currently executing is the bytecode index we're
1144         at.
1145         - This makes it so that we go back to trying to compile outer loops before
1146         inner loops. JF accidentally reverted this behavior that Ben implemented.
1147         JF made it so that we just compiled the innermost loop. I make this
1148         functionality work by first triggering a compile for the outermost loop
1149         that the code is currently executing in and that can perform OSR entry.
1150         However, some programs can get stuck in inner loops. The code works by
1151         progressively asking inner loops to compile if program execution has not
1152         yet reached an outer loop.
1153
1154         * dfg/DFGOperations.cpp:
1155
1156 2018-06-06  Guillaume Emont  <guijemont@igalia.com>
1157
1158         ArityFixup should adjust SP first on 32-bit platforms too
1159         https://bugs.webkit.org/show_bug.cgi?id=186351
1160
1161         Reviewed by Yusuke Suzuki.
1162
1163         * jit/ThunkGenerators.cpp:
1164         (JSC::arityFixupGenerator):
1165
1166 2018-06-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1167
1168         [DFG] Compare operations do not respect negative zeros
1169         https://bugs.webkit.org/show_bug.cgi?id=183729
1170
1171         Reviewed by Saam Barati.
1172
1173         Compare operations do not respect negative zeros. So propagating this can
1174         reduce the size of the produced code for negative zero case. This pattern
1175         can be seen in Kraken stanford-crypto-aes.
1176
1177         This also causes an existing bug which converts CompareEq(Int32Only, NonIntAsDouble) to false.
1178         However, NonIntAsDouble includes negative zero, which can be equal to Int32 positive zero.
1179         This issue is covered by fold-based-on-int32-proof-mul-branch.js, and we fix this.
1180
1181         * bytecode/SpeculatedType.cpp:
1182         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
1183         SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0.
1184         To emphasize this, we use SpecAnyIntAsDouble | SpecNonIntAsDouble directly instead of
1185         SpecDoubleReal.
1186
1187         * dfg/DFGBackwardsPropagationPhase.cpp:
1188         (JSC::DFG::BackwardsPropagationPhase::propagate):
1189
1190 2018-06-06  Saam Barati  <sbarati@apple.com>
1191
1192         generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
1193         https://bugs.webkit.org/show_bug.cgi?id=186363
1194
1195         Rubber-stamped by Filip Pizlo.
1196
1197         The code was assuming that the object it was creating an OPC for always
1198         had a non-poly-proto structure. However, this assumption was wrong. For
1199         example, an object in the prototype chain could be poly proto. That type 
1200         of object graph would cause a crash in this code. This patch makes it so
1201         that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
1202         object as we traverse the prototype chain.
1203
1204         * bytecode/ObjectPropertyConditionSet.cpp:
1205         (JSC::generateConditionsForInstanceOf):
1206
1207 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
1208
1209         Adjust compile and runtime flags to match shippable state of features
1210         https://bugs.webkit.org/show_bug.cgi?id=186319
1211         <rdar://problem/40352045>
1212
1213         Reviewed by Maciej Stachowiak, Jon Lee, and others.
1214
1215         This patch revises the compile time and runtime state for various features to match their
1216         suitability for end-user releases.
1217
1218         * Configurations/DebugRelease.xcconfig: Update to match WebKit definition of
1219         WK_RELOCATABLE_FRAMEWORKS so that ENABLE(EXPERIMENTAL_FEATURES) is defined properly for
1220         Cocoa builds.
1221         * Configurations/FeatureDefines.xcconfig: Don't build ENABLE_INPUT_TYPE_COLOR
1222         or ENABLE_INPUT_TYPE_COLOR_POPOVER.
1223         * runtime/Options.h: Only enable INTL_NUMBER_FORMAT_TO_PARTS and INTL_PLURAL_RULES
1224         at runtime for non-production builds.
1225
1226 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
1227
1228         Revise DEFAULT_EXPERIMENTAL_FEATURES_ENABLED to work properly on Apple builds
1229         https://bugs.webkit.org/show_bug.cgi?id=186286
1230         <rdar://problem/40782992>
1231
1232         Reviewed by Dan Bernstein.
1233
1234         Use the WK_RELOCATABLE_FRAMEWORKS flag (which is always defined for non-production builds)
1235         to define ENABLE(EXPERIMENTAL_FEATURES) so that we do not need to manually
1236         change this flag when preparing for a production release.
1237
1238         * Configurations/FeatureDefines.xcconfig: Use WK_RELOCATABLE_FRAMEWORKS to determine
1239         whether experimental features should be enabled, and use it to properly define the
1240         feature flag.
1241
1242 2018-06-05  Darin Adler  <darin@apple.com>
1243
1244         [Cocoa] Update some JavaScriptCore code to be more ready for ARC
1245         https://bugs.webkit.org/show_bug.cgi?id=186301
1246
1247         Reviewed by Anders Carlsson.
1248
1249         * API/JSContext.mm:
1250         (-[JSContext evaluateScript:withSourceURL:]): Use __bridge for typecast.
1251         (-[JSContext setName:]): Removed unnecessary call to copy, since the
1252         JSStringCreateWithCFString function already reads the characters out
1253         of the string and does not retain the string, so there is no need to
1254         make an immutable copy. And used __bridge for typecast.
1255         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1256         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
1257         Ditto.
1258
1259         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
1260         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
1261         Use CFBridgingRelease instead of autorelease for a CF dictionary that
1262         we return as an NSDictionary.
1263
1264 2018-06-04  Keith Miller  <keith_miller@apple.com>
1265
1266         Remove missing files from JavaScriptCore Xcode project
1267         https://bugs.webkit.org/show_bug.cgi?id=186297
1268
1269         Reviewed by Saam Barati.
1270
1271         * JavaScriptCore.xcodeproj/project.pbxproj:
1272
1273 2018-06-04  Keith Miller  <keith_miller@apple.com>
1274
1275         Add test for CoW conversions in the DFG/FTL
1276         https://bugs.webkit.org/show_bug.cgi?id=186295
1277
1278         Reviewed by Saam Barati.
1279
1280         Add a function to $vm that returns a JSString containing the
1281         dataLog dump of the indexingMode of an Object.
1282
1283         * tools/JSDollarVM.cpp:
1284         (JSC::functionIndexingMode):
1285         (JSC::JSDollarVM::finishCreation):
1286
1287 2018-06-04  Saam Barati  <sbarati@apple.com>
1288
1289         Set the activeLength of all ScratchBuffers to zero when exiting the VM
1290         https://bugs.webkit.org/show_bug.cgi?id=186284
1291         <rdar://problem/40780738>
1292
1293         Reviewed by Keith Miller.
1294
1295         Simon recently found instances where we leak global objects from the
1296         ScratchBuffer. Yusuke found that we forgot to set the active length
1297         back to zero when doing catch OSR entry in the DFG/FTL. His solution
1298         to this was adding a node that cleared the active length. This is
1299         a good node to have, but it's not a complete solution: the DFG/FTL
1300         could OSR exit before that node executes, which would cause us to leak
1301         the data in it.
1302         
1303         This patch makes it so that we set each scratch buffer's active length
1304         to zero on VM exit. This helps prevent leaks for JS code that eventually
1305         exits the VM (which is essentially all code on the web and all API users).
1306
1307         * runtime/VM.cpp:
1308         (JSC::VM::clearScratchBuffers):
1309         * runtime/VM.h:
1310         * runtime/VMEntryScope.cpp:
1311         (JSC::VMEntryScope::~VMEntryScope):
1312
1313 2018-06-04  Keith Miller  <keith_miller@apple.com>
1314
1315         JSLock should clear last exception when releasing the lock
1316         https://bugs.webkit.org/show_bug.cgi?id=186277
1317
1318         Reviewed by Mark Lam.
1319
1320         If we don't clear the last exception, we essentially leak the
1321         object and everything referenced by it until another exception is
1322         thrown.
1323
1324         * runtime/JSLock.cpp:
1325         (JSC::JSLock::willReleaseLock):
1326
1327 2018-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1328
1329         Get rid of UnconditionalFinalizers and WeakReferenceHarvesters
1330         https://bugs.webkit.org/show_bug.cgi?id=180248
1331
1332         Reviewed by Sam Weinig.
1333
1334         As a final step, this patch removes ListableHandler from JSC.
1335         Nobody uses UnconditionalFinalizers and WeakReferenceHarvesters now.
1336
1337         * CMakeLists.txt:
1338         * JavaScriptCore.xcodeproj/project.pbxproj:
1339         * heap/Heap.h:
1340         * heap/ListableHandler.h: Removed.
1341
1342 2018-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1343
1344         LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
1345         https://bugs.webkit.org/show_bug.cgi?id=186223
1346
1347         Reviewed by Keith Miller.
1348
1349         After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
1350         It makes this buffer a conservative GC root, and allows it to hold GC objects unnecessarily long.
1351
1352         This patch introduces DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
1353         We model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize too to make
1354         this ClearCatchLocals valid.
1355
1356         The existing tests for ExtractCatchLocal just pass.
1357
1358         * dfg/DFGAbstractHeap.h:
1359         * dfg/DFGAbstractInterpreterInlines.h:
1360         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1361         * dfg/DFGByteCodeParser.cpp:
1362         (JSC::DFG::ByteCodeParser::parseBlock):
1363         * dfg/DFGClobberize.h:
1364         (JSC::DFG::clobberize):
1365         * dfg/DFGDoesGC.cpp:
1366         (JSC::DFG::doesGC):
1367         * dfg/DFGFixupPhase.cpp:
1368         (JSC::DFG::FixupPhase::fixupNode):
1369         * dfg/DFGMayExit.cpp:
1370         * dfg/DFGNodeType.h:
1371         * dfg/DFGOSREntry.cpp:
1372         (JSC::DFG::prepareCatchOSREntry):
1373         * dfg/DFGPredictionPropagationPhase.cpp:
1374         * dfg/DFGSafeToExecute.h:
1375         (JSC::DFG::safeToExecute):
1376         * dfg/DFGSpeculativeJIT.cpp:
1377         (JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
1378         * dfg/DFGSpeculativeJIT.h:
1379         * dfg/DFGSpeculativeJIT32_64.cpp:
1380         (JSC::DFG::SpeculativeJIT::compile):
1381         * dfg/DFGSpeculativeJIT64.cpp:
1382         (JSC::DFG::SpeculativeJIT::compile):
1383         * ftl/FTLCapabilities.cpp:
1384         (JSC::FTL::canCompile):
1385         * ftl/FTLLowerDFGToB3.cpp:
1386         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1387         (JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):
1388
1389 2018-06-02  Darin Adler  <darin@apple.com>
1390
1391         [Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
1392         https://bugs.webkit.org/show_bug.cgi?id=186227
1393
1394         Reviewed by Dan Bernstein.
1395
1396         * API/JSContext.mm:
1397         (-[JSContext name]): Use CFBridgingRelease instead of autorelease.
1398         * API/JSValue.mm:
1399         (valueToObjectWithoutCopy): Use CFBridgingRelease instead of autorelease.
1400         (containerValueToObject): Use adoptCF instead of autorelease. This is not only more
1401         ARC-compatible, but more efficient.
1402         (valueToString): Use CFBridgingRelease instead of autorelease.
1403
1404 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
1405
1406         [ESNext][BigInt] Implement support for addition operations
1407         https://bugs.webkit.org/show_bug.cgi?id=179002
1408
1409         Reviewed by Yusuke Suzuki.
1410
1411         This patch implements support for BigInt operands in the binary "+"
1412         and binary "-" operators. Right now, we have limited support in the DFG
1413         and FTL JIT layers, but we plan to fix this support in future
1414         patches.
1415
1416         * jit/JITOperations.cpp:
1417         * runtime/CommonSlowPaths.cpp:
1418         (JSC::SLOW_PATH_DECL):
1419         * runtime/JSBigInt.cpp:
1420         (JSC::JSBigInt::parseInt):
1421         (JSC::JSBigInt::stringToBigInt):
1422         (JSC::JSBigInt::toString):
1423         (JSC::JSBigInt::multiply):
1424         (JSC::JSBigInt::divide):
1425         (JSC::JSBigInt::remainder):
1426         (JSC::JSBigInt::add):
1427         (JSC::JSBigInt::sub):
1428         (JSC::JSBigInt::absoluteAdd):
1429         (JSC::JSBigInt::absoluteSub):
1430         (JSC::JSBigInt::toStringGeneric):
1431         (JSC::JSBigInt::allocateFor):
1432         (JSC::JSBigInt::toNumber const):
1433         (JSC::JSBigInt::getPrimitiveNumber const):
1434         * runtime/JSBigInt.h:
1435         * runtime/JSCJSValueInlines.h:
1436         * runtime/Operations.cpp:
1437         (JSC::jsAddSlowCase):
1438         * runtime/Operations.h:
1439         (JSC::jsSub):
1440
1441 2018-06-02  Commit Queue  <commit-queue@webkit.org>
1442
1443         Unreviewed, rolling out r232439.
1444         https://bugs.webkit.org/show_bug.cgi?id=186238
1445
1446         It breaks gtk-linux-32-release (Requested by caiolima on
1447         #webkit).
1448
1449         Reverted changeset:
1450
1451         "[ESNext][BigInt] Implement support for addition operations"
1452         https://bugs.webkit.org/show_bug.cgi?id=179002
1453         https://trac.webkit.org/changeset/232439
1454
1455 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1456
1457         Baseline op_jtrue emits an insane amount of code
1458         https://bugs.webkit.org/show_bug.cgi?id=185708
1459
1460         Reviewed by Filip Pizlo.
1461
1462         op_jtrue / op_jfalse bloat a massive amount of code. This patch attempts to reduce the size of this code by:
1463
1464         1. op_jtrue / op_jfalse immediately jump if the condition is met. We add AssemblyHelpers::branchIf{Truthy,Falsey}
1465            to jump directly. This tightens the code.
1466
1467         2. Align our emitConvertValueToBoolean implementation with FTL's boolify function. It emits less code.
1468
1469         This reduces the code size of op_jtrue in x64 from 220 bytes to 164 bytes.
1470
1471         [  12] jtrue             arg1, 6(->18)
1472               0x7f233170162c: mov 0x30(%rbp), %rax
1473               0x7f2331701630: mov %rax, %rsi
1474               0x7f2331701633: xor $0x6, %rsi
1475               0x7f2331701637: test $0xfffffffffffffffe, %rsi
1476               0x7f233170163e: jnz 0x7f2331701654
1477               0x7f2331701644: cmp $0x7, %eax
1478               0x7f2331701647: setz %sil
1479               0x7f233170164b: movzx %sil, %esi
1480               0x7f233170164f: jmp 0x7f2331701705
1481               0x7f2331701654: test %rax, %r14
1482               0x7f2331701657: jz 0x7f233170169c
1483               0x7f233170165d: cmp %r14, %rax
1484               0x7f2331701660: jb 0x7f2331701675
1485               0x7f2331701666: test %eax, %eax
1486               0x7f2331701668: setnz %sil
1487               0x7f233170166c: movzx %sil, %esi
1488               0x7f2331701670: jmp 0x7f2331701705
1489               0x7f2331701675: lea (%r14,%rax), %rsi
1490               0x7f2331701679: movq %rsi, %xmm0
1491               0x7f233170167e: xorps %xmm1, %xmm1
1492               0x7f2331701681: ucomisd %xmm1, %xmm0
1493               0x7f2331701685: jz 0x7f2331701695
1494               0x7f233170168b: mov $0x1, %esi
1495               0x7f2331701690: jmp 0x7f2331701705
1496               0x7f2331701695: xor %esi, %esi
1497               0x7f2331701697: jmp 0x7f2331701705
1498               0x7f233170169c: test %rax, %r15
1499               0x7f233170169f: jnz 0x7f2331701703
1500               0x7f23317016a5: cmp $0x1, 0x5(%rax)
1501               0x7f23317016a9: jnz 0x7f23317016c1
1502               0x7f23317016af: mov 0x8(%rax), %esi
1503               0x7f23317016b2: test %esi, %esi
1504               0x7f23317016b4: setnz %sil
1505               0x7f23317016b8: movzx %sil, %esi
1506               0x7f23317016bc: jmp 0x7f2331701705
1507               0x7f23317016c1: test $0x1, 0x6(%rax)
1508               0x7f23317016c5: jz 0x7f23317016f9
1509               0x7f23317016cb: mov (%rax), %esi
1510               0x7f23317016cd: mov $0x7f23315000c8, %rdx
1511               0x7f23317016d7: mov (%rdx), %rdx
1512               0x7f23317016da: mov (%rdx,%rsi,8), %rsi
1513               0x7f23317016de: mov $0x7f2330de0000, %rdx
1514               0x7f23317016e8: cmp %rdx, 0x18(%rsi)
1515               0x7f23317016ec: jnz 0x7f23317016f9
1516               0x7f23317016f2: xor %esi, %esi
1517               0x7f23317016f4: jmp 0x7f2331701705
1518               0x7f23317016f9: mov $0x1, %esi
1519               0x7f23317016fe: jmp 0x7f2331701705
1520               0x7f2331701703: xor %esi, %esi
1521               0x7f2331701705: test %esi, %esi
1522               0x7f2331701707: jnz 0x7f233170171b
1523
1524         [  12] jtrue             arg1, 6(->18)
1525               0x7f6c8710156c: mov 0x30(%rbp), %rax
1526               0x7f6c87101570: test %rax, %r15
1527               0x7f6c87101573: jnz 0x7f6c871015c8
1528               0x7f6c87101579: cmp $0x1, 0x5(%rax)
1529               0x7f6c8710157d: jnz 0x7f6c87101592
1530               0x7f6c87101583: cmp $0x0, 0x8(%rax)
1531               0x7f6c87101587: jnz 0x7f6c87101623
1532               0x7f6c8710158d: jmp 0x7f6c87101615
1533               0x7f6c87101592: test $0x1, 0x6(%rax)
1534               0x7f6c87101596: jz 0x7f6c87101623
1535               0x7f6c8710159c: mov (%rax), %esi
1536               0x7f6c8710159e: mov $0x7f6c86f000e0, %rdx
1537               0x7f6c871015a8: mov (%rdx), %rdx
1538               0x7f6c871015ab: mov (%rdx,%rsi,8), %rsi
1539               0x7f6c871015af: mov $0x7f6c867e0000, %rdx
1540               0x7f6c871015b9: cmp %rdx, 0x18(%rsi)
1541               0x7f6c871015bd: jnz 0x7f6c87101623
1542               0x7f6c871015c3: jmp 0x7f6c87101615
1543               0x7f6c871015c8: cmp %r14, %rax
1544               0x7f6c871015cb: jb 0x7f6c871015de
1545               0x7f6c871015d1: test %eax, %eax
1546               0x7f6c871015d3: jnz 0x7f6c87101623
1547               0x7f6c871015d9: jmp 0x7f6c87101615
1548               0x7f6c871015de: test %rax, %r14
1549               0x7f6c871015e1: jz 0x7f6c87101602
1550               0x7f6c871015e7: lea (%r14,%rax), %rsi
1551               0x7f6c871015eb: movq %rsi, %xmm0
1552               0x7f6c871015f0: xorps %xmm1, %xmm1
1553               0x7f6c871015f3: ucomisd %xmm1, %xmm0
1554               0x7f6c871015f7: jz 0x7f6c87101615
1555               0x7f6c871015fd: jmp 0x7f6c87101623
1556               0x7f6c87101602: mov $0x7, %r11
1557               0x7f6c8710160c: cmp %r11, %rax
1558               0x7f6c8710160f: jz 0x7f6c87101623
1559
1560         * dfg/DFGSpeculativeJIT32_64.cpp:
1561         (JSC::DFG::SpeculativeJIT::emitBranch):
1562         * dfg/DFGSpeculativeJIT64.cpp:
1563         (JSC::DFG::SpeculativeJIT::emitBranch):
1564         * jit/AssemblyHelpers.cpp:
1565         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
1566         (JSC::AssemblyHelpers::branchIfValue):
1567         * jit/AssemblyHelpers.h:
1568         (JSC::AssemblyHelpers::branchIfTruthy):
1569         (JSC::AssemblyHelpers::branchIfFalsey):
1570         * jit/JIT.h:
1571         * jit/JITInlines.h:
1572         (JSC::JIT::addJump):
1573         * jit/JITOpcodes.cpp:
1574         (JSC::JIT::emit_op_jfalse):
1575         (JSC::JIT::emit_op_jtrue):
1576         * jit/JITOpcodes32_64.cpp:
1577         (JSC::JIT::emit_op_jfalse):
1578         (JSC::JIT::emit_op_jtrue):
1579
1580 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1581
1582         [JSC] Remove WeakReferenceHarvester
1583         https://bugs.webkit.org/show_bug.cgi?id=186102
1584
1585         Reviewed by Filip Pizlo.
1586
1587         After several cleanups, JSWeakMap is now the last user of WeakReferenceHarvester.
1588         Since JSWeakMap is already managed in an IsoSubspace, we can iterate marked JSWeakMaps
1589         by using output constraints & Subspace iteration.
1590
1591         This patch removes WeakReferenceHarvester. Instead of managing this linked list, our
1592         output constraint set iterates marked JSWeakMaps by using the Subspace.
1593
1594         We also add locking for JSWeakMap's rehash and output constraint visiting.
1595
1596         Attached microbenchmark does not show any regression.
1597
1598         * API/JSAPIWrapperObject.h:
1599         * CMakeLists.txt:
1600         * JavaScriptCore.xcodeproj/project.pbxproj:
1601         * heap/Heap.cpp:
1602         (JSC::Heap::endMarking):
1603         (JSC::Heap::addCoreConstraints):
1604         * heap/Heap.h:
1605         * heap/SlotVisitor.cpp:
1606         (JSC::SlotVisitor::addWeakReferenceHarvester): Deleted.
1607         * heap/SlotVisitor.h:
1608         * heap/WeakReferenceHarvester.h: Removed.
1609         * runtime/WeakMapImpl.cpp:
1610         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
1611         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitOutputConstraints):
1612         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
1613         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences): Deleted.
1614         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences): Deleted.
1615         * runtime/WeakMapImpl.h:
1616         (JSC::WeakMapImpl::WeakMapImpl):
1617         (JSC::WeakMapImpl::finishCreation):
1618         (JSC::WeakMapImpl::rehash):
1619         (JSC::WeakMapImpl::makeAndSetNewBuffer):
1620         (JSC::WeakMapImpl::DeadKeyCleaner::target): Deleted.
1621
1622 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1623
1624         [JSC] Object.create should have intrinsic
1625         https://bugs.webkit.org/show_bug.cgi?id=186200
1626
1627         Reviewed by Filip Pizlo.
1628
1629         Object.create is used in various JS code. `Object.create(null)` is particularly used
1630         to create an empty plain object with a null [[Prototype]]. We can find `Object.create(null)`
1631         calls in ARES-6/Babylon code.
1632
1633         This patch adds ObjectCreateIntrinsic to JSC. DFG recognizes it and produces an ObjectCreate
1634         DFG node. DFG AI and constant folding attempt to convert it to NewObject when the prototype
1635         object is null. It offers a significant performance boost for `Object.create(null)`.
1636
1637                                                          baseline                  patched
1638
1639         object-create-null                           53.7940+-1.5297     ^     19.8846+-0.6584        ^ definitely 2.7053x faster
1640         object-create-unknown-object-prototype       38.9977+-1.1364     ^     37.2207+-0.6143        ^ definitely 1.0477x faster
1641         object-create-untyped-prototype              22.5632+-0.6917           22.2539+-0.6876          might be 1.0139x faster
1642
1643         * dfg/DFGAbstractInterpreterInlines.h:
1644         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1645         * dfg/DFGByteCodeParser.cpp:
1646         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1647         * dfg/DFGClobberize.h:
1648         (JSC::DFG::clobberize):
1649         * dfg/DFGConstantFoldingPhase.cpp:
1650         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1651         * dfg/DFGDoesGC.cpp:
1652         (JSC::DFG::doesGC):
1653         * dfg/DFGFixupPhase.cpp:
1654         (JSC::DFG::FixupPhase::fixupNode):
1655         * dfg/DFGNode.h:
1656         (JSC::DFG::Node::convertToNewObject):
1657         * dfg/DFGNodeType.h:
1658         * dfg/DFGOperations.cpp:
1659         * dfg/DFGOperations.h:
1660         * dfg/DFGPredictionPropagationPhase.cpp:
1661         * dfg/DFGSafeToExecute.h:
1662         (JSC::DFG::safeToExecute):
1663         * dfg/DFGSpeculativeJIT.cpp:
1664         (JSC::DFG::SpeculativeJIT::compileObjectCreate):
1665         * dfg/DFGSpeculativeJIT.h:
1666         * dfg/DFGSpeculativeJIT32_64.cpp:
1667         (JSC::DFG::SpeculativeJIT::compile):
1668         * dfg/DFGSpeculativeJIT64.cpp:
1669         (JSC::DFG::SpeculativeJIT::compile):
1670         * ftl/FTLCapabilities.cpp:
1671         (JSC::FTL::canCompile):
1672         * ftl/FTLLowerDFGToB3.cpp:
1673         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1674         (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
1675         * runtime/Intrinsic.cpp:
1676         (JSC::intrinsicName):
1677         * runtime/Intrinsic.h:
1678         * runtime/JSGlobalObject.cpp:
1679         (JSC::JSGlobalObject::init):
1680         (JSC::JSGlobalObject::visitChildren):
1681         * runtime/JSGlobalObject.h:
1682         (JSC::JSGlobalObject::nullPrototypeObjectStructure const):
1683         * runtime/ObjectConstructor.cpp:
1684
1685 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
1686
1687         [ESNext][BigInt] Implement support for addition operations
1688         https://bugs.webkit.org/show_bug.cgi?id=179002
1689
1690         Reviewed by Yusuke Suzuki.
1691
1692         This patch implements support for BigInt operands in the binary "+"
1693         and binary "-" operators. Right now, we have limited support in the DFG
1694         and FTL JIT layers, but we plan to fix this support in future
1695         patches.
1696
1697         * jit/JITOperations.cpp:
1698         * runtime/CommonSlowPaths.cpp:
1699         (JSC::SLOW_PATH_DECL):
1700         * runtime/JSBigInt.cpp:
1701         (JSC::JSBigInt::parseInt):
1702         (JSC::JSBigInt::stringToBigInt):
1703         (JSC::JSBigInt::toString):
1704         (JSC::JSBigInt::multiply):
1705         (JSC::JSBigInt::divide):
1706         (JSC::JSBigInt::remainder):
1707         (JSC::JSBigInt::add):
1708         (JSC::JSBigInt::sub):
1709         (JSC::JSBigInt::absoluteAdd):
1710         (JSC::JSBigInt::absoluteSub):
1711         (JSC::JSBigInt::toStringGeneric):
1712         (JSC::JSBigInt::allocateFor):
1713         (JSC::JSBigInt::toNumber const):
1714         (JSC::JSBigInt::getPrimitiveNumber const):
1715         * runtime/JSBigInt.h:
1716         * runtime/JSCJSValueInlines.h:
1717         * runtime/Operations.cpp:
1718         (JSC::jsAddSlowCase):
1719         * runtime/Operations.h:
1720         (JSC::jsSub):
1721
1722 2018-06-01  Wenson Hsieh  <wenson_hsieh@apple.com>
1723
1724         Fix the watchOS build after r232385
1725         https://bugs.webkit.org/show_bug.cgi?id=186203
1726
1727         Reviewed by Keith Miller.
1728
1729         Add a missing header include for JSImmutableButterfly.
1730
1731         * runtime/ArrayPrototype.cpp:
1732
1733 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1734
1735         [JSC] Add Symbol.prototype.description getter
1736         https://bugs.webkit.org/show_bug.cgi?id=186053
1737
1738         Reviewed by Keith Miller.
1739
1740         The Symbol.prototype.description accessor is now stage 3 [1].
1741         This adds a getter to retrieve the [[Description]] value from a Symbol.
1742         Previously, Symbol#toString() returned a `Symbol(${description})` value,
1743         so users needed to extract the `description` part if they wanted it.
1744
1745         [1]: https://tc39.github.io/proposal-Symbol-description/
1746
1747         * runtime/Symbol.cpp:
1748         (JSC::Symbol::description const):
1749         * runtime/Symbol.h:
1750         * runtime/SymbolPrototype.cpp:
1751         (JSC::tryExtractSymbol):
1752         (JSC::symbolProtoGetterDescription):
1753         (JSC::symbolProtoFuncToString):
1754         (JSC::symbolProtoFuncValueOf):
1755
1756 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1757
1758         [JSC] Correct values and members of JSBigInt appropriately
1759         https://bugs.webkit.org/show_bug.cgi?id=186196
1760
1761         Reviewed by Darin Adler.
1762
1763         This patch cleans up JSBigInt a bit to select more appropriate values and members.
1764
1765         1. JSBigInt's structure should be StructureIsImmortal.
1766         2. JSBigInt::allocationSize should be annotated with `inline`.
1767         3. Remove JSBigInt::visitChildren since it is identical to JSCell::visitChildren.
1768         4. Remove JSBigInt::finishCreation since it is identical to JSCell::finishCreation.
1769
1770         * runtime/JSBigInt.cpp:
1771         (JSC::JSBigInt::allocationSize):
1772         (JSC::JSBigInt::allocateFor):
1773         (JSC::JSBigInt::compareToDouble):
1774         (JSC::JSBigInt::visitChildren): Deleted.
1775         (JSC::JSBigInt::finishCreation): Deleted.
1776         * runtime/JSBigInt.h:
1777
1778 2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1779
1780         [DFG] InById should be converted to MatchStructure
1781         https://bugs.webkit.org/show_bug.cgi?id=185803
1782
1783         Reviewed by Keith Miller.
1784
1785         MatchStructure was introduced for the instanceof optimization, but this node
1786         is also useful for the InById node. This patch converts InById to a MatchStructure
1787         node with CheckStructures where possible by using InByIdStatus.
1788
1789         Added microbenchmarks show improvements.
1790
1791                                    baseline                  patched
1792
1793         in-by-id-removed       18.1196+-0.8108     ^     16.1702+-0.9773        ^ definitely 1.1206x faster
1794         in-by-id-match         16.3912+-0.2608     ^     15.2736+-0.8173        ^ definitely 1.0732x faster
1795
1796         * JavaScriptCore.xcodeproj/project.pbxproj:
1797         * Sources.txt:
1798         * bytecode/InByIdStatus.cpp: Added.
1799         (JSC::InByIdStatus::appendVariant):
1800         (JSC::InByIdStatus::computeFor):
1801         (JSC::InByIdStatus::hasExitSite):
1802         (JSC::InByIdStatus::computeForStubInfo):
1803         (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1804         (JSC::InByIdStatus::filter):
1805         (JSC::InByIdStatus::dump const):
1806         * bytecode/InByIdStatus.h: Added.
1807         (JSC::InByIdStatus::InByIdStatus):
1808         (JSC::InByIdStatus::state const):
1809         (JSC::InByIdStatus::isSet const):
1810         (JSC::InByIdStatus::operator bool const):
1811         (JSC::InByIdStatus::isSimple const):
1812         (JSC::InByIdStatus::numVariants const):
1813         (JSC::InByIdStatus::variants const):
1814         (JSC::InByIdStatus::at const):
1815         (JSC::InByIdStatus::operator[] const):
1816         (JSC::InByIdStatus::takesSlowPath const):
1817         * bytecode/InByIdVariant.cpp: Added.
1818         (JSC::InByIdVariant::InByIdVariant):
1819         (JSC::InByIdVariant::attemptToMerge):
1820         (JSC::InByIdVariant::dump const):
1821         (JSC::InByIdVariant::dumpInContext const):
1822         * bytecode/InByIdVariant.h: Added.
1823         (JSC::InByIdVariant::isSet const):
1824         (JSC::InByIdVariant::operator bool const):
1825         (JSC::InByIdVariant::structureSet const):
1826         (JSC::InByIdVariant::structureSet):
1827         (JSC::InByIdVariant::conditionSet const):
1828         (JSC::InByIdVariant::offset const):
1829         (JSC::InByIdVariant::isHit const):
1830         * bytecode/PolyProtoAccessChain.h:
1831         * dfg/DFGByteCodeParser.cpp:
1832         (JSC::DFG::ByteCodeParser::parseBlock):
1833
1834 2018-06-01  Keith Miller  <keith_miller@apple.com>
1835
1836         move should only emit the move if it's actually needed
1837         https://bugs.webkit.org/show_bug.cgi?id=186123
1838
1839         Reviewed by Saam Barati.
1840
1841         This patch replaces move with moveToDestinationIfNeeded. This
1842         will prevent us from emitting moves to the same location. The old
1843         move has been renamed to emitMove and made private.
1844
1845         * bytecompiler/BytecodeGenerator.cpp:
1846         (JSC::BytecodeGenerator::BytecodeGenerator):
1847         (JSC::BytecodeGenerator::emitMove):
1848         (JSC::BytecodeGenerator::emitGetGlobalPrivate):
1849         (JSC::BytecodeGenerator::emitGetAsyncIterator):
1850         (JSC::BytecodeGenerator::move): Deleted.
1851         * bytecompiler/BytecodeGenerator.h:
1852         (JSC::BytecodeGenerator::move):
1853         (JSC::BytecodeGenerator::moveToDestinationIfNeeded): Deleted.
1854         * bytecompiler/NodesCodegen.cpp:
1855         (JSC::ThisNode::emitBytecode):
1856         (JSC::SuperNode::emitBytecode):
1857         (JSC::NewTargetNode::emitBytecode):
1858         (JSC::ResolveNode::emitBytecode):
1859         (JSC::TaggedTemplateNode::emitBytecode):
1860         (JSC::ArrayNode::emitBytecode):
1861         (JSC::ObjectLiteralNode::emitBytecode):
1862         (JSC::EvalFunctionCallNode::emitBytecode):
1863         (JSC::FunctionCallResolveNode::emitBytecode):
1864         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
1865         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1866         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
1867         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
1868         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString):
1869         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
1870         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
1871         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray):
1872         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject):
1873         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject):
1874         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
1875         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray):
1876         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap):
1877         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet):
1878         (JSC::CallFunctionCallDotNode::emitBytecode):
1879         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1880         (JSC::emitPostIncOrDec):
1881         (JSC::PostfixNode::emitBracket):
1882         (JSC::PostfixNode::emitDot):
1883         (JSC::PrefixNode::emitResolve):
1884         (JSC::PrefixNode::emitBracket):
1885         (JSC::PrefixNode::emitDot):
1886         (JSC::LogicalOpNode::emitBytecode):
1887         (JSC::ReadModifyResolveNode::emitBytecode):
1888         (JSC::AssignResolveNode::emitBytecode):
1889         (JSC::AssignDotNode::emitBytecode):
1890         (JSC::AssignBracketNode::emitBytecode):
1891         (JSC::FunctionNode::emitBytecode):
1892         (JSC::ClassExprNode::emitBytecode):
1893         (JSC::DestructuringAssignmentNode::emitBytecode):
1894         (JSC::ArrayPatternNode::emitDirectBinding):
1895         (JSC::ObjectPatternNode::bindValue const):
1896         (JSC::AssignmentElementNode::bindValue const):
1897         (JSC::ObjectSpreadExpressionNode::emitBytecode):
1898
1899 2018-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1900
1901         [Baseline] Store constant directly in emit_op_mov
1902         https://bugs.webkit.org/show_bug.cgi?id=186182
1903
1904         Reviewed by Saam Barati.
1905
1906         In the old code, we first moved a constant to a register and then stored it to the specified address.
1907         But in 64-bit JSC, we can directly store a constant to the specified address. This reduces the
1908         generated code size. Since the old code was emitting the constant in the code anyway, this change
1909         never increases the size of the generated code.
1910
1911         * jit/JITInlines.h:
1912         (JSC::JIT::emitGetVirtualRegister):
1913         We remove this obsolete comment. Our OSR relies on the fact that values are stored and loaded
1914         from the stack. If we transfer values in registers without loading values from the stack, it
1915         breaks this assumption.
1916
1917         * jit/JITOpcodes.cpp:
1918         (JSC::JIT::emit_op_mov):
1919
1920 2018-05-31  Caio Lima  <ticaiolima@gmail.com>
1921
1922         [ESNext][BigInt] Implement support for "=<" and ">=" relational operation
1923         https://bugs.webkit.org/show_bug.cgi?id=185929
1924
1925         Reviewed by Yusuke Suzuki.
1926
1927         This patch introduces support for BigInt operands in the ">=" and
1928         "<=" operators.
1929         Here we introduce `bigIntCompareResult`, a helper function used
1930         to share code between the "less than" and "less than or equal" operators.
1931
1932         * runtime/JSBigInt.h:
1933         * runtime/Operations.h:
1934         (JSC::bigIntCompareResult):
1935         (JSC::bigIntCompare):
1936         (JSC::jsLess):
1937         (JSC::jsLessEq):
1938         (JSC::bigIntCompareLess): Deleted.
1939
1940 2018-05-31  Saam Barati  <sbarati@apple.com>
1941
1942         Cache toString results for CoW arrays
1943         https://bugs.webkit.org/show_bug.cgi?id=186160
1944
1945         Reviewed by Keith Miller.
1946
1947         This patch makes it so that we cache the result of toString on
1948         arrays with a CoW butterfly. This cache lives on Heap and is
1949         cleared after every GC. We only cache the toString result when
1950         the CoW butterfly doesn't have a hole (currently, all CoW arrays
1951         have a hole, but this isn't an invariant we want to rely on). The
1952         reason for this is that if there is a hole, the value may be loaded
1953         from the prototype, and the cache may produce a stale result.
1954         
1955         This is a ~4% speedup on the ML subtest in ARES. And is a ~1% overall
1956         progression on ARES.
1957
1958         * heap/Heap.cpp:
1959         (JSC::Heap::finalize):
1960         (JSC::Heap::addCoreConstraints):
1961         * heap/Heap.h:
1962         * runtime/ArrayPrototype.cpp:
1963         (JSC::canUseFastJoin):
1964         (JSC::holesMustForwardToPrototype):
1965         (JSC::isHole):
1966         (JSC::containsHole):
1967         (JSC::fastJoin):
1968         (JSC::arrayProtoFuncToString):
1969
1970 2018-05-31  Saam Barati  <sbarati@apple.com>
1971
1972         PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
1973         https://bugs.webkit.org/show_bug.cgi?id=186169
1974
1975         Reviewed by Mark Lam.
1976
1977         If we don't do this, the CFA validation rule about StructureID being
1978         clobbered but AI not clobbering or folding a clobber will cause us
1979         to crash. Simon was running into this yesterday on arstechnica.com.
1980         I couldn't come up with a test case for this, but it's obvious
1981         what the issue is by looking at the IR dump at the time of the crash.
1982
1983         * dfg/DFGAbstractInterpreterInlines.h:
1984         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1985
1986 2018-05-31  Saam Barati  <sbarati@apple.com>
1987
1988         JSImmutableButterfly should align its variable storage
1989         https://bugs.webkit.org/show_bug.cgi?id=186159
1990
1991         Reviewed by Mark Lam.
1992
1993         I'm also making the use of reinterpret_cast and bitwise_cast consistent
1994         inside of JSImmutableButterfly. I switched everything to use bitwise_cast.
1995
1996         * runtime/JSImmutableButterfly.h:
1997         (JSC::JSImmutableButterfly::toButterfly const):
1998         (JSC::JSImmutableButterfly::fromButterfly):
1999         (JSC::JSImmutableButterfly::offsetOfData):
2000         (JSC::JSImmutableButterfly::allocationSize):
2001
2002 2018-05-31  Keith Miller  <keith_miller@apple.com>
2003
2004         DFGArrayModes needs to know more about CoW arrays
2005         https://bugs.webkit.org/show_bug.cgi?id=186162
2006
2007         Reviewed by Filip Pizlo.
2008
2009         This patch fixes two issues in DFGArrayMode.
2010
2011         1) fromObserved was missing switch cases for when the only observed ArrayModes are CopyOnWrite.
2012         2) DFGArrayModes needs to track if the ArrayClass is an OriginalCopyOnWriteArray in order
2013         to vend an accurate original structure.
2014
2015         Additionally, this patch fixes some places in bytecode parsing where we told the array mode
2016         we were doing a read but were actually doing a write. Also, DFGArrayMode will now print the
2017         action it is expecting when being dumped.
2018
2019         * bytecode/ArrayProfile.h:
2020         (JSC::hasSeenWritableArray):
2021         * dfg/DFGArrayMode.cpp:
2022         (JSC::DFG::ArrayMode::fromObserved):
2023         (JSC::DFG::ArrayMode::refine const):
2024         (JSC::DFG::ArrayMode::originalArrayStructure const):
2025         (JSC::DFG::arrayActionToString):
2026         (JSC::DFG::arrayClassToString):
2027         (JSC::DFG::ArrayMode::dump const):
2028         (WTF::printInternal):
2029         * dfg/DFGArrayMode.h:
2030         (JSC::DFG::ArrayMode::withProfile const):
2031         (JSC::DFG::ArrayMode::isJSArray const):
2032         (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure const):
2033         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
2034         * dfg/DFGByteCodeParser.cpp:
2035         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2036         (JSC::DFG::ByteCodeParser::parseBlock):
2037         * dfg/DFGFixupPhase.cpp:
2038         (JSC::DFG::FixupPhase::fixupNode):
2039         * dfg/DFGSpeculativeJIT.cpp:
2040         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
2041         * ftl/FTLLowerDFGToB3.cpp:
2042         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
2043
2044 2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2045
2046         [JSC] Pass VM& parameter as much as possible
2047         https://bugs.webkit.org/show_bug.cgi?id=186085
2048
2049         Reviewed by Saam Barati.
2050
2051         JSCell::vm() is slow compared to ExecState::vm(). That's why we have a bunch of functions in JSCell/JSObject that take VM& as a parameter.
2052         For example, we have JSCell::structure() and JSCell::structure(VM&); the former retrieves VM& from the cell and invokes structure(VM&).
2053         If we can get VM& from ExecState* or another place, it reduces the inlined code size.
2054         This patch attempts to pass the VM& parameter to such functions as much as possible.
2055
2056         * API/APICast.h:
2057         (toJS):
2058         (toJSForGC):
2059         * API/JSCallbackObjectFunctions.h:
2060         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
2061         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
2062         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2063         * API/JSObjectRef.cpp:
2064         (JSObjectIsConstructor):
2065         * API/JSTypedArray.cpp:
2066         (JSObjectGetTypedArrayBuffer):
2067         * API/JSValueRef.cpp:
2068         (JSValueIsInstanceOfConstructor):
2069         * bindings/ScriptFunctionCall.cpp:
2070         (Deprecated::ScriptFunctionCall::call):
2071         * bindings/ScriptValue.cpp:
2072         (Inspector::jsToInspectorValue):
2073         * bytecode/AccessCase.cpp:
2074         (JSC::AccessCase::generateImpl):
2075         * bytecode/CodeBlock.cpp:
2076         (JSC::CodeBlock::CodeBlock):
2077         * bytecode/ObjectAllocationProfileInlines.h:
2078         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2079         * bytecode/ObjectPropertyConditionSet.cpp:
2080         (JSC::generateConditionsForInstanceOf):
2081         * bytecode/PropertyCondition.cpp:
2082         (JSC::PropertyCondition::isWatchableWhenValid const):
2083         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
2084         * bytecode/StructureStubClearingWatchpoint.cpp:
2085         (JSC::StructureStubClearingWatchpoint::fireInternal):
2086         * debugger/Debugger.cpp:
2087         (JSC::Debugger::detach):
2088         * debugger/DebuggerScope.cpp:
2089         (JSC::DebuggerScope::create):
2090         (JSC::DebuggerScope::put):
2091         (JSC::DebuggerScope::deleteProperty):
2092         (JSC::DebuggerScope::getOwnPropertyNames):
2093         (JSC::DebuggerScope::defineOwnProperty):
2094         * dfg/DFGAbstractInterpreterInlines.h:
2095         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2096         * dfg/DFGAbstractValue.cpp:
2097         (JSC::DFG::AbstractValue::mergeOSREntryValue):
2098         * dfg/DFGArgumentsEliminationPhase.cpp:
2099         * dfg/DFGArrayMode.cpp:
2100         (JSC::DFG::ArrayMode::refine const):
2101         * dfg/DFGByteCodeParser.cpp:
2102         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2103         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
2104         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2105         (JSC::DFG::ByteCodeParser::check):
2106         * dfg/DFGConstantFoldingPhase.cpp:
2107         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2108         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2109         * dfg/DFGFixupPhase.cpp:
2110         (JSC::DFG::FixupPhase::fixupNode):
2111         * dfg/DFGGraph.cpp:
2112         (JSC::DFG::Graph::tryGetConstantProperty):
2113         * dfg/DFGOperations.cpp:
2114         * dfg/DFGSpeculativeJIT.cpp:
2115         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2116         * dfg/DFGStrengthReductionPhase.cpp:
2117         (JSC::DFG::StrengthReductionPhase::handleNode):
2118         * ftl/FTLLowerDFGToB3.cpp:
2119         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2120         * ftl/FTLOperations.cpp:
2121         (JSC::FTL::operationPopulateObjectInOSR):
2122         * inspector/InjectedScriptManager.cpp:
2123         (Inspector::InjectedScriptManager::createInjectedScript):
2124         * inspector/JSJavaScriptCallFrame.cpp:
2125         (Inspector::JSJavaScriptCallFrame::caller const):
2126         (Inspector::JSJavaScriptCallFrame::scopeChain const):
2127         * interpreter/CallFrame.cpp:
2128         (JSC::CallFrame::wasmAwareLexicalGlobalObject):
2129         * interpreter/Interpreter.cpp:
2130         (JSC::Interpreter::executeProgram):
2131         (JSC::Interpreter::executeCall):
2132         (JSC::Interpreter::executeConstruct):
2133         (JSC::Interpreter::execute):
2134         (JSC::Interpreter::executeModuleProgram):
2135         * jit/JITOperations.cpp:
2136         (JSC::getByVal):
2137         * jit/Repatch.cpp:
2138         (JSC::tryCacheInByID):
2139         * jsc.cpp:
2140         (functionDollarAgentReceiveBroadcast):
2141         (functionHasCustomProperties):
2142         * llint/LLIntSlowPaths.cpp:
2143         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2144         (JSC::LLInt::setupGetByIdPrototypeCache):
2145         (JSC::LLInt::getByVal):
2146         (JSC::LLInt::handleHostCall):
2147         (JSC::LLInt::llint_throw_stack_overflow_error):
2148         * runtime/AbstractModuleRecord.cpp:
2149         (JSC::AbstractModuleRecord::finishCreation):
2150         * runtime/ArrayConstructor.cpp:
2151         (JSC::constructArrayWithSizeQuirk):
2152         * runtime/ArrayPrototype.cpp:
2153         (JSC::speciesWatchpointIsValid):
2154         (JSC::arrayProtoFuncToString):
2155         (JSC::arrayProtoFuncToLocaleString):
2156         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
2157         * runtime/AsyncFunctionConstructor.cpp:
2158         (JSC::callAsyncFunctionConstructor):
2159         (JSC::constructAsyncFunctionConstructor):
2160         * runtime/AsyncGeneratorFunctionConstructor.cpp:
2161         (JSC::callAsyncGeneratorFunctionConstructor):
2162         (JSC::constructAsyncGeneratorFunctionConstructor):
2163         * runtime/BooleanConstructor.cpp:
2164         (JSC::constructWithBooleanConstructor):
2165         * runtime/ClonedArguments.cpp:
2166         (JSC::ClonedArguments::createEmpty):
2167         (JSC::ClonedArguments::createWithInlineFrame):
2168         (JSC::ClonedArguments::createWithMachineFrame):
2169         (JSC::ClonedArguments::createByCopyingFrom):
2170         (JSC::ClonedArguments::getOwnPropertySlot):
2171         (JSC::ClonedArguments::materializeSpecials):
2172         * runtime/CommonSlowPaths.cpp:
2173         (JSC::SLOW_PATH_DECL):
2174         * runtime/CommonSlowPaths.h:
2175         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2176         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2177         (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
2178         * runtime/ConstructData.cpp:
2179         (JSC::construct):
2180         * runtime/DateConstructor.cpp:
2181         (JSC::constructWithDateConstructor):
2182         * runtime/DatePrototype.cpp:
2183         (JSC::dateProtoFuncToJSON):
2184         * runtime/DirectArguments.cpp:
2185         (JSC::DirectArguments::overrideThings):
2186         * runtime/Error.cpp:
2187         (JSC::getStackTrace):
2188         * runtime/ErrorConstructor.cpp:
2189         (JSC::Interpreter::constructWithErrorConstructor):
2190         (JSC::Interpreter::callErrorConstructor):
2191         * runtime/FunctionConstructor.cpp:
2192         (JSC::constructWithFunctionConstructor):
2193         (JSC::callFunctionConstructor):
2194         * runtime/GeneratorFunctionConstructor.cpp:
2195         (JSC::callGeneratorFunctionConstructor):
2196         (JSC::constructGeneratorFunctionConstructor):
2197         * runtime/GenericArgumentsInlines.h:
2198         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2199         * runtime/InferredStructureWatchpoint.cpp:
2200         (JSC::InferredStructureWatchpoint::fireInternal):
2201         * runtime/InferredType.cpp:
2202         (JSC::InferredType::removeStructure):
2203         * runtime/InferredType.h:
2204         * runtime/InferredTypeInlines.h:
2205         (JSC::InferredType::finalizeUnconditionally):
2206         * runtime/IntlCollator.cpp:
2207         (JSC::IntlCollator::initializeCollator):
2208         * runtime/IntlCollatorConstructor.cpp:
2209         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
2210         * runtime/IntlCollatorPrototype.cpp:
2211         (JSC::IntlCollatorPrototypeGetterCompare):
2212         * runtime/IntlDateTimeFormat.cpp:
2213         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2214         (JSC::IntlDateTimeFormat::formatToParts):
2215         * runtime/IntlDateTimeFormatConstructor.cpp:
2216         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
2217         * runtime/IntlDateTimeFormatPrototype.cpp:
2218         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2219         * runtime/IntlNumberFormat.cpp:
2220         (JSC::IntlNumberFormat::initializeNumberFormat):
2221         (JSC::IntlNumberFormat::formatToParts):
2222         * runtime/IntlNumberFormatConstructor.cpp:
2223         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
2224         * runtime/IntlNumberFormatPrototype.cpp:
2225         (JSC::IntlNumberFormatPrototypeGetterFormat):
2226         * runtime/IntlObject.cpp:
2227         (JSC::canonicalizeLocaleList):
2228         (JSC::defaultLocale):
2229         (JSC::lookupSupportedLocales):
2230         (JSC::intlObjectFuncGetCanonicalLocales):
2231         * runtime/IntlPluralRules.cpp:
2232         (JSC::IntlPluralRules::initializePluralRules):
2233         (JSC::IntlPluralRules::resolvedOptions):
2234         * runtime/IntlPluralRulesConstructor.cpp:
2235         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
2236         * runtime/IteratorOperations.cpp:
2237         (JSC::iteratorNext):
2238         (JSC::iteratorClose):
2239         (JSC::iteratorForIterable):
2240         * runtime/JSArray.cpp:
2241         (JSC::JSArray::shiftCountWithArrayStorage):
2242         (JSC::JSArray::unshiftCountWithArrayStorage):
2243         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
2244         * runtime/JSArrayBufferConstructor.cpp:
2245         (JSC::JSArrayBufferConstructor::finishCreation):
2246         (JSC::constructArrayBuffer):
2247         * runtime/JSArrayBufferPrototype.cpp:
2248         (JSC::arrayBufferProtoFuncSlice):
2249         * runtime/JSArrayBufferView.cpp:
2250         (JSC::JSArrayBufferView::unsharedJSBuffer):
2251         (JSC::JSArrayBufferView::possiblySharedJSBuffer):
2252         * runtime/JSAsyncFunction.cpp:
2253         (JSC::JSAsyncFunction::createImpl):
2254         (JSC::JSAsyncFunction::create):
2255         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
2256         * runtime/JSAsyncGeneratorFunction.cpp:
2257         (JSC::JSAsyncGeneratorFunction::createImpl):
2258         (JSC::JSAsyncGeneratorFunction::create):
2259         (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
2260         * runtime/JSBoundFunction.cpp:
2261         (JSC::boundThisNoArgsFunctionCall):
2262         (JSC::boundFunctionCall):
2263         (JSC::boundThisNoArgsFunctionConstruct):
2264         (JSC::boundFunctionConstruct):
2265         (JSC::getBoundFunctionStructure):
2266         (JSC::JSBoundFunction::create):
2267         (JSC::JSBoundFunction::boundArgsCopy):
2268         * runtime/JSCJSValue.cpp:
2269         (JSC::JSValue::putToPrimitive):
2270         * runtime/JSCellInlines.h:
2271         (JSC::JSCell::setStructure):
2272         (JSC::JSCell::methodTable const):
2273         (JSC::JSCell::toBoolean const):
2274         * runtime/JSFunction.h:
2275         (JSC::JSFunction::createImpl):
2276         * runtime/JSGeneratorFunction.cpp:
2277         (JSC::JSGeneratorFunction::createImpl):
2278         (JSC::JSGeneratorFunction::create):
2279         (JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
2280         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2281         (JSC::constructGenericTypedArrayViewWithArguments):
2282         (JSC::constructGenericTypedArrayView):
2283         * runtime/JSGenericTypedArrayViewInlines.h:
2284         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
2285         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
2286         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
2287         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2288         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2289         (JSC::genericTypedArrayViewProtoFuncSlice):
2290         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2291         * runtime/JSGlobalObject.cpp:
2292         (JSC::JSGlobalObject::init):
2293         (JSC::JSGlobalObject::exposeDollarVM):
2294         (JSC::JSGlobalObject::finishCreation):
2295         * runtime/JSGlobalObject.h:
2296         * runtime/JSGlobalObjectFunctions.cpp:
2297         (JSC::globalFuncEval):
2298         * runtime/JSInternalPromise.cpp:
2299         (JSC::JSInternalPromise::then):
2300         * runtime/JSInternalPromiseConstructor.cpp:
2301         (JSC::constructPromise):
2302         * runtime/JSJob.cpp:
2303         (JSC::JSJobMicrotask::run):
2304         * runtime/JSLexicalEnvironment.cpp:
2305         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
2306         (JSC::JSLexicalEnvironment::put):
2307         * runtime/JSMap.cpp:
2308         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
2309         * runtime/JSMapIterator.cpp:
2310         (JSC::JSMapIterator::createPair):
2311         * runtime/JSModuleLoader.cpp:
2312         (JSC::JSModuleLoader::provideFetch):
2313         (JSC::JSModuleLoader::loadAndEvaluateModule):
2314         (JSC::JSModuleLoader::loadModule):
2315         (JSC::JSModuleLoader::linkAndEvaluateModule):
2316         (JSC::JSModuleLoader::requestImportModule):
2317         * runtime/JSONObject.cpp:
2318         (JSC::JSONProtoFuncParse):
2319         * runtime/JSObject.cpp:
2320         (JSC::JSObject::putInlineSlow):
2321         (JSC::JSObject::putByIndex):
2322         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2323         (JSC::JSObject::createInitialIndexedStorage):
2324         (JSC::JSObject::createArrayStorage):
2325         (JSC::JSObject::convertUndecidedToArrayStorage):
2326         (JSC::JSObject::convertInt32ToArrayStorage):
2327         (JSC::JSObject::convertDoubleToArrayStorage):
2328         (JSC::JSObject::convertContiguousToArrayStorage):
2329         (JSC::JSObject::convertFromCopyOnWrite):
2330         (JSC::JSObject::ensureWritableInt32Slow):
2331         (JSC::JSObject::ensureWritableDoubleSlow):
2332         (JSC::JSObject::ensureWritableContiguousSlow):
2333         (JSC::JSObject::ensureArrayStorageSlow):
2334         (JSC::JSObject::setPrototypeDirect):
2335         (JSC::JSObject::deleteProperty):
2336         (JSC::callToPrimitiveFunction):
2337         (JSC::JSObject::hasInstance):
2338         (JSC::JSObject::getOwnNonIndexPropertyNames):
2339         (JSC::JSObject::preventExtensions):
2340         (JSC::JSObject::isExtensible):
2341         (JSC::JSObject::reifyAllStaticProperties):
2342         (JSC::JSObject::fillGetterPropertySlot):
2343         (JSC::JSObject::defineOwnIndexedProperty):
2344         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2345         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2346         (JSC::JSObject::putByIndexBeyondVectorLength):
2347         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2348         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2349         (JSC::JSObject::getNewVectorLength):
2350         (JSC::JSObject::increaseVectorLength):
2351         (JSC::JSObject::reallocateAndShrinkButterfly):
2352         (JSC::JSObject::shiftButterflyAfterFlattening):
2353         (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
2354         (JSC::JSObject::prototypeChainMayInterceptStoreTo):
2355         (JSC::JSObject::needsSlowPutIndexing const):
2356         (JSC::JSObject::suggestedArrayStorageTransition const):
2357         * runtime/JSObject.h:
2358         (JSC::JSObject::mayInterceptIndexedAccesses):
2359         (JSC::JSObject::hasIndexingHeader const):
2360         (JSC::JSObject::hasCustomProperties):
2361         (JSC::JSObject::hasGetterSetterProperties):
2362         (JSC::JSObject::hasCustomGetterSetterProperties):
2363         (JSC::JSObject::isExtensibleImpl):
2364         (JSC::JSObject::isStructureExtensible):
2365         (JSC::JSObject::indexingShouldBeSparse):
2366         (JSC::JSObject::staticPropertiesReified):
2367         (JSC::JSObject::globalObject const):
2368         (JSC::JSObject::finishCreation):
2369         (JSC::JSNonFinalObject::finishCreation):
2370         (JSC::getCallData):
2371         (JSC::getConstructData):
2372         (JSC::JSObject::getOwnNonIndexPropertySlot):
2373         (JSC::JSObject::putOwnDataProperty):
2374         (JSC::JSObject::putOwnDataPropertyMayBeIndex):
2375         (JSC::JSObject::butterflyPreCapacity):
2376         (JSC::JSObject::butterflyTotalSize):
2377         * runtime/JSObjectInlines.h:
2378         (JSC::JSObject::putDirectInternal):
2379         * runtime/JSPromise.cpp:
2380         (JSC::JSPromise::initialize):
2381         (JSC::JSPromise::resolve):
2382         * runtime/JSPromiseConstructor.cpp:
2383         (JSC::constructPromise):
2384         * runtime/JSPromiseDeferred.cpp:
2385         (JSC::newPromiseCapability):
2386         (JSC::callFunction):
2387         * runtime/JSScope.cpp:
2388         (JSC::abstractAccess):
2389         * runtime/JSScope.h:
2390         (JSC::JSScope::globalObject): Deleted.
2391         Remove this JSScope::globalObject function since it is completely the same as JSObject::globalObject().
2392
2393         * runtime/JSSet.cpp:
2394         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
2395         * runtime/JSSetIterator.cpp:
2396         (JSC::JSSetIterator::createPair):
2397         * runtime/JSStringIterator.cpp:
2398         (JSC::JSStringIterator::clone):
2399         * runtime/Lookup.cpp:
2400         (JSC::reifyStaticAccessor):
2401         (JSC::setUpStaticFunctionSlot):
2402         * runtime/Lookup.h:
2403         (JSC::getStaticPropertySlotFromTable):
2404         (JSC::replaceStaticPropertySlot):
2405         (JSC::reifyStaticProperty):
2406         * runtime/MapConstructor.cpp:
2407         (JSC::constructMap):
2408         * runtime/NumberConstructor.cpp:
2409         (JSC::NumberConstructor::finishCreation):
2410         * runtime/ObjectConstructor.cpp:
2411         (JSC::constructObject):
2412         (JSC::objectConstructorAssign):
2413         (JSC::toPropertyDescriptor):
2414         * runtime/ObjectPrototype.cpp:
2415         (JSC::objectProtoFuncDefineGetter):
2416         (JSC::objectProtoFuncDefineSetter):
2417         (JSC::objectProtoFuncToLocaleString):
2418         * runtime/Operations.cpp:
2419         (JSC::jsIsFunctionType): Deleted.
2420         Replace it with JSValue::isFunction(VM&).
2421
2422         * runtime/Operations.h:
2423         * runtime/ProgramExecutable.cpp:
2424         (JSC::ProgramExecutable::initializeGlobalProperties):
2425         * runtime/RegExpConstructor.cpp:
2426         (JSC::constructWithRegExpConstructor):
2427         (JSC::callRegExpConstructor):
2428         * runtime/SamplingProfiler.cpp:
2429         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2430         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
2431         * runtime/ScopedArguments.cpp:
2432         (JSC::ScopedArguments::overrideThings):
2433         * runtime/ScriptExecutable.cpp:
2434         (JSC::ScriptExecutable::newCodeBlockFor):
2435         (JSC::ScriptExecutable::prepareForExecutionImpl):
2436         * runtime/SetConstructor.cpp:
2437         (JSC::constructSet):
2438         * runtime/SparseArrayValueMap.cpp:
2439         (JSC::SparseArrayValueMap::putEntry):
2440         (JSC::SparseArrayValueMap::putDirect):
2441         * runtime/StringConstructor.cpp:
2442         (JSC::constructWithStringConstructor):
2443         * runtime/StringPrototype.cpp:
2444         (JSC::replaceUsingRegExpSearch):
2445         (JSC::replaceUsingStringSearch):
2446         (JSC::stringProtoFuncIterator):
2447         * runtime/Structure.cpp:
2448         (JSC::Structure::materializePropertyTable):
2449         (JSC::Structure::willStoreValueSlow):
2450         * runtime/StructureCache.cpp:
2451         (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
2452         * runtime/StructureInlines.h:
2453         (JSC::Structure::get):
2454         * runtime/WeakMapConstructor.cpp:
2455         (JSC::constructWeakMap):
2456         * runtime/WeakSetConstructor.cpp:
2457         (JSC::constructWeakSet):
2458         * tools/HeapVerifier.cpp:
2459         (JSC::HeapVerifier::reportCell):
2460         * tools/JSDollarVM.cpp:
2461         (JSC::functionGlobalObjectForObject):
2462         (JSC::JSDollarVM::finishCreation):
2463         * wasm/js/JSWebAssemblyInstance.cpp:
2464         (JSC::JSWebAssemblyInstance::finalizeCreation):
2465         * wasm/js/WasmToJS.cpp:
2466         (JSC::Wasm::handleBadI64Use):
2467         (JSC::Wasm::wasmToJSException):
2468         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2469         (JSC::constructJSWebAssemblyCompileError):
2470         (JSC::callJSWebAssemblyCompileError):
2471         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2472         (JSC::constructJSWebAssemblyLinkError):
2473         (JSC::callJSWebAssemblyLinkError):
2474         * wasm/js/WebAssemblyModuleRecord.cpp:
2475         (JSC::WebAssemblyModuleRecord::evaluate):
2476         * wasm/js/WebAssemblyPrototype.cpp:
2477         (JSC::instantiate):
2478         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2479         (JSC::constructJSWebAssemblyRuntimeError):
2480         (JSC::callJSWebAssemblyRuntimeError):
2481         * wasm/js/WebAssemblyToJSCallee.cpp:
2482         (JSC::WebAssemblyToJSCallee::create):
2483
2484 2018-05-30  Saam Barati  <sbarati@apple.com>
2485
2486         DFG combined liveness needs to say that the machine CodeBlock's arguments are live
2487         https://bugs.webkit.org/show_bug.cgi?id=186121
2488         <rdar://problem/39377796>
2489
2490         Reviewed by Keith Miller.
2491
2492         DFG's combined liveness was reporting that the machine CodeBlock's |this|
2493         argument was dead at certain points in the program. However, a CodeBlock's
2494         arguments are considered live for the entire function. This fixes a bug
2495         where object allocation sinking phase skipped materializing an allocation
2496         because it thought that the argument it was associated with, |this|, was dead.
2497
2498         * dfg/DFGCombinedLiveness.cpp:
2499         (JSC::DFG::liveNodesAtHead):
2500
2501 2018-05-30  Daniel Bates  <dabates@apple.com>
2502
2503         Web Inspector: Annotate Same-Site cookies
2504         https://bugs.webkit.org/show_bug.cgi?id=184897
2505         <rdar://problem/35178209>
2506
2507         Reviewed by Brian Burg.
2508
2509         Update protocol to include cookie Same-Site policy.
2510
2511         * inspector/protocol/Page.json:
2512
2513 2018-05-29  Keith Miller  <keith_miller@apple.com>
2514
2515         Error instances should not strongly hold onto StackFrames
2516         https://bugs.webkit.org/show_bug.cgi?id=185996
2517
2518         Reviewed by Mark Lam.
2519
2520         Previously, we would hold onto all the StackFrames until the user
2521         looked at one of the properties on the Error object. This patch makes us
2522         only weakly retain the StackFrames and collect all the information
2523         if we are about to collect any frame.
2524
2525         This patch also adds a method to $vm that returns the heap's count
2526         of live global objects.
2527
2528         * heap/Heap.cpp:
2529         (JSC::Heap::finalizeUnconditionalFinalizers):
2530         * interpreter/Interpreter.cpp:
2531         (JSC::Interpreter::stackTraceAsString):
2532         * interpreter/Interpreter.h:
2533         * runtime/Error.cpp:
2534         (JSC::addErrorInfo):
2535         * runtime/ErrorInstance.cpp:
2536         (JSC::ErrorInstance::finalizeUnconditionally):
2537         (JSC::ErrorInstance::computeErrorInfo):
2538         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
2539         (JSC::ErrorInstance::visitChildren): Deleted.
2540         * runtime/ErrorInstance.h:
2541         (JSC::ErrorInstance::subspaceFor):
2542         * runtime/JSFunction.cpp:
2543         (JSC::getCalculatedDisplayName):
2544         * runtime/StackFrame.h:
2545         (JSC::StackFrame::isMarked const):
2546         * runtime/VM.cpp:
2547         (JSC::VM::VM):
2548         * runtime/VM.h:
2549         * tools/JSDollarVM.cpp:
2550         (JSC::functionGlobalObjectCount):
2551         (JSC::JSDollarVM::finishCreation):
2552
2553 2018-05-30  Keith Miller  <keith_miller@apple.com>
2554
2555         LLInt get_by_id prototype caching doesn't properly handle changes
2556         https://bugs.webkit.org/show_bug.cgi?id=186112
2557
2558         Reviewed by Filip Pizlo.
2559
2560         The caching would sometimes fail to track that a prototype had changed
2561         and wouldn't update its set of watchpoints.
2562
2563         * bytecode/CodeBlock.cpp:
2564         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2565         * bytecode/CodeBlock.h:
2566         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2567         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const):
2568         * bytecode/ObjectPropertyConditionSet.h:
2569         (JSC::ObjectPropertyConditionSet::size const):
2570         * bytecode/Watchpoint.h:
2571         (JSC::Watchpoint::Watchpoint): Deleted.
2572         * llint/LLIntSlowPaths.cpp:
2573         (JSC::LLInt::setupGetByIdPrototypeCache):
2574
2575 2018-05-30  Caio Lima  <ticaiolima@gmail.com>
2576
2577         [ESNext][BigInt] Implement support for "%" operation
2578         https://bugs.webkit.org/show_bug.cgi?id=184327
2579
2580         Reviewed by Yusuke Suzuki.
2581
2582         We are introducing the support of BigInt into remainder (a.k.a. mod)
2583         operation.
2584
2585         * runtime/CommonSlowPaths.cpp:
2586         (JSC::SLOW_PATH_DECL):
2587         * runtime/JSBigInt.cpp:
2588         (JSC::JSBigInt::remainder):
2589         (JSC::JSBigInt::rightTrim):
2590         * runtime/JSBigInt.h:
2591
2592 2018-05-30  Saam Barati  <sbarati@apple.com>
2593
2594         AI for Atomics.load() is too conservative in always clobbering world
2595         https://bugs.webkit.org/show_bug.cgi?id=185738
2596         <rdar://problem/40342214>
2597
2598         Reviewed by Yusuke Suzuki.
2599
2600         It fails the assertion that Fil added for catching disagreements between
2601         AI and clobberize. This patch fixes that. You'd run into this if you
2602         manually enabled SAB in a build and ran any SAB tests.
2603
2604         * dfg/DFGAbstractInterpreterInlines.h:
2605         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2606
2607 2018-05-30  Michael Saboff  <msaboff@apple.com>
2608
2609         REGRESSION(r232212): Broke Win32 Builds
2610         https://bugs.webkit.org/show_bug.cgi?id=186061
2611
2612         Reviewed by Yusuke Suzuki.
2613
2614         Changed Windows builds with the JIT disabled to generate and use LLIntAssembly.h
2615         instead of LowLevelInterpreterWin.asm.
2616
2617         * CMakeLists.txt:
2618
2619 2018-05-30  Dominik Infuehr  <dinfuehr@igalia.com>
2620
2621         [MIPS] Fix build on MIPS32r1
2622         https://bugs.webkit.org/show_bug.cgi?id=185944
2623
2624         Reviewed by Yusuke Suzuki.
2625
2626         Only use instructions on MIPS32r2 or later. mthc1 and mfhc1 are not supported
2627         on MIPS32r1.
2628
2629         * offlineasm/mips.rb:
2630
2631 2018-05-29  Saam Barati  <sbarati@apple.com>
2632
2633         Add a version of JSVirtualMachine shrinkFootprint that runs when the VM goes idle
2634         https://bugs.webkit.org/show_bug.cgi?id=186064
2635
2636         Reviewed by Mark Lam.
2637
2638         shrinkFootprint was implemented as:
2639         ```
2640         sanitizeStackForVM(this);
2641         deleteAllCode(DeleteAllCodeIfNotCollecting);
2642         heap.collectNow(Synchronousness::Sync);
2643         WTF::releaseFastMallocFreeMemory();
2644         ```
2645         
2646         However, for correctness reasons, deleteAllCode is implemented to do
2647         work when the VM is idle: no JS is running on the stack. This means
2648         that if shrinkFootprint is called when JS is running on the stack, it
2649         ends up freeing less memory than it could have if it waited to run until
2650         the VM goes idle.
2651         
2652         This patch makes it so we wait until idle before doing work. I'm seeing a
2653         10% footprint progression when testing this against a client of the JSC SPI.
2654         
2655         Because this is a semantic change in how the SPI works, this patch
2656         adds new SPI named shrinkFootprintWhenIdle. The plan is to move
2657         all clients of the shrinkFootprint SPI to shrinkFootprintWhenIdle.
2658         Once that happens, we will delete shrinkFootprint. Until then,
2659         we make shrinkFootprint do exactly what shrinkFootprintWhenIdle does.
2660
2661         * API/JSVirtualMachine.mm:
2662         (-[JSVirtualMachine shrinkFootprint]):
2663         (-[JSVirtualMachine shrinkFootprintWhenIdle]):
2664         * API/JSVirtualMachinePrivate.h:
2665         * runtime/VM.cpp:
2666         (JSC::VM::shrinkFootprintWhenIdle):
2667         (JSC::VM::shrinkFootprint): Deleted.
2668         * runtime/VM.h:
2669
2670 2018-05-29  Saam Barati  <sbarati@apple.com>
2671
2672         shrinkFootprint needs to request a full collection
2673         https://bugs.webkit.org/show_bug.cgi?id=186069
2674
2675         Reviewed by Mark Lam.
2676
2677         * runtime/VM.cpp:
2678         (JSC::VM::shrinkFootprint):
2679
2680 2018-05-29  Caio Lima  <ticaiolima@gmail.com>
2681
2682         [ESNext][BigInt] Implement support for "<" and ">" relational operation
2683         https://bugs.webkit.org/show_bug.cgi?id=185379
2684
2685         Reviewed by Yusuke Suzuki.
2686
2687         This patch is changing the ```jsLess``` operation to follow the
2688         semantics of Abstract Relational Comparison[1] that supports BigInt.
2689         For that, we create 2 new helper functions ```bigIntCompareLess``` and
2690         ```toPrimitiveNumeric``` that considers BigInt as a valid type to be
2691         compared.
2692
2693         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-relational-comparison
2694
2695         * runtime/JSBigInt.cpp:
2696         (JSC::JSBigInt::unequalSign):
2697         (JSC::JSBigInt::absoluteGreater):
2698         (JSC::JSBigInt::absoluteLess):
2699         (JSC::JSBigInt::compare):
2700         (JSC::JSBigInt::absoluteCompare):
2701         * runtime/JSBigInt.h:
2702         * runtime/JSCJSValueInlines.h:
2703         (JSC::JSValue::isPrimitive const):
2704         * runtime/Operations.h:
2705         (JSC::bigIntCompareLess):
2706         (JSC::toPrimitiveNumeric):
2707         (JSC::jsLess):
2708
2709 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2710
2711         [Baseline] Merge loading functionalities
2712         https://bugs.webkit.org/show_bug.cgi?id=185907
2713
2714         Reviewed by Saam Barati.
2715
2716         This patch unifies emitXXXLoad functions in 32bit and 64bit.
2717
2718         * jit/JITInlines.h:
2719         (JSC::JIT::emitDoubleGetByVal):
2720         * jit/JITPropertyAccess.cpp:
2721         (JSC::JIT::emitDoubleLoad):
2722         (JSC::JIT::emitContiguousLoad):
2723         (JSC::JIT::emitArrayStorageLoad):
2724         (JSC::JIT::emitIntTypedArrayGetByVal):
2725         (JSC::JIT::emitFloatTypedArrayGetByVal):
2726         Define register usage first, and share the same code in 32bit and 64bit.
2727
2728         * jit/JITPropertyAccess32_64.cpp:
2729         (JSC::JIT::emitSlow_op_put_by_val):
2730         Now C-stack is always enabled on JIT platforms and the number of temporary registers increases from 5 to 6 on x86.
2731         We can remove this special handling.
2732
2733         (JSC::JIT::emitContiguousLoad): Deleted.
2734         (JSC::JIT::emitDoubleLoad): Deleted.
2735         (JSC::JIT::emitArrayStorageLoad): Deleted.
2736
2737 2018-05-29  Saam Barati  <sbarati@apple.com>
2738
2739         JSC should put bmalloc's scavenger into mini mode
2740         https://bugs.webkit.org/show_bug.cgi?id=185988
2741
2742         Reviewed by Michael Saboff.
2743
2744         When we InitializeThreading, we'll now enable bmalloc's mini mode
2745         if the VM is in mini mode. This is an 8-10% progression on the footprint
2746         at end score in run-testmem, making it a 4-5% memory score progression.
2747         It's between a 0-1% regression in its time score.
2748
2749         * runtime/InitializeThreading.cpp:
2750         (JSC::initializeThreading):
2751
2752 2018-05-29  Caitlin Potter  <caitp@igalia.com>
2753
2754         [JSC] Fix Array.prototype.concat fast case when single argument is Proxy
2755         https://bugs.webkit.org/show_bug.cgi?id=184267
2756
2757         Reviewed by Saam Barati.
2758
2759         Before this patch, the fast case for Array.prototype.concat was taken if
2760         there was a single argument passed to the function, which is either a
2761         non-JSCell, or an ObjectType JSCell not marked as concat-spreadable.
2762         This incorrectly prevented Proxy objects from being spread when
2763         they were the only argument passed to A.prototype.concat(), violating ECMA-262.
2764
2765         * builtins/ArrayPrototype.js:
2766         (concat):
2767
2768 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2769
2770         [JSC] JSBigInt::digitDiv has undefined behavior which causes test failures
2771         https://bugs.webkit.org/show_bug.cgi?id=186022
2772
2773         Reviewed by Darin Adler.
2774
2775         digitDiv performs Value64Bit >> 64 / Value32Bit >> 32, which is undefined behavior. And zero mask
2776         creation has an issue (`s` should be casted to signed one before negating). They cause test failures
2777         in non x86 / x86_64 environments. x86 and x86_64 work well since they have a fast path written
2778         in asm.
2779
2780         This patch fixes digitDiv by carefully avoiding undefined behaviors. We mask the left value of the
2781         rshift with `digitBits - 1`, which makes `digitBits` 0 while it keeps 0 <= n < digitBits values.
2782         This makes the target rshift well-defined in C++. While produced value by the rshift covers 0 <= `s` < 64 (32
2783         in 32bit environment) cases, this rshift does not shift if `s` is 0. sZeroMask clears the value
2784         if `s` is 0, so that `s == 0` case is also covered. Note that `s == 64` never happens since `divisor`
2785         is never 0 here. We add an assertion for that. We also fix `sZeroMask` calculation.
2786
2787         This patch also fixes naming convention for constant values.
2788
2789         * runtime/JSBigInt.cpp:
2790         (JSC::JSBigInt::digitMul):
2791         (JSC::JSBigInt::digitDiv):
2792         * runtime/JSBigInt.h:
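
        To make the shift pattern this entry describes concrete, here is an added example, written for this page and not JSBigInt's code: it computes the high digit of a two-digit value shifted left by `s` while keeping every shift count strictly below the digit width. The names `Digit`, `digitBits`, `shiftHighDigit`, `referenceHighDigit` and `shiftsAgreeForAllCounts` are this example's own; the pieces taken from the entry are the `digitBits - 1` mask on the shift count, the `sZeroMask` fix-up for the `s == 0` case, and the assertion that `s` never reaches the digit width.

```cpp
#include <cassert>
#include <cstdint>

// Added example, not JavaScriptCore code: the names below are this example's own.
typedef uint64_t Digit;
constexpr unsigned digitBits = 64;

// High digit of ((high:low) << s) for 0 <= s < digitBits, with every shift
// count kept strictly below the operand width. The naive form
// `(high << s) | (low >> (digitBits - s))` shifts `low` by a full 64 bits
// when s == 0, which is undefined behaviour in C++: x86 masks the count and
// happens to return `low` unshifted, while other targets may produce anything,
// which matches the "works on x86, fails elsewhere" symptom in the entry.
Digit shiftHighDigit(Digit high, Digit low, unsigned s)
{
    // s == digitBits cannot occur when the caller derives s from clz() of a
    // non-zero divisor, so it is asserted rather than handled.
    assert(s < digitBits);

    // Mask the count into [0, digitBits). For s == 0 this becomes a shift by 0,
    // which is defined but leaves `low` unshifted, so that contribution has to
    // be discarded separately.
    unsigned rshift = (digitBits - s) & (digitBits - 1);

    // All ones when s != 0, all zeros when s == 0. Built from a bool so no
    // signed negation is involved: if the mask were instead built as
    // `-s >> (digitBits - 1)` with an unsigned s, the logical right shift would
    // yield 1 rather than all ones, hence the entry's note that s must be cast
    // to signed before negating.
    Digit sZeroMask = static_cast<Digit>(0) - static_cast<Digit>(s != 0);

    return (high << s) | ((low >> rshift) & sZeroMask);
}

// Portable reference: shift one bit at a time, which can never shift by a
// full width, so it is trivially well-defined (and slow).
Digit referenceHighDigit(Digit high, Digit low, unsigned s)
{
    for (unsigned i = 0; i < s; ++i) {
        high = (high << 1) | (low >> (digitBits - 1));
        low <<= 1;
    }
    return high;
}

// Compares the branch-free version with the reference for every legal shift
// count on a few constructed digit pairs (sample values, not from any test).
bool shiftsAgreeForAllCounts()
{
    const Digit samples[][2] = {
        { 0x0123456789abcdefULL, 0xfedcba9876543210ULL },
        { 0, 0xffffffffffffffffULL },
        { 0x8000000000000000ULL, 1 },
    };
    for (const auto& pair : samples) {
        for (unsigned s = 0; s < digitBits; ++s) {
            if (shiftHighDigit(pair[0], pair[1], s) != referenceHighDigit(pair[0], pair[1], s))
                return false;
        }
    }
    return true;
}

int main()
{
    assert(shiftsAgreeForAllCounts());
    return 0;
}
```

        Compiling the naive form with `-fsanitize=undefined` and calling it with `s == 0` reports the out-of-range shift; the masked form above is silent under the same sanitizer, which is the quickest way to confirm a fix of this kind on a non-x86 build.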
2793
2794 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2795
2796         [WTF] Add clz32 / clz64 for MSVC
2797         https://bugs.webkit.org/show_bug.cgi?id=186023
2798
2799         Reviewed by Daniel Bates.
2800
2801         Move clz32 and clz64 to WTF.
2802
2803         * runtime/MathCommon.h:
2804         (JSC::clz32): Deleted.
2805         (JSC::clz64): Deleted.
2806
2807 2018-05-27  Caio Lima  <ticaiolima@gmail.com>
2808
2809         [ESNext][BigInt] Implement "+" and "-" unary operation
2810         https://bugs.webkit.org/show_bug.cgi?id=182214
2811
2812         Reviewed by Yusuke Suzuki.
2813
2814         This patch implements support for the "-" unary operation on BigInt.
2815         It also changes the logic of ASTBuilder::makeNegateNode to
2816         calculate BigInt literals with the proper sign, avoiding an
2817         unnecessary operation. It required a refactoring of
2818         JSBigInt::parseInt to take the sign as a parameter.
2819
2820         We are also introducing a new DFG Node called ValueNegate to handle BigInt negate
2821         operations. With the introduction of BigInt, it is no longer true
2822         that every negate operation returns a Number. As ArithNegate is a
2823         node that considers that its result is always a Number, like all other
2824         Arith<Operation> nodes, we decided to keep this consistency and use ValueNegate when
2825         speculation indicates that the operand is a BigInt.
2826         This design follows the same distinction between ArithAdd and
2827         ValueAdd. Also, this new node will make it simpler to introduce
2828         optimizations when we create speculation paths for BigInt in future
2829         patches.
2830
2831         In the case of the "+" unary operation on BigInt, the current semantics we already have
2832         are correct, since it needs to throw a TypeError because of the ToNumber call [1].
2833         In that case, we are adding tests to verify other edge cases.
2834
2835         [1] - https://tc39.github.io/proposal-bigint/#sec-unary-plus-operator
2836
2837         * bytecompiler/BytecodeGenerator.cpp:
2838         (JSC::BytecodeGenerator::addBigIntConstant):
2839         * bytecompiler/BytecodeGenerator.h:
2840         * bytecompiler/NodesCodegen.cpp:
2841         (JSC::BigIntNode::jsValue const):
2842         * dfg/DFGAbstractInterpreterInlines.h:
2843         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2844         * dfg/DFGByteCodeParser.cpp:
2845         (JSC::DFG::ByteCodeParser::makeSafe):
2846         (JSC::DFG::ByteCodeParser::parseBlock):
2847         * dfg/DFGClobberize.h:
2848         (JSC::DFG::clobberize):
2849         * dfg/DFGDoesGC.cpp:
2850         (JSC::DFG::doesGC):
2851         * dfg/DFGFixupPhase.cpp:
2852         (JSC::DFG::FixupPhase::fixupNode):
2853         * dfg/DFGNode.h:
2854         (JSC::DFG::Node::arithNodeFlags):
2855         * dfg/DFGNodeType.h:
2856         * dfg/DFGPredictionPropagationPhase.cpp:
2857         * dfg/DFGSafeToExecute.h:
2858         (JSC::DFG::safeToExecute):
2859         * dfg/DFGSpeculativeJIT.cpp:
2860         (JSC::DFG::SpeculativeJIT::compileValueNegate):
2861         (JSC::DFG::SpeculativeJIT::compileArithNegate):
2862         * dfg/DFGSpeculativeJIT.h:
2863         * dfg/DFGSpeculativeJIT32_64.cpp:
2864         (JSC::DFG::SpeculativeJIT::compile):
2865         * dfg/DFGSpeculativeJIT64.cpp:
2866         (JSC::DFG::SpeculativeJIT::compile):
2867         * ftl/FTLCapabilities.cpp:
2868         (JSC::FTL::canCompile):
2869         * ftl/FTLLowerDFGToB3.cpp:
2870         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2871         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
2872         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2873         * jit/JITOperations.cpp:
2874         * parser/ASTBuilder.h:
2875         (JSC::ASTBuilder::createBigIntWithSign):
2876         (JSC::ASTBuilder::createBigIntFromUnaryOperation):
2877         (JSC::ASTBuilder::makeNegateNode):
2878         * parser/NodeConstructors.h:
2879         (JSC::BigIntNode::BigIntNode):
2880         * parser/Nodes.h:
2881         * runtime/CommonSlowPaths.cpp:
2882         (JSC::updateArithProfileForUnaryArithOp):
2883         (JSC::SLOW_PATH_DECL):
2884         * runtime/JSBigInt.cpp:
2885         (JSC::JSBigInt::parseInt):
2886         * runtime/JSBigInt.h:
2887         * runtime/JSCJSValueInlines.h:
2888         (JSC::JSValue::strictEqualSlowCaseInline):
2889
2890 2018-05-27  Dan Bernstein  <mitz@apple.com>
2891
2892         Tried to fix the 32-bit !ASSERT_DISABLED build after r232211.
2893
2894         * jit/JITOperations.cpp:
2895
2896 2018-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2897
2898         [JSC] Rename Array#flatten to flat
2899         https://bugs.webkit.org/show_bug.cgi?id=186012
2900
2901         Reviewed by Saam Barati.
2902
2903         Rename Array#flatten to Array#flat. This rename is done in TC39 since flatten
2904         conflicts with the mootools' function name.
2905
2906         * builtins/ArrayPrototype.js:
2907         (globalPrivate.flatIntoArray):
2908         (flat):
2909         (globalPrivate.flatIntoArrayWithCallback):
2910         (flatMap):
2911         (globalPrivate.flattenIntoArray): Deleted.
2912         (flatten): Deleted.
2913         (globalPrivate.flattenIntoArrayWithCallback): Deleted.
2914         * runtime/ArrayPrototype.cpp:
2915         (JSC::ArrayPrototype::finishCreation):
2916
2917 2018-05-25  Mark Lam  <mark.lam@apple.com>
2918
2919         for-in loops should preserve and restore the TDZ stack for each of its internal loops.
2920         https://bugs.webkit.org/show_bug.cgi?id=185995
2921         <rdar://problem/40173142>
2922
2923         Reviewed by Saam Barati.
2924
2925         This is because there's no guarantee that any of the loop bodies will be
2926         executed.  Hence, there's no guarantee that the TDZ variables will have been
2927         initialized after each loop body.
2928
2929         * bytecompiler/BytecodeGenerator.cpp:
2930         (JSC::BytecodeGenerator::preserveTDZStack):
2931         (JSC::BytecodeGenerator::restoreTDZStack):
2932         * bytecompiler/BytecodeGenerator.h:
2933         * bytecompiler/NodesCodegen.cpp:
2934         (JSC::ForInNode::emitBytecode):
2935
2936 2018-05-25  Mark Lam  <mark.lam@apple.com>
2937
2938         MachineContext's instructionPointer() should handle null PCs correctly.
2939         https://bugs.webkit.org/show_bug.cgi?id=186004
2940         <rdar://problem/40570067>
2941
2942         Reviewed by Saam Barati.
2943
2944         instructionPointer() returns a MacroAssemblerCodePtr<CFunctionPtrTag>.  However,
2945         MacroAssemblerCodePtr's constructor does not accept a null pointer value and will
2946         assert accordingly with a debug ASSERT.  This is inconsequential for release
2947         builds, but to avoid this assertion failure, we should check for a null PC and
2948         return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr) instead (which uses the
2949         MacroAssemblerCodePtr(std::nullptr_t) version of the constructor instead).
2950
2951         Alternatively, we can change all of MacroAssemblerCodePtr's constructors to check
2952         for null pointers, but I'd rather not do that yet.  In general,
2953         MacroAssemblerCodePtrs are constructed with non-null pointers, and I prefer to
2954         leave it that way for now.
2955
2956         Note: this assertion failure only manifests when we have signal traps enabled,
2957         and encounter a null pointer deref.
2958
2959         * runtime/MachineContext.h:
2960         (JSC::MachineContext::instructionPointer):
2961
2962 2018-05-25  Mark Lam  <mark.lam@apple.com>
2963
2964         Enforce invariant that GetterSetter objects are invariant.
2965         https://bugs.webkit.org/show_bug.cgi?id=185968
2966         <rdar://problem/40541416>
2967
2968         Reviewed by Saam Barati.
2969
2970         The code already assumes the invariant that GetterSetter objects are immutable.
2971         For example, the use of @tryGetById in builtins expects this invariant to be true.
2972         The existing code mostly enforces this except for one case: JSObject's
2973         validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter
2974         object.
2975
2976         This patch enforces this invariant by removing the setGetter and setSetter methods
2977         of GetterSetter, and requiring the getter/setter callback functions to be
2978         specified at construction time.
2979
2980         * jit/JITOperations.cpp:
2981         * llint/LLIntSlowPaths.cpp:
2982         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2983         * runtime/GetterSetter.cpp:
2984         (JSC::GetterSetter::withGetter): Deleted.
2985         (JSC::GetterSetter::withSetter): Deleted.
2986         * runtime/GetterSetter.h:
2987         * runtime/JSGlobalObject.cpp:
2988         (JSC::JSGlobalObject::init):
2989         * runtime/JSObject.cpp:
2990         (JSC::JSObject::putIndexedDescriptor):
2991         (JSC::JSObject::putDirectNativeIntrinsicGetter):
2992         (JSC::putDescriptor):
2993         (JSC::validateAndApplyPropertyDescriptor):
2994         * runtime/JSTypedArrayViewPrototype.cpp:
2995         (JSC::JSTypedArrayViewPrototype::finishCreation):
2996         * runtime/Lookup.cpp:
2997         (JSC::reifyStaticAccessor):
2998         * runtime/PropertyDescriptor.cpp:
2999         (JSC::PropertyDescriptor::slowGetterSetter):
3000
3001 2018-05-25  Saam Barati  <sbarati@apple.com>
3002
3003         Make JSC have a mini mode that kicks in when the JIT is disabled
3004         https://bugs.webkit.org/show_bug.cgi?id=185931
3005
3006         Reviewed by Mark Lam.
3007
3008         This patch makes JSC have a mini VM mode. This currently only kicks in
3009         when the process can't JIT. Mini VM now means a few things:
3010         - We always use a 1.27x heap growth factor. This number was the best tradeoff
3011           between memory use progression and time regression in run-testmem. We may
3012           want to tune this more in the future as we make other mini VM changes.
3013         - We always sweep synchronously.
3014         - We disable generational GC.
3015         
3016         I'm going to continue to extend what mini VM mode means in future changes.
3017         
3018         This patch is a 50% memory progression and an ~8-9% time regression
3019         on run-testmem when running in mini VM mode with the JIT disabled.
3020
3021         * heap/Heap.cpp:
3022         (JSC::Heap::collectNow):
3023         (JSC::Heap::finalize):
3024         (JSC::Heap::useGenerationalGC):
3025         (JSC::Heap::shouldSweepSynchronously):
3026         (JSC::Heap::shouldDoFullCollection):
3027         * heap/Heap.h:
3028         * runtime/Options.h:
3029         * runtime/VM.cpp:
3030         (JSC::VM::isInMiniMode):
3031         * runtime/VM.h:
3032
3033 2018-05-25  Saam Barati  <sbarati@apple.com>
3034
3035         Have a memory test where we can validate JSC's mini memory mode
3036         https://bugs.webkit.org/show_bug.cgi?id=185932
3037
3038         Reviewed by Mark Lam.
3039
3040         This patch adds the testmem CLI. It takes as input a file to run
3041         and the number of iterations to run it (by default it runs it
3042         20 times). Each iteration runs in a new JSContext. Each JSContext
3043         belongs to a VM that is created once. When finished, the CLI dumps
3044         out the peak memory usage of the process, the memory usage at the end
3045         of running all the iterations of the process, and the total time it
3046         took to run all the iterations.
3047
3048         * JavaScriptCore.xcodeproj/project.pbxproj:
3049         * testmem: Added.
3050         * testmem/testmem.mm: Added.
3051         (description):
3052         (Footprint::now):
3053         (main):
3054
3055 2018-05-25  David Kilzer  <ddkilzer@apple.com>
3056
3057         Fix issues with -dealloc methods found by clang static analyzer
3058         <https://webkit.org/b/185887>
3059
3060         Reviewed by Joseph Pecoraro.
3061
3062         * API/JSValue.mm:
3063         (-[JSValue dealloc]):
3064         (-[JSValue description]):
3065         - Move method implementations from (Internal) category to the
3066           main category since these are public API.  This fixes the
3067           false positive warning about a missing -dealloc method.
3068
3069 2018-05-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3070
3071         [Baseline] Remove a hack for DCE removal of NewFunction
3072         https://bugs.webkit.org/show_bug.cgi?id=185945
3073
3074         Reviewed by Saam Barati.
3075
3076         This `undefined` check in baseline was originally introduced in r177871. The problem was,
3077         when NewFunction is removed in DFG DCE, its referencing scope DFG node is also removed.
3078         While op_new_func_xxx wants to have scope for function creation, DFG OSR exit cannot
3079         retrieve this into the stack since the scope is not referenced from anywhere.
3080
3081         In r177871, we fixed this by accepting `undefined` scope in the baseline op_new_func_xxx
3082         implementation. But rather than that, just emitting `Phantom` for this scope is clean
3083         and consistent with the other DFG nodes like GetClosureVar.
3084
3085         This patch emits Phantom instead, and removes unnecessary `undefined` check in baseline.
3086         While we emit Phantom, it is not testable since NewFunction is guarded by MovHint which
3087         is not removed in DFG. And in FTL, NewFunction will be converted to PhantomNewFunction
3088         if it is not referenced. And scope node is kept by PutHint. But emitting Phantom is nice
3089         since it conservatively guards the scope, and it does not introduce any additional overhead
3090         compared to the current status.
3091
3092         * dfg/DFGByteCodeParser.cpp:
3093         (JSC::DFG::ByteCodeParser::parseBlock):
3094         * jit/JITOpcodes.cpp:
3095         (JSC::JIT::emitNewFuncExprCommon):
3096
3097 2018-05-23  Keith Miller  <keith_miller@apple.com>
3098
3099         Expose $vm if window.internals is exposed
3100         https://bugs.webkit.org/show_bug.cgi?id=185900
3101
3102         Reviewed by Mark Lam.
3103
3104         This is useful for testing vm internals when running LayoutTests.
3105
3106         * runtime/JSGlobalObject.cpp:
3107         (JSC::JSGlobalObject::init):
3108         (JSC::JSGlobalObject::visitChildren):
3109         (JSC::JSGlobalObject::exposeDollarVM):
3110         * runtime/JSGlobalObject.h:
3111
3112 2018-05-23  Keith Miller  <keith_miller@apple.com>
3113
3114         Define length on CoW array should properly convert to writable
3115         https://bugs.webkit.org/show_bug.cgi?id=185927
3116
3117         Reviewed by Yusuke Suzuki.
3118
3119         * runtime/JSArray.cpp:
3120         (JSC::JSArray::setLength):
3121
3122 2018-05-23  Keith Miller  <keith_miller@apple.com>
3123
3124         InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format
3125         https://bugs.webkit.org/show_bug.cgi?id=185923
3126
3127         Reviewed by Saam Barati.
3128
3129         Previously, we could confuse AI by overly broadening a type. This happens when a block in a
3130         loop has a local mutated following a GetLocal but never SetLocaled to the stack. For example,
3131
3132         Block 1:
3133         @1: GetLocal(loc42, FlushedInt32);
3134         @2: PutStructure(Check: Cell: @1);
3135         @3: Jump(Block 1);
3136
3137         Would cause us to claim that loc42 could be either an int32 or some cell. However,
3138         the type of a local cannot change without writing to it.
3139
3140         This fixes a crash in destructuring-rest-element.js
3141
3142         * dfg/DFGInPlaceAbstractState.cpp:
3143         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3144
3145 2018-05-23  Filip Pizlo  <fpizlo@apple.com>
3146
3147         Speed up JetStream/base64
3148         https://bugs.webkit.org/show_bug.cgi?id=185914
3149
3150         Reviewed by Michael Saboff.
3151         
3152         Make allocation fast paths ALWAYS_INLINE.
3153         
3154         This is a 1% speed-up on SunSpider, mostly because of base64. It also speeds up pdfjs by
3155         ~6%.
3156
3157         * CMakeLists.txt:
3158         * JavaScriptCore.xcodeproj/project.pbxproj:
3159         * heap/AllocatorInlines.h:
3160         (JSC::Allocator::allocate const):
3161         * heap/CompleteSubspace.cpp:
3162         (JSC::CompleteSubspace::allocateNonVirtual): Deleted.
3163         * heap/CompleteSubspace.h:
3164         * heap/CompleteSubspaceInlines.h: Added.
3165         (JSC::CompleteSubspace::allocateNonVirtual):
3166         * heap/FreeListInlines.h:
3167         (JSC::FreeList::allocate):
3168         * heap/IsoSubspace.cpp:
3169         (JSC::IsoSubspace::allocateNonVirtual): Deleted.
3170         * heap/IsoSubspace.h:
3171         (JSC::IsoSubspace::allocatorForNonVirtual):
3172         * heap/IsoSubspaceInlines.h: Added.
3173         (JSC::IsoSubspace::allocateNonVirtual):
3174         * runtime/JSCellInlines.h:
3175         * runtime/VM.h:
3176
3177 2018-05-23  Rick Waldron  <waldron.rick@gmail.com>
3178
3179         Conversion misspelled "Convertion" in error message string
3180         https://bugs.webkit.org/show_bug.cgi?id=185436
3181
3182         Reviewed by Saam Barati, Michael Saboff.
3183
3184         * runtime/JSBigInt.cpp:
3185         (JSC::JSBigInt::toNumber const):
3186
3187 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3188
3189         [JSC] Clean up stringGetByValStubGenerator
3190         https://bugs.webkit.org/show_bug.cgi?id=185864
3191
3192         Reviewed by Saam Barati.
3193
3194         We clean up stringGetByValStubGenerator.
3195
3196         1. Unify 32bit and 64bit implementations.
3197         2. Rename stringGetByValStubGenerator to stringGetByValGenerator, move it to ThunkGenerators.cpp.
3198         3. Remove string type check since this code is invoked only when we know regT0 is JSString*.
3199         4. Do not tag Cell in stringGetByValGenerator side. 32bit code stores Cell with tag in JITPropertyAccess32_64 side.
3200         5. Fix invalid use of loadPtr for StringImpl::flags. Should use load32.
3201
3202         * jit/JIT.h:
3203         * jit/JITPropertyAccess.cpp:
3204         (JSC::JIT::emitSlow_op_get_by_val):
3205         (JSC::JIT::stringGetByValStubGenerator): Deleted.
3206         * jit/JITPropertyAccess32_64.cpp:
3207         (JSC::JIT::emit_op_get_by_val):
3208         (JSC::JIT::emitSlow_op_get_by_val):
3209         (JSC::JIT::stringGetByValStubGenerator): Deleted.
3210         * jit/ThunkGenerators.cpp:
3211         (JSC::stringGetByValGenerator):
3212         * jit/ThunkGenerators.h:
3213
3214 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3215
3216         [JSC] Use branchIfString/branchIfNotString instead of structure checkings
3217         https://bugs.webkit.org/show_bug.cgi?id=185810
3218
3219         Reviewed by Saam Barati.
3220
3221         Let's use branchIfString/branchIfNotString helper functions instead of
3222         checking structure with jsString's structure. It's easy to read. And
3223         it emits less code since we do not need to embed string structure's
3224         raw pointer in 32bit environment.
3225
3226         * jit/JIT.h:
3227         * jit/JITInlines.h:
3228         (JSC::JIT::emitLoadCharacterString):
3229         (JSC::JIT::checkStructure): Deleted.
3230         * jit/JITOpcodes32_64.cpp:
3231         (JSC::JIT::emitSlow_op_eq):
3232         (JSC::JIT::compileOpEqJumpSlow):
3233         (JSC::JIT::emitSlow_op_neq):
3234         * jit/JITPropertyAccess.cpp:
3235         (JSC::JIT::stringGetByValStubGenerator):
3236         (JSC::JIT::emitSlow_op_get_by_val):
3237         (JSC::JIT::emitByValIdentifierCheck):
3238         * jit/JITPropertyAccess32_64.cpp:
3239         (JSC::JIT::stringGetByValStubGenerator):
3240         (JSC::JIT::emitSlow_op_get_by_val):
3241         * jit/JSInterfaceJIT.h:
3242         (JSC::ThunkHelpers::jsStringLengthOffset): Deleted.
3243         (JSC::ThunkHelpers::jsStringValueOffset): Deleted.
3244         * jit/SpecializedThunkJIT.h:
3245         (JSC::SpecializedThunkJIT::loadJSStringArgument):
3246         * jit/ThunkGenerators.cpp:
3247         (JSC::stringCharLoad):
3248         (JSC::charCodeAtThunkGenerator):
3249         (JSC::charAtThunkGenerator):
3250         * runtime/JSString.h:
3251
3252 2018-05-22  Mark Lam  <mark.lam@apple.com>
3253
3254         BytecodeGeneratorification shouldn't add a ValueProfile if the JIT is disabled.
3255         https://bugs.webkit.org/show_bug.cgi?id=185896
3256         <rdar://problem/40471403>
3257
3258         Reviewed by Saam Barati.
3259
3260         * bytecode/BytecodeGeneratorification.cpp:
3261         (JSC::BytecodeGeneratorification::run):
3262
3263 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3264
3265         [JSC] Fix CachedCall's argument count if RegExp has named captures
3266         https://bugs.webkit.org/show_bug.cgi?id=185587
3267
3268         Reviewed by Mark Lam.
3269
3270         If the given RegExp has named captures, the argument count of CachedCall in String#replace
3271         should be increased by one. This causes a crash with an assertion in test262. This patch corrects
3272         the argument count.
3273
3274         This patch also unifies source.is8Bit()/!source.is8Bit() code since they are now completely
3275         the same.
3276
3277         * runtime/StringPrototype.cpp:
3278         (JSC::replaceUsingRegExpSearch):
3279
3280 2018-05-22  Mark Lam  <mark.lam@apple.com>
3281
3282         StringImpl utf8 conversion should not fail silently.
3283         https://bugs.webkit.org/show_bug.cgi?id=185888
3284         <rdar://problem/40464506>
3285
3286         Reviewed by Filip Pizlo.
3287
3288         * dfg/DFGLazyJSValue.cpp:
3289         (JSC::DFG::LazyJSValue::dumpInContext const):
3290         * runtime/DateConstructor.cpp:
3291         (JSC::constructDate):
3292         (JSC::dateParse):
3293         * runtime/JSDateMath.cpp:
3294         (JSC::parseDate):
3295         * runtime/JSDateMath.h:
3296
3297 2018-05-22  Keith Miller  <keith_miller@apple.com>
3298
3299         Remove the UnconditionalFinalizer class
3300         https://bugs.webkit.org/show_bug.cgi?id=185881
3301
3302         Reviewed by Filip Pizlo.
3303
3304         The only remaining user of this API is
3305         JSWebAssemblyCodeBlock. This patch changes JSWebAssemblyCodeBlock
3306         to use the newer template based API and removes the old class.
3307
3308         * JavaScriptCore.xcodeproj/project.pbxproj:
3309         * bytecode/CodeBlock.h:
3310         * heap/Heap.cpp:
3311         (JSC::Heap::finalizeUnconditionalFinalizers):
3312         * heap/Heap.h:
3313         * heap/SlotVisitor.cpp:
3314         (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
3315         * heap/SlotVisitor.h:
3316         * heap/UnconditionalFinalizer.h: Removed.
3317         * wasm/js/JSWebAssemblyCodeBlock.cpp:
3318         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
3319         (JSC::JSWebAssemblyCodeBlock::visitChildren):
3320         (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
3321         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
3322         * wasm/js/JSWebAssemblyCodeBlock.h:
3323         * wasm/js/JSWebAssemblyModule.h:
3324
3325         * CMakeLists.txt:
3326         * JavaScriptCore.xcodeproj/project.pbxproj:
3327         * bytecode/CodeBlock.h:
3328         * heap/Heap.cpp:
3329         (JSC::Heap::finalizeUnconditionalFinalizers):
3330         * heap/Heap.h:
3331         * heap/SlotVisitor.cpp:
3332         (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
3333         * heap/SlotVisitor.h:
3334         * heap/UnconditionalFinalizer.h: Removed.
3335         * wasm/js/JSWebAssemblyCodeBlock.cpp:
3336         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
3337         (JSC::JSWebAssemblyCodeBlock::visitChildren):
3338         (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
3339         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
3340         * wasm/js/JSWebAssemblyCodeBlock.h:
3341         * wasm/js/JSWebAssemblyModule.h:
3342
3343 2018-05-22  Keith Miller  <keith_miller@apple.com>
3344
3345         Unreviewed, fix internal build.
3346
3347         * runtime/JSImmutableButterfly.cpp:
3348
3349 2018-05-22  Saam Barati  <sbarati@apple.com>
3350
3351         DFG::LICMPhase should attempt to hoist edge type checks if hoisting the whole node fails
3352         https://bugs.webkit.org/show_bug.cgi?id=144525
3353
3354         Reviewed by Filip Pizlo.
3355
3356         This patch teaches LICM to fall back to hoisting a node's type checks when
3357         hoisting the entire node fails.
3358         
3359         This patch follows the same principles we use when deciding to hoist nodes in general:
3360         - If the pre header is control equivalent to where the current check is, we
3361         go ahead and hoist the check.
3362         - Otherwise, if hoisting hasn't failed before, we go ahead and gamble and
3363         hoist the check. If hoisting failed in the past, we will not hoist the check.
3364
3365         * dfg/DFGLICMPhase.cpp:
3366         (JSC::DFG::LICMPhase::attemptHoist):
3367         * dfg/DFGUseKind.h:
3368         (JSC::DFG::checkMayCrashIfInputIsEmpty):
3369
3370 2018-05-21  Filip Pizlo  <fpizlo@apple.com>
3371
3372         Get rid of TLCs
3373         https://bugs.webkit.org/show_bug.cgi?id=185846
3374
3375         Rubber stamped by Geoffrey Garen.
3376         
3377         This removes support for thread-local caches from the GC in order to speed up allocation a
3378         bit.
3379         
3380         We added TLCs as part of Spectre mitigations, which we have since removed.
3381         
3382         We will want some kind of TLCs eventually, since they allow us to:
3383         
3384         - have a global GC, which may be a perf optimization at some point.
3385         - allocate objects from JIT threads, which we've been wanting to do for a while.
3386         
3387         This change keeps the most interesting aspect of TLCs, which is the
3388         LocalAllocator/BlockDirectory separation. This means that it ought to be easy to implement
3389         TLCs again in the future if we wanted this feature.
3390         
3391         This change removes the part of TLCs that causes a perf regression, namely that Allocator is
3392         an offset that requires a bounds check and lookup that makes the rest of the allocation fast
3393         path dependent on the load of the TLC. Now, Allocator is really just a LocalAllocator*, so
3394         you can directly use it to allocate. This removes two loads and a check from the allocation
3395         fast path. In hindsight, I probably could have made that whole thing more efficient, had I
3396         allowed us to have a statically known set of LocalAllocators. This would have removed the
3397         bounds check (one load and one branch) and it would have made it possible to CSE the load of
3398         the TLC data structure, since that would no longer resize. But that's a harder change than
3399         this patch, and we don't need it right now.
3400         
3401         While reviewing the allocation hot paths, I found that CreateThis had an unnecessary branch
3402         to check if the allocator is null. I removed that check. AssemblyHelpers::emitAllocate() does
3403         that check already. Previously, the TLC bounds check doubled as this check.
3404         
3405         This is a 1% speed-up on Octane and a 2.3% speed-up on TailBench. However, the Octane
3406         speed-up on my machine includes an 8% regexp speed-up. I've found that sometimes regexp
3407         speeds up or slows down by 8% depending on which path I build JSC from. Without that 8%, this
3408         is still an Octane speed-up due to 2-4% speed-ups in earley, boyer, raytrace, and splay.
3409
3410         * JavaScriptCore.xcodeproj/project.pbxproj:
3411         * Sources.txt:
3412         * bytecode/ObjectAllocationProfileInlines.h:
3413         (JSC::ObjectAllocationProfile::initializeProfile):
3414         * dfg/DFGSpeculativeJIT.cpp:
3415         (JSC::DFG::SpeculativeJIT::compileCreateThis):
3416         * ftl/FTLLowerDFGToB3.cpp:
3417         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3418         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3419         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3420         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3421         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3422         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
3423         * heap/Allocator.cpp:
3424         (JSC::Allocator::cellSize const):
3425         * heap/Allocator.h:
3426         (JSC::Allocator::Allocator):
3427         (JSC::Allocator::localAllocator const):
3428         (JSC::Allocator::operator== const):
3429         (JSC::Allocator::offset const): Deleted.
3430         * heap/AllocatorInlines.h:
3431         (JSC::Allocator::allocate const):
3432         (JSC::Allocator::tryAllocate const): Deleted.
3433         * heap/BlockDirectory.cpp:
3434         (JSC::BlockDirectory::BlockDirectory):
3435         (JSC::BlockDirectory::~BlockDirectory):
3436         * heap/BlockDirectory.h:
3437         (JSC::BlockDirectory::allocator const): Deleted.
3438         * heap/CompleteSubspace.cpp:
3439         (JSC::CompleteSubspace::allocateNonVirtual):
3440         (JSC::CompleteSubspace::allocatorForSlow):
3441         (JSC::CompleteSubspace::tryAllocateSlow):
3442         * heap/CompleteSubspace.h:
3443         * heap/Heap.cpp:
3444         (JSC::Heap::Heap):
3445         * heap/Heap.h:
3446         (JSC::Heap::threadLocalCacheLayout): Deleted.
3447         * heap/IsoSubspace.cpp:
3448         (JSC::IsoSubspace::IsoSubspace):
3449         (JSC::IsoSubspace::allocateNonVirtual):
3450         * heap/IsoSubspace.h:
3451         (JSC::IsoSubspace::allocatorForNonVirtual):
3452         * heap/LocalAllocator.cpp:
3453         (JSC::LocalAllocator::LocalAllocator):
3454         (JSC::LocalAllocator::~LocalAllocator):
3455         * heap/LocalAllocator.h:
3456         (JSC::LocalAllocator::cellSize const):
3457         (JSC::LocalAllocator::tlc const): Deleted.
3458         * heap/ThreadLocalCache.cpp: Removed.
3459         * heap/ThreadLocalCache.h: Removed.
3460         * heap/ThreadLocalCacheInlines.h: Removed.
3461         * heap/ThreadLocalCacheLayout.cpp: Removed.
3462         * heap/ThreadLocalCacheLayout.h: Removed.
3463         * jit/AssemblyHelpers.cpp:
3464         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3465         (JSC::AssemblyHelpers::emitAllocate):
3466         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3467         * jit/JITOpcodes.cpp:
3468         (JSC::JIT::emit_op_create_this):
3469         * runtime/JSLock.cpp:
3470         (JSC::JSLock::didAcquireLock):
3471         * runtime/VM.cpp:
3472         (JSC::VM::VM):
3473         (JSC::VM::~VM):
3474         * runtime/VM.h:
3475         * runtime/VMEntryScope.cpp:
3476         (JSC::VMEntryScope::~VMEntryScope):
3477         * runtime/VMEntryScope.h:
3478
3479 2018-05-22  Keith Miller  <keith_miller@apple.com>
3480
3481         We should have a CoW storage for NewArrayBuffer arrays.
3482         https://bugs.webkit.org/show_bug.cgi?id=185003
3483
3484         Reviewed by Filip Pizlo.
3485
3486         This patch adds copy on write storage for new array buffers. In
3487         order to do this there needed to be significant changes to the
3488         layout of IndexingType. The new indexing type has the following
3489         shape:
3490
3491         struct IndexingTypeAndMisc {
3492             struct IndexingModeIncludingHistory {
3493                 struct IndexingMode {
3494                     struct IndexingType {
3495                         uint8_t isArray:1;          // bit 0
3496                         uint8_t shape:3;            // bit 1 - 3
3497                     };
3498                     uint8_t copyOnWrite:1;          // bit 4
3499                 };
3500                 uint8_t mayHaveIndexedAccessors:1;  // bit 5
3501             };
3502             uint8_t cellLockBits:2;                 // bit 6 - 7
3503         };
3504
3505         For simplicity ArrayStorage shapes cannot be CoW. So the only
3506         valid CoW indexing shapes are ArrayWithInt32, ArrayWithDouble, and
3507         ArrayWithContiguous.
3508
3509         The backing store for a CoW array is a new class
3510         JSImmutableButterfly, which looks exactly the same as a normal
3511         butterfly except that it has a JSCell header. Like other
3512         butterflies, JSImmutableButterflies are allocated out of the
3513         Auxiliary Gigacage and are pointed to by JSCells in the same
3514         way. However, when marking JSImmutableButterflies they are marked
3515         as if they were a property.
3516
3517         With CoW arrays, the new_array_buffer bytecode will reallocate the
3518         shared JSImmutableButterfly if it sees from the allocation profile
3519         that the last array it allocated has transitioned to a different
3520         indexing type. From then on, all arrays created by that
3521         new_array_buffer bytecode will have the promoted indexing
3522         type. This is more or less the same as what we used to do. The
3523         only difference is that we don't promote all the way to array
3524         storage even if we have seen it before.
3525
3526         Transitioning from a CoW indexing mode occurs whenever someone
3527         tries to store to an element, grow the array, or add properties.
3528         Storing or growing the array will call into code that does the
3529         stupid thing of copying the butterfly then continues into the old
3530         code. This doesn't end up costing us as future allocations will
3531         use any upgraded indexing shape.  We get adding properties for
3532         free by just changing the indexing mode on transition (our C++
3533         code always updates the indexing mode).
3534
3535         * JavaScriptCore.xcodeproj/project.pbxproj:
3536         * Sources.txt:
3537         * bytecode/ArrayAllocationProfile.cpp:
3538         (JSC::ArrayAllocationProfile::updateProfile):
3539         * bytecode/ArrayAllocationProfile.h:
3540         (JSC::ArrayAllocationProfile::initializeIndexingMode):
3541         * bytecode/ArrayProfile.cpp:
3542         (JSC::dumpArrayModes):
3543         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
3544         * bytecode/ArrayProfile.h:
3545         (JSC::asArrayModes):
3546         (JSC::arrayModeFromStructure):
3547         (JSC::arrayModesInclude):
3548         (JSC::hasSeenCopyOnWriteArray):
3549         * bytecode/BytecodeList.json:
3550         * bytecode/CodeBlock.cpp:
3551         (JSC::CodeBlock::finishCreation):
3552         * bytecode/InlineAccess.cpp:
3553         (JSC::InlineAccess::generateArrayLength):
3554         * bytecode/UnlinkedCodeBlock.h:
3555         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
3556         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
3557         * bytecompiler/BytecodeGenerator.cpp:
3558         (JSC::BytecodeGenerator::newArrayAllocationProfile):
3559         (JSC::BytecodeGenerator::emitNewArrayBuffer):
3560         (JSC::BytecodeGenerator::emitNewArray):
3561         (JSC::BytecodeGenerator::emitNewArrayWithSize):
3562         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
3563         * bytecompiler/BytecodeGenerator.h:
3564         * bytecompiler/NodesCodegen.cpp:
3565         (JSC::ArrayNode::emitBytecode):
3566         (JSC::ArrayPatternNode::bindValue const):
3567         (JSC::ArrayPatternNode::emitDirectBinding):
3568         * dfg/DFGAbstractInterpreterInlines.h:
3569         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3570         * dfg/DFGArgumentsEliminationPhase.cpp:
3571         * dfg/DFGArgumentsUtilities.cpp:
3572         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3573         * dfg/DFGArrayMode.cpp:
3574         (JSC::DFG::ArrayMode::fromObserved):
3575         (JSC::DFG::ArrayMode::refine const):
3576         (JSC::DFG::ArrayMode::alreadyChecked const):
3577         * dfg/DFGArrayMode.h:
3578         (JSC::DFG::ArrayMode::ArrayMode):
3579         (JSC::DFG::ArrayMode::action const):
3580         (JSC::DFG::ArrayMode::withSpeculation const):
3581         (JSC::DFG::ArrayMode::withArrayClass const):
3582         (JSC::DFG::ArrayMode::withType const):
3583         (JSC::DFG::ArrayMode::withConversion const):
3584         (JSC::DFG::ArrayMode::withTypeAndConversion const):
3585         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
3586         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
3587         * dfg/DFGByteCodeParser.cpp:
3588         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3589         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
3590         (JSC::DFG::ByteCodeParser::parseBlock):
3591         * dfg/DFGClobberize.h:
3592         (JSC::DFG::clobberize):
3593         * dfg/DFGConstantFoldingPhase.cpp:
3594         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3595         * dfg/DFGFixupPhase.cpp:
3596         (JSC::DFG::FixupPhase::fixupNode):
3597         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
3598         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
3599         * dfg/DFGGraph.cpp:
3600         (JSC::DFG::Graph::dump):
3601         * dfg/DFGNode.h:
3602         (JSC::DFG::Node::indexingType):
3603         (JSC::DFG::Node::indexingMode):
3604         * dfg/DFGOSRExit.cpp:
3605         (JSC::DFG::OSRExit::compileExit):
3606         * dfg/DFGOperations.cpp:
3607         * dfg/DFGOperations.h:
3608         * dfg/DFGSpeculativeJIT.cpp:
3609         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3610         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
3611         (JSC::DFG::SpeculativeJIT::arrayify):
3612         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3613         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3614         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3615         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3616         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3617         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3618         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
3619         * dfg/DFGSpeculativeJIT32_64.cpp:
3620         (JSC::DFG::SpeculativeJIT::compile):
3621         * dfg/DFGSpeculativeJIT64.cpp:
3622         (JSC::DFG::SpeculativeJIT::compile):
3623         * dfg/DFGValidate.cpp:
3624         * ftl/FTLAbstractHeapRepository.h:
3625         * ftl/FTLLowerDFGToB3.cpp:
3626         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
3627         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
3628         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3629         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
3630         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3631         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
3632         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
3633         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
3634         * ftl/FTLOperations.cpp:
3635         (JSC::FTL::operationMaterializeObjectInOSR):
3636         * generate-bytecode-files:
3637         * interpreter/Interpreter.cpp:
3638         (JSC::sizeOfVarargs):
3639         (JSC::loadVarargs):
3640         * jit/AssemblyHelpers.cpp:
3641         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
3642         * jit/AssemblyHelpers.h:
3643         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
3644         * jit/JITOperations.cpp:
3645         * jit/JITPropertyAccess.cpp:
3646         (JSC::JIT::emit_op_put_by_val):
3647         (JSC::JIT::emitSlow_op_put_by_val):
3648         * jit/Repatch.cpp:
3649         (JSC::tryCachePutByID):
3650         * llint/LowLevelInterpreter.asm:
3651         * llint/LowLevelInterpreter32_64.asm:
3652         * llint/LowLevelInterpreter64.asm:
3653         * runtime/Butterfly.h:
3654         (JSC::ContiguousData::Data::Data):
3655         (JSC::ContiguousData::Data::operator bool const):
3656         (JSC::ContiguousData::Data::operator=):
3657         (JSC::ContiguousData::Data::operator const T& const):
3658         (JSC::ContiguousData::Data::set):
3659         (JSC::ContiguousData::Data::setWithoutWriteBarrier):
3660         (JSC::ContiguousData::Data::clear):
3661         (JSC::ContiguousData::Data::get const):
3662         (JSC::ContiguousData::atUnsafe):
3663         (JSC::ContiguousData::at const): Deleted.
3664         (JSC::ContiguousData::at): Deleted.
3665         * runtime/ButterflyInlines.h:
3666         (JSC::ContiguousData<T>::at const):
3667         (JSC::ContiguousData<T>::at):
3668         * runtime/ClonedArguments.cpp:
3669         (JSC::ClonedArguments::createEmpty):
3670         * runtime/CommonSlowPaths.cpp:
3671         (JSC::SLOW_PATH_DECL):
3672         * runtime/CommonSlowPaths.h:
3673         (JSC::CommonSlowPaths::allocateNewArrayBuffer):
3674         * runtime/IndexingType.cpp:
3675         (JSC::leastUpperBoundOfIndexingTypeAndType):
3676         (JSC::leastUpperBoundOfIndexingTypeAndValue):
3677         (JSC::dumpIndexingType):
3678         * runtime/IndexingType.h:
3679         (JSC::hasIndexedProperties):
3680         (JSC::hasUndecided):
3681         (JSC::hasInt32):
3682         (JSC::hasDouble):
3683         (JSC::hasContiguous):
3684         (JSC::hasArrayStorage):
3685         (JSC::hasAnyArrayStorage):
3686         (JSC::hasSlowPutArrayStorage):
3687         (JSC::shouldUseSlowPut):
3688         (JSC::isCopyOnWrite):
3689         (JSC::arrayIndexFromIndexingType):
3690         * runtime/JSArray.cpp:
3691         (JSC::JSArray::tryCreateUninitializedRestricted):
3692         (JSC::JSArray::put):
3693         (JSC::JSArray::appendMemcpy):
3694         (JSC::JSArray::setLength):
3695         (JSC::JSArray::pop):
3696         (JSC::JSArray::fastSlice):
3697         (JSC::JSArray::shiftCountWithAnyIndexingType):
3698         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3699         (JSC::JSArray::fillArgList):
3700         (JSC::JSArray::copyToArguments):
3701         * runtime/JSArrayInlines.h:
3702         (JSC::JSArray::pushInline):
3703         * runtime/JSCell.h:
3704         * runtime/JSCellInlines.h:
3705         (JSC::JSCell::JSCell):
3706         (JSC::JSCell::finishCreation):
3707         (JSC::JSCell::indexingType const):
3708         (JSC::JSCell::indexingMode const):
3709         (JSC::JSCell::setStructure):
3710         * runtime/JSFixedArray.h:
3711         * runtime/JSGlobalObject.cpp:
3712         (JSC::JSGlobalObject::init):
3713         (JSC::JSGlobalObject::haveABadTime):
3714         (JSC::JSGlobalObject::visitChildren):
3715         * runtime/JSGlobalObject.h:
3716         (JSC::JSGlobalObject::originalArrayStructureForIndexingType const):
3717         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
3718         (JSC::JSGlobalObject::isOriginalArrayStructure):
3719         * runtime/JSImmutableButterfly.cpp: Added.
3720         (JSC::JSImmutableButterfly::visitChildren):
3721         (JSC::JSImmutableButterfly::copyToArguments):
3722         * runtime/JSImmutableButterfly.h: Added.
3723         (JSC::JSImmutableButterfly::createStructure):
3724         (JSC::JSImmutableButterfly::tryCreate):
3725         (JSC::JSImmutableButterfly::create):
3726         (JSC::JSImmutableButterfly::publicLength const):
3727         (JSC::JSImmutableButterfly::vectorLength const):
3728         (JSC::JSImmutableButterfly::length const):
3729         (JSC::JSImmutableButterfly::toButterfly const):
3730         (JSC::JSImmutableButterfly::fromButterfly):
3731         (JSC::JSImmutableButterfly::get const):
3732         (JSC::JSImmutableButterfly::subspaceFor):
3733         (JSC::JSImmutableButterfly::setIndex):
3734         (JSC::JSImmutableButterfly::allocationSize):
3735         (JSC::JSImmutableButterfly::JSImmutableButterfly):
3736         * runtime/JSObject.cpp:
3737         (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties):
3738         (JSC::JSObject::visitButterflyImpl):
3739         (JSC::JSObject::getOwnPropertySlotByIndex):
3740         (JSC::JSObject::putByIndex):
3741         (JSC::JSObject::createInitialInt32):
3742         (JSC::JSObject::createInitialDouble):
3743         (JSC::JSObject::createInitialContiguous):
3744         (JSC::JSObject::convertUndecidedToInt32):
3745         (JSC::JSObject::convertUndecidedToDouble):
3746         (JSC::JSObject::convertUndecidedToContiguous):
3747         (JSC::JSObject::convertInt32ToDouble):
3748         (JSC::JSObject::convertInt32ToArrayStorage):
3749         (JSC::JSObject::convertDoubleToContiguous):
3750         (JSC::JSObject::convertDoubleToArrayStorage):
3751         (JSC::JSObject::convertContiguousToArrayStorage):
3752         (JSC::JSObject::createInitialForValueAndSet):
3753         (JSC::JSObject::convertInt32ForValue):
3754         (JSC::JSObject::convertFromCopyOnWrite):
3755         (JSC::JSObject::ensureWritableInt32Slow):
3756         (JSC::JSObject::ensureWritableDoubleSlow):
3757         (JSC::JSObject::ensureWritableContiguousSlow):
3758         (JSC::JSObject::ensureArrayStorageSlow):
3759         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
3760         (JSC::JSObject::switchToSlowPutArrayStorage):
3761         (JSC::JSObject::deletePropertyByIndex):
3762         (JSC::JSObject::getOwnPropertyNames):
3763         (JSC::canDoFastPutDirectIndex):
3764         (JSC::JSObject::defineOwnIndexedProperty):
3765         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3766         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3767         (JSC::JSObject::putByIndexBeyondVectorLength):
3768         (JSC::JSObject::countElements):
3769         (JSC::JSObject::ensureLengthSlow):
3770         (JSC::JSObject::getEnumerableLength):
3771         (JSC::JSObject::ensureInt32Slow): Deleted.
3772         (JSC::JSObject::ensureDoubleSlow): Deleted.
3773         (JSC::JSObject::ensureContiguousSlow): Deleted.
3774         * runtime/JSObject.h:
3775         (JSC::JSObject::putDirectIndex):
3776         (JSC::JSObject::canGetIndexQuickly):
3777         (JSC::JSObject::getIndexQuickly):
3778         (JSC::JSObject::tryGetIndexQuickly const):
3779         (JSC::JSObject::canSetIndexQuickly):
3780         (JSC::JSObject::setIndexQuickly):
3781         (JSC::JSObject::initializeIndex):
3782         (JSC::JSObject::initializeIndexWithoutBarrier):
3783         (JSC::JSObject::ensureWritableInt32):
3784         (JSC::JSObject::ensureWritableDouble):
3785         (JSC::JSObject::ensureWritableContiguous):
3786         (JSC::JSObject::ensureLength):
3787         (JSC::JSObject::ensureInt32): Deleted.
3788         (JSC::JSObject::ensureDouble): Deleted.
3789         (JSC::JSObject::ensureContiguous): Deleted.
3790         * runtime/JSObjectInlines.h:
3791         (JSC::JSObject::putDirectInternal):
3792         * runtime/JSType.h:
3793         * runtime/RegExpMatchesArray.h:
3794         (JSC::tryCreateUninitializedRegExpMatchesArray):
3795         * runtime/Structure.cpp:
3796         (JSC::Structure::Structure):
3797         (JSC::Structure::addNewPropertyTransition):
3798         (JSC::Structure::nonPropertyTransition):
3799         * runtime/Structure.h:
3800         * runtime/StructureIDBlob.h:
3801         (JSC::StructureIDBlob::StructureIDBlob):
3802         (JSC::StructureIDBlob::indexingModeIncludingHistory const):
3803         (JSC::StructureIDBlob::setIndexingModeIncludingHistory):
3804         (JSC::StructureIDBlob::indexingModeIncludingHistoryOffset):
3805         (JSC::StructureIDBlob::indexingTypeIncludingHistory const): Deleted.
3806         (JSC::StructureIDBlob::setIndexingTypeIncludingHistory): Deleted.
3807         (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset): Deleted.
3808         * runtime/StructureTransitionTable.h:
3809         (JSC::newIndexingType):
3810         * runtime/VM.cpp:
3811         (JSC::VM::VM):
3812         * runtime/VM.h:
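
        As an added example that is not JavaScriptCore's own code, the following C++ models the
        IndexingTypeAndMisc byte described in this entry and the copy-on-write transition: two array
        literals share one immutable backing store until the first store, which copies the butterfly and
        clears the CoW bit. The bit positions follow the entry; the numeric shape codes, the cow_model
        namespace and all type and function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <stdexcept>
#include <vector>

// Added example, not JavaScriptCore code: a model of the IndexingTypeAndMisc
// byte from the commit message and of the copy-on-write (CoW) transition.
// Bit positions follow the message; the numeric shape codes are assumed.
namespace cow_model {

enum Shape : uint8_t { NoShape = 0, Undecided = 1, Int32 = 2, Double = 3,
                       Contiguous = 4, ArrayStorage = 5, SlowPutArrayStorage = 6 };

constexpr uint8_t IsArrayBit = 1u << 0;                 // bit 0
constexpr uint8_t ShapeMask = 0x7u << 1;                // bits 1 - 3
constexpr uint8_t CopyOnWriteBit = 1u << 4;             // bit 4
constexpr uint8_t MayHaveIndexedAccessorsBit = 1u << 5; // bit 5
constexpr uint8_t CellLockMask = 0x3u << 6;             // bits 6 - 7

inline bool isArray(uint8_t mode) { return mode & IsArrayBit; }
inline Shape shape(uint8_t mode) { return Shape((mode & ShapeMask) >> 1); }
inline bool isCopyOnWrite(uint8_t mode) { return mode & CopyOnWriteBit; }
// IndexingType is the low nibble: isArray plus shape, without the CoW bit.
inline uint8_t indexingType(uint8_t mode) { return mode & (IsArrayBit | ShapeMask); }

// Only ArrayWithInt32, ArrayWithDouble and ArrayWithContiguous may be CoW;
// ArrayStorage shapes and non-array objects never are.
inline bool isValidMode(uint8_t mode) {
    if (!isCopyOnWrite(mode))
        return true;
    Shape s = shape(mode);
    return isArray(mode) && (s == Int32 || s == Double || s == Contiguous);
}

inline uint8_t makeMode(Shape s, bool copyOnWrite) {
    uint8_t mode = IsArrayBit | uint8_t(s << 1) | (copyOnWrite ? CopyOnWriteBit : 0);
    if (!isValidMode(mode))
        throw std::invalid_argument("CoW is only defined for Int32/Double/Contiguous arrays");
    return mode;
}

// Stand-in for JSImmutableButterfly: storage shared by every array a given
// new_array_buffer site produced, never written in place.
struct ImmutableButterfly { std::vector<int32_t> elements; };

struct Array {
    uint8_t mode;
    std::shared_ptr<const ImmutableButterfly> shared; // set while CoW
    std::vector<int32_t> owned;                       // set after the transition

    static Array fromLiteral(std::shared_ptr<const ImmutableButterfly> storage) {
        return Array{makeMode(Int32, true), std::move(storage), {}};
    }
    std::size_t length() const { return isCopyOnWrite(mode) ? shared->elements.size() : owned.size(); }
    int32_t get(std::size_t i) const { return isCopyOnWrite(mode) ? shared->elements.at(i) : owned.at(i); }

    // Mirrors convertFromCopyOnWrite: copy the butterfly, clear the bit, then
    // continue into the ordinary store path. Same-shape stores keep the shape.
    void convertFromCopyOnWrite() {
        if (!isCopyOnWrite(mode))
            return;
        owned = shared->elements;
        shared.reset();
        mode = makeMode(shape(mode), false);
    }
    void set(std::size_t i, int32_t value) {
        convertFromCopyOnWrite();
        if (i >= owned.size())
            owned.resize(i + 1, 0); // growing the array also leaves CoW
        owned[i] = value;
    }
};

} // namespace cow_model
```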
3813
3814 2018-05-22  Ryan Haddad  <ryanhaddad@apple.com>
3815
3816         Unreviewed, rolling out r232052.
3817
3818         Breaks internal builds.
3819
3820         Reverted changeset:
3821
3822         "Use more C++17"
3823         https://bugs.webkit.org/show_bug.cgi?id=185176
3824         https://trac.webkit.org/changeset/232052
3825
3826 2018-05-22  Alberto Garcia  <berto@igalia.com>
3827
3828         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
3829         https://bugs.webkit.org/show_bug.cgi?id=182622
3830         <rdar://problem/40292317>
3831
3832         Reviewed by Michael Catanzaro.
3833
3834         We were linking JavaScriptCore against libatomic in MIPS because
3835         in that architecture __atomic_fetch_add_8() is not a compiler
3836         intrinsic and is provided by that library instead. However other
3837         architectures (e.g. armel) are in the same situation, so we need a
3838         generic test.
3839
3840         That test already exists in WebKit/CMakeLists.txt, so we just have
3841         to move it to a common file (WebKitCompilerFlags.cmake) and use
3842         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
3843
3844         * CMakeLists.txt:
3845
3846 2018-05-22  Michael Catanzaro  <mcatanzaro@igalia.com>
3847
3848         Unreviewed, rolling out r231843.
3849
3850         Broke cross build
3851
3852         Reverted changeset:
3853
3854         "[CMake] Properly detect compiler flags, needed libs, and
3855         fallbacks for usage of 64-bit atomic operations"
3856         https://bugs.webkit.org/show_bug.cgi?id=182622
3857         https://trac.webkit.org/changeset/231843
3858
3859 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3860
3861         Use more C++17
3862         https://bugs.webkit.org/show_bug.cgi?id=185176
3863
3864         Reviewed by JF Bastien.
3865
3866         * Configurations/Base.xcconfig:
3867
3868 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3869
3870         [JSC] Remove duplicate methods in JSInterfaceJIT
3871         https://bugs.webkit.org/show_bug.cgi?id=185813
3872
3873         Reviewed by Saam Barati.
3874
3875         Some methods of JSInterfaceJIT are duplicates of AssemblyHelpers' ones.
3876         This patch removes them and uses AssemblyHelpers' ones instead.
3877
3878         This patch also cleans up ThunkGenerators' unnecessary ifdefs a bit.
3879
3880         * jit/AssemblyHelpers.h:
3881         (JSC::AssemblyHelpers::tagFor):
3882         (JSC::AssemblyHelpers::payloadFor):
3883         * jit/JIT.h:
3884         * jit/JITArithmetic.cpp:
3885         (JSC::JIT::emit_op_unsigned):
3886         (JSC::JIT::emit_compareUnsigned):
3887         (JSC::JIT::emit_op_inc):
3888         (JSC::JIT::emit_op_dec):
3889         (JSC::JIT::emit_op_mod):
3890         * jit/JITCall32_64.cpp:
3891         (JSC::JIT::compileOpCall):
3892         * jit/JITInlines.h:
3893         (JSC::JIT::emitPutIntToCallFrameHeader):
3894         (JSC::JIT::updateTopCallFrame):
3895         (JSC::JIT::emitInitRegister):
3896         (JSC::JIT::emitLoad):
3897         (JSC::JIT::emitStore):
3898         (JSC::JIT::emitStoreInt32):
3899         (JSC::JIT::emitStoreCell):
3900         (JSC::JIT::emitStoreBool):
3901         (JSC::JIT::emitGetVirtualRegister):
3902         (JSC::JIT::emitPutVirtualRegister):
3903         (JSC::JIT::emitTagBool): Deleted.
3904         * jit/JITOpcodes.cpp:
3905         (JSC::JIT::emit_op_overrides_has_instance):
3906         (JSC::JIT::emit_op_is_empty):
3907         (JSC::JIT::emit_op_is_undefined):
3908         (JSC::JIT::emit_op_is_boolean):
3909         (JSC::JIT::emit_op_is_number):
3910         (JSC::JIT::emit_op_is_cell_with_type):
3911         (JSC::JIT::emit_op_is_object):
3912         (JSC::JIT::emit_op_eq):
3913         (JSC::JIT::emit_op_neq):
3914         (JSC::JIT::compileOpStrictEq):
3915         (JSC::JIT::emit_op_eq_null):
3916         (JSC::JIT::emit_op_neq_null):
3917         (JSC::JIT::emitSlow_op_eq):
3918         (JSC::JIT::emitSlow_op_neq):
3919         (JSC::JIT::emitSlow_op_instanceof_custom):
3920         (JSC::JIT::emitNewFuncExprCommon):
3921         * jit/JSInterfaceJIT.h:
3922         (JSC::JSInterfaceJIT::emitLoadInt32):
3923         (JSC::JSInterfaceJIT::emitLoadDouble):
3924         (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
3925