8c82f3ef4ba80d0ecdc84d7c069c59747c0e25c3
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-09-11  Mark Lam  <mark.lam@apple.com>

        More exception check book-keeping needed found by 32-bit JSC test failures.
        https://bugs.webkit.org/show_bug.cgi?id=176742

        Reviewed by Michael Saboff and Keith Miller.

        * dfg/DFGOperations.cpp:

2017-09-11  Mark Lam  <mark.lam@apple.com>

        Make jsc dump the command line if JSC_dumpOption environment variable is set with a non-zero value.
        https://bugs.webkit.org/show_bug.cgi?id=176722

        Reviewed by Saam Barati.

        For PLATFORM(COCOA), I also dumped the JSC_* environmental variables that are
        in effect when jsc is invoked.

        * jsc.cpp:
        (CommandLine::parseArguments):

2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r221854.

        The test added with this change fails on 32-bit JSC bots.

        Reverted changeset:

        "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
        https://bugs.webkit.org/show_bug.cgi?id=176010
        http://trac.webkit.org/changeset/221854

2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Optimize WeakMap::get by adding intrinsic and fixup
        https://bugs.webkit.org/show_bug.cgi?id=176010

        Reviewed by Filip Pizlo.

        It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
        It is used for meta property for objects (see peekMeta function in Ember.js).

        This patch optimizes WeakMap#get.

        1. We use inlineGet to inline the WeakMap#get operation in the native function.
        Since this native function itself is very small, we should inline HashMap#get
        entirely in this function.

        2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
        very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
        to drop unnecessary type checking. We add fixup rules for the WeakMapGet DFG node by using WeakMapObjectUse,
        ObjectUse, and Int32Use.

        3. We add an intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
        calculate the hash value for the key's Object and use this hash value to look up the value from
        JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
        It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
        But anyway, the current one already optimizes the performance, so we leave this for the subsequent
        patches.

        We currently do not implement any other intrinsics (like WeakMap#has, WeakSet) because they are
        not used in Ember.js right now.

        This patch optimizes WeakMap#get by 50%.

                                 baseline                  patched

        weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster

        * bytecode/DirectEvalCodeCache.h:
        (JSC::DirectEvalCodeCache::tryGet):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationFromClassInfo):
        (JSC::speculationFromJSType):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
        (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
        (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
        (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
        * jit/JITOperations.h:
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/JSType.h:
        * runtime/JSWeakMap.h:
        (JSC::isJSWeakMap):
        * runtime/JSWeakSet.h:
        (JSC::isJSWeakSet):
        * runtime/WeakMapBase.cpp:
        (JSC::WeakMapBase::get):
        * runtime/WeakMapBase.h:
        (JSC::WeakMapBase::HashTranslator::hash):
        (JSC::WeakMapBase::HashTranslator::equal):
        (JSC::WeakMapBase::inlineGet):
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        (JSC::getWeakMap):
        (JSC::protoFuncWeakMapGet):
        * runtime/WeakSetPrototype.cpp:
        (JSC::getWeakSet):

2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize Object.keys by using careful array allocation
        https://bugs.webkit.org/show_bug.cgi?id=176654

        Reviewed by Darin Adler.

        SixSpeed object-assign.es6 stresses Object.keys. Object.keys is one of the most frequently used
        functions in JS apps. Luckily Object.keys has several good features.

        1. Once PropertyNameArray is allocated, we know the length of the result array since
        we do not need to filter out keys listed in PropertyNameArray. The exception is ProxyObject,
        but it rarely appears. The ProxyObject case goes to the generic path.

        2. Object.keys does not need to access the object after listing PropertyNameArray. It means
        that we do not need to worry about enumeration attribute changes by touching the object.

        This patch adds a fast path for Object.keys's array allocation. We allocate the JSArray
        with the size and ArrayContiguous indexing shape.

        This further improves SixSpeed object-assign.es5 by 13%.

                                            baseline                  patched
        Microbenchmarks:
           object-keys-map-values       73.4324+-2.5397     ^     62.5933+-2.6677        ^ definitely 1.1732x faster
           object-keys                  40.8828+-1.5851     ^     29.2066+-1.8944        ^ definitely 1.3998x faster

                                            baseline                  patched
        SixSpeed:
           object-assign.es5           384.8719+-10.7204    ^    340.2734+-12.0947       ^ definitely 1.1311x faster

        BTW, a further optimization of Object.keys can be considered: introducing an own property keys
        cache which is similar to the current enumeration cache. But this patch is orthogonal to
        this optimization!

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorValues):
        (JSC::ownPropertyKeys):
        * runtime/ObjectConstructor.h:

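The two cases the entry above distinguishes, as an added JavaScript example (not WebKit code): for an ordinary object the own-key list produced first is final, while a Proxy's getOwnPropertyDescriptor trap runs user code after that list exists and can change which keys are enumerable, which is why the Proxy case has to take the generic path instead of a preallocated array. `enumerableOwnKeys`, `plainObjectCase` and `proxyCase` are hypothetical helpers written for this example, and the objects they build are constructed samples.

```javascript
"use strict";

// Reference algorithm for Object.keys (ES EnumerableOwnProperties with kind
// "key"), written out so the two cases below can be compared step by step.
// enumerableOwnKeys is a hypothetical helper for this example, not an engine API.
function enumerableOwnKeys(obj) {
  const keys = [];
  for (const key of Reflect.ownKeys(obj)) {
    if (typeof key !== "string") continue;   // Object.keys skips symbols
    const desc = Reflect.getOwnPropertyDescriptor(obj, key);
    if (desc !== undefined && desc.enumerable) keys.push(key);
  }
  return keys;
}

// Ordinary object (constructed sample): once the own-key list exists, the
// enumerability check reads plain property attributes and runs no user code,
// so the final length is known up front and the result array can be
// preallocated. This is the situation the fast path relies on.
function plainObjectCase() {
  const o = { a: 1, b: 2 };
  Object.defineProperty(o, "hidden", { value: 3, enumerable: false });
  return { keys: Object.keys(o), reference: enumerableOwnKeys(o) };
}

// Proxy (constructed sample): the ownKeys trap reports three names, but the
// per-key getOwnPropertyDescriptor trap is user code that runs *after* the key
// list was produced and here reports "b" as non-enumerable. A fast path that
// sized the result from the key list would be wrong, so this case must take
// the generic path.
function proxyCase() {
  const trapLog = [];
  const target = { a: 1, b: 2, c: 3 };
  const p = new Proxy(target, {
    ownKeys(t) {
      trapLog.push("ownKeys");
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      trapLog.push("gopd:" + String(key));
      const desc = Reflect.getOwnPropertyDescriptor(t, key);
      // Allowed by the proxy invariants because the target property is configurable.
      if (key === "b") desc.enumerable = false;
      return desc;
    },
  });
  const keys = Object.keys(p);
  const trapsDuringObjectKeys = trapLog.slice(); // snapshot before the reference run
  return { keys, reference: enumerableOwnKeys(p), trapsDuringObjectKeys };
}
```

The trap log from `proxyCase` shows the order the engine is forced into for a Proxy: one ownKeys call, then one descriptor trap per key, each of which may run arbitrary script.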
2017-09-10  Mark Lam  <mark.lam@apple.com>

        Fix all ExceptionScope verification failures in JavaScriptCore.
        https://bugs.webkit.org/show_bug.cgi?id=176662
        <rdar://problem/34352085>

        Reviewed by Filip Pizlo.

        1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope
           verification for release builds too (though this requires manually setting
           ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).

           This is useful because it allows us to run the tests more quickly to check
           if any regressions have occurred.  Debug builds run so much slower and are not
           good for a quick turnaround.  Debug builds are necessary though to get
           trace information without inlining by the C++ compiler.  This is necessary to
           diagnose where the missing exception check is.

        2. Repurposed the JSC_dumpSimulatedThrows=true option to capture and dump the last
           simulated throw when an exception scope verification fails.

           Previously, this option dumped the stack trace on all simulated throws.  That
           turned out to not be very useful, and slowed down the debugging process.
           Instead, the new implementation captures the stack trace and only dumps it
           if we have a verification failure.

        3. Fixed missing exception checks and book-keeping needed to allow the JSC tests
           to pass with JSC_validateExceptionChecks=true.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        (JSC::loadVarargs):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * jsc.cpp:
        (WTF::CustomGetter::customGetterAcessor):
        (GlobalObject::moduleLoaderImportModule):
        (GlobalObject::moduleLoaderResolve):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::setUpCall):
        * parser/Parser.h:
        (JSC::Parser::popScopeInternal):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::hostResolveImportedModule):
        (JSC::AbstractModuleRecord::resolveImport):
        (JSC::AbstractModuleRecord::resolveExportImpl):
        (JSC::getExportedNames):
        (JSC::AbstractModuleRecord::getModuleNamespace):
        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::unshift):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        (JSC::concatAppendOne):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        (JSC::arrayProtoPrivateFuncAppendMemcpy):
        * runtime/CatchScope.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::length const):
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/ExceptionFuzz.cpp:
        (JSC::doExceptionFuzzing):
        * runtime/ExceptionScope.h:
        (JSC::ExceptionScope::needExceptionCheck):
        (JSC::ExceptionScope::assertNoException):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::defineOwnProperty):
        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::rehash):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::formatToParts):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::put):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toIndex const):
        (JSC::JSValue::get const):
        (JSC::JSValue::getPropertySlot const):
        (JSC::JSValue::equalSlowCaseInline):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewFromIterator):
        (JSC::constructGenericTypedArrayViewWithArguments):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::put):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::decode):
        (JSC::globalFuncEval):
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):
        (JSC::globalFuncImportModule):
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::then):
        * runtime/JSInternalPromiseDeferred.cpp:
        (JSC::JSInternalPromiseDeferred::create):
        * runtime/JSJob.cpp:
        (JSC::JSJobMicrotask::run):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::getOwnPropertySlot):
        (JSC::JSModuleEnvironment::put):
        (JSC::JSModuleEnvironment::deleteProperty):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::provide):
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        (JSC::JSModuleLoader::requestImportModule):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::link):
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::toJSON):
        (JSC::JSONProtoFuncParse):
        * runtime/JSObject.cpp:
        (JSC::JSObject::calculatedClassName):
        (JSC::ordinarySetSlow):
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::ordinaryToPrimitive const):
        (JSC::JSObject::toPrimitive const):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::getPropertyNames):
        (JSC::JSObject::toNumber const):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::validateAndApplyPropertyDescriptor):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::JSObject::getGenericPropertyNames):
        * runtime/JSObject.h:
        (JSC::JSObject::get const):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getPropertySlot const):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::getNonIndexPropertySlot):
        (JSC::JSObject::putInlineForJSObject):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::create):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        (JSC::JSScope::resolve):
        (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
        (JSC::JSScope::abstractResolve):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        (JSC::LiteralParser<CharType>::parse):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToString):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        (JSC::objectConstructorAssign):
        (JSC::objectConstructorValues):
        (JSC::toPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        (JSC::defineProperties):
        (JSC::objectConstructorDefineProperties):
        (JSC::ownPropertyKeys):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncIsPrototypeOf):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncToLocaleString):
        (JSC::objectProtoFuncToString):
        * runtime/Options.h:
        * runtime/ParseInt.h:
        (JSC::toStringView):
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performPut):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectDefineProperty):
        * runtime/RegExpConstructor.cpp:
        (JSC::toFlags):
        (JSC::regExpCreate):
        (JSC::constructRegExp):
        * runtime/RegExpObject.cpp:
        (JSC::collectMatches):
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::execInline):
        (JSC::RegExpObject::matchInline):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTestFast):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncMatchFast):
        (JSC::regExpProtoFuncToString):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/ThrowScope.cpp:
        (JSC::ThrowScope::simulateThrow):
        * runtime/VM.cpp:
        (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
        * runtime/VM.h:
        * runtime/WeakMapPrototype.cpp:
        (JSC::protoFuncWeakMapSet):
        * runtime/WeakSetPrototype.cpp:
        (JSC::protoFuncWeakSetAdd):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::WebAssemblyModuleConstructor::createModule):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::reject):
        (JSC::webAssemblyCompileFunc):
        (JSC::resolve):
        (JSC::webAssemblyInstantiateFunc):

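A JavaScript model of the verification mechanism described in items 1 and 2 of the entry above, added here as an example (not JavaScriptCore code): `VerifierVM`, its `simulateThrow`, `checkException` and `verifyExceptionCheckNeedIsSatisfied` methods, and the two sample native functions are hypothetical stand-ins for the VM, ThrowScope and the exception-check macros. The model shows the book-keeping rule being verified (every operation that may throw must be checked before the next throw scope is entered) and why the captured trace is kept but only reported when verification fails.

```javascript
"use strict";

// Hypothetical model of the VM-side exception check book-keeping.
class VerifierVM {
  constructor() {
    this.needExceptionCheck = false;  // set by every operation that may throw
    this.lastSimulatedThrow = null;   // captured trace, reported only on failure
    this.failures = [];               // verification failures found so far
  }

  // Models ThrowScope::simulateThrow(): record that an exception could have been
  // thrown here, and capture (without printing) where that happened.
  simulateThrow(where) {
    this.lastSimulatedThrow = { where, trace: new Error(where).stack };
    this.needExceptionCheck = true;
  }

  // Models an explicit exception check such as RETURN_IF_EXCEPTION.
  checkException() {
    this.needExceptionCheck = false;
  }

  // Models VM::verifyExceptionCheckNeedIsSatisfied(), run when a new throw scope
  // is entered. If the previous throwing operation was never checked, record a
  // failure together with the trace captured at that operation.
  verifyExceptionCheckNeedIsSatisfied(enteringScope) {
    if (!this.needExceptionCheck) return true;
    this.failures.push({
      scope: enteringScope,
      unchecked: this.lastSimulatedThrow.where,
      trace: this.lastSimulatedThrow.trace,
    });
    this.needExceptionCheck = false; // report each missing check once
    return false;
  }
}

// Sample native function with the bug class the entry fixes: a conversion that
// may throw is followed by another throwing operation with no check in between.
function buggyNativeFunction(vm) {
  vm.verifyExceptionCheckNeedIsSatisfied("buggyNativeFunction");
  vm.simulateThrow("JSValue::toString");                    // may throw
  // missing check here
  vm.verifyExceptionCheckNeedIsSatisfied("JSObject::put");  // next throw scope
  vm.simulateThrow("JSObject::put");
  vm.checkException();
}

// The same function with the check the verification demands.
function fixedNativeFunction(vm) {
  vm.verifyExceptionCheckNeedIsSatisfied("fixedNativeFunction");
  vm.simulateThrow("JSValue::toString");
  vm.checkException();                                      // RETURN_IF_EXCEPTION
  vm.verifyExceptionCheckNeedIsSatisfied("JSObject::put");
  vm.simulateThrow("JSObject::put");
  vm.checkException();
}

// Runs one sample function under a fresh VM and returns the recorded failures.
function runVerification(fn) {
  const vm = new VerifierVM();
  fn(vm);
  return vm.failures;
}
```

Running `runVerification(buggyNativeFunction)` yields one failure naming the unchecked `JSValue::toString` and the scope (`JSObject::put`) at which it was detected, while the fixed variant yields none.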
2017-09-08  Filip Pizlo  <fpizlo@apple.com>

        Error should compute .stack and friends lazily
        https://bugs.webkit.org/show_bug.cgi?id=176645

        Reviewed by Saam Barati.

        Building the string portion of the stack trace after we walk the stack accounts for most of
        the cost of computing the .stack property. So, this patch makes ErrorInstance hold onto the
        Vector<StackFrame> so that it can build the string only once it's really needed.

        This is an enormous speed-up for programs that allocate and throw exceptions.

        It's a 5.6x speed-up for "new Error()" with a stack that is 4 functions deep.

        It's a 2.2x speed-up for throwing and catching an Error.

        It's a 1.17x speed-up for the WSL test suite (which throws a lot).

        It's a significant speed-up on many of our existing try-catch microbenchmarks. For example,
        delta-blue-try-catch is 1.16x faster.

        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
        (JSC::GetStackTraceFunctor::operator() const):
        (JSC::Interpreter::getStackTrace):
        * interpreter/Interpreter.h:
        * runtime/Error.cpp:
        (JSC::getStackTrace):
        (JSC::getBytecodeOffset):
        (JSC::addErrorInfo):
        (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
        * runtime/Error.h:
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        (JSC::ErrorInstance::finishCreation):
        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
        (JSC::ErrorInstance::visitChildren):
        (JSC::ErrorInstance::getOwnPropertySlot):
        (JSC::ErrorInstance::getOwnNonIndexPropertyNames):
        (JSC::ErrorInstance::defineOwnProperty):
        (JSC::ErrorInstance::put):
        (JSC::ErrorInstance::deleteProperty):
        * runtime/ErrorInstance.h:
        * runtime/Exception.cpp:
        (JSC::Exception::visitChildren):
        (JSC::Exception::finishCreation):
        * runtime/Exception.h:
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::visitChildren):
        * runtime/StackFrame.h:
        (JSC::StackFrame::StackFrame):

2017-09-09  Mark Lam  <mark.lam@apple.com>

        [Re-landing] Use JIT probes for DFG OSR exit.
        https://bugs.webkit.org/show_bug.cgi?id=175144
        <rdar://problem/33437050>

        Not reviewed.  Original patch reviewed by Saam Barati.

        Relanding r221774.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::gpr const):
        (JSC::Probe::CPUState::spr const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::arg):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::gpr const):
        (JSC::Probe::Context::spr const):
        (JSC::Probe::Context::fpr const):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe:: const): Deleted.
        * assembler/ProbeFrame.h: Copied from Source/JavaScriptCore/assembler/ProbeFrame.h.
        * assembler/ProbeStack.cpp:
        (JSC::Probe::Page::Page):
        * assembler/ProbeStack.h:
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        * bytecode/ArithProfile.cpp:
        * bytecode/ArithProfile.h:
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::observeArrayMode):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
        * bytecode/ExecutionCounter.h:
        (JSC::ExecutionCounter::hasCrossedThreshold const):
        (JSC::ExecutionCounter::setNewThresholdForOSRExit):
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::reportValue):
        * bytecode/MethodOfGettingAValueProfile.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC): Deleted.
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::jsValueFor):
        (JSC::DFG::restoreCalleeSavesFor):
        (JSC::DFG::saveCalleeSavesFor):
        (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
        (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        (JSC::DFG::saveOrCopyCalleeSavesFor):
        (JSC::DFG::createDirectArgumentsDuringExit):
        (JSC::DFG::createClonedArgumentsDuringExit):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::emitRestoreArguments):
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::printOSRExit):
        (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
        (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
        (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
        (JSC::DFG::OSRExit::correctJump): Deleted.
        (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
        (JSC::DFG::OSRExit::compileOSRExit): Deleted.
        (JSC::DFG::OSRExit::compileExit): Deleted.
        (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExitState::OSRExitState):
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitThunkGenerator):
        (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
        * dfg/DFGThunks.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::debugCall): Deleted.
        * jit/AssemblyHelpers.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * profiler/ProfilerOSRExit.h:
        (JSC::Profiler::OSRExit::incCount):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/VM.h:

2017-09-09  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r221774.

        This change introduced three debug JSC test timeouts.

        Reverted changeset:

        "Use JIT probes for DFG OSR exit."
        https://bugs.webkit.org/show_bug.cgi?id=175144
        http://trac.webkit.org/changeset/221774

2017-09-09  Mark Lam  <mark.lam@apple.com>

        Avoid duplicate computations of ExecState::vm().
        https://bugs.webkit.org/show_bug.cgi?id=176647

        Reviewed by Saam Barati.

        Because while computing ExecState::vm() is cheap, it is not free.

        This patch also:
        1. gets rid of some convenience methods in CallFrame that implicitly do an
           ExecState::vm() computation.  This minimizes the chance of us accidentally
           computing ExecState::vm() more than necessary.
        2. passes vm (when available) to methodTable().
        3. passes vm (when available) to JSLockHolder.

        * API/JSBase.cpp:
        (JSCheckScriptSyntax):
        (JSGarbageCollect):
        (JSReportExtraMemoryCost):
        (JSSynchronousGarbageCollectForDebugging):
        (JSSynchronousEdenCollectForDebugging):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create):
        * API/JSContext.mm:
        (-[JSContext setException:]):
        * API/JSContextRef.cpp:
        (JSContextGetGlobalObject):
        (JSContextCreateBacktrace):
        * API/JSManagedValue.mm:
        (-[JSManagedValue value]):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectMakeFunctionWithCallback):
        (JSObjectMakeConstructor):
        (JSObjectMakeFunction):
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        (JSObjectCopyPropertyNames):
        (JSPropertyNameAccumulatorAddName):
        * API/JSScriptRef.cpp:
        * API/JSTypedArray.cpp:
        (JSValueGetTypedArrayType):
        (JSObjectMakeTypedArrayWithArrayBuffer):
        (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
        (JSObjectGetTypedArrayBytesPtr):
        (JSObjectGetTypedArrayBuffer):
        (JSObjectMakeArrayBufferWithBytesNoCopy):
        (JSObjectGetArrayBufferBytesPtr):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/JSWrapperMap.mm:
        (constructorHasInstance):
        (makeWrapper):
        * API/ObjCCallbackFunction.mm:
        (objCCallbackFunctionForInvocation):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstant):
        (JSC::CodeBlock::replaceConstant):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::globalThisObjectFor):
        * dfg/DFGOperations.cpp:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationPopulateObjectInOSR):
        (JSC::FTL::operationMaterializeObjectInOSR):
        * heap/GCAssertions.h:
        * inspector/InjectedScriptHost.cpp:
        (Inspector::InjectedScriptHost::wrapper):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::constructInternalProperty):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::weakSetEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::valueForScopeLocation):
        (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
        (Inspector::toJS):
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptArguments):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * interpreter/CallFrame.h:
        (JSC::ExecState::atomicStringTable const): Deleted.
        (JSC::ExecState::propertyNames const): Deleted.
        (JSC::ExecState::emptyList const): Deleted.
        (JSC::ExecState::interpreter): Deleted.
        (JSC::ExecState::heap): Deleted.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JITOperations.cpp:
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::compileNow):
        * jsc.cpp:
        (WTF::RuntimeArray::create):
        (WTF::RuntimeArray::getOwnPropertySlot):
        (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
        (WTF::DOMJITFunctionObject::unsafeFunction):
        (WTF::DOMJITCheckSubClassObject::unsafeFunction):
        (GlobalObject::moduleLoaderFetch):
        (functionDumpCallFrame):
        (functionCreateRoot):
        (functionGetElement):
        (functionSetElementRoot):
        (functionCreateSimpleObject):
        (functionSetHiddenValue):
        (functionCreateProxy):
        (functionCreateImpureGetter):
753         (functionCreateCustomGetterObject):
754         (functionCreateDOMJITNodeObject):
755         (functionCreateDOMJITGetterObject):
756         (functionCreateDOMJITGetterComplexObject):
757         (functionCreateDOMJITFunctionObject):
758         (functionCreateDOMJITCheckSubClassObject):
759         (functionGCAndSweep):
760         (functionFullGC):
761         (functionEdenGC):
762         (functionHeapSize):
763         (functionShadowChickenFunctionsOnStack):
764         (functionSetGlobalConstRedeclarationShouldNotThrow):
765         (functionJSCOptions):
766         (functionFailNextNewCodeBlock):
767         (functionMakeMasquerader):
768         (functionDumpTypesForAllVariables):
769         (functionFindTypeForExpression):
770         (functionReturnTypeFor):
771         (functionDumpBasicBlockExecutionRanges):
772         (functionBasicBlockExecutionCount):
773         (functionDrainMicrotasks):
774         (functionGenerateHeapSnapshot):
775         (functionEnsureArrayStorage):
776         (functionStartSamplingProfiler):
777         (runInteractive):
778         * llint/LLIntSlowPaths.cpp:
779         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
780         * parser/ModuleAnalyzer.cpp:
781         (JSC::ModuleAnalyzer::ModuleAnalyzer):
782         * profiler/ProfilerBytecode.cpp:
783         (JSC::Profiler::Bytecode::toJS const):
784         * profiler/ProfilerBytecodeSequence.cpp:
785         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
786         * profiler/ProfilerBytecodes.cpp:
787         (JSC::Profiler::Bytecodes::toJS const):
788         * profiler/ProfilerCompilation.cpp:
789         (JSC::Profiler::Compilation::toJS const):
790         * profiler/ProfilerCompiledBytecode.cpp:
791         (JSC::Profiler::CompiledBytecode::toJS const):
792         * profiler/ProfilerDatabase.cpp:
793         (JSC::Profiler::Database::toJS const):
794         * profiler/ProfilerEvent.cpp:
795         (JSC::Profiler::Event::toJS const):
796         * profiler/ProfilerOSRExit.cpp:
797         (JSC::Profiler::OSRExit::toJS const):
798         * profiler/ProfilerOrigin.cpp:
799         (JSC::Profiler::Origin::toJS const):
800         * profiler/ProfilerProfiledBytecodes.cpp:
801         (JSC::Profiler::ProfiledBytecodes::toJS const):
802         * runtime/AbstractModuleRecord.cpp:
803         (JSC::identifierToJSValue):
804         (JSC::AbstractModuleRecord::resolveExportImpl):
805         (JSC::getExportedNames):
806         * runtime/ArrayPrototype.cpp:
807         (JSC::arrayProtoFuncToString):
808         (JSC::arrayProtoFuncToLocaleString):
809         * runtime/BooleanConstructor.cpp:
810         (JSC::constructBooleanFromImmediateBoolean):
811         * runtime/CallData.cpp:
812         (JSC::call):
813         * runtime/CommonSlowPaths.cpp:
814         (JSC::SLOW_PATH_DECL):
815         * runtime/CommonSlowPaths.h:
816         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
817         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
818         * runtime/Completion.cpp:
819         (JSC::checkSyntax):
820         (JSC::evaluate):
821         (JSC::loadAndEvaluateModule):
822         (JSC::loadModule):
823         (JSC::linkAndEvaluateModule):
824         (JSC::importModule):
825         * runtime/ConstructData.cpp:
826         (JSC::construct):
827         * runtime/DatePrototype.cpp:
828         (JSC::dateProtoFuncToJSON):
829         * runtime/DirectArguments.h:
830         (JSC::DirectArguments::length const):
831         * runtime/DirectEvalExecutable.cpp:
832         (JSC::DirectEvalExecutable::create):
833         * runtime/ErrorPrototype.cpp:
834         (JSC::errorProtoFuncToString):
835         * runtime/ExceptionHelpers.cpp:
836         (JSC::createUndefinedVariableError):
837         (JSC::errorDescriptionForValue):
838         * runtime/FunctionConstructor.cpp:
839         (JSC::constructFunction):
840         * runtime/GenericArgumentsInlines.h:
841         (JSC::GenericArguments<Type>::getOwnPropertyNames):
842         * runtime/IdentifierInlines.h:
843         (JSC::Identifier::add):
844         * runtime/IndirectEvalExecutable.cpp:
845         (JSC::IndirectEvalExecutable::create):
846         * runtime/InternalFunction.cpp:
847         (JSC::InternalFunction::finishCreation):
848         (JSC::InternalFunction::createSubclassStructureSlow):
849         * runtime/JSArray.cpp:
850         (JSC::JSArray::getOwnPropertySlot):
851         (JSC::JSArray::put):
852         (JSC::JSArray::deleteProperty):
853         (JSC::JSArray::getOwnNonIndexPropertyNames):
854         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
855         * runtime/JSArray.h:
856         (JSC::JSArray::shiftCountForShift):
857         * runtime/JSCJSValue.cpp:
858         (JSC::JSValue::dumpForBacktrace const):
859         * runtime/JSDataView.cpp:
860         (JSC::JSDataView::getOwnPropertySlot):
861         (JSC::JSDataView::deleteProperty):
862         (JSC::JSDataView::getOwnNonIndexPropertyNames):
863         * runtime/JSFunction.cpp:
864         (JSC::JSFunction::getOwnPropertySlot):
865         (JSC::JSFunction::deleteProperty):
866         (JSC::JSFunction::reifyName):
867         * runtime/JSGlobalObjectFunctions.cpp:
868         (JSC::globalFuncEval):
869         * runtime/JSInternalPromise.cpp:
870         (JSC::JSInternalPromise::then):
871         * runtime/JSLexicalEnvironment.cpp:
872         (JSC::JSLexicalEnvironment::deleteProperty):
873         * runtime/JSMap.cpp:
874         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
875         * runtime/JSMapIterator.h:
876         (JSC::JSMapIterator::advanceIter):
877         * runtime/JSModuleEnvironment.cpp:
878         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
879         * runtime/JSModuleLoader.cpp:
880         (JSC::printableModuleKey):
881         (JSC::JSModuleLoader::provide):
882         (JSC::JSModuleLoader::loadAndEvaluateModule):
883         (JSC::JSModuleLoader::loadModule):
884         (JSC::JSModuleLoader::linkAndEvaluateModule):
885         (JSC::JSModuleLoader::requestImportModule):
886         * runtime/JSModuleNamespaceObject.h:
887         * runtime/JSModuleRecord.cpp:
888         (JSC::JSModuleRecord::evaluate):
889         * runtime/JSONObject.cpp:
890         (JSC::Stringifier::Stringifier):
891         (JSC::Stringifier::appendStringifiedValue):
892         (JSC::Stringifier::Holder::appendNextProperty):
893         * runtime/JSObject.cpp:
894         (JSC::JSObject::calculatedClassName):
895         (JSC::JSObject::putByIndex):
896         (JSC::JSObject::ordinaryToPrimitive const):
897         (JSC::JSObject::toPrimitive const):
898         (JSC::JSObject::hasInstance):
899         (JSC::JSObject::getOwnPropertyNames):
900         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
901         (JSC::getCustomGetterSetterFunctionForGetterSetter):
902         (JSC::JSObject::getOwnPropertyDescriptor):
903         (JSC::JSObject::getMethod):
904         * runtime/JSObject.h:
905         (JSC::JSObject::createRawObject):
906         (JSC::JSFinalObject::create):
907         * runtime/JSObjectInlines.h:
908         (JSC::JSObject::canPerformFastPutInline):
909         (JSC::JSObject::putInlineForJSObject):
910         (JSC::JSObject::hasOwnProperty const):
911         * runtime/JSScope.cpp:
912         (JSC::isUnscopable):
913         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
914         * runtime/JSSet.cpp:
915         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
916         * runtime/JSSetIterator.h:
917         (JSC::JSSetIterator::advanceIter):
918         * runtime/JSString.cpp:
919         (JSC::JSString::getStringPropertyDescriptor):
920         * runtime/JSString.h:
921         (JSC::JSString::getStringPropertySlot):
922         * runtime/MapConstructor.cpp:
923         (JSC::constructMap):
924         * runtime/ModuleProgramExecutable.cpp:
925         (JSC::ModuleProgramExecutable::create):
926         * runtime/ObjectPrototype.cpp:
927         (JSC::objectProtoFuncToLocaleString):
928         * runtime/ProgramExecutable.h:
929         * runtime/RegExpObject.cpp:
930         (JSC::RegExpObject::getOwnPropertySlot):
931         (JSC::RegExpObject::deleteProperty):
932         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
933         (JSC::RegExpObject::getPropertyNames):
934         (JSC::RegExpObject::getGenericPropertyNames):
935         (JSC::RegExpObject::put):
936         * runtime/ScopedArguments.h:
937         (JSC::ScopedArguments::length const):
938         * runtime/StrictEvalActivation.h:
939         (JSC::StrictEvalActivation::create):
940         * runtime/StringObject.cpp:
941         (JSC::isStringOwnProperty):
942         (JSC::StringObject::deleteProperty):
943         (JSC::StringObject::getOwnNonIndexPropertyNames):
944         * tools/JSDollarVMPrototype.cpp:
945         (JSC::JSDollarVMPrototype::gc):
946         (JSC::JSDollarVMPrototype::edenGC):
947         * wasm/js/WebAssemblyModuleRecord.cpp:
948         (JSC::WebAssemblyModuleRecord::evaluate):
949
950 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
951
952         [DFG] NewArrayWithSize(size)'s size does not care negative zero
953         https://bugs.webkit.org/show_bug.cgi?id=176300
954
955         Reviewed by Saam Barati.
956
957         NewArrayWithSize(size)'s size does not care about negative zero,
958         the same as NewTypedArray. We propagate this information
959         in DFGBackwardsPropagationPhase. This removes the negative zero
960         check in kraken fft's deinterleave function.
961
962         * dfg/DFGBackwardsPropagationPhase.cpp:
963         (JSC::DFG::BackwardsPropagationPhase::propagate):
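
        The language-level behaviour the entry above relies on, as an added example (not
        JavaScriptCore code): a size of -0 is accepted by both the Array and the typed-array
        constructors and yields length 0, exactly as +0 does, so a NewArrayWithSize node need
        not preserve the sign of zero on its size operand. The deinterleave function below is
        a constructed stand-in for the kraken fft step, not the benchmark's code.

```javascript
// Reports whether `new Array(size)` accepts `size` and what length results.
function arrayAllocation(size) {
  try {
    return { ok: true, length: new Array(size).length, negativeZero: Object.is(size, -0) };
  } catch (e) {
    // A genuinely negative or non-integer size is a RangeError; -0 is not negative here.
    return { ok: false, error: e.name };
  }
}

// Same check for a typed array, which the entry says already had this treatment.
function typedArrayAllocation(size) {
  try {
    return { ok: true, length: new Float64Array(size).length };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed stand-in for an FFT deinterleave step: splits [re0, im0, re1, im1, ...]
// into separate arrays. The size is computed arithmetically (here deliberately so that
// an empty input produces -0), and the allocations do not care which zero they get.
function deinterleave(samples) {
  const n = Math.round(samples.length / 2 - 0.3); // constructed: -0 for an empty input
  const real = new Array(n);
  const imag = new Float64Array(n);
  for (let i = 0; i < n; i++) {
    real[i] = samples[2 * i];
    imag[i] = samples[2 * i + 1];
  }
  return { real, imag, sizeWasNegativeZero: Object.is(n, -0) };
}
```

        The check that matters is that -0 never reaches the RangeError branch: the only
        sizes rejected are those that are negative or non-integral after ToNumber.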
964
965 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
966
967         [DFG] PutByVal with Array::Generic is too generic
968         https://bugs.webkit.org/show_bug.cgi?id=176345
969
970         Reviewed by Filip Pizlo.
971
972         Our DFG/FTL PutByVal with Array::Generic is too generic an implementation.
973         We could have a case like
974
975             dst[key] = src[key];
976
977         with string or symbol keys. But they are handled in the slow path.
978         This patch adds PutByVal(CellUse, StringUse/SymbolUse, UntypedUse). They go
979         to an optimized path that does not have generic checks like (isInt32() / isDouble() etc.).
980
981         This improves SixSpeed object-assign.es5 by 9.1%.
982
983         object-assign.es5             424.3159+-11.0471    ^    388.8771+-10.9239       ^ definitely 1.0911x faster
984
985         * dfg/DFGFixupPhase.cpp:
986         (JSC::DFG::FixupPhase::fixupNode):
987         * dfg/DFGOperations.cpp:
988         (JSC::DFG::putByVal):
989         (JSC::DFG::putByValInternal):
990         (JSC::DFG::putByValCellInternal):
991         (JSC::DFG::putByValCellStringInternal):
992         (JSC::DFG::operationPutByValInternal): Deleted.
993         * dfg/DFGOperations.h:
994         * dfg/DFGSpeculativeJIT.cpp:
995         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString):
996         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol):
997         * dfg/DFGSpeculativeJIT.h:
998         (JSC::DFG::SpeculativeJIT::callOperation):
999         * dfg/DFGSpeculativeJIT32_64.cpp:
1000         (JSC::DFG::SpeculativeJIT::compile):
1001         * dfg/DFGSpeculativeJIT64.cpp:
1002         (JSC::DFG::SpeculativeJIT::compile):
1003         * ftl/FTLLowerDFGToB3.cpp:
1004         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1005         * jit/JITOperations.h:
1006
1007 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1008
1009         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
1010         https://bugs.webkit.org/show_bug.cgi?id=176590
1011
1012         Reviewed by Saam Barati.
1013
1014         We add fixup edges for GetByVal(Array::Generic) to call a faster operation instead of the generic operationGetByVal.
1015
1016                                          baseline                  patched
1017
1018         object-iterate                5.8531+-0.3029            5.7903+-0.2795          might be 1.0108x faster
1019         object-iterate-symbols        7.4099+-0.3993     ^      5.8254+-0.2276        ^ definitely 1.2720x faster
1020
1021         * dfg/DFGFixupPhase.cpp:
1022         (JSC::DFG::FixupPhase::fixupNode):
1023         * dfg/DFGOperations.cpp:
1024         (JSC::DFG::getByValObject):
1025         * dfg/DFGOperations.h:
1026         * dfg/DFGSpeculativeJIT.cpp:
1027         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
1028         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
1029         * dfg/DFGSpeculativeJIT.h:
1030         * dfg/DFGSpeculativeJIT32_64.cpp:
1031         (JSC::DFG::SpeculativeJIT::compile):
1032         * dfg/DFGSpeculativeJIT64.cpp:
1033         (JSC::DFG::SpeculativeJIT::compile):
1034         * ftl/FTLLowerDFGToB3.cpp:
1035         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
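
        Both the PutByVal entry and the GetByVal entry above concern by-val access where the
        key is a string or a symbol rather than an array index. The added example below (not
        JavaScriptCore code) shows the three key kinds such an access has to distinguish, and
        the `dst[key] = src[key]` copy loop that exercises the string and symbol paths. The
        classification follows the spec's definition of an array index; the helper names are
        this example's own.

```javascript
const MAX_ARRAY_INDEX = 2 ** 32 - 2; // largest canonical array index per the spec

// Classifies a property key: "symbol", "index" (canonical numeric string in range),
// or "string" (everything else, including "01", "-0", "1e3" and "4294967295").
function classifyKey(key) {
  if (typeof key === "symbol") return "symbol";
  const s = String(key);
  const n = Number(s);
  if (Number.isInteger(n) && n >= 0 && n <= MAX_ARRAY_INDEX && String(n) === s) return "index";
  return "string";
}

// Copies every own enumerable property, symbols included, with dst[key] = src[key],
// the shape of access the entries above optimise (Object.assign does the same work).
function assignOwn(dst, src) {
  for (const key of Reflect.ownKeys(src)) {
    const desc = Object.getOwnPropertyDescriptor(src, key);
    if (desc && desc.enumerable) dst[key] = src[key];
  }
  return dst;
}

// Tallies which key kinds a copy of `obj` would touch, so a reader can see how many
// accesses take the string/symbol path versus the indexed path for a given object.
function keyKindCounts(obj) {
  const counts = { index: 0, string: 0, symbol: 0 };
  for (const key of Reflect.ownKeys(obj)) counts[classifyKey(key)]++;
  return counts;
}
```

        Reflect.ownKeys already returns integer-like keys as strings, which is why the
        classifier works on String(key): the engine sees "0" and "01" as different kinds of
        key even though Number() maps both to 0.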
1036
1037 2017-09-07  Mark Lam  <mark.lam@apple.com>
1038
1039         Use JIT probes for DFG OSR exit.
1040         https://bugs.webkit.org/show_bug.cgi?id=175144
1041         <rdar://problem/33437050>
1042
1043         Reviewed by Saam Barati.
1044
1045         This patch does the following:
1046         1. Replaces osrExitGenerationThunkGenerator() with osrExitThunkGenerator().
1047            While osrExitGenerationThunkGenerator() generates a thunk that compiles a
1048            unique OSR offramp for each DFG OSR exit site, osrExitThunkGenerator()
1049            generates a thunk that just executes the OSR exit.
1050
1051            The osrExitThunkGenerator() generated thunk works by using a single JIT probe
1052            to call OSRExit::executeOSRExit().  The JIT probe takes care of preserving
1053            CPU registers, and providing the Probe::Stack mechanism for modifying the
1054            stack frame.
1055
1056            OSRExit::executeOSRExit() replaces OSRExit::compileOSRExit() and
1057            OSRExit::compileExit().  It is basically a re-write of those functions to
1058            execute the OSR exit work instead of compiling code to execute the work.
1059
1060            As a result, we get the following savings:
1061            a. no more OSR exit ramp compilation time.
1062            b. no use of JIT executable memory for storing each unique OSR exit ramp.
1063
1064            On the negative side, we incur these costs:
1065
1066            c. the OSRExit::executeOSRExit() ramp may be a little slower than the compiled
1067               version of the ramp.  However, OSR exits are rare.  Hence, this small
1068               difference should not matter much.  It is also offset by the savings from
1069               (a).
1070
1071            d. the Probe::Stack allocates 1K pages for memory for buffering stack
1072               modifications.  The number of these pages depends on the span of stack memory
1073               that the OSR exit ramp reads from and writes to.  Since the OSR exit ramp
1074               tends to only modify values in the current DFG frame and the current
1075               VMEntryRecord, the number of pages tends to only be 1 or 2.
1076
1077               Using the jsc tests as a workload, the vast majority of tests that do OSR
1078               exit use 3 or fewer 1K pages (with the overwhelming number using just 1 page).
1079               A few pathological tests use up to 14 pages, and one particularly
1080               bad test (function-apply-many-args.js) uses 513 pages.
1081
1082            Similar to the old code, the OSR exit ramp still has 2 parts: 1 part that is
1083            only executed once to compute some values for the exit site that are used by
1084            all exit operations from that site, and a 2nd part to execute the exit.  The
1085            1st part is protected by checking whether exit.exitState has already been
1086            initialized.  The computed values are cached in exit.exitState.
1087
1088            Because the OSR exit thunk no longer compiles an OSR exit off-ramp, we no
1089            longer need the facility to patch the site that jumps to the OSR exit ramp.
1090            The DFG::JITCompiler has been modified to remove this patching code.
1091
1092         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
1093            std::memcpy to avoid strict aliasing issues.
1094
1095            Also optimized the implementation of Probe::Stack::physicalAddressFor().
1096
1097         3. Miscellaneous convenience methods added to make the Probe::Context easier to
1098            use.
1099
1100         4. Added a Probe::Frame class that makes it easier to get/set operands and
1101            arguments in a given frame using the deferred write properties of the
1102            Probe::Stack.  Probe::Frame makes it easier to do some of the recovery work in
1103            the OSR exit ramp.
1104
1105         5. Cloned or converted some functions needed by the OSR exit ramp.  The original
1106            JIT versions of these functions are still left in place because they are still
1107            needed for FTL OSR exit.  A FIXME comment has been added to remove them later.
1108            These functions include:
1109
1110            DFGOSRExitCompilerCommon.cpp's handleExitCounts() ==>
1111                CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize()
1112            DFGOSRExitCompilerCommon.cpp's reifyInlinedCallFrames() ==>
1113                DFGOSRExit.cpp's reifyInlinedCallFrames()
1114            DFGOSRExitCompilerCommon.cpp's adjustAndJumpToTarget() ==>
1115                DFGOSRExit.cpp's adjustAndJumpToTarget()
1116
1117            MethodOfGettingAValueProfile::emitReportValue() ==>
1118                MethodOfGettingAValueProfile::reportValue()
1119
1120            DFGOperations.cpp's operationCreateDirectArgumentsDuringExit() ==>
1121                DFGOSRExit.cpp's createDirectArgumentsDuringExit()
1122            DFGOperations.cpp's operationCreateClonedArgumentsDuringExit() ==>
1123                DFGOSRExit.cpp's createClonedArgumentsDuringExit()
1124
1125         * JavaScriptCore.xcodeproj/project.pbxproj:
1126         * assembler/MacroAssembler.cpp:
1127         (JSC::stdFunctionCallback):
1128         * assembler/MacroAssemblerPrinter.cpp:
1129         (JSC::Printer::printCallback):
1130         * assembler/ProbeContext.h:
1131         (JSC::Probe::CPUState::gpr const):
1132         (JSC::Probe::CPUState::spr const):
1133         (JSC::Probe::Context::Context):
1134         (JSC::Probe::Context::arg):
1135         (JSC::Probe::Context::gpr):
1136         (JSC::Probe::Context::spr):
1137         (JSC::Probe::Context::fpr):
1138         (JSC::Probe::Context::gprName):
1139         (JSC::Probe::Context::sprName):
1140         (JSC::Probe::Context::fprName):
1141         (JSC::Probe::Context::gpr const):
1142         (JSC::Probe::Context::spr const):
1143         (JSC::Probe::Context::fpr const):
1144         (JSC::Probe::Context::pc):
1145         (JSC::Probe::Context::fp):
1146         (JSC::Probe::Context::sp):
1147         (JSC::Probe:: const): Deleted.
1148         * assembler/ProbeFrame.h: Added.
1149         (JSC::Probe::Frame::Frame):
1150         (JSC::Probe::Frame::getArgument):
1151         (JSC::Probe::Frame::getOperand):
1152         (JSC::Probe::Frame::get):
1153         (JSC::Probe::Frame::setArgument):
1154         (JSC::Probe::Frame::setOperand):
1155         (JSC::Probe::Frame::set):
1156         * assembler/ProbeStack.cpp:
1157         (JSC::Probe::Page::Page):
1158         * assembler/ProbeStack.h:
1159         (JSC::Probe::Page::get):
1160         (JSC::Probe::Page::set):
1161         (JSC::Probe::Page::physicalAddressFor):
1162         (JSC::Probe::Stack::lowWatermark):
1163         (JSC::Probe::Stack::get):
1164         (JSC::Probe::Stack::set):
1165         * bytecode/ArithProfile.cpp:
1166         * bytecode/ArithProfile.h:
1167         * bytecode/ArrayProfile.h:
1168         (JSC::ArrayProfile::observeArrayMode):
1169         * bytecode/CodeBlock.cpp:
1170         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1171         * bytecode/CodeBlock.h:
1172         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
1173         * bytecode/ExecutionCounter.h:
1174         (JSC::ExecutionCounter::hasCrossedThreshold const):
1175         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
1176         * bytecode/MethodOfGettingAValueProfile.cpp:
1177         (JSC::MethodOfGettingAValueProfile::reportValue):
1178         * bytecode/MethodOfGettingAValueProfile.h:
1179         * dfg/DFGDriver.cpp:
1180         (JSC::DFG::compileImpl):
1181         * dfg/DFGJITCode.cpp:
1182         (JSC::DFG::JITCode::findPC): Deleted.
1183         * dfg/DFGJITCode.h:
1184         * dfg/DFGJITCompiler.cpp:
1185         (JSC::DFG::JITCompiler::linkOSRExits):
1186         (JSC::DFG::JITCompiler::link):
1187         * dfg/DFGOSRExit.cpp:
1188         (JSC::DFG::jsValueFor):
1189         (JSC::DFG::restoreCalleeSavesFor):
1190         (JSC::DFG::saveCalleeSavesFor):
1191         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
1192         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1193         (JSC::DFG::saveOrCopyCalleeSavesFor):
1194         (JSC::DFG::createDirectArgumentsDuringExit):
1195         (JSC::DFG::createClonedArgumentsDuringExit):
1196         (JSC::DFG::OSRExit::OSRExit):
1197         (JSC::DFG::emitRestoreArguments):
1198         (JSC::DFG::OSRExit::executeOSRExit):
1199         (JSC::DFG::reifyInlinedCallFrames):
1200         (JSC::DFG::adjustAndJumpToTarget):
1201         (JSC::DFG::printOSRExit):
1202         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
1203         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
1204         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
1205         (JSC::DFG::OSRExit::correctJump): Deleted.
1206         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
1207         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
1208         (JSC::DFG::OSRExit::compileExit): Deleted.
1209         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
1210         * dfg/DFGOSRExit.h:
1211         (JSC::DFG::OSRExitState::OSRExitState):
1212         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
1213         * dfg/DFGOSRExitCompilerCommon.cpp:
1214         * dfg/DFGOSRExitCompilerCommon.h:
1215         * dfg/DFGOperations.cpp:
1216         * dfg/DFGOperations.h:
1217         * dfg/DFGThunks.cpp:
1218         (JSC::DFG::osrExitThunkGenerator):
1219         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
1220         * dfg/DFGThunks.h:
1221         * jit/AssemblyHelpers.cpp:
1222         (JSC::AssemblyHelpers::debugCall): Deleted.
1223         * jit/AssemblyHelpers.h:
1224         * jit/JITOperations.cpp:
1225         * jit/JITOperations.h:
1226         * profiler/ProfilerOSRExit.h:
1227         (JSC::Profiler::OSRExit::incCount):
1228         * runtime/JSCJSValue.h:
1229         * runtime/JSCJSValueInlines.h:
1230         * runtime/VM.h:
1231
1232 2017-09-07  Michael Saboff  <msaboff@apple.com>
1233
1234         Add support for RegExp named capture groups
1235         https://bugs.webkit.org/show_bug.cgi?id=176435
1236
1237         Reviewed by Filip Pizlo.
1238
1239         Added parsing for both naming a captured parenthesis as well as using a named group in
1240         a back reference.  Also added support for using named groups with String.prototype.replace().
1241
1242         This patch does not throw Syntax Errors as described in the current spec text for the two
1243         cases of malformed back references in String.prototype.replace() as I believe that it
1244         is inconsistent with the current semantics for handling of other malformed replacement
1245         tokens.  I filed an issue for the requested change to the proposed spec and also filed
1246         a FIXME bug https://bugs.webkit.org/show_bug.cgi?id=176434.
1247
1248         This patch does not implement strength reduction in the optimizing JITs for named capture
1249         groups.  Filed https://bugs.webkit.org/show_bug.cgi?id=176464.
1250
1251         * dfg/DFGAbstractInterpreterInlines.h:
1252         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1253         * dfg/DFGStrengthReductionPhase.cpp:
1254         (JSC::DFG::StrengthReductionPhase::handleNode):
1255         * runtime/CommonIdentifiers.h:
1256         * runtime/JSGlobalObject.cpp:
1257         (JSC::JSGlobalObject::init):
1258         (JSC::JSGlobalObject::haveABadTime):
1259         * runtime/JSGlobalObject.h:
1260         (JSC::JSGlobalObject::regExpMatchesArrayWithGroupsStructure const):
1261         * runtime/RegExp.cpp:
1262         (JSC::RegExp::finishCreation):
1263         * runtime/RegExp.h:
1264         * runtime/RegExpMatchesArray.cpp:
1265         (JSC::createStructureImpl):
1266         (JSC::createRegExpMatchesArrayWithGroupsStructure):
1267         (JSC::createRegExpMatchesArrayWithGroupsSlowPutStructure):
1268         * runtime/RegExpMatchesArray.h:
1269         (JSC::createRegExpMatchesArray):
1270         * runtime/StringPrototype.cpp:
1271         (JSC::substituteBackreferencesSlow):
1272         (JSC::replaceUsingRegExpSearch):
1273         * yarr/YarrParser.h:
1274         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
1275         (JSC::Yarr::Parser::parseEscape):
1276         (JSC::Yarr::Parser::parseParenthesesBegin):
1277         (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
1278         (JSC::Yarr::Parser::tryConsumeIdentifierCharacter):
1279         (JSC::Yarr::Parser::isIdentifierStart):
1280         (JSC::Yarr::Parser::isIdentifierPart):
1281         (JSC::Yarr::Parser::tryConsumeGroupName):
1282         * yarr/YarrPattern.cpp:
1283         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
1284         (JSC::Yarr::YarrPatternConstructor::atomNamedBackReference):
1285         (JSC::Yarr::YarrPattern::errorMessage):
1286         * yarr/YarrPattern.h:
1287         (JSC::Yarr::YarrPattern::reset):
1288         * yarr/YarrSyntaxChecker.cpp:
1289         (JSC::Yarr::SyntaxChecker::atomParenthesesSubpatternBegin):
1290         (JSC::Yarr::SyntaxChecker::atomNamedBackReference):
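
        The three pieces of syntax the entry above adds, exercised from JavaScript as an
        added example (not JavaScriptCore or test-suite code): a named group `(?<name>...)`
        surfaced through `match.groups`, a named back reference `\k<name>` inside the
        pattern, and a `$<name>` token in a String.prototype.replace() replacement string.
        The regexes and helper names are this example's own.

```javascript
// Named groups: the match exposes them as properties of `groups`.
const DATE_RE = /(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})/u;

// Parses an ISO-style date out of `text`; returns null when there is no match.
function parseDate(text) {
  const m = DATE_RE.exec(text);
  if (!m) return null;
  const { year, month, day } = m.groups;
  return { year: Number(year), month: Number(month), day: Number(day) };
}

// Reorders the date fields using $<name> replacement tokens.
function toUSDate(text) {
  return text.replace(DATE_RE, "$<month>/$<day>/$<year>");
}

// Named back reference \k<q>: the closing quote must equal the opening quote, so a
// string opened with " and closed with ' does not match.
const QUOTED_RE = /(?<q>["'])(?<body>.*?)\k<q>/u;

// Returns the body of the first correctly quoted substring, or null.
function unquote(text) {
  const m = QUOTED_RE.exec(text);
  return m ? m.groups.body : null;
}
```

        Using a back reference by name rather than by number is what keeps patterns like
        QUOTED_RE stable when groups are added or reordered later.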
1291
1292 2017-09-07  Myles C. Maxfield  <mmaxfield@apple.com>
1293
1294         [PAL] Unify PlatformUserPreferredLanguages.h with Language.h
1295         https://bugs.webkit.org/show_bug.cgi?id=176561
1296
1297         Reviewed by Brent Fulgham.
1298
1299         * runtime/IntlObject.cpp:
1300         (JSC::defaultLocale):
1301
1302 2017-09-07  Joseph Pecoraro  <pecoraro@apple.com>
1303
1304         Augmented Inspector: Provide a way to inspect a DOM Node (DOM.inspect)
1305         https://bugs.webkit.org/show_bug.cgi?id=176563
1306         <rdar://problem/19639583>
1307
1308         Reviewed by Matt Baker.
1309
1310         * inspector/protocol/DOM.json:
1311         Add an event that is useful for augmented inspectors to inspect
1312         a node. Web pages will still prefer Inspector.inspect.
1313
1314 2017-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1315
1316         [JSC] Remove "malloc" and "free" from JSC/API
1317         https://bugs.webkit.org/show_bug.cgi?id=176331
1318
1319         Reviewed by Keith Miller.
1320
1321         Remove "malloc" and "free" manual calls in JSC/API.
1322
1323         * API/JSValue.mm:
1324         (createStructHandlerMap):
1325         * API/JSWrapperMap.mm:
1326         (parsePropertyAttributes):
1327         (makeSetterName):
1328         (copyPrototypeProperties):
1329         Use RetainPtr<NSString> to keep NSString. We avoid repeated "char*" to "NSString" conversion.
1330
1331         * API/ObjcRuntimeExtras.h:
1332         (adoptSystem):
1333         Add adoptSystem to automate calling system free().
1334
1335         (protocolImplementsProtocol):
1336         (forEachProtocolImplementingProtocol):
1337         (forEachMethodInClass):
1338         (forEachMethodInProtocol):
1339         (forEachPropertyInProtocol):
1340         (StringRange::StringRange):
1341         (StringRange::operator const char* const):
1342         (StringRange::get const):
1343         Use CString for backend.
1344
1345         (StructBuffer::StructBuffer):
1346         (StructBuffer::~StructBuffer):
1347         (StringRange::~StringRange): Deleted.
1348         Use fastAlignedMalloc/fastAlignedFree to get aligned memory.
1349
1350 2017-09-06  Mark Lam  <mark.lam@apple.com>
1351
1352         constructGenericTypedArrayViewWithArguments() is missing an exception check.
1353         https://bugs.webkit.org/show_bug.cgi?id=176485
1354         <rdar://problem/33898874>
1355
1356         Reviewed by Keith Miller.
1357
1358         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1359         (JSC::constructGenericTypedArrayViewWithArguments):
1360
1361 2017-09-06  Saam Barati  <sbarati@apple.com>
1362
1363         Air should have a Vector of prologue generators instead of a HashMap representing an optional prologue generator
1364         https://bugs.webkit.org/show_bug.cgi?id=176346
1365
1366         Reviewed by Mark Lam.
1367
1368         * b3/B3Procedure.cpp:
1369         (JSC::B3::Procedure::Procedure):
1370         (JSC::B3::Procedure::setNumEntrypoints):
1371         * b3/B3Procedure.h:
1372         (JSC::B3::Procedure::setNumEntrypoints): Deleted.
1373         * b3/air/AirCode.cpp:
1374         (JSC::B3::Air::defaultPrologueGenerator):
1375         (JSC::B3::Air::Code::Code):
1376         (JSC::B3::Air::Code::setNumEntrypoints):
1377         * b3/air/AirCode.h:
1378         (JSC::B3::Air::Code::setPrologueForEntrypoint):
1379         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
1380         (JSC::B3::Air::Code::setEntrypoints):
1381         (JSC::B3::Air::Code::setEntrypointLabels):
1382         * b3/air/AirGenerate.cpp:
1383         (JSC::B3::Air::generate):
1384         * ftl/FTLLowerDFGToB3.cpp:
1385         (JSC::FTL::DFG::LowerDFGToB3::lower):
1386
1387 2017-09-06  Saam Barati  <sbarati@apple.com>
1388
1389         ASSERTION FAILED: op() == CheckStructure in Source/JavaScriptCore/dfg/DFGNode.h(443)
1390         https://bugs.webkit.org/show_bug.cgi?id=176470
1391
1392         Reviewed by Mark Lam.
1393
1394         Update Node::convertToCheckStructureImmediate's assertion to allow
1395         the node to either be a CheckStructure or CheckStructureOrEmpty.
1396
1397         * dfg/DFGNode.h:
1398         (JSC::DFG::Node::convertToCheckStructureImmediate):
1399
1400 2017-09-05  Saam Barati  <sbarati@apple.com>
1401
1402         isNotCellSpeculation is wrong with respect to SpecEmpty
1403         https://bugs.webkit.org/show_bug.cgi?id=176429
1404
1405         Reviewed by Michael Saboff.
1406
1407         The isNotCellSpeculation(SpeculatedType t) function was not taking into account
1408         SpecEmpty in the set for t. It should return false when SpecEmpty is present, since
1409         the empty value will fail a NotCell check. This bug would cause us to erroneously
1410         generate NotCellUse UseKinds for inputs that are the empty value, causing repeated OSR exits.
1411
1412         * bytecode/SpeculatedType.h:
1413         (JSC::isNotCellSpeculation):
1414
1415 2017-09-05  Saam Barati  <sbarati@apple.com>
1416
1417         Make the distinction between entrypoints and CFG roots more clear by naming things better
1418         https://bugs.webkit.org/show_bug.cgi?id=176336
1419
1420         Reviewed by Mark Lam and Keith Miller and Michael Saboff.
1421
1422         This patch does renaming to make the distinction between Graph::m_entrypoints
1423         and Graph::m_numberOfEntrypoints more clear. The source of confusion is that
1424         Graph::m_entrypoints.size() is not equivalent to Graph::m_numberOfEntrypoints.
1425         Graph::m_entrypoints is really just the CFG roots. In CPS, this vector has
1426         size >= 1. In SSA, the size is always 1. This patch renames Graph::m_entrypoints
1427         to Graph::m_roots. To be consistent, this patch also renames Graph's m_entrypointToArguments
1428         field to m_rootToArguments.
1429         
1430         Graph::m_numberOfEntrypoints retains its name. This field is only used in SSA
1431         when compiling with EntrySwitch. It represents the logical number of entrypoints
1432         the compilation will end up with. Each EntrySwitch has m_numberOfEntrypoints
1433         cases.
1434
1435         * dfg/DFGByteCodeParser.cpp:
1436         (JSC::DFG::ByteCodeParser::parseBlock):
1437         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1438         * dfg/DFGCFG.h:
1439         (JSC::DFG::CFG::roots):
1440         (JSC::DFG::CPSCFG::CPSCFG):
1441         * dfg/DFGCPSRethreadingPhase.cpp:
1442         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
1443         * dfg/DFGDCEPhase.cpp:
1444         (JSC::DFG::DCEPhase::run):
1445         * dfg/DFGGraph.cpp:
1446         (JSC::DFG::Graph::dump):
1447         (JSC::DFG::Graph::determineReachability):
1448         (JSC::DFG::Graph::blocksInPreOrder):
1449         (JSC::DFG::Graph::blocksInPostOrder):
1450         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1451         * dfg/DFGGraph.h:
1452         (JSC::DFG::Graph::isRoot):
1453         (JSC::DFG::Graph::isEntrypoint): Deleted.
1454         * dfg/DFGInPlaceAbstractState.cpp:
1455         (JSC::DFG::InPlaceAbstractState::initialize):
1456         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1457         (JSC::DFG::createPreHeader):
1458         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1459         (JSC::DFG::MaximalFlushInsertionPhase::run):
1460         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
1461         * dfg/DFGOSREntrypointCreationPhase.cpp:
1462         (JSC::DFG::OSREntrypointCreationPhase::run):
1463         * dfg/DFGPredictionInjectionPhase.cpp:
1464         (JSC::DFG::PredictionInjectionPhase::run):
1465         * dfg/DFGSSAConversionPhase.cpp:
1466         (JSC::DFG::SSAConversionPhase::run):
1467         * dfg/DFGSpeculativeJIT.cpp:
1468         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1469         (JSC::DFG::SpeculativeJIT::linkOSREntries):
1470         * dfg/DFGTypeCheckHoistingPhase.cpp:
1471         (JSC::DFG::TypeCheckHoistingPhase::run):
1472         * dfg/DFGValidate.cpp:
1473
1474 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
1475
1476         test262: Completion values for control flow do not match the spec
1477         https://bugs.webkit.org/show_bug.cgi?id=171265
1478
1479         Reviewed by Saam Barati.
1480
1481         * bytecompiler/BytecodeGenerator.h:
1482         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
1483         When we care about having proper completion values (global code
1484         in programs, modules, and eval) insert undefined results for
1485         control flow statements.
1486
1487         * bytecompiler/NodesCodegen.cpp:
1488         (JSC::SourceElements::emitBytecode):
1489         Reduce writing a default `undefined` value to the completion result to
1490         only once before the last statement we know will produce a value.
1491
1492         (JSC::IfElseNode::emitBytecode):
1493         (JSC::WithNode::emitBytecode):
1494         (JSC::WhileNode::emitBytecode):
1495         (JSC::ForNode::emitBytecode):
1496         (JSC::ForInNode::emitBytecode):
1497         (JSC::ForOfNode::emitBytecode):
1498         (JSC::SwitchNode::emitBytecode):
1499         Insert an undefined to handle cases where code may break out of an
1500         if/else or with statement (break/continue).
1501
1502         (JSC::TryNode::emitBytecode):
1503         Same handling for break cases. Also, finally block statement completion
1504         values are always ignored for the try statement result.
1505
1506         (JSC::ClassDeclNode::emitBytecode):
1507         Class declarations, like function declarations, produce an empty result.
1508
1509         * parser/Nodes.cpp:
1510         (JSC::SourceElements::lastStatement):
1511         (JSC::SourceElements::hasCompletionValue):
1512         (JSC::SourceElements::hasEarlyBreakOrContinue):
1513         (JSC::BlockNode::lastStatement):
1514         (JSC::BlockNode::singleStatement):
1515         (JSC::BlockNode::hasCompletionValue):
1516         (JSC::BlockNode::hasEarlyBreakOrContinue):
1517         (JSC::ScopeNode::singleStatement):
1518         (JSC::ScopeNode::hasCompletionValue):
1519         (JSC::ScopeNode::hasEarlyBreakOrContinue):
1520         The only non-trivial cases need to loop through their list of statements
1521         to determine if this has a completion value or not. Likewise for
1522         determining if there is an early break / continue, meaning a break or
1523         continue statement with no preceding statement that has a completion value.
1524
1525         * parser/Nodes.h:
1526         (JSC::StatementNode::next):
1527         (JSC::StatementNode::hasCompletionValue):
1528         Helper to check if a statement node produces a completion value or not.
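
The completion values this entry aligns with the spec can be observed from script, since the return value of eval is the completion value of the evaluated code. The following is an added example (not part of the WebKit ChangeLog or the JSC sources); every snippet in it is constructed, and each is run as global code through an indirect eval, matching the "global code in programs, modules, and eval" case the entry describes.

```javascript
// Added example, not from the WebKit ChangeLog or JSC sources: observe the
// completion values of control-flow statements, declarations and try/finally.

function completionValue(src) {
  // Indirect eval runs the snippet as a fresh global Script; the value it
  // returns is that Script's completion value, not simply its last expression.
  return (0, eval)(src);
}

// Constructed snippets. Each starts with the expression statement `1;`, so a
// statement whose own completion is empty leaves 1 as the result, while a
// control-flow statement whose completion is undefined replaces it.
const cases = [
  // if/else: a taken branch that produces no value yields undefined, not 1
  { src: "1; if (true) {}",                      expected: undefined },
  { src: "1; if (true) { 2 }",                   expected: 2 },
  // break out of an if: the break carries undefined, not the earlier 1
  { src: "1; outer: if (true) { break outer; }", expected: undefined },
  // loops: a body that never runs, or is left via break, yields undefined
  { src: "1; while (false) {}",                  expected: undefined },
  { src: "1; do { break; } while (false)",       expected: undefined },
  { src: "1; for (const x of [5, 6]) { x }",     expected: 6 },
  // switch: a matching but empty clause yields undefined
  { src: "1; switch (0) { case 0: }",            expected: undefined },
  // try/finally: the finally block's completion value is ignored
  { src: "1; try {} finally { 2 }",              expected: undefined },
  { src: "1; try { 3 } finally { 2 }",           expected: 3 },
  // declarations produce an empty completion, so the earlier 1 survives
  { src: "1; class A {}",                        expected: 1 },
  { src: "1; function f() {}",                   expected: 1 },
];

// Evaluates every snippet and collects the ones whose completion value differs
// from the spec; returns an empty array on a conforming engine.
function checkCompletionValues() {
  const mismatches = [];
  for (const { src, expected } of cases) {
    const actual = completionValue(src);
    if (!Object.is(actual, expected))
      mismatches.push({ src, expected, actual });
  }
  return mismatches;
}

const mismatches = checkCompletionValues();
if (mismatches.length === 0)
  console.log("all completion values match the spec");
else
  console.log("non-conforming completion values:", mismatches);
```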
1529
1530 2017-09-04  Saam Barati  <sbarati@apple.com>
1531
1532         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
1533         https://bugs.webkit.org/show_bug.cgi?id=176317
1534
1535         Reviewed by Keith Miller.
1536
1537         It turns out that TypeCheckHoistingPhase may hoist a CheckStructure up to 
1538         the SetLocal of a particular value where the value is the empty JSValue.
1539         On 64-bit platforms, the empty value is zero. This means that the empty value
1540         passes a cell check. This will lead to a crash when we dereference null to load
1541         the value's structure. This patch teaches TypeCheckHoistingPhase to be conservative
1542         in the structure checks it hoists. On 64-bit platforms, instead of emitting a
1543         CheckStructure node, we now emit a CheckStructureOrEmpty node. This node allows
1544         the empty value to flow through. If the value isn't empty, it'll perform the normal
1545         structure check that CheckStructure performs. For now, we only emit CheckStructureOrEmpty
1546         on 64-bit platforms since a cell check on 32-bit platforms does not allow the empty
1547         value to flow through.
1548
1549         * dfg/DFGAbstractInterpreterInlines.h:
1550         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1551         * dfg/DFGArgumentsEliminationPhase.cpp:
1552         * dfg/DFGClobberize.h:
1553         (JSC::DFG::clobberize):
1554         * dfg/DFGConstantFoldingPhase.cpp:
1555         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1556         * dfg/DFGDoesGC.cpp:
1557         (JSC::DFG::doesGC):
1558         * dfg/DFGFixupPhase.cpp:
1559         (JSC::DFG::FixupPhase::fixupNode):
1560         * dfg/DFGNode.h:
1561         (JSC::DFG::Node::convertCheckStructureOrEmptyToCheckStructure):
1562         (JSC::DFG::Node::hasStructureSet):
1563         * dfg/DFGNodeType.h:
1564         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1565         * dfg/DFGPredictionPropagationPhase.cpp:
1566         * dfg/DFGSafeToExecute.h:
1567         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
1568         (JSC::DFG::SafeToExecuteEdge::operator()):
1569         (JSC::DFG::SafeToExecuteEdge::maySeeEmptyChild):
1570         (JSC::DFG::safeToExecute):
1571         * dfg/DFGSpeculativeJIT.cpp:
1572         (JSC::DFG::SpeculativeJIT::emitStructureCheck):
1573         (JSC::DFG::SpeculativeJIT::compileCheckStructure):
1574         * dfg/DFGSpeculativeJIT.h:
1575         * dfg/DFGSpeculativeJIT32_64.cpp:
1576         (JSC::DFG::SpeculativeJIT::compile):
1577         * dfg/DFGSpeculativeJIT64.cpp:
1578         (JSC::DFG::SpeculativeJIT::compile):
1579         * dfg/DFGTypeCheckHoistingPhase.cpp:
1580         (JSC::DFG::TypeCheckHoistingPhase::run):
1581         * dfg/DFGValidate.cpp:
1582         * ftl/FTLCapabilities.cpp:
1583         (JSC::FTL::canCompile):
1584         * ftl/FTLLowerDFGToB3.cpp:
1585         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1586         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureOrEmpty):
1587
1588 2017-09-04  Saam Barati  <sbarati@apple.com>
1589
1590         Support compiling catch in the FTL
1591         https://bugs.webkit.org/show_bug.cgi?id=175396
1592
1593         Reviewed by Filip Pizlo.
1594
1595         This patch implements op_catch in the FTL. It extends the DFG implementation
1596         by supporting multiple entrypoints in DFG-SSA. This patch implements this
1597         by introducing an EntrySwitch node. When converting to SSA, we introduce a new
1598         root block with an EntrySwitch that has the previous DFG entrypoints as its
1599         successors. By convention, we pick the zeroth entry point index to be the
1600         op_enter entrypoint. Like in B3, in DFG-SSA, EntrySwitch just acts like a
1601         switch over the entrypoint index argument. DFG::EntrySwitch in the FTL
1602         simply lowers to B3::EntrySwitch. The EntrySwitch in the root block that
1603         SSAConversion creates cannot exit because we would not know where in the
1604         program to exit to: we would not have valid OSR exit state. This design also
1605         mandates that anything we hoist above EntrySwitch in the new root block
1606         cannot exit since they also do not have valid OSR exit state.
1607         
1608         This patch also adds a new metadata node named InitializeEntrypointArguments.
1609         InitializeEntrypointArguments is a metadata node that initializes the flush format for
1610         the arguments at a given entrypoint. For a given entrypoint index, this node
1611         tells AI and OSRAvailabilityAnalysis what the flush format for each argument
1612         is. This allows each individual entrypoint to have an independent set of
1613         argument types. Currently, this won't happen in practice because ArgumentPosition
1614         unifies flush formats, but this is an implementation detail we probably want
1615         to modify in the future. SSAConversion will add InitializeEntrypointArguments
1616         to the beginning of each of the original DFG entrypoint blocks.
1617         
1618         This patch also adds the ability to specify custom prologue code generators in Air.
1619         This allows the FTL to specify a custom prologue for catch entrypoints that
1620         matches the op_catch OSR entry calling convention that the DFG uses. This way,
1621         the baseline JIT code OSR enters into op_catch the same way both in the DFG
1622         and the FTL. In the future, we can use this same mechanism to perform stack
1623         overflow checks instead of using a patchpoint.
1624
1625         * b3/air/AirCode.cpp:
1626         (JSC::B3::Air::Code::isEntrypoint):
1627         (JSC::B3::Air::Code::entrypointIndex):
1628         * b3/air/AirCode.h:
1629         (JSC::B3::Air::Code::setPrologueForEntrypoint):
1630         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
1631         * b3/air/AirGenerate.cpp:
1632         (JSC::B3::Air::generate):
1633         * dfg/DFGAbstractInterpreterInlines.h:
1634         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1635         * dfg/DFGBasicBlock.h:
1636         * dfg/DFGByteCodeParser.cpp:
1637         (JSC::DFG::ByteCodeParser::parseBlock):
1638         (JSC::DFG::ByteCodeParser::parse):
1639         * dfg/DFGCFG.h:
1640         (JSC::DFG::selectCFG):
1641         * dfg/DFGClobberize.h:
1642         (JSC::DFG::clobberize):
1643         * dfg/DFGClobbersExitState.cpp:
1644         (JSC::DFG::clobbersExitState):
1645         * dfg/DFGCommonData.cpp:
1646         (JSC::DFG::CommonData::shrinkToFit):
1647         (JSC::DFG::CommonData::finalizeCatchEntrypoints):
1648         * dfg/DFGCommonData.h:
1649         (JSC::DFG::CommonData::catchOSREntryDataForBytecodeIndex):
1650         (JSC::DFG::CommonData::appendCatchEntrypoint):
1651         * dfg/DFGDoesGC.cpp:
1652         (JSC::DFG::doesGC):
1653         * dfg/DFGFixupPhase.cpp:
1654         (JSC::DFG::FixupPhase::fixupNode):
1655         * dfg/DFGGraph.cpp:
1656         (JSC::DFG::Graph::dump):
1657         (JSC::DFG::Graph::invalidateCFG):
1658         (JSC::DFG::Graph::ensureCPSCFG):
1659         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1660         * dfg/DFGGraph.h:
1661         (JSC::DFG::Graph::isEntrypoint):
1662         * dfg/DFGInPlaceAbstractState.cpp:
1663         (JSC::DFG::InPlaceAbstractState::initialize):
1664         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
1665         * dfg/DFGJITCode.cpp:
1666         (JSC::DFG::JITCode::shrinkToFit):
1667         (JSC::DFG::JITCode::finalizeOSREntrypoints):
1668         * dfg/DFGJITCode.h:
1669         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex): Deleted.
1670         (JSC::DFG::JITCode::appendCatchEntrypoint): Deleted.
1671         * dfg/DFGJITCompiler.cpp:
1672         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1673         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
1674         * dfg/DFGMayExit.cpp:
1675         * dfg/DFGNode.h:
1676         (JSC::DFG::Node::isEntrySwitch):
1677         (JSC::DFG::Node::isTerminal):
1678         (JSC::DFG::Node::entrySwitchData):
1679         (JSC::DFG::Node::numSuccessors):
1680         (JSC::DFG::Node::successor):
1681         (JSC::DFG::Node::entrypointIndex):
1682         * dfg/DFGNodeType.h:
1683         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1684         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1685         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1686         * dfg/DFGOSREntry.cpp:
1687         (JSC::DFG::prepareCatchOSREntry):
1688         * dfg/DFGOSREntry.h:
1689         * dfg/DFGOSREntrypointCreationPhase.cpp:
1690         (JSC::DFG::OSREntrypointCreationPhase::run):
1691         * dfg/DFGPredictionPropagationPhase.cpp:
1692         * dfg/DFGSSAConversionPhase.cpp:
1693         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
1694         (JSC::DFG::SSAConversionPhase::run):
1695         * dfg/DFGSafeToExecute.h:
1696         (JSC::DFG::safeToExecute):
1697         * dfg/DFGSpeculativeJIT.cpp:
1698         (JSC::DFG::SpeculativeJIT::linkOSREntries):
1699         * dfg/DFGSpeculativeJIT32_64.cpp:
1700         (JSC::DFG::SpeculativeJIT::compile):
1701         * dfg/DFGSpeculativeJIT64.cpp:
1702         (JSC::DFG::SpeculativeJIT::compile):
1703         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
1704         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
1705         * dfg/DFGValidate.cpp:
1706         * ftl/FTLCapabilities.cpp:
1707         (JSC::FTL::canCompile):
1708         * ftl/FTLCompile.cpp:
1709         (JSC::FTL::compile):
1710         * ftl/FTLLowerDFGToB3.cpp:
1711         (JSC::FTL::DFG::LowerDFGToB3::lower):
1712         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1713         (JSC::FTL::DFG::LowerDFGToB3::compileExtractCatchLocal):
1714         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
1715         (JSC::FTL::DFG::LowerDFGToB3::compileEntrySwitch):
1716         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1717         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):
1718         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
1719         (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
1720         * ftl/FTLOutput.cpp:
1721         (JSC::FTL::Output::entrySwitch):
1722         * ftl/FTLOutput.h:
1723         * jit/JITOperations.cpp:
1724
1725 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1726
1727         [DFG][FTL] Efficiently execute number#toString()
1728         https://bugs.webkit.org/show_bug.cgi?id=170007
1729
1730         Reviewed by Keith Miller.
1731
1732         In JS, the natural way to convert number to string with radix is `number.toString(radix)`.
1733         However, our IC only cares about cells. If the base value is a number, it always goes to the slow path.
1734
1735         While extending our IC for number and boolean, the most meaningful use of this IC is calling `number.toString(radix)`.
1736         So, in this patch, we first add a fast path for this in DFG by using watchpoint. We set up a watchpoint for
1737         Number.prototype.toString. And if this watchpoint is kept alive and GetById(base, "toString")'s base should be
1738         speculated as Number, we emit Number related Checks and convert GetById to Number.prototype.toString constant.
1739         It removes costly GetById slow path, and makes it non-clobbering node (JSConstant).
1740
1741         In addition, we add NumberToStringWithValidRadixConstant node. We have NumberToStringWithRadix node, but it may
1742         throw an error if the radix value is incorrect (for example, number.toString(2000)). So its clobbering rule
1743         conservatively uses read(World)/write(Heap). But in reality, `number.toString` is mostly called with a constant
1744         radix, and we can easily figure out this radix is valid (2 <= radix && radix < 32).
1745         We add a rule to the constant folding phase to convert NumberToStringWithRadix to NumberToStringWithValidRadixConstant.
1746         It ensures that it has valid constant radix. And we relax our clobbering rule for NumberToStringWithValidRadixConstant.
1747
1748         Added microbenchmarks show performance improvement.
1749
1750                                                       baseline                  patched
1751
1752         number-to-string-with-radix-cse           43.8312+-1.3017     ^      7.4930+-0.5105        ^ definitely 5.8496x faster
1753         number-to-string-with-radix-10             7.2775+-0.5225     ^      2.1906+-0.1864        ^ definitely 3.3222x faster
1754         number-to-string-with-radix               39.7378+-1.4921     ^     16.6137+-0.7776        ^ definitely 2.3919x faster
1755         number-to-string-strength-reduction       94.9667+-2.7157     ^      9.3060+-0.7202        ^ definitely 10.2049x faster
1756
1757         * dfg/DFGAbstractInterpreterInlines.h:
1758         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1759         * dfg/DFGClobberize.h:
1760         (JSC::DFG::clobberize):
1761         * dfg/DFGConstantFoldingPhase.cpp:
1762         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1763         * dfg/DFGDoesGC.cpp:
1764         (JSC::DFG::doesGC):
1765         * dfg/DFGFixupPhase.cpp:
1766         (JSC::DFG::FixupPhase::fixupNode):
1767         * dfg/DFGGraph.h:
1768         (JSC::DFG::Graph::isWatchingGlobalObjectWatchpoint):
1769         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
1770         (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint):
1771         * dfg/DFGNode.h:
1772         (JSC::DFG::Node::convertToNumberToStringWithValidRadixConstant):
1773         (JSC::DFG::Node::hasValidRadixConstant):
1774         (JSC::DFG::Node::validRadixConstant):
1775         * dfg/DFGNodeType.h:
1776         * dfg/DFGPredictionPropagationPhase.cpp:
1777         * dfg/DFGSafeToExecute.h:
1778         (JSC::DFG::safeToExecute):
1779         * dfg/DFGSpeculativeJIT.cpp:
1780         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor):
1781         (JSC::DFG::SpeculativeJIT::compileNumberToStringWithValidRadixConstant):
1782         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnNumber): Deleted.
1783         * dfg/DFGSpeculativeJIT.h:
1784         * dfg/DFGSpeculativeJIT32_64.cpp:
1785         (JSC::DFG::SpeculativeJIT::compile):
1786         * dfg/DFGSpeculativeJIT64.cpp:
1787         (JSC::DFG::SpeculativeJIT::compile):
1788         * dfg/DFGStrengthReductionPhase.cpp:
1789         (JSC::DFG::StrengthReductionPhase::handleNode):
1790         * ftl/FTLCapabilities.cpp:
1791         (JSC::FTL::canCompile):
1792         * ftl/FTLLowerDFGToB3.cpp:
1793         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1794         (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
1795         * runtime/JSGlobalObject.cpp:
1796         (JSC::JSGlobalObject::JSGlobalObject):
1797         (JSC::JSGlobalObject::init):
1798         (JSC::JSGlobalObject::visitChildren):
1799         * runtime/JSGlobalObject.h:
1800         (JSC::JSGlobalObject::numberToStringWatchpoint):
1801         (JSC::JSGlobalObject::numberProtoToStringFunction const):
1802         * runtime/NumberPrototype.cpp:
1803         (JSC::NumberPrototype::finishCreation):
1804         (JSC::toStringWithRadixInternal):
1805         (JSC::toStringWithRadix):
1806         (JSC::int32ToStringInternal):
1807         (JSC::numberToStringInternal):
1808         * runtime/NumberPrototype.h:
1809
1810 2017-09-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1811
1812         [DFG] Consider increasing the number of DFG worklist threads
1813         https://bugs.webkit.org/show_bug.cgi?id=176222
1814
1815         Reviewed by Saam Barati.
1816
1817         Attempt to add one more thread to the DFG worklist. The DFG compiler sometimes takes
1818         a very long time if the target function is very large. However, the DFG worklist
1819         had only one thread before this patch. Therefore, one function that takes
1820         too much time to be compiled can prevent the other functions from being
1821         compiled in DFG or upper tiers.
1822
1823         One example is Octane/zlib. In zlib, compiling the "a1" function in DFG takes
1824         a super long time (447 ms) because of the super large size of the function.
1825         While this function never gets compiled in FTL due to its large size,
1826         it can be compiled in DFG and takes a super long time. The subsequent "a8" function
1827         compilation in DFG is blocked by this "a1". As a consequence, the benchmark
1828         takes a very long time in a1/Baseline code, which is slower than DFG of course.
1829
1830         While the FTL has a few more threads, the DFG worklist has only one thread. This patch
1831         adds one more thread to the DFG worklist to alleviate the above situation. This
1832         change significantly improves Octane/zlib performance.
1833
1834                                     baseline                  patched
1835
1836         zlib           x2     482.32825+-6.07640    ^   408.66072+-14.03856      ^ definitely 1.1803x faster
1837
1838         * runtime/Options.h:
1839
1840 2017-09-04  Sam Weinig  <sam@webkit.org>
1841
1842         [WebIDL] Unify and simplify EnableBySettings with the rest of the runtime settings
1843         https://bugs.webkit.org/show_bug.cgi?id=176312
1844
1845         Reviewed by Darin Adler.
1846
1847         * runtime/CommonIdentifiers.h:
1848
1849             Remove WebCore specific identifiers from CommonIdentifiers. They have been moved
1850             to WebCoreBuiltinNames in WebCore.
1851
1852 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1853
1854         Remove "malloc" and "free" use
1855         https://bugs.webkit.org/show_bug.cgi?id=176310
1856
1857         Reviewed by Darin Adler.
1858
1859         Use Vector instead.
1860
1861         * API/JSWrapperMap.mm:
1862         (selectorToPropertyName):
1863
1864 2017-09-03  Darin Adler  <darin@apple.com>
1865
1866         Try to fix Windows build.
1867
1868         * runtime/JSGlobalObjectFunctions.cpp: #include <unicode/utf8.h>.
1869
1870 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1871
1872         [WTF] Add C++03 allocator interface for GCC < 6
1873         https://bugs.webkit.org/show_bug.cgi?id=176301
1874
1875         Reviewed by Darin Adler.
1876
1877         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1878
1879 2017-09-03  Chris Dumez  <cdumez@apple.com>
1880
1881         Unreviewed, rolling out r221555.
1882
1883         Did not fix Windows build
1884
1885         Reverted changeset:
1886
1887         "Unreviewed attempt to fix Windows build."
1888         http://trac.webkit.org/changeset/221555
1889
1890 2017-09-03  Chris Dumez  <cdumez@apple.com>
1891
1892         Unreviewed attempt to fix Windows build.
1893
1894         * runtime/JSGlobalObjectFunctions.cpp:
1895
1896 2017-09-03  Chris Dumez  <cdumez@apple.com>
1897
1898         Unreviewed, rolling out r221552.
1899
1900         Broke the build
1901
1902         Reverted changeset:
1903
1904         "[WTF] Add C++03 allocator interface for GCC < 6"
1905         https://bugs.webkit.org/show_bug.cgi?id=176301
1906         http://trac.webkit.org/changeset/221552
1907
1908 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1909
1910         [WTF] Add C++03 allocator interface for GCC < 6
1911         https://bugs.webkit.org/show_bug.cgi?id=176301
1912
1913         Reviewed by Darin Adler.
1914
1915         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1916
1917 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1918
1919         [JSC] Clean up BytecodeLivenessAnalysis
1920         https://bugs.webkit.org/show_bug.cgi?id=176295
1921
1922         Reviewed by Saam Barati.
1923
1924         Previously, computeDefsForBytecodeOffset was a bit customizable.
1925         This was used for the try-catch handler's liveness analysis. But after the
1926         careful generatorification implementation, it is no longer necessary.
1927         This patch drops this customizability.
1928
1929         * bytecode/BytecodeGeneratorification.cpp:
1930         (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
1931         (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
1932         * bytecode/BytecodeLivenessAnalysis.cpp:
1933         (JSC::BytecodeLivenessAnalysis::computeKills):
1934         (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
1935         (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
1936         * bytecode/BytecodeLivenessAnalysis.h:
1937         * bytecode/BytecodeLivenessAnalysisInlines.h:
1938         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
1939         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
1940         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
1941         (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
1942         (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
1943         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction): Deleted.
1944         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBytecodeOffset): Deleted.
1945         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBlock): Deleted.
1946         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::getLivenessInfoAtBytecodeOffset): Deleted.
1947         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint): Deleted.
1948
1949 2017-09-03  Sam Weinig  <sam@webkit.org>
1950
1951         Remove CanvasProxy
1952         https://bugs.webkit.org/show_bug.cgi?id=176288
1953
1954         Reviewed by Yusuke Suzuki.
1955
1956         CanvasProxy does not appear to be in any current HTML spec
1957         and was disabled and unimplemented in our tree. Time to 
1958         get rid of it.
1959
1960         * Configurations/FeatureDefines.xcconfig:
1961
1962 2017-09-02  Oliver Hunt  <oliver@apple.com>
1963
1964         Need an API to get the global context from JSObjectRef
1965         https://bugs.webkit.org/show_bug.cgi?id=176291
1966
1967         Reviewed by Saam Barati.
1968
1969         Very simple additional API, starting off as SPI on principle.
1970
1971         * API/JSObjectRef.cpp:
1972         (JSObjectGetGlobalContext):
1973         * API/JSObjectRefPrivate.h:
1974         * API/tests/testapi.c:
1975         (main):
1976
1977 2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1978
1979         [DFG] Relax arity requirement
1980         https://bugs.webkit.org/show_bug.cgi?id=175523
1981
1982         Reviewed by Saam Barati.
1983
1984         Our DFG pipeline gives up inlining when the arity of the target function is more than the number of the arguments.
1985         It effectively prevents us from inlining and optimizing functions which take some optional arguments in the
1986         pre-ES6 form.
1987
1988         This patch removes the above restriction by performing the arity fixup in DFG.
1989
1990         SixSpeed shows improvement when we can inline arity-mismatched functions. (For example, calling generator.next()).
1991
1992                                        baseline                  patched
1993
1994         defaults.es5             1232.1226+-20.6775    ^    442.3326+-26.1883       ^ definitely 2.7855x faster
1995         rest.es6                    5.3406+-0.8588     ^      3.5812+-0.5388        ^ definitely 1.4913x faster
1996         spread-generator.es6      320.9107+-12.4808         310.4295+-12.0047         might be 1.0338x faster
1997         generator.es6             318.3514+-9.6023     ^    286.4974+-12.6203       ^ definitely 1.1112x faster
1998
1999         * bytecode/InlineCallFrame.cpp:
2000         (JSC::InlineCallFrame::dumpInContext const):
2001         * bytecode/InlineCallFrame.h:
2002         (JSC::InlineCallFrame::InlineCallFrame):
2003         * dfg/DFGAbstractInterpreterInlines.h:
2004         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2005         * dfg/DFGArgumentsEliminationPhase.cpp:
2006         * dfg/DFGArgumentsUtilities.cpp:
2007         (JSC::DFG::argumentsInvolveStackSlot):
2008         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2009         * dfg/DFGByteCodeParser.cpp:
2010         (JSC::DFG::ByteCodeParser::setLocal):
2011         (JSC::DFG::ByteCodeParser::setArgument):
2012         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
2013         (JSC::DFG::ByteCodeParser::flush):
2014         (JSC::DFG::ByteCodeParser::getArgumentCount):
2015         (JSC::DFG::ByteCodeParser::inliningCost):
2016         (JSC::DFG::ByteCodeParser::inlineCall):
2017         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2018         (JSC::DFG::ByteCodeParser::parseBlock):
2019         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2020         * dfg/DFGCommonData.cpp:
2021         (JSC::DFG::CommonData::validateReferences):
2022         * dfg/DFGConstantFoldingPhase.cpp:
2023         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2024         * dfg/DFGGraph.cpp:
2025         (JSC::DFG::Graph::isLiveInBytecode):
2026         * dfg/DFGGraph.h:
2027         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
2028         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2029         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2030         * dfg/DFGOSRExit.cpp:
2031         (JSC::DFG::OSRExit::emitRestoreArguments):
2032         * dfg/DFGOSRExitCompilerCommon.cpp:
2033         (JSC::DFG::reifyInlinedCallFrames):
2034         * dfg/DFGPreciseLocalClobberize.h:
2035         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2036         * dfg/DFGSpeculativeJIT.cpp:
2037         (JSC::DFG::SpeculativeJIT::emitGetLength):
2038         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2039         * dfg/DFGStackLayoutPhase.cpp:
2040         (JSC::DFG::StackLayoutPhase::run):
2041         * ftl/FTLCompile.cpp:
2042         (JSC::FTL::compile):
2043         * ftl/FTLLowerDFGToB3.cpp:
2044         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
2045         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
2046         * ftl/FTLOperations.cpp:
2047         (JSC::FTL::operationMaterializeObjectInOSR):
2048         * interpreter/StackVisitor.cpp:
2049         (JSC::StackVisitor::readInlinedFrame):
2050         * jit/AssemblyHelpers.h:
2051         (JSC::AssemblyHelpers::argumentsStart):
2052         * jit/SetupVarargsFrame.cpp:
2053         (JSC::emitSetupVarargsFrameFastCase):
2054         * runtime/ClonedArguments.cpp:
2055         (JSC::ClonedArguments::createWithInlineFrame):
2056         * runtime/CommonSlowPaths.h:
2057         (JSC::CommonSlowPaths::numberOfExtraSlots):
2058         (JSC::CommonSlowPaths::numberOfStackPaddingSlots):
2059         (JSC::CommonSlowPaths::numberOfStackPaddingSlotsWithExtraSlots):
2060         (JSC::CommonSlowPaths::arityCheckFor):
2061         * runtime/StackAlignment.h:
2062         (JSC::stackAlignmentBytes):
2063         (JSC::stackAlignmentRegisters):
2064
2065 2017-09-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2066
2067         [FTL] FTL allocation for async Function is incorrect
2068         https://bugs.webkit.org/show_bug.cgi?id=176214
2069
2070         Reviewed by Saam Barati.
2071
2072         In FTL, allocating an async function / async generator function was incorrectly using
2073         JSFunction logic. It is not observable right now since sizeof(JSFunction) == sizeof(JSAsyncFunction),
2074         but it is a bug.
2075
2076         * ftl/FTLLowerDFGToB3.cpp:
2077         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2078
2079 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2080
2081         [JSC] Fix "name" and "length" of Proxy revoke function
2082         https://bugs.webkit.org/show_bug.cgi?id=176155
2083
2084         Reviewed by Mark Lam.
2085
2086         ProxyRevoke's length should be configurable. And it does not have
2087         its own name. We add NameVisibility enum to InternalFunction to
2088         control visibility of the name.
2089
2090         * runtime/InternalFunction.cpp:
2091         (JSC::InternalFunction::finishCreation):
2092         * runtime/InternalFunction.h:
2093         * runtime/ProxyRevoke.cpp:
2094         (JSC::ProxyRevoke::finishCreation):
2095
2096 2017-08-31  Saam Barati  <sbarati@apple.com>
2097
2098         Throwing an exception in the DFG/FTL should not cause a jettison
2099         https://bugs.webkit.org/show_bug.cgi?id=176060
2100         <rdar://problem/34143348>
2101
2102         Reviewed by Keith Miller.
2103
2104         Throwing an exception is not something that should be a jettison-able
2105         OSR exit. We used to count Throw/ThrowStaticError towards our OSR exit
2106         counts which could cause a CodeBlock to jettison and recompile. This
2107         was dumb. Throwing an exception is not a reason to jettison and
2108         recompile in the way that a speculation failure is. This patch
2109         treats Throw/ThrowStaticError as true terminals in DFG IR.
2110
2111         * bytecode/BytecodeUseDef.h:
2112         (JSC::computeUsesForBytecodeOffset):
2113         * dfg/DFGAbstractInterpreterInlines.h:
2114         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2115         * dfg/DFGByteCodeParser.cpp:
2116         (JSC::DFG::ByteCodeParser::parseBlock):
2117         * dfg/DFGClobberize.h:
2118         (JSC::DFG::clobberize):
2119         * dfg/DFGFixupPhase.cpp:
2120         (JSC::DFG::FixupPhase::fixupNode):
2121         * dfg/DFGInPlaceAbstractState.cpp:
2122         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
2123         * dfg/DFGNode.h:
2124         (JSC::DFG::Node::isTerminal):
2125         (JSC::DFG::Node::isPseudoTerminal):
2126         (JSC::DFG::Node::errorType):
2127         * dfg/DFGNodeType.h:
2128         * dfg/DFGOperations.cpp:
2129         * dfg/DFGOperations.h:
2130         * dfg/DFGPredictionPropagationPhase.cpp:
2131         * dfg/DFGSpeculativeJIT.cpp:
2132         (JSC::DFG::SpeculativeJIT::compileThrow):
2133         (JSC::DFG::SpeculativeJIT::compileThrowStaticError):
2134         * dfg/DFGSpeculativeJIT.h:
2135         (JSC::DFG::SpeculativeJIT::callOperation):
2136         * dfg/DFGSpeculativeJIT32_64.cpp:
2137         (JSC::DFG::SpeculativeJIT::compile):
2138         * dfg/DFGSpeculativeJIT64.cpp:
2139         (JSC::DFG::SpeculativeJIT::compile):
2140         * ftl/FTLLowerDFGToB3.cpp:
2141         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2142         (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
2143         (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError):
2144         * jit/JITOperations.h:
2145
2146 2017-08-31  Saam Barati  <sbarati@apple.com>
2147
2148         Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin
2149         https://bugs.webkit.org/show_bug.cgi?id=176206
2150
2151         Reviewed by Keith Miller.
2152
2153         Mark fixed the main issue in Graph::methodOfGettingAValueProfileFor in r208560
2154         when he fixed it from overwriting invalid parts of the ArithProfile when the
2155         currentNode and the operandNode are from the same bytecode. However, the
2156         mechanism used to determine same bytecode was comparing NodeOrigin. That's
2157         slightly wrong. We need to compare semantic origin, since two NodeOrigins can
2158         have the same semantic origin, but differ only in exitOK. For example,
2159         in the below IR, the DoubleRep and the Phi have the same semantic
2160         origin, but different NodeOrigins.
2161
2162         43 Phi(JS|PureInt, NonBoolInt32|NonIntAsdouble, W:SideState, bc#63, ExitInvalid)
2163         58 ExitOK(MustGen, W:SideState, bc#63)
2164         51 DoubleRep(Check:Number:Kill:@43, Double|PureInt, BytecodeDouble, Exits, bc#63)
2165         54 ArithNegate(DoubleRep:Kill:@51<Double>, Double|UseAsOther|MayHaveDoubleResult, AnyIntAsDouble|NonIntAsdouble, NotSet, Exits, bc#63)
2166
2167         * dfg/DFGGraph.cpp:
2168         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2169
2170 2017-08-31  Don Olmstead  <don.olmstead@sony.com>
2171
2172         [CMake] Make USE_CF conditional within Windows
2173         https://bugs.webkit.org/show_bug.cgi?id=176173
2174
2175         Reviewed by Alex Christensen.
2176
2177         * PlatformWin.cmake:
2178
2179 2017-08-31  Saam Barati  <sbarati@apple.com>
2180
2181         useSeparatedWXHeap should never be true when not on iOS
2182         https://bugs.webkit.org/show_bug.cgi?id=176190
2183
2184         Reviewed by JF Bastien.
2185
2186         If you set useSeparatedWXHeap to true on X86_64, and launch the jsc shell,
2187         the process insta-crashes. Let's silently ignore that option and set it
2188         to false when not on iOS.
2189
2190         * runtime/Options.cpp:
2191         (JSC::recomputeDependentOptions):
2192
2193 2017-08-31  Filip Pizlo  <fpizlo@apple.com>
2194
2195         Fix debug crashes.
2196
2197         Rubber stamped by Mark Lam.
2198
2199         * runtime/JSArrayBufferView.cpp:
2200         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2201
2202 2017-08-31  Filip Pizlo  <fpizlo@apple.com>
2203
2204         All of the different ArrayBuffer::data's should be CagedPtr<>
2205         https://bugs.webkit.org/show_bug.cgi?id=175515
2206
2207         Reviewed by Michael Saboff.
2208         
2209         This straightforwardly implements what the title says.
2210
2211         * runtime/ArrayBuffer.cpp:
2212         (JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
2213         (JSC::ArrayBufferContents::destroy):
2214         (JSC::ArrayBufferContents::tryAllocate):
2215         (JSC::ArrayBufferContents::makeShared):
2216         (JSC::ArrayBufferContents::copyTo):
2217         (JSC::ArrayBuffer::createFromBytes):
2218         (JSC::ArrayBuffer::transferTo):
2219         * runtime/ArrayBuffer.h:
2220         (JSC::SharedArrayBufferContents::data const):
2221         (JSC::ArrayBufferContents::data const):
2222         (JSC::ArrayBuffer::data):
2223         (JSC::ArrayBuffer::data const):
2224         * runtime/ArrayBufferView.h:
2225         (JSC::ArrayBufferView::baseAddress const):
2226         * runtime/CagedBarrierPtr.h: Added a specialization so that CagedBarrierPtr<Gigacage::Foo, void> is valid.
2227         * runtime/DataView.h:
2228         (JSC::DataView::get):
2229         (JSC::DataView::set):
2230         * runtime/JSArrayBufferView.cpp:
2231         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2232         * runtime/JSArrayBufferView.h:
2233         (JSC::JSArrayBufferView::ConstructionContext::vector const):
2234         (JSC::JSArrayBufferView::vector const):
2235         * runtime/JSGenericTypedArrayViewInlines.h:
2236         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2237
2238 2017-08-22  Filip Pizlo  <fpizlo@apple.com>
2239
2240         Strings need to be in some kind of gigacage
2241         https://bugs.webkit.org/show_bug.cgi?id=174924
2242
2243         Reviewed by Oliver Hunt.
2244
2245         * runtime/JSString.cpp:
2246         (JSC::JSRopeString::resolveRopeToAtomicString const):
2247         (JSC::JSRopeString::resolveRope const):
2248         * runtime/JSString.h:
2249         (JSC::JSString::create):
2250         (JSC::JSString::createHasOtherOwner):
2251         * runtime/JSStringBuilder.h:
2252         * runtime/VM.h:
2253         (JSC::VM::gigacageAuxiliarySpace):
2254
2255 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2256
2257         [JSC] Use reifying system for "name" property of builtin JSFunction
2258         https://bugs.webkit.org/show_bug.cgi?id=175260
2259
2260         Reviewed by Saam Barati.
2261
2262         Currently builtin JSFunction uses a direct property for "name", which is different
2263         from usual JSFunction. Usual JSFunction uses the reifying system for "name". We would like
2264         to apply this reifying mechanism to builtin JSFunction to simplify code and drop
2265         JSFunction::createBuiltinFunction.
2266
2267         We would like to store the "correct" name in FunctionExecutable. For example,
2268         we would like to store the name like "get [Symbol.species]" to FunctionExecutable
2269         instead of specifying the name when creating JSFunction. To do so, we add two new
2270         annotations, @getter and @overriddenName. When @getter is specified, the name of
2271         the function becomes "get xxx". And when @overriddenName="xxx" is specified,
2272         the name of the function becomes "xxx".
2273
2274         We also treat @xxx as anonymous builtin functions that cannot be achieved in
2275         the current JS without privilege.
2276
2277         * Scripts/builtins/builtins_generate_combined_header.py:
2278         (generate_section_for_code_table_macro):
2279         * Scripts/builtins/builtins_generate_combined_implementation.py:
2280         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
2281         * Scripts/builtins/builtins_generate_separate_header.py:
2282         (generate_section_for_code_table_macro):
2283         * Scripts/builtins/builtins_generate_separate_implementation.py:
2284         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
2285         * Scripts/builtins/builtins_model.py:
2286         (BuiltinFunction.__init__):
2287         (BuiltinFunction.fromString):
2288         * Scripts/builtins/builtins_templates.py:
2289         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
2290         (overriddenName.string_appeared_here.match):
2291         (intrinsic.RegExpTestIntrinsic.test):
2292         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
2293         (overriddenName.string_appeared_here.match):
2294         (intrinsic.RegExpTestIntrinsic.test):
2295         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2296         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2297         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2298         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2299         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2300         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2301         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2302         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2303         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2304         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2305         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2306         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2307         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2308         * builtins/AsyncIteratorPrototype.js:
2309         (symbolAsyncIteratorGetter): Deleted.
2310         * builtins/BuiltinExecutables.cpp:
2311         (JSC::BuiltinExecutables::BuiltinExecutables):
2312         * builtins/BuiltinExecutables.h:
2313         * builtins/BuiltinNames.h:
2314         * builtins/FunctionPrototype.js:
2315         (symbolHasInstance): Deleted.
2316         * builtins/GlobalOperations.js:
2317         (globalPrivate.speciesGetter): Deleted.
2318         * builtins/IteratorPrototype.js:
2319         (symbolIteratorGetter): Deleted.
2320         * builtins/PromiseConstructor.js:
2321         (all.newResolveElement.return.resolve):
2322         (all.newResolveElement):
2323         (all):
2324         * builtins/PromiseOperations.js:
2325         (globalPrivate.newPromiseCapability.executor):
2326         (globalPrivate.newPromiseCapability):
2327         (globalPrivate.createResolvingFunctions.resolve):
2328         (globalPrivate.createResolvingFunctions.reject):
2329         (globalPrivate.createResolvingFunctions):
2330         * builtins/RegExpPrototype.js:
2331         (match): Deleted.
2332         (replace): Deleted.
2333         (search): Deleted.
2334         (split): Deleted.
2335         * jsc.cpp:
2336         (functionCreateBuiltin):
2337         * runtime/AsyncIteratorPrototype.cpp:
2338         (JSC::AsyncIteratorPrototype::finishCreation):
2339         * runtime/FunctionPrototype.cpp:
2340         (JSC::FunctionPrototype::addFunctionProperties):
2341         * runtime/IteratorPrototype.cpp:
2342         (JSC::IteratorPrototype::finishCreation):
2343         * runtime/JSFunction.cpp:
2344         (JSC::JSFunction::finishCreation):
2345         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2346         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2347         (JSC::JSFunction::createBuiltinFunction): Deleted.
2348         * runtime/JSFunction.h:
2349         * runtime/JSGlobalObject.cpp:
2350         (JSC::JSGlobalObject::init):
2351         * runtime/JSObject.cpp:
2352         (JSC::JSObject::putDirectBuiltinFunction):
2353         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
2354         * runtime/JSTypedArrayViewPrototype.cpp:
2355         (JSC::JSTypedArrayViewPrototype::finishCreation):
2356         * runtime/Lookup.cpp:
2357         (JSC::reifyStaticAccessor):
2358         * runtime/MapPrototype.cpp:
2359         (JSC::MapPrototype::finishCreation):
2360         * runtime/RegExpPrototype.cpp:
2361         (JSC::RegExpPrototype::finishCreation):
2362         * runtime/SetPrototype.cpp:
2363         (JSC::SetPrototype::finishCreation):
2364
2365 2017-08-30  Ryan Haddad  <ryanhaddad@apple.com>
2366
2367         Unreviewed, rolling out r221327.
2368
2369         This change caused test262 failures.
2370
2371         Reverted changeset:
2372
2373         "[JSC] Use reifying system for "name" property of builtin
2374         JSFunction"
2375         https://bugs.webkit.org/show_bug.cgi?id=175260
2376         http://trac.webkit.org/changeset/221327
2377
2378 2017-08-30  Matt Lewis  <jlewis3@apple.com>
2379
2380         Unreviewed, rolling out r221384.
2381
2382         This patch caused multiple 32-bit JSC test failures.
2383
2384         Reverted changeset:
2385
2386         "Strings need to be in some kind of gigacage"
2387         https://bugs.webkit.org/show_bug.cgi?id=174924
2388         http://trac.webkit.org/changeset/221384
2389
2390 2017-08-30  Saam Barati  <sbarati@apple.com>
2391
2392         semicolon is being interpreted as an = in the LiteralParser
2393         https://bugs.webkit.org/show_bug.cgi?id=176114
2394
2395         Reviewed by Oliver Hunt.
2396
2397         When lexing a semicolon in the LiteralParser, we were properly
2398         setting the TokenType on the current token; however, we were
2399         *returning* the wrong TokenType. The lex function both returns
2400         the TokenType and sets it on the current token. Semicolon was
2401         setting the TokenType to semicolon, but returning the TokenType
2402         for '='. This caused programs like `x;123` to be interpreted as
2403         `x=123`.
2404
2405         * runtime/LiteralParser.cpp:
2406         (JSC::LiteralParser<CharType>::Lexer::lex):
2407         (JSC::LiteralParser<CharType>::Lexer::next):
2408
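        The following is a constructed illustration of the defect class described in the entry above, added here as an example; it is not code from JSC's LiteralParser or from the WebKit tree. A toy lexer's next() both stores a token type and returns one; a switch (reproduceBug) makes the ';' case return the type for '=' while storing Semicolon, so the mis-parse of `x;123` as an assignment can be observed beside the fixed behaviour. All names (Lexer, interpret, returnedTypesMatchStoredTypes) are hypothetical.

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <utility>

// Constructed toy lexer; not JSC's LiteralParser. All names are hypothetical.
enum class TokenType { Identifier, Number, Assign, Semicolon, End, Error };

struct Token {
    TokenType type = TokenType::Error;
    std::string text;
};

class Lexer {
public:
    Lexer(std::string source, bool reproduceBug)
        : m_source(std::move(source)), m_reproduceBug(reproduceBug) { }

    // Contract: the returned type equals the type stored in m_current.
    TokenType next()
    {
        while (m_pos < m_source.size() && m_source[m_pos] == ' ')
            ++m_pos;
        m_current.text.clear();
        if (m_pos >= m_source.size())
            return m_current.type = TokenType::End;

        unsigned char c = static_cast<unsigned char>(m_source[m_pos]);
        if (c == '=') {
            ++m_pos;
            return m_current.type = TokenType::Assign;
        }
        if (c == ';') {
            ++m_pos;
            m_current.type = TokenType::Semicolon; // stored correctly ...
            if (m_reproduceBug)
                return TokenType::Assign;          // ... but the wrong type is returned
            return TokenType::Semicolon;           // fixed: return what was stored
        }
        if (std::isdigit(c)) {
            while (m_pos < m_source.size() && std::isdigit(static_cast<unsigned char>(m_source[m_pos])))
                m_current.text += m_source[m_pos++];
            return m_current.type = TokenType::Number;
        }
        if (std::isalpha(c)) {
            while (m_pos < m_source.size() && std::isalnum(static_cast<unsigned char>(m_source[m_pos])))
                m_current.text += m_source[m_pos++];
            return m_current.type = TokenType::Identifier;
        }
        ++m_pos;
        return m_current.type = TokenType::Error;
    }

    const Token& current() const { return m_current; }

private:
    std::string m_source;
    std::size_t m_pos = 0;
    Token m_current;
    bool m_reproduceBug;
};

// Invariant check a unit test could carry: every type next() returns must
// match the type it stored. Returns false when the defect is present.
bool returnedTypesMatchStoredTypes(const std::string& source, bool reproduceBug)
{
    Lexer lexer(source, reproduceBug);
    for (;;) {
        TokenType returned = lexer.next();
        if (returned != lexer.current().type)
            return false;
        if (returned == TokenType::End || returned == TokenType::Error)
            return true;
    }
}

// A parser that, like the real one, acts on the *returned* token type. It
// renders how it understood "<identifier> (= | ;) <number>".
std::string interpret(const std::string& source, bool reproduceBug)
{
    Lexer lexer(source, reproduceBug);
    if (lexer.next() != TokenType::Identifier)
        return "parse error";
    std::string lhs = lexer.current().text;

    TokenType separator = lexer.next();
    if (lexer.next() != TokenType::Number)
        return "parse error";
    std::string rhs = lexer.current().text;

    if (separator == TokenType::Assign)
        return "assign " + rhs + " to " + lhs;
    if (separator == TokenType::Semicolon)
        return "expression " + lhs + ", then expression " + rhs;
    return "parse error";
}
```

        The invariant check is the part worth keeping: a lexer that exposes the same fact through two channels (a return value and a stored field) wants a test that walks every token of a few inputs and asserts the two agree, which catches this class of mismatch before a parser builds the wrong program from it.
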
2409 2017-08-22  Filip Pizlo  <fpizlo@apple.com>
2410
2411         Strings need to be in some kind of gigacage
2412         https://bugs.webkit.org/show_bug.cgi?id=174924
2413
2414         Reviewed by Oliver Hunt.
2415
2416         * runtime/JSString.cpp:
2417         (JSC::JSRopeString::resolveRopeToAtomicString const):
2418         (JSC::JSRopeString::resolveRope const):
2419         * runtime/JSString.h:
2420         (JSC::JSString::create):
2421         (JSC::JSString::createHasOtherOwner):
2422         * runtime/JSStringBuilder.h:
2423         * runtime/VM.h:
2424         (JSC::VM::gigacageAuxiliarySpace):
2425
2426 2017-08-30  Oleksandr Skachkov  <gskachkov@gmail.com>
2427
2428         [ESNext] Async iteration - Implement async iteration statement: for-await-of
2429         https://bugs.webkit.org/show_bug.cgi?id=166698
2430
2431         Reviewed by Yusuke Suzuki.
2432
2433         Implementation of the for-await-of statement.
2434
2435         * bytecompiler/BytecodeGenerator.cpp:
2436         (JSC::BytecodeGenerator::emitEnumeration):
2437         (JSC::BytecodeGenerator::emitIteratorNext):
2438         * bytecompiler/BytecodeGenerator.h:
2439         * parser/ASTBuilder.h:
2440         (JSC::ASTBuilder::createForOfLoop):
2441         * parser/NodeConstructors.h:
2442         (JSC::ForOfNode::ForOfNode):
2443         * parser/Nodes.h:
2444         (JSC::ForOfNode::isForAwait const):
2445         * parser/Parser.cpp:
2446         (JSC::Parser<LexerType>::parseForStatement):
2447         * parser/Parser.h:
2448         (JSC::Scope::setSourceParseMode):
2449         (JSC::Scope::setIsFunction):
2450         (JSC::Scope::setIsAsyncGeneratorFunction):
2451         (JSC::Scope::setIsAsyncGeneratorFunctionBody):
2452         * parser/SyntaxChecker.h:
2453         (JSC::SyntaxChecker::createForOfLoop):
2454
2455 2017-08-29  Commit Queue  <commit-queue@webkit.org>
2456
2457         Unreviewed, rolling out r221317.
2458         https://bugs.webkit.org/show_bug.cgi?id=176090
2459
2460         "It broke a testing mode because we will never FTL compile a
2461         function that repeatedly throws" (Requested by saamyjoon on
2462         #webkit).
2463
2464         Reverted changeset:
2465
2466         "Throwing an exception in the DFG/FTL should not be a
2467         jettison-able OSR exit"
2468         https://bugs.webkit.org/show_bug.cgi?id=176060
2469         http://trac.webkit.org/changeset/221317
2470
2471 2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2472
2473         [DFG] Add constant folding rule to convert CompareStrictEq(Untyped, Untyped [with non string cell constant]) to CompareEqPtr(Untyped)
2474         https://bugs.webkit.org/show_bug.cgi?id=175895
2475
2476         Reviewed by Saam Barati.
2477
2478         We have `bucket === @sentinelMapBucket` code in builtins. Since @sentinelMapBucket and bucket
2479         are MapBucket cells (SpecCellOther), we do not have any good fixup for CompareStrictEq.
2480         But rather than introducing a special fixup edge (like NonStringCellUse), converting
2481         CompareStrictEq(Untyped, Untyped) to CompareEqPtr is simpler.
2482         In the constant folding phase, we convert CompareStrictEq(Untyped, Untyped) to CompareEqPtr(Untyped)
2483         if one side of the children is a constant non-String cell.
2484
2485         This slightly optimizes map/set iteration.
2486
2487         set-for-each          4.5064+-0.3072     ^      3.2862+-0.2098        ^ definitely 1.3713x faster
2488         large-map-iteration  56.2583+-1.6640           53.6798+-2.0097          might be 1.0480x faster
2489         set-for-of            8.8058+-0.5953     ^      7.5832+-0.3805        ^ definitely 1.1612x faster
2490         map-for-each          4.2633+-0.2694     ^      3.3967+-0.3013        ^ definitely 1.2551x faster
2491         map-for-of           13.1556+-0.5707           12.4911+-0.6004          might be 1.0532x faster
2492
2493         * dfg/DFGAbstractInterpreterInlines.h:
2494         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2495         * dfg/DFGConstantFoldingPhase.cpp:
2496         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2497         * dfg/DFGNode.h:
2498         (JSC::DFG::Node::convertToCompareEqPtr):
2499
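        The following is a constructed toy model of the folding rule described in the entry above, added here as an example; it is not the DFG's IR or code from the WebKit tree. It builds `local === constant` (the shape of `bucket === @sentinelMapBucket`), applies the rule only when the constant child is a cell that is not a String, and evaluates the node before and after folding on sample values to show why the String exclusion matters: two distinct string cells with equal content are ===, but not pointer-equal. All names (Value, Node, Graph, foldCompareStrictEqToCompareEqPtr, foldPreservesSemantics) are hypothetical.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Constructed toy model of the folding rule; not the DFG's IR, all names are
// hypothetical. A "cell" is a heap value: strings are cells compared by
// content, every other cell (an object, a MapBucket such as
// @sentinelMapBucket) is compared by identity.
enum class ValueKind { Number, String, Object };

struct Value {
    ValueKind kind = ValueKind::Number;
    double number = 0;              // Number payload
    std::string text;               // String content
    const void* identity = nullptr; // cell identity (String and Object)
    bool isCell() const { return kind != ValueKind::Number; }
};
Value makeNumber(double n) { Value v; v.number = n; return v; }
Value makeString(std::string s, const void* id) { Value v; v.kind = ValueKind::String; v.text = std::move(s); v.identity = id; return v; }
Value makeObject(const void* id) { Value v; v.kind = ValueKind::Object; v.identity = id; return v; }

// JavaScript === over this value model.
bool strictEquals(const Value& a, const Value& b)
{
    if (a.kind != b.kind) return false;
    if (a.kind == ValueKind::Number) return a.number == b.number;
    if (a.kind == ValueKind::String) return a.text == b.text;  // by content
    return a.identity == b.identity;                           // by identity
}
// What CompareEqPtr computes: raw identity of two cells.
bool pointerEquals(const Value& a, const Value& b) { return a.isCell() && b.isCell() && a.identity == b.identity; }

enum class NodeOp { JSConstant, GetLocal, CompareStrictEq, CompareEqPtr };
struct Node {
    NodeOp op = NodeOp::JSConstant;
    int child1 = -1, child2 = -1; // indices into Graph::nodes
    int local = -1;               // GetLocal: index into the locals vector
    Value constant;               // JSConstant payload
};
struct Graph { std::vector<Node> nodes; };

// Builds `local0 === constant` (the shape of `bucket === @sentinelMapBucket`)
// and returns the index of the CompareStrictEq node.
std::size_t buildCompare(Graph& graph, const Value& constant)
{
    Node getLocal; getLocal.op = NodeOp::GetLocal; getLocal.local = 0;
    Node jsConstant; jsConstant.constant = constant;
    Node compare; compare.op = NodeOp::CompareStrictEq; compare.child1 = 0; compare.child2 = 1;
    graph.nodes = { getLocal, jsConstant, compare };
    return 2;
}

// The folding rule: CompareStrictEq(Untyped, Untyped) with one child a constant
// non-String cell becomes CompareEqPtr. Strings are excluded because two
// distinct string cells with equal content are still ===.
bool foldCompareStrictEqToCompareEqPtr(Graph& graph, std::size_t index)
{
    Node& node = graph.nodes[index];
    if (node.op != NodeOp::CompareStrictEq) return false;
    const int children[2] = { node.child1, node.child2 };
    for (int child : children) {
        const Node& c = graph.nodes[child];
        if (c.op == NodeOp::JSConstant && c.constant.isCell() && c.constant.kind != ValueKind::String) {
            node.op = NodeOp::CompareEqPtr;
            return true;
        }
    }
    return false;
}

// Evaluates a compare node; locals supplies the GetLocal value(s).
bool evaluateCompare(const Graph& graph, std::size_t index, const std::vector<Value>& locals)
{
    auto operand = [&](int i) { const Node& n = graph.nodes[i]; return n.op == NodeOp::JSConstant ? n.constant : locals[n.local]; };
    const Node& node = graph.nodes[index];
    Value a = operand(node.child1), b = operand(node.child2);
    return node.op == NodeOp::CompareEqPtr ? pointerEquals(a, b) : strictEquals(a, b);
}

// True when folding (whether or not it fires) gives the same answer as the
// original node on every sample input.
bool foldPreservesSemantics(const Value& constant, const std::vector<Value>& samples)
{
    Graph before;
    std::size_t index = buildCompare(before, constant);
    Graph after = before;
    foldCompareStrictEqToCompareEqPtr(after, index);
    for (const Value& sample : samples)
        if (evaluateCompare(before, index, { sample }) != evaluateCompare(after, index, { sample })) return false;
    return true;
}
```

        The semantics check is the point of the model: a fold like this is only sound when the constant child's kind guarantees that === reduces to identity, which holds for every cell except String (compared by content) and never for non-cells such as numbers.
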
2500 2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2501
2502         [JSC] Use reifying system for "name" property of builtin JSFunction
2503         https://bugs.webkit.org/show_bug.cgi?id=175260
2504
2505         Reviewed by Saam Barati.
2506
2507         Currently builtin JSFunction uses a direct property for "name", which is different
2508         from usual JSFunction. Usual JSFunction uses the reifying system for "name". We would like
2509         to apply this reifying mechanism to builtin JSFunction to simplify code and drop
2510         JSFunction::createBuiltinFunction.
2511
2512         We would like to store the "correct" name in FunctionExecutable. For example,
2513         we would like to store the name like "get [Symbol.species]" to FunctionExecutable
2514         instead of specifying the name when creating JSFunction. To do so, we add two new
2515         annotations, @getter and @overriddenName. When @getter is specified, the name of
2516         the function becomes "get xxx". And when @overriddenName="xxx" is specified,
2517         the name of the function becomes "xxx".
2518
2519         * Scripts/builtins/builtins_generate_combined_header.py:
2520         (generate_section_for_code_table_macro):
2521         * Scripts/builtins/builtins_generate_combined_implementation.py:
2522         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
2523         * Scripts/builtins/builtins_generate_separate_header.py:
2524         (generate_section_for_code_table_macro):
2525         * Scripts/builtins/builtins_generate_separate_implementation.py:
2526         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
2527         * Scripts/builtins/builtins_model.py:
2528         (BuiltinFunction.__init__):
2529         (BuiltinFunction.fromString):
2530         * Scripts/builtins/builtins_templates.py:
2531         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
2532         (overriddenName.string_appeared_here.match):
2533         (intrinsic.RegExpTestIntrinsic.test):
2534         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
2535         (overriddenName.string_appeared_here.match):
2536         (intrinsic.RegExpTestIntrinsic.test):
2537         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2538         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2539         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2540         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2541         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2542         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2543         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2544         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2545         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2546         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2547         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2548         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2549         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2550         * builtins/BuiltinExecutables.cpp:
2551         (JSC::BuiltinExecutables::BuiltinExecutables):
2552         * builtins/BuiltinExecutables.h:
2553         * builtins/FunctionPrototype.js:
2554         (symbolHasInstance): Deleted.
2555         * builtins/GlobalOperations.js:
2556         (globalPrivate.speciesGetter): Deleted.
2557         * builtins/IteratorPrototype.js:
2558         (symbolIteratorGetter): Deleted.
2559         * builtins/RegExpPrototype.js:
2560         (match): Deleted.
2561         (replace): Deleted.
2562         (search): Deleted.
2563         (split): Deleted.
2564         * jsc.cpp:
2565         (functionCreateBuiltin):
2566         * runtime/FunctionPrototype.cpp:
2567         (JSC::FunctionPrototype::addFunctionProperties):
2568         * runtime/IteratorPrototype.cpp:
2569         (JSC::IteratorPrototype::finishCreation):
2570         * runtime/JSFunction.cpp:
2571         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2572         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2573         (JSC::JSFunction::createBuiltinFunction): Deleted.
2574         * runtime/JSFunction.h:
2575         * runtime/JSGlobalObject.cpp:
2576         (JSC::JSGlobalObject::init):
2577         * runtime/JSObject.cpp:
2578         (JSC::JSObject::putDirectBuiltinFunction):
2579         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
2580         * runtime/JSTypedArrayViewPrototype.cpp:
2581         (JSC::JSTypedArrayViewPrototype::finishCreation):
2582         * runtime/Lookup.cpp:
2583         (JSC::reifyStaticAccessor):
2584         * runtime/RegExpPrototype.cpp:
2585         (JSC::RegExpPrototype::finishCreation):
2586
2587 2017-08-29  Saam Barati  <sbarati@apple.com>
2588
2589         Throwing an exception in the DFG/FTL should not be a jettison-able OSR exit
2590         https://bugs.webkit.org/show_bug.cgi?id=176060
2591
2592         Reviewed by Michael Saboff.
2593
2594         OSR exiting when we throw an exception is expected behavior. We should
2595         not count these exits towards our jettison OSR exit threshold.
2596
2597         * bytecode/ExitKind.cpp:
2598         (JSC::exitKindToString):
2599         (JSC::exitKindMayJettison):
2600         * bytecode/ExitKind.h:
2601         * dfg/DFGSpeculativeJIT32_64.cpp:
2602         (JSC::DFG::SpeculativeJIT::compile):
2603         * dfg/DFGSpeculativeJIT64.cpp:
2604         (JSC::DFG::SpeculativeJIT::compile):
2605         * ftl/FTLLowerDFGToB3.cpp:
2606         (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
2607
2608 2017-08-29  Chris Dumez  <cdumez@apple.com>
2609
2610         Add initial support for dataTransferItem.webkitGetAsEntry()
2611         https://bugs.webkit.org/show_bug.cgi?id=176038
2612         <rdar://problem/34121095>
2613
2614         Reviewed by Wenson Hsieh.
2615
2616         Add CommonIdentifier needed by [EnabledAtRuntime].
2617
2618         * runtime/CommonIdentifiers.h:
2619
2620 2017-08-27  Devin Rousso  <webkit@devinrousso.com>
2621
2622         Web Inspector: Record actions performed on WebGLRenderingContext
2623         https://bugs.webkit.org/show_bug.cgi?id=174483
2624         <rdar://problem/34040722>
2625
2626         Reviewed by Matt Baker.
2627
2628         * inspector/protocol/Recording.json:
2629         * inspector/scripts/codegen/generator.py:
2630         Add type and mapping for WebGL: "canvas-webgl" => CanvasWebGL
2631
2632 2017-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2633
2634         Unreviewed, suppress warnings in GTK port
2635
2636         The "block" variable hides the argument variable.
2637
2638         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
2639         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
2640
2641 2017-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2642
2643         Merge WeakMapData into JSWeakMap and JSWeakSet
2644         https://bugs.webkit.org/show_bug.cgi?id=143919
2645
2646         Reviewed by Darin Adler.
2647
2648         This patch changes WeakMapData from JSCell to JSDestructibleObject,
2649         renaming it to WeakMapBase, and JSWeakMap and JSWeakSet simply inherit
2650         it instead of separately allocating WeakMapData. This reduces memory
2651         consumption and allocation times.
2652
2653         This patch also slightly optimizes sizeof(DeadKeyCleaner) by dropping the m_target
2654         field. Since this class is always embedded in WeakMapBase, we can calculate
2655         the WeakMapBase address from the address of the DeadKeyCleaner.
2656
2657         This patch does not include the optimization changing WeakMapData to Set
2658         for JSWeakSet.
2659
2660         * CMakeLists.txt:
2661         * JavaScriptCore.xcodeproj/project.pbxproj:
2662         * inspector/JSInjectedScriptHost.cpp:
2663         (Inspector::JSInjectedScriptHost::weakMapSize):
2664         (Inspector::JSInjectedScriptHost::weakMapEntries):
2665         (Inspector::JSInjectedScriptHost::weakSetSize):
2666         (Inspector::JSInjectedScriptHost::weakSetEntries):
2667         * runtime/JSWeakMap.cpp:
2668         (JSC::JSWeakMap::finishCreation): Deleted.
2669         (JSC::JSWeakMap::visitChildren): Deleted.
2670         * runtime/JSWeakMap.h:
2671         (JSC::JSWeakMap::createStructure): Deleted.
2672         (JSC::JSWeakMap::create): Deleted.
2673         (JSC::JSWeakMap::weakMapData): Deleted.
2674         (JSC::JSWeakMap::JSWeakMap): Deleted.
2675         * runtime/JSWeakSet.cpp:
2676         (JSC::JSWeakSet::finishCreation): Deleted.
2677         (JSC::JSWeakSet::visitChildren): Deleted.
2678         * runtime/JSWeakSet.h:
2679         (JSC::JSWeakSet::createStructure): Deleted.
2680         (JSC::JSWeakSet::create): Deleted.
2681         (JSC::JSWeakSet::weakMapData): Deleted.
2682         (JSC::JSWeakSet::JSWeakSet): Deleted.
2683         * runtime/VM.cpp:
2684         (JSC::VM::VM):
2685         * runtime/VM.h:
2686         * runtime/WeakMapBase.cpp: Renamed from Source/JavaScriptCore/runtime/WeakMapData.cpp.
2687         (JSC::WeakMapBase::WeakMapBase):
2688         (JSC::WeakMapBase::destroy):
2689         (JSC::WeakMapBase::estimatedSize):
2690         (JSC::WeakMapBase::visitChildren):
2691         (JSC::WeakMapBase::set):
2692         (JSC::WeakMapBase::get):
2693         (JSC::WeakMapBase::remove):
2694         (JSC::WeakMapBase::contains):
2695         (JSC::WeakMapBase::clear):
2696         (JSC::WeakMapBase::DeadKeyCleaner::target):
2697         (JSC::WeakMapBase::DeadKeyCleaner::visitWeakReferences):
2698         (JSC::WeakMapBase::DeadKeyCleaner::finalizeUnconditionally):
2699         * runtime/WeakMapBase.h: Renamed from Source/JavaScriptCore/runtime/WeakMapData.h.
2700         (JSC::WeakMapBase::size const):
2701         * runtime/WeakMapPrototype.cpp:
2702         (JSC::getWeakMap):
2703         (JSC::protoFuncWeakMapDelete):
2704         (JSC::protoFuncWeakMapGet):
2705         (JSC::protoFuncWeakMapHas):
2706         (JSC::protoFuncWeakMapSet):
2707         (JSC::getWeakMapData): Deleted.
2708         * runtime/WeakSetPrototype.cpp:
2709         (JSC::getWeakSet):
2710         (JSC::protoFuncWeakSetDelete):
2711         (JSC::protoFuncWeakSetHas):
2712         (JSC::protoFuncWeakSetAdd):
2713         (JSC::getWeakMapData): Deleted.
2714
2715 2017-08-25  Daniel Bates  <dabates@apple.com>
2716
2717         Demarcate code added due to lack of NSDMI for aggregates
2718         https://bugs.webkit.org/show_bug.cgi?id=175990
2719
2720         Reviewed by Andy Estes.
2721
2722         * domjit/DOMJITEffect.h:
2723         (JSC::DOMJIT::Effect::Effect):
2724         (JSC::DOMJIT::Effect::forWrite):
2725         (JSC::DOMJIT::Effect::forRead):
2726         (JSC::DOMJIT::Effect::forReadWrite):
2727         (JSC::DOMJIT::Effect::forPure):
2728         (JSC::DOMJIT::Effect::forDef):
2729         * runtime/HasOwnPropertyCache.h:
2730         (JSC::HasOwnPropertyCache::Entry::Entry):
2731         (JSC::HasOwnPropertyCache::Entry::operator=): Deleted.
2732         * wasm/WasmFormat.h: Modernize some of the code while I am here. Also
2733         make some comments read well.
2734         (JSC::Wasm::CallableFunction::CallableFunction):
2735         * wasm/js/WebAssemblyFunction.cpp:
2736         (JSC::WebAssemblyFunction::WebAssemblyFunction):
2737         * wasm/js/WebAssemblyWrapperFunction.cpp:
2738         (JSC::WebAssemblyWrapperFunction::create):
2739
2740 2017-08-25  Saam Barati  <sbarati@apple.com>
2741
2742         Unreviewed. Fix 32-bit after r221196
2743
2744         * jit/JITOpcodes32_64.cpp:
2745         (JSC::JIT::emit_op_catch):
2746
2747 2017-08-25  Chris Dumez  <cdumez@apple.com>
2748
2749         Land stubs for File and Directory Entries API interfaces
2750         https://bugs.webkit.org/show_bug.cgi?id=175993
2751         <rdar://problem/34087477>
2752
2753         Reviewed by Ryosuke Niwa.
2754
2755         Add CommonIdentifiers needed for [EnabledAtRuntime].
2756
2757         * runtime/CommonIdentifiers.h:
2758
2759 2017-08-25  Brian Burg  <bburg@apple.com>
2760
2761         Web Automation: add capabilities to control ICE candidate filtering and insecure media capture
2762         https://bugs.webkit.org/show_bug.cgi?id=175563
2763         <rdar://problem/33734492>
2764
2765         Reviewed by Joseph Pecoraro.
2766
2767         Add macros for new capability protocol string names. Let's use a reverse
2768         domain name notation for these capabilities so we know whether they are
2769         intended for a particular client/port or any WebKit client, and what feature they
2770         are related to (i.e., webrtc).
2771
2772         * inspector/remote/RemoteInspectorConstants.h:
2773
2774 2017-08-24  Brian Burg  <bburg@apple.com>
2775
2776         Web Automation: use automation session configurations to propagate per-session settings
2777         https://bugs.webkit.org/show_bug.cgi?id=175562
2778         <rdar://problem/30853362>
2779
2780         Reviewed by Joseph Pecoraro.
2781
2782         Add a Cocoa-specific code path to forward capabilities when requesting
2783         a new session from the remote inspector (i.e., automation) client.
2784
2785         If other ports want to use this, then we can convert Cocoa types to WebKit types later.
2786
2787         * inspector/remote/RemoteInspector.h:
2788         * inspector/remote/RemoteInspectorConstants.h:
2789         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2790         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
2791
2792 2017-08-25  Saam Barati  <sbarati@apple.com>
2793
2794         DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
2795         https://bugs.webkit.org/show_bug.cgi?id=175893
2796
2797         Reviewed by Mark Lam.
2798
2799         * dfg/DFGJITCode.cpp:
2800         (JSC::DFG::JITCode::finalizeOSREntrypoints):
2801         * dfg/DFGJITCode.h:
2802         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
2803         * dfg/DFGSpeculativeJIT.cpp:
2804         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2805
2806 2017-08-25  Saam Barati  <sbarati@apple.com>
2807
2808         Support compiling catch in the DFG
2809         https://bugs.webkit.org/show_bug.cgi?id=174590
2810         <rdar://problem/34047845>
2811
2812         Reviewed by Filip Pizlo.
2813
2814         This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
2815         into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396
2816         
2817         To implement catch in the DFG, this patch introduces the concept of multiple
2818         entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
2819         through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
2820         patch contains many straightforward changes generalizing the code to handle more than
2821         one entrypoint.
2822         
2823         A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
2824         is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
2825         that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
2826         to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
2827         and SSANaturalLoops vs CPSNaturalLoops.
2828         
2829         The way we compile the catch entrypoint is by bootstrapping the state
2830         of the program by loading all live bytecode locals from a buffer. The OSR
2831         entry code will store all live values into that buffer before jumping to
2832         the entrypoint. The OSR entry code is also responsible for performing type
2833         proofs of the arguments before doing an OSR entry. If there is a type
2834         mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
2835         each catch entrypoint knows the argument type proofs it must perform to enter
2836         into the DFG. Currently, all entrypoints' arguments flush format are unified
2837         via ArgumentPosition, but this is just an implementation detail. The code is
2838         written more generally to assume that each entrypoint may perform its own distinct
2839         proof.
2840         
2841         op_catch now performs value profiling for all live bytecode locals in the
2842         LLInt and baseline JIT. This information is then fed into the DFG via the
2843         ExtractCatchLocal node in the prediction propagation phase.
2844         
2845         This patch also changes how we generate op_catch in bytecode. All op_catches
2846         are now split out at the end of the program in bytecode. This ensures that
2847         no op_catch is inside a try block. This is needed to ensure correctness in
2848         the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
2849         before SetLocals inside a try block. If an op_catch were in a try block, this
2850         would cause the phase to insert a Flush before one of the state bootstrapping
2851         SetLocals, which would generate invalid IR. Moving op_catch to be generated on
2852         its own at the end of a bytecode stream seemed like the most elegant solution since
2853         it better represents that we treat op_catch as an entrypoint. This is true
2854         both in the DFG and in the baseline and LLInt: we don't reach an op_catch
2855         via normal control flow. Because op_catch cannot throw, this will not break
2856         any previous semantics of op_catch. Logically, it'd be valid to split try
2857         blocks around any non-throwing bytecode operation.
2858
2859         * CMakeLists.txt:
2860         * JavaScriptCore.xcodeproj/project.pbxproj:
2861         * bytecode/BytecodeDumper.cpp:
2862         (JSC::BytecodeDumper<Block>::dumpBytecode):
2863         * bytecode/BytecodeList.json:
2864         * bytecode/BytecodeUseDef.h:
2865         (JSC::computeUsesForBytecodeOffset):
2866         * bytecode/CodeBlock.cpp:
2867         (JSC::CodeBlock::finishCreation):
2868         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
2869         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2870         (JSC::CodeBlock::validate):
2871         * bytecode/CodeBlock.h:
2872         * bytecode/ValueProfile.h:
2873         (JSC::ValueProfile::ValueProfile):
2874         (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
2875         (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
2876         (JSC::ValueProfileAndOperandBuffer::forEach):
2877         * bytecompiler/BytecodeGenerator.cpp:
2878         (JSC::BytecodeGenerator::generate):
2879         (JSC::BytecodeGenerator::BytecodeGenerator):
2880         (JSC::BytecodeGenerator::emitCatch):
2881         (JSC::BytecodeGenerator::emitEnumeration):
2882         * bytecompiler/BytecodeGenerator.h:
2883         * bytecompiler/NodesCodegen.cpp:
2884         (JSC::TryNode::emitBytecode):
2885         * dfg/DFGAbstractInterpreterInlines.h:
2886         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2887         * dfg/DFGBackwardsCFG.h:
2888         (JSC::DFG::BackwardsCFG::BackwardsCFG):
2889         * dfg/DFGBasicBlock.cpp:
2890         (JSC::DFG::BasicBlock::BasicBlock):
2891         * dfg/DFGBasicBlock.h:
2892         (JSC::DFG::BasicBlock::findTerminal const):
2893         * dfg/DFGByteCodeParser.cpp:
2894         (JSC::DFG::ByteCodeParser::setDirect):
2895         (JSC::DFG::ByteCodeParser::flush):
2896         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
2897         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
2898         (JSC::DFG::ByteCodeParser::parseBlock):
2899         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2900         (JSC::DFG::ByteCodeParser::parse):
2901         * dfg/DFGCFG.h:
2902         (JSC::DFG::CFG::root):
2903         (JSC::DFG::CFG::roots):
2904         (JSC::DFG::CPSCFG::CPSCFG):
2905         (JSC::DFG::selectCFG):
2906         * dfg/DFGCPSRethreadingPhase.cpp:
2907         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
2908         * dfg/DFGCSEPhase.cpp:
2909         * dfg/DFGClobberize.h:
2910         (JSC::DFG::clobberize):
2911         * dfg/DFGControlEquivalenceAnalysis.h:
2912         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
2913         * dfg/DFGDCEPhase.cpp:
2914         (JSC::DFG::DCEPhase::run):
2915         * dfg/DFGDisassembler.cpp:
2916         (JSC::DFG::Disassembler::createDumpList):
2917         * dfg/DFGDoesGC.cpp:
2918         (JSC::DFG::doesGC):
2919         * dfg/DFGDominators.h:
2920         (JSC::DFG::Dominators::Dominators):
2921         (JSC::DFG::ensureDominatorsForCFG):
2922         * dfg/DFGEdgeDominates.h:
2923         (JSC::DFG::EdgeDominates::EdgeDominates):
2924         (JSC::DFG::EdgeDominates::operator()):
2925         * dfg/DFGFixupPhase.cpp:
2926         (JSC::DFG::FixupPhase::fixupNode):
2927         (JSC::DFG::FixupPhase::fixupChecksInBlock):
2928         * dfg/DFGFlushFormat.h:
2929         * dfg/DFGGraph.cpp:
2930         (JSC::DFG::Graph::Graph):
2931         (JSC::DFG::unboxLoopNode):
2932         (JSC::DFG::Graph::dumpBlockHeader):
2933         (JSC::DFG::Graph::dump):
2934         (JSC::DFG::Graph::determineReachability):
2935         (JSC::DFG::Graph::invalidateCFG):
2936         (JSC::DFG::Graph::blocksInPreOrder):
2937         (JSC::DFG::Graph::blocksInPostOrder):
2938         (JSC::DFG::Graph::ensureCPSDominators):
2939         (JSC::DFG::Graph::ensureSSADominators):
2940         (JSC::DFG::Graph::ensureCPSNaturalLoops):
2941         (JSC::DFG::Graph::ensureSSANaturalLoops):
2942         (JSC::DFG::Graph::ensureBackwardsCFG):
2943         (JSC::DFG::Graph::ensureBackwardsDominators):
2944         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
2945         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2946         (JSC::DFG::Graph::clearCPSCFGData):
2947         (JSC::DFG::Graph::ensureDominators): Deleted.
2948         (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
2949         (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
2950         * dfg/DFGGraph.h:
2951         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
2952         (JSC::DFG::Graph::isEntrypoint const):
2953         * dfg/DFGInPlaceAbstractState.cpp:
2954         (JSC::DFG::InPlaceAbstractState::initialize):
2955         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
2956         * dfg/DFGJITCode.cpp:
2957         (JSC::DFG::JITCode::shrinkToFit):
2958         * dfg/DFGJITCode.h:
2959         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
2960         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
2961         (JSC::DFG::JITCode::appendCatchEntrypoint):
2962         * dfg/DFGJITCompiler.cpp:
2963         (JSC::DFG::JITCompiler::compile):
2964         (JSC::DFG::JITCompiler::compileFunction):
2965         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
2966         (JSC::DFG::JITCompiler::noticeOSREntry):
2967         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
2968         * dfg/DFGJITCompiler.h:
2969         * dfg/DFGLICMPhase.cpp:
2970         (JSC::DFG::LICMPhase::run):
2971         (JSC::DFG::LICMPhase::attemptHoist):
2972         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
2973         (JSC::DFG::LiveCatchVariablePreservationPhase::run):
2974         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
2975         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
2976         (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
2977         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
2978         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
2979         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2980         (JSC::DFG::createPreHeader):
2981         (JSC::DFG::LoopPreHeaderCreationPhase::run):
2982         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2983         (JSC::DFG::MaximalFlushInsertionPhase::run):
2984         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2985         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
2986         * dfg/DFGMayExit.cpp:
2987         * dfg/DFGNaturalLoops.h:
2988         (JSC::DFG::NaturalLoops::NaturalLoops):
2989         * dfg/DFGNode.h:
2990         (JSC::DFG::Node::isSwitch const):
2991         (JSC::DFG::Node::successor):
2992         (JSC::DFG::Node::catchOSREntryIndex const):
2993         (JSC::DFG::Node::catchLocalPrediction):
2994         (JSC::DFG::Node::isSwitch): Deleted.
2995         * dfg/DFGNodeType.h:
2996         * dfg/DFGOSREntry.cpp:
2997         (JSC::DFG::prepareCatchOSREntry):
2998         * dfg/DFGOSREntry.h:
2999         * dfg/DFGOSREntrypointCreationPhase.cpp:
3000         (JSC::DFG::OSREntrypointCreationPhase::run):
3001         * dfg/DFGOSRExitCompilerCommon.cpp:
3002         (JSC::DFG::handleExitCounts):
3003         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3004         * dfg/DFGPlan.cpp:
3005         (JSC::DFG::Plan::compileInThreadImpl):
3006         * dfg/DFGPrePostNumbering.cpp:
3007         (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
3008         (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
3009         (WTF::printInternal): Deleted.
3010         * dfg/DFGPrePostNumbering.h:
3011         (): Deleted.
3012         (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
3013         (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
3014         (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
3015         (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
3016         (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
3017         (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
3018         (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
3019         * dfg/DFGPredictionInjectionPhase.cpp:
3020         (JSC::DFG::PredictionInjectionPhase::run):
3021         * dfg/DFGPredictionPropagationPhase.cpp:
3022         * dfg/DFGPutStackSinkingPhase.cpp:
3023         * dfg/DFGSSACalculator.cpp:
3024         (JSC::DFG::SSACalculator::nonLocalReachingDef):
3025         (JSC::DFG::SSACalculator::reachingDefAtTail):
3026         * dfg/DFGSSACalculator.h:
3027         (JSC::DFG::SSACalculator::computePhis):
3028         * dfg/DFGSSAConversionPhase.cpp:
3029         (JSC::DFG::SSAConversionPhase::run):
3030         (JSC::DFG::performSSAConversion):
3031         * dfg/DFGSafeToExecute.h:
3032         (JSC::DFG::safeToExecute):
3033         * dfg/DFGSpeculativeJIT.cpp:
3034         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3035         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
3036         (JSC::DFG::SpeculativeJIT::createOSREntries):
3037         (JSC::DFG::SpeculativeJIT::linkOSREntries):
3038         * dfg/DFGSpeculativeJIT32_64.cpp:
3039         (JSC::DFG::SpeculativeJIT::compile):
3040         * dfg/DFGSpeculativeJIT64.cpp:
3041         (JSC::DFG::SpeculativeJIT::compile):
3042         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
3043         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
3044         * dfg/DFGStrengthReductionPhase.cpp:
3045         (JSC::DFG::StrengthReductionPhase::handleNode):
3046         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3047         (JSC::DFG::TierUpCheckInjectionPhase::run):
3048         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
3049         * dfg/DFGTypeCheckHoistingPhase.cpp:
3050         (JSC::DFG::TypeCheckHoistingPhase::run):
3051         * dfg/DFGValidate.cpp:
3052         * ftl/FTLLink.cpp:
3053         (JSC::FTL::link):
3054         * ftl/FTLLowerDFGToB3.cpp:
3055         (JSC::FTL::DFG::LowerDFGToB3::lower):
3056         (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
3057         (JSC::FTL::DFG::LowerDFGToB3::isValid):
3058         * jit/JIT.h:
3059         * jit/JITInlines.h:
3060         (JSC::JIT::callOperation):
3061         * jit/JITOpcodes.cpp:
3062         (JSC::JIT::emit_op_catch):
3063         * jit/JITOpcodes32_64.cpp:
3064         (JSC::JIT::emit_op_catch):
3065         * jit/JITOperations.cpp:
3066         * jit/JITOperations.h:
3067         * llint/LLIntSlowPaths.cpp:
3068         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3069         * llint/LLIntSlowPaths.h:
3070         * llint/LowLevelInterpreter32_64.asm:
3071         * llint/LowLevelInterpreter64.asm:
3072
3073 2017-08-25  Keith Miller  <keith_miller@apple.com>
3074
3075         Explore increasing max JSString::m_length to UINT_MAX.
3076         https://bugs.webkit.org/show_bug.cgi?id=163955
3077         <rdar://problem/32001499>
3078
3079         Reviewed by JF Bastien.
3080
3081         This can cause us to release assert on some code paths. I don't
3082         see a reason to maintain this restriction.
3083
3084         * runtime/JSString.h:
3085         (JSC::JSString::length const):
3086         (JSC::JSString::setLength):
3087         (JSC::JSString::isValidLength): Deleted.
3088         * runtime/JSStringBuilder.h:
3089         (JSC::jsMakeNontrivialString):
3090
3091 2017-08-24  Commit Queue  <commit-queue@webkit.org>
3092
3093         Unreviewed, rolling out r221119, r221124, and r221143.
3094         https://bugs.webkit.org/show_bug.cgi?id=175973
3095
3096         "I think it regressed JSBench by 20%" (Requested by saamyjoon
3097         on #webkit).
3098
3099         Reverted changesets:
3100
3101         "Support compiling catch in the DFG"
3102         https://bugs.webkit.org/show_bug.cgi?id=174590
3103         http://trac.webkit.org/changeset/221119
3104
3105         "Unreviewed, build fix in GTK port"
3106         https://bugs.webkit.org/show_bug.cgi?id=174590
3107         http://trac.webkit.org/changeset/221124
3108
3109         "DFG::JITCode::osrEntry should get sorted since we perform a
3110         binary search on it"
3111         https://bugs.webkit.org/show_bug.cgi?id=175893
3112         http://trac.webkit.org/changeset/221143
3113
3114 2017-08-24  Michael Saboff  <msaboff@apple.com>
3115
3116         Enable moving fixed character class terms after fixed character terms for BMP only character classes
3117         https://bugs.webkit.org/show_bug.cgi?id=175958
3118
3119         Reviewed by Saam Barati.
3120
3121         Currently we don't perform the reordering optimization of fixed character terms that
3122         follow fixed character class terms for Unicode patterns.
3123
3124         This change allows that reordering when the character class contains only BMP
3125         characters.
3126
3127         This fix is covered by existing tests.
3128
3129         * yarr/YarrJIT.cpp:
3130         (JSC::Yarr::YarrGenerator::optimizeAlternative):
3131
3132 2017-08-24  Michael Saboff  <msaboff@apple.com>
3133
3134         Add support for RegExp "dotAll" flag
3135         https://bugs.webkit.org/show_bug.cgi?id=175924
3136
3137         Reviewed by Keith Miller.
3138
3139         The dotAll RegExp flag, 's', changes . to match any character including line terminators.
3140         Added the "dotAll" identifier as well as the RegExp.prototype.dotAll getter.
3141         Added a new any-character CharacterClass that is used to match . terms in a dotAll-flagged
3142         RegExp.  In the YARR pattern and parsing code, changed the NewlineClassID, which was only
3143         used for '.' processing, to DotClassID.  The selection of which builtin character class
3144         that DotClassID resolves to when generating the pattern is conditional on the dotAll flag.
3145         This NewlineClassID to DotClassID refactoring includes the atomBuiltInCharacterClass() in
3146         the WebCore content extensions code in the PatternParser class.
3147
3148         As an optimization, the Yarr JIT actually doesn't perform match checks against the builtin
3149         any character CharacterClass, it merely reads the character.  There is another optimization
3150         in our DotStart enclosure processing where a non-capturing regular expression in the form
3151         of .*<expression.*, with options beginning ^ and/or trailing $, match the contained
3152         expression and then look for the extents of the surrounding .*'s.  When used with the
3153         dotAll flag, that processing always results in the beginning of the string and the end
3154         of the string.  Therefore we short-circuit finding the beginning and end of the line
3155         or string with dotAll patterns.
3156
3157         * bytecode/BytecodeDumper.cpp:
3158         (JSC::regexpToSourceString):
3159         * runtime/CommonIdentifiers.h:
3160         * runtime/RegExp.cpp:
3161         (JSC::regExpFlags):
3162         (JSC::RegExpFunctionalTestCollector::outputOneTest):
3163         * runtime/RegExp.h:
3164         * runtime/RegExpKey.h:
3165         * runtime/RegExpPrototype.cpp:
3166         (JSC::RegExpPrototype::finishCreation):
3167         (JSC::flagsString):
3168         (JSC::regExpProtoGetterDotAll):
3169         * yarr/YarrInterpreter.cpp:
3170         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
3171         * yarr/YarrInterpreter.h:
3172         (JSC::Yarr::BytecodePattern::dotAll const):
3173         * yarr/YarrJIT.cpp:
3174         (JSC::Yarr::YarrGenerator::optimizeAlternative):
3175         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
3176         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
3177         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
3178         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
3179         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
3180         * yarr/YarrParser.h:
3181         (JSC::Yarr::Parser::parseTokens):
3182         * yarr/YarrPattern.cpp:
3183         (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
3184         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
3185         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
3186         (JSC::Yarr::YarrPattern::YarrPattern):
3187         (JSC::Yarr::PatternTerm::dump):
3188         (JSC::Yarr::anycharCreate):
3189         * yarr/YarrPattern.h:
3190         (JSC::Yarr::YarrPattern::reset):
3191         (JSC::Yarr::YarrPattern::anyCharacterClass):
3192         (JSC::Yarr::YarrPattern::dotAll const):
3193
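        Added example (JavaScript, written for this page; it is not WebKit or JavaScriptCore code and not part of the ChangeLog entry above). It shows the behaviour the entry describes: with the 's' flag, '.' matches every character including the four JavaScript line terminators (LF, CR, U+2028, U+2029), the flag is reported by RegExp.prototype.dotAll and appears in the flags string. It also shows the caveat a validator author should know: a "^.+$" allowlist check rejects embedded newlines without 's' and silently accepts them with it. The SAMPLES inputs are constructed for the example.

```javascript
// Added example, not WebKit code: what the 's' (dotAll) flag changes, and why a
// validation regex that relies on '.' rejecting newlines must not be given 's'.

// Inputs constructed for this example: one clean line and four line-terminator cases.
const SAMPLES = [
  "abc",        // no line terminator
  "a\nc",       // LF
  "a\rc",       // CR
  "a\u2028c",   // LINE SEPARATOR, a JS line terminator too
  "a\u2029c",   // PARAGRAPH SEPARATOR
];

// Compile "^a.c$" with the given flags and report how '.' behaves on each sample.
function describeDot(flags) {
  const re = new RegExp("^a.c$", flags);
  return {
    flags: re.flags,                       // normalized flag string, e.g. "s"
    dotAll: re.dotAll,                     // the RegExp.prototype.dotAll getter
    matches: SAMPLES.map((s) => re.test(s)),
  };
}

// A typical "one token, no newlines" validator. Without 's', '.' never matches a
// line terminator, so multi-line input (header/log injection payloads) is rejected.
function isSingleToken(s) {
  return /^.+$/.test(s);
}

// Same shape with 's': every line terminator now satisfies '.', so the check no
// longer rejects multi-line input. This is the bug to watch for when 's' is added.
function isSingleTokenDotAll(s) {
  return /^.+$/s.test(s);
}

// Stand-alone run: print the comparison for both flag settings.
for (const flags of ["", "s"]) {
  const d = describeDot(flags);
  console.log(`flags=${JSON.stringify(d.flags)} dotAll=${d.dotAll} matches=${JSON.stringify(d.matches)}`);
}
console.log("isSingleToken('a\\nc') =", isSingleToken("a\nc"));
console.log("isSingleTokenDotAll('a\\nc') =", isSingleTokenDotAll("a\nc"));
```

        If a validator needs "no newline" semantics, an explicit negated class such as [^\r\n\u2028\u2029] states the intent and survives someone later adding the 's' flag.
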
3194 2017-08-23  Filip Pizlo  <fpizlo@apple.com>
3195
3196         Reduce Gigacage sizes
3197         https://bugs.webkit.org/show_bug.cgi?id=175920
3198
3199         Reviewed by Mark Lam.
3200
3201         Teach all of the code generators to use the right gigacage masks.
3202
3203         Also teach Wasm that it has much less memory for signaling memories. With 32GB, we have room for 7 signaling memories. But if
3204         we actually did that, then we'd have no memory left for anything else. So, this caps us at 4 signaling memories.
3205
3206         * ftl/FTLLowerDFGToB3.cpp:
3207         (JSC::FTL::DFG::LowerDFGToB3::caged):
3208         * jit/AssemblyHelpers.h:
3209         (JSC::AssemblyHelpers::cage):
3210         (JSC::AssemblyHelpers::cageConditionally):
3211         * llint/LowLevelInterpreter64.asm:
3212         * runtime/Options.h:
3213
3214 2017-08-24  Saam Barati  <sbarati@apple.com>
3215
3216         DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
3217         https://bugs.webkit.org/show_bug.cgi?id=175893
3218
3219         Reviewed by Mark Lam.
3220
3221         * dfg/DFGJITCode.cpp:
3222         (JSC::DFG::JITCode::finalizeOSREntrypoints):
3223         * dfg/DFGJITCode.h:
3224         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
3225         * dfg/DFGSpeculativeJIT.cpp:
3226         (JSC::DFG::SpeculativeJIT::linkOSREntries):
3227
3228 2017-08-23  Keith Miller  <keith_miller@apple.com>
3229
3230         Fix Titzer bench on iOS.
3231         https://bugs.webkit.org/show_bug.cgi?id=175917
3232
3233         Reviewed by Ryosuke Niwa.
3234
3235         Currently, Titzer bench doesn't run on iOS since the benchmark
3236         allocates lots of physical pages that it never actually writes
3237         to. We limited the total number of wasm physical pages to the ram
3238         size of the phone, which caused us to fail a memory
3239         allocation. This patch changes it so we will allocate up to 3x ram
3240         size, which seems to fix the problem.
3241
3242         * wasm/WasmMemory.cpp:
3243
3244 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3245
3246         Unreviewed, fix for test262
3247         https://bugs.webkit.org/show_bug.cgi?id=175915
3248
3249         * runtime/MapPrototype.cpp:
3250         (JSC::MapPrototype::finishCreation):
3251         * runtime/SetPrototype.cpp:
3252         (JSC::SetPrototype::finishCreation):
3253
3254 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3255
3256         Unreviewed, build fix in GTK port
3257         https://bugs.webkit.org/show_bug.cgi?id=174590
3258
3259         * bytecompiler/BytecodeGenerator.cpp:
3260         (JSC::BytecodeGenerator::emitCatch):
3261         * bytecompiler/BytecodeGenerator.h:
3262
3263 2017-08-23  Saam Barati  <sbarati@apple.com>
3264
3265         Support compiling catch in the DFG
3266         https://bugs.webkit.org/show_bug.cgi?id=174590
3267
3268         Reviewed by Filip Pizlo.
3269
3270         This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
3271         into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396
3272         
3273         To implement catch in the DFG, this patch introduces the concept of multiple
3274         entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
3275         through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
3276         patch contains many straightforward changes generalizing the code to handle more than
3277         one entrypoint.
3278         
3279         A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
3280         is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
3281         that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
3282         to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
3283         and SSANaturalLoops vs CPSNaturalLoops.
3284         
3285         The way we compile the catch entrypoint is by bootstrapping the state
3286         of the program by loading all live bytecode locals from a buffer. The OSR
3287         entry code will store all live values into that buffer before jumping to
3288         the entrypoint. The OSR entry code is also responsible for performing type
3289         proofs of the arguments before doing an OSR entry. If there is a type
3290         mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
3291         each catch entrypoint knows the argument type proofs it must perform to enter
3292         into the DFG. Currently, all entrypoints' arguments flush format are unified
3293         via ArgumentPosition, but this is just an implementation detail. The code is
3294         written more generally to assume that each entrypoint may perform its own distinct
3295         proof.
3296         
3297         op_catch now performs value profiling for all live bytecode locals in the
3298         LLInt and baseline JIT. This information is then fed into the DFG via the
3299         ExtractCatchLocal node in the prediction propagation phase.
3300         
3301         This patch also changes how we generate op_catch in bytecode. All op_catches
3302         are now split out at the end of the program in bytecode. This ensures that
3303         no op_catch is inside a try block. This is needed to ensure correctness in
3304         the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
3305         before SetLocals inside a try block. If an op_catch were in a try block, this
3306         would cause the phase to insert a Flush before one of the state bootstrapping
3307         SetLocals, which would generate invalid IR. Moving op_catch to be generated on
3308         its own at the end of a bytecode stream seemed like the most elegant solution since
3309         it better represents that we treat op_catch as an entrypoint. This is true
3310         both in the DFG and in the baseline and LLInt: we don't reach an op_catch
3311         via normal control flow. Because op_catch cannot throw, this will not break
3312         any previous semantics of op_catch. Logically, it'd be valid to split try
3313         blocks around any non-throwing bytecode operation.
3314
3315         * CMakeLists.txt:
3316         * JavaScriptCore.xcodeproj/project.pbxproj:
3317         * bytecode/BytecodeDumper.cpp:
3318         (JSC::BytecodeDumper<Block>::dumpBytecode):
3319         * bytecode/BytecodeList.json:
3320         * bytecode/BytecodeUseDef.h:
3321         (JSC::computeUsesForBytecodeOffset):
3322         * bytecode/CodeBlock.cpp:
3323         (JSC::CodeBlock::finishCreation):
3324         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
3325         (JSC::CodeBlock::validate):
3326         * bytecode/CodeBlock.h:
3327         * bytecode/ValueProfile.h:
3328         (JSC::ValueProfile::ValueProfile):
3329         (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
3330         (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
3331         (JSC::ValueProfileAndOperandBuffer::forEach):
3332         * bytecompiler/BytecodeGenerator.cpp:
3333         (JSC::BytecodeGenerator::generate):
3334         (JSC::BytecodeGenerator::BytecodeGenerator):
3335         (JSC::BytecodeGenerator::emitCatch):
3336         (JSC::BytecodeGenerator::emitEnumeration):
3337         * bytecompiler/BytecodeGenerator.h:
3338         * bytecompiler/NodesCodegen.cpp:
3339         (JSC::TryNode::emitBytecode):
3340         * dfg/DFGAbstractInterpreterInlines.h:
3341         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3342         * dfg/DFGBackwardsCFG.h:
3343         (JSC::DFG::BackwardsCFG::BackwardsCFG):
3344         * dfg/DFGBasicBlock.cpp:
3345         (JSC::DFG::BasicBlock::BasicBlock):
3346         * dfg/DFGBasicBlock.h:
3347         (JSC::DFG::BasicBlock::findTerminal const):
3348         * dfg/DFGByteCodeParser.cpp:
3349         (JSC::DFG::ByteCodeParser::setDirect):
3350         (JSC::DFG::ByteCodeParser::flush):
3351         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
3352         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
3353         (JSC::DFG::ByteCodeParser::parseBlock):
3354         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3355         (JSC::DFG::ByteCodeParser::parse):
3356         * dfg/DFGCFG.h:
3357         (JSC::DFG::CFG::root):
3358         (JSC::DFG::CFG::roots):
3359         (JSC::DFG::CPSCFG::CPSCFG):
3360         (JSC::DFG::selectCFG):
3361         * dfg/DFGCPSRethreadingPhase.cpp:
3362         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
3363         * dfg/DFGCSEPhase.cpp:
3364         * dfg/DFGClobberize.h:
3365         (JSC::DFG::clobberize):
3366         * dfg/DFGControlEquivalenceAnalysis.h:
3367         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
3368         * dfg/DFGDCEPhase.cpp:
3369         (JSC::DFG::DCEPhase::run):
3370         * dfg/DFGDisassembler.cpp:
3371         (JSC::DFG::Disassembler::createDumpList):
3372         * dfg/DFGDoesGC.cpp:
3373         (JSC::DFG::doesGC):
3374         * dfg/DFGDominators.h:
3375         (JSC::DFG::Dominators::Dominators):
3376         (JSC::DFG::ensureDominatorsForCFG):
3377         * dfg/DFGEdgeDominates.h:
3378         (JSC::DFG::EdgeDominates::EdgeDominates):
3379         (JSC::DFG::EdgeDominates::operator()):
3380         * dfg/DFGFixupPhase.cpp:
3381         (JSC::DFG::FixupPhase::fixupNode):
3382         (JSC::DFG::FixupPhase::fixupChecksInBlock):
3383         * dfg/DFGFlushFormat.h:
3384         * dfg/DFGGraph.cpp:
3385         (JSC::DFG::Graph::Graph):
3386         (JSC::DFG::unboxLoopNode):
3387         (JSC::DFG::Graph::dumpBlockHeader):
3388         (JSC::DFG::Graph::dump):
3389         (JSC::DFG::Graph::determineReachability):
3390         (JSC::DFG::Graph::invalidateCFG):
3391         (JSC::DFG::Graph::blocksInPreOrder):
3392         (JSC::DFG::Graph::blocksInPostOrder):
3393         (JSC::DFG::Graph::ensureCPSDominators):
3394         (JSC::DFG::Graph::ensureSSADominators):
3395         (JSC::DFG::Graph::ensureCPSNaturalLoops):
3396         (JSC::DFG::Graph::ensureSSANaturalLoops):
3397         (JSC::DFG::Graph::ensureBackwardsCFG):
3398         (JSC::DFG::Graph::ensureBackwardsDominators):
3399         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
3400         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3401         (JSC::DFG::Graph::clearCPSCFGData):
3402         (JSC::DFG::Graph::ensureDominators): Deleted.
3403         (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
3404         (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
3405         * dfg/DFGGraph.h:
3406         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
3407         (JSC::DFG::Graph::isEntrypoint const):
3408         * dfg/DFGInPlaceAbstractState.cpp:
3409         (JSC::DFG::InPlaceAbstractState::initialize):
3410         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3411         * dfg/DFGJITCode.cpp:
3412         (JSC::DFG::JITCode::shrinkToFit):
3413         * dfg/DFGJITCode.h:
3414         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
3415         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
3416         (JSC::DFG::JITCode::appendCatchEntrypoint):
3417         * dfg/DFGJITCompiler.cpp:
3418         (JSC::DFG::JITCompiler::compile):
3419         (JSC::DFG::JITCompiler::compileFunction):
3420         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
3421         (JSC::DFG::JITCompiler::noticeOSREntry):
3422         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
3423         * dfg/DFGJITCompiler.h:
3424         * dfg/DFGLICMPhase.cpp:
3425         (JSC::DFG::LICMPhase::run):
3426         (JSC::DFG::LICMPhase::attemptHoist):
3427         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
3428         (JSC::DFG::LiveCatchVariablePreservationPhase::run):
3429         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
3430         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
3431         (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
3432         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
3433         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
3434         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
3435         (JSC::DFG::createPreHeader):
3436         (JSC::DFG::LoopPreHeaderCreationPhase::run):
3437         * dfg/DFGMaximalFlushInsertionPhase.cpp:
3438         (JSC::DFG::MaximalFlushInsertionPhase::run):
3439         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
3440         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
3441         * dfg/DFGMayExit.cpp:
3442         * dfg/DFGNaturalLoops.h:
3443         (JSC::DFG::NaturalLoops::NaturalLoops):
3444         * dfg/DFGNode.h:
3445         (JSC::DFG::Node::isSwitch const):
3446         (JSC::DFG::Node::successor):
3447         (JSC::DFG::Node::catchOSREntryIndex const):
3448         (JSC::DFG::Node::catchLocalPrediction):
3449         (JSC::DFG::Node::isSwitch): Deleted.
3450         * dfg/DFGNodeType.h:
3451         * dfg/DFGOSREntry.cpp:
3452         (JSC::DFG::prepareCatchOSREntry):
3453         * dfg/DFGOSREntry.h:
3454         * dfg/DFGOSREntrypointCreationPhase.cpp:
3455         (JSC::DFG::OSREntrypointCreationPhase::run):
3456         * dfg/DFGOSRExitCompilerCommon.cpp:
3457         (JSC::DFG::handleExitCounts):
3458         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3459         * dfg/DFGPlan.cpp:
3460         (JSC::DFG::Plan::compileInThreadImpl):
3461         * dfg/DFGPrePostNumbering.cpp:
3462         (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
3463         (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
3464         (WTF::printInternal): Deleted.
3465         * dfg/DFGPrePostNumbering.h:
3466         (): Deleted.
3467         (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
3468         (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
3469         (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
3470         (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
3471         (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
3472         (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
3473         (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
3474         * dfg/DFGPredictionInjectionPhase.cpp:
3475         (JSC::DFG::PredictionInjectionPhase::run):
3476         * dfg/DFGPredictionPropagationPhase.cpp:
3477         * dfg/DFGPutStackSinkingPhase.cpp:
3478         * dfg/DFGSSACalculator.cpp:
3479         (JSC::DFG::SSACalculator::nonLocalReachingDef):
3480         (JSC::DFG::SSACalculator::reachingDefAtTail):
3481         * dfg/DFGSSACalculator.h:
3482         (JSC::DFG::SSACalculator::computePhis):
3483         * dfg/DFGSSAConversionPhase.cpp:
3484         (JSC::DFG::SSAConversionPhase::run):
3485         (JSC::DFG::performSSAConversion):
3486         * dfg/DFGSafeToExecute.h:
3487         (JSC::DFG::safeToExecute):
3488         * dfg/DFGSpeculativeJIT.cpp:
3489         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3490         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
3491         (JSC::DFG::SpeculativeJIT::createOSREntries):
3492         (JSC::DFG::SpeculativeJIT::linkOSREntries):
3493         * dfg/DFGSpeculativeJIT32_64.cpp:
3494         (JSC::DFG::SpeculativeJIT::compile):
3495         * dfg/DFGSpeculativeJIT64.cpp:
3496         (JSC::DFG::SpeculativeJIT::compile):
3497         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
3498         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
3499         * dfg/DFGStrengthReductionPhase.cpp:
3500         (JSC::DFG::StrengthReductionPhase::handleNode):
3501         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3502         (JSC::DFG::TierUpCheckInjectionPhase::run):
3503         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
3504         * dfg/DFGTypeCheckHoistingPhase.cpp:
3505         (JSC::DFG::TypeCheckHoistingPhase::run):
3506         * dfg/DFGValidate.cpp:
3507         * ftl/FTLLink.cpp:
3508         (JSC::FTL::link):
3509         * ftl/FTLLowerDFGToB3.cpp:
3510         (JSC::FTL::DFG::LowerDFGToB3::lower):
3511         (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
3512         (JSC::FTL::DFG::LowerDFGToB3::isValid):
3513         * jit/JIT.h:
3514         * jit/JITInlines.h:
3515         (JSC::JIT::callOperation):
3516         * jit/JITOpcodes.cpp:
3517         (JSC::JIT::emit_op_catch):
3518         * jit/JITOpcodes32_64.cpp:
3519         (JSC::JIT::emit_op_catch):
3520         * jit/JITOperations.cpp:
3521         * jit/JITOperations.h:
3522         * llint/LLIntSlowPaths.cpp:
3523         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3524         * llint/LLIntSlowPaths.h:
3525         * llint/LowLevelInterpreter32_64.asm:
3526         * llint/LowLevelInterpreter64.asm:
3527
3528 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3529
3530         Unreviewed, debug build fix
3531         https://bugs.webkit.org/show_bug.cgi?id=174355
3532
3533         * ftl/FTLLowerDFGToB3.cpp:
3534         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
3535
3536 2017-08-23  Michael Saboff  <msaboff@apple.com>
3537
3538         REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC::Yarr::YarrCodeBlock::execute + 137
3539         https://bugs.webkit.org/show_bug.cgi?id=175903
3540
3541         Reviewed by Saam Barati.
3542
3543         In generateCharacterClassGreedy we were incrementing the "count" register before checking
3544         for the end of the input string.  The at-end-of-input check is the final check before
3545         knowing that the current character matched.  In this case, the end of input check
3546         indicates that we ran out of prechecked characters and therefore should fail the match of
3547         the current character.  The backtracking code uses the value in the "count" register as
3548         the number of characters that successfully matched, which shouldn't include the current
3549         character.  Therefore we need to move the incrementing of "count" to after the
3550         at-end-of-input check.
3551
3552         Through code inspection of the expectations of other backtracking code, I determined that
3553         the non-greedy character class matching code had a similar issue.  I fixed that as well
3554         and added a new test case.
3555
3556         * yarr/YarrJIT.cpp:
3557         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
3558         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
3559
3560 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3561
3562         [JSC] Optimize Map iteration with intrinsic
3563         https://bugs.webkit.org/show_bug.cgi?id=174355
3564
3565         Reviewed by Saam Barati.
3566
3567         This patch optimizes Map/Set iteration by taking an approach similar to Array iteration.
3568         We create a simple iterator object instead of JSMapIterator and JSSetIterator, and we
3569         directly handle Map/Set buckets in JS builtins. We carefully create mapIteratorNext and
3570         setIteratorNext functions which should be inlined. This leads to a significant performance boost
3571         when they are inlined in for-of iteration.
3572
3573         This patch changes how DFG and FTL handle MapBucket if the bucket is not found.
3574         Previously, we used nullptr for that, and DFG and FTL specially handled this nullptr as a bucket.
3575         Instead, this patch introduces sentinel buckets. They are marked as deleted and not linked
3576         to any hash map, and their key and value fields are filled with Undefined. By returning this
3577         sentinel bucket instead of returning nullptr, we simplify DFG and FTL's LoadXXXFromMapBucket
3578         code.
3579
3580         We still keep JSMapIterator and JSSetIterator because they are useful for serializing Map and Set
3581         in WebCore, so they are not used in user-observable JS. We change them from JS objects to JS cells.
3582
3583         Existing microbenchmarks show performance improvements.
3584
3585         large-map-iteration                           164.1622+-4.1618     ^     56.6284+-1.5355        ^ definitely 2.8989x faster
3586         set-for-of                                     15.4369+-1.0631     ^      9.2955+-0.5979        ^ definitely 1.6607x faster
3587         map-for-each                                    7.5889+-0.5792     ^      6.3011+-0.4816        ^ definitely 1.2044x faster
3588         map-for-of                                     32.3904+-1.3003     ^     12.6907+-0.6118        ^ definitely 2.5523x faster
3589         map-rehash                                     13.9275+-0.9187     ^     11.5367+-0.6430        ^ definitely 1.2072x faster
3590
3591         * CMakeLists.txt:
3592         * DerivedSources.make:
3593         * builtins/ArrayPrototype.js:
3594         (globalPrivate.createArrayIterator):
3595         * builtins/BuiltinNames.h:
3596         * builtins/MapIteratorPrototype.js: Copied from Source/JavaScriptCore/builtins/MapPrototype.js.
3597         (globalPrivate.mapIteratorNext):
3598         (next):
3599         * builtins/MapPrototype.js:
3600         (globalPrivate.createMapIterator):
3601         (values):
3602         (keys):
3603         (entries):
3604         (forEach):
3605         * builtins/SetIteratorPrototype.js: Copied from Source/JavaScriptCore/builtins/MapPrototype.js.
3606         (globalPrivate.setIteratorNext):
3607         (next):
3608         * builtins/SetPrototype.js:
3609         (globalPrivate.createSetIterator):
3610         (values):
3611         (entries):
3612         (forEach):
3613         * bytecode/BytecodeIntrinsicRegistry.cpp:
3614         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3615         * bytecode/BytecodeIntrinsicRegistry.h:
3616         * bytecode/SpeculatedType.h:
3617         * dfg/DFGAbstractInterpreterInlines.h:
3618         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3619         * dfg/DFGByteCodeParser.cpp:
3620         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3621         * dfg/DFGClobberize.h:
3622         (JSC::DFG::clobberize):
3623         * dfg/DFGDoesGC.cpp:
3624         (JSC::DFG::doesGC):
3625         * dfg/DFGFixupPhase.cpp:
3626         (JSC::DFG::FixupPhase::fixupNode):
3627         * dfg/DFGHeapLocation.cpp:
3628         (WTF::printInternal):
3629         * dfg/DFGHeapLocation.h:
3630         * dfg/DFGNode.h:
3631         (JSC::DFG::Node::hasHeapPrediction):
3632         (JSC::DFG::Node::hasBucketOwnerType):
3633         (JSC::DFG::Node::bucketOwnerType):
3634         (JSC::DFG::Node::OpInfoWrapper::as const):
3635         * dfg/DFGNodeType.h:
3636         * dfg/DFGOperations.cpp:
3637         * dfg/DFGPredictionPropagationPhase.cpp:
3638         * dfg/DFGSafeToExecute.h:
3639         (JSC::DFG::safeToExecute):
3640         * dfg/DFGSpeculativeJIT.cpp:
3641         (JSC::DFG::SpeculativeJIT::compileGetMapBucketHead):
3642         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
3643         (JSC::DFG::SpeculativeJIT::compileLoadKeyFromMapBucket):
3644         (JSC::DFG::SpeculativeJIT::compileLoadValueFromMapBucket):
3645         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr): Deleted.
3646         * dfg/DFGSpeculativeJIT.h:
3647         * dfg/DFGSpeculativeJIT32_64.cpp:
3648         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
3649         (JSC::DFG::SpeculativeJIT::compile):
3650         * dfg/DFGSpeculativeJIT64.cpp:
3651         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
3652         (JSC::DFG::SpeculativeJIT::compile):
3653         * ftl/FTLAbstractHeapRepository.h:
3654         * ftl/FTLCapabilities.cpp:
3655         (JSC::FTL::canCompile):
3656         * ftl/FTLLowerDFGToB3.cpp:
3657         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3658         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
3659         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketHead):
3660         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
3661         (JSC::FTL::DFG::LowerDFGToB3::compileLoadValueFromMapBucket):
3662         (JSC::FTL::DFG::LowerDFGToB3::compileLoadKeyFromMapBucket):
3663         (JSC::FTL::DFG::LowerDFGToB3::setStorage):
3664         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket): Deleted.
3665         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket): Deleted.
3666         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket): Deleted.
3667         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket): Deleted.
3668         * inspector/JSInjectedScriptHost.cpp:
3669         (Inspector::JSInjectedScriptHost::subtype):
3670         (Inspector::JSInjectedScriptHost::getInternalProperties):
3671         (Inspector::cloneMapIteratorObject):
3672         (Inspector::cloneSetIteratorObject):
3673         (Inspector::JSInjectedScriptHost::iteratorEntries):
3674         * runtime/HashMapImpl.h:
3675         (JSC::HashMapBucket::createSentinel):
3676         (JSC::HashMapBucket::offsetOfNext):
3677         (JSC::HashMapBucket::offsetOfDeleted):
3678         (JSC::HashMapImpl::offsetOfHead):
3679         * runtime/Intrinsic.cpp:
3680         (JSC::intrinsicName):
3681         * runtime/Intrinsic.h:
3682         * runtime/JSGlobalObject.cpp:
3683         (JSC::JSGlobalObject::init):
3684         * runtime/JSGlobalObject.h:
3685         * runtime/JSMap.h:
3686         * runtime/JSMapIterator.cpp:
3687         (JSC::JSMapIterator::clone): Deleted.
3688         * runtime/JSMapIterator.h:
3689         (JSC::JSMapIterator::iteratedValue const):
3690         * runtime/JSSet.h:
3691         * runtime/JSSetIterator.cpp:
3692         (JSC::JSSetIterator::clone): Deleted.
3693         * runtime/JSSetIterator.h:
3694         (JSC::JSSetIterator::iteratedValue const):
3695         * runtime/MapConstructor.cpp:
3696         (JSC::mapPrivateFuncMapBucketHead):
3697         (JSC::mapPrivateFuncMapBucketNext):
3698         (JSC::mapPrivateFuncMapBucketKey):
3699         (JSC::mapPrivateFuncMapBucketValue):
3700         * runtime/MapConstructor.h:
3701         * runtime/MapIteratorPrototype.cpp:
3702         (JSC::MapIteratorPrototype::finishCreation):
3703         (JSC::MapIteratorPrototypeFuncNext): Deleted.
3704         * runtime/MapPrototype.cpp:
3705         (JSC::MapPrototype::finishCreation):
3706         (JSC::mapProtoFuncValues): Deleted.
3707         (JSC::mapProtoFuncEntries): Deleted.
3708         (JSC::mapProtoFuncKeys): Deleted.
3709         (JSC::privateFuncMapIterator): Deleted.
3710         (JSC::privateFuncMapIteratorNext): Deleted.
3711         * runtime/MapPrototype.h:
3712         * runtime/SetConstructor.cpp:
3713         (JSC::setPrivateFuncSetBucketHead):
3714         (JSC::setPrivateFuncSetBucketNext):
3715         (JSC::setPrivateFuncSetBucketKey):
3716         * runtime/SetConstructor.h:
3717         * runtime/SetIteratorPrototype.cpp:
3718         (JSC::SetIteratorPrototype::finishCreation):
3719         (JSC::SetIteratorPrototypeFuncNext): Deleted.
3720         * runtime/SetPrototype.cpp:
3721         (JSC::SetPrototype::finishCreation):
3722         (JSC::setProtoFuncSize):
3723         (JSC::setProtoFuncValues): Deleted.
3724         (JSC::setProtoFuncEntries): Deleted.
3725         (JSC::privateFuncSetIterator): Deleted.
3726         (JSC::privateFuncSetIteratorNext): Deleted.
3727         * runtime/SetPrototype.h:
3728         * runtime/VM.cpp:
3729         (JSC::VM::VM):
3730         * runtime/VM.h:
3731
3732 2017-08-23  David Kilzer  <ddkilzer@apple.com>
3733
3734         Fix -Wcast-qual warnings in JavaScriptCore with new clang compiler
3735         <https://webkit.org/b/175889>
3736         <rdar://problem/33667497>
3737
3738         Reviewed by Mark Lam.
3739
3740         * API/ObjCCallbackFunction.mm:
3741         (JSC::objCCallbackFunctionCallAsConstructor): Use
3742         const_cast<JSObjectRef>() since JSValueRef is const while
3743         JSObjectRef is not.
3744         * API/tests/CurrentThisInsideBlockGetterTest.mm:
3745         (+[JSValue valueWithConstructorDescriptor:inContext:]): Use
3746         const_cast<void*>() since JSObjectMake() takes a void*, but
3747         CFBridgingRetain() returns const void*.
3748
3749 2017-08-23  Robin Morisset  <rmorisset@apple.com>
3750
3751         Make GetDynamicVar propagate heap predictions instead of saying HeapTop
3752         https://bugs.webkit.org/show_bug.cgi?id=175738
3753
3754         Reviewed by Saam Barati.
3755
3756         The heap prediction always ends up in m_opInfo2. But GetDynamicVar was already storing getPutInfo in there.
3757         So we move that one into m_opInfo. We can do this because it is 32-bit, and the already present identifierNumber
3758         is also 32-bit, so we can pack both in m_opInfo (which is 64 bits).
3759
3760         * dfg/DFGByteCodeParser.cpp:
3761         (JSC::DFG::makeDynamicVarOpInfo):
3762         (JSC::DFG::ByteCodeParser::parseBlock):
3763         * dfg/DFGNode.h:
3764         (JSC::DFG::Node::getPutInfo):
3765         (JSC::DFG::Node::hasHeapPrediction):
3766         * dfg/DFGPredictionPropagationPhase.cpp:
3767
3768 2017-08-23  Skachkov Oleksandr  <gskachkov@gmail.com>
3769
3770         [ESNext] Async iteration - Implement Async Generator - runtime
3771         https://bugs.webkit.org/show_bug.cgi?id=175240
3772
3773         Reviewed by Yusuke Suzuki.
3774
3775         The current implementation is a draft version of Async Iteration.
3776         Link to spec: https://tc39.github.io/proposal-async-iteration/
3777
3778         To implement async generators, we added new states that show the reason why an async generator was suspended:
3779         # yield - return a promise with the result
3780         # await - wait until the promise is resolved and then continue
3781
3782         The main difference between an async function and an async generator is that
3783         an async function returns a promise, but an async generator returns an
3784         object with methods (next, throw and return) that return promises that
3785         can be resolved with a pair of properties, value and done.
3786         Async generator functions are similar to generator functions, with the following differences:
3787         # When called, async generator functions return an object, an async generator,
3788         whose methods (next, throw, and return) return promises for { value, done },
3789         instead of directly returning { value, done }.
3790         This automatically makes the returned async generator objects async iterators.
3791         # await expressions and for-await-of statements are allowed.
3792         # The behavior of yield* is modified to support
3793           delegation to sync and async iterables.
3794
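An added example (not code from the WebKit patch) showing, from the JavaScript side, the three differences this entry lists: calling an async generator function returns an async generator whose next/return/throw each return a promise for { value, done }, await is allowed in the body, and yield* delegates to both sync and async iterables. All names below are constructed.

```javascript
// Added example, not code from the WebKit patch; every name here is constructed.

// A sync iterable: yield* inside an async generator must delegate to it
// (the runtime wraps it in an async-from-sync iterator).
const syncIterable = {
  *[Symbol.iterator]() { yield 1; yield 2; },
};

// An async iterable: yield* delegates to it directly.
const asyncIterable = {
  async *[Symbol.asyncIterator]() { yield 3; yield await Promise.resolve(4); },
};

async function* numbers() {
  yield* syncIterable;                     // delegation to a sync iterable
  yield* asyncIterable;                    // delegation to an async iterable
  const extra = await Promise.resolve(5);  // await is allowed in the body
  yield extra;
}

// Calling the function does not run the body; it returns an async generator
// whose next() returns a promise for { value, done } rather than the pair itself.
function inspectShape() {
  const gen = numbers();
  const step = gen.next();
  return {
    stepIsPromise: step instanceof Promise,
    // the object is its own async iterator, so for-await-of can consume it
    selfIterable: gen[Symbol.asyncIterator]() === gen,
  };
}

// Consume with for-await-of, then exercise the return() and throw() methods.
async function drain() {
  const values = [];
  for await (const v of numbers()) values.push(v);

  const gen = numbers();
  const first = await gen.next();          // { value: 1, done: false }
  const closed = await gen.return('bye');  // return() is forwarded through yield*
  const after = await gen.next();          // generator is now completed

  // throw() on a not-yet-started generator rejects with the injected error
  let thrown = null;
  try {
    await numbers().throw(new Error('injected'));
  } catch (e) {
    thrown = e.message;
  }

  return { values, first, closed, after, thrown };
}

drain().then((r) => console.log(r.values, r.first, r.closed, r.after, r.thrown));
```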
3795         * CMakeLists.txt:
3796         * DerivedSources.make:
3797         * JavaScriptCore.xcodeproj/project.pbxproj:
3798         * builtins/AsyncFromSyncIteratorPrototype.js: Added.
3799         (next.try):
3800         (next):
3801         (return.try):
3802         (return):
3803         (throw.try):
3804         (throw):
3805         (globalPrivate.createAsyncFromSyncIterator):
3806         (globalPrivate.AsyncFromSyncIteratorConstructor):
3807         * builtins/AsyncGeneratorPrototype.js: Added.
3808         (globalPrivate.createAsyncGeneratorQueue):
3809         (globalPrivate.asyncGeneratorQueueIsEmpty):
3810         (globalPrivate.asyncGeneratorQueueCreateItem):
3811         (globalPrivate.asyncGeneratorQueueEnqueue):
3812         (globalPrivate.asyncGeneratorQueueDequeue):
3813         (globalPrivate.asyncGeneratorQueueGetFirstValue):
3814         (globalPrivate.asyncGeneratorDequeue):
3815         (globalPrivate.isExecutionState):
3816         (globalPrivate.isSuspendYieldState):
3817         (globalPrivate.asyncGeneratorReject):
3818         (globalPrivate.asyncGeneratorResolve):
3819         (asyncGeneratorYieldAwaited):
3820         (globalPrivate.asyncGeneratorYield):
3821         (const.onRejected):
3822         (globalPrivate.awaitValue):
3823         (const.onFulfilled):
3824         (globalPrivate.doAsyncGeneratorBodyCall):
3825         (globalPrivate.asyncGeneratorResumeNext.):
3826         (globalPrivate.asyncGeneratorResumeNext):
3827         (globalPrivate.asyncGeneratorEnqueue):
3828         (next):
3829         (return):
3830         (throw):
3831         * builtins/AsyncIteratorPrototype.js: Added.
3832         (symbolAsyncIteratorGetter):
3833         * builtins/BuiltinNames.h:
3834         * bytecode/BytecodeDumper.cpp:
3835         (JSC::BytecodeDumper<Block>::dumpBytecode):
3836         * bytecode/BytecodeIntrinsicRegistry.cpp:
3837         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3838         * bytecode/BytecodeIntrinsicRegistry.h:
3839         * bytecode/BytecodeList.json:
3840         * bytecode/BytecodeUseDef.h:
3841         (JSC::computeUsesForBytecodeOffset):
3842         (JSC::computeDefsForBytecodeOffset):
3843         * bytecompiler/BytecodeGenerator.cpp:
3844         (JSC::BytecodeGenerator::BytecodeGenerator):
3845         (JSC::BytecodeGenerator::emitCreateAsyncGeneratorQueue):
3846         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
3847         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
3848         (JSC::BytecodeGenerator::emitNewFunction):
3849         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
3850         (JSC::BytecodeGenerator::emitIteratorClose):
3851         (JSC::BytecodeGenerator::emitYieldPoint):
3852         (JSC::BytecodeGenerator::emitYield):
3853         (JSC::BytecodeGenerator::emitCallIterator):
3854         (JSC::BytecodeGenerator::emitAwait):
3855         (JSC::BytecodeGenerator::emitGetIterator):
3856         (JSC::BytecodeGenerator::emitGetAsyncIterator):
3857         (JSC::BytecodeGenerator::emitDelegateYield):
3858         * bytecompiler/BytecodeGenerator.h:
3859         * bytecompiler/NodesCodegen.cpp:
3860         (JSC::ReturnNode::emitBytecode):
3861         (JSC::FunctionNode::emitBytecode):
3862         (JSC::YieldExprNode::emitBytecode):
3863         (JSC::AwaitExprNode::emitBytecode):
3864         * dfg/DFGAbstractInterpreterInlines.h:
3865         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3866         * dfg/DFGByteCodeParser.cpp:
3867         (JSC::DFG::ByteCodeParser::parseBlock):
3868         * dfg/DFGCapabilities.cpp:
3869         (JSC::DFG::capabilityLevel):
3870         * dfg/DFGClobberize.h:
3871         (JSC::DFG::clobberize):
3872         * dfg/DFGClobbersExitState.cpp:
3873         (JSC::DFG::clobbersExitState):
3874         * dfg/DFGDoesGC.cpp:
3875         (JSC::DFG::doesGC):
3876         * dfg/DFGFixupPhase.cpp:
3877         (JSC::DFG::FixupPhase::fixupNode):
3878         * dfg/DFGMayExit.cpp:
3879         * dfg/DFGNode.h:
3880         (JSC::DFG::Node::convertToPhantomNewFunction):
3881         (JSC::DFG::Node::convertToPhantomNewAsyncGeneratorFunction):
3882         (JSC::DFG::Node::hasCellOperand):
3883         (JSC::DFG::Node::isFunctionAllocation):