test262: $.agent became $262.agent in test262 update
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
2
3         test262: $.agent became $262.agent in test262 update
4         https://bugs.webkit.org/show_bug.cgi?id=177407
5
6         Reviewed by Yusuke Suzuki.
7
8         * jsc.cpp:
9         (GlobalObject::finishCreation):
10         Alias `$` and `$262` for now.
11
12 2017-09-22  Keith Miller  <keith_miller@apple.com>
13
14         Speculatively change iteration protocol to use the same next function
15         https://bugs.webkit.org/show_bug.cgi?id=175653
16
17         Reviewed by Saam Barati.
18
19         This patch speculatively makes a change to the iteration protocol to fetch the next
20         property immediately after calling the Symbol.iterator function. This is, in theory,
21         a breaking change, so we will see if this breaks things (most likely it won't as this
22         is a relatively subtle point).
23
24         See: https://github.com/tc39/ecma262/issues/976
25
26         * builtins/IteratorHelpers.js:
27         (performIteration):
28         * bytecompiler/BytecodeGenerator.cpp:
29         (JSC::BytecodeGenerator::emitEnumeration):
30         (JSC::BytecodeGenerator::emitIteratorNext):
31         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
32         (JSC::BytecodeGenerator::emitDelegateYield):
33         * bytecompiler/BytecodeGenerator.h:
34         * bytecompiler/NodesCodegen.cpp:
35         (JSC::ArrayPatternNode::bindValue const):
36         * inspector/JSInjectedScriptHost.cpp:
37         (Inspector::JSInjectedScriptHost::iteratorEntries):
38         * runtime/IteratorOperations.cpp:
39         (JSC::iteratorNext):
40         (JSC::iteratorStep):
41         (JSC::iteratorClose):
42         (JSC::iteratorForIterable):
43         * runtime/IteratorOperations.h:
44         (JSC::forEachInIterable):
45         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
46         (JSC::constructGenericTypedArrayViewFromIterator):
47         (JSC::constructGenericTypedArrayViewWithArguments):
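
An added example (not code from this WebKit patch or from test262) that models the two protocols the entry contrasts: `collectOldProtocol` reads `iterator.next` on every step, `collectNewProtocol` reads it once right after `Symbol.iterator`, and `collectNative` shows what the host engine does; all function and variable names are mine. The counting getter makes the difference visible and also shows why the change matters to an engine: under the old protocol a user-defined `next` getter runs between every step of destructuring, spread or `for-of`, which is a re-entrancy point the engine has to survive.

```javascript
// Added example, not code from the WebKit patch: models the old and new
// iteration protocols so the difference described above is observable.
// The counting iterable records how often its `next` property is read.
function makeCountingIterable(values) {
  let nextLookups = 0;
  return {
    [Symbol.iterator]() {
      let i = 0;
      return {
        // A getter instead of a plain method, so every read of `next` is counted.
        get next() {
          nextLookups += 1;
          return () =>
            i < values.length
              ? { value: values[i++], done: false }
              : { value: undefined, done: true };
        },
      };
    },
    get nextLookups() {
      return nextLookups;
    },
  };
}

// Old protocol: `next` is read from the iterator object on every step.
function collectOldProtocol(iterable) {
  const iterator = iterable[Symbol.iterator]();
  const out = [];
  for (;;) {
    const result = iterator.next(); // property read on each iteration
    if (result.done) return out;
    out.push(result.value);
  }
}

// New protocol (tc39/ecma262#976): `next` is read once, immediately after
// Symbol.iterator returns, and that same function is reused for every step.
function collectNewProtocol(iterable) {
  const iterator = iterable[Symbol.iterator]();
  const next = iterator.next; // single read
  const out = [];
  for (;;) {
    const result = next.call(iterator);
    if (result.done) return out;
    out.push(result.value);
  }
}

// Whatever the host engine does natively for for-of.
function collectNative(iterable) {
  const out = [];
  for (const value of iterable) out.push(value);
  return out;
}

// Runs the three strategies over fresh counting iterables and reports how many
// times each one read `next`. For [1, 2, 3] the old protocol reads it four
// times (three values plus the final done result), the new protocol once.
function compareProtocols(values) {
  const oldIterable = makeCountingIterable(values);
  const newIterable = makeCountingIterable(values);
  const nativeIterable = makeCountingIterable(values);
  return {
    oldValues: collectOldProtocol(oldIterable),
    oldLookups: oldIterable.nextLookups,
    newValues: collectNewProtocol(newIterable),
    newLookups: newIterable.nextLookups,
    nativeValues: collectNative(nativeIterable),
    nativeLookups: nativeIterable.nextLookups,
  };
}

console.log(compareProtocols([1, 2, 3]));
```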
48
49 2017-09-22  Fujii Hironori  <Hironori.Fujii@sony.com>
50
51         [Win64] Crashes in Yarr JIT compiled code
52         https://bugs.webkit.org/show_bug.cgi?id=177293
53
54         Reviewed by Yusuke Suzuki.
55
56         In x64 Windows, the rcx register is used for the address of allocated
57         space for the return value. But rcx has been used for regT1 since
58         r221052. Save rcx on the stack.
59
60         * yarr/YarrJIT.cpp:
61         (JSC::Yarr::YarrGenerator::generateEnter): Push ecx.
62         (JSC::Yarr::YarrGenerator::generateReturn): Pop ecx.
63
64 2017-09-22  Saam Barati  <sbarati@apple.com>
65
66         Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
67         https://bugs.webkit.org/show_bug.cgi?id=177368
68
69         Reviewed by Keith Miller.
70
71         * runtime/ErrorInstance.cpp:
72         (JSC::ErrorInstance::finishCreation):
73         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
74         (JSC::ErrorInstance::visitChildren):
75
76 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
77
78         [DFG][FTL] Profile array vector length for array allocation
79         https://bugs.webkit.org/show_bug.cgi?id=177051
80
81         Reviewed by Saam Barati.
82
83         Currently, NewArrayBuffer allocation is penalized by JSC: while an empty array gets a vector size of 25 (BASE_CONTIGUOUS_VECTOR_LEN),
84         the new_array_buffer case gets a vector size of 3 (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
85         if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
86         the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
87
88             empty array allocation,
89
90             var array = [];
91             array.push(0);
92             array.push(1);
93             array.push(2);
94             array.push(3);
95             array.push(4);
96
97             vs. new_array_buffer case,
98
99             var array = [0];
100             array.push(1);
101             array.push(2);
102             array.push(3);
103             array.push(4);
104
105         In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (and that is a bit likely),
106         we should allocate a vector size of 3 to 25 if it is likely to be grown. So we should get a profile on the resulting array.
107
108         We select 25 to make it fit to one of size classes.
109
110         In this patch, we extend ArrayAllocationProfile to record the vector length, and use this information when allocating the array for new_array_buffer.
111         If the number of new_array_buffer constants is <= 25, the array vector size becomes 3 to 25 based on profiling. If the number of its constants
112         is larger than 25, we just use it for allocation as before.
113
114         The added microbenchmark and SixSpeed spread-literal.es5 show improvement.
115
116             new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
117             spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster
118
119         * bytecode/ArrayAllocationProfile.cpp:
120         (JSC::ArrayAllocationProfile::updateProfile):
121         (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
122         * bytecode/ArrayAllocationProfile.h:
123         (JSC::ArrayAllocationProfile::selectIndexingType):
124         (JSC::ArrayAllocationProfile::vectorLengthHint):
125         (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
126         * bytecode/CodeBlock.cpp:
127         (JSC::CodeBlock::updateAllArrayPredictions):
128         * dfg/DFGByteCodeParser.cpp:
129         (JSC::DFG::ByteCodeParser::parseBlock):
130         * dfg/DFGGraph.cpp:
131         (JSC::DFG::Graph::dump):
132         * dfg/DFGNode.h:
133         (JSC::DFG::Node::vectorLengthHint):
134         * dfg/DFGOperations.cpp:
135         * dfg/DFGOperations.h:
136         * dfg/DFGSpeculativeJIT64.cpp:
137         (JSC::DFG::SpeculativeJIT::compile):
138         * ftl/FTLLowerDFGToB3.cpp:
139         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
140         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
141         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
142         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
143         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
144         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
145         * runtime/ArrayConventions.h:
146         * runtime/JSArray.h:
147         (JSC::JSArray::tryCreate):
148
149 2017-09-22  Commit Queue  <commit-queue@webkit.org>
150
151         Unreviewed, rolling out r222380.
152         https://bugs.webkit.org/show_bug.cgi?id=177352
153
154         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
155         #webkit).
156
157         Reverted changeset:
158
159         "[DFG][FTL] Profile array vector length for array allocation"
160         https://bugs.webkit.org/show_bug.cgi?id=177051
161         http://trac.webkit.org/changeset/222380
162
163 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
164
165         [DFG][FTL] Profile array vector length for array allocation
166         https://bugs.webkit.org/show_bug.cgi?id=177051
167
168         Reviewed by Saam Barati.
169
170         Currently, NewArrayBuffer allocation is penalized by JSC: while an empty array gets a vector size of 25 (BASE_CONTIGUOUS_VECTOR_LEN),
171         the new_array_buffer case gets a vector size of 3 (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
172         if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
173         the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
174
175             empty array allocation,
176
177             var array = [];
178             array.push(0);
179             array.push(1);
180             array.push(2);
181             array.push(3);
182             array.push(4);
183
184             vs. new_array_buffer case,
185
186             var array = [0];
187             array.push(1);
188             array.push(2);
189             array.push(3);
190             array.push(4);
191
192         In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (and that is a bit likely),
193         we should allocate a vector size of 3 to 25 if it is likely to be grown. So we should get a profile on the resulting array.
194
195         We select 25 to make it fit to one of size classes.
196
197         In this patch, we extend ArrayAllocationProfile to record the vector length, and use this information when allocating the array for new_array_buffer.
198         If the number of new_array_buffer constants is <= 25, the array vector size becomes 3 to 25 based on profiling. If the number of its constants
199         is larger than 25, we just use it for allocation as before.
200
201         The added microbenchmark and SixSpeed spread-literal.es5 show improvement.
202
203             new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
204             spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster
205
206         * bytecode/ArrayAllocationProfile.cpp:
207         (JSC::ArrayAllocationProfile::updateProfile):
208         (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
209         * bytecode/ArrayAllocationProfile.h:
210         (JSC::ArrayAllocationProfile::selectIndexingType):
211         (JSC::ArrayAllocationProfile::vectorLengthHint):
212         (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
213         * bytecode/CodeBlock.cpp:
214         (JSC::CodeBlock::updateAllArrayPredictions):
215         * dfg/DFGByteCodeParser.cpp:
216         (JSC::DFG::ByteCodeParser::parseBlock):
217         * dfg/DFGGraph.cpp:
218         (JSC::DFG::Graph::dump):
219         * dfg/DFGNode.h:
220         (JSC::DFG::Node::vectorLengthHint):
221         * dfg/DFGOperations.cpp:
222         * dfg/DFGOperations.h:
223         * dfg/DFGSpeculativeJIT64.cpp:
224         (JSC::DFG::SpeculativeJIT::compile):
225         * ftl/FTLLowerDFGToB3.cpp:
226         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
227         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
228         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
229         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
230         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
231         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
232         * runtime/ArrayConventions.h:
233         * runtime/JSArray.h:
234         (JSC::JSArray::tryCreate):
235
236 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
237
238         Web Inspector: Remove support for CSS Regions
239         https://bugs.webkit.org/show_bug.cgi?id=177287
240
241         Reviewed by Matt Baker.
242
243         * inspector/protocol/CSS.json:
244         * inspector/protocol/OverlayTypes.json:
245
246 2017-09-21  Brian Burg  <bburg@apple.com>
247
248         Web Inspector: keyboard shortcut for "Reload page from origin" doesn't match Safari, and doesn't work
249         https://bugs.webkit.org/show_bug.cgi?id=177010
250         <rdar://problem/33134548>
251
252         Reviewed by Joseph Pecoraro.
253
254         Use "reload from origin" nomenclature instead of "reload ignoring cache".
255
256         * inspector/protocol/Page.json: Improve the comment, but don't change the
257         parameter name since this would be a divergence from legacy protocols.
258
259 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
260
261         test262: test262/test/annexB/built-ins/RegExp/prototype/flags/order-after-compile.js ASSERTs
262         https://bugs.webkit.org/show_bug.cgi?id=177307
263
264         Reviewed by Michael Saboff.
265
266         * runtime/RegExpPrototype.cpp:
267         In r221160 we added support for the new RegExp flag (dotAll).
268         We needed to make space for it in FlagsString.
269
270 2017-09-20  Keith Miller  <keith_miller@apple.com>
271
272         JSC should use unified sources for platform specific files.
273         https://bugs.webkit.org/show_bug.cgi?id=177290
274
275         Reviewed by Michael Saboff.
276
277         Add a list of platform specific source files and update the
278         Generate Unified Sources phase of the Xcode build. I skipped WPE
279         since that seems to have failed for some reason that I didn't
280         fully understand. See:
281         https://webkit-queues.webkit.org/results/4611260
282
283         Also, fix duplicate symbols in Glib remote inspector files.
284
285         * CMakeLists.txt:
286         * JavaScriptCore.xcodeproj/project.pbxproj:
287         * PlatformGTK.cmake:
288         * PlatformMac.cmake:
289         * SourcesGTK.txt: Added.
290         * SourcesMac.txt: Added.
291         * inspector/remote/glib/RemoteInspectorServer.cpp:
292         (Inspector::RemoteInspectorServer::interfaceInfo):
293         (Inspector::RemoteInspectorServer::setTargetList):
294         (Inspector::RemoteInspectorServer::setupInspectorClient):
295         (Inspector::RemoteInspectorServer::setup):
296         (Inspector::RemoteInspectorServer::close):
297         (Inspector::RemoteInspectorServer::connectionClosed):
298         (Inspector::RemoteInspectorServer::sendMessageToBackend):
299         (Inspector::RemoteInspectorServer::sendMessageToFrontend):
300         (Inspector::dbusConnectionCallAsyncReadyCallback): Deleted.
301
302 2017-09-20  Stephan Szabo  <stephan.szabo@sony.com>
303
304         [Win] WTF: Add alias for process id to use in place of direct uses of pid_t
305         https://bugs.webkit.org/show_bug.cgi?id=177017
306
307         Reviewed by Alex Christensen.
308
309         * API/JSRemoteInspector.cpp:
310         (JSRemoteInspectorSetParentProcessInformation):
311         * API/JSRemoteInspector.h:
312         * inspector/remote/RemoteInspector.h:
313
314 2017-09-20  Keith Miller  <keith_miller@apple.com>
315
316         Rename source list file to Sources.txt
317         https://bugs.webkit.org/show_bug.cgi?id=177283
318
319         Reviewed by Saam Barati.
320
321         * CMakeLists.txt:
322         * JavaScriptCore.xcodeproj/project.pbxproj:
323         * Sources.txt: Renamed from Source/JavaScriptCore/sources.txt.
324
325 2017-09-20  Keith Miller  <keith_miller@apple.com>
326
327         Unreviewed, fix string capitalization
328
329         * JavaScriptCore.xcodeproj/project.pbxproj:
330
331 2017-09-20  Keith Miller  <keith_miller@apple.com>
332
333         JSC Xcode build should use unified sources for platform independent files
334         https://bugs.webkit.org/show_bug.cgi?id=177190
335
336         Reviewed by Saam Barati.
337
338         This patch changes the Xcode build to use unified sources. The
339         main difference from a development perspective is that instead of
340         adding source files to Xcode, they need to be added to the shared
341         sources.txt. For now, platform specific files are still added
342         to the JavaScriptCore target.
343
344         Because Xcode needs to know about all the files before we generate
345         them, all the unified source files need to be added to the
346         JavaScriptCore framework target. As a result, if we run out of
347         bundle files more will need to be added to the project. Currently,
348         there are no spare files. If adding more bundle files becomes
349         problematic we can change this.
350
351         LowLevelInterpreter.cpp can't be added to the unified source list yet
352         due to a clang bug.
353
354         * CMakeLists.txt:
355         * JavaScriptCore.xcodeproj/project.pbxproj:
356         * sources.txt: Added.
357
358 2017-09-20  Per Arne Vollan  <pvollan@apple.com>
359
360         [Win] Cannot find script to generate unified sources.
361         https://bugs.webkit.org/show_bug.cgi?id=177014
362
363         Reviewed by Keith Miller.
364
365         The ruby script can now be found in WTF/Scripts in the forwarding headers folder.
366
367         * CMakeLists.txt:
368         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
369
370 2017-09-20  Alberto Garcia  <berto@igalia.com>
371
372         Fix HPPA and Alpha builds
373         https://bugs.webkit.org/show_bug.cgi?id=177224
374
375         Reviewed by Alex Christensen.
376
377         * CMakeLists.txt:
378
379 2017-09-18  Filip Pizlo  <fpizlo@apple.com>
380
381         ErrorInstance and Exception need destroy methods
382         https://bugs.webkit.org/show_bug.cgi?id=177095
383
384         Reviewed by Saam Barati.
385         
386         When I made ErrorInstance and Exception into JSDestructibleObjects, I forgot to make them
387         follow that type's protocol.
388
389         * runtime/ErrorInstance.cpp:
390         (JSC::ErrorInstance::destroy): Implement this to fix leaks.
391         * runtime/ErrorInstance.h:
392         * runtime/Exception.h: Change how this is declared now that this is a DestructibleObject.
393
394 2017-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>
395
396         [JSC] Consider dropping JSObjectSetPrototype feature for JSGlobalObject
397         https://bugs.webkit.org/show_bug.cgi?id=177070
398
399         Reviewed by Saam Barati.
400
401         For security reasons, our global object is an immutable prototype exotic object.
402         It prevents users from injecting proxies into the prototype chain of the global object[1].
403         But our JSC API does not respect this attribute, and allows users to change [[Prototype]]
404         of the global object after instantiating it.
405
406         This patch removes this feature. Once the global object is instantiated, we cannot change the [[Prototype]]
407         of the global object. It drops JSGlobalObject::resetPrototype use, which involves GlobalThis
408         edge cases.
409
410         [1]: https://github.com/tc39/ecma262/commit/935dad4283d045bc09c67a259279772d01b3d33d
411
412         * API/JSObjectRef.cpp:
413         (JSObjectSetPrototype):
414         * API/tests/CustomGlobalObjectClassTest.c:
415         (globalObjectSetPrototypeTest):
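
An added example, not code from this patch or from the JSC API tests, showing the JS-visible semantics of the immutable prototype exotic object that the cited spec change makes the global object: [[SetPrototypeOf]] accepts only the prototype the object already has, so nothing can be spliced into its chain after creation. `probePrototypeMutability` and `observedLookupsAfterInjection` are names I chose; `Object.prototype` stands in for the global object because the specification makes it the same kind of exotic object, and the second function shows what a Proxy on an ordinary object's prototype chain gets to observe once injected.

```javascript
// Added example, not code from the WebKit patch: JS-visible semantics of an
// immutable prototype exotic object. Object.prototype stands in for the
// global object; the spec gives both the same [[SetPrototypeOf]] behaviour.

// Probes whether `target` lets its prototype be replaced. Returns a report;
// any change it manages to make is undone before returning.
function probePrototypeMutability(target) {
  const current = Object.getPrototypeOf(target);
  const report = {};

  // Setting the prototype to its current value is always accepted.
  report.sameValueAccepted = Reflect.setPrototypeOf(target, current);

  // Try to splice a Proxy in front of the current prototype.
  const hook = new Proxy(Object.create(current), {});
  report.changeRejected = Reflect.setPrototypeOf(target, hook) === false;

  // Object.setPrototypeOf reports the same rejection by throwing TypeError.
  let threw = false;
  try {
    Object.setPrototypeOf(target, hook);
  } catch (error) {
    threw = error instanceof TypeError;
  }
  report.throwsTypeError = threw;

  report.unchanged = Object.getPrototypeOf(target) === current;
  Reflect.setPrototypeOf(target, current); // restore, for mutable targets
  return report;
}

// Why the restriction matters: once a Proxy sits on the prototype chain,
// every lookup that misses on the object itself reaches the Proxy's traps.
// Returns the names the `has` trap saw, or null when injection was refused.
function observedLookupsAfterInjection(obj, names) {
  const seen = [];
  const spy = new Proxy(Object.create(Object.getPrototypeOf(obj)), {
    has(target, key) {
      seen.push(String(key));
      return Reflect.has(target, key);
    },
  });
  if (!Reflect.setPrototypeOf(obj, spy)) return null; // immutable prototype
  for (const name of names) void (name in obj); // own properties never reach the trap
  Reflect.setPrototypeOf(obj, Object.getPrototypeOf(spy)); // undo the injection
  return seen;
}

console.log(probePrototypeMutability(Object.prototype)); // change rejected
console.log(probePrototypeMutability({})); // ordinary object: change accepted
console.log(observedLookupsAfterInjection({ a: 1 }, ["a", "b"])); // only "b" misses
```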
416
417 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
418
419         [DFG] Remove ToThis more aggressively
420         https://bugs.webkit.org/show_bug.cgi?id=177056
421
422         Reviewed by Saam Barati.
423
424         The variation of toThis() implementations is limited. So we attempt to implement the common toThis operation in AI.
425         We move scope-related toThis to JSScope::toThis, and AI investigates the proven value/structure's toThis methods
426         and attempts to fold/convert to efficient nodes.
427
428         We introduce GetGlobalThis, which just loads globalThis from the semantic origin's globalObject. Using this,
429         we can implement JSScope::toThis in DFG. This can avoid costly toThis indirect function pointer call.
430
431         Currently, we just emit GetGlobalThis if necessary. We can further convert it to a constant if we can put a
432         watchpoint on JSGlobalObject's globalThis change. But we leave that for a future patch for now.
433
434         This removes GetGlobalThis from ES6 generators in common cases.
435
436         spread-generator.es6      303.1550+-9.5037          290.9337+-8.3487          might be 1.0420x faster
437
438         * dfg/DFGAbstractInterpreterInlines.h:
439         (JSC::DFG::isToThisAnIdentity):
440         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
441         * dfg/DFGClobberize.h:
442         (JSC::DFG::clobberize):
443         * dfg/DFGConstantFoldingPhase.cpp:
444         (JSC::DFG::ConstantFoldingPhase::foldConstants):
445         * dfg/DFGDoesGC.cpp:
446         (JSC::DFG::doesGC):
447         * dfg/DFGFixupPhase.cpp:
448         (JSC::DFG::FixupPhase::fixupNode):
449         * dfg/DFGNode.h:
450         (JSC::DFG::Node::convertToGetGlobalThis):
451         * dfg/DFGNodeType.h:
452         * dfg/DFGPredictionPropagationPhase.cpp:
453         * dfg/DFGSafeToExecute.h:
454         (JSC::DFG::safeToExecute):
455         * dfg/DFGSpeculativeJIT.cpp:
456         (JSC::DFG::SpeculativeJIT::compileGetGlobalThis):
457         * dfg/DFGSpeculativeJIT.h:
458         * dfg/DFGSpeculativeJIT32_64.cpp:
459         (JSC::DFG::SpeculativeJIT::compile):
460         * dfg/DFGSpeculativeJIT64.cpp:
461         (JSC::DFG::SpeculativeJIT::compile):
462         * ftl/FTLCapabilities.cpp:
463         (JSC::FTL::canCompile):
464         * ftl/FTLLowerDFGToB3.cpp:
465         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
466         (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
467         * runtime/JSGlobalLexicalEnvironment.cpp:
468         (JSC::JSGlobalLexicalEnvironment::toThis): Deleted.
469         * runtime/JSGlobalLexicalEnvironment.h:
470         * runtime/JSGlobalObject.cpp:
471         (JSC::JSGlobalObject::toThis): Deleted.
472         * runtime/JSGlobalObject.h:
473         (JSC::JSGlobalObject::addressOfGlobalThis):
474         * runtime/JSLexicalEnvironment.cpp:
475         (JSC::JSLexicalEnvironment::toThis): Deleted.
476         * runtime/JSLexicalEnvironment.h:
477         * runtime/JSScope.cpp:
478         (JSC::JSScope::toThis):
479         * runtime/JSScope.h:
480         * runtime/StrictEvalActivation.cpp:
481         (JSC::StrictEvalActivation::toThis): Deleted.
482         * runtime/StrictEvalActivation.h:
483
484 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
485
486         Merge JSLexicalEnvironment and JSEnvironmentRecord
487         https://bugs.webkit.org/show_bug.cgi?id=175492
488
489         Reviewed by Saam Barati.
490
491         JSEnvironmentRecord is only inherited by JSLexicalEnvironment.
492         We can merge JSEnvironmentRecord and JSLexicalEnvironment.
493
494         * CMakeLists.txt:
495         * JavaScriptCore.xcodeproj/project.pbxproj:
496         * dfg/DFGSpeculativeJIT.cpp:
497         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
498         * dfg/DFGSpeculativeJIT32_64.cpp:
499         (JSC::DFG::SpeculativeJIT::compile):
500         * dfg/DFGSpeculativeJIT64.cpp:
501         (JSC::DFG::SpeculativeJIT::compile):
502         * ftl/FTLAbstractHeapRepository.h:
503         * ftl/FTLLowerDFGToB3.cpp:
504         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
505         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
506         (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
507         (JSC::FTL::DFG::LowerDFGToB3::compilePutClosureVar):
508         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
509         * jit/JITPropertyAccess.cpp:
510         (JSC::JIT::emitGetClosureVar):
511         (JSC::JIT::emitPutClosureVar):
512         (JSC::JIT::emitScopedArgumentsGetByVal):
513         * jit/JITPropertyAccess32_64.cpp:
514         (JSC::JIT::emitGetClosureVar):
515         (JSC::JIT::emitPutClosureVar):
516         * llint/LLIntOffsetsExtractor.cpp:
517         * llint/LowLevelInterpreter.asm:
518         * llint/LowLevelInterpreter32_64.asm:
519         * llint/LowLevelInterpreter64.asm:
520         * runtime/JSEnvironmentRecord.cpp: Removed.
521         * runtime/JSEnvironmentRecord.h: Removed.
522         * runtime/JSLexicalEnvironment.cpp:
523         (JSC::JSLexicalEnvironment::visitChildren):
524         (JSC::JSLexicalEnvironment::heapSnapshot):
525         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
526         * runtime/JSLexicalEnvironment.h:
527         (JSC::JSLexicalEnvironment::subspaceFor):
528         (JSC::JSLexicalEnvironment::variables):
529         (JSC::JSLexicalEnvironment::isValidScopeOffset):
530         (JSC::JSLexicalEnvironment::variableAt):
531         (JSC::JSLexicalEnvironment::offsetOfVariables):
532         (JSC::JSLexicalEnvironment::offsetOfVariable):
533         (JSC::JSLexicalEnvironment::allocationSizeForScopeSize):
534         (JSC::JSLexicalEnvironment::allocationSize):
535         (JSC::JSLexicalEnvironment::finishCreationUninitialized):
536         (JSC::JSLexicalEnvironment::finishCreation):
537         * runtime/JSModuleEnvironment.cpp:
538         (JSC::JSModuleEnvironment::create):
539         * runtime/JSObject.h:
540         (JSC::JSObject::isEnvironment const):
541         (JSC::JSObject::isEnvironmentRecord const): Deleted.
542         * runtime/JSSegmentedVariableObject.h:
543         * runtime/StringPrototype.cpp:
544         (JSC::checkObjectCoercible):
545
546 2017-09-15  Saam Barati  <sbarati@apple.com>
547
548         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
549         https://bugs.webkit.org/show_bug.cgi?id=176981
550
551         Reviewed by Yusuke Suzuki.
552
553         This patch makes inline arity fixup happen in two phases:
554         1. We get all the values we need and MovHint them to the expected locals.
555         2. We SetLocal them inside the callee's CodeOrigin. This way, if we exit, the callee's
556            frame is already set up. If any SetLocal exits, we have a valid exit state.
557            This is required because if we didn't do this in two phases, we may exit in
558            the middle of arity fixup from the caller's CodeOrigin. This is unsound because if
559            we did the SetLocals in the caller's frame, the memcpy may clobber needed parts
560            of the frame right before exiting. For example, consider if we need to pad two args:
561            [arg3][arg2][arg1][arg0]
562            [fix ][fix ][arg3][arg2][arg1][arg0]
563            We memcpy starting from arg0 in the direction of arg3. If we were to exit at a type check
564            for arg3's SetLocal in the caller's CodeOrigin, we'd exit with a frame like so:
565            [arg3][arg2][arg1][arg2][arg1][arg0]
566            And the caller would then just end up thinking its arguments are:
567            [arg3][arg2][arg1][arg2]
568            which is incorrect.
569        
570        
571         This patch also fixes a couple of bugs in IdentityWithProfile:
572         1. The bytecode generator for this bytecode intrinsic was written incorrectly.
573            It needed to store the result of evaluating its argument in a temporary that
574            it creates. Otherwise, it might try to simply overwrite a constant
575            or a register that it didn't own.
576         2. We weren't eliminating this node in CSE inside the DFG.
577
578         * bytecompiler/NodesCodegen.cpp:
579         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
580         * dfg/DFGByteCodeParser.cpp:
581         (JSC::DFG::ByteCodeParser::inlineCall):
582         * dfg/DFGCSEPhase.cpp:
583
584 2017-09-15  JF Bastien  <jfbastien@apple.com>
585
586         WTF: use Forward.h when appropriate instead of Vector.h
587         https://bugs.webkit.org/show_bug.cgi?id=176984
588
589         Reviewed by Saam Barati.
590
591         There's no need to include Vector.h when Forward.h will suffice. All we need is to move the template default parameters from Vector, and then the forward declaration can be used in so many new places: if a header only takes Vector by reference, rvalue reference, pointer, returns any of these, or has them as members then the header doesn't need to see the definition because the declaration will suffice.
592
593         * bytecode/HandlerInfo.h:
594         * heap/GCIncomingRefCounted.h:
595         * heap/GCSegmentedArray.h:
596         * wasm/js/JSWebAssemblyModule.h:
597
598 2017-09-14  Saam Barati  <sbarati@apple.com>
599
600         We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags
601         https://bugs.webkit.org/show_bug.cgi?id=176863
602
603         Reviewed by Keith Miller.
604
605         * CMakeLists.txt:
606         * JavaScriptCore.xcodeproj/project.pbxproj:
607         * runtime/ProxyObject.cpp:
608         (JSC::performProxyGet):
609         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
610         (JSC::ProxyObject::performHasProperty):
611         (JSC::ProxyObject::getOwnPropertySlotCommon):
612         (JSC::ProxyObject::performPut):
613         (JSC::performProxyCall):
614         (JSC::performProxyConstruct):
615         (JSC::ProxyObject::performDelete):
616         (JSC::ProxyObject::performPreventExtensions):
617         (JSC::ProxyObject::performIsExtensible):
618         (JSC::ProxyObject::performDefineOwnProperty):
619         (JSC::ProxyObject::performGetOwnPropertyNames):
620         (JSC::ProxyObject::performSetPrototype):
621         (JSC::ProxyObject::performGetPrototype):
622
623 2017-09-14  Saam Barati  <sbarati@apple.com>
624
625         Make dumping the graph print both when exitOK and when !exitOK
626         https://bugs.webkit.org/show_bug.cgi?id=176954
627
628         Reviewed by Keith Miller.
629
630         * dfg/DFGGraph.cpp:
631         (JSC::DFG::Graph::dump):
632
633 2017-09-14  Saam Barati  <sbarati@apple.com>
634
635         It should be valid to exit before each set when doing arity fixup when inlining
636         https://bugs.webkit.org/show_bug.cgi?id=176948
637
638         Reviewed by Keith Miller.
639
640         This patch makes it so that we can exit before each SetLocal when doing arity
641         fixup during inlining. This is OK because if we exit at any of these SetLocals,
642         we will simply exit to the beginning of the call instruction.
643         
644         Not doing this led to a bug where FixupPhase would insert a ValueRep of
645         a node before the actual node. This is obviously invalid IR. I've added
646         a new validation rule to catch this malformed IR.
647
648         * dfg/DFGByteCodeParser.cpp:
649         (JSC::DFG::ByteCodeParser::inliningCost):
650         (JSC::DFG::ByteCodeParser::inlineCall):
651         * dfg/DFGValidate.cpp:
652         * runtime/Options.h:
653
654 2017-09-14  Mark Lam  <mark.lam@apple.com>
655
656         AddressSanitizer: stack-buffer-underflow in JSC::Probe::Page::Page
657         https://bugs.webkit.org/show_bug.cgi?id=176874
658         <rdar://problem/34436415>
659
660         Reviewed by Saam Barati.
661
662         1. Make Probe::Stack play nice with ASan by:
663
664            a. using a local memcpy implementation that suppresses ASan on ASan builds.
665               We don't want to use std::memcpy() which validates stack memory because
666               we are intentionally copying stack memory beyond the current frame.
667
668            b. changing Stack::s_chunkSize to equal sizeof(uintptr_t) on ASan builds.
669               This ensures that Page::flushWrites() only writes stack memory that was
670               modified by a probe.  The probes should only modify stack memory that
671               belongs to JSC stack data structures.  We don't want to inadvertently
672               modify adjacent words that may belong to ASan (which may happen if
673               s_chunkSize is larger than sizeof(uintptr_t)).
674
675            c. fixing a bug in Page dirtyBits management for when the size of the value to
676               write is greater than s_chunkSize.  The fix is generic, but in practice,
677               this currently only manifests on 32-bit ASan builds because
678               sizeof(uintptr_t) and s_chunkSize are 32-bit, and we may write 64-bit
679               values.
680
681            d. making Page::m_dirtyBits 64 bits always.  This maximizes the number of
682               s_chunksPerPage we can have even on ASan builds.
683
684         2. Fixed the bottom-most Probe::Context and Probe::Stack get/set methods to use
685            std::memcpy to avoid strict aliasing issues.
686
687         3. Optimized the implementation of Page::physicalAddressFor().
688
689         4. Optimized the implementation of Stack::set() in the recording of the low
690            watermark.  We just record the lowest raw pointer now, and only compute the
691            alignment to its chunk boundary later when the low watermark is requested.
692
693         5. Changed a value in testmasm to make the test less vulnerable to rounding issues.
694
695         No new test needed because this is already covered by testmasm with ASan enabled.
696
697         * assembler/ProbeContext.h:
698         (JSC::Probe::CPUState::gpr const):
699         (JSC::Probe::CPUState::spr const):
700         (JSC::Probe::Context::gpr):
701         (JSC::Probe::Context::spr):
702         (JSC::Probe::Context::fpr):
703         (JSC::Probe::Context::gprName):
704         (JSC::Probe::Context::sprName):
705         (JSC::Probe::Context::fprName):
706         (JSC::Probe::Context::gpr const):
707         (JSC::Probe::Context::spr const):
708         (JSC::Probe::Context::fpr const):
709         (JSC::Probe::Context::pc):
710         (JSC::Probe::Context::fp):
711         (JSC::Probe::Context::sp):
712         (JSC::Probe:: const): Deleted.
713         * assembler/ProbeStack.cpp:
714         (JSC::Probe::copyStackPage):
715         (JSC::Probe::Page::Page):
716         (JSC::Probe::Page::flushWrites):
717         * assembler/ProbeStack.h:
718         (JSC::Probe::Page::get):
719         (JSC::Probe::Page::set):
720         (JSC::Probe::Page::dirtyBitFor):
721         (JSC::Probe::Page::physicalAddressFor):
722         (JSC::Probe::Stack::lowWatermark):
723         (JSC::Probe::Stack::get):
724         (JSC::Probe::Stack::set):
725         * assembler/testmasm.cpp:
726         (JSC::testProbeModifiesStackValues):
727
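The dirty-bit bookkeeping described in items 1.b through 1.d above, as an added example in C that is not JSC's Probe::Page code: a hypothetical shadow page with 4-byte chunks (the 32-bit ASan case) and a 64-bit dirty mask, showing the start-chunk-only rule the entry describes as the bug next to the corrected range rule, a memcpy-based set(), and a flushWrites() that writes back only chunks a probe touched. All names (ShadowPage, dirtyBitsForRange, pageSet, pageFlushWrites, demoWideWrite) and the page geometry are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of a Probe::Page-style shadow page (not JSC's code):
 * the page buffers a probe's writes to a region of stack and later flushes
 * only the chunks the probe actually touched. CHUNK_SIZE models the 32-bit
 * ASan case described above: chunks are 4 bytes, but 8-byte values get written. */
#define CHUNK_SIZE       4u
#define CHUNKS_PER_PAGE  64u                     /* one bit each in a 64-bit mask */
#define PAGE_BYTES       (CHUNK_SIZE * CHUNKS_PER_PAGE)

typedef struct {
    uint8_t  buffer[PAGE_BYTES]; /* shadow copy of the stack page */
    uint64_t dirtyBits;          /* bit i set <=> chunk i was modified by a probe */
} ShadowPage;

/* Reconstruction of the defect in item 1.c: only the chunk holding the first
 * byte of the write is marked, so a value wider than CHUNK_SIZE leaves its
 * tail chunk clean and that part of the value is never flushed to the stack. */
static uint64_t dirtyBitsStartChunkOnly(size_t offset)
{
    return (uint64_t)1 << (offset / CHUNK_SIZE);
}

/* Corrected rule: mark every chunk the byte range [offset, offset + size) overlaps. */
static uint64_t dirtyBitsForRange(size_t offset, size_t size)
{
    size_t first = offset / CHUNK_SIZE;
    size_t last = (offset + size - 1) / CHUNK_SIZE;
    uint64_t bits = 0;
    for (size_t i = first; i <= last && i < CHUNKS_PER_PAGE; i++)
        bits |= (uint64_t)1 << i;
    return bits;
}

/* Page::set analogue: memcpy rather than a pointer cast stores the value,
 * which avoids strict-aliasing problems (item 2); then the dirty mask is widened. */
static void pageSet(ShadowPage *page, size_t offset, const void *value, size_t size)
{
    memcpy(page->buffer + offset, value, size);
    page->dirtyBits |= dirtyBitsForRange(offset, size);
}

/* Page::flushWrites analogue: copy back only dirty chunks, so bytes the probe
 * never wrote (for example words that belong to ASan) are left untouched.
 * Returns the number of chunks flushed. */
static size_t pageFlushWrites(const ShadowPage *page, uint8_t *stack)
{
    size_t flushed = 0;
    for (size_t i = 0; i < CHUNKS_PER_PAGE; i++) {
        if (page->dirtyBits & ((uint64_t)1 << i)) {
            memcpy(stack + i * CHUNK_SIZE, page->buffer + i * CHUNK_SIZE, CHUNK_SIZE);
            flushed++;
        }
    }
    return flushed;
}

/* Worked scenario: an 8-byte value written at offset 8 with 4-byte chunks.
 * Returns the number of chunks flushed if the whole value reached the stack and
 * nothing outside bytes [8, 16) changed; returns -1 otherwise. */
static int demoWideWrite(void)
{
    ShadowPage page;
    uint8_t stack[PAGE_BYTES];
    uint8_t expected[PAGE_BYTES];
    uint64_t value = 0x1122334455667788ULL; /* constructed sample value */

    memset(&page, 0, sizeof page);
    memset(stack, 0, sizeof stack);
    memset(expected, 0, sizeof expected);
    memcpy(expected + 8, &value, sizeof value);

    pageSet(&page, 8, &value, sizeof value);
    size_t flushed = pageFlushWrites(&page, stack);

    if (memcmp(stack, expected, PAGE_BYTES) != 0)
        return -1;
    return (int)flushed;
}
```

With the start-chunk-only mask the same write would flush one chunk and leave bytes 12 through 15 of the stack stale; with the range rule two chunks are flushed and no byte outside the written range is touched, which is what keeps the probe from clobbering words it does not own.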
728 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
729
730         [JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed
731         https://bugs.webkit.org/show_bug.cgi?id=176917
732
733         Reviewed by Saam Barati.
734
735         * dfg/DFGByteCodeParser.cpp:
736         (JSC::DFG::ByteCodeParser::inliningCost):
737         * runtime/Options.h:
738
739 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
740
741         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
742         https://bugs.webkit.org/show_bug.cgi?id=176867
743
744         Reviewed by Sam Weinig.
745
746         We rarely require private symbols when enumerating property names.
747         This patch adds PrivateSymbolMode::{Include,Exclude}. If PrivateSymbolMode::Exclude
748         is specified, PropertyNameArray does not include private symbols.
749         This removes many ad-hoc `Identifier::isPrivateName()` in enumeration operations.
750
751         One additional good thing is that we do not need to filter private symbols out from PropertyNameArray.
752         It allows us to use Object.keys()'s fast path for Object.getOwnPropertySymbols.
753
754         object-get-own-property-symbols                48.6275+-1.0021     ^     38.1846+-1.7934        ^ definitely 1.2735x faster
755
756         * API/JSObjectRef.cpp:
757         (JSObjectCopyPropertyNames):
758         * bindings/ScriptValue.cpp:
759         (Inspector::jsToInspectorValue):
760         * bytecode/ObjectAllocationProfile.h:
761         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
762         * runtime/EnumerationMode.h:
763         * runtime/IntlObject.cpp:
764         (JSC::supportedLocales):
765         * runtime/JSONObject.cpp:
766         (JSC::Stringifier::Stringifier):
767         (JSC::Stringifier::Holder::appendNextProperty):
768         (JSC::Walker::walk):
769         * runtime/JSPropertyNameEnumerator.cpp:
770         (JSC::JSPropertyNameEnumerator::create):
771         * runtime/JSPropertyNameEnumerator.h:
772         (JSC::propertyNameEnumerator):
773         * runtime/ObjectConstructor.cpp:
774         (JSC::objectConstructorGetOwnPropertyDescriptors):
775         (JSC::objectConstructorAssign):
776         (JSC::objectConstructorValues):
777         (JSC::defineProperties):
778         (JSC::setIntegrityLevel):
779         (JSC::testIntegrityLevel):
780         (JSC::ownPropertyKeys):
781         * runtime/PropertyNameArray.h:
782         (JSC::PropertyNameArray::PropertyNameArray):
783         (JSC::PropertyNameArray::propertyNameMode const):
784         (JSC::PropertyNameArray::privateSymbolMode const):
785         (JSC::PropertyNameArray::addUncheckedInternal):
786         (JSC::PropertyNameArray::addUnchecked):
787         (JSC::PropertyNameArray::add):
788         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
789         (JSC::PropertyNameArray::includeSymbolProperties const):
790         (JSC::PropertyNameArray::includeStringProperties const):
791         (JSC::PropertyNameArray::mode const): Deleted.
792         * runtime/ProxyObject.cpp:
793         (JSC::ProxyObject::performGetOwnPropertyNames):
794
795 2017-09-13  Mark Lam  <mark.lam@apple.com>
796
797         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
798         https://bugs.webkit.org/show_bug.cgi?id=176888
799         <rdar://problem/34381832>
800
801         Not reviewed.
802
803         * JavaScriptCore.xcodeproj/project.pbxproj:
804         * assembler/MacroAssembler.cpp:
805         (JSC::stdFunctionCallback):
806         * assembler/MacroAssemblerPrinter.cpp:
807         (JSC::Printer::printCallback):
808         * assembler/ProbeContext.h:
809         (JSC::Probe:: const):
810         (JSC::Probe::Context::Context):
811         (JSC::Probe::Context::gpr):
812         (JSC::Probe::Context::spr):
813         (JSC::Probe::Context::fpr):
814         (JSC::Probe::Context::gprName):
815         (JSC::Probe::Context::sprName):
816         (JSC::Probe::Context::fprName):
817         (JSC::Probe::Context::pc):
818         (JSC::Probe::Context::fp):
819         (JSC::Probe::Context::sp):
820         (JSC::Probe::CPUState::gpr const): Deleted.
821         (JSC::Probe::CPUState::spr const): Deleted.
822         (JSC::Probe::Context::arg): Deleted.
823         (JSC::Probe::Context::gpr const): Deleted.
824         (JSC::Probe::Context::spr const): Deleted.
825         (JSC::Probe::Context::fpr const): Deleted.
826         * assembler/ProbeFrame.h: Removed.
827         * assembler/ProbeStack.cpp:
828         (JSC::Probe::Page::Page):
829         * assembler/ProbeStack.h:
830         (JSC::Probe::Page::get):
831         (JSC::Probe::Page::set):
832         (JSC::Probe::Page::physicalAddressFor):
833         (JSC::Probe::Stack::lowWatermark):
834         (JSC::Probe::Stack::get):
835         (JSC::Probe::Stack::set):
836         * bytecode/ArithProfile.cpp:
837         * bytecode/ArithProfile.h:
838         * bytecode/ArrayProfile.h:
839         (JSC::ArrayProfile::observeArrayMode): Deleted.
840         * bytecode/CodeBlock.cpp:
841         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted.
842         * bytecode/CodeBlock.h:
843         (JSC::CodeBlock::addressOfOSRExitCounter):
844         * bytecode/ExecutionCounter.h:
845         (JSC::ExecutionCounter::hasCrossedThreshold const): Deleted.
846         (JSC::ExecutionCounter::setNewThresholdForOSRExit): Deleted.
847         * bytecode/MethodOfGettingAValueProfile.cpp:
848         (JSC::MethodOfGettingAValueProfile::reportValue): Deleted.
849         * bytecode/MethodOfGettingAValueProfile.h:
850         * dfg/DFGDriver.cpp:
851         (JSC::DFG::compileImpl):
852         * dfg/DFGJITCode.cpp:
853         (JSC::DFG::JITCode::findPC):
854         * dfg/DFGJITCode.h:
855         * dfg/DFGJITCompiler.cpp:
856         (JSC::DFG::JITCompiler::linkOSRExits):
857         (JSC::DFG::JITCompiler::link):
858         * dfg/DFGOSRExit.cpp:
859         (JSC::DFG::OSRExit::setPatchableCodeOffset):
860         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const):
861         (JSC::DFG::OSRExit::codeLocationForRepatch const):
862         (JSC::DFG::OSRExit::correctJump):
863         (JSC::DFG::OSRExit::emitRestoreArguments):
864         (JSC::DFG::OSRExit::compileOSRExit):
865         (JSC::DFG::OSRExit::compileExit):
866         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
867         (JSC::DFG::jsValueFor): Deleted.
868         (JSC::DFG::restoreCalleeSavesFor): Deleted.
869         (JSC::DFG::saveCalleeSavesFor): Deleted.
870         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted.
871         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted.
872         (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted.
873         (JSC::DFG::createDirectArgumentsDuringExit): Deleted.
874         (JSC::DFG::createClonedArgumentsDuringExit): Deleted.
875         (JSC::DFG::emitRestoreArguments): Deleted.
876         (JSC::DFG::OSRExit::executeOSRExit): Deleted.
877         (JSC::DFG::reifyInlinedCallFrames): Deleted.
878         (JSC::DFG::adjustAndJumpToTarget): Deleted.
879         (JSC::DFG::printOSRExit): Deleted.
880         * dfg/DFGOSRExit.h:
881         (JSC::DFG::OSRExitState::OSRExitState): Deleted.
882         * dfg/DFGOSRExitCompilerCommon.cpp:
883         * dfg/DFGOSRExitCompilerCommon.h:
884         * dfg/DFGOperations.cpp:
885         * dfg/DFGOperations.h:
886         * dfg/DFGThunks.cpp:
887         (JSC::DFG::osrExitGenerationThunkGenerator):
888         (JSC::DFG::osrExitThunkGenerator): Deleted.
889         * dfg/DFGThunks.h:
890         * jit/AssemblyHelpers.cpp:
891         (JSC::AssemblyHelpers::debugCall):
892         * jit/AssemblyHelpers.h:
893         * jit/JITOperations.cpp:
894         * jit/JITOperations.h:
895         * profiler/ProfilerOSRExit.h:
896         (JSC::Profiler::OSRExit::incCount): Deleted.
897         * runtime/JSCJSValue.h:
898         * runtime/JSCJSValueInlines.h:
899         * runtime/VM.h:
900
901 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
902
903         [JSC] Move class/struct used in other class' member out of anonymous namespace
904         https://bugs.webkit.org/show_bug.cgi?id=176876
905
906         Reviewed by Saam Barati.
907
908         GCC warns if a class has a base or field whose type uses the anonymous namespace
909         and it is defined in an included file. This is because this possibly violates
910         one definition rule (ODR): if an included file has the anonymous namespace, each
911         translation unit creates its private anonymous namespace. Thus, each type
912         inside the anonymous namespace becomes different in each translation unit if
913         the file is included in multiple translation units.
914
915         While the current use in JSC is not violating ODR since these cpp files are included
916         only once for unified sources, specifying `-Wno-subobject-linkage` could miss
917         the actual bugs. So, in this patch, we just move related classes/structs out of
918         the anonymous namespace.
919
920         * dfg/DFGIntegerCheckCombiningPhase.cpp:
921         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::addition):
922         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::arrayBounds):
923         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator! const):
924         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::hash const):
925         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator== const):
926         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::dump const):
927         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::RangeKeyAndAddend):
928         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::operator! const):
929         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::dump const):
930         (JSC::DFG::IntegerCheckCombiningPhase::Range::dump const):
931         * dfg/DFGLICMPhase.cpp:
932
933 2017-09-13  Devin Rousso  <webkit@devinrousso.com>
934
935         Web Inspector: Event Listeners section does not update when listeners are added/removed
936         https://bugs.webkit.org/show_bug.cgi?id=170570
937         <rdar://problem/31501645>
938
939         Reviewed by Joseph Pecoraro.
940
941         * inspector/protocol/DOM.json:
942         Add two new events: "didAddEventListener" and "willRemoveEventListener". These events do not
943         contain any information about the event listeners that were added/removed. They serve more
944         as indications that something has changed, and to refetch the data again via `getEventListenersForNode`.
945
946 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
947
948         [JSC] Fix Array allocation in Object.keys
949         https://bugs.webkit.org/show_bug.cgi?id=176826
950
951         Reviewed by Saam Barati.
952
953         When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
954         We check isHavingABadTime() in ownPropertyKeys fast path.
955         And we also ensure, by a test, that ownPropertyKeys uses the putDirect operation instead of put.
956
957         * runtime/ObjectConstructor.cpp:
958         (JSC::ownPropertyKeys):
959
960 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
961
962         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
963         https://bugs.webkit.org/show_bug.cgi?id=176010
964
965         Reviewed by Filip Pizlo.
966
967         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
968         It is used for meta property for objects (see peekMeta function in Ember.js).
969
970         This patch optimizes WeakMap#get.
971
972         1. We use inlineGet to inline WeakMap#get operation in the native function.
973         Since this native function itself is very small, we should inline HashMap#get
974         entirely in this function.
975
976         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
977         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
978         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
979         ObjectUse, and Int32Use.
980
981         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
982         calculate hash value for the key's Object and use this hash value to look up value from
983         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
984         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
985         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
986         patches.
987
988         We currently do not implement any other intrinsics (like WeakMap#has, WeakSet) because they are
989         not used in Ember.js right now.
990
991         This patch optimizes WeakMap#get by 50%.
992
993                                  baseline                  patched
994
995         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
996
997         * bytecode/DirectEvalCodeCache.h:
998         (JSC::DirectEvalCodeCache::tryGet):
999         * bytecode/SpeculatedType.cpp:
1000         (JSC::dumpSpeculation):
1001         (JSC::speculationFromClassInfo):
1002         (JSC::speculationFromJSType):
1003         (JSC::speculationFromString):
1004         * bytecode/SpeculatedType.h:
1005         * dfg/DFGAbstractInterpreterInlines.h:
1006         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1007         * dfg/DFGByteCodeParser.cpp:
1008         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1009         * dfg/DFGClobberize.h:
1010         (JSC::DFG::clobberize):
1011         * dfg/DFGDoesGC.cpp:
1012         (JSC::DFG::doesGC):
1013         * dfg/DFGFixupPhase.cpp:
1014         (JSC::DFG::FixupPhase::fixupNode):
1015         * dfg/DFGHeapLocation.cpp:
1016         (WTF::printInternal):
1017         * dfg/DFGHeapLocation.h:
1018         * dfg/DFGNode.h:
1019         (JSC::DFG::Node::hasHeapPrediction):
1020         * dfg/DFGNodeType.h:
1021         * dfg/DFGOperations.cpp:
1022         * dfg/DFGOperations.h:
1023         * dfg/DFGPredictionPropagationPhase.cpp:
1024         * dfg/DFGSafeToExecute.h:
1025         (JSC::DFG::SafeToExecuteEdge::operator()):
1026         (JSC::DFG::safeToExecute):
1027         * dfg/DFGSpeculativeJIT.cpp:
1028         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
1029         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
1030         (JSC::DFG::SpeculativeJIT::speculate):
1031         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
1032         * dfg/DFGSpeculativeJIT.h:
1033         (JSC::DFG::SpeculativeJIT::callOperation):
1034         * dfg/DFGSpeculativeJIT32_64.cpp:
1035         (JSC::DFG::SpeculativeJIT::compile):
1036         * dfg/DFGSpeculativeJIT64.cpp:
1037         (JSC::DFG::SpeculativeJIT::compile):
1038         * dfg/DFGUseKind.cpp:
1039         (WTF::printInternal):
1040         * dfg/DFGUseKind.h:
1041         (JSC::DFG::typeFilterFor):
1042         (JSC::DFG::isCell):
1043         * ftl/FTLCapabilities.cpp:
1044         (JSC::FTL::canCompile):
1045         * ftl/FTLLowerDFGToB3.cpp:
1046         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1047         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
1048         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
1049         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
1050         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1051         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
1052         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
1053         * jit/JITOperations.h:
1054         * runtime/HashMapImpl.h:
1055         (JSC::WeakMapHash::hash):
1056         (JSC::WeakMapHash::equal):
1057         * runtime/Intrinsic.cpp:
1058         (JSC::intrinsicName):
1059         * runtime/Intrinsic.h:
1060         * runtime/JSType.h:
1061         * runtime/JSWeakMap.h:
1062         (JSC::isJSWeakMap):
1063         * runtime/JSWeakSet.h:
1064         (JSC::isJSWeakSet):
1065         * runtime/WeakMapBase.cpp:
1066         (JSC::WeakMapBase::get):
1067         * runtime/WeakMapBase.h:
1068         (JSC::WeakMapBase::HashTranslator::hash):
1069         (JSC::WeakMapBase::HashTranslator::equal):
1070         (JSC::WeakMapBase::inlineGet):
1071         * runtime/WeakMapPrototype.cpp:
1072         (JSC::WeakMapPrototype::finishCreation):
1073         (JSC::getWeakMap):
1074         (JSC::protoFuncWeakMapGet):
1075         * runtime/WeakSetPrototype.cpp:
1076         (JSC::getWeakSet):
1077
1078 2017-09-12  Keith Miller  <keith_miller@apple.com>
1079
1080         Rename JavaScriptCore CMake unifiable sources list
1081         https://bugs.webkit.org/show_bug.cgi?id=176823
1082
1083         Reviewed by Joseph Pecoraro.
1084
1085         This patch also changes the error message when the unified source
1086         bundler fails to be more accurate.
1087
1088         * CMakeLists.txt:
1089
1090 2017-09-12  Keith Miller  <keith_miller@apple.com>
1091
1092         Do unified source builds for JSC
1093         https://bugs.webkit.org/show_bug.cgi?id=176076
1094
1095         Reviewed by Geoffrey Garen.
1096
1097         This patch switches the CMake JavaScriptCore build to use unified sources.
1098         The Xcode build will be upgraded in a follow up patch.
1099
1100         Most of the source changes in this patch are fixing static
1101         variable/functions name collisions. The most common collisions
1102         were from our use of "static const bool verbose" and "using
1103         namespace ...". I fixed all the verbose cases and fixed the "using
1104         namespace" issues that occurred under the current bundling
1105         strategy. It's likely that more of the "using namespace" issues
1106         will need to be resolved in the future, particularly in the FTL.
1107
1108         I don't expect either of these problems will apply to other parts
1109         of the project nearly as much as in JSC. Using a verbose variable
1110         is a JSC idiom and JSC tends to use the same, canonical, class name
1111         in multiple parts of the engine.
1112
1113         * CMakeLists.txt:
1114         * b3/B3CheckSpecial.cpp:
1115         (JSC::B3::CheckSpecial::forEachArg):
1116         (JSC::B3::CheckSpecial::generate):
1117         (JSC::B3::Air::numB3Args): Deleted.
1118         * b3/B3DuplicateTails.cpp:
1119         * b3/B3EliminateCommonSubexpressions.cpp:
1120         * b3/B3FixSSA.cpp:
1121         (JSC::B3::demoteValues):
1122         * b3/B3FoldPathConstants.cpp:
1123         * b3/B3InferSwitches.cpp:
1124         * b3/B3LowerMacrosAfterOptimizations.cpp:
1125         (): Deleted.
1126         * b3/B3LowerToAir.cpp:
1127         (JSC::B3::Air::LowerToAir::LowerToAir): Deleted.
1128         (JSC::B3::Air::LowerToAir::run): Deleted.
1129         (JSC::B3::Air::LowerToAir::shouldCopyPropagate): Deleted.
1130         (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise): Deleted.
1131         (JSC::B3::Air::LowerToAir::ArgPromise::swap): Deleted.
1132         (JSC::B3::Air::LowerToAir::ArgPromise::operator=): Deleted.
1133         (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise): Deleted.
1134         (JSC::B3::Air::LowerToAir::ArgPromise::setTraps): Deleted.
1135         (JSC::B3::Air::LowerToAir::ArgPromise::tmp): Deleted.
1136         (JSC::B3::Air::LowerToAir::ArgPromise::operator bool const): Deleted.
1137         (JSC::B3::Air::LowerToAir::ArgPromise::kind const): Deleted.
1138         (JSC::B3::Air::LowerToAir::ArgPromise::peek const): Deleted.
1139         (JSC::B3::Air::LowerToAir::ArgPromise::consume): Deleted.
1140         (JSC::B3::Air::LowerToAir::ArgPromise::inst): Deleted.
1141         (JSC::B3::Air::LowerToAir::tmp): Deleted.
1142         (JSC::B3::Air::LowerToAir::tmpPromise): Deleted.
1143         (JSC::B3::Air::LowerToAir::canBeInternal): Deleted.
1144         (JSC::B3::Air::LowerToAir::commitInternal): Deleted.
1145         (JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
1146         (JSC::B3::Air::LowerToAir::scaleForShl): Deleted.
1147         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
1148         (JSC::B3::Air::LowerToAir::addr): Deleted.
1149         (JSC::B3::Air::LowerToAir::trappingInst): Deleted.
1150         (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode): Deleted.
1151         (JSC::B3::Air::LowerToAir::loadPromise): Deleted.
1152         (JSC::B3::Air::LowerToAir::imm): Deleted.
1153         (JSC::B3::Air::LowerToAir::bitImm): Deleted.
1154         (JSC::B3::Air::LowerToAir::bitImm64): Deleted.
1155         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
1156         (JSC::B3::Air::LowerToAir::tryOpcodeForType): Deleted.
1157         (JSC::B3::Air::LowerToAir::opcodeForType): Deleted.
1158         (JSC::B3::Air::LowerToAir::appendUnOp): Deleted.
1159         (JSC::B3::Air::LowerToAir::preferRightForResult): Deleted.
1160         (JSC::B3::Air::LowerToAir::appendBinOp): Deleted.
1161         (JSC::B3::Air::LowerToAir::appendShift): Deleted.
1162         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp): Deleted.
1163         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): Deleted.
1164         (JSC::B3::Air::LowerToAir::createStore): Deleted.
1165         (JSC::B3::Air::LowerToAir::storeOpcode): Deleted.
1166         (JSC::B3::Air::LowerToAir::appendStore): Deleted.
1167         (JSC::B3::Air::LowerToAir::moveForType): Deleted.
1168         (JSC::B3::Air::LowerToAir::relaxedMoveForType): Deleted.
1169         (JSC::B3::Air::LowerToAir::print): Deleted.
1170         (JSC::B3::Air::LowerToAir::append): Deleted.
1171         (JSC::B3::Air::LowerToAir::appendTrapping): Deleted.
1172         (JSC::B3::Air::LowerToAir::finishAppendingInstructions): Deleted.
1173         (JSC::B3::Air::LowerToAir::newBlock): Deleted.
1174         (JSC::B3::Air::LowerToAir::splitBlock): Deleted.
1175         (JSC::B3::Air::LowerToAir::ensureSpecial): Deleted.
1176         (JSC::B3::Air::LowerToAir::ensureCheckSpecial): Deleted.
1177         (JSC::B3::Air::LowerToAir::fillStackmap): Deleted.
1178         (JSC::B3::Air::LowerToAir::createGenericCompare): Deleted.
1179         (JSC::B3::Air::LowerToAir::createBranch): Deleted.
1180         (JSC::B3::Air::LowerToAir::createCompare): Deleted.
1181         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
1182         (JSC::B3::Air::LowerToAir::tryAppendLea): Deleted.
1183         (JSC::B3::Air::LowerToAir::appendX86Div): Deleted.
1184         (JSC::B3::Air::LowerToAir::appendX86UDiv): Deleted.
1185         (JSC::B3::Air::LowerToAir::loadLinkOpcode): Deleted.
1186         (JSC::B3::Air::LowerToAir::storeCondOpcode): Deleted.
1187         (JSC::B3::Air::LowerToAir::appendCAS): Deleted.
1188         (JSC::B3::Air::LowerToAir::appendVoidAtomic): Deleted.
1189         (JSC::B3::Air::LowerToAir::appendGeneralAtomic): Deleted.
1190         (JSC::B3::Air::LowerToAir::lower): Deleted.
1191         * b3/B3PatchpointSpecial.cpp:
1192         (JSC::B3::PatchpointSpecial::generate):
1193         * b3/B3ReduceDoubleToFloat.cpp:
1194         (JSC::B3::reduceDoubleToFloat):
1195         * b3/B3ReduceStrength.cpp:
1196         * b3/B3StackmapGenerationParams.cpp:
1197         * b3/B3StackmapSpecial.cpp:
1198         (JSC::B3::StackmapSpecial::repsImpl):
1199         (JSC::B3::StackmapSpecial::repForArg):
1200         * b3/air/AirAllocateStackByGraphColoring.cpp:
1201         (JSC::B3::Air::allocateStackByGraphColoring):
1202         * b3/air/AirEmitShuffle.cpp:
1203         (JSC::B3::Air::emitShuffle):
1204         * b3/air/AirFixObviousSpills.cpp:
1205         * b3/air/AirLowerAfterRegAlloc.cpp:
1206         (JSC::B3::Air::lowerAfterRegAlloc):
1207         * b3/air/AirStackAllocation.cpp:
1208         (JSC::B3::Air::attemptAssignment):
1209         (JSC::B3::Air::assign):
1210         * bytecode/AccessCase.cpp:
1211         (JSC::AccessCase::generateImpl):
1212         * bytecode/CallLinkStatus.cpp:
1213         (JSC::CallLinkStatus::computeDFGStatuses):
1214         * bytecode/GetterSetterAccessCase.cpp:
1215         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
1216         * bytecode/ObjectPropertyConditionSet.cpp:
1217         * bytecode/PolymorphicAccess.cpp:
1218         (JSC::PolymorphicAccess::addCases):
1219         (JSC::PolymorphicAccess::regenerate):
1220         * bytecode/PropertyCondition.cpp:
1221         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1222         * bytecode/StructureStubInfo.cpp:
1223         (JSC::StructureStubInfo::addAccessCase):
1224         * dfg/DFGArgumentsEliminationPhase.cpp:
1225         * dfg/DFGByteCodeParser.cpp:
1226         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
1227         (JSC::DFG::ByteCodeParser::inliningCost):
1228         (JSC::DFG::ByteCodeParser::inlineCall):
1229         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1230         (JSC::DFG::ByteCodeParser::handleInlining):
1231         (JSC::DFG::ByteCodeParser::planLoad):
1232         (JSC::DFG::ByteCodeParser::store):
1233         (JSC::DFG::ByteCodeParser::parseBlock):
1234         (JSC::DFG::ByteCodeParser::linkBlock):
1235         (JSC::DFG::ByteCodeParser::linkBlocks):
1236         * dfg/DFGCSEPhase.cpp:
1237         * dfg/DFGInPlaceAbstractState.cpp:
1238         (JSC::DFG::InPlaceAbstractState::merge):
1239         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1240         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1241         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1242         * dfg/DFGMovHintRemovalPhase.cpp:
1243         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1244         * dfg/DFGPhantomInsertionPhase.cpp:
1245         * dfg/DFGPutStackSinkingPhase.cpp:
1246         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1247         * dfg/DFGVarargsForwardingPhase.cpp:
1248         * ftl/FTLAbstractHeap.cpp:
1249         (JSC::FTL::AbstractHeap::compute):
1250         * ftl/FTLAbstractHeapRepository.cpp:
1251         (JSC::FTL::AbstractHeapRepository::decorateMemory):
1252         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
1253         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
1254         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
1255         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
1256         (JSC::FTL::AbstractHeapRepository::decorateFenceRead):
1257         (JSC::FTL::AbstractHeapRepository::decorateFenceWrite):
1258         (JSC::FTL::AbstractHeapRepository::decorateFencedAccess):
1259         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
1260         * ftl/FTLLink.cpp:
1261         (JSC::FTL::link):
1262         * heap/MarkingConstraintSet.cpp:
1263         (JSC::MarkingConstraintSet::add):
1264         * interpreter/ShadowChicken.cpp:
1265         (JSC::ShadowChicken::update):
1266         * jit/BinarySwitch.cpp:
1267         (JSC::BinarySwitch::BinarySwitch):
1268         (JSC::BinarySwitch::build):
1269         * llint/LLIntData.cpp:
1270         (JSC::LLInt::Data::loadStats):
1271         (JSC::LLInt::Data::saveStats):
1272         * runtime/ArrayPrototype.cpp:
1273         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
1274         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
1275         * runtime/ErrorInstance.cpp:
1276         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
1277         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
1278         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame const): Deleted.
1279         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index const): Deleted.
1280         * runtime/IntlDateTimeFormat.cpp:
1281         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1282         * runtime/PromiseDeferredTimer.cpp:
1283         (JSC::PromiseDeferredTimer::doWork):
1284         (JSC::PromiseDeferredTimer::addPendingPromise):
1285         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1286         * runtime/TypeProfiler.cpp:
1287         (JSC::TypeProfiler::insertNewLocation):
1288         * runtime/TypeProfilerLog.cpp:
1289         (JSC::TypeProfilerLog::processLogEntries):
1290         * runtime/WeakMapPrototype.cpp:
1291         (JSC::protoFuncWeakMapDelete):
1292         (JSC::protoFuncWeakMapGet):
1293         (JSC::protoFuncWeakMapHas):
1294         (JSC::protoFuncWeakMapSet):
1295         (JSC::getWeakMapData): Deleted.
1296         * runtime/WeakSetPrototype.cpp:
1297         (JSC::protoFuncWeakSetDelete):
1298         (JSC::protoFuncWeakSetHas):
1299         (JSC::protoFuncWeakSetAdd):
1300         (JSC::getWeakMapData): Deleted.
1301         * testRegExp.cpp:
1302         (testOneRegExp):
1303         (runFromFiles):
1304         * wasm/WasmB3IRGenerator.cpp:
1305         (JSC::Wasm::parseAndCompile):
1306         * wasm/WasmBBQPlan.cpp:
1307         (JSC::Wasm::BBQPlan::moveToState):
1308         (JSC::Wasm::BBQPlan::parseAndValidateModule):
1309         (JSC::Wasm::BBQPlan::prepare):
1310         (JSC::Wasm::BBQPlan::compileFunctions):
1311         (JSC::Wasm::BBQPlan::complete):
1312         * wasm/WasmFaultSignalHandler.cpp:
1313         (JSC::Wasm::trapHandler):
1314         * wasm/WasmOMGPlan.cpp:
1315         (JSC::Wasm::OMGPlan::OMGPlan):
1316         (JSC::Wasm::OMGPlan::work):
1317         * wasm/WasmPlan.cpp:
1318         (JSC::Wasm::Plan::fail):
1319         * wasm/WasmSignature.cpp:
1320         (JSC::Wasm::SignatureInformation::adopt):
1321         * wasm/WasmWorklist.cpp:
1322         (JSC::Wasm::Worklist::enqueue):
1323
1324 2017-09-12  Michael Saboff  <msaboff@apple.com>
1325
1326         String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp
1327         https://bugs.webkit.org/show_bug.cgi?id=176814
1328
1329         Reviewed by Mark Lam.
1330
1331         The copy and advance indices were off by one and needed a little fine tuning.
1332
1333         * runtime/StringPrototype.cpp:
1334         (JSC::substituteBackreferencesSlow):
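
As an added example (editor's code, not JavaScriptCore's), the reference behaviour the fix above restores: a plain-JavaScript expansion of the replacement template of String.prototype.replace (the spec's GetSubstitution, which JSC implements in substituteBackreferencesSlow), with the "$<name>"-without-named-captures case copied through literally. The function names getSubstitution and replaceOnce are hypothetical; replaceOnce also returns the engine's own result so the two can be compared.

```javascript
"use strict";

// Expand one replacement template. match: the matched text; str: the subject;
// position: match index; captures: array of group values (undefined when a
// group did not participate); namedCaptures: the `groups` object, or undefined
// when the RegExp has no named captures at all.
function getSubstitution(match, str, position, captures, namedCaptures, replacement) {
  const m = captures.length;
  const tailPos = position + match.length;
  let result = "";
  let i = 0;
  while (i < replacement.length) {
    const ch = replacement[i];
    if (ch !== "$" || i + 1 >= replacement.length) {
      result += ch;
      i += 1;
      continue;
    }
    const next = replacement[i + 1];
    if (next === "$") { result += "$"; i += 2; continue; }
    if (next === "&") { result += match; i += 2; continue; }
    if (next === "`") { result += str.slice(0, position); i += 2; continue; }
    if (next === "'") { result += str.slice(tailPos); i += 2; continue; }
    if (next >= "0" && next <= "9") {
      // $n or $nn: the two-digit form is used only when it names an existing
      // capture; otherwise fall back to one digit; otherwise keep "$" literal.
      let digits = next;
      const third = replacement[i + 2];
      if (third !== undefined && third >= "0" && third <= "9") {
        const nn = Number(next + third);
        if (nn >= 1 && nn <= m) digits = next + third;
      }
      const n = Number(digits);
      if (n >= 1 && n <= m) {
        const cap = captures[n - 1];
        result += cap === undefined ? "" : cap;
        i += 1 + digits.length;
        continue;
      }
      result += "$"; i += 1; continue;
    }
    if (next === "<") {
      if (namedCaptures === undefined) {
        // No named captures in the RegExp: "$<" is copied through as-is.
        // This is the path where the entry above reports an extra '<'
        // appearing in the result, so it is the one to regression-test.
        result += "$<";
        i += 2;
        continue;
      }
      const close = replacement.indexOf(">", i + 2);
      if (close === -1) { result += "$<"; i += 2; continue; }
      const groupName = replacement.slice(i + 2, close);
      const cap = namedCaptures[groupName];
      // An unknown group name expands to the empty string.
      result += cap === undefined ? "" : String(cap);
      i = close + 1;
      continue;
    }
    result += "$"; i += 1;
  }
  return result;
}

// Replace the first match of `re` in `str` via getSubstitution and return it
// next to the engine's native result so the two can be compared.
function replaceOnce(str, re, replacement) {
  const exec = re.exec(str);
  if (exec === null) return { ours: str, native: str };
  const ours = str.slice(0, exec.index)
    + getSubstitution(exec[0], str, exec.index, exec.slice(1), exec.groups, replacement)
    + str.slice(exec.index + exec[0].length);
  return { ours, native: str.replace(re, replacement) };
}
```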
1335
1336 2017-09-11  Mark Lam  <mark.lam@apple.com>
1337
1338         More exception check book-keeping needed found by 32-bit JSC test failures.
1339         https://bugs.webkit.org/show_bug.cgi?id=176742
1340
1341         Reviewed by Michael Saboff and Keith Miller.
1342
1343         * dfg/DFGOperations.cpp:
1344
1345 2017-09-11  Mark Lam  <mark.lam@apple.com>
1346
1347         Make jsc dump the command line if JSC_dumpOption environment variable is set with a non-zero value.
1348         https://bugs.webkit.org/show_bug.cgi?id=176722
1349
1350         Reviewed by Saam Barati.
1351
1352         For PLATFORM(COCOA), I also dumped the JSC_* environmental variables that are
1353         in effect when jsc is invoked.
1354
1355         * jsc.cpp:
1356         (CommandLine::parseArguments):
1357
1358 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
1359
1360         Unreviewed, rolling out r221854.
1361
1362         The test added with this change fails on 32-bit JSC bots.
1363
1364         Reverted changeset:
1365
1366         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
1367         https://bugs.webkit.org/show_bug.cgi?id=176010
1368         http://trac.webkit.org/changeset/221854
1369
1370 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1371
1372         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
1373         https://bugs.webkit.org/show_bug.cgi?id=176010
1374
1375         Reviewed by Filip Pizlo.
1376
1377         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
1378         It is used for meta property for objects (see peekMeta function in Ember.js).
1379
1380         This patch optimizes WeakMap#get.
1381
1382         1. We use inlineGet to inline the WeakMap#get operation in the native function.
1383         Since this native function itself is very small, we should inline HashMap#get
1384         entirely in this function.
1385
1386         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
1387         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
1388         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
1389         ObjectUse, and Int32Use.
1390
1391         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
1392         calculate hash value for the key's Object and use this hash value to look up value from
1393         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
1394         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
1395         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
1396         patches.
1397
1398         We currently do not implement any other intrinsics (like WeakMap#has, WeakSet) because they are
1399         not used in Ember.js right now.
1400
1401         This patch optimizes WeakMap#get by 50%.
1402
1403                                  baseline                  patched
1404
1405         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
1406
1407         * bytecode/DirectEvalCodeCache.h:
1408         (JSC::DirectEvalCodeCache::tryGet):
1409         * bytecode/SpeculatedType.cpp:
1410         (JSC::dumpSpeculation):
1411         (JSC::speculationFromClassInfo):
1412         (JSC::speculationFromJSType):
1413         (JSC::speculationFromString):
1414         * bytecode/SpeculatedType.h:
1415         * dfg/DFGAbstractInterpreterInlines.h:
1416         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1417         * dfg/DFGByteCodeParser.cpp:
1418         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1419         * dfg/DFGClobberize.h:
1420         (JSC::DFG::clobberize):
1421         * dfg/DFGDoesGC.cpp:
1422         (JSC::DFG::doesGC):
1423         * dfg/DFGFixupPhase.cpp:
1424         (JSC::DFG::FixupPhase::fixupNode):
1425         * dfg/DFGHeapLocation.cpp:
1426         (WTF::printInternal):
1427         * dfg/DFGHeapLocation.h:
1428         * dfg/DFGNode.h:
1429         (JSC::DFG::Node::hasHeapPrediction):
1430         * dfg/DFGNodeType.h:
1431         * dfg/DFGOperations.cpp:
1432         * dfg/DFGOperations.h:
1433         * dfg/DFGPredictionPropagationPhase.cpp:
1434         * dfg/DFGSafeToExecute.h:
1435         (JSC::DFG::SafeToExecuteEdge::operator()):
1436         (JSC::DFG::safeToExecute):
1437         * dfg/DFGSpeculativeJIT.cpp:
1438         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
1439         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
1440         (JSC::DFG::SpeculativeJIT::speculate):
1441         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
1442         * dfg/DFGSpeculativeJIT.h:
1443         (JSC::DFG::SpeculativeJIT::callOperation):
1444         * dfg/DFGSpeculativeJIT32_64.cpp:
1445         (JSC::DFG::SpeculativeJIT::compile):
1446         * dfg/DFGSpeculativeJIT64.cpp:
1447         (JSC::DFG::SpeculativeJIT::compile):
1448         * dfg/DFGUseKind.cpp:
1449         (WTF::printInternal):
1450         * dfg/DFGUseKind.h:
1451         (JSC::DFG::typeFilterFor):
1452         (JSC::DFG::isCell):
1453         * ftl/FTLCapabilities.cpp:
1454         (JSC::FTL::canCompile):
1455         * ftl/FTLLowerDFGToB3.cpp:
1456         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1457         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
1458         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
1459         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
1460         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1461         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
1462         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
1463         * jit/JITOperations.h:
1464         * runtime/Intrinsic.cpp:
1465         (JSC::intrinsicName):
1466         * runtime/Intrinsic.h:
1467         * runtime/JSType.h:
1468         * runtime/JSWeakMap.h:
1469         (JSC::isJSWeakMap):
1470         * runtime/JSWeakSet.h:
1471         (JSC::isJSWeakSet):
1472         * runtime/WeakMapBase.cpp:
1473         (JSC::WeakMapBase::get):
1474         * runtime/WeakMapBase.h:
1475         (JSC::WeakMapBase::HashTranslator::hash):
1476         (JSC::WeakMapBase::HashTranslator::equal):
1477         (JSC::WeakMapBase::inlineGet):
1478         * runtime/WeakMapPrototype.cpp:
1479         (JSC::WeakMapPrototype::finishCreation):
1480         (JSC::getWeakMap):
1481         (JSC::protoFuncWeakMapGet):
1482         * runtime/WeakSetPrototype.cpp:
1483         (JSC::getWeakSet):
1484
1485 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1486
1487         [JSC] Optimize Object.keys by using careful array allocation
1488         https://bugs.webkit.org/show_bug.cgi?id=176654
1489
1490         Reviewed by Darin Adler.
1491
1492         SixSpeed object-assign.es6 stresses Object.keys. Object.keys is one of the frequently used
1493         functions in JS apps. Luckily Object.keys has several good features.
1494
1495         1. Once PropertyNameArray is allocated, we know the length of the result array since
1496         we do not need to filter out keys listed in PropertyNameArray. The exception is ProxyObject,
1497         but it rarely appears. The ProxyObject case goes to the generic path.
1498
1499         2. Object.keys does not need to access the object after listing PropertyNameArray. It means
1500         that we do not need to worry about enumeration attribute changes by touching the object.
1501
1502         This patch adds a fast path for Object.keys's array allocation. We allocate the JSArray
1503         with the size and ArrayContiguous indexing shape.
1504
1505         This further improves SixSpeed object-assign.es5 by 13%.
1506
1507                                             baseline                  patched
1508         Microbenchmarks:
1509            object-keys-map-values       73.4324+-2.5397     ^     62.5933+-2.6677        ^ definitely 1.1732x faster
1510            object-keys                  40.8828+-1.5851     ^     29.2066+-1.8944        ^ definitely 1.3998x faster
1511
1512                                             baseline                  patched
1513         SixSpeed:
1514            object-assign.es5           384.8719+-10.7204    ^    340.2734+-12.0947       ^ definitely 1.1311x faster
1515
1516         BTW, a further optimization of Object.keys can be considered: introducing an own property keys
1517         cache which is similar to the current enumeration cache. But this patch is orthogonal to
1518         this optimization!
1519
1520         * runtime/ObjectConstructor.cpp:
1521         (JSC::objectConstructorValues):
1522         (JSC::ownPropertyKeys):
1523         * runtime/ObjectConstructor.h:
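
An added example (editor's code, not JavaScriptCore's) of why the ProxyObject case described above has to stay on the generic path: Object.keys on a Proxy runs the ownKeys trap and then the getOwnPropertyDescriptor trap once per string key, dropping keys the trap reports as absent or non-enumerable, so the result length is only known after every key has been inspected. traceObjectKeys, `hidden` and `extra` are hypothetical names and constructed inputs.

```javascript
"use strict";

// Wrap `target` in a Proxy that records every trap Object.keys invokes.
// hidden: keys the proxy reports as non-enumerable (filtered out after
// listing); extra: keys ownKeys lists that do not exist on the target
// (getOwnPropertyDescriptor returns undefined for them, so they are dropped).
function traceObjectKeys(target, hidden = new Set(), extra = []) {
  const trace = [];
  const proxy = new Proxy(target, {
    ownKeys(t) {
      trace.push("ownKeys");
      // Listing keys absent from the target is permitted while it is extensible.
      return Reflect.ownKeys(t).concat(extra);
    },
    getOwnPropertyDescriptor(t, key) {
      trace.push("gOPD:" + String(key));
      const desc = Reflect.getOwnPropertyDescriptor(t, key);
      // A configurable property may be reported as non-enumerable; Object.keys
      // then filters it out, so the count known after ownKeys was too large.
      if (desc !== undefined && hidden.has(key)) desc.enumerable = false;
      return desc;
    },
  });
  return { keys: Object.keys(proxy), trace };
}
```

For an ordinary object no user code runs between listing the names and building the array, which is the precondition the fast path relies on.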
1524
1525 2017-09-10  Mark Lam  <mark.lam@apple.com>
1526
1527         Fix all ExceptionScope verification failures in JavaScriptCore.
1528         https://bugs.webkit.org/show_bug.cgi?id=176662
1529         <rdar://problem/34352085>
1530
1531         Reviewed by Filip Pizlo.
1532
1533         1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope
1534            verification for release builds too (though this requires manually setting
1535            ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).
1536
1537            This is useful because it allows us to run the tests more quickly to check
1538            if any regressions have occurred.  Debug builds run so much slower and are not
1539            good for a quick turnaround.  Debug builds are necessary though to get
1540            trace information without inlining by the C++ compiler.  This is necessary to
1541            diagnose where the missing exception check is.
1542
1543         2. Repurposed the JSC_dumpSimulatedThrows=true option to capture and dump the last
1544            simulated throw when an exception scope verification fails.
1545
1546            Previously, this option dumped the stack trace on all simulated throws.  That
1547            turned out to not be very useful, and slows down the debugging process.
1548            Instead, the new implementation captures the stack trace and only dumps it
1549            if we have a verification failure.
1550
1551         3. Fixed missing exception checks and book-keeping needed to allow the JSC tests
1552            to pass with JSC_validateExceptionChecks=true.
1553
1554         * bytecode/CodeBlock.cpp:
1555         (JSC::CodeBlock::finishCreation):
1556         * dfg/DFGOSRExit.cpp:
1557         (JSC::DFG::OSRExit::executeOSRExit):
1558         * dfg/DFGOperations.cpp:
1559         * interpreter/Interpreter.cpp:
1560         (JSC::eval):
1561         (JSC::loadVarargs):
1562         (JSC::Interpreter::unwind):
1563         (JSC::Interpreter::executeProgram):
1564         (JSC::Interpreter::executeCall):
1565         (JSC::Interpreter::executeConstruct):
1566         (JSC::Interpreter::prepareForRepeatCall):
1567         (JSC::Interpreter::execute):
1568         (JSC::Interpreter::executeModuleProgram):
1569         * jit/JITOperations.cpp:
1570         (JSC::getByVal):
1571         * jsc.cpp:
1572         (WTF::CustomGetter::customGetterAcessor):
1573         (GlobalObject::moduleLoaderImportModule):
1574         (GlobalObject::moduleLoaderResolve):
1575         * llint/LLIntSlowPaths.cpp:
1576         (JSC::LLInt::getByVal):
1577         (JSC::LLInt::setUpCall):
1578         * parser/Parser.h:
1579         (JSC::Parser::popScopeInternal):
1580         * runtime/AbstractModuleRecord.cpp:
1581         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1582         (JSC::AbstractModuleRecord::resolveImport):
1583         (JSC::AbstractModuleRecord::resolveExportImpl):
1584         (JSC::getExportedNames):
1585         (JSC::AbstractModuleRecord::getModuleNamespace):
1586         * runtime/ArrayPrototype.cpp:
1587         (JSC::getProperty):
1588         (JSC::unshift):
1589         (JSC::arrayProtoFuncToString):
1590         (JSC::arrayProtoFuncToLocaleString):
1591         (JSC::arrayProtoFuncJoin):
1592         (JSC::arrayProtoFuncPop):
1593         (JSC::arrayProtoFuncPush):
1594         (JSC::arrayProtoFuncReverse):
1595         (JSC::arrayProtoFuncShift):
1596         (JSC::arrayProtoFuncSlice):
1597         (JSC::arrayProtoFuncSplice):
1598         (JSC::arrayProtoFuncUnShift):
1599         (JSC::arrayProtoFuncIndexOf):
1600         (JSC::arrayProtoFuncLastIndexOf):
1601         (JSC::concatAppendOne):
1602         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1603         (JSC::arrayProtoPrivateFuncAppendMemcpy):
1604         * runtime/CatchScope.h:
1605         * runtime/CommonSlowPaths.cpp:
1606         (JSC::SLOW_PATH_DECL):
1607         * runtime/DatePrototype.cpp:
1608         (JSC::dateProtoFuncSetTime):
1609         (JSC::setNewValueFromTimeArgs):
1610         * runtime/DirectArguments.h:
1611         (JSC::DirectArguments::length const):
1612         * runtime/ErrorPrototype.cpp:
1613         (JSC::errorProtoFuncToString):
1614         * runtime/ExceptionFuzz.cpp:
1615         (JSC::doExceptionFuzzing):
1616         * runtime/ExceptionScope.h:
1617         (JSC::ExceptionScope::needExceptionCheck):
1618         (JSC::ExceptionScope::assertNoException):
1619         * runtime/GenericArgumentsInlines.h:
1620         (JSC::GenericArguments<Type>::defineOwnProperty):
1621         * runtime/HashMapImpl.h:
1622         (JSC::HashMapImpl::rehash):
1623         * runtime/IntlDateTimeFormat.cpp:
1624         (JSC::IntlDateTimeFormat::formatToParts):
1625         * runtime/JSArray.cpp:
1626         (JSC::JSArray::defineOwnProperty):
1627         (JSC::JSArray::put):
1628         * runtime/JSCJSValue.cpp:
1629         (JSC::JSValue::putToPrimitive):
1630         (JSC::JSValue::putToPrimitiveByIndex):
1631         * runtime/JSCJSValueInlines.h:
1632         (JSC::JSValue::toIndex const):
1633         (JSC::JSValue::get const):
1634         (JSC::JSValue::getPropertySlot const):
1635         (JSC::JSValue::equalSlowCaseInline):
1636         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1637         (JSC::constructGenericTypedArrayViewFromIterator):
1638         (JSC::constructGenericTypedArrayViewWithArguments):
1639         * runtime/JSGenericTypedArrayViewInlines.h:
1640         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1641         * runtime/JSGlobalObject.cpp:
1642         (JSC::JSGlobalObject::put):
1643         * runtime/JSGlobalObjectFunctions.cpp:
1644         (JSC::decode):
1645         (JSC::globalFuncEval):
1646         (JSC::globalFuncProtoGetter):
1647         (JSC::globalFuncProtoSetter):
1648         (JSC::globalFuncImportModule):
1649         * runtime/JSInternalPromise.cpp:
1650         (JSC::JSInternalPromise::then):
1651         * runtime/JSInternalPromiseDeferred.cpp:
1652         (JSC::JSInternalPromiseDeferred::create):
1653         * runtime/JSJob.cpp:
1654         (JSC::JSJobMicrotask::run):
1655         * runtime/JSModuleEnvironment.cpp:
1656         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1657         (JSC::JSModuleEnvironment::put):
1658         (JSC::JSModuleEnvironment::deleteProperty):
1659         * runtime/JSModuleLoader.cpp:
1660         (JSC::JSModuleLoader::provide):
1661         (JSC::JSModuleLoader::loadAndEvaluateModule):
1662         (JSC::JSModuleLoader::loadModule):
1663         (JSC::JSModuleLoader::linkAndEvaluateModule):
1664         (JSC::JSModuleLoader::requestImportModule):
1665         * runtime/JSModuleRecord.cpp:
1666         (JSC::JSModuleRecord::link):
1667         (JSC::JSModuleRecord::instantiateDeclarations):
1668         * runtime/JSONObject.cpp:
1669         (JSC::Stringifier::stringify):
1670         (JSC::Stringifier::toJSON):
1671         (JSC::JSONProtoFuncParse):
1672         * runtime/JSObject.cpp:
1673         (JSC::JSObject::calculatedClassName):
1674         (JSC::ordinarySetSlow):
1675         (JSC::JSObject::putInlineSlow):
1676         (JSC::JSObject::ordinaryToPrimitive const):
1677         (JSC::JSObject::toPrimitive const):
1678         (JSC::JSObject::hasInstance):
1679         (JSC::JSObject::getPropertyNames):
1680         (JSC::JSObject::toNumber const):
1681         (JSC::JSObject::defineOwnIndexedProperty):
1682         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1683         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1684         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1685         (JSC::validateAndApplyPropertyDescriptor):
1686         (JSC::JSObject::defineOwnNonIndexProperty):
1687         (JSC::JSObject::getGenericPropertyNames):
1688         * runtime/JSObject.h:
1689         (JSC::JSObject::get const):
1690         * runtime/JSObjectInlines.h:
1691         (JSC::JSObject::getPropertySlot const):
1692         (JSC::JSObject::getPropertySlot):
1693         (JSC::JSObject::getNonIndexPropertySlot):
1694         (JSC::JSObject::putInlineForJSObject):
1695         * runtime/JSPromiseConstructor.cpp:
1696         (JSC::constructPromise):
1697         * runtime/JSPromiseDeferred.cpp:
1698         (JSC::JSPromiseDeferred::create):
1699         * runtime/JSScope.cpp:
1700         (JSC::abstractAccess):
1701         (JSC::JSScope::resolve):
1702         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
1703         (JSC::JSScope::abstractResolve):
1704         * runtime/LiteralParser.cpp:
1705         (JSC::LiteralParser<CharType>::tryJSONPParse):
1706         (JSC::LiteralParser<CharType>::parse):
1707         * runtime/Lookup.h:
1708         (JSC::putEntry):
1709         * runtime/MapConstructor.cpp:
1710         (JSC::constructMap):
1711         * runtime/NumberPrototype.cpp:
1712         (JSC::numberProtoFuncToString):
1713         * runtime/ObjectConstructor.cpp:
1714         (JSC::objectConstructorSetPrototypeOf):
1715         (JSC::objectConstructorGetOwnPropertyDescriptor):
1716         (JSC::objectConstructorGetOwnPropertyDescriptors):
1717         (JSC::objectConstructorAssign):
1718         (JSC::objectConstructorValues):
1719         (JSC::toPropertyDescriptor):
1720         (JSC::objectConstructorDefineProperty):
1721         (JSC::defineProperties):
1722         (JSC::objectConstructorDefineProperties):
1723         (JSC::ownPropertyKeys):
1724         * runtime/ObjectPrototype.cpp:
1725         (JSC::objectProtoFuncHasOwnProperty):
1726         (JSC::objectProtoFuncIsPrototypeOf):
1727         (JSC::objectProtoFuncLookupGetter):
1728         (JSC::objectProtoFuncLookupSetter):
1729         (JSC::objectProtoFuncToLocaleString):
1730         (JSC::objectProtoFuncToString):
1731         * runtime/Options.h:
1732         * runtime/ParseInt.h:
1733         (JSC::toStringView):
1734         * runtime/ProxyObject.cpp:
1735         (JSC::performProxyGet):
1736         (JSC::ProxyObject::performPut):
1737         * runtime/ReflectObject.cpp:
1738         (JSC::reflectObjectDefineProperty):
1739         * runtime/RegExpConstructor.cpp:
1740         (JSC::toFlags):
1741         (JSC::regExpCreate):
1742         (JSC::constructRegExp):
1743         * runtime/RegExpObject.cpp:
1744         (JSC::collectMatches):
1745         * runtime/RegExpObjectInlines.h:
1746         (JSC::RegExpObject::execInline):
1747         (JSC::RegExpObject::matchInline):
1748         * runtime/RegExpPrototype.cpp:
1749         (JSC::regExpProtoFuncTestFast):
1750         (JSC::regExpProtoFuncExec):
1751         (JSC::regExpProtoFuncMatchFast):
1752         (JSC::regExpProtoFuncToString):
1753         (JSC::regExpProtoFuncSplitFast):
1754         * runtime/ScriptExecutable.cpp:
1755         (JSC::ScriptExecutable::newCodeBlockFor):
1756         (JSC::ScriptExecutable::prepareForExecutionImpl):
1757         * runtime/SetConstructor.cpp:
1758         (JSC::constructSet):
1759         * runtime/ThrowScope.cpp:
1760         (JSC::ThrowScope::simulateThrow):
1761         * runtime/VM.cpp:
1762         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1763         * runtime/VM.h:
1764         * runtime/WeakMapPrototype.cpp:
1765         (JSC::protoFuncWeakMapSet):
1766         * runtime/WeakSetPrototype.cpp:
1767         (JSC::protoFuncWeakSetAdd):
1768         * wasm/js/WebAssemblyModuleConstructor.cpp:
1769         (JSC::WebAssemblyModuleConstructor::createModule):
1770         * wasm/js/WebAssemblyModuleRecord.cpp:
1771         (JSC::WebAssemblyModuleRecord::link):
1772         * wasm/js/WebAssemblyPrototype.cpp:
1773         (JSC::reject):
1774         (JSC::webAssemblyCompileFunc):
1775         (JSC::resolve):
1776         (JSC::webAssemblyInstantiateFunc):
1777
1778 2017-09-08  Filip Pizlo  <fpizlo@apple.com>
1779
1780         Error should compute .stack and friends lazily
1781         https://bugs.webkit.org/show_bug.cgi?id=176645
1782
1783         Reviewed by Saam Barati.
1784         
1785         Building the string portion of the stack trace after we walk the stack accounts for most of
1786         the cost of computing the .stack property. So, this patch makes ErrorInstance hold onto the
1787         Vector<StackFrame> so that it can build the string only once it's really needed.
1788         
1789         This is an enormous speed-up for programs that allocate and throw exceptions.
1790         
1791         It's a 5.6x speed-up for "new Error()" with a stack that is 4 functions deep.
1792         
1793         It's a 2.2x speed-up for throwing and catching an Error.
1794         
1795         It's a 1.17x speed-up for the WSL test suite (which throws a lot).
1796         
1797         It's a significant speed-up on many of our existing try-catch microbenchmarks. For example,
1798         delta-blue-try-catch is 1.16x faster.
1799
1800         * interpreter/Interpreter.cpp:
1801         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
1802         (JSC::GetStackTraceFunctor::operator() const):
1803         (JSC::Interpreter::getStackTrace):
1804         * interpreter/Interpreter.h:
1805         * runtime/Error.cpp:
1806         (JSC::getStackTrace):
1807         (JSC::getBytecodeOffset):
1808         (JSC::addErrorInfo):
1809         (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
1810         * runtime/Error.h:
1811         * runtime/ErrorInstance.cpp:
1812         (JSC::ErrorInstance::ErrorInstance):
1813         (JSC::ErrorInstance::finishCreation):
1814         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1815         (JSC::ErrorInstance::visitChildren):
1816         (JSC::ErrorInstance::getOwnPropertySlot):
1817         (JSC::ErrorInstance::getOwnNonIndexPropertyNames):
1818         (JSC::ErrorInstance::defineOwnProperty):
1819         (JSC::ErrorInstance::put):
1820         (JSC::ErrorInstance::deleteProperty):
1821         * runtime/ErrorInstance.h:
1822         * runtime/Exception.cpp:
1823         (JSC::Exception::visitChildren):
1824         (JSC::Exception::finishCreation):
1825         * runtime/Exception.h:
1826         * runtime/StackFrame.cpp:
1827         (JSC::StackFrame::visitChildren):
1828         * runtime/StackFrame.h:
1829         (JSC::StackFrame::StackFrame):
1830
1831 2017-09-09  Mark Lam  <mark.lam@apple.com>
1832
1833         [Re-landing] Use JIT probes for DFG OSR exit.
1834         https://bugs.webkit.org/show_bug.cgi?id=175144
1835         <rdar://problem/33437050>
1836
1837         Not reviewed.  Original patch reviewed by Saam Barati.
1838
1839         Relanding r221774.
1840
1841         * JavaScriptCore.xcodeproj/project.pbxproj:
1842         * assembler/MacroAssembler.cpp:
1843         (JSC::stdFunctionCallback):
1844         * assembler/MacroAssemblerPrinter.cpp:
1845         (JSC::Printer::printCallback):
1846         * assembler/ProbeContext.h:
1847         (JSC::Probe::CPUState::gpr const):
1848         (JSC::Probe::CPUState::spr const):
1849         (JSC::Probe::Context::Context):
1850         (JSC::Probe::Context::arg):
1851         (JSC::Probe::Context::gpr):
1852         (JSC::Probe::Context::spr):
1853         (JSC::Probe::Context::fpr):
1854         (JSC::Probe::Context::gprName):
1855         (JSC::Probe::Context::sprName):
1856         (JSC::Probe::Context::fprName):
1857         (JSC::Probe::Context::gpr const):
1858         (JSC::Probe::Context::spr const):
1859         (JSC::Probe::Context::fpr const):
1860         (JSC::Probe::Context::pc):
1861         (JSC::Probe::Context::fp):
1862         (JSC::Probe::Context::sp):
1863         (JSC::Probe:: const): Deleted.
1864         * assembler/ProbeFrame.h: Copied from Source/JavaScriptCore/assembler/ProbeFrame.h.
1865         * assembler/ProbeStack.cpp:
1866         (JSC::Probe::Page::Page):
1867         * assembler/ProbeStack.h:
1868         (JSC::Probe::Page::get):
1869         (JSC::Probe::Page::set):
1870         (JSC::Probe::Page::physicalAddressFor):
1871         (JSC::Probe::Stack::lowWatermark):
1872         (JSC::Probe::Stack::get):
1873         (JSC::Probe::Stack::set):
1874         * bytecode/ArithProfile.cpp:
1875         * bytecode/ArithProfile.h:
1876         * bytecode/ArrayProfile.h:
1877         (JSC::ArrayProfile::observeArrayMode):
1878         * bytecode/CodeBlock.cpp:
1879         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1880         * bytecode/CodeBlock.h:
1881         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
1882         * bytecode/ExecutionCounter.h:
1883         (JSC::ExecutionCounter::hasCrossedThreshold const):
1884         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
1885         * bytecode/MethodOfGettingAValueProfile.cpp:
1886         (JSC::MethodOfGettingAValueProfile::reportValue):
1887         * bytecode/MethodOfGettingAValueProfile.h:
1888         * dfg/DFGDriver.cpp:
1889         (JSC::DFG::compileImpl):
1890         * dfg/DFGJITCode.cpp:
1891         (JSC::DFG::JITCode::findPC): Deleted.
1892         * dfg/DFGJITCode.h:
1893         * dfg/DFGJITCompiler.cpp:
1894         (JSC::DFG::JITCompiler::linkOSRExits):
1895         (JSC::DFG::JITCompiler::link):
1896         * dfg/DFGOSRExit.cpp:
1897         (JSC::DFG::jsValueFor):
1898         (JSC::DFG::restoreCalleeSavesFor):
1899         (JSC::DFG::saveCalleeSavesFor):
1900         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
1901         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1902         (JSC::DFG::saveOrCopyCalleeSavesFor):
1903         (JSC::DFG::createDirectArgumentsDuringExit):
1904         (JSC::DFG::createClonedArgumentsDuringExit):
1905         (JSC::DFG::OSRExit::OSRExit):
1906         (JSC::DFG::emitRestoreArguments):
1907         (JSC::DFG::OSRExit::executeOSRExit):
1908         (JSC::DFG::reifyInlinedCallFrames):
1909         (JSC::DFG::adjustAndJumpToTarget):
1910         (JSC::DFG::printOSRExit):
1911         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
1912         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
1913         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
1914         (JSC::DFG::OSRExit::correctJump): Deleted.
1915         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
1916         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
1917         (JSC::DFG::OSRExit::compileExit): Deleted.
1918         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
1919         * dfg/DFGOSRExit.h:
1920         (JSC::DFG::OSRExitState::OSRExitState):
1921         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
1922         * dfg/DFGOSRExitCompilerCommon.cpp:
1923         * dfg/DFGOSRExitCompilerCommon.h:
1924         * dfg/DFGOperations.cpp:
1925         * dfg/DFGOperations.h:
1926         * dfg/DFGThunks.cpp:
1927         (JSC::DFG::osrExitThunkGenerator):
1928         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
1929         * dfg/DFGThunks.h:
1930         * jit/AssemblyHelpers.cpp:
1931         (JSC::AssemblyHelpers::debugCall): Deleted.
1932         * jit/AssemblyHelpers.h:
1933         * jit/JITOperations.cpp:
1934         * jit/JITOperations.h:
1935         * profiler/ProfilerOSRExit.h:
1936         (JSC::Profiler::OSRExit::incCount):
1937         * runtime/JSCJSValue.h:
1938         * runtime/JSCJSValueInlines.h:
1939         * runtime/VM.h:
1940
1941 2017-09-09  Ryan Haddad  <ryanhaddad@apple.com>
1942
1943         Unreviewed, rolling out r221774.
1944
1945         This change introduced three debug JSC test timeouts.
1946
1947         Reverted changeset:
1948
1949         "Use JIT probes for DFG OSR exit."
1950         https://bugs.webkit.org/show_bug.cgi?id=175144
1951         http://trac.webkit.org/changeset/221774
1952
1953 2017-09-09  Mark Lam  <mark.lam@apple.com>
1954
1955         Avoid duplicate computations of ExecState::vm().
1956         https://bugs.webkit.org/show_bug.cgi?id=176647
1957
1958         Reviewed by Saam Barati.
1959
1960         Because while computing ExecState::vm() is cheap, it is not free.
1961
1962         This patch also:
1963         1. gets rid of some convenience methods in CallFrame that implicitly do an
1964            ExecState::vm() computation.  This minimizes the chance of us accidentally
1965            computing ExecState::vm() more than necessary.
1966         2. passes vm (when available) to methodTable().
1967         3. passes vm (when available) to JSLockHolder.
1968
1969         * API/JSBase.cpp:
1970         (JSCheckScriptSyntax):
1971         (JSGarbageCollect):
1972         (JSReportExtraMemoryCost):
1973         (JSSynchronousGarbageCollectForDebugging):
1974         (JSSynchronousEdenCollectForDebugging):
1975         * API/JSCallbackConstructor.h:
1976         (JSC::JSCallbackConstructor::create):
1977         * API/JSCallbackObject.h:
1978         (JSC::JSCallbackObject::create):
1979         * API/JSContext.mm:
1980         (-[JSContext setException:]):
1981         * API/JSContextRef.cpp:
1982         (JSContextGetGlobalObject):
1983         (JSContextCreateBacktrace):
1984         * API/JSManagedValue.mm:
1985         (-[JSManagedValue value]):
1986         * API/JSObjectRef.cpp:
1987         (JSObjectMake):
1988         (JSObjectMakeFunctionWithCallback):
1989         (JSObjectMakeConstructor):
1990         (JSObjectMakeFunction):
1991         (JSObjectSetPrototype):
1992         (JSObjectHasProperty):
1993         (JSObjectGetProperty):
1994         (JSObjectSetProperty):
1995         (JSObjectSetPropertyAtIndex):
1996         (JSObjectDeleteProperty):
1997         (JSObjectGetPrivateProperty):
1998         (JSObjectSetPrivateProperty):
1999         (JSObjectDeletePrivateProperty):
2000         (JSObjectIsFunction):
2001         (JSObjectCallAsFunction):
2002         (JSObjectCallAsConstructor):
2003         (JSObjectCopyPropertyNames):
2004         (JSPropertyNameAccumulatorAddName):
2005         * API/JSScriptRef.cpp:
2006         * API/JSTypedArray.cpp:
2007         (JSValueGetTypedArrayType):
2008         (JSObjectMakeTypedArrayWithArrayBuffer):
2009         (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
2010         (JSObjectGetTypedArrayBytesPtr):
2011         (JSObjectGetTypedArrayBuffer):
2012         (JSObjectMakeArrayBufferWithBytesNoCopy):
2013         (JSObjectGetArrayBufferBytesPtr):
2014         * API/JSWeakObjectMapRefPrivate.cpp:
2015         * API/JSWrapperMap.mm:
2016         (constructorHasInstance):
2017         (makeWrapper):
2018         * API/ObjCCallbackFunction.mm:
2019         (objCCallbackFunctionForInvocation):
2020         * bytecode/CodeBlock.cpp:
2021         (JSC::CodeBlock::CodeBlock):
2022         (JSC::CodeBlock::jettison):
2023         * bytecode/CodeBlock.h:
2024         (JSC::CodeBlock::addConstant):
2025         (JSC::CodeBlock::replaceConstant):
2026         * bytecode/PutByIdStatus.cpp:
2027         (JSC::PutByIdStatus::computeFromLLInt):
2028         (JSC::PutByIdStatus::computeFor):
2029         * dfg/DFGDesiredWatchpoints.cpp:
2030         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2031         * dfg/DFGGraph.h:
2032         (JSC::DFG::Graph::globalThisObjectFor):
2033         * dfg/DFGOperations.cpp:
2034         * ftl/FTLOSRExitCompiler.cpp:
2035         (JSC::FTL::compileFTLOSRExit):
2036         * ftl/FTLOperations.cpp:
2037         (JSC::FTL::operationPopulateObjectInOSR):
2038         (JSC::FTL::operationMaterializeObjectInOSR):
2039         * heap/GCAssertions.h:
2040         * inspector/InjectedScriptHost.cpp:
2041         (Inspector::InjectedScriptHost::wrapper):
2042         * inspector/JSInjectedScriptHost.cpp:
2043         (Inspector::JSInjectedScriptHost::subtype):
2044         (Inspector::constructInternalProperty):
2045         (Inspector::JSInjectedScriptHost::getInternalProperties):
2046         (Inspector::JSInjectedScriptHost::weakMapEntries):
2047         (Inspector::JSInjectedScriptHost::weakSetEntries):
2048         (Inspector::JSInjectedScriptHost::iteratorEntries):
2049         * inspector/JSJavaScriptCallFrame.cpp:
2050         (Inspector::valueForScopeLocation):
2051         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2052         (Inspector::toJS):
2053         * inspector/ScriptCallStackFactory.cpp:
2054         (Inspector::extractSourceInformationFromException):
2055         (Inspector::createScriptArguments):
2056         * interpreter/CachedCall.h:
2057         (JSC::CachedCall::CachedCall):
2058         * interpreter/CallFrame.h:
2059         (JSC::ExecState::atomicStringTable const): Deleted.
2060         (JSC::ExecState::propertyNames const): Deleted.
2061         (JSC::ExecState::emptyList const): Deleted.
2062         (JSC::ExecState::interpreter): Deleted.
2063         (JSC::ExecState::heap): Deleted.
2064         * interpreter/Interpreter.cpp:
2065         (JSC::Interpreter::executeProgram):
2066         (JSC::Interpreter::execute):
2067         (JSC::Interpreter::executeModuleProgram):
2068         * jit/JIT.cpp:
2069         (JSC::JIT::privateCompileMainPass):
2070         * jit/JITOperations.cpp:
2071         * jit/JITWorklist.cpp:
2072         (JSC::JITWorklist::compileNow):
2073         * jsc.cpp:
2074         (WTF::RuntimeArray::create):
2075         (WTF::RuntimeArray::getOwnPropertySlot):
2076         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
2077         (WTF::DOMJITFunctionObject::unsafeFunction):
2078         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
2079         (GlobalObject::moduleLoaderFetch):
2080         (functionDumpCallFrame):
2081         (functionCreateRoot):
2082         (functionGetElement):
2083         (functionSetElementRoot):
2084         (functionCreateSimpleObject):
2085         (functionSetHiddenValue):
2086         (functionCreateProxy):
2087         (functionCreateImpureGetter):
2088         (functionCreateCustomGetterObject):
2089         (functionCreateDOMJITNodeObject):
2090         (functionCreateDOMJITGetterObject):
2091         (functionCreateDOMJITGetterComplexObject):
2092         (functionCreateDOMJITFunctionObject):
2093         (functionCreateDOMJITCheckSubClassObject):
2094         (functionGCAndSweep):
2095         (functionFullGC):
2096         (functionEdenGC):
2097         (functionHeapSize):
2098         (functionShadowChickenFunctionsOnStack):
2099         (functionSetGlobalConstRedeclarationShouldNotThrow):
2100         (functionJSCOptions):
2101         (functionFailNextNewCodeBlock):
2102         (functionMakeMasquerader):
2103         (functionDumpTypesForAllVariables):
2104         (functionFindTypeForExpression):
2105         (functionReturnTypeFor):
2106         (functionDumpBasicBlockExecutionRanges):
2107         (functionBasicBlockExecutionCount):
2108         (functionDrainMicrotasks):
2109         (functionGenerateHeapSnapshot):
2110         (functionEnsureArrayStorage):
2111         (functionStartSamplingProfiler):
2112         (runInteractive):
2113         * llint/LLIntSlowPaths.cpp:
2114         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2115         * parser/ModuleAnalyzer.cpp:
2116         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2117         * profiler/ProfilerBytecode.cpp:
2118         (JSC::Profiler::Bytecode::toJS const):
2119         * profiler/ProfilerBytecodeSequence.cpp:
2120         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
2121         * profiler/ProfilerBytecodes.cpp:
2122         (JSC::Profiler::Bytecodes::toJS const):
2123         * profiler/ProfilerCompilation.cpp:
2124         (JSC::Profiler::Compilation::toJS const):
2125         * profiler/ProfilerCompiledBytecode.cpp:
2126         (JSC::Profiler::CompiledBytecode::toJS const):
2127         * profiler/ProfilerDatabase.cpp:
2128         (JSC::Profiler::Database::toJS const):
2129         * profiler/ProfilerEvent.cpp:
2130         (JSC::Profiler::Event::toJS const):
2131         * profiler/ProfilerOSRExit.cpp:
2132         (JSC::Profiler::OSRExit::toJS const):
2133         * profiler/ProfilerOrigin.cpp:
2134         (JSC::Profiler::Origin::toJS const):
2135         * profiler/ProfilerProfiledBytecodes.cpp:
2136         (JSC::Profiler::ProfiledBytecodes::toJS const):
2137         * runtime/AbstractModuleRecord.cpp:
2138         (JSC::identifierToJSValue):
2139         (JSC::AbstractModuleRecord::resolveExportImpl):
2140         (JSC::getExportedNames):
2141         * runtime/ArrayPrototype.cpp:
2142         (JSC::arrayProtoFuncToString):
2143         (JSC::arrayProtoFuncToLocaleString):
2144         * runtime/BooleanConstructor.cpp:
2145         (JSC::constructBooleanFromImmediateBoolean):
2146         * runtime/CallData.cpp:
2147         (JSC::call):
2148         * runtime/CommonSlowPaths.cpp:
2149         (JSC::SLOW_PATH_DECL):
2150         * runtime/CommonSlowPaths.h:
2151         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2152         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2153         * runtime/Completion.cpp:
2154         (JSC::checkSyntax):
2155         (JSC::evaluate):
2156         (JSC::loadAndEvaluateModule):
2157         (JSC::loadModule):
2158         (JSC::linkAndEvaluateModule):
2159         (JSC::importModule):
2160         * runtime/ConstructData.cpp:
2161         (JSC::construct):
2162         * runtime/DatePrototype.cpp:
2163         (JSC::dateProtoFuncToJSON):
2164         * runtime/DirectArguments.h:
2165         (JSC::DirectArguments::length const):
2166         * runtime/DirectEvalExecutable.cpp:
2167         (JSC::DirectEvalExecutable::create):
2168         * runtime/ErrorPrototype.cpp:
2169         (JSC::errorProtoFuncToString):
2170         * runtime/ExceptionHelpers.cpp:
2171         (JSC::createUndefinedVariableError):
2172         (JSC::errorDescriptionForValue):
2173         * runtime/FunctionConstructor.cpp:
2174         (JSC::constructFunction):
2175         * runtime/GenericArgumentsInlines.h:
2176         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2177         * runtime/IdentifierInlines.h:
2178         (JSC::Identifier::add):
2179         * runtime/IndirectEvalExecutable.cpp:
2180         (JSC::IndirectEvalExecutable::create):
2181         * runtime/InternalFunction.cpp:
2182         (JSC::InternalFunction::finishCreation):
2183         (JSC::InternalFunction::createSubclassStructureSlow):
2184         * runtime/JSArray.cpp:
2185         (JSC::JSArray::getOwnPropertySlot):
2186         (JSC::JSArray::put):
2187         (JSC::JSArray::deleteProperty):
2188         (JSC::JSArray::getOwnNonIndexPropertyNames):
2189         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
2190         * runtime/JSArray.h:
2191         (JSC::JSArray::shiftCountForShift):
2192         * runtime/JSCJSValue.cpp:
2193         (JSC::JSValue::dumpForBacktrace const):
2194         * runtime/JSDataView.cpp:
2195         (JSC::JSDataView::getOwnPropertySlot):
2196         (JSC::JSDataView::deleteProperty):
2197         (JSC::JSDataView::getOwnNonIndexPropertyNames):
2198         * runtime/JSFunction.cpp:
2199         (JSC::JSFunction::getOwnPropertySlot):
2200         (JSC::JSFunction::deleteProperty):
2201         (JSC::JSFunction::reifyName):
2202         * runtime/JSGlobalObjectFunctions.cpp:
2203         (JSC::globalFuncEval):
2204         * runtime/JSInternalPromise.cpp:
2205         (JSC::JSInternalPromise::then):
2206         * runtime/JSLexicalEnvironment.cpp:
2207         (JSC::JSLexicalEnvironment::deleteProperty):
2208         * runtime/JSMap.cpp:
2209         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
2210         * runtime/JSMapIterator.h:
2211         (JSC::JSMapIterator::advanceIter):
2212         * runtime/JSModuleEnvironment.cpp:
2213         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
2214         * runtime/JSModuleLoader.cpp:
2215         (JSC::printableModuleKey):
2216         (JSC::JSModuleLoader::provide):
2217         (JSC::JSModuleLoader::loadAndEvaluateModule):
2218         (JSC::JSModuleLoader::loadModule):
2219         (JSC::JSModuleLoader::linkAndEvaluateModule):
2220         (JSC::JSModuleLoader::requestImportModule):
2221         * runtime/JSModuleNamespaceObject.h:
2222         * runtime/JSModuleRecord.cpp:
2223         (JSC::JSModuleRecord::evaluate):
2224         * runtime/JSONObject.cpp:
2225         (JSC::Stringifier::Stringifier):
2226         (JSC::Stringifier::appendStringifiedValue):
2227         (JSC::Stringifier::Holder::appendNextProperty):
2228         * runtime/JSObject.cpp:
2229         (JSC::JSObject::calculatedClassName):
2230         (JSC::JSObject::putByIndex):
2231         (JSC::JSObject::ordinaryToPrimitive const):
2232         (JSC::JSObject::toPrimitive const):
2233         (JSC::JSObject::hasInstance):
2234         (JSC::JSObject::getOwnPropertyNames):
2235         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2236         (JSC::getCustomGetterSetterFunctionForGetterSetter):
2237         (JSC::JSObject::getOwnPropertyDescriptor):
2238         (JSC::JSObject::getMethod):
2239         * runtime/JSObject.h:
2240         (JSC::JSObject::createRawObject):
2241         (JSC::JSFinalObject::create):
2242         * runtime/JSObjectInlines.h:
2243         (JSC::JSObject::canPerformFastPutInline):
2244         (JSC::JSObject::putInlineForJSObject):
2245         (JSC::JSObject::hasOwnProperty const):
2246         * runtime/JSScope.cpp:
2247         (JSC::isUnscopable):
2248         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
2249         * runtime/JSSet.cpp:
2250         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
2251         * runtime/JSSetIterator.h:
2252         (JSC::JSSetIterator::advanceIter):
2253         * runtime/JSString.cpp:
2254         (JSC::JSString::getStringPropertyDescriptor):
2255         * runtime/JSString.h:
2256         (JSC::JSString::getStringPropertySlot):
2257         * runtime/MapConstructor.cpp:
2258         (JSC::constructMap):
2259         * runtime/ModuleProgramExecutable.cpp:
2260         (JSC::ModuleProgramExecutable::create):
2261         * runtime/ObjectPrototype.cpp:
2262         (JSC::objectProtoFuncToLocaleString):
2263         * runtime/ProgramExecutable.h:
2264         * runtime/RegExpObject.cpp:
2265         (JSC::RegExpObject::getOwnPropertySlot):
2266         (JSC::RegExpObject::deleteProperty):
2267         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
2268         (JSC::RegExpObject::getPropertyNames):
2269         (JSC::RegExpObject::getGenericPropertyNames):
2270         (JSC::RegExpObject::put):
2271         * runtime/ScopedArguments.h:
2272         (JSC::ScopedArguments::length const):
2273         * runtime/StrictEvalActivation.h:
2274         (JSC::StrictEvalActivation::create):
2275         * runtime/StringObject.cpp:
2276         (JSC::isStringOwnProperty):
2277         (JSC::StringObject::deleteProperty):
2278         (JSC::StringObject::getOwnNonIndexPropertyNames):
2279         * tools/JSDollarVMPrototype.cpp:
2280         (JSC::JSDollarVMPrototype::gc):
2281         (JSC::JSDollarVMPrototype::edenGC):
2282         * wasm/js/WebAssemblyModuleRecord.cpp:
2283         (JSC::WebAssemblyModuleRecord::evaluate):
2284
2285 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2286
2287         [DFG] NewArrayWithSize(size)'s size does not care negative zero
2288         https://bugs.webkit.org/show_bug.cgi?id=176300
2289
2290         Reviewed by Saam Barati.
2291
2292         NewArrayWithSize(size)'s size does not care about negative zero, the
2293         same as NewTypedArray. We propagate this information
2294         in DFGBackwardsPropagationPhase. This removes the negative zero
2295         check in kraken fft's deinterleave function.
2296
2297         * dfg/DFGBackwardsPropagationPhase.cpp:
2298         (JSC::DFG::BackwardsPropagationPhase::propagate):
2299
2300 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2301
2302         [DFG] PutByVal with Array::Generic is too generic
2303         https://bugs.webkit.org/show_bug.cgi?id=176345
2304
2305         Reviewed by Filip Pizlo.
2306
2307         Our DFG/FTL's PutByVal with Array::Generic is too generic an implementation.
2308         We could have a case like,
2309
2310             dst[key] = src[key];
2311
2312         with string or symbol keys. But they are handled in the slow path.
2313         This patch adds PutByVal(CellUse, StringUse/SymbolUse, UntypedUse). They go
2314         to an optimized path that does not have generic checks (isInt32() / isDouble(), etc.).
2315
2316         This improves SixSpeed object-assign.es5 by 9.1%.
2317
2318         object-assign.es5             424.3159+-11.0471    ^    388.8771+-10.9239       ^ definitely 1.0911x faster
2319
2320         * dfg/DFGFixupPhase.cpp:
2321         (JSC::DFG::FixupPhase::fixupNode):
2322         * dfg/DFGOperations.cpp:
2323         (JSC::DFG::putByVal):
2324         (JSC::DFG::putByValInternal):
2325         (JSC::DFG::putByValCellInternal):
2326         (JSC::DFG::putByValCellStringInternal):
2327         (JSC::DFG::operationPutByValInternal): Deleted.
2328         * dfg/DFGOperations.h:
2329         * dfg/DFGSpeculativeJIT.cpp:
2330         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString):
2331         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol):
2332         * dfg/DFGSpeculativeJIT.h:
2333         (JSC::DFG::SpeculativeJIT::callOperation):
2334         * dfg/DFGSpeculativeJIT32_64.cpp:
2335         (JSC::DFG::SpeculativeJIT::compile):
2336         * dfg/DFGSpeculativeJIT64.cpp:
2337         (JSC::DFG::SpeculativeJIT::compile):
2338         * ftl/FTLLowerDFGToB3.cpp:
2339         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2340         * jit/JITOperations.h:
2341
2342 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2343
2344         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
2345         https://bugs.webkit.org/show_bug.cgi?id=176590
2346
2347         Reviewed by Saam Barati.
2348
2349         We add fixup edges for GetByVal(Array::Generic) to call a faster operation instead of the generic operationGetByVal.
2350
2351                                          baseline                  patched
2352
2353         object-iterate                5.8531+-0.3029            5.7903+-0.2795          might be 1.0108x faster
2354         object-iterate-symbols        7.4099+-0.3993     ^      5.8254+-0.2276        ^ definitely 1.2720x faster
2355
2356         * dfg/DFGFixupPhase.cpp:
2357         (JSC::DFG::FixupPhase::fixupNode):
2358         * dfg/DFGOperations.cpp:
2359         (JSC::DFG::getByValObject):
2360         * dfg/DFGOperations.h:
2361         * dfg/DFGSpeculativeJIT.cpp:
2362         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
2363         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
2364         * dfg/DFGSpeculativeJIT.h:
2365         * dfg/DFGSpeculativeJIT32_64.cpp:
2366         (JSC::DFG::SpeculativeJIT::compile):
2367         * dfg/DFGSpeculativeJIT64.cpp:
2368         (JSC::DFG::SpeculativeJIT::compile):
2369         * ftl/FTLLowerDFGToB3.cpp:
2370         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
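
The following JavaScript is an added illustration, not code from the WebKit ChangeLog or from the SixSpeed benchmark, of the `obj[key]` shape that the two entries above (PutByVal with string/symbol keys, and GetByVal(ObjectUse, StringUse/SymbolUse)) optimize: an Object.assign-like copy loop and a symbol-keyed read loop. The function names and the sample objects are constructed for the example.

```javascript
// Added example (not from the WebKit ChangeLog): the obj[key] access pattern
// with string and symbol keys that the GetByVal/PutByVal entries refer to.

// Copy every own enumerable property, string- and symbol-keyed, from src to dst.
// The loop body is the `dst[key] = src[key]` shape from the ChangeLog entry:
// `key` is a string or a symbol, never an integer index, so the engine cannot
// use the array fast path and must look the property up by name.
function assignOwn(dst, src) {
  for (const key of Reflect.ownKeys(src)) {
    const desc = Object.getOwnPropertyDescriptor(src, key);
    if (desc && desc.enumerable) {
      dst[key] = src[key]; // GetByVal then PutByVal, both keyed by string/symbol
    }
  }
  return dst;
}

// Read a list of values by symbol keys (the object-iterate-symbols shape).
function sumBySymbols(obj, keys) {
  let total = 0;
  for (const key of keys) {
    total += obj[key]; // GetByVal(ObjectUse, SymbolUse)
  }
  return total;
}

// Constructed sample input: a mix of enumerable and non-enumerable,
// string- and symbol-keyed properties.
const tag = Symbol('tag');
const hidden = Symbol('hidden');
const source = { a: 1, b: 2, [tag]: 'x' };
Object.defineProperty(source, 'secret', { value: 42, enumerable: false });
Object.defineProperty(source, hidden, { value: 'h', enumerable: false });

// Runs the copy and reports which properties made it across.
function demo() {
  const out = assignOwn({}, source);
  return {
    copiedA: out.a,            // 1
    copiedTag: out[tag],       // 'x'
    hasSecret: 'secret' in out, // false: non-enumerable, skipped
    hasHidden: hidden in out,   // false: non-enumerable symbol, skipped
  };
}
```

Only enumerable own properties are copied, which matches Object.assign semantics; the non-enumerable ones show that the loop is keyed by name and not by index.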
2371
2372 2017-09-07  Mark Lam  <mark.lam@apple.com>
2373
2374         Use JIT probes for DFG OSR exit.
2375         https://bugs.webkit.org/show_bug.cgi?id=175144
2376         <rdar://problem/33437050>
2377
2378         Reviewed by Saam Barati.
2379
2380         This patch does the following:
2381         1. Replaces osrExitGenerationThunkGenerator() with osrExitThunkGenerator().
2382            While osrExitGenerationThunkGenerator() generates a thunk that compiles a
2383            unique OSR offramp for each DFG OSR exit site, osrExitThunkGenerator()
2384            generates a thunk that just executes the OSR exit.
2385
2386            The osrExitThunkGenerator() generated thunk works by using a single JIT probe
2387            to call OSRExit::executeOSRExit().  The JIT probe takes care of preserving
2388            CPU registers, and providing the Probe::Stack mechanism for modifying the
2389            stack frame.
2390
2391            OSRExit::executeOSRExit() replaces OSRExit::compileOSRExit() and
2392            OSRExit::compileExit().  It is basically a re-write of those functions to
2393            execute the OSR exit work instead of compiling code to execute the work.
2394
2395            As a result, we get the following savings:
2396            a. no more OSR exit ramp compilation time.
2397            b. no use of JIT executable memory for storing each unique OSR exit ramp.
2398
2399            On the negative side, we incur these costs:
2400
2401            c. the OSRExit::executeOSRExit() ramp may be a little slower than the compiled
2402               version of the ramp.  However, OSR exits are rare.  Hence, this small
2403               difference should not matter much.  It is also offset by the savings from
2404               (a).
2405
2406            d. the Probe::Stack allocates 1K pages of memory for buffering stack
2407               modifications.  The number of these pages depends on the span of stack memory
2408               that the OSR exit ramp reads from and writes to.  Since the OSR exit ramp
2409               tends to only modify values in the current DFG frame and the current
2410               VMEntryRecord, the number of pages tends to only be 1 or 2.
2411
2412               Using the jsc tests as a workload, the vast majority of tests that do OSR
2413               exit use 3 or fewer 1K pages (with the overwhelming number using just 1 page).
2414               A few tests that are pathological use up to 14 pages, and one particularly
2415               bad test (function-apply-many-args.js) uses 513 pages.
2416
2417            Similar to the old code, the OSR exit ramp still has 2 parts: 1 part that is
2418            only executed once to compute some values for the exit site that are used by
2419            all exit operations from that site, and a 2nd part to execute the exit.  The
2420            1st part is protected by checking if exit.exitState has already been
2421            initialized.  The computed values are cached in exit.exitState.
2422
2423            Because the OSR exit thunk no longer compiles an OSR exit off-ramp, we no
2424            longer need the facility to patch the site that jumps to the OSR exit ramp.
2425            The DFG::JITCompiler has been modified to remove this patching code.
2426
2427         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
2428            std::memcpy to avoid strict aliasing issues.
2429
2430            Also optimized the implementation of Probe::Stack::physicalAddressFor().
2431
2432         3. Miscellaneous convenience methods added to make the Probe::Context easier to
2433            use.
2434
2435         4. Added a Probe::Frame class that makes it easier to get/set operands and
2436            arguments in a given frame using the deferred write properties of the
2437            Probe::Stack.  Probe::Frame makes it easier to do some of the recovery work in
2438            the OSR exit ramp.
2439
2440         5. Cloned or converted some functions needed by the OSR exit ramp.  The original
2441            JIT versions of these functions are still left in place because they are still
2442            needed for FTL OSR exit.  A FIXME comment has been added to remove them later.
2443            These functions include:
2444
2445            DFGOSRExitCompilerCommon.cpp's handleExitCounts() ==>
2446                CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize()
2447            DFGOSRExitCompilerCommon.cpp's reifyInlinedCallFrames() ==>
2448                DFGOSRExit.cpp's reifyInlinedCallFrames()
2449            DFGOSRExitCompilerCommon.cpp's adjustAndJumpToTarget() ==>
2450                DFGOSRExit.cpp's adjustAndJumpToTarget()
2451
2452            MethodOfGettingAValueProfile::emitReportValue() ==>
2453                MethodOfGettingAValueProfile::reportValue()
2454
2455            DFGOperations.cpp's operationCreateDirectArgumentsDuringExit() ==>
2456                DFGOSRExit.cpp's createDirectArgumentsDuringExit()
2457            DFGOperations.cpp's operationCreateClonedArgumentsDuringExit() ==>
2458                DFGOSRExit.cpp's createClonedArgumentsDuringExit()
2459
2460         * JavaScriptCore.xcodeproj/project.pbxproj:
2461         * assembler/MacroAssembler.cpp:
2462         (JSC::stdFunctionCallback):
2463         * assembler/MacroAssemblerPrinter.cpp:
2464         (JSC::Printer::printCallback):
2465         * assembler/ProbeContext.h:
2466         (JSC::Probe::CPUState::gpr const):
2467         (JSC::Probe::CPUState::spr const):
2468         (JSC::Probe::Context::Context):
2469         (JSC::Probe::Context::arg):
2470         (JSC::Probe::Context::gpr):
2471         (JSC::Probe::Context::spr):
2472         (JSC::Probe::Context::fpr):
2473         (JSC::Probe::Context::gprName):
2474         (JSC::Probe::Context::sprName):
2475         (JSC::Probe::Context::fprName):
2476         (JSC::Probe::Context::gpr const):
2477         (JSC::Probe::Context::spr const):
2478         (JSC::Probe::Context::fpr const):
2479         (JSC::Probe::Context::pc):
2480         (JSC::Probe::Context::fp):
2481         (JSC::Probe::Context::sp):
2482         (JSC::Probe:: const): Deleted.
2483         * assembler/ProbeFrame.h: Added.
2484         (JSC::Probe::Frame::Frame):
2485         (JSC::Probe::Frame::getArgument):
2486         (JSC::Probe::Frame::getOperand):
2487         (JSC::Probe::Frame::get):
2488         (JSC::Probe::Frame::setArgument):
2489         (JSC::Probe::Frame::setOperand):
2490         (JSC::Probe::Frame::set):
2491         * assembler/ProbeStack.cpp:
2492         (JSC::Probe::Page::Page):
2493         * assembler/ProbeStack.h:
2494         (JSC::Probe::Page::get):
2495         (JSC::Probe::Page::set):
2496         (JSC::Probe::Page::physicalAddressFor):
2497         (JSC::Probe::Stack::lowWatermark):
2498         (JSC::Probe::Stack::get):
2499         (JSC::Probe::Stack::set):
2500         * bytecode/ArithProfile.cpp:
2501         * bytecode/ArithProfile.h:
2502         * bytecode/ArrayProfile.h:
2503         (JSC::ArrayProfile::observeArrayMode):
2504         * bytecode/CodeBlock.cpp:
2505         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
2506         * bytecode/CodeBlock.h:
2507         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
2508         * bytecode/ExecutionCounter.h:
2509         (JSC::ExecutionCounter::hasCrossedThreshold const):
2510         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
2511         * bytecode/MethodOfGettingAValueProfile.cpp:
2512         (JSC::MethodOfGettingAValueProfile::reportValue):
2513         * bytecode/MethodOfGettingAValueProfile.h:
2514         * dfg/DFGDriver.cpp:
2515         (JSC::DFG::compileImpl):
2516         * dfg/DFGJITCode.cpp:
2517         (JSC::DFG::JITCode::findPC): Deleted.
2518         * dfg/DFGJITCode.h:
2519         * dfg/DFGJITCompiler.cpp:
2520         (JSC::DFG::JITCompiler::linkOSRExits):
2521         (JSC::DFG::JITCompiler::link):
2522         * dfg/DFGOSRExit.cpp:
2523         (JSC::DFG::jsValueFor):
2524         (JSC::DFG::restoreCalleeSavesFor):
2525         (JSC::DFG::saveCalleeSavesFor):
2526         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
2527         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2528         (JSC::DFG::saveOrCopyCalleeSavesFor):
2529         (JSC::DFG::createDirectArgumentsDuringExit):
2530         (JSC::DFG::createClonedArgumentsDuringExit):
2531         (JSC::DFG::OSRExit::OSRExit):
2532         (JSC::DFG::emitRestoreArguments):
2533         (JSC::DFG::OSRExit::executeOSRExit):
2534         (JSC::DFG::reifyInlinedCallFrames):
2535         (JSC::DFG::adjustAndJumpToTarget):
2536         (JSC::DFG::printOSRExit):
2537         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
2538         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
2539         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
2540         (JSC::DFG::OSRExit::correctJump): Deleted.
2541         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
2542         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
2543         (JSC::DFG::OSRExit::compileExit): Deleted.
2544         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
2545         * dfg/DFGOSRExit.h:
2546         (JSC::DFG::OSRExitState::OSRExitState):
2547         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
2548         * dfg/DFGOSRExitCompilerCommon.cpp:
2549         * dfg/DFGOSRExitCompilerCommon.h:
2550         * dfg/DFGOperations.cpp:
2551         * dfg/DFGOperations.h:
2552         * dfg/DFGThunks.cpp:
2553         (JSC::DFG::osrExitThunkGenerator):
2554         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
2555         * dfg/DFGThunks.h:
2556         * jit/AssemblyHelpers.cpp:
2557         (JSC::AssemblyHelpers::debugCall): Deleted.
2558         * jit/AssemblyHelpers.h:
2559         * jit/JITOperations.cpp:
2560         * jit/JITOperations.h:
2561         * profiler/ProfilerOSRExit.h:
2562         (JSC::Profiler::OSRExit::incCount):
2563         * runtime/JSCJSValue.h:
2564         * runtime/JSCJSValueInlines.h:
2565         * runtime/VM.h:
2566
2567 2017-09-07  Michael Saboff  <msaboff@apple.com>
2568
2569         Add support for RegExp named capture groups
2570         https://bugs.webkit.org/show_bug.cgi?id=176435
2571
2572         Reviewed by Filip Pizlo.
2573
2574         Added parsing both for naming a captured parenthesis and for using a named group in
2575         a back reference.  Also added support for using named groups with String.prototype.replace().
2576
2577         This patch does not throw Syntax Errors as described in the current spec text for the two
2578         cases of malformed back references in String.prototype.replace() as I believe that it
2579         is inconsistent with the current semantics for handling of other malformed replacement
2580         tokens.  I filed an issue for the requested change to the proposed spec and also filed
2581         a FIXME bug https://bugs.webkit.org/show_bug.cgi?id=176434.
2582
2583         This patch does not implement strength reduction in the optimizing JITs for named capture
2584         groups.  Filed https://bugs.webkit.org/show_bug.cgi?id=176464.
2585
2586         * dfg/DFGAbstractInterpreterInlines.h:
2587         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2588         * dfg/DFGStrengthReductionPhase.cpp:
2589         (JSC::DFG::StrengthReductionPhase::handleNode):
2590         * runtime/CommonIdentifiers.h:
2591         * runtime/JSGlobalObject.cpp:
2592         (JSC::JSGlobalObject::init):
2593         (JSC::JSGlobalObject::haveABadTime):
2594         * runtime/JSGlobalObject.h:
2595         (JSC::JSGlobalObject::regExpMatchesArrayWithGroupsStructure const):
2596         * runtime/RegExp.cpp:
2597         (JSC::RegExp::finishCreation):
2598         * runtime/RegExp.h:
2599         * runtime/RegExpMatchesArray.cpp:
2600         (JSC::createStructureImpl):
2601         (JSC::createRegExpMatchesArrayWithGroupsStructure):
2602         (JSC::createRegExpMatchesArrayWithGroupsSlowPutStructure):
2603         * runtime/RegExpMatchesArray.h:
2604         (JSC::createRegExpMatchesArray):
2605         * runtime/StringPrototype.cpp:
2606         (JSC::substituteBackreferencesSlow):
2607         (JSC::replaceUsingRegExpSearch):
2608         * yarr/YarrParser.h:
2609         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
2610         (JSC::Yarr::Parser::parseEscape):
2611         (JSC::Yarr::Parser::parseParenthesesBegin):
2612         (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
2613         (JSC::Yarr::Parser::tryConsumeIdentifierCharacter):
2614         (JSC::Yarr::Parser::isIdentifierStart):
2615         (JSC::Yarr::Parser::isIdentifierPart):
2616         (JSC::Yarr::Parser::tryConsumeGroupName):
2617         * yarr/YarrPattern.cpp:
2618         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
2619         (JSC::Yarr::YarrPatternConstructor::atomNamedBackReference):
2620         (JSC::Yarr::YarrPattern::errorMessage):
2621         * yarr/YarrPattern.h:
2622         (JSC::Yarr::YarrPattern::reset):
2623         * yarr/YarrSyntaxChecker.cpp:
2624         (JSC::Yarr::SyntaxChecker::atomParenthesesSubpatternBegin):
2625         (JSC::Yarr::SyntaxChecker::atomNamedBackReference):
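
As an added example (not part of the ChangeLog entry or of the WebKit test suite), the following JavaScript exercises the three pieces of the feature described above: named groups and the `groups` object on the match result, `\k<name>` back references, and `$<name>` substitution in String.prototype.replace(). Function names and inputs are constructed for the example.

```javascript
// Added example (not from the WebKit ChangeLog): RegExp named capture groups,
// named back references and $<name> replacement tokens.

// Named groups: the match result carries a `groups` object keyed by group name.
function parseIsoDate(text) {
  const re = /^(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})$/;
  const m = re.exec(text);
  if (!m) return null;
  const { year, month, day } = m.groups;
  return { year: Number(year), month: Number(month), day: Number(day) };
}

// Named back reference: \k<word> must match the same text the group captured.
function hasDoubledWord(text) {
  return /\b(?<word>\w+)\s+\k<word>\b/i.test(text);
}

// $<name> in a replacement string refers to a named group.
function toUsDate(isoText) {
  return isoText.replace(
    /(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})/g,
    '$<month>/$<day>/$<year>'
  );
}

// A named group that did not participate in the match substitutes the empty
// string, so "1.2" becomes "1.2." rather than throwing or leaving "$<patch>".
function normalizeVersion(v) {
  return v.replace(
    /^(?<major>\d+)\.(?<minor>\d+)(?:\.(?<patch>\d+))?$/,
    '$<major>.$<minor>.$<patch>'
  );
}

// Replacement-function form: when the pattern has named groups, the groups
// object is passed as the last argument to the callback.
function redactEmails(text) {
  return text.replace(/(?<user>[\w.]+)@(?<domain>[\w.]+)/g, (...args) => {
    const groups = args[args.length - 1];
    return `***@${groups.domain}`;
  });
}
```

The entry notes that WebKit deliberately does not throw on malformed `$<` tokens in the replacement string; the example only uses well-formed tokens, so its results do not depend on that choice.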
2626
2627 2017-09-07  Myles C. Maxfield  <mmaxfield@apple.com>
2628
2629         [PAL] Unify PlatformUserPreferredLanguages.h with Language.h
2630         https://bugs.webkit.org/show_bug.cgi?id=176561
2631
2632         Reviewed by Brent Fulgham.
2633
2634         * runtime/IntlObject.cpp:
2635         (JSC::defaultLocale):
2636
2637 2017-09-07  Joseph Pecoraro  <pecoraro@apple.com>
2638
2639         Augmented Inspector: Provide a way to inspect a DOM Node (DOM.inspect)
2640         https://bugs.webkit.org/show_bug.cgi?id=176563
2641         <rdar://problem/19639583>
2642
2643         Reviewed by Matt Baker.
2644
2645         * inspector/protocol/DOM.json:
2646         Add an event that is useful for augmented inspectors to inspect
2647         a node. Web pages will still prefer Inspector.inspect.
2648
2649 2017-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2650
2651         [JSC] Remove "malloc" and "free" from JSC/API
2652         https://bugs.webkit.org/show_bug.cgi?id=176331
2653
2654         Reviewed by Keith Miller.
2655
2656         Remove "malloc" and "free" manual calls in JSC/API.
2657
2658         * API/JSValue.mm:
2659         (createStructHandlerMap):
2660         * API/JSWrapperMap.mm:
2661         (parsePropertyAttributes):
2662         (makeSetterName):
2663         (copyPrototypeProperties):
2664         Use RetainPtr<NSString> to keep NSString. We avoid repeated "char*" to "NSString" conversion.
2665
2666         * API/ObjcRuntimeExtras.h:
2667         (adoptSystem):
2668         Add adoptSystem to automate calling system free().
2669
2670         (protocolImplementsProtocol):
2671         (forEachProtocolImplementingProtocol):
2672         (forEachMethodInClass):
2673         (forEachMethodInProtocol):
2674         (forEachPropertyInProtocol):
2675         (StringRange::StringRange):
2676         (StringRange::operator const char* const):
2677         (StringRange::get const):
2678         Use CString for backend.
2679
2680         (StructBuffer::StructBuffer):
2681         (StructBuffer::~StructBuffer):
2682         (StringRange::~StringRange): Deleted.
2683         Use fastAlignedMalloc/fastAlignedFree to get aligned memory.
2684
2685 2017-09-06  Mark Lam  <mark.lam@apple.com>
2686
2687         constructGenericTypedArrayViewWithArguments() is missing an exception check.
2688         https://bugs.webkit.org/show_bug.cgi?id=176485
2689         <rdar://problem/33898874>
2690
2691         Reviewed by Keith Miller.
2692
2693         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2694         (JSC::constructGenericTypedArrayViewWithArguments):
2695
2696 2017-09-06  Saam Barati  <sbarati@apple.com>
2697
2698         Air should have a Vector of prologue generators instead of a HashMap representing an optional prologue generator
2699         https://bugs.webkit.org/show_bug.cgi?id=176346
2700
2701         Reviewed by Mark Lam.
2702
2703         * b3/B3Procedure.cpp:
2704         (JSC::B3::Procedure::Procedure):
2705         (JSC::B3::Procedure::setNumEntrypoints):
2706         * b3/B3Procedure.h:
2707         (JSC::B3::Procedure::setNumEntrypoints): Deleted.
2708         * b3/air/AirCode.cpp:
2709         (JSC::B3::Air::defaultPrologueGenerator):
2710         (JSC::B3::Air::Code::Code):
2711         (JSC::B3::Air::Code::setNumEntrypoints):
2712         * b3/air/AirCode.h:
2713         (JSC::B3::Air::Code::setPrologueForEntrypoint):
2714         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
2715         (JSC::B3::Air::Code::setEntrypoints):
2716         (JSC::B3::Air::Code::setEntrypointLabels):
2717         * b3/air/AirGenerate.cpp:
2718         (JSC::B3::Air::generate):
2719         * ftl/FTLLowerDFGToB3.cpp:
2720         (JSC::FTL::DFG::LowerDFGToB3::lower):
2721
2722 2017-09-06  Saam Barati  <sbarati@apple.com>
2723
2724         ASSERTION FAILED: op() == CheckStructure in Source/JavaScriptCore/dfg/DFGNode.h(443)
2725         https://bugs.webkit.org/show_bug.cgi?id=176470
2726
2727         Reviewed by Mark Lam.
2728
2729         Update Node::convertToCheckStructureImmediate's assertion to allow
2730         the node to either be a CheckStructure or CheckStructureOrEmpty.
2731
2732         * dfg/DFGNode.h:
2733         (JSC::DFG::Node::convertToCheckStructureImmediate):
2734
2735 2017-09-05  Saam Barati  <sbarati@apple.com>
2736
2737         isNotCellSpeculation is wrong with respect to SpecEmpty
2738         https://bugs.webkit.org/show_bug.cgi?id=176429
2739
2740         Reviewed by Michael Saboff.
2741
2742         The isNotCellSpeculation(SpeculatedType t) function was not taking into account
2743         SpecEmpty in the set for t. It should return false when SpecEmpty is present, since
2744         the empty value will fail a NotCell check. This bug would cause us to erroneously
2745         generate NotCellUse UseKinds for inputs that are the empty value, causing repeated OSR exits.
2746
2747         * bytecode/SpeculatedType.h:
2748         (JSC::isNotCellSpeculation):
2749
2750 2017-09-05  Saam Barati  <sbarati@apple.com>
2751
2752         Make the distinction between entrypoints and CFG roots more clear by naming things better
2753         https://bugs.webkit.org/show_bug.cgi?id=176336
2754
2755         Reviewed by Mark Lam and Keith Miller and Michael Saboff.
2756
2757         This patch does renaming to make the distinction between Graph::m_entrypoints
2758         and Graph::m_numberOfEntrypoints more clear. The source of confusion is that
2759         Graph::m_entrypoints.size() is not equivalent to Graph::m_numberOfEntrypoints.
2760         Graph::m_entrypoints is really just the CFG roots. In CPS, this vector has
2761         size >= 1. In SSA, the size is always 1. This patch renames Graph::m_entrypoints
2762         to Graph::m_roots. To be consistent, this patch also renames Graph's m_entrypointToArguments
2763         field to m_rootToArguments.
2764         
2765         Graph::m_numberOfEntrypoints retains its name. This field is only used in SSA
2766         when compiling with EntrySwitch. It represents the logical number of entrypoints
2767         the compilation will end up with. Each EntrySwitch has m_numberOfEntrypoints
2768         cases.
2769
2770         * dfg/DFGByteCodeParser.cpp:
2771         (JSC::DFG::ByteCodeParser::parseBlock):
2772         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2773         * dfg/DFGCFG.h:
2774         (JSC::DFG::CFG::roots):
2775         (JSC::DFG::CPSCFG::CPSCFG):
2776         * dfg/DFGCPSRethreadingPhase.cpp:
2777         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
2778         * dfg/DFGDCEPhase.cpp:
2779         (JSC::DFG::DCEPhase::run):
2780         * dfg/DFGGraph.cpp:
2781         (JSC::DFG::Graph::dump):
2782         (JSC::DFG::Graph::determineReachability):
2783         (JSC::DFG::Graph::blocksInPreOrder):
2784         (JSC::DFG::Graph::blocksInPostOrder):
2785         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2786         * dfg/DFGGraph.h:
2787         (JSC::DFG::Graph::isRoot):
2788         (JSC::DFG::Graph::isEntrypoint): Deleted.
2789         * dfg/DFGInPlaceAbstractState.cpp:
2790         (JSC::DFG::InPlaceAbstractState::initialize):
2791         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2792         (JSC::DFG::createPreHeader):
2793         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2794         (JSC::DFG::MaximalFlushInsertionPhase::run):
2795         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2796         * dfg/DFGOSREntrypointCreationPhase.cpp:
2797         (JSC::DFG::OSREntrypointCreationPhase::run):
2798         * dfg/DFGPredictionInjectionPhase.cpp:
2799         (JSC::DFG::PredictionInjectionPhase::run):
2800         * dfg/DFGSSAConversionPhase.cpp:
2801         (JSC::DFG::SSAConversionPhase::run):
2802         * dfg/DFGSpeculativeJIT.cpp:
2803         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
2804         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2805         * dfg/DFGTypeCheckHoistingPhase.cpp:
2806         (JSC::DFG::TypeCheckHoistingPhase::run):
2807         * dfg/DFGValidate.cpp:
2808
2809 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
2810
2811         test262: Completion values for control flow do not match the spec
2812         https://bugs.webkit.org/show_bug.cgi?id=171265
2813
2814         Reviewed by Saam Barati.
2815
2816         * bytecompiler/BytecodeGenerator.h:
2817         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
2818         When we care about having proper completion values (global code
2819         in programs, modules, and eval) insert undefined results for
2820         control flow statements.
2821
2822         * bytecompiler/NodesCodegen.cpp:
2823         (JSC::SourceElements::emitBytecode):
2824         Reduce writing a default `undefined` value to the completion result to
2825         only once before the last statement we know will produce a value.
2826
2827         (JSC::IfElseNode::emitBytecode):
2828         (JSC::WithNode::emitBytecode):
2829         (JSC::WhileNode::emitBytecode):
2830         (JSC::ForNode::emitBytecode):
2831         (JSC::ForInNode::emitBytecode):
2832         (JSC::ForOfNode::emitBytecode):
2833         (JSC::SwitchNode::emitBytecode):
2834         Insert an undefined to handle cases where code may break out of an
2835         if/else or with statement (break/continue).
2836
2837         (JSC::TryNode::emitBytecode):
2838         Same handling for break cases. Also, finally block statement completion
2839         values are always ignored for the try statement result.
2840
2841         (JSC::ClassDeclNode::emitBytecode):
2842         Class declarations, like function declarations, produce an empty result.
2843
2844         * parser/Nodes.cpp:
2845         (JSC::SourceElements::lastStatement):
2846         (JSC::SourceElements::hasCompletionValue):
2847         (JSC::SourceElements::hasEarlyBreakOrContinue):
2848         (JSC::BlockNode::lastStatement):
2849         (JSC::BlockNode::singleStatement):
2850         (JSC::BlockNode::hasCompletionValue):
2851         (JSC::BlockNode::hasEarlyBreakOrContinue):
2852         (JSC::ScopeNode::singleStatement):
2853         (JSC::ScopeNode::hasCompletionValue):
2854         (JSC::ScopeNode::hasEarlyBreakOrContinue):
2855         The only non-trivial cases need to loop through their list of statements
2856         to determine if this has a completion value or not. Likewise for
2857         determining if there is an early break / continue, meaning a break or
2858         continue statement with no preceding statement that has a completion value.
2859
2860         * parser/Nodes.h:
2861         (JSC::StatementNode::next):
2862         (JSC::StatementNode::hasCompletionValue):
2863         Helper to check if a statement node produces a completion value or not.
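
        Added example, not JavaScriptCore's own code: a small model of the ECMAScript completion-value rules that the entry above makes the bytecode generator follow. It assumes a hypothetical subset of statement kinds (expression, if (true), do/while (false), break, try/finally, class declaration) and uses strings in place of JS values; the UpdateEmpty and StatementList logic is the spec's.

```cpp
// Added example, not JavaScriptCore's own code: a small model of the ECMAScript
// completion-value rules the patch above implements in the bytecode generator.
// Statements yield a Completion whose value may be "empty"; the spec's UpdateEmpty
// fills it in, which is why control flow yields undefined, an early break yields
// undefined and a finally block never contributes a value. Stmt is a hypothetical
// subset of statement kinds; strings stand in for JS values.
#include <cstdio>
#include <memory>
#include <optional>
#include <string>
#include <vector>

using Value = std::string;                 // "undefined" stands for the JS undefined value
enum class Kind { Normal, Break };

struct Completion {
    Kind kind = Kind::Normal;
    std::optional<Value> value;            // std::nullopt models the spec's "empty"
};

// Spec UpdateEmpty(completionRecord, value): fill an empty value, keep the type.
Completion updateEmpty(Completion c, std::optional<Value> v)
{
    if (!c.value)
        c.value = std::move(v);
    return c;
}

struct Stmt;
using StmtPtr = std::shared_ptr<Stmt>;
struct Stmt {
    enum Type { Expr, IfTrue, DoWhileFalse, Break, TryFinally, ClassDecl } type;
    Value value;                           // Expr only
    std::vector<StmtPtr> body;             // if / loop / try body
    std::vector<StmtPtr> finallyBody;      // TryFinally only
};

Completion evalList(const std::vector<StmtPtr>& list);

Completion eval(const Stmt& s)
{
    switch (s.type) {
    case Stmt::Expr:
        return { Kind::Normal, s.value };
    case Stmt::ClassDecl:                  // like a function declaration: empty result
        return { Kind::Normal, std::nullopt };
    case Stmt::Break:
        return { Kind::Break, std::nullopt };
    case Stmt::IfTrue:                     // if (true) Statement: UpdateEmpty(result, undefined)
        return updateEmpty(evalList(s.body), Value("undefined"));
    case Stmt::DoWhileFalse: {
        // One iteration; a break ends the loop and becomes a normal completion with the value so far
        Completion c = evalList(s.body);
        if (c.kind == Kind::Break)
            return { Kind::Normal, c.value.value_or("undefined") };
        return updateEmpty(c, Value("undefined"));
    }
    case Stmt::TryFinally: {
        // The finally result only matters if it is abrupt; otherwise the try block's value wins
        Completion tryC = evalList(s.body);
        Completion finC = evalList(s.finallyBody);
        if (finC.kind != Kind::Normal)
            return updateEmpty(finC, Value("undefined"));
        return updateEmpty(tryC, Value("undefined"));
    }
    }
    return {};
}

// StatementList: an item's empty value is replaced by the running value (so a trailing
// declaration keeps the previous value); a break stops the list, carrying that value.
Completion evalList(const std::vector<StmtPtr>& list)
{
    std::optional<Value> running;
    for (const auto& st : list) {
        Completion c = updateEmpty(eval(*st), running);
        if (c.kind != Kind::Normal)
            return c;
        running = c.value;
    }
    return { Kind::Normal, running };
}

// Builders so programs read like the JS they model.
StmtPtr make(Stmt::Type t, Value v = {}, std::vector<StmtPtr> b = {}, std::vector<StmtPtr> f = {}) { return std::make_shared<Stmt>(Stmt { t, std::move(v), std::move(b), std::move(f) }); }
StmtPtr expr(Value v) { return make(Stmt::Expr, std::move(v)); }
StmtPtr ifTrue(std::vector<StmtPtr> b) { return make(Stmt::IfTrue, {}, std::move(b)); }
StmtPtr doWhileFalse(std::vector<StmtPtr> b) { return make(Stmt::DoWhileFalse, {}, std::move(b)); }
StmtPtr tryFinally(std::vector<StmtPtr> b, std::vector<StmtPtr> f) { return make(Stmt::TryFinally, {}, std::move(b), std::move(f)); }
StmtPtr breakStmt() { return make(Stmt::Break); }
StmtPtr classDecl() { return make(Stmt::ClassDecl); }

// What eval() of the program would return; "<empty>" if the program has no value.
std::string programValue(const std::vector<StmtPtr>& program) { return evalList(program).value.value_or("<empty>"); }

int main()
{
    std::printf("1; if (true) {}                -> %s\n", programValue({ expr("1"), ifTrue({}) }).c_str());
    std::printf("1; do { break; } while (false) -> %s\n", programValue({ expr("1"), doWhileFalse({ breakStmt() }) }).c_str());
    std::printf("1; try { 2 } finally { 3 }     -> %s\n", programValue({ expr("1"), tryFinally({ expr("2") }, { expr("3") }) }).c_str());
    return 0;
}
```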
2864
2865 2017-09-04  Saam Barati  <sbarati@apple.com>
2866
2867         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
2868         https://bugs.webkit.org/show_bug.cgi?id=176317
2869
2870         Reviewed by Keith Miller.
2871
2872         It turns out that TypeCheckHoistingPhase may hoist a CheckStructure up to 
2873         the SetLocal of a particular value where the value is the empty JSValue.
2874         On 64-bit platforms, the empty value is zero. This means that the empty value
2875         passes a cell check. This will lead to a crash when we dereference null to load
2876         the value's structure. This patch teaches TypeCheckHoistingPhase to be conservative
2877         in the structure checks it hoists. On 64-bit platforms, instead of emitting a
2878         CheckStructure node, we now emit a CheckStructureOrEmpty node. This node allows
2879         the empty value to flow through. If the value isn't empty, it'll perform the normal
2880         structure check that CheckStructure performs. For now, we only emit CheckStructureOrEmpty
2881         on 64-bit platforms since a cell check on 32-bit platforms does not allow the empty
2882         value to flow through.
2883
2884         * dfg/DFGAbstractInterpreterInlines.h:
2885         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2886         * dfg/DFGArgumentsEliminationPhase.cpp:
2887         * dfg/DFGClobberize.h:
2888         (JSC::DFG::clobberize):
2889         * dfg/DFGConstantFoldingPhase.cpp:
2890         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2891         * dfg/DFGDoesGC.cpp:
2892         (JSC::DFG::doesGC):
2893         * dfg/DFGFixupPhase.cpp:
2894         (JSC::DFG::FixupPhase::fixupNode):
2895         * dfg/DFGNode.h:
2896         (JSC::DFG::Node::convertCheckStructureOrEmptyToCheckStructure):
2897         (JSC::DFG::Node::hasStructureSet):
2898         * dfg/DFGNodeType.h:
2899         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2900         * dfg/DFGPredictionPropagationPhase.cpp:
2901         * dfg/DFGSafeToExecute.h:
2902         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
2903         (JSC::DFG::SafeToExecuteEdge::operator()):
2904         (JSC::DFG::SafeToExecuteEdge::maySeeEmptyChild):
2905         (JSC::DFG::safeToExecute):
2906         * dfg/DFGSpeculativeJIT.cpp:
2907         (JSC::DFG::SpeculativeJIT::emitStructureCheck):
2908         (JSC::DFG::SpeculativeJIT::compileCheckStructure):
2909         * dfg/DFGSpeculativeJIT.h:
2910         * dfg/DFGSpeculativeJIT32_64.cpp:
2911         (JSC::DFG::SpeculativeJIT::compile):
2912         * dfg/DFGSpeculativeJIT64.cpp:
2913         (JSC::DFG::SpeculativeJIT::compile):
2914         * dfg/DFGTypeCheckHoistingPhase.cpp:
2915         (JSC::DFG::TypeCheckHoistingPhase::run):
2916         * dfg/DFGValidate.cpp:
2917         * ftl/FTLCapabilities.cpp:
2918         (JSC::FTL::canCompile):
2919         * ftl/FTLLowerDFGToB3.cpp:
2920         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2921         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureOrEmpty):
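
        Added example, not JavaScriptCore's own code, serving both this entry and the isNotCellSpeculation entry of 2017-09-05 above: a model of the 64-bit JSValue encoding that shows why the empty value passes a cell check, what CheckStructure versus CheckStructureOrEmpty does with it, and why a NotCell speculation has to exclude SpecEmpty. The tag constants mirror JSC's 64-bit encoding; Structure, JSCell, the sample structure and the SpeculatedType bits are simplified stand-ins assumed for the demo.

```cpp
// Added example, not JavaScriptCore's own code: a model of the 64-bit JSValue
// encoding showing why the empty value passes a cell check (the null dereference
// described above) and why a NotCell speculation must exclude SpecEmpty. The tag
// constants mirror JSC's 64-bit encoding; Structure, JSCell and the SpeculatedType
// bits are simplified stand-ins (assumptions, not JSC's definitions).
#include <cstdint>
#include <cstdio>

// Numbers carry NumberTag in their top 16 bits; undefined, null and booleans carry
// OtherTag. A value with none of these bits set is taken to be a cell pointer.
constexpr uint64_t NumberTag      = 0xfffe000000000000ull;
constexpr uint64_t OtherTag       = 0x2;
constexpr uint64_t NotCellMask    = NumberTag | OtherTag;
constexpr uint64_t ValueUndefined = 0xa;
constexpr uint64_t ValueNull      = 0x2;
constexpr uint64_t ValueEmpty     = 0x0;   // the "empty" JSValue is all-zero bits on 64-bit

struct Structure { int id; };
struct JSCell { Structure* structure; };
static Structure kSampleStructure { 7 };   // constructed sample for the demo below

inline uint64_t encodeInt32(int32_t i) { return NumberTag | static_cast<uint32_t>(i); }
inline uint64_t encodeCell(JSCell* cell) { return static_cast<uint64_t>(reinterpret_cast<uintptr_t>(cell)); }

// The cell check a JIT fast path performs: no tag bit set means "cell".
// ValueEmpty has no tag bits either, so it passes: the root cause of the crash.
inline bool passesCellCheck(uint64_t bits) { return !(bits & NotCellMask); }

enum CheckResult { Passed, Failed, NullDereference };

// CheckStructure: speculate "cell with this structure", then load the structure.
// Fed the empty value, the load would read address 0; this model reports it instead.
CheckResult checkStructure(uint64_t bits, const Structure* expected)
{
    if (!passesCellCheck(bits))
        return Failed;                       // speculation failed: OSR exit
    if (bits == ValueEmpty)
        return NullDereference;              // real code would crash loading cell->structure
    auto* cell = reinterpret_cast<const JSCell*>(static_cast<uintptr_t>(bits));
    return cell->structure == expected ? Passed : Failed;
}

// CheckStructureOrEmpty: let the empty value flow through, else behave like CheckStructure.
CheckResult checkStructureOrEmpty(uint64_t bits, const Structure* expected)
{
    return bits == ValueEmpty ? Passed : checkStructure(bits, expected);
}

// Runs CheckStructure on a freshly built cell whose structure does or does not match.
CheckResult checkRealCell(bool structureMatches)
{
    Structure other { 8 };
    JSCell cell { &kSampleStructure };
    return checkStructure(encodeCell(&cell), structureMatches ? &kSampleStructure : &other);
}

// Simplified SpeculatedType bitset (JSC's has many more bits).
using SpeculatedType = uint64_t;
constexpr SpeculatedType SpecCell  = 1ull << 0;
constexpr SpeculatedType SpecInt32 = 1ull << 1;
constexpr SpeculatedType SpecEmpty = 1ull << 2;

// Before the fix: {Int32|Empty} counted as "definitely not a cell", so a NotCellUse
// check was emitted that the empty value then failed, exiting again and again.
inline bool isNotCellSpeculationBuggy(SpeculatedType t) { return !(t & SpecCell) && t; }
// After the fix: any set containing SpecEmpty is not a NotCell speculation.
inline bool isNotCellSpeculationFixed(SpeculatedType t) { return !(t & (SpecCell | SpecEmpty)) && t; }

int main()
{
    std::printf("empty passes cell check:      %d\n", passesCellCheck(ValueEmpty));
    std::printf("CheckStructure(empty):        %d (2 = null dereference)\n", checkStructure(ValueEmpty, &kSampleStructure));
    std::printf("CheckStructureOrEmpty(empty): %d (0 = passed)\n", checkStructureOrEmpty(ValueEmpty, &kSampleStructure));
    std::printf("CheckStructure(real cell):    %d\n", checkRealCell(true));
    return 0;
}
```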
2922
2923 2017-09-04  Saam Barati  <sbarati@apple.com>
2924
2925         Support compiling catch in the FTL
2926         https://bugs.webkit.org/show_bug.cgi?id=175396
2927
2928         Reviewed by Filip Pizlo.
2929
2930         This patch implements op_catch in the FTL. It extends the DFG implementation
2931         by supporting multiple entrypoints in DFG-SSA. This patch implements this
2932         by introducing an EntrySwitch node. When converting to SSA, we introduce a new
2933         root block with an EntrySwitch that has the previous DFG entrypoints as its
2934         successors. By convention, we pick the zeroth entry point index to be the
2935         op_enter entrypoint. Like in B3, in DFG-SSA, EntrySwitch just acts like a
2936         switch over the entrypoint index argument. DFG::EntrySwitch in the FTL
2937         simply lowers to B3::EntrySwitch. The EntrySwitch in the root block that
2938         SSAConversion creates cannot exit because we would not know where to exit
2939         to in the program: we would not have valid OSR exit state. This design also
2940         mandates that anything we hoist above EntrySwitch in the new root block
2941         cannot exit since they also do not have valid OSR exit state.
2942         
2943         This patch also adds a new metadata node named InitializeEntrypointArguments.
2944         InitializeEntrypointArguments is a metadata node that initializes the flush format for
2945         the arguments at a given entrypoint. For a given entrypoint index, this node
2946         tells AI and OSRAvailabilityAnalysis what the flush format for each argument
2947         is. This allows each individual entrypoint to have an independent set of
2948         argument types. Currently, this won't happen in practice because ArgumentPosition
2949         unifies flush formats, but this is an implementation detail we probably want
2950         to modify in the future. SSAConversion will add InitializeEntrypointArguments
2951         to the beginning of each of the original DFG entrypoint blocks.
2952         
2953         This patch also adds the ability to specify custom prologue code generators in Air.
2954         This allows the FTL to specify a custom prologue for catch entrypoints that
2955         matches the op_catch OSR entry calling convention that the DFG uses. This way,
2956         the baseline JIT code OSR enters into op_catch the same way both in the DFG
2957         and the FTL. In the future, we can use this same mechanism to perform stack
2958         overflow checks instead of using a patchpoint.
2959
2960         * b3/air/AirCode.cpp:
2961         (JSC::B3::Air::Code::isEntrypoint):
2962         (JSC::B3::Air::Code::entrypointIndex):
2963         * b3/air/AirCode.h:
2964         (JSC::B3::Air::Code::setPrologueForEntrypoint):
2965         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
2966         * b3/air/AirGenerate.cpp:
2967         (JSC::B3::Air::generate):
2968         * dfg/DFGAbstractInterpreterInlines.h:
2969         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2970         * dfg/DFGBasicBlock.h:
2971         * dfg/DFGByteCodeParser.cpp:
2972         (JSC::DFG::ByteCodeParser::parseBlock):
2973         (JSC::DFG::ByteCodeParser::parse):
2974         * dfg/DFGCFG.h:
2975         (JSC::DFG::selectCFG):
2976         * dfg/DFGClobberize.h:
2977         (JSC::DFG::clobberize):
2978         * dfg/DFGClobbersExitState.cpp:
2979         (JSC::DFG::clobbersExitState):
2980         * dfg/DFGCommonData.cpp:
2981         (JSC::DFG::CommonData::shrinkToFit):
2982         (JSC::DFG::CommonData::finalizeCatchEntrypoints):
2983         * dfg/DFGCommonData.h:
2984         (JSC::DFG::CommonData::catchOSREntryDataForBytecodeIndex):
2985         (JSC::DFG::CommonData::appendCatchEntrypoint):
2986         * dfg/DFGDoesGC.cpp:
2987         (JSC::DFG::doesGC):
2988         * dfg/DFGFixupPhase.cpp:
2989         (JSC::DFG::FixupPhase::fixupNode):
2990         * dfg/DFGGraph.cpp:
2991         (JSC::DFG::Graph::dump):
2992         (JSC::DFG::Graph::invalidateCFG):
2993         (JSC::DFG::Graph::ensureCPSCFG):
2994         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2995         * dfg/DFGGraph.h:
2996         (JSC::DFG::Graph::isEntrypoint):
2997         * dfg/DFGInPlaceAbstractState.cpp:
2998         (JSC::DFG::InPlaceAbstractState::initialize):
2999         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3000         * dfg/DFGJITCode.cpp:
3001         (JSC::DFG::JITCode::shrinkToFit):
3002         (JSC::DFG::JITCode::finalizeOSREntrypoints):
3003         * dfg/DFGJITCode.h:
3004         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex): Deleted.
3005         (JSC::DFG::JITCode::appendCatchEntrypoint): Deleted.
3006         * dfg/DFGJITCompiler.cpp:
3007         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
3008         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
3009         * dfg/DFGMayExit.cpp:
3010         * dfg/DFGNode.h:
3011         (JSC::DFG::Node::isEntrySwitch):
3012         (JSC::DFG::Node::isTerminal):
3013         (JSC::DFG::Node::entrySwitchData):
3014         (JSC::DFG::Node::numSuccessors):
3015         (JSC::DFG::Node::successor):
3016         (JSC::DFG::Node::entrypointIndex):
3017         * dfg/DFGNodeType.h:
3018         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3019         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
3020         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3021         * dfg/DFGOSREntry.cpp:
3022         (JSC::DFG::prepareCatchOSREntry):
3023         * dfg/DFGOSREntry.h:
3024         * dfg/DFGOSREntrypointCreationPhase.cpp:
3025         (JSC::DFG::OSREntrypointCreationPhase::run):
3026         * dfg/DFGPredictionPropagationPhase.cpp:
3027         * dfg/DFGSSAConversionPhase.cpp:
3028         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
3029         (JSC::DFG::SSAConversionPhase::run):
3030         * dfg/DFGSafeToExecute.h:
3031         (JSC::DFG::safeToExecute):
3032         * dfg/DFGSpeculativeJIT.cpp:
3033         (JSC::DFG::SpeculativeJIT::linkOSREntries):
3034         * dfg/DFGSpeculativeJIT32_64.cpp:
3035         (JSC::DFG::SpeculativeJIT::compile):
3036         * dfg/DFGSpeculativeJIT64.cpp:
3037         (JSC::DFG::SpeculativeJIT::compile):
3038         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
3039         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
3040         * dfg/DFGValidate.cpp:
3041         * ftl/FTLCapabilities.cpp:
3042         (JSC::FTL::canCompile):
3043         * ftl/FTLCompile.cpp:
3044         (JSC::FTL::compile):
3045         * ftl/FTLLowerDFGToB3.cpp:
3046         (JSC::FTL::DFG::LowerDFGToB3::lower):
3047         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3048         (JSC::FTL::DFG::LowerDFGToB3::compileExtractCatchLocal):
3049         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
3050         (JSC::FTL::DFG::LowerDFGToB3::compileEntrySwitch):
3051         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3052         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):
3053         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
3054         (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
3055         * ftl/FTLOutput.cpp:
3056         (JSC::FTL::Output::entrySwitch):
3057         * ftl/FTLOutput.h:
3058         * jit/JITOperations.cpp:
3059
3060 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3061
3062         [DFG][FTL] Efficiently execute number#toString()
3063         https://bugs.webkit.org/show_bug.cgi?id=170007
3064
3065         Reviewed by Keith Miller.
3066
3067         In JS, the natural way to convert number to string with radix is `number.toString(radix)`.
3068         However, our IC only cares about cells. If the base value is a number, it always goes to the slow path.
3069
3070         While extending our IC for number and boolean, the most meaningful use of this IC is calling `number.toString(radix)`.
3071         So, in this patch, we first add a fast path for this in DFG by using watchpoint. We set up a watchpoint for
3072         Number.prototype.toString. And if this watchpoint is kept alive and GetById(base, "toString")'s base should be
3073         speculated as Number, we emit Number related Checks and convert GetById to Number.prototype.toString constant.
3074         It removes costly GetById slow path, and makes it non-clobbering node (JSConstant).
3075
3076         In addition, we add NumberToStringWithValidRadixConstant node. We have NumberToStringWithRadix node, but it may
3077         throw an error if the valid value is incorrect (for example, number.toString(2000)). So its clobbering rule
3078         conservatively uses read(World)/write(Heap). But in reality, `number.toString` is mostly called with the constant
3079         radix, and we can easily figure out this radix is valid (2 <= radix && radix < 32).
3080         We add a rule to the constant folding phase to convert NumberToStringWithRadix to NumberToStringWithValidRadixConstant.
3081         It ensures that it has valid constant radix. And we relax our clobbering rule for NumberToStringWithValidRadixConstant.
3082
3083         Added microbenchmarks show performance improvement.
3084
3085                                                       baseline                  patched
3086
3087         number-to-string-with-radix-cse           43.8312+-1.3017     ^      7.4930+-0.5105        ^ definitely 5.8496x faster
3088         number-to-string-with-radix-10             7.2775+-0.5225     ^      2.1906+-0.1864        ^ definitely 3.3222x faster
3089         number-to-string-with-radix               39.7378+-1.4921     ^     16.6137+-0.7776        ^ definitely 2.3919x faster
3090         number-to-string-strength-reduction       94.9667+-2.7157     ^      9.3060+-0.7202        ^ definitely 10.2049x faster
3091
3092         * dfg/DFGAbstractInterpreterInlines.h:
3093         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3094         * dfg/DFGClobberize.h:
3095         (JSC::DFG::clobberize):
3096         * dfg/DFGConstantFoldingPhase.cpp:
3097         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3098         * dfg/DFGDoesGC.cpp:
3099         (JSC::DFG::doesGC):
3100         * dfg/DFGFixupPhase.cpp:
3101         (JSC::DFG::FixupPhase::fixupNode):
3102         * dfg/DFGGraph.h:
3103         (JSC::DFG::Graph::isWatchingGlobalObjectWatchpoint):
3104         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
3105         (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint):
3106         * dfg/DFGNode.h:
3107         (JSC::DFG::Node::convertToNumberToStringWithValidRadixConstant):
3108         (JSC::DFG::Node::hasValidRadixConstant):
3109         (JSC::DFG::Node::validRadixConstant):
3110         * dfg/DFGNodeType.h:
3111         * dfg/DFGPredictionPropagationPhase.cpp:
3112         * dfg/DFGSafeToExecute.h:
3113         (JSC::DFG::safeToExecute):
3114         * dfg/DFGSpeculativeJIT.cpp:
3115         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor):
3116         (JSC::DFG::SpeculativeJIT::compileNumberToStringWithValidRadixConstant):
3117         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnNumber): Deleted.
3118         * dfg/DFGSpeculativeJIT.h:
3119         * dfg/DFGSpeculativeJIT32_64.cpp:
3120         (JSC::DFG::SpeculativeJIT::compile):
3121         * dfg/DFGSpeculativeJIT64.cpp:
3122         (JSC::DFG::SpeculativeJIT::compile):
3123         * dfg/DFGStrengthReductionPhase.cpp:
3124         (JSC::DFG::StrengthReductionPhase::handleNode):
3125         * ftl/FTLCapabilities.cpp:
3126         (JSC::FTL::canCompile):
3127         * ftl/FTLLowerDFGToB3.cpp:
3128         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3129         (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
3130         * runtime/JSGlobalObject.cpp:
3131         (JSC::JSGlobalObject::JSGlobalObject):
3132         (JSC::JSGlobalObject::init):
3133         (JSC::JSGlobalObject::visitChildren):
3134         * runtime/JSGlobalObject.h:
3135         (JSC::JSGlobalObject::numberToStringWatchpoint):
3136         (JSC::JSGlobalObject::numberProtoToStringFunction const):
3137         * runtime/NumberPrototype.cpp:
3138         (JSC::NumberPrototype::finishCreation):
3139         (JSC::toStringWithRadixInternal):
3140         (JSC::toStringWithRadix):
3141         (JSC::int32ToStringInternal):
3142         (JSC::numberToStringInternal):
3143         * runtime/NumberPrototype.h:
3144
3145 2017-09-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3146
3147         [DFG] Consider increasing the number of DFG worklist threads
3148         https://bugs.webkit.org/show_bug.cgi?id=176222
3149
3150         Reviewed by Saam Barati.
3151
3152         Attempt to add one more thread to the DFG worklist. The DFG compiler sometimes takes
3153         a very long time if the target function is very large. However, the DFG worklist
3154         has only one thread before this patch. Therefore, one function that takes
3155         too much time to be compiled can prevent the other functions from being
3156         compiled in DFG or upper tiers.
3157
3158         One example is Octane/zlib. In zlib, compiling the "a1" function in DFG takes
3159         a super long time (447 ms) because of the function's super large size.
3160         While this function never gets compiled in FTL due to its large size,
3161         it can be compiled in DFG and takes a super long time. Subsequent "a8" function
3162         compilation in DFG is blocked by this "a1". As a consequence, the benchmark
3163         takes a very long time in a1/Baseline code, which is slower than DFG of course.
3164
3165         While FTL has a bit more threads, DFG worklist has only one thread. This patch
3166         adds one more thread to DFG worklist to alleviate the above situation. This
3167         change significantly improves Octane/zlib performance.
3168
3169                                     baseline                  patched
3170
3171         zlib           x2     482.32825+-6.07640    ^   408.66072+-14.03856      ^ definitely 1.1803x faster
3172
3173         * runtime/Options.h:
3174
3175 2017-09-04  Sam Weinig  <sam@webkit.org>
3176
3177         [WebIDL] Unify and simplify EnableBySettings with the rest of the runtime settings
3178         https://bugs.webkit.org/show_bug.cgi?id=176312
3179
3180         Reviewed by Darin Adler.
3181
3182         * runtime/CommonIdentifiers.h:
3183
3184         Remove WebCore specific identifiers from CommonIdentifiers. They have been moved
3185         to WebCoreBuiltinNames in WebCore.
3186
3187 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3188
3189         Remove "malloc" and "free" use
3190         https://bugs.webkit.org/show_bug.cgi?id=176310
3191
3192         Reviewed by Darin Adler.
3193
3194         Use Vector instead.
3195
3196         * API/JSWrapperMap.mm:
3197         (selectorToPropertyName):
3198
3199 2017-09-03  Darin Adler  <darin@apple.com>
3200
3201         Try to fix Windows build.
3202
3203         * runtime/JSGlobalObjectFunctions.cpp: #include <unicode/utf8.h>.
3204
3205 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3206
3207         [WTF] Add C++03 allocator interface for GCC < 6
3208         https://bugs.webkit.org/show_bug.cgi?id=176301
3209
3210         Reviewed by Darin Adler.
3211
3212         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3213
3214 2017-09-03  Chris Dumez  <cdumez@apple.com>
3215
3216         Unreviewed, rolling out r221555.
3217
3218         Did not fix Windows build
3219
3220         Reverted changeset:
3221
3222         "Unreviewed attempt to fix Windows build."
3223         http://trac.webkit.org/changeset/221555
3224
3225 2017-09-03  Chris Dumez  <cdumez@apple.com>
3226
3227         Unreviewed attempt to fix Windows build.
3228
3229         * runtime/JSGlobalObjectFunctions.cpp:
3230
3231 2017-09-03  Chris Dumez  <cdumez@apple.com>
3232
3233         Unreviewed, rolling out r221552.
3234
3235         Broke the build
3236
3237         Reverted changeset:
3238
3239         "[WTF] Add C++03 allocator interface for GCC < 6"
3240         https://bugs.webkit.org/show_bug.cgi?id=176301
3241         http://trac.webkit.org/changeset/221552
3242
3243 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3244
3245         [WTF] Add C++03 allocator interface for GCC < 6
3246         https://bugs.webkit.org/show_bug.cgi?id=176301
3247
3248         Reviewed by Darin Adler.
3249
3250         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3251
3252 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3253
3254         [JSC] Clean up BytecodeLivenessAnalysis
3255         https://bugs.webkit.org/show_bug.cgi?id=176295
3256
3257         Reviewed by Saam Barati.
3258
3259         Previously, computeDefsForBytecodeOffset was a bit customizable.
3260         This is used for try-catch handler's liveness analysis. But after
3261         careful generatorification implementation, it is now not necessary.
3262         This patch drops this customizability.
3263
3264         * bytecode/BytecodeGeneratorification.cpp:
3265         (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
3266         (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
3267         * bytecode/BytecodeLivenessAnalysis.cpp:
3268         (JSC::BytecodeLivenessAnalysis::computeKills):
3269         (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
3270         (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
3271         * bytecode/BytecodeLivenessAnalysis.h:
3272         * bytecode/BytecodeLivenessAnalysisInlines.h:
3273         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
3274         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
3275         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
3276         (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
3277         (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
3278         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction): Deleted.
3279         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBytecodeOffset): Deleted.
3280         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBlock): Deleted.
3281         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::getLivenessInfoAtBytecodeOffset): Deleted.
3282         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint): Deleted.
3283
3284 2017-09-03  Sam Weinig  <sam@webkit.org>
3285
3286         Remove CanvasProxy
3287         https://bugs.webkit.org/show_bug.cgi?id=176288
3288
3289         Reviewed by Yusuke Suzuki.
3290
3291         CanvasProxy does not appear to be in any current HTML spec
3292         and was disabled and unimplemented in our tree. Time to 
3293         get rid of it.
3294
3295         * Configurations/FeatureDefines.xcconfig:
3296
3297 2017-09-02  Oliver Hunt  <oliver@apple.com>
3298
3299         Need an API to get the global context from JSObjectRef
3300         https://bugs.webkit.org/show_bug.cgi?id=176291
3301
3302         Reviewed by Saam Barati.
3303
3304         Very simple additional API, starting off as SPI on principle.
3305
3306         * API/JSObjectRef.cpp:
3307         (JSObjectGetGlobalContext):
3308         * API/JSObjectRefPrivate.h:
3309         * API/tests/testapi.c:
3310         (main):
3311
3312 2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3313
3314         [DFG] Relax arity requirement
3315         https://bugs.webkit.org/show_bug.cgi?id=175523
3316
3317         Reviewed by Saam Barati.
3318
3319         Our DFG pipeline gives up inlining when the arity of the target function is more than the number of the arguments.
3320         It effectively prevents us from inlining and optimizing functions which take some optional arguments in the
3321         pre-ES6 form.
3322
3323         This patch removes the above restriction by performing the arity fixup in DFG.
3324
3325         SixSpeed shows improvement when we can inline arity-mismatched functions. (For example, calling generator.next()).
3326
3327                                        baseline                  patched
3328
3329         defaults.es5             1232.1226+-20.6775    ^    442.3326+-26.1883       ^ definitely 2.7855x faster
3330         rest.es6                    5.3406+-0.8588     ^      3.5812+-0.5388        ^ definitely 1.4913x faster
3331         spread-generator.es6      320.9107+-12.4808         310.4295+-12.0047         might be 1.0338x faster
3332         generator.es6             318.3514+-9.6023     ^    286.4974+-12.6203       ^ definitely 1.1112x faster
3333
3334         * bytecode/InlineCallFrame.cpp:
3335         (JSC::InlineCallFrame::dumpInContext const):
3336         * bytecode/InlineCallFrame.h:
3337         (JSC::InlineCallFrame::InlineCallFrame):
3338         * dfg/DFGAbstractInterpreterInlines.h:
3339         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):