1 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [JSC] Remove duplicate methods in JSInterfaceJIT
4         https://bugs.webkit.org/show_bug.cgi?id=185813
5
6         Reviewed by Saam Barati.
7
8         Some methods of JSInterfaceJIT duplicate AssemblyHelpers' ones.
9         This patch removes them and uses AssemblyHelpers' ones instead.
10
11         This patch also cleans up some unnecessary ifdefs in ThunkGenerators.
12
13         * jit/AssemblyHelpers.h:
14         (JSC::AssemblyHelpers::tagFor):
15         (JSC::AssemblyHelpers::payloadFor):
16         * jit/JIT.h:
17         * jit/JITArithmetic.cpp:
18         (JSC::JIT::emit_op_unsigned):
19         (JSC::JIT::emit_compareUnsigned):
20         (JSC::JIT::emit_op_inc):
21         (JSC::JIT::emit_op_dec):
22         (JSC::JIT::emit_op_mod):
23         * jit/JITCall32_64.cpp:
24         (JSC::JIT::compileOpCall):
25         * jit/JITInlines.h:
26         (JSC::JIT::emitPutIntToCallFrameHeader):
27         (JSC::JIT::updateTopCallFrame):
28         (JSC::JIT::emitInitRegister):
29         (JSC::JIT::emitLoad):
30         (JSC::JIT::emitStore):
31         (JSC::JIT::emitStoreInt32):
32         (JSC::JIT::emitStoreCell):
33         (JSC::JIT::emitStoreBool):
34         (JSC::JIT::emitGetVirtualRegister):
35         (JSC::JIT::emitPutVirtualRegister):
36         (JSC::JIT::emitTagBool): Deleted.
37         * jit/JITOpcodes.cpp:
38         (JSC::JIT::emit_op_overrides_has_instance):
39         (JSC::JIT::emit_op_is_empty):
40         (JSC::JIT::emit_op_is_undefined):
41         (JSC::JIT::emit_op_is_boolean):
42         (JSC::JIT::emit_op_is_number):
43         (JSC::JIT::emit_op_is_cell_with_type):
44         (JSC::JIT::emit_op_is_object):
45         (JSC::JIT::emit_op_eq):
46         (JSC::JIT::emit_op_neq):
47         (JSC::JIT::compileOpStrictEq):
48         (JSC::JIT::emit_op_eq_null):
49         (JSC::JIT::emit_op_neq_null):
50         (JSC::JIT::emitSlow_op_eq):
51         (JSC::JIT::emitSlow_op_neq):
52         (JSC::JIT::emitSlow_op_instanceof_custom):
53         (JSC::JIT::emitNewFuncExprCommon):
54         * jit/JSInterfaceJIT.h:
55         (JSC::JSInterfaceJIT::emitLoadInt32):
56         (JSC::JSInterfaceJIT::emitLoadDouble):
57         (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
58         (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
59         (JSC::JSInterfaceJIT::tagFor): Deleted.
60         (JSC::JSInterfaceJIT::payloadFor): Deleted.
61         (JSC::JSInterfaceJIT::intPayloadFor): Deleted.
62         (JSC::JSInterfaceJIT::intTagFor): Deleted.
63         (JSC::JSInterfaceJIT::emitTagInt): Deleted.
64         (JSC::JSInterfaceJIT::addressFor): Deleted.
65         * jit/SpecializedThunkJIT.h:
66         (JSC::SpecializedThunkJIT::returnDouble):
67         * jit/ThunkGenerators.cpp:
68         (JSC::nativeForGenerator):
69         (JSC::arityFixupGenerator):
70
71 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
72
73         Unreviewed, reland InById cache
74         https://bugs.webkit.org/show_bug.cgi?id=185682
75
76         Includes Dominik's 32bit fix.
77
78         * bytecode/AccessCase.cpp:
79         (JSC::AccessCase::fromStructureStubInfo):
80         (JSC::AccessCase::generateWithGuard):
81         (JSC::AccessCase::generateImpl):
82         * bytecode/BytecodeDumper.cpp:
83         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
84         (JSC::BytecodeDumper<Block>::dumpBytecode):
85         * bytecode/BytecodeDumper.h:
86         * bytecode/BytecodeList.json:
87         * bytecode/BytecodeUseDef.h:
88         (JSC::computeUsesForBytecodeOffset):
89         (JSC::computeDefsForBytecodeOffset):
90         * bytecode/CodeBlock.cpp:
91         (JSC::CodeBlock::finishCreation):
92         * bytecode/InlineAccess.cpp:
93         (JSC::InlineAccess::generateSelfInAccess):
94         * bytecode/InlineAccess.h:
95         * bytecode/StructureStubInfo.cpp:
96         (JSC::StructureStubInfo::initInByIdSelf):
97         (JSC::StructureStubInfo::deref):
98         (JSC::StructureStubInfo::aboutToDie):
99         (JSC::StructureStubInfo::reset):
100         (JSC::StructureStubInfo::visitWeakReferences):
101         (JSC::StructureStubInfo::propagateTransitions):
102         * bytecode/StructureStubInfo.h:
103         (JSC::StructureStubInfo::patchableJump):
104         * bytecompiler/BytecodeGenerator.cpp:
105         (JSC::BytecodeGenerator::emitInByVal):
106         (JSC::BytecodeGenerator::emitInById):
107         (JSC::BytecodeGenerator::emitIn): Deleted.
108         * bytecompiler/BytecodeGenerator.h:
109         * bytecompiler/NodesCodegen.cpp:
110         (JSC::InNode::emitBytecode):
111         * dfg/DFGAbstractInterpreterInlines.h:
112         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
113         * dfg/DFGByteCodeParser.cpp:
114         (JSC::DFG::ByteCodeParser::parseBlock):
115         * dfg/DFGCapabilities.cpp:
116         (JSC::DFG::capabilityLevel):
117         * dfg/DFGClobberize.h:
118         (JSC::DFG::clobberize):
119         * dfg/DFGConstantFoldingPhase.cpp:
120         (JSC::DFG::ConstantFoldingPhase::foldConstants):
121         * dfg/DFGDoesGC.cpp:
122         (JSC::DFG::doesGC):
123         * dfg/DFGFixupPhase.cpp:
124         (JSC::DFG::FixupPhase::fixupNode):
125         * dfg/DFGJITCompiler.cpp:
126         (JSC::DFG::JITCompiler::link):
127         * dfg/DFGJITCompiler.h:
128         (JSC::DFG::JITCompiler::addInById):
129         (JSC::DFG::InRecord::InRecord): Deleted.
130         (JSC::DFG::JITCompiler::addIn): Deleted.
131         * dfg/DFGNode.h:
132         (JSC::DFG::Node::convertToInById):
133         (JSC::DFG::Node::hasIdentifier):
134         (JSC::DFG::Node::hasArrayMode):
135         * dfg/DFGNodeType.h:
136         * dfg/DFGPredictionPropagationPhase.cpp:
137         * dfg/DFGSafeToExecute.h:
138         (JSC::DFG::safeToExecute):
139         * dfg/DFGSpeculativeJIT.cpp:
140         (JSC::DFG::SpeculativeJIT::compileInById):
141         (JSC::DFG::SpeculativeJIT::compileInByVal):
142         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
143         * dfg/DFGSpeculativeJIT.h:
144         * dfg/DFGSpeculativeJIT32_64.cpp:
145         (JSC::DFG::SpeculativeJIT::compile):
146         * dfg/DFGSpeculativeJIT64.cpp:
147         (JSC::DFG::SpeculativeJIT::compile):
148         * ftl/FTLCapabilities.cpp:
149         (JSC::FTL::canCompile):
150         * ftl/FTLLowerDFGToB3.cpp:
151         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
152         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
153         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
154         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
155         * jit/AssemblyHelpers.h:
156         (JSC::AssemblyHelpers::boxBoolean):
157         * jit/ICStats.h:
158         * jit/JIT.cpp:
159         (JSC::JIT::JIT):
160         (JSC::JIT::privateCompileMainPass):
161         (JSC::JIT::privateCompileSlowCases):
162         (JSC::JIT::link):
163         * jit/JIT.h:
164         * jit/JITInlineCacheGenerator.cpp:
165         (JSC::JITInByIdGenerator::JITInByIdGenerator):
166         (JSC::JITInByIdGenerator::generateFastPath):
167         * jit/JITInlineCacheGenerator.h:
168         (JSC::JITInByIdGenerator::JITInByIdGenerator):
169         * jit/JITOperations.cpp:
170         * jit/JITOperations.h:
171         * jit/JITPropertyAccess.cpp:
172         (JSC::JIT::emit_op_in_by_id):
173         (JSC::JIT::emitSlow_op_in_by_id):
174         * jit/JITPropertyAccess32_64.cpp:
175         (JSC::JIT::emit_op_in_by_id):
176         (JSC::JIT::emitSlow_op_in_by_id):
177         * jit/Repatch.cpp:
178         (JSC::tryCacheInByID):
179         (JSC::repatchInByID):
180         (JSC::resetInByID):
181         (JSC::tryCacheIn): Deleted.
182         (JSC::repatchIn): Deleted.
183         (JSC::resetIn): Deleted.
184         * jit/Repatch.h:
185         * llint/LowLevelInterpreter.asm:
186         * llint/LowLevelInterpreter64.asm:
187         * parser/NodeConstructors.h:
188         (JSC::InNode::InNode):
189         * runtime/CommonSlowPaths.cpp:
190         (JSC::SLOW_PATH_DECL):
191         * runtime/CommonSlowPaths.h:
192         (JSC::CommonSlowPaths::opInByVal):
193         (JSC::CommonSlowPaths::opIn): Deleted.
194
195 2018-05-21  Commit Queue  <commit-queue@webkit.org>
196
197         Unreviewed, rolling out r231998 and r232017.
198         https://bugs.webkit.org/show_bug.cgi?id=185842
199
200         causes crashes on the 32-bit JSC bot (Requested by realdawei on
201         #webkit).
202
203         Reverted changesets:
204
205         "[JSC] JSC should have consistent InById IC"
206         https://bugs.webkit.org/show_bug.cgi?id=185682
207         https://trac.webkit.org/changeset/231998
208
209         "Unreviewed, fix 32bit and scope release"
210         https://bugs.webkit.org/show_bug.cgi?id=185682
211         https://trac.webkit.org/changeset/232017
212
213 2018-05-21  Jer Noble  <jer.noble@apple.com>
214
215         Complete fix for enabling modern EME by default
216         https://bugs.webkit.org/show_bug.cgi?id=185770
217         <rdar://problem/40368220>
218
219         Reviewed by Eric Carlson.
220
221         * Configurations/FeatureDefines.xcconfig:
222
223 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
224
225         Unreviewed, fix 32bit and scope release
226         https://bugs.webkit.org/show_bug.cgi?id=185682
227
228         * jit/JITOperations.cpp:
229         * jit/JITPropertyAccess32_64.cpp:
230         (JSC::JIT::emitSlow_op_in_by_id):
231
232 2018-05-20  Filip Pizlo  <fpizlo@apple.com>
233
234         Revert the B3 compiler pipeline's treatment of taildup
235         https://bugs.webkit.org/show_bug.cgi?id=185808
236
237         Reviewed by Yusuke Suzuki.
238         
239         While trying to implement path specialization (bug 185060), I reorganized the B3 pass pipeline.
240         But then path specialization turned out to be a negative result. This reverts the pipeline to the
241         way it was before that work.
242         
243         1.5% progression on V8Spider-CompileTime.
244
245         * b3/B3Generate.cpp:
246         (JSC::B3::generateToAir):
247
248 2018-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
249
250         [DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase
251         https://bugs.webkit.org/show_bug.cgi?id=185802
252
253         Reviewed by Saam Barati.
254
255         * dfg/DFGConstantFoldingPhase.cpp:
256         (JSC::DFG::ConstantFoldingPhase::foldConstants):
257
258 2018-05-18  Filip Pizlo  <fpizlo@apple.com>
259
260         DFG should inline InstanceOf ICs
261         https://bugs.webkit.org/show_bug.cgi?id=185695
262
263         Reviewed by Yusuke Suzuki.
264         
265         This teaches the DFG how to inline InstanceOf ICs into a MatchStructure node. This can then
266         be folded to a CheckStructure + JSConstant.
267         
268         In the process of testing this, I found a bug where LICM was not hoisting things that
269         depended on ExtraOSREntryLocal because that might return SpecEmpty. I fixed that by teaching
270         LICM how to materialize CheckNotEmpty on demand whenever !HoistingFailed.
271         
272         This is a ~5% speed-up on boyer.
273         
274         ~2x speed-up on the instanceof-always-hit-one, instanceof-always-hit-two, and
275         instanceof-sometimes-hit microbenchmarks.
276
277         * JavaScriptCore.xcodeproj/project.pbxproj:
278         * Sources.txt:
279         * bytecode/GetByIdStatus.cpp:
280         (JSC::GetByIdStatus::appendVariant):
281         (JSC::GetByIdStatus::filter):
282         * bytecode/GetByIdStatus.h:
283         (JSC::GetByIdStatus::operator bool const):
284         (JSC::GetByIdStatus::operator! const): Deleted.
285         * bytecode/GetByIdVariant.h:
286         (JSC::GetByIdVariant::operator bool const):
287         (JSC::GetByIdVariant::operator! const): Deleted.
288         * bytecode/ICStatusUtils.h: Added.
289         (JSC::appendICStatusVariant):
290         (JSC::filterICStatusVariants):
291         * bytecode/InstanceOfStatus.cpp: Added.
292         (JSC::InstanceOfStatus::appendVariant):
293         (JSC::InstanceOfStatus::computeFor):
294         (JSC::InstanceOfStatus::computeForStubInfo):
295         (JSC::InstanceOfStatus::commonPrototype const):
296         (JSC::InstanceOfStatus::filter):
297         * bytecode/InstanceOfStatus.h: Added.
298         (JSC::InstanceOfStatus::InstanceOfStatus):
299         (JSC::InstanceOfStatus::state const):
300         (JSC::InstanceOfStatus::isSet const):
301         (JSC::InstanceOfStatus::operator bool const):
302         (JSC::InstanceOfStatus::isSimple const):
303         (JSC::InstanceOfStatus::takesSlowPath const):
304         (JSC::InstanceOfStatus::numVariants const):
305         (JSC::InstanceOfStatus::variants const):
306         (JSC::InstanceOfStatus::at const):
307         (JSC::InstanceOfStatus::operator[] const):
308         * bytecode/InstanceOfVariant.cpp: Added.
309         (JSC::InstanceOfVariant::InstanceOfVariant):
310         (JSC::InstanceOfVariant::attemptToMerge):
311         (JSC::InstanceOfVariant::dump const):
312         (JSC::InstanceOfVariant::dumpInContext const):
313         * bytecode/InstanceOfVariant.h: Added.
314         (JSC::InstanceOfVariant::InstanceOfVariant):
315         (JSC::InstanceOfVariant::operator bool const):
316         (JSC::InstanceOfVariant::structureSet const):
317         (JSC::InstanceOfVariant::structureSet):
318         (JSC::InstanceOfVariant::conditionSet const):
319         (JSC::InstanceOfVariant::prototype const):
320         (JSC::InstanceOfVariant::isHit const):
321         * bytecode/StructureStubInfo.cpp:
322         (JSC::StructureStubInfo::StructureStubInfo):
323         * bytecode/StructureStubInfo.h:
324         (JSC::StructureStubInfo::considerCaching):
325         * dfg/DFGAbstractInterpreterInlines.h:
326         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
327         * dfg/DFGByteCodeParser.cpp:
328         (JSC::DFG::ByteCodeParser::parseBlock):
329         * dfg/DFGClobberize.h:
330         (JSC::DFG::clobberize):
331         * dfg/DFGConstantFoldingPhase.cpp:
332         (JSC::DFG::ConstantFoldingPhase::foldConstants):
333         * dfg/DFGDoesGC.cpp:
334         (JSC::DFG::doesGC):
335         * dfg/DFGFixupPhase.cpp:
336         (JSC::DFG::FixupPhase::fixupNode):
337         * dfg/DFGGraph.cpp:
338         (JSC::DFG::Graph::dump):
339         * dfg/DFGGraph.h:
340         * dfg/DFGLICMPhase.cpp:
341         (JSC::DFG::LICMPhase::attemptHoist):
342         * dfg/DFGNode.cpp:
343         (JSC::DFG::Node::remove):
344         * dfg/DFGNode.h:
345         (JSC::DFG::Node::hasMatchStructureData):
346         (JSC::DFG::Node::matchStructureData):
347         * dfg/DFGNodeType.h:
348         * dfg/DFGSafeToExecute.h:
349         (JSC::DFG::safeToExecute):
350         * dfg/DFGSpeculativeJIT.cpp:
351         (JSC::DFG::SpeculativeJIT::compileMatchStructure):
352         * dfg/DFGSpeculativeJIT.h:
353         * dfg/DFGSpeculativeJIT32_64.cpp:
354         (JSC::DFG::SpeculativeJIT::compile):
355         * dfg/DFGSpeculativeJIT64.cpp:
356         (JSC::DFG::SpeculativeJIT::compile):
357         * ftl/FTLCapabilities.cpp:
358         (JSC::FTL::canCompile):
359         * ftl/FTLLowerDFGToB3.cpp:
360         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
361         (JSC::FTL::DFG::LowerDFGToB3::compileMatchStructure):
362
363 2018-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
364
365         [JSC] JSC should have consistent InById IC
366         https://bugs.webkit.org/show_bug.cgi?id=185682
367
368         Reviewed by Filip Pizlo.
369
370         Currently our op_in IC is ad hoc: it is only emitted in the DFG and FTL layers,
371         when we find that DFG::In's parameter is a constant string. We should
372         align this IC with the other ById ICs to clean up and remove the ad hoc code
373         in DFG and FTL.
374
375         This patch cleans up our "In" IC by aligning it with the other ById ICs.
376         We split the op_in bytecode into op_in_by_id and op_in_by_val. op_in_by_val
377         is the same as the original op_in. For op_in_by_id, we use JITInByIdGenerator
378         to emit InById IC code. In addition, our JITInByIdGenerator and op_in_by_id
379         have an inline access cache for the own-property case, the same as
380         JITGetByIdGenerator.
381
382         And we split DFG::In into DFG::InById and DFG::InByVal. InByVal is the same
383         as the original In DFG node. DFG AI attempts to lower InByVal to InById
384         if AI figures out that the property name is a constant string. And in the
385         InById node, we use the JITInByIdGenerator code.
386
387         This patch cleans up DFG and FTL's adhoc In IC code.
388
389         In a subsequent patch, we should introduce InByIdStatus to optimize
390         InById in DFG and FTL. We would like to have a new InByIdStatus instead of
391         reusing GetByIdStatus, since GetByIdStatus has become too complicated, and
392         the AccessCase::Types are different (AccessCase::InHit / InMiss).
393
394         * bytecode/AccessCase.cpp:
395         (JSC::AccessCase::fromStructureStubInfo):
396         (JSC::AccessCase::generateWithGuard):
397         * bytecode/BytecodeDumper.cpp:
398         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
399         (JSC::BytecodeDumper<Block>::dumpBytecode):
400         * bytecode/BytecodeDumper.h:
401         * bytecode/BytecodeList.json:
402         * bytecode/BytecodeUseDef.h:
403         (JSC::computeUsesForBytecodeOffset):
404         (JSC::computeDefsForBytecodeOffset):
405         * bytecode/CodeBlock.cpp:
406         (JSC::CodeBlock::finishCreation):
407         * bytecode/InlineAccess.cpp:
408         (JSC::InlineAccess::generateSelfInAccess):
409         * bytecode/InlineAccess.h:
410         * bytecode/StructureStubInfo.cpp:
411         (JSC::StructureStubInfo::initInByIdSelf):
412         (JSC::StructureStubInfo::deref):
413         (JSC::StructureStubInfo::aboutToDie):
414         (JSC::StructureStubInfo::reset):
415         (JSC::StructureStubInfo::visitWeakReferences):
416         (JSC::StructureStubInfo::propagateTransitions):
417         * bytecode/StructureStubInfo.h:
418         (JSC::StructureStubInfo::patchableJump):
419         * bytecompiler/BytecodeGenerator.cpp:
420         (JSC::BytecodeGenerator::emitInByVal):
421         (JSC::BytecodeGenerator::emitInById):
422         (JSC::BytecodeGenerator::emitIn): Deleted.
423         * bytecompiler/BytecodeGenerator.h:
424         * bytecompiler/NodesCodegen.cpp:
425         (JSC::InNode::emitBytecode):
426         * dfg/DFGAbstractInterpreterInlines.h:
427         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
428         * dfg/DFGByteCodeParser.cpp:
429         (JSC::DFG::ByteCodeParser::parseBlock):
430         * dfg/DFGCapabilities.cpp:
431         (JSC::DFG::capabilityLevel):
432         * dfg/DFGClobberize.h:
433         (JSC::DFG::clobberize):
434         * dfg/DFGConstantFoldingPhase.cpp:
435         (JSC::DFG::ConstantFoldingPhase::foldConstants):
436         * dfg/DFGDoesGC.cpp:
437         (JSC::DFG::doesGC):
438         * dfg/DFGFixupPhase.cpp:
439         (JSC::DFG::FixupPhase::fixupNode):
440         * dfg/DFGJITCompiler.cpp:
441         (JSC::DFG::JITCompiler::link):
442         * dfg/DFGJITCompiler.h:
443         (JSC::DFG::JITCompiler::addInById):
444         (JSC::DFG::InRecord::InRecord): Deleted.
445         (JSC::DFG::JITCompiler::addIn): Deleted.
446         * dfg/DFGNode.h:
447         (JSC::DFG::Node::convertToInById):
448         (JSC::DFG::Node::hasIdentifier):
449         (JSC::DFG::Node::hasArrayMode):
450         * dfg/DFGNodeType.h:
451         * dfg/DFGPredictionPropagationPhase.cpp:
452         * dfg/DFGSafeToExecute.h:
453         (JSC::DFG::safeToExecute):
454         * dfg/DFGSpeculativeJIT.cpp:
455         (JSC::DFG::SpeculativeJIT::compileInById):
456         (JSC::DFG::SpeculativeJIT::compileInByVal):
457         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
458         * dfg/DFGSpeculativeJIT.h:
459         * dfg/DFGSpeculativeJIT32_64.cpp:
460         (JSC::DFG::SpeculativeJIT::compile):
461         * dfg/DFGSpeculativeJIT64.cpp:
462         (JSC::DFG::SpeculativeJIT::compile):
463         * ftl/FTLCapabilities.cpp:
464         (JSC::FTL::canCompile):
465         * ftl/FTLLowerDFGToB3.cpp:
466         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
467         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
468         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
469         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
470         * jit/ICStats.h:
471         * jit/JIT.cpp:
472         (JSC::JIT::JIT):
473         (JSC::JIT::privateCompileMainPass):
474         (JSC::JIT::privateCompileSlowCases):
475         (JSC::JIT::link):
476         * jit/JIT.h:
477         * jit/JITInlineCacheGenerator.cpp:
478         (JSC::JITInByIdGenerator::JITInByIdGenerator):
479         (JSC::JITInByIdGenerator::generateFastPath):
480         * jit/JITInlineCacheGenerator.h:
481         (JSC::JITInByIdGenerator::JITInByIdGenerator):
482         * jit/JITOperations.cpp:
483         * jit/JITOperations.h:
484         * jit/JITPropertyAccess.cpp:
485         (JSC::JIT::emit_op_in_by_id):
486         (JSC::JIT::emitSlow_op_in_by_id):
487         * jit/JITPropertyAccess32_64.cpp:
488         (JSC::JIT::emit_op_in_by_id):
489         (JSC::JIT::emitSlow_op_in_by_id):
490         * jit/Repatch.cpp:
491         (JSC::tryCacheInByID):
492         (JSC::repatchInByID):
493         (JSC::resetInByID):
494         (JSC::tryCacheIn): Deleted.
495         (JSC::repatchIn): Deleted.
496         (JSC::resetIn): Deleted.
497         * jit/Repatch.h:
498         * llint/LowLevelInterpreter.asm:
499         * llint/LowLevelInterpreter64.asm:
500         * parser/NodeConstructors.h:
501         (JSC::InNode::InNode):
502         * runtime/CommonSlowPaths.cpp:
503         (JSC::SLOW_PATH_DECL):
504         * runtime/CommonSlowPaths.h:
505         (JSC::CommonSlowPaths::opInByVal):
506         (JSC::CommonSlowPaths::opIn): Deleted.
507
508 2018-05-18  Commit Queue  <commit-queue@webkit.org>
509
510         Unreviewed, rolling out r231982.
511         https://bugs.webkit.org/show_bug.cgi?id=185793
512
513         Caused layout test failures (Requested by realdawei on
514         #webkit).
515
516         Reverted changeset:
517
518         "Complete fix for enabling modern EME by default"
519         https://bugs.webkit.org/show_bug.cgi?id=185770
520         https://trac.webkit.org/changeset/231982
521
522 2018-05-18  Keith Miller  <keith_miller@apple.com>
523
524         op_in should mark if it sees out of bounds accesses
525         https://bugs.webkit.org/show_bug.cgi?id=185792
526
527         Reviewed by Filip Pizlo.
528
529         This used to cause us to OSR loop, since we would always speculate
530         that we were in bounds in HasIndexedProperty.
531
532         * bytecode/ArrayProfile.cpp:
533         (JSC::ArrayProfile::observeIndexedRead):
534         * bytecode/ArrayProfile.h:
535         * runtime/CommonSlowPaths.h:
536         (JSC::CommonSlowPaths::opIn):
537
538 2018-05-18  Mark Lam  <mark.lam@apple.com>
539
540         Add missing exception check.
541         https://bugs.webkit.org/show_bug.cgi?id=185786
542         <rdar://problem/35686560>
543
544         Reviewed by Michael Saboff.
545
546         * runtime/JSPropertyNameEnumerator.h:
547         (JSC::propertyNameEnumerator):
548
549 2018-05-18  Jer Noble  <jer.noble@apple.com>
550
551         Complete fix for enabling modern EME by default
552         https://bugs.webkit.org/show_bug.cgi?id=185770
553         <rdar://problem/40368220>
554
555         Reviewed by Eric Carlson.
556
557         * Configurations/FeatureDefines.xcconfig:
558
559 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
560
561         Unreviewed, fix exception checking, part 2
562         https://bugs.webkit.org/show_bug.cgi?id=185350
563
564         * dfg/DFGOperations.cpp:
565         (JSC::DFG::putByValInternal):
566         * jit/JITOperations.cpp:
567         * runtime/CommonSlowPaths.h:
568         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
569
570 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
571
572         JSC should have InstanceOf inline caching
573         https://bugs.webkit.org/show_bug.cgi?id=185652
574
575         Reviewed by Saam Barati.
576         
577         This adds a polymorphic inline cache for instanceof. It caches hits and misses. It uses the
578         existing PolymorphicAccess IC machinery along with all of its heuristics. If we ever generate
579         too many cases, we emit the generic instanceof implementation instead.
580         
581         All of the JIT tiers use the same InstanceOf IC. It uses the existing JITInlineCacheGenerator
582         abstraction.
583         
584         This is a ~40% speed-up on instanceof microbenchmarks. It's a *tiny* (~1%) speed-up on
585         Octane/boyer. I think I can make that speed-up bigger by inlining the inline cache.
586
587         * API/tests/testapi.mm:
588         (testObjectiveCAPIMain):
589         * JavaScriptCore.xcodeproj/project.pbxproj:
590         * Sources.txt:
591         * b3/B3Effects.h:
592         (JSC::B3::Effects::forReadOnlyCall):
593         * bytecode/AccessCase.cpp:
594         (JSC::AccessCase::guardedByStructureCheck const):
595         (JSC::AccessCase::canReplace const):
596         (JSC::AccessCase::visitWeak const):
597         (JSC::AccessCase::generateWithGuard):
598         (JSC::AccessCase::generateImpl):
599         * bytecode/AccessCase.h:
600         * bytecode/InstanceOfAccessCase.cpp: Added.
601         (JSC::InstanceOfAccessCase::create):
602         (JSC::InstanceOfAccessCase::dumpImpl const):
603         (JSC::InstanceOfAccessCase::clone const):
604         (JSC::InstanceOfAccessCase::~InstanceOfAccessCase):
605         (JSC::InstanceOfAccessCase::InstanceOfAccessCase):
606         * bytecode/InstanceOfAccessCase.h: Added.
607         (JSC::InstanceOfAccessCase::prototype const):
608         * bytecode/ObjectPropertyCondition.h:
609         (JSC::ObjectPropertyCondition::hasPrototypeWithoutBarrier):
610         (JSC::ObjectPropertyCondition::hasPrototype):
611         * bytecode/ObjectPropertyConditionSet.cpp:
612         (JSC::generateConditionsForInstanceOf):
613         * bytecode/ObjectPropertyConditionSet.h:
614         * bytecode/PolymorphicAccess.cpp:
615         (JSC::PolymorphicAccess::addCases):
616         (JSC::PolymorphicAccess::regenerate):
617         (WTF::printInternal):
618         * bytecode/PropertyCondition.cpp:
619         (JSC::PropertyCondition::dumpInContext const):
620         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
621         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
622         (WTF::printInternal):
623         * bytecode/PropertyCondition.h:
624         (JSC::PropertyCondition::absenceWithoutBarrier):
625         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
626         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
627         (JSC::PropertyCondition::hasPrototype):
628         (JSC::PropertyCondition::hasPrototype const):
629         (JSC::PropertyCondition::prototype const):
630         (JSC::PropertyCondition::hash const):
631         (JSC::PropertyCondition::operator== const):
632         * bytecode/StructureStubInfo.cpp:
633         (JSC::StructureStubInfo::StructureStubInfo):
634         (JSC::StructureStubInfo::reset):
635         * bytecode/StructureStubInfo.h:
636         (JSC::StructureStubInfo::considerCaching):
637         * dfg/DFGByteCodeParser.cpp:
638         (JSC::DFG::ByteCodeParser::parseBlock):
639         * dfg/DFGFixupPhase.cpp:
640         (JSC::DFG::FixupPhase::fixupNode):
641         * dfg/DFGInlineCacheWrapper.h:
642         * dfg/DFGInlineCacheWrapperInlines.h:
643         (JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize):
644         * dfg/DFGJITCompiler.cpp:
645         (JSC::DFG::JITCompiler::link):
646         * dfg/DFGJITCompiler.h:
647         (JSC::DFG::JITCompiler::addInstanceOf):
648         * dfg/DFGOperations.cpp:
649         * dfg/DFGSpeculativeJIT.cpp:
650         (JSC::DFG::SpeculativeJIT::usedRegisters):
651         (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
652         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
653         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): Deleted.
654         * dfg/DFGSpeculativeJIT.h:
655         * dfg/DFGSpeculativeJIT64.cpp:
656         (JSC::DFG::SpeculativeJIT::cachedGetById):
657         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
658         * ftl/FTLLowerDFGToB3.cpp:
659         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
660         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
661         (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
662         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
663         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
664         (JSC::FTL::DFG::LowerDFGToB3::getById):
665         (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
666         * jit/ICStats.h:
667         * jit/JIT.cpp:
668         (JSC::JIT::privateCompileSlowCases):
669         (JSC::JIT::link):
670         * jit/JIT.h:
671         * jit/JITInlineCacheGenerator.cpp:
672         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
673         (JSC::JITInlineCacheGenerator::finalize):
674         (JSC::JITByIdGenerator::JITByIdGenerator):
675         (JSC::JITByIdGenerator::finalize):
676         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
677         (JSC::JITInstanceOfGenerator::generateFastPath):
678         (JSC::JITInstanceOfGenerator::finalize):
679         * jit/JITInlineCacheGenerator.h:
680         (JSC::JITInlineCacheGenerator::reportSlowPathCall):
681         (JSC::JITInlineCacheGenerator::slowPathBegin const):
682         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
683         (JSC::finalizeInlineCaches):
684         (JSC::JITByIdGenerator::reportSlowPathCall): Deleted.
685         (JSC::JITByIdGenerator::slowPathBegin const): Deleted.
686         * jit/JITOpcodes.cpp:
687         (JSC::JIT::emit_op_instanceof):
688         (JSC::JIT::emitSlow_op_instanceof):
689         * jit/JITOperations.cpp:
690         * jit/JITOperations.h:
691         * jit/JITPropertyAccess.cpp:
692         (JSC::JIT::privateCompileGetByValWithCachedId):
693         (JSC::JIT::privateCompilePutByValWithCachedId):
694         * jit/RegisterSet.cpp:
695         (JSC::RegisterSet::stubUnavailableRegisters):
696         * jit/Repatch.cpp:
697         (JSC::tryCacheIn):
698         (JSC::tryCacheInstanceOf):
699         (JSC::repatchInstanceOf):
700         (JSC::resetPatchableJump):
701         (JSC::resetIn):
702         (JSC::resetInstanceOf):
703         * jit/Repatch.h:
704         * runtime/Options.h:
705         * runtime/Structure.h:
706
707 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
708
709         Unreviewed, fix exception checking
710         https://bugs.webkit.org/show_bug.cgi?id=185350
711
712         * runtime/CommonSlowPaths.h:
713         (JSC::CommonSlowPaths::putDirectWithReify):
714         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
715
716 2018-05-17  Michael Saboff  <msaboff@apple.com>
717
718         We don't throw SyntaxErrors for runtime generated regular expressions with errors
719         https://bugs.webkit.org/show_bug.cgi?id=185755
720
721         Reviewed by Keith Miller.
722
723         Added a new helper that creates the correct exception to throw for each type of error when
724         compiling a RegExp.  Using that new helper, added the missing checks for the cases
725         where we create a new RegExp from an existing one.  Also refactored the other places where we
726         throw SyntaxErrors after a failed RegExp compile to use the new helper.
727
728         * runtime/RegExp.h:
729         * runtime/RegExpConstructor.cpp:
730         (JSC::regExpCreate):
731         (JSC::constructRegExp):
732         * runtime/RegExpPrototype.cpp:
733         (JSC::regExpProtoFuncCompile):
734         * yarr/YarrErrorCode.cpp:
735         (JSC::Yarr::errorToThrow):
736         * yarr/YarrErrorCode.h:
737
738 2018-05-17  Saam Barati  <sbarati@apple.com>
739
740         Remove shrinkFootprint test from apitests since it's flaky
741         https://bugs.webkit.org/show_bug.cgi?id=185754
742
743         Reviewed by Mark Lam.
744
745         This test is flaky as it keeps failing on certain people's machines.
746         Having a test about OS footprint seems like it'll forever be doomed
747         to being flaky.
748
749         * API/tests/testapi.mm:
750         (testObjectiveCAPIMain):
751
752 2018-05-17  Saam Barati  <sbarati@apple.com>
753
754         defaultConstructorSourceCode needs to makeSource every time it's called
755         https://bugs.webkit.org/show_bug.cgi?id=185753
756
757         Rubber-stamped by Mark Lam.
758
759         The bug here is that multiple VMs can be running concurrently with one another
760         in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
761         if we copy a static SourceCode. Instead, we create a new one each time
762         this function is called.
763
764         * builtins/BuiltinExecutables.cpp:
765         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
766
767 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
768
769         [JSC] Use AssemblyHelpers' type checking functions as much as possible
770         https://bugs.webkit.org/show_bug.cgi?id=185730
771
772         Reviewed by Saam Barati.
773
774         Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex
775         bit and register operations for type tagging of JSValue. It is really useful when we would like
776         to tweak the type tagging representation, since the code is collected into AssemblyHelpers. And
777         a named function is more readable than a sequence of branching operations.
778
779         We also remove unnecessary branching functions in JIT / JSInterfaceJIT. Some of them duplicate
780         AssemblyHelpers' ones.
781
782         We add several new type checking functions to AssemblyHelpers. Moreover, we add branchIfXXX(GPRReg)
783         functions even for the 32-bit environment. In the 32-bit environment, these functions take the tag register. These
784         semantics are aligned with the existing branchIfCell / branchIfNotCell.
785
786         * bytecode/AccessCase.cpp:
787         (JSC::AccessCase::generateWithGuard):
788         * dfg/DFGSpeculativeJIT.cpp:
789         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
790         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
791         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
792         (JSC::DFG::SpeculativeJIT::compileSpread):
793         (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
794         (JSC::DFG::SpeculativeJIT::speculateCellType):
795         (JSC::DFG::SpeculativeJIT::speculateNumber):
796         (JSC::DFG::SpeculativeJIT::speculateMisc):
797         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
798         (JSC::DFG::SpeculativeJIT::compileCreateThis):
799         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
800         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
801         * dfg/DFGSpeculativeJIT32_64.cpp:
802         (JSC::DFG::SpeculativeJIT::emitCall):
803         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
804         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
805         (JSC::DFG::SpeculativeJIT::compile):
806         * dfg/DFGSpeculativeJIT64.cpp:
807         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
808         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
809         (JSC::DFG::SpeculativeJIT::emitCall):
810         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
811         (JSC::DFG::SpeculativeJIT::compile):
812         (JSC::DFG::SpeculativeJIT::convertAnyInt):
813         * ftl/FTLLowerDFGToB3.cpp:
814         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
815         * jit/AssemblyHelpers.h:
816         (JSC::AssemblyHelpers::branchIfInt32):
817         (JSC::AssemblyHelpers::branchIfNotInt32):
818         (JSC::AssemblyHelpers::branchIfNumber):
819         (JSC::AssemblyHelpers::branchIfNotNumber):
820         (JSC::AssemblyHelpers::branchIfBoolean):
821         (JSC::AssemblyHelpers::branchIfNotBoolean):
822         (JSC::AssemblyHelpers::branchIfEmpty):
823         (JSC::AssemblyHelpers::branchIfNotEmpty):
824         (JSC::AssemblyHelpers::branchIfUndefined):
825         (JSC::AssemblyHelpers::branchIfNotUndefined):
826         (JSC::AssemblyHelpers::branchIfNull):
827         (JSC::AssemblyHelpers::branchIfNotNull):
828         * jit/JIT.h:
829         * jit/JITArithmetic.cpp:
830         (JSC::JIT::emit_compareAndJump):
831         (JSC::JIT::emit_compareAndJumpSlow):
832         * jit/JITArithmetic32_64.cpp:
833         (JSC::JIT::emit_compareAndJump):
834         (JSC::JIT::emit_op_unsigned):
835         (JSC::JIT::emit_op_inc):
836         (JSC::JIT::emit_op_dec):
837         (JSC::JIT::emitBinaryDoubleOp):
838         (JSC::JIT::emit_op_mod):
839         * jit/JITCall.cpp:
840         (JSC::JIT::compileCallEval):
841         (JSC::JIT::compileOpCall):
842         * jit/JITCall32_64.cpp:
843         (JSC::JIT::compileCallEval):
844         (JSC::JIT::compileOpCall):
845         * jit/JITInlines.h:
846         (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
847         (JSC::JIT::emitJumpIfBothJSCells):
848         (JSC::JIT::emitJumpSlowCaseIfJSCell):
849         (JSC::JIT::emitJumpIfNotInt):
850         (JSC::JIT::emitJumpSlowCaseIfNotInt):
851         (JSC::JIT::emitJumpSlowCaseIfNotNumber):
852         (JSC::JIT::emitJumpIfCellObject): Deleted.
853         (JSC::JIT::emitJumpIfCellNotObject): Deleted.
854         (JSC::JIT::emitJumpIfJSCell): Deleted.
855         (JSC::JIT::emitJumpIfInt): Deleted.
856         * jit/JITOpcodes.cpp:
857         (JSC::JIT::emit_op_instanceof):
858         (JSC::JIT::emit_op_is_undefined):
859         (JSC::JIT::emit_op_is_cell_with_type):
860         (JSC::JIT::emit_op_is_object):
861         (JSC::JIT::emit_op_to_primitive):
862         (JSC::JIT::emit_op_jeq_null):
863         (JSC::JIT::emit_op_jneq_null):
864         (JSC::JIT::compileOpStrictEq):
865         (JSC::JIT::compileOpStrictEqJump):
866         (JSC::JIT::emit_op_to_number):
867         (JSC::JIT::emit_op_to_string):
868         (JSC::JIT::emit_op_to_object):
869         (JSC::JIT::emit_op_eq_null):
870         (JSC::JIT::emit_op_neq_null):
871         (JSC::JIT::emit_op_to_this):
872         (JSC::JIT::emit_op_create_this):
873         (JSC::JIT::emit_op_check_tdz):
874         (JSC::JIT::emitNewFuncExprCommon):
875         (JSC::JIT::emit_op_profile_type):
876         * jit/JITOpcodes32_64.cpp:
877         (JSC::JIT::emit_op_instanceof):
878         (JSC::JIT::emit_op_is_undefined):
879         (JSC::JIT::emit_op_is_cell_with_type):
880         (JSC::JIT::emit_op_is_object):
881         (JSC::JIT::emit_op_to_primitive):
882         (JSC::JIT::emit_op_not):
883         (JSC::JIT::emit_op_jeq_null):
884         (JSC::JIT::emit_op_jneq_null):
885         (JSC::JIT::emit_op_jneq_ptr):
886         (JSC::JIT::emit_op_eq):
887         (JSC::JIT::emit_op_jeq):
888         (JSC::JIT::emit_op_neq):
889         (JSC::JIT::emit_op_jneq):
890         (JSC::JIT::compileOpStrictEq):
891         (JSC::JIT::compileOpStrictEqJump):
892         (JSC::JIT::emit_op_eq_null):
893         (JSC::JIT::emit_op_neq_null):
894         (JSC::JIT::emit_op_to_number):
895         (JSC::JIT::emit_op_to_string):
896         (JSC::JIT::emit_op_to_object):
897         (JSC::JIT::emit_op_create_this):
898         (JSC::JIT::emit_op_to_this):
899         (JSC::JIT::emit_op_check_tdz):
900         (JSC::JIT::emit_op_profile_type):
901         * jit/JITPropertyAccess.cpp:
902         (JSC::JIT::emit_op_get_by_val):
903         (JSC::JIT::emitGetByValWithCachedId):
904         (JSC::JIT::emitGenericContiguousPutByVal):
905         (JSC::JIT::emitPutByValWithCachedId):
906         (JSC::JIT::emit_op_get_from_scope):
907         (JSC::JIT::emit_op_put_to_scope):
908         (JSC::JIT::emitWriteBarrier):
909         (JSC::JIT::emitIntTypedArrayPutByVal):
910         (JSC::JIT::emitFloatTypedArrayPutByVal):
911         * jit/JITPropertyAccess32_64.cpp:
912         (JSC::JIT::emit_op_get_by_val):
913         (JSC::JIT::emitContiguousLoad):
914         (JSC::JIT::emitArrayStorageLoad):
915         (JSC::JIT::emitGetByValWithCachedId):
916         (JSC::JIT::emitGenericContiguousPutByVal):
917         (JSC::JIT::emitPutByValWithCachedId):
918         (JSC::JIT::emit_op_get_from_scope):
919         (JSC::JIT::emit_op_put_to_scope):
920         * jit/JSInterfaceJIT.h:
921         (JSC::JSInterfaceJIT::emitLoadJSCell):
922         (JSC::JSInterfaceJIT::emitLoadInt32):
923         (JSC::JSInterfaceJIT::emitLoadDouble):
924         (JSC::JSInterfaceJIT::emitJumpIfNumber): Deleted.
925         (JSC::JSInterfaceJIT::emitJumpIfNotNumber): Deleted.
926         (JSC::JSInterfaceJIT::emitJumpIfNotType): Deleted.
927         * jit/Repatch.cpp:
928         (JSC::linkPolymorphicCall):
929         * jit/ThunkGenerators.cpp:
930         (JSC::virtualThunkFor):
931         (JSC::absThunkGenerator):
932         * tools/JSDollarVM.cpp:
933         (WTF::DOMJITNode::checkSubClassSnippet):
934         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
935
936 2018-05-17  Saam Barati  <sbarati@apple.com>
937
938         Unreviewed. Fix the build after my attempted build fix broke the build.
939
940         * builtins/BuiltinExecutables.cpp:
941         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
942         (JSC::BuiltinExecutables::createDefaultConstructor):
943         * builtins/BuiltinExecutables.h:
944
945 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
946
947         [JSC] Remove reifyPropertyNameIfNeeded
948         https://bugs.webkit.org/show_bug.cgi?id=185350
949
950         Reviewed by Saam Barati.
951
952         reifyPropertyNameIfNeeded is in the middle of putDirectInternal, which is a super critical path.
953         This is a virtual call, and it is only used by JSFunction right now. Since this costs too much,
954         we should remove it from the critical path.
955
956         This patch removes this function call from the critical path. In our slow paths, we instead call
957         helper functions which call reifyLazyPropertyIfNeeded if the given value is a JSFunction.
958         While putDirect is a somewhat raw API, our slow paths just call it. This helper wraps these calls
959         and takes care of the edge cases. The other call sites of putDirect should know the type of the given
960         object and the name of the property (and so avoid these edge cases).
961
962         This improves SixSpeed/object-assign.es6 by ~4% on MacBook Pro. And this patch does not cause
963         regressions of the existing tests.
964
965                                            baseline                  patched
966         Kraken:
967             json-parse-financial        35.522+-0.069      ^      34.708+-0.097         ^ definitely 1.0234x faster
968
969         SixSpeed:
970             object-assign.es6         145.8779+-0.2838     ^    140.1019+-0.8007        ^ definitely 1.0412x faster
971
972         * dfg/DFGOperations.cpp:
973         (JSC::DFG::putByValInternal):
974         (JSC::DFG::putByValCellInternal):
975         * jit/JITOperations.cpp:
976         * llint/LLIntSlowPaths.cpp:
977         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
978         * runtime/ClassInfo.h:
979         * runtime/CommonSlowPaths.h:
980         (JSC::CommonSlowPaths::putDirectWithReify):
981         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
982         * runtime/JSCell.cpp:
983         (JSC::JSCell::reifyPropertyNameIfNeeded): Deleted.
984         * runtime/JSCell.h:
985         * runtime/JSFunction.cpp:
986         (JSC::JSFunction::reifyPropertyNameIfNeeded): Deleted.
987         * runtime/JSFunction.h:
988         * runtime/JSObject.cpp:
989         (JSC::JSObject::putDirectAccessor):
990         (JSC::JSObject::putDirectNonIndexAccessor):
991         * runtime/JSObject.h:
992         * runtime/JSObjectInlines.h:
993         (JSC::JSObject::putDirectInternal):
994
995 2018-05-17  Saam Barati  <sbarati@apple.com>
996
997         Unreviewed. Try to fix windows build.
998
999         * builtins/BuiltinExecutables.cpp:
1000         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
1001
1002 2018-05-16  Saam Barati  <sbarati@apple.com>
1003
1004         UnlinkedFunctionExecutable doesn't need a parent source override field since it's only used for default class constructors
1005         https://bugs.webkit.org/show_bug.cgi?id=185637
1006
1007         Reviewed by Keith Miller.
1008
1009         We had this general mechanism for overriding an UnlinkedFunctionExecutable's parent
1010         source code. However, we were only using this for default class constructors. There
1011         are only two types of default class constructors. This patch makes it so that
1012         we just store this information inside of a single bit, and ask for the source
1013         code as needed instead of holding it in a nullable field that is 24 bytes in size.
1014         
1015         This brings UnlinkedFunctionExecutable's size down from 184 bytes to 160 bytes.
1016         This has the consequence of making it allocated out of a 160 byte size class
1017         instead of a 224 byte size class. This should bring down its memory footprint
1018         by ~40%.
1019
1020         * builtins/BuiltinExecutables.cpp:
1021         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
1022         (JSC::BuiltinExecutables::createDefaultConstructor):
1023         (JSC::BuiltinExecutables::createExecutable):
1024         * builtins/BuiltinExecutables.h:
1025         * bytecode/UnlinkedFunctionExecutable.cpp:
1026         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1027         (JSC::UnlinkedFunctionExecutable::link):
1028         * bytecode/UnlinkedFunctionExecutable.h:
1029         * runtime/CodeCache.cpp:
1030         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1031
1032 2018-05-16  Saam Barati  <sbarati@apple.com>
1033
1034         VM::shrinkFootprint should call collectNow(Sync) instead of collectSync so it also eagerly sweeps
1035         https://bugs.webkit.org/show_bug.cgi?id=185707
1036
1037         Reviewed by Mark Lam.
1038
1039         * runtime/VM.cpp:
1040         (JSC::VM::shrinkFootprint):
1041
1042 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
1043
1044         [ESNext][BigInt] Implement support for "/" operation
1045         https://bugs.webkit.org/show_bug.cgi?id=183996
1046
1047         Reviewed by Yusuke Suzuki.
1048
1049         This patch introduces support for BigInt in the divide
1050         operation in the LLInt and JIT layers.
1051
1052         * dfg/DFGOperations.cpp:
1053         * runtime/CommonSlowPaths.cpp:
1054         (JSC::SLOW_PATH_DECL):
1055         * runtime/JSBigInt.cpp:
1056         (JSC::JSBigInt::divide):
1057         (JSC::JSBigInt::copy):
1058         (JSC::JSBigInt::unaryMinus):
1059         (JSC::JSBigInt::absoluteCompare):
1060         (JSC::JSBigInt::absoluteDivLarge):
1061         (JSC::JSBigInt::productGreaterThan):
1062         (JSC::JSBigInt::inplaceAdd):
1063         (JSC::JSBigInt::inplaceSub):
1064         (JSC::JSBigInt::inplaceRightShift):
1065         (JSC::JSBigInt::specialLeftShift):
1066         (JSC::JSBigInt::digit):
1067         (JSC::JSBigInt::setDigit):
1068         * runtime/JSBigInt.h:
1069
1070 2018-05-16  Saam Barati  <sbarati@apple.com>
1071
1072         Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
1073         https://bugs.webkit.org/show_bug.cgi?id=185670
1074
1075         Reviewed by Yusuke Suzuki.
1076
1077         This patch makes it so that we constant fold CheckTypeInfoFlags for
1078         ImplementsDefaultHasInstance inside of AI/constant folding. We constant
1079         fold in three ways:
1080         - When the incoming value is a constant, we just look at its inline type
1081         flags. Since those flags never change after an object is created, this
1082         is sound.
1083         - Based on the incoming value having a finite structure set. We just iterate
1084         all structures and ensure they have the bit set.
1085         - Based on speculated type. To do this, I split up SpecFunction into two
1086         subheaps where one is for functions that have the bit set, and one for
1087         functions that don't have the bit set. The latter is currently only comprised
1088         of JSBoundFunctions. To constant fold, we check that the incoming
1089         value only has the SpecFunction type with ImplementsDefaultHasInstance set.
1090
1091         * bytecode/SpeculatedType.cpp:
1092         (JSC::speculationFromClassInfo):
1093         * bytecode/SpeculatedType.h:
1094         * dfg/DFGAbstractInterpreterInlines.h:
1095         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1096         * dfg/DFGConstantFoldingPhase.cpp:
1097         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1098         * dfg/DFGSpeculativeJIT.cpp:
1099         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
1100         * dfg/DFGStrengthReductionPhase.cpp:
1101         (JSC::DFG::StrengthReductionPhase::handleNode):
1102         * runtime/JSFunction.cpp:
1103         (JSC::JSFunction::JSFunction):
1104         (JSC::JSFunction::assertTypeInfoFlagInvariants):
1105         * runtime/JSFunction.h:
1106         (JSC::JSFunction::assertTypeInfoFlagInvariants):
1107         * runtime/JSFunctionInlines.h:
1108         (JSC::JSFunction::JSFunction):
1109
1110 2018-05-16  Devin Rousso  <webkit@devinrousso.com>
1111
1112         Web Inspector: create a navigation item for toggling the overlay rulers/guides
1113         https://bugs.webkit.org/show_bug.cgi?id=185644
1114
1115         Reviewed by Matt Baker.
1116
1117         * inspector/protocol/OverlayTypes.json:
1118         * inspector/protocol/Page.json:
1119
1120 2018-05-16  Commit Queue  <commit-queue@webkit.org>
1121
1122         Unreviewed, rolling out r231845.
1123         https://bugs.webkit.org/show_bug.cgi?id=185702
1124
1125         it is breaking Apple High Sierra 32-bit JSC bot (Requested by
1126         caiolima on #webkit).
1127
1128         Reverted changeset:
1129
1130         "[ESNext][BigInt] Implement support for "/" operation"
1131         https://bugs.webkit.org/show_bug.cgi?id=183996
1132         https://trac.webkit.org/changeset/231845
1133
1134 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
1135
1136         DFG models InstanceOf incorrectly
1137         https://bugs.webkit.org/show_bug.cgi?id=185694
1138
1139         Reviewed by Keith Miller.
1140         
1141         Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
1142         hoist it.
1143
1144         * dfg/DFGAbstractInterpreterInlines.h:
1145         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1146         * dfg/DFGClobberize.h:
1147         (JSC::DFG::clobberize):
1148         * dfg/DFGHeapLocation.cpp:
1149         (WTF::printInternal):
1150         * dfg/DFGHeapLocation.h:
1151         * dfg/DFGNodeType.h:
1152
1153 2018-05-16  Andy VanWagoner  <andy@vanwagoner.family>
1154
1155         Add support for Intl NumberFormat formatToParts
1156         https://bugs.webkit.org/show_bug.cgi?id=185375
1157
1158         Reviewed by Yusuke Suzuki.
1159
1160         Add flag for NumberFormat formatToParts. Implement formatToParts using
1161         unum_formatDoubleForFields. Because the fields are nested and come back
1162         in no guaranteed order, the simple algorithm to convert them to the
1163         desired format is roughly O(n^2). However, even with Number.MAX_VALUE
1164         it appears to perform well enough for the initial implementation. Another
1165         issue has been created to improve this algorithm.
1166
1167         This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
1168         on macOS, since only v57 is available.
1169
1170         * Configurations/FeatureDefines.xcconfig:
1171         * runtime/IntlNumberFormat.cpp:
1172         (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
1173         (JSC::IntlNumberFormat::partTypeString):
1174         (JSC::IntlNumberFormat::formatToParts):
1175         * runtime/IntlNumberFormat.h:
1176         * runtime/IntlNumberFormatPrototype.cpp:
1177         (JSC::IntlNumberFormatPrototype::create):
1178         (JSC::IntlNumberFormatPrototype::finishCreation):
1179         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
1180         * runtime/IntlNumberFormatPrototype.h:
1181         * runtime/Options.h:
1182
1183 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
1184
1185         [ESNext][BigInt] Implement support for "/" operation
1186         https://bugs.webkit.org/show_bug.cgi?id=183996
1187
1188         Reviewed by Yusuke Suzuki.
1189
1190         This patch introduces support for BigInt in the divide
1191         operation in the LLInt and JIT layers.
1192
1193         * dfg/DFGOperations.cpp:
1194         * runtime/CommonSlowPaths.cpp:
1195         (JSC::SLOW_PATH_DECL):
1196         * runtime/JSBigInt.cpp:
1197         (JSC::JSBigInt::divide):
1198         (JSC::JSBigInt::copy):
1199         (JSC::JSBigInt::unaryMinus):
1200         (JSC::JSBigInt::absoluteCompare):
1201         (JSC::JSBigInt::absoluteDivLarge):
1202         (JSC::JSBigInt::productGreaterThan):
1203         (JSC::JSBigInt::inplaceAdd):
1204         (JSC::JSBigInt::inplaceSub):
1205         (JSC::JSBigInt::inplaceRightShift):
1206         (JSC::JSBigInt::specialLeftShift):
1207         (JSC::JSBigInt::digit):
1208         (JSC::JSBigInt::setDigit):
1209         * runtime/JSBigInt.h:
1210
1211 2018-05-16  Alberto Garcia  <berto@igalia.com>
1212
1213         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
1214         https://bugs.webkit.org/show_bug.cgi?id=182622
1215
1216         Reviewed by Michael Catanzaro.
1217
1218         We were linking JavaScriptCore against libatomic in MIPS because
1219         in that architecture __atomic_fetch_add_8() is not a compiler
1220         intrinsic and is provided by that library instead. However other
1221         architectures (e.g armel) are in the same situation, so we need a
1222         generic test.
1223
1224         That test already exists in WebKit/CMakeLists.txt, so we just have
1225         to move it to a common file (WebKitCompilerFlags.cmake) and use
1226         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
1227
1228         * CMakeLists.txt:
1229
1230 2018-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1231
1232         [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
1233         https://bugs.webkit.org/show_bug.cgi?id=185601
1234
1235         Reviewed by Saam Barati.
1236
1237         Rename TypeOfShouldCallGetCallData to OverridesGetCallData, and check OverridesGetCallData
1238         before calling getCallData when we want to check whether a given object is callable,
1239         since getCallData is a virtual call. When we are going to call the object anyway, directly calling getCallData
1240         is fine. But if we only want to check whether the object is callable, we frequently encounter
1241         non-callable objects. In that case, we should not call getCallData if we can avoid it.
1242
1243         To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
1244         and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
1245         OverridesGetCallData checking before calling getCallData.
1246
1247         We found that this virtual call exists in JSON.stringify's critical path. Checking
1248         OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.
1249
1250                                                baseline                  patched
1251
1252             json-stringify-tinderbox        38.807+-0.350      ^      37.216+-0.337         ^ definitely 1.0427x faster
1253
1254         In addition to that, we also add the OverridesGetCallData flag to JSFunction while we keep the JSFunctionType checking fast path,
1255         since the major cases are covered by this fast JSFunctionType check.
1256
1257         * API/JSCallbackObject.h:
1258         * dfg/DFGAbstractInterpreterInlines.h:
1259         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1260         * dfg/DFGOperations.cpp:
1261         * dfg/DFGSpeculativeJIT.cpp:
1262         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
1263         (JSC::DFG::SpeculativeJIT::compileIsFunction):
1264         * ftl/FTLLowerDFGToB3.cpp:
1265         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
1266         * jit/AssemblyHelpers.h:
1267         (JSC::AssemblyHelpers::emitTypeOf):
1268         * runtime/ExceptionHelpers.cpp:
1269         (JSC::createError):
1270         (JSC::createInvalidFunctionApplyParameterError):
1271         * runtime/FunctionPrototype.cpp:
1272         (JSC::functionProtoFuncToString):
1273         * runtime/InternalFunction.h:
1274         * runtime/JSCJSValue.h:
1275         * runtime/JSCJSValueInlines.h:
1276         (JSC::JSValue::isFunction const):
1277         (JSC::JSValue::isCallable const):
1278         * runtime/JSCell.h:
1279         * runtime/JSCellInlines.h:
1280         (JSC::JSCell::isFunction):
1281         ALWAYS_INLINE works well for my environment.
1282         (JSC::JSCell::isCallable):
1283         * runtime/JSFunction.h:
1284         * runtime/JSONObject.cpp:
1285         (JSC::Stringifier::toJSON):
1286         (JSC::Stringifier::toJSONImpl):
1287         (JSC::Stringifier::appendStringifiedValue):
1288         * runtime/JSObjectInlines.h:
1289         (JSC::createListFromArrayLike):
1290         * runtime/JSTypeInfo.h:
1291         (JSC::TypeInfo::overridesGetCallData const):
1292         (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted.
1293         * runtime/Operations.cpp:
1294         (JSC::jsTypeStringForValue):
1295         (JSC::jsIsObjectTypeOrNull):
1296         * runtime/ProxyObject.h:
1297         * runtime/RuntimeType.cpp:
1298         (JSC::runtimeTypeForValue):
1299         * runtime/RuntimeType.h:
1300         * runtime/Structure.cpp:
1301         (JSC::Structure::Structure):
1302         * runtime/TypeProfilerLog.cpp:
1303         (JSC::TypeProfilerLog::TypeProfilerLog):
1304         (JSC::TypeProfilerLog::processLogEntries):
1305         * runtime/TypeProfilerLog.h:
1306         * runtime/VM.cpp:
1307         (JSC::VM::enableTypeProfiler):
1308         * tools/JSDollarVM.cpp:
1309         (JSC::functionFindTypeForExpression):
1310         (JSC::functionReturnTypeFor):
1311         (JSC::functionHasBasicBlockExecuted):
1312         (JSC::functionBasicBlockExecutionCount):
1313         * wasm/js/JSWebAssemblyHelpers.h:
1314         (JSC::getWasmBufferFromValue):
1315         * wasm/js/JSWebAssemblyInstance.cpp:
1316         (JSC::JSWebAssemblyInstance::create):
1317         * wasm/js/WebAssemblyFunction.cpp:
1318         (JSC::callWebAssemblyFunction):
1319         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1320         (JSC::constructJSWebAssemblyInstance):
1321         * wasm/js/WebAssemblyModuleRecord.cpp:
1322         (JSC::WebAssemblyModuleRecord::link):
1323         * wasm/js/WebAssemblyPrototype.cpp:
1324         (JSC::webAssemblyInstantiateFunc):
1325         (JSC::webAssemblyInstantiateStreamingInternal):
1326         * wasm/js/WebAssemblyWrapperFunction.cpp:
1327         (JSC::WebAssemblyWrapperFunction::finishCreation):
1328
1329 2018-05-15  Devin Rousso  <webkit@devinrousso.com>
1330
1331         Web Inspector: Add rulers and guides
1332         https://bugs.webkit.org/show_bug.cgi?id=32263
1333         <rdar://problem/19281564>
1334
1335         Reviewed by Matt Baker.
1336
1337         * inspector/protocol/OverlayTypes.json:
1338
1339 2018-05-14  Keith Miller  <keith_miller@apple.com>
1340
1341         Remove butterflyMask from DFGAbstractHeap
1342         https://bugs.webkit.org/show_bug.cgi?id=185640
1343
1344         Reviewed by Saam Barati.
1345
1346         We don't have a butterfly indexing mask anymore so we don't need
1347         the abstract heap information for it anymore.
1348
1349         * dfg/DFGAbstractHeap.h:
1350         * dfg/DFGClobberize.h:
1351         (JSC::DFG::clobberize):
1352
1353 2018-05-14  Andy VanWagoner  <andy@vanwagoner.family>
1354
1355         [INTL] Handle error in defineProperty for supported locales length
1356         https://bugs.webkit.org/show_bug.cgi?id=185623
1357
1358         Reviewed by Saam Barati.
1359
1360         Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the
1361         length of the supported locales array.
1362
1363         * runtime/IntlObject.cpp:
1364         (JSC::supportedLocales):
1365
1366 2018-05-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1367
1368         [JSC] Tweak LiteralParser to improve lexing performance
1369         https://bugs.webkit.org/show_bug.cgi?id=185541
1370
1371         Reviewed by Saam Barati.
1372
1373         This patch attempts to improve LiteralParser performance.
1374
1375         This patch improves Kraken/json-parse-financial by roughly ~10%.
1376                                            baseline                  patched
1377
1378             json-parse-financial        65.810+-1.591      ^      59.943+-1.784         ^ definitely 1.0979x faster
1379
1380         * parser/Lexer.cpp:
1381         (JSC::Lexer<T>::Lexer):
1382         * runtime/ArgList.h:
1383         (JSC::MarkedArgumentBuffer::takeLast):
1384         Add takeLast() for idiomatic last() + removeLast() calls.
1385
1386         * runtime/LiteralParser.cpp:
1387         (JSC::LiteralParser<CharType>::Lexer::lex):
1388         Do not take the mode as a template parameter. While the lex function is large, this mode is not used in a critical path.
1389         We should not include this mode in the template parameters, to reduce the code size.
1390         We also do not use a template parameter for the terminator, since duplicating the ' and " code for lexString is not good.
1391         Also, we construct a TokenType table to remove a bunch of unnecessary switch cases.
1392
1393         (JSC::LiteralParser<CharType>::Lexer::next):
1394         (JSC::isSafeStringCharacter):
1395         Take the mode as a template parameter, but do not take the terminator character as one.
1396
1397         (JSC::LiteralParser<CharType>::Lexer::lexString):
1398         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
1399         Duplicate while statements manually since this is a critical path.
1400
1401         (JSC::LiteralParser<CharType>::parse):
1402         Use takeLast().
1403
1404         * runtime/LiteralParser.h:
1405
1406 2018-05-14  Dominik Infuehr  <dinfuehr@igalia.com>
1407
1408         [MIPS] Use btpz to compare against 0 instead of bpeq
1409         https://bugs.webkit.org/show_bug.cgi?id=185607
1410
1411         Reviewed by Yusuke Suzuki.
1412
1413         Fixes the build on MIPS since MIPS doesn't have an instruction to
1414         compare a register against an immediate. Since the immediate is just 0
1415         in this case, the simplest solution is to use btpz instead of bpeq
1416         to compare to 0.
1417
1418         * llint/LowLevelInterpreter.asm:
1419
1420 2018-05-12  Filip Pizlo  <fpizlo@apple.com>
1421
1422         CachedCall::call() should be faster
1423         https://bugs.webkit.org/show_bug.cgi?id=185583
1424
1425         Reviewed by Yusuke Suzuki.
1426         
1427         CachedCall is an optimization for String.prototype.replace(r, f) where f is a function.
1428         Unfortunately, because of a combination of abstraction and assertions, this code path had a
1429         lot of overhead. This patch reduces this overhead by:
1430         
1431         - Turning off some assertions. These assertions don't look to have security value; they're
1432           mostly for sanity. I turned off stack alignment checks and VM state checks having to do
1433           with whether the JSLock is held. The JSLock checks are not relevant when doing a cached
1434           call, considering that the caller would have already been strongly assuming that the JSLock
1435           is held.
1436         
1437         - Making more things inlineable.
1438         
1439         This looks like a small (4% ish) speed-up on SunSpider/string-unpack-code.
1440
1441         * JavaScriptCore.xcodeproj/project.pbxproj:
1442         * interpreter/CachedCall.h:
1443         (JSC::CachedCall::call):
1444         * interpreter/Interpreter.cpp:
1445         (JSC::checkedReturn): Deleted.
1446         * interpreter/Interpreter.h:
1447         (JSC::Interpreter::checkedReturn):
1448         * interpreter/InterpreterInlines.h:
1449         (JSC::Interpreter::execute):
1450         * jit/JITCode.cpp:
1451         (JSC::JITCode::execute): Deleted.
1452         * jit/JITCodeInlines.h: Added.
1453         (JSC::JITCode::execute):
1454         * llint/LowLevelInterpreter.asm:
1455         * runtime/StringPrototype.cpp:
1456
1457 2018-05-13  Andy VanWagoner  <andy@vanwagoner.family>
1458
1459         [INTL] Improve spec & test262 compliance for Intl APIs
1460         https://bugs.webkit.org/show_bug.cgi?id=185578
1461
1462         Reviewed by Yusuke Suzuki.
1463
1464         Use putDirectIndex over push for lists to arrays.
1465         Update default options to construct with a null prototype.
1466         Define constructor and toStringTag on prototypes.
1467         Add proper time clipping.
1468         Remove some outdated comment spec text, use url instead.
1469
1470         * runtime/IntlCollator.cpp:
1471         (JSC::IntlCollator::initializeCollator):
1472         * runtime/IntlCollatorConstructor.cpp:
1473         (JSC::IntlCollatorConstructor::finishCreation):
1474         * runtime/IntlCollatorPrototype.cpp:
1475         (JSC::IntlCollatorPrototype::finishCreation):
1476         * runtime/IntlDateTimeFormatConstructor.cpp:
1477         (JSC::IntlDateTimeFormatConstructor::finishCreation):
1478         * runtime/IntlDateTimeFormatPrototype.cpp:
1479         (JSC::IntlDateTimeFormatPrototype::finishCreation):
1480         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1481         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
1482         * runtime/IntlNumberFormat.cpp:
1483         (JSC::IntlNumberFormat::initializeNumberFormat):
1484         * runtime/IntlNumberFormatConstructor.cpp:
1485         (JSC::IntlNumberFormatConstructor::finishCreation):
1486         * runtime/IntlNumberFormatPrototype.cpp:
1487         (JSC::IntlNumberFormatPrototype::finishCreation):
1488         * runtime/IntlObject.cpp:
1489         (JSC::lookupSupportedLocales):
1490         (JSC::supportedLocales):
1491         (JSC::intlObjectFuncGetCanonicalLocales):
1492         * runtime/IntlPluralRules.cpp:
1493         (JSC::IntlPluralRules::resolvedOptions):
1494         * runtime/IntlPluralRulesConstructor.cpp:
1495         (JSC::IntlPluralRulesConstructor::finishCreation):
1496
1497 2018-05-11  Caio Lima  <ticaiolima@gmail.com>
1498
1499         [ESNext][BigInt] Implement support for "*" operation
1500         https://bugs.webkit.org/show_bug.cgi?id=183721
1501
1502         Reviewed by Yusuke Suzuki.
1503
1504         Added BigInt support to the times binary operator in LLInt and in the
1505         JITOperations profiledMul and unprofiledMul. We are also replacing all
1506         uses of int with unsigned where the variables never hold negative
1507         values.
1508
1509         * dfg/DFGConstantFoldingPhase.cpp:
1510         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1511         * jit/JITOperations.cpp:
1512         * runtime/CommonSlowPaths.cpp:
1513         (JSC::SLOW_PATH_DECL):
1514         * runtime/JSBigInt.cpp:
1515         (JSC::JSBigInt::JSBigInt):
1516         (JSC::JSBigInt::allocationSize):
1517         (JSC::JSBigInt::createWithLength):
1518         (JSC::JSBigInt::toString):
1519         (JSC::JSBigInt::multiply):
1520         (JSC::JSBigInt::digitDiv):
1521         (JSC::JSBigInt::internalMultiplyAdd):
1522         (JSC::JSBigInt::multiplyAccumulate):
1523         (JSC::JSBigInt::equals):
1524         (JSC::JSBigInt::absoluteDivSmall):
1525         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1526         (JSC::JSBigInt::toStringGeneric):
1527         (JSC::JSBigInt::rightTrim):
1528         (JSC::JSBigInt::allocateFor):
1529         (JSC::JSBigInt::parseInt):
1530         (JSC::JSBigInt::digit):
1531         (JSC::JSBigInt::setDigit):
1532         * runtime/JSBigInt.h:
1533         * runtime/JSCJSValue.h:
1534         * runtime/JSCJSValueInlines.h:
1535         (JSC::JSValue::toNumeric const):
1536         * runtime/Operations.h:
1537         (JSC::jsMul):
1538
1539 2018-05-11  Commit Queue  <commit-queue@webkit.org>
1540
1541         Unreviewed, rolling out r231316 and r231332.
1542         https://bugs.webkit.org/show_bug.cgi?id=185564
1543
1544         Appears to be a Speedometer2/MotionMark regression (Requested
1545         by keith_miller on #webkit).
1546
1547         Reverted changesets:
1548
1549         "Remove the prototype caching for get_by_id in the LLInt"
1550         https://bugs.webkit.org/show_bug.cgi?id=185226
1551         https://trac.webkit.org/changeset/231316
1552
1553         "Unreviewed, fix 32-bit profile offset for change in bytecode"
1554         https://trac.webkit.org/changeset/231332
1555
1556 2018-05-11  Michael Saboff  <msaboff@apple.com>
1557
1558         [DFG] Compiler uses incorrect output register for NumberIsInteger operation
1559         https://bugs.webkit.org/show_bug.cgi?id=185328
1560
1561         Reviewed by Keith Miller.
1562
1563         Fixed a typo from when this code was added in r228968 where resultGPR
1564         was assigned the input register instead of the result.gpr().
1565
1566         * dfg/DFGSpeculativeJIT64.cpp:
1567         (JSC::DFG::SpeculativeJIT::compile):
1568
1569 2018-05-11  Saam Barati  <sbarati@apple.com>
1570
1571         Don't use inferred types when the JIT is disabled
1572         https://bugs.webkit.org/show_bug.cgi?id=185539
1573
1574         Reviewed by Yusuke Suzuki.
1575
1576         There are many JSC API clients that run with the JIT disabled. They were
1577         all allocating and tracking inferred types for no benefit. Inferred types
1578         only benefit programs when they make it to the DFG/FTL. I was seeing cases
1579         where the inferred type machinery used ~0.5MB. This patch makes it so we
1580         don't allocate that machinery when the JIT is disabled.
1581
1582         * runtime/Structure.cpp:
1583         (JSC::Structure::willStoreValueSlow):
1584         * runtime/Structure.h:
1585
1586 2018-05-11  Saam Barati  <sbarati@apple.com>
1587
1588         Don't allocate value profiles when the JIT is disabled
1589         https://bugs.webkit.org/show_bug.cgi?id=185525
1590
1591         Reviewed by Michael Saboff.
1592
1593         There are many JSC API clients that run with the JIT disabled. We were
1594         still allocating a ton of value profiles in this use case even though
1595         these clients get no benefit from doing value profiling. This patch makes
1596         it so that we don't allocate value profiles or argument value profiles
1597         when we're not using the JIT. We now just make all value profiles in
1598         the instruction stream point to a global value profile that the VM owns.
1599         And we make the argument value profile array have zero length and teach
1600         the LLInt how to handle that. Heap clears the global value profile on each GC.
1601
1602         In an app that I'm testing this against, this saves ~1MB of memory.
1603
1604         * bytecode/CodeBlock.cpp:
1605         (JSC::CodeBlock::finishCreation):
1606         (JSC::CodeBlock::setNumParameters):
1607         * bytecode/CodeBlock.h:
1608         (JSC::CodeBlock::numberOfArgumentValueProfiles):
1609         (JSC::CodeBlock::valueProfileForArgument):
1610         * bytecompiler/BytecodeGenerator.cpp:
1611         (JSC::BytecodeGenerator::emitProfiledOpcode):
1612         * heap/Heap.cpp:
1613         (JSC::Heap::runEndPhase):
1614         * llint/LowLevelInterpreter.asm:
1615         * runtime/VM.cpp:
1616         (JSC::VM::VM):
1617         * runtime/VM.h:
1618
1619 2018-05-10  Carlos Garcia Campos  <cgarcia@igalia.com>
1620
1621         [JSC][GLIB] Add introspectable alternatives to functions using varargs
1622         https://bugs.webkit.org/show_bug.cgi?id=185508
1623
1624         Reviewed by Michael Catanzaro.
1625
1626         * API/glib/JSCClass.cpp:
1627         (jscClassCreateConstructor):
1628         (jsc_class_add_constructor):
1629         (jsc_class_add_constructorv):
1630         (jscClassAddMethod):
1631         (jsc_class_add_method):
1632         (jsc_class_add_methodv):
1633         * API/glib/JSCClass.h:
1634         * API/glib/JSCValue.cpp:
1635         (jsObjectCall):
1636         (jscValueCallFunction):
1637         (jsc_value_object_invoke_methodv):
1638         (jscValueFunctionCreate):
1639         (jsc_value_new_function):
1640         (jsc_value_new_functionv):
1641         (jsc_value_function_callv):
1642         (jsc_value_constructor_callv):
1643         * API/glib/JSCValue.h:
1644         * API/glib/docs/jsc-glib-4.0-sections.txt:
1645
1646 2018-05-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1647
1648         [JSC] Make return types of construction functions tight
1649         https://bugs.webkit.org/show_bug.cgi?id=185509
1650
1651         Reviewed by Saam Barati.
1652
1653         Array and Object construction functions should return strict types instead of returning JSObject*/JSValue.
1654
1655         * runtime/ArrayConstructor.cpp:
1656         (JSC::constructArrayWithSizeQuirk):
1657         * runtime/ArrayConstructor.h:
1658         * runtime/ObjectConstructor.h:
1659         (JSC::constructEmptyObject):
1660
1661 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1662
1663         [JSC] Object.assign for final objects should be faster
1664         https://bugs.webkit.org/show_bug.cgi?id=185348
1665
1666         Reviewed by Saam Barati.
1667
1668         Object.assign is so heavily used to clone an object. For example, speedometer react-redux can be significantly
1669         improved if Object.assign becomes fast. It is worth adding a complex fast path to accelerate the major use cases.
1670
1671         If enumerating the properties of the source objects and putting properties on the target object are not observable,
1672         we can avoid hash table lookups of the source object properties. We can enumerate the object property entries
1673         and put them on the target object. This patch adds this fast path to the Object.assign implementation.
1674
1675         When enumerating properties, we need to ensure that the given |source| object does not include "__proto__"
1676         property since we cannot perform fast [[Put]] for the |target| object. We add a new flag
1677         "HasUnderscoreProtoPropertyExcludingOriginalProto" to Structure to track this state.
1678
1679         This improves object-assign.es6 by 1.85x.
1680
1681                                         baseline                  patched
1682
1683             object-assign.es6      368.6132+-8.3508     ^    198.8775+-4.9042        ^ definitely 1.8535x faster
1684
1685         And Speedometer2.0 React-Redux-TodoMVC's total time is improved from 490ms to 431ms.
1686
1687         * runtime/JSObject.h:
1688         * runtime/JSObjectInlines.h:
1689         (JSC::JSObject::canPerformFastPutInlineExcludingProto):
1690         (JSC::JSObject::canPerformFastPutInline):
1691         * runtime/ObjectConstructor.cpp:
1692         (JSC::objectConstructorAssign):
1693         * runtime/Structure.cpp:
1694         (JSC::Structure::Structure):
1695         * runtime/Structure.h:
1696         * runtime/StructureInlines.h:
1697         (JSC::Structure::forEachProperty):
1698         (JSC::Structure::add):
1699
1700 2018-05-10  Filip Pizlo  <fpizlo@apple.com>
1701
1702         DFG CFA should pick the right time to inject OSR entry data
1703         https://bugs.webkit.org/show_bug.cgi?id=185530
1704
1705         Reviewed by Saam Barati.
1706         
1707         Previously, we would do a bonus run of CFA to inject OSR entry data. This patch makes us inject
1708         OSR entry data as part of the normal flow of CFA, which reduces the total number of CFA
1709         reexecutions while minimizing the likelihood that we have CFA execute constants in paths that
1710         would eventually LUB to non-constant.
1711         
1712         This looks like almost a 1% speed-up on SunSpider-CompileTime. All of the logic for preventing
1713         execution over constants is for V8Spider-CompileTime/regexp, which would otherwise do a lot of
1714         useless regexp/string execution in the compiler.
1715
1716         * dfg/DFGBlockSet.h:
1717         (JSC::DFG::BlockSet::remove):
1718         * dfg/DFGCFAPhase.cpp:
1719         (JSC::DFG::CFAPhase::run):
1720         (JSC::DFG::CFAPhase::injectOSR):
1721         (JSC::DFG::CFAPhase::performBlockCFA):
1722
1723 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
1724
1725         InPlaceAbstractState::beginBasicBlock shouldn't copy all m_variables every time
1726         https://bugs.webkit.org/show_bug.cgi?id=185452
1727
1728         Reviewed by Michael Saboff.
1729         
1730         We were spending a lot of time in beginBasicBlock() just copying the state of all variables
1731         from the block head to InPlaceAbstractState::m_variables. It is necessary for
1732         InPlaceAbstractState to have its own copy since we need to mutate it separately from
1733         block->valuesAtHead. But most variables are untouched by most basic blocks, so this was a lot
1734         of superfluous work.
1735         
1736         This change adds a bitvector called m_activeVariables that tracks which variables have been
1737         copied. We lazily copy the variables on first use. Variables that were never copied also have
1738         a simplified merging path, which just needs to consider if the variable got clobbered between
1739         head and tail.
1740         
1741         This is a 1.5% speed-up on SunSpider-CompileTime and a 1.7% speed-up on V8Spider-CompileTime.
1742
1743         * bytecode/Operands.h:
1744         (JSC::Operands::argumentIndex const):
1745         (JSC::Operands::localIndex const):
1746         (JSC::Operands::argument):
1747         (JSC::Operands::argument const):
1748         (JSC::Operands::local):
1749         (JSC::Operands::local const):
1750         (JSC::Operands::operandIndex const):
1751         * dfg/DFGAbstractValue.h:
1752         (JSC::DFG::AbstractValue::fastForwardFromTo):
1753         * dfg/DFGCFAPhase.cpp:
1754         (JSC::DFG::CFAPhase::performForwardCFA):
1755         * dfg/DFGInPlaceAbstractState.cpp:
1756         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1757         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
1758         (JSC::DFG::InPlaceAbstractState::activateAllVariables):
1759         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1760         (JSC::DFG::InPlaceAbstractState::activateVariable):
1761         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): Deleted.
1762         * dfg/DFGInPlaceAbstractState.h:
1763         (JSC::DFG::InPlaceAbstractState::variableAt):
1764         (JSC::DFG::InPlaceAbstractState::operand):
1765         (JSC::DFG::InPlaceAbstractState::local):
1766         (JSC::DFG::InPlaceAbstractState::argument):
1767         (JSC::DFG::InPlaceAbstractState::activateVariableIfNecessary):
1768         (JSC::DFG::InPlaceAbstractState::variablesForDebugging): Deleted.
1769
1770 2018-05-09  Caio Lima  <ticaiolima@gmail.com>
1771
1772         [ESNext][BigInt] Implement support for "==" operation
1773         https://bugs.webkit.org/show_bug.cgi?id=184474
1774
1775         Reviewed by Yusuke Suzuki.
1776
1777         This patch implements BigInt support for the equals operator
1778         following the spec semantics [1].
1779
1780         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-equality-comparison
1781
1782         * runtime/JSBigInt.cpp:
1783         (JSC::JSBigInt::parseInt):
1784         (JSC::JSBigInt::stringToBigInt):
1785         (JSC::JSBigInt::toString):
1786         (JSC::JSBigInt::setDigit):
1787         (JSC::JSBigInt::equalsToNumber):
1788         (JSC::JSBigInt::compareToDouble):
1789         * runtime/JSBigInt.h:
1790         * runtime/JSCJSValueInlines.h:
1791         (JSC::JSValue::equalSlowCaseInline):
1792
1793 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
1794
1795         Speed up AbstractInterpreter::executeEdges
1796         https://bugs.webkit.org/show_bug.cgi?id=185457
1797
1798         Reviewed by Saam Barati.
1799
1800         This patch started out with the desire to make executeEdges() faster by making filtering faster.
1801         However, when I studied the disassembly, I found that there are many opportunities for
1802         improvement and I implemented all of them:
1803         
1804         - Filtering itself now has an inline fast path for when the filtering didn't change the value or
1805           for non-cells.
1806         
1807         - Edge execution doesn't fast-forward anything if the filtering fast path would have succeeded,
1808           since fast-forwarding is only interesting for cells and only if we have a clobbered value.
1809         
1810         - Similarly, edge verification doesn't need to fast-forward in the common case.
1811         
1812         - A bunch of stuff related to Graph::doToChildren is now inlined properly.
1813         
1814         - The edge doesn't even have to be considered for execution if it's UntypedUse.
1815         
1816         That last bit was the trickiest. We had gotten into a bad habit of using SpecFullNumber in the
1817         abstract interpreter. It's not correct to use SpecFullNumber in the abstract interpreter, because
1818         it means proving that the value could either be formatted as a double (with impure NaN values),
1819         or as any JSValue, or as an Int52. There is no value that could possibly hold all of those
1820         states. This "worked" before because UntypedUse would filter this down to SpecBytecodeNumber. To
1821         make it work again, I needed to fix all of those uses of SpecFullNumber. In the future, we need
1822         to be careful about picking either SpecFullDouble (if returning a DoubleRep) or
1823         SpecBytecodeNumber (if returning a JSValueRep).
1824         
1825         But that fix revealed an amazing timeout in
1826         stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js. We were getting
1827         stuck in an OSR loop (baseline->DFG->FTL->baseline), all involving the same bytecode, without
1828         ever realizing that we should jettison something. The problem was with how
1829         triggerReoptimizationNow was getting the optimizedCodeBlock. It was trying to guess it by using
1830         baselineCodeBlock->replacement(), but that's wrong for FTL-for-OSR-entry code blocks.
1831         
1832         This is a 1% improvement in V8Spider-CompileTime.
1833
1834         * bytecode/ExitKind.cpp:
1835         (JSC::exitKindMayJettison):
1836         * dfg/DFGAbstractInterpreter.h:
1837         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
1838         (JSC::DFG::AbstractInterpreter::filterByType): Deleted.
1839         * dfg/DFGAbstractInterpreterInlines.h:
1840         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::AbstractInterpreterExecuteEdgesFunc):
1841         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::operator() const):
1842         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
1843         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByType):
1844         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
1845         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1846         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1847         * dfg/DFGAbstractValue.cpp:
1848         (JSC::DFG::AbstractValue::filterSlow):
1849         (JSC::DFG::AbstractValue::fastForwardToAndFilterSlow):
1850         * dfg/DFGAbstractValue.h:
1851         (JSC::DFG::AbstractValue::filter):
1852         (JSC::DFG::AbstractValue::fastForwardToAndFilter):
1853         (JSC::DFG::AbstractValue::fastForwardToAndFilterUnproven):
1854         (JSC::DFG::AbstractValue::makeTop):
1855         * dfg/DFGAtTailAbstractState.h:
1856         (JSC::DFG::AtTailAbstractState::fastForward):
1857         (JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
1858         (JSC::DFG::AtTailAbstractState::fastForwardAndFilterUnproven):
1859         * dfg/DFGGraph.h:
1860         (JSC::DFG::Graph::doToChildren):
1861         * dfg/DFGInPlaceAbstractState.h:
1862         (JSC::DFG::InPlaceAbstractState::fastForward):
1863         (JSC::DFG::InPlaceAbstractState::fastForwardAndFilterUnproven):
1864         (JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
1865         * dfg/DFGOSRExit.cpp:
1866         (JSC::DFG::OSRExit::executeOSRExit):
1867         * dfg/DFGOSRExitCompilerCommon.cpp:
1868         (JSC::DFG::handleExitCounts):
1869         * dfg/DFGOperations.cpp:
1870         * dfg/DFGOperations.h:
1871
1872 2018-05-09  Saam Barati  <sbarati@apple.com>
1873
1874         Add JSVirtualMachine SPI to shrink the memory footprint of the VM
1875         https://bugs.webkit.org/show_bug.cgi?id=185441
1876         <rdar://problem/39999414>
1877
1878         Reviewed by Keith Miller.
1879
1880         This patch adds JSVirtualMachine SPI to release as much memory as possible.
1881         The SPI does the following:
1882         - Deletes all code caches.
1883         - Runs a synchronous GC.
1884         - Runs the scavenger.
1885
1886         * API/JSVirtualMachine.mm:
1887         (-[JSVirtualMachine shrinkFootprint]):
1888         * API/JSVirtualMachinePrivate.h: Added.
1889         * API/tests/testapi.mm:
1890         (testObjectiveCAPIMain):
1891         * JavaScriptCore.xcodeproj/project.pbxproj:
1892         * runtime/VM.cpp:
1893         (JSC::VM::shrinkFootprint):
1894         * runtime/VM.h:
1895
1896 2018-05-09  Leo Balter  <leonardo.balter@gmail.com>
1897
1898         [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
1899         Error found in the following Test262 tests:
1900
1901         - test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js
1902         - test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js
1903         - test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js
1904
1905         ArraySpeciesCreate should throw a RangeError for non-Array custom objects
1906         whose length is > 2**32-1
1907         https://bugs.webkit.org/show_bug.cgi?id=185476
1908
1909         Reviewed by Yusuke Suzuki.
1910
1911         * runtime/ArrayPrototype.cpp:
1912
1913 2018-05-09  Michael Catanzaro  <mcatanzaro@igalia.com>
1914
1915         [WPE] Build cleanly with GCC 8 and ICU 60
1916         https://bugs.webkit.org/show_bug.cgi?id=185462
1917
1918         Reviewed by Carlos Alberto Lopez Perez.
1919
1920         * API/glib/JSCClass.cpp: Silence many -Wcast-function-type warnings.
1921         (jsc_class_add_constructor):
1922         (jsc_class_add_method):
1923         * API/glib/JSCValue.cpp: Silence many -Wcast-function-type warnings.
1924         (jsc_value_object_define_property_accessor):
1925         (jsc_value_new_function):
1926         * CMakeLists.txt: Build BuiltinNames.cpp with -fno-var-tracking-assignments. This was a
1927         problem with GCC 7 too, but might as well fix it now.
1928         * assembler/ProbeContext.h:
1929         (JSC::Probe::CPUState::gpr const): Silence a -Wclass-memaccess warning.
1930         (JSC::Probe::CPUState::spr const): Ditto. Assume std::remove_const is safe to clobber.
1931         * b3/air/AirArg.h:
1932         (JSC::B3::Air::Arg::isRepresentableAs): Silence -Wfallthrough warning.
1933         * builtins/BuiltinNames.cpp:
1934         (JSC::BuiltinNames::BuiltinNames): Moved from BuiltinNames.h so we can use a special flag.
1935         * builtins/BuiltinNames.h:
1936         (JSC::BuiltinNames::BuiltinNames): Moved to BuiltinNames.cpp.
1937         * dfg/DFGDoubleFormatState.h:
1938         (JSC::DFG::mergeDoubleFormatStates): Silence -Wfallthrough warnings.
1939         * heap/MarkedBlockInlines.h:
1940         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType): Silence -Wfallthrough warnings.
1941         * runtime/ConfigFile.cpp:
1942         (JSC::ConfigFile::canonicalizePaths): Here GCC found a genuine mistake: strncat was called
1943         with the wrong length parameter, and the result was not null-terminated. Also, silence a
1944         -Wstringop-truncation warning, as we intentionally truncate filenames that exceed PATH_MAX.
1945         * runtime/IntlDateTimeFormat.cpp:
1946         (JSC::IntlDateTimeFormat::partTypeString): Avoid an ICU deprecation warning.
1947         * runtime/JSGlobalObject.cpp:
1948         (JSC::JSGlobalObject::init): We were unconditionally running some BigInt code by accident.
1949         (JSC::JSGlobalObject::visitChildren): Probably a serious bug? Fixed.
1950
1951 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1952
1953         [ARMv7] Drop ARMv7 disassembler in favor of capstone
1954         https://bugs.webkit.org/show_bug.cgi?id=185423
1955
1956         Reviewed by Michael Catanzaro.
1957
1958         This patch removes ARMv7Disassembler in our tree.
1959         We already adopted Capstone, and it is already used in ARMv7 JIT environments.
1960
1961         * CMakeLists.txt:
1962         * JavaScriptCore.xcodeproj/project.pbxproj:
1963         * Sources.txt:
1964         * disassembler/ARMv7/ARMv7DOpcode.cpp: Removed.
1965         * disassembler/ARMv7/ARMv7DOpcode.h: Removed.
1966         * disassembler/ARMv7Disassembler.cpp: Removed.
1967
1968 2018-05-09  Srdjan Lazarevic  <srdjan.lazarevic@rt-rk.com>
1969
1970         [MIPS] Optimize generated JIT code using r2
1971         https://bugs.webkit.org/show_bug.cgi?id=184584
1972
1973         Reviewed by Yusuke Suzuki.
1974
1975         Implemented the EXT and MFHC1 instructions from MIPSR2 and used them where possible.
1976         Also, did some code size optimizations that were discovered in the meantime.
1977
1978         * assembler/MIPSAssembler.h:
1979         (JSC::MIPSAssembler::ext):
1980         (JSC::MIPSAssembler::mfhc1):
1981         * assembler/MacroAssemblerMIPS.cpp:
1982         * assembler/MacroAssemblerMIPS.h:
1983         (JSC::MacroAssemblerMIPS::isPowerOf2):
1984         (JSC::MacroAssemblerMIPS::bitPosition):
1985         (JSC::MacroAssemblerMIPS::loadAddress):
1986         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
1987         (JSC::MacroAssemblerMIPS::load8):
1988         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1989         (JSC::MacroAssemblerMIPS::load32):
1990         (JSC::MacroAssemblerMIPS::load16Unaligned):
1991         (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
1992         (JSC::MacroAssemblerMIPS::load16):
1993         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
1994         (JSC::MacroAssemblerMIPS::store8):
1995         (JSC::MacroAssemblerMIPS::store16):
1996         (JSC::MacroAssemblerMIPS::store32):
1997         (JSC::MacroAssemblerMIPS::branchTest32):
1998         (JSC::MacroAssemblerMIPS::loadFloat):
1999         (JSC::MacroAssemblerMIPS::loadDouble):
2000         (JSC::MacroAssemblerMIPS::storeFloat):
2001         (JSC::MacroAssemblerMIPS::storeDouble):
2002
2003 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2004
2005         [JSC][GTK][JSCONLY] Use capstone disassembler
2006         https://bugs.webkit.org/show_bug.cgi?id=185283
2007
2008         Reviewed by Michael Catanzaro.
2009
2010         Instead of adding a MIPS disassembler written by ourselves, we import the capstone disassembler,
2011         and use the capstone disassembler for MIPS, ARM, and ARMv7 in the GTK, WPE, WinCairo and JSCOnly ports.
2012
2013         And we remove the ARM LLVM disassembler.
2014
2015         Capstone is licensed under 3-clause BSD, which is acceptable in WebKit tree.
2016
2017         * CMakeLists.txt:
2018         * Sources.txt:
2019         * disassembler/ARMLLVMDisassembler.cpp: Removed.
2020         * disassembler/CapstoneDisassembler.cpp: Added.
2021         (JSC::tryToDisassemble):
2022
2023 2018-05-09  Dominik Infuehr  <dinfuehr@igalia.com>
2024
2025         [MIPS] Use mfhc1 and mthc1 to fix assembler error
2026         https://bugs.webkit.org/show_bug.cgi?id=185464
2027
2028         Reviewed by Yusuke Suzuki.
2029
2030         The binutils-assembler started to report failures for copying words between
2031         GP and FP registers for odd FP register indices. Use mfhc1 and mthc1 instead
2032         of mfc1 and mtc1 for conversion.
2033
2034         * offlineasm/mips.rb:
2035
2036 2018-05-08  Dominik Infuehr  <dinfuehr@igalia.com>
2037
2038         [MIPS] Collect callee-saved register using inline assembly
2039         https://bugs.webkit.org/show_bug.cgi?id=185428
2040
2041         Reviewed by Yusuke Suzuki.
2042
2043         MIPS used setjmp instead of collecting registers with inline assembly like
2044         other architectures.
2045
2046         * heap/RegisterState.h:
2047
2048 2018-05-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2049
2050         [BigInt] Simplifying JSBigInt by using bool addition
2051         https://bugs.webkit.org/show_bug.cgi?id=185374
2052
2053         Reviewed by Alex Christensen.
2054
2055         Since using TWO_DIGIT does not produce good code, we remove this part from digitAdd and digitSub.
2056         Just adding the overflow flag to the carry/borrow produces setb + add on x86.
2057
2058         Also, we annotate small helper functions and accessors with `inline` so that these functions are not called
2059         inside the internalMultiplyAdd loop.
2060
2061         * runtime/JSBigInt.cpp:
2062         (JSC::JSBigInt::isZero):
2063         (JSC::JSBigInt::inplaceMultiplyAdd):
2064         (JSC::JSBigInt::digitAdd):
2065         (JSC::JSBigInt::digitSub):
2066         (JSC::JSBigInt::digitMul):
2067         (JSC::JSBigInt::digitPow):
2068         (JSC::JSBigInt::digitDiv):
2069         (JSC::JSBigInt::offsetOfData):
2070         (JSC::JSBigInt::dataStorage):
2071         (JSC::JSBigInt::digit):
2072         (JSC::JSBigInt::setDigit):
2073
2074 2018-05-08  Michael Saboff  <msaboff@apple.com>
2075
2076         Replace multiple Watchpoint Set fireAll() methods with templates
2077         https://bugs.webkit.org/show_bug.cgi?id=185456
2078
2079         Reviewed by Saam Barati.
2080
2081         Refactored to minimize duplicate code.
2082
2083         * bytecode/Watchpoint.h:
2084         (JSC::WatchpointSet::fireAll):
2085         (JSC::InlineWatchpointSet::fireAll):
2086
2087 2018-05-08  Filip Pizlo  <fpizlo@apple.com>
2088
2089         DFG::FlowMap::resize() shouldn't resize the shadow map unless we're in SSA
2090         https://bugs.webkit.org/show_bug.cgi?id=185453
2091
2092         Reviewed by Michael Saboff.
2093         
2094         Tiny improvement for compile times.
2095
2096         * dfg/DFGFlowMap.h:
2097         (JSC::DFG::FlowMap::resize): Remove one Vector::resize() when we're not in SSA.
2098         * dfg/DFGInPlaceAbstractState.cpp:
2099         (JSC::DFG::InPlaceAbstractState::beginBasicBlock): Record some data about how long we spend in different parts of this and add a FIXME linking bug 185452.
2100
2101 2018-05-08  Michael Saboff  <msaboff@apple.com>
2102
2103         Deferred firing of structure transition watchpoints is racy
2104         https://bugs.webkit.org/show_bug.cgi?id=185438
2105
2106         Reviewed by Saam Barati.
2107
2108         Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire
2109         and fire them in the destructor.  When the watchpoints are taken from the
2110         original WatchpointSet, that WatchpointSet is marked invalid.
2111
2112         * bytecode/Watchpoint.cpp:
2113         (JSC::WatchpointSet::fireAllSlow):
2114         (JSC::WatchpointSet::take):
2115         (JSC::DeferredWatchpointFire::DeferredWatchpointFire):
2116         (JSC::DeferredWatchpointFire::~DeferredWatchpointFire):
2117         (JSC::DeferredWatchpointFire::fireAll):
2118         (JSC::DeferredWatchpointFire::takeWatchpointsToFire):
2119         * bytecode/Watchpoint.h:
2120         (JSC::WatchpointSet::fireAll):
2121         (JSC::InlineWatchpointSet::fireAll):
2122         * runtime/JSObject.cpp:
2123         (JSC::JSObject::setPrototypeDirect):
2124         (JSC::JSObject::convertToDictionary):
2125         * runtime/JSObjectInlines.h:
2126         (JSC::JSObject::putDirectInternal):
2127         * runtime/Structure.cpp:
2128         (JSC::Structure::Structure):
2129         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire):
2130         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
2131         (JSC::DeferredStructureTransitionWatchpointFire::dump const):
2132         (JSC::Structure::didTransitionFromThisStructure const):
2133         (JSC::DeferredStructureTransitionWatchpointFire::add): Deleted.
2134         * runtime/Structure.h:
2135         (JSC::DeferredStructureTransitionWatchpointFire::structure const):
2136
2137 2018-05-08  Eric Carlson  <eric.carlson@apple.com>
2138
2139         Consecutive messages logged as JSON are coalesced
2140         https://bugs.webkit.org/show_bug.cgi?id=185432
2141
2142         Reviewed by Joseph Pecoraro.
2143
2144         * inspector/ConsoleMessage.cpp:
2145         (Inspector::ConsoleMessage::isEqual const): Messages with JSON arguments are not equal.
2146
2147 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
2148
2149         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
2150         https://bugs.webkit.org/show_bug.cgi?id=185365
2151
2152         Reviewed by Saam Barati.
2153         
2154         This patch does three things to improve compile times:
2155         
2156         - Fixes some inlining goofs.
2157         
2158         - Adds the ability to measure compile times with run-jsc-benchmarks.
2159         
2160         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
2161           code that clears abstract values. It turns out that only constant folding "needed" this, in the
2162           sense that this was the only thing protecting it from loading the abstract value of a no-result
2163           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
2164           Any node that produces a result will explicitly set its abstract value, so this problem can
2165           also be guarded by just having constant folding check if the node it wants to fold returns any
2166           result.
2167         
2168         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
2169         
2170         Rolling back in after fixing cloop build.
2171
2172         * dfg/DFGAbstractInterpreterInlines.h:
2173         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2174         * dfg/DFGAbstractValue.cpp:
2175         (JSC::DFG::AbstractValue::set):
2176         * dfg/DFGAbstractValue.h:
2177         (JSC::DFG::AbstractValue::merge):
2178         * dfg/DFGConstantFoldingPhase.cpp:
2179         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2180         * dfg/DFGGraph.h:
2181         (JSC::DFG::Graph::doToChildrenWithNode):
2182         (JSC::DFG::Graph::doToChildren):
2183         * dfg/DFGInPlaceAbstractState.cpp:
2184         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
2185         * jit/JIT.cpp:
2186         (JSC::JIT::totalCompileTime):
2187         * jit/JIT.h:
2188         * jsc.cpp:
2189         (GlobalObject::finishCreation):
2190         (functionTotalCompileTime):
2191
2192 2018-05-08  Ryan Haddad  <ryanhaddad@apple.com>
2193
2194         Unreviewed, rolling out r231468.
2195
2196         Broke the CLoop build
2197
2198         Reverted changeset:
2199
2200         "InPlaceAbstractState::beginBasicBlock shouldn't have to clear
2201         any abstract values"
2202         https://bugs.webkit.org/show_bug.cgi?id=185365
2203         https://trac.webkit.org/changeset/231468
2204
2205 2018-05-07  Daniel Bates  <dabates@apple.com>
2206
2207         Check X-Frame-Options and CSP frame-ancestors in network process
2208         https://bugs.webkit.org/show_bug.cgi?id=185410
2209         <rdar://problem/37733934>
2210
2211         Reviewed by Ryosuke Niwa.
2212
2213         Add enum traits for MessageSource and MessageLevel so that we can encode and decode them for IPC.
2214
2215         * runtime/ConsoleTypes.h:
2216
2217 2018-05-07  Saam Barati  <sbarati@apple.com>
2218
2219         Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them
2220         https://bugs.webkit.org/show_bug.cgi?id=185329
2221         <rdar://problem/39961536>
2222
2223         Reviewed by Michael Saboff.
2224
2225         I was made aware of a memory goof inside of JSC where we would inefficiently
2226         use space to represent an UnlinkedFunctionExecutable's parent TDZ variables.
2227         
2228         We did two things badly:
2229         1. We used a HashMap instead of a Vector to represent the environment. Having
2230         a HashMap is useful when looking things up when generating bytecode, but it's
2231         space inefficient. Since UnlinkedFunctionExecutables live a long time because
2232         of the code cache, we should have them store this information efficiently
2233         inside of a Vector.
2234         
2235         2. We didn't hash-cons these environments together. If you think about how
2236         some programs are structured, hash-consing these together is hugely profitable.
2237         Consider some code like this:
2238         ```
2239         const/let V_1 = ...;
2240         const/let V_2 = ...;
2241         ...
2242         const/let V_n = ...;
2243         
2244         function f_1() { ... };
2245         function f_2() { ... };
2246         ...
2247         function f_n() { ... };
2248         ```
2249         
2250         Each f_i would store an identical hash map for its parent TDZ variables
2251         consisting of {V_1, ..., V_n}. This was incredibly dumb. With hash-consing,
2252         each f_i just holds onto a reference to the environment.
2253         
2254         I benchmarked this change against an app that made heavy use of the
2255         above code pattern and it reduced its peak memory footprint from ~220MB
2256         to ~160MB.
2257
2258         * bytecode/UnlinkedFunctionExecutable.cpp:
2259         (JSC::generateUnlinkedFunctionCodeBlock):
2260         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2261         * bytecode/UnlinkedFunctionExecutable.h:
2262         * parser/VariableEnvironment.cpp:
2263         (JSC::CompactVariableEnvironment::CompactVariableEnvironment):
2264         (JSC::CompactVariableEnvironment::operator== const):
2265         (JSC::CompactVariableEnvironment::toVariableEnvironment const):
2266         (JSC::CompactVariableMap::get):
2267         (JSC::CompactVariableMap::Handle::~Handle):
2268         * parser/VariableEnvironment.h:
2269         (JSC::VariableEnvironmentEntry::bits const):
2270         (JSC::VariableEnvironmentEntry::operator== const):
2271         (JSC::VariableEnvironment::isEverythingCaptured const):
2272         (JSC::CompactVariableEnvironment::hash const):
2273         (JSC::CompactVariableMapKey::CompactVariableMapKey):
2274         (JSC::CompactVariableMapKey::hash):
2275         (JSC::CompactVariableMapKey::equal):
2276         (JSC::CompactVariableMapKey::makeDeletedValue):
2277         (JSC::CompactVariableMapKey::isHashTableDeletedValue const):
2278         (JSC::CompactVariableMapKey::isHashTableEmptyValue const):
2279         (JSC::CompactVariableMapKey::environment):
2280         (WTF::HashTraits<JSC::CompactVariableMapKey>::emptyValue):
2281         (WTF::HashTraits<JSC::CompactVariableMapKey>::isEmptyValue):
2282         (WTF::HashTraits<JSC::CompactVariableMapKey>::constructDeletedValue):
2283         (WTF::HashTraits<JSC::CompactVariableMapKey>::isDeletedValue):
2284         (JSC::CompactVariableMap::Handle::Handle):
2285         (JSC::CompactVariableMap::Handle::environment const):
2286         (JSC::VariableEnvironment::VariableEnvironment): Deleted.
2287         * runtime/VM.cpp:
2288         (JSC::VM::VM):
2289         * runtime/VM.h:
2290
2291 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2292
2293         [DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers
2294         https://bugs.webkit.org/show_bug.cgi?id=185371
2295
2296         Reviewed by Mark Lam.
2297
2298         Since MIPS GPRInfo claims it has only 7 registers, some of the DFG code exhausts registers.
2299         As a result, we need to maintain separate code for MIPS. This increases the DFG maintenance burden,
2300         but MIPS actually has many more registers.
2301
2302         This patch adds $a0 - $a3 to the temporary registers. This is OK since our temporary registers can overlap with
2303         the argument registers (see the ARM and X86 implementations). These registers are caller-save, so we do not need
2304         any extra mechanism.
2305
2306         Then, we remove several unnecessary MIPS-specific code paths from our JIT infrastructure.
2307
2308         * dfg/DFGByteCodeParser.cpp:
2309         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2310         * dfg/DFGFixupPhase.cpp:
2311         (JSC::DFG::FixupPhase::fixupNode):
2312         * dfg/DFGSpeculativeJIT32_64.cpp:
2313         (JSC::DFG::SpeculativeJIT::compile):
2314         * jit/CCallHelpers.h:
2315         * jit/GPRInfo.h:
2316         (JSC::GPRInfo::toRegister):
2317         (JSC::GPRInfo::toIndex):
2318         * offlineasm/mips.rb:
2319
2320 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
2321
2322         DFG AI should have O(1) clobbering
2323         https://bugs.webkit.org/show_bug.cgi?id=185287
2324
2325         Reviewed by Saam Barati.
2326         
2327         This fixes an old scalability problem in AI. Previously, if we did clobberWorld(), then we
2328         would traverse all of the state available to the AI at that time and clobber it.
2329         
2330         This changes clobberWorld() to be O(1). It just does some math to a clobber epoch.
2331         
2332         This is a ~1% speed-up for compile times.
2333
2334         * JavaScriptCore.xcodeproj/project.pbxproj:
2335         * Sources.txt:
2336         * dfg/DFGAbstractInterpreter.h:
2337         (JSC::DFG::AbstractInterpreter::forNode):
2338         (JSC::DFG::AbstractInterpreter::setForNode):
2339         (JSC::DFG::AbstractInterpreter::clearForNode):
2340         (JSC::DFG::AbstractInterpreter::variables): Deleted.
2341         * dfg/DFGAbstractInterpreterInlines.h:
2342         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2343         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
2344         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
2345         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
2346         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
2347         * dfg/DFGAbstractValue.cpp:
2348         (JSC::DFG::AbstractValue::fastForwardToSlow):
2349         * dfg/DFGAbstractValue.h:
2350         (JSC::DFG::AbstractValue::fastForwardTo):
2351         (JSC::DFG::AbstractValue::clobberStructuresFor): Deleted.
2352         (JSC::DFG::AbstractValue::observeInvalidationPoint): Deleted.
2353         (JSC::DFG::AbstractValue::observeInvalidationPointFor): Deleted.
2354         * dfg/DFGAbstractValueClobberEpoch.cpp: Added.
2355         (JSC::DFG::AbstractValueClobberEpoch::dump const):
2356         * dfg/DFGAbstractValueClobberEpoch.h: Added.
2357         (JSC::DFG::AbstractValueClobberEpoch::AbstractValueClobberEpoch):
2358         (JSC::DFG::AbstractValueClobberEpoch::first):
2359         (JSC::DFG::AbstractValueClobberEpoch::clobber):
2360         (JSC::DFG::AbstractValueClobberEpoch::observeInvalidationPoint):
2361         (JSC::DFG::AbstractValueClobberEpoch::operator== const):
2362         (JSC::DFG::AbstractValueClobberEpoch::operator!= const):
2363         (JSC::DFG::AbstractValueClobberEpoch::structureClobberState const):
2364         (JSC::DFG::AbstractValueClobberEpoch::clobberEpoch const):
2365         * dfg/DFGAtTailAbstractState.h:
2366         (JSC::DFG::AtTailAbstractState::setForNode):
2367         (JSC::DFG::AtTailAbstractState::clearForNode):
2368         (JSC::DFG::AtTailAbstractState::numberOfArguments const):
2369         (JSC::DFG::AtTailAbstractState::numberOfLocals const):
2370         (JSC::DFG::AtTailAbstractState::operand):
2371         (JSC::DFG::AtTailAbstractState::local):
2372         (JSC::DFG::AtTailAbstractState::argument):
2373         (JSC::DFG::AtTailAbstractState::clobberStructures):
2374         (JSC::DFG::AtTailAbstractState::observeInvalidationPoint):
2375         (JSC::DFG::AtTailAbstractState::variables): Deleted.
2376         * dfg/DFGCFAPhase.cpp:
2377         (JSC::DFG::CFAPhase::performBlockCFA):
2378         * dfg/DFGConstantFoldingPhase.cpp:
2379         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2380         * dfg/DFGFlowMap.h:
2381         (JSC::DFG::FlowMap::at):
2382         (JSC::DFG::FlowMap::atShadow):
2383         (JSC::DFG::FlowMap::at const):
2384         (JSC::DFG::FlowMap::atShadow const):
2385         * dfg/DFGInPlaceAbstractState.cpp:
2386         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
2387         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2388         * dfg/DFGInPlaceAbstractState.h:
2389         (JSC::DFG::InPlaceAbstractState::forNode):
2390         (JSC::DFG::InPlaceAbstractState::setForNode):
2391         (JSC::DFG::InPlaceAbstractState::clearForNode):
2392         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
2393         (JSC::DFG::InPlaceAbstractState::numberOfArguments const):
2394         (JSC::DFG::InPlaceAbstractState::numberOfLocals const):
2395         (JSC::DFG::InPlaceAbstractState::operand):
2396         (JSC::DFG::InPlaceAbstractState::local):
2397         (JSC::DFG::InPlaceAbstractState::argument):
2398         (JSC::DFG::InPlaceAbstractState::variableAt):
2399         (JSC::DFG::InPlaceAbstractState::clobberStructures):
2400         (JSC::DFG::InPlaceAbstractState::observeInvalidationPoint):
2401         (JSC::DFG::InPlaceAbstractState::fastForward):
2402         (JSC::DFG::InPlaceAbstractState::variables): Deleted.
2403         * dfg/DFGSpeculativeJIT64.cpp:
2404         (JSC::DFG::SpeculativeJIT::compile):
2405         * ftl/FTLLowerDFGToB3.cpp:
2406         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
2407
2408 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
2409
2410         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
2411         https://bugs.webkit.org/show_bug.cgi?id=185365
2412
2413         Reviewed by Saam Barati.
2414         
2415         This patch does three things to improve compile times:
2416         
2417         - Fixes some inlining goofs.
2418         
2419         - Adds the ability to measure compile times with run-jsc-benchmarks.
2420         
2421         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
2422           code that clears abstract values. It turns out that only constant folding "needed" this, in the
2423           sense that this was the only thing protecting it from loading the abstract value of a no-result
2424           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
2425           Any node that produces a result will explicitly set its abstract value, so this problem can
2426           also be guarded by just having constant folding check if the node it wants to fold returns any
2427           result.
2428         
2429         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
2430
2431         * dfg/DFGAbstractInterpreterInlines.h:
2432         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2433         * dfg/DFGAbstractValue.cpp:
2434         (JSC::DFG::AbstractValue::set):
2435         * dfg/DFGAbstractValue.h:
2436         (JSC::DFG::AbstractValue::merge):
2437         * dfg/DFGConstantFoldingPhase.cpp:
2438         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2439         * dfg/DFGGraph.h:
2440         (JSC::DFG::Graph::doToChildrenWithNode):
2441         (JSC::DFG::Graph::doToChildren):
2442         * dfg/DFGInPlaceAbstractState.cpp:
2443         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
2444         * jit/JIT.cpp:
2445         (JSC::JIT::totalCompileTime):
2446         * jit/JIT.h:
2447         * jsc.cpp:
2448         (GlobalObject::finishCreation):
2449         (functionTotalCompileTime):
2450
2451 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
2452
2453         DFG AI doesn't need to merge valuesAtTail - it can just assign them
2454         https://bugs.webkit.org/show_bug.cgi?id=185355
2455
2456         Reviewed by Mark Lam.
2457         
2458         This is a further attempt to improve compile times. Assigning AbstractValue ought to always
2459         be faster than merging. There's no need to merge valuesAtTail. In most cases, assigning and
2460         merging will get the same answer because the value computed this time will be either the same
2461         as or more general than the value computed last time. If the value does change for some
2462         reason, then valuesAtHead are already merged, which ensures monotonicity. Also, if the value
2463         changes, then we have no reason to believe that this new value is less right than the last
2464         one we computed. Finally, the one client of valuesAtTail (AtTailAbstractState) doesn't care
2465         if it's getting the merged valuesAtTail or just some correct answer for valuesAtTail.
2466
2467         * dfg/DFGInPlaceAbstractState.cpp:
2468         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2469
2470 2018-05-07  Andy VanWagoner  <andy@vanwagoner.family>
2471
2472         Remove defunct email address
2473         https://bugs.webkit.org/show_bug.cgi?id=185396
2474
2475         Reviewed by Mark Lam.
2476
2477         The email address thetalecrafter@gmail.com is no longer valid, as the
2478         associated google account has been closed. This updates the email
2479         address so questions about these Intl contributions go to the right
2480         place.
2481
2482         * builtins/DatePrototype.js:
2483         * builtins/NumberPrototype.js:
2484         * builtins/StringPrototype.js:
2485         * runtime/IntlCollator.cpp:
2486         * runtime/IntlCollator.h:
2487         * runtime/IntlCollatorConstructor.cpp:
2488         * runtime/IntlCollatorConstructor.h:
2489         * runtime/IntlCollatorPrototype.cpp:
2490         * runtime/IntlCollatorPrototype.h:
2491         * runtime/IntlDateTimeFormat.cpp:
2492         * runtime/IntlDateTimeFormat.h:
2493         * runtime/IntlDateTimeFormatConstructor.cpp:
2494         * runtime/IntlDateTimeFormatConstructor.h:
2495         * runtime/IntlDateTimeFormatPrototype.cpp:
2496         * runtime/IntlDateTimeFormatPrototype.h:
2497         * runtime/IntlNumberFormat.cpp:
2498         * runtime/IntlNumberFormat.h:
2499         * runtime/IntlNumberFormatConstructor.cpp:
2500         * runtime/IntlNumberFormatConstructor.h:
2501         * runtime/IntlNumberFormatPrototype.cpp:
2502         * runtime/IntlNumberFormatPrototype.h:
2503         * runtime/IntlObject.cpp:
2504         * runtime/IntlObject.h:
2505         * runtime/IntlPluralRules.cpp:
2506         * runtime/IntlPluralRules.h:
2507         * runtime/IntlPluralRulesConstructor.cpp:
2508         * runtime/IntlPluralRulesConstructor.h:
2509         * runtime/IntlPluralRulesPrototype.cpp:
2510         * runtime/IntlPluralRulesPrototype.h:
2511
2512 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2513
2514         [JSC] Remove "using namespace std;" from JSC, bmalloc, WTF
2515         https://bugs.webkit.org/show_bug.cgi?id=185362
2516
2517         Reviewed by Sam Weinig.
2518
2519         "namespace std" may include many names. It can conflict with names defined by our code
2520         and by platform-provided headers. For example, std::byte conflicts with Windows'
2521         ::byte.
2522         This patch removes "using namespace std;" from JSC and bmalloc.
2523
2524         * API/JSClassRef.cpp:
2525         (OpaqueJSClass::create):
2526         * bytecode/Opcode.cpp:
2527         * bytecompiler/BytecodeGenerator.cpp:
2528         (JSC::BytecodeGenerator::newRegister):
2529         * heap/Heap.cpp:
2530         (JSC::Heap::updateAllocationLimits):
2531         * interpreter/Interpreter.cpp:
2532         * jit/JIT.cpp:
2533         * parser/Parser.cpp:
2534         * runtime/JSArray.cpp:
2535         * runtime/JSLexicalEnvironment.cpp:
2536         * runtime/JSModuleEnvironment.cpp:
2537         * runtime/Structure.cpp:
2538         * shell/DLLLauncherMain.cpp:
2539         (getStringValue):
2540         (applePathFromRegistry):
2541         (appleApplicationSupportDirectory):
2542         (copyEnvironmentVariable):
2543         (prependPath):
2544         (fatalError):
2545         (directoryExists):
2546         (modifyPath):
2547         (getLastErrorString):
2548         (wWinMain):
2549
2550 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
2551
2552         DFG CFA phase should only do clobber asserts in debug
2553         https://bugs.webkit.org/show_bug.cgi?id=185354
2554
2555         Reviewed by Saam Barati.
2556         
2557         Clobber asserts are responsible for 1% of compile time. That's too much. This disables them
2558         unless asserts are enabled.
2559
2560         * dfg/DFGCFAPhase.cpp:
2561         (JSC::DFG::CFAPhase::performBlockCFA):
2562
2563 2018-05-04  Keith Miller  <keith_miller@apple.com>
2564
2565         isCacheableArrayLength should return true for undecided arrays
2566         https://bugs.webkit.org/show_bug.cgi?id=185309
2567
2568         Reviewed by Michael Saboff.
2569
2570         Undecided arrays have butterflies so there is no reason why we
2571         should not be able to cache their length.
2572
2573         * bytecode/InlineAccess.cpp:
2574         (JSC::InlineAccess::isCacheableArrayLength):
2575
2576 2018-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2577
2578         Remove std::random_shuffle
2579         https://bugs.webkit.org/show_bug.cgi?id=185292
2580
2581         Reviewed by Darin Adler.
2582
2583         std::random_shuffle is deprecated in C++14 and removed in C++17,
2584         since std::random_shuffle relies on rand and srand.
2585         Use std::shuffle instead.
2586
2587         * jit/BinarySwitch.cpp:
2588         (JSC::RandomNumberGenerator::RandomNumberGenerator):
2589         (JSC::RandomNumberGenerator::operator()):
2590         (JSC::RandomNumberGenerator::min):
2591         (JSC::RandomNumberGenerator::max):
2592         (JSC::BinarySwitch::build):
2593
2594 2018-05-03  Saam Barati  <sbarati@apple.com>
2595
2596         Don't prevent CreateThis being folded to NewObject when the structure is poly proto
2597         https://bugs.webkit.org/show_bug.cgi?id=185177
2598
2599         Reviewed by Filip Pizlo.
2600
2601         This patch teaches the DFG/FTL how to constant fold CreateThis with
2602         a known poly proto Structure to NewObject. We do it by emitting a NewObject
2603         followed by a PutByOffset for the prototype value.
2604         
2605         We make it so that ObjectAllocationProfile holds the prototype value.
2606         This is sound because JSFunction clears that profile when its 'prototype'
2607         field changes.
2608         
2609         This patch also renames underscoreProtoPrivateName to polyProtoName since
2610         that name was nonsensical: it was only used for poly proto.
2611         
2612         This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
2613         regressed that benchmark when I first introduced poly proto.
2614
2615         * builtins/BuiltinNames.cpp:
2616         * builtins/BuiltinNames.h:
2617         (JSC::BuiltinNames::BuiltinNames):
2618         (JSC::BuiltinNames::polyProtoName const):
2619         (JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
2620         * bytecode/ObjectAllocationProfile.h:
2621         (JSC::ObjectAllocationProfile::prototype):
2622         (JSC::ObjectAllocationProfile::clear):
2623         (JSC::ObjectAllocationProfile::visitAggregate):
2624         * bytecode/ObjectAllocationProfileInlines.h:
2625         (JSC::ObjectAllocationProfile::initializeProfile):
2626         * dfg/DFGAbstractInterpreterInlines.h:
2627         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2628         * dfg/DFGByteCodeParser.cpp:
2629         (JSC::DFG::ByteCodeParser::parseBlock):
2630         * dfg/DFGConstantFoldingPhase.cpp:
2631         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2632         * dfg/DFGOperations.cpp:
2633         * runtime/CommonSlowPaths.cpp:
2634         (JSC::SLOW_PATH_DECL):
2635         * runtime/FunctionRareData.h:
2636         * runtime/Structure.cpp:
2637         (JSC::Structure::create):
2638
2639 2018-05-03  Michael Saboff  <msaboff@apple.com>
2640
2641         OSR entry pruning of Program Bytecodes doesn't take into account try/catch
2642         https://bugs.webkit.org/show_bug.cgi?id=185281
2643
2644         Reviewed by Saam Barati.
2645
2646         When we compute bytecode block reachability, we need to take into account blocks
2647         containing try/catch.
2648
2649         * jit/JIT.cpp:
2650         (JSC::JIT::privateCompileMainPass):
2651
2652 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2653
2654         ARM: Wrong offset for operand rt in disassembler
2655         https://bugs.webkit.org/show_bug.cgi?id=184083
2656
2657         Reviewed by Yusuke Suzuki.
2658
2659         * disassembler/ARMv7/ARMv7DOpcode.h:
2660         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
2661         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):
2662
2663 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2664
2665         ARM: Support vstr in disassembler
2666         https://bugs.webkit.org/show_bug.cgi?id=184084
2667
2668         Reviewed by Yusuke Suzuki.
2669
2670         * disassembler/ARMv7/ARMv7DOpcode.cpp:
2671         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format):
2672         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted.
2673         * disassembler/ARMv7/ARMv7DOpcode.h:
2674         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName):
2675         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted.
2676         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted.
2677         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted.
2678         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted.
2679         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted.
2680         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted.
2681
2682 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2683
2684         Invoke ensureArrayStorage for all arguments
2685         https://bugs.webkit.org/show_bug.cgi?id=185247
2686
2687         Reviewed by Yusuke Suzuki.
2688
2689         ensureArrayStorage was only invoked for the first argument in each loop iteration.
2690
2691         * jsc.cpp:
2692         (functionEnsureArrayStorage):
2693
2694 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
2695
2696         Make it easy to log compile times for all optimizing tiers
2697         https://bugs.webkit.org/show_bug.cgi?id=185270
2698
2699         Reviewed by Keith Miller.
2700         
2701         This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common
2702         helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used
2703         it.
2704         
2705         This should help us reduce compile times by telling us where to look. So, far, it looks like
2706         CFA is the worst.
2707
2708         * JavaScriptCore.xcodeproj/project.pbxproj:
2709         * Sources.txt:
2710         * b3/B3Common.cpp:
2711         (JSC::B3::shouldMeasurePhaseTiming): Deleted.
2712         * b3/B3Common.h:
2713         * b3/B3TimingScope.cpp: Removed.
2714         * b3/B3TimingScope.h:
2715         (JSC::B3::TimingScope::TimingScope):
2716         * dfg/DFGPhase.h:
2717         (JSC::DFG::runAndLog):
2718         * dfg/DFGPlan.cpp:
2719         (JSC::DFG::Plan::compileInThread):
2720         * tools/CompilerTimingScope.cpp: Added.
2721         (JSC::CompilerTimingScope::CompilerTimingScope):
2722         (JSC::CompilerTimingScope::~CompilerTimingScope):
2723         * tools/CompilerTimingScope.h: Added.
2724         * runtime/Options.cpp:
2725         (JSC::recomputeDependentOptions):
2726         * runtime/Options.h:
2727
2728 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
2729
2730         Strings should not be allocated in a gigacage
2731         https://bugs.webkit.org/show_bug.cgi?id=185218
2732
2733         Reviewed by Saam Barati.
2734
2735         * runtime/JSBigInt.cpp:
2736         (JSC::JSBigInt::toStringGeneric):
2737         * runtime/JSString.cpp:
2738         (JSC::JSRopeString::resolveRopeToAtomicString const):
2739         (JSC::JSRopeString::resolveRope const):
2740         * runtime/JSString.h:
2741         (JSC::JSString::create):
2742         (JSC::JSString::createHasOtherOwner):
2743         * runtime/VM.h:
2744         (JSC::VM::gigacageAuxiliarySpace):
2745
2746 2018-05-03  Keith Miller  <keith_miller@apple.com>
2747
2748         Unreviewed, fix 32-bit profile offset for change in bytecode
2749         length of the get_by_id and get_array_length opcodes.
2750
2751         * llint/LowLevelInterpreter32_64.asm:
2752
2753 2018-05-03  Michael Saboff  <msaboff@apple.com>
2754
2755         WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript
2756         https://bugs.webkit.org/show_bug.cgi?id=185231
2757
2758         Reviewed by Saam Barati.
2759
2760         We weren't clearing the scratch register cache when switching back and forth between
2761         allowing and disallowing scratch register usage.  We disallow scratch register usage when we are in
2762         code that will freely allocate and use any register.  Such usage can change the
2763         contents of scratch registers.  For ARM64, where we cache the contents of scratch
2764         registers to reuse some or all of the contained values, we need to invalidate these
2765         caches.  We do this when re-enabling scratch register usage, that is when we transition
2766         from disallow to allow scratch register usage.
2767
2768         Added a new Air regression test.
2769
2770         * assembler/AllowMacroScratchRegisterUsage.h:
2771         (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage):
2772         * assembler/AllowMacroScratchRegisterUsageIf.h:
2773         (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
2774         * assembler/DisallowMacroScratchRegisterUsage.h:
2775         (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage):
2776         * b3/air/testair.cpp:
2777
2778 2018-05-03  Keith Miller  <keith_miller@apple.com>
2779
2780         Remove the prototype caching for get_by_id in the LLInt
2781         https://bugs.webkit.org/show_bug.cgi?id=185226
2782
2783         Reviewed by Michael Saboff.
2784
2785         There is no evidence that this is actually a speedup and we keep
2786         getting bugs with it. At this point it seems like we should just
2787         remove this code.
2788
2789         * CMakeLists.txt:
2790         * JavaScriptCore.xcodeproj/project.pbxproj:
2791         * Sources.txt:
2792         * bytecode/BytecodeDumper.cpp:
2793         (JSC::BytecodeDumper<Block>::printGetByIdOp):
2794         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
2795         (JSC::BytecodeDumper<Block>::dumpBytecode):
2796         * bytecode/BytecodeList.json:
2797         * bytecode/BytecodeUseDef.h:
2798         (JSC::computeUsesForBytecodeOffset):
2799         (JSC::computeDefsForBytecodeOffset):
2800         * bytecode/CodeBlock.cpp:
2801         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2802         * bytecode/CodeBlock.h:
2803         (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
2804         * bytecode/GetByIdStatus.cpp:
2805         (JSC::GetByIdStatus::computeFromLLInt):
2806         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
2807         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
2808         * bytecompiler/BytecodeGenerator.cpp:
2809         (JSC::BytecodeGenerator::emitGetById):
2810         * dfg/DFGByteCodeParser.cpp:
2811         (JSC::DFG::ByteCodeParser::parseBlock):
2812         * dfg/DFGCapabilities.cpp:
2813         (JSC::DFG::capabilityLevel):
2814         * jit/JIT.cpp:
2815         (JSC::JIT::privateCompileMainPass):
2816         (JSC::JIT::privateCompileSlowCases):
2817         * llint/LLIntSlowPaths.cpp:
2818         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2819         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
2820         * llint/LowLevelInterpreter32_64.asm:
2821         * llint/LowLevelInterpreter64.asm:
2822         * runtime/Options.h:
2823
2824 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
2825
2826         Unreviewed, rolling out r231197.
2827
2828         The test added with this change crashes on the 32-bit JSC bot.
2829
2830         Reverted changeset:
2831
2832         "Correctly detect string overflow when using the 'Function'
2833         constructor"
2834         https://bugs.webkit.org/show_bug.cgi?id=184883
2835         https://trac.webkit.org/changeset/231197
2836
2837 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
2838
2839         Disable usage of fused multiply-add instructions for JSC with compiler flag
2840         https://bugs.webkit.org/show_bug.cgi?id=184909
2841
2842         Reviewed by Yusuke Suzuki.
2843
2844         Adds -ffp-contract as compiler flag for building JSC. This ensures that functions
2845         like parseInt() do not return slightly different results depending on whether the
2846         compiler was able to use fused multiply-add instructions or not.
2847
2848         * CMakeLists.txt:
2849
2850 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2851
2852         Unreviewed, fix build failure in ARM, ARMv7 and MIPS
2853         https://bugs.webkit.org/show_bug.cgi?id=185192
2854
2855         compareDouble relies on MacroAssembler::invert function.
2856
2857         * assembler/MacroAssembler.h:
2858         (JSC::MacroAssembler::compareDouble):
2859         * assembler/MacroAssemblerARM.h:
2860         (JSC::MacroAssemblerARM::compareDouble): Deleted.
2861         * assembler/MacroAssemblerARMv7.h:
2862         (JSC::MacroAssemblerARMv7::compareDouble): Deleted.
2863         * assembler/MacroAssemblerMIPS.h:
2864         (JSC::MacroAssemblerMIPS::compareDouble): Deleted.
2865
2866 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2867
2868         [JSC] Add MacroAssembler::and16 and store16
2869         https://bugs.webkit.org/show_bug.cgi?id=185188
2870
2871         Reviewed by Mark Lam.
2872
2873         r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations.
2874         This patch adds these methods for ARM.
2875
2876         * assembler/MacroAssemblerARM.h:
2877         (JSC::MacroAssemblerARM::and16):
2878         (JSC::MacroAssemblerARM::store16):
2879
2880 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2881
2882         [DFG] Unify compare related code in 32bit and 64bit
2883         https://bugs.webkit.org/show_bug.cgi?id=185189
2884
2885         Reviewed by Mark Lam.
2886
2887         This patch unifies some parts of the compare-related code in 32bit and 64bit
2888         to reduce the size of the 32bit-specific DFG code.
2889
2890         * dfg/DFGSpeculativeJIT.cpp:
2891         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
2892         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
2893         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2894         * dfg/DFGSpeculativeJIT32_64.cpp:
2895         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
2896         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
2897         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
2898         * dfg/DFGSpeculativeJIT64.cpp:
2899         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
2900         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
2901         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
2902
2903 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2904
2905         [JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64
2906         https://bugs.webkit.org/show_bug.cgi?id=185192
2907
2908         Reviewed by Mark Lam.
2909
2910         Now Object.is starts using compareDouble. So we would like to have
2911         efficient implementations of compareDouble and compareFloat for the
2912         major architectures, ARM64, X86, and X86_64.
2913
2914         This patch adds compareDouble and compareFloat implementations for
2915         these architectures. And the generic implementation is moved into each
2916         architecture's MacroAssembler implementation.
2917
2918         We also add tests for them in testmasm. To implement this test
2919         easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the
2920         major architectures.
2921
2922         * assembler/MacroAssembler.h:
2923         (JSC::MacroAssembler::compareDouble): Deleted.
2924         (JSC::MacroAssembler::compareFloat): Deleted.
2925         * assembler/MacroAssemblerARM.h:
2926         (JSC::MacroAssemblerARM::compareDouble):
2927         * assembler/MacroAssemblerARM64.h:
2928         (JSC::MacroAssemblerARM64::compareDouble):
2929         (JSC::MacroAssemblerARM64::compareFloat):
2930         (JSC::MacroAssemblerARM64::loadFloat):
2931         (JSC::MacroAssemblerARM64::floatingPointCompare):
2932         * assembler/MacroAssemblerARMv7.h:
2933         (JSC::MacroAssemblerARMv7::compareDouble):
2934         * assembler/MacroAssemblerMIPS.h:
2935         (JSC::MacroAssemblerMIPS::compareDouble):
2936         * assembler/MacroAssemblerX86Common.h:
2937         (JSC::MacroAssemblerX86Common::loadFloat):
2938         (JSC::MacroAssemblerX86Common::compareDouble):
2939         (JSC::MacroAssemblerX86Common::compareFloat):
2940         (JSC::MacroAssemblerX86Common::floatingPointCompare):
2941         * assembler/X86Assembler.h:
2942         (JSC::X86Assembler::movss_mr):
2943         (JSC::X86Assembler::movss_rm):
2944         * assembler/testmasm.cpp:
2945         (JSC::floatOperands):
2946         (JSC::testCompareFloat):
2947         (JSC::run):
2948
2949 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2950
2951         Unreviewed, fix 32bit DFG code
2952         https://bugs.webkit.org/show_bug.cgi?id=185065
2953
2954         * dfg/DFGSpeculativeJIT.cpp:
2955         (JSC::DFG::SpeculativeJIT::compileSameValue):
2956
2957 2018-05-02  Filip Pizlo  <fpizlo@apple.com>
2958
2959         JSC should know how to cache custom getter accesses on the prototype chain
2960         https://bugs.webkit.org/show_bug.cgi?id=185213
2961
2962         Reviewed by Keith Miller.
2963
2964         This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test.
2965
2966         * jit/Repatch.cpp:
2967         (JSC::tryCacheGetByID):
2968
2969 2018-05-01  Filip Pizlo  <fpizlo@apple.com>
2970
2971         JSC should be able to cache custom setter calls on the prototype chain
2972         https://bugs.webkit.org/show_bug.cgi?id=185174
2973
2974         Reviewed by Saam Barati.
2975
2976         We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty()
2977         condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add
2978         impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead
2979         of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for
2980         custom accessors because it won't find the custom property in the structure.
2981
2982         The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty().
2983
2984         This is a 4x speed-up on assign-custom-setter.js.
2985
2986         * bytecode/AccessCase.cpp:
2987         (JSC::AccessCase::hasAlternateBase const):
2988         (JSC::AccessCase::alternateBase const):
2989         (JSC::AccessCase::generateImpl):
2990         * bytecode/AccessCase.h:
2991         (JSC::AccessCase::alternateBase const): Deleted.
2992         * bytecode/GetterSetterAccessCase.cpp:
2993         (JSC::GetterSetterAccessCase::hasAlternateBase const):
2994         (JSC::GetterSetterAccessCase::alternateBase const):
2995         * bytecode/GetterSetterAccessCase.h:
2996         * bytecode/ObjectPropertyConditionSet.cpp:
2997         (JSC::generateConditionsForPrototypePropertyHitCustom):
2998         * bytecode/ObjectPropertyConditionSet.h:
2999         * jit/Repatch.cpp:
3000         (JSC::tryCacheGetByID):
3001         (JSC::tryCachePutByID):
3002
3003 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
3004
3005         [MIPS] Implement and16 and store16 for MacroAssemblerMIPS
3006         https://bugs.webkit.org/show_bug.cgi?id=185195
3007
3008         Reviewed by Mark Lam.
3009
3010         This implements the given functions for MIPS, such that it builds again.
3011
3012         * assembler/MacroAssemblerMIPS.h:
3013         (JSC::MacroAssemblerMIPS::and16):
3014         (JSC::MacroAssemblerMIPS::store16):
3015
3016 2018-05-02  Rick Waldron  <waldron.rick@gmail.com>
3017
3018         Expose "$262.agent.monotonicNow()" for use in testing Atomic operation timeouts
3019         https://bugs.webkit.org/show_bug.cgi?id=185043
3020
3021         Reviewed by Filip Pizlo.
3022
3023         * jsc.cpp:
3024         (GlobalObject::finishCreation):
3025         (functionDollarAgentMonotonicNow):
3026
3027 2018-05-02  Dominik Infuehr  <dinfuehr@igalia.com>
3028
3029         [ARM] Implement and16 and store16 for MacroAssemblerARMv7
3030         https://bugs.webkit.org/show_bug.cgi?id=185196
3031
3032         Reviewed by Mark Lam.
3033
3034         This implements and16 and store16 for MacroAssemblerARMv7 such that JSC builds again.
3035
3036         * assembler/MacroAssemblerARMv7.h:
3037         (JSC::MacroAssemblerARMv7::and16):
3038         (JSC::MacroAssemblerARMv7::store16):
3039
3040 2018-05-02  Robin Morisset  <rmorisset@apple.com>
3041
3042         emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
3043         https://bugs.webkit.org/show_bug.cgi?id=183172
3044
3045         Reviewed by Filip Pizlo.
3046
3047         DFGArgumentsEliminationPhase.cpp currently believes that allocations of NewArrayWithSpread can be deleted if they are only used by GetArrayLength,
3048         but when it then calls emitCodeToGetArgumentsArrayLength, the latter has no idea what to do with GetArrayLength.
3049
3050         I fix the problem by teaching emitCodeToGetArgumentsArrayLength how to deal with GetArrayLength.
3051         Because this requires emitting an Add that can overflow and thus exit, we also tell DFGArgumentsEliminationPhase to give up on eliminating
3052         a NewArrayWithSpread when it is used by a GetArrayLength that is not allowed to exit.
3053
3054         * dfg/DFGArgumentsEliminationPhase.cpp:
3055         * dfg/DFGArgumentsUtilities.cpp:
3056         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3057
3058 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3059
3060         Unreviewed, stackPointer signature is different from declaration
3061         https://bugs.webkit.org/show_bug.cgi?id=184790
3062
3063         * runtime/MachineContext.h:
3064         (JSC::MachineContext::stackPointer):
3065
3066 2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3067
3068         [JSC] Add SameValue DFG node
3069         https://bugs.webkit.org/show_bug.cgi?id=185065
3070
3071         Reviewed by Saam Barati.
3072
3073         This patch adds Object.is handling in DFG and FTL. Object.is is converted to SameValue DFG node.
3074         And DFG fixup phase attempts to convert SameValue node to CompareStrictEq with type filter edges
3075         if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics
3076         from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have
3077         implementations for these SameValue nodes.
3078
3079         This old MacroAssemblerX86Common::compareDouble was dead code since the derived class, "MacroAssembler",
3080         has a generalized compareDouble, which just uses branchDouble. Since this was not used, this function
3081         was broken. This patch fixes the issues and moves compareDouble to MacroAssemblerX86Common, and removes the
3082         generalized compareDouble for the x86 arch so that this specialized, efficient version is used instead. The fixes are
3083         correctly using set32 to zero-extend the result, and setting the initial value of the `dest` register
3084         correctly for the DoubleEqual and DoubleNotEqualOrUnordered cases.
3085
3086         The added microbenchmark shows a performance improvement.
3087
3088             object-is           651.0053+-38.8204    ^    241.3467+-15.8753       ^ definitely 2.6974x faster
3089
3090         * assembler/MacroAssembler.h:
3091         * assembler/MacroAssemblerX86Common.h:
3092         (JSC::MacroAssemblerX86Common::compareDouble):
3093         * assembler/MacroAssemblerX86_64.h:
3094         (JSC::MacroAssemblerX86_64::compareDouble): Deleted.
3095         * assembler/testmasm.cpp:
3096         (JSC::doubleOperands):
3097         (JSC::testCompareDouble):
3098         (JSC::run):
3099         * dfg/DFGAbstractInterpreterInlines.h:
3100         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3101         * dfg/DFGByteCodeParser.cpp:
3102         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3103         * dfg/DFGClobberize.h:
3104         (JSC::DFG::clobberize):
3105         * dfg/DFGConstantFoldingPhase.cpp:
3106         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3107         * dfg/DFGDoesGC.cpp:
3108         (JSC::DFG::doesGC):
3109         * dfg/DFGFixupPhase.cpp:
3110         (JSC::DFG::FixupPhase::fixupNode):
3111         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
3112         * dfg/DFGNodeType.h:
3113         * dfg/DFGOperations.cpp:
3114         * dfg/DFGOperations.h:
3115         * dfg/DFGPredictionPropagationPhase.cpp:
3116         * dfg/DFGSafeToExecute.h:
3117         (JSC::DFG::safeToExecute):
3118         * dfg/DFGSpeculativeJIT.cpp:
3119         (JSC::DFG::SpeculativeJIT::compileSameValue):
3120         * dfg/DFGSpeculativeJIT.h:
3121         * dfg/DFGSpeculativeJIT32_64.cpp:
3122         (JSC::DFG::SpeculativeJIT::compile):
3123         * dfg/DFGSpeculativeJIT64.cpp:
3124         (JSC::DFG::SpeculativeJIT::compile):
3125         * dfg/DFGValidate.cpp:
3126         * ftl/FTLCapabilities.cpp:
3127         (JSC::FTL::canCompile):
3128         * ftl/FTLLowerDFGToB3.cpp:
3129         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3130         (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
3131         * runtime/Intrinsic.cpp:
3132         (JSC::intrinsicName):
3133         * runtime/Intrinsic.h:
3134         * runtime/ObjectConstructor.cpp:
3135
3136 2018-04-30  Filip Pizlo  <fpizlo@apple.com>
3137
3138         B3::demoteValues should be able to handle patchpoint terminals
3139         https://bugs.webkit.org/show_bug.cgi?id=185151
3140
3141         Reviewed by Saam Barati.
3142         
3143         If we try to demote a patchpoint terminal then prior to this change we would append a Set to
3144         the basic block that the patchpoint terminated. That's wrong because then the terminal is no
3145         longer the last thing in the block.
3146         
3147         Air encounters this problem in spilling and solves it by doing a fixup afterwards. We can't
3148         really do that because demotion happens as a prerequisite to other transformations.
3149         
3150         One solution might have been to make demoteValues insert a basic block whenever it encounters
3151         this problem. But that would break clients that do CFG analysis before demoteValues and use
3152         the results of the CFG analysis after demoteValues. Taildup does this. Fortunately, taildup
3153         also runs breakCriticalEdges. Probably anyone using demoteValues will use breakCriticalEdges,
3154         so it's not bad to introduce that requirement.
3155         
3156         So, this patch solves the problem by ensuring that breakCriticalEdges treats any patchpoint
3157         terminal as if it had multiple successors. This means that a patchpoint terminal's successors
3158         will only have it as their predecessor. Then, demoteValues just prepends the Set to the
3159         successors of the patchpoint terminal.
3160         
3161         This was probably asymptomatic. It's hard to write a JS test that triggers this, so I added
3162         a unit test in testb3.
3163
3164         * b3/B3BreakCriticalEdges.cpp:
3165         (JSC::B3::breakCriticalEdges):
3166         * b3/B3BreakCriticalEdges.h:
3167         * b3/B3FixSSA.cpp:
3168         (JSC::B3::demoteValues):
3169         (JSC::B3::fixSSA):
3170         * b3/B3FixSSA.h:
3171         * b3/B3Value.cpp:
3172         (JSC::B3::Value::foldIdentity const):
3173         (JSC::B3::Value::performSubstitution):
3174         * b3/B3Value.h:
3175         * b3/testb3.cpp:
3176         (JSC::B3::testDemotePatchpointTerminal):
3177         (JSC::B3::run):
3178
3179 2018-05-01  Robin Morisset  <rmorisset@apple.com>
3180
3181         Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
3182         https://bugs.webkit.org/show_bug.cgi?id=184772
3183         <rdar://problem/39146327>
3184
3185         Reviewed by Filip Pizlo.
3186
3187         Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399>), where a check was missing.
3188         This patch now makes sure that the check correctly detects whether an integer overflow occurs.
3189
3190         * runtime/JSArray.cpp:
3191         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3192
3193 2018-05-01  Robin Morisset  <rmorisset@apple.com>
3194
3195         Correctly detect string overflow when using the 'Function' constructor
3196         https://bugs.webkit.org/show_bug.cgi?id=184883
3197         <rdar://problem/36320331>
3198
3199         Reviewed by Filip Pizlo.
3200
3201         The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation.
3202         Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case.
3203
3204         I added new tryAppend methods alongside the old append methods, which return a boolean (true means success, false means an overflow happened).
3205         In this way, it becomes possible for the Function constructor to throw a proper JS exception when asked to create a string > 4GB.
3206         I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.
3207
3208         * runtime/FunctionConstructor.cpp:
3209         (JSC::constructFunctionSkippingEvalEnabledCheck):
3210         * runtime/JSONObject.cpp:
3211         (JSC::Stringifier::appendStringifiedValue):
3212
3213 2018-05-01  Robin Morisset  <rmorisset@apple.com>
3214
3215         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
3216         https://bugs.webkit.org/show_bug.cgi?id=185162
3217
3218         Reviewed by Filip Pizlo.
3219
3220         * runtime/IntlObject.cpp:
3221         (JSC::removeUnicodeLocaleExtension):
3222
3223 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
3224
3225         Add SetCallee as DFG-Operation
3226         https://bugs.webkit.org/show_bug.cgi?id=184582
3227
3228         Reviewed by Filip Pizlo.
3229
3230         For recursive tail calls, not only the argument count can change but also the
3231         callee. Add SetCallee to the DFG, which sets the callee slot in the current call frame.
3232         Also update the callee when optimizing a recursive tail call.
3233         Also enable recursive tail call optimization for closures.
3234
3235         * dfg/DFGAbstractInterpreterInlines.h:
3236         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3237         * dfg/DFGByteCodeParser.cpp:
3238         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
3239         (JSC::DFG::ByteCodeParser::handleCallVariant):
3240         * dfg/DFGClobberize.h:
3241         (JSC::DFG::clobberize):
3242         * dfg/DFGDoesGC.cpp:
3243         (JSC::DFG::doesGC):
3244         * dfg/DFGFixupPhase.cpp:
3245         (JSC::DFG::FixupPhase::fixupNode):
3246         * dfg/DFGMayExit.cpp:
3247         * dfg/DFGNodeType.h:
3248         * dfg/DFGPredictionPropagationPhase.cpp:
3249         * dfg/DFGSafeToExecute.h:
3250         (JSC::DFG::safeToExecute):
3251         * dfg/DFGSpeculativeJIT.cpp:
3252         (JSC::DFG::SpeculativeJIT::compileSetCallee):
3253         * dfg/DFGSpeculativeJIT.h:
3254         * dfg/DFGSpeculativeJIT32_64.cpp:
3255         (JSC::DFG::SpeculativeJIT::compile):
3256         * dfg/DFGSpeculativeJIT64.cpp:
3257         (JSC::DFG::SpeculativeJIT::compile):
3258         * ftl/FTLCapabilities.cpp:
3259         (JSC::FTL::canCompile):
3260         * ftl/FTLLowerDFGToB3.cpp:
3261         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3262         (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):
3263
3264 2018-05-01  Oleksandr Skachkov  <gskachkov@gmail.com>
3265
3266         WebAssembly: add support for stream APIs - JavaScript API
3267         https://bugs.webkit.org/show_bug.cgi?id=183442
3268
3269         Reviewed by Yusuke Suzuki and JF Bastien.
3270
3271         Add the WebAssembly stream API. The current patch only adds the functions
3272         WebAssembly.compileStreaming and WebAssembly.instantiateStreaming, but
3273         does not add a streaming implementation. So in the current version it
3274         only waits for the whole module to load, then starts to parse.
3275
3276         * CMakeLists.txt:
3277         * Configurations/FeatureDefines.xcconfig:
3278         * DerivedSources.make:
3279         * JavaScriptCore.xcodeproj/project.pbxproj:
3280         * builtins/BuiltinNames.h:
3281         * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
3282         (compileStreaming):
3283         (instantiateStreaming):
3284         * jsc.cpp:
3285         * runtime/JSGlobalObject.cpp:
3286         (JSC::JSGlobalObject::init):
3287         * runtime/JSGlobalObject.h:
3288         * runtime/Options.h:
3289         * runtime/PromiseDeferredTimer.cpp:
3290         (JSC::PromiseDeferredTimer::hasPendingPromise):
3291         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
3292         * runtime/PromiseDeferredTimer.h:
3293         * wasm/js/WebAssemblyPrototype.cpp:
3294         (JSC::webAssemblyModuleValidateAsyncInternal):
3295         (JSC::webAssemblyCompileFunc):
3296         (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
3297         (JSC::webAssemblyModuleInstantinateAsyncInternal):
3298         (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
3299         (JSC::webAssemblyCompileStreamingInternal):
3300         (JSC::webAssemblyInstantiateStreamingInternal):
3301         (JSC::WebAssemblyPrototype::create):
3302         (JSC::WebAssemblyPrototype::finishCreation):
3303         * wasm/js/WebAssemblyPrototype.h:
3304
3305 2018-04-30  Saam Barati  <sbarati@apple.com>
3306
3307         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
3308         https://bugs.webkit.org/show_bug.cgi?id=185149
3309         <rdar://problem/39455917>
3310
3311         Reviewed by Filip Pizlo.
3312
3313         The bug was that we were deleting checks that we shouldn't have deleted.
3314         This patch makes a helper inside strength reduction that converts to
3315         a LazyJSConstant while maintaining checks, and switches users of the
3316         node API inside strength reduction to instead call the helper function.
3317         
3318         This patch also fixes a potential bug where StringReplace and
3319         StringReplaceRegExp may not preserve all their checks.
3320
3321
3322         * dfg/DFGStrengthReductionPhase.cpp:
3323         (JSC::DFG::StrengthReductionPhase::handleNode):
3324         (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):
3325
3326 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
3327
3328         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
3329         https://bugs.webkit.org/show_bug.cgi?id=185126
3330
3331         Reviewed by Saam Barati.
3332         
3333         This change is just restoring functionality that we've already had for a while. It had been
3334         accidentally broken due to an unrelated CodeBlock refactoring.
3335
3336         * dfg/DFGLICMPhase.cpp:
3337         (JSC::DFG::LICMPhase::attemptHoist):
3338
3339 2018-04-30  Mark Lam  <mark.lam@apple.com>
3340
3341         Apply PtrTags to the MetaAllocator and friends.
3342         https://bugs.webkit.org/show_bug.cgi?id=185110
3343         <rdar://problem/39533895>
3344
3345         Reviewed by Saam Barati.
3346
3347         1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
3348         2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
3349            and add a sanity check to verify that allocated code buffers are within those
3350            bounds.
3351
3352         * assembler/LinkBuffer.cpp:
3353         (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
3354         (JSC::LinkBuffer::copyCompactAndLinkCode):
3355         (JSC::LinkBuffer::linkCode):
3356         (JSC::LinkBuffer::allocate):
3357         * assembler/LinkBuffer.h:
3358         (JSC::LinkBuffer::LinkBuffer):
3359         (JSC::LinkBuffer::debugAddress):
3360         (JSC::LinkBuffer::code):
3361         * assembler/MacroAssemblerCodeRef.h:
3362         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
3363         * bytecode/InlineAccess.cpp:
3364         (JSC::linkCodeInline):
3365         (JSC::InlineAccess::rewireStubAsJump):
3366         * dfg/DFGJITCode.cpp:
3367         (JSC::DFG::JITCode::findPC):
3368         * ftl/FTLJITCode.cpp:
3369         (JSC::FTL::JITCode::findPC):
3370         * jit/ExecutableAllocator.cpp:
3371         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
3372         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
3373         (JSC::ExecutableAllocator::allocate):
3374         * jit/ExecutableAllocator.h:
3375         (JSC::isJITPC):
3376         (JSC::performJITMemcpy):
3377         * jit/JIT.cpp:
3378         (JSC::JIT::link):
3379         * jit/JITMathIC.h:
3380         (JSC::isProfileEmpty):
3381         * runtime/JSCPtrTag.h:
3382         * wasm/WasmCallee.cpp:
3383         (JSC::Wasm::Callee::Callee):
3384         * wasm/WasmFaultSignalHandler.cpp:
3385         (JSC::Wasm::trapHandler):
3386
3387 2018-04-30  Keith Miller  <keith_miller@apple.com>
3388
3389         Move the MayBePrototype JSCell header bit to InlineTypeFlags
3390         https://bugs.webkit.org/show_bug.cgi?id=185143
3391
3392         Reviewed by Mark Lam.
3393
3394         * runtime/IndexingType.h:
3395         * runtime/JSCellInlines.h:
3396         (JSC::JSCell::setStructure):
3397         (JSC::JSCell::mayBePrototype const):
3398         (JSC::JSCell::didBecomePrototype):
3399         * runtime/JSTypeInfo.h:
3400         (JSC::TypeInfo::mayBePrototype):
3401         (JSC::TypeInfo::mergeInlineTypeFlags):
3402
3403 2018-04-30  Keith Miller  <keith_miller@apple.com>
3404
3405         Remove unneeded exception check from String.fromCharCode
3406         https://bugs.webkit.org/show_bug.cgi?id=185083
3407
3408         Reviewed by Mark Lam.
3409
3410         * runtime/StringConstructor.cpp:
3411         (JSC::stringFromCharCode):
3412
3413 2018-04-30  Keith Miller  <keith_miller@apple.com>
3414
3415         Move StructureIsImmortal to out of line flags.
3416         https://bugs.webkit.org/show_bug.cgi?id=185101
3417
3418         Reviewed by Saam Barati.
3419
3420         This will free up a bit in the inline flags into which we can move the
3421         isPrototype bit. This will, in turn, free a bit for use in
3422         implementing copy on write butterflies.
3423
3424         Also, this patch removes an assertion from Structure::typeInfo()
3425         that inadvertently makes the function invalid to call while
3426         cleaning up the vm.
3427
3428         * heap/HeapCellType.cpp:
3429         (JSC::DefaultDestroyFunc::operator() const):
3430         * runtime/JSCell.h:
3431         * runtime/JSCellInlines.h:
3432         (JSC::JSCell::callDestructor): Deleted.
3433         * runtime/JSTypeInfo.h:
3434         (JSC::TypeInfo::hasStaticPropertyTable):
3435         (JSC::TypeInfo::structureIsImmortal const):
3436         * runtime/Structure.h:
3437
3438 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3439
3440         [JSC] Remove arity fixup check if the number of parameters is 1
3441         https://bugs.webkit.org/show_bug.cgi?id=183984
3442
3443         Reviewed by Mark Lam.
3444
3445         If a function has only one parameter (|this|), the arity fixup check can never be taken,
3446         so we do not need to emit the arity fixup check code.
3447
3448         * dfg/DFGDriver.cpp:
3449         (JSC::DFG::compileImpl):
3450         * dfg/DFGJITCompiler.cpp:
3451         (JSC::DFG::JITCompiler::compileFunction):
3452         * dfg/DFGJITCompiler.h:
3453         * ftl/FTLLink.cpp:
3454         (JSC::FTL::link):
3455         * jit/JIT.cpp:
3456         (JSC::JIT::compileWithoutLinking):
3457
3458 2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3459
3460         Use WordLock instead of std::mutex for Threading
3461         https://bugs.webkit.org/show_bug.cgi?id=185121
3462
3463         Reviewed by Geoffrey Garen.
3464
3465         ThreadGroup starts using WordLock.
3466
3467         * heap/MachineStackMarker.h:
3468         (JSC::MachineThreads::getLock):
3469
3470 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
3471
3472         B3 should run tail duplication at the bitter end
3473         https://bugs.webkit.org/show_bug.cgi?id=185123
3474
3475         Reviewed by Geoffrey Garen.
3476         
3477         Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
3478         everywhere else.
3479         
3480         The goal of this change is to allow us to run path specialization after switch lowering but
3481         before tail duplication.
3482
3483         * b3/B3Generate.cpp:
3484         (JSC::B3::generateToAir):
3485         * runtime/Options.h:
3486
3487 2018-04-29  Commit Queue  <commit-queue@webkit.org>
3488
3489         Unreviewed, rolling out r231137.
3490         https://bugs.webkit.org/show_bug.cgi?id=185118
3491
3492         It is breaking Test262 language/expressions/multiplication
3493         /order-of-evaluation.js (Requested by caiolima on #webkit).
3494
3495         Reverted changeset:
3496
3497         "[ESNext][BigInt] Implement support for "*" operation"
3498         https://bugs.webkit.org/show_bug.cgi?id=183721
3499         https://trac.webkit.org/changeset/231137
3500
3501 2018-04-28  Saam Barati  <sbarati@apple.com>
3502
3503         We don't model regexp effects properly
3504         https://bugs.webkit.org/show_bug.cgi?id=185059
3505         <rdar://problem/39736150>
3506
3507         Reviewed by Filip Pizlo.
3508
3509         RegExp exec/test can have arbitrary side effects: when the regexp is global, ToNumber is applied
3510         to lastIndex, which can run arbitrary user code. The DFG abstract interpreter and clobberize rules
3510         now account for this instead of treating these operations as having narrower effects.
3511
3512         * dfg/DFGAbstractInterpreterInlines.h:
3513         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3514         * dfg/DFGClobberize.h:
3515         (JSC::DFG::clobberize):
3516
3517 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
3518
3519         Token misspelled "tocken" in error message string
3520         https://bugs.webkit.org/show_bug.cgi?id=185030
3521
3522         Reviewed by Saam Barati.
3523
3524         * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
3525         (JSC::Parser<LexerType>::Parser):
3526         (JSC::Parser<LexerType>::didFinishParsing):
3527         (JSC::Parser<LexerType>::parseSourceElements):
3528         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
3529         (JSC::Parser<LexerType>::parseVariableDeclaration):
3530         (JSC::Parser<LexerType>::parseWhileStatement):
3531         (JSC::Parser<LexerType>::parseVariableDeclarationList):
3532         (JSC::Parser<LexerType>::createBindingPattern):
3533         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
3534         (JSC::Parser<LexerType>::parseObjectRestElement):
3535         (JSC::Parser<LexerType>::parseDestructuringPattern):
3536         (JSC::Parser<LexerType>::parseForStatement):
3537         (JSC::Parser<LexerType>::parseBreakStatement):
3538         (JSC::Parser<LexerType>::parseContinueStatement):
3539         (JSC::Parser<LexerType>::parseThrowStatement):
3540         (JSC::Parser<LexerType>::parseWithStatement):
3541         (JSC::Parser<LexerType>::parseSwitchStatement):
3542         (JSC::Parser<LexerType>::parseSwitchClauses):
3543         (JSC::Parser<LexerType>::parseTryStatement):
3544         (JSC::Parser<LexerType>::parseBlockStatement):
3545         (JSC::Parser<LexerType>::parseFormalParameters):
3546         (JSC::Parser<LexerType>::parseFunctionParameters):
3547         (JSC::Parser<LexerType>::parseFunctionInfo):
3548         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
3549         (JSC::Parser<LexerType>::parseExpressionStatement):
3550         (JSC::Parser<LexerType>::parseIfStatement):
3551         (JSC::Parser<LexerType>::parseAssignmentExpression):
3552         (JSC::Parser<LexerType>::parseConditionalExpression):
3553         (JSC::Parser<LexerType>::parseBinaryExpression):
3554         (JSC::Parser<LexerType>::parseObjectLiteral):
3555         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
3556         (JSC::Parser<LexerType>::parseArrayLiteral):
3557         (JSC::Parser<LexerType>::parseArguments):
3558         (JSC::Parser<LexerType>::parseMemberExpression):
3559         (JSC::operatorString):
3560         (JSC::Parser<LexerType>::parseUnaryExpression):
3561         (JSC::Parser<LexerType>::printUnexpectedTokenText):
3562
3563 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
3564
3565         [ESNext][BigInt] Implement support for "*" operation
3566         https://bugs.webkit.org/show_bug.cgi?id=183721
3567
3568         Reviewed by Saam Barati.
3569
3570         Added BigInt support to the multiplication ("*") binary operator in LLInt and in the
3571         JITOperations profiledMul and unprofiledMul. We also replace uses of int with unsigned
3572         for variables that can never hold negative values.
3573
3574
3575         * dfg/DFGConstantFoldingPhase.cpp:
3576         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3577         * jit/JITOperations.cpp:
3578         * runtime/CommonSlowPaths.cpp:
3579         (JSC::SLOW_PATH_DECL):
3580         * runtime/JSBigInt.cpp:
3581         (JSC::JSBigInt::JSBigInt):
3582         (JSC::JSBigInt::allocationSize):
3583         (JSC::JSBigInt::createWithLength):
3584         (JSC::JSBigInt::toString):
3585         (JSC::JSBigInt::multiply):
3586         (JSC::JSBigInt::digitDiv):
3587         (JSC::JSBigInt::internalMultiplyAdd):
3588         (JSC::JSBigInt::multiplyAccumulate):
3589         (JSC::JSBigInt::equals):
3590         (JSC::JSBigInt::absoluteDivSmall):
3591         (JSC::JSBigInt::calculateMaximumCharactersRequired):
3592         (JSC::JSBigInt::toStringGeneric):
3593         (JSC::JSBigInt::rightTrim):
3594         (JSC::JSBigInt::allocateFor):
3595         (JSC::JSBigInt::parseInt):
3596         (JSC::JSBigInt::digit):
3597         (JSC::JSBigInt::setDigit):
3598         * runtime/JSBigInt.h:
3599         * runtime/Operations.h:
3600         (JSC::jsMul):
3601
3602 2018-04-28  Commit Queue  <commit-queue@webkit.org>
3603
3604         Unreviewed, rolling out r231131.
3605         https://bugs.webkit.org/show_bug.cgi?id=185112
3606
3607         It is breaking Debug build due to unchecked exception
3608         (Requested by caiolima on #webkit).
3609
3610         Reverted changeset:
3611
3612         "[ESNext][BigInt] Implement support for "*" operation"
3613         https://bugs.webkit.org/show_bug.cgi?id=183721
3614         https://trac.webkit.org/changeset/231131
3615
3616 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
3617
3618         [ESNext][BigInt] Implement support for "*" operation
3619         https://bugs.webkit.org/show_bug.cgi?id=183721
3620
3621         Reviewed by Saam Barati.
3622
3623         Added BigInt support to the multiplication ("*") binary operator in LLInt and in the
3624         JITOperations profiledMul and unprofiledMul. We also replace uses of int with unsigned
3625         for variables that can never hold negative values.
3626
3627
3628         * dfg/DFGConstantFoldingPhase.cpp:
3629         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3630         * jit/JITOperations.cpp:
3631         * runtime/CommonSlowPaths.cpp:
3632         (JSC::SLOW_PATH_DECL):
3633         * runtime/JSBigInt.cpp:
3634         (JSC::JSBigInt::JSBigInt):
3635         (JSC::JSBigInt::allocationSize):
3636         (JSC::JSBigInt::createWithLength):
3637         (JSC::JSBigInt::toString):
3638         (JSC::JSBigInt::multiply):
3639         (JSC::JSBigInt::digitDiv):
3640         (JSC::JSBigInt::internalMultiplyAdd):
3641         (JSC::JSBigInt::multiplyAccumulate):
3642         (JSC::JSBigInt::equals):
3643         (JSC::JSBigInt::absoluteDivSmall):
3644         (JSC::JSBigInt::calculateMaximumCharactersRequired):
3645         (JSC::JSBigInt::toStringGeneric):
3646         (JSC::JSBigInt::rightTrim):
3647         (JSC::JSBigInt::allocateFor):
3648         (JSC::JSBigInt::parseInt):
3649         (JSC::JSBigInt::digit):
3650         (JSC::JSBigInt::setDigit):
3651         * runtime/JSBigInt.h:
3652         * runtime/Operations.h:
3653         (JSC::jsMul):
3654
3655 2018-04-27  JF Bastien  <jfbastien@apple.com>
3656
3657         Make the first 64 bits of JSString look like a double JSValue
3658         https://bugs.webkit.org/show_bug.cgi?id=185081
3659
3660         Reviewed by Filip Pizlo.
3661
3662         We can be clever about how we lay out JSString so that, were it
3663         reinterpreted as a JSValue, it would look like a double.
3664
3665         * assembler/MacroAssemblerX86Common.h:
3666         (JSC::MacroAssemblerX86Common::and16):
3667         * assembler/X86Assembler.h:
3668         (JSC::X86Assembler::andw_mr):
3669         * dfg/DFGSpeculativeJIT.cpp:
3670         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3671         * ftl/FTLLowerDFGToB3.cpp:
3672         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3673         * ftl/FTLOutput.h:
3674         (JSC::FTL::Output::store32As8):
3675         (JSC::FTL::Output::store32As16):
3676         * runtime/JSString.h:
3677         (JSC::JSString::JSString):
3678
3679 2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3680
3681         [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
3682         https://bugs.webkit.org/show_bug.cgi?id=185055
3683
3684         Reviewed by JF Bastien.
3685
3686         This patch is paving the way to emitting the jscvt instruction when it is available.
3687         To do that, we need to determine whether the jscvt instruction is supported by the
3688         given CPU.
3689
3690         We add a function collectCPUFeatures, which is responsible for collecting the
3691         CPU features when necessary. On Linux, we can read the auxiliary vector to get
3692         this information without parsing /proc/cpuinfo.
3693
3694         Currently, nobody calls this function. It will be called once we emit the
3695         jscvt instruction. To make that possible, we also need to add disassembler
3696         support.
3697
3698         * assembler/AbstractMacroAssembler.h:
3699         * assembler/MacroAssemblerARM64.cpp:
3700         (JSC::MacroAssemblerARM64::collectCPUFeatures):
3701         * assembler/MacroAssemblerARM64.h:
3702         * assembler/MacroAssemblerX86Common.h:
3703
3704 2018-04-26  Filip Pizlo  <fpizlo@apple.com>
3705
3706         Also run foldPathConstants before mussing up SSA
3707         https://bugs.webkit.org/show_bug.cgi?id=185069
3708
3709         Reviewed by Saam Barati.
3710         
3711         This isn't needed now, but will be once I implement the phase in bug 185060.
3712         
3713         This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
3714         Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
3715         be landed separately and measured separately from that phase.
3716         
3717         It's probably nice for sanity to have this and reduceStrength run before tail duplication and
3718         another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
3719         it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
3720         neutral. It all depends on what programs typically look like.
3721
3722         * b3/B3Generate.cpp:
3723         (JSC::B3::generateToAir):
3724
3725 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
3726
3727         Unreviewed, rolling out r231086.
3728
3729         Caused JSC test failures due to an unchecked exception.
3730
3731         Reverted changeset:
3732
3733         "[ESNext][BigInt] Implement support for "*" operation"
3734         https://bugs.webkit.org/show_bug.cgi?id=183721
3735         https://trac.webkit.org/changeset/231086
3736
3737 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
3738
3739         [ESNext][BigInt] Implement support for "*" operation
3740         https://bugs.webkit.org/show_bug.cgi?id=183721
3741
3742         Reviewed by Saam Barati.
3743
3744         Added BigInt support to the multiplication ("*") binary operator in LLInt and in the
3745         JITOperations profiledMul and unprofiledMul. We also replace uses of int with unsigned
3746         for variables that can never hold negative values.
3747
3748
3749         * dfg/DFGConstantFoldingPhase.cpp:
3750         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3751         * jit/JITOperations.cpp:
3752         * runtime/CommonSlowPaths.cpp:
3753         (JSC::SLOW_PATH_DECL):
3754         * runtime/JSBigInt.cpp:
3755         (JSC::JSBigInt::JSBigInt):
3756         (JSC::JSBigInt::allocationSize):
3757         (JSC::JSBigInt::createWithLength):
3758         (JSC::JSBigInt::toString):
3759         (JSC::JSBigInt::multiply):
3760         (JSC::JSBigInt::digitDiv):
3761         (JSC::JSBigInt::internalMultiplyAdd):
3762         (JSC::JSBigInt::multiplyAccumulate):
3763         (JSC::JSBigInt::equals):
3764         (JSC::JSBigInt::absoluteDivSmall):
3765         (JSC::JSBigInt::calculateMaximumCharactersRequired):
3766         (JSC::JSBigInt::toStringGeneric):
3767         (JSC::JSBigInt::rightTrim):
3768         (JSC::JSBigInt::allocateFor):
3769         (JSC::JSBigInt::parseInt):
3770         (JSC::JSBigInt::digit):
3771         (JSC::JSBigInt::setDigit):
3772         * runtime/JSBigInt.h:
3773         * runtime/Operations.h:
3774         (JSC::jsMul):
3775
3776 2018-04-26  Mark Lam  <mark.lam@apple.com>
3777
3778         Gardening: Speculative build fix for Windows.
3779         https://bugs.webkit.org/show_bug.cgi?id=184976
3780         <rdar://problem/39723901>
3781
3782         Not reviewed.
3783
3784         * runtime/JSCPtrTag.h:
3785
3786 2018-04-26  Mark Lam  <mark.lam@apple.com>
3787
3788         Gardening: Windows build fix.
3789
3790         Not reviewed.
3791
3792         * runtime/Options.cpp:
3793
3794 2018-04-26  Jer Noble  <jer.noble@apple.com>
3795
3796         WK_COCOA_TOUCH all the things.
3797         https://bugs.webkit.org/show_bug.cgi?id=185006
3798         <rdar://problem/39736025>
3799
3800         Reviewed by Tim Horton.
3801
3802         * Configurations/Base.xcconfig:
3803
3804 2018-04-26  Per Arne Vollan  <pvollan@apple.com>
3805
3806         Disable content filtering in minimal simulator mode
3807         https://bugs.webkit.org/show_bug.cgi?id=185027
3808         <rdar://problem/39736091>
3809
3810         Reviewed by Jer Noble.
3811
3812         * Configurations/FeatureDefines.xcconfig:
3813
3814 2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>
3815
3816         [INTL] Implement Intl.PluralRules
3817         https://bugs.webkit.org/show_bug.cgi?id=184312
3818
3819         Reviewed by JF Bastien.
3820
3821         Use UNumberFormat to enforce formatting, and then UPluralRules to find
3822         the correct plural rule for the given number. Relies on ICU v59+ for
3823         resolvedOptions().pluralCategories and trailing 0 detection.
3824         Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.
3825
3826         * CMakeLists.txt:
3827         * Configurations/FeatureDefines.xcconfig:
3828         * DerivedSources.make:
3829         * JavaScriptCore.xcodeproj/project.pbxproj:
3830         * Sources.txt:
3831         * builtins/BuiltinNames.h:
3832         * runtime/BigIntObject.cpp:
3833         (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
3834         * runtime/BigIntObject.h:
3835         * runtime/CommonIdentifiers.h:
3836         * runtime/IntlObject.cpp:
3837         (JSC::IntlObject::finishCreation):
3838         * runtime/IntlObject.h:
3839         * runtime/IntlPluralRules.cpp: Added.
3840         (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
3841         (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
3842         (JSC::UEnumerationDeleter::operator() const):
3843         (JSC::IntlPluralRules::create):
3844         (JSC::IntlPluralRules::createStructure):
3845         (JSC::IntlPluralRules::IntlPluralRules):
3846         (JSC::IntlPluralRules::finishCreation):
3847         (JSC::IntlPluralRules::destroy):
3848         (JSC::IntlPluralRules::visitChildren):
3849         (JSC::IntlPRInternal::localeData):
3850         (JSC::IntlPluralRules::initializePluralRules):
3851         (JSC::IntlPluralRules::resolvedOptions):
3852         (JSC::IntlPluralRules::select):
3853         * runtime/IntlPluralRules.h: Added.
3854         * runtime/IntlPluralRulesConstructor.cpp: Added.
3855         (JSC::IntlPluralRulesConstructor::create):
3856         (JSC::IntlPluralRulesConstructor::createStructure):
3857         (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
3858         (JSC::IntlPluralRulesConstructor::finishCreation):
3859         (JSC::constructIntlPluralRules):
3860         (JSC::callIntlPluralRules):
3861         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
3862         (JSC::IntlPluralRulesConstructor::visitChildren):
3863         * runtime/IntlPluralRulesConstructor.h: Added.
3864         * runtime/IntlPluralRulesPrototype.cpp: Added.
3865         (JSC::IntlPluralRulesPrototype::create):
3866         (JSC::IntlPluralRulesPrototype::createStructure):
3867         (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
3868         (JSC::IntlPluralRulesPrototype::finishCreation):
3869         (JSC::IntlPluralRulesPrototypeFuncSelect):
3870         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
3871         * runtime/IntlPluralRulesPrototype.h: Added.
3872         * runtime/JSGlobalObject.cpp:
3873         (JSC::JSGlobalObject::init):
3874         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
3875         * runtime/JSGlobalObject.h:
3876         * runtime/Options.h:
3877         * runtime/RegExpPrototype.cpp: Added inlines header.
3878         * runtime/VM.cpp:
3879         (JSC::VM::VM):
3880         * runtime/VM.h:
3881
3882 2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>
3883
3884         [MIPS] Fix branch offsets in branchNeg32
3885         https://bugs.webkit.org/show_bug.cgi?id=185025
3886
3887         Reviewed by Yusuke Suzuki.
3888
3889         Two nops were removed from branch(Not)Equal in bug 183130, but the branch offset in branchNeg32 wasn't adjusted to match.
3890
3891         * assembler/MacroAssemblerMIPS.h:
3892         (JSC::MacroAssemblerMIPS::branchNeg32):
3893
3894 2018-04-25  Robin Morisset  <rmorisset@apple.com>
3895
3896         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
3897         https://bugs.webkit.org/show_bug.cgi?id=184773
3898         <rdar://problem/37773612>
3899
3900         Reviewed by Filip Pizlo.
3901
3902         We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
3903         arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
3904         This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
3905         We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
3906         This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
3907
3908         * ftl/FTLLowerDFGToB3.cpp:
3909         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
3910
3911 2018-04-25  Mark Lam  <mark.lam@apple.com>
3912
3913         Push the definition of PtrTag down to the WTF layer.
3914         https://bugs.webkit.org/show_bug.cgi?id=184976
3915         <rdar://problem/39723901>
3916
3917         Reviewed by Saam Barati.
3918
3919         * CMakeLists.txt:
3920         * JavaScriptCore.xcodeproj/project.pbxproj:
3921         * assembler/ARM64Assembler.h:
3922         * assembler/AbstractMacroAssembler.h:
3923         * assembler/MacroAssemblerCodeRef.cpp:
3924         * assembler/MacroAssemblerCodeRef.h:
3925         * b3/B3MathExtras.cpp:
3926         * bytecode/LLIntCallLinkInfo.h:
3927         * disassembler/Disassembler.h:
3928         * ftl/FTLJITCode.cpp:
3929         * interpreter/InterpreterInlines.h:
3930         * jit/ExecutableAllocator.h:
3931         * jit/JITOperations.cpp:
3932         * jit/ThunkGenerator.h:
3933         * jit/ThunkGenerators.h:
3934         * llint/LLIntOffsetsExtractor.cpp:
3935         * llint/LLIntPCRanges.h:
3936         * runtime/JSCPtrTag.h: Added.
3937         * runtime/NativeFunction.h:
3938         * runtime/PtrTag.h: Removed.
3939         * runtime/VMTraps.cpp:
3940
3941 2018-04-25  Keith Miller  <keith_miller@apple.com>
3942
3943         getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
3944         https://bugs.webkit.org/show_bug.cgi?id=184998
3945
3946         Reviewed by Saam Barati.
3947
3948         * runtime/CodeCache.cpp:
3949         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
3950
3951 2018-04-25  Keith Miller  <keith_miller@apple.com>
3952
3953         Add missing scope release to functionProtoFuncToString
3954         https://bugs.webkit.org/show_bug.cgi?id=184995
3955
3956         Reviewed by Saam Barati.
3957
3958         * runtime/FunctionPrototype.cpp:
3959         (JSC::functionProtoFuncToString):
3960
3961 2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3962
3963         REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
3964         https://bugs.webkit.org/show_bug.cgi?id=184730
3965
3966         Reviewed by Mark Lam.