d5d111dd9e952900b170f96d037434af99a594bf
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-09-15  JF Bastien  <jfbastien@apple.com>

        WTF: use Forward.h when appropriate instead of Vector.h
        https://bugs.webkit.org/show_bug.cgi?id=176984

        Reviewed by Saam Barati.

        There's no need to include Vector.h when Forward.h will suffice. All we need is to move the template default parameters from Vector, and then the forward declaration can be used in so many new places: if a header only takes Vector by reference, rvalue reference, pointer, returns any of these, or has them as members then the header doesn't need to see the definition because the declaration will suffice.

        * bytecode/HandlerInfo.h:
        * heap/GCIncomingRefCounted.h:
        * heap/GCSegmentedArray.h:
        * wasm/js/JSWebAssemblyModule.h:

2017-09-14  Saam Barati  <sbarati@apple.com>

        We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags
        https://bugs.webkit.org/show_bug.cgi?id=176863

        Reviewed by Keith Miller.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):

2017-09-14  Saam Barati  <sbarati@apple.com>

        Make dumping the graph print both when exitOK and when !exitOK
        https://bugs.webkit.org/show_bug.cgi?id=176954

        Reviewed by Keith Miller.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2017-09-14  Saam Barati  <sbarati@apple.com>

        It should be valid to exit before each set when doing arity fixup when inlining
        https://bugs.webkit.org/show_bug.cgi?id=176948

        Reviewed by Keith Miller.

        This patch makes it so that we can exit before each SetLocal when doing arity
        fixup during inlining. This is OK because if we exit at any of these SetLocals,
        we will simply exit to the beginning of the call instruction.

        Not doing this led to a bug where FixupPhase would insert a ValueRep of
        a node before the actual node. This is obviously invalid IR. I've added
        a new validation rule to catch this malformed IR.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        * dfg/DFGValidate.cpp:
        * runtime/Options.h:

2017-09-14  Mark Lam  <mark.lam@apple.com>

        AddressSanitizer: stack-buffer-underflow in JSC::Probe::Page::Page
        https://bugs.webkit.org/show_bug.cgi?id=176874
        <rdar://problem/34436415>

        Reviewed by Saam Barati.

        1. Make Probe::Stack play nice with ASan by:

           a. using a local memcpy implementation that suppresses ASan on ASan builds.
              We don't want to use std::memcpy() which validates stack memory because
              we are intentionally copying stack memory beyond the current frame.

           b. changing Stack::s_chunkSize to equal sizeof(uintptr_t) on ASan builds.
              This ensures that Page::flushWrites() only writes stack memory that was
              modified by a probe.  The probes should only modify stack memory that
              belongs to JSC stack data structures.  We don't want to inadvertently
              modify adjacent words that may belong to ASan (which may happen if
              s_chunkSize is larger than sizeof(uintptr_t)).

           c. fixing a bug in Page dirtyBits management for when the size of the value to
              write is greater than s_chunkSize.  The fix is generic, but in practice,
              this currently only manifests on 32-bit ASan builds because
              sizeof(uintptr_t) and s_chunkSize are 32-bit, and we may write 64-bit
              values.

           d. making Page::m_dirtyBits 64 bits always.  This maximizes the number of
              s_chunksPerPage we can have even on ASan builds.

        2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
           std::memcpy to avoid strict aliasing issues.

        3. Optimized the implementation of Page::physicalAddressFor().

        4. Optimized the implementation of Stack::set() in the recording of the low
           watermark.  We just record the lowest raw pointer now, and only compute the
           alignment to its chunk boundary later when the low watermark is requested.

        5. Changed a value in testmasm to make the test less vulnerable to rounding issues.

        No new test needed because this is already covered by testmasm with ASan enabled.

        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::gpr const):
        (JSC::Probe::CPUState::spr const):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::gpr const):
        (JSC::Probe::Context::spr const):
        (JSC::Probe::Context::fpr const):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe:: const): Deleted.
        * assembler/ProbeStack.cpp:
        (JSC::Probe::copyStackPage):
        (JSC::Probe::Page::Page):
        (JSC::Probe::Page::flushWrites):
        * assembler/ProbeStack.h:
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::dirtyBitFor):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        * assembler/testmasm.cpp:
        (JSC::testProbeModifiesStackValues):

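The dirty-bit bookkeeping that items 1b, 1c and 1d of the entry above describe, worked through as an added example. This is illustrative code written for this page, not JSC's Probe::Page or Probe::Stack: the ShadowPage class, the dirtyMaskForWrite() helper, the demo function and the 4-byte chunk size (standing in for sizeof(uintptr_t) on the 32-bit ASan build the entry mentions, so that a 64-bit write necessarily straddles two chunks) are all assumptions made here. The sentinel written into a neighbouring word is constructed test data that models memory some other party, such as the sanitizer, owns.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Illustrative shadow page modelled on the ChangeLog description; not JSC code.
// kChunkSize = 4 stands in for sizeof(uintptr_t) on a 32-bit ASan build, so a
// 64-bit write always touches two chunks.
constexpr size_t kChunkSize = 4;
constexpr size_t kChunksPerPage = 64;                  // one bit each in a 64-bit mask
constexpr size_t kPageSize = kChunkSize * kChunksPerPage;

// Mask of every chunk a write of `size` bytes at `offset` touches, first to last.
// Marking only chunk offset / kChunkSize (a single bit) is the bug class item 1c
// describes: the tail of a value wider than a chunk would never be flushed.
uint64_t dirtyMaskForWrite(size_t offset, size_t size)
{
    size_t first = offset / kChunkSize;
    size_t last = (offset + size - 1) / kChunkSize;
    uint64_t mask = 0;
    for (size_t i = first; i <= last; ++i)
        mask |= uint64_t(1) << i;
    return mask;
}

class ShadowPage {
public:
    // Snapshot the target page; writes go to the copy until flushWrites().
    explicit ShadowPage(uint8_t* base) : m_base(base)
    {
        std::memcpy(m_buffer.data(), base, kPageSize);
    }

    // memcpy instead of a type-punned pointer dereference: no strict-aliasing UB (item 2).
    template<typename T> T get(size_t offset) const
    {
        T value;
        std::memcpy(&value, m_buffer.data() + offset, sizeof(T));
        return value;
    }

    template<typename T> void set(size_t offset, T value)
    {
        std::memcpy(m_buffer.data() + offset, &value, sizeof(T));
        m_dirtyBits |= dirtyMaskForWrite(offset, sizeof(T));
    }

    // Write back only dirty chunks. Words the probe never touched (which under ASan
    // may belong to the sanitizer) are left exactly as they are (item 1b).
    size_t flushWrites()
    {
        size_t flushed = 0;
        for (size_t i = 0; i < kChunksPerPage; ++i) {
            if (!(m_dirtyBits & (uint64_t(1) << i)))
                continue;
            std::memcpy(m_base + i * kChunkSize, m_buffer.data() + i * kChunkSize, kChunkSize);
            ++flushed;
        }
        m_dirtyBits = 0;
        return flushed;
    }

private:
    uint8_t* m_base;
    std::array<uint8_t, kPageSize> m_buffer;
    uint64_t m_dirtyBits = 0;                          // always 64 bits wide (item 1d)
};

struct FlushResult {
    size_t chunksFlushed;
    uint64_t writtenValue;
    uint32_t neighbourAfterFlush;
};

// A 64-bit write at offset 8 on a 4-byte-chunk page, with the neighbouring word at
// offset 16 changed behind the page's back after the snapshot. A correct flush
// rewrites exactly two chunks and leaves that neighbour untouched.
FlushResult demoStraddlingWrite()
{
    alignas(8) uint8_t target[kPageSize] = {};
    ShadowPage page(target);

    const uint32_t neighbour = 0xA5A5A5A5u;            // constructed sentinel
    std::memcpy(target + 16, &neighbour, sizeof neighbour);

    page.set<uint64_t>(8, 0x1122334455667788ull);

    FlushResult r;
    r.chunksFlushed = page.flushWrites();
    std::memcpy(&r.writtenValue, target + 8, sizeof r.writtenValue);
    std::memcpy(&r.neighbourAfterFlush, target + 16, sizeof r.neighbourAfterFlush);
    return r;
}

int main()
{
    FlushResult r = demoStraddlingWrite();
    std::printf("mask for 8 bytes at offset 8: 0x%llx; chunks flushed: %zu; neighbour intact: %s\n",
                (unsigned long long)dirtyMaskForWrite(8, 8), r.chunksFlushed,
                r.neighbourAfterFlush == 0xA5A5A5A5u ? "yes" : "no");
    return 0;
}
```

If flushWrites() copied the whole page, or if set() marked only the first chunk, the demo would either clobber the sentinel at offset 16 with the stale snapshot or leave the upper half of the 64-bit value unwritten; the two-chunk mask and the per-chunk flush are what keep both from happening.
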
2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed
        https://bugs.webkit.org/show_bug.cgi?id=176917

        Reviewed by Saam Barati.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):
        * runtime/Options.h:

2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
        https://bugs.webkit.org/show_bug.cgi?id=176867

        Reviewed by Sam Weinig.

        We rarely require private symbols when enumerating property names.
        This patch adds PrivateSymbolMode::{Include,Exclude}. If PrivateSymbolMode::Exclude
        is specified, PropertyNameArray does not include private symbols.
        This removes many ad-hoc `Identifier::isPrivateName()` in enumeration operations.

        One additional good thing is that we do not need to filter private symbols out from PropertyNameArray.
        It allows us to use Object.keys()'s fast path for Object.getOwnPropertySymbols.

        object-get-own-property-symbols                48.6275+-1.0021     ^     38.1846+-1.7934        ^ definitely 1.2735x faster

        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * runtime/EnumerationMode.h:
        * runtime/IntlObject.cpp:
        (JSC::supportedLocales):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::create):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        (JSC::objectConstructorAssign):
        (JSC::objectConstructorValues):
        (JSC::defineProperties):
        (JSC::setIntegrityLevel):
        (JSC::testIntegrityLevel):
        (JSC::ownPropertyKeys):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::PropertyNameArray):
        (JSC::PropertyNameArray::propertyNameMode const):
        (JSC::PropertyNameArray::privateSymbolMode const):
        (JSC::PropertyNameArray::addUncheckedInternal):
        (JSC::PropertyNameArray::addUnchecked):
        (JSC::PropertyNameArray::add):
        (JSC::PropertyNameArray::isUidMatchedToTypeMode):
        (JSC::PropertyNameArray::includeSymbolProperties const):
        (JSC::PropertyNameArray::includeStringProperties const):
        (JSC::PropertyNameArray::mode const): Deleted.
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performGetOwnPropertyNames):

2017-09-13  Mark Lam  <mark.lam@apple.com>

        Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
        https://bugs.webkit.org/show_bug.cgi?id=176888
        <rdar://problem/34381832>

        Not reviewed.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/ProbeContext.h:
        (JSC::Probe:: const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe::CPUState::gpr const): Deleted.
        (JSC::Probe::CPUState::spr const): Deleted.
        (JSC::Probe::Context::arg): Deleted.
        (JSC::Probe::Context::gpr const): Deleted.
        (JSC::Probe::Context::spr const): Deleted.
        (JSC::Probe::Context::fpr const): Deleted.
        * assembler/ProbeFrame.h: Removed.
        * assembler/ProbeStack.cpp:
        (JSC::Probe::Page::Page):
        * assembler/ProbeStack.h:
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        * bytecode/ArithProfile.cpp:
        * bytecode/ArithProfile.h:
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::observeArrayMode): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addressOfOSRExitCounter):
        * bytecode/ExecutionCounter.h:
        (JSC::ExecutionCounter::hasCrossedThreshold const): Deleted.
        (JSC::ExecutionCounter::setNewThresholdForOSRExit): Deleted.
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::reportValue): Deleted.
        * bytecode/MethodOfGettingAValueProfile.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::setPatchableCodeOffset):
        (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const):
        (JSC::DFG::OSRExit::codeLocationForRepatch const):
        (JSC::DFG::OSRExit::correctJump):
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
        (JSC::DFG::jsValueFor): Deleted.
        (JSC::DFG::restoreCalleeSavesFor): Deleted.
        (JSC::DFG::saveCalleeSavesFor): Deleted.
        (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted.
        (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted.
        (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted.
        (JSC::DFG::createDirectArgumentsDuringExit): Deleted.
        (JSC::DFG::createClonedArgumentsDuringExit): Deleted.
        (JSC::DFG::emitRestoreArguments): Deleted.
        (JSC::DFG::OSRExit::executeOSRExit): Deleted.
        (JSC::DFG::reifyInlinedCallFrames): Deleted.
        (JSC::DFG::adjustAndJumpToTarget): Deleted.
        (JSC::DFG::printOSRExit): Deleted.
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExitState::OSRExitState): Deleted.
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrExitThunkGenerator): Deleted.
        * dfg/DFGThunks.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::debugCall):
        * jit/AssemblyHelpers.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * profiler/ProfilerOSRExit.h:
        (JSC::Profiler::OSRExit::incCount): Deleted.
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/VM.h:

2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Move class/struct used in other class' member out of anonymous namespace
        https://bugs.webkit.org/show_bug.cgi?id=176876

        Reviewed by Saam Barati.

        GCC warns if a class has a base or field whose type uses the anonymous namespace
        and it is defined in an included file. This is because this possibly violates
        the one definition rule (ODR): if an included file has the anonymous namespace, each
        translation unit creates its private anonymous namespace. Thus, each type
        inside the anonymous namespace becomes different in each translation unit if
        the file is included in multiple translation units.

        While the current use in JSC is not violating ODR since these cpp files are included
        only once for unified sources, specifying `-Wno-subobject-linkage` could miss
        the actual bugs. So, in this patch, we just move related classes/structs out of
        the anonymous namespace.

        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::addition):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::arrayBounds):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator! const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::hash const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator== const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::dump const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::RangeKeyAndAddend):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::operator! const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::dump const):
        (JSC::DFG::IntegerCheckCombiningPhase::Range::dump const):
        * dfg/DFGLICMPhase.cpp:

2017-09-13  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Event Listeners section does not update when listeners are added/removed
        https://bugs.webkit.org/show_bug.cgi?id=170570
        <rdar://problem/31501645>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/DOM.json:
        Add two new events: "didAddEventListener" and "willRemoveEventListener". These events do not
        contain any information about the event listeners that were added/removed. They serve more
        as indications that something has changed, and to refetch the data again via `getEventListenersForNode`.

2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Fix Array allocation in Object.keys
        https://bugs.webkit.org/show_bug.cgi?id=176826

        Reviewed by Saam Barati.

        When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
        We check isHavingABadTime() in ownPropertyKeys fast path.
        And we also ensure that ownPropertyKeys uses putDirect operation instead of put by a test.

        * runtime/ObjectConstructor.cpp:
        (JSC::ownPropertyKeys):

2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Optimize WeakMap::get by adding intrinsic and fixup
        https://bugs.webkit.org/show_bug.cgi?id=176010

        Reviewed by Filip Pizlo.

        It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
        It is used for meta property for objects (see peekMeta function in Ember.js).

        This patch optimizes WeakMap#get.

        1. We use inlineGet to inline WeakMap#get operation in the native function.
        Since this native function itself is very small, we should inline HashMap#get
        entirely in this function.

        2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
        very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
        to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
        ObjectUse, and Int32Use.

        3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
        calculate hash value for the key's Object and use this hash value to look up value from
        JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
        It is worth considering implementing this operation entirely in JIT, like GetMapBucket.
        But anyway, the current one already optimizes the performance, so we leave this for the subsequent
        patches.

        We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
        not used in Ember.js right now.

        This patch optimizes WeakMap#get by 50%.

                                 baseline                  patched

        weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster

        * bytecode/DirectEvalCodeCache.h:
        (JSC::DirectEvalCodeCache::tryGet):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationFromClassInfo):
        (JSC::speculationFromJSType):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
        (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
        (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
        (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
        * jit/JITOperations.h:
        * runtime/HashMapImpl.h:
        (JSC::WeakMapHash::hash):
        (JSC::WeakMapHash::equal):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/JSType.h:
        * runtime/JSWeakMap.h:
        (JSC::isJSWeakMap):
        * runtime/JSWeakSet.h:
        (JSC::isJSWeakSet):
        * runtime/WeakMapBase.cpp:
        (JSC::WeakMapBase::get):
        * runtime/WeakMapBase.h:
        (JSC::WeakMapBase::HashTranslator::hash):
        (JSC::WeakMapBase::HashTranslator::equal):
        (JSC::WeakMapBase::inlineGet):
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        (JSC::getWeakMap):
        (JSC::protoFuncWeakMapGet):
        * runtime/WeakSetPrototype.cpp:
        (JSC::getWeakSet):

2017-09-12  Keith Miller  <keith_miller@apple.com>

        Rename JavaScriptCore CMake unifiable sources list
        https://bugs.webkit.org/show_bug.cgi?id=176823

        Reviewed by Joseph Pecoraro.

        This patch also changes the error message when the unified source
        bundler fails to be more accurate.

        * CMakeLists.txt:

2017-09-12  Keith Miller  <keith_miller@apple.com>

        Do unified source builds for JSC
        https://bugs.webkit.org/show_bug.cgi?id=176076

        Reviewed by Geoffrey Garen.

        This patch switches the CMake JavaScriptCore build to use unified sources.
        The Xcode build will be upgraded in a follow up patch.

        Most of the source changes in this patch are fixing static
        variable/functions name collisions. The most common collisions
        were from our use of "static const bool verbose" and "using
        namespace ...". I fixed all the verbose cases and fixed the "using
        namespace" issues that occurred under the current bundling
        strategy. It's likely that more of the "using namespace" issues
        will need to be resolved in the future, particularly in the FTL.

        I don't expect either of these problems will apply to other parts
        of the project nearly as much as in JSC. Using a verbose variable
        is a JSC idiom and JSC tends to use the same, canonical, class name
        in multiple parts of the engine.

        * CMakeLists.txt:
        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::forEachArg):
        (JSC::B3::CheckSpecial::generate):
        (JSC::B3::Air::numB3Args): Deleted.
        * b3/B3DuplicateTails.cpp:
        * b3/B3EliminateCommonSubexpressions.cpp:
        * b3/B3FixSSA.cpp:
        (JSC::B3::demoteValues):
        * b3/B3FoldPathConstants.cpp:
        * b3/B3InferSwitches.cpp:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        (): Deleted.
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::LowerToAir): Deleted.
        (JSC::B3::Air::LowerToAir::run): Deleted.
        (JSC::B3::Air::LowerToAir::shouldCopyPropagate): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::swap): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::operator=): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::setTraps): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::tmp): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::operator bool const): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::kind const): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::peek const): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::consume): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::inst): Deleted.
        (JSC::B3::Air::LowerToAir::tmp): Deleted.
        (JSC::B3::Air::LowerToAir::tmpPromise): Deleted.
        (JSC::B3::Air::LowerToAir::canBeInternal): Deleted.
        (JSC::B3::Air::LowerToAir::commitInternal): Deleted.
        (JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
        (JSC::B3::Air::LowerToAir::scaleForShl): Deleted.
        (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
        (JSC::B3::Air::LowerToAir::addr): Deleted.
        (JSC::B3::Air::LowerToAir::trappingInst): Deleted.
        (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode): Deleted.
        (JSC::B3::Air::LowerToAir::loadPromise): Deleted.
        (JSC::B3::Air::LowerToAir::imm): Deleted.
        (JSC::B3::Air::LowerToAir::bitImm): Deleted.
        (JSC::B3::Air::LowerToAir::bitImm64): Deleted.
        (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
        (JSC::B3::Air::LowerToAir::tryOpcodeForType): Deleted.
        (JSC::B3::Air::LowerToAir::opcodeForType): Deleted.
        (JSC::B3::Air::LowerToAir::appendUnOp): Deleted.
        (JSC::B3::Air::LowerToAir::preferRightForResult): Deleted.
        (JSC::B3::Air::LowerToAir::appendBinOp): Deleted.
        (JSC::B3::Air::LowerToAir::appendShift): Deleted.
        (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp): Deleted.
        (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): Deleted.
        (JSC::B3::Air::LowerToAir::createStore): Deleted.
        (JSC::B3::Air::LowerToAir::storeOpcode): Deleted.
        (JSC::B3::Air::LowerToAir::appendStore): Deleted.
        (JSC::B3::Air::LowerToAir::moveForType): Deleted.
        (JSC::B3::Air::LowerToAir::relaxedMoveForType): Deleted.
        (JSC::B3::Air::LowerToAir::print): Deleted.
        (JSC::B3::Air::LowerToAir::append): Deleted.
        (JSC::B3::Air::LowerToAir::appendTrapping): Deleted.
        (JSC::B3::Air::LowerToAir::finishAppendingInstructions): Deleted.
        (JSC::B3::Air::LowerToAir::newBlock): Deleted.
        (JSC::B3::Air::LowerToAir::splitBlock): Deleted.
        (JSC::B3::Air::LowerToAir::ensureSpecial): Deleted.
        (JSC::B3::Air::LowerToAir::ensureCheckSpecial): Deleted.
        (JSC::B3::Air::LowerToAir::fillStackmap): Deleted.
        (JSC::B3::Air::LowerToAir::createGenericCompare): Deleted.
        (JSC::B3::Air::LowerToAir::createBranch): Deleted.
        (JSC::B3::Air::LowerToAir::createCompare): Deleted.
        (JSC::B3::Air::LowerToAir::createSelect): Deleted.
        (JSC::B3::Air::LowerToAir::tryAppendLea): Deleted.
        (JSC::B3::Air::LowerToAir::appendX86Div): Deleted.
        (JSC::B3::Air::LowerToAir::appendX86UDiv): Deleted.
        (JSC::B3::Air::LowerToAir::loadLinkOpcode): Deleted.
        (JSC::B3::Air::LowerToAir::storeCondOpcode): Deleted.
        (JSC::B3::Air::LowerToAir::appendCAS): Deleted.
        (JSC::B3::Air::LowerToAir::appendVoidAtomic): Deleted.
        (JSC::B3::Air::LowerToAir::appendGeneralAtomic): Deleted.
        (JSC::B3::Air::LowerToAir::lower): Deleted.
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::generate):
        * b3/B3ReduceDoubleToFloat.cpp:
        (JSC::B3::reduceDoubleToFloat):
        * b3/B3ReduceStrength.cpp:
        * b3/B3StackmapGenerationParams.cpp:
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::repsImpl):
        (JSC::B3::StackmapSpecial::repForArg):
        * b3/air/AirAllocateStackByGraphColoring.cpp:
        (JSC::B3::Air::allocateStackByGraphColoring):
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirFixObviousSpills.cpp:
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirStackAllocation.cpp:
        (JSC::B3::Air::attemptAssignment):
        (JSC::B3::Air::assign):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeDFGStatuses):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::emitDOMJITGetter):
        * bytecode/ObjectPropertyConditionSet.cpp:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::addCases):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::addAccessCase):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::planLoad):
        (JSC::DFG::ByteCodeParser::store):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::linkBlocks):
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::merge):
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGMovHintRemovalPhase.cpp:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPhantomInsertionPhase.cpp:
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGVarargsForwardingPhase.cpp:
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::compute):
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::decorateMemory):
        (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
        (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
        (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
        (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
        (JSC::FTL::AbstractHeapRepository::decorateFenceRead):
        (JSC::FTL::AbstractHeapRepository::decorateFenceWrite):
        (JSC::FTL::AbstractHeapRepository::decorateFencedAccess):
        (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * heap/MarkingConstraintSet.cpp:
        (JSC::MarkingConstraintSet::add):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
        * jit/BinarySwitch.cpp:
        (JSC::BinarySwitch::BinarySwitch):
        (JSC::BinarySwitch::build):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::loadStats):
688         (JSC::LLInt::Data::saveStats):
689         * runtime/ArrayPrototype.cpp:
690         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
691         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
692         * runtime/ErrorInstance.cpp:
693         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
694         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
695         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame const): Deleted.
696         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index const): Deleted.
697         * runtime/IntlDateTimeFormat.cpp:
698         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
699         * runtime/PromiseDeferredTimer.cpp:
700         (JSC::PromiseDeferredTimer::doWork):
701         (JSC::PromiseDeferredTimer::addPendingPromise):
702         (JSC::PromiseDeferredTimer::cancelPendingPromise):
703         * runtime/TypeProfiler.cpp:
704         (JSC::TypeProfiler::insertNewLocation):
705         * runtime/TypeProfilerLog.cpp:
706         (JSC::TypeProfilerLog::processLogEntries):
707         * runtime/WeakMapPrototype.cpp:
708         (JSC::protoFuncWeakMapDelete):
709         (JSC::protoFuncWeakMapGet):
710         (JSC::protoFuncWeakMapHas):
711         (JSC::protoFuncWeakMapSet):
712         (JSC::getWeakMapData): Deleted.
713         * runtime/WeakSetPrototype.cpp:
714         (JSC::protoFuncWeakSetDelete):
715         (JSC::protoFuncWeakSetHas):
716         (JSC::protoFuncWeakSetAdd):
717         (JSC::getWeakMapData): Deleted.
718         * testRegExp.cpp:
719         (testOneRegExp):
720         (runFromFiles):
721         * wasm/WasmB3IRGenerator.cpp:
722         (JSC::Wasm::parseAndCompile):
723         * wasm/WasmBBQPlan.cpp:
724         (JSC::Wasm::BBQPlan::moveToState):
725         (JSC::Wasm::BBQPlan::parseAndValidateModule):
726         (JSC::Wasm::BBQPlan::prepare):
727         (JSC::Wasm::BBQPlan::compileFunctions):
728         (JSC::Wasm::BBQPlan::complete):
729         * wasm/WasmFaultSignalHandler.cpp:
730         (JSC::Wasm::trapHandler):
731         * wasm/WasmOMGPlan.cpp:
732         (JSC::Wasm::OMGPlan::OMGPlan):
733         (JSC::Wasm::OMGPlan::work):
734         * wasm/WasmPlan.cpp:
735         (JSC::Wasm::Plan::fail):
736         * wasm/WasmSignature.cpp:
737         (JSC::Wasm::SignatureInformation::adopt):
738         * wasm/WasmWorklist.cpp:
739         (JSC::Wasm::Worklist::enqueue):
740
741 2017-09-12  Michael Saboff  <msaboff@apple.com>
742
743         String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp
744         https://bugs.webkit.org/show_bug.cgi?id=176814
745
746         Reviewed by Mark Lam.
747
748         The copy and advance indices were off by one and needed a little fine tuning.
749
750         * runtime/StringPrototype.cpp:
751         (JSC::substituteBackreferencesSlow):
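
        As an added illustration (not code from this ChangeLog or from JSC), the replacement-template expansion that substituteBackreferencesSlow implements, modelled on the spec's GetSubstitution step. The `expandTemplate` and `replaceFirst` helpers are constructed here; the `$<name>` branch shows the case the entry above describes: when the RegExp has no named groups, `$<` is copied literally exactly once and scanning resumes after it.

```javascript
// Constructed model of String.prototype.replace template expansion.
// Not JSC code: a plain-JS rendering of the spec's GetSubstitution logic.
//   template       the replacement string (may contain $-patterns)
//   matched        the matched substring
//   position       index of the match within subject
//   captures       array of numbered capture values (undefined if unmatched)
//   namedCaptures  match.groups, or undefined when the RegExp has no named groups
function expandTemplate(template, matched, position, subject, captures, namedCaptures) {
  let result = "";
  let i = 0;
  const m = captures.length;
  while (i < template.length) {
    const ch = template[i];
    // Anything that is not a "$" pattern is copied through unchanged.
    if (ch !== "$" || i + 1 >= template.length) { result += ch; i += 1; continue; }
    const next = template[i + 1];
    if (next === "$") { result += "$"; i += 2; continue; }          // "$$" -> "$"
    if (next === "&") { result += matched; i += 2; continue; }      // "$&" -> match
    if (next === "`") { result += subject.slice(0, position); i += 2; continue; }
    if (next === "'") { result += subject.slice(position + matched.length); i += 2; continue; }
    if (next >= "1" && next <= "9") {
      // Single-digit numbered reference "$n"; out-of-range references stay literal.
      const n = Number(next);
      if (n <= m) {
        const c = captures[n - 1];
        result += c === undefined ? "" : c;
        i += 2;
        continue;
      }
      result += ch; i += 1; continue;
    }
    if (next === "<") {
      // No named groups in the RegExp: "$<" is literal text. The copy index and
      // the advance index must both move past exactly these two characters,
      // otherwise the "<" is emitted twice (the bug the entry above fixes).
      if (namedCaptures === undefined) { result += "$<"; i += 2; continue; }
      const close = template.indexOf(">", i + 2);
      if (close === -1) { result += "$<"; i += 2; continue; }     // unterminated "$<"
      const name = template.slice(i + 2, close);
      const val = namedCaptures[name];
      result += val === undefined ? "" : String(val);            // unknown name -> ""
      i = close + 1;
      continue;
    }
    result += ch; i += 1;                                         // lone "$"
  }
  return result;
}

// Replace the first match of regexp in subject using the template above.
function replaceFirst(subject, regexp, template) {
  const match = regexp.exec(subject);
  if (!match) return subject;
  const expanded = expandTemplate(template, match[0], match.index, subject,
                                  match.slice(1), match.groups);
  return subject.slice(0, match.index) + expanded +
         subject.slice(match.index + match[0].length);
}

// Constructed sample inputs: no named groups, named groups, unknown name.
const noNamedGroups   = replaceFirst("abc", /b/, "$<x>");          // "a$<x>c"
const withNamedGroups = replaceFirst("abc", /(?<mid>b)/, "[$<mid>]"); // "a[b]c"
const unknownName     = replaceFirst("abc", /(?<mid>b)/, "[$<nope>]"); // "a[]c"
```

The first sample can be checked against the engine itself: `"abc".replace(/b/, "$<x>")` must yield `"a$<x>c"` with a single `<`.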
752
753 2017-09-11  Mark Lam  <mark.lam@apple.com>
754
755         More exception check book-keeping needed found by 32-bit JSC test failures.
756         https://bugs.webkit.org/show_bug.cgi?id=176742
757
758         Reviewed by Michael Saboff and Keith Miller.
759
760         * dfg/DFGOperations.cpp:
761
762 2017-09-11  Mark Lam  <mark.lam@apple.com>
763
764         Make jsc dump the command line if JSC_dumpOption environment variable is set with a non-zero value.
765         https://bugs.webkit.org/show_bug.cgi?id=176722
766
767         Reviewed by Saam Barati.
768
769         For PLATFORM(COCOA), I also dumped the JSC_* environmental variables that are
770         in effect when jsc is invoked.
771
772         * jsc.cpp:
773         (CommandLine::parseArguments):
774
775 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
776
777         Unreviewed, rolling out r221854.
778
779         The test added with this change fails on 32-bit JSC bots.
780
781         Reverted changeset:
782
783         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
784         https://bugs.webkit.org/show_bug.cgi?id=176010
785         http://trac.webkit.org/changeset/221854
786
787 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
788
789         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
790         https://bugs.webkit.org/show_bug.cgi?id=176010
791
792         Reviewed by Filip Pizlo.
793
794         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
795         It is used for meta property for objects (see peekMeta function in Ember.js).
796
797         This patch optimizes WeakMap#get.
798
799         1. We use inlineGet to inline WeakMap#get operation in the native function.
800         Since this native function itself is very small, we should inline HashMap#get
801         entirely in this function.
802
803         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
804         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
805         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
806         ObjectUse, and Int32Use.
807
808         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
809         calculate hash value for the key's Object and use this hash value to look up value from
810         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
811         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
812         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
813         patches.
814
815         We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
816         not used in Ember.js right now.
817
818         This patch optimizes WeakMap#get by 50%.
819
820                                  baseline                  patched
821
822         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
823
824         * bytecode/DirectEvalCodeCache.h:
825         (JSC::DirectEvalCodeCache::tryGet):
826         * bytecode/SpeculatedType.cpp:
827         (JSC::dumpSpeculation):
828         (JSC::speculationFromClassInfo):
829         (JSC::speculationFromJSType):
830         (JSC::speculationFromString):
831         * bytecode/SpeculatedType.h:
832         * dfg/DFGAbstractInterpreterInlines.h:
833         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
834         * dfg/DFGByteCodeParser.cpp:
835         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
836         * dfg/DFGClobberize.h:
837         (JSC::DFG::clobberize):
838         * dfg/DFGDoesGC.cpp:
839         (JSC::DFG::doesGC):
840         * dfg/DFGFixupPhase.cpp:
841         (JSC::DFG::FixupPhase::fixupNode):
842         * dfg/DFGHeapLocation.cpp:
843         (WTF::printInternal):
844         * dfg/DFGHeapLocation.h:
845         * dfg/DFGNode.h:
846         (JSC::DFG::Node::hasHeapPrediction):
847         * dfg/DFGNodeType.h:
848         * dfg/DFGOperations.cpp:
849         * dfg/DFGOperations.h:
850         * dfg/DFGPredictionPropagationPhase.cpp:
851         * dfg/DFGSafeToExecute.h:
852         (JSC::DFG::SafeToExecuteEdge::operator()):
853         (JSC::DFG::safeToExecute):
854         * dfg/DFGSpeculativeJIT.cpp:
855         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
856         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
857         (JSC::DFG::SpeculativeJIT::speculate):
858         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
859         * dfg/DFGSpeculativeJIT.h:
860         (JSC::DFG::SpeculativeJIT::callOperation):
861         * dfg/DFGSpeculativeJIT32_64.cpp:
862         (JSC::DFG::SpeculativeJIT::compile):
863         * dfg/DFGSpeculativeJIT64.cpp:
864         (JSC::DFG::SpeculativeJIT::compile):
865         * dfg/DFGUseKind.cpp:
866         (WTF::printInternal):
867         * dfg/DFGUseKind.h:
868         (JSC::DFG::typeFilterFor):
869         (JSC::DFG::isCell):
870         * ftl/FTLCapabilities.cpp:
871         (JSC::FTL::canCompile):
872         * ftl/FTLLowerDFGToB3.cpp:
873         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
874         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
875         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
876         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
877         (JSC::FTL::DFG::LowerDFGToB3::speculate):
878         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
879         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
880         * jit/JITOperations.h:
881         * runtime/Intrinsic.cpp:
882         (JSC::intrinsicName):
883         * runtime/Intrinsic.h:
884         * runtime/JSType.h:
885         * runtime/JSWeakMap.h:
886         (JSC::isJSWeakMap):
887         * runtime/JSWeakSet.h:
888         (JSC::isJSWeakSet):
889         * runtime/WeakMapBase.cpp:
890         (JSC::WeakMapBase::get):
891         * runtime/WeakMapBase.h:
892         (JSC::WeakMapBase::HashTranslator::hash):
893         (JSC::WeakMapBase::HashTranslator::equal):
894         (JSC::WeakMapBase::inlineGet):
895         * runtime/WeakMapPrototype.cpp:
896         (JSC::WeakMapPrototype::finishCreation):
897         (JSC::getWeakMap):
898         (JSC::protoFuncWeakMapGet):
899         * runtime/WeakSetPrototype.cpp:
900         (JSC::getWeakSet):
901
902 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
903
904         [JSC] Optimize Object.keys by using careful array allocation
905         https://bugs.webkit.org/show_bug.cgi?id=176654
906
907         Reviewed by Darin Adler.
908
909         SixSpeed object-assign.es6 stresses Object.keys. Object.keys is one of the frequently used
910         functions in JS apps. Luckily Object.keys has several good features.
911
912         1. Once PropertyNameArray is allocated, we know the length of the result array since
913         we do not need to filter out keys listed in PropertyNameArray. The exception is ProxyObject,
914         but it rarely appears. ProxyObject case goes to the generic path.
915
916         2. Object.keys does not need to access object after listing PropertyNameArray. It means
917         that we do not need to worry about enumeration attribute change by touching object.
918
919         This patch adds a fast path for Object.keys's array allocation. We allocate the JSArray
920         with the size and ArrayContiguous indexing shape.
921
922         This further improves SixSpeed object-assign.es5 by 13%.
923
924                                             baseline                  patched
925         Microbenchmarks:
926            object-keys-map-values       73.4324+-2.5397     ^     62.5933+-2.6677        ^ definitely 1.1732x faster
927            object-keys                  40.8828+-1.5851     ^     29.2066+-1.8944        ^ definitely 1.3998x faster
928
929                                             baseline                  patched
930         SixSpeed:
931            object-assign.es5           384.8719+-10.7204    ^    340.2734+-12.0947       ^ definitely 1.1311x faster
932
933         BTW, the further optimization of Object.keys can be considered: introducing own property keys
934         cache which is similar to the current enumeration cache. But this patch is orthogonal to
935         this optimization!
936
937         * runtime/ObjectConstructor.cpp:
938         (JSC::objectConstructorValues):
939         (JSC::ownPropertyKeys):
940         * runtime/ObjectConstructor.h:
941
942 2017-09-10  Mark Lam  <mark.lam@apple.com>
943
944         Fix all ExceptionScope verification failures in JavaScriptCore.
945         https://bugs.webkit.org/show_bug.cgi?id=176662
946         <rdar://problem/34352085>
947
948         Reviewed by Filip Pizlo.
949
950         1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope
951            verification for release builds too (though this requires manually setting
952            ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).
953
954            This is useful because it allows us to run the tests more quickly to check
955            if any regressions have occurred.  Debug builds run so much slower and are not
956            good for a quick turnaround.  Debug builds are necessary though to get
957            trace information without inlining by the C++ compiler.  This is necessary to
958            diagnose where the missing exception check is.
959
960         2. Repurposed the JSC_dumpSimulatedThrows=true option to capture and dump the last
961            simulated throw when an exception scope verification fails.
962
963            Previously, this option dumped the stack trace on all simulated throws.  That
964            turned out to not be very useful, and slows down the debugging process.
965            Instead, the new implementation captures the stack trace and only dumps it
966            if we have a verification failure.
967
968         3. Fixed missing exception checks and book-keeping needed to allow the JSC tests
969            to pass with JSC_validateExceptionChecks=true.
970
971         * bytecode/CodeBlock.cpp:
972         (JSC::CodeBlock::finishCreation):
973         * dfg/DFGOSRExit.cpp:
974         (JSC::DFG::OSRExit::executeOSRExit):
975         * dfg/DFGOperations.cpp:
976         * interpreter/Interpreter.cpp:
977         (JSC::eval):
978         (JSC::loadVarargs):
979         (JSC::Interpreter::unwind):
980         (JSC::Interpreter::executeProgram):
981         (JSC::Interpreter::executeCall):
982         (JSC::Interpreter::executeConstruct):
983         (JSC::Interpreter::prepareForRepeatCall):
984         (JSC::Interpreter::execute):
985         (JSC::Interpreter::executeModuleProgram):
986         * jit/JITOperations.cpp:
987         (JSC::getByVal):
988         * jsc.cpp:
989         (WTF::CustomGetter::customGetterAcessor):
990         (GlobalObject::moduleLoaderImportModule):
991         (GlobalObject::moduleLoaderResolve):
992         * llint/LLIntSlowPaths.cpp:
993         (JSC::LLInt::getByVal):
994         (JSC::LLInt::setUpCall):
995         * parser/Parser.h:
996         (JSC::Parser::popScopeInternal):
997         * runtime/AbstractModuleRecord.cpp:
998         (JSC::AbstractModuleRecord::hostResolveImportedModule):
999         (JSC::AbstractModuleRecord::resolveImport):
1000         (JSC::AbstractModuleRecord::resolveExportImpl):
1001         (JSC::getExportedNames):
1002         (JSC::AbstractModuleRecord::getModuleNamespace):
1003         * runtime/ArrayPrototype.cpp:
1004         (JSC::getProperty):
1005         (JSC::unshift):
1006         (JSC::arrayProtoFuncToString):
1007         (JSC::arrayProtoFuncToLocaleString):
1008         (JSC::arrayProtoFuncJoin):
1009         (JSC::arrayProtoFuncPop):
1010         (JSC::arrayProtoFuncPush):
1011         (JSC::arrayProtoFuncReverse):
1012         (JSC::arrayProtoFuncShift):
1013         (JSC::arrayProtoFuncSlice):
1014         (JSC::arrayProtoFuncSplice):
1015         (JSC::arrayProtoFuncUnShift):
1016         (JSC::arrayProtoFuncIndexOf):
1017         (JSC::arrayProtoFuncLastIndexOf):
1018         (JSC::concatAppendOne):
1019         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1020         (JSC::arrayProtoPrivateFuncAppendMemcpy):
1021         * runtime/CatchScope.h:
1022         * runtime/CommonSlowPaths.cpp:
1023         (JSC::SLOW_PATH_DECL):
1024         * runtime/DatePrototype.cpp:
1025         (JSC::dateProtoFuncSetTime):
1026         (JSC::setNewValueFromTimeArgs):
1027         * runtime/DirectArguments.h:
1028         (JSC::DirectArguments::length const):
1029         * runtime/ErrorPrototype.cpp:
1030         (JSC::errorProtoFuncToString):
1031         * runtime/ExceptionFuzz.cpp:
1032         (JSC::doExceptionFuzzing):
1033         * runtime/ExceptionScope.h:
1034         (JSC::ExceptionScope::needExceptionCheck):
1035         (JSC::ExceptionScope::assertNoException):
1036         * runtime/GenericArgumentsInlines.h:
1037         (JSC::GenericArguments<Type>::defineOwnProperty):
1038         * runtime/HashMapImpl.h:
1039         (JSC::HashMapImpl::rehash):
1040         * runtime/IntlDateTimeFormat.cpp:
1041         (JSC::IntlDateTimeFormat::formatToParts):
1042         * runtime/JSArray.cpp:
1043         (JSC::JSArray::defineOwnProperty):
1044         (JSC::JSArray::put):
1045         * runtime/JSCJSValue.cpp:
1046         (JSC::JSValue::putToPrimitive):
1047         (JSC::JSValue::putToPrimitiveByIndex):
1048         * runtime/JSCJSValueInlines.h:
1049         (JSC::JSValue::toIndex const):
1050         (JSC::JSValue::get const):
1051         (JSC::JSValue::getPropertySlot const):
1052         (JSC::JSValue::equalSlowCaseInline):
1053         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1054         (JSC::constructGenericTypedArrayViewFromIterator):
1055         (JSC::constructGenericTypedArrayViewWithArguments):
1056         * runtime/JSGenericTypedArrayViewInlines.h:
1057         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1058         * runtime/JSGlobalObject.cpp:
1059         (JSC::JSGlobalObject::put):
1060         * runtime/JSGlobalObjectFunctions.cpp:
1061         (JSC::decode):
1062         (JSC::globalFuncEval):
1063         (JSC::globalFuncProtoGetter):
1064         (JSC::globalFuncProtoSetter):
1065         (JSC::globalFuncImportModule):
1066         * runtime/JSInternalPromise.cpp:
1067         (JSC::JSInternalPromise::then):
1068         * runtime/JSInternalPromiseDeferred.cpp:
1069         (JSC::JSInternalPromiseDeferred::create):
1070         * runtime/JSJob.cpp:
1071         (JSC::JSJobMicrotask::run):
1072         * runtime/JSModuleEnvironment.cpp:
1073         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1074         (JSC::JSModuleEnvironment::put):
1075         (JSC::JSModuleEnvironment::deleteProperty):
1076         * runtime/JSModuleLoader.cpp:
1077         (JSC::JSModuleLoader::provide):
1078         (JSC::JSModuleLoader::loadAndEvaluateModule):
1079         (JSC::JSModuleLoader::loadModule):
1080         (JSC::JSModuleLoader::linkAndEvaluateModule):
1081         (JSC::JSModuleLoader::requestImportModule):
1082         * runtime/JSModuleRecord.cpp:
1083         (JSC::JSModuleRecord::link):
1084         (JSC::JSModuleRecord::instantiateDeclarations):
1085         * runtime/JSONObject.cpp:
1086         (JSC::Stringifier::stringify):
1087         (JSC::Stringifier::toJSON):
1088         (JSC::JSONProtoFuncParse):
1089         * runtime/JSObject.cpp:
1090         (JSC::JSObject::calculatedClassName):
1091         (JSC::ordinarySetSlow):
1092         (JSC::JSObject::putInlineSlow):
1093         (JSC::JSObject::ordinaryToPrimitive const):
1094         (JSC::JSObject::toPrimitive const):
1095         (JSC::JSObject::hasInstance):
1096         (JSC::JSObject::getPropertyNames):
1097         (JSC::JSObject::toNumber const):
1098         (JSC::JSObject::defineOwnIndexedProperty):
1099         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1100         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1101         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1102         (JSC::validateAndApplyPropertyDescriptor):
1103         (JSC::JSObject::defineOwnNonIndexProperty):
1104         (JSC::JSObject::getGenericPropertyNames):
1105         * runtime/JSObject.h:
1106         (JSC::JSObject::get const):
1107         * runtime/JSObjectInlines.h:
1108         (JSC::JSObject::getPropertySlot const):
1109         (JSC::JSObject::getPropertySlot):
1110         (JSC::JSObject::getNonIndexPropertySlot):
1111         (JSC::JSObject::putInlineForJSObject):
1112         * runtime/JSPromiseConstructor.cpp:
1113         (JSC::constructPromise):
1114         * runtime/JSPromiseDeferred.cpp:
1115         (JSC::JSPromiseDeferred::create):
1116         * runtime/JSScope.cpp:
1117         (JSC::abstractAccess):
1118         (JSC::JSScope::resolve):
1119         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
1120         (JSC::JSScope::abstractResolve):
1121         * runtime/LiteralParser.cpp:
1122         (JSC::LiteralParser<CharType>::tryJSONPParse):
1123         (JSC::LiteralParser<CharType>::parse):
1124         * runtime/Lookup.h:
1125         (JSC::putEntry):
1126         * runtime/MapConstructor.cpp:
1127         (JSC::constructMap):
1128         * runtime/NumberPrototype.cpp:
1129         (JSC::numberProtoFuncToString):
1130         * runtime/ObjectConstructor.cpp:
1131         (JSC::objectConstructorSetPrototypeOf):
1132         (JSC::objectConstructorGetOwnPropertyDescriptor):
1133         (JSC::objectConstructorGetOwnPropertyDescriptors):
1134         (JSC::objectConstructorAssign):
1135         (JSC::objectConstructorValues):
1136         (JSC::toPropertyDescriptor):
1137         (JSC::objectConstructorDefineProperty):
1138         (JSC::defineProperties):
1139         (JSC::objectConstructorDefineProperties):
1140         (JSC::ownPropertyKeys):
1141         * runtime/ObjectPrototype.cpp:
1142         (JSC::objectProtoFuncHasOwnProperty):
1143         (JSC::objectProtoFuncIsPrototypeOf):
1144         (JSC::objectProtoFuncLookupGetter):
1145         (JSC::objectProtoFuncLookupSetter):
1146         (JSC::objectProtoFuncToLocaleString):
1147         (JSC::objectProtoFuncToString):
1148         * runtime/Options.h:
1149         * runtime/ParseInt.h:
1150         (JSC::toStringView):
1151         * runtime/ProxyObject.cpp:
1152         (JSC::performProxyGet):
1153         (JSC::ProxyObject::performPut):
1154         * runtime/ReflectObject.cpp:
1155         (JSC::reflectObjectDefineProperty):
1156         * runtime/RegExpConstructor.cpp:
1157         (JSC::toFlags):
1158         (JSC::regExpCreate):
1159         (JSC::constructRegExp):
1160         * runtime/RegExpObject.cpp:
1161         (JSC::collectMatches):
1162         * runtime/RegExpObjectInlines.h:
1163         (JSC::RegExpObject::execInline):
1164         (JSC::RegExpObject::matchInline):
1165         * runtime/RegExpPrototype.cpp:
1166         (JSC::regExpProtoFuncTestFast):
1167         (JSC::regExpProtoFuncExec):
1168         (JSC::regExpProtoFuncMatchFast):
1169         (JSC::regExpProtoFuncToString):
1170         (JSC::regExpProtoFuncSplitFast):
1171         * runtime/ScriptExecutable.cpp:
1172         (JSC::ScriptExecutable::newCodeBlockFor):
1173         (JSC::ScriptExecutable::prepareForExecutionImpl):
1174         * runtime/SetConstructor.cpp:
1175         (JSC::constructSet):
1176         * runtime/ThrowScope.cpp:
1177         (JSC::ThrowScope::simulateThrow):
1178         * runtime/VM.cpp:
1179         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1180         * runtime/VM.h:
1181         * runtime/WeakMapPrototype.cpp:
1182         (JSC::protoFuncWeakMapSet):
1183         * runtime/WeakSetPrototype.cpp:
1184         (JSC::protoFuncWeakSetAdd):
1185         * wasm/js/WebAssemblyModuleConstructor.cpp:
1186         (JSC::WebAssemblyModuleConstructor::createModule):
1187         * wasm/js/WebAssemblyModuleRecord.cpp:
1188         (JSC::WebAssemblyModuleRecord::link):
1189         * wasm/js/WebAssemblyPrototype.cpp:
1190         (JSC::reject):
1191         (JSC::webAssemblyCompileFunc):
1192         (JSC::resolve):
1193         (JSC::webAssemblyInstantiateFunc):
1194
1195 2017-09-08  Filip Pizlo  <fpizlo@apple.com>
1196
1197         Error should compute .stack and friends lazily
1198         https://bugs.webkit.org/show_bug.cgi?id=176645
1199
1200         Reviewed by Saam Barati.
1201         
1202         Building the string portion of the stack trace after we walk the stack accounts for most of
1203         the cost of computing the .stack property. So, this patch makes ErrorInstance hold onto the
1204         Vector<StackFrame> so that it can build the string only once it's really needed.
1205         
1206         This is an enormous speed-up for programs that allocate and throw exceptions.
1207         
1208         It's a 5.6x speed-up for "new Error()" with a stack that is 4 functions deep.
1209         
1210         It's a 2.2x speed-up for throwing and catching an Error.
1211         
1212         It's a 1.17x speed-up for the WSL test suite (which throws a lot).
1213         
1214         It's a significant speed-up on many of our existing try-catch microbenchmarks. For example,
1215         delta-blue-try-catch is 1.16x faster.
1216
1217         * interpreter/Interpreter.cpp:
1218         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
1219         (JSC::GetStackTraceFunctor::operator() const):
1220         (JSC::Interpreter::getStackTrace):
1221         * interpreter/Interpreter.h:
1222         * runtime/Error.cpp:
1223         (JSC::getStackTrace):
1224         (JSC::getBytecodeOffset):
1225         (JSC::addErrorInfo):
1226         (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
1227         * runtime/Error.h:
1228         * runtime/ErrorInstance.cpp:
1229         (JSC::ErrorInstance::ErrorInstance):
1230         (JSC::ErrorInstance::finishCreation):
1231         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1232         (JSC::ErrorInstance::visitChildren):
1233         (JSC::ErrorInstance::getOwnPropertySlot):
1234         (JSC::ErrorInstance::getOwnNonIndexPropertyNames):
1235         (JSC::ErrorInstance::defineOwnProperty):
1236         (JSC::ErrorInstance::put):
1237         (JSC::ErrorInstance::deleteProperty):
1238         * runtime/ErrorInstance.h:
1239         * runtime/Exception.cpp:
1240         (JSC::Exception::visitChildren):
1241         (JSC::Exception::finishCreation):
1242         * runtime/Exception.h:
1243         * runtime/StackFrame.cpp:
1244         (JSC::StackFrame::visitChildren):
1245         * runtime/StackFrame.h:
1246         (JSC::StackFrame::StackFrame):
1247
1248 2017-09-09  Mark Lam  <mark.lam@apple.com>
1249
1250         [Re-landing] Use JIT probes for DFG OSR exit.
1251         https://bugs.webkit.org/show_bug.cgi?id=175144
1252         <rdar://problem/33437050>
1253
1254         Not reviewed.  Original patch reviewed by Saam Barati.
1255
1256         Relanding r221774.
1257
1258         * JavaScriptCore.xcodeproj/project.pbxproj:
1259         * assembler/MacroAssembler.cpp:
1260         (JSC::stdFunctionCallback):
1261         * assembler/MacroAssemblerPrinter.cpp:
1262         (JSC::Printer::printCallback):
1263         * assembler/ProbeContext.h:
1264         (JSC::Probe::CPUState::gpr const):
1265         (JSC::Probe::CPUState::spr const):
1266         (JSC::Probe::Context::Context):
1267         (JSC::Probe::Context::arg):
1268         (JSC::Probe::Context::gpr):
1269         (JSC::Probe::Context::spr):
1270         (JSC::Probe::Context::fpr):
1271         (JSC::Probe::Context::gprName):
1272         (JSC::Probe::Context::sprName):
1273         (JSC::Probe::Context::fprName):
1274         (JSC::Probe::Context::gpr const):
1275         (JSC::Probe::Context::spr const):
1276         (JSC::Probe::Context::fpr const):
1277         (JSC::Probe::Context::pc):
1278         (JSC::Probe::Context::fp):
1279         (JSC::Probe::Context::sp):
1280         (JSC::Probe:: const): Deleted.
1281         * assembler/ProbeFrame.h: Copied from Source/JavaScriptCore/assembler/ProbeFrame.h.
1282         * assembler/ProbeStack.cpp:
1283         (JSC::Probe::Page::Page):
1284         * assembler/ProbeStack.h:
1285         (JSC::Probe::Page::get):
1286         (JSC::Probe::Page::set):
1287         (JSC::Probe::Page::physicalAddressFor):
1288         (JSC::Probe::Stack::lowWatermark):
1289         (JSC::Probe::Stack::get):
1290         (JSC::Probe::Stack::set):
1291         * bytecode/ArithProfile.cpp:
1292         * bytecode/ArithProfile.h:
1293         * bytecode/ArrayProfile.h:
1294         (JSC::ArrayProfile::observeArrayMode):
1295         * bytecode/CodeBlock.cpp:
1296         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1297         * bytecode/CodeBlock.h:
1298         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
1299         * bytecode/ExecutionCounter.h:
1300         (JSC::ExecutionCounter::hasCrossedThreshold const):
1301         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
1302         * bytecode/MethodOfGettingAValueProfile.cpp:
1303         (JSC::MethodOfGettingAValueProfile::reportValue):
1304         * bytecode/MethodOfGettingAValueProfile.h:
1305         * dfg/DFGDriver.cpp:
1306         (JSC::DFG::compileImpl):
1307         * dfg/DFGJITCode.cpp:
1308         (JSC::DFG::JITCode::findPC): Deleted.
1309         * dfg/DFGJITCode.h:
1310         * dfg/DFGJITCompiler.cpp:
1311         (JSC::DFG::JITCompiler::linkOSRExits):
1312         (JSC::DFG::JITCompiler::link):
1313         * dfg/DFGOSRExit.cpp:
1314         (JSC::DFG::jsValueFor):
1315         (JSC::DFG::restoreCalleeSavesFor):
1316         (JSC::DFG::saveCalleeSavesFor):
1317         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
1318         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1319         (JSC::DFG::saveOrCopyCalleeSavesFor):
1320         (JSC::DFG::createDirectArgumentsDuringExit):
1321         (JSC::DFG::createClonedArgumentsDuringExit):
1322         (JSC::DFG::OSRExit::OSRExit):
1323         (JSC::DFG::emitRestoreArguments):
1324         (JSC::DFG::OSRExit::executeOSRExit):
1325         (JSC::DFG::reifyInlinedCallFrames):
1326         (JSC::DFG::adjustAndJumpToTarget):
1327         (JSC::DFG::printOSRExit):
1328         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
1329         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
1330         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
1331         (JSC::DFG::OSRExit::correctJump): Deleted.
1332         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
1333         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
1334         (JSC::DFG::OSRExit::compileExit): Deleted.
1335         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
1336         * dfg/DFGOSRExit.h:
1337         (JSC::DFG::OSRExitState::OSRExitState):
1338         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
1339         * dfg/DFGOSRExitCompilerCommon.cpp:
1340         * dfg/DFGOSRExitCompilerCommon.h:
1341         * dfg/DFGOperations.cpp:
1342         * dfg/DFGOperations.h:
1343         * dfg/DFGThunks.cpp:
1344         (JSC::DFG::osrExitThunkGenerator):
1345         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
1346         * dfg/DFGThunks.h:
1347         * jit/AssemblyHelpers.cpp:
1348         (JSC::AssemblyHelpers::debugCall): Deleted.
1349         * jit/AssemblyHelpers.h:
1350         * jit/JITOperations.cpp:
1351         * jit/JITOperations.h:
1352         * profiler/ProfilerOSRExit.h:
1353         (JSC::Profiler::OSRExit::incCount):
1354         * runtime/JSCJSValue.h:
1355         * runtime/JSCJSValueInlines.h:
1356         * runtime/VM.h:
1357
1358 2017-09-09  Ryan Haddad  <ryanhaddad@apple.com>
1359
1360         Unreviewed, rolling out r221774.
1361
1362         This change introduced three debug JSC test timeouts.
1363
1364         Reverted changeset:
1365
1366         "Use JIT probes for DFG OSR exit."
1367         https://bugs.webkit.org/show_bug.cgi?id=175144
1368         http://trac.webkit.org/changeset/221774
1369
1370 2017-09-09  Mark Lam  <mark.lam@apple.com>
1371
1372         Avoid duplicate computations of ExecState::vm().
1373         https://bugs.webkit.org/show_bug.cgi?id=176647
1374
1375         Reviewed by Saam Barati.
1376
1377         Because while computing ExecState::vm() is cheap, it is not free.
1378
1379         This patch also:
1380         1. gets rid of some convenience methods in CallFrame that implicitly do an
1381            ExecState::vm() computation.  This minimizes the chance of us accidentally
1382            computing ExecState::vm() more than necessary.
1383         2. passes vm (when available) to methodTable().
1384         3. passes vm (when available) to JSLockHolder.
1385
1386         * API/JSBase.cpp:
1387         (JSCheckScriptSyntax):
1388         (JSGarbageCollect):
1389         (JSReportExtraMemoryCost):
1390         (JSSynchronousGarbageCollectForDebugging):
1391         (JSSynchronousEdenCollectForDebugging):
1392         * API/JSCallbackConstructor.h:
1393         (JSC::JSCallbackConstructor::create):
1394         * API/JSCallbackObject.h:
1395         (JSC::JSCallbackObject::create):
1396         * API/JSContext.mm:
1397         (-[JSContext setException:]):
1398         * API/JSContextRef.cpp:
1399         (JSContextGetGlobalObject):
1400         (JSContextCreateBacktrace):
1401         * API/JSManagedValue.mm:
1402         (-[JSManagedValue value]):
1403         * API/JSObjectRef.cpp:
1404         (JSObjectMake):
1405         (JSObjectMakeFunctionWithCallback):
1406         (JSObjectMakeConstructor):
1407         (JSObjectMakeFunction):
1408         (JSObjectSetPrototype):
1409         (JSObjectHasProperty):
1410         (JSObjectGetProperty):
1411         (JSObjectSetProperty):
1412         (JSObjectSetPropertyAtIndex):
1413         (JSObjectDeleteProperty):
1414         (JSObjectGetPrivateProperty):
1415         (JSObjectSetPrivateProperty):
1416         (JSObjectDeletePrivateProperty):
1417         (JSObjectIsFunction):
1418         (JSObjectCallAsFunction):
1419         (JSObjectCallAsConstructor):
1420         (JSObjectCopyPropertyNames):
1421         (JSPropertyNameAccumulatorAddName):
1422         * API/JSScriptRef.cpp:
1423         * API/JSTypedArray.cpp:
1424         (JSValueGetTypedArrayType):
1425         (JSObjectMakeTypedArrayWithArrayBuffer):
1426         (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
1427         (JSObjectGetTypedArrayBytesPtr):
1428         (JSObjectGetTypedArrayBuffer):
1429         (JSObjectMakeArrayBufferWithBytesNoCopy):
1430         (JSObjectGetArrayBufferBytesPtr):
1431         * API/JSWeakObjectMapRefPrivate.cpp:
1432         * API/JSWrapperMap.mm:
1433         (constructorHasInstance):
1434         (makeWrapper):
1435         * API/ObjCCallbackFunction.mm:
1436         (objCCallbackFunctionForInvocation):
1437         * bytecode/CodeBlock.cpp:
1438         (JSC::CodeBlock::CodeBlock):
1439         (JSC::CodeBlock::jettison):
1440         * bytecode/CodeBlock.h:
1441         (JSC::CodeBlock::addConstant):
1442         (JSC::CodeBlock::replaceConstant):
1443         * bytecode/PutByIdStatus.cpp:
1444         (JSC::PutByIdStatus::computeFromLLInt):
1445         (JSC::PutByIdStatus::computeFor):
1446         * dfg/DFGDesiredWatchpoints.cpp:
1447         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
1448         * dfg/DFGGraph.h:
1449         (JSC::DFG::Graph::globalThisObjectFor):
1450         * dfg/DFGOperations.cpp:
1451         * ftl/FTLOSRExitCompiler.cpp:
1452         (JSC::FTL::compileFTLOSRExit):
1453         * ftl/FTLOperations.cpp:
1454         (JSC::FTL::operationPopulateObjectInOSR):
1455         (JSC::FTL::operationMaterializeObjectInOSR):
1456         * heap/GCAssertions.h:
1457         * inspector/InjectedScriptHost.cpp:
1458         (Inspector::InjectedScriptHost::wrapper):
1459         * inspector/JSInjectedScriptHost.cpp:
1460         (Inspector::JSInjectedScriptHost::subtype):
1461         (Inspector::constructInternalProperty):
1462         (Inspector::JSInjectedScriptHost::getInternalProperties):
1463         (Inspector::JSInjectedScriptHost::weakMapEntries):
1464         (Inspector::JSInjectedScriptHost::weakSetEntries):
1465         (Inspector::JSInjectedScriptHost::iteratorEntries):
1466         * inspector/JSJavaScriptCallFrame.cpp:
1467         (Inspector::valueForScopeLocation):
1468         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
1469         (Inspector::toJS):
1470         * inspector/ScriptCallStackFactory.cpp:
1471         (Inspector::extractSourceInformationFromException):
1472         (Inspector::createScriptArguments):
1473         * interpreter/CachedCall.h:
1474         (JSC::CachedCall::CachedCall):
1475         * interpreter/CallFrame.h:
1476         (JSC::ExecState::atomicStringTable const): Deleted.
1477         (JSC::ExecState::propertyNames const): Deleted.
1478         (JSC::ExecState::emptyList const): Deleted.
1479         (JSC::ExecState::interpreter): Deleted.
1480         (JSC::ExecState::heap): Deleted.
1481         * interpreter/Interpreter.cpp:
1482         (JSC::Interpreter::executeProgram):
1483         (JSC::Interpreter::execute):
1484         (JSC::Interpreter::executeModuleProgram):
1485         * jit/JIT.cpp:
1486         (JSC::JIT::privateCompileMainPass):
1487         * jit/JITOperations.cpp:
1488         * jit/JITWorklist.cpp:
1489         (JSC::JITWorklist::compileNow):
1490         * jsc.cpp:
1491         (WTF::RuntimeArray::create):
1492         (WTF::RuntimeArray::getOwnPropertySlot):
1493         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
1494         (WTF::DOMJITFunctionObject::unsafeFunction):
1495         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
1496         (GlobalObject::moduleLoaderFetch):
1497         (functionDumpCallFrame):
1498         (functionCreateRoot):
1499         (functionGetElement):
1500         (functionSetElementRoot):
1501         (functionCreateSimpleObject):
1502         (functionSetHiddenValue):
1503         (functionCreateProxy):
1504         (functionCreateImpureGetter):
1505         (functionCreateCustomGetterObject):
1506         (functionCreateDOMJITNodeObject):
1507         (functionCreateDOMJITGetterObject):
1508         (functionCreateDOMJITGetterComplexObject):
1509         (functionCreateDOMJITFunctionObject):
1510         (functionCreateDOMJITCheckSubClassObject):
1511         (functionGCAndSweep):
1512         (functionFullGC):
1513         (functionEdenGC):
1514         (functionHeapSize):
1515         (functionShadowChickenFunctionsOnStack):
1516         (functionSetGlobalConstRedeclarationShouldNotThrow):
1517         (functionJSCOptions):
1518         (functionFailNextNewCodeBlock):
1519         (functionMakeMasquerader):
1520         (functionDumpTypesForAllVariables):
1521         (functionFindTypeForExpression):
1522         (functionReturnTypeFor):
1523         (functionDumpBasicBlockExecutionRanges):
1524         (functionBasicBlockExecutionCount):
1525         (functionDrainMicrotasks):
1526         (functionGenerateHeapSnapshot):
1527         (functionEnsureArrayStorage):
1528         (functionStartSamplingProfiler):
1529         (runInteractive):
1530         * llint/LLIntSlowPaths.cpp:
1531         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1532         * parser/ModuleAnalyzer.cpp:
1533         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1534         * profiler/ProfilerBytecode.cpp:
1535         (JSC::Profiler::Bytecode::toJS const):
1536         * profiler/ProfilerBytecodeSequence.cpp:
1537         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
1538         * profiler/ProfilerBytecodes.cpp:
1539         (JSC::Profiler::Bytecodes::toJS const):
1540         * profiler/ProfilerCompilation.cpp:
1541         (JSC::Profiler::Compilation::toJS const):
1542         * profiler/ProfilerCompiledBytecode.cpp:
1543         (JSC::Profiler::CompiledBytecode::toJS const):
1544         * profiler/ProfilerDatabase.cpp:
1545         (JSC::Profiler::Database::toJS const):
1546         * profiler/ProfilerEvent.cpp:
1547         (JSC::Profiler::Event::toJS const):
1548         * profiler/ProfilerOSRExit.cpp:
1549         (JSC::Profiler::OSRExit::toJS const):
1550         * profiler/ProfilerOrigin.cpp:
1551         (JSC::Profiler::Origin::toJS const):
1552         * profiler/ProfilerProfiledBytecodes.cpp:
1553         (JSC::Profiler::ProfiledBytecodes::toJS const):
1554         * runtime/AbstractModuleRecord.cpp:
1555         (JSC::identifierToJSValue):
1556         (JSC::AbstractModuleRecord::resolveExportImpl):
1557         (JSC::getExportedNames):
1558         * runtime/ArrayPrototype.cpp:
1559         (JSC::arrayProtoFuncToString):
1560         (JSC::arrayProtoFuncToLocaleString):
1561         * runtime/BooleanConstructor.cpp:
1562         (JSC::constructBooleanFromImmediateBoolean):
1563         * runtime/CallData.cpp:
1564         (JSC::call):
1565         * runtime/CommonSlowPaths.cpp:
1566         (JSC::SLOW_PATH_DECL):
1567         * runtime/CommonSlowPaths.h:
1568         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1569         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1570         * runtime/Completion.cpp:
1571         (JSC::checkSyntax):
1572         (JSC::evaluate):
1573         (JSC::loadAndEvaluateModule):
1574         (JSC::loadModule):
1575         (JSC::linkAndEvaluateModule):
1576         (JSC::importModule):
1577         * runtime/ConstructData.cpp:
1578         (JSC::construct):
1579         * runtime/DatePrototype.cpp:
1580         (JSC::dateProtoFuncToJSON):
1581         * runtime/DirectArguments.h:
1582         (JSC::DirectArguments::length const):
1583         * runtime/DirectEvalExecutable.cpp:
1584         (JSC::DirectEvalExecutable::create):
1585         * runtime/ErrorPrototype.cpp:
1586         (JSC::errorProtoFuncToString):
1587         * runtime/ExceptionHelpers.cpp:
1588         (JSC::createUndefinedVariableError):
1589         (JSC::errorDescriptionForValue):
1590         * runtime/FunctionConstructor.cpp:
1591         (JSC::constructFunction):
1592         * runtime/GenericArgumentsInlines.h:
1593         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1594         * runtime/IdentifierInlines.h:
1595         (JSC::Identifier::add):
1596         * runtime/IndirectEvalExecutable.cpp:
1597         (JSC::IndirectEvalExecutable::create):
1598         * runtime/InternalFunction.cpp:
1599         (JSC::InternalFunction::finishCreation):
1600         (JSC::InternalFunction::createSubclassStructureSlow):
1601         * runtime/JSArray.cpp:
1602         (JSC::JSArray::getOwnPropertySlot):
1603         (JSC::JSArray::put):
1604         (JSC::JSArray::deleteProperty):
1605         (JSC::JSArray::getOwnNonIndexPropertyNames):
1606         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
1607         * runtime/JSArray.h:
1608         (JSC::JSArray::shiftCountForShift):
1609         * runtime/JSCJSValue.cpp:
1610         (JSC::JSValue::dumpForBacktrace const):
1611         * runtime/JSDataView.cpp:
1612         (JSC::JSDataView::getOwnPropertySlot):
1613         (JSC::JSDataView::deleteProperty):
1614         (JSC::JSDataView::getOwnNonIndexPropertyNames):
1615         * runtime/JSFunction.cpp:
1616         (JSC::JSFunction::getOwnPropertySlot):
1617         (JSC::JSFunction::deleteProperty):
1618         (JSC::JSFunction::reifyName):
1619         * runtime/JSGlobalObjectFunctions.cpp:
1620         (JSC::globalFuncEval):
1621         * runtime/JSInternalPromise.cpp:
1622         (JSC::JSInternalPromise::then):
1623         * runtime/JSLexicalEnvironment.cpp:
1624         (JSC::JSLexicalEnvironment::deleteProperty):
1625         * runtime/JSMap.cpp:
1626         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
1627         * runtime/JSMapIterator.h:
1628         (JSC::JSMapIterator::advanceIter):
1629         * runtime/JSModuleEnvironment.cpp:
1630         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
1631         * runtime/JSModuleLoader.cpp:
1632         (JSC::printableModuleKey):
1633         (JSC::JSModuleLoader::provide):
1634         (JSC::JSModuleLoader::loadAndEvaluateModule):
1635         (JSC::JSModuleLoader::loadModule):
1636         (JSC::JSModuleLoader::linkAndEvaluateModule):
1637         (JSC::JSModuleLoader::requestImportModule):
1638         * runtime/JSModuleNamespaceObject.h:
1639         * runtime/JSModuleRecord.cpp:
1640         (JSC::JSModuleRecord::evaluate):
1641         * runtime/JSONObject.cpp:
1642         (JSC::Stringifier::Stringifier):
1643         (JSC::Stringifier::appendStringifiedValue):
1644         (JSC::Stringifier::Holder::appendNextProperty):
1645         * runtime/JSObject.cpp:
1646         (JSC::JSObject::calculatedClassName):
1647         (JSC::JSObject::putByIndex):
1648         (JSC::JSObject::ordinaryToPrimitive const):
1649         (JSC::JSObject::toPrimitive const):
1650         (JSC::JSObject::hasInstance):
1651         (JSC::JSObject::getOwnPropertyNames):
1652         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1653         (JSC::getCustomGetterSetterFunctionForGetterSetter):
1654         (JSC::JSObject::getOwnPropertyDescriptor):
1655         (JSC::JSObject::getMethod):
1656         * runtime/JSObject.h:
1657         (JSC::JSObject::createRawObject):
1658         (JSC::JSFinalObject::create):
1659         * runtime/JSObjectInlines.h:
1660         (JSC::JSObject::canPerformFastPutInline):
1661         (JSC::JSObject::putInlineForJSObject):
1662         (JSC::JSObject::hasOwnProperty const):
1663         * runtime/JSScope.cpp:
1664         (JSC::isUnscopable):
1665         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
1666         * runtime/JSSet.cpp:
1667         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
1668         * runtime/JSSetIterator.h:
1669         (JSC::JSSetIterator::advanceIter):
1670         * runtime/JSString.cpp:
1671         (JSC::JSString::getStringPropertyDescriptor):
1672         * runtime/JSString.h:
1673         (JSC::JSString::getStringPropertySlot):
1674         * runtime/MapConstructor.cpp:
1675         (JSC::constructMap):
1676         * runtime/ModuleProgramExecutable.cpp:
1677         (JSC::ModuleProgramExecutable::create):
1678         * runtime/ObjectPrototype.cpp:
1679         (JSC::objectProtoFuncToLocaleString):
1680         * runtime/ProgramExecutable.h:
1681         * runtime/RegExpObject.cpp:
1682         (JSC::RegExpObject::getOwnPropertySlot):
1683         (JSC::RegExpObject::deleteProperty):
1684         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
1685         (JSC::RegExpObject::getPropertyNames):
1686         (JSC::RegExpObject::getGenericPropertyNames):
1687         (JSC::RegExpObject::put):
1688         * runtime/ScopedArguments.h:
1689         (JSC::ScopedArguments::length const):
1690         * runtime/StrictEvalActivation.h:
1691         (JSC::StrictEvalActivation::create):
1692         * runtime/StringObject.cpp:
1693         (JSC::isStringOwnProperty):
1694         (JSC::StringObject::deleteProperty):
1695         (JSC::StringObject::getOwnNonIndexPropertyNames):
1696         * tools/JSDollarVMPrototype.cpp:
1697         (JSC::JSDollarVMPrototype::gc):
1698         (JSC::JSDollarVMPrototype::edenGC):
1699         * wasm/js/WebAssemblyModuleRecord.cpp:
1700         (JSC::WebAssemblyModuleRecord::evaluate):
1701
1702 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1703
1704         [DFG] NewArrayWithSize(size)'s size does not care about negative zero
1705         https://bugs.webkit.org/show_bug.cgi?id=176300
1706
1707         Reviewed by Saam Barati.
1708
1709         NewArrayWithSize(size)'s size does not care about negative zero,
1710         the same as NewTypedArray. We propagate this information
1711         in DFGBackwardsPropagationPhase. This removes the negative zero
1712         check in kraken fft's deinterleave function.
1713
1714         * dfg/DFGBackwardsPropagationPhase.cpp:
1715         (JSC::DFG::BackwardsPropagationPhase::propagate):
1716
1717 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1718
1719         [DFG] PutByVal with Array::Generic is too generic
1720         https://bugs.webkit.org/show_bug.cgi?id=176345
1721
1722         Reviewed by Filip Pizlo.
1723
1724         Our DFG/FTL PutByVal with Array::Generic is a too generic implementation.
1725         We could have a case like,
1726
1727             dst[key] = src[key];
1728
1729         with string or symbol keys. But they are handled in the slow path.
1730         This patch adds PutByVal(CellUse, StringUse/SymbolUse, UntypedUse). They go
1731         to an optimized path that does not have generic checks (isInt32() / isDouble(), etc.).
1732
1733         This improves SixSpeed object-assign.es5 by 9.1%.
1734
1735         object-assign.es5             424.3159+-11.0471    ^    388.8771+-10.9239       ^ definitely 1.0911x faster
1736
1737         * dfg/DFGFixupPhase.cpp:
1738         (JSC::DFG::FixupPhase::fixupNode):
1739         * dfg/DFGOperations.cpp:
1740         (JSC::DFG::putByVal):
1741         (JSC::DFG::putByValInternal):
1742         (JSC::DFG::putByValCellInternal):
1743         (JSC::DFG::putByValCellStringInternal):
1744         (JSC::DFG::operationPutByValInternal): Deleted.
1745         * dfg/DFGOperations.h:
1746         * dfg/DFGSpeculativeJIT.cpp:
1747         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString):
1748         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol):
1749         * dfg/DFGSpeculativeJIT.h:
1750         (JSC::DFG::SpeculativeJIT::callOperation):
1751         * dfg/DFGSpeculativeJIT32_64.cpp:
1752         (JSC::DFG::SpeculativeJIT::compile):
1753         * dfg/DFGSpeculativeJIT64.cpp:
1754         (JSC::DFG::SpeculativeJIT::compile):
1755         * ftl/FTLLowerDFGToB3.cpp:
1756         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1757         * jit/JITOperations.h:
1758
1759 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1760
1761         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
1762         https://bugs.webkit.org/show_bug.cgi?id=176590
1763
1764         Reviewed by Saam Barati.
1765
1766         We add fixup edges for GetByVal(Array::Generic) to call a faster operation instead of the generic operationGetByVal.
1767
1768                                          baseline                  patched
1769
1770         object-iterate                5.8531+-0.3029            5.7903+-0.2795          might be 1.0108x faster
1771         object-iterate-symbols        7.4099+-0.3993     ^      5.8254+-0.2276        ^ definitely 1.2720x faster
1772
1773         * dfg/DFGFixupPhase.cpp:
1774         (JSC::DFG::FixupPhase::fixupNode):
1775         * dfg/DFGOperations.cpp:
1776         (JSC::DFG::getByValObject):
1777         * dfg/DFGOperations.h:
1778         * dfg/DFGSpeculativeJIT.cpp:
1779         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
1780         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
1781         * dfg/DFGSpeculativeJIT.h:
1782         * dfg/DFGSpeculativeJIT32_64.cpp:
1783         (JSC::DFG::SpeculativeJIT::compile):
1784         * dfg/DFGSpeculativeJIT64.cpp:
1785         (JSC::DFG::SpeculativeJIT::compile):
1786         * ftl/FTLLowerDFGToB3.cpp:
1787         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1788
1789 2017-09-07  Mark Lam  <mark.lam@apple.com>
1790
1791         Use JIT probes for DFG OSR exit.
1792         https://bugs.webkit.org/show_bug.cgi?id=175144
1793         <rdar://problem/33437050>
1794
1795         Reviewed by Saam Barati.
1796
1797         This patch does the following:
1798         1. Replaces osrExitGenerationThunkGenerator() with osrExitThunkGenerator().
1799            While osrExitGenerationThunkGenerator() generates a thunk that compiles a
1800            unique OSR offramp for each DFG OSR exit site, osrExitThunkGenerator()
1801            generates a thunk that just executes the OSR exit.
1802
1803            The osrExitThunkGenerator() generated thunk works by using a single JIT probe
1804            to call OSRExit::executeOSRExit().  The JIT probe takes care of preserving
1805            CPU registers, and providing the Probe::Stack mechanism for modifying the
1806            stack frame.
1807
1808            OSRExit::executeOSRExit() replaces OSRExit::compileOSRExit() and
1809            OSRExit::compileExit().  It is basically a re-write of those functions to
1810            execute the OSR exit work instead of compiling code to execute the work.
1811
1812            As a result, we get the following savings:
1813            a. no more OSR exit ramp compilation time.
1814            b. no use of JIT executable memory for storing each unique OSR exit ramp.
1815
1816            On the negative side, we incur these costs:
1817
1818            c. the OSRExit::executeOSRExit() ramp may be a little slower than the compiled
1819               version of the ramp.  However, OSR exits are rare.  Hence, this small
1820               difference should not matter much.  It is also offset by the savings from
1821               (a).
1822
1823            d. the Probe::Stack allocates 1K pages for memory for buffering stack
1824               modifications.  The number of these pages depends on the span of stack memory
1825               that the OSR exit ramp reads from and writes to.  Since the OSR exit ramp
1826               tends to only modify values in the current DFG frame and the current
1827               VMEntryRecord, the number of pages tends to only be 1 or 2.
1828
1829               Using the jsc tests as a workload, the vast majority of tests that do OSR
1830               exit use 3 or fewer 1K pages (with the overwhelming number using just 1 page).
1831               A few pathological tests use up to 14 pages, and one particularly
1832               bad test (function-apply-many-args.js) uses 513 pages.
1833
1834            Similar to the old code, the OSR exit ramp still has 2 parts: 1 part that is
1835            only executed once to compute some values for the exit site that are used by
1836            all exit operations from that site, and a 2nd part to execute the exit.  The
1837            1st part is protected by a check of whether exit.exitState has already been
1838            initialized.  The computed values are cached in exit.exitState.
1839
1840            Because the OSR exit thunk no longer compiles an OSR exit off-ramp, we no
1841            longer need the facility to patch the site that jumps to the OSR exit ramp.
1842            The DFG::JITCompiler has been modified to remove this patching code.
1843
1844         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
1845            std::memcpy to avoid strict aliasing issues.
1846
1847            Also optimized the implementation of Probe::Stack::physicalAddressFor().
1848
1849         3. Miscellaneous convenience methods added to make the Probe::Context easier to
1850            use.
1851
1852         4. Added a Probe::Frame class that makes it easier to get/set operands and
1853            arguments in a given frame using the deferred write properties of the
1854            Probe::Stack.  Probe::Frame makes it easier to do some of the recovery work in
1855            the OSR exit ramp.
1856
1857         5. Cloned or converted some functions needed by the OSR exit ramp.  The original
1858            JIT versions of these functions are still left in place because they are still
1859            needed for FTL OSR exit.  A FIXME comment has been added to remove them later.
1860            These functions include:
1861
1862            DFGOSRExitCompilerCommon.cpp's handleExitCounts() ==>
1863                CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize()
1864            DFGOSRExitCompilerCommon.cpp's reifyInlinedCallFrames() ==>
1865                DFGOSRExit.cpp's reifyInlinedCallFrames()
1866            DFGOSRExitCompilerCommon.cpp's adjustAndJumpToTarget() ==>
1867                DFGOSRExit.cpp's adjustAndJumpToTarget()
1868
1869            MethodOfGettingAValueProfile::emitReportValue() ==>
1870                MethodOfGettingAValueProfile::reportValue()
1871
1872            DFGOperations.cpp's operationCreateDirectArgumentsDuringExit() ==>
1873                DFGOSRExit.cpp's createDirectArgumentsDuringExit()
1874            DFGOperations.cpp's operationCreateClonedArgumentsDuringExit() ==>
1875                DFGOSRExit.cpp's createClonedArgumentsDuringExit()
1876
1877         * JavaScriptCore.xcodeproj/project.pbxproj:
1878         * assembler/MacroAssembler.cpp:
1879         (JSC::stdFunctionCallback):
1880         * assembler/MacroAssemblerPrinter.cpp:
1881         (JSC::Printer::printCallback):
1882         * assembler/ProbeContext.h:
1883         (JSC::Probe::CPUState::gpr const):
1884         (JSC::Probe::CPUState::spr const):
1885         (JSC::Probe::Context::Context):
1886         (JSC::Probe::Context::arg):
1887         (JSC::Probe::Context::gpr):
1888         (JSC::Probe::Context::spr):
1889         (JSC::Probe::Context::fpr):
1890         (JSC::Probe::Context::gprName):
1891         (JSC::Probe::Context::sprName):
1892         (JSC::Probe::Context::fprName):
1893         (JSC::Probe::Context::gpr const):
1894         (JSC::Probe::Context::spr const):
1895         (JSC::Probe::Context::fpr const):
1896         (JSC::Probe::Context::pc):
1897         (JSC::Probe::Context::fp):
1898         (JSC::Probe::Context::sp):
1899         (JSC::Probe:: const): Deleted.
1900         * assembler/ProbeFrame.h: Added.
1901         (JSC::Probe::Frame::Frame):
1902         (JSC::Probe::Frame::getArgument):
1903         (JSC::Probe::Frame::getOperand):
1904         (JSC::Probe::Frame::get):
1905         (JSC::Probe::Frame::setArgument):
1906         (JSC::Probe::Frame::setOperand):
1907         (JSC::Probe::Frame::set):
1908         * assembler/ProbeStack.cpp:
1909         (JSC::Probe::Page::Page):
1910         * assembler/ProbeStack.h:
1911         (JSC::Probe::Page::get):
1912         (JSC::Probe::Page::set):
1913         (JSC::Probe::Page::physicalAddressFor):
1914         (JSC::Probe::Stack::lowWatermark):
1915         (JSC::Probe::Stack::get):
1916         (JSC::Probe::Stack::set):
1917         * bytecode/ArithProfile.cpp:
1918         * bytecode/ArithProfile.h:
1919         * bytecode/ArrayProfile.h:
1920         (JSC::ArrayProfile::observeArrayMode):
1921         * bytecode/CodeBlock.cpp:
1922         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1923         * bytecode/CodeBlock.h:
1924         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
1925         * bytecode/ExecutionCounter.h:
1926         (JSC::ExecutionCounter::hasCrossedThreshold const):
1927         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
1928         * bytecode/MethodOfGettingAValueProfile.cpp:
1929         (JSC::MethodOfGettingAValueProfile::reportValue):
1930         * bytecode/MethodOfGettingAValueProfile.h:
1931         * dfg/DFGDriver.cpp:
1932         (JSC::DFG::compileImpl):
1933         * dfg/DFGJITCode.cpp:
1934         (JSC::DFG::JITCode::findPC): Deleted.
1935         * dfg/DFGJITCode.h:
1936         * dfg/DFGJITCompiler.cpp:
1937         (JSC::DFG::JITCompiler::linkOSRExits):
1938         (JSC::DFG::JITCompiler::link):
1939         * dfg/DFGOSRExit.cpp:
1940         (JSC::DFG::jsValueFor):
1941         (JSC::DFG::restoreCalleeSavesFor):
1942         (JSC::DFG::saveCalleeSavesFor):
1943         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
1944         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1945         (JSC::DFG::saveOrCopyCalleeSavesFor):
1946         (JSC::DFG::createDirectArgumentsDuringExit):
1947         (JSC::DFG::createClonedArgumentsDuringExit):
1948         (JSC::DFG::OSRExit::OSRExit):
1949         (JSC::DFG::emitRestoreArguments):
1950         (JSC::DFG::OSRExit::executeOSRExit):
1951         (JSC::DFG::reifyInlinedCallFrames):
1952         (JSC::DFG::adjustAndJumpToTarget):
1953         (JSC::DFG::printOSRExit):
1954         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
1955         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
1956         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
1957         (JSC::DFG::OSRExit::correctJump): Deleted.
1958         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
1959         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
1960         (JSC::DFG::OSRExit::compileExit): Deleted.
1961         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
1962         * dfg/DFGOSRExit.h:
1963         (JSC::DFG::OSRExitState::OSRExitState):
1964         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
1965         * dfg/DFGOSRExitCompilerCommon.cpp:
1966         * dfg/DFGOSRExitCompilerCommon.h:
1967         * dfg/DFGOperations.cpp:
1968         * dfg/DFGOperations.h:
1969         * dfg/DFGThunks.cpp:
1970         (JSC::DFG::osrExitThunkGenerator):
1971         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
1972         * dfg/DFGThunks.h:
1973         * jit/AssemblyHelpers.cpp:
1974         (JSC::AssemblyHelpers::debugCall): Deleted.
1975         * jit/AssemblyHelpers.h:
1976         * jit/JITOperations.cpp:
1977         * jit/JITOperations.h:
1978         * profiler/ProfilerOSRExit.h:
1979         (JSC::Profiler::OSRExit::incCount):
1980         * runtime/JSCJSValue.h:
1981         * runtime/JSCJSValueInlines.h:
1982         * runtime/VM.h:
1983
1984 2017-09-07  Michael Saboff  <msaboff@apple.com>
1985
1986         Add support for RegExp named capture groups
1987         https://bugs.webkit.org/show_bug.cgi?id=176435
1988
1989         Reviewed by Filip Pizlo.
1990
1991         Added parsing for both naming a captured parenthesis as well as using a named group in
1992         a back reference.  Also added support for using named groups with String.prototype.replace().
1993
1994         This patch does not throw Syntax Errors as described in the current spec text for the two
1995         cases of malformed back references in String.prototype.replace() as I believe that it
1996         is inconsistent with the current semantics for handling of other malformed replacement
1997         tokens.  I filed an issue for the requested change to the proposed spec and also filed
1998         a FIXME bug https://bugs.webkit.org/show_bug.cgi?id=176434.
1999
2000         This patch does not implement strength reduction in the optimizing JITs for named capture
2001         groups.  Filed https://bugs.webkit.org/show_bug.cgi?id=176464.
2002
2003         * dfg/DFGAbstractInterpreterInlines.h:
2004         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2005         * dfg/DFGStrengthReductionPhase.cpp:
2006         (JSC::DFG::StrengthReductionPhase::handleNode):
2007         * runtime/CommonIdentifiers.h:
2008         * runtime/JSGlobalObject.cpp:
2009         (JSC::JSGlobalObject::init):
2010         (JSC::JSGlobalObject::haveABadTime):
2011         * runtime/JSGlobalObject.h:
2012         (JSC::JSGlobalObject::regExpMatchesArrayWithGroupsStructure const):
2013         * runtime/RegExp.cpp:
2014         (JSC::RegExp::finishCreation):
2015         * runtime/RegExp.h:
2016         * runtime/RegExpMatchesArray.cpp:
2017         (JSC::createStructureImpl):
2018         (JSC::createRegExpMatchesArrayWithGroupsStructure):
2019         (JSC::createRegExpMatchesArrayWithGroupsSlowPutStructure):
2020         * runtime/RegExpMatchesArray.h:
2021         (JSC::createRegExpMatchesArray):
2022         * runtime/StringPrototype.cpp:
2023         (JSC::substituteBackreferencesSlow):
2024         (JSC::replaceUsingRegExpSearch):
2025         * yarr/YarrParser.h:
2026         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
2027         (JSC::Yarr::Parser::parseEscape):
2028         (JSC::Yarr::Parser::parseParenthesesBegin):
2029         (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
2030         (JSC::Yarr::Parser::tryConsumeIdentifierCharacter):
2031         (JSC::Yarr::Parser::isIdentifierStart):
2032         (JSC::Yarr::Parser::isIdentifierPart):
2033         (JSC::Yarr::Parser::tryConsumeGroupName):
2034         * yarr/YarrPattern.cpp:
2035         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
2036         (JSC::Yarr::YarrPatternConstructor::atomNamedBackReference):
2037         (JSC::Yarr::YarrPattern::errorMessage):
2038         * yarr/YarrPattern.h:
2039         (JSC::Yarr::YarrPattern::reset):
2040         * yarr/YarrSyntaxChecker.cpp:
2041         (JSC::Yarr::SyntaxChecker::atomParenthesesSubpatternBegin):
2042         (JSC::Yarr::SyntaxChecker::atomNamedBackReference):
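
The features this entry adds, exercised from script: named groups exposed through match.groups, a \k<name> back reference, $<name> substitution in String.prototype.replace(), and the non-throwing handling of malformed $< references in the replacement template. This is an added example, not code from the ChangeLog or from JSC; the log line is constructed sample data and the expected results follow the spec text as eventually adopted (an unterminated "$<" is kept literally, an unknown group name expands to the empty string).

```javascript
// Added example (not WebKit/JSC code): exercises RegExp named capture groups
// from script. The log line below is constructed sample data.
const SAMPLE_LINE = 'ts=2017-09-07T10:15:00Z user="alice" src=198.51.100.7 action=login';

// One key=value field per match. "q" captures the opening quote and the named
// back reference \k<q> forces the closing quote to be the same character, so a
// value closed by the other quote character is not accepted as complete.
const FIELD_RE = /(?<key>[A-Za-z_]+)=(?:(?<q>["'])(?<quoted>.*?)\k<q>|(?<bare>\S+))/g;

// Parse a line into a plain object keyed by field name, using match.groups.
function parseFields(line) {
  const fields = {};
  for (const m of line.matchAll(FIELD_RE)) {
    const { key, quoted, bare } = m.groups; // groups of the unmatched alternative are undefined
    fields[key] = quoted !== undefined ? quoted : bare;
  }
  return fields;
}

// Keep only the first two octets of the src address, referring to the named
// groups from the replacement template with $<name>.
function maskSource(line) {
  return line.replace(/src=(?<a>\d+)\.(?<b>\d+)\.\d+\.\d+/, 'src=$<a>.$<b>.x.x');
}

// Apply an arbitrary replacement template to the user field. Malformed named
// references do not throw: an unterminated "$<" is copied literally and a
// name that is not a group in the pattern expands to the empty string.
function rewriteUser(line, template) {
  return line.replace(/user="(?<name>[^"]*)"/, template);
}

// The pattern parser, by contrast, does validate: once a pattern contains a
// named group, \k<name> must refer to an existing group or the pattern is a
// SyntaxError. Returns true when the pattern source compiles.
function namedBackReferenceIsValid(source) {
  try {
    new RegExp(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}
```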
2043
2044 2017-09-07  Myles C. Maxfield  <mmaxfield@apple.com>
2045
2046         [PAL] Unify PlatformUserPreferredLanguages.h with Language.h
2047         https://bugs.webkit.org/show_bug.cgi?id=176561
2048
2049         Reviewed by Brent Fulgham.
2050
2051         * runtime/IntlObject.cpp:
2052         (JSC::defaultLocale):
2053
2054 2017-09-07  Joseph Pecoraro  <pecoraro@apple.com>
2055
2056         Augmented Inspector: Provide a way to inspect a DOM Node (DOM.inspect)
2057         https://bugs.webkit.org/show_bug.cgi?id=176563
2058         <rdar://problem/19639583>
2059
2060         Reviewed by Matt Baker.
2061
2062         * inspector/protocol/DOM.json:
2063         Add an event that is useful for augmented inspectors to inspect
2064         a node. Web pages will still prefer Inspector.inspect.
2065
2066 2017-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2067
2068         [JSC] Remove "malloc" and "free" from JSC/API
2069         https://bugs.webkit.org/show_bug.cgi?id=176331
2070
2071         Reviewed by Keith Miller.
2072
2073         Remove "malloc" and "free" manual calls in JSC/API.
2074
2075         * API/JSValue.mm:
2076         (createStructHandlerMap):
2077         * API/JSWrapperMap.mm:
2078         (parsePropertyAttributes):
2079         (makeSetterName):
2080         (copyPrototypeProperties):
2081         Use RetainPtr<NSString> to keep NSString. We avoid repeated "char*" to "NSString" conversions.
2082
2083         * API/ObjcRuntimeExtras.h:
2084         (adoptSystem):
2085         Add adoptSystem to automate calling system free().
2086
2087         (protocolImplementsProtocol):
2088         (forEachProtocolImplementingProtocol):
2089         (forEachMethodInClass):
2090         (forEachMethodInProtocol):
2091         (forEachPropertyInProtocol):
2092         (StringRange::StringRange):
2093         (StringRange::operator const char* const):
2094         (StringRange::get const):
2095         Use CString for backend.
2096
2097         (StructBuffer::StructBuffer):
2098         (StructBuffer::~StructBuffer):
2099         (StringRange::~StringRange): Deleted.
2100         Use fastAlignedMalloc/fastAlignedFree to get aligned memory.
2101
2102 2017-09-06  Mark Lam  <mark.lam@apple.com>
2103
2104         constructGenericTypedArrayViewWithArguments() is missing an exception check.
2105         https://bugs.webkit.org/show_bug.cgi?id=176485
2106         <rdar://problem/33898874>
2107
2108         Reviewed by Keith Miller.
2109
2110         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2111         (JSC::constructGenericTypedArrayViewWithArguments):
2112
2113 2017-09-06  Saam Barati  <sbarati@apple.com>
2114
2115         Air should have a Vector of prologue generators instead of a HashMap representing an optional prologue generator
2116         https://bugs.webkit.org/show_bug.cgi?id=176346
2117
2118         Reviewed by Mark Lam.
2119
2120         * b3/B3Procedure.cpp:
2121         (JSC::B3::Procedure::Procedure):
2122         (JSC::B3::Procedure::setNumEntrypoints):
2123         * b3/B3Procedure.h:
2124         (JSC::B3::Procedure::setNumEntrypoints): Deleted.
2125         * b3/air/AirCode.cpp:
2126         (JSC::B3::Air::defaultPrologueGenerator):
2127         (JSC::B3::Air::Code::Code):
2128         (JSC::B3::Air::Code::setNumEntrypoints):
2129         * b3/air/AirCode.h:
2130         (JSC::B3::Air::Code::setPrologueForEntrypoint):
2131         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
2132         (JSC::B3::Air::Code::setEntrypoints):
2133         (JSC::B3::Air::Code::setEntrypointLabels):
2134         * b3/air/AirGenerate.cpp:
2135         (JSC::B3::Air::generate):
2136         * ftl/FTLLowerDFGToB3.cpp:
2137         (JSC::FTL::DFG::LowerDFGToB3::lower):
2138
2139 2017-09-06  Saam Barati  <sbarati@apple.com>
2140
2141         ASSERTION FAILED: op() == CheckStructure in Source/JavaScriptCore/dfg/DFGNode.h(443)
2142         https://bugs.webkit.org/show_bug.cgi?id=176470
2143
2144         Reviewed by Mark Lam.
2145
2146         Update Node::convertToCheckStructureImmediate's assertion to allow
2147         the node to either be a CheckStructure or CheckStructureOrEmpty.
2148
2149         * dfg/DFGNode.h:
2150         (JSC::DFG::Node::convertToCheckStructureImmediate):
2151
2152 2017-09-05  Saam Barati  <sbarati@apple.com>
2153
2154         isNotCellSpeculation is wrong with respect to SpecEmpty
2155         https://bugs.webkit.org/show_bug.cgi?id=176429
2156
2157         Reviewed by Michael Saboff.
2158
2159         The isNotCellSpeculation(SpeculatedType t) function was not taking into account
2160         SpecEmpty in the set for t. It should return false when SpecEmpty is present, since
2161         the empty value will fail a NotCell check. This bug would cause us to erroneously
2162         generate NotCellUse UseKinds for inputs that are the empty value, causing repeated OSR exits.
2163
2164         * bytecode/SpeculatedType.h:
2165         (JSC::isNotCellSpeculation):
2166
2167 2017-09-05  Saam Barati  <sbarati@apple.com>
2168
2169         Make the distinction between entrypoints and CFG roots more clear by naming things better
2170         https://bugs.webkit.org/show_bug.cgi?id=176336
2171
2172         Reviewed by Mark Lam and Keith Miller and Michael Saboff.
2173
2174         This patch does renaming to make the distinction between Graph::m_entrypoints
2175         and Graph::m_numberOfEntrypoints more clear. The source of confusion is that
2176         Graph::m_entrypoints.size() is not equivalent to Graph::m_numberOfEntrypoints.
2177         Graph::m_entrypoints is really just the CFG roots. In CPS, this vector has
2178         size >= 1. In SSA, the size is always 1. This patch renames Graph::m_entrypoints
2179         to Graph::m_roots. To be consistent, this patch also renames Graph's m_entrypointToArguments
2180         field to m_rootToArguments.
2181
2182         Graph::m_numberOfEntrypoints retains its name. This field is only used in SSA
2183         when compiling with EntrySwitch. It represents the logical number of entrypoints
2184         the compilation will end up with. Each EntrySwitch has m_numberOfEntrypoints
2185         cases.
2186
2187         * dfg/DFGByteCodeParser.cpp:
2188         (JSC::DFG::ByteCodeParser::parseBlock):
2189         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2190         * dfg/DFGCFG.h:
2191         (JSC::DFG::CFG::roots):
2192         (JSC::DFG::CPSCFG::CPSCFG):
2193         * dfg/DFGCPSRethreadingPhase.cpp:
2194         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
2195         * dfg/DFGDCEPhase.cpp:
2196         (JSC::DFG::DCEPhase::run):
2197         * dfg/DFGGraph.cpp:
2198         (JSC::DFG::Graph::dump):
2199         (JSC::DFG::Graph::determineReachability):
2200         (JSC::DFG::Graph::blocksInPreOrder):
2201         (JSC::DFG::Graph::blocksInPostOrder):
2202         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2203         * dfg/DFGGraph.h:
2204         (JSC::DFG::Graph::isRoot):
2205         (JSC::DFG::Graph::isEntrypoint): Deleted.
2206         * dfg/DFGInPlaceAbstractState.cpp:
2207         (JSC::DFG::InPlaceAbstractState::initialize):
2208         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2209         (JSC::DFG::createPreHeader):
2210         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2211         (JSC::DFG::MaximalFlushInsertionPhase::run):
2212         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2213         * dfg/DFGOSREntrypointCreationPhase.cpp:
2214         (JSC::DFG::OSREntrypointCreationPhase::run):
2215         * dfg/DFGPredictionInjectionPhase.cpp:
2216         (JSC::DFG::PredictionInjectionPhase::run):
2217         * dfg/DFGSSAConversionPhase.cpp:
2218         (JSC::DFG::SSAConversionPhase::run):
2219         * dfg/DFGSpeculativeJIT.cpp:
2220         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
2221         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2222         * dfg/DFGTypeCheckHoistingPhase.cpp:
2223         (JSC::DFG::TypeCheckHoistingPhase::run):
2224         * dfg/DFGValidate.cpp:
2225
2226 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
2227
2228         test262: Completion values for control flow do not match the spec
2229         https://bugs.webkit.org/show_bug.cgi?id=171265
2230
2231         Reviewed by Saam Barati.
2232
2233         * bytecompiler/BytecodeGenerator.h:
2234         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
2235         When we care about having proper completion values (global code
2236         in programs, modules, and eval), insert undefined results for
2237         control flow statements.
2238
2239         * bytecompiler/NodesCodegen.cpp:
2240         (JSC::SourceElements::emitBytecode):
2241         Reduce writing a default `undefined` value to the completion result to
2242         only once before the last statement we know will produce a value.
2243
2244         (JSC::IfElseNode::emitBytecode):
2245         (JSC::WithNode::emitBytecode):
2246         (JSC::WhileNode::emitBytecode):
2247         (JSC::ForNode::emitBytecode):
2248         (JSC::ForInNode::emitBytecode):
2249         (JSC::ForOfNode::emitBytecode):
2250         (JSC::SwitchNode::emitBytecode):
2251         Insert an undefined to handle cases where code may break out of an
2252         if/else or with statement (break/continue).
2253
2254         (JSC::TryNode::emitBytecode):
2255         Same handling for break cases. Also, finally block statement completion
2256         values are always ignored for the try statement result.
2257
2258         (JSC::ClassDeclNode::emitBytecode):
2259         Class declarations, like function declarations, produce an empty result.
2260
2261         * parser/Nodes.cpp:
2262         (JSC::SourceElements::lastStatement):
2263         (JSC::SourceElements::hasCompletionValue):
2264         (JSC::SourceElements::hasEarlyBreakOrContinue):
2265         (JSC::BlockNode::lastStatement):
2266         (JSC::BlockNode::singleStatement):
2267         (JSC::BlockNode::hasCompletionValue):
2268         (JSC::BlockNode::hasEarlyBreakOrContinue):
2269         (JSC::ScopeNode::singleStatement):
2270         (JSC::ScopeNode::hasCompletionValue):
2271         (JSC::ScopeNode::hasEarlyBreakOrContinue):
2272         The only non-trivial cases need to loop through their list of statements
2273         to determine if this has a completion value or not. Likewise for
2274         determining if there is an early break / continue, meaning a break or
2275         continue statement with no preceding statement that has a completion value.
2276
2277         * parser/Nodes.h:
2278         (JSC::StatementNode::next):
2279         (JSC::StatementNode::hasCompletionValue):
2280         Helper to check if a statement node produces a completion value or not.
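
The completion-value rules this entry implements, observed from script. Completion values are only visible through eval, so the example uses indirect eval on constructed snippets; each snippet starts with "1;" so that a statement producing "empty" (leaves 1) can be told apart from one producing undefined (overwrites it). This is an added example, not code from the ChangeLog or from JSC, and the expected values are those of the ECMAScript spec text the entry refers to.

```javascript
// Added example (not WebKit/JSC code): observes statement completion values
// via indirect eval, which evaluates the snippet as global, non-strict code.
const indirectEval = (0, eval);

// Return the completion value of a snippet of global code.
function completionValue(source) {
  return indirectEval(source);
}

// Constructed snippets paired with the spec-mandated completion value.
const CASES = [
  ['1; if (false) {}',                 undefined], // if without else: undefined, not empty
  ['1; if (true) { 2; }',              2],
  ['1; while (false) {}',              undefined], // loop body never runs: undefined
  ['1; do { 2; } while (false)',       2],
  ['1; do { break; } while (false)',   undefined], // early break with no value: undefined
  ['1; with ({}) { 2; }',              2],
  ['1; switch (0) { case 0: 2; }',     2],
  ['1; try { 2; } finally { 3; }',     2],         // the finally block's value is ignored
  ['1; function f() {}',               1],         // declarations produce empty, so 1 survives
  ['1; class C {}',                    1],
];

// Evaluate every case and report which ones match the expected value.
function checkCases() {
  return CASES.map(([source, expected]) => {
    const actual = completionValue(source);
    return { source, expected, actual, ok: actual === expected };
  });
}

// True when the running engine agrees with the spec on all cases.
function allCasesMatchSpec() {
  return checkCases().every((r) => r.ok);
}
```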
2281
2282 2017-09-04  Saam Barati  <sbarati@apple.com>
2283
2284         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
2285         https://bugs.webkit.org/show_bug.cgi?id=176317
2286
2287         Reviewed by Keith Miller.
2288
2289         It turns out that TypeCheckHoistingPhase may hoist a CheckStructure up to 
2290         the SetLocal of a particular value where the value is the empty JSValue.
2291         On 64-bit platforms, the empty value is zero. This means that the empty value
2292         passes a cell check. This will lead to a crash when we dereference null to load
2293         the value's structure. This patch teaches TypeCheckHoistingPhase to be conservative
2294         in the structure checks it hoists. On 64-bit platforms, instead of emitting a
2295         CheckStructure node, we now emit a CheckStructureOrEmpty node. This node allows
2296         the empty value to flow through. If the value isn't empty, it'll perform the normal
2297         structure check that CheckStructure performs. For now, we only emit CheckStructureOrEmpty
2298         on 64-bit platforms since a cell check on 32-bit platforms does not allow the empty
2299         value to flow through.
2300
2301         * dfg/DFGAbstractInterpreterInlines.h:
2302         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2303         * dfg/DFGArgumentsEliminationPhase.cpp:
2304         * dfg/DFGClobberize.h:
2305         (JSC::DFG::clobberize):
2306         * dfg/DFGConstantFoldingPhase.cpp:
2307         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2308         * dfg/DFGDoesGC.cpp:
2309         (JSC::DFG::doesGC):
2310         * dfg/DFGFixupPhase.cpp:
2311         (JSC::DFG::FixupPhase::fixupNode):
2312         * dfg/DFGNode.h:
2313         (JSC::DFG::Node::convertCheckStructureOrEmptyToCheckStructure):
2314         (JSC::DFG::Node::hasStructureSet):
2315         * dfg/DFGNodeType.h:
2316         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2317         * dfg/DFGPredictionPropagationPhase.cpp:
2318         * dfg/DFGSafeToExecute.h:
2319         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
2320         (JSC::DFG::SafeToExecuteEdge::operator()):
2321         (JSC::DFG::SafeToExecuteEdge::maySeeEmptyChild):
2322         (JSC::DFG::safeToExecute):
2323         * dfg/DFGSpeculativeJIT.cpp:
2324         (JSC::DFG::SpeculativeJIT::emitStructureCheck):
2325         (JSC::DFG::SpeculativeJIT::compileCheckStructure):
2326         * dfg/DFGSpeculativeJIT.h:
2327         * dfg/DFGSpeculativeJIT32_64.cpp:
2328         (JSC::DFG::SpeculativeJIT::compile):
2329         * dfg/DFGSpeculativeJIT64.cpp:
2330         (JSC::DFG::SpeculativeJIT::compile):
2331         * dfg/DFGTypeCheckHoistingPhase.cpp:
2332         (JSC::DFG::TypeCheckHoistingPhase::run):
2333         * dfg/DFGValidate.cpp:
2334         * ftl/FTLCapabilities.cpp:
2335         (JSC::FTL::canCompile):
2336         * ftl/FTLLowerDFGToB3.cpp:
2337         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2338         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureOrEmpty):
2339
2340 2017-09-04  Saam Barati  <sbarati@apple.com>
2341
2342         Support compiling catch in the FTL
2343         https://bugs.webkit.org/show_bug.cgi?id=175396
2344
2345         Reviewed by Filip Pizlo.
2346
2347         This patch implements op_catch in the FTL. It extends the DFG implementation
2348         by supporting multiple entrypoints in DFG-SSA. This patch implements this
2349         by introducing an EntrySwitch node. When converting to SSA, we introduce a new
2350         root block with an EntrySwitch that has the previous DFG entrypoints as its
2351         successors. By convention, we pick the zeroth entry point index to be the
2352         op_enter entrypoint. Like in B3, in DFG-SSA, EntrySwitch just acts like a
2353         switch over the entrypoint index argument. DFG::EntrySwitch in the FTL
2354         simply lowers to B3::EntrySwitch. The EntrySwitch in the root block that
2355         SSAConversion creates can not exit because we would both not know where to exit
2356         to in the program: we would not have valid OSR exit state. This design also
2357         mandates that anything we hoist above EntrySwitch in the new root block
2358         can not exit since they also do not have valid OSR exit state.
2359
2360         This patch also adds a new metadata node named InitializeEntrypointArguments.
2361         InitializeEntrypointArguments is a metadata node that initializes the flush format for
2362         the arguments at a given entrypoint. For a given entrypoint index, this node
2363         tells AI and OSRAvailabilityAnalysis what the flush format for each argument
2364         is. This allows each individual entrypoint to have an independent set of
2365         argument types. Currently, this won't happen in practice because ArgumentPosition
2366         unifies flush formats, but this is an implementation detail we probably want
2367         to modify in the future. SSAConversion will add InitializeEntrypointArguments
2368         to the beginning of each of the original DFG entrypoint blocks.
2369
2370         This patch also adds the ability to specify custom prologue code generators in Air.
2371         This allows the FTL to specify a custom prologue for catch entrypoints that
2372         matches the op_catch OSR entry calling convention that the DFG uses. This way,
2373         the baseline JIT code OSR enters into op_catch the same way both in the DFG
2374         and the FTL. In the future, we can use this same mechanism to perform stack
2375         overflow checks instead of using a patchpoint.
2376
2377         * b3/air/AirCode.cpp:
2378         (JSC::B3::Air::Code::isEntrypoint):
2379         (JSC::B3::Air::Code::entrypointIndex):
2380         * b3/air/AirCode.h:
2381         (JSC::B3::Air::Code::setPrologueForEntrypoint):
2382         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
2383         * b3/air/AirGenerate.cpp:
2384         (JSC::B3::Air::generate):
2385         * dfg/DFGAbstractInterpreterInlines.h:
2386         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2387         * dfg/DFGBasicBlock.h:
2388         * dfg/DFGByteCodeParser.cpp:
2389         (JSC::DFG::ByteCodeParser::parseBlock):
2390         (JSC::DFG::ByteCodeParser::parse):
2391         * dfg/DFGCFG.h:
2392         (JSC::DFG::selectCFG):
2393         * dfg/DFGClobberize.h:
2394         (JSC::DFG::clobberize):
2395         * dfg/DFGClobbersExitState.cpp:
2396         (JSC::DFG::clobbersExitState):
2397         * dfg/DFGCommonData.cpp:
2398         (JSC::DFG::CommonData::shrinkToFit):
2399         (JSC::DFG::CommonData::finalizeCatchEntrypoints):
2400         * dfg/DFGCommonData.h:
2401         (JSC::DFG::CommonData::catchOSREntryDataForBytecodeIndex):
2402         (JSC::DFG::CommonData::appendCatchEntrypoint):
2403         * dfg/DFGDoesGC.cpp:
2404         (JSC::DFG::doesGC):
2405         * dfg/DFGFixupPhase.cpp:
2406         (JSC::DFG::FixupPhase::fixupNode):
2407         * dfg/DFGGraph.cpp:
2408         (JSC::DFG::Graph::dump):
2409         (JSC::DFG::Graph::invalidateCFG):
2410         (JSC::DFG::Graph::ensureCPSCFG):
2411         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2412         * dfg/DFGGraph.h:
2413         (JSC::DFG::Graph::isEntrypoint):
2414         * dfg/DFGInPlaceAbstractState.cpp:
2415         (JSC::DFG::InPlaceAbstractState::initialize):
2416         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
2417         * dfg/DFGJITCode.cpp:
2418         (JSC::DFG::JITCode::shrinkToFit):
2419         (JSC::DFG::JITCode::finalizeOSREntrypoints):
2420         * dfg/DFGJITCode.h:
2421         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex): Deleted.
2422         (JSC::DFG::JITCode::appendCatchEntrypoint): Deleted.
2423         * dfg/DFGJITCompiler.cpp:
2424         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
2425         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
2426         * dfg/DFGMayExit.cpp:
2427         * dfg/DFGNode.h:
2428         (JSC::DFG::Node::isEntrySwitch):
2429         (JSC::DFG::Node::isTerminal):
2430         (JSC::DFG::Node::entrySwitchData):
2431         (JSC::DFG::Node::numSuccessors):
2432         (JSC::DFG::Node::successor):
2433         (JSC::DFG::Node::entrypointIndex):
2434         * dfg/DFGNodeType.h:
2435         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2436         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2437         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2438         * dfg/DFGOSREntry.cpp:
2439         (JSC::DFG::prepareCatchOSREntry):
2440         * dfg/DFGOSREntry.h:
2441         * dfg/DFGOSREntrypointCreationPhase.cpp:
2442         (JSC::DFG::OSREntrypointCreationPhase::run):
2443         * dfg/DFGPredictionPropagationPhase.cpp:
2444         * dfg/DFGSSAConversionPhase.cpp:
2445         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
2446         (JSC::DFG::SSAConversionPhase::run):
2447         * dfg/DFGSafeToExecute.h:
2448         (JSC::DFG::safeToExecute):
2449         * dfg/DFGSpeculativeJIT.cpp:
2450         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2451         * dfg/DFGSpeculativeJIT32_64.cpp:
2452         (JSC::DFG::SpeculativeJIT::compile):
2453         * dfg/DFGSpeculativeJIT64.cpp:
2454         (JSC::DFG::SpeculativeJIT::compile):
2455         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
2456         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
2457         * dfg/DFGValidate.cpp:
2458         * ftl/FTLCapabilities.cpp:
2459         (JSC::FTL::canCompile):
2460         * ftl/FTLCompile.cpp:
2461         (JSC::FTL::compile):
2462         * ftl/FTLLowerDFGToB3.cpp:
2463         (JSC::FTL::DFG::LowerDFGToB3::lower):
2464         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2465         (JSC::FTL::DFG::LowerDFGToB3::compileExtractCatchLocal):
2466         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
2467         (JSC::FTL::DFG::LowerDFGToB3::compileEntrySwitch):
2468         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2469         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):
2470         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
2471         (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
2472         * ftl/FTLOutput.cpp:
2473         (JSC::FTL::Output::entrySwitch):
2474         * ftl/FTLOutput.h:
2475         * jit/JITOperations.cpp:
2476
2477 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2478
2479         [DFG][FTL] Efficiently execute number#toString()
2480         https://bugs.webkit.org/show_bug.cgi?id=170007
2481
2482         Reviewed by Keith Miller.
2483
2484         In JS, the natural way to convert number to string with radix is `number.toString(radix)`.
2485         However, our IC only cares about cells. If the base value is a number, it always goes to the slow path.
2486
2487         While extending our IC for number and boolean, the most meaningful use of this IC is calling `number.toString(radix)`.
2488         So, in this patch, we first add a fast path for this in DFG by using watchpoint. We set up a watchpoint for
2489         Number.prototype.toString. And if this watchpoint is kept alive and GetById(base, "toString")'s base should be
2490         speculated as Number, we emit Number related Checks and convert GetById to Number.prototype.toString constant.
2491         It removes the costly GetById slow path and makes it a non-clobbering node (JSConstant).
2492
2493         In addition, we add NumberToStringWithValidRadixConstant node. We have NumberToStringWithRadix node, but it may
2494         throw an error if the valid value is incorrect (for example, number.toString(2000)). So its clobbering rule
2495         conservatively uses read(World)/write(Heap). But in reality, `number.toString` is mostly called with the constant
2496         radix, and we can easily figure out this radix is valid (2 <= radix && radix < 32).
2497         We add a rule to the constant folding phase to convert NumberToStringWithRadix to NumberToStringWithValidRadixConstant.
2498         It ensures that it has valid constant radix. And we relax our clobbering rule for NumberToStringWithValidRadixConstant.
2499
2500         Added microbenchmarks show performance improvement.
2501
2502                                                       baseline                  patched
2503
2504         number-to-string-with-radix-cse           43.8312+-1.3017     ^      7.4930+-0.5105        ^ definitely 5.8496x faster
2505         number-to-string-with-radix-10             7.2775+-0.5225     ^      2.1906+-0.1864        ^ definitely 3.3222x faster
2506         number-to-string-with-radix               39.7378+-1.4921     ^     16.6137+-0.7776        ^ definitely 2.3919x faster
2507         number-to-string-strength-reduction       94.9667+-2.7157     ^      9.3060+-0.7202        ^ definitely 10.2049x faster
2508
2509         * dfg/DFGAbstractInterpreterInlines.h:
2510         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2511         * dfg/DFGClobberize.h:
2512         (JSC::DFG::clobberize):
2513         * dfg/DFGConstantFoldingPhase.cpp:
2514         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2515         * dfg/DFGDoesGC.cpp:
2516         (JSC::DFG::doesGC):
2517         * dfg/DFGFixupPhase.cpp:
2518         (JSC::DFG::FixupPhase::fixupNode):
2519         * dfg/DFGGraph.h:
2520         (JSC::DFG::Graph::isWatchingGlobalObjectWatchpoint):
2521         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
2522         (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint):
2523         * dfg/DFGNode.h:
2524         (JSC::DFG::Node::convertToNumberToStringWithValidRadixConstant):
2525         (JSC::DFG::Node::hasValidRadixConstant):
2526         (JSC::DFG::Node::validRadixConstant):
2527         * dfg/DFGNodeType.h:
2528         * dfg/DFGPredictionPropagationPhase.cpp:
2529         * dfg/DFGSafeToExecute.h:
2530         (JSC::DFG::safeToExecute):
2531         * dfg/DFGSpeculativeJIT.cpp:
2532         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor):
2533         (JSC::DFG::SpeculativeJIT::compileNumberToStringWithValidRadixConstant):
2534         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnNumber): Deleted.
2535         * dfg/DFGSpeculativeJIT.h:
2536         * dfg/DFGSpeculativeJIT32_64.cpp:
2537         (JSC::DFG::SpeculativeJIT::compile):
2538         * dfg/DFGSpeculativeJIT64.cpp:
2539         (JSC::DFG::SpeculativeJIT::compile):
2540         * dfg/DFGStrengthReductionPhase.cpp:
2541         (JSC::DFG::StrengthReductionPhase::handleNode):
2542         * ftl/FTLCapabilities.cpp:
2543         (JSC::FTL::canCompile):
2544         * ftl/FTLLowerDFGToB3.cpp:
2545         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2546         (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
2547         * runtime/JSGlobalObject.cpp:
2548         (JSC::JSGlobalObject::JSGlobalObject):
2549         (JSC::JSGlobalObject::init):
2550         (JSC::JSGlobalObject::visitChildren):
2551         * runtime/JSGlobalObject.h:
2552         (JSC::JSGlobalObject::numberToStringWatchpoint):
2553         (JSC::JSGlobalObject::numberProtoToStringFunction const):
2554         * runtime/NumberPrototype.cpp:
2555         (JSC::NumberPrototype::finishCreation):
2556         (JSC::toStringWithRadixInternal):
2557         (JSC::toStringWithRadix):
2558         (JSC::int32ToStringInternal):
2559         (JSC::numberToStringInternal):
2560         * runtime/NumberPrototype.h:
2561
2562 2017-09-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2563
2564         [DFG] Consider increasing the number of DFG worklist threads
2565         https://bugs.webkit.org/show_bug.cgi?id=176222
2566
2567         Reviewed by Saam Barati.
2568
2569         Attempt to add one more thread to the DFG worklist. The DFG compiler sometimes takes
2570         a very long time if the target function is very large. However, the DFG worklist
2571         had only one thread before this patch. Therefore, one function that takes
2572         too much time to be compiled can prevent the other functions from being
2573         compiled in DFG or upper tiers.
2574
2575         One example is Octane/zlib. In zlib, compiling the "a1" function in DFG takes
2576         a super long time (447 ms) because of the super large size of the function.
2577         While this function never gets compiled in FTL due to its large size,
2578         it can be compiled in DFG and takes a super long time. Subsequent "a8" function
2579         compilation in DFG is blocked by this "a1". As a consequence, the benchmark
2580         takes a very long time in a1/Baseline code, which is slower than DFG of course.
2581
2582         While FTL has a bit more threads, the DFG worklist has only one thread. This patch
2583         adds one more thread to the DFG worklist to alleviate the above situation. This
2584         change significantly improves Octane/zlib performance.
2585
2586                                     baseline                  patched
2587
2588         zlib           x2     482.32825+-6.07640    ^   408.66072+-14.03856      ^ definitely 1.1803x faster
2589
2590         * runtime/Options.h:
2591
2592 2017-09-04  Sam Weinig  <sam@webkit.org>
2593
2594         [WebIDL] Unify and simplify EnableBySettings with the rest of the runtime settings
2595         https://bugs.webkit.org/show_bug.cgi?id=176312
2596
2597         Reviewed by Darin Adler.
2598
2599         * runtime/CommonIdentifiers.h:
2600
2601         Remove WebCore-specific identifiers from CommonIdentifiers. They have been moved
2602         to WebCoreBuiltinNames in WebCore.
2603
2604 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2605
2606         Remove "malloc" and "free" use
2607         https://bugs.webkit.org/show_bug.cgi?id=176310
2608
2609         Reviewed by Darin Adler.
2610
2611         Use Vector instead.
2612
2613         * API/JSWrapperMap.mm:
2614         (selectorToPropertyName):
2615
2616 2017-09-03  Darin Adler  <darin@apple.com>
2617
2618         Try to fix Windows build.
2619
2620         * runtime/JSGlobalObjectFunctions.cpp: #include <unicode/utf8.h>.
2621
2622 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2623
2624         [WTF] Add C++03 allocator interface for GCC < 6
2625         https://bugs.webkit.org/show_bug.cgi?id=176301
2626
2627         Reviewed by Darin Adler.
2628
2629         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2630
2631 2017-09-03  Chris Dumez  <cdumez@apple.com>
2632
2633         Unreviewed, rolling out r221555.
2634
2635         Did not fix Windows build
2636
2637         Reverted changeset:
2638
2639         "Unreviewed attempt to fix Windows build."
2640         http://trac.webkit.org/changeset/221555
2641
2642 2017-09-03  Chris Dumez  <cdumez@apple.com>
2643
2644         Unreviewed attempt to fix Windows build.
2645
2646         * runtime/JSGlobalObjectFunctions.cpp:
2647
2648 2017-09-03  Chris Dumez  <cdumez@apple.com>
2649
2650         Unreviewed, rolling out r221552.
2651
2652         Broke the build
2653
2654         Reverted changeset:
2655
2656         "[WTF] Add C++03 allocator interface for GCC < 6"
2657         https://bugs.webkit.org/show_bug.cgi?id=176301
2658         http://trac.webkit.org/changeset/221552
2659
2660 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2661
2662         [WTF] Add C++03 allocator interface for GCC < 6
2663         https://bugs.webkit.org/show_bug.cgi?id=176301
2664
2665         Reviewed by Darin Adler.
2666
2667         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2668
2669 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2670
2671         [JSC] Clean up BytecodeLivenessAnalysis
2672         https://bugs.webkit.org/show_bug.cgi?id=176295
2673
2674         Reviewed by Saam Barati.
2675
2676         Previously, computeDefsForBytecodeOffset was a bit customizable.
2677         This was used for the try-catch handler's liveness analysis. But after
2678         the careful generatorification implementation, it is no longer necessary.
2679         This patch drops this customizability.
2680
2681         * bytecode/BytecodeGeneratorification.cpp:
2682         (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
2683         (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
2684         * bytecode/BytecodeLivenessAnalysis.cpp:
2685         (JSC::BytecodeLivenessAnalysis::computeKills):
2686         (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
2687         (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
2688         * bytecode/BytecodeLivenessAnalysis.h:
2689         * bytecode/BytecodeLivenessAnalysisInlines.h:
2690         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
2691         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
2692         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
2693         (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
2694         (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
2695         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction): Deleted.
2696         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBytecodeOffset): Deleted.
2697         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBlock): Deleted.
2698         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::getLivenessInfoAtBytecodeOffset): Deleted.
2699         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint): Deleted.
2700
2701 2017-09-03  Sam Weinig  <sam@webkit.org>
2702
2703         Remove CanvasProxy
2704         https://bugs.webkit.org/show_bug.cgi?id=176288
2705
2706         Reviewed by Yusuke Suzuki.
2707
2708         CanvasProxy does not appear to be in any current HTML spec
2709         and was disabled and unimplemented in our tree. Time to 
2710         get rid of it.
2711
2712         * Configurations/FeatureDefines.xcconfig:
2713
2714 2017-09-02  Oliver Hunt  <oliver@apple.com>
2715
2716         Need an API to get the global context from JSObjectRef
2717         https://bugs.webkit.org/show_bug.cgi?id=176291
2718
2719         Reviewed by Saam Barati.
2720
2721         Very simple additional API, starting off as SPI on principle.
2722
2723         * API/JSObjectRef.cpp:
2724         (JSObjectGetGlobalContext):
2725         * API/JSObjectRefPrivate.h:
2726         * API/tests/testapi.c:
2727         (main):
2728
2729 2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2730
2731         [DFG] Relax arity requirement
2732         https://bugs.webkit.org/show_bug.cgi?id=175523
2733
2734         Reviewed by Saam Barati.
2735
2736         Our DFG pipeline gives up inlining when the arity of the target function is more than the number of arguments.
2737         This effectively prevents us from inlining and optimizing functions which take some optional arguments in the
2738         pre-ES6 form.
2739
2740         This patch removes the above restriction by performing the arity fixup in DFG.
2741
2742         SixSpeed shows improvement when we can inline arity-mismatched functions. (For example, calling generator.next()).
2743
2744                                        baseline                  patched
2745
2746         defaults.es5             1232.1226+-20.6775    ^    442.3326+-26.1883       ^ definitely 2.7855x faster
2747         rest.es6                    5.3406+-0.8588     ^      3.5812+-0.5388        ^ definitely 1.4913x faster
2748         spread-generator.es6      320.9107+-12.4808         310.4295+-12.0047         might be 1.0338x faster
2749         generator.es6             318.3514+-9.6023     ^    286.4974+-12.6203       ^ definitely 1.1112x faster
2750
2751         * bytecode/InlineCallFrame.cpp:
2752         (JSC::InlineCallFrame::dumpInContext const):
2753         * bytecode/InlineCallFrame.h:
2754         (JSC::InlineCallFrame::InlineCallFrame):
2755         * dfg/DFGAbstractInterpreterInlines.h:
2756         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2757         * dfg/DFGArgumentsEliminationPhase.cpp:
2758         * dfg/DFGArgumentsUtilities.cpp:
2759         (JSC::DFG::argumentsInvolveStackSlot):
2760         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2761         * dfg/DFGByteCodeParser.cpp:
2762         (JSC::DFG::ByteCodeParser::setLocal):
2763         (JSC::DFG::ByteCodeParser::setArgument):
2764         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
2765         (JSC::DFG::ByteCodeParser::flush):
2766         (JSC::DFG::ByteCodeParser::getArgumentCount):
2767         (JSC::DFG::ByteCodeParser::inliningCost):
2768         (JSC::DFG::ByteCodeParser::inlineCall):
2769         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2770         (JSC::DFG::ByteCodeParser::parseBlock):
2771         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2772         * dfg/DFGCommonData.cpp:
2773         (JSC::DFG::CommonData::validateReferences):
2774         * dfg/DFGConstantFoldingPhase.cpp:
2775         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2776         * dfg/DFGGraph.cpp:
2777         (JSC::DFG::Graph::isLiveInBytecode):
2778         * dfg/DFGGraph.h:
2779         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
2780         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2781         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2782         * dfg/DFGOSRExit.cpp:
2783         (JSC::DFG::OSRExit::emitRestoreArguments):
2784         * dfg/DFGOSRExitCompilerCommon.cpp:
2785         (JSC::DFG::reifyInlinedCallFrames):
2786         * dfg/DFGPreciseLocalClobberize.h:
2787         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2788         * dfg/DFGSpeculativeJIT.cpp:
2789         (JSC::DFG::SpeculativeJIT::emitGetLength):
2790         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2791         * dfg/DFGStackLayoutPhase.cpp:
2792         (JSC::DFG::StackLayoutPhase::run):
2793         * ftl/FTLCompile.cpp:
2794         (JSC::FTL::compile):
2795         * ftl/FTLLowerDFGToB3.cpp:
2796         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
2797         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
2798         * ftl/FTLOperations.cpp:
2799         (JSC::FTL::operationMaterializeObjectInOSR):
2800         * interpreter/StackVisitor.cpp:
2801         (JSC::StackVisitor::readInlinedFrame):
2802         * jit/AssemblyHelpers.h:
2803         (JSC::AssemblyHelpers::argumentsStart):
2804         * jit/SetupVarargsFrame.cpp:
2805         (JSC::emitSetupVarargsFrameFastCase):
2806         * runtime/ClonedArguments.cpp:
2807         (JSC::ClonedArguments::createWithInlineFrame):
2808         * runtime/CommonSlowPaths.h:
2809         (JSC::CommonSlowPaths::numberOfExtraSlots):
2810         (JSC::CommonSlowPaths::numberOfStackPaddingSlots):
2811         (JSC::CommonSlowPaths::numberOfStackPaddingSlotsWithExtraSlots):
2812         (JSC::CommonSlowPaths::arityCheckFor):
2813         * runtime/StackAlignment.h:
2814         (JSC::stackAlignmentBytes):
2815         (JSC::stackAlignmentRegisters):
2816
2817 2017-09-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2818
2819         [FTL] FTL allocation for async Function is incorrect
2820         https://bugs.webkit.org/show_bug.cgi?id=176214
2821
2822         Reviewed by Saam Barati.
2823
2824         In FTL, allocating an async function / async generator function was incorrectly using
2825         JSFunction logic. While it is not observable right now, since sizeof(JSFunction) == sizeof(JSAsyncFunction),
2826         it is a bug.
2827
2828         * ftl/FTLLowerDFGToB3.cpp:
2829         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2830
2831 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2832
2833         [JSC] Fix "name" and "length" of Proxy revoke function
2834         https://bugs.webkit.org/show_bug.cgi?id=176155
2835
2836         Reviewed by Mark Lam.
2837
2838         ProxyRevoke's length should be configurable. And it does not have
2839         its own name. We add a NameVisibility enum to InternalFunction to
2840         control the visibility of the name.
2841
2842         * runtime/InternalFunction.cpp:
2843         (JSC::InternalFunction::finishCreation):
2844         * runtime/InternalFunction.h:
2845         * runtime/ProxyRevoke.cpp:
2846         (JSC::ProxyRevoke::finishCreation):
2847
2848 2017-08-31  Saam Barati  <sbarati@apple.com>
2849
2850         Throwing an exception in the DFG/FTL should not cause a jettison
2851         https://bugs.webkit.org/show_bug.cgi?id=176060
2852         <rdar://problem/34143348>
2853
2854         Reviewed by Keith Miller.
2855
2856         Throwing an exception is not something that should be a jettison-able
2857         OSR exit. We used to count Throw/ThrowStaticError towards our OSR exit
2858         counts which could cause a CodeBlock to jettison and recompile. This
2859         was dumb. Throwing an exception is not a reason to jettison and
2860         recompile in the way that a speculation failure is. This patch
2861         treats Throw/ThrowStaticError as true terminals in DFG IR.
2862
2863         * bytecode/BytecodeUseDef.h:
2864         (JSC::computeUsesForBytecodeOffset):
2865         * dfg/DFGAbstractInterpreterInlines.h:
2866         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2867         * dfg/DFGByteCodeParser.cpp:
2868         (JSC::DFG::ByteCodeParser::parseBlock):
2869         * dfg/DFGClobberize.h:
2870         (JSC::DFG::clobberize):
2871         * dfg/DFGFixupPhase.cpp:
2872         (JSC::DFG::FixupPhase::fixupNode):
2873         * dfg/DFGInPlaceAbstractState.cpp:
2874         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
2875         * dfg/DFGNode.h:
2876         (JSC::DFG::Node::isTerminal):
2877         (JSC::DFG::Node::isPseudoTerminal):
2878         (JSC::DFG::Node::errorType):
2879         * dfg/DFGNodeType.h:
2880         * dfg/DFGOperations.cpp:
2881         * dfg/DFGOperations.h:
2882         * dfg/DFGPredictionPropagationPhase.cpp:
2883         * dfg/DFGSpeculativeJIT.cpp:
2884         (JSC::DFG::SpeculativeJIT::compileThrow):
2885         (JSC::DFG::SpeculativeJIT::compileThrowStaticError):
2886         * dfg/DFGSpeculativeJIT.h:
2887         (JSC::DFG::SpeculativeJIT::callOperation):
2888         * dfg/DFGSpeculativeJIT32_64.cpp:
2889         (JSC::DFG::SpeculativeJIT::compile):
2890         * dfg/DFGSpeculativeJIT64.cpp:
2891         (JSC::DFG::SpeculativeJIT::compile):
2892         * ftl/FTLLowerDFGToB3.cpp:
2893         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2894         (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
2895         (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError):
2896         * jit/JITOperations.h:
2897
2898 2017-08-31  Saam Barati  <sbarati@apple.com>
2899
2900         Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin
2901         https://bugs.webkit.org/show_bug.cgi?id=176206
2902
2903         Reviewed by Keith Miller.
2904
2905         Mark fixed the main issue in Graph::methodOfGettingAValueProfileFor in r208560
2906         when he fixed it from overwriting invalid parts of the ArithProfile when the
2907         currentNode and the operandNode are from the same bytecode. However, the
2908         mechanism used to determine the same bytecode was comparing NodeOrigin. That's
2909         slightly wrong. We need to compare semantic origin, since two NodeOrigins can
2910         have the same semantic origin, but differ only in exitOK. For example,
2911         in the below IR, the DoubleRep and the Phi have the same semantic
2912         origin, but different NodeOrigins.
2913
2914         43 Phi(JS|PureInt, NonBoolInt32|NonIntAsdouble, W:SideState, bc#63, ExitInvalid)
2915         58 ExitOK(MustGen, W:SideState, bc#63)
2916         51 DoubleRep(Check:Number:Kill:@43, Double|PureInt, BytecodeDouble, Exits, bc#63)
2917         54 ArithNegate(DoubleRep:Kill:@51<Double>, Double|UseAsOther|MayHaveDoubleResult, AnyIntAsDouble|NonIntAsdouble, NotSet, Exits, bc#63)
2918
2919         * dfg/DFGGraph.cpp:
2920         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2921
2922 2017-08-31  Don Olmstead  <don.olmstead@sony.com>
2923
2924         [CMake] Make USE_CF conditional within Windows
2925         https://bugs.webkit.org/show_bug.cgi?id=176173
2926
2927         Reviewed by Alex Christensen.
2928
2929         * PlatformWin.cmake:
2930
2931 2017-08-31  Saam Barati  <sbarati@apple.com>
2932
2933         useSeparatedWXHeap should never be true when not on iOS
2934         https://bugs.webkit.org/show_bug.cgi?id=176190
2935
2936         Reviewed by JF Bastien.
2937
2938         If you set useSeparatedWXHeap to true on X86_64, and launch the jsc shell,
2939         the process insta-crashes. Let's silently ignore that option and set it
2940         to false when not on iOS.
2941
2942         * runtime/Options.cpp:
2943         (JSC::recomputeDependentOptions):
2944
2945 2017-08-31  Filip Pizlo  <fpizlo@apple.com>
2946
2947         Fix debug crashes.
2948
2949         Rubber stamped by Mark Lam.
2950
2951         * runtime/JSArrayBufferView.cpp:
2952         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2953
2954 2017-08-31  Filip Pizlo  <fpizlo@apple.com>
2955
2956         All of the different ArrayBuffer::data's should be CagedPtr<>
2957         https://bugs.webkit.org/show_bug.cgi?id=175515
2958
2959         Reviewed by Michael Saboff.
2960         
2961         This straightforwardly implements what the title says.
2962
2963         * runtime/ArrayBuffer.cpp:
2964         (JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
2965         (JSC::ArrayBufferContents::destroy):
2966         (JSC::ArrayBufferContents::tryAllocate):
2967         (JSC::ArrayBufferContents::makeShared):
2968         (JSC::ArrayBufferContents::copyTo):
2969         (JSC::ArrayBuffer::createFromBytes):
2970         (JSC::ArrayBuffer::transferTo):
2971         * runtime/ArrayBuffer.h:
2972         (JSC::SharedArrayBufferContents::data const):
2973         (JSC::ArrayBufferContents::data const):
2974         (JSC::ArrayBuffer::data):
2975         (JSC::ArrayBuffer::data const):
2976         * runtime/ArrayBufferView.h:
2977         (JSC::ArrayBufferView::baseAddress const):
2978         * runtime/CagedBarrierPtr.h: Added a specialization so that CagedBarrierPtr<Gigacage::Foo, void> is valid.
2979         * runtime/DataView.h:
2980         (JSC::DataView::get):
2981         (JSC::DataView::set):
2982         * runtime/JSArrayBufferView.cpp:
2983         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2984         * runtime/JSArrayBufferView.h:
2985         (JSC::JSArrayBufferView::ConstructionContext::vector const):
2986         (JSC::JSArrayBufferView::vector const):
2987         * runtime/JSGenericTypedArrayViewInlines.h:
2988         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2989
2990 2017-08-22  Filip Pizlo  <fpizlo@apple.com>
2991
2992         Strings need to be in some kind of gigacage
2993         https://bugs.webkit.org/show_bug.cgi?id=174924
2994
2995         Reviewed by Oliver Hunt.
2996
2997         * runtime/JSString.cpp:
2998         (JSC::JSRopeString::resolveRopeToAtomicString const):
2999         (JSC::JSRopeString::resolveRope const):
3000         * runtime/JSString.h:
3001         (JSC::JSString::create):
3002         (JSC::JSString::createHasOtherOwner):
3003         * runtime/JSStringBuilder.h:
3004         * runtime/VM.h:
3005         (JSC::VM::gigacageAuxiliarySpace):
3006
3007 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3008
3009         [JSC] Use reifying system for "name" property of builtin JSFunction
3010         https://bugs.webkit.org/show_bug.cgi?id=175260
3011
3012         Reviewed by Saam Barati.
3013
3014         Currently builtin JSFunction uses direct property for "name", which is different
3015         from usual JSFunction. Usual JSFunction uses reifying system for "name". We would like
3016         to apply this reifying mechanism to builtin JSFunction to simplify code and drop
3017         JSFunction::createBuiltinFunction.
3018
3019         We would like to store the "correct" name in FunctionExecutable. For example,
3020         we would like to store the name like "get [Symbol.species]" to FunctionExecutable
3021         instead of specifying the name when creating JSFunction. To do so, we add two new
3022         annotations, @getter and @overriddenName. When @getter is specified, the name of
3023         the function becomes "get xxx". And when @overriddenName="xxx" is specified,
3024         the name of the function becomes "xxx".
3025
3026         We also treat @xxx as anonymous builtin functions that cannot be achieved in
3027         the current JS without privilege.
3028
3029         * Scripts/builtins/builtins_generate_combined_header.py:
3030         (generate_section_for_code_table_macro):
3031         * Scripts/builtins/builtins_generate_combined_implementation.py:
3032         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
3033         * Scripts/builtins/builtins_generate_separate_header.py:
3034         (generate_section_for_code_table_macro):
3035         * Scripts/builtins/builtins_generate_separate_implementation.py:
3036         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
3037         * Scripts/builtins/builtins_model.py:
3038         (BuiltinFunction.__init__):
3039         (BuiltinFunction.fromString):
3040         * Scripts/builtins/builtins_templates.py:
3041         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
3042         (overriddenName.string_appeared_here.match):
3043         (intrinsic.RegExpTestIntrinsic.test):
3044         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
3045         (overriddenName.string_appeared_here.match):
3046         (intrinsic.RegExpTestIntrinsic.test):
3047         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3048         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3049         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3050         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3051         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3052         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3053         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3054         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3055         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3056         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3057         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3058         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3059         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3060         * builtins/AsyncIteratorPrototype.js:
3061         (symbolAsyncIteratorGetter): Deleted.
3062         * builtins/BuiltinExecutables.cpp:
3063         (JSC::BuiltinExecutables::BuiltinExecutables):
3064         * builtins/BuiltinExecutables.h:
3065         * builtins/BuiltinNames.h:
3066         * builtins/FunctionPrototype.js:
3067         (symbolHasInstance): Deleted.
3068         * builtins/GlobalOperations.js:
3069         (globalPrivate.speciesGetter): Deleted.
3070         * builtins/IteratorPrototype.js:
3071         (symbolIteratorGetter): Deleted.
3072         * builtins/PromiseConstructor.js:
3073         (all.newResolveElement.return.resolve):
3074         (all.newResolveElement):
3075         (all):
3076         * builtins/PromiseOperations.js:
3077         (globalPrivate.newPromiseCapability.executor):
3078         (globalPrivate.newPromiseCapability):
3079         (globalPrivate.createResolvingFunctions.resolve):
3080         (globalPrivate.createResolvingFunctions.reject):
3081         (globalPrivate.createResolvingFunctions):
3082         * builtins/RegExpPrototype.js:
3083         (match): Deleted.
3084         (replace): Deleted.
3085         (search): Deleted.
3086         (split): Deleted.
3087         * jsc.cpp:
3088         (functionCreateBuiltin):
3089         * runtime/AsyncIteratorPrototype.cpp:
3090         (JSC::AsyncIteratorPrototype::finishCreation):
3091         * runtime/FunctionPrototype.cpp:
3092         (JSC::FunctionPrototype::addFunctionProperties):
3093         * runtime/IteratorPrototype.cpp:
3094         (JSC::IteratorPrototype::finishCreation):
3095         * runtime/JSFunction.cpp:
3096         (JSC::JSFunction::finishCreation):
3097         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3098         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
3099         (JSC::JSFunction::createBuiltinFunction): Deleted.
3100         * runtime/JSFunction.h:
3101         * runtime/JSGlobalObject.cpp:
3102         (JSC::JSGlobalObject::init):
3103         * runtime/JSObject.cpp:
3104         (JSC::JSObject::putDirectBuiltinFunction):
3105         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
3106         * runtime/JSTypedArrayViewPrototype.cpp:
3107         (JSC::JSTypedArrayViewPrototype::finishCreation):
3108         * runtime/Lookup.cpp:
3109         (JSC::reifyStaticAccessor):
3110         * runtime/MapPrototype.cpp:
3111         (JSC::MapPrototype::finishCreation):
3112         * runtime/RegExpPrototype.cpp:
3113         (JSC::RegExpPrototype::finishCreation):
3114         * runtime/SetPrototype.cpp:
3115         (JSC::SetPrototype::finishCreation):
3116
3117 2017-08-30  Ryan Haddad  <ryanhaddad@apple.com>
3118
3119         Unreviewed, rolling out r221327.
3120
3121         This change caused test262 failures.
3122
3123         Reverted changeset:
3124
3125         "[JSC] Use reifying system for "name" property of builtin
3126         JSFunction"
3127         https://bugs.webkit.org/show_bug.cgi?id=175260
3128         http://trac.webkit.org/changeset/221327
3129
3130 2017-08-30  Matt Lewis  <jlewis3@apple.com>
3131
3132         Unreviewed, rolling out r221384.
3133
3134         This patch caused multiple 32-bit JSC test failures.
3135
3136         Reverted changeset:
3137
3138         "Strings need to be in some kind of gigacage"
3139         https://bugs.webkit.org/show_bug.cgi?id=174924
3140         http://trac.webkit.org/changeset/221384
3141
3142 2017-08-30  Saam Barati  <sbarati@apple.com>
3143
3144         semicolon is being interpreted as an = in the LiteralParser
3145         https://bugs.webkit.org/show_bug.cgi?id=176114
3146
3147         Reviewed by Oliver Hunt.
3148
3149         When lexing a semicolon in the LiteralParser, we were properly
3150         setting the TokenType on the current token; however, we were
3151         *returning* the wrong TokenType. The lex function both returns
3152         the TokenType and sets it on the current token. Semicolon was
3153         setting the TokenType to semicolon, but returning the TokenType
3154         for '='. This caused programs like `x;123` to be interpreted as
3155         `x=123`.
3156
3157         * runtime/LiteralParser.cpp:
3158         (JSC::LiteralParser<CharType>::Lexer::lex):
3159         (JSC::LiteralParser<CharType>::Lexer::next):
3160
3161 2017-08-22  Filip Pizlo  <fpizlo@apple.com>
3162
3163         Strings need to be in some kind of gigacage
3164         https://bugs.webkit.org/show_bug.cgi?id=174924
3165
3166         Reviewed by Oliver Hunt.
3167
3168         * runtime/JSString.cpp:
3169         (JSC::JSRopeString::resolveRopeToAtomicString const):
3170         (JSC::JSRopeString::resolveRope const):
3171         * runtime/JSString.h:
3172         (JSC::JSString::create):
3173         (JSC::JSString::createHasOtherOwner):
3174         * runtime/JSStringBuilder.h:
3175         * runtime/VM.h:
3176         (JSC::VM::gigacageAuxiliarySpace):
3177
3178 2017-08-30  Oleksandr Skachkov  <gskachkov@gmail.com>
3179
3180         [ESNext] Async iteration - Implement async iteration statement: for-await-of
3181         https://bugs.webkit.org/show_bug.cgi?id=166698
3182
3183         Reviewed by Yusuke Suzuki.
3184
3185         Implementation of the for-await-of statement.
3186
3187         * bytecompiler/BytecodeGenerator.cpp:
3188         (JSC::BytecodeGenerator::emitEnumeration):
3189         (JSC::BytecodeGenerator::emitIteratorNext):
3190         * bytecompiler/BytecodeGenerator.h:
3191         * parser/ASTBuilder.h:
3192         (JSC::ASTBuilder::createForOfLoop):
3193         * parser/NodeConstructors.h:
3194         (JSC::ForOfNode::ForOfNode):
3195         * parser/Nodes.h:
3196         (JSC::ForOfNode::isForAwait const):
3197         * parser/Parser.cpp:
3198         (JSC::Parser<LexerType>::parseForStatement):
3199         * parser/Parser.h:
3200         (JSC::Scope::setSourceParseMode):
3201         (JSC::Scope::setIsFunction):
3202         (JSC::Scope::setIsAsyncGeneratorFunction):
3203         (JSC::Scope::setIsAsyncGeneratorFunctionBody):
3204         * parser/SyntaxChecker.h:
3205         (JSC::SyntaxChecker::createForOfLoop):
3206
3207 2017-08-29  Commit Queue  <commit-queue@webkit.org>
3208
3209         Unreviewed, rolling out r221317.
3210         https://bugs.webkit.org/show_bug.cgi?id=176090
3211
3212         "It broke a testing mode because we will never FTL compile a
3213         function that repeatedly throws" (Requested by saamyjoon on
3214         #webkit).
3215
3216         Reverted changeset:
3217
3218         "Throwing an exception in the DFG/FTL should not be a
3219         jettison-able OSR exit"
3220         https://bugs.webkit.org/show_bug.cgi?id=176060
3221         http://trac.webkit.org/changeset/221317
3222
3223 2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3224
3225         [DFG] Add constant folding rule to convert CompareStrictEq(Untyped, Untyped [with non string cell constant]) to CompareEqPtr(Untyped)
3226         https://bugs.webkit.org/show_bug.cgi?id=175895
3227
3228         Reviewed by Saam Barati.
3229
3230         We have `bucket === @sentinelMapBucket` code in builtins. Since @sentinelMapBucket and bucket
3231         are MapBucket cells (SpecCellOther), we do not have any good fixup for CompareStrictEq.
3232         But rather than introducing a special fixup edge (like NonStringCellUse), converting
3233         CompareStrictEq(Untyped, Untyped) to CompareEqPtr is simpler.
3234         In the constant folding phase, we convert CompareStrictEq(Untyped, Untyped) to CompareEqPtr(Untyped)
3235         if one side of the children is a constant non-String cell.
3236
3237         This slightly optimizes map/set iteration.
3238
3239         set-for-each          4.5064+-0.3072     ^      3.2862+-0.2098        ^ definitely 1.3713x faster
3240         large-map-iteration  56.2583+-1.6640           53.6798+-2.0097          might be 1.0480x faster
3241         set-for-of            8.8058+-0.5953     ^      7.5832+-0.3805        ^ definitely 1.1612x faster
3242         map-for-each          4.2633+-0.2694     ^      3.3967+-0.3013        ^ definitely 1.2551x faster
3243         map-for-of           13.1556+-0.5707           12.4911+-0.6004          might be 1.0532x faster
3244
3245         * dfg/DFGAbstractInterpreterInlines.h:
3246         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3247         * dfg/DFGConstantFoldingPhase.cpp:
3248         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3249         * dfg/DFGNode.h:
3250         (JSC::DFG::Node::convertToCompareEqPtr):
3251
3252 2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3253
3254         [JSC] Use reifying system for "name" property of builtin JSFunction
3255         https://bugs.webkit.org/show_bug.cgi?id=175260
3256
3257         Reviewed by Saam Barati.
3258
3259         Currently builtin JSFunction uses direct property for "name", which is different
3260         from usual JSFunction. Usual JSFunction uses reifying system for "name". We would like
3261         to apply this reifying mechanism to builtin JSFunction to simplify code and drop
3262         JSFunction::createBuiltinFunction.
3263
3264         We would like to store the "correct" name in FunctionExecutable. For example,
3265         we would like to store the name like "get [Symbol.species]" to FunctionExecutable
3266         instead of specifying the name when creating JSFunction. To do so, we add two new
3267         annotations, @getter and @overriddenName. When @getter is specified, the name of
3268         the function becomes "get xxx". And when @overriddenName="xxx" is specified,
3269         the name of the function becomes "xxx".
3270
3271         * Scripts/builtins/builtins_generate_combined_header.py:
3272         (generate_section_for_code_table_macro):
3273         * Scripts/builtins/builtins_generate_combined_implementation.py:
3274         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
3275         * Scripts/builtins/builtins_generate_separate_header.py:
3276         (generate_section_for_code_table_macro):
3277         * Scripts/builtins/builtins_generate_separate_implementation.py:
3278         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
3279         * Scripts/builtins/builtins_model.py:
3280         (BuiltinFunction.__init__):
3281         (BuiltinFunction.fromString):
3282         * Scripts/builtins/builtins_templates.py:
3283         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
3284         (overriddenName.string_appeared_here.match):
3285         (intrinsic.RegExpTestIntrinsic.test):
3286         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
3287         (overriddenName.string_appeared_here.match):
3288         (intrinsic.RegExpTestIntrinsic.test):
3289         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3290         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3291         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3292         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3293         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3294         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3295         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3296         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3297         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3298         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3299         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3300         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3301         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3302         * builtins/BuiltinExecutables.cpp:
3303         (JSC::BuiltinExecutables::BuiltinExecutables):
3304         * builtins/BuiltinExecutables.h:
3305         * builtins/FunctionPrototype.js:
3306         (symbolHasInstance): Deleted.
3307         * builtins/GlobalOperations.js:
3308         (globalPrivate.speciesGetter): Deleted.
3309         * builtins/IteratorPrototype.js:
3310         (symbolIteratorGetter): Deleted.
3311         * builtins/RegExpPrototype.js:
3312         (match): Deleted.
3313         (replace): Deleted.
3314         (search): Deleted.
3315         (split): Deleted.
3316         * jsc.cpp:
3317         (functionCreateBuiltin):
3318         * runtime/FunctionPrototype.cpp:
3319         (JSC::FunctionPrototype::addFunctionProperties):
3320         * runtime/IteratorPrototype.cpp:
3321         (JSC::IteratorPrototype::finishCreation):
3322         * runtime/JSFunction.cpp:
3323         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3324         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
3325         (JSC::JSFunction::createBuiltinFunction): Deleted.
3326         * runtime/JSFunction.h:
3327         * runtime/JSGlobalObject.cpp:
3328         (JSC::JSGlobalObject::init):
3329         * runtime/JSObject.cpp:
3330         (JSC::JSObject::putDirectBuiltinFunction):
3331         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
3332         * runtime/JSTypedArrayViewPrototype.cpp:
3333         (JSC::JSTypedArrayViewPrototype::finishCreation):
3334         * runtime/Lookup.cpp:
3335         (JSC::reifyStaticAccessor):
3336         * runtime/RegExpPrototype.cpp:
3337         (JSC::RegExpPrototype::finishCreation):
3338
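As an added illustration of the naming rule this entry implements (not code from WebKit or the ChangeLog author), the script below computes the name ECMAScript assigns to a built-in from its property key and accessor kind, which is exactly what the @getter and @overriddenName annotations let JSC store on the FunctionExecutable, and compares it against the functions a live engine actually installs. The case list, helper names and labels are assumptions made for the example; it runs under any ES2019+ engine that exposes Symbol.prototype.description.

```javascript
// Added example, not WebKit code. Spec rule (SetFunctionName): a symbol key
// yields "[<description>]", and accessor functions get a "get " / "set " prefix.
// The @getter / @overriddenName annotations described in the entry above exist so
// JSC can store exactly this name, e.g. "get [Symbol.species]", on the executable.

function expectedBuiltinName(key, kind = "method") {
  const base = typeof key === "symbol" ? `[${key.description}]` : String(key);
  switch (kind) {
    case "method": return base;
    case "get": return `get ${base}`;
    case "set": return `set ${base}`;
    default: throw new TypeError(`unknown kind ${kind}`);
  }
}

// Look up the function actually installed on `holder` under `key` for `kind`,
// reading the accessor's getter/setter rather than invoking it.
function actualBuiltinName(holder, key, kind = "method") {
  const desc = Object.getOwnPropertyDescriptor(holder, key);
  if (!desc) return undefined;
  const fn = kind === "method" ? desc.value : desc[kind];
  return typeof fn === "function" ? fn.name : undefined;
}

// Check a list of built-ins and return the mismatches, so callers (and tests)
// can assert on the result instead of reading console output.
function checkBuiltinNames(cases) {
  const mismatches = [];
  for (const { holder, key, kind, label } of cases) {
    const expected = expectedBuiltinName(key, kind);
    const actual = actualBuiltinName(holder, key, kind);
    if (actual !== expected) mismatches.push({ label, expected, actual });
  }
  return mismatches;
}

// Constructed case list (assumption for the example): the species getters and
// well-known-symbol methods touched by this ChangeLog entry, plus one string-keyed
// getter to show the "get <name>" form.
const BUILTIN_NAME_CASES = [
  { label: "Array[@@species] getter", holder: Array, key: Symbol.species, kind: "get" },
  { label: "Map[@@species] getter", holder: Map, key: Symbol.species, kind: "get" },
  { label: "RegExp.prototype.flags getter", holder: RegExp.prototype, key: "flags", kind: "get" },
  { label: "Function.prototype[@@hasInstance]", holder: Function.prototype, key: Symbol.hasInstance, kind: "method" },
  { label: "RegExp.prototype[@@match]", holder: RegExp.prototype, key: Symbol.match, kind: "method" },
  { label: "RegExp.prototype[@@split]", holder: RegExp.prototype, key: Symbol.split, kind: "method" },
];

if (typeof require !== "undefined" && require.main === module) {
  // An empty array means every built-in carries its spec-mandated name.
  console.log(checkBuiltinNames(BUILTIN_NAME_CASES));
}
```

Running it on a conforming engine prints an empty array; any entry in the result names a built-in whose `name` property deviates from the spec form, which is the observable effect the @getter and @overriddenName annotations are meant to get right.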
3339 2017-08-29  Saam Barati  <sbarati@apple.com>
3340
3341         Throwing an exception in the DFG/FTL should not be a jettison-able OSR exit
3342         https://bugs.webkit.org/show_bug.cgi?id=176060
3343
3344         Reviewed by Michael Saboff.
3345
3346         OSR exiting when we throw an exception is expected behavior. We should
3347         not count these exits towards our jettison OSR exit threshold.
3348
3349         * bytecode/ExitKind.cpp:
3350         (JSC::exitKindToString):
3351         (JSC::exitKindMayJettison):
3352         * bytecode/ExitKind.h:
3353         * dfg/DFGSpeculativeJIT32_64.cpp:
3354         (JSC::DFG::SpeculativeJIT::compile):
3355         * dfg/DFGSpeculativeJIT64.cpp:
3356         (JSC::DFG::SpeculativeJIT::compile):
3357         * ftl/FTLLowerDFGToB3.cpp:
3358         (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
3359
3360 2017-08-29  Chris Dumez  <cdumez@apple.com>
3361
3362         Add initial support for dataTransferItem.webkitGetAsEntry()
3363         https://bugs.webkit.org/show_bug.cgi?id=176038
3364         <rdar://problem/34121095>
3365
3366         Reviewed by Wenson Hsieh.
3367
3368         Add CommonIdentifier needed by [EnabledAtRuntime].
3369
3370         * runtime/CommonIdentifiers.h:
3371
3372 2017-08-27  Devin Rousso  <webkit@devinrousso.com>
3373
3374         Web Inspector: Record actions performed on WebGLRenderingContext
3375         https://bugs.webkit.org/show_bug.cgi?id=174483
3376         <rdar://problem/34040722>
3377
3378         Reviewed by Matt Baker.
3379
3380         * inspector/protocol/Recording.json:
3381         * inspector/scripts/codegen/generator.py:
3382         Add type and mapping for WebGL: "canvas-webgl" => CanvasWebGL
3383
3384 2017-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3385
3386         Unreviewed, suppress warnings in GTK port
3387
3388         The "block" variable hides the argument variable.
3389
3390         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
3391         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
3392
3393 2017-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3394
3395         Merge WeakMapData into JSWeakMap and JSWeakSet
3396         https://bugs.webkit.org/show_bug.cgi?id=143919
3397
3398         Reviewed by Darin Adler.
3399
3400         This patch changes WeakMapData from JSCell to JSDestructibleObject,
3401         renaming it to WeakMapBase, and JSWeakMap and JSWeakSet simply inherit
3402         it instead of separately allocating WeakMapData. This reduces memory
3403         consumption and allocation times.
3404
3405         This patch also slightly optimizes sizeof(DeadKeyCleaner) by dropping the m_target
3406         field. Since this class is always embedded in WeakMapBase, we can calculate
3407         WeakMapBase address from the address of DeadKeyCleaner.
3408
3409         This patch does not include the optimization changing WeakMapData to Set
3410         for JSWeakSet.
3411
3412         * CMakeLists.txt:
3413         * JavaScriptCore.xcodeproj/project.pbxproj:
3414         * inspector/JSInjectedScriptHost.cpp:
3415         (Inspector::JSInjectedScriptHost::weakMapSize):
3416         (Inspector::JSInjectedScriptHost::weakMapEntries):
3417         (Inspector::JSInjectedScriptHost::weakSetSize):
3418         (Inspector::JSInjectedScriptHost::weakSetEntries):
3419         * runtime/JSWeakMap.cpp:
3420         (JSC::JSWeakMap::finishCreation): Deleted.
3421         (JSC::JSWeakMap::visitChildren): Deleted.
3422         * runtime/JSWeakMap.h:
3423         (JSC::JSWeakMap::createStructure): Deleted.
3424         (JSC::JSWeakMap::create): Deleted.
3425         (JSC::JSWeakMap::weakMapData): Deleted.
3426         (JSC::JSWeakMap::JSWeakMap): Deleted.
3427         * runtime/JSWeakSet.cpp:
3428         (JSC::JSWeakSet::finishCreation): Deleted.
3429         (JSC::JSWeakSet::visitChildren): Deleted.
3430         * runtime/JSWeakSet.h:
3431         (JSC::JSWeakSet::createStructure): Deleted.
3432         (JSC::JSWeakSet::create): Deleted.
3433         (JSC::JSWeakSet::weakMapData): Deleted.
3434         (JSC::JSWeakSet::JSWeakSet): Deleted.
3435         * runtime/VM.cpp:
3436         (JSC::VM::VM):
3437         * runtime/VM.h:
3438         * runtime/WeakMapBase.cpp: Renamed from Source/JavaScriptCore/runtime/WeakMapData.cpp.
3439         (JSC::WeakMapBase::WeakMapBase):
3440         (JSC::WeakMapBase::destroy):
3441         (JSC::WeakMapBase::estimatedSize):
3442         (JSC::WeakMapBase::visitChildren):
3443         (JSC::WeakMapBase::set):
3444         (JSC::WeakMapBase::get):
3445         (JSC::WeakMapBase::remove):
3446         (JSC::WeakMapBase::contains):
3447         (JSC::WeakMapBase::clear):
3448         (JSC::WeakMapBase::DeadKeyCleaner::target):
3449         (JSC::WeakMapBase::DeadKeyCleaner::visitWeakReferences):
3450         (JSC::WeakMapBase::DeadKeyCleaner::finalizeUnconditionally):
3451         * runtime/WeakMapBase.h: Renamed from Source/JavaScriptCore/runtime/WeakMapData.h.
3452         (JSC::WeakMapBase::size const):
3453         * runtime/WeakMapPrototype.cpp:
3454         (JSC::getWeakMap):
3455         (JSC::protoFuncWeakMapDelete):
3456         (JSC::protoFuncWeakMapGet):
3457         (JSC::protoFuncWeakMapHas):
3458         (JSC::protoFuncWeakMapSet):
3459         (JSC::getWeakMapData): Deleted.
3460         * runtime/WeakSetPrototype.cpp:
3461         (JSC::getWeakSet):
3462         (JSC::protoFuncWeakSetDelete):
3463         (JSC::protoFuncWeakSetHas):
3464         (JSC::protoFuncWeakSetAdd):
3465         (JSC::getWeakMapData): Deleted.
3466
3467 2017-08-25  Daniel Bates  <dabates@apple.com>
3468
3469         Demarcate code added due to lack of NSDMI for aggregates
3470         https://bugs.webkit.org/show_bug.cgi?id=175990
3471
3472         Reviewed by Andy Estes.
3473
3474         * domjit/DOMJITEffect.h:
3475         (JSC::DOMJIT::Effect::Effect):
3476         (JSC::DOMJIT::Effect::forWrite):
3477         (JSC::DOMJIT::Effect::forRead):
3478         (JSC::DOMJIT::Effect::forReadWrite):
3479         (JSC::DOMJIT::Effect::forPure):
3480         (JSC::DOMJIT::Effect::forDef):
3481         * runtime/HasOwnPropertyCache.h:
3482         (JSC::HasOwnPropertyCache::Entry::Entry):
3483         (JSC::HasOwnPropertyCache::Entry::operator=): Deleted.
3484         * wasm/WasmFormat.h: Modernize some of the code while I am here. Also
3485         make some comments read well.
3486         (JSC::Wasm::CallableFunction::CallableFunction):
3487         * wasm/js/WebAssemblyFunction.cpp:
3488         (JSC::WebAssemblyFunction::WebAssemblyFunction):
3489         * wasm/js/WebAssemblyWrapperFunction.cpp:
3490         (JSC::WebAssemblyWrapperFunction::create):
3491
3492 2017-08-25  Saam Barati  <sbarati@apple.com>
3493
3494         Unreviewed. Fix 32-bit after r221196
3495
3496         * jit/JITOpcodes32_64.cpp:
3497         (JSC::JIT::emit_op_catch):
3498
3499 2017-08-25  Chris Dumez  <cdumez@apple.com>
3500
3501         Land stubs for File and Directory Entries API interfaces
3502         https://bugs.webkit.org/show_bug.cgi?id=175993
3503         <rdar://problem/34087477>
3504
3505         Reviewed by Ryosuke Niwa.
3506
3507         Add CommonIdentifiers needed for [EnabledAtRuntime].
3508
3509         * runtime/CommonIdentifiers.h:
3510
3511 2017-08-25  Brian Burg  <bburg@apple.com>
3512
3513         Web Automation: add capabilities to control ICE candidate filtering and insecure media capture
3514         https://bugs.webkit.org/show_bug.cgi?id=175563
3515         <rdar://problem/33734492>
3516
3517         Reviewed by Joseph Pecoraro.
3518
3519         Add macros for new capability protocol string names. Let's use a reverse
3520         domain name notification for these capabilities so we know whether they are
3521         intended for a particular client/port or any WebKit client, and what feature they
3522         are related to (i.e., webrtc).
3523
3524         * inspector/remote/RemoteInspectorConstants.h:
3525
3526 2017-08-24  Brian Burg  <bburg@apple.com>
3527
3528         Web Automation: use automation session configurations to propagate per-session settings
3529         https://bugs.webkit.org/show_bug.cgi?id=175562
3530         <rdar://problem/30853362>
3531
3532         Reviewed by Joseph Pecoraro.
3533
3534         Add a Cocoa-specific code path to forward capabilities when requesting
3535         a new session from the remote inspector (i.e., automation) client.
3536
3537         If other ports want to use this, then we can convert Cocoa types to WebKit types later.
3538
3539         * inspector/remote/RemoteInspector.h:
3540         * inspector/remote/RemoteInspectorConstants.h:
3541         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3542         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
3543
3544 2017-08-25  Saam Barati  <sbarati@apple.com>
3545
3546         DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
3547         https://bugs.webkit.org/show_bug.cgi?id=175893
3548
3549         Reviewed by Mark Lam.
3550
3551         * dfg/DFGJITCode.cpp:
3552         (JSC::DFG::JITCode::finalizeOSREntrypoints):
3553         * dfg/DFGJITCode.h:
3554         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
3555         * dfg/DFGSpeculativeJIT.cpp:
3556         (JSC::DFG::SpeculativeJIT::linkOSREntries):
3557
3558 2017-08-25  Saam Barati  <sbarati@apple.com>
3559
3560         Support compiling catch in the DFG
3561         https://bugs.webkit.org/show_bug.cgi?id=174590
3562         <rdar://problem/34047845>
3563
3564         Reviewed by Filip Pizlo.
3565
3566         This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
3567         into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396
3568         
3569         To implement catch in the DFG, this patch introduces the concept of multiple
3570         entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
3571         through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
3572         patch contains many straightforward changes generalizing the code to handle more than
3573         one entrypoint.
3574         
3575         A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
3576         is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
3577         that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
3578         to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
3579         and SSANaturalLoops vs CPSNaturalLoops.
3580         
3581         The way we compile the catch entrypoint is by bootstrapping the state
3582         of the program by loading all live bytecode locals from a buffer. The OSR
3583         entry code will store all live values into that buffer before jumping to
3584         the entrypoint. The OSR entry code is also responsible for performing type
3585         proofs of the arguments before doing an OSR entry. If there is a type
3586         mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
3587         each catch entrypoint knows the argument type proofs it must perform to enter
3588         into the DFG. Currently, all entrypoints' arguments flush format are unified
3589         via ArgumentPosition, but this is just an implementation detail. The code is
3590         written more generally to assume that each entrypoint may perform its own distinct
3591         proof.
3592         
3593         op_catch now performs value profiling for all live bytecode locals in the
3594         LLInt and baseline JIT. This information is then fed into the DFG via the
3595         ExtractCatchLocal node in the prediction propagation phase.
3596         
3597         This patch also changes how we generate op_catch in bytecode. All op_catches
3598         are now split out at the end of the program in bytecode. This ensures that
3599         no op_catch is inside a try block. This is needed to ensure correctness in
3600         the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
3601         before SetLocals inside a try block. If an op_catch were in a try block, this
3602         would cause the phase to insert a Flush before one of the state bootstrapping
3603         SetLocals, which would generate invalid IR. Moving op_catch to be generated on
3604         its own at the end of a bytecode stream seemed like the most elegant solution since
3605         it better represents that we treat op_catch as an entrypoint. This is true
3606         both in the DFG and in the baseline and LLInt: we don't reach an op_catch
3607         via normal control flow. Because op_catch cannot throw, this will not break
3608         any previous semantics of op_catch. Logically, it'd be valid to split try
3609         blocks around any non-throwing bytecode operation.
3610
3611         * CMakeLists.txt:
3612         * JavaScriptCore.xcodeproj/project.pbxproj:
3613         * bytecode/BytecodeDumper.cpp:
3614         (JSC::BytecodeDumper<Block>::dumpBytecode):
3615         * bytecode/BytecodeList.json:
3616         * bytecode/BytecodeUseDef.h:
3617         (JSC::computeUsesForBytecodeOffset):
3618         * bytecode/CodeBlock.cpp:
3619         (JSC::CodeBlock::finishCreation):
3620         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
3621         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
3622         (JSC::CodeBlock::validate):
3623         * bytecode/CodeBlock.h:
3624         * bytecode/ValueProfile.h:
3625         (JSC::ValueProfile::ValueProfile):
3626         (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
3627         (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
3628         (JSC::ValueProfileAndOperandBuffer::forEach):
3629         * bytecompiler/BytecodeGenerator.cpp:
3630         (JSC::BytecodeGenerator::generate):
3631         (JSC::BytecodeGenerator::BytecodeGenerator):
3632         (JSC::BytecodeGenerator::emitCatch):
3633         (JSC::BytecodeGenerator::emitEnumeration):
3634         * bytecompiler/BytecodeGenerator.h:
3635         * bytecompiler/NodesCodegen.cpp:
3636         (JSC::TryNode::emitBytecode):
3637         * dfg/DFGAbstractInterpreterInlines.h:
3638         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3639         * dfg/DFGBackwardsCFG.h:
3640         (JSC::DFG::BackwardsCFG::BackwardsCFG):
3641         * dfg/DFGBasicBlock.cpp:
3642         (JSC::DFG::BasicBlock::BasicBlock):
3643         * dfg/DFGBasicBlock.h:
3644         (JSC::DFG::BasicBlock::findTerminal const):
3645         * dfg/DFGByteCodeParser.cpp:
3646         (JSC::DFG::ByteCodeParser::setDirect):
3647         (JSC::DFG::ByteCodeParser::flush):
3648         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
3649         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
3650         (JSC::DFG::ByteCodeParser::parseBlock):
3651         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3652         (JSC::DFG::ByteCodeParser::parse):
3653         * dfg/DFGCFG.h:
3654         (JSC::DFG::CFG::root):
3655         (JSC::DFG::CFG::roots):
3656         (JSC::DFG::CPSCFG::CPSCFG):
3657         (JSC::DFG::selectCFG):
3658         * dfg/DFGCPSRethreadingPhase.cpp:
3659         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
3660         * dfg/DFGCSEPhase.cpp:
3661         * dfg/DFGClobberize.h:
3662         (JSC::DFG::clobberize):
3663         * dfg/DFGControlEquivalenceAnalysis.h:
3664         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
3665         * dfg/DFGDCEPhase.cpp:
3666         (JSC::DFG::DCEPhase::run):
3667         * dfg/DFGDisassembler.cpp:
3668         (JSC::DFG::Disassembler::createDumpList):
3669         * dfg/DFGDoesGC.cpp:
3670         (JSC::DFG::doesGC):
3671         * dfg/DFGDominators.h:
3672         (JSC::DFG::Dominators::Dominators):
3673         (JSC::DFG::ensureDominatorsForCFG):
3674         * dfg/DFGEdgeDominates.h:
3675         (JSC::DFG::EdgeDominates::EdgeDominates):
3676         (JSC::DFG::EdgeDominates::operator()):
3677         * dfg/DFGFixupPhase.cpp:
3678         (JSC::DFG::FixupPhase::fixupNode):
3679         (JSC::DFG::FixupPhase::fixupChecksInBlock):
3680         * dfg/DFGFlushFormat.h:
3681         * dfg/DFGGraph.cpp:
3682         (JSC::DFG::Graph::Graph):
3683         (JSC::DFG::unboxLoopNode):
3684         (JSC::DFG::Graph::dumpBlockHeader):
3685         (JSC::DFG::Graph::dump):
3686         (JSC::DFG::Graph::determineReachability):
3687         (JSC::DFG::Graph::invalidateCFG):
3688         (JSC::DFG::Graph::blocksInPreOrder):
3689         (JSC::DFG::Graph::blocksInPostOrder):
3690         (JSC::DFG::Graph::ensureCPSDominators):
3691         (JSC::DFG::Graph::ensureSSADominators):
3692         (JSC::DFG::Graph::ensureCPSNaturalLoops):
3693         (JSC::DFG::Graph::ensureSSANaturalLoops):
3694         (JSC::DFG::Graph::ensureBackwardsCFG):
3695         (JSC::DFG::Graph::ensureBackwardsDominators):
3696         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
3697         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3698         (JSC::DFG::Graph::clearCPSCFGData):
3699         (JSC::DFG::Graph::ensureDominators): Deleted.
3700         (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
3701         (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
3702         * dfg/DFGGraph.h:
3703         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
3704         (JSC::DFG::Graph::isEntrypoint const):
3705         * dfg/DFGInPlaceAbstractState.cpp:
3706         (JSC::DFG::InPlaceAbstractState::initialize):
3707         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3708         * dfg/DFGJITCode.cpp:
3709         (JSC::DFG::JITCode::shrinkToFit):
3710         * dfg/DFGJITCode.h:
3711         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
3712         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
3713         (JSC::DFG::JITCode::appendCatchEntrypoint):
3714         * dfg/DFGJITCompiler.cpp:
3715         (JSC::DFG::JITCompiler::compile):
3716         (JSC::DFG::JITCompiler::compileFunction):
3717         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
3718         (JSC::DFG::JITCompiler::noticeOSREntry):
3719         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
3720         * dfg/DFGJITCompiler.h:
3721         * dfg/DFGLICMPhase.cpp:
3722         (JSC::DFG::LICMPhase::run):
3723         (JSC::DFG::LICMPhase::attemptHoist):
3724         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
3725         (JSC::DFG::LiveCatchVariablePreservationPhase::run):
3726         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
3727         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
3728         (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
3729         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
3730         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
3731         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
3732         (JSC::DFG::createPreHeader):
3733         (JSC::DFG::LoopPreHeaderCreationPhase::run):
3734         * dfg/DFGMaximalFlushInsertionPhase.cpp:
3735         (JSC::DFG::MaximalFlushInsertionPhase::run):
3736         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
3737         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
3738         * dfg/DFGMayExit.cpp:
3739         * dfg/DFGNaturalLoops.h:
3740         (JSC::DFG::NaturalLoops::NaturalLoops):
3741         * dfg/DFGNode.h:
3742         (JSC::DFG::Node::isSwitch const):
3743         (JSC::DFG::Node::successor):
3744         (JSC::DFG::Node::catchOSREntryIndex const):
3745         (JSC::DFG::Node::catchLocalPrediction):
3746         (JSC::DFG::Node::isSwitch): Deleted.
3747         * dfg/DFGNodeType.h:
3748         * dfg/DFGOSREntry.cpp:
3749         (JSC::DFG::prepareCatchOSREntry):
3750         * dfg/DFGOSREntry.h:
3751         * dfg/DFGOSREntrypointCreationPhase.cpp:
3752         (JSC::DFG::OSREntrypointCreationPhase::run):
3753         * dfg/DFGOSRExitCompilerCommon.cpp:
3754         (JSC::DFG::handleExitCounts):
3755         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3756         * dfg/DFGPlan.cpp:
3757         (JSC::DFG::Plan::compileInThreadImpl):
3758         * dfg/DFGPrePostNumbering.cpp:
3759         (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
3760         (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
3761         (WTF::printInternal): Deleted.
3762         * dfg/DFGPrePostNumbering.h:
3763         (): Deleted.
3764         (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
3765         (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
3766         (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
3767         (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
3768         (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
3769         (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
3770         (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
3771         * dfg/DFGPredictionInjectionPhase.cpp:
3772         (JSC::DFG::PredictionInjectionPhase::run):
3773         * dfg/DFGPredictionPropagationPhase.cpp:
3774         * dfg/DFGPutStackSinkingPhase.cpp:
3775         * dfg/DFGSSACalculator.cpp:
3776         (JSC::DFG::SSACalculator::nonLocalReachingDef):
3777         (JSC::DFG::SSACalculator::reachingDefAtTail):
3778         * dfg/DFGSSACalculator.h:
3779         (JSC::DFG::SSACalculator::computePhis):
3780         * dfg/DFGSSAConversionPhase.cpp:
3781         (JSC::DFG::SSAConversionPhase::run):
3782         (JSC::DFG::performSSAConversion):
3783         * dfg/DFGSafeToExecute.h:
3784         (JSC::DFG::safeToExecute):
3785         * dfg/DFGSpeculativeJIT.cpp:
3786         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3787         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
3788         (JSC::DFG::SpeculativeJIT::createOSREntries):
3789         (JSC::DFG::SpeculativeJIT::linkOSREntries):
3790         * dfg/DFGSpeculativeJIT32_64.cpp:
3791         (JSC::DFG::SpeculativeJIT::compile):
3792         * dfg/DFGSpeculativeJIT64.cpp:
3793         (JSC::DFG::SpeculativeJIT::compile):
3794         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
3795         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
3796         * dfg/DFGStrengthReductionPhase.cpp:
3797         (JSC::DFG::StrengthReductionPhase::handleNode):
3798         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3799         (JSC::DFG::TierUpCheckInjectionPhase::run):
3800         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
3801         * dfg/DFGTypeCheckHoistingPhase.cpp:
3802         (JSC::DFG::TypeCheckHoistingPhase::run):
3803         * dfg/DFGValidate.cpp:
3804         * ftl/FTLLink.cpp:
3805         (JSC::FTL::link):
3806         * ftl/FTLLowerDFGToB3.cpp:
3807         (JSC::FTL::DFG::LowerDFGToB3::lower):
3808         (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
3809         (JSC::FTL::DFG::LowerDFGToB3::isValid):
3810         * jit/JIT.h:
3811         * jit/JITInlines.h:
3812         (JSC::JIT::callOperation):
3813         * jit/JITOpcodes.cpp:
3814         (JSC::JIT::emit_op_catch):
3815         * jit/JITOpcodes32_64.cpp:
3816         (JSC::JIT::emit_op_catch):
3817         * jit/JITOperations.cpp:
3818         * jit/JITOperations.h:
3819         * llint/LLIntSlowPaths.cpp:
3820         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3821         * llint/LLIntSlowPaths.h:
3822         * llint/LowLevelInterpreter32_64.asm:
3823         * llint/LowLevelInterpreter64.asm:
3824
3825 2017-08-25  Keith Miller  <keith_miller@apple.com>
3826
3827         Explore increasing max JSString::m_length to UINT_MAX.
3828         https://bugs.webkit.org/show_bug.cgi?id=163955
3829         <rdar://problem/32001499>
3830
3831         Reviewed by JF Bastien.
3832
3833         This can cause us to release assert on some code paths. I don't
3834         see a reason to maintain this restriction.
3835
3836         * runtime/JSString.h:
3837         (JSC::JSString::length const):
3838         (JSC::JSString::setLength):
3839         (JSC::JSString::isValidLength): Deleted.
3840         * runtime/JSStringBuilder.h:
3841         (JSC::jsMakeNontrivialString):
3842
3843 2017-08-24  Commit Queue  <commit-queue@webkit.org>
3844
3845         Unreviewed, rolling out r221119, r221124, and r221143.
3846         https://bugs.webkit.org/show_bug.cgi?id=175973
3847
3848         "I think it regressed JSBench by 20%" (Requested by saamyjoon
3849         on #webkit).
3850
3851         Reverted changesets:
3852
3853         "Support compiling catch in the DFG"
3854         https://bugs.webkit.org/show_bug.cgi?id=174590
3855         http://trac.webkit.org/changeset/221119
3856
3857         "Unreviewed, build fix in GTK port"
3858         https://bugs.webkit.org/show_bug.cgi?id=174590
3859         http://trac.webkit.org/changeset/221124
3860
3861         "DFG::JITCode::osrEntry should get sorted since we perform a
3862         binary search on it"
3863         https://bugs.webkit.org/show_bug.cgi?id=175893
3864         http://trac.webkit.org/changeset/221143
3865
3866 2017-08-24  Michael Saboff  <msaboff@apple.com>
3867
3868         Enable moving fixed character class terms after fixed character terms for BMP only character classes
3869         https://bugs.webkit.org/show_bug.cgi?id=175958
3870
3871         Reviewed by Saam Barati.
3872
3873         Currently we don't perform the reordering optimization of fixed character terms that
3874         follow fixed character class terms for Unicode patterns.
3875
3876         This change allows that reordering when the character class contains only BMP
3877         characters.
3878
3879         This fix is covered by existing tests.
3880
3881         * yarr/YarrJIT.cpp:
3882         (JSC::Yarr::YarrGenerator::optimizeAlternative):
3883
3884 2017-08-24  Michael Saboff  <msaboff@apple.com>
3885
3886         Add support for RegExp "dotAll" flag
3887         https://bugs.webkit.org/show_bug.cgi?id=175924
3888
3889         Reviewed by Keith Miller.
3890
3891         The dotAll RegExp flag, 's', changes . to match any character including line terminators.
3892         Added the "dotAll" identifier as well as the RegExp.prototype.dotAll getter.
3893         Added a new any character CharacterClass that is used to match . terms in a dotAll flags
3894         RegExp.  In the YARR pattern and parsing code, changed the NewlineClassID, which was only
3895         used for '.' processing, to DotClassID.  The selection of which builtin character class
3896         t