d1a45adceb97175f1b5f49be9d6b994f2e23cb40
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-06-19  Saam Barati  <sbarati@apple.com>
2
3         DirectArguments::create needs to initialize to undefined instead of the empty value
4         https://bugs.webkit.org/show_bug.cgi?id=186818
5         <rdar://problem/38415177>
6
7         Reviewed by Filip Pizlo.
8
9         The bug here is that we will emit code that just loads from DirectArguments as
10         long as the index is within the known capacity of the arguments object (op_get_from_arguments).
11         The arguments object has at least enough capacity to hold the declared parameters.
12         When we materialized this object in OSR exit, we initialized up to the capacity
13         with JSValue(). In OSR exit, though, we only filled up to the length of the
14         object with actual values. So we'd end up with a DirectArguments object with
15         capacity minus length slots of JSValue(). To fix this, we need to initialize up to
16         capacity with jsUndefined during construction. The invariant of this object is
17         that the capacity minus length slots at the end are filled in with jsUndefined.
18
19         * runtime/DirectArguments.cpp:
20         (JSC::DirectArguments::create):
21
22 2018-06-19  Michael Saboff  <msaboff@apple.com>
23
24         Crash in sanitizeStackForVMImpl sometimes when switching threads with same VM
25         https://bugs.webkit.org/show_bug.cgi?id=186827
26
27         Reviewed by Saam Barati.
28
29         Need to set VM::lastStackTop before any possible calls to sanitizeStack().
30
31         * runtime/JSLock.cpp:
32         (JSC::JSLock::didAcquireLock):
33
34 2018-06-19  Tadeu Zagallo  <tzagallo@apple.com>
35
36         ShadowChicken crashes with stack overflow in the LLInt
37         https://bugs.webkit.org/show_bug.cgi?id=186540
38         <rdar://problem/39682133>
39
40         Reviewed by Saam Barati.
41
42         Stack overflows in the LLInt were crashing in ShadowChicken when compiling
43         with debug opcodes because it was accessing the scope of the incomplete top
44         frame, which hadn't been set yet. Check that we have moved past the first
45         opcode (enter) and that the scope is not undefined (enter will
46         initialize it to undefined).
47
48         * interpreter/ShadowChicken.cpp:
49         (JSC::ShadowChicken::update):
50
51 2018-06-19  Keith Miller  <keith_miller@apple.com>
52
53         constructArray variants should take the slow path for subclasses of Array
54         https://bugs.webkit.org/show_bug.cgi?id=186812
55
56         Reviewed by Saam Barati and Mark Lam.
57
58         This patch fixes a crashing test in ObjectInitializationScope where we would
59         allocate a new structure for an indexing type change while initializing
60         a subclass of Array. Since the new array hasn't been fully initialized,
61         if the GC ran it would see garbage and we might crash.
62
63         * runtime/JSArray.cpp:
64         (JSC::constructArray):
65         (JSC::constructArrayNegativeIndexed):
66         * runtime/JSArray.h:
67         (JSC::constructArray): Deleted.
68         (JSC::constructArrayNegativeIndexed): Deleted.
69
70 2018-06-19  Saam Barati  <sbarati@apple.com>
71
72         Wasm: Any function argument of type Void should be a validation error
73         https://bugs.webkit.org/show_bug.cgi?id=186794
74         <rdar://problem/41140257>
75
76         Reviewed by Keith Miller.
77
78         * wasm/WasmModuleParser.cpp:
79         (JSC::Wasm::ModuleParser::parseType):
80
81 2018-06-18  Keith Miller  <keith_miller@apple.com>
82
83         JSImmutableButterfly should assert m_header is adjacent to the data
84         https://bugs.webkit.org/show_bug.cgi?id=186795
85
86         Reviewed by Saam Barati.
87
88         * runtime/JSImmutableButterfly.cpp:
89         * runtime/JSImmutableButterfly.h:
90
91 2018-06-18  Keith Miller  <keith_miller@apple.com>
92
93         Unreviewed, fix the build...
94
95         * runtime/JSArray.cpp:
96         (JSC::JSArray::tryCreateUninitializedRestricted):
97
98 2018-06-18  Keith Miller  <keith_miller@apple.com>
99
100         Unreviewed, remove bad assertion.
101
102         * runtime/JSArray.cpp:
103         (JSC::JSArray::tryCreateUninitializedRestricted):
104
105 2018-06-18  Keith Miller  <keith_miller@apple.com>
106
107         Properly zero unused property storage offsets
108         https://bugs.webkit.org/show_bug.cgi?id=186692
109
110         Reviewed by Filip Pizlo.
111
112         Since the concurrent GC might see a property slot before the mutator has actually
113         stored the value there, we need to ensure that slot doesn't have garbage in it.
114
115         Right now when calling constructConvertedArrayStorageWithoutCopyingElements
116         or creating a RegExp matches array, we never cleared the unused
117         property storage. ObjectInitializationScope has also been upgraded
118         to look for our invariants around property storage. Additionally,
119         a new assertion has been added to check for JSValue() when adding
120         a new property.
121
122         We used to put undefined into deleted property offsets. To
123         make things simpler, this patch causes us to store JSValue() there
124         instead.
125
126         Lastly, this patch fixes an issue where we would initialize the
127         array storage of RegExpMatchesArray twice. First with 0 and
128         secondly with the actual result. Now we only zero memory between
129         vector length and public length.
130
131         * runtime/Butterfly.h:
132         (JSC::Butterfly::offsetOfVectorLength):
133         * runtime/ButterflyInlines.h:
134         (JSC::Butterfly::tryCreateUninitialized):
135         (JSC::Butterfly::createUninitialized):
136         (JSC::Butterfly::tryCreate):
137         (JSC::Butterfly::create):
138         (JSC::Butterfly::createOrGrowPropertyStorage):
139         (JSC::Butterfly::createOrGrowArrayRight):
140         (JSC::Butterfly::growArrayRight):
141         (JSC::Butterfly::resizeArray):
142         * runtime/JSArray.cpp:
143         (JSC::JSArray::tryCreateUninitializedRestricted):
144         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
145         * runtime/JSArray.h:
146         (JSC::tryCreateArrayButterfly):
147         * runtime/JSObject.cpp:
148         (JSC::JSObject::createArrayStorageButterfly):
149         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
150         (JSC::JSObject::deleteProperty):
151         (JSC::JSObject::shiftButterflyAfterFlattening):
152         * runtime/JSObject.h:
153         * runtime/JSObjectInlines.h:
154         (JSC::JSObject::prepareToPutDirectWithoutTransition):
155         * runtime/ObjectInitializationScope.cpp:
156         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
157         * runtime/ObjectInitializationScope.h:
158         (JSC::ObjectInitializationScope::release):
159         * runtime/RegExpMatchesArray.h:
160         (JSC::tryCreateUninitializedRegExpMatchesArray):
161         (JSC::createRegExpMatchesArray):
162
163         * runtime/Butterfly.h:
164         (JSC::Butterfly::offsetOfVectorLength):
165         * runtime/ButterflyInlines.h:
166         (JSC::Butterfly::tryCreateUninitialized):
167         (JSC::Butterfly::createUninitialized):
168         (JSC::Butterfly::tryCreate):
169         (JSC::Butterfly::create):
170         (JSC::Butterfly::createOrGrowPropertyStorage):
171         (JSC::Butterfly::createOrGrowArrayRight):
172         (JSC::Butterfly::growArrayRight):
173         (JSC::Butterfly::resizeArray):
174         * runtime/JSArray.cpp:
175         (JSC::JSArray::tryCreateUninitializedRestricted):
176         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
177         * runtime/JSArray.h:
178         (JSC::tryCreateArrayButterfly):
179         * runtime/JSObject.cpp:
180         (JSC::JSObject::createArrayStorageButterfly):
181         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
182         (JSC::JSObject::deleteProperty):
183         (JSC::JSObject::shiftButterflyAfterFlattening):
184         * runtime/JSObject.h:
185         * runtime/JSObjectInlines.h:
186         (JSC::JSObject::prepareToPutDirectWithoutTransition):
187         * runtime/ObjectInitializationScope.cpp:
188         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
189         * runtime/RegExpMatchesArray.cpp:
190         (JSC::createEmptyRegExpMatchesArray):
191         * runtime/RegExpMatchesArray.h:
192         (JSC::tryCreateUninitializedRegExpMatchesArray):
193         (JSC::createRegExpMatchesArray):
194
195 2018-06-18  Tadeu Zagallo  <tzagallo@apple.com>
196
197         Share structure across instances of classes exported through the ObjC API
198         https://bugs.webkit.org/show_bug.cgi?id=186579
199         <rdar://problem/40969212>
200
201         Reviewed by Saam Barati.
202
203         A new structure was being created for each instance of exported ObjC
204         classes due to setting the prototype in the structure for every object,
205         since prototype transitions are not cached by the structure. Cache the
206         Structure in the JSObjcClassInfo to avoid the transition.
207
208         * API/JSWrapperMap.mm:
209         (-[JSObjCClassInfo wrapperForObject:inContext:]):
210         (-[JSObjCClassInfo structureInContext:]):
211         * API/tests/JSWrapperMapTests.h: Added.
212         * API/tests/JSWrapperMapTests.mm: Added.
213         (+[JSWrapperMapTests testStructureIdentity]):
214         (runJSWrapperMapTests):
215         * API/tests/testapi.mm:
216         (testObjectiveCAPIMain):
217         * JavaScriptCore.xcodeproj/project.pbxproj:
218
219 2018-06-18  Michael Saboff  <msaboff@apple.com>
220
221         Support Unicode 11 in RegExp
222         https://bugs.webkit.org/show_bug.cgi?id=186685
223
224         Reviewed by Mark Lam.
225
226         Updated the UCD tables used to generate RegExp property tables to version 11.0.
227
228         * Scripts/generateYarrUnicodePropertyTables.py:
229         * ucd/CaseFolding.txt:
230         * ucd/DerivedBinaryProperties.txt:
231         * ucd/DerivedCoreProperties.txt:
232         * ucd/DerivedNormalizationProps.txt:
233         * ucd/PropList.txt:
234         * ucd/PropertyAliases.txt:
235         * ucd/PropertyValueAliases.txt:
236         * ucd/ScriptExtensions.txt:
237         * ucd/Scripts.txt:
238         * ucd/UnicodeData.txt:
239         * ucd/emoji-data.txt:
240
241 2018-06-18  Carlos Alberto Lopez Perez  <clopez@igalia.com>
242
243         [WTF] Remove workarounds needed to support libstdc++-4
244         https://bugs.webkit.org/show_bug.cgi?id=186762
245
246         Reviewed by Michael Catanzaro.
247
248         Revert r226299, r226300, r226301 and r226302.
249
250         * API/tests/TypedArrayCTest.cpp:
251         (assertEqualsAsNumber):
252
253 2018-06-16  Michael Catanzaro  <mcatanzaro@igalia.com>
254
255         REGRESSION(r227717): Hardcoded page size causing JSC crashes on platforms with page size bigger than 16 KB
256         https://bugs.webkit.org/show_bug.cgi?id=182923
257
258         Reviewed by Mark Lam.
259
260         The blockSize used by MarkedBlock is incorrect on platforms with pages larger than 16 KB.
261         Upstream Fedora's patch to use a safer 64 KB default. This fixes PowerPC and s390x.
262
263         * heap/MarkedBlock.h:
264
265 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
266
267         [JSC] Inline JSArray::pushInline and Structure::nonPropertyTransition
268         https://bugs.webkit.org/show_bug.cgi?id=186723
269
270         Reviewed by Mark Lam.
271
272         Now, the CoW -> non-CoW transition is a heavy path. We inline the part of Structure::nonPropertyTransition
273         to catch the major path. And we also inline JSArray::pushInline well to spread this in operationArrayPushMultiple.
274
275         This patch improves SixSpeed/spread-literal.es5.
276
277                                      baseline                  patched
278
279         spread-literal.es5      114.4140+-4.5146     ^    104.5475+-3.6157        ^ definitely 1.0944x faster
280
281         * runtime/JSArrayInlines.h:
282         (JSC::JSArray::pushInline):
283         * runtime/Structure.cpp:
284         (JSC::Structure::nonPropertyTransitionSlow):
285         (JSC::Structure::nonPropertyTransition): Deleted.
286         * runtime/Structure.h:
287         * runtime/StructureInlines.h:
288         (JSC::Structure::nonPropertyTransition):
289
290 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
291
292         [DFG] Reduce OSRExit for Kraken/crypto-aes due to CoW array
293         https://bugs.webkit.org/show_bug.cgi?id=186721
294
295         Reviewed by Keith Miller.
296
297         We still have several other OSRExits, but this patch reduces that.
298
299         1. While the ArraySlice code accepts CoW arrays, it always emits CheckStructure without CoW Array structures.
300         So the DFG emits ArraySlice onto CoW arrays, and always performs OSRExits.
301 
302         2. The CoW patch removed ArrayAllocationProfile updates. This makes the allocated JSImmutableButterfly
303         non-appropriate.
304 
305         These changes fix the Kraken/crypto-aes regression a bit.
306
307                                       baseline                  patched
308
309         stanford-crypto-aes        63.718+-2.312      ^      56.140+-0.966         ^ definitely 1.1350x faster
310
311
312         * dfg/DFGByteCodeParser.cpp:
313         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
314         * ftl/FTLOperations.cpp:
315         (JSC::FTL::operationMaterializeObjectInOSR):
316         * runtime/CommonSlowPaths.cpp:
317         (JSC::SLOW_PATH_DECL):
318
319 2018-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
320
321         [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
322         https://bugs.webkit.org/show_bug.cgi?id=186460
323
324         Reviewed by Saam Barati.
325
326         Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
327         We should return JSFixedArray for Spread. This patch adds code generating
328         a JSFixedArray from JSImmutableButterfly.
329 
330         Merging JSFixedArray into JSImmutableButterfly is a possible future extension.
331
332         * ftl/FTLLowerDFGToB3.cpp:
333         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
334         * runtime/JSFixedArray.h:
335
336 2018-06-15  Saam Barati  <sbarati@apple.com>
337
338         Annotate shrinkFootprintWhenIdle with NS_AVAILABLE
339         https://bugs.webkit.org/show_bug.cgi?id=186687
340         <rdar://problem/40071332>
341
342         Reviewed by Keith Miller.
343
344         * API/JSVirtualMachinePrivate.h:
345
346 2018-06-15  Saam Barati  <sbarati@apple.com>
347
348         Make ForceOSRExit CFG pruning in bytecode parser more aggressive by making the original block to ignore be the plan's osrEntryBytecodeIndex
349         https://bugs.webkit.org/show_bug.cgi?id=186648
350
351         Reviewed by Michael Saboff.
352
353         This patch is neutral on SunSpider/bitops-bitwise-and. That test originally
354         regressed with my first version of ForceOSRExit CFG pruning. This patch makes
355         ForceOSRExit CFG pruning more aggressive by not ignoring everything that
356         can reach any loop_hint, but only ignoring blocks that can reach a loop_hint
357         if it's the plan's osr entry bytecode target. The goal is to get a speedometer
358         2 speedup with this change on iOS.
359
360         * dfg/DFGByteCodeParser.cpp:
361         (JSC::DFG::ByteCodeParser::parse):
362
363 2018-06-15  Michael Catanzaro  <mcatanzaro@igalia.com>
364
365         Unreviewed, rolling out r232816.
366
367         Suggested by Caitlin:
368         "this patch clearly does get some things wrong, and it's not
369         easy to find what those things are"
370
371         Reverted changeset:
372
373         "[LLInt] use loadp consistently for
374         get_from_scope/put_to_scope"
375         https://bugs.webkit.org/show_bug.cgi?id=132333
376         https://trac.webkit.org/changeset/232816
377
378 2018-06-14  Michael Saboff  <msaboff@apple.com>
379
380         REGRESSION(r232741): Crash running ARES-6
381         https://bugs.webkit.org/show_bug.cgi?id=186630
382
383         Reviewed by Saam Barati.
384
385         The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
386         treated edges between identical predecessor->successor pairs independently.
387         This fixes the issue by handling such edges once, using the added intermediate
388         pad for all instances of the edges between the same pairs.
389
390         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
391         (JSC::DFG::CriticalEdgeBreakingPhase::run):
392         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.
393
394 2018-06-14  Carlos Garcia Campos  <cgarcia@igalia.com>
395
396         [GTK][WPE] WebDriver: handle acceptInsecureCertificates capability
397         https://bugs.webkit.org/show_bug.cgi?id=186560
398
399         Reviewed by Brian Burg.
400
401         Add SessionCapabilities struct to Client class and unify requestAutomationSession() methods into a single one
402         that always receives the session capabilities.
403
404         * inspector/remote/RemoteInspector.h:
405         * inspector/remote/RemoteInspectorConstants.h:
406         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
407         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage): Move the parsing of mac capabilities from
408         WebKit here and fill the SessionCapabilities instead.
409         * inspector/remote/glib/RemoteInspectorGlib.cpp:
410         (Inspector::RemoteInspector::requestAutomationSession): Pass SessionCapabilities to the client.
411         * inspector/remote/glib/RemoteInspectorServer.cpp:
412         (Inspector::RemoteInspectorServer::startAutomationSession): Process SessionCapabilities.
413         * inspector/remote/glib/RemoteInspectorServer.h:
414
415 2018-06-13  Adrian Perez de Castro  <aperez@igalia.com>
416
417         [WPE] Trying to access the remote inspector hits an assertion in the UIProcess
418         https://bugs.webkit.org/show_bug.cgi?id=186588
419
420         Reviewed by Carlos Garcia Campos.
421
422         Make both the WPE and GTK+ ports use /org/webkit/inspector as base prefix
423         for resource paths, which avoids needing a switcheroo depending on the port.
424
425         * inspector/remote/glib/RemoteInspectorUtils.cpp:
426
427 2018-06-13  Caitlin Potter  <caitp@igalia.com>
428
429         [LLInt] use loadp consistently for get_from_scope/put_to_scope
430         https://bugs.webkit.org/show_bug.cgi?id=132333
431
432         Reviewed by Mark Lam.
433
434         Using `loadis` for register indexes and `loadp` for constant scopes /
435         symboltables makes sense, but is problematic for big-endian
436         architectures.
437
438         Consistently treating the operand as a pointer simplifies determining
439         how to access the operand, and helps avoid bad accesses and crashes on
440         big-endian ports.
441
442         * bytecode/CodeBlock.cpp:
443         (JSC::CodeBlock::finishCreation):
444         * bytecode/Instruction.h:
445         * jit/JITOperations.cpp:
446         * llint/LLIntSlowPaths.cpp:
447         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
448         * llint/LowLevelInterpreter32_64.asm:
449         * llint/LowLevelInterpreter64.asm:
450         * runtime/CommonSlowPaths.h:
451         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
452         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
453
454 2018-06-13  Keith Miller  <keith_miller@apple.com>
455
456         AutomaticThread should have a way to provide a thread name
457         https://bugs.webkit.org/show_bug.cgi?id=186604
458
459         Reviewed by Filip Pizlo.
460
461         Add names for JSC's automatic threads.
462
463         * dfg/DFGWorklist.cpp:
464         * heap/Heap.cpp:
465         * jit/JITWorklist.cpp:
466         * runtime/VMTraps.cpp:
467         * wasm/WasmWorklist.cpp:
468
469 2018-06-13  Saam Barati  <sbarati@apple.com>
470
471         CFGSimplificationPhase should de-dupe jettisonedBlocks
472         https://bugs.webkit.org/show_bug.cgi?id=186583
473
474         Reviewed by Filip Pizlo.
475
476         When making the predecessors list unique in r232741, it revealed a bug inside
477         of CFG simplification, where we try to remove the same predecessor more than
478         once from a block's predecessors list. We built the list of blocks to remove
479         from the list of successors, which is not unique, causing us to try to remove
480         the same predecessor more than once. The solution here is to just add to this
481         list of blocks to remove only if the block is not already in the list.
482
483         * dfg/DFGCFGSimplificationPhase.cpp:
484         (JSC::DFG::CFGSimplificationPhase::run):
485
486 2018-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
487
488         [JSC] Always use Nuke & Set procedure for x86
489         https://bugs.webkit.org/show_bug.cgi?id=186592
490
491         Reviewed by Keith Miller.
492
493         We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
494         By doing so, we can concurrently load structure and butterfly at least in an x86 environment even in non-collector
495         threads.
496
497         * runtime/JSObject.cpp:
498         (JSC::JSObject::convertContiguousToArrayStorage):
499
500 2018-06-12  Saam Barati  <sbarati@apple.com>
501
502         Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle
503         https://bugs.webkit.org/show_bug.cgi?id=186071
504
505         Reviewed by Mark Lam.
506
507         * API/JSVirtualMachine.mm:
508         (-[JSVirtualMachine shrinkFootprint]): Deleted.
509         * API/JSVirtualMachinePrivate.h:
510
511 2018-06-11  Saam Barati  <sbarati@apple.com>
512
513         Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
514         https://bugs.webkit.org/show_bug.cgi?id=181409
515         <rdar://problem/36383749>
516
517         Reviewed by Keith Miller.
518
519         This patch is me redoing r226655. This is a patch I wrote when
520         profiling Speedometer. Fil rolled this change out in r230928. He
521         showed this slowed down a SunSpider test by ~2x. This SunSpider
522         regression revealed a real performance bug in the original change:
523         we would kill blocks that reached OSR entry targets, sometimes leading
524         us to not do OSR entry into the DFG, since we could end up deleting
525         entire loops from the CFG. The reason for this is that code that has run
526         ~once and that reaches loops often has ForceOSRExits inside of it. The
527         solution to this is to not perform this optimization on blocks that can
528         reach OSR entry targets.
529         
530         The reason I'm redoing this patch is that it turns out Fil rolling
531         out the change was a Speedometer 2 regression.
532         
533         This is a modified version of the original ChangeLog I wrote in r226655:
534         
535         When I was looking at profiler data for Speedometer, I noticed that one of
536         the hottest functions in Speedometer is around 1100 bytecode operations long.
537         Only about 100 of those bytecode ops ever execute. However, we ended up
538         spending a lot of time compiling basic blocks that never executed. We often
539         plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
540         This is the case when such a node never executes.
541         
542         This patch makes it so that anytime a block has a ForceOSRExit, and that block
543         can not reach an OSR entry target, we replace its terminal node with an Unreachable
544         node, and remove all nodes after the ForceOSRExit. This cuts down the graph
545         size since it removes control flow edges from the CFG. This allows us to get
546         rid of huge chunks of the CFG in certain programs. When doing this transformation,
547         we also insert Flushes/PhantomLocals to ensure we can recover values that are bytecode
548         live-in to the ForceOSRExit.
549         
550         Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
551         does not get rid of all the CFG that it could. If we decide it's worth
552         it, we could use additional inputs into this mechanism. For example, we could
553         profile if a basic block ever executes inside the LLInt/Baseline, and
554         remove parts of the CFG based on that.
555         
556         When running Speedometer with the concurrent JIT turned off, this patch
557         improves DFG/FTL compile times by around 5%.
558
559         * dfg/DFGByteCodeParser.cpp:
560         (JSC::DFG::ByteCodeParser::addToGraph):
561         (JSC::DFG::ByteCodeParser::inlineCall):
562         (JSC::DFG::ByteCodeParser::parse):
563         * dfg/DFGGraph.cpp:
564         (JSC::DFG::Graph::blocksInPostOrder):
565
566 2018-06-11  Saam Barati  <sbarati@apple.com>
567
568         The NaturalLoops algorithm only works when the list of blocks in a loop is de-duplicated
569         https://bugs.webkit.org/show_bug.cgi?id=184829
570
571         Reviewed by Michael Saboff.
572
573         This patch codifies that a BasicBlock's list of predecessors is de-duplicated.
574         In B3/Air, this just meant writing a validation rule. In DFG, this meant
575         ensuring this property when building up the predecessors list, and also adding
576         a validation rule. The NaturalLoops algorithm relies on this property.
577
578         * b3/B3Validate.cpp:
579         * b3/air/AirValidate.cpp:
580         * b3/testb3.cpp:
581         (JSC::B3::testLoopWithMultipleHeaderEdges):
582         (JSC::B3::run):
583         * dfg/DFGGraph.cpp:
584         (JSC::DFG::Graph::handleSuccessor):
585         * dfg/DFGValidate.cpp:
586
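The following is an added example, not code from JavaScriptCore or from any entry in this ChangeLog. It illustrates three of the entries above together: the unique-predecessor invariant that the NaturalLoops entry codifies (de-duplicated at edge insertion, as r232741 did in DFG::Graph::handleSuccessor, and checked at validation time), the CFGSimplificationPhase fix that must not build its list of blocks to remove from a successors list that can repeat a target, and the ForceOSRExit pruning that replaces a block's terminal with Unreachable only when the block cannot reach an OSR entry target. Block, Graph, the field names and the sample CFG are hypothetical stand-ins for the DFG's data structures; the pruning here only marks the block and drops its edges, and does not model the Flushes/PhantomLocals that the real transformation inserts to recover bytecode-live values.

```cpp
// Added example, not JavaScriptCore code: a minimal DFG-style CFG that keeps predecessor
// lists de-duplicated, plus ForceOSRExit pruning that spares blocks able to reach an OSR
// entry target. Every name here is hypothetical.
#include <algorithm>
#include <cstdlib>
#include <deque>
#include <vector>

struct Block {
    unsigned index = 0;
    std::vector<Block*> successors;   // may repeat a target (two switch cases, one block)
    std::vector<Block*> predecessors; // invariant: each predecessor appears once
    bool hasForceOSRExit = false;
    bool isOSREntryTarget = false;    // stands in for the loop_hint at the plan's osrEntryBytecodeIndex
    bool terminalIsUnreachable = false;
};

class Graph {
public:
    Block* addBlock(bool forceExit = false, bool entryTarget = false)
    {
        m_blocks.emplace_back(); // std::deque keeps earlier elements at stable addresses
        Block* block = &m_blocks.back();
        block->index = static_cast<unsigned>(m_blocks.size() - 1);
        block->hasForceOSRExit = forceExit; block->isOSREntryTarget = entryTarget;
        return block;
    }

    // Keep every successor edge, but record a predecessor block only once.
    void addEdge(Block* from, Block* to)
    {
        from->successors.push_back(to);
        if (std::find(to->predecessors.begin(), to->predecessors.end(), from) == to->predecessors.end())
            to->predecessors.push_back(from);
    }

    // Reverse walk over predecessor edges from every OSR entry target.
    std::vector<bool> blocksThatCanReachOSREntry() const
    {
        std::vector<bool> canReach(m_blocks.size(), false);
        std::vector<const Block*> worklist;
        for (const Block& block : m_blocks)
            if (block.isOSREntryTarget) { canReach[block.index] = true; worklist.push_back(&block); }
        while (!worklist.empty()) {
            const Block* block = worklist.back(); worklist.pop_back();
            for (const Block* pred : block->predecessors)
                if (!canReach[pred->index]) { canReach[pred->index] = true; worklist.push_back(pred); }
        }
        return canReach;
    }

    // A ForceOSRExit block that cannot reach an OSR entry target gets an Unreachable terminal:
    // its outgoing edges go away and it is removed once from each distinct successor's
    // predecessor list. Duplicate successors are folded first; a second removal would abort.
    unsigned pruneForceOSRExitBlocks()
    {
        std::vector<bool> canReach = blocksThatCanReachOSREntry();
        unsigned pruned = 0;
        for (Block& block : m_blocks) {
            if (!block.hasForceOSRExit || canReach[block.index]) continue;
            std::vector<Block*> jettisoned = block.successors;
            std::sort(jettisoned.begin(), jettisoned.end());
            jettisoned.erase(std::unique(jettisoned.begin(), jettisoned.end()), jettisoned.end());
            for (Block* successor : jettisoned) {
                auto& preds = successor->predecessors;
                auto it = std::find(preds.begin(), preds.end(), &block);
                if (it == preds.end()) std::abort(); // invariant violated: edge never recorded, or removed twice
                preds.erase(it);
            }
            block.successors.clear();
            block.terminalIsUnreachable = true;
            ++pruned;
        }
        return pruned;
    }

private:
    std::deque<Block> m_blocks;
};

// Constructed sample CFG (hypothetical): b0 -> b1 twice (two switch cases sharing a target),
// b0 -> b2, b1 [ForceOSRExit] -> b3, b2 [ForceOSRExit] -> b4, b4 [OSR entry target] -> b4 and b3.
struct SampleResult { unsigned b1Predecessors, prunedCount, b3Predecessors; bool b1CanReach, b2CanReach, b1Unreachable, b2Unreachable; };
SampleResult runSample()
{
    Graph g;
    Block* b0 = g.addBlock(); Block* b1 = g.addBlock(true); Block* b2 = g.addBlock(true);
    Block* b3 = g.addBlock(); Block* b4 = g.addBlock(false, true);
    g.addEdge(b0, b1); g.addEdge(b0, b1); g.addEdge(b0, b2); g.addEdge(b1, b3); g.addEdge(b2, b4); g.addEdge(b4, b4); g.addEdge(b4, b3);
    std::vector<bool> canReach = g.blocksThatCanReachOSREntry();
    SampleResult r;
    r.b1Predecessors = static_cast<unsigned>(b1->predecessors.size()); // 1: duplicate edge recorded once
    r.b1CanReach = canReach[b1->index]; r.b2CanReach = canReach[b2->index]; // false, true (b2 -> b4 is the loop)
    r.prunedCount = g.pruneForceOSRExitBlocks(); // 1: b1 is pruned, b2 is spared
    r.b3Predecessors = static_cast<unsigned>(b3->predecessors.size()); // 1: only b4 remains
    r.b1Unreachable = b1->terminalIsUnreachable; r.b2Unreachable = b2->terminalIsUnreachable;
    return r;
}
```

In the sample, b2 also carries a ForceOSRExit but is kept because it reaches the loop header that is the OSR entry target, which is exactly the case the SunSpider regression exposed: killing it would have deleted the loop and prevented OSR entry. The duplicate b0 -> b1 edge is recorded once in b1's predecessors, so a later removal of b1 from b3's list happens exactly once.
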
587 2018-06-11  Keith Miller  <keith_miller@apple.com>
588
589         Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire  which churns 65KB of memory
590         https://bugs.webkit.org/show_bug.cgi?id=186467
591
592         Reviewed by Simon Fraser.
593
594         This patch adds a LazyFireDetail that wraps ScopedLambda so that
595         we don't actually malloc any strings for firing unless those
596         Strings are actually going to be printed.
597
598         * bytecode/Watchpoint.h:
599         (JSC::LazyFireDetail::LazyFireDetail):
600         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
601         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
602         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
603         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
604         * runtime/ArrayPrototype.cpp:
605         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
606
607 2018-06-11  Mark Lam  <mark.lam@apple.com>
608
609         Add support for webkit-test-runner jscOptions in DumpRenderTree and WebKitTestRunner.
610         https://bugs.webkit.org/show_bug.cgi?id=186451
611         <rdar://problem/40875792>
612
613         Reviewed by Tim Horton.
614
615         Enhance setOptions() to be able to take a comma separated options string in
616         addition to white space separated options strings.
617
618         * runtime/Options.cpp:
619         (JSC::isSeparator):
620         (JSC::Options::setOptions):
621
622 2018-06-11  Michael Saboff  <msaboff@apple.com>
623
624         JavaScriptCore: Disable 32-bit JIT on Windows
625         https://bugs.webkit.org/show_bug.cgi?id=185989
626
627         Reviewed by Mark Lam.
628
629         Fixed the CLOOP so it can work when COMPUTED_GOTOs are not supported.
630
631         * llint/LLIntData.h:
632         (JSC::LLInt::getCodePtr): Used a reinterpret_cast since Opcode could be an int.
633         * llint/LowLevelInterpreter.cpp: Changed the definition of OFFLINE_ASM_GLOBAL_LABEL to not
634         have a case label because these aren't opcodes.
635         * runtime/Options.cpp: Made assembler related Windows conditional code also conditional
636         on the JIT being enabled.
637         (JSC::recomputeDependentOptions):
638
639 2018-06-11  Michael Saboff  <msaboff@apple.com>
640
641         Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled
642         https://bugs.webkit.org/show_bug.cgi?id=186477
643
644         Reviewed by Filip Pizlo.
645
646         Fixed a bug where we were using the wrong frame size for TypeParenthesesSubpatternTerminalBegin
647         YARR interpreter nodes.  This caused us to overwrite other frame information.
648
649         Added frame offset debugging code to YARR interpreter.
650
651         * yarr/YarrInterpreter.cpp:
652         (JSC::Yarr::ByteCompiler::emitDisjunction):
653         (JSC::Yarr::ByteCompiler::dumpDisjunction):
654
655 2018-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
656
657         [JSC] Array.prototype.sort should reject a null comparator
658         https://bugs.webkit.org/show_bug.cgi?id=186458
659
660         Reviewed by Keith Miller.
661
662         This relaxed behavior was once introduced in r216169 to fix some pages by aligning
663         the behavior to Chrome and Firefox.
664
665         However, now Chrome, Firefox and Edge reject a null comparator. So only JavaScriptCore
666         accepts it. This patch reverts r216169 to align JSC to the other engines and fix
667         the spec issue.
668
669         * builtins/ArrayPrototype.js:
670         (sort):
671
672 2018-06-09  Dan Bernstein  <mitz@apple.com>
673
674         [Xcode] Clean up and modernize some build setting definitions
675         https://bugs.webkit.org/show_bug.cgi?id=186463
676
677         Reviewed by Sam Weinig.
678
679         * Configurations/Base.xcconfig: Removed definition for macOS 10.11. Simplified the
680           definition of WK_PRIVATE_FRAMEWORK_STUBS_DIR now that WK_XCODE_SUPPORTS_TEXT_BASED_STUBS
681           is true for all supported Xcode versions.
682         * Configurations/DebugRelease.xcconfig: Removed definition for macOS 10.11.
683         * Configurations/FeatureDefines.xcconfig: Simplified the definitions of ENABLE_APPLE_PAY and
684           ENABLE_VIDEO_PRESENTATION_MODE now macOS 10.12 is the earliest supported version.
685         * Configurations/Version.xcconfig: Removed definition for macOS 10.11.
686         * Configurations/WebKitTargetConditionals.xcconfig: Removed definitions for macOS 10.11.
687
688 2018-06-09  Dan Bernstein  <mitz@apple.com>
689
690         Added missing file references to the Configuration group.
691
692         * JavaScriptCore.xcodeproj/project.pbxproj:
693
694 2018-06-08  Darin Adler  <darin@apple.com>
695
696         [Cocoa] Remove all uses of NSAutoreleasePool as part of preparation for ARC
697         https://bugs.webkit.org/show_bug.cgi?id=186436
698
699         Reviewed by Anders Carlsson.
700
701         * heap/Heap.cpp: Include FoundationSPI.h rather than directly including
702         objc-internal.h and explicitly declaring the alternative.
703
704 2018-06-08  Wenson Hsieh  <wenson_hsieh@apple.com>
705
706         [WebKit on watchOS] Upstream watchOS source additions to OpenSource (Part 1)
707         https://bugs.webkit.org/show_bug.cgi?id=186442
708         <rdar://problem/40879364>
709
710         Reviewed by Tim Horton.
711
712         * Configurations/FeatureDefines.xcconfig:
713
714 2018-06-08  Tadeu Zagallo  <tzagallo@apple.com>
715
716         jumpTrueOrFalse only takes the fast path for boolean false on 64bit LLInt
717         https://bugs.webkit.org/show_bug.cgi?id=186446
718         <rdar://problem/40949995>
719
720         Reviewed by Mark Lam.
721
722         On 64bit LLInt, jumpTrueOrFalse did a mask check to take the fast path for
723         boolean literals, but it would only work for false. Change it so that it
724         takes the fast path for true, false, null and undefined.
725
726         * llint/LowLevelInterpreter.asm:
727         * llint/LowLevelInterpreter64.asm:
728
729 2018-06-08  Brian Burg  <bburg@apple.com>
730
731         [Cocoa] Web Automation: include browser name and version in listing for automation targets
732         https://bugs.webkit.org/show_bug.cgi?id=186204
733         <rdar://problem/36950423>
734
735         Reviewed by Darin Adler.
736
737         Ask the client what the reported browser name and version should be, then
738         send this as part of the listing for an automation target.
739
740         * inspector/remote/RemoteInspectorConstants.h:
741         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
742         (Inspector::RemoteInspector::listingForAutomationTarget const):
743
744 2018-06-07  Chris Dumez  <cdumez@apple.com>
745
746         Add base class to get WeakPtrFactory member and avoid some boilerplate code
747         https://bugs.webkit.org/show_bug.cgi?id=186407
748
749         Reviewed by Brent Fulgham.
750
751         Add CanMakeWeakPtr base class to get WeakPtrFactory member and its getter, in
752         order to avoid some boilerplate code in every class needing a WeakPtrFactory.
753         This also gets rid of old-style createWeakPtr() methods in favor of the newer
754         makeWeakPtr().
755
756         * wasm/WasmInstance.h:
757         * wasm/WasmMemory.cpp:
758         (JSC::Wasm::Memory::registerInstance):
759
760 2018-06-07  Tadeu Zagallo  <tzagallo@apple.com>
761
762         Don't try to allocate JIT memory if we don't have the JIT entitlement
763         https://bugs.webkit.org/show_bug.cgi?id=182605
764         <rdar://problem/38271229>
765
766         Reviewed by Mark Lam.
767
768         Check that the current process has the correct entitlements before
769         trying to allocate JIT memory to silence warnings.
770
771         * jit/ExecutableAllocator.cpp:
772         (JSC::allowJIT): Helper that checks entitlements on iOS and returns true on other platforms
773         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): check allowJIT before trying to allocate
774
775 2018-06-07  Saam Barati  <sbarati@apple.com>
776
777         TierUpCheckInjectionPhase systematically never puts the outer-most loop in an inner loop's vector of outer loops
778         https://bugs.webkit.org/show_bug.cgi?id=186386
779
780         Reviewed by Filip Pizlo.
781
782         This looks like an 8% speedup on Kraken's imaging-gaussian-blur subtest.
783
784         * dfg/DFGTierUpCheckInjectionPhase.cpp:
785         (JSC::DFG::TierUpCheckInjectionPhase::run):
786
787 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
788
789         FunctionRareData::m_objectAllocationProfileWatchpoint is racy
790         https://bugs.webkit.org/show_bug.cgi?id=186237
791
792         Reviewed by Saam Barati.
793
794         We initialize it blind and let it go into auto-watch mode once the DFG adds a watchpoint, but
795         that means that we never notice that it fired if it fires between when the DFG decides to
796         watch it and when it actually adds the watchpoint.
797
798         Most watchpoints are initialized watched for this purpose. This one had a somewhat good
799         reason for being initialized blind: that's how we knew to ignore changes to the prototype
800         before the first allocation. However, that functionality also arose out of the fact that the
801         rare data is created lazily and usually won't exist until the first allocation.
802
803         The fix here is to make the watchpoint go into watched mode as soon as we initialize the
804         object allocation profile.
805
806         It's hard to repro this race, however it started causing spurious test failures for me after
807         bug 164904.
808
809         * runtime/FunctionRareData.cpp:
810         (JSC::FunctionRareData::FunctionRareData):
811         (JSC::FunctionRareData::initializeObjectAllocationProfile):
812
813 2018-06-07  Saam Barati  <sbarati@apple.com>
814
815         Make DFG to FTL OSR entry code more sane by removing bad RELEASE_ASSERTS and making it trigger compiles in outer loops before inner ones
816         https://bugs.webkit.org/show_bug.cgi?id=186218
817         <rdar://problem/38449540>
818
819         Reviewed by Filip Pizlo.
820
821         This patch makes tierUpCommon a tad bit more sane. There are a few things
822         that I did:
823         - There were a few release asserts that were crashing. Those release asserts
824         were incorrect. They were making assumptions about how the code and data
825         structures were ordered that were wrong. This patch removes them. The code
826         was using the loop hierarchy vector to make assumptions about which loop we
827         were currently executing in, which is incorrect. The only information that
828         can be used about where we're currently executing is the bytecode index we're
829         at.
830         - This makes it so that we go back to trying to compile outer loops before
831         inner loops. JF accidentally reverted this behavior that Ben implemented.
832         JF made it so that we just compiled the inner most loop. I make this
833         functionality work by first triggering a compile for the outer most loop
834         that the code is currently executing in and that can perform OSR entry.
835         However, some programs can get stuck in inner loops. The code works by
836         progressively asking inner loops to compile if program execution has not
837         yet reached an outer loop.
838
839         * dfg/DFGOperations.cpp:
840
841 2018-06-06  Guillaume Emont  <guijemont@igalia.com>
842
843         ArityFixup should adjust SP first on 32-bit platforms too
844         https://bugs.webkit.org/show_bug.cgi?id=186351
845
846         Reviewed by Yusuke Suzuki.
847
848         * jit/ThunkGenerators.cpp:
849         (JSC::arityFixupGenerator):
850
851 2018-06-06  Yusuke Suzuki  <utatane.tea@gmail.com>
852
853         [DFG] Compare operations do not respect negative zeros
854         https://bugs.webkit.org/show_bug.cgi?id=183729
855
856         Reviewed by Saam Barati.
857
858         Compare operations do not respect negative zeros. So propagating this can
859         reduce the size of the produced code for negative zero case. This pattern
860         can be seen in Kraken stanford-crypto-aes.
861
862         This also causes an existing bug which converts CompareEq(Int32Only, NonIntAsdouble) to false.
863         However, NonIntAsdouble includes negative zero, which can be equal to Int32 positive zero.
864         This issue is covered by fold-based-on-int32-proof-mul-branch.js, and we fix this.
865
866         * bytecode/SpeculatedType.cpp:
867         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
868         SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0.
869         To emphasize this, we use SpecAnyIntAsDouble | SpecNonIntAsDouble directly instead of
870         SpecDoubleReal.
871
872         * dfg/DFGBackwardsPropagationPhase.cpp:
873         (JSC::DFG::BackwardsPropagationPhase::propagate):
874
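        The CompareEq fold described in the entry above, modelled as an added example (this is not JSC code): plain JS predicates stand in for the DFG's SpecInt32Only and SpecNonIntAsDouble speculations, and the buggy and fixed folds are run side by side over the multiply-then-compare shape of the named regression test.

```javascript
// Added example; not JSC code. It models the CompareEq fold described in the
// entry above with plain JS predicates standing in for DFG speculated types.
const INT32_MIN = -(2 ** 31);
const INT32_MAX = 2 ** 31 - 1;

// Stand-in for SpecInt32Only: an integral value in int32 range. -0 is a
// double in JSC's type system, so it is deliberately excluded here.
function isInt32Only(v) {
  return typeof v === 'number' && Number.isInteger(v) && !Object.is(v, -0)
    && v >= INT32_MIN && v <= INT32_MAX;
}

// Stand-in for SpecNonIntAsDouble: a double that is not an integer. This set
// includes NaN, the infinities and, crucially, -0.0.
function isNonIntAsDouble(v) {
  return typeof v === 'number' && (!Number.isInteger(v) || Object.is(v, -0));
}

// The buggy fold: "an Int32 can never equal a non-integer double", so the
// comparison is replaced by the constant false without ever running it.
function compareEqBuggyFold(a, b) {
  if (isInt32Only(a) && isNonIntAsDouble(b)) return false;
  return a === b; // no proof available: emit the real comparison
}

// The fixed fold: the proof is only valid when the double side cannot be a
// zero, because -0.0 == 0 in JS. A zero falls through to the real comparison.
function compareEqFixedFold(a, b) {
  if (isInt32Only(a) && isNonIntAsDouble(b) && b !== 0) return false;
  return a === b;
}

// Shape of the fold-based-on-int32-proof-mul-branch.js case: a multiplication
// whose result is proven non-Int32 (negative * zero yields -0) is compared
// against the Int32 constant 0.
function mulIsZero(x, y, fold) {
  return fold(0, x * y);
}

// Run both folds over constructed operand pairs and return the pairs on which
// they disagree; only the -0 product should show up.
function disagreements(fold1, fold2) {
  const cases = [[-1, 0], [2, 0], [-3, 0.5], [4, NaN], [0, 0]];
  return cases.filter(([x, y]) => mulIsZero(x, y, fold1) !== mulIsZero(x, y, fold2));
}
```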
875 2018-06-06  Saam Barati  <sbarati@apple.com>
876
877         generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
878         https://bugs.webkit.org/show_bug.cgi?id=186363
879
880         Rubber-stamped by Filip Pizlo.
881
882         The code was assuming that the object it was creating an OPC for always
883         had a non-poly-proto structure. However, this assumption was wrong. For
884         example, an object in the prototype chain could be poly proto. That type
885         of object graph would cause a crash in this code. This patch makes it so
886         that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
887         object as we traverse the prototype chain.
888
889         * bytecode/ObjectPropertyConditionSet.cpp:
890         (JSC::generateConditionsForInstanceOf):
891
892 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
893
894         Adjust compile and runtime flags to match shippable state of features
895         https://bugs.webkit.org/show_bug.cgi?id=186319
896         <rdar://problem/40352045>
897
898         Reviewed by Maciej Stachowiak, Jon Lee, and others.
899
900         This patch revises the compile time and runtime state for various features to match their
901         suitability for end-user releases.
902
903         * Configurations/DebugRelease.xcconfig: Update to match WebKit definition of
904         WK_RELOCATABLE_FRAMEWORKS so that ENABLE(EXPERIMENTAL_FEATURES) is defined properly for
905         Cocoa builds.
906         * Configurations/FeatureDefines.xcconfig: Don't build ENABLE_INPUT_TYPE_COLOR
907         or ENABLE_INPUT_TYPE_COLOR_POPOVER.
908         * runtime/Options.h: Only enable INTL_NUMBER_FORMAT_TO_PARTS and INTL_PLURAL_RULES
909         at runtime for non-production builds.
910
911 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
912
913         Revise DEFAULT_EXPERIMENTAL_FEATURES_ENABLED to work properly on Apple builds
914         https://bugs.webkit.org/show_bug.cgi?id=186286
915         <rdar://problem/40782992>
916
917         Reviewed by Dan Bernstein.
918
919         Use the WK_RELOCATABLE_FRAMEWORKS flag (which is always defined for non-production builds)
920         to define ENABLE(EXPERIMENTAL_FEATURES) so that we do not need to manually
921         change this flag when preparing for a production release.
922
923         * Configurations/FeatureDefines.xcconfig: Use WK_RELOCATABLE_FRAMEWORKS to determine
924         whether experimental features should be enabled, and use it to properly define the
925         feature flag.
926
927 2018-06-05  Darin Adler  <darin@apple.com>
928
929         [Cocoa] Update some JavaScriptCore code to be more ready for ARC
930         https://bugs.webkit.org/show_bug.cgi?id=186301
931
932         Reviewed by Anders Carlsson.
933
934         * API/JSContext.mm:
935         (-[JSContext evaluateScript:withSourceURL:]): Use __bridge for typecast.
936         (-[JSContext setName:]): Removed unnecessary call to copy, since the
937         JSStringCreateWithCFString function already reads the characters out
938         of the string and does not retain the string, so there is no need to
939         make an immutable copy. And used __bridge for typecast.
940         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
941         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
942         Ditto.
943
944         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
945         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
946         Use CFBridgingRelease instead of autorelease for a CF dictionary that
947         we return as an NSDictionary.
948
949 2018-06-04  Keith Miller  <keith_miller@apple.com>
950
951         Remove missing files from JavaScriptCore Xcode project
952         https://bugs.webkit.org/show_bug.cgi?id=186297
953
954         Reviewed by Saam Barati.
955
956         * JavaScriptCore.xcodeproj/project.pbxproj:
957
958 2018-06-04  Keith Miller  <keith_miller@apple.com>
959
960         Add test for CoW conversions in the DFG/FTL
961         https://bugs.webkit.org/show_bug.cgi?id=186295
962
963         Reviewed by Saam Barati.
964
965         Add a function to $vm that returns a JSString containing the
966         dataLog dump of the indexingMode of an Object.
967
968         * tools/JSDollarVM.cpp:
969         (JSC::functionIndexingMode):
970         (JSC::JSDollarVM::finishCreation):
971
972 2018-06-04  Saam Barati  <sbarati@apple.com>
973
974         Set the activeLength of all ScratchBuffers to zero when exiting the VM
975         https://bugs.webkit.org/show_bug.cgi?id=186284
976         <rdar://problem/40780738>
977
978         Reviewed by Keith Miller.
979
980         Simon recently found instances where we leak global objects from the
981         ScratchBuffer. Yusuke found that we forgot to set the active length
982         back to zero when doing catch OSR entry in the DFG/FTL. His solution
983         to this was adding a node that cleared the active length. This is
984         a good node to have, but it's not a complete solution: the DFG/FTL
985         could OSR exit before that node executes, which would cause us to leak
986         the data in it.
987
988         This patch makes it so that we set each scratch buffer's active length
989         to zero on VM exit. This helps prevent leaks for JS code that eventually
990         exits the VM (which is essentially all code on the web and all API users).
991
992         * runtime/VM.cpp:
993         (JSC::VM::clearScratchBuffers):
994         * runtime/VM.h:
995         * runtime/VMEntryScope.cpp:
996         (JSC::VMEntryScope::~VMEntryScope):
997
998 2018-06-04  Keith Miller  <keith_miller@apple.com>
999
1000         JSLock should clear last exception when releasing the lock
1001         https://bugs.webkit.org/show_bug.cgi?id=186277
1002
1003         Reviewed by Mark Lam.
1004
1005         If we don't clear the last exception we essentially leak the
1006         object and everything referenced by it until another exception is
1007         thrown.
1008
1009         * runtime/JSLock.cpp:
1010         (JSC::JSLock::willReleaseLock):
1011
1012 2018-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1013
1014         Get rid of UnconditionalFinalizers and WeakReferenceHarvesters
1015         https://bugs.webkit.org/show_bug.cgi?id=180248
1016
1017         Reviewed by Sam Weinig.
1018
1019         As a final step, this patch removes ListableHandler from JSC.
1020         Nobody uses UnconditionalFinalizers and WeakReferenceHarvesters now.
1021
1022         * CMakeLists.txt:
1023         * JavaScriptCore.xcodeproj/project.pbxproj:
1024         * heap/Heap.h:
1025         * heap/ListableHandler.h: Removed.
1026
1027 2018-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1028
1029         LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
1030         https://bugs.webkit.org/show_bug.cgi?id=186223
1031
1032         Reviewed by Keith Miller.
1033
1034         After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
1035         It makes this buffer a conservative GC root, and allows it to hold GC objects unnecessarily long.
1036
1037         This patch introduces DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
1038         We model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize too to make
1039         this ClearCatchLocals valid.
1040
1041         The existing tests for ExtractCatchLocal just pass.
1042
1043         * dfg/DFGAbstractHeap.h:
1044         * dfg/DFGAbstractInterpreterInlines.h:
1045         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1046         * dfg/DFGByteCodeParser.cpp:
1047         (JSC::DFG::ByteCodeParser::parseBlock):
1048         * dfg/DFGClobberize.h:
1049         (JSC::DFG::clobberize):
1050         * dfg/DFGDoesGC.cpp:
1051         (JSC::DFG::doesGC):
1052         * dfg/DFGFixupPhase.cpp:
1053         (JSC::DFG::FixupPhase::fixupNode):
1054         * dfg/DFGMayExit.cpp:
1055         * dfg/DFGNodeType.h:
1056         * dfg/DFGOSREntry.cpp:
1057         (JSC::DFG::prepareCatchOSREntry):
1058         * dfg/DFGPredictionPropagationPhase.cpp:
1059         * dfg/DFGSafeToExecute.h:
1060         (JSC::DFG::safeToExecute):
1061         * dfg/DFGSpeculativeJIT.cpp:
1062         (JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
1063         * dfg/DFGSpeculativeJIT.h:
1064         * dfg/DFGSpeculativeJIT32_64.cpp:
1065         (JSC::DFG::SpeculativeJIT::compile):
1066         * dfg/DFGSpeculativeJIT64.cpp:
1067         (JSC::DFG::SpeculativeJIT::compile):
1068         * ftl/FTLCapabilities.cpp:
1069         (JSC::FTL::canCompile):
1070         * ftl/FTLLowerDFGToB3.cpp:
1071         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1072         (JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):
1073
1074 2018-06-02  Darin Adler  <darin@apple.com>
1075
1076         [Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
1077         https://bugs.webkit.org/show_bug.cgi?id=186227
1078
1079         Reviewed by Dan Bernstein.
1080
1081         * API/JSContext.mm:
1082         (-[JSContext name]): Use CFBridgingRelease instead of autorelease.
1083         * API/JSValue.mm:
1084         (valueToObjectWithoutCopy): Use CFBridgingRelease instead of autorelease.
1085         (containerValueToObject): Use adoptCF instead of autorelease. This is not only more
1086         ARC-compatible, but more efficient.
1087         (valueToString): Use CFBridgingRelease instead of autorelease.
1088
1089 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
1090
1091         [ESNext][BigInt] Implement support for addition operations
1092         https://bugs.webkit.org/show_bug.cgi?id=179002
1093
1094         Reviewed by Yusuke Suzuki.
1095
1096         This patch implements support for BigInt operands in the binary "+"
1097         and binary "-" operators. Right now, we have limited support in the DFG
1098         and FTL JIT layers, but we plan to fix this support in future
1099         patches.
1100
1101         * jit/JITOperations.cpp:
1102         * runtime/CommonSlowPaths.cpp:
1103         (JSC::SLOW_PATH_DECL):
1104         * runtime/JSBigInt.cpp:
1105         (JSC::JSBigInt::parseInt):
1106         (JSC::JSBigInt::stringToBigInt):
1107         (JSC::JSBigInt::toString):
1108         (JSC::JSBigInt::multiply):
1109         (JSC::JSBigInt::divide):
1110         (JSC::JSBigInt::remainder):
1111         (JSC::JSBigInt::add):
1112         (JSC::JSBigInt::sub):
1113         (JSC::JSBigInt::absoluteAdd):
1114         (JSC::JSBigInt::absoluteSub):
1115         (JSC::JSBigInt::toStringGeneric):
1116         (JSC::JSBigInt::allocateFor):
1117         (JSC::JSBigInt::toNumber const):
1118         (JSC::JSBigInt::getPrimitiveNumber const):
1119         * runtime/JSBigInt.h:
1120         * runtime/JSCJSValueInlines.h:
1121         * runtime/Operations.cpp:
1122         (JSC::jsAddSlowCase):
1123         * runtime/Operations.h:
1124         (JSC::jsSub):
1125
1126 2018-06-02  Commit Queue  <commit-queue@webkit.org>
1127
1128         Unreviewed, rolling out r232439.
1129         https://bugs.webkit.org/show_bug.cgi?id=186238
1130
1131         It breaks gtk-linux-32-release (Requested by caiolima on
1132         #webkit).
1133
1134         Reverted changeset:
1135
1136         "[ESNext][BigInt] Implement support for addition operations"
1137         https://bugs.webkit.org/show_bug.cgi?id=179002
1138         https://trac.webkit.org/changeset/232439
1139
1140 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1141
1142         Baseline op_jtrue emits an insane amount of code
1143         https://bugs.webkit.org/show_bug.cgi?id=185708
1144
1145         Reviewed by Filip Pizlo.
1146
1147         op_jtrue / op_jfalse bloat a massive amount of code. This patch attempts to reduce the size of this code by:
1148
1149         1. op_jtrue / op_jfalse jump immediately if the condition is met. We add AssemblyHelpers::branchIf{Truthy,Falsey}
1150            to jump directly. This tightens the code.
1151
1152         2. Align our emitConvertValueToBoolean implementation to FTL's boolify function. It emits less code.
1153
1154         This reduces the code size of op_jtrue in x64 from 220 bytes to 164 bytes.
1155
1156         [  12] jtrue             arg1, 6(->18)
1157               0x7f233170162c: mov 0x30(%rbp), %rax
1158               0x7f2331701630: mov %rax, %rsi
1159               0x7f2331701633: xor $0x6, %rsi
1160               0x7f2331701637: test $0xfffffffffffffffe, %rsi
1161               0x7f233170163e: jnz 0x7f2331701654
1162               0x7f2331701644: cmp $0x7, %eax
1163               0x7f2331701647: setz %sil
1164               0x7f233170164b: movzx %sil, %esi
1165               0x7f233170164f: jmp 0x7f2331701705
1166               0x7f2331701654: test %rax, %r14
1167               0x7f2331701657: jz 0x7f233170169c
1168               0x7f233170165d: cmp %r14, %rax
1169               0x7f2331701660: jb 0x7f2331701675
1170               0x7f2331701666: test %eax, %eax
1171               0x7f2331701668: setnz %sil
1172               0x7f233170166c: movzx %sil, %esi
1173               0x7f2331701670: jmp 0x7f2331701705
1174               0x7f2331701675: lea (%r14,%rax), %rsi
1175               0x7f2331701679: movq %rsi, %xmm0
1176               0x7f233170167e: xorps %xmm1, %xmm1
1177               0x7f2331701681: ucomisd %xmm1, %xmm0
1178               0x7f2331701685: jz 0x7f2331701695
1179               0x7f233170168b: mov $0x1, %esi
1180               0x7f2331701690: jmp 0x7f2331701705
1181               0x7f2331701695: xor %esi, %esi
1182               0x7f2331701697: jmp 0x7f2331701705
1183               0x7f233170169c: test %rax, %r15
1184               0x7f233170169f: jnz 0x7f2331701703
1185               0x7f23317016a5: cmp $0x1, 0x5(%rax)
1186               0x7f23317016a9: jnz 0x7f23317016c1
1187               0x7f23317016af: mov 0x8(%rax), %esi
1188               0x7f23317016b2: test %esi, %esi
1189               0x7f23317016b4: setnz %sil
1190               0x7f23317016b8: movzx %sil, %esi
1191               0x7f23317016bc: jmp 0x7f2331701705
1192               0x7f23317016c1: test $0x1, 0x6(%rax)
1193               0x7f23317016c5: jz 0x7f23317016f9
1194               0x7f23317016cb: mov (%rax), %esi
1195               0x7f23317016cd: mov $0x7f23315000c8, %rdx
1196               0x7f23317016d7: mov (%rdx), %rdx
1197               0x7f23317016da: mov (%rdx,%rsi,8), %rsi
1198               0x7f23317016de: mov $0x7f2330de0000, %rdx
1199               0x7f23317016e8: cmp %rdx, 0x18(%rsi)
1200               0x7f23317016ec: jnz 0x7f23317016f9
1201               0x7f23317016f2: xor %esi, %esi
1202               0x7f23317016f4: jmp 0x7f2331701705
1203               0x7f23317016f9: mov $0x1, %esi
1204               0x7f23317016fe: jmp 0x7f2331701705
1205               0x7f2331701703: xor %esi, %esi
1206               0x7f2331701705: test %esi, %esi
1207               0x7f2331701707: jnz 0x7f233170171b
1208
1209         [  12] jtrue             arg1, 6(->18)
1210               0x7f6c8710156c: mov 0x30(%rbp), %rax
1211               0x7f6c87101570: test %rax, %r15
1212               0x7f6c87101573: jnz 0x7f6c871015c8
1213               0x7f6c87101579: cmp $0x1, 0x5(%rax)
1214               0x7f6c8710157d: jnz 0x7f6c87101592
1215               0x7f6c87101583: cmp $0x0, 0x8(%rax)
1216               0x7f6c87101587: jnz 0x7f6c87101623
1217               0x7f6c8710158d: jmp 0x7f6c87101615
1218               0x7f6c87101592: test $0x1, 0x6(%rax)
1219               0x7f6c87101596: jz 0x7f6c87101623
1220               0x7f6c8710159c: mov (%rax), %esi
1221               0x7f6c8710159e: mov $0x7f6c86f000e0, %rdx
1222               0x7f6c871015a8: mov (%rdx), %rdx
1223               0x7f6c871015ab: mov (%rdx,%rsi,8), %rsi
1224               0x7f6c871015af: mov $0x7f6c867e0000, %rdx
1225               0x7f6c871015b9: cmp %rdx, 0x18(%rsi)
1226               0x7f6c871015bd: jnz 0x7f6c87101623
1227               0x7f6c871015c3: jmp 0x7f6c87101615
1228               0x7f6c871015c8: cmp %r14, %rax
1229               0x7f6c871015cb: jb 0x7f6c871015de
1230               0x7f6c871015d1: test %eax, %eax
1231               0x7f6c871015d3: jnz 0x7f6c87101623
1232               0x7f6c871015d9: jmp 0x7f6c87101615
1233               0x7f6c871015de: test %rax, %r14
1234               0x7f6c871015e1: jz 0x7f6c87101602
1235               0x7f6c871015e7: lea (%r14,%rax), %rsi
1236               0x7f6c871015eb: movq %rsi, %xmm0
1237               0x7f6c871015f0: xorps %xmm1, %xmm1
1238               0x7f6c871015f3: ucomisd %xmm1, %xmm0
1239               0x7f6c871015f7: jz 0x7f6c87101615
1240               0x7f6c871015fd: jmp 0x7f6c87101623
1241               0x7f6c87101602: mov $0x7, %r11
1242               0x7f6c8710160c: cmp %r11, %rax
1243               0x7f6c8710160f: jz 0x7f6c87101623
1244
1245         * dfg/DFGSpeculativeJIT32_64.cpp:
1246         (JSC::DFG::SpeculativeJIT::emitBranch):
1247         * dfg/DFGSpeculativeJIT64.cpp:
1248         (JSC::DFG::SpeculativeJIT::emitBranch):
1249         * jit/AssemblyHelpers.cpp:
1250         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
1251         (JSC::AssemblyHelpers::branchIfValue):
1252         * jit/AssemblyHelpers.h:
1253         (JSC::AssemblyHelpers::branchIfTruthy):
1254         (JSC::AssemblyHelpers::branchIfFalsey):
1255         * jit/JIT.h:
1256         * jit/JITInlines.h:
1257         (JSC::JIT::addJump):
1258         * jit/JITOpcodes.cpp:
1259         (JSC::JIT::emit_op_jfalse):
1260         (JSC::JIT::emit_op_jtrue):
1261         * jit/JITOpcodes32_64.cpp:
1262         (JSC::JIT::emit_op_jfalse):
1263         (JSC::JIT::emit_op_jtrue):
1264
1265 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1266
1267         [JSC] Remove WeakReferenceHarvester
1268         https://bugs.webkit.org/show_bug.cgi?id=186102
1269
1270         Reviewed by Filip Pizlo.
1271
1272         After several cleanups, JSWeakMap is now the last user of WeakReferenceHarvester.
1273         Since JSWeakMap is already managed in IsoSubspace, we can iterate marked JSWeakMap
1274         by using output constraints & Subspace iteration.
1275
1276         This patch removes WeakReferenceHarvester. Instead of managing this linked-list, our
1277         output constraint set iterates marked JSWeakMap by using Subspace.
1278
1279         And we also add locking for JSWeakMap's rehash and output constraint visiting.
1280
1281         Attached microbenchmark does not show any regression.
1282
1283         * API/JSAPIWrapperObject.h:
1284         * CMakeLists.txt:
1285         * JavaScriptCore.xcodeproj/project.pbxproj:
1286         * heap/Heap.cpp:
1287         (JSC::Heap::endMarking):
1288         (JSC::Heap::addCoreConstraints):
1289         * heap/Heap.h:
1290         * heap/SlotVisitor.cpp:
1291         (JSC::SlotVisitor::addWeakReferenceHarvester): Deleted.
1292         * heap/SlotVisitor.h:
1293         * heap/WeakReferenceHarvester.h: Removed.
1294         * runtime/WeakMapImpl.cpp:
1295         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
1296         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitOutputConstraints):
1297         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
1298         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences): Deleted.
1299         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences): Deleted.
1300         * runtime/WeakMapImpl.h:
1301         (JSC::WeakMapImpl::WeakMapImpl):
1302         (JSC::WeakMapImpl::finishCreation):
1303         (JSC::WeakMapImpl::rehash):
1304         (JSC::WeakMapImpl::makeAndSetNewBuffer):
1305         (JSC::WeakMapImpl::DeadKeyCleaner::target): Deleted.
1306
1307 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1308
1309         [JSC] Object.create should have intrinsic
1310         https://bugs.webkit.org/show_bug.cgi?id=186200
1311
1312         Reviewed by Filip Pizlo.
1313
1314         Object.create is used in various JS code. `Object.create(null)` is particularly used
1315         to create an empty plain object with a null [[Prototype]]. We can find `Object.create(null)`
1316         calls in ARES-6/Babylon code.
1317
1318         This patch adds ObjectCreateIntrinsic to JSC. DFG recognizes it and produces an ObjectCreate
1319         DFG node. DFG AI and constant folding attempt to convert it to NewObject when the prototype
1320         object is null. This offers a significant performance boost for `Object.create(null)`.
1321
1322                                                          baseline                  patched
1323
1324         object-create-null                           53.7940+-1.5297     ^     19.8846+-0.6584        ^ definitely 2.7053x faster
1325         object-create-unknown-object-prototype       38.9977+-1.1364     ^     37.2207+-0.6143        ^ definitely 1.0477x faster
1326         object-create-untyped-prototype              22.5632+-0.6917           22.2539+-0.6876          might be 1.0139x faster
1327
1328         * dfg/DFGAbstractInterpreterInlines.h:
1329         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1330         * dfg/DFGByteCodeParser.cpp:
1331         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1332         * dfg/DFGClobberize.h:
1333         (JSC::DFG::clobberize):
1334         * dfg/DFGConstantFoldingPhase.cpp:
1335         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1336         * dfg/DFGDoesGC.cpp:
1337         (JSC::DFG::doesGC):
1338         * dfg/DFGFixupPhase.cpp:
1339         (JSC::DFG::FixupPhase::fixupNode):
1340         * dfg/DFGNode.h:
1341         (JSC::DFG::Node::convertToNewObject):
1342         * dfg/DFGNodeType.h:
1343         * dfg/DFGOperations.cpp:
1344         * dfg/DFGOperations.h:
1345         * dfg/DFGPredictionPropagationPhase.cpp:
1346         * dfg/DFGSafeToExecute.h:
1347         (JSC::DFG::safeToExecute):
1348         * dfg/DFGSpeculativeJIT.cpp:
1349         (JSC::DFG::SpeculativeJIT::compileObjectCreate):
1350         * dfg/DFGSpeculativeJIT.h:
1351         * dfg/DFGSpeculativeJIT32_64.cpp:
1352         (JSC::DFG::SpeculativeJIT::compile):
1353         * dfg/DFGSpeculativeJIT64.cpp:
1354         (JSC::DFG::SpeculativeJIT::compile):
1355         * ftl/FTLCapabilities.cpp:
1356         (JSC::FTL::canCompile):
1357         * ftl/FTLLowerDFGToB3.cpp:
1358         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1359         (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
1360         * runtime/Intrinsic.cpp:
1361         (JSC::intrinsicName):
1362         * runtime/Intrinsic.h:
1363         * runtime/JSGlobalObject.cpp:
1364         (JSC::JSGlobalObject::init):
1365         (JSC::JSGlobalObject::visitChildren):
1366         * runtime/JSGlobalObject.h:
1367         (JSC::JSGlobalObject::nullPrototypeObjectStructure const):
1368         * runtime/ObjectConstructor.cpp:
1369
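        Why `Object.create(null)` is the usual choice for a lookup table keyed by untrusted strings, the pattern the intrinsic above makes cheap, as an added example (not JSC code): the same "key=value" records are parsed into an object literal and into a null-prototype object, and the two behave differently on keys that collide with Object.prototype. The sample records are constructed.

```javascript
// Added example; not JSC code. A null-prototype object has nothing to collide
// with, so keys from untrusted input cannot alias inherited properties.

// Constructed sample input: "key=value" records from an untrusted source.
const SAMPLE_RECORDS = ['user=alice', '__proto__=evil', 'constructor=x', 'toString=y'];

function makeLiteral() { return {}; }                      // inherits Object.prototype
function makeDictionary() { return Object.create(null); }  // no prototype at all

// Parse each record into the table produced by makeTable().
function parseRecords(lines, makeTable) {
  const table = makeTable();
  for (const line of lines) {
    const eq = line.indexOf('=');
    table[line.slice(0, eq)] = line.slice(eq + 1);
  }
  return table;
}

// Membership test a careless implementation might use: `in` walks the
// prototype chain, so on a literal it reports keys that were never inserted.
function hasKeyViaIn(table, key) { return key in table; }

// The safe membership test; works for both table kinds.
function hasOwnKey(table, key) { return Object.prototype.hasOwnProperty.call(table, key); }

// Number of keys the table actually stored. On a literal, "__proto__=evil"
// hits the inherited __proto__ setter, which ignores a string value, so that
// record is silently dropped; on a null-prototype object it is a plain key.
function ownKeyCount(table) { return Object.keys(table).length; }

// Inherited function-valued lookups are the classic hazard: an absent key on
// a literal can return Object.prototype.hasOwnProperty itself.
function lookupIsFunction(table, key) { return typeof table[key] === 'function'; }
```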
1370 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
1371
1372         [ESNext][BigInt] Implement support for addition operations
1373         https://bugs.webkit.org/show_bug.cgi?id=179002
1374
1375         Reviewed by Yusuke Suzuki.
1376
1377         This patch implements support for BigInt operands in the binary "+"
1378         and binary "-" operators. Right now, we have limited support in the DFG
1379         and FTL JIT layers, but we plan to fix this support in future
1380         patches.
1381
1382         * jit/JITOperations.cpp:
1383         * runtime/CommonSlowPaths.cpp:
1384         (JSC::SLOW_PATH_DECL):
1385         * runtime/JSBigInt.cpp:
1386         (JSC::JSBigInt::parseInt):
1387         (JSC::JSBigInt::stringToBigInt):
1388         (JSC::JSBigInt::toString):
1389         (JSC::JSBigInt::multiply):
1390         (JSC::JSBigInt::divide):
1391         (JSC::JSBigInt::remainder):
1392         (JSC::JSBigInt::add):
1393         (JSC::JSBigInt::sub):
1394         (JSC::JSBigInt::absoluteAdd):
1395         (JSC::JSBigInt::absoluteSub):
1396         (JSC::JSBigInt::toStringGeneric):
1397         (JSC::JSBigInt::allocateFor):
1398         (JSC::JSBigInt::toNumber const):
1399         (JSC::JSBigInt::getPrimitiveNumber const):
1400         * runtime/JSBigInt.h:
1401         * runtime/JSCJSValueInlines.h:
1402         * runtime/Operations.cpp:
1403         (JSC::jsAddSlowCase):
1404         * runtime/Operations.h:
1405         (JSC::jsSub):
1406
1407 2018-06-01  Wenson Hsieh  <wenson_hsieh@apple.com>
1408
1409         Fix the watchOS build after r232385
1410         https://bugs.webkit.org/show_bug.cgi?id=186203
1411
1412         Reviewed by Keith Miller.
1413
1414         Add a missing header include for JSImmutableButterfly.
1415
1416         * runtime/ArrayPrototype.cpp:
1417
1418 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1419
1420         [JSC] Add Symbol.prototype.description getter
1421         https://bugs.webkit.org/show_bug.cgi?id=186053
1422
1423         Reviewed by Keith Miller.
1424
1425         Symbol.prototype.description accessor is now stage 3[1].
1426         This adds a getter to retrieve the [[Description]] value from a Symbol.
1427         Previously, Symbol#toString() returned a `Symbol(${description})` value,
1428         so users needed to extract the `description` part if they wanted it.
1429
1430         [1]: https://tc39.github.io/proposal-Symbol-description/
1431
1432         * runtime/Symbol.cpp:
1433         (JSC::Symbol::description const):
1434         * runtime/Symbol.h:
1435         * runtime/SymbolPrototype.cpp:
1436         (JSC::tryExtractSymbol):
1437         (JSC::symbolProtoGetterDescription):
1438         (JSC::symbolProtoFuncToString):
1439         (JSC::symbolProtoFuncValueOf):
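
An added example (not JavaScriptCore code) showing what the getter gives over slicing the description out of Symbol#toString(): the string form of Symbol() and Symbol('') is identical, so the parse cannot distinguish them, while the getter returns undefined for the first and "" for the second.

```javascript
// Added example, not JavaScriptCore code: Symbol.prototype.description versus
// the older workaround of slicing the description out of Symbol#toString().

// Pre-getter workaround: strip the "Symbol(" prefix and ")" suffix. It has no
// way to tell a symbol with an empty description from one with none at all.
function descriptionFromToString(sym) {
  const text = sym.toString();              // e.g. "Symbol(foo)"
  return text.slice("Symbol(".length, -1);  // "foo"
}

// The stage-3 accessor returns [[Description]] as stored: a string when one
// was supplied (even ""), undefined when the symbol was created without one.
function descriptionFromGetter(sym) {
  return sym.description;
}

// Run both approaches over a constructed set of symbols and record where
// they disagree.
function compareApproaches() {
  const cases = [
    ["Symbol('foo')", Symbol("foo")],
    ["Symbol('')", Symbol("")],
    ["Symbol()", Symbol()],
    ["Symbol.for('shared')", Symbol.for("shared")],
    ["Symbol.iterator", Symbol.iterator],
  ];
  return cases.map(([label, sym]) => {
    const parsed = descriptionFromToString(sym);
    const getter = descriptionFromGetter(sym);
    return { label, toStringResult: sym.toString(), parsed, getter, agree: parsed === getter };
  });
}

// The getter lives on Symbol.prototype, so it also works through a Symbol
// wrapper object...
function getterOnWrapper() {
  return Object(Symbol("boxed")).description;
}

// ...and, like Symbol#toString(), rejects a receiver that is not a symbol.
function getterOnNonSymbol() {
  const get = Object.getOwnPropertyDescriptor(Symbol.prototype, "description").get;
  try {
    return get.call({});
  } catch (e) {
    return e.constructor.name;  // "TypeError"
  }
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of compareApproaches()) console.log(row);
}
```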
1440
1441 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1442
1443         [JSC] Correct values and members of JSBigInt appropriately
1444         https://bugs.webkit.org/show_bug.cgi?id=186196
1445
1446         Reviewed by Darin Adler.
1447
1448         This patch cleans up a bit to select more appropriate values and members of JSBigInt.
1449
1450         1. JSBigInt's structure should be StructureIsImmortal.
1451         2. JSBigInt::allocationSize should be annotated with `inline`.
1452         3. Remove JSBigInt::visitChildren since it is completely the same as JSCell::visitChildren.
1453         4. Remove JSBigInt::finishCreation since it is completely the same as JSCell::finishCreation.
1454
1455         * runtime/JSBigInt.cpp:
1456         (JSC::JSBigInt::allocationSize):
1457         (JSC::JSBigInt::allocateFor):
1458         (JSC::JSBigInt::compareToDouble):
1459         (JSC::JSBigInt::visitChildren): Deleted.
1460         (JSC::JSBigInt::finishCreation): Deleted.
1461         * runtime/JSBigInt.h:
1462
1463 2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1464
1465         [DFG] InById should be converted to MatchStructure
1466         https://bugs.webkit.org/show_bug.cgi?id=185803
1467
1468         Reviewed by Keith Miller.
1469
1470         MatchStructure is introduced for instanceof optimization. But this node
1471         is also useful for InById node. This patch converts InById to MatchStructure
1472         node with CheckStructures if possible by using InByIdStatus.
1473
1474         Added microbenchmarks show improvements.
1475
1476                                    baseline                  patched
1477
1478         in-by-id-removed       18.1196+-0.8108     ^     16.1702+-0.9773        ^ definitely 1.1206x faster
1479         in-by-id-match         16.3912+-0.2608     ^     15.2736+-0.8173        ^ definitely 1.0732x faster
1480
1481         * JavaScriptCore.xcodeproj/project.pbxproj:
1482         * Sources.txt:
1483         * bytecode/InByIdStatus.cpp: Added.
1484         (JSC::InByIdStatus::appendVariant):
1485         (JSC::InByIdStatus::computeFor):
1486         (JSC::InByIdStatus::hasExitSite):
1487         (JSC::InByIdStatus::computeForStubInfo):
1488         (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1489         (JSC::InByIdStatus::filter):
1490         (JSC::InByIdStatus::dump const):
1491         * bytecode/InByIdStatus.h: Added.
1492         (JSC::InByIdStatus::InByIdStatus):
1493         (JSC::InByIdStatus::state const):
1494         (JSC::InByIdStatus::isSet const):
1495         (JSC::InByIdStatus::operator bool const):
1496         (JSC::InByIdStatus::isSimple const):
1497         (JSC::InByIdStatus::numVariants const):
1498         (JSC::InByIdStatus::variants const):
1499         (JSC::InByIdStatus::at const):
1500         (JSC::InByIdStatus::operator[] const):
1501         (JSC::InByIdStatus::takesSlowPath const):
1502         * bytecode/InByIdVariant.cpp: Added.
1503         (JSC::InByIdVariant::InByIdVariant):
1504         (JSC::InByIdVariant::attemptToMerge):
1505         (JSC::InByIdVariant::dump const):
1506         (JSC::InByIdVariant::dumpInContext const):
1507         * bytecode/InByIdVariant.h: Added.
1508         (JSC::InByIdVariant::isSet const):
1509         (JSC::InByIdVariant::operator bool const):
1510         (JSC::InByIdVariant::structureSet const):
1511         (JSC::InByIdVariant::structureSet):
1512         (JSC::InByIdVariant::conditionSet const):
1513         (JSC::InByIdVariant::offset const):
1514         (JSC::InByIdVariant::isHit const):
1515         * bytecode/PolyProtoAccessChain.h:
1516         * dfg/DFGByteCodeParser.cpp:
1517         (JSC::DFG::ByteCodeParser::parseBlock):
1518
1519 2018-06-01  Keith Miller  <keith_miller@apple.com>
1520
1521         move should only emit the move if it's actually needed
1522         https://bugs.webkit.org/show_bug.cgi?id=186123
1523
1524         Reviewed by Saam Barati.
1525
1526         This patch replaces move with moveToDestinationIfNeeded. This
1527         will prevent us from emitting moves to the same location. The old
1528         move has been renamed to emitMove and made private.
1529
1530         * bytecompiler/BytecodeGenerator.cpp:
1531         (JSC::BytecodeGenerator::BytecodeGenerator):
1532         (JSC::BytecodeGenerator::emitMove):
1533         (JSC::BytecodeGenerator::emitGetGlobalPrivate):
1534         (JSC::BytecodeGenerator::emitGetAsyncIterator):
1535         (JSC::BytecodeGenerator::move): Deleted.
1536         * bytecompiler/BytecodeGenerator.h:
1537         (JSC::BytecodeGenerator::move):
1538         (JSC::BytecodeGenerator::moveToDestinationIfNeeded): Deleted.
1539         * bytecompiler/NodesCodegen.cpp:
1540         (JSC::ThisNode::emitBytecode):
1541         (JSC::SuperNode::emitBytecode):
1542         (JSC::NewTargetNode::emitBytecode):
1543         (JSC::ResolveNode::emitBytecode):
1544         (JSC::TaggedTemplateNode::emitBytecode):
1545         (JSC::ArrayNode::emitBytecode):
1546         (JSC::ObjectLiteralNode::emitBytecode):
1547         (JSC::EvalFunctionCallNode::emitBytecode):
1548         (JSC::FunctionCallResolveNode::emitBytecode):
1549         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
1550         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1551         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
1552         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
1553         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString):
1554         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
1555         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
1556         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray):
1557         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject):
1558         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject):
1559         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
1560         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray):
1561         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap):
1562         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet):
1563         (JSC::CallFunctionCallDotNode::emitBytecode):
1564         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1565         (JSC::emitPostIncOrDec):
1566         (JSC::PostfixNode::emitBracket):
1567         (JSC::PostfixNode::emitDot):
1568         (JSC::PrefixNode::emitResolve):
1569         (JSC::PrefixNode::emitBracket):
1570         (JSC::PrefixNode::emitDot):
1571         (JSC::LogicalOpNode::emitBytecode):
1572         (JSC::ReadModifyResolveNode::emitBytecode):
1573         (JSC::AssignResolveNode::emitBytecode):
1574         (JSC::AssignDotNode::emitBytecode):
1575         (JSC::AssignBracketNode::emitBytecode):
1576         (JSC::FunctionNode::emitBytecode):
1577         (JSC::ClassExprNode::emitBytecode):
1578         (JSC::DestructuringAssignmentNode::emitBytecode):
1579         (JSC::ArrayPatternNode::emitDirectBinding):
1580         (JSC::ObjectPatternNode::bindValue const):
1581         (JSC::AssignmentElementNode::bindValue const):
1582         (JSC::ObjectSpreadExpressionNode::emitBytecode):
1583
1584 2018-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1585
1586         [Baseline] Store constant directly in emit_op_mov
1587         https://bugs.webkit.org/show_bug.cgi?id=186182
1588
1589         Reviewed by Saam Barati.
1590
1591         In the old code, we first move a constant to a register and store it to the specified address.
1592         But in 64-bit JSC, we can directly store a constant to the specified address. This reduces the
1593         generated code size. Since the old code was emitting a constant in the code anyway, this change
1594         never increases the size of the generated code.
1595
1596         * jit/JITInlines.h:
1597         (JSC::JIT::emitGetVirtualRegister):
1598         We remove this obsolete comment. Our OSR relies on the fact that values are stored and loaded
1599         from the stack. If we transfer values in registers without loading values from the stack, it
1600         breaks this assumption.
1601
1602         * jit/JITOpcodes.cpp:
1603         (JSC::JIT::emit_op_mov):
1604
1605 2018-05-31  Caio Lima  <ticaiolima@gmail.com>
1606
1607         [ESNext][BigInt] Implement support for "=<" and ">=" relational operation
1608         https://bugs.webkit.org/show_bug.cgi?id=185929
1609
1610         Reviewed by Yusuke Suzuki.
1611
1612         This patch introduces support for BigInt operands in the ">=" and
1613         "<=" operators.
1614         Here we introduce ```bigIntCompareResult```, a helper function used
1615         to share code between the "less than" and "less than or equal" operators.
1616
1617         * runtime/JSBigInt.h:
1618         * runtime/Operations.h:
1619         (JSC::bigIntCompareResult):
1620         (JSC::bigIntCompare):
1621         (JSC::jsLess):
1622         (JSC::jsLessEq):
1623         (JSC::bigIntCompareLess): Deleted.
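
An added example (not JavaScriptCore code) of the language-level behaviour that this entry and the earlier "addition operations" entry implement: "+" and "-" with BigInt operands, and "<=" / ">=" derived from one three-way compare result in the shape described for bigIntCompareResult. The helper names here are the example's own; the self-check confirms they agree with the engine's operators on a constructed set of pairs.

```javascript
// Added example, not JavaScriptCore code: "+"/"-" on BigInt operands and the
// "<="/">=" operators built on a single three-way compare result.

// Apply a binary arithmetic operator, reporting either the value or the error
// class. Mixing BigInt with Number is a TypeError; "+" with a string operand is
// string concatenation and never reaches the numeric path, while "-" converts
// the string to a Number and then fails the BigInt/Number type check.
function arith(op, a, b) {
  try {
    if (op === "+") return { ok: true, value: a + b };
    if (op === "-") return { ok: true, value: a - b };
    throw new RangeError(`unsupported operator ${op}`);
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Three-way comparison with a BigInt on at least one side, in the shape the
// ChangeLog describes for bigIntCompareResult: -1, 0, 1, or undefined when the
// pair is unordered (a NaN, or a string that does not parse as a BigInt).
// A string operand is converted the way the language does; BigInt("") is 0n.
function compareResult(a, b) {
  if (typeof a === "string") { try { a = BigInt(a); } catch (e) { return undefined; } }
  if (typeof b === "string") { try { b = BigInt(b); } catch (e) { return undefined; } }
  if (Number.isNaN(a) || Number.isNaN(b)) return undefined;
  if (a < b) return -1;
  if (a > b) return 1;
  return 0;
}

// "<" and "<=" differ only in the final test on the shared result. The
// undefined case has to make both false, which a boolean "less than" helper
// could not express on its own; hence the three-way result.
function lessThan(a, b) { const r = compareResult(a, b); return r !== undefined && r < 0; }
function lessEq(a, b) { const r = compareResult(a, b); return r !== undefined && r <= 0; }
function greaterEq(a, b) { return lessEq(b, a); }

// Constructed pairs covering the ordered, equal and unordered cases; the
// helpers must agree with the engine's own "<", "<=" and ">=" on every one.
function selfCheck() {
  const pairs = [
    [1n, 2n], [2n, 2n], [3n, 2n],
    [1n, 1], [1n, 1.5], [2n, 1.5], [10n, Infinity], [-10n, -Infinity],
    [1n, NaN], [1n, "2"], [1n, ""], [1n, "abc"], [1n, "1.5"],
  ];
  return pairs.every(([a, b]) =>
    lessThan(a, b) === (a < b) && lessEq(a, b) === (a <= b) && greaterEq(a, b) === (a >= b));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(arith("+", 1n, 2n), arith("+", 1n, 1), arith("+", 1n, "1"), arith("-", 1n, "1"));
  console.log("self-check:", selfCheck());
}
```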
1624
1625 2018-05-31  Saam Barati  <sbarati@apple.com>
1626
1627         Cache toString results for CoW arrays
1628         https://bugs.webkit.org/show_bug.cgi?id=186160
1629
1630         Reviewed by Keith Miller.
1631
1632         This patch makes it so that we cache the result of toString on
1633         arrays with a CoW butterfly. This cache lives on Heap and is
1634         cleared after every GC. We only cache the toString result when
1635         the CoW butterfly doesn't have a hole (currently, all CoW arrays
1636         have a hole, but this isn't an invariant we want to rely on). The
1637         reason for this is that if there is a hole, the value may be loaded
1638         from the prototype, and the cache may produce a stale result.
1639         
1640         This is a ~4% speedup on the ML subtest in ARES. And is a ~1% overall
1641         progression on ARES.
1642
1643         * heap/Heap.cpp:
1644         (JSC::Heap::finalize):
1645         (JSC::Heap::addCoreConstraints):
1646         * heap/Heap.h:
1647         * runtime/ArrayPrototype.cpp:
1648         (JSC::canUseFastJoin):
1649         (JSC::holesMustForwardToPrototype):
1650         (JSC::isHole):
1651         (JSC::containsHole):
1652         (JSC::fastJoin):
1653         (JSC::arrayProtoFuncToString):
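
An added example (not JavaScriptCore code) of the hole caveat above: a hole is resolved through the prototype chain at join time, so a cached string can go stale without the array itself being written. Plain arrays stand in for CoW arrays here, since CoW is an engine-internal property, and the per-GC clearing of the cache is not modelled.

```javascript
// Added example, not JavaScriptCore code: why a per-array toString cache must
// skip arrays with holes. Plain arrays stand in for CoW arrays (CoW is an
// engine-internal property), and the GC clearing of the cache is not modelled.

// A hole is an index below length that the array does not own itself. Using
// hasOwnProperty matters: "i in array" would be satisfied by a prototype value.
function containsHole(array) {
  for (let i = 0; i < array.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(array, i)) return true;
  }
  return false;
}

// The uncached operation: join reads each index with [[Get]], so a hole
// yields whatever the prototype chain currently supplies.
function joinNow(array) {
  return Array.prototype.join.call(array, ",");
}

// A cache keyed on array identity alone: the design the ChangeLog rules out.
const naiveCache = new WeakMap();
function naiveCachedToString(array) {
  let s = naiveCache.get(array);
  if (s === undefined) {
    s = joinNow(array);
    naiveCache.set(array, s);
  }
  return s;
}

// Hole-aware cache: only arrays without holes are cached, because only their
// result is a pure function of the array's own contents.
const holeAwareCache = new WeakMap();
function holeAwareCachedToString(array) {
  const cached = holeAwareCache.get(array);
  if (cached !== undefined) return cached;
  const s = joinNow(array);
  if (!containsHole(array)) holeAwareCache.set(array, s);
  return s;
}

// Constructed scenario: join a holey and a dense literal, then give the
// prototype an element at the hole's index and join both again.
function demonstrateStaleness() {
  const holey = [1, , 3];   // index 1 is a hole
  const dense = [1, 2, 3];
  const snapshot = () => ({
    actual: joinNow(holey),
    naive: naiveCachedToString(holey),
    holeAware: holeAwareCachedToString(holey),
    dense: holeAwareCachedToString(dense),
  });
  const before = snapshot();
  Array.prototype[1] = "proto";  // restored below
  try {
    const after = snapshot();
    return { before, after, holeyHasHole: containsHole(holey), denseHasHole: containsHole(dense) };
  } finally {
    delete Array.prototype[1];
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demonstrateStaleness(), null, 2));
}
```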
1654
1655 2018-05-31  Saam Barati  <sbarati@apple.com>
1656
1657         PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
1658         https://bugs.webkit.org/show_bug.cgi?id=186169
1659
1660         Reviewed by Mark Lam.
1661
1662         If we don't do this, the CFA validation rule about StructureID being
1663         clobbered but AI not clobbering or folding a clobber will cause us
1664         to crash. Simon was running into this yesterday on arstechnica.com.
1665         I couldn't come up with a test case for this, but it's obvious
1666         what the issue is by looking at the IR dump at the time of the crash.
1667
1668         * dfg/DFGAbstractInterpreterInlines.h:
1669         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1670
1671 2018-05-31  Saam Barati  <sbarati@apple.com>
1672
1673         JSImmutableButterfly should align its variable storage
1674         https://bugs.webkit.org/show_bug.cgi?id=186159
1675
1676         Reviewed by Mark Lam.
1677
1678         I'm also making the use of reinterpret_cast and bitwise_cast consistent
1679         inside of JSImmutableButterfly. I switched everything to use bitwise_cast.
1680
1681         * runtime/JSImmutableButterfly.h:
1682         (JSC::JSImmutableButterfly::toButterfly const):
1683         (JSC::JSImmutableButterfly::fromButterfly):
1684         (JSC::JSImmutableButterfly::offsetOfData):
1685         (JSC::JSImmutableButterfly::allocationSize):
1686
1687 2018-05-31  Keith Miller  <keith_miller@apple.com>
1688
1689         DFGArrayModes needs to know more about CoW arrays
1690         https://bugs.webkit.org/show_bug.cgi?id=186162
1691
1692         Reviewed by Filip Pizlo.
1693
1694         This patch fixes two issues in DFGArrayMode.
1695
1696         1) fromObserved was missing switch cases for when the only observed ArrayModes are CopyOnWrite.
1697         2) DFGArrayModes needs to track if the ArrayClass is an OriginalCopyOnWriteArray in order
1698         to vend an accurate original structure.
1699
1700         Additionally, this patch fixes some places in Bytecode parsing where we told the array mode
1701         we were doing a read but actually doing a write. Also, DFGArrayMode will now print the
1702         action it is expecting when being dumped.
1703
1704         * bytecode/ArrayProfile.h:
1705         (JSC::hasSeenWritableArray):
1706         * dfg/DFGArrayMode.cpp:
1707         (JSC::DFG::ArrayMode::fromObserved):
1708         (JSC::DFG::ArrayMode::refine const):
1709         (JSC::DFG::ArrayMode::originalArrayStructure const):
1710         (JSC::DFG::arrayActionToString):
1711         (JSC::DFG::arrayClassToString):
1712         (JSC::DFG::ArrayMode::dump const):
1713         (WTF::printInternal):
1714         * dfg/DFGArrayMode.h:
1715         (JSC::DFG::ArrayMode::withProfile const):
1716         (JSC::DFG::ArrayMode::isJSArray const):
1717         (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure const):
1718         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
1719         * dfg/DFGByteCodeParser.cpp:
1720         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1721         (JSC::DFG::ByteCodeParser::parseBlock):
1722         * dfg/DFGFixupPhase.cpp:
1723         (JSC::DFG::FixupPhase::fixupNode):
1724         * dfg/DFGSpeculativeJIT.cpp:
1725         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
1726         * ftl/FTLLowerDFGToB3.cpp:
1727         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
1728
1729 2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1730
1731         [JSC] Pass VM& parameter as much as possible
1732         https://bugs.webkit.org/show_bug.cgi?id=186085
1733
1734         Reviewed by Saam Barati.
1735
1736         JSCell::vm() is slow compared to ExecState::vm(). That's why we have a bunch of functions in JSCell/JSObject that take VM& as a parameter.
1737         For example, we have JSCell::structure() and JSCell::structure(VM&), the former retrieves VM& from the cell and invokes structure(VM&).
1738         If we can get VM& from ExecState* or the other place, it reduces the inlined code size.
1739         This patch attempts to pass VM& parameter to such functions as much as possible.
1740
1741         * API/APICast.h:
1742         (toJS):
1743         (toJSForGC):
1744         * API/JSCallbackObjectFunctions.h:
1745         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
1746         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
1747         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1748         * API/JSObjectRef.cpp:
1749         (JSObjectIsConstructor):
1750         * API/JSTypedArray.cpp:
1751         (JSObjectGetTypedArrayBuffer):
1752         * API/JSValueRef.cpp:
1753         (JSValueIsInstanceOfConstructor):
1754         * bindings/ScriptFunctionCall.cpp:
1755         (Deprecated::ScriptFunctionCall::call):
1756         * bindings/ScriptValue.cpp:
1757         (Inspector::jsToInspectorValue):
1758         * bytecode/AccessCase.cpp:
1759         (JSC::AccessCase::generateImpl):
1760         * bytecode/CodeBlock.cpp:
1761         (JSC::CodeBlock::CodeBlock):
1762         * bytecode/ObjectAllocationProfileInlines.h:
1763         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
1764         * bytecode/ObjectPropertyConditionSet.cpp:
1765         (JSC::generateConditionsForInstanceOf):
1766         * bytecode/PropertyCondition.cpp:
1767         (JSC::PropertyCondition::isWatchableWhenValid const):
1768         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
1769         * bytecode/StructureStubClearingWatchpoint.cpp:
1770         (JSC::StructureStubClearingWatchpoint::fireInternal):
1771         * debugger/Debugger.cpp:
1772         (JSC::Debugger::detach):
1773         * debugger/DebuggerScope.cpp:
1774         (JSC::DebuggerScope::create):
1775         (JSC::DebuggerScope::put):
1776         (JSC::DebuggerScope::deleteProperty):
1777         (JSC::DebuggerScope::getOwnPropertyNames):
1778         (JSC::DebuggerScope::defineOwnProperty):
1779         * dfg/DFGAbstractInterpreterInlines.h:
1780         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1781         * dfg/DFGAbstractValue.cpp:
1782         (JSC::DFG::AbstractValue::mergeOSREntryValue):
1783         * dfg/DFGArgumentsEliminationPhase.cpp:
1784         * dfg/DFGArrayMode.cpp:
1785         (JSC::DFG::ArrayMode::refine const):
1786         * dfg/DFGByteCodeParser.cpp:
1787         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1788         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1789         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1790         (JSC::DFG::ByteCodeParser::check):
1791         * dfg/DFGConstantFoldingPhase.cpp:
1792         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1793         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
1794         * dfg/DFGFixupPhase.cpp:
1795         (JSC::DFG::FixupPhase::fixupNode):
1796         * dfg/DFGGraph.cpp:
1797         (JSC::DFG::Graph::tryGetConstantProperty):
1798         * dfg/DFGOperations.cpp:
1799         * dfg/DFGSpeculativeJIT.cpp:
1800         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1801         * dfg/DFGStrengthReductionPhase.cpp:
1802         (JSC::DFG::StrengthReductionPhase::handleNode):
1803         * ftl/FTLLowerDFGToB3.cpp:
1804         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1805         * ftl/FTLOperations.cpp:
1806         (JSC::FTL::operationPopulateObjectInOSR):
1807         * inspector/InjectedScriptManager.cpp:
1808         (Inspector::InjectedScriptManager::createInjectedScript):
1809         * inspector/JSJavaScriptCallFrame.cpp:
1810         (Inspector::JSJavaScriptCallFrame::caller const):
1811         (Inspector::JSJavaScriptCallFrame::scopeChain const):
1812         * interpreter/CallFrame.cpp:
1813         (JSC::CallFrame::wasmAwareLexicalGlobalObject):
1814         * interpreter/Interpreter.cpp:
1815         (JSC::Interpreter::executeProgram):
1816         (JSC::Interpreter::executeCall):
1817         (JSC::Interpreter::executeConstruct):
1818         (JSC::Interpreter::execute):
1819         (JSC::Interpreter::executeModuleProgram):
1820         * jit/JITOperations.cpp:
1821         (JSC::getByVal):
1822         * jit/Repatch.cpp:
1823         (JSC::tryCacheInByID):
1824         * jsc.cpp:
1825         (functionDollarAgentReceiveBroadcast):
1826         (functionHasCustomProperties):
1827         * llint/LLIntSlowPaths.cpp:
1828         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1829         (JSC::LLInt::setupGetByIdPrototypeCache):
1830         (JSC::LLInt::getByVal):
1831         (JSC::LLInt::handleHostCall):
1832         (JSC::LLInt::llint_throw_stack_overflow_error):
1833         * runtime/AbstractModuleRecord.cpp:
1834         (JSC::AbstractModuleRecord::finishCreation):
1835         * runtime/ArrayConstructor.cpp:
1836         (JSC::constructArrayWithSizeQuirk):
1837         * runtime/ArrayPrototype.cpp:
1838         (JSC::speciesWatchpointIsValid):
1839         (JSC::arrayProtoFuncToString):
1840         (JSC::arrayProtoFuncToLocaleString):
1841         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
1842         * runtime/AsyncFunctionConstructor.cpp:
1843         (JSC::callAsyncFunctionConstructor):
1844         (JSC::constructAsyncFunctionConstructor):
1845         * runtime/AsyncGeneratorFunctionConstructor.cpp:
1846         (JSC::callAsyncGeneratorFunctionConstructor):
1847         (JSC::constructAsyncGeneratorFunctionConstructor):
1848         * runtime/BooleanConstructor.cpp:
1849         (JSC::constructWithBooleanConstructor):
1850         * runtime/ClonedArguments.cpp:
1851         (JSC::ClonedArguments::createEmpty):
1852         (JSC::ClonedArguments::createWithInlineFrame):
1853         (JSC::ClonedArguments::createWithMachineFrame):
1854         (JSC::ClonedArguments::createByCopyingFrom):
1855         (JSC::ClonedArguments::getOwnPropertySlot):
1856         (JSC::ClonedArguments::materializeSpecials):
1857         * runtime/CommonSlowPaths.cpp:
1858         (JSC::SLOW_PATH_DECL):
1859         * runtime/CommonSlowPaths.h:
1860         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1861         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1862         (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
1863         * runtime/ConstructData.cpp:
1864         (JSC::construct):
1865         * runtime/DateConstructor.cpp:
1866         (JSC::constructWithDateConstructor):
1867         * runtime/DatePrototype.cpp:
1868         (JSC::dateProtoFuncToJSON):
1869         * runtime/DirectArguments.cpp:
1870         (JSC::DirectArguments::overrideThings):
1871         * runtime/Error.cpp:
1872         (JSC::getStackTrace):
1873         * runtime/ErrorConstructor.cpp:
1874         (JSC::Interpreter::constructWithErrorConstructor):
1875         (JSC::Interpreter::callErrorConstructor):
1876         * runtime/FunctionConstructor.cpp:
1877         (JSC::constructWithFunctionConstructor):
1878         (JSC::callFunctionConstructor):
1879         * runtime/GeneratorFunctionConstructor.cpp:
1880         (JSC::callGeneratorFunctionConstructor):
1881         (JSC::constructGeneratorFunctionConstructor):
1882         * runtime/GenericArgumentsInlines.h:
1883         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1884         * runtime/InferredStructureWatchpoint.cpp:
1885         (JSC::InferredStructureWatchpoint::fireInternal):
1886         * runtime/InferredType.cpp:
1887         (JSC::InferredType::removeStructure):
1888         * runtime/InferredType.h:
1889         * runtime/InferredTypeInlines.h:
1890         (JSC::InferredType::finalizeUnconditionally):
1891         * runtime/IntlCollator.cpp:
1892         (JSC::IntlCollator::initializeCollator):
1893         * runtime/IntlCollatorConstructor.cpp:
1894         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1895         * runtime/IntlCollatorPrototype.cpp:
1896         (JSC::IntlCollatorPrototypeGetterCompare):
1897         * runtime/IntlDateTimeFormat.cpp:
1898         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1899         (JSC::IntlDateTimeFormat::formatToParts):
1900         * runtime/IntlDateTimeFormatConstructor.cpp:
1901         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1902         * runtime/IntlDateTimeFormatPrototype.cpp:
1903         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1904         * runtime/IntlNumberFormat.cpp:
1905         (JSC::IntlNumberFormat::initializeNumberFormat):
1906         (JSC::IntlNumberFormat::formatToParts):
1907         * runtime/IntlNumberFormatConstructor.cpp:
1908         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1909         * runtime/IntlNumberFormatPrototype.cpp:
1910         (JSC::IntlNumberFormatPrototypeGetterFormat):
1911         * runtime/IntlObject.cpp:
1912         (JSC::canonicalizeLocaleList):
1913         (JSC::defaultLocale):
1914         (JSC::lookupSupportedLocales):
1915         (JSC::intlObjectFuncGetCanonicalLocales):
1916         * runtime/IntlPluralRules.cpp:
1917         (JSC::IntlPluralRules::initializePluralRules):
1918         (JSC::IntlPluralRules::resolvedOptions):
1919         * runtime/IntlPluralRulesConstructor.cpp:
1920         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
1921         * runtime/IteratorOperations.cpp:
1922         (JSC::iteratorNext):
1923         (JSC::iteratorClose):
1924         (JSC::iteratorForIterable):
1925         * runtime/JSArray.cpp:
1926         (JSC::JSArray::shiftCountWithArrayStorage):
1927         (JSC::JSArray::unshiftCountWithArrayStorage):
1928         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
1929         * runtime/JSArrayBufferConstructor.cpp:
1930         (JSC::JSArrayBufferConstructor::finishCreation):
1931         (JSC::constructArrayBuffer):
1932         * runtime/JSArrayBufferPrototype.cpp:
1933         (JSC::arrayBufferProtoFuncSlice):
1934         * runtime/JSArrayBufferView.cpp:
1935         (JSC::JSArrayBufferView::unsharedJSBuffer):
1936         (JSC::JSArrayBufferView::possiblySharedJSBuffer):
1937         * runtime/JSAsyncFunction.cpp:
1938         (JSC::JSAsyncFunction::createImpl):
1939         (JSC::JSAsyncFunction::create):
1940         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
1941         * runtime/JSAsyncGeneratorFunction.cpp:
1942         (JSC::JSAsyncGeneratorFunction::createImpl):
1943         (JSC::JSAsyncGeneratorFunction::create):
1944         (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
1945         * runtime/JSBoundFunction.cpp:
1946         (JSC::boundThisNoArgsFunctionCall):
1947         (JSC::boundFunctionCall):
1948         (JSC::boundThisNoArgsFunctionConstruct):
1949         (JSC::boundFunctionConstruct):
1950         (JSC::getBoundFunctionStructure):
1951         (JSC::JSBoundFunction::create):
1952         (JSC::JSBoundFunction::boundArgsCopy):
1953         * runtime/JSCJSValue.cpp:
1954         (JSC::JSValue::putToPrimitive):
1955         * runtime/JSCellInlines.h:
1956         (JSC::JSCell::setStructure):
1957         (JSC::JSCell::methodTable const):
1958         (JSC::JSCell::toBoolean const):
1959         * runtime/JSFunction.h:
1960         (JSC::JSFunction::createImpl):
1961         * runtime/JSGeneratorFunction.cpp:
1962         (JSC::JSGeneratorFunction::createImpl):
1963         (JSC::JSGeneratorFunction::create):
1964         (JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
1965         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1966         (JSC::constructGenericTypedArrayViewWithArguments):
1967         (JSC::constructGenericTypedArrayView):
1968         * runtime/JSGenericTypedArrayViewInlines.h:
1969         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1970         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
1971         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
1972         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1973         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1974         (JSC::genericTypedArrayViewProtoFuncSlice):
1975         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1976         * runtime/JSGlobalObject.cpp:
1977         (JSC::JSGlobalObject::init):
1978         (JSC::JSGlobalObject::exposeDollarVM):
1979         (JSC::JSGlobalObject::finishCreation):
1980         * runtime/JSGlobalObject.h:
1981         * runtime/JSGlobalObjectFunctions.cpp:
1982         (JSC::globalFuncEval):
1983         * runtime/JSInternalPromise.cpp:
1984         (JSC::JSInternalPromise::then):
1985         * runtime/JSInternalPromiseConstructor.cpp:
1986         (JSC::constructPromise):
1987         * runtime/JSJob.cpp:
1988         (JSC::JSJobMicrotask::run):
1989         * runtime/JSLexicalEnvironment.cpp:
1990         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
1991         (JSC::JSLexicalEnvironment::put):
1992         * runtime/JSMap.cpp:
1993         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
1994         * runtime/JSMapIterator.cpp:
1995         (JSC::JSMapIterator::createPair):
1996         * runtime/JSModuleLoader.cpp:
1997         (JSC::JSModuleLoader::provideFetch):
1998         (JSC::JSModuleLoader::loadAndEvaluateModule):
1999         (JSC::JSModuleLoader::loadModule):
2000         (JSC::JSModuleLoader::linkAndEvaluateModule):
2001         (JSC::JSModuleLoader::requestImportModule):
2002         * runtime/JSONObject.cpp:
2003         (JSC::JSONProtoFuncParse):
2004         * runtime/JSObject.cpp:
2005         (JSC::JSObject::putInlineSlow):
2006         (JSC::JSObject::putByIndex):
2007         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2008         (JSC::JSObject::createInitialIndexedStorage):
2009         (JSC::JSObject::createArrayStorage):
2010         (JSC::JSObject::convertUndecidedToArrayStorage):
2011         (JSC::JSObject::convertInt32ToArrayStorage):
2012         (JSC::JSObject::convertDoubleToArrayStorage):
2013         (JSC::JSObject::convertContiguousToArrayStorage):
2014         (JSC::JSObject::convertFromCopyOnWrite):
2015         (JSC::JSObject::ensureWritableInt32Slow):
2016         (JSC::JSObject::ensureWritableDoubleSlow):
2017         (JSC::JSObject::ensureWritableContiguousSlow):
2018         (JSC::JSObject::ensureArrayStorageSlow):
2019         (JSC::JSObject::setPrototypeDirect):
2020         (JSC::JSObject::deleteProperty):
2021         (JSC::callToPrimitiveFunction):
2022         (JSC::JSObject::hasInstance):
2023         (JSC::JSObject::getOwnNonIndexPropertyNames):
2024         (JSC::JSObject::preventExtensions):
2025         (JSC::JSObject::isExtensible):
2026         (JSC::JSObject::reifyAllStaticProperties):
2027         (JSC::JSObject::fillGetterPropertySlot):
2028         (JSC::JSObject::defineOwnIndexedProperty):
2029         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2030         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2031         (JSC::JSObject::putByIndexBeyondVectorLength):
2032         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2033         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2034         (JSC::JSObject::getNewVectorLength):
2035         (JSC::JSObject::increaseVectorLength):
2036         (JSC::JSObject::reallocateAndShrinkButterfly):
2037         (JSC::JSObject::shiftButterflyAfterFlattening):
2038         (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
2039         (JSC::JSObject::prototypeChainMayInterceptStoreTo):
2040         (JSC::JSObject::needsSlowPutIndexing const):
2041         (JSC::JSObject::suggestedArrayStorageTransition const):
2042         * runtime/JSObject.h:
2043         (JSC::JSObject::mayInterceptIndexedAccesses):
2044         (JSC::JSObject::hasIndexingHeader const):
2045         (JSC::JSObject::hasCustomProperties):
2046         (JSC::JSObject::hasGetterSetterProperties):
2047         (JSC::JSObject::hasCustomGetterSetterProperties):
2048         (JSC::JSObject::isExtensibleImpl):
2049         (JSC::JSObject::isStructureExtensible):
2050         (JSC::JSObject::indexingShouldBeSparse):
2051         (JSC::JSObject::staticPropertiesReified):
2052         (JSC::JSObject::globalObject const):
2053         (JSC::JSObject::finishCreation):
2054         (JSC::JSNonFinalObject::finishCreation):
2055         (JSC::getCallData):
2056         (JSC::getConstructData):
2057         (JSC::JSObject::getOwnNonIndexPropertySlot):
2058         (JSC::JSObject::putOwnDataProperty):
2059         (JSC::JSObject::putOwnDataPropertyMayBeIndex):
2060         (JSC::JSObject::butterflyPreCapacity):
2061         (JSC::JSObject::butterflyTotalSize):
2062         * runtime/JSObjectInlines.h:
2063         (JSC::JSObject::putDirectInternal):
2064         * runtime/JSPromise.cpp:
2065         (JSC::JSPromise::initialize):
2066         (JSC::JSPromise::resolve):
2067         * runtime/JSPromiseConstructor.cpp:
2068         (JSC::constructPromise):
2069         * runtime/JSPromiseDeferred.cpp:
2070         (JSC::newPromiseCapability):
2071         (JSC::callFunction):
2072         * runtime/JSScope.cpp:
2073         (JSC::abstractAccess):
2074         * runtime/JSScope.h:
2075         (JSC::JSScope::globalObject): Deleted.
2076         Remove this JSScope::globalObject function since it is exactly the same as JSObject::globalObject().
2077
2078         * runtime/JSSet.cpp:
2079         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
2080         * runtime/JSSetIterator.cpp:
2081         (JSC::JSSetIterator::createPair):
2082         * runtime/JSStringIterator.cpp:
2083         (JSC::JSStringIterator::clone):
2084         * runtime/Lookup.cpp:
2085         (JSC::reifyStaticAccessor):
2086         (JSC::setUpStaticFunctionSlot):
2087         * runtime/Lookup.h:
2088         (JSC::getStaticPropertySlotFromTable):
2089         (JSC::replaceStaticPropertySlot):
2090         (JSC::reifyStaticProperty):
2091         * runtime/MapConstructor.cpp:
2092         (JSC::constructMap):
2093         * runtime/NumberConstructor.cpp:
2094         (JSC::NumberConstructor::finishCreation):
2095         * runtime/ObjectConstructor.cpp:
2096         (JSC::constructObject):
2097         (JSC::objectConstructorAssign):
2098         (JSC::toPropertyDescriptor):
2099         * runtime/ObjectPrototype.cpp:
2100         (JSC::objectProtoFuncDefineGetter):
2101         (JSC::objectProtoFuncDefineSetter):
2102         (JSC::objectProtoFuncToLocaleString):
2103         * runtime/Operations.cpp:
2104         (JSC::jsIsFunctionType): Deleted.
2105         Replace it with JSValue::isFunction(VM&).
2106
2107         * runtime/Operations.h:
2108         * runtime/ProgramExecutable.cpp:
2109         (JSC::ProgramExecutable::initializeGlobalProperties):
2110         * runtime/RegExpConstructor.cpp:
2111         (JSC::constructWithRegExpConstructor):
2112         (JSC::callRegExpConstructor):
2113         * runtime/SamplingProfiler.cpp:
2114         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2115         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
2116         * runtime/ScopedArguments.cpp:
2117         (JSC::ScopedArguments::overrideThings):
2118         * runtime/ScriptExecutable.cpp:
2119         (JSC::ScriptExecutable::newCodeBlockFor):
2120         (JSC::ScriptExecutable::prepareForExecutionImpl):
2121         * runtime/SetConstructor.cpp:
2122         (JSC::constructSet):
2123         * runtime/SparseArrayValueMap.cpp:
2124         (JSC::SparseArrayValueMap::putEntry):
2125         (JSC::SparseArrayValueMap::putDirect):
2126         * runtime/StringConstructor.cpp:
2127         (JSC::constructWithStringConstructor):
2128         * runtime/StringPrototype.cpp:
2129         (JSC::replaceUsingRegExpSearch):
2130         (JSC::replaceUsingStringSearch):
2131         (JSC::stringProtoFuncIterator):
2132         * runtime/Structure.cpp:
2133         (JSC::Structure::materializePropertyTable):
2134         (JSC::Structure::willStoreValueSlow):
2135         * runtime/StructureCache.cpp:
2136         (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
2137         * runtime/StructureInlines.h:
2138         (JSC::Structure::get):
2139         * runtime/WeakMapConstructor.cpp:
2140         (JSC::constructWeakMap):
2141         * runtime/WeakSetConstructor.cpp:
2142         (JSC::constructWeakSet):
2143         * tools/HeapVerifier.cpp:
2144         (JSC::HeapVerifier::reportCell):
2145         * tools/JSDollarVM.cpp:
2146         (JSC::functionGlobalObjectForObject):
2147         (JSC::JSDollarVM::finishCreation):
2148         * wasm/js/JSWebAssemblyInstance.cpp:
2149         (JSC::JSWebAssemblyInstance::finalizeCreation):
2150         * wasm/js/WasmToJS.cpp:
2151         (JSC::Wasm::handleBadI64Use):
2152         (JSC::Wasm::wasmToJSException):
2153         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2154         (JSC::constructJSWebAssemblyCompileError):
2155         (JSC::callJSWebAssemblyCompileError):
2156         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2157         (JSC::constructJSWebAssemblyLinkError):
2158         (JSC::callJSWebAssemblyLinkError):
2159         * wasm/js/WebAssemblyModuleRecord.cpp:
2160         (JSC::WebAssemblyModuleRecord::evaluate):
2161         * wasm/js/WebAssemblyPrototype.cpp:
2162         (JSC::instantiate):
2163         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2164         (JSC::constructJSWebAssemblyRuntimeError):
2165         (JSC::callJSWebAssemblyRuntimeError):
2166         * wasm/js/WebAssemblyToJSCallee.cpp:
2167         (JSC::WebAssemblyToJSCallee::create):
2168
2169 2018-05-30  Saam Barati  <sbarati@apple.com>
2170
2171         DFG combined liveness needs to say that the machine CodeBlock's arguments are live
2172         https://bugs.webkit.org/show_bug.cgi?id=186121
2173         <rdar://problem/39377796>
2174
2175         Reviewed by Keith Miller.
2176
2177         DFG's combined liveness was reporting that the machine CodeBlock's |this|
2178         argument was dead at certain points in the program. However, a CodeBlock's
2179         arguments are considered live for the entire function. This fixes a bug
2180         where object allocation sinking phase skipped materializing an allocation
2181         because it thought that the argument it was associated with, |this|, was dead.
2182
2183         * dfg/DFGCombinedLiveness.cpp:
2184         (JSC::DFG::liveNodesAtHead):
2185
2186 2018-05-30  Daniel Bates  <dabates@apple.com>
2187
2188         Web Inspector: Annotate Same-Site cookies
2189         https://bugs.webkit.org/show_bug.cgi?id=184897
2190         <rdar://problem/35178209>
2191
2192         Reviewed by Brian Burg.
2193
2194         Update protocol to include cookie Same-Site policy.
2195
2196         * inspector/protocol/Page.json:
2197
2198 2018-05-29  Keith Miller  <keith_miller@apple.com>
2199
2200         Error instances should not strongly hold onto StackFrames
2201         https://bugs.webkit.org/show_bug.cgi?id=185996
2202
2203         Reviewed by Mark Lam.
2204
2205         Previously, we would hold onto all the StackFrames until the user
2206         looked at one of the properties on the Error object. This patch makes us
2207         only weakly retain the StackFrames and collect all the information
2208         if we are about to collect any frame.
2209
2210         This patch also adds a method to $vm that returns the heap's count
2211         of live global objects.
2212
2213         * heap/Heap.cpp:
2214         (JSC::Heap::finalizeUnconditionalFinalizers):
2215         * interpreter/Interpreter.cpp:
2216         (JSC::Interpreter::stackTraceAsString):
2217         * interpreter/Interpreter.h:
2218         * runtime/Error.cpp:
2219         (JSC::addErrorInfo):
2220         * runtime/ErrorInstance.cpp:
2221         (JSC::ErrorInstance::finalizeUnconditionally):
2222         (JSC::ErrorInstance::computeErrorInfo):
2223         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
2224         (JSC::ErrorInstance::visitChildren): Deleted.
2225         * runtime/ErrorInstance.h:
2226         (JSC::ErrorInstance::subspaceFor):
2227         * runtime/JSFunction.cpp:
2228         (JSC::getCalculatedDisplayName):
2229         * runtime/StackFrame.h:
2230         (JSC::StackFrame::isMarked const):
2231         * runtime/VM.cpp:
2232         (JSC::VM::VM):
2233         * runtime/VM.h:
2234         * tools/JSDollarVM.cpp:
2235         (JSC::functionGlobalObjectCount):
2236         (JSC::JSDollarVM::finishCreation):
2237
2238 2018-05-30  Keith Miller  <keith_miller@apple.com>
2239
2240         LLInt get_by_id prototype caching doesn't properly handle changes
2241         https://bugs.webkit.org/show_bug.cgi?id=186112
2242
2243         Reviewed by Filip Pizlo.
2244
2245         The caching would sometimes fail to track that a prototype had changed
2246         and wouldn't update its set of watchpoints.
2247
2248         * bytecode/CodeBlock.cpp:
2249         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2250         * bytecode/CodeBlock.h:
2251         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2252         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const):
2253         * bytecode/ObjectPropertyConditionSet.h:
2254         (JSC::ObjectPropertyConditionSet::size const):
2255         * bytecode/Watchpoint.h:
2256         (JSC::Watchpoint::Watchpoint): Deleted.
2257         * llint/LLIntSlowPaths.cpp:
2258         (JSC::LLInt::setupGetByIdPrototypeCache):
2259
2260 2018-05-30  Caio Lima  <ticaiolima@gmail.com>
2261
2262         [ESNext][BigInt] Implement support for "%" operation
2263         https://bugs.webkit.org/show_bug.cgi?id=184327
2264
2265         Reviewed by Yusuke Suzuki.
2266
2267         We are introducing the support of BigInt into the remainder (a.k.a. mod)
2268         operation.
2269
2270         * runtime/CommonSlowPaths.cpp:
2271         (JSC::SLOW_PATH_DECL):
2272         * runtime/JSBigInt.cpp:
2273         (JSC::JSBigInt::remainder):
2274         (JSC::JSBigInt::rightTrim):
2275         * runtime/JSBigInt.h:
2276
2277 2018-05-30  Saam Barati  <sbarati@apple.com>
2278
2279         AI for Atomics.load() is too conservative in always clobbering world
2280         https://bugs.webkit.org/show_bug.cgi?id=185738
2281         <rdar://problem/40342214>
2282
2283         Reviewed by Yusuke Suzuki.
2284
2285         It fails the assertion that Fil added for catching disagreements between
2286         AI and clobberize. This patch fixes that. You'd run into this if you
2287         manually enabled SAB in a build and ran any SAB tests.
2288
2289         * dfg/DFGAbstractInterpreterInlines.h:
2290         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2291
2292 2018-05-30  Michael Saboff  <msaboff@apple.com>
2293
2294         REGRESSION(r232212): Broke Win32 Builds
2295         https://bugs.webkit.org/show_bug.cgi?id=186061
2296
2297         Reviewed by Yusuke Suzuki.
2298
2299         Changed Windows builds with the JIT disabled to generate and use LLIntAssembly.h
2300         instead of LowLevelInterpreterWin.asm.
2301
2302         * CMakeLists.txt:
2303
2304 2018-05-30  Dominik Infuehr  <dinfuehr@igalia.com>
2305
2306         [MIPS] Fix build on MIPS32r1
2307         https://bugs.webkit.org/show_bug.cgi?id=185944
2308
2309         Reviewed by Yusuke Suzuki.
2310
2311         Only use instructions on MIPS32r2 or later. mthc1 and mfhc1 are not supported
2312         on MIPS32r1.
2313
2314         * offlineasm/mips.rb:
2315
2316 2018-05-29  Saam Barati  <sbarati@apple.com>
2317
2318         Add a version of JSVirtualMachine shrinkFootprint that runs when the VM goes idle
2319         https://bugs.webkit.org/show_bug.cgi?id=186064
2320
2321         Reviewed by Mark Lam.
2322
2323         shrinkFootprint was implemented as:
2324         ```
2325         sanitizeStackForVM(this);
2326         deleteAllCode(DeleteAllCodeIfNotCollecting);
2327         heap.collectNow(Synchronousness::Sync);
2328         WTF::releaseFastMallocFreeMemory();
2329         ```
2330         
2331         However, for correctness reasons, deleteAllCode is implemented to do
2332         work when the VM is idle: no JS is running on the stack. This means
2333         that if shrinkFootprint is called when JS is running on the stack, it
2334         ends up freeing less memory than it could have if it waited to run until
2335         the VM goes idle.
2336         
2337         This patch makes it so we wait until idle before doing work. I'm seeing a
2338         10% footprint progression when testing this against a client of the JSC SPI.
2339         
2340         Because this is a semantic change in how the SPI works, this patch
2341         adds new SPI named shrinkFootprintWhenIdle. The plan is to move
2342         all clients of the shrinkFootprint SPI to shrinkFootprintWhenIdle.
2343         Once that happens, we will delete shrinkFootprint. Until then,
2344         we make shrinkFootprint do exactly what shrinkFootprintWhenIdle does.
2345
2346         * API/JSVirtualMachine.mm:
2347         (-[JSVirtualMachine shrinkFootprint]):
2348         (-[JSVirtualMachine shrinkFootprintWhenIdle]):
2349         * API/JSVirtualMachinePrivate.h:
2350         * runtime/VM.cpp:
2351         (JSC::VM::shrinkFootprintWhenIdle):
2352         (JSC::VM::shrinkFootprint): Deleted.
2353         * runtime/VM.h:
2354
2355 2018-05-29  Saam Barati  <sbarati@apple.com>
2356
2357         shrinkFootprint needs to request a full collection
2358         https://bugs.webkit.org/show_bug.cgi?id=186069
2359
2360         Reviewed by Mark Lam.
2361
2362         * runtime/VM.cpp:
2363         (JSC::VM::shrinkFootprint):
2364
2365 2018-05-29  Caio Lima  <ticaiolima@gmail.com>
2366
2367         [ESNext][BigInt] Implement support for "<" and ">" relational operation
2368         https://bugs.webkit.org/show_bug.cgi?id=185379
2369
2370         Reviewed by Yusuke Suzuki.
2371
2372         This patch is changing the `jsLess` operation to follow the
2373         semantics of Abstract Relational Comparison[1] that supports BigInt.
2374         For that, we create 2 new helper functions `bigIntCompareLess` and
2375         `toPrimitiveNumeric` that consider BigInt as a valid type to be
2376         compared.
2377
2378         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-relational-comparison
2379
2380         * runtime/JSBigInt.cpp:
2381         (JSC::JSBigInt::unequalSign):
2382         (JSC::JSBigInt::absoluteGreater):
2383         (JSC::JSBigInt::absoluteLess):
2384         (JSC::JSBigInt::compare):
2385         (JSC::JSBigInt::absoluteCompare):
2386         * runtime/JSBigInt.h:
2387         * runtime/JSCJSValueInlines.h:
2388         (JSC::JSValue::isPrimitive const):
2389         * runtime/Operations.h:
2390         (JSC::bigIntCompareLess):
2391         (JSC::toPrimitiveNumeric):
2392         (JSC::jsLess):
2393
2394 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2395
2396         [Baseline] Merge loading functionalities
2397         https://bugs.webkit.org/show_bug.cgi?id=185907
2398
2399         Reviewed by Saam Barati.
2400
2401         This patch unifies emitXXXLoad functions in 32bit and 64bit.
2402
2403         * jit/JITInlines.h:
2404         (JSC::JIT::emitDoubleGetByVal):
2405         * jit/JITPropertyAccess.cpp:
2406         (JSC::JIT::emitDoubleLoad):
2407         (JSC::JIT::emitContiguousLoad):
2408         (JSC::JIT::emitArrayStorageLoad):
2409         (JSC::JIT::emitIntTypedArrayGetByVal):
2410         (JSC::JIT::emitFloatTypedArrayGetByVal):
2411         Define register usage first, and share the same code in 32bit and 64bit.
2412
2413         * jit/JITPropertyAccess32_64.cpp:
2414         (JSC::JIT::emitSlow_op_put_by_val):
2415         Now the C stack is always enabled on JIT platforms and the number of temporary registers increases from 5 to 6 on x86.
2416         We can remove this special handling.
2417
2418         (JSC::JIT::emitContiguousLoad): Deleted.
2419         (JSC::JIT::emitDoubleLoad): Deleted.
2420         (JSC::JIT::emitArrayStorageLoad): Deleted.
2421
2422 2018-05-29  Saam Barati  <sbarati@apple.com>
2423
2424         JSC should put bmalloc's scavenger into mini mode
2425         https://bugs.webkit.org/show_bug.cgi?id=185988
2426
2427         Reviewed by Michael Saboff.
2428
2429         When we InitializeThreading, we'll now enable bmalloc's mini mode
2430         if the VM is in mini mode. This is an 8-10% progression on the footprint
2431         at end score in run-testmem, making it a 4-5% memory score progression.
2432         It's between a 0-1% regression in its time score.
2433
2434         * runtime/InitializeThreading.cpp:
2435         (JSC::initializeThreading):
2436
2437 2018-05-29  Caitlin Potter  <caitp@igalia.com>
2438
2439         [JSC] Fix Array.prototype.concat fast case when single argument is Proxy
2440         https://bugs.webkit.org/show_bug.cgi?id=184267
2441
2442         Reviewed by Saam Barati.
2443
2444         Before this patch, the fast case for Array.prototype.concat was taken if
2445         there was a single argument passed to the function, which is either a
2446         non-JSCell, or an ObjectType JSCell not marked as concat-spreadable.
2447         This incorrectly prevented Proxy objects from being spread when
2448         they were the only argument passed to A.prototype.concat(), violating ECMA-262.
2449
2450         * builtins/ArrayPrototype.js:
2451         (concat):
2452
2453 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2454
2455         [JSC] JSBigInt::digitDiv has undefined behavior which causes test failures
2456         https://bugs.webkit.org/show_bug.cgi?id=186022
2457
2458         Reviewed by Darin Adler.
2459
2460         digitDiv performs Value64Bit >> 64 / Value32Bit >> 32, which is undefined behavior. And zero mask
2461         creation has an issue (`s` should be cast to a signed type before negating). They cause test failures
2462         in non x86 / x86_64 environments. x86 and x86_64 work well since they have a fast path written
2463         in asm.
2464
2465         This patch fixes digitDiv by carefully avoiding undefined behaviors. We mask the left value of the
2466         rshift with `digitBits - 1`, which makes `digitBits` 0 while it keeps 0 <= n < digitBits values.
2467         This makes the target rshift well-defined in C++. While the value produced by the rshift covers the 0 <= `s` < 64 (32
2468         in a 32-bit environment) cases, this rshift does not shift if `s` is 0. sZeroMask clears the value
2469         if `s` is 0, so that the `s == 0` case is also covered. Note that `s == 64` never happens since `divisor`
2470         is never 0 here. We add an assertion for that. We also fix the `sZeroMask` calculation.
2471
2472         This patch also fixes naming convention for constant values.
2473
2474         * runtime/JSBigInt.cpp:
2475         (JSC::JSBigInt::digitMul):
2476         (JSC::JSBigInt::digitDiv):
2477         * runtime/JSBigInt.h:
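
The shift-count pattern the entry above describes, as an added example that is not JSC's code and does not reproduce JSBigInt::digitDiv itself: a 64-bit digit type, a divisor whose leading-zero count `s` is used to normalize a two-digit dividend, and the right shift of the low digit by `digitBits - s`, which is undefined when `s == 0`. The names `clz64`, `nonZeroShiftMask`, `lowBitsShiftedIntoHigh`, `normalizeDividend` and `Normalized` are assumptions for illustration, and `__builtin_clzll` is assumed to be available (GCC/Clang).

```cpp
// Added example (not JSC code): the well-defined "normalize" step of a
// two-digit-by-one-digit division, in the style the ChangeLog entry describes.
// All names below are illustrative assumptions, not JSBigInt's own API.
#include <cassert>
#include <cstdint>

using Digit = uint64_t;
static constexpr unsigned digitBits = sizeof(Digit) * 8;   // 64
static constexpr unsigned shiftMask = digitBits - 1;       // 63

// Count leading zeros of a non-zero digit. The divisor is never 0 on this
// path, so s == digitBits cannot occur; the assertion records that invariant.
// (__builtin_clzll is a GCC/Clang builtin: an assumption about the toolchain.)
static unsigned clz64(Digit value)
{
    assert(value != 0);
    return static_cast<unsigned>(__builtin_clzll(value));
}

// All-ones when s != 0, all-zeros when s == 0. A branch-free form negates s
// as a *signed* value and sign-extends; negating the unsigned s is the mask
// bug the entry mentions, so this version simply uses a conditional.
static Digit nonZeroShiftMask(unsigned s)
{
    return s == 0 ? Digit(0) : ~Digit(0);
}

// Returns the top s bits of `low`, moved to the bottom: low >> (digitBits - s).
// Written naively, `low >> (digitBits - s)` is undefined when s == 0 (a shift
// by the full width). Masking the count with shiftMask keeps it in [0, 63];
// the masked count is then 0 for s == 0, which would return `low` unchanged,
// so the mask zeroes the result in that case.
static Digit lowBitsShiftedIntoHigh(Digit low, unsigned s)
{
    assert(s < digitBits);
    Digit shifted = low >> ((digitBits - s) & shiftMask);
    return shifted & nonZeroShiftMask(s);
}

struct Normalized {
    Digit divisor;  // divisor << s, top bit set
    Digit un32;     // high digit of (high:low) << s
    Digit un10;     // low digit of (high:low) << s
    unsigned shift; // s
};

// Normalizes dividend (high:low) and divisor for a Knuth-style division step:
// shift the divisor left until its top bit is set, and shift the dividend by
// the same amount. Requires high < divisor so that no bits are shifted out.
static Normalized normalizeDividend(Digit high, Digit low, Digit divisor)
{
    assert(divisor != 0);
    assert(high < divisor);
    unsigned s = clz64(divisor);
    Normalized n;
    n.shift = s;
    n.divisor = divisor << s;  // s < 64, so this shift is well-defined
    n.un32 = (high << s) | lowBitsShiftedIntoHigh(low, s);
    n.un10 = low << s;
    return n;
}

int main()
{
    // Constructed input: (1:0x8000000000000000) / 3, so s == 62.
    Normalized n = normalizeDividend(1, 0x8000000000000000ull, 3);
    assert(n.shift == 62);
    assert(n.un32 == 0x6000000000000000ull);
    assert(n.un10 == 0);
    // Constructed input with a divisor whose top bit is already set: s == 0,
    // the case that the naive full-width shift gets wrong.
    Normalized m = normalizeDividend(5, 7, 0x8000000000000000ull);
    assert(m.shift == 0 && m.un32 == 5 && m.un10 == 7);
    return 0;
}
```

The `s == 0` case is the one worth keeping in a regression test: with the unmasked shift it is undefined behaviour, and on x86 the hardware masks the count to 0 anyway, which is why the original only failed on other architectures.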
2478
2479 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2480
2481         [WTF] Add clz32 / clz64 for MSVC
2482         https://bugs.webkit.org/show_bug.cgi?id=186023
2483
2484         Reviewed by Daniel Bates.
2485
2486         Move clz32 and clz64 to WTF.
2487
2488         * runtime/MathCommon.h:
2489         (JSC::clz32): Deleted.
2490         (JSC::clz64): Deleted.
2491
2492 2018-05-27  Caio Lima  <ticaiolima@gmail.com>
2493
2494         [ESNext][BigInt] Implement "+" and "-" unary operation
2495         https://bugs.webkit.org/show_bug.cgi?id=182214
2496
2497         Reviewed by Yusuke Suzuki.
2498
2499         This patch implements support for the "-" unary operation on BigInt.
2500         It is also changing the logic of ASTBuilder::makeNegateNode to
2501         calculate BigInt literals with the proper sign, avoiding an
2502         unnecessary operation. It required a refactoring of
2503         JSBigInt::parseInt to consider the sign as a parameter.
2504
2505         We are also introducing a new DFG Node called ValueNegate to handle BigInt negate
2506         operations. With the introduction of BigInt, it is not true
2507         that every negate operation returns a Number. As ArithNegate is a
2508         node that considers its result is always a Number, like all other
2509         Arith<Operation>, we decided to keep this consistency and use ValueNegate when
2510         speculation indicates that the operand is a BigInt.
2511         This design is following the same distinction between ArithAdd and
2512         ValueAdd. Also, this new node will make simpler the introduction of
2513         optimizations when we create speculation paths for BigInt in future
2514         patches.
2515
2516         In the case of the "+" unary operation on BigInt, the current semantics we already have
2517         are correct, since it needs to throw a TypeError because of the ToNumber call[1].
2518         In such a case, we are adding tests to verify other edge cases.
2519
2520         [1] - https://tc39.github.io/proposal-bigint/#sec-unary-plus-operator
2521
2522         * bytecompiler/BytecodeGenerator.cpp:
2523         (JSC::BytecodeGenerator::addBigIntConstant):
2524         * bytecompiler/BytecodeGenerator.h:
2525         * bytecompiler/NodesCodegen.cpp:
2526         (JSC::BigIntNode::jsValue const):
2527         * dfg/DFGAbstractInterpreterInlines.h:
2528         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2529         * dfg/DFGByteCodeParser.cpp:
2530         (JSC::DFG::ByteCodeParser::makeSafe):
2531         (JSC::DFG::ByteCodeParser::parseBlock):
2532         * dfg/DFGClobberize.h:
2533         (JSC::DFG::clobberize):
2534         * dfg/DFGDoesGC.cpp:
2535         (JSC::DFG::doesGC):
2536         * dfg/DFGFixupPhase.cpp:
2537         (JSC::DFG::FixupPhase::fixupNode):
2538         * dfg/DFGNode.h:
2539         (JSC::DFG::Node::arithNodeFlags):
2540         * dfg/DFGNodeType.h:
2541         * dfg/DFGPredictionPropagationPhase.cpp:
2542         * dfg/DFGSafeToExecute.h:
2543         (JSC::DFG::safeToExecute):
2544         * dfg/DFGSpeculativeJIT.cpp:
2545         (JSC::DFG::SpeculativeJIT::compileValueNegate):
2546         (JSC::DFG::SpeculativeJIT::compileArithNegate):
2547         * dfg/DFGSpeculativeJIT.h:
2548         * dfg/DFGSpeculativeJIT32_64.cpp:
2549         (JSC::DFG::SpeculativeJIT::compile):
2550         * dfg/DFGSpeculativeJIT64.cpp:
2551         (JSC::DFG::SpeculativeJIT::compile):
2552         * ftl/FTLCapabilities.cpp:
2553         (JSC::FTL::canCompile):
2554         * ftl/FTLLowerDFGToB3.cpp:
2555         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2556         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
2557         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2558         * jit/JITOperations.cpp:
2559         * parser/ASTBuilder.h:
2560         (JSC::ASTBuilder::createBigIntWithSign):
2561         (JSC::ASTBuilder::createBigIntFromUnaryOperation):
2562         (JSC::ASTBuilder::makeNegateNode):
2563         * parser/NodeConstructors.h:
2564         (JSC::BigIntNode::BigIntNode):
2565         * parser/Nodes.h:
2566         * runtime/CommonSlowPaths.cpp:
2567         (JSC::updateArithProfileForUnaryArithOp):
2568         (JSC::SLOW_PATH_DECL):
2569         * runtime/JSBigInt.cpp:
2570         (JSC::JSBigInt::parseInt):
2571         * runtime/JSBigInt.h:
2572         * runtime/JSCJSValueInlines.h:
2573         (JSC::JSValue::strictEqualSlowCaseInline):
2574
2575 2018-05-27  Dan Bernstein  <mitz@apple.com>
2576
2577         Tried to fix the 32-bit !ASSERT_DISABLED build after r232211.
2578
2579         * jit/JITOperations.cpp:
2580
2581 2018-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2582
2583         [JSC] Rename Array#flatten to flat
2584         https://bugs.webkit.org/show_bug.cgi?id=186012
2585
2586         Reviewed by Saam Barati.
2587
2588         Rename Array#flatten to Array#flat. This rename was done in TC39 since flatten
2589         conflicts with MooTools' function name.
2590
2591         * builtins/ArrayPrototype.js:
2592         (globalPrivate.flatIntoArray):
2593         (flat):
2594         (globalPrivate.flatIntoArrayWithCallback):
2595         (flatMap):
2596         (globalPrivate.flattenIntoArray): Deleted.
2597         (flatten): Deleted.
2598         (globalPrivate.flattenIntoArrayWithCallback): Deleted.
2599         * runtime/ArrayPrototype.cpp:
2600         (JSC::ArrayPrototype::finishCreation):
2601
2602 2018-05-25  Mark Lam  <mark.lam@apple.com>
2603
2604         for-in loops should preserve and restore the TDZ stack for each of its internal loops.
2605         https://bugs.webkit.org/show_bug.cgi?id=185995
2606         <rdar://problem/40173142>
2607
2608         Reviewed by Saam Barati.
2609
2610         This is because there's no guarantee that any of the loop bodies will be
2611         executed.  Hence, there's no guarantee that the TDZ variables will have been
2612         initialized after each loop body.
2613
2614         * bytecompiler/BytecodeGenerator.cpp:
2615         (JSC::BytecodeGenerator::preserveTDZStack):
2616         (JSC::BytecodeGenerator::restoreTDZStack):
2617         * bytecompiler/BytecodeGenerator.h:
2618         * bytecompiler/NodesCodegen.cpp:
2619         (JSC::ForInNode::emitBytecode):
2620
2621 2018-05-25  Mark Lam  <mark.lam@apple.com>
2622
2623         MachineContext's instructionPointer() should handle null PCs correctly.
2624         https://bugs.webkit.org/show_bug.cgi?id=186004
2625         <rdar://problem/40570067>
2626
2627         Reviewed by Saam Barati.
2628
2629         instructionPointer() returns a MacroAssemblerCodePtr<CFunctionPtrTag>.  However,
2630         MacroAssemblerCodePtr's constructor does not accept a null pointer value and will
2631         assert accordingly with a debug ASSERT.  This is inconsequential for release
2632         builds, but to avoid this assertion failure, we should check for a null PC and
2633         return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr) instead (which uses the
2634         MacroAssemblerCodePtr(std::nullptr_t) version of the constructor instead).
2635
2636         Alternatively, we can change all of MacroAssemblerCodePtr's constructors to check
2637         for null pointers, but I would rather not do that yet.  In general,
2638         MacroAssemblerCodePtrs are constructed with non-null pointers, and I prefer to
2639         leave it that way for now.
2640
2641         Note: this assertion failure only manifests when we have signal traps enabled,
2642         and encounter a null pointer deref.
2643
2644         * runtime/MachineContext.h:
2645         (JSC::MachineContext::instructionPointer):
2646
2647 2018-05-25  Mark Lam  <mark.lam@apple.com>
2648
2649         Enforce invariant that GetterSetter objects are invariant.
2650         https://bugs.webkit.org/show_bug.cgi?id=185968
2651         <rdar://problem/40541416>
2652
2653         Reviewed by Saam Barati.
2654
2655         The code already assumes the invariant that GetterSetter objects are immutable.
2656         For example, the use of @tryGetById in builtins expects this invariant to be true.
2657         The existing code mostly enforces this except for one case: JSObject's
2658         validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter
2659         object.
2660
2661         This patch enforces this invariant by removing the setGetter and setSetter methods
2662         of GetterSetter, and requiring the getter/setter callback functions to be
2663         specified at construction time.
2664
2665         * jit/JITOperations.cpp:
2666         * llint/LLIntSlowPaths.cpp:
2667         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2668         * runtime/GetterSetter.cpp:
2669         (JSC::GetterSetter::withGetter): Deleted.
2670         (JSC::GetterSetter::withSetter): Deleted.
2671         * runtime/GetterSetter.h:
2672         * runtime/JSGlobalObject.cpp:
2673         (JSC::JSGlobalObject::init):
2674         * runtime/JSObject.cpp:
2675         (JSC::JSObject::putIndexedDescriptor):
2676         (JSC::JSObject::putDirectNativeIntrinsicGetter):
2677         (JSC::putDescriptor):
2678         (JSC::validateAndApplyPropertyDescriptor):
2679         * runtime/JSTypedArrayViewPrototype.cpp:
2680         (JSC::JSTypedArrayViewPrototype::finishCreation):
2681         * runtime/Lookup.cpp:
2682         (JSC::reifyStaticAccessor):
2683         * runtime/PropertyDescriptor.cpp:
2684         (JSC::PropertyDescriptor::slowGetterSetter):
2685
2686 2018-05-25  Saam Barati  <sbarati@apple.com>
2687
2688         Make JSC have a mini mode that kicks in when the JIT is disabled
2689         https://bugs.webkit.org/show_bug.cgi?id=185931
2690
2691         Reviewed by Mark Lam.
2692
2693         This patch makes JSC have a mini VM mode. This currently only kicks in
2694         when the process can't JIT. Mini VM now means a few things:
2695         - We always use a 1.27x heap growth factor. This number was the best tradeoff
2696           between memory use progression and time regression in run-testmem. We may
2697           want to tune this more in the future as we make other mini VM changes.
2698         - We always sweep synchronously.
2699         - We disable generational GC.
2700         
2701         I'm going to continue to extend what mini VM mode means in future changes.
2702         
2703         This patch is a 50% memory progression and an ~8-9% time regression
2704         on run-testmem when running in mini VM mode with the JIT disabled.
2705
2706         * heap/Heap.cpp:
2707         (JSC::Heap::collectNow):
2708         (JSC::Heap::finalize):
2709         (JSC::Heap::useGenerationalGC):
2710         (JSC::Heap::shouldSweepSynchronously):
2711         (JSC::Heap::shouldDoFullCollection):
2712         * heap/Heap.h:
2713         * runtime/Options.h:
2714         * runtime/VM.cpp:
2715         (JSC::VM::isInMiniMode):
2716         * runtime/VM.h:
2717
2718 2018-05-25  Saam Barati  <sbarati@apple.com>
2719
2720         Have a memory test where we can validate JSC's mini memory mode
2721         https://bugs.webkit.org/show_bug.cgi?id=185932
2722
2723         Reviewed by Mark Lam.
2724
2725         This patch adds the testmem CLI. It takes as input a file to run
2726         and the number of iterations to run it (by default it runs it
2727         20 times). Each iteration runs in a new JSContext. Each JSContext
2728         belongs to a VM that is created once. When finished, the CLI dumps
2729         out the peak memory usage of the process, the memory usage at the end
2730         of running all the iterations of the process, and the total time it
2731         took to run all the iterations.
2732
2733         * JavaScriptCore.xcodeproj/project.pbxproj:
2734         * testmem: Added.
2735         * testmem/testmem.mm: Added.
2736         (description):
2737         (Footprint::now):
2738         (main):
2739
2740 2018-05-25  David Kilzer  <ddkilzer@apple.com>
2741
2742         Fix issues with -dealloc methods found by clang static analyzer
2743         <https://webkit.org/b/185887>
2744
2745         Reviewed by Joseph Pecoraro.
2746
2747         * API/JSValue.mm:
2748         (-[JSValue dealloc]):
2749         (-[JSValue description]):
2750         - Move method implementations from (Internal) category to the
2751           main category since these are public API.  This fixes the
2752           false positive warning about a missing -dealloc method.
2753
2754 2018-05-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2755
2756         [Baseline] Remove a hack for DCE removal of NewFunction
2757         https://bugs.webkit.org/show_bug.cgi?id=185945
2758
2759         Reviewed by Saam Barati.
2760
2761         This `undefined` check in baseline was originally introduced in r177871. The problem was,
2762         when NewFunction is removed in DFG DCE, its referencing scope DFG node is also removed.
2763         While op_new_func_xxx wants to have a scope for function creation, DFG OSR exit cannot
2764         retrieve this onto the stack since the scope is not referenced from anywhere.
2765
2766         In r177871, we fixed this by accepting an `undefined` scope in the baseline op_new_func_xxx
2767         implementation. But rather than that, just emitting `Phantom` for this scope is cleaner
2768         and consistent with the other DFG nodes like GetClosureVar.
2769
2770         This patch emits Phantom instead, and removes the unnecessary `undefined` check in baseline.
2771         While we emit Phantom, it is not testable since NewFunction is guarded by MovHint, which
2772         is not removed in DFG. And in FTL, NewFunction will be converted to PhantomNewFunction
2773         if it is not referenced, and the scope node is kept by PutHint. But emitting Phantom is nice
2774         since it conservatively guards the scope, and it does not introduce any additional overhead
2775         compared to the current status.
2776
2777         * dfg/DFGByteCodeParser.cpp:
2778         (JSC::DFG::ByteCodeParser::parseBlock):
2779         * jit/JITOpcodes.cpp:
2780         (JSC::JIT::emitNewFuncExprCommon):
2781
2782 2018-05-23  Keith Miller  <keith_miller@apple.com>
2783
2784         Expose $vm if window.internals is exposed
2785         https://bugs.webkit.org/show_bug.cgi?id=185900
2786
2787         Reviewed by Mark Lam.
2788
2789         This is useful for testing vm internals when running LayoutTests.
2790
2791         * runtime/JSGlobalObject.cpp:
2792         (JSC::JSGlobalObject::init):
2793         (JSC::JSGlobalObject::visitChildren):
2794         (JSC::JSGlobalObject::exposeDollarVM):
2795         * runtime/JSGlobalObject.h:
2796
2797 2018-05-23  Keith Miller  <keith_miller@apple.com>
2798
2799         Define length on CoW array should properly convert to writable
2800         https://bugs.webkit.org/show_bug.cgi?id=185927
2801
2802         Reviewed by Yusuke Suzuki.
2803
2804         * runtime/JSArray.cpp:
2805         (JSC::JSArray::setLength):
2806
2807 2018-05-23  Keith Miller  <keith_miller@apple.com>
2808
2809         InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format
2810         https://bugs.webkit.org/show_bug.cgi?id=185923
2811
2812         Reviewed by Saam Barati.
2813
2814         Previously, we could confuse AI by overly broadening a type. This happens when a block in a
2815         loop has a local mutated following a GetLocal but never SetLocaled to the stack. For example,
2816
2817         Block 1:
2818         @1: GetLocal(loc42, FlushedInt32);
2819         @2: PutStructure(Check: Cell: @1);
2820         @3: Jump(Block 1);
2821
2822         Would cause us to claim that loc42 could be either an int32 or some cell. However,
2823         the type of a local cannot change without writing to it.
2824
2825         This fixes a crash in destructuring-rest-element.js.
2826
2827         * dfg/DFGInPlaceAbstractState.cpp:
2828         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2829
2830 2018-05-23  Filip Pizlo  <fpizlo@apple.com>
2831
2832         Speed up JetStream/base64
2833         https://bugs.webkit.org/show_bug.cgi?id=185914
2834
2835         Reviewed by Michael Saboff.
2836         
2837         Make allocation fast paths ALWAYS_INLINE.
2838         
2839         This is a 1% speed-up on SunSpider, mostly because of base64. It also speeds up pdfjs by
2840         ~6%.
2841
2842         * CMakeLists.txt:
2843         * JavaScriptCore.xcodeproj/project.pbxproj:
2844         * heap/AllocatorInlines.h:
2845         (JSC::Allocator::allocate const):
2846         * heap/CompleteSubspace.cpp:
2847         (JSC::CompleteSubspace::allocateNonVirtual): Deleted.
2848         * heap/CompleteSubspace.h:
2849         * heap/CompleteSubspaceInlines.h: Added.
2850         (JSC::CompleteSubspace::allocateNonVirtual):
2851         * heap/FreeListInlines.h:
2852         (JSC::FreeList::allocate):
2853         * heap/IsoSubspace.cpp:
2854         (JSC::IsoSubspace::allocateNonVirtual): Deleted.
2855         * heap/IsoSubspace.h:
2856         (JSC::IsoSubspace::allocatorForNonVirtual):
2857         * heap/IsoSubspaceInlines.h: Added.
2858         (JSC::IsoSubspace::allocateNonVirtual):
2859         * runtime/JSCellInlines.h:
2860         * runtime/VM.h:
2861
2862 2018-05-23  Rick Waldron  <waldron.rick@gmail.com>
2863
2864         Conversion misspelled "Convertion" in error message string
2865         https://bugs.webkit.org/show_bug.cgi?id=185436
2866
2867         Reviewed by Saam Barati and Michael Saboff.
2868
2869         * runtime/JSBigInt.cpp:
2870         (JSC::JSBigInt::toNumber const):
2871
2872 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2873
2874         [JSC] Clean up stringGetByValStubGenerator
2875         https://bugs.webkit.org/show_bug.cgi?id=185864
2876
2877         Reviewed by Saam Barati.
2878
2879         We clean up stringGetByValStubGenerator.
2880
2881         1. Unify 32bit and 64bit implementations.
2882         2. Rename stringGetByValStubGenerator to stringGetByValGenerator, move it to ThunkGenerators.cpp.
2883         3. Remove string type check since this code is invoked only when we know regT0 is JSString*.
2884         4. Do not tag Cell in stringGetByValGenerator side. 32bit code stores Cell with tag in JITPropertyAccess32_64 side.
2885         5. Fix invalid use of loadPtr for StringImpl::flags. Should use load32.
2886
2887         * jit/JIT.h:
2888         * jit/JITPropertyAccess.cpp:
2889         (JSC::JIT::emitSlow_op_get_by_val):
2890         (JSC::JIT::stringGetByValStubGenerator): Deleted.
2891         * jit/JITPropertyAccess32_64.cpp:
2892         (JSC::JIT::emit_op_get_by_val):
2893         (JSC::JIT::emitSlow_op_get_by_val):
2894         (JSC::JIT::stringGetByValStubGenerator): Deleted.
2895         * jit/ThunkGenerators.cpp:
2896         (JSC::stringGetByValGenerator):
2897         * jit/ThunkGenerators.h:
2898
2899 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2900
2901         [JSC] Use branchIfString/branchIfNotString instead of structure checks
2902         https://bugs.webkit.org/show_bug.cgi?id=185810
2903
2904         Reviewed by Saam Barati.
2905
2906         Let's use the branchIfString/branchIfNotString helper functions instead of
2907         checking the structure against jsString's structure. It's easier to read, and
2908         it emits less code since we do not need to embed the string structure's
2909         raw pointer in 32bit environments.
2910
2911         * jit/JIT.h:
2912         * jit/JITInlines.h:
2913         (JSC::JIT::emitLoadCharacterString):
2914         (JSC::JIT::checkStructure): Deleted.
2915         * jit/JITOpcodes32_64.cpp:
2916         (JSC::JIT::emitSlow_op_eq):
2917         (JSC::JIT::compileOpEqJumpSlow):
2918         (JSC::JIT::emitSlow_op_neq):
2919         * jit/JITPropertyAccess.cpp:
2920         (JSC::JIT::stringGetByValStubGenerator):
2921         (JSC::JIT::emitSlow_op_get_by_val):
2922         (JSC::JIT::emitByValIdentifierCheck):
2923         * jit/JITPropertyAccess32_64.cpp:
2924         (JSC::JIT::stringGetByValStubGenerator):
2925         (JSC::JIT::emitSlow_op_get_by_val):
2926         * jit/JSInterfaceJIT.h:
2927         (JSC::ThunkHelpers::jsStringLengthOffset): Deleted.
2928         (JSC::ThunkHelpers::jsStringValueOffset): Deleted.
2929         * jit/SpecializedThunkJIT.h:
2930         (JSC::SpecializedThunkJIT::loadJSStringArgument):
2931         * jit/ThunkGenerators.cpp:
2932         (JSC::stringCharLoad):
2933         (JSC::charCodeAtThunkGenerator):
2934         (JSC::charAtThunkGenerator):
2935         * runtime/JSString.h:
2936
2937 2018-05-22  Mark Lam  <mark.lam@apple.com>
2938
2939         BytecodeGeneratorification shouldn't add a ValueProfile if the JIT is disabled.
2940         https://bugs.webkit.org/show_bug.cgi?id=185896
2941         <rdar://problem/40471403>
2942
2943         Reviewed by Saam Barati.
2944
2945         * bytecode/BytecodeGeneratorification.cpp:
2946         (JSC::BytecodeGeneratorification::run):
2947
2948 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2949
2950         [JSC] Fix CachedCall's argument count if RegExp has named captures
2951         https://bugs.webkit.org/show_bug.cgi?id=185587
2952
2953         Reviewed by Mark Lam.
2954
2955         If the given RegExp has named captures, the argument count of CachedCall in String#replace
2956         should be increased by one. This causes a crash with an assertion in test262. This patch corrects
2957         the argument count.
2958
2959         This patch also unifies source.is8Bit()/!source.is8Bit() code since they are now completely
2960         the same.
2961
2962         * runtime/StringPrototype.cpp:
2963         (JSC::replaceUsingRegExpSearch):
2964
2965 2018-05-22  Mark Lam  <mark.lam@apple.com>
2966
2967         StringImpl utf8 conversion should not fail silently.
2968         https://bugs.webkit.org/show_bug.cgi?id=185888
2969         <rdar://problem/40464506>
2970
2971         Reviewed by Filip Pizlo.
2972
2973         * dfg/DFGLazyJSValue.cpp:
2974         (JSC::DFG::LazyJSValue::dumpInContext const):
2975         * runtime/DateConstructor.cpp:
2976         (JSC::constructDate):
2977         (JSC::dateParse):
2978         * runtime/JSDateMath.cpp:
2979         (JSC::parseDate):
2980         * runtime/JSDateMath.h:
2981
2982 2018-05-22  Keith Miller  <keith_miller@apple.com>
2983
2984         Remove the UnconditionalFinalizer class
2985         https://bugs.webkit.org/show_bug.cgi?id=185881
2986
2987         Reviewed by Filip Pizlo.
2988
2989         The only remaining user of this API is
2990         JSWebAssemblyCodeBlock. This patch changes JSWebAssemblyCodeBlock
2991         to use the newer template-based API and removes the old class.
2992
3010         * CMakeLists.txt:
3011         * JavaScriptCore.xcodeproj/project.pbxproj:
3012         * bytecode/CodeBlock.h:
3013         * heap/Heap.cpp:
3014         (JSC::Heap::finalizeUnconditionalFinalizers):
3015         * heap/Heap.h:
3016         * heap/SlotVisitor.cpp:
3017         (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
3018         * heap/SlotVisitor.h:
3019         * heap/UnconditionalFinalizer.h: Removed.
3020         * wasm/js/JSWebAssemblyCodeBlock.cpp:
3021         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
3022         (JSC::JSWebAssemblyCodeBlock::visitChildren):
3023         (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
3024         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
3025         * wasm/js/JSWebAssemblyCodeBlock.h:
3026         * wasm/js/JSWebAssemblyModule.h:
3027
3028 2018-05-22  Keith Miller  <keith_miller@apple.com>
3029
3030         Unreviewed, fix internal build.
3031
3032         * runtime/JSImmutableButterfly.cpp:
3033
3034 2018-05-22  Saam Barati  <sbarati@apple.com>
3035
3036         DFG::LICMPhase should attempt to hoist edge type checks if hoisting the whole node fails
3037         https://bugs.webkit.org/show_bug.cgi?id=144525
3038
3039         Reviewed by Filip Pizlo.
3040
3041         This patch teaches LICM to fall back to hoisting a node's type checks when
3042         hoisting the entire node fails.
3043         
3044         This patch follows the same principles we use when deciding to hoist nodes in general:
3045         - If the pre header is control equivalent to where the current check is, we
3046         go ahead and hoist the check.
3047         - Otherwise, if hoisting hasn't failed before, we go ahead and gamble and
3048         hoist the check. If hoisting failed in the past, we will not hoist the check.
3049
3050         * dfg/DFGLICMPhase.cpp:
3051         (JSC::DFG::LICMPhase::attemptHoist):
3052         * dfg/DFGUseKind.h:
3053         (JSC::DFG::checkMayCrashIfInputIsEmpty):
3054
3055 2018-05-21  Filip Pizlo  <fpizlo@apple.com>
3056
3057         Get rid of TLCs
3058         https://bugs.webkit.org/show_bug.cgi?id=185846
3059
3060         Rubber stamped by Geoffrey Garen.
3061         
3062         This removes support for thread-local caches from the GC in order to speed up allocation a
3063         bit.
3064         
3065         We added TLCs as part of Spectre mitigations, which we have since removed.
3066         
3067         We will want some kind of TLCs eventually, since they allow us to:
3068         
3069         - have a global GC, which may be a perf optimization at some point.
3070         - allocate objects from JIT threads, which we've been wanting to do for a while.
3071         
3072         This change keeps the most interesting aspect of TLCs, which is the
3073         LocalAllocator/BlockDirectory separation. This means that it ought to be easy to implement
3074         TLCs again in the future if we wanted this feature.
3075         
3076         This change removes the part of TLCs that causes a perf regression, namely that Allocator is
3077         an offset that requires a bounds check and lookup that makes the rest of the allocation fast
3078         path dependent on the load of the TLC. Now, Allocator is really just a LocalAllocator*, so
3079         you can directly use it to allocate. This removes two loads and a check from the allocation
3080         fast path. In hindsight, I probably could have made that whole thing more efficient, had I
3081         allowed us to have a statically known set of LocalAllocators. This would have removed the
3082         bounds check (one load and one branch) and it would have made it possible to CSE the load of
3083         the TLC data structure, since that would no longer resize. But that's a harder change than
3084         this patch, and we don't need it right now.
3085         
3086         While reviewing the allocation hot paths, I found that CreateThis had an unnecessary branch
3087         to check if the allocator is null. I removed that check. AssemblyHelpers::emitAllocate() does
3088         that check already. Previously, the TLC bounds check doubled as this check.
3089         
3090         This is a 1% speed-up on Octane and a 2.3% speed-up on TailBench. However, the Octane
3091         speed-up on my machine includes an 8% regexp speed-up. I've found that sometimes regexp
3092         speeds up or slows down by 8% depending on which path I build JSC from. Without that 8%, this
3093         is still an Octane speed-up due to 2-4% speed-ups in earley, boyer, raytrace, and splay.
3094
3095         * JavaScriptCore.xcodeproj/project.pbxproj:
3096         * Sources.txt:
3097         * bytecode/ObjectAllocationProfileInlines.h:
3098         (JSC::ObjectAllocationProfile::initializeProfile):
3099         * dfg/DFGSpeculativeJIT.cpp:
3100         (JSC::DFG::SpeculativeJIT::compileCreateThis):
3101         * ftl/FTLLowerDFGToB3.cpp:
3102         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3103         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3104         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3105         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3106         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3107         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
3108         * heap/Allocator.cpp:
3109         (JSC::Allocator::cellSize const):
3110         * heap/Allocator.h:
3111         (JSC::Allocator::Allocator):
3112         (JSC::Allocator::localAllocator const):
3113         (JSC::Allocator::operator== const):
3114         (JSC::Allocator::offset const): Deleted.
3115         * heap/AllocatorInlines.h:
3116         (JSC::Allocator::allocate const):
3117         (JSC::Allocator::tryAllocate const): Deleted.
3118         * heap/BlockDirectory.cpp:
3119         (JSC::BlockDirectory::BlockDirectory):
3120         (JSC::BlockDirectory::~BlockDirectory):
3121         * heap/BlockDirectory.h:
3122         (JSC::BlockDirectory::allocator const): Deleted.
3123         * heap/CompleteSubspace.cpp:
3124         (JSC::CompleteSubspace::allocateNonVirtual):
3125         (JSC::CompleteSubspace::allocatorForSlow):
3126         (JSC::CompleteSubspace::tryAllocateSlow):
3127         * heap/CompleteSubspace.h:
3128         * heap/Heap.cpp:
3129         (JSC::Heap::Heap):
3130         * heap/Heap.h:
3131         (JSC::Heap::threadLocalCacheLayout): Deleted.
3132         * heap/IsoSubspace.cpp:
3133         (JSC::IsoSubspace::IsoSubspace):
3134         (JSC::IsoSubspace::allocateNonVirtual):
3135         * heap/IsoSubspace.h:
3136         (JSC::IsoSubspace::allocatorForNonVirtual):
3137         * heap/LocalAllocator.cpp:
3138         (JSC::LocalAllocator::LocalAllocator):
3139         (JSC::LocalAllocator::~LocalAllocator):
3140         * heap/LocalAllocator.h:
3141         (JSC::LocalAllocator::cellSize const):
3142         (JSC::LocalAllocator::tlc const): Deleted.
3143         * heap/ThreadLocalCache.cpp: Removed.
3144         * heap/ThreadLocalCache.h: Removed.
3145         * heap/ThreadLocalCacheInlines.h: Removed.
3146         * heap/ThreadLocalCacheLayout.cpp: Removed.
3147         * heap/ThreadLocalCacheLayout.h: Removed.
3148         * jit/AssemblyHelpers.cpp:
3149         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3150         (JSC::AssemblyHelpers::emitAllocate):
3151         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3152         * jit/JITOpcodes.cpp:
3153         (JSC::JIT::emit_op_create_this):
3154         * runtime/JSLock.cpp:
3155         (JSC::JSLock::didAcquireLock):
3156         * runtime/VM.cpp:
3157         (JSC::VM::VM):
3158         (JSC::VM::~VM):
3159         * runtime/VM.h:
3160         * runtime/VMEntryScope.cpp:
3161         (JSC::VMEntryScope::~VMEntryScope):
3162         * runtime/VMEntryScope.h:
3163
3164 2018-05-22  Keith Miller  <keith_miller@apple.com>
3165
3166         We should have a CoW storage for NewArrayBuffer arrays.
3167         https://bugs.webkit.org/show_bug.cgi?id=185003
3168
3169         Reviewed by Filip Pizlo.
3170
3171         This patch adds copy on write storage for new array buffers. In
3172         order to do this there needed to be significant changes to the
3173         layout of IndexingType. The new indexing type has the following
3174         shape:
3175
3176         struct IndexingTypeAndMisc {
3177             struct IndexingModeIncludingHistory {
3178                 struct IndexingMode {
3179                     struct IndexingType {
3180                         uint8_t isArray:1;          // bit 0
3181                         uint8_t shape:3;            // bit 1 - 3
3182                     };
3183                     uint8_t copyOnWrite:1;          // bit 4
3184                 };
3185                 uint8_t mayHaveIndexedAccessors:1;  // bit 5
3186             };
3187             uint8_t cellLockBits:2;                 // bit 6 - 7
3188         };
3189
3190         For simplicity ArrayStorage shapes cannot be CoW. So the only
3191         valid CoW indexing shapes are ArrayWithInt32, ArrayWithDouble, and
3192         ArrayWithContiguous.
3193
3194         The backing store for a CoW array is a new class
3195         JSImmutableButterfly, which looks exactly the same as a normal
3196         butterfly except that it has a JSCell header. Like other
3197         butterflies, JSImmutableButterflies are allocated out of the
3198         Auxiliary Gigacage and are pointed to by JSCells in the same
3199         way. However, when marking JSImmutableButterflies they are marked
3200         as if they were a property.
3201
3202         With CoW arrays, the new_array_buffer bytecode will reallocate the
3203         shared JSImmutableButterfly if it sees from the allocation profile
3204         that the last array it allocated has transitioned to a different
3205         indexing type. From then on, all arrays created by that
3206         new_array_buffer bytecode will have the promoted indexing
3207         type. This is more or less the same as what we used to do. The
3208         only difference is that we don't promote all the way to array
3209         storage even if we have seen it before.
3210
3211         Transitioning from a CoW indexing mode occurs whenever someone
3212         tries to store to an element, grow the array, or add properties.
3213         Storing or growing the array will call into code that does the
3214         stupid thing of copying the butterfly, then continues into the old
3215         code. This doesn't end up costing us as future allocations will
3216         use any upgraded indexing shape.  We get adding properties for
3217         free by just changing the indexing mode on transition (our C++
3218         code always updates the indexing mode).
3219
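The bit layout and the CoW transition described in this entry, as an added example that is not part of the ChangeLog entry or of JSC's code: it models the IndexingTypeAndMisc byte with the field positions given above, checks the rule that only ArrayWithInt32, ArrayWithDouble and ArrayWithContiguous may be CoW, and shows the copy-then-continue step on the first store. The numeric shape encodings and the Array and ImmutableButterfly types are assumptions made for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Constructed model of the IndexingTypeAndMisc byte described above. Bit
// positions follow the entry; the numeric shape encodings are assumed for
// this example (the entry gives only the field widths), and the Array and
// ImmutableButterfly types below are stand-ins, not JSC's classes.

constexpr uint8_t IsArray                 = 1u << 0;  // bit 0
constexpr uint8_t ShapeMask               = 7u << 1;  // bits 1-3
constexpr uint8_t CopyOnWrite             = 1u << 4;  // bit 4
constexpr uint8_t MayHaveIndexedAccessors = 1u << 5;  // bit 5
constexpr uint8_t CellLockBits            = 3u << 6;  // bits 6-7

constexpr uint8_t IndexingTypeMask = IsArray | ShapeMask;            // IndexingType
constexpr uint8_t IndexingModeMask = IndexingTypeMask | CopyOnWrite;  // IndexingMode

// Assumed shape encodings, stored in bits 1-3.
enum Shape : uint8_t {
    NoIndexingShape          = 0u << 1,
    UndecidedShape           = 1u << 1,
    Int32Shape               = 2u << 1,
    DoubleShape              = 3u << 1,
    ContiguousShape          = 4u << 1,
    ArrayStorageShape        = 5u << 1,
    SlowPutArrayStorageShape = 6u << 1,
};

constexpr uint8_t indexingType(uint8_t bits) { return bits & IndexingTypeMask; }
constexpr uint8_t indexingMode(uint8_t bits) { return bits & IndexingModeMask; }
constexpr uint8_t shapeOf(uint8_t bits)      { return bits & ShapeMask; }
constexpr bool isArray(uint8_t bits)         { return (bits & IsArray) != 0; }
constexpr bool isCopyOnWrite(uint8_t bits)   { return (bits & CopyOnWrite) != 0; }

// ArrayStorage shapes are never CoW: only ArrayWithInt32, ArrayWithDouble and
// ArrayWithContiguous may carry the CopyOnWrite bit.
constexpr bool isValidIndexingMode(uint8_t bits) {
    if (!isCopyOnWrite(bits))
        return true;
    if (!isArray(bits))
        return false;
    uint8_t shape = shapeOf(bits);
    return shape == Int32Shape || shape == DoubleShape || shape == ContiguousShape;
}

// Leaving CoW clears bit 4 only; the indexing type and the bits outside
// IndexingMode (accessor flag, cell lock bits) are preserved.
constexpr uint8_t convertFromCopyOnWrite(uint8_t bits) { return bits & ~CopyOnWrite; }

// Stand-in for JSImmutableButterfly: storage shared by every array a given
// new_array_buffer site created that has not been written to yet.
struct ImmutableButterfly {
    std::vector<int32_t> data;
};

// Stand-in for an ArrayWithInt32 JSArray. While CoW it reads through the shared
// storage; the first store or grow copies the storage and drops the bit.
struct Array {
    uint8_t indexingMode;
    std::shared_ptr<const ImmutableButterfly> shared;  // set while CoW
    std::vector<int32_t> writable;                     // used after conversion

    static Array fromLiteral(std::shared_ptr<const ImmutableButterfly> butterfly) {
        return Array{ static_cast<uint8_t>(IsArray | Int32Shape | CopyOnWrite), std::move(butterfly), {} };
    }
    size_t length() const { return isCopyOnWrite(indexingMode) ? shared->data.size() : writable.size(); }
    int32_t get(size_t i) const { return isCopyOnWrite(indexingMode) ? shared->data.at(i) : writable.at(i); }

    // The "copy the butterfly, then continue into the old code" step.
    void ensureWritable() {
        if (!isCopyOnWrite(indexingMode))
            return;
        writable = shared->data;
        shared.reset();
        indexingMode = convertFromCopyOnWrite(indexingMode);
    }
    void put(size_t i, int32_t v) { ensureWritable(); writable.at(i) = v; }
    void push(int32_t v)          { ensureWritable(); writable.push_back(v); }
};

int main() {
    // Constructed literal: two arrays created from the same new_array_buffer site.
    auto literal = std::make_shared<const ImmutableButterfly>(ImmutableButterfly{ { 1, 2, 3 } });
    Array a = Array::fromLiteral(literal);
    Array b = Array::fromLiteral(literal);
    a.put(0, 42);  // a converts to writable; b and the literal are untouched
    std::printf("a[0]=%d b[0]=%d a.cow=%d b.cow=%d\n",
                a.get(0), b.get(0), isCopyOnWrite(a.indexingMode), isCopyOnWrite(b.indexingMode));
    return 0;
}
```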
3220         * JavaScriptCore.xcodeproj/project.pbxproj:
3221         * Sources.txt:
3222         * bytecode/ArrayAllocationProfile.cpp:
3223         (JSC::ArrayAllocationProfile::updateProfile):
3224         * bytecode/ArrayAllocationProfile.h:
3225         (JSC::ArrayAllocationProfile::initializeIndexingMode):
3226         * bytecode/ArrayProfile.cpp:
3227         (JSC::dumpArrayModes):
3228         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
3229         * bytecode/ArrayProfile.h:
3230         (JSC::asArrayModes):
3231         (JSC::arrayModeFromStructure):
3232         (JSC::arrayModesInclude):
3233         (JSC::hasSeenCopyOnWriteArray):
3234         * bytecode/BytecodeList.json:
3235         * bytecode/CodeBlock.cpp:
3236         (JSC::CodeBlock::finishCreation):
3237         * bytecode/InlineAccess.cpp:
3238         (JSC::InlineAccess::generateArrayLength):
3239         * bytecode/UnlinkedCodeBlock.h:
3240         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
3241         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
3242         * bytecompiler/BytecodeGenerator.cpp:
3243         (JSC::BytecodeGenerator::newArrayAllocationProfile):
3244         (JSC::BytecodeGenerator::emitNewArrayBuffer):
3245         (JSC::BytecodeGenerator::emitNewArray):
3246         (JSC::BytecodeGenerator::emitNewArrayWithSize):
3247         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
3248         * bytecompiler/BytecodeGenerator.h:
3249         * bytecompiler/NodesCodegen.cpp:
3250         (JSC::ArrayNode::emitBytecode):
3251         (JSC::ArrayPatternNode::bindValue const):
3252         (JSC::ArrayPatternNode::emitDirectBinding):
3253         * dfg/DFGAbstractInterpreterInlines.h:
3254         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3255         * dfg/DFGArgumentsEliminationPhase.cpp:
3256         * dfg/DFGArgumentsUtilities.cpp:
3257         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3258         * dfg/DFGArrayMode.cpp:
3259         (JSC::DFG::ArrayMode::fromObserved):
3260         (JSC::DFG::ArrayMode::refine const):
3261         (JSC::DFG::ArrayMode::alreadyChecked const):
3262         * dfg/DFGArrayMode.h:
3263         (JSC::DFG::ArrayMode::ArrayMode):
3264         (JSC::DFG::ArrayMode::action const):
3265         (JSC::DFG::ArrayMode::withSpeculation const):
3266         (JSC::DFG::ArrayMode::withArrayClass const):
3267         (JSC::DFG::ArrayMode::withType const):
3268         (JSC::DFG::ArrayMode::withConversion const):
3269         (JSC::DFG::ArrayMode::withTypeAndConversion const):
3270         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
3271         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
3272         * dfg/DFGByteCodeParser.cpp:
3273         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3274         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
3275         (JSC::DFG::ByteCodeParser::parseBlock):
3276         * dfg/DFGClobberize.h:
3277         (JSC::DFG::clobberize):
3278         * dfg/DFGConstantFoldingPhase.cpp:
3279         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3280         * dfg/DFGFixupPhase.cpp:
3281         (JSC::DFG::FixupPhase::fixupNode):
3282         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
3283         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
3284         * dfg/DFGGraph.cpp:
3285         (JSC::DFG::Graph::dump):
3286         * dfg/DFGNode.h:
3287         (JSC::DFG::Node::indexingType):
3288         (JSC::DFG::Node::indexingMode):
3289         * dfg/DFGOSRExit.cpp:
3290         (JSC::DFG::OSRExit::compileExit):
3291         * dfg/DFGOperations.cpp:
3292         * dfg/DFGOperations.h:
3293         * dfg/DFGSpeculativeJIT.cpp:
3294         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3295         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
3296         (JSC::DFG::SpeculativeJIT::arrayify):
3297         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3298         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3299         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3300         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3301         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3302         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3303         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
3304         * dfg/DFGSpeculativeJIT32_64.cpp:
3305         (JSC::DFG::SpeculativeJIT::compile):
3306         * dfg/DFGSpeculativeJIT64.cpp:
3307         (JSC::DFG::SpeculativeJIT::compile):
3308         * dfg/DFGValidate.cpp:
3309         * ftl/FTLAbstractHeapRepository.h:
3310         * ftl/FTLLowerDFGToB3.cpp:
3311         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
3312         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
3313         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
3314         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
3315         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3316         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
3317         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
3318         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
3319         * ftl/FTLOperations.cpp:
3320         (JSC::FTL::operationMaterializeObjectInOSR):
3321         * generate-bytecode-files:
3322         * interpreter/Interpreter.cpp:
3323         (JSC::sizeOfVarargs):
3324         (JSC::loadVarargs):
3325         * jit/AssemblyHelpers.cpp:
3326         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
3327         * jit/AssemblyHelpers.h:
3328         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
3329         * jit/JITOperations.cpp:
3330         * jit/JITPropertyAccess.cpp:
3331         (JSC::JIT::emit_op_put_by_val):
3332         (JSC::JIT::emitSlow_op_put_by_val):
3333         * jit/Repatch.cpp:
3334         (JSC::tryCachePutByID):
3335         * llint/LowLevelInterpreter.asm:
3336         * llint/LowLevelInterpreter32_64.asm:
3337         * llint/LowLevelInterpreter64.asm:
3338         * runtime/Butterfly.h:
3339         (JSC::ContiguousData::Data::Data):
3340         (JSC::ContiguousData::Data::operator bool const):
3341         (JSC::ContiguousData::Data::operator=):
3342         (JSC::ContiguousData::Data::operator const T& const):
3343         (JSC::ContiguousData::Data::set):
3344         (JSC::ContiguousData::Data::setWithoutWriteBarrier):
3345         (JSC::ContiguousData::Data::clear):
3346         (JSC::ContiguousData::Data::get const):
3347         (JSC::ContiguousData::atUnsafe):
3348         (JSC::ContiguousData::at const): Deleted.
3349         (JSC::ContiguousData::at): Deleted.
3350         * runtime/ButterflyInlines.h:
3351         (JSC::ContiguousData<T>::at const):
3352         (JSC::ContiguousData<T>::at):
3353         * runtime/ClonedArguments.cpp:
3354         (JSC::ClonedArguments::createEmpty):
3355         * runtime/CommonSlowPaths.cpp:
3356         (JSC::SLOW_PATH_DECL):
3357         * runtime/CommonSlowPaths.h:
3358         (JSC::CommonSlowPaths::allocateNewArrayBuffer):
3359         * runtime/IndexingType.cpp:
3360         (JSC::leastUpperBoundOfIndexingTypeAndType):
3361         (JSC::leastUpperBoundOfIndexingTypeAndValue):
3362         (JSC::dumpIndexingType):
3363         * runtime/IndexingType.h:
3364         (JSC::hasIndexedProperties):
3365         (JSC::hasUndecided):
3366         (JSC::hasInt32):
3367         (JSC::hasDouble):
3368         (JSC::hasContiguous):
3369         (JSC::hasArrayStorage):
3370         (JSC::hasAnyArrayStorage):
3371         (JSC::hasSlowPutArrayStorage):
3372         (JSC::shouldUseSlowPut):
3373         (JSC::isCopyOnWrite):
3374         (JSC::arrayIndexFromIndexingType):
3375         * runtime/JSArray.cpp:
3376         (JSC::JSArray::tryCreateUninitializedRestricted):
3377         (JSC::JSArray::put):
3378         (JSC::JSArray::appendMemcpy):
3379         (JSC::JSArray::setLength):
3380         (JSC::JSArray::pop):
3381         (JSC::JSArray::fastSlice):
3382         (JSC::JSArray::shiftCountWithAnyIndexingType):
3383         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3384         (JSC::JSArray::fillArgList):
3385         (JSC::JSArray::copyToArguments):
3386         * runtime/JSArrayInlines.h:
3387         (JSC::JSArray::pushInline):
3388         * runtime/JSCell.h:
3389         * runtime/JSCellInlines.h:
3390         (JSC::JSCell::JSCell):
3391         (JSC::JSCell::finishCreation):
3392         (JSC::JSCell::indexingType const):
3393         (JSC::JSCell::indexingMode const):
3394         (JSC::JSCell::setStructure):
3395         * runtime/JSFixedArray.h:
3396         * runtime/JSGlobalObject.cpp:
3397         (JSC::JSGlobalObject::init):
3398         (JSC::JSGlobalObject::haveABadTime):
3399         (JSC::JSGlobalObject::visitChildren):
3400         * runtime/JSGlobalObject.h:
3401         (JSC::JSGlobalObject::originalArrayStructureForIndexingType const):
3402         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
3403         (JSC::JSGlobalObject::isOriginalArrayStructure):
3404         * runtime/JSImmutableButterfly.cpp: Added.
3405         (JSC::JSImmutableButterfly::visitChildren):
3406         (JSC::JSImmutableButterfly::copyToArguments):
3407         * runtime/JSImmutableButterfly.h: Added.
3408         (JSC::JSImmutableButterfly::createStructure):
3409         (JSC::JSImmutableButterfly::tryCreate):
3410         (JSC::JSImmutableButterfly::create):
3411         (JSC::JSImmutableButterfly::publicLength const):
3412         (JSC::JSImmutableButterfly::vectorLength const):
3413         (JSC::JSImmutableButterfly::length const):
3414         (JSC::JSImmutableButterfly::toButterfly const):
3415         (JSC::JSImmutableButterfly::fromButterfly):
3416         (JSC::JSImmutableButterfly::get const):
3417         (JSC::JSImmutableButterfly::subspaceFor):
3418         (JSC::JSImmutableButterfly::setIndex):
3419         (JSC::JSImmutableButterfly::allocationSize):
3420         (JSC::JSImmutableButterfly::JSImmutableButterfly):
3421         * runtime/JSObject.cpp:
3422         (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties):
3423         (JSC::JSObject::visitButterflyImpl):
3424         (JSC::JSObject::getOwnPropertySlotByIndex):
3425         (JSC::JSObject::putByIndex):
3426         (JSC::JSObject::createInitialInt32):
3427         (JSC::JSObject::createInitialDouble):
3428         (JSC::JSObject::createInitialContiguous):
3429         (JSC::JSObject::convertUndecidedToInt32):
3430         (JSC::JSObject::convertUndecidedToDouble):
3431         (JSC::JSObject::convertUndecidedToContiguous):
3432         (JSC::JSObject::convertInt32ToDouble):
3433         (JSC::JSObject::convertInt32ToArrayStorage):
3434         (JSC::JSObject::convertDoubleToContiguous):
3435         (JSC::JSObject::convertDoubleToArrayStorage):
3436         (JSC::JSObject::convertContiguousToArrayStorage):
3437         (JSC::JSObject::createInitialForValueAndSet):
3438         (JSC::JSObject::convertInt32ForValue):
3439         (JSC::JSObject::convertFromCopyOnWrite):
3440         (JSC::JSObject::ensureWritableInt32Slow):
3441         (JSC::JSObject::ensureWritableDoubleSlow):
3442         (JSC::JSObject::ensureWritableContiguousSlow):
3443         (JSC::JSObject::ensureArrayStorageSlow):
3444         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
3445         (JSC::JSObject::switchToSlowPutArrayStorage):
3446         (JSC::JSObject::deletePropertyByIndex):
3447         (JSC::JSObject::getOwnPropertyNames):
3448         (JSC::canDoFastPutDirectIndex):
3449         (JSC::JSObject::defineOwnIndexedProperty):
3450         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3451         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3452         (JSC::JSObject::putByIndexBeyondVectorLength):
3453         (JSC::JSObject::countElements):
3454         (JSC::JSObject::ensureLengthSlow):
3455         (JSC::JSObject::getEnumerableLength):
3456         (JSC::JSObject::ensureInt32Slow): Deleted.
3457         (JSC::JSObject::ensureDoubleSlow): Deleted.
3458         (JSC::JSObject::ensureContiguousSlow): Deleted.
3459         * runtime/JSObject.h:
3460         (JSC::JSObject::putDirectIndex):
3461         (JSC::JSObject::canGetIndexQuickly):
3462         (JSC::JSObject::getIndexQuickly):
3463         (JSC::JSObject::tryGetIndexQuickly const):
3464         (JSC::JSObject::canSetIndexQuickly):
3465         (JSC::JSObject::setIndexQuickly):
3466         (JSC::JSObject::initializeIndex):
3467         (JSC::JSObject::initializeIndexWithoutBarrier):
3468         (JSC::JSObject::ensureWritableInt32):
3469         (JSC::JSObject::ensureWritableDouble):
3470         (JSC::JSObject::ensureWritableContiguous):
3471         (JSC::JSObject::ensureLength):
3472         (JSC::JSObject::ensureInt32): Deleted.
3473         (JSC::JSObject::ensureDouble): Deleted.
3474         (JSC::JSObject::ensureContiguous): Deleted.
3475         * runtime/JSObjectInlines.h:
3476         (JSC::JSObject::putDirectInternal):
3477         * runtime/JSType.h:
3478         * runtime/RegExpMatchesArray.h:
3479         (JSC::tryCreateUninitializedRegExpMatchesArray):
3480         * runtime/Structure.cpp:
3481         (JSC::Structure::Structure):
3482         (JSC::Structure::addNewPropertyTransition):
3483         (JSC::Structure::nonPropertyTransition):
3484         * runtime/Structure.h:
3485         * runtime/StructureIDBlob.h:
3486         (JSC::StructureIDBlob::StructureIDBlob):
3487         (JSC::StructureIDBlob::indexingModeIncludingHistory const):
3488         (JSC::StructureIDBlob::setIndexingModeIncludingHistory):
3489         (JSC::StructureIDBlob::indexingModeIncludingHistoryOffset):
3490         (JSC::StructureIDBlob::indexingTypeIncludingHistory const): Deleted.
3491         (JSC::StructureIDBlob::setIndexingTypeIncludingHistory): Deleted.
3492         (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset): Deleted.
3493         * runtime/StructureTransitionTable.h:
3494         (JSC::newIndexingType):
3495         * runtime/VM.cpp:
3496         (JSC::VM::VM):
3497         * runtime/VM.h:
3498
3499 2018-05-22  Ryan Haddad  <ryanhaddad@apple.com>
3500
3501         Unreviewed, rolling out r232052.
3502
3503         Breaks internal builds.
3504
3505         Reverted changeset:
3506
3507         "Use more C++17"
3508         https://bugs.webkit.org/show_bug.cgi?id=185176
3509         https://trac.webkit.org/changeset/232052
3510
3511 2018-05-22  Alberto Garcia  <berto@igalia.com>
3512
3513         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
3514         https://bugs.webkit.org/show_bug.cgi?id=182622
3515         <rdar://problem/40292317>
3516
3517         Reviewed by Michael Catanzaro.
3518
3519         We were linking JavaScriptCore against libatomic in MIPS because
3520         in that architecture __atomic_fetch_add_8() is not a compiler
3521         intrinsic and is provided by that library instead. However other
3522         architectures (e.g. armel) are in the same situation, so we need a
3523         generic test.
3524
3525         That test already exists in WebKit/CMakeLists.txt, so we just have
3526         to move it to a common file (WebKitCompilerFlags.cmake) and use
3527         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
3528
3529         * CMakeLists.txt:
3530
3531 2018-05-22  Michael Catanzaro  <mcatanzaro@igalia.com>
3532
3533         Unreviewed, rolling out r231843.
3534
3535         Broke cross build
3536
3537         Reverted changeset:
3538
3539         "[CMake] Properly detect compiler flags, needed libs, and
3540         fallbacks for usage of 64-bit atomic operations"
3541         https://bugs.webkit.org/show_bug.cgi?id=182622
3542         https://trac.webkit.org/changeset/231843
3543
3544 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3545
3546         Use more C++17
3547         https://bugs.webkit.org/show_bug.cgi?id=185176
3548
3549         Reviewed by JF Bastien.
3550
3551         * Configurations/Base.xcconfig:
3552
3553 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3554
3555         [JSC] Remove duplicate methods in JSInterfaceJIT
3556         https://bugs.webkit.org/show_bug.cgi?id=185813
3557
3558         Reviewed by Saam Barati.
3559
3560         Some methods of JSInterfaceJIT duplicate AssemblyHelpers' ones.
3561         This patch removes them and uses AssemblyHelpers' ones instead.
3562
3563         This patch also cleans up ThunkGenerators' unnecessary ifdefs a bit.
3564
3565         * jit/AssemblyHelpers.h:
3566         (JSC::AssemblyHelpers::tagFor):
3567         (JSC::AssemblyHelpers::payloadFor):
3568         * jit/JIT.h:
3569         * jit/JITArithmetic.cpp:
3570         (JSC::JIT::emit_op_unsigned):
3571         (JSC::JIT::emit_compareUnsigned):
3572         (JSC::JIT::emit_op_inc):
3573         (JSC::JIT::emit_op_dec):
3574         (JSC::JIT::emit_op_mod):
3575         * jit/JITCall32_64.cpp:
3576         (JSC::JIT::compileOpCall):
3577         * jit/JITInlines.h:
3578         (JSC::JIT::emitPutIntToCallFrameHeader):
3579         (JSC::JIT::updateTopCallFrame):
3580         (JSC::JIT::emitInitRegister):
3581         (JSC::JIT::emitLoad):
3582         (JSC::JIT::emitStore):
3583         (JSC::JIT::emitStoreInt32):
3584         (JSC::JIT::emitStoreCell):
3585         (JSC::JIT::emitStoreBool):
3586         (JSC::JIT::emitGetVirtualRegister):
3587         (JSC::JIT::emitPutVirtualRegister):
3588         (JSC::JIT::emitTagBool): Deleted.
3589         * jit/JITOpcodes.cpp:
3590         (JSC::JIT::emit_op_overrides_has_instance):
3591         (JSC::JIT::emit_op_is_empty):
3592         (JSC::JIT::emit_op_is_undefined):
3593         (JSC::JIT::emit_op_is_boolean):
3594         (JSC::JIT::emit_op_is_number):
3595         (JSC::JIT::emit_op_is_cell_with_type):
3596         (JSC::JIT::emit_op_is_object):
3597         (JSC::JIT::emit_op_eq):
3598         (JSC::JIT::emit_op_neq):
3599         (JSC::JIT::compileOpStrictEq):
3600         (JSC::JIT::emit_op_eq_null):
3601         (JSC::JIT::emit_op_neq_null):
3602         (JSC::JIT::emitSlow_op_eq):
3603         (JSC::JIT::emitSlow_op_neq):
3604         (JSC::JIT::emitSlow_op_instanceof_custom):
3605         (JSC::JIT::emitNewFuncExprCommon):
3606         * jit/JSInterfaceJIT.h:
3607         (JSC::JSInterfaceJIT::emitLoadInt32):
3608         (JSC::JSInterfaceJIT::emitLoadDouble):
3609         (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
3610         (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
3611         (JSC::JSInterfaceJIT::tagFor): Deleted.
3612         (JSC::JSInterfaceJIT::payloadFor): Deleted.
3613         (JSC::JSInterfaceJIT::intPayloadFor): Deleted.
3614         (JSC::JSInterfaceJIT::intTagFor): Deleted.
3615         (JSC::JSInterfaceJIT::emitTagInt): Deleted.
3616         (JSC::JSInterfaceJIT::addressFor): Deleted.
3617         * jit/SpecializedThunkJIT.h:
3618         (JSC::SpecializedThunkJIT::returnDouble):
3619         * jit/ThunkGenerators.cpp:
3620         (JSC::nativeForGenerator):
3621         (JSC::arityFixupGenerator):
3622
3623 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3624
3625         Unreviewed, reland InById cache
3626         https://bugs.webkit.org/show_bug.cgi?id=185682
3627
3628         Includes Dominik's 32bit fix.
3629
3630         * bytecode/AccessCase.cpp:
3631         (JSC::AccessCase::fromStructureStubInfo):
3632         (JSC::AccessCase::generateWithGuard):
3633         (JSC::AccessCase::generateImpl):
3634         * bytecode/BytecodeDumper.cpp:
3635         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
3636         (JSC::BytecodeDumper<Block>::dumpBytecode):
3637         * bytecode/BytecodeDumper.h:
3638         * bytecode/BytecodeList.json:
3639         * bytecode/BytecodeUseDef.h:
3640         (JSC::computeUsesForBytecodeOffset):
3641         (JSC::computeDefsForBytecodeOffset):
3642         * bytecode/CodeBlock.cpp:
3643         (JSC::CodeBlock::finishCreation):
3644         * bytecode/InlineAccess.cpp:
3645         (JSC::InlineAccess::generateSelfInAccess):
3646         * bytecode/InlineAccess.h:
3647         * bytecode/StructureStubInfo.cpp:
3648         (JSC::StructureStubInfo::initInByIdSelf):
3649         (JSC::StructureStubInfo::deref):
3650         (JSC::StructureStubInfo::aboutToDie):
3651         (JSC::StructureStubInfo::reset):
3652         (JSC::StructureStubInfo::visitWeakReferences):
3653         (JSC::StructureStubInfo::propagateTransitions):
3654         * bytecode/StructureStubInfo.h:
3655         (JSC::StructureStubInfo::patchableJump):
3656         * bytecompiler/BytecodeGenerator.cpp:
3657         (JSC::BytecodeGenerator::emitInByVal):
3658         (JSC::BytecodeGenerator::emitInById):
3659         (JSC::BytecodeGenerator::emitIn): Deleted.
3660         * bytecompiler/BytecodeGenerator.h:
3661         * bytecompiler/NodesCodegen.cpp:
3662         (JSC::InNode::emitBytecode):
3663         * dfg/DFGAbstractInterpreterInlines.h:
3664         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3665         * dfg/DFGByteCodeParser.cpp:
3666         (JSC::DFG::ByteCodeParser::parseBlock):
3667         * dfg/DFGCapabilities.cpp:
3668         (JSC::DFG::capabilityLevel):
3669         * dfg/DFGClobberize.h:
3670         (JSC::DFG::clobberize):
3671         * dfg/DFGConstantFoldingPhase.cpp:
3672         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3673         * dfg/DFGDoesGC.cpp:
3674         (JSC::DFG::doesGC):
3675         * dfg/DFGFixupPhase.cpp:
3676         (JSC::DFG::FixupPhase::fixupNode):
3677         * dfg/DFGJITCompiler.cpp:
3678         (JSC::DFG::JITCompiler::link):
3679         * dfg/DFGJITCompiler.h:
3680         (JSC::DFG::JITCompiler::addInById):
3681         (JSC::DFG::InRecord::InRecord): Deleted.
3682         (JSC::DFG::JITCompiler::addIn): Deleted.
3683         * dfg/DFGNode.h:
3684         (JSC::DFG::Node::convertToInById):
3685         (JSC::DFG::Node::hasIdentifier):
3686         (JSC::DFG::Node::hasArrayMode):
3687         * dfg/DFGNodeType.h:
3688         * dfg/DFGPredictionPropagationPhase.cpp:
3689         * dfg/DFGSafeToExecute.h:
3690         (JSC::DFG::safeToExecute):
3691         * dfg/DFGSpeculativeJIT.cpp:
3692         (JSC::DFG::SpeculativeJIT::compileInById):
3693         (JSC::DFG::SpeculativeJIT::compileInByVal):
3694         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
3695         * dfg/DFGSpeculativeJIT.h:
3696         * dfg/DFGSpeculativeJIT32_64.cpp:
3697         (JSC::DFG::SpeculativeJIT::compile):
3698         * dfg/DFGSpeculativeJIT64.cpp:
3699         (JSC::DFG::SpeculativeJIT::compile):
3700         * ftl/FTLCapabilities.cpp:
3701         (JSC::FTL::canCompile):
3702         * ftl/FTLLowerDFGToB3.cpp:
3703         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3704         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
3705         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
3706         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
3707         * jit/AssemblyHelpers.h:
3708         (JSC::AssemblyHelpers::boxBoolean):
3709         * jit/ICStats.h:
3710         * jit/JIT.cpp:
3711         (JSC::JIT::JIT):
3712         (JSC::JIT::privateCompileMainPass):
3713         (JSC::JIT::privateCompileSlowCases):
3714         (JSC::JIT::link):
3715         * jit/JIT.h:
3716         * jit/JITInlineCacheGenerator.cpp:
3717         (JSC::JITInByIdGenerator::JITInByIdGenerator):
3718         (JSC::JITInByIdGenerator::generateFastPath):
3719         * jit/JITInlineCacheGenerator.h:
3720         (JSC::JITInByIdGenerator::JITInByIdGenerator):
3721         * jit/JITOperations.cpp:
3722         * jit/JITOperations.h:
3723         * jit/JITPropertyAccess.cpp:
3724         (JSC::JIT::emit_op_in_by_id):
3725         (JSC::JIT::emitSlow_op_in_by_id):
3726         * jit/JITPropertyAccess32_64.cpp:
3727         (JSC::JIT::emit_op_in_by_id):
3728         (JSC::JIT::emitSlow_op_in_by_id):
3729         * jit/Repatch.cpp:
3730         (JSC::tryCacheInByID):
3731         (JSC::repatchInByID):
3732         (JSC::resetInByID):
3733         (JSC::tryCacheIn): Deleted.
3734         (JSC::repatchIn): Deleted.
3735         (JSC::resetIn): Deleted.
3736         * jit/Repatch.h:
3737         * llint/LowLevelInterpreter.asm:
3738         * llint/LowLevelInterpreter64.asm:
3739         * parser/NodeConstructors.h:
3740         (JSC::InNode::InNode):
3741         * runtime/CommonSlowPaths.cpp:
3742         (JSC::SLOW_PATH_DECL):
3743         * runtime/CommonSlowPaths.h:
3744         (JSC::CommonSlowPaths::opInByVal):
3745         (JSC::CommonSlowPaths::opIn): Deleted.
3746
3747 2018-05-21  Commit Queue  <commit-queue@webkit.org>
3748
3749         Unreviewed, rolling out r231998 and r232017.
3750         https://bugs.webkit.org/show_bug.cgi?id=185842
3751
3752         causes crashes on 32 JSC bot (Requested by realdawei on
3753         #webkit).
3754
3755         Reverted changesets:
3756
3757         "[JSC] JSC should have consistent InById IC"
3758         https://bugs.webkit.org/show_bug.cgi?id=185682
3759         https://trac.webkit.org/changeset/231998
3760
3761         "Unreviewed, fix 32bit and scope release"
3762         https://bugs.webkit.org/show_bug.cgi?id=185682
3763         https://trac.webkit.org/changeset/232017
3764
3765 2018-05-21  Jer Noble  <jer.noble@apple.com>
3766
3767         Complete fix for enabling modern EME by default
3768         https://bugs.webkit.org/show_bug.cgi?id=185770
3769         <rdar://problem/40368220>
3770
3771         Reviewed by Eric Carlson.
3772
3773         * Configurations/FeatureDefines.xcconfig:
3774
3775 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3776
3777         Unreviewed, fix 32bit and scope release
3778         https://bugs.webkit.org/show_bug.cgi?id=185682
3779
3780         * jit/JITOperations.cpp:
3781         * jit/JITPropertyAccess32_64.cpp:
3782         (JSC::JIT::emitSlow_op_in_by_id):
3783
3784 2018-05-20  Filip Pizlo  <fpizlo@apple.com>
3785
3786         Revert the B3 compiler pipeline's treatment of taildup
3787         https://bugs.webkit.org/show_bug.cgi?id=185808
3788
3789         Reviewed by Yusuke Suzuki.
3790         
3791         While trying to implement path specialization (bug 185060), I reorganized the B3 pass pipeline.
3792         But then path specialization turned out to be a negative result. This reverts the pipeline to the
3793         way it was before that work.
3794         
3795         1.5% progression on V8Spider-CompileTime.
3796
3797         * b3/B3Generate.cpp:
3798         (JSC::B3::generateToAir):
3799
3800 2018-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3801
3802         [DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase
3803         https://bugs.webkit.org/show_bug.cgi?id=185802
3804
3805         Reviewed by Saam Barati.
3806
3807         * dfg/DFGConstantFoldingPhase.cpp:
3808         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3809
3810 2018-05-18  Filip Pizlo  <fpizlo@apple.com>
3811
3812         DFG should inline InstanceOf ICs
3813         https://bugs.webkit.org/show_bug.cgi?id=185695
3814
3815         Reviewed by Yusuke Suzuki.
3816         
3817         This teaches the DFG how to inline InstanceOf ICs into a MatchStructure node. This can then
3818         be folded to a CheckStructure + JSConstant.
3819         
3820         In the process of testing this, I found a bug where LICM was not hoisting things that
3821         depended on ExtraOSREntryLocal because that might return SpecEmpty. I fixed that by teaching
3822         LICM how to materialize CheckNotEmpty on demand whenever !HoistingFailed.
3823         
3824         This is a ~5% speed-up on boyer.
3825         
3826         ~2x speed-up on the instanceof-always-hit-one, instanceof-always-hit-two, and
3827         instanceof-sometimes-hit microbenchmarks.
3828
3829         * JavaScriptCore.xcodeproj/project.pbxproj:
3830         * Sources.txt:
3831         * bytecode/GetByIdStatus.cpp:
3832         (JSC::GetByIdStatus::appendVariant):
3833         (JSC::GetByIdStatus::filter):
3834         * bytecode/GetByIdStatus.h:
3835         (JSC::GetByIdStatus::operator bool const):
3836         (JSC::GetByIdStatus::operator! const): Deleted.
3837         * bytecode/GetByIdVariant.h:
3838         (JSC::GetByIdVariant::operator bool const):
3839         (JSC::GetByIdVariant::operator! const): Deleted.
3840         * bytecode/ICStatusUtils.h: Added.
3841         (JSC::appendICStatusVariant):
3842         (JSC::filterICStatusVariants):
3843         * bytecode/InstanceOfStatus.cpp: Added.
3844         (JSC::InstanceOfStatus::appendVariant):
3845         (JSC::InstanceOfStatus::computeFor):
3846         (JSC::InstanceOfStatus::computeForStubInfo):
3847         (JSC::InstanceOfStatus::commonPrototype const):
3848         (JSC::InstanceOfStatus::filter):
3849         * bytecode/InstanceOfStatus.h: Added.
3850         (JSC::InstanceOfStatus::InstanceOfStatus):
3851         (JSC::InstanceOfStatus::state const):
3852         (JSC::InstanceOfStatus::isSet const):
3853         (JSC::InstanceOfStatus::operator bool const):
3854         (JSC::InstanceOfStatus::isSimple const):
3855         (JSC::InstanceOfStatus::takesSlowPath const):
3856         (JSC::InstanceOfStatus::numVariants const):
3857         (JSC::InstanceOfStatus::variants const):
3858         (JSC::InstanceOfStatus::at const):
3859         (JSC::InstanceOfStatus::operator[] const):
3860         * bytecode/InstanceOfVariant.cpp: Added.
3861         (JSC::InstanceOfVariant::InstanceOfVariant):
3862         (JSC::InstanceOfVariant::attemptToMerge):
3863         (JSC::InstanceOfVariant::dump const):
3864         (JSC::InstanceOfVariant::dumpInContext const):
3865         * bytecode/InstanceOfVariant.h: Added.
3866         (JSC::InstanceOfVariant::InstanceOfVariant):
3867         (JSC::InstanceOfVariant::operator bool const):
3868         (JSC::InstanceOfVariant::structureSet const):
3869         (JSC::InstanceOfVariant::structureSet):
3870         (JSC::InstanceOfVariant::conditionSet const):
3871         (JSC::InstanceOfVariant::prototype const):
3872         (JSC::InstanceOfVariant::isHit const):
3873         * bytecode/StructureStubInfo.cpp:
3874         (JSC::StructureStubInfo::StructureStubInfo):
3875         * bytecode/StructureStubInfo.h:
3876         (JSC::StructureStubInfo::considerCaching):
3877         * dfg/DFGAbstractInterpreterInlines.h:
3878         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3879         * dfg/DFGByteCodeParser.cpp:
3880         (JSC::DFG::ByteCodeParser::parseBlock):
3881         * dfg/DFGClobberize.h:
3882         (JSC::DFG::clobberize):
3883         * dfg/DFGConstantFoldingPhase.cpp:
3884         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3885         * dfg/DFGDoesGC.cpp:
3886         (JSC::DFG::doesGC):
3887         * dfg/DFGFixupPhase.cpp:
3888         (JSC::DFG::FixupPhase::fixupNode):
3889         * dfg/DFGGraph.cpp:
3890         (JSC::DFG::Graph::dump):
3891         * dfg/DFGGraph.h:
3892         * dfg/DFGLICMPhase.cpp:
3893         (JSC::DFG::LICMPhase::attemptHoist):
3894         * dfg/DFGNode.cpp:
3895         (JSC::DFG::Node::remove):
3896         * dfg/DFGNode.h:
3897         (JSC::DFG::Node::hasMatchStructureData):
3898         (JSC::DFG::Node::matchStructureData):
3899         * dfg/DFGNodeType.h:
3900         * dfg/DFGSafeToExecute.h:
3901         (JSC::DFG::safeToExecute):
3902         * dfg/DFGSpeculativeJIT.cpp:
3903         (JSC::DFG::SpeculativeJIT::compileMatchStructure):
3904         * dfg/DFGSpeculativeJIT.h:
3905         * dfg/DFGSpeculativeJIT32_64.cpp:
3906         (JSC::DFG::SpeculativeJIT::compile):
3907         * dfg/DFGSpeculativeJIT64.cpp:
3908         (JSC::DFG::SpeculativeJIT::compile):
3909         * ftl/FTLCapabilities.cpp:
3910         (JSC::FTL::canCompile):
3911         * ftl/FTLLowerDFGToB3.cpp:
3912         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3913         (JSC::FTL::DFG::LowerDFGToB3::compileMatchStructure):
3914
3915 2018-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3916
3917         [JSC] JSC should have consistent InById IC
3918         https://bugs.webkit.org/show_bug.cgi?id=185682
3919
3920         Reviewed by Filip Pizlo.
3921
3922         Currently our op_in IC is ad hoc: it is only emitted in the DFG and FTL layers,
3923         when we find that DFG::In's parameter is a constant string. We should
3924         align this IC with the other ById ICs to clean up and remove ad hoc code
3925         in the DFG and FTL.
3926
3927         This patch cleans up our "In" IC by aligning it with the other ById ICs.
3928         We split the op_in bytecode into op_in_by_id and op_in_by_val. op_in_by_val
3929         is the same as the original op_in. For op_in_by_id, we use JITInByIdGenerator
3930         to emit InById IC code. In addition, our JITInByIdGenerator and op_in_by_id
3931         have an inline access cache for the own-property case, which is the same as
3932         JITGetByIdGenerator.
3933
3934         And we split DFG::In into DFG::InById and DFG::InByVal. InByVal