a3e2a22f79f95679fabc61bd22fd39974ba730d5
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-05-25  Mark Lam  <mark.lam@apple.com>
2
3         for-in loops should preserve and restore the TDZ stack for each of its internal loops.
4         https://bugs.webkit.org/show_bug.cgi?id=185995
5         <rdar://problem/40173142>
6
7         Reviewed by Saam Barati.
8
9         This is because there's no guarantee that any of the loop bodies will be
10         executed.  Hence, there's no guarantee that the TDZ variables will have been
11         initialized after each loop body.
12
13         * bytecompiler/BytecodeGenerator.cpp:
14         (JSC::BytecodeGenerator::preserveTDZStack):
15         (JSC::BytecodeGenerator::restoreTDZStack):
16         * bytecompiler/BytecodeGenerator.h:
17         * bytecompiler/NodesCodegen.cpp:
18         (JSC::ForInNode::emitBytecode):
19
20 2018-05-25  Mark Lam  <mark.lam@apple.com>
21
22         MachineContext's instructionPointer() should handle null PCs correctly.
23         https://bugs.webkit.org/show_bug.cgi?id=186004
24         <rdar://problem/40570067>
25
26         Reviewed by Saam Barati.
27
28         instructionPointer() returns a MacroAssemblerCodePtr<CFunctionPtrTag>.  However,
29         MacroAssemblerCodePtr's constructor does not accept a null pointer value and will
30         assert accordingly with a debug ASSERT.  This is inconsequential for release
31         builds, but to avoid this assertion failure, we should check for a null PC and
32         return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr) instead (which uses the
33         MacroAssemblerCodePtr(std::nullptr_t) version of the constructor instead).
34
35         Alternatively, we can change all of MacroAssemblerCodePtr's constructors to check
36         for null pointers, but I rather not do that yet.  In general,
37         MacroAssemblerCodePtrs are constructed with non-null pointers, and I prefer to
38         leave it that way for now.
39
40         Note: this assertion failure only manifests when we have signal traps enabled,
41         and encounter a null pointer deref.
42
43         * runtime/MachineContext.h:
44         (JSC::MachineContext::instructionPointer):
45
46 2018-05-25  Mark Lam  <mark.lam@apple.com>
47
48         Enforce invariant that GetterSetter objects are invariant.
49         https://bugs.webkit.org/show_bug.cgi?id=185968
50         <rdar://problem/40541416>
51
52         Reviewed by Saam Barati.
53
54         The code already assumes the invariant that GetterSetter objects are immutable.
55         For example, the use of @tryGetById in builtins expects this invariant to be true.
56         The existing code mostly enforces this except for one case: JSObject's
57         validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter
58         object.
59
60         This patch enforces this invariant by removing the setGetter and setSetter methods
61         of GetterSetter, and requiring the getter/setter callback functions to be
62         specified at construction time.
63
64         * jit/JITOperations.cpp:
65         * llint/LLIntSlowPaths.cpp:
66         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
67         * runtime/GetterSetter.cpp:
68         (JSC::GetterSetter::withGetter): Deleted.
69         (JSC::GetterSetter::withSetter): Deleted.
70         * runtime/GetterSetter.h:
71         * runtime/JSGlobalObject.cpp:
72         (JSC::JSGlobalObject::init):
73         * runtime/JSObject.cpp:
74         (JSC::JSObject::putIndexedDescriptor):
75         (JSC::JSObject::putDirectNativeIntrinsicGetter):
76         (JSC::putDescriptor):
77         (JSC::validateAndApplyPropertyDescriptor):
78         * runtime/JSTypedArrayViewPrototype.cpp:
79         (JSC::JSTypedArrayViewPrototype::finishCreation):
80         * runtime/Lookup.cpp:
81         (JSC::reifyStaticAccessor):
82         * runtime/PropertyDescriptor.cpp:
83         (JSC::PropertyDescriptor::slowGetterSetter):
84
85 2018-05-25  Saam Barati  <sbarati@apple.com>
86
87         Make JSC have a mini mode that kicks in when the JIT is disabled
88         https://bugs.webkit.org/show_bug.cgi?id=185931
89
90         Reviewed by Mark Lam.
91
92         This patch makes JSC have a mini VM mode. This currently only kicks in
93         when the process can't JIT. Mini VM now means a few things:
94         - We always use a 1.27x heap growth factor. This number was the best tradeoff
95           between memory use progression and time regression in run-testmem. We may
96           want to tune this more in the future as we make other mini VM changes.
97         - We always sweep synchronously.
98         - We disable generational GC.
99         
100         I'm going to continue to extend what mini VM mode means in future changes.
101         
102         This patch is a 50% memory progression and an ~8-9% time regression
103         on run-testmem when running in mini VM mode with the JIT disabled.
104
105         * heap/Heap.cpp:
106         (JSC::Heap::collectNow):
107         (JSC::Heap::finalize):
108         (JSC::Heap::useGenerationalGC):
109         (JSC::Heap::shouldSweepSynchronously):
110         (JSC::Heap::shouldDoFullCollection):
111         * heap/Heap.h:
112         * runtime/Options.h:
113         * runtime/VM.cpp:
114         (JSC::VM::isInMiniMode):
115         * runtime/VM.h:
116
117 2018-05-25  Saam Barati  <sbarati@apple.com>
118
119         Have a memory test where we can validate JSC's mini memory mode
120         https://bugs.webkit.org/show_bug.cgi?id=185932
121
122         Reviewed by Mark Lam.
123
124         This patch adds the testmem CLI. It takes as input a file to run
125         and the number of iterations to run it (by default it runs it
126         20 times). Each iteration runs in a new JSContext. Each JSContext
127         belongs to a VM that is created once. When finished, the CLI dumps
128         out the peak memory usage of the process, the memory usage at the end
129         of running all the iterations of the process, and the total time it
130         took to run all the iterations.
131
132         * JavaScriptCore.xcodeproj/project.pbxproj:
133         * testmem: Added.
134         * testmem/testmem.mm: Added.
135         (description):
136         (Footprint::now):
137         (main):
138
139 2018-05-25  David Kilzer  <ddkilzer@apple.com>
140
141         Fix issues with -dealloc methods found by clang static analyzer
142         <https://webkit.org/b/185887>
143
144         Reviewed by Joseph Pecoraro.
145
146         * API/JSValue.mm:
147         (-[JSValue dealloc]):
148         (-[JSValue description]):
149         - Move method implementations from (Internal) category to the
150           main category since these are public API.  This fixes the
151           false positive warning about a missing -dealloc method.
152
153 2018-05-24  Yusuke Suzuki  <utatane.tea@gmail.com>
154
155         [Baseline] Remove a hack for DCE removal of NewFunction
156         https://bugs.webkit.org/show_bug.cgi?id=185945
157
158         Reviewed by Saam Barati.
159
160         This `undefined` check in baseline was originally introduced in r177871. The problem was,
161         when NewFunction is removed in DFG DCE, its referencing scope DFG node is also removed.
162         While op_new_func_xxx wants to have a scope for function creation, DFG OSR exit cannot
163         retrieve this into the stack since the scope is not referenced from anywhere.
164
165         In r177871, we fixed this by accepting an `undefined` scope in the baseline op_new_func_xxx
166         implementation. But rather than that, just emitting `Phantom` for this scope is clean
167         and consistent with the other DFG nodes like GetClosureVar.
168
169         This patch emits Phantom instead, and removes unnecessary `undefined` check in baseline.
170         While we emit Phantom, it is not testable since NewFunction is guarded by MovHint which
171         is not removed in DFG. And in FTL, NewFunction will be converted to PhantomNewFunction
172         if it is not referenced. And the scope node is kept by PutHint. But emitting Phantom is nice
173         since it conservatively guards the scope, and it does not introduce any additional overhead
174         compared to the current status.
175
176         * dfg/DFGByteCodeParser.cpp:
177         (JSC::DFG::ByteCodeParser::parseBlock):
178         * jit/JITOpcodes.cpp:
179         (JSC::JIT::emitNewFuncExprCommon):
180
181 2018-05-23  Keith Miller  <keith_miller@apple.com>
182
183         Expose $vm if window.internals is exposed
184         https://bugs.webkit.org/show_bug.cgi?id=185900
185
186         Reviewed by Mark Lam.
187
188         This is useful for testing vm internals when running LayoutTests.
189
190         * runtime/JSGlobalObject.cpp:
191         (JSC::JSGlobalObject::init):
192         (JSC::JSGlobalObject::visitChildren):
193         (JSC::JSGlobalObject::exposeDollarVM):
194         * runtime/JSGlobalObject.h:
195
196 2018-05-23  Keith Miller  <keith_miller@apple.com>
197
198         Define length on CoW array should properly convert to writable
199         https://bugs.webkit.org/show_bug.cgi?id=185927
200
201         Reviewed by Yusuke Suzuki.
202
203         * runtime/JSArray.cpp:
204         (JSC::JSArray::setLength):
205
206 2018-05-23  Keith Miller  <keith_miller@apple.com>
207
208         InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format
209         https://bugs.webkit.org/show_bug.cgi?id=185923
210
211         Reviewed by Saam Barati.
212
213         Previously, we could confuse AI by overly broadening a type. This happens when a block in a
214         loop has a local mutated following a GetLocal but never SetLocaled to the stack. For example,
215
216         Block 1:
217         @1: GetLocal(loc42, FlushedInt32);
218         @2: PutStructure(Check: Cell: @1);
219         @3: Jump(Block 1);
220
221         Would cause us to claim that loc42 could be either an int32 or some cell. However,
222         the type of a local cannot change without writing to it.
223
224         This fixes a crash in destructuring-rest-element.js
225
226         * dfg/DFGInPlaceAbstractState.cpp:
227         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
228
229 2018-05-23  Filip Pizlo  <fpizlo@apple.com>
230
231         Speed up JetStream/base64
232         https://bugs.webkit.org/show_bug.cgi?id=185914
233
234         Reviewed by Michael Saboff.
235         
236         Make allocation fast paths ALWAYS_INLINE.
237         
238         This is a 1% speed-up on SunSpider, mostly because of base64. It also speeds up pdfjs by
239         ~6%.
240
241         * CMakeLists.txt:
242         * JavaScriptCore.xcodeproj/project.pbxproj:
243         * heap/AllocatorInlines.h:
244         (JSC::Allocator::allocate const):
245         * heap/CompleteSubspace.cpp:
246         (JSC::CompleteSubspace::allocateNonVirtual): Deleted.
247         * heap/CompleteSubspace.h:
248         * heap/CompleteSubspaceInlines.h: Added.
249         (JSC::CompleteSubspace::allocateNonVirtual):
250         * heap/FreeListInlines.h:
251         (JSC::FreeList::allocate):
252         * heap/IsoSubspace.cpp:
253         (JSC::IsoSubspace::allocateNonVirtual): Deleted.
254         * heap/IsoSubspace.h:
255         (JSC::IsoSubspace::allocatorForNonVirtual):
256         * heap/IsoSubspaceInlines.h: Added.
257         (JSC::IsoSubspace::allocateNonVirtual):
258         * runtime/JSCellInlines.h:
259         * runtime/VM.h:
260
261 2018-05-23  Rick Waldron  <waldron.rick@gmail.com>
262
263         Conversion misspelled "Convertion" in error message string
264         https://bugs.webkit.org/show_bug.cgi?id=185436
265
266         Reviewed by Saam Barati, Michael Saboff.
267
268         * runtime/JSBigInt.cpp:
269         (JSC::JSBigInt::toNumber const):
270
271 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
272
273         [JSC] Clean up stringGetByValStubGenerator
274         https://bugs.webkit.org/show_bug.cgi?id=185864
275
276         Reviewed by Saam Barati.
277
278         We clean up stringGetByValStubGenerator.
279
280         1. Unify 32bit and 64bit implementations.
281         2. Rename stringGetByValStubGenerator to stringGetByValGenerator, and move it to ThunkGenerators.cpp.
282         3. Remove the string type check since this code is invoked only when we know regT0 is JSString*.
283         4. Do not tag the Cell on the stringGetByValGenerator side. 32bit code stores the Cell with a tag on the JITPropertyAccess32_64 side.
284         5. Fix invalid use of loadPtr for StringImpl::flags. Should use load32.
285
286         * jit/JIT.h:
287         * jit/JITPropertyAccess.cpp:
288         (JSC::JIT::emitSlow_op_get_by_val):
289         (JSC::JIT::stringGetByValStubGenerator): Deleted.
290         * jit/JITPropertyAccess32_64.cpp:
291         (JSC::JIT::emit_op_get_by_val):
292         (JSC::JIT::emitSlow_op_get_by_val):
293         (JSC::JIT::stringGetByValStubGenerator): Deleted.
294         * jit/ThunkGenerators.cpp:
295         (JSC::stringGetByValGenerator):
296         * jit/ThunkGenerators.h:
297
298 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
299
300         [JSC] Use branchIfString/branchIfNotString instead of structure checks
301         https://bugs.webkit.org/show_bug.cgi?id=185810
302
303         Reviewed by Saam Barati.
304
305         Let's use the branchIfString/branchIfNotString helper functions instead of
306         checking the structure against jsString's structure. It's easy to read. And
307         it emits less code since we do not need to embed the string structure's
308         raw pointer in a 32bit environment.
309
310         * jit/JIT.h:
311         * jit/JITInlines.h:
312         (JSC::JIT::emitLoadCharacterString):
313         (JSC::JIT::checkStructure): Deleted.
314         * jit/JITOpcodes32_64.cpp:
315         (JSC::JIT::emitSlow_op_eq):
316         (JSC::JIT::compileOpEqJumpSlow):
317         (JSC::JIT::emitSlow_op_neq):
318         * jit/JITPropertyAccess.cpp:
319         (JSC::JIT::stringGetByValStubGenerator):
320         (JSC::JIT::emitSlow_op_get_by_val):
321         (JSC::JIT::emitByValIdentifierCheck):
322         * jit/JITPropertyAccess32_64.cpp:
323         (JSC::JIT::stringGetByValStubGenerator):
324         (JSC::JIT::emitSlow_op_get_by_val):
325         * jit/JSInterfaceJIT.h:
326         (JSC::ThunkHelpers::jsStringLengthOffset): Deleted.
327         (JSC::ThunkHelpers::jsStringValueOffset): Deleted.
328         * jit/SpecializedThunkJIT.h:
329         (JSC::SpecializedThunkJIT::loadJSStringArgument):
330         * jit/ThunkGenerators.cpp:
331         (JSC::stringCharLoad):
332         (JSC::charCodeAtThunkGenerator):
333         (JSC::charAtThunkGenerator):
334         * runtime/JSString.h:
335
336 2018-05-22  Mark Lam  <mark.lam@apple.com>
337
338         BytecodeGeneratorification shouldn't add a ValueProfile if the JIT is disabled.
339         https://bugs.webkit.org/show_bug.cgi?id=185896
340         <rdar://problem/40471403>
341
342         Reviewed by Saam Barati.
343
344         * bytecode/BytecodeGeneratorification.cpp:
345         (JSC::BytecodeGeneratorification::run):
346
347 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
348
349         [JSC] Fix CachedCall's argument count if RegExp has named captures
350         https://bugs.webkit.org/show_bug.cgi?id=185587
351
352         Reviewed by Mark Lam.
353
354         If the given RegExp has named captures, the argument count of CachedCall in String#replace
355         should be increased by one. This causes a crash with an assertion in test262. This patch corrects
356         the argument count.
357
358         This patch also unifies source.is8Bit()/!source.is8Bit() code since they are now completely
359         the same.
360
361         * runtime/StringPrototype.cpp:
362         (JSC::replaceUsingRegExpSearch):
363
364 2018-05-22  Mark Lam  <mark.lam@apple.com>
365
366         StringImpl utf8 conversion should not fail silently.
367         https://bugs.webkit.org/show_bug.cgi?id=185888
368         <rdar://problem/40464506>
369
370         Reviewed by Filip Pizlo.
371
372         * dfg/DFGLazyJSValue.cpp:
373         (JSC::DFG::LazyJSValue::dumpInContext const):
374         * runtime/DateConstructor.cpp:
375         (JSC::constructDate):
376         (JSC::dateParse):
377         * runtime/JSDateMath.cpp:
378         (JSC::parseDate):
379         * runtime/JSDateMath.h:
380
381 2018-05-22  Keith Miller  <keith_miller@apple.com>
382
383         Remove the UnconditionalFinalizer class
384         https://bugs.webkit.org/show_bug.cgi?id=185881
385
386         Reviewed by Filip Pizlo.
387
388         The only remaining user of this API is
389         JSWebAssemblyCodeBlock. This patch changes JSWebAssemblyCodeBlock
390         to use the newer template based API and removes the old class.
391
409         * CMakeLists.txt:
410         * JavaScriptCore.xcodeproj/project.pbxproj:
411         * bytecode/CodeBlock.h:
412         * heap/Heap.cpp:
413         (JSC::Heap::finalizeUnconditionalFinalizers):
414         * heap/Heap.h:
415         * heap/SlotVisitor.cpp:
416         (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
417         * heap/SlotVisitor.h:
418         * heap/UnconditionalFinalizer.h: Removed.
419         * wasm/js/JSWebAssemblyCodeBlock.cpp:
420         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
421         (JSC::JSWebAssemblyCodeBlock::visitChildren):
422         (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
423         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
424         * wasm/js/JSWebAssemblyCodeBlock.h:
425         * wasm/js/JSWebAssemblyModule.h:
426
427 2018-05-22  Keith Miller  <keith_miller@apple.com>
428
429         Unreviewed, fix internal build.
430
431         * runtime/JSImmutableButterfly.cpp:
432
433 2018-05-22  Saam Barati  <sbarati@apple.com>
434
435         DFG::LICMPhase should attempt to hoist edge type checks if hoisting the whole node fails
436         https://bugs.webkit.org/show_bug.cgi?id=144525
437
438         Reviewed by Filip Pizlo.
439
440         This patch teaches LICM to fall back to hoisting a node's type checks when
441         hoisting the entire node fails.
442         
443         This patch follows the same principles we use when deciding to hoist nodes in general:
444         - If the pre header is control equivalent to where the current check is, we
445           go ahead and hoist the check.
446         - Otherwise, if hoisting hasn't failed before, we go ahead and gamble and
447           hoist the check. If hoisting failed in the past, we will not hoist the check.
448
449         * dfg/DFGLICMPhase.cpp:
450         (JSC::DFG::LICMPhase::attemptHoist):
451         * dfg/DFGUseKind.h:
452         (JSC::DFG::checkMayCrashIfInputIsEmpty):
453
454 2018-05-21  Filip Pizlo  <fpizlo@apple.com>
455
456         Get rid of TLCs
457         https://bugs.webkit.org/show_bug.cgi?id=185846
458
459         Rubber stamped by Geoffrey Garen.
460         
461         This removes support for thread-local caches from the GC in order to speed up allocation a
462         bit.
463         
464         We added TLCs as part of Spectre mitigations, which we have since removed.
465         
466         We will want some kind of TLCs eventually, since they allow us to:
467         
468         - have a global GC, which may be a perf optimization at some point.
469         - allocate objects from JIT threads, which we've been wanting to do for a while.
470         
471         This change keeps the most interesting aspect of TLCs, which is the
472         LocalAllocator/BlockDirectory separation. This means that it ought to be easy to implement
473         TLCs again in the future if we wanted this feature.
474         
475         This change removes the part of TLCs that causes a perf regression, namely that Allocator is
476         an offset that requires a bounds check and lookup that makes the rest of the allocation fast
477         path dependent on the load of the TLC. Now, Allocator is really just a LocalAllocator*, so
478         you can directly use it to allocate. This removes two loads and a check from the allocation
479         fast path. In hindsight, I probably could have made that whole thing more efficient, had I
480         allowed us to have a statically known set of LocalAllocators. This would have removed the
481         bounds check (one load and one branch) and it would have made it possible to CSE the load of
482         the TLC data structure, since that would no longer resize. But that's a harder change than
483         this patch, and we don't need it right now.
484         
485         While reviewing the allocation hot paths, I found that CreateThis had an unnecessary branch
486         to check if the allocator is null. I removed that check. AssemblyHelpers::emitAllocate() does
487         that check already. Previously, the TLC bounds check doubled as this check.
488         
489         This is a 1% speed-up on Octane and a 2.3% speed-up on TailBench. However, the Octane
490         speed-up on my machine includes an 8% regexp speed-up. I've found that sometimes regexp
491         speeds up or slows down by 8% depending on which path I build JSC from. Without that 8%, this
492         is still an Octane speed-up due to 2-4% speed-ups in earley, boyer, raytrace, and splay.
493
494         * JavaScriptCore.xcodeproj/project.pbxproj:
495         * Sources.txt:
496         * bytecode/ObjectAllocationProfileInlines.h:
497         (JSC::ObjectAllocationProfile::initializeProfile):
498         * dfg/DFGSpeculativeJIT.cpp:
499         (JSC::DFG::SpeculativeJIT::compileCreateThis):
500         * ftl/FTLLowerDFGToB3.cpp:
501         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
502         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
503         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
504         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
505         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
506         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
507         * heap/Allocator.cpp:
508         (JSC::Allocator::cellSize const):
509         * heap/Allocator.h:
510         (JSC::Allocator::Allocator):
511         (JSC::Allocator::localAllocator const):
512         (JSC::Allocator::operator== const):
513         (JSC::Allocator::offset const): Deleted.
514         * heap/AllocatorInlines.h:
515         (JSC::Allocator::allocate const):
516         (JSC::Allocator::tryAllocate const): Deleted.
517         * heap/BlockDirectory.cpp:
518         (JSC::BlockDirectory::BlockDirectory):
519         (JSC::BlockDirectory::~BlockDirectory):
520         * heap/BlockDirectory.h:
521         (JSC::BlockDirectory::allocator const): Deleted.
522         * heap/CompleteSubspace.cpp:
523         (JSC::CompleteSubspace::allocateNonVirtual):
524         (JSC::CompleteSubspace::allocatorForSlow):
525         (JSC::CompleteSubspace::tryAllocateSlow):
526         * heap/CompleteSubspace.h:
527         * heap/Heap.cpp:
528         (JSC::Heap::Heap):
529         * heap/Heap.h:
530         (JSC::Heap::threadLocalCacheLayout): Deleted.
531         * heap/IsoSubspace.cpp:
532         (JSC::IsoSubspace::IsoSubspace):
533         (JSC::IsoSubspace::allocateNonVirtual):
534         * heap/IsoSubspace.h:
535         (JSC::IsoSubspace::allocatorForNonVirtual):
536         * heap/LocalAllocator.cpp:
537         (JSC::LocalAllocator::LocalAllocator):
538         (JSC::LocalAllocator::~LocalAllocator):
539         * heap/LocalAllocator.h:
540         (JSC::LocalAllocator::cellSize const):
541         (JSC::LocalAllocator::tlc const): Deleted.
542         * heap/ThreadLocalCache.cpp: Removed.
543         * heap/ThreadLocalCache.h: Removed.
544         * heap/ThreadLocalCacheInlines.h: Removed.
545         * heap/ThreadLocalCacheLayout.cpp: Removed.
546         * heap/ThreadLocalCacheLayout.h: Removed.
547         * jit/AssemblyHelpers.cpp:
548         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
549         (JSC::AssemblyHelpers::emitAllocate):
550         (JSC::AssemblyHelpers::emitAllocateVariableSized):
551         * jit/JITOpcodes.cpp:
552         (JSC::JIT::emit_op_create_this):
553         * runtime/JSLock.cpp:
554         (JSC::JSLock::didAcquireLock):
555         * runtime/VM.cpp:
556         (JSC::VM::VM):
557         (JSC::VM::~VM):
558         * runtime/VM.h:
559         * runtime/VMEntryScope.cpp:
560         (JSC::VMEntryScope::~VMEntryScope):
561         * runtime/VMEntryScope.h:
562
563 2018-05-22  Keith Miller  <keith_miller@apple.com>
564
565         We should have a CoW storage for NewArrayBuffer arrays.
566         https://bugs.webkit.org/show_bug.cgi?id=185003
567
568         Reviewed by Filip Pizlo.
569
570         This patch adds copy on write storage for new array buffers. In
571         order to do this there needed to be significant changes to the
572         layout of IndexingType. The new indexing type has the following
573         shape:
574
575         struct IndexingTypeAndMisc {
576             struct IndexingModeIncludingHistory {
577                 struct IndexingMode {
578                     struct IndexingType {
579                         uint8_t isArray:1;          // bit 0
580                         uint8_t shape:3;            // bit 1 - 3
581                     };
582                     uint8_t copyOnWrite:1;          // bit 4
583                 };
584                 uint8_t mayHaveIndexedAccessors:1;  // bit 5
585             };
586             uint8_t cellLockBits:2;                 // bit 6 - 7
587         };
588
589         For simplicity ArrayStorage shapes cannot be CoW. So the only
590         valid CoW indexing shapes are ArrayWithInt32, ArrayWithDouble, and
591         ArrayWithContiguous.
592
593         The backing store for a CoW array is a new class
594         JSImmutableButterfly, which looks exactly the same as a normal
595         butterfly except that it has a JSCell header. Like other
596         butterflies, JSImmutableButterflies are allocated out of the
597         Auxiliary Gigacage and are pointed to by JSCells in the same
598         way. However, when marking JSImmutableButterflies they are marked
599         as if they were a property.
600
601         With CoW arrays, the new_array_buffer bytecode will reallocate the
602         shared JSImmutableButterfly if it sees from the allocation profile
603         that the last array it allocated has transitioned to a different
604         indexing type. From then on, all arrays created by that
605         new_array_buffer bytecode will have the promoted indexing
606         type. This is more or less the same as what we used to do. The
607         only difference is that we don't promote all the way to array
608         storage even if we have seen it before.
609
610         Transitioning from a CoW indexing mode occurs whenever someone
611         tries to store to an element, grow the array, or add properties.
612         Storing or growing the array will call into code that does the
613         stupid thing of copying the butterfly and then continues into the old
614         code. This doesn't end up costing us as future allocations will
615         use any upgraded indexing shape.  We get adding properties for
616         free by just changing the indexing mode on transition (our C++
617         code always updates the indexing mode).
618
619         * JavaScriptCore.xcodeproj/project.pbxproj:
620         * Sources.txt:
621         * bytecode/ArrayAllocationProfile.cpp:
622         (JSC::ArrayAllocationProfile::updateProfile):
623         * bytecode/ArrayAllocationProfile.h:
624         (JSC::ArrayAllocationProfile::initializeIndexingMode):
625         * bytecode/ArrayProfile.cpp:
626         (JSC::dumpArrayModes):
627         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
628         * bytecode/ArrayProfile.h:
629         (JSC::asArrayModes):
630         (JSC::arrayModeFromStructure):
631         (JSC::arrayModesInclude):
632         (JSC::hasSeenCopyOnWriteArray):
633         * bytecode/BytecodeList.json:
634         * bytecode/CodeBlock.cpp:
635         (JSC::CodeBlock::finishCreation):
636         * bytecode/InlineAccess.cpp:
637         (JSC::InlineAccess::generateArrayLength):
638         * bytecode/UnlinkedCodeBlock.h:
639         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
640         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
641         * bytecompiler/BytecodeGenerator.cpp:
642         (JSC::BytecodeGenerator::newArrayAllocationProfile):
643         (JSC::BytecodeGenerator::emitNewArrayBuffer):
644         (JSC::BytecodeGenerator::emitNewArray):
645         (JSC::BytecodeGenerator::emitNewArrayWithSize):
646         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
647         * bytecompiler/BytecodeGenerator.h:
648         * bytecompiler/NodesCodegen.cpp:
649         (JSC::ArrayNode::emitBytecode):
650         (JSC::ArrayPatternNode::bindValue const):
651         (JSC::ArrayPatternNode::emitDirectBinding):
652         * dfg/DFGAbstractInterpreterInlines.h:
653         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
654         * dfg/DFGArgumentsEliminationPhase.cpp:
655         * dfg/DFGArgumentsUtilities.cpp:
656         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
657         * dfg/DFGArrayMode.cpp:
658         (JSC::DFG::ArrayMode::fromObserved):
659         (JSC::DFG::ArrayMode::refine const):
660         (JSC::DFG::ArrayMode::alreadyChecked const):
661         * dfg/DFGArrayMode.h:
662         (JSC::DFG::ArrayMode::ArrayMode):
663         (JSC::DFG::ArrayMode::action const):
664         (JSC::DFG::ArrayMode::withSpeculation const):
665         (JSC::DFG::ArrayMode::withArrayClass const):
666         (JSC::DFG::ArrayMode::withType const):
667         (JSC::DFG::ArrayMode::withConversion const):
668         (JSC::DFG::ArrayMode::withTypeAndConversion const):
669         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
670         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
671         * dfg/DFGByteCodeParser.cpp:
672         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
673         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
674         (JSC::DFG::ByteCodeParser::parseBlock):
675         * dfg/DFGClobberize.h:
676         (JSC::DFG::clobberize):
677         * dfg/DFGConstantFoldingPhase.cpp:
678         (JSC::DFG::ConstantFoldingPhase::foldConstants):
679         * dfg/DFGFixupPhase.cpp:
680         (JSC::DFG::FixupPhase::fixupNode):
681         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
682         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
683         * dfg/DFGGraph.cpp:
684         (JSC::DFG::Graph::dump):
685         * dfg/DFGNode.h:
686         (JSC::DFG::Node::indexingType):
687         (JSC::DFG::Node::indexingMode):
688         * dfg/DFGOSRExit.cpp:
689         (JSC::DFG::OSRExit::compileExit):
690         * dfg/DFGOperations.cpp:
691         * dfg/DFGOperations.h:
692         * dfg/DFGSpeculativeJIT.cpp:
693         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
694         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
695         (JSC::DFG::SpeculativeJIT::arrayify):
696         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
697         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
698         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
699         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
700         (JSC::DFG::SpeculativeJIT::compileCreateRest):
701         (JSC::DFG::SpeculativeJIT::compileArraySlice):
702         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
703         * dfg/DFGSpeculativeJIT32_64.cpp:
704         (JSC::DFG::SpeculativeJIT::compile):
705         * dfg/DFGSpeculativeJIT64.cpp:
706         (JSC::DFG::SpeculativeJIT::compile):
707         * dfg/DFGValidate.cpp:
708         * ftl/FTLAbstractHeapRepository.h:
709         * ftl/FTLLowerDFGToB3.cpp:
710         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
711         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
712         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
713         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
714         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
715         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
716         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
717         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
718         * ftl/FTLOperations.cpp:
719         (JSC::FTL::operationMaterializeObjectInOSR):
720         * generate-bytecode-files:
721         * interpreter/Interpreter.cpp:
722         (JSC::sizeOfVarargs):
723         (JSC::loadVarargs):
724         * jit/AssemblyHelpers.cpp:
725         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
726         * jit/AssemblyHelpers.h:
727         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
728         * jit/JITOperations.cpp:
729         * jit/JITPropertyAccess.cpp:
730         (JSC::JIT::emit_op_put_by_val):
731         (JSC::JIT::emitSlow_op_put_by_val):
732         * jit/Repatch.cpp:
733         (JSC::tryCachePutByID):
734         * llint/LowLevelInterpreter.asm:
735         * llint/LowLevelInterpreter32_64.asm:
736         * llint/LowLevelInterpreter64.asm:
737         * runtime/Butterfly.h:
738         (JSC::ContiguousData::Data::Data):
739         (JSC::ContiguousData::Data::operator bool const):
740         (JSC::ContiguousData::Data::operator=):
741         (JSC::ContiguousData::Data::operator const T& const):
742         (JSC::ContiguousData::Data::set):
743         (JSC::ContiguousData::Data::setWithoutWriteBarrier):
744         (JSC::ContiguousData::Data::clear):
745         (JSC::ContiguousData::Data::get const):
746         (JSC::ContiguousData::atUnsafe):
747         (JSC::ContiguousData::at const): Deleted.
748         (JSC::ContiguousData::at): Deleted.
749         * runtime/ButterflyInlines.h:
750         (JSC::ContiguousData<T>::at const):
751         (JSC::ContiguousData<T>::at):
752         * runtime/ClonedArguments.cpp:
753         (JSC::ClonedArguments::createEmpty):
754         * runtime/CommonSlowPaths.cpp:
755         (JSC::SLOW_PATH_DECL):
756         * runtime/CommonSlowPaths.h:
757         (JSC::CommonSlowPaths::allocateNewArrayBuffer):
758         * runtime/IndexingType.cpp:
759         (JSC::leastUpperBoundOfIndexingTypeAndType):
760         (JSC::leastUpperBoundOfIndexingTypeAndValue):
761         (JSC::dumpIndexingType):
762         * runtime/IndexingType.h:
763         (JSC::hasIndexedProperties):
764         (JSC::hasUndecided):
765         (JSC::hasInt32):
766         (JSC::hasDouble):
767         (JSC::hasContiguous):
768         (JSC::hasArrayStorage):
769         (JSC::hasAnyArrayStorage):
770         (JSC::hasSlowPutArrayStorage):
771         (JSC::shouldUseSlowPut):
772         (JSC::isCopyOnWrite):
773         (JSC::arrayIndexFromIndexingType):
774         * runtime/JSArray.cpp:
775         (JSC::JSArray::tryCreateUninitializedRestricted):
776         (JSC::JSArray::put):
777         (JSC::JSArray::appendMemcpy):
778         (JSC::JSArray::setLength):
779         (JSC::JSArray::pop):
780         (JSC::JSArray::fastSlice):
781         (JSC::JSArray::shiftCountWithAnyIndexingType):
782         (JSC::JSArray::unshiftCountWithAnyIndexingType):
783         (JSC::JSArray::fillArgList):
784         (JSC::JSArray::copyToArguments):
785         * runtime/JSArrayInlines.h:
786         (JSC::JSArray::pushInline):
787         * runtime/JSCell.h:
788         * runtime/JSCellInlines.h:
789         (JSC::JSCell::JSCell):
790         (JSC::JSCell::finishCreation):
791         (JSC::JSCell::indexingType const):
792         (JSC::JSCell::indexingMode const):
793         (JSC::JSCell::setStructure):
794         * runtime/JSFixedArray.h:
795         * runtime/JSGlobalObject.cpp:
796         (JSC::JSGlobalObject::init):
797         (JSC::JSGlobalObject::haveABadTime):
798         (JSC::JSGlobalObject::visitChildren):
799         * runtime/JSGlobalObject.h:
800         (JSC::JSGlobalObject::originalArrayStructureForIndexingType const):
801         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
802         (JSC::JSGlobalObject::isOriginalArrayStructure):
803         * runtime/JSImmutableButterfly.cpp: Added.
804         (JSC::JSImmutableButterfly::visitChildren):
805         (JSC::JSImmutableButterfly::copyToArguments):
806         * runtime/JSImmutableButterfly.h: Added.
807         (JSC::JSImmutableButterfly::createStructure):
808         (JSC::JSImmutableButterfly::tryCreate):
809         (JSC::JSImmutableButterfly::create):
810         (JSC::JSImmutableButterfly::publicLength const):
811         (JSC::JSImmutableButterfly::vectorLength const):
812         (JSC::JSImmutableButterfly::length const):
813         (JSC::JSImmutableButterfly::toButterfly const):
814         (JSC::JSImmutableButterfly::fromButterfly):
815         (JSC::JSImmutableButterfly::get const):
816         (JSC::JSImmutableButterfly::subspaceFor):
817         (JSC::JSImmutableButterfly::setIndex):
818         (JSC::JSImmutableButterfly::allocationSize):
819         (JSC::JSImmutableButterfly::JSImmutableButterfly):
820         * runtime/JSObject.cpp:
821         (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties):
822         (JSC::JSObject::visitButterflyImpl):
823         (JSC::JSObject::getOwnPropertySlotByIndex):
824         (JSC::JSObject::putByIndex):
825         (JSC::JSObject::createInitialInt32):
826         (JSC::JSObject::createInitialDouble):
827         (JSC::JSObject::createInitialContiguous):
828         (JSC::JSObject::convertUndecidedToInt32):
829         (JSC::JSObject::convertUndecidedToDouble):
830         (JSC::JSObject::convertUndecidedToContiguous):
831         (JSC::JSObject::convertInt32ToDouble):
832         (JSC::JSObject::convertInt32ToArrayStorage):
833         (JSC::JSObject::convertDoubleToContiguous):
834         (JSC::JSObject::convertDoubleToArrayStorage):
835         (JSC::JSObject::convertContiguousToArrayStorage):
836         (JSC::JSObject::createInitialForValueAndSet):
837         (JSC::JSObject::convertInt32ForValue):
838         (JSC::JSObject::convertFromCopyOnWrite):
839         (JSC::JSObject::ensureWritableInt32Slow):
840         (JSC::JSObject::ensureWritableDoubleSlow):
841         (JSC::JSObject::ensureWritableContiguousSlow):
842         (JSC::JSObject::ensureArrayStorageSlow):
843         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
844         (JSC::JSObject::switchToSlowPutArrayStorage):
845         (JSC::JSObject::deletePropertyByIndex):
846         (JSC::JSObject::getOwnPropertyNames):
847         (JSC::canDoFastPutDirectIndex):
848         (JSC::JSObject::defineOwnIndexedProperty):
849         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
850         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
851         (JSC::JSObject::putByIndexBeyondVectorLength):
852         (JSC::JSObject::countElements):
853         (JSC::JSObject::ensureLengthSlow):
854         (JSC::JSObject::getEnumerableLength):
855         (JSC::JSObject::ensureInt32Slow): Deleted.
856         (JSC::JSObject::ensureDoubleSlow): Deleted.
857         (JSC::JSObject::ensureContiguousSlow): Deleted.
858         * runtime/JSObject.h:
859         (JSC::JSObject::putDirectIndex):
860         (JSC::JSObject::canGetIndexQuickly):
861         (JSC::JSObject::getIndexQuickly):
862         (JSC::JSObject::tryGetIndexQuickly const):
863         (JSC::JSObject::canSetIndexQuickly):
864         (JSC::JSObject::setIndexQuickly):
865         (JSC::JSObject::initializeIndex):
866         (JSC::JSObject::initializeIndexWithoutBarrier):
867         (JSC::JSObject::ensureWritableInt32):
868         (JSC::JSObject::ensureWritableDouble):
869         (JSC::JSObject::ensureWritableContiguous):
870         (JSC::JSObject::ensureLength):
871         (JSC::JSObject::ensureInt32): Deleted.
872         (JSC::JSObject::ensureDouble): Deleted.
873         (JSC::JSObject::ensureContiguous): Deleted.
874         * runtime/JSObjectInlines.h:
875         (JSC::JSObject::putDirectInternal):
876         * runtime/JSType.h:
877         * runtime/RegExpMatchesArray.h:
878         (JSC::tryCreateUninitializedRegExpMatchesArray):
879         * runtime/Structure.cpp:
880         (JSC::Structure::Structure):
881         (JSC::Structure::addNewPropertyTransition):
882         (JSC::Structure::nonPropertyTransition):
883         * runtime/Structure.h:
884         * runtime/StructureIDBlob.h:
885         (JSC::StructureIDBlob::StructureIDBlob):
886         (JSC::StructureIDBlob::indexingModeIncludingHistory const):
887         (JSC::StructureIDBlob::setIndexingModeIncludingHistory):
888         (JSC::StructureIDBlob::indexingModeIncludingHistoryOffset):
889         (JSC::StructureIDBlob::indexingTypeIncludingHistory const): Deleted.
890         (JSC::StructureIDBlob::setIndexingTypeIncludingHistory): Deleted.
891         (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset): Deleted.
892         * runtime/StructureTransitionTable.h:
893         (JSC::newIndexingType):
894         * runtime/VM.cpp:
895         (JSC::VM::VM):
896         * runtime/VM.h:
897
898 2018-05-22  Ryan Haddad  <ryanhaddad@apple.com>
899
900         Unreviewed, rolling out r232052.
901
902         Breaks internal builds.
903
904         Reverted changeset:
905
906         "Use more C++17"
907         https://bugs.webkit.org/show_bug.cgi?id=185176
908         https://trac.webkit.org/changeset/232052
909
910 2018-05-22  Alberto Garcia  <berto@igalia.com>
911
912         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
913         https://bugs.webkit.org/show_bug.cgi?id=182622
914         <rdar://problem/40292317>
915
916         Reviewed by Michael Catanzaro.
917
918         We were linking JavaScriptCore against libatomic in MIPS because
919         in that architecture __atomic_fetch_add_8() is not a compiler
920         intrinsic and is provided by that library instead. However other
921         architectures (e.g. armel) are in the same situation, so we need a
922         generic test.
923
924         That test already exists in WebKit/CMakeLists.txt, so we just have
925         to move it to a common file (WebKitCompilerFlags.cmake) and use
926         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
927
928         * CMakeLists.txt:
929
930 2018-05-22  Michael Catanzaro  <mcatanzaro@igalia.com>
931
932         Unreviewed, rolling out r231843.
933
934         Broke cross build
935
936         Reverted changeset:
937
938         "[CMake] Properly detect compiler flags, needed libs, and
939         fallbacks for usage of 64-bit atomic operations"
940         https://bugs.webkit.org/show_bug.cgi?id=182622
941         https://trac.webkit.org/changeset/231843
942
943 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
944
945         Use more C++17
946         https://bugs.webkit.org/show_bug.cgi?id=185176
947
948         Reviewed by JF Bastien.
949
950         * Configurations/Base.xcconfig:
951
952 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
953
954         [JSC] Remove duplicate methods in JSInterfaceJIT
955         https://bugs.webkit.org/show_bug.cgi?id=185813
956
957         Reviewed by Saam Barati.
958
959         Some methods of JSInterfaceJIT duplicate AssemblyHelpers' ones.
960         This patch removes them and uses AssemblyHelpers' ones instead.
961
962         This patch also cleans up some unnecessary ifdefs in ThunkGenerators.
963
964         * jit/AssemblyHelpers.h:
965         (JSC::AssemblyHelpers::tagFor):
966         (JSC::AssemblyHelpers::payloadFor):
967         * jit/JIT.h:
968         * jit/JITArithmetic.cpp:
969         (JSC::JIT::emit_op_unsigned):
970         (JSC::JIT::emit_compareUnsigned):
971         (JSC::JIT::emit_op_inc):
972         (JSC::JIT::emit_op_dec):
973         (JSC::JIT::emit_op_mod):
974         * jit/JITCall32_64.cpp:
975         (JSC::JIT::compileOpCall):
976         * jit/JITInlines.h:
977         (JSC::JIT::emitPutIntToCallFrameHeader):
978         (JSC::JIT::updateTopCallFrame):
979         (JSC::JIT::emitInitRegister):
980         (JSC::JIT::emitLoad):
981         (JSC::JIT::emitStore):
982         (JSC::JIT::emitStoreInt32):
983         (JSC::JIT::emitStoreCell):
984         (JSC::JIT::emitStoreBool):
985         (JSC::JIT::emitGetVirtualRegister):
986         (JSC::JIT::emitPutVirtualRegister):
987         (JSC::JIT::emitTagBool): Deleted.
988         * jit/JITOpcodes.cpp:
989         (JSC::JIT::emit_op_overrides_has_instance):
990         (JSC::JIT::emit_op_is_empty):
991         (JSC::JIT::emit_op_is_undefined):
992         (JSC::JIT::emit_op_is_boolean):
993         (JSC::JIT::emit_op_is_number):
994         (JSC::JIT::emit_op_is_cell_with_type):
995         (JSC::JIT::emit_op_is_object):
996         (JSC::JIT::emit_op_eq):
997         (JSC::JIT::emit_op_neq):
998         (JSC::JIT::compileOpStrictEq):
999         (JSC::JIT::emit_op_eq_null):
1000         (JSC::JIT::emit_op_neq_null):
1001         (JSC::JIT::emitSlow_op_eq):
1002         (JSC::JIT::emitSlow_op_neq):
1003         (JSC::JIT::emitSlow_op_instanceof_custom):
1004         (JSC::JIT::emitNewFuncExprCommon):
1005         * jit/JSInterfaceJIT.h:
1006         (JSC::JSInterfaceJIT::emitLoadInt32):
1007         (JSC::JSInterfaceJIT::emitLoadDouble):
1008         (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
1009         (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
1010         (JSC::JSInterfaceJIT::tagFor): Deleted.
1011         (JSC::JSInterfaceJIT::payloadFor): Deleted.
1012         (JSC::JSInterfaceJIT::intPayloadFor): Deleted.
1013         (JSC::JSInterfaceJIT::intTagFor): Deleted.
1014         (JSC::JSInterfaceJIT::emitTagInt): Deleted.
1015         (JSC::JSInterfaceJIT::addressFor): Deleted.
1016         * jit/SpecializedThunkJIT.h:
1017         (JSC::SpecializedThunkJIT::returnDouble):
1018         * jit/ThunkGenerators.cpp:
1019         (JSC::nativeForGenerator):
1020         (JSC::arityFixupGenerator):
1021
1022 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1023
1024         Unreviewed, reland InById cache
1025         https://bugs.webkit.org/show_bug.cgi?id=185682
1026
1027         Includes Dominik's 32bit fix.
1028
1029         * bytecode/AccessCase.cpp:
1030         (JSC::AccessCase::fromStructureStubInfo):
1031         (JSC::AccessCase::generateWithGuard):
1032         (JSC::AccessCase::generateImpl):
1033         * bytecode/BytecodeDumper.cpp:
1034         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
1035         (JSC::BytecodeDumper<Block>::dumpBytecode):
1036         * bytecode/BytecodeDumper.h:
1037         * bytecode/BytecodeList.json:
1038         * bytecode/BytecodeUseDef.h:
1039         (JSC::computeUsesForBytecodeOffset):
1040         (JSC::computeDefsForBytecodeOffset):
1041         * bytecode/CodeBlock.cpp:
1042         (JSC::CodeBlock::finishCreation):
1043         * bytecode/InlineAccess.cpp:
1044         (JSC::InlineAccess::generateSelfInAccess):
1045         * bytecode/InlineAccess.h:
1046         * bytecode/StructureStubInfo.cpp:
1047         (JSC::StructureStubInfo::initInByIdSelf):
1048         (JSC::StructureStubInfo::deref):
1049         (JSC::StructureStubInfo::aboutToDie):
1050         (JSC::StructureStubInfo::reset):
1051         (JSC::StructureStubInfo::visitWeakReferences):
1052         (JSC::StructureStubInfo::propagateTransitions):
1053         * bytecode/StructureStubInfo.h:
1054         (JSC::StructureStubInfo::patchableJump):
1055         * bytecompiler/BytecodeGenerator.cpp:
1056         (JSC::BytecodeGenerator::emitInByVal):
1057         (JSC::BytecodeGenerator::emitInById):
1058         (JSC::BytecodeGenerator::emitIn): Deleted.
1059         * bytecompiler/BytecodeGenerator.h:
1060         * bytecompiler/NodesCodegen.cpp:
1061         (JSC::InNode::emitBytecode):
1062         * dfg/DFGAbstractInterpreterInlines.h:
1063         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1064         * dfg/DFGByteCodeParser.cpp:
1065         (JSC::DFG::ByteCodeParser::parseBlock):
1066         * dfg/DFGCapabilities.cpp:
1067         (JSC::DFG::capabilityLevel):
1068         * dfg/DFGClobberize.h:
1069         (JSC::DFG::clobberize):
1070         * dfg/DFGConstantFoldingPhase.cpp:
1071         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1072         * dfg/DFGDoesGC.cpp:
1073         (JSC::DFG::doesGC):
1074         * dfg/DFGFixupPhase.cpp:
1075         (JSC::DFG::FixupPhase::fixupNode):
1076         * dfg/DFGJITCompiler.cpp:
1077         (JSC::DFG::JITCompiler::link):
1078         * dfg/DFGJITCompiler.h:
1079         (JSC::DFG::JITCompiler::addInById):
1080         (JSC::DFG::InRecord::InRecord): Deleted.
1081         (JSC::DFG::JITCompiler::addIn): Deleted.
1082         * dfg/DFGNode.h:
1083         (JSC::DFG::Node::convertToInById):
1084         (JSC::DFG::Node::hasIdentifier):
1085         (JSC::DFG::Node::hasArrayMode):
1086         * dfg/DFGNodeType.h:
1087         * dfg/DFGPredictionPropagationPhase.cpp:
1088         * dfg/DFGSafeToExecute.h:
1089         (JSC::DFG::safeToExecute):
1090         * dfg/DFGSpeculativeJIT.cpp:
1091         (JSC::DFG::SpeculativeJIT::compileInById):
1092         (JSC::DFG::SpeculativeJIT::compileInByVal):
1093         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
1094         * dfg/DFGSpeculativeJIT.h:
1095         * dfg/DFGSpeculativeJIT32_64.cpp:
1096         (JSC::DFG::SpeculativeJIT::compile):
1097         * dfg/DFGSpeculativeJIT64.cpp:
1098         (JSC::DFG::SpeculativeJIT::compile):
1099         * ftl/FTLCapabilities.cpp:
1100         (JSC::FTL::canCompile):
1101         * ftl/FTLLowerDFGToB3.cpp:
1102         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1103         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
1104         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
1105         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
1106         * jit/AssemblyHelpers.h:
1107         (JSC::AssemblyHelpers::boxBoolean):
1108         * jit/ICStats.h:
1109         * jit/JIT.cpp:
1110         (JSC::JIT::JIT):
1111         (JSC::JIT::privateCompileMainPass):
1112         (JSC::JIT::privateCompileSlowCases):
1113         (JSC::JIT::link):
1114         * jit/JIT.h:
1115         * jit/JITInlineCacheGenerator.cpp:
1116         (JSC::JITInByIdGenerator::JITInByIdGenerator):
1117         (JSC::JITInByIdGenerator::generateFastPath):
1118         * jit/JITInlineCacheGenerator.h:
1119         (JSC::JITInByIdGenerator::JITInByIdGenerator):
1120         * jit/JITOperations.cpp:
1121         * jit/JITOperations.h:
1122         * jit/JITPropertyAccess.cpp:
1123         (JSC::JIT::emit_op_in_by_id):
1124         (JSC::JIT::emitSlow_op_in_by_id):
1125         * jit/JITPropertyAccess32_64.cpp:
1126         (JSC::JIT::emit_op_in_by_id):
1127         (JSC::JIT::emitSlow_op_in_by_id):
1128         * jit/Repatch.cpp:
1129         (JSC::tryCacheInByID):
1130         (JSC::repatchInByID):
1131         (JSC::resetInByID):
1132         (JSC::tryCacheIn): Deleted.
1133         (JSC::repatchIn): Deleted.
1134         (JSC::resetIn): Deleted.
1135         * jit/Repatch.h:
1136         * llint/LowLevelInterpreter.asm:
1137         * llint/LowLevelInterpreter64.asm:
1138         * parser/NodeConstructors.h:
1139         (JSC::InNode::InNode):
1140         * runtime/CommonSlowPaths.cpp:
1141         (JSC::SLOW_PATH_DECL):
1142         * runtime/CommonSlowPaths.h:
1143         (JSC::CommonSlowPaths::opInByVal):
1144         (JSC::CommonSlowPaths::opIn): Deleted.
1145
1146 2018-05-21  Commit Queue  <commit-queue@webkit.org>
1147
1148         Unreviewed, rolling out r231998 and r232017.
1149         https://bugs.webkit.org/show_bug.cgi?id=185842
1150
1151         causes crashes on 32 JSC bot (Requested by realdawei on
1152         #webkit).
1153
1154         Reverted changesets:
1155
1156         "[JSC] JSC should have consistent InById IC"
1157         https://bugs.webkit.org/show_bug.cgi?id=185682
1158         https://trac.webkit.org/changeset/231998
1159
1160         "Unreviewed, fix 32bit and scope release"
1161         https://bugs.webkit.org/show_bug.cgi?id=185682
1162         https://trac.webkit.org/changeset/232017
1163
1164 2018-05-21  Jer Noble  <jer.noble@apple.com>
1165
1166         Complete fix for enabling modern EME by default
1167         https://bugs.webkit.org/show_bug.cgi?id=185770
1168         <rdar://problem/40368220>
1169
1170         Reviewed by Eric Carlson.
1171
1172         * Configurations/FeatureDefines.xcconfig:
1173
1174 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1175
1176         Unreviewed, fix 32bit and scope release
1177         https://bugs.webkit.org/show_bug.cgi?id=185682
1178
1179         * jit/JITOperations.cpp:
1180         * jit/JITPropertyAccess32_64.cpp:
1181         (JSC::JIT::emitSlow_op_in_by_id):
1182
1183 2018-05-20  Filip Pizlo  <fpizlo@apple.com>
1184
1185         Revert the B3 compiler pipeline's treatment of taildup
1186         https://bugs.webkit.org/show_bug.cgi?id=185808
1187
1188         Reviewed by Yusuke Suzuki.
1189         
1190         While trying to implement path specialization (bug 185060), I reorganized the B3 pass pipeline.
1191         But then path specialization turned out to be a negative result. This reverts the pipeline to the
1192         way it was before that work.
1193         
1194         1.5% progression on V8Spider-CompileTime.
1195
1196         * b3/B3Generate.cpp:
1197         (JSC::B3::generateToAir):
1198
1199 2018-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1200
1201         [DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase
1202         https://bugs.webkit.org/show_bug.cgi?id=185802
1203
1204         Reviewed by Saam Barati.
1205
1206         * dfg/DFGConstantFoldingPhase.cpp:
1207         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1208
1209 2018-05-18  Filip Pizlo  <fpizlo@apple.com>
1210
1211         DFG should inline InstanceOf ICs
1212         https://bugs.webkit.org/show_bug.cgi?id=185695
1213
1214         Reviewed by Yusuke Suzuki.
1215         
1216         This teaches the DFG how to inline InstanceOf ICs into a MatchStructure node. This can then
1217         be folded to a CheckStructure + JSConstant.
1218         
1219         In the process of testing this, I found a bug where LICM was not hoisting things that
1220         depended on ExtraOSREntryLocal because that might return SpecEmpty. I fixed that by teaching
1221         LICM how to materialize CheckNotEmpty on demand whenever !HoistingFailed.
1222         
1223         This is a ~5% speed-up on boyer.
1224         
1225         ~2x speed-up on the instanceof-always-hit-one, instanceof-always-hit-two, and
1226         instanceof-sometimes-hit microbenchmarks.
1227
1228         * JavaScriptCore.xcodeproj/project.pbxproj:
1229         * Sources.txt:
1230         * bytecode/GetByIdStatus.cpp:
1231         (JSC::GetByIdStatus::appendVariant):
1232         (JSC::GetByIdStatus::filter):
1233         * bytecode/GetByIdStatus.h:
1234         (JSC::GetByIdStatus::operator bool const):
1235         (JSC::GetByIdStatus::operator! const): Deleted.
1236         * bytecode/GetByIdVariant.h:
1237         (JSC::GetByIdVariant::operator bool const):
1238         (JSC::GetByIdVariant::operator! const): Deleted.
1239         * bytecode/ICStatusUtils.h: Added.
1240         (JSC::appendICStatusVariant):
1241         (JSC::filterICStatusVariants):
1242         * bytecode/InstanceOfStatus.cpp: Added.
1243         (JSC::InstanceOfStatus::appendVariant):
1244         (JSC::InstanceOfStatus::computeFor):
1245         (JSC::InstanceOfStatus::computeForStubInfo):
1246         (JSC::InstanceOfStatus::commonPrototype const):
1247         (JSC::InstanceOfStatus::filter):
1248         * bytecode/InstanceOfStatus.h: Added.
1249         (JSC::InstanceOfStatus::InstanceOfStatus):
1250         (JSC::InstanceOfStatus::state const):
1251         (JSC::InstanceOfStatus::isSet const):
1252         (JSC::InstanceOfStatus::operator bool const):
1253         (JSC::InstanceOfStatus::isSimple const):
1254         (JSC::InstanceOfStatus::takesSlowPath const):
1255         (JSC::InstanceOfStatus::numVariants const):
1256         (JSC::InstanceOfStatus::variants const):
1257         (JSC::InstanceOfStatus::at const):
1258         (JSC::InstanceOfStatus::operator[] const):
1259         * bytecode/InstanceOfVariant.cpp: Added.
1260         (JSC::InstanceOfVariant::InstanceOfVariant):
1261         (JSC::InstanceOfVariant::attemptToMerge):
1262         (JSC::InstanceOfVariant::dump const):
1263         (JSC::InstanceOfVariant::dumpInContext const):
1264         * bytecode/InstanceOfVariant.h: Added.
1265         (JSC::InstanceOfVariant::InstanceOfVariant):
1266         (JSC::InstanceOfVariant::operator bool const):
1267         (JSC::InstanceOfVariant::structureSet const):
1268         (JSC::InstanceOfVariant::structureSet):
1269         (JSC::InstanceOfVariant::conditionSet const):
1270         (JSC::InstanceOfVariant::prototype const):
1271         (JSC::InstanceOfVariant::isHit const):
1272         * bytecode/StructureStubInfo.cpp:
1273         (JSC::StructureStubInfo::StructureStubInfo):
1274         * bytecode/StructureStubInfo.h:
1275         (JSC::StructureStubInfo::considerCaching):
1276         * dfg/DFGAbstractInterpreterInlines.h:
1277         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1278         * dfg/DFGByteCodeParser.cpp:
1279         (JSC::DFG::ByteCodeParser::parseBlock):
1280         * dfg/DFGClobberize.h:
1281         (JSC::DFG::clobberize):
1282         * dfg/DFGConstantFoldingPhase.cpp:
1283         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1284         * dfg/DFGDoesGC.cpp:
1285         (JSC::DFG::doesGC):
1286         * dfg/DFGFixupPhase.cpp:
1287         (JSC::DFG::FixupPhase::fixupNode):
1288         * dfg/DFGGraph.cpp:
1289         (JSC::DFG::Graph::dump):
1290         * dfg/DFGGraph.h:
1291         * dfg/DFGLICMPhase.cpp:
1292         (JSC::DFG::LICMPhase::attemptHoist):
1293         * dfg/DFGNode.cpp:
1294         (JSC::DFG::Node::remove):
1295         * dfg/DFGNode.h:
1296         (JSC::DFG::Node::hasMatchStructureData):
1297         (JSC::DFG::Node::matchStructureData):
1298         * dfg/DFGNodeType.h:
1299         * dfg/DFGSafeToExecute.h:
1300         (JSC::DFG::safeToExecute):
1301         * dfg/DFGSpeculativeJIT.cpp:
1302         (JSC::DFG::SpeculativeJIT::compileMatchStructure):
1303         * dfg/DFGSpeculativeJIT.h:
1304         * dfg/DFGSpeculativeJIT32_64.cpp:
1305         (JSC::DFG::SpeculativeJIT::compile):
1306         * dfg/DFGSpeculativeJIT64.cpp:
1307         (JSC::DFG::SpeculativeJIT::compile):
1308         * ftl/FTLCapabilities.cpp:
1309         (JSC::FTL::canCompile):
1310         * ftl/FTLLowerDFGToB3.cpp:
1311         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1312         (JSC::FTL::DFG::LowerDFGToB3::compileMatchStructure):
1313
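As an added illustration, not code from either WebKit patch: the entry above folds `instanceof` into a structure match, and the next entry (bug 185682) gives `in` an own-property inline cache of the same kind as the GetById one, keyed on the object's structure. Both fast paths are only correct if they decline every object whose answer is not fixed by its structure. The harness below runs `in` and `instanceof` hot, so the JIT tiers and their caches engage, and compares every answer with a hand-written walk of the prototype chain; it also checks that a Proxy `has` trap and a `Symbol.hasInstance` override are still honoured. The function names (referenceIn, referenceInstanceOf, runDifferential, runExoticChecks) and the sample objects are constructed for this example.

```javascript
"use strict";

// Added illustration, not code from either WebKit patch: a differential harness
// that runs `in` and `instanceof` hot enough for the JIT tiers and their inline
// caches to engage, then compares every answer with a hand-written walk of the
// prototype chain. A non-zero mismatch count would mean a cache answered for an
// object it should have bailed out on. All names and sample objects below are
// constructed for this example.

// HasProperty for ordinary objects: an own-property check at each step of the chain.
function referenceIn(key, obj) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    if (Object.prototype.hasOwnProperty.call(o, key)) return true;
  }
  return false;
}

// OrdinaryHasInstance: is ctor.prototype somewhere on obj's prototype chain?
function referenceInstanceOf(obj, ctor) {
  if (obj === null || (typeof obj !== "object" && typeof obj !== "function")) return false;
  for (let o = Object.getPrototypeOf(obj); o !== null; o = Object.getPrototypeOf(o)) {
    if (o === ctor.prototype) return true;
  }
  return false;
}

class Base {}
class Derived extends Base {}

// Shapes a structure-keyed cache must tell apart: the key as an own property
// (the case the own-property inline cache may hit), the key only on the
// prototype (`in` is true but the own-property cache must miss), the key absent,
// no prototype at all, and an object whose structure changes while the loop is hot.
function makeSamples() {
  return [
    { x: 1 },
    Object.create({ x: 1 }),
    { y: 2 },
    Object.create(null),
    new Derived(),
    new Base(),
    Object.setPrototypeOf({}, Derived.prototype),
  ];
}

// A literal key compiles to op_in_by_id (a DFG InById candidate); a variable key
// stays op_in_by_val / InByVal. Both must agree with the reference.
function checkConstant(o) { return "x" in o; }
function checkVariable(k, o) { return k in o; }
function checkInstance(o, C) { return o instanceof C; }

// Returns the number of disagreements with the reference over `iterations` rounds.
function runDifferential(iterations) {
  const samples = makeSamples();
  const mover = samples[2];
  const keys = ["x", "y", "z"];
  let mismatches = 0;
  for (let i = 0; i < iterations; i++) {
    // Transition one object's structure every round: add x, then delete it again.
    if (i % 2 === 0) mover.x = i; else delete mover.x;
    for (const o of samples) {
      if (checkConstant(o) !== referenceIn("x", o)) mismatches++;
      for (const k of keys) {
        if (checkVariable(k, o) !== referenceIn(k, o)) mismatches++;
      }
      for (const C of [Base, Derived, Array]) {
        if (checkInstance(o, C) !== referenceInstanceOf(o, C)) mismatches++;
      }
    }
  }
  return mismatches;
}

// Exotic cases no structure-based fast path may answer on its own: a Proxy `has`
// trap and a Symbol.hasInstance override are both observable, so the engine has to
// take the slow path every time. The trap counter proves the slow path ran.
function runExoticChecks(iterations) {
  let trapCalls = 0;
  const proxy = new Proxy({ x: 1 }, {
    has(target, key) { trapCalls++; return key === "secret"; },
  });
  class Anything { static [Symbol.hasInstance](v) { return v === 42; } }
  let ok = true;
  for (let i = 0; i < iterations; i++) {
    const a = checkConstant(proxy) === false;          // target owns x, trap says no
    const b = checkVariable("secret", proxy) === true; // target lacks it, trap says yes
    const c = checkInstance(42, Anything) === true;    // a primitive, accepted by the override
    const d = checkInstance({}, Anything) === false;
    ok = ok && a && b && c && d;
  }
  return { ok, trapCalls, expectedTrapCalls: 2 * iterations };
}
```

On a correct engine runDifferential returns 0 and runExoticChecks reports trapCalls equal to expectedTrapCalls; it runs unchanged under jsc or node. This is the shape of check a JIT fuzzer uses to catch an inline cache that keeps answering after a structure transition or for an object that is not an ordinary object at all.
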
1314 2018-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1315
1316         [JSC] JSC should have consistent InById IC
1317         https://bugs.webkit.org/show_bug.cgi?id=185682
1318
1319         Reviewed by Filip Pizlo.
1320
1321         Currently our op_in IC is ad hoc: it is only emitted in the DFG and FTL layers,
1322         when we find that DFG::In's parameter is a constant string. We should
1323         align this IC with the other ById ICs to clean up and remove ad hoc code
1324         in DFG and FTL.
1325
1326         This patch cleans up our "In" IC by aligning it with the other ById ICs.
1327         We split the op_in bytecode into op_in_by_id and op_in_by_val. op_in_by_val
1328         is the same as the original op_in. For op_in_by_id, we use JITInByIdGenerator
1329         to emit InById IC code. In addition, our JITInByIdGenerator and op_in_by_id
1330         have an inline access cache for the own-property case, the same as
1331         JITGetByIdGenerator.
1332
1333         And we split DFG::In into DFG::InById and DFG::InByVal. InByVal is the same
1334         as the original In DFG node. DFG AI attempts to lower InByVal to InById
1335         if AI figures out that the property name is a constant string. And in
1336         the InById node, we use JITInByIdGenerator code.
1337
1338         This patch cleans up DFG and FTL's adhoc In IC code.
1339
1340         In a subsequent patch, we should introduce InByIdStatus to optimize
1341         InById in DFG and FTL. We would like to have a new InByIdStatus instead of
1342         reusing GetByIdStatus since GetByIdStatus has become too complicated, and
1343         the AccessCase::Types differ (AccessCase::InHit / InMiss).
1344
1345         * bytecode/AccessCase.cpp:
1346         (JSC::AccessCase::fromStructureStubInfo):
1347         (JSC::AccessCase::generateWithGuard):
1348         * bytecode/BytecodeDumper.cpp:
1349         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
1350         (JSC::BytecodeDumper<Block>::dumpBytecode):
1351         * bytecode/BytecodeDumper.h:
1352         * bytecode/BytecodeList.json:
1353         * bytecode/BytecodeUseDef.h:
1354         (JSC::computeUsesForBytecodeOffset):
1355         (JSC::computeDefsForBytecodeOffset):
1356         * bytecode/CodeBlock.cpp:
1357         (JSC::CodeBlock::finishCreation):
1358         * bytecode/InlineAccess.cpp:
1359         (JSC::InlineAccess::generateSelfInAccess):
1360         * bytecode/InlineAccess.h:
1361         * bytecode/StructureStubInfo.cpp:
1362         (JSC::StructureStubInfo::initInByIdSelf):
1363         (JSC::StructureStubInfo::deref):
1364         (JSC::StructureStubInfo::aboutToDie):
1365         (JSC::StructureStubInfo::reset):
1366         (JSC::StructureStubInfo::visitWeakReferences):
1367         (JSC::StructureStubInfo::propagateTransitions):
1368         * bytecode/StructureStubInfo.h:
1369         (JSC::StructureStubInfo::patchableJump):
1370         * bytecompiler/BytecodeGenerator.cpp:
1371         (JSC::BytecodeGenerator::emitInByVal):
1372         (JSC::BytecodeGenerator::emitInById):
1373         (JSC::BytecodeGenerator::emitIn): Deleted.
1374         * bytecompiler/BytecodeGenerator.h:
1375         * bytecompiler/NodesCodegen.cpp:
1376         (JSC::InNode::emitBytecode):
1377         * dfg/DFGAbstractInterpreterInlines.h:
1378         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1379         * dfg/DFGByteCodeParser.cpp:
1380         (JSC::DFG::ByteCodeParser::parseBlock):
1381         * dfg/DFGCapabilities.cpp:
1382         (JSC::DFG::capabilityLevel):
1383         * dfg/DFGClobberize.h:
1384         (JSC::DFG::clobberize):
1385         * dfg/DFGConstantFoldingPhase.cpp:
1386         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1387         * dfg/DFGDoesGC.cpp:
1388         (JSC::DFG::doesGC):
1389         * dfg/DFGFixupPhase.cpp:
1390         (JSC::DFG::FixupPhase::fixupNode):
1391         * dfg/DFGJITCompiler.cpp:
1392         (JSC::DFG::JITCompiler::link):
1393         * dfg/DFGJITCompiler.h:
1394         (JSC::DFG::JITCompiler::addInById):
1395         (JSC::DFG::InRecord::InRecord): Deleted.
1396         (JSC::DFG::JITCompiler::addIn): Deleted.
1397         * dfg/DFGNode.h:
1398         (JSC::DFG::Node::convertToInById):
1399         (JSC::DFG::Node::hasIdentifier):
1400         (JSC::DFG::Node::hasArrayMode):
1401         * dfg/DFGNodeType.h:
1402         * dfg/DFGPredictionPropagationPhase.cpp:
1403         * dfg/DFGSafeToExecute.h:
1404         (JSC::DFG::safeToExecute):
1405         * dfg/DFGSpeculativeJIT.cpp:
1406         (JSC::DFG::SpeculativeJIT::compileInById):
1407         (JSC::DFG::SpeculativeJIT::compileInByVal):
1408         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
1409         * dfg/DFGSpeculativeJIT.h:
1410         * dfg/DFGSpeculativeJIT32_64.cpp:
1411         (JSC::DFG::SpeculativeJIT::compile):
1412         * dfg/DFGSpeculativeJIT64.cpp:
1413         (JSC::DFG::SpeculativeJIT::compile):
1414         * ftl/FTLCapabilities.cpp:
1415         (JSC::FTL::canCompile):
1416         * ftl/FTLLowerDFGToB3.cpp:
1417         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1418         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
1419         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
1420         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
1421         * jit/ICStats.h:
1422         * jit/JIT.cpp:
1423         (JSC::JIT::JIT):
1424         (JSC::JIT::privateCompileMainPass):
1425         (JSC::JIT::privateCompileSlowCases):
1426         (JSC::JIT::link):
1427         * jit/JIT.h:
1428         * jit/JITInlineCacheGenerator.cpp:
1429         (JSC::JITInByIdGenerator::JITInByIdGenerator):
1430         (JSC::JITInByIdGenerator::generateFastPath):
1431         * jit/JITInlineCacheGenerator.h:
1432         (JSC::JITInByIdGenerator::JITInByIdGenerator):
1433         * jit/JITOperations.cpp:
1434         * jit/JITOperations.h:
1435         * jit/JITPropertyAccess.cpp:
1436         (JSC::JIT::emit_op_in_by_id):
1437         (JSC::JIT::emitSlow_op_in_by_id):
1438         * jit/JITPropertyAccess32_64.cpp:
1439         (JSC::JIT::emit_op_in_by_id):
1440         (JSC::JIT::emitSlow_op_in_by_id):
1441         * jit/Repatch.cpp:
1442         (JSC::tryCacheInByID):
1443         (JSC::repatchInByID):
1444         (JSC::resetInByID):
1445         (JSC::tryCacheIn): Deleted.
1446         (JSC::repatchIn): Deleted.
1447         (JSC::resetIn): Deleted.
1448         * jit/Repatch.h:
1449         * llint/LowLevelInterpreter.asm:
1450         * llint/LowLevelInterpreter64.asm:
1451         * parser/NodeConstructors.h:
1452         (JSC::InNode::InNode):
1453         * runtime/CommonSlowPaths.cpp:
1454         (JSC::SLOW_PATH_DECL):
1455         * runtime/CommonSlowPaths.h:
1456         (JSC::CommonSlowPaths::opInByVal):
1457         (JSC::CommonSlowPaths::opIn): Deleted.
1458
1459 2018-05-18  Commit Queue  <commit-queue@webkit.org>
1460
1461         Unreviewed, rolling out r231982.
1462         https://bugs.webkit.org/show_bug.cgi?id=185793
1463
1464         Caused layout test failures (Requested by realdawei on
1465         #webkit).
1466
1467         Reverted changeset:
1468
1469         "Complete fix for enabling modern EME by default"
1470         https://bugs.webkit.org/show_bug.cgi?id=185770
1471         https://trac.webkit.org/changeset/231982
1472
1473 2018-05-18  Keith Miller  <keith_miller@apple.com>
1474
1475         op_in should mark if it sees out of bounds accesses
1476         https://bugs.webkit.org/show_bug.cgi?id=185792
1477
1478         Reviewed by Filip Pizlo.
1479
1480         This used to cause us to OSR loop since we would always speculate
1481         we were in bounds in HasIndexedProperty.
1482
1483         * bytecode/ArrayProfile.cpp:
1484         (JSC::ArrayProfile::observeIndexedRead):
1485         * bytecode/ArrayProfile.h:
1486         * runtime/CommonSlowPaths.h:
1487         (JSC::CommonSlowPaths::opIn):
1488
1489 2018-05-18  Mark Lam  <mark.lam@apple.com>
1490
1491         Add missing exception check.
1492         https://bugs.webkit.org/show_bug.cgi?id=185786
1493         <rdar://problem/35686560>
1494
1495         Reviewed by Michael Saboff.
1496
1497         * runtime/JSPropertyNameEnumerator.h:
1498         (JSC::propertyNameEnumerator):
1499
1500 2018-05-18  Jer Noble  <jer.noble@apple.com>
1501
1502         Complete fix for enabling modern EME by default
1503         https://bugs.webkit.org/show_bug.cgi?id=185770
1504         <rdar://problem/40368220>
1505
1506         Reviewed by Eric Carlson.
1507
1508         * Configurations/FeatureDefines.xcconfig:
1509
1510 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1511
1512         Unreviewed, fix exception checking, part 2
1513         https://bugs.webkit.org/show_bug.cgi?id=185350
1514
1515         * dfg/DFGOperations.cpp:
1516         (JSC::DFG::putByValInternal):
1517         * jit/JITOperations.cpp:
1518         * runtime/CommonSlowPaths.h:
1519         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
1520
1521 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
1522
1523         JSC should have InstanceOf inline caching
1524         https://bugs.webkit.org/show_bug.cgi?id=185652
1525
1526         Reviewed by Saam Barati.
1527         
1528         This adds a polymorphic inline cache for instanceof. It caches hits and misses. It uses the
1529         existing PolymorphicAccess IC machinery along with all of its heuristics. If we ever generate
1530         too many cases, we emit the generic instanceof implementation instead.
1531         
1532         All of the JIT tiers use the same InstanceOf IC. It uses the existing JITInlineCacheGenerator
1533         abstraction.
1534         
1535         This is a ~40% speed-up on instanceof microbenchmarks. It's a *tiny* (~1%) speed-up on
1536         Octane/boyer. I think I can make that speed-up bigger by inlining the inline cache.
1537
1538         * API/tests/testapi.mm:
1539         (testObjectiveCAPIMain):
1540         * JavaScriptCore.xcodeproj/project.pbxproj:
1541         * Sources.txt:
1542         * b3/B3Effects.h:
1543         (JSC::B3::Effects::forReadOnlyCall):
1544         * bytecode/AccessCase.cpp:
1545         (JSC::AccessCase::guardedByStructureCheck const):
1546         (JSC::AccessCase::canReplace const):
1547         (JSC::AccessCase::visitWeak const):
1548         (JSC::AccessCase::generateWithGuard):
1549         (JSC::AccessCase::generateImpl):
1550         * bytecode/AccessCase.h:
1551         * bytecode/InstanceOfAccessCase.cpp: Added.
1552         (JSC::InstanceOfAccessCase::create):
1553         (JSC::InstanceOfAccessCase::dumpImpl const):
1554         (JSC::InstanceOfAccessCase::clone const):
1555         (JSC::InstanceOfAccessCase::~InstanceOfAccessCase):
1556         (JSC::InstanceOfAccessCase::InstanceOfAccessCase):
1557         * bytecode/InstanceOfAccessCase.h: Added.
1558         (JSC::InstanceOfAccessCase::prototype const):
1559         * bytecode/ObjectPropertyCondition.h:
1560         (JSC::ObjectPropertyCondition::hasPrototypeWithoutBarrier):
1561         (JSC::ObjectPropertyCondition::hasPrototype):
1562         * bytecode/ObjectPropertyConditionSet.cpp:
1563         (JSC::generateConditionsForInstanceOf):
1564         * bytecode/ObjectPropertyConditionSet.h:
1565         * bytecode/PolymorphicAccess.cpp:
1566         (JSC::PolymorphicAccess::addCases):
1567         (JSC::PolymorphicAccess::regenerate):
1568         (WTF::printInternal):
1569         * bytecode/PropertyCondition.cpp:
1570         (JSC::PropertyCondition::dumpInContext const):
1571         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1572         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
1573         (WTF::printInternal):
1574         * bytecode/PropertyCondition.h:
1575         (JSC::PropertyCondition::absenceWithoutBarrier):
1576         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
1577         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
1578         (JSC::PropertyCondition::hasPrototype):
1579         (JSC::PropertyCondition::hasPrototype const):
1580         (JSC::PropertyCondition::prototype const):
1581         (JSC::PropertyCondition::hash const):
1582         (JSC::PropertyCondition::operator== const):
1583         * bytecode/StructureStubInfo.cpp:
1584         (JSC::StructureStubInfo::StructureStubInfo):
1585         (JSC::StructureStubInfo::reset):
1586         * bytecode/StructureStubInfo.h:
1587         (JSC::StructureStubInfo::considerCaching):
1588         * dfg/DFGByteCodeParser.cpp:
1589         (JSC::DFG::ByteCodeParser::parseBlock):
1590         * dfg/DFGFixupPhase.cpp:
1591         (JSC::DFG::FixupPhase::fixupNode):
1592         * dfg/DFGInlineCacheWrapper.h:
1593         * dfg/DFGInlineCacheWrapperInlines.h:
1594         (JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize):
1595         * dfg/DFGJITCompiler.cpp:
1596         (JSC::DFG::JITCompiler::link):
1597         * dfg/DFGJITCompiler.h:
1598         (JSC::DFG::JITCompiler::addInstanceOf):
1599         * dfg/DFGOperations.cpp:
1600         * dfg/DFGSpeculativeJIT.cpp:
1601         (JSC::DFG::SpeculativeJIT::usedRegisters):
1602         (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
1603         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
1604         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): Deleted.
1605         * dfg/DFGSpeculativeJIT.h:
1606         * dfg/DFGSpeculativeJIT64.cpp:
1607         (JSC::DFG::SpeculativeJIT::cachedGetById):
1608         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
1609         * ftl/FTLLowerDFGToB3.cpp:
1610         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
1611         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
1612         (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
1613         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1614         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1615         (JSC::FTL::DFG::LowerDFGToB3::getById):
1616         (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
1617         * jit/ICStats.h:
1618         * jit/JIT.cpp:
1619         (JSC::JIT::privateCompileSlowCases):
1620         (JSC::JIT::link):
1621         * jit/JIT.h:
1622         * jit/JITInlineCacheGenerator.cpp:
1623         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1624         (JSC::JITInlineCacheGenerator::finalize):
1625         (JSC::JITByIdGenerator::JITByIdGenerator):
1626         (JSC::JITByIdGenerator::finalize):
1627         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
1628         (JSC::JITInstanceOfGenerator::generateFastPath):
1629         (JSC::JITInstanceOfGenerator::finalize):
1630         * jit/JITInlineCacheGenerator.h:
1631         (JSC::JITInlineCacheGenerator::reportSlowPathCall):
1632         (JSC::JITInlineCacheGenerator::slowPathBegin const):
1633         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
1634         (JSC::finalizeInlineCaches):
1635         (JSC::JITByIdGenerator::reportSlowPathCall): Deleted.
1636         (JSC::JITByIdGenerator::slowPathBegin const): Deleted.
1637         * jit/JITOpcodes.cpp:
1638         (JSC::JIT::emit_op_instanceof):
1639         (JSC::JIT::emitSlow_op_instanceof):
1640         * jit/JITOperations.cpp:
1641         * jit/JITOperations.h:
1642         * jit/JITPropertyAccess.cpp:
1643         (JSC::JIT::privateCompileGetByValWithCachedId):
1644         (JSC::JIT::privateCompilePutByValWithCachedId):
1645         * jit/RegisterSet.cpp:
1646         (JSC::RegisterSet::stubUnavailableRegisters):
1647         * jit/Repatch.cpp:
1648         (JSC::tryCacheIn):
1649         (JSC::tryCacheInstanceOf):
1650         (JSC::repatchInstanceOf):
1651         (JSC::resetPatchableJump):
1652         (JSC::resetIn):
1653         (JSC::resetInstanceOf):
1654         * jit/Repatch.h:
1655         * runtime/Options.h:
1656         * runtime/Structure.h:
1657
1658 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1659
1660         Unreviewed, fix exception checking
1661         https://bugs.webkit.org/show_bug.cgi?id=185350
1662
1663         * runtime/CommonSlowPaths.h:
1664         (JSC::CommonSlowPaths::putDirectWithReify):
1665         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
1666
1667 2018-05-17  Michael Saboff  <msaboff@apple.com>
1668
1669         We don't throw SyntaxErrors for runtime generated regular expressions with errors
1670         https://bugs.webkit.org/show_bug.cgi?id=185755
1671
1672         Reviewed by Keith Miller.
1673
1674         Added a new helper that creates the correct exception to throw for each type of error when
1675         compiling a RegExp.  Using that new helper, added missing checks for RegExp for the cases
1676         where we create a new RegExp from an existing one.  Also refactored other places that we
1677         throw SyntaxErrors after a failed RegExp compile to use the new helper.
1678
1679         * runtime/RegExp.h:
1680         * runtime/RegExpConstructor.cpp:
1681         (JSC::regExpCreate):
1682         (JSC::constructRegExp):
1683         * runtime/RegExpPrototype.cpp:
1684         (JSC::regExpProtoFuncCompile):
1685         * yarr/YarrErrorCode.cpp:
1686         (JSC::Yarr::errorToThrow):
1687         * yarr/YarrErrorCode.h:
1688
1689 2018-05-17  Saam Barati  <sbarati@apple.com>
1690
1691         Remove shrinkFootprint test from apitests since it's flaky
1692         https://bugs.webkit.org/show_bug.cgi?id=185754
1693
1694         Reviewed by Mark Lam.
1695
1696         This test is flaky as it keeps failing on certain people's machines.
1697         Having a test about OS footprint seems like it'll forever be doomed
1698         to being flaky.
1699
1700         * API/tests/testapi.mm:
1701         (testObjectiveCAPIMain):
1702
1703 2018-05-17  Saam Barati  <sbarati@apple.com>
1704
1705         defaultConstructorSourceCode needs to makeSource every time it's called
1706         https://bugs.webkit.org/show_bug.cgi?id=185753
1707
1708         Rubber-stamped by Mark Lam.
1709
1710         The bug here is that multiple VMs can be running concurrently with one another
1711         in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
1712         if we copy a static SourceCode. Instead, we create a new one each time
1713         this function is called.
1714
1715         * builtins/BuiltinExecutables.cpp:
1716         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
1717
1718 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1719
1720         [JSC] Use AssemblyHelpers' type checking functions as much as possible
1721         https://bugs.webkit.org/show_bug.cgi?id=185730
1722
1723         Reviewed by Saam Barati.
1724
1725         Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex
1726         bit and register operations for type tagging of JSValue. It is really useful when we would like
1727         to tweak the type tagging representation since the code is collected into AssemblyHelpers. And
1728         the named functions are more readable than raw branching operations.
1729
1730         We also remove unnecessary branching functions in JIT / JSInterfaceJIT. Some of them duplicate
1731         AssemblyHelpers' ones.
1732
1733         We add several new type checking functions to AssemblyHelpers. Moreover, we add branchIfXXX(GPRReg)
1734         functions even for the 32-bit environment. In the 32-bit environment, these functions take the tag
1735         register. These semantics are aligned with the existing branchIfCell / branchIfNotCell.
1736
1737         * bytecode/AccessCase.cpp:
1738         (JSC::AccessCase::generateWithGuard):
1739         * dfg/DFGSpeculativeJIT.cpp:
1740         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1741         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1742         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1743         (JSC::DFG::SpeculativeJIT::compileSpread):
1744         (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
1745         (JSC::DFG::SpeculativeJIT::speculateCellType):
1746         (JSC::DFG::SpeculativeJIT::speculateNumber):
1747         (JSC::DFG::SpeculativeJIT::speculateMisc):
1748         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
1749         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1750         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
1751         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1752         * dfg/DFGSpeculativeJIT32_64.cpp:
1753         (JSC::DFG::SpeculativeJIT::emitCall):
1754         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1755         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1756         (JSC::DFG::SpeculativeJIT::compile):
1757         * dfg/DFGSpeculativeJIT64.cpp:
1758         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1759         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1760         (JSC::DFG::SpeculativeJIT::emitCall):
1761         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1762         (JSC::DFG::SpeculativeJIT::compile):
1763         (JSC::DFG::SpeculativeJIT::convertAnyInt):
1764         * ftl/FTLLowerDFGToB3.cpp:
1765         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
1766         * jit/AssemblyHelpers.h:
1767         (JSC::AssemblyHelpers::branchIfInt32):
1768         (JSC::AssemblyHelpers::branchIfNotInt32):
1769         (JSC::AssemblyHelpers::branchIfNumber):
1770         (JSC::AssemblyHelpers::branchIfNotNumber):
1771         (JSC::AssemblyHelpers::branchIfBoolean):
1772         (JSC::AssemblyHelpers::branchIfNotBoolean):
1773         (JSC::AssemblyHelpers::branchIfEmpty):
1774         (JSC::AssemblyHelpers::branchIfNotEmpty):
1775         (JSC::AssemblyHelpers::branchIfUndefined):
1776         (JSC::AssemblyHelpers::branchIfNotUndefined):
1777         (JSC::AssemblyHelpers::branchIfNull):
1778         (JSC::AssemblyHelpers::branchIfNotNull):
1779         * jit/JIT.h:
1780         * jit/JITArithmetic.cpp:
1781         (JSC::JIT::emit_compareAndJump):
1782         (JSC::JIT::emit_compareAndJumpSlow):
1783         * jit/JITArithmetic32_64.cpp:
1784         (JSC::JIT::emit_compareAndJump):
1785         (JSC::JIT::emit_op_unsigned):
1786         (JSC::JIT::emit_op_inc):
1787         (JSC::JIT::emit_op_dec):
1788         (JSC::JIT::emitBinaryDoubleOp):
1789         (JSC::JIT::emit_op_mod):
1790         * jit/JITCall.cpp:
1791         (JSC::JIT::compileCallEval):
1792         (JSC::JIT::compileOpCall):
1793         * jit/JITCall32_64.cpp:
1794         (JSC::JIT::compileCallEval):
1795         (JSC::JIT::compileOpCall):
1796         * jit/JITInlines.h:
1797         (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
1798         (JSC::JIT::emitJumpIfBothJSCells):
1799         (JSC::JIT::emitJumpSlowCaseIfJSCell):
1800         (JSC::JIT::emitJumpIfNotInt):
1801         (JSC::JIT::emitJumpSlowCaseIfNotInt):
1802         (JSC::JIT::emitJumpSlowCaseIfNotNumber):
1803         (JSC::JIT::emitJumpIfCellObject): Deleted.
1804         (JSC::JIT::emitJumpIfCellNotObject): Deleted.
1805         (JSC::JIT::emitJumpIfJSCell): Deleted.
1806         (JSC::JIT::emitJumpIfInt): Deleted.
1807         * jit/JITOpcodes.cpp:
1808         (JSC::JIT::emit_op_instanceof):
1809         (JSC::JIT::emit_op_is_undefined):
1810         (JSC::JIT::emit_op_is_cell_with_type):
1811         (JSC::JIT::emit_op_is_object):
1812         (JSC::JIT::emit_op_to_primitive):
1813         (JSC::JIT::emit_op_jeq_null):
1814         (JSC::JIT::emit_op_jneq_null):
1815         (JSC::JIT::compileOpStrictEq):
1816         (JSC::JIT::compileOpStrictEqJump):
1817         (JSC::JIT::emit_op_to_number):
1818         (JSC::JIT::emit_op_to_string):
1819         (JSC::JIT::emit_op_to_object):
1820         (JSC::JIT::emit_op_eq_null):
1821         (JSC::JIT::emit_op_neq_null):
1822         (JSC::JIT::emit_op_to_this):
1823         (JSC::JIT::emit_op_create_this):
1824         (JSC::JIT::emit_op_check_tdz):
1825         (JSC::JIT::emitNewFuncExprCommon):
1826         (JSC::JIT::emit_op_profile_type):
1827         * jit/JITOpcodes32_64.cpp:
1828         (JSC::JIT::emit_op_instanceof):
1829         (JSC::JIT::emit_op_is_undefined):
1830         (JSC::JIT::emit_op_is_cell_with_type):
1831         (JSC::JIT::emit_op_is_object):
1832         (JSC::JIT::emit_op_to_primitive):
1833         (JSC::JIT::emit_op_not):
1834         (JSC::JIT::emit_op_jeq_null):
1835         (JSC::JIT::emit_op_jneq_null):
1836         (JSC::JIT::emit_op_jneq_ptr):
1837         (JSC::JIT::emit_op_eq):
1838         (JSC::JIT::emit_op_jeq):
1839         (JSC::JIT::emit_op_neq):
1840         (JSC::JIT::emit_op_jneq):
1841         (JSC::JIT::compileOpStrictEq):
1842         (JSC::JIT::compileOpStrictEqJump):
1843         (JSC::JIT::emit_op_eq_null):
1844         (JSC::JIT::emit_op_neq_null):
1845         (JSC::JIT::emit_op_to_number):
1846         (JSC::JIT::emit_op_to_string):
1847         (JSC::JIT::emit_op_to_object):
1848         (JSC::JIT::emit_op_create_this):
1849         (JSC::JIT::emit_op_to_this):
1850         (JSC::JIT::emit_op_check_tdz):
1851         (JSC::JIT::emit_op_profile_type):
1852         * jit/JITPropertyAccess.cpp:
1853         (JSC::JIT::emit_op_get_by_val):
1854         (JSC::JIT::emitGetByValWithCachedId):
1855         (JSC::JIT::emitGenericContiguousPutByVal):
1856         (JSC::JIT::emitPutByValWithCachedId):
1857         (JSC::JIT::emit_op_get_from_scope):
1858         (JSC::JIT::emit_op_put_to_scope):
1859         (JSC::JIT::emitWriteBarrier):
1860         (JSC::JIT::emitIntTypedArrayPutByVal):
1861         (JSC::JIT::emitFloatTypedArrayPutByVal):
1862         * jit/JITPropertyAccess32_64.cpp:
1863         (JSC::JIT::emit_op_get_by_val):
1864         (JSC::JIT::emitContiguousLoad):
1865         (JSC::JIT::emitArrayStorageLoad):
1866         (JSC::JIT::emitGetByValWithCachedId):
1867         (JSC::JIT::emitGenericContiguousPutByVal):
1868         (JSC::JIT::emitPutByValWithCachedId):
1869         (JSC::JIT::emit_op_get_from_scope):
1870         (JSC::JIT::emit_op_put_to_scope):
1871         * jit/JSInterfaceJIT.h:
1872         (JSC::JSInterfaceJIT::emitLoadJSCell):
1873         (JSC::JSInterfaceJIT::emitLoadInt32):
1874         (JSC::JSInterfaceJIT::emitLoadDouble):
1875         (JSC::JSInterfaceJIT::emitJumpIfNumber): Deleted.
1876         (JSC::JSInterfaceJIT::emitJumpIfNotNumber): Deleted.
1877         (JSC::JSInterfaceJIT::emitJumpIfNotType): Deleted.
1878         * jit/Repatch.cpp:
1879         (JSC::linkPolymorphicCall):
1880         * jit/ThunkGenerators.cpp:
1881         (JSC::virtualThunkFor):
1882         (JSC::absThunkGenerator):
1883         * tools/JSDollarVM.cpp:
1884         (WTF::DOMJITNode::checkSubClassSnippet):
1885         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
1886
1887 2018-05-17  Saam Barati  <sbarati@apple.com>
1888
1889         Unreviewed. Fix the build after my attempted build fix broke the build.
1890
1891         * builtins/BuiltinExecutables.cpp:
1892         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
1893         (JSC::BuiltinExecutables::createDefaultConstructor):
1894         * builtins/BuiltinExecutables.h:
1895
1896 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1897
1898         [JSC] Remove reifyPropertyNameIfNeeded
1899         https://bugs.webkit.org/show_bug.cgi?id=185350
1900
1901         Reviewed by Saam Barati.
1902
1903         reifyPropertyNameIfNeeded is in the middle of putDirectInternal, which is a super critical path.
1904         This is a virtual call, and it is only used by JSFunction right now. Since this causes too much
1905         cost, we should remove this from the critical path.
1906
1907         This patch removes this function call from the critical path. And in our slow paths, we call
1908         helper functions which call reifyLazyPropertyIfNeeded if the given value is a JSFunction.
1909         While putDirect is a bit of a raw API, our slow paths just call it. This helper wraps these calls
1910         and handles the edge cases. The other callsites of putDirect should know the type of the given
1911         object and the name of the property (and avoid these edge cases).
1912
1913         This improves SixSpeed/object-assign.es6 by ~4% on MacBook Pro. And this patch does not cause
1914         regressions in the existing tests.
1915
1916                                            baseline                  patched
1917         Kraken:
1918             json-parse-financial        35.522+-0.069      ^      34.708+-0.097         ^ definitely 1.0234x faster
1919
1920         SixSpeed:
1921             object-assign.es6         145.8779+-0.2838     ^    140.1019+-0.8007        ^ definitely 1.0412x faster
1922
1923         * dfg/DFGOperations.cpp:
1924         (JSC::DFG::putByValInternal):
1925         (JSC::DFG::putByValCellInternal):
1926         * jit/JITOperations.cpp:
1927         * llint/LLIntSlowPaths.cpp:
1928         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1929         * runtime/ClassInfo.h:
1930         * runtime/CommonSlowPaths.h:
1931         (JSC::CommonSlowPaths::putDirectWithReify):
1932         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
1933         * runtime/JSCell.cpp:
1934         (JSC::JSCell::reifyPropertyNameIfNeeded): Deleted.
1935         * runtime/JSCell.h:
1936         * runtime/JSFunction.cpp:
1937         (JSC::JSFunction::reifyPropertyNameIfNeeded): Deleted.
1938         * runtime/JSFunction.h:
1939         * runtime/JSObject.cpp:
1940         (JSC::JSObject::putDirectAccessor):
1941         (JSC::JSObject::putDirectNonIndexAccessor):
1942         * runtime/JSObject.h:
1943         * runtime/JSObjectInlines.h:
1944         (JSC::JSObject::putDirectInternal):
1945
1946 2018-05-17  Saam Barati  <sbarati@apple.com>
1947
1948         Unreviewed. Try to fix windows build.
1949
1950         * builtins/BuiltinExecutables.cpp:
1951         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
1952
1953 2018-05-16  Saam Barati  <sbarati@apple.com>
1954
1955         UnlinkedFunctionExecutable doesn't need a parent source override field since it's only used for default class constructors
1956         https://bugs.webkit.org/show_bug.cgi?id=185637
1957
1958         Reviewed by Keith Miller.
1959
1960         We had this general mechanism for overriding an UnlinkedFunctionExecutable's parent
1961         source code. However, we were only using this for default class constructors. There
1962         are only two types of default class constructors. This patch makes it so that
1963         we just store this information inside of a single bit, and ask for the source
1964         code as needed instead of holding it in a nullable field that is 24 bytes in size.
1965         
1966         This brings UnlinkedFunctionExecutable's size down from 184 bytes to 160 bytes.
1967         This has the consequence of making it allocated out of a 160 byte size class
1968         instead of a 224 byte size class. This should bring down its memory footprint
1969         by ~40%.
1970
1971         * builtins/BuiltinExecutables.cpp:
1972         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
1973         (JSC::BuiltinExecutables::createDefaultConstructor):
1974         (JSC::BuiltinExecutables::createExecutable):
1975         * builtins/BuiltinExecutables.h:
1976         * bytecode/UnlinkedFunctionExecutable.cpp:
1977         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1978         (JSC::UnlinkedFunctionExecutable::link):
1979         * bytecode/UnlinkedFunctionExecutable.h:
1980         * runtime/CodeCache.cpp:
1981         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
1982
1983 2018-05-16  Saam Barati  <sbarati@apple.com>
1984
1985         VM::shrinkFootprint should call collectNow(Sync) instead of collectSync so it also eagerly sweeps
1986         https://bugs.webkit.org/show_bug.cgi?id=185707
1987
1988         Reviewed by Mark Lam.
1989
1990         * runtime/VM.cpp:
1991         (JSC::VM::shrinkFootprint):
1992
1993 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
1994
1995         [ESNext][BigInt] Implement support for "/" operation
1996         https://bugs.webkit.org/show_bug.cgi?id=183996
1997
1998         Reviewed by Yusuke Suzuki.
1999
2000         This patch introduces support for BigInt in the divide
2001         operation in the LLInt and JIT layers.
2002
2003         * dfg/DFGOperations.cpp:
2004         * runtime/CommonSlowPaths.cpp:
2005         (JSC::SLOW_PATH_DECL):
2006         * runtime/JSBigInt.cpp:
2007         (JSC::JSBigInt::divide):
2008         (JSC::JSBigInt::copy):
2009         (JSC::JSBigInt::unaryMinus):
2010         (JSC::JSBigInt::absoluteCompare):
2011         (JSC::JSBigInt::absoluteDivLarge):
2012         (JSC::JSBigInt::productGreaterThan):
2013         (JSC::JSBigInt::inplaceAdd):
2014         (JSC::JSBigInt::inplaceSub):
2015         (JSC::JSBigInt::inplaceRightShift):
2016         (JSC::JSBigInt::specialLeftShift):
2017         (JSC::JSBigInt::digit):
2018         (JSC::JSBigInt::setDigit):
2019         * runtime/JSBigInt.h:
2020
2021 2018-05-16  Saam Barati  <sbarati@apple.com>
2022
2023         Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
2024         https://bugs.webkit.org/show_bug.cgi?id=185670
2025
2026         Reviewed by Yusuke Suzuki.
2027
2028         This patch makes it so that we constant fold CheckTypeInfoFlags for
2029         ImplementsDefaultHasInstance inside of AI/constant folding. We constant
2030         fold in three ways:
2031         - When the incoming value is a constant, we just look at its inline type
2032         flags. Since those flags never change after an object is created, this
2033         is sound.
2034         - Based on the incoming value having a finite structure set. We just iterate
2035         all structures and ensure they have the bit set.
2036         - Based on speculated type. To do this, I split up SpecFunction into two
2037         subheaps where one is for functions that have the bit set, and one for
2038         functions that don't have the bit set. The latter is currently only comprised
2039         of JSBoundFunctions. To constant fold, we check that the incoming
2040         value only has the SpecFunction type with ImplementsDefaultHasInstance set.
2041
2042         * bytecode/SpeculatedType.cpp:
2043         (JSC::speculationFromClassInfo):
2044         * bytecode/SpeculatedType.h:
2045         * dfg/DFGAbstractInterpreterInlines.h:
2046         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2047         * dfg/DFGConstantFoldingPhase.cpp:
2048         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2049         * dfg/DFGSpeculativeJIT.cpp:
2050         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
2051         * dfg/DFGStrengthReductionPhase.cpp:
2052         (JSC::DFG::StrengthReductionPhase::handleNode):
2053         * runtime/JSFunction.cpp:
2054         (JSC::JSFunction::JSFunction):
2055         (JSC::JSFunction::assertTypeInfoFlagInvariants):
2056         * runtime/JSFunction.h:
2057         (JSC::JSFunction::assertTypeInfoFlagInvariants):
2058         * runtime/JSFunctionInlines.h:
2059         (JSC::JSFunction::JSFunction):
2060
2061 2018-05-16  Devin Rousso  <webkit@devinrousso.com>
2062
2063         Web Inspector: create a navigation item for toggling the overlay rulers/guides
2064         https://bugs.webkit.org/show_bug.cgi?id=185644
2065
2066         Reviewed by Matt Baker.
2067
2068         * inspector/protocol/OverlayTypes.json:
2069         * inspector/protocol/Page.json:
2070
2071 2018-05-16  Commit Queue  <commit-queue@webkit.org>
2072
2073         Unreviewed, rolling out r231845.
2074         https://bugs.webkit.org/show_bug.cgi?id=185702
2075
2076         it is breaking Apple High Sierra 32-bit JSC bot (Requested by
2077         caiolima on #webkit).
2078
2079         Reverted changeset:
2080
2081         "[ESNext][BigInt] Implement support for "/" operation"
2082         https://bugs.webkit.org/show_bug.cgi?id=183996
2083         https://trac.webkit.org/changeset/231845
2084
2085 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
2086
2087         DFG models InstanceOf incorrectly
2088         https://bugs.webkit.org/show_bug.cgi?id=185694
2089
2090         Reviewed by Keith Miller.
2091         
2092         Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
2093         hoist it.
2094
2095         * dfg/DFGAbstractInterpreterInlines.h:
2096         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2097         * dfg/DFGClobberize.h:
2098         (JSC::DFG::clobberize):
2099         * dfg/DFGHeapLocation.cpp:
2100         (WTF::printInternal):
2101         * dfg/DFGHeapLocation.h:
2102         * dfg/DFGNodeType.h:
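
The effects this entry refers to, as an added example in JavaScript that is not part of the WebKit change: `instanceof` against a Proxy runs the proxy's `get` trap (for `Symbol.hasInstance` and then `prototype`), and a throwing trap makes the outcome depend on whether the check is evaluated at all. The `Base` class and the trap names are constructed for the demonstration.

```javascript
// Added example, not WebKit code: `instanceof` against a Proxy runs the
// proxy's traps, so the operation has observable effects and can throw.
// An optimizer therefore cannot treat InstanceOf as pure: deleting it
// (DCE) would drop the trap calls, and hoisting it above a guarding
// branch would raise an exception the program never would have seen.

// Evaluate `obj instanceof rhs` through a tracing proxy and report which
// traps fired. Only `get` fires here: the engine reads Symbol.hasInstance
// and then "prototype" from the right-hand side.
function instanceOfWithTrace(obj, rhs) {
  const trace = [];
  const traced = new Proxy(rhs, {
    get(target, key, receiver) {
      trace.push(`get ${String(key)}`);
      return Reflect.get(target, key, receiver);
    },
  });
  const result = obj instanceof traced;
  return { result, trace };
}

// A proxy whose trap throws. Only the guarded evaluation may observe the
// exception; evaluating the check speculatively (hoisting it above
// `guard`) would change the program's behaviour.
function guardedInstanceOf(obj, rhs, guard) {
  const throwing = new Proxy(rhs, {
    get() { throw new TypeError('trap fired'); },
  });
  if (!guard) return 'skipped';
  try {
    return obj instanceof throwing ? 'instance' : 'not instance';
  } catch (e) {
    return `threw: ${e.message}`;
  }
}

class Base {}                 // constructed sample class
const sample = new Base();    // constructed sample input
console.log(instanceOfWithTrace(sample, Base));
// { result: true, trace: [ 'get Symbol(Symbol.hasInstance)', 'get prototype' ] }
console.log(guardedInstanceOf(sample, Base, false)); // 'skipped'
console.log(guardedInstanceOf(sample, Base, true));  // 'threw: trap fired'
```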
2103
2104 2018-05-16  Andy VanWagoner  <andy@vanwagoner.family>
2105
2106         Add support for Intl NumberFormat formatToParts
2107         https://bugs.webkit.org/show_bug.cgi?id=185375
2108
2109         Reviewed by Yusuke Suzuki.
2110
2111         Add flag for NumberFormat formatToParts. Implement formatToParts using
2112         unum_formatDoubleForFields. Because the fields are nested and come back
2113         in no guaranteed order, the simple algorithm to convert them to the
2114         desired format is roughly O(n^2). However, even with Number.MAX_VALUE
2115         it appears to perform well enough for the initial implementation. Another
2116         issue has been created to improve this algorithm.
2117
2118         This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
2119         on macOS, since only v57 is available.
2120
2121         * Configurations/FeatureDefines.xcconfig:
2122         * runtime/IntlNumberFormat.cpp:
2123         (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
2124         (JSC::IntlNumberFormat::partTypeString):
2125         (JSC::IntlNumberFormat::formatToParts):
2126         * runtime/IntlNumberFormat.h:
2127         * runtime/IntlNumberFormatPrototype.cpp:
2128         (JSC::IntlNumberFormatPrototype::create):
2129         (JSC::IntlNumberFormatPrototype::finishCreation):
2130         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
2131         * runtime/IntlNumberFormatPrototype.h:
2132         * runtime/Options.h:
2133
2134 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
2135
2136         [ESNext][BigInt] Implement support for "/" operation
2137         https://bugs.webkit.org/show_bug.cgi?id=183996
2138
2139         Reviewed by Yusuke Suzuki.
2140
2141         This patch is introducing the support for BigInt into divide
2142         operation in LLInt and JIT layers.
2143
2144         * dfg/DFGOperations.cpp:
2145         * runtime/CommonSlowPaths.cpp:
2146         (JSC::SLOW_PATH_DECL):
2147         * runtime/JSBigInt.cpp:
2148         (JSC::JSBigInt::divide):
2149         (JSC::JSBigInt::copy):
2150         (JSC::JSBigInt::unaryMinus):
2151         (JSC::JSBigInt::absoluteCompare):
2152         (JSC::JSBigInt::absoluteDivLarge):
2153         (JSC::JSBigInt::productGreaterThan):
2154         (JSC::JSBigInt::inplaceAdd):
2155         (JSC::JSBigInt::inplaceSub):
2156         (JSC::JSBigInt::inplaceRightShift):
2157         (JSC::JSBigInt::specialLeftShift):
2158         (JSC::JSBigInt::digit):
2159         (JSC::JSBigInt::setDigit):
2160         * runtime/JSBigInt.h:
2161
2162 2018-05-16  Alberto Garcia  <berto@igalia.com>
2163
2164         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
2165         https://bugs.webkit.org/show_bug.cgi?id=182622
2166
2167         Reviewed by Michael Catanzaro.
2168
2169         We were linking JavaScriptCore against libatomic in MIPS because
2170         in that architecture __atomic_fetch_add_8() is not a compiler
2171         intrinsic and is provided by that library instead. However other
2172         architectures (e.g armel) are in the same situation, so we need a
2173         generic test.
2174
2175         That test already exists in WebKit/CMakeLists.txt, so we just have
2176         to move it to a common file (WebKitCompilerFlags.cmake) and use
2177         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
2178
2179         * CMakeLists.txt:
2180
2181 2018-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2182
2183         [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
2184         https://bugs.webkit.org/show_bug.cgi?id=185601
2185
2186         Reviewed by Saam Barati.
2187
2188         Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData
2189         before calling getCallData when we would like to check whether a given object is callable
2190         since getCallData is a virtual call. When we call the object anyway, directly calling getCallData
2191         is fine. But if we would like to check whether the object is callable, we can have non
2192         callable objects frequently. In that case, we should not call getCallData if we can avoid it.
2193
2194         To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
2195         and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
2196         OverridesGetCallData checking before calling getCallData.
2197
2198         We found that this virtual call exists in JSON.stringify's critical path. Checking
2199         OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.
2200
2201                                                baseline                  patched
2202
2203             json-stringify-tinderbox        38.807+-0.350      ^      37.216+-0.337         ^ definitely 1.0427x faster
2204
2205         In addition to that, we also add OverridesGetCallData flag to JSFunction while we keep JSFunctionType checking fast path
2206         since major cases are covered by this fast JSFunctionType checking.
2207
2208         * API/JSCallbackObject.h:
2209         * dfg/DFGAbstractInterpreterInlines.h:
2210         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2211         * dfg/DFGOperations.cpp:
2212         * dfg/DFGSpeculativeJIT.cpp:
2213         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
2214         (JSC::DFG::SpeculativeJIT::compileIsFunction):
2215         * ftl/FTLLowerDFGToB3.cpp:
2216         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
2217         * jit/AssemblyHelpers.h:
2218         (JSC::AssemblyHelpers::emitTypeOf):
2219         * runtime/ExceptionHelpers.cpp:
2220         (JSC::createError):
2221         (JSC::createInvalidFunctionApplyParameterError):
2222         * runtime/FunctionPrototype.cpp:
2223         (JSC::functionProtoFuncToString):
2224         * runtime/InternalFunction.h:
2225         * runtime/JSCJSValue.h:
2226         * runtime/JSCJSValueInlines.h:
2227         (JSC::JSValue::isFunction const):
2228         (JSC::JSValue::isCallable const):
2229         * runtime/JSCell.h:
2230         * runtime/JSCellInlines.h:
2231         (JSC::JSCell::isFunction):
2232         ALWAYS_INLINE works well for my environment.
2233         (JSC::JSCell::isCallable):
2234         * runtime/JSFunction.h:
2235         * runtime/JSONObject.cpp:
2236         (JSC::Stringifier::toJSON):
2237         (JSC::Stringifier::toJSONImpl):
2238         (JSC::Stringifier::appendStringifiedValue):
2239         * runtime/JSObjectInlines.h:
2240         (JSC::createListFromArrayLike):
2241         * runtime/JSTypeInfo.h:
2242         (JSC::TypeInfo::overridesGetCallData const):
2243         (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted.
2244         * runtime/Operations.cpp:
2245         (JSC::jsTypeStringForValue):
2246         (JSC::jsIsObjectTypeOrNull):
2247         * runtime/ProxyObject.h:
2248         * runtime/RuntimeType.cpp:
2249         (JSC::runtimeTypeForValue):
2250         * runtime/RuntimeType.h:
2251         * runtime/Structure.cpp:
2252         (JSC::Structure::Structure):
2253         * runtime/TypeProfilerLog.cpp:
2254         (JSC::TypeProfilerLog::TypeProfilerLog):
2255         (JSC::TypeProfilerLog::processLogEntries):
2256         * runtime/TypeProfilerLog.h:
2257         * runtime/VM.cpp:
2258         (JSC::VM::enableTypeProfiler):
2259         * tools/JSDollarVM.cpp:
2260         (JSC::functionFindTypeForExpression):
2261         (JSC::functionReturnTypeFor):
2262         (JSC::functionHasBasicBlockExecuted):
2263         (JSC::functionBasicBlockExecutionCount):
2264         * wasm/js/JSWebAssemblyHelpers.h:
2265         (JSC::getWasmBufferFromValue):
2266         * wasm/js/JSWebAssemblyInstance.cpp:
2267         (JSC::JSWebAssemblyInstance::create):
2268         * wasm/js/WebAssemblyFunction.cpp:
2269         (JSC::callWebAssemblyFunction):
2270         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2271         (JSC::constructJSWebAssemblyInstance):
2272         * wasm/js/WebAssemblyModuleRecord.cpp:
2273         (JSC::WebAssemblyModuleRecord::link):
2274         * wasm/js/WebAssemblyPrototype.cpp:
2275         (JSC::webAssemblyInstantiateFunc):
2276         (JSC::webAssemblyInstantiateStreamingInternal):
2277         * wasm/js/WebAssemblyWrapperFunction.cpp:
2278         (JSC::WebAssemblyWrapperFunction::finishCreation):
2279
2280 2018-05-15  Devin Rousso  <webkit@devinrousso.com>
2281
2282         Web Inspector: Add rulers and guides
2283         https://bugs.webkit.org/show_bug.cgi?id=32263
2284         <rdar://problem/19281564>
2285
2286         Reviewed by Matt Baker.
2287
2288         * inspector/protocol/OverlayTypes.json:
2289
2290 2018-05-14  Keith Miller  <keith_miller@apple.com>
2291
2292         Remove butterflyMask from DFGAbstractHeap
2293         https://bugs.webkit.org/show_bug.cgi?id=185640
2294
2295         Reviewed by Saam Barati.
2296
2297         We don't have a butterfly indexing mask anymore so we don't need
2298         the abstract heap information for it anymore.
2299
2300         * dfg/DFGAbstractHeap.h:
2301         * dfg/DFGClobberize.h:
2302         (JSC::DFG::clobberize):
2303
2304 2018-05-14  Andy VanWagoner  <andy@vanwagoner.family>
2305
2306         [INTL] Handle error in defineProperty for supported locales length
2307         https://bugs.webkit.org/show_bug.cgi?id=185623
2308
2309         Reviewed by Saam Barati.
2310
2311         Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the
2312         length of the supported locales array.
2313
2314         * runtime/IntlObject.cpp:
2315         (JSC::supportedLocales):
2316
2317 2018-05-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2318
2319         [JSC] Tweak LiteralParser to improve lexing performance
2320         https://bugs.webkit.org/show_bug.cgi?id=185541
2321
2322         Reviewed by Saam Barati.
2323
2324         This patch attempts to improve LiteralParser performance.
2325
2326         This patch improves Kraken/json-parse-financial by roughly ~10%.
2327                                            baseline                  patched
2328
2329             json-parse-financial        65.810+-1.591      ^      59.943+-1.784         ^ definitely 1.0979x faster
2330
2331         * parser/Lexer.cpp:
2332         (JSC::Lexer<T>::Lexer):
2333         * runtime/ArgList.h:
2334         (JSC::MarkedArgumentBuffer::takeLast):
2335         Add takeLast() for idiomatic last() + removeLast() calls.
2336
2337         * runtime/LiteralParser.cpp:
2338         (JSC::LiteralParser<CharType>::Lexer::lex):
2339         Do not have mode in its template parameter. While lex function is large, this mode is not used in a critical path.
2340         We should not include this mode in its template parameter to reduce the code size.
2341         And we do not use template parameter for a terminator since duplicating ' and " code for lexString is not good.
2342         Also, we construct a TokenType table to remove a bunch of unnecessary switch cases.
2343
2344         (JSC::LiteralParser<CharType>::Lexer::next):
2345         (JSC::isSafeStringCharacter):
2346         Take mode in its template parameter. But do not take terminator character in its template parameter.
2347
2348         (JSC::LiteralParser<CharType>::Lexer::lexString):
2349         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
2350         Duplicate while statements manually since this is a critical path.
2351
2352         (JSC::LiteralParser<CharType>::parse):
2353         Use takeLast().
2354
2355         * runtime/LiteralParser.h:
2356
2357 2018-05-14  Dominik Infuehr  <dinfuehr@igalia.com>
2358
2359         [MIPS] Use btpz to compare against 0 instead of bpeq
2360         https://bugs.webkit.org/show_bug.cgi?id=185607
2361
2362         Reviewed by Yusuke Suzuki.
2363
2364         Fixes build on MIPS since MIPS doesn't have an instruction to
2365         compare a register against an immediate. Since the immediate is just 0
2366         in this case the simplest solution is just to use btpz instead of bpeq
2367         to compare to 0.
2368
2369         * llint/LowLevelInterpreter.asm:
2370
2371 2018-05-12  Filip Pizlo  <fpizlo@apple.com>
2372
2373         CachedCall::call() should be faster
2374         https://bugs.webkit.org/show_bug.cgi?id=185583
2375
2376         Reviewed by Yusuke Suzuki.
2377         
2378         CachedCall is an optimization for String.prototype.replace(r, f) where f is a function.
2379         Unfortunately, because of a combination of abstraction and assertions, this code path had a
2380         lot of overhead. This patch reduces this overhead by:
2381         
2382         - Turning off some assertions. These assertions don't look to have security value; they're
2383           mostly for sanity. I turned off stack alignment checks and VM state checks having to do
2384           with whether the JSLock is held. The JSLock checks are not relevant when doing a cached
2385           call, considering that the caller would have already been strongly assuming that the JSLock
2386           is held.
2387         
2388         - Making more things inlineable.
2389         
2390         This looks like a small (4% ish) speed-up on SunSpider/string-unpack-code.
2391
2392         * JavaScriptCore.xcodeproj/project.pbxproj:
2393         * interpreter/CachedCall.h:
2394         (JSC::CachedCall::call):
2395         * interpreter/Interpreter.cpp:
2396         (JSC::checkedReturn): Deleted.
2397         * interpreter/Interpreter.h:
2398         (JSC::Interpreter::checkedReturn):
2399         * interpreter/InterpreterInlines.h:
2400         (JSC::Interpreter::execute):
2401         * jit/JITCode.cpp:
2402         (JSC::JITCode::execute): Deleted.
2403         * jit/JITCodeInlines.h: Added.
2404         (JSC::JITCode::execute):
2405         * llint/LowLevelInterpreter.asm:
2406         * runtime/StringPrototype.cpp:
2407
2408 2018-05-13  Andy VanWagoner  <andy@vanwagoner.family>
2409
2410         [INTL] Improve spec & test262 compliance for Intl APIs
2411         https://bugs.webkit.org/show_bug.cgi?id=185578
2412
2413         Reviewed by Yusuke Suzuki.
2414
2415         Use putDirectIndex over push for lists to arrays.
2416         Update default options to construct with a null prototype.
2417         Define constructor and toStringTag on prototypes.
2418         Add proper time clipping.
2419         Remove some outdated comment spec text, use url instead.
2420
2421         * runtime/IntlCollator.cpp:
2422         (JSC::IntlCollator::initializeCollator):
2423         * runtime/IntlCollatorConstructor.cpp:
2424         (JSC::IntlCollatorConstructor::finishCreation):
2425         * runtime/IntlCollatorPrototype.cpp:
2426         (JSC::IntlCollatorPrototype::finishCreation):
2427         * runtime/IntlDateTimeFormatConstructor.cpp:
2428         (JSC::IntlDateTimeFormatConstructor::finishCreation):
2429         * runtime/IntlDateTimeFormatPrototype.cpp:
2430         (JSC::IntlDateTimeFormatPrototype::finishCreation):
2431         (JSC::IntlDateTimeFormatFuncFormatDateTime):
2432         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
2433         * runtime/IntlNumberFormat.cpp:
2434         (JSC::IntlNumberFormat::initializeNumberFormat):
2435         * runtime/IntlNumberFormatConstructor.cpp:
2436         (JSC::IntlNumberFormatConstructor::finishCreation):
2437         * runtime/IntlNumberFormatPrototype.cpp:
2438         (JSC::IntlNumberFormatPrototype::finishCreation):
2439         * runtime/IntlObject.cpp:
2440         (JSC::lookupSupportedLocales):
2441         (JSC::supportedLocales):
2442         (JSC::intlObjectFuncGetCanonicalLocales):
2443         * runtime/IntlPluralRules.cpp:
2444         (JSC::IntlPluralRules::resolvedOptions):
2445         * runtime/IntlPluralRulesConstructor.cpp:
2446         (JSC::IntlPluralRulesConstructor::finishCreation):
2447
2448 2018-05-11  Caio Lima  <ticaiolima@gmail.com>
2449
2450         [ESNext][BigInt] Implement support for "*" operation
2451         https://bugs.webkit.org/show_bug.cgi?id=183721
2452
2453         Reviewed by Yusuke Suzuki.
2454
2455         Added BigInt support into the times binary operator into LLInt and on
2456         JITOperations profiledMul and unprofiledMul. We are also replacing all
2457         uses of int with unsigned when there are no negative values for
2458         variables.
2459
2460         * dfg/DFGConstantFoldingPhase.cpp:
2461         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2462         * jit/JITOperations.cpp:
2463         * runtime/CommonSlowPaths.cpp:
2464         (JSC::SLOW_PATH_DECL):
2465         * runtime/JSBigInt.cpp:
2466         (JSC::JSBigInt::JSBigInt):
2467         (JSC::JSBigInt::allocationSize):
2468         (JSC::JSBigInt::createWithLength):
2469         (JSC::JSBigInt::toString):
2470         (JSC::JSBigInt::multiply):
2471         (JSC::JSBigInt::digitDiv):
2472         (JSC::JSBigInt::internalMultiplyAdd):
2473         (JSC::JSBigInt::multiplyAccumulate):
2474         (JSC::JSBigInt::equals):
2475         (JSC::JSBigInt::absoluteDivSmall):
2476         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2477         (JSC::JSBigInt::toStringGeneric):
2478         (JSC::JSBigInt::rightTrim):
2479         (JSC::JSBigInt::allocateFor):
2480         (JSC::JSBigInt::parseInt):
2481         (JSC::JSBigInt::digit):
2482         (JSC::JSBigInt::setDigit):
2483         * runtime/JSBigInt.h:
2484         * runtime/JSCJSValue.h:
2485         * runtime/JSCJSValueInlines.h:
2486         (JSC::JSValue::toNumeric const):
2487         * runtime/Operations.h:
2488         (JSC::jsMul):
2489
2490 2018-05-11  Commit Queue  <commit-queue@webkit.org>
2491
2492         Unreviewed, rolling out r231316 and r231332.
2493         https://bugs.webkit.org/show_bug.cgi?id=185564
2494
2495         Appears to be a Speedometer2/MotionMark regression (Requested
2496         by keith_miller on #webkit).
2497
2498         Reverted changesets:
2499
2500         "Remove the prototype caching for get_by_id in the LLInt"
2501         https://bugs.webkit.org/show_bug.cgi?id=185226
2502         https://trac.webkit.org/changeset/231316
2503
2504         "Unreviewed, fix 32-bit profile offset for change in bytecode"
2505         https://trac.webkit.org/changeset/231332
2506
2507 2018-05-11  Michael Saboff  <msaboff@apple.com>
2508
2509         [DFG] Compiler uses incorrect output register for NumberIsInteger operation
2510         https://bugs.webkit.org/show_bug.cgi?id=185328
2511
2512         Reviewed by Keith Miller.
2513
2514         Fixed a typo from when this code was added in r228968 where resultGPR
2515         was assigned the input register instead of the result.gpr().
2516
2517         * dfg/DFGSpeculativeJIT64.cpp:
2518         (JSC::DFG::SpeculativeJIT::compile):
2519
2520 2018-05-11  Saam Barati  <sbarati@apple.com>
2521
2522         Don't use inferred types when the JIT is disabled
2523         https://bugs.webkit.org/show_bug.cgi?id=185539
2524
2525         Reviewed by Yusuke Suzuki.
2526
2527         There are many JSC API clients that run with the JIT disabled. They were
2528         all allocating and tracking inferred types for no benefit. Inferred types
2529         only benefit programs when they make it to the DFG/FTL. I was seeing cases
2530         where the inferred type machinery used ~0.5MB. This patch makes it so we
2531         don't allocate that machinery when the JIT is disabled.
2532
2533         * runtime/Structure.cpp:
2534         (JSC::Structure::willStoreValueSlow):
2535         * runtime/Structure.h:
2536
2537 2018-05-11  Saam Barati  <sbarati@apple.com>
2538
2539         Don't allocate value profiles when the JIT is disabled
2540         https://bugs.webkit.org/show_bug.cgi?id=185525
2541
2542         Reviewed by Michael Saboff.
2543
2544         There are many JSC API clients that run with the JIT disabled. We were
2545         still allocating a ton of value profiles in this use case even though
2546         these clients get no benefit from doing value profiling. This patch makes
2547         it so that we don't allocate value profiles or argument value profiles
2548         when we're not using the JIT. We now just make all value profiles in
2549         the instruction stream point to a global value profile that the VM owns.
2550         And we make the argument value profile array have zero length and teach
2551         the LLInt how to handle that. Heap clears the global value profile on each GC.
2552
2553         In an app that I'm testing this against, this saves ~1MB of memory.
2554
2555         * bytecode/CodeBlock.cpp:
2556         (JSC::CodeBlock::finishCreation):
2557         (JSC::CodeBlock::setNumParameters):
2558         * bytecode/CodeBlock.h:
2559         (JSC::CodeBlock::numberOfArgumentValueProfiles):
2560         (JSC::CodeBlock::valueProfileForArgument):
2561         * bytecompiler/BytecodeGenerator.cpp:
2562         (JSC::BytecodeGenerator::emitProfiledOpcode):
2563         * heap/Heap.cpp:
2564         (JSC::Heap::runEndPhase):
2565         * llint/LowLevelInterpreter.asm:
2566         * runtime/VM.cpp:
2567         (JSC::VM::VM):
2568         * runtime/VM.h:
2569
2570 2018-05-10  Carlos Garcia Campos  <cgarcia@igalia.com>
2571
2572         [JSC][GLIB] Add introspectable alternatives to functions using varargs
2573         https://bugs.webkit.org/show_bug.cgi?id=185508
2574
2575         Reviewed by Michael Catanzaro.
2576
2577         * API/glib/JSCClass.cpp:
2578         (jscClassCreateConstructor):
2579         (jsc_class_add_constructor):
2580         (jsc_class_add_constructorv):
2581         (jscClassAddMethod):
2582         (jsc_class_add_method):
2583         (jsc_class_add_methodv):
2584         * API/glib/JSCClass.h:
2585         * API/glib/JSCValue.cpp:
2586         (jsObjectCall):
2587         (jscValueCallFunction):
2588         (jsc_value_object_invoke_methodv):
2589         (jscValueFunctionCreate):
2590         (jsc_value_new_function):
2591         (jsc_value_new_functionv):
2592         (jsc_value_function_callv):
2593         (jsc_value_constructor_callv):
2594         * API/glib/JSCValue.h:
2595         * API/glib/docs/jsc-glib-4.0-sections.txt:
2596
2597 2018-05-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2598
2599         [JSC] Make return types of construction functions tight
2600         https://bugs.webkit.org/show_bug.cgi?id=185509
2601
2602         Reviewed by Saam Barati.
2603
2604         Array and Object construction functions should return strict types instead of returning JSObject*/JSValue.
2605
2606         * runtime/ArrayConstructor.cpp:
2607         (JSC::constructArrayWithSizeQuirk):
2608         * runtime/ArrayConstructor.h:
2609         * runtime/ObjectConstructor.h:
2610         (JSC::constructEmptyObject):
2611
2612 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2613
2614         [JSC] Object.assign for final objects should be faster
2615         https://bugs.webkit.org/show_bug.cgi?id=185348
2616
2617         Reviewed by Saam Barati.
2618
2619         Object.assign is so heavily used to clone an object. For example, speedometer react-redux can be significantly
2620         improved if Object.assign becomes fast. It is worth adding a complex fast path to accelerate the major use cases.
2621
2622         If enumerating properties of source objects and putting properties to the target object are non-observable,
2623         we can avoid the hash table lookup of source object properties. We can enumerate object property entries,
2624         and put them to the target object. This patch adds this fast path to the Object.assign implementation.
2625
2626         When enumerating properties, we need to ensure that the given |source| object does not include "__proto__"
2627         property since we cannot perform fast [[Put]] for the |target| object. We add a new flag
2628         "HasUnderscoreProtoPropertyExcludingOriginalProto" to Structure to track this state.
2629
2630         This improves object-assign.es6 by 1.85x.
2631
2632                                         baseline                  patched
2633
2634             object-assign.es6      368.6132+-8.3508     ^    198.8775+-4.9042        ^ definitely 1.8535x faster
2635
2636         And Speedometer2.0 React-Redux-TodoMVC's total time is improved from 490ms to 431ms.
2637
2638         * runtime/JSObject.h:
2639         * runtime/JSObjectInlines.h:
2640         (JSC::JSObject::canPerformFastPutInlineExcludingProto):
2641         (JSC::JSObject::canPerformFastPutInline):
2642         * runtime/ObjectConstructor.cpp:
2643         (JSC::objectConstructorAssign):
2644         * runtime/Structure.cpp:
2645         (JSC::Structure::Structure):
2646         * runtime/Structure.h:
2647         * runtime/StructureInlines.h:
2648         (JSC::Structure::forEachProperty):
2649         (JSC::Structure::add):
2650
2651 2018-05-10  Filip Pizlo  <fpizlo@apple.com>
2652
2653         DFG CFA should pick the right time to inject OSR entry data
2654         https://bugs.webkit.org/show_bug.cgi?id=185530
2655
2656         Reviewed by Saam Barati.
2657         
2658         Previously, we would do a bonus run of CFA to inject OSR entry data. This patch makes us inject
2659         OSR entry data as part of the normal flow of CFA, which reduces the total number of CFA
2660         reexecutions while minimizing the likelihood that we have CFA execute constants in paths that
2661         would eventually LUB to non-constant.
2662         
2663         This looks like almost a 1% speed-up on SunSpider-CompileTime. All of the logic for preventing
2664         execution over constants is for V8Spider-CompileTime/regexp, which would otherwise do a lot of
2665         useless regexp/string execution in the compiler.
2666
2667         * dfg/DFGBlockSet.h:
2668         (JSC::DFG::BlockSet::remove):
2669         * dfg/DFGCFAPhase.cpp:
2670         (JSC::DFG::CFAPhase::run):
2671         (JSC::DFG::CFAPhase::injectOSR):
2672         (JSC::DFG::CFAPhase::performBlockCFA):
2673
2674 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
2675
2676         InPlaceAbstractState::beginBasicBlock shouldn't copy all m_variables every time
2677         https://bugs.webkit.org/show_bug.cgi?id=185452
2678
2679         Reviewed by Michael Saboff.
2680         
2681         We were spending a lot of time in beginBasicBlock() just copying the state of all variables
2682         from the block head to InPlaceAbstractState::m_variables. It is necessary for
2683         InPlaceAbstractState to have its own copy since we need to mutate it separately from
2684         block->valuesAtHead. But most variables are untouched by most basic blocks, so this was a lot
2685         of superfluous work.
2686         
2687         This change adds a bitvector called m_activeVariables that tracks which variables have been
2688         copied. We lazily copy the variables on first use. Variables that were never copied also have
2689         a simplified merging path, which just needs to consider if the variable got clobbered between
2690         head and tail.
2691         
2692         This is a 1.5% speed-up on SunSpider-CompileTime and a 1.7% speed-up on V8Spider-CompileTime.
2693
2694         * bytecode/Operands.h:
2695         (JSC::Operands::argumentIndex const):
2696         (JSC::Operands::localIndex const):
2697         (JSC::Operands::argument):
2698         (JSC::Operands::argument const):
2699         (JSC::Operands::local):
2700         (JSC::Operands::local const):
2701         (JSC::Operands::operandIndex const):
2702         * dfg/DFGAbstractValue.h:
2703         (JSC::DFG::AbstractValue::fastForwardFromTo):
2704         * dfg/DFGCFAPhase.cpp:
2705         (JSC::DFG::CFAPhase::performForwardCFA):
2706         * dfg/DFGInPlaceAbstractState.cpp:
2707         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
2708         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
2709         (JSC::DFG::InPlaceAbstractState::activateAllVariables):
2710         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2711         (JSC::DFG::InPlaceAbstractState::activateVariable):
2712         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): Deleted.
2713         * dfg/DFGInPlaceAbstractState.h:
2714         (JSC::DFG::InPlaceAbstractState::variableAt):
2715         (JSC::DFG::InPlaceAbstractState::operand):
2716         (JSC::DFG::InPlaceAbstractState::local):
2717         (JSC::DFG::InPlaceAbstractState::argument):
2718         (JSC::DFG::InPlaceAbstractState::activateVariableIfNecessary):
2719         (JSC::DFG::InPlaceAbstractState::variablesForDebugging): Deleted.
2720
2721 2018-05-09  Caio Lima  <ticaiolima@gmail.com>
2722
2723         [ESNext][BigInt] Implement support for "==" operation
2724         https://bugs.webkit.org/show_bug.cgi?id=184474
2725
2726         Reviewed by Yusuke Suzuki.
2727
2728         This patch is implementing support of BigInt for the equals operator
2729         following the spec semantics[1].
2730
2731         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-equality-comparison
2732
2733         * runtime/JSBigInt.cpp:
2734         (JSC::JSBigInt::parseInt):
2735         (JSC::JSBigInt::stringToBigInt):
2736         (JSC::JSBigInt::toString):
2737         (JSC::JSBigInt::setDigit):
2738         (JSC::JSBigInt::equalsToNumber):
2739         (JSC::JSBigInt::compareToDouble):
2740         * runtime/JSBigInt.h:
2741         * runtime/JSCJSValueInlines.h:
2742         (JSC::JSValue::equalSlowCaseInline):
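
The BigInt-to-Number comparison the spec requires, as an added example in JavaScript that is not part of the WebKit change: the two values are compared mathematically, so a BigInt is never rounded to a double first. `compareBigIntToDouble` and `bigIntEqualsNumber` are constructed helper names, and the block checks its own results against the engine's native `==` and `<`.

```javascript
// Added example, not WebKit code: exact comparison of a BigInt with a
// Number, the way the abstract equality semantics require. Converting the
// BigInt to a double would lose precision above 2^53; instead the double
// is converted, which is exact for every integer-valued double.

// Returns 'lt', 'eq', 'gt', or 'unordered' (for NaN).
function compareBigIntToDouble(x, y) {
  if (Number.isNaN(y)) return 'unordered';
  if (y === Infinity) return 'lt';
  if (y === -Infinity) return 'gt';
  // Every integer-valued double converts to a BigInt without loss. A
  // fractional y is compared against its floor and can never equal x.
  const yInt = BigInt(Math.floor(y));
  if (x < yInt) return 'lt';
  if (x > yInt) return 'gt';
  return Number.isInteger(y) ? 'eq' : 'lt';
}

// Abstract equality (==) between a BigInt and a Number.
function bigIntEqualsNumber(x, y) {
  return compareBigIntToDouble(x, y) === 'eq';
}

// Constructed sample pairs, including the precision edge at 2^53 + 1.
const samples = [
  [3n, 3], [3n, 3.5], [4n, 3.5], [0n, -0],
  [9007199254740993n, 9007199254740992],   // 2^53 + 1 vs 2^53: not equal
  [2n ** 64n, 2 ** 64],                    // 2^64 is an exact double
  [1n, NaN], [1n, Infinity], [-1n, -Infinity],
];
for (const [x, y] of samples) {
  console.log(`${x}n vs ${y}: ${compareBigIntToDouble(x, y)}, == ${bigIntEqualsNumber(x, y)}`);
}
```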
2743
2744 2018-05-09  Filip Pizlo  <fpizlo@apple.com>
2745
2746         Speed up AbstractInterpreter::executeEdges
2747         https://bugs.webkit.org/show_bug.cgi?id=185457
2748
2749         Reviewed by Saam Barati.
2750
2751         This patch started out with the desire to make executeEdges() faster by making filtering faster.
2752         However, when I studied the disassembly, I found that there are many opportunities for
2753         improvement and I implemented all of them:
2754         
2755         - Filtering itself now has an inline fast path for when the filtering didn't change the value or
2756           for non-cells.
2757         
2758         - Edge execution doesn't fast-forward anything if the filtering fast path would have succeeded,
2759           since fast-forwarding is only interesting for cells and only if we have a clobbered value.
2760         
2761         - Similarly, edge verification doesn't need to fast-forward in the common case.
2762         
2763         - A bunch of stuff related to Graph::doToChildren is now inlined properly.
2764         
2765         - The edge doesn't even have to be considered for execution if it's UntypedUse.
2766         
2767         That last bit was the trickiest. We had gotten into a bad habit of using SpecFullNumber in the
2768         abstract interpreter. It's not correct to use SpecFullNumber in the abstract interpreter, because
2769         it means proving that the value could either be formatted as a double (with impure NaN values),
2770         or as any JSValue, or as an Int52. There is no value that could possibly hold all of those
2771         states. This "worked" before because UntypedUse would filter this down to SpecBytecodeNumber. To
2772         make it work again, I needed to fix all of those uses of SpecFullNumber. In the future, we need
2773         to be careful about picking either SpecFullDouble (if returning a DoubleRep) or
2774         SpecBytecodeNumber (if returning a JSValueRep).
2775         
2776         But that fix revealed an amazing timeout in
2777         stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js. We were getting
2778         stuck in an OSR loop (baseline->DFG->FTL->baseline), all involving the same bytecode, without
2779         ever realizing that we should jettison something. The problem was with how
2780         triggerReoptimizationNow was getting the optimizedCodeBlock. It was trying to guess it by using
2781         baselineCodeBlock->replacement(), but that's wrong for FTL-for-OSR-entry code blocks.
2782         
2783         This is a 1% improvement in V8Spider-CompileTime.
2784
2785         * bytecode/ExitKind.cpp:
2786         (JSC::exitKindMayJettison):
2787         * dfg/DFGAbstractInterpreter.h:
2788         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
2789         (JSC::DFG::AbstractInterpreter::filterByType): Deleted.
2790         * dfg/DFGAbstractInterpreterInlines.h:
2791         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::AbstractInterpreterExecuteEdgesFunc):
2792         (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::operator() const):
2793         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
2794         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByType):
2795         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
2796         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2797         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
2798         * dfg/DFGAbstractValue.cpp:
2799         (JSC::DFG::AbstractValue::filterSlow):
2800         (JSC::DFG::AbstractValue::fastForwardToAndFilterSlow):
2801         * dfg/DFGAbstractValue.h:
2802         (JSC::DFG::AbstractValue::filter):
2803         (JSC::DFG::AbstractValue::fastForwardToAndFilter):
2804         (JSC::DFG::AbstractValue::fastForwardToAndFilterUnproven):
2805         (JSC::DFG::AbstractValue::makeTop):
2806         * dfg/DFGAtTailAbstractState.h:
2807         (JSC::DFG::AtTailAbstractState::fastForward):
2808         (JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
2809         (JSC::DFG::AtTailAbstractState::fastForwardAndFilterUnproven):
2810         * dfg/DFGGraph.h:
2811         (JSC::DFG::Graph::doToChildren):
2812         * dfg/DFGInPlaceAbstractState.h:
2813         (JSC::DFG::InPlaceAbstractState::fastForward):
2814         (JSC::DFG::InPlaceAbstractState::fastForwardAndFilterUnproven):
2815         (JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
2816         * dfg/DFGOSRExit.cpp:
2817         (JSC::DFG::OSRExit::executeOSRExit):
2818         * dfg/DFGOSRExitCompilerCommon.cpp:
2819         (JSC::DFG::handleExitCounts):
2820         * dfg/DFGOperations.cpp:
2821         * dfg/DFGOperations.h:
2822
2823 2018-05-09  Saam Barati  <sbarati@apple.com>
2824
2825         Add JSVirtualMachine SPI to shrink the memory footprint of the VM
2826         https://bugs.webkit.org/show_bug.cgi?id=185441
2827         <rdar://problem/39999414>
2828
2829         Reviewed by Keith Miller.
2830
2831         This patch adds JSVirtualMachine SPI to release as much memory as possible.
2832         The SPI does:
2833         - Deletes all code caches.
2834         - Runs a synchronous GC.
2835         - Runs the scavenger.
2836
2837         * API/JSVirtualMachine.mm:
2838         (-[JSVirtualMachine shrinkFootprint]):
2839         * API/JSVirtualMachinePrivate.h: Added.
2840         * API/tests/testapi.mm:
2841         (testObjectiveCAPIMain):
2842         * JavaScriptCore.xcodeproj/project.pbxproj:
2843         * runtime/VM.cpp:
2844         (JSC::VM::shrinkFootprint):
2845         * runtime/VM.h:
2846
2847 2018-05-09  Leo Balter  <leonardo.balter@gmail.com>
2848
2849         [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
2850         Error found in the following Test262 tests:
2851
2852         - test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js
2853         - test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js
2854         - test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js
2855
2856         ArraySpeciesCreate should throw a RangeError for non-Array custom objects
2857         presenting a length > 2**32-1.
2858         https://bugs.webkit.org/show_bug.cgi?id=185476
2859
2860         Reviewed by Yusuke Suzuki.
2861
2862         * runtime/ArrayPrototype.cpp:
2863
2864 2018-05-09  Michael Catanzaro  <mcatanzaro@igalia.com>
2865
2866         [WPE] Build cleanly with GCC 8 and ICU 60
2867         https://bugs.webkit.org/show_bug.cgi?id=185462
2868
2869         Reviewed by Carlos Alberto Lopez Perez.
2870
2871         * API/glib/JSCClass.cpp: Silence many -Wcast-function-type warnings.
2872         (jsc_class_add_constructor):
2873         (jsc_class_add_method):
2874         * API/glib/JSCValue.cpp: Silence many -Wcast-function-type warnings.
2875         (jsc_value_object_define_property_accessor):
2876         (jsc_value_new_function):
2877         * CMakeLists.txt: Build BuiltinNames.cpp with -fno-var-tracking-assignments. This was a
2878         problem with GCC 7 too, but might as well fix it now.
2879         * assembler/ProbeContext.h:
2880         (JSC::Probe::CPUState::gpr const): Silence a -Wclass-memaccess warning.
2881         (JSC::Probe::CPUState::spr const): Ditto. Assume std::remove_const is safe to clobber.
2882         * b3/air/AirArg.h:
2883         (JSC::B3::Air::Arg::isRepresentableAs): Silence -Wfallthrough warning.
2884         * builtins/BuiltinNames.cpp:
2885         (JSC::BuiltinNames::BuiltinNames): Moved from BuiltinNames.h so we can use a special flag.
2886         * builtins/BuiltinNames.h:
2887         (JSC::BuiltinNames::BuiltinNames): Moved to BuiltinNames.cpp.
2888         * dfg/DFGDoubleFormatState.h:
2889         (JSC::DFG::mergeDoubleFormatStates): Silence -Wfallthrough warnings.
2890         * heap/MarkedBlockInlines.h:
2891         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType): Silence -Wfallthrough warnings.
2892         * runtime/ConfigFile.cpp:
2893         (JSC::ConfigFile::canonicalizePaths): Here GCC found a genuine mistake: strncat is called
2894         with the wrong length parameter and the result is not null-terminated. Also, silence a
2895         -Wstringop-truncation warning as we intentionally truncate filenames that exceed PATH_MAX.
2896         * runtime/IntlDateTimeFormat.cpp:
2897         (JSC::IntlDateTimeFormat::partTypeString): Avoid an ICU deprecation warning.
2898         * runtime/JSGlobalObject.cpp:
2899         (JSC::JSGlobalObject::init): We were unconditionally running some BigInt code by accident.
2900         (JSC::JSGlobalObject::visitChildren): Probably a serious bug? Fixed.
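
The strncat length mistake noted above for canonicalizePaths, shown in isolation as an added example (not WebKit's code): strncat's third argument bounds only the bytes appended, so passing the buffer size overruns once the buffer already holds data. The helpers, the small PATH_CAP standing in for PATH_MAX and the sample paths are all constructed here; the bounded form truncates deliberately and stays NUL-terminated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed cap standing in for PATH_MAX so truncation is easy to see. */
#define PATH_CAP 16

/* Shows the mistake without leaving any object: a 64-byte backing array stands
   in for the memory that follows an intended PATH_CAP-byte buffer. Because n
   bounds only the bytes APPENDED, strncat may write strlen(dst) + n + 1 bytes
   in total. Returns the resulting string length. */
size_t wrong_strncat_length(void) {
    char backing[64];
    memset(backing, 'x', sizeof backing);
    backing[sizeof backing - 1] = '\0';
    char* dst = backing;                  /* the caller believes this holds PATH_CAP bytes */
    strcpy(dst, "0123456789ab");          /* 12 bytes already in the buffer */
    strncat(dst, "XYZXYZXYZ", PATH_CAP);  /* BUG: n should be the remaining room */
    return strlen(dst);                   /* 21: the NUL landed at index 21, past PATH_CAP */
}

/* Bounded append: compute the room actually left, keep one byte for the NUL,
   and report truncation instead of hiding it. strncat always writes a NUL after
   the bytes it copies, so the result is terminated whenever n <= cap - used - 1. */
static bool append_bounded(char* dst, size_t cap, const char* src) {
    const char* nul = memchr(dst, '\0', cap);
    if (!nul)                             /* dst is not terminated within cap: refuse */
        return false;
    size_t used = (size_t)(nul - dst);
    size_t room = cap - used - 1;         /* bytes available, excluding the NUL */
    size_t need = strlen(src);
    strncat(dst, src, room);              /* appends min(need, room) bytes, then a NUL */
    return need <= room;                  /* false: src was truncated */
}

/* Builds dir + "/" + name into dst, always NUL-terminated and cut to at most
   cap - 1 characters. Returns false if any part was truncated. */
bool join_path(char* dst, size_t cap, const char* dir, const char* name) {
    if (cap == 0)
        return false;
    dst[0] = '\0';
    bool ok = append_bounded(dst, cap, dir);
    ok = append_bounded(dst, cap, "/") && ok;
    ok = append_bounded(dst, cap, name) && ok;
    return ok;
}

int main(void) {
    char path[PATH_CAP];
    bool ok = join_path(path, sizeof path, "/usr/lib", "libfoo.so");
    printf("%s (truncated: %s)\n", path, ok ? "no" : "yes");
    printf("buggy strncat produced %zu bytes in a %d-byte buffer\n",
           wrong_strncat_length(), PATH_CAP);
    return 0;
}
```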
2901
2902 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2903
2904         [ARMv7] Drop ARMv7 disassembler in favor of capstone
2905         https://bugs.webkit.org/show_bug.cgi?id=185423
2906
2907         Reviewed by Michael Catanzaro.
2908
2909         This patch removes ARMv7Disassembler in our tree.
2910         We already adopted Capstone, and it is already used in ARMv7 JIT environments.
2911
2912         * CMakeLists.txt:
2913         * JavaScriptCore.xcodeproj/project.pbxproj:
2914         * Sources.txt:
2915         * disassembler/ARMv7/ARMv7DOpcode.cpp: Removed.
2916         * disassembler/ARMv7/ARMv7DOpcode.h: Removed.
2917         * disassembler/ARMv7Disassembler.cpp: Removed.
2918
2919 2018-05-09  Srdjan Lazarevic  <srdjan.lazarevic@rt-rk.com>
2920
2921         [MIPS] Optimize generated JIT code using r2
2922         https://bugs.webkit.org/show_bug.cgi?id=184584
2923
2924         Reviewed by Yusuke Suzuki.
2925
2926         Implemented the EXT and MFHC1 instructions from MIPSR2 and used them where possible.
2927         Also did some code size optimizations that were discovered in the meantime.
2928
2929         * assembler/MIPSAssembler.h:
2930         (JSC::MIPSAssembler::ext):
2931         (JSC::MIPSAssembler::mfhc1):
2932         * assembler/MacroAssemblerMIPS.cpp:
2933         * assembler/MacroAssemblerMIPS.h:
2934         (JSC::MacroAssemblerMIPS::isPowerOf2):
2935         (JSC::MacroAssemblerMIPS::bitPosition):
2936         (JSC::MacroAssemblerMIPS::loadAddress):
2937         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
2938         (JSC::MacroAssemblerMIPS::load8):
2939         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
2940         (JSC::MacroAssemblerMIPS::load32):
2941         (JSC::MacroAssemblerMIPS::load16Unaligned):
2942         (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
2943         (JSC::MacroAssemblerMIPS::load16):
2944         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
2945         (JSC::MacroAssemblerMIPS::store8):
2946         (JSC::MacroAssemblerMIPS::store16):
2947         (JSC::MacroAssemblerMIPS::store32):
2948         (JSC::MacroAssemblerMIPS::branchTest32):
2949         (JSC::MacroAssemblerMIPS::loadFloat):
2950         (JSC::MacroAssemblerMIPS::loadDouble):
2951         (JSC::MacroAssemblerMIPS::storeFloat):
2952         (JSC::MacroAssemblerMIPS::storeDouble):
2953
2954 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2955
2956         [JSC][GTK][JSCONLY] Use capstone disassembler
2957         https://bugs.webkit.org/show_bug.cgi?id=185283
2958
2959         Reviewed by Michael Catanzaro.
2960
2961         Instead of adding a MIPS disassembler baked by ourselves, we import the capstone disassembler
2962         and use it for MIPS, ARM, and ARMv7 in the GTK, WPE, WinCairo and JSCOnly ports.
2963
2964         We also remove the ARM LLVM disassembler.
2965
2966         Capstone is licensed under 3-clause BSD, which is acceptable in WebKit tree.
2967
2968         * CMakeLists.txt:
2969         * Sources.txt:
2970         * disassembler/ARMLLVMDisassembler.cpp: Removed.
2971         * disassembler/CapstoneDisassembler.cpp: Added.
2972         (JSC::tryToDisassemble):
2973
2974 2018-05-09  Dominik Infuehr  <dinfuehr@igalia.com>
2975
2976         [MIPS] Use mfhc1 and mthc1 to fix assembler error
2977         https://bugs.webkit.org/show_bug.cgi?id=185464
2978
2979         Reviewed by Yusuke Suzuki.
2980
2981         The binutils assembler started to report failures for copying words between
2982         GP and FP registers for odd FP register indices. Use mfhc1 and mthc1 instead
2983         of mfc1 and mtc1 for conversion.
2984
2985         * offlineasm/mips.rb:
2986
2987 2018-05-08  Dominik Infuehr  <dinfuehr@igalia.com>
2988
2989         [MIPS] Collect callee-saved register using inline assembly
2990         https://bugs.webkit.org/show_bug.cgi?id=185428
2991
2992         Reviewed by Yusuke Suzuki.
2993
2994         MIPS used setjmp instead of collecting registers with inline assembly like
2995         other architectures.
2996
2997         * heap/RegisterState.h:
2998
2999 2018-05-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3000
3001         [BigInt] Simplifying JSBigInt by using bool addition
3002         https://bugs.webkit.org/show_bug.cgi?id=185374
3003
3004         Reviewed by Alex Christensen.
3005
3006         Since using TWO_DIGIT does not produce good code, we remove this part from digitAdd and digitSub.
3007         Just adding the overflow flag to the carry/borrow produces setb + add on x86.
3008
3009         We also annotate small helper functions and accessors with `inline` so as not to call these
3010         functions inside the internalMultiplyAdd loop.
3011
3012         * runtime/JSBigInt.cpp:
3013         (JSC::JSBigInt::isZero):
3014         (JSC::JSBigInt::inplaceMultiplyAdd):
3015         (JSC::JSBigInt::digitAdd):
3016         (JSC::JSBigInt::digitSub):
3017         (JSC::JSBigInt::digitMul):
3018         (JSC::JSBigInt::digitPow):
3019         (JSC::JSBigInt::digitDiv):
3020         (JSC::JSBigInt::offsetOfData):
3021         (JSC::JSBigInt::dataStorage):
3022         (JSC::JSBigInt::digit):
3023         (JSC::JSBigInt::setDigit):
3024
3025 2018-05-08  Michael Saboff  <msaboff@apple.com>
3026
3027         Replace multiple Watchpoint Set fireAll() methods with templates
3028         https://bugs.webkit.org/show_bug.cgi?id=185456
3029
3030         Reviewed by Saam Barati.
3031
3032         Refactored to minimize duplicate code.
3033
3034         * bytecode/Watchpoint.h:
3035         (JSC::WatchpointSet::fireAll):
3036         (JSC::InlineWatchpointSet::fireAll):
3037
3038 2018-05-08  Filip Pizlo  <fpizlo@apple.com>
3039
3040         DFG::FlowMap::resize() shouldn't resize the shadow map unless we're in SSA
3041         https://bugs.webkit.org/show_bug.cgi?id=185453
3042
3043         Reviewed by Michael Saboff.
3044         
3045         Tiny improvement for compile times.
3046
3047         * dfg/DFGFlowMap.h:
3048         (JSC::DFG::FlowMap::resize): Remove one Vector::resize() when we're not in SSA.
3049         * dfg/DFGInPlaceAbstractState.cpp:
3050         (JSC::DFG::InPlaceAbstractState::beginBasicBlock): Record some data about how long we spend in different parts of this and add a FIXME linking bug 185452.
3051
3052 2018-05-08  Michael Saboff  <msaboff@apple.com>
3053
3054         Deferred firing of structure transition watchpoints is racy
3055         https://bugs.webkit.org/show_bug.cgi?id=185438
3056
3057         Reviewed by Saam Barati.
3058
3059         Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire
3060         and fire them in the destructor.  When the watchpoints are taken from the
3061         original WatchpointSet, that WatchpointSet is marked invalid.
3062
3063         * bytecode/Watchpoint.cpp:
3064         (JSC::WatchpointSet::fireAllSlow):
3065         (JSC::WatchpointSet::take):
3066         (JSC::DeferredWatchpointFire::DeferredWatchpointFire):
3067         (JSC::DeferredWatchpointFire::~DeferredWatchpointFire):
3068         (JSC::DeferredWatchpointFire::fireAll):
3069         (JSC::DeferredWatchpointFire::takeWatchpointsToFire):
3070         * bytecode/Watchpoint.h:
3071         (JSC::WatchpointSet::fireAll):
3072         (JSC::InlineWatchpointSet::fireAll):
3073         * runtime/JSObject.cpp:
3074         (JSC::JSObject::setPrototypeDirect):
3075         (JSC::JSObject::convertToDictionary):
3076         * runtime/JSObjectInlines.h:
3077         (JSC::JSObject::putDirectInternal):
3078         * runtime/Structure.cpp:
3079         (JSC::Structure::Structure):
3080         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire):
3081         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
3082         (JSC::DeferredStructureTransitionWatchpointFire::dump const):
3083         (JSC::Structure::didTransitionFromThisStructure const):
3084         (JSC::DeferredStructureTransitionWatchpointFire::add): Deleted.
3085         * runtime/Structure.h:
3086         (JSC::DeferredStructureTransitionWatchpointFire::structure const):
3087
3088 2018-05-08  Eric Carlson  <eric.carlson@apple.com>
3089
3090         Consecutive messages logged as JSON are coalesced
3091         https://bugs.webkit.org/show_bug.cgi?id=185432
3092
3093         Reviewed by Joseph Pecoraro.
3094
3095         * inspector/ConsoleMessage.cpp:
3096         (Inspector::ConsoleMessage::isEqual const): Messages with JSON arguments are not equal.
3097
3098 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
3099
3100         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
3101         https://bugs.webkit.org/show_bug.cgi?id=185365
3102
3103         Reviewed by Saam Barati.
3104         
3105         This patch does three things to improve compile times:
3106         
3107         - Fixes some inlining goofs.
3108         
3109         - Adds the ability to measure compile times with run-jsc-benchmarks.
3110         
3111         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
3112           code that clears abstract values. It turns out that constant folding "needed" this, in the
3113           sense that this was the only thing protecting it from loading the abstract value of a no-result
3114           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
3115           Any node that produces a result will explicitly set its abstract value, so this problem can
3116           also be guarded by just having constant folding check if the node it wants to fold returns any
3117           result.
3118         
3119         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
3120         
3121         Rolling back in after fixing cloop build.
3122
3123         * dfg/DFGAbstractInterpreterInlines.h:
3124         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3125         * dfg/DFGAbstractValue.cpp:
3126         (JSC::DFG::AbstractValue::set):
3127         * dfg/DFGAbstractValue.h:
3128         (JSC::DFG::AbstractValue::merge):
3129         * dfg/DFGConstantFoldingPhase.cpp:
3130         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3131         * dfg/DFGGraph.h:
3132         (JSC::DFG::Graph::doToChildrenWithNode):
3133         (JSC::DFG::Graph::doToChildren):
3134         * dfg/DFGInPlaceAbstractState.cpp:
3135         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
3136         * jit/JIT.cpp:
3137         (JSC::JIT::totalCompileTime):
3138         * jit/JIT.h:
3139         * jsc.cpp:
3140         (GlobalObject::finishCreation):
3141         (functionTotalCompileTime):
3142
3143 2018-05-08  Ryan Haddad  <ryanhaddad@apple.com>
3144
3145         Unreviewed, rolling out r231468.
3146
3147         Broke the CLoop build
3148
3149         Reverted changeset:
3150
3151         "InPlaceAbstractState::beginBasicBlock shouldn't have to clear
3152         any abstract values"
3153         https://bugs.webkit.org/show_bug.cgi?id=185365
3154         https://trac.webkit.org/changeset/231468
3155
3156 2018-05-07  Daniel Bates  <dabates@apple.com>
3157
3158         Check X-Frame-Options and CSP frame-ancestors in network process
3159         https://bugs.webkit.org/show_bug.cgi?id=185410
3160         <rdar://problem/37733934>
3161
3162         Reviewed by Ryosuke Niwa.
3163
3164         Add enum traits for MessageSource and MessageLevel so that we can encode and decode them for IPC.
3165
3166         * runtime/ConsoleTypes.h:
3167
3168 2018-05-07  Saam Barati  <sbarati@apple.com>
3169
3170         Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them
3171         https://bugs.webkit.org/show_bug.cgi?id=185329
3172         <rdar://problem/39961536>
3173
3174         Reviewed by Michael Saboff.
3175
3176         I was made aware of a memory goof inside of JSC where we would inefficiently
3177         use space to represent an UnlinkedFunctionExecutable's parent TDZ variables.
3178         
3179         We did two things badly:
3180         1. We used a HashMap instead of a Vector to represent the environment. Having
3181         a HashMap is useful when looking things up when generating bytecode, but it's
3182         space inefficient. Because UnlinkedFunctionExecutables live a long time because
3183         of the code cache, we should have them store this information efficiently
3184         inside of a Vector.
3185         
3186         2. We didn't hash-cons these environments together. If you think about how
3187         some programs are structured, hash-consing these together is hugely profitable.
3188         Consider some code like this:
3189         ```
3190         const/let V_1 = ...;
3191         const/let V_2 = ...;
3192         ...
3193         const/let V_n = ...;
3194         
3195         function f_1() { ... };
3196         function f_2() { ... };
3197         ...
3198         function f_n() { ... };
3199         ```
3200         
3201         Each f_i would store an identical hash map for its parent TDZ variables
3202         consisting of {V_1, ..., V_n}. This was incredibly dumb. With hash-consing,
3203         each f_i just holds onto a reference to the environment.
3204         
3205         I benchmarked this change against an app that made heavy use of the
3206         above code pattern and it reduced its peak memory footprint from ~220MB
3207         to ~160MB.
3208
3209         * bytecode/UnlinkedFunctionExecutable.cpp:
3210         (JSC::generateUnlinkedFunctionCodeBlock):
3211         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3212         * bytecode/UnlinkedFunctionExecutable.h:
3213         * parser/VariableEnvironment.cpp:
3214         (JSC::CompactVariableEnvironment::CompactVariableEnvironment):
3215         (JSC::CompactVariableEnvironment::operator== const):
3216         (JSC::CompactVariableEnvironment::toVariableEnvironment const):
3217         (JSC::CompactVariableMap::get):
3218         (JSC::CompactVariableMap::Handle::~Handle):
3219         * parser/VariableEnvironment.h:
3220         (JSC::VariableEnvironmentEntry::bits const):
3221         (JSC::VariableEnvironmentEntry::operator== const):
3222         (JSC::VariableEnvironment::isEverythingCaptured const):
3223         (JSC::CompactVariableEnvironment::hash const):
3224         (JSC::CompactVariableMapKey::CompactVariableMapKey):
3225         (JSC::CompactVariableMapKey::hash):
3226         (JSC::CompactVariableMapKey::equal):
3227         (JSC::CompactVariableMapKey::makeDeletedValue):
3228         (JSC::CompactVariableMapKey::isHashTableDeletedValue const):
3229         (JSC::CompactVariableMapKey::isHashTableEmptyValue const):
3230         (JSC::CompactVariableMapKey::environment):
3231         (WTF::HashTraits<JSC::CompactVariableMapKey>::emptyValue):
3232         (WTF::HashTraits<JSC::CompactVariableMapKey>::isEmptyValue):
3233         (WTF::HashTraits<JSC::CompactVariableMapKey>::constructDeletedValue):
3234         (WTF::HashTraits<JSC::CompactVariableMapKey>::isDeletedValue):
3235         (JSC::CompactVariableMap::Handle::Handle):
3236         (JSC::CompactVariableMap::Handle::environment const):
3237         (JSC::VariableEnvironment::VariableEnvironment): Deleted.
3238         * runtime/VM.cpp:
3239         (JSC::VM::VM):
3240         * runtime/VM.h:
3241
3242 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3243
3244         [DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers
3245         https://bugs.webkit.org/show_bug.cgi?id=185371
3246
3247         Reviewed by Mark Lam.
3248
3249         Since MIPS GPRInfo claims it has only 7 registers, some of the DFG code exhausts registers.
3250         As a result, we need to maintain separate code for MIPS. This increases the DFG maintenance burden,
3251         but MIPS actually has many more registers.
3252
3253         This patch adds $a0 - $a3 to the temporary registers. This is OK since our temporary registers can overlap with
3254         argument registers (see the ARM and X86 implementations). These registers are caller-save, so we do not need
3255         an extra mechanism.
3256
3257         Then, we remove several unnecessary pieces of MIPS code in our JIT infrastructure.
3258
3259         * dfg/DFGByteCodeParser.cpp:
3260         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3261         * dfg/DFGFixupPhase.cpp:
3262         (JSC::DFG::FixupPhase::fixupNode):
3263         * dfg/DFGSpeculativeJIT32_64.cpp:
3264         (JSC::DFG::SpeculativeJIT::compile):
3265         * jit/CCallHelpers.h:
3266         * jit/GPRInfo.h:
3267         (JSC::GPRInfo::toRegister):
3268         (JSC::GPRInfo::toIndex):
3269         * offlineasm/mips.rb:
3270
3271 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
3272
3273         DFG AI should have O(1) clobbering
3274         https://bugs.webkit.org/show_bug.cgi?id=185287
3275
3276         Reviewed by Saam Barati.
3277         
3278         This fixes an old scalability problem in AI. Previously, if we did clobberWorld(), then we
3279         would traverse all of the state available to the AI at that time and clobber it.
3280         
3281         This changes clobberWorld() to be O(1). It just does some math to a clobber epoch.
3282         
3283         This is a ~1% speed-up for compile times.
3284
3285         * JavaScriptCore.xcodeproj/project.pbxproj:
3286         * Sources.txt:
3287         * dfg/DFGAbstractInterpreter.h:
3288         (JSC::DFG::AbstractInterpreter::forNode):
3289         (JSC::DFG::AbstractInterpreter::setForNode):
3290         (JSC::DFG::AbstractInterpreter::clearForNode):
3291         (JSC::DFG::AbstractInterpreter::variables): Deleted.
3292         * dfg/DFGAbstractInterpreterInlines.h:
3293         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3294         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
3295         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
3296         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
3297         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
3298         * dfg/DFGAbstractValue.cpp:
3299         (JSC::DFG::AbstractValue::fastForwardToSlow):
3300         * dfg/DFGAbstractValue.h:
3301         (JSC::DFG::AbstractValue::fastForwardTo):
3302         (JSC::DFG::AbstractValue::clobberStructuresFor): Deleted.
3303         (JSC::DFG::AbstractValue::observeInvalidationPoint): Deleted.
3304         (JSC::DFG::AbstractValue::observeInvalidationPointFor): Deleted.
3305         * dfg/DFGAbstractValueClobberEpoch.cpp: Added.
3306         (JSC::DFG::AbstractValueClobberEpoch::dump const):
3307         * dfg/DFGAbstractValueClobberEpoch.h: Added.
3308         (JSC::DFG::AbstractValueClobberEpoch::AbstractValueClobberEpoch):
3309         (JSC::DFG::AbstractValueClobberEpoch::first):
3310         (JSC::DFG::AbstractValueClobberEpoch::clobber):
3311         (JSC::DFG::AbstractValueClobberEpoch::observeInvalidationPoint):
3312         (JSC::DFG::AbstractValueClobberEpoch::operator== const):
3313         (JSC::DFG::AbstractValueClobberEpoch::operator!= const):
3314         (JSC::DFG::AbstractValueClobberEpoch::structureClobberState const):
3315         (JSC::DFG::AbstractValueClobberEpoch::clobberEpoch const):
3316         * dfg/DFGAtTailAbstractState.h:
3317         (JSC::DFG::AtTailAbstractState::setForNode):
3318         (JSC::DFG::AtTailAbstractState::clearForNode):
3319         (JSC::DFG::AtTailAbstractState::numberOfArguments const):
3320         (JSC::DFG::AtTailAbstractState::numberOfLocals const):
3321         (JSC::DFG::AtTailAbstractState::operand):
3322         (JSC::DFG::AtTailAbstractState::local):
3323         (JSC::DFG::AtTailAbstractState::argument):
3324         (JSC::DFG::AtTailAbstractState::clobberStructures):
3325         (JSC::DFG::AtTailAbstractState::observeInvalidationPoint):
3326         (JSC::DFG::AtTailAbstractState::variables): Deleted.
3327         * dfg/DFGCFAPhase.cpp:
3328         (JSC::DFG::CFAPhase::performBlockCFA):
3329         * dfg/DFGConstantFoldingPhase.cpp:
3330         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3331         * dfg/DFGFlowMap.h:
3332         (JSC::DFG::FlowMap::at):
3333         (JSC::DFG::FlowMap::atShadow):
3334         (JSC::DFG::FlowMap::at const):
3335         (JSC::DFG::FlowMap::atShadow const):
3336         * dfg/DFGInPlaceAbstractState.cpp:
3337         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
3338         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3339         * dfg/DFGInPlaceAbstractState.h:
3340         (JSC::DFG::InPlaceAbstractState::forNode):
3341         (JSC::DFG::InPlaceAbstractState::setForNode):
3342         (JSC::DFG::InPlaceAbstractState::clearForNode):
3343         (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
3344         (JSC::DFG::InPlaceAbstractState::numberOfArguments const):
3345         (JSC::DFG::InPlaceAbstractState::numberOfLocals const):
3346         (JSC::DFG::InPlaceAbstractState::operand):
3347         (JSC::DFG::InPlaceAbstractState::local):
3348         (JSC::DFG::InPlaceAbstractState::argument):
3349         (JSC::DFG::InPlaceAbstractState::variableAt):
3350         (JSC::DFG::InPlaceAbstractState::clobberStructures):
3351         (JSC::DFG::InPlaceAbstractState::observeInvalidationPoint):
3352         (JSC::DFG::InPlaceAbstractState::fastForward):
3353         (JSC::DFG::InPlaceAbstractState::variables): Deleted.
3354         * dfg/DFGSpeculativeJIT64.cpp:
3355         (JSC::DFG::SpeculativeJIT::compile):
3356         * ftl/FTLLowerDFGToB3.cpp:
3357         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
3358
3359 2018-05-06  Filip Pizlo  <fpizlo@apple.com>
3360
3361         InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
3362         https://bugs.webkit.org/show_bug.cgi?id=185365
3363
3364         Reviewed by Saam Barati.
3365         
3366         This patch does three things to improve compile times:
3367         
3368         - Fixes some inlining goofs.
3369         
3370         - Adds the ability to measure compile times with run-jsc-benchmarks.
3371         
3372         - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
3373           code that clears abstract values. It turns out that constant folding "needed" this, in the
3374           sense that this was the only thing protecting it from loading the abstract value of a no-result
3375           node and then concluding that because it had a non-empty m_value, it could be constant-folded.
3376           Any node that produces a result will explicitly set its abstract value, so this problem can
3377           also be guarded by just having constant folding check if the node it wants to fold returns any
3378           result.
3379         
3380         Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
3381
3382         * dfg/DFGAbstractInterpreterInlines.h:
3383         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3384         * dfg/DFGAbstractValue.cpp:
3385         (JSC::DFG::AbstractValue::set):
3386         * dfg/DFGAbstractValue.h:
3387         (JSC::DFG::AbstractValue::merge):
3388         * dfg/DFGConstantFoldingPhase.cpp:
3389         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3390         * dfg/DFGGraph.h:
3391         (JSC::DFG::Graph::doToChildrenWithNode):
3392         (JSC::DFG::Graph::doToChildren):
3393         * dfg/DFGInPlaceAbstractState.cpp:
3394         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
3395         * jit/JIT.cpp:
3396         (JSC::JIT::totalCompileTime):
3397         * jit/JIT.h:
3398         * jsc.cpp:
3399         (GlobalObject::finishCreation):
3400         (functionTotalCompileTime):
3401
3402 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
3403
3404         DFG AI doesn't need to merge valuesAtTail - it can just assign them
3405         https://bugs.webkit.org/show_bug.cgi?id=185355
3406
3407         Reviewed by Mark Lam.
3408         
3409         This is a further attempt to improve compile times. Assigning AbstractValue ought to always
3410         be faster than merging. There's no need to merge valuesAtTail. In most cases, assigning and
3411         merging will get the same answer because the value computed this time will be either the same
3412         as or more general than the value computed last time. If the value does change for some
3413         reason, then valuesAtHead are already merged, which ensures monotonicity. Also, if the value
3414         changes, then we have no reason to believe that this new value is less right than the last
3415         one we computed. Finally, the one client of valuesAtTail (AtTailAbstractState) doesn't care
3416         if it's getting the merged valuesAtTail or just some correct answer for valuesAtTail.
3417
3418         * dfg/DFGInPlaceAbstractState.cpp:
3419         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3420
3421 2018-05-07  Andy VanWagoner  <andy@vanwagoner.family>
3422
3423         Remove defunct email address
3424         https://bugs.webkit.org/show_bug.cgi?id=185396
3425
3426         Reviewed by Mark Lam.
3427
3428         The email address thetalecrafter@gmail.com is no longer valid, as the
3429         associated google account has been closed. This updates the email
3430         address so questions about these Intl contributions go to the right
3431         place.
3432
3433         * builtins/DatePrototype.js:
3434         * builtins/NumberPrototype.js:
3435         * builtins/StringPrototype.js:
3436         * runtime/IntlCollator.cpp:
3437         * runtime/IntlCollator.h:
3438         * runtime/IntlCollatorConstructor.cpp:
3439         * runtime/IntlCollatorConstructor.h:
3440         * runtime/IntlCollatorPrototype.cpp:
3441         * runtime/IntlCollatorPrototype.h:
3442         * runtime/IntlDateTimeFormat.cpp:
3443         * runtime/IntlDateTimeFormat.h:
3444         * runtime/IntlDateTimeFormatConstructor.cpp:
3445         * runtime/IntlDateTimeFormatConstructor.h:
3446         * runtime/IntlDateTimeFormatPrototype.cpp:
3447         * runtime/IntlDateTimeFormatPrototype.h:
3448         * runtime/IntlNumberFormat.cpp:
3449         * runtime/IntlNumberFormat.h:
3450         * runtime/IntlNumberFormatConstructor.cpp:
3451         * runtime/IntlNumberFormatConstructor.h:
3452         * runtime/IntlNumberFormatPrototype.cpp:
3453         * runtime/IntlNumberFormatPrototype.h:
3454         * runtime/IntlObject.cpp:
3455         * runtime/IntlObject.h:
3456         * runtime/IntlPluralRules.cpp:
3457         * runtime/IntlPluralRules.h:
3458         * runtime/IntlPluralRulesConstructor.cpp:
3459         * runtime/IntlPluralRulesConstructor.h:
3460         * runtime/IntlPluralRulesPrototype.cpp:
3461         * runtime/IntlPluralRulesPrototype.h:
3462
3463 2018-05-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3464
3465         [JSC] Remove "using namespace std;" from JSC, bmalloc, WTF
3466         https://bugs.webkit.org/show_bug.cgi?id=185362
3467
3468         Reviewed by Sam Weinig.
3469
3470         "namespace std" may include many names. It can conflict with names defined by our code
3471         and by other platform-provided headers. For example, std::byte conflicts with Windows'
3472         ::byte.
3473         This patch removes "using namespace std;" from JSC and bmalloc.
3474
3475         * API/JSClassRef.cpp:
3476         (OpaqueJSClass::create):
3477         * bytecode/Opcode.cpp:
3478         * bytecompiler/BytecodeGenerator.cpp:
3479         (JSC::BytecodeGenerator::newRegister):
3480         * heap/Heap.cpp:
3481         (JSC::Heap::updateAllocationLimits):
3482         * interpreter/Interpreter.cpp:
3483         * jit/JIT.cpp:
3484         * parser/Parser.cpp:
3485         * runtime/JSArray.cpp:
3486         * runtime/JSLexicalEnvironment.cpp:
3487         * runtime/JSModuleEnvironment.cpp:
3488         * runtime/Structure.cpp:
3489         * shell/DLLLauncherMain.cpp:
3490         (getStringValue):
3491         (applePathFromRegistry):
3492         (appleApplicationSupportDirectory):
3493         (copyEnvironmentVariable):
3494         (prependPath):
3495         (fatalError):
3496         (directoryExists):
3497         (modifyPath):
3498         (getLastErrorString):
3499         (wWinMain):
3500
3501 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
3502
3503         DFG CFA phase should only do clobber asserts in debug
3504         https://bugs.webkit.org/show_bug.cgi?id=185354
3505
3506         Reviewed by Saam Barati.
3507         
3508         Clobber asserts are responsible for 1% of compile time. That's too much. This disables them
3509         unless asserts are enabled.
3510
3511         * dfg/DFGCFAPhase.cpp:
3512         (JSC::DFG::CFAPhase::performBlockCFA):
3513
3514 2018-05-04  Keith Miller  <keith_miller@apple.com>
3515
3516         isCacheableArrayLength should return true for undecided arrays
3517         https://bugs.webkit.org/show_bug.cgi?id=185309
3518
3519         Reviewed by Michael Saboff.
3520
3521         Undecided arrays have butterflies so there is no reason why we
3522         should not be able to cache their length.
3523
3524         * bytecode/InlineAccess.cpp:
3525         (JSC::InlineAccess::isCacheableArrayLength):
3526
3527 2018-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3528
3529         Remove std::random_shuffle
3530         https://bugs.webkit.org/show_bug.cgi?id=185292
3531
3532         Reviewed by Darin Adler.
3533
3534         std::random_shuffle is deprecated in C++14 and removed in C++17,
3535         since std::random_shuffle relies on rand and srand.
3536         Use std::shuffle instead.
3537
3538         * jit/BinarySwitch.cpp:
3539         (JSC::RandomNumberGenerator::RandomNumberGenerator):
3540         (JSC::RandomNumberGenerator::operator()):
3541         (JSC::RandomNumberGenerator::min):
3542         (JSC::RandomNumberGenerator::max):
3543         (JSC::BinarySwitch::build):
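
Added example (not the BinarySwitch.cpp change itself): the shape of generator std::shuffle needs, a per-instance engine exposing operator(), min() and max(), in contrast to std::random_shuffle's dependence on the global rand()/srand() state. The xorshift64 engine and the seed values are constructed for illustration and are not JSC's RandomNumberGenerator.

```cpp
#include <algorithm>
#include <cstdint>
#include <limits>
#include <vector>

// Constructed example: a per-instance, explicitly seeded generator that
// satisfies the C++ UniformRandomBitGenerator requirements, so it can be
// handed to std::shuffle. std::random_shuffle instead drew from rand(),
// whose state is process-global and seeded elsewhere via srand(), so any
// caller of srand() silently changed every shuffle in the process.
class RandomNumberGenerator {
public:
    using result_type = uint64_t;

    explicit RandomNumberGenerator(uint64_t seed)
        : m_state(seed ? seed : 0x9E3779B97F4A7C15ULL) // xorshift must not start at 0
    {
    }

    // xorshift64: fine for ordering switch cases, not for anything secret.
    result_type operator()()
    {
        uint64_t x = m_state;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        m_state = x;
        return x;
    }

    static constexpr result_type min() { return 0; }
    static constexpr result_type max() { return std::numeric_limits<result_type>::max(); }

private:
    uint64_t m_state;
};

// Shuffle a copy of `cases` with an engine whose only input is `seed`,
// so the same seed always yields the same order.
std::vector<int> shuffledCases(std::vector<int> cases, uint64_t seed)
{
    RandomNumberGenerator rng(seed);
    std::shuffle(cases.begin(), cases.end(), rng);
    return cases;
}

// True when `shuffled` contains exactly the elements of `original`.
bool isPermutationOf(const std::vector<int>& shuffled, const std::vector<int>& original)
{
    return shuffled.size() == original.size()
        && std::is_permutation(shuffled.begin(), shuffled.end(), original.begin());
}
```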
3544
3545 2018-05-03  Saam Barati  <sbarati@apple.com>
3546
3547         Don't prevent CreateThis being folded to NewObject when the structure is poly proto
3548         https://bugs.webkit.org/show_bug.cgi?id=185177
3549
3550         Reviewed by Filip Pizlo.
3551
3552         This patch teaches the DFG/FTL how to constant fold CreateThis with
3553         a known poly proto Structure to NewObject. We do it by emitting a NewObject
3554         followed by a PutByOffset for the prototype value.
3555         
3556         We make it so that ObjectAllocationProfile holds the prototype value.
3557         This is sound because JSFunction clears that profile when its 'prototype'
3558         field changes.
3559         
3560         This patch also renames underscoreProtoPrivateName to polyProtoName since
3561         that name was nonsensical: it was only used for poly proto.
3562         
3563         This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
3564         regressed that benchmark when I first introduced poly proto.
3565
3566         * builtins/BuiltinNames.cpp:
3567         * builtins/BuiltinNames.h:
3568         (JSC::BuiltinNames::BuiltinNames):
3569         (JSC::BuiltinNames::polyProtoName const):
3570         (JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
3571         * bytecode/ObjectAllocationProfile.h:
3572         (JSC::ObjectAllocationProfile::prototype):
3573         (JSC::ObjectAllocationProfile::clear):
3574         (JSC::ObjectAllocationProfile::visitAggregate):
3575         * bytecode/ObjectAllocationProfileInlines.h:
3576         (JSC::ObjectAllocationProfile::initializeProfile):
3577         * dfg/DFGAbstractInterpreterInlines.h:
3578         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3579         * dfg/DFGByteCodeParser.cpp:
3580         (JSC::DFG::ByteCodeParser::parseBlock):
3581         * dfg/DFGConstantFoldingPhase.cpp:
3582         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3583         * dfg/DFGOperations.cpp:
3584         * runtime/CommonSlowPaths.cpp:
3585         (JSC::SLOW_PATH_DECL):
3586         * runtime/FunctionRareData.h:
3587         * runtime/Structure.cpp:
3588         (JSC::Structure::create):
3589
3590 2018-05-03  Michael Saboff  <msaboff@apple.com>
3591
3592         OSR entry pruning of Program Bytecodes doesn't take into account try/catch
3593         https://bugs.webkit.org/show_bug.cgi?id=185281
3594
3595         Reviewed by Saam Barati.
3596
3597         When we compute bytecode block reachability, we need to take into account blocks
3598         containing try/catch.
3599
3600         * jit/JIT.cpp:
3601         (JSC::JIT::privateCompileMainPass):
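
Added example, a constructed model rather than JSC's JIT code, of the reachability computation the entry describes: a catch block has no branch predecessor, so a walk over branch successors alone never reaches it unless the exception handler table contributes edges. The block layout and handler table are made up for illustration.

```cpp
#include <cstddef>
#include <set>
#include <vector>

// Constructed model (not JSC's data structures) of bytecode block reachability.
struct Block {
    std::vector<size_t> successors; // jump and fall-through targets
};

// Exception handler: blocks in [start, end) are covered by block `handler`.
struct HandlerRange {
    size_t start;
    size_t end;
    size_t handler;
};

struct BytecodeGraph {
    std::vector<Block> blocks;
    std::vector<HandlerRange> handlers;
};

// Indices of blocks reachable from block 0. With `honorHandlers` false this
// reproduces the pruning mistake: a block reachable only through a catch is
// never visited, so entry into it would be pruned as dead code.
std::set<size_t> reachableBlocks(const BytecodeGraph& graph, bool honorHandlers)
{
    std::set<size_t> reachable;
    std::vector<size_t> worklist { 0 };
    while (!worklist.empty()) {
        size_t index = worklist.back();
        worklist.pop_back();
        if (!reachable.insert(index).second)
            continue; // already visited
        for (size_t successor : graph.blocks[index].successors)
            worklist.push_back(successor);
        if (!honorHandlers)
            continue;
        // Any instruction in a covered block may throw, so the handler is a successor too.
        for (const HandlerRange& range : graph.handlers) {
            if (index >= range.start && index < range.end)
                worklist.push_back(range.handler);
        }
    }
    return reachable;
}

// Constructed program: 0 = entry, 1 = try body, 2 = after the try, 3 = catch body.
// The catch body continues to block 2 but has no branch or fall-through predecessor.
BytecodeGraph exampleProgram()
{
    BytecodeGraph graph;
    graph.blocks = {
        { { 1 } }, // 0: entry -> try body
        { { 2 } }, // 1: try body -> after try
        { { } },   // 2: after try (exit)
        { { 2 } }, // 3: catch body -> after try
    };
    graph.handlers = { { 1, 2, 3 } }; // block 1 is covered by handler block 3
    return graph;
}
```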
3602
3603 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
3604
3605         ARM: Wrong offset for operand rt in disassembler
3606         https://bugs.webkit.org/show_bug.cgi?id=184083
3607
3608         Reviewed by Yusuke Suzuki.
3609
3610         * disassembler/ARMv7/ARMv7DOpcode.h:
3611         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
3612         (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):
3613
3614 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
3615
3616         ARM: Support vstr in disassembler
3617         https://bugs.webkit.org/show_bug.cgi?id=184084
3618
3619         Reviewed by Yusuke Suzuki.
3620
3621         * disassembler/ARMv7/ARMv7DOpcode.cpp:
3622         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format):
3623         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted.
3624         * disassembler/ARMv7/ARMv7DOpcode.h:
3625         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName):
3626         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted.
3627         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted.
3628         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted.
3629         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted.
3630         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted.
3631         (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted.
3632
3633 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
3634
3635         Invoke ensureArrayStorage for all arguments
3636         https://bugs.webkit.org/show_bug.cgi?id=185247
3637
3638         Reviewed by Yusuke Suzuki.
3639
3640         ensureArrayStorage was only invoked for the first argument in each loop iteration.
3641
3642         * jsc.cpp:
3643         (functionEnsureArrayStorage):
3644
3645 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
3646
3647         Make it easy to log compile times for all optimizing tiers
3648         https://bugs.webkit.org/show_bug.cgi?id=185270
3649
3650         Reviewed by Keith Miller.
3651         
3652         This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common
3653         helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used
3654         it.
3655         
3656         This should help us reduce compile times by telling us where to look. So far, it looks like
3657         CFA is the worst.
3658
3659         * JavaScriptCore.xcodeproj/project.pbxproj:
3660         * Sources.txt:
3661         * b3/B3Common.cpp:
3662         (JSC::B3::shouldMeasurePhaseTiming): Deleted.
3663         * b3/B3Common.h:
3664         * b3/B3TimingScope.cpp: Removed.
3665         * b3/B3TimingScope.h:
3666         (JSC::B3::TimingScope::TimingScope):
3667         * dfg/DFGPhase.h:
3668         (JSC::DFG::runAndLog):
3669         * dfg/DFGPlan.cpp:
3670         (JSC::DFG::Plan::compileInThread):
3671         * tools/CompilerTimingScope.cpp: Added.
3672         (JSC::CompilerTimingScope::CompilerTimingScope):
3673         (JSC::CompilerTimingScope::~CompilerTimingScope):
3674         * tools/CompilerTimingScope.h: Added.
3675         * runtime/Options.cpp:
3676         (JSC::recomputeDependentOptions):
3677         * runtime/Options.h:
3678
3679 2018-05-03  Filip Pizlo  <fpizlo@apple.com>
3680
3681         Strings should not be allocated in a gigacage
3682         https://bugs.webkit.org/show_bug.cgi?id=185218
3683
3684         Reviewed by Saam Barati.
3685
3686         * runtime/JSBigInt.cpp:
3687         (JSC::JSBigInt::toStringGeneric):
3688         * runtime/JSString.cpp:
3689         (JSC::JSRopeString::resolveRopeToAtomicString const):
3690         (JSC::JSRopeString::resolveRope const):
3691         * runtime/JSString.h:
3692         (JSC::JSString::create):
3693         (JSC::JSString::createHasOtherOwner):
3694         * runtime/VM.h:
3695         (JSC::VM::gigacageAuxiliarySpace):
3696
3697 2018-05-03  Keith Miller  <keith_miller@apple.com>
3698
3699         Unreviewed, fix 32-bit profile offset for change in bytecode
3700         length of the get_by_id and get_array_length opcodes.
3701
3702         * llint/LowLevelInterpreter32_64.asm:
3703
3704 2018-05-03  Michael Saboff  <msaboff@apple.com>
3705
3706         WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript
3707         https://bugs.webkit.org/show_bug.cgi?id=185231
3708
3709         Reviewed by Saam Barati.
3710
3711         We weren't clearing the scratch register cache when switching back and forth between 
3712         allowing scratch register usage.  We disallow scratch register usage when we are in
3713         code that will freely allocate and use any register.  Such usage can change the
3714         contents of scratch registers.  For ARM64, where we cache the contents of scratch
3715         registers to reuse some or all of the contained values, we need to invalidate these
3716         caches.  We do this when re-enabling scratch register usage, that is when we transition
3717         from disallow to allow scratch register usage.
3718
3719         Added a new Air regression test.
3720
3721         * assembler/AllowMacroScratchRegisterUsage.h:
3722         (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage):
3723         * assembler/AllowMacroScratchRegisterUsageIf.h:
3724         (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
3725         * assembler/DisallowMacroScratchRegisterUsage.h:
3726         (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage):
3727         * b3/air/testair.cpp:
3728
3729 2018-05-03  Keith Miller  <keith_miller@apple.com>
3730
3731         Remove the prototype caching for get_by_id in the LLInt
3732         https://bugs.webkit.org/show_bug.cgi?id=185226
3733
3734         Reviewed by Michael Saboff.
3735
3736         There is no evidence that this is actually a speedup and we keep
3737         getting bugs with it. At this point it seems like we should just
3738         remove this code.
3739
3740         * CMakeLists.txt:
3741         * JavaScriptCore.xcodeproj/project.pbxproj:
3742         * Sources.txt:
3743         * bytecode/BytecodeDumper.cpp:
3744         (JSC::BytecodeDumper<Block>::printGetByIdOp):
3745         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
3746         (JSC::BytecodeDumper<Block>::dumpBytecode):
3747         * bytecode/BytecodeList.json:
3748         * bytecode/BytecodeUseDef.h:
3749         (JSC::computeUsesForBytecodeOffset):
3750         (JSC::computeDefsForBytecodeOffset):
3751         * bytecode/CodeBlock.cpp:
3752         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3753         * bytecode/CodeBlock.h:
3754         (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
3755         * bytecode/GetByIdStatus.cpp:
3756         (JSC::GetByIdStatus::computeFromLLInt):
3757         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
3758         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
3759         * bytecompiler/BytecodeGenerator.cpp:
3760         (JSC::BytecodeGenerator::emitGetById):
3761         * dfg/DFGByteCodeParser.cpp:
3762         (JSC::DFG::ByteCodeParser::parseBlock):
3763         * dfg/DFGCapabilities.cpp:
3764         (JSC::DFG::capabilityLevel):
3765         * jit/JIT.cpp:
3766         (JSC::JIT::privateCompileMainPass):
3767         (JSC::JIT::privateCompileSlowCases):
3768         * llint/LLIntSlowPaths.cpp:
3769         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3770         (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
3771         * llint/LowLevelInterpreter32_64.asm:
3772         * llint/LowLevelInterpreter64.asm:
3773         * runtime/Options.h:
3774
3775 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
3776
3777         Unreviewed, rolling out r231197.
3778
3779         The test added with this change crashes on the 32-bit JSC bot.
3780
3781         Reverted changeset:
3782
3783         "Correctly detect string overflow when using the 'Function'
3784         constructor"
3785         https://bugs.webkit.org/show_bug.cgi?id=184883
3786         https://trac.webkit.org/changeset/231197
3787
3788 2018-05-03  Dominik Infuehr  <dinfuehr@igalia.com>
3789
3790         Disable usage of fused multiply-add instructions for JSC with compiler flag
3791         https://bugs.webkit.org/show_bug.cgi?id=184909
3792
3793         Reviewed by Yusuke Suzuki.
3794
3795         Adds -ffp-contract as compiler flag for building JSC. This ensures that functions
3796         like parseInt() do not return slightly different results depending on whether the
3797         compiler was able to use fused multiply-add instructions or not.
3798
3799         * CMakeLists.txt:
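
Added example, not WebKit code, of what contraction changes: the same multiply-add evaluated with two roundings and as one fused operation, applied to the parseInt-style digit accumulation loop the entry has in mind. The inputs are constructed; std::fma stands in for the instruction a compiler emits when it is allowed to contract.

```cpp
#include <cmath>

// Constructed example, not JSC code. Whether `a * b + c` is evaluated with
// two roundings or contracted into one fused multiply-add is exactly what
// -ffp-contract controls; here both evaluations are written out explicitly.

// Unfused: the product is rounded to a double before the addition.
// `volatile` keeps the compiler from contracting this expression itself.
double separateMultiplyAdd(double a, double b, double c)
{
    volatile double product = a * b;
    return product + c;
}

// Fused: a single rounding after the exact product and the addition.
double fusedMultiplyAdd(double a, double b, double c)
{
    return std::fma(a, b, c);
}

// Rounding error of a*b, obtained as fma(a, b, -(a*b)). Fused, this is the
// nonzero gap between the exact product and the rounded one.
double productRoundingErrorFused(double a, double b)
{
    double roundedProduct = separateMultiplyAdd(a, b, 0.0);
    return fusedMultiplyAdd(a, b, -roundedProduct);
}

// The same expression without contraction is exactly 0.0: the product is
// rounded first, and a value minus itself is zero.
double productRoundingErrorUnfused(double a, double b)
{
    double roundedProduct = separateMultiplyAdd(a, b, 0.0);
    return separateMultiplyAdd(a, b, -roundedProduct);
}

// parseInt-style accumulation (value = value * radix + digit for each digit).
// Contracting this loop removes an intermediate rounding at every step, which
// is how the same digits could parse to different doubles depending on
// whether the compiler emitted fused instructions for the build.
double accumulateDigits(const char* digits, double radix, bool fused)
{
    double value = 0.0;
    for (const char* p = digits; *p; ++p) {
        double digit = *p - '0';
        value = fused ? fusedMultiplyAdd(value, radix, digit)
                      : separateMultiplyAdd(value, radix, digit);
    }
    return value;
}
```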
3800
3801 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3802
3803         Unreviewed, fix build failure in ARM, ARMv7 and MIPS
3804         https://bugs.webkit.org/show_bug.cgi?id=185192
3805
3806         compareDouble relies on MacroAssembler::invert function.
3807
3808         * assembler/MacroAssembler.h:
3809         (JSC::MacroAssembler::compareDouble):
3810         * assembler/MacroAssemblerARM.h:
3811         (JSC::MacroAssemblerARM::compareDouble): Deleted.
3812         * assembler/MacroAssemblerARMv7.h:
3813         (JSC::MacroAssemblerARMv7::compareDouble): Deleted.
3814         * assembler/MacroAssemblerMIPS.h:
3815         (JSC::MacroAssemblerMIPS::compareDouble): Deleted.
3816
3817 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3818
3819         [JSC] Add MacroAssembler::and16 and store16
3820         https://bugs.webkit.org/show_bug.cgi?id=185188
3821
3822         Reviewed by Mark Lam.
3823
3824         r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations.
3825         This patch adds these methods for ARM.
3826
3827         * assembler/MacroAssemblerARM.h:
3828         (JSC::MacroAssemblerARM::and16):
3829         (JSC::MacroAssemblerARM::store16):
3830
3831 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3832
3833         [DFG] Unify compare related code in 32bit and 64bit
3834         https://bugs.webkit.org/show_bug.cgi?id=185189
3835
3836         Reviewed by Mark Lam.
3837
3838         This patch unifies some parts of compare-related code in 32bit and 64bit
3839         to reduce the size of 32bit specific DFG code.
3840
3841         * dfg/DFGSpeculativeJIT.cpp:
3842         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
3843         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
3844         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
3845         * dfg/DFGSpeculativeJIT32_64.cpp:
3846         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
3847         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
3848         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
3849         * dfg/DFGSpeculativeJIT64.cpp:
3850         (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
3851         (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
3852         (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
3853
3854 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3855
3856         [JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64
3857         https://bugs.webkit.org/show_bug.cgi?id=185192
3858
3859         Reviewed by Mark Lam.
3860
3861         Now Object.is starts using compareDouble. So we would like to have an
3862         efficient implementation of compareDouble and compareFloat for the
3863         major architectures, ARM64, X86, and X86_64.
3864
3865         This patch adds compareDouble and compareFloat implementations for
3866         these architectures. And the generic implementation is moved to each
3867         architecture's MacroAssembler implementation.
3868
3869         We also add tests for them in testmasm. To implement this test
3870         easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the
3871         major architectures.
3872
3873         * assembler/MacroAssembler.h:
3874         (JSC::MacroAssembler::compareDouble): Deleted.
3875         (JSC::MacroAssembler::compareFloat): Deleted.
3876         * assembler/MacroAssemblerARM.h:
3877         (JSC::MacroAssemblerARM::compareDouble):
3878         * assembler/MacroAssemblerARM64.h:
3879         (JSC::MacroAssemblerARM64::compareDouble):
3880         (JSC::MacroAssemblerARM64::compareFloat):
3881         (JSC::MacroAssemblerARM64::loadFloat):
3882         (JSC::MacroAssemblerARM64::floatingPointCompare):
3883         * assembler/MacroAssemblerARMv7.h:
3884         (JSC::MacroAssemblerARMv7::compareDouble):
3885         * assembler/MacroAssemblerMIPS.h:
3886         (JSC::MacroAssemblerMIPS::compareDouble):
3887         * assembler/MacroAssemblerX86Common.h:
3888         (JSC::MacroAssemblerX86Common::loadFloat):
3889         (JSC::MacroAssemblerX86Common::compareDouble):
3890         (JSC::MacroAssemblerX86Common::compareFloat):
3891         (JSC::MacroAssemblerX86Common::floatingPointCompare):
3892         * assembler/X86Assembler.h:
3893         (JSC::X86Assembler::movss_mr):
3894         (JSC::X86Assembler::movss_rm):
3895         * assembler/testmasm.cpp:
3896         (JSC::floatOperands):
3897         (JSC::testCompareFloat):
3898         (JSC::run):
3899
3900 2018-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3901
3902         Unreviewed, fix 32bit DFG code
3903         https://bugs.webkit.org/show_bug.cgi?id=185065
3904
3905         * dfg/DFGSpeculativeJIT.cpp:
3906         (JSC::DFG::SpeculativeJIT::compileSameValue):
3907
3908 2018-05-02  Filip Pizlo  <fpizlo@apple.com>
3909
3910         JSC should know how to cache custom getter accesses on the prototype chain
3911         https://bugs.webkit.org/show_bug.cgi?id=185213
3912
3913         Reviewed by Keith Miller.
3914
3915         This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test.
3916
3917         * jit/Repatch.cpp:
3918         (JSC::tryCacheGetByID):
3919
3920 2018-05-01  Filip Pizlo  <fpizlo@apple.com>
3921
3922         JSC should be able to cache custom setter calls on the prototype chain
3923         https://bugs.webkit.org/show_bug.cgi?id=185174
3924
3925         Reviewed by Saam Barati.
3926
3927         We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty()
3928         condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add
3929         impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead
3930         of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for
3931         custom accessors because it won't find the custom property in the structure.
3932
3933         The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty().
3934
3935         This is a 4x speed-up on assign-custom-setter.js.
3936
3937         * bytecode/AccessCase.cpp:
3938         (JSC::AccessCase::hasAlternateBase const):
3939         (JSC::AccessCase::alternateBase const):
3940         (JSC::AccessCase::generateImpl):
3941         * bytecode/AccessCase.h:
3942         (JSC::AccessCase::alternateBase const): Deleted.