[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-09-15  Saam Barati  <sbarati@apple.com>
2
3         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
4         https://bugs.webkit.org/show_bug.cgi?id=176981
5
6         Reviewed by Yusuke Suzuki.
7
8         This patch makes inline arity fixup happen in two phases:
9         1. We get all the values we need and MovHint them to the expected locals.
10         2. We SetLocal them inside the callee's CodeOrigin. This way, if we exit, the callee's
11            frame is already set up. If any SetLocal exits, we have a valid exit state.
12            This is required because if we didn't do this in two phases, we may exit in
13            the middle of arity fixup from the caller's CodeOrigin. This is unsound because if
14            we did the SetLocals in the caller's frame, the memcpy may clobber needed parts
15            of the frame right before exiting. For example, consider if we need to pad two args:
16            [arg3][arg2][arg1][arg0]
17            [fix ][fix ][arg3][arg2][arg1][arg0]
18            We memcpy starting from arg0 in the direction of arg3. If we were to exit at a type check
19            for arg3's SetLocal in the caller's CodeOrigin, we'd exit with a frame like so:
20            [arg3][arg2][arg1][arg2][arg1][arg0]
21            And the caller would then just end up thinking its arguments are:
22            [arg3][arg2][arg1][arg2]
23            which is incorrect.
24        
25        
26         This patch also fixes a couple of bugs in IdentityWithProfile:
27         1. The bytecode generator for this bytecode intrinsic was written incorrectly.
28            It needed to store the result of evaluating its argument in a temporary that
29            it creates. Otherwise, it might try to simply overwrite a constant
30            or a register that it didn't own.
31         2. We weren't eliminating this node in CSE inside the DFG.
32
33         * bytecompiler/NodesCodegen.cpp:
34         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
35         * dfg/DFGByteCodeParser.cpp:
36         (JSC::DFG::ByteCodeParser::inlineCall):
37         * dfg/DFGCSEPhase.cpp:
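The frame clobbering described in this entry, as an added simulation in C (not JSC code): the caller's four arguments are shifted by two padding slots in place, and an exit after three SetLocals is compared between the one-phase and the two-phase scheme. Slot indices, the PAD_VALUE and GARBAGE markers, and the argument values are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added simulation, not JSC code. The frame is an int array laid out like the
 * ChangeLog diagram: arg3 at index 0, arg0 at index 3, and arg_k holds the
 * value k. The callee needs PAD_ARGS extra slots, so every argument has to
 * move PAD_ARGS slots toward the high end of the array. */
#define CALLER_ARGS 4
#define PAD_ARGS    2
#define CALLEE_ARGS (CALLER_ARGS + PAD_ARGS)
#define PAD_VALUE   (-1)   /* stands for what the padding slots receive */
#define GARBAGE     99     /* whatever sits in slots nobody has written yet */

static void init_frame(int *frame)
{
    int i;
    for (i = 0; i < CALLER_ARGS; i++)
        frame[i] = CALLER_ARGS - 1 - i;          /* [3][2][1][0] */
    for (i = CALLER_ARGS; i < CALLEE_ARGS; i++)
        frame[i] = GARBAGE;
}

/* One-phase fixup (the bug): each SetLocal writes the frame in place, from
 * arg0 toward arg3, while the CodeOrigin is still the caller's. exit_after is
 * how many SetLocals complete before one fails its type check; the OSR exit
 * then hands the caller slots 0..CALLER_ARGS-1 exactly as they are. */
static int one_phase_slot(int exit_after, int slot)
{
    int frame[CALLEE_ARGS];
    int i, done;
    init_frame(frame);
    for (i = CALLER_ARGS - 1, done = 0; i >= 0 && done < exit_after; i--, done++)
        frame[i + PAD_ARGS] = frame[i];          /* the clobbering memcpy step */
    return frame[slot];
}

/* Two-phase fixup (the fix): phase 1 reads every argument into a temporary
 * (the MovHint'd values live in SSA nodes, not in the frame); phase 2 does the
 * SetLocals under the callee's CodeOrigin. When SetLocal number exit_after
 * exits, the exit state is the callee frame rebuilt from the phase-1 values,
 * so a half-written frame is never what the exit observes. */
static int two_phase_slot(int exit_after, int slot)
{
    int frame[CALLEE_ARGS], values[CALLER_ARGS];
    int i, done;
    init_frame(frame);
    memcpy(values, frame, sizeof values);        /* phase 1: MovHint */
    for (i = CALLER_ARGS - 1, done = 0; i >= 0; i--, done++) {
        if (done == exit_after) {                /* exit in callee's CodeOrigin */
            for (i = 0; i < PAD_ARGS; i++)
                frame[i] = PAD_VALUE;
            for (i = 0; i < CALLER_ARGS; i++)
                frame[i + PAD_ARGS] = values[i];
            return frame[slot];
        }
        frame[i + PAD_ARGS] = values[i];         /* phase 2: SetLocal */
    }
    for (i = 0; i < PAD_ARGS; i++)
        frame[i] = PAD_VALUE;                    /* fill the padding slots */
    return frame[slot];
}

static void print_view(const char *label, int (*slot_fn)(int, int),
                       int exit_after, int n)
{
    int i;
    printf("%-26s", label);
    for (i = 0; i < n; i++)
        printf("[%2d]", slot_fn(exit_after, i));
    printf("\n");
}

int main(void)
{
    /* Exit at arg3's SetLocal, i.e. after arg0, arg1 and arg2 were copied. */
    print_view("one-phase, caller sees:", one_phase_slot, 3, CALLER_ARGS);
    print_view("two-phase, callee sees:", two_phase_slot, 3, CALLEE_ARGS);
    return 0;
}
```

With exit_after set to 3 the one-phase caller view is [3][2][1][2], the corrupt frame from the entry; the two-phase callee view is whole for every exit point.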
38
39 2017-09-15  JF Bastien  <jfbastien@apple.com>
40
41         WTF: use Forward.h when appropriate instead of Vector.h
42         https://bugs.webkit.org/show_bug.cgi?id=176984
43
44         Reviewed by Saam Barati.
45
46         There's no need to include Vector.h when Forward.h will suffice. All we need is to move the template default parameters from Vector, and then the forward declaration can be used in so many new places: if a header only takes Vector by reference, rvalue reference, pointer, returns any of these, or has them as members then the header doesn't need to see the definition because the declaration will suffice.
47
48         * bytecode/HandlerInfo.h:
49         * heap/GCIncomingRefCounted.h:
50         * heap/GCSegmentedArray.h:
51         * wasm/js/JSWebAssemblyModule.h:
52
53 2017-09-14  Saam Barati  <sbarati@apple.com>
54
55         We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags
56         https://bugs.webkit.org/show_bug.cgi?id=176863
57
58         Reviewed by Keith Miller.
59
60         * CMakeLists.txt:
61         * JavaScriptCore.xcodeproj/project.pbxproj:
62         * runtime/ProxyObject.cpp:
63         (JSC::performProxyGet):
64         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
65         (JSC::ProxyObject::performHasProperty):
66         (JSC::ProxyObject::getOwnPropertySlotCommon):
67         (JSC::ProxyObject::performPut):
68         (JSC::performProxyCall):
69         (JSC::performProxyConstruct):
70         (JSC::ProxyObject::performDelete):
71         (JSC::ProxyObject::performPreventExtensions):
72         (JSC::ProxyObject::performIsExtensible):
73         (JSC::ProxyObject::performDefineOwnProperty):
74         (JSC::ProxyObject::performGetOwnPropertyNames):
75         (JSC::ProxyObject::performSetPrototype):
76         (JSC::ProxyObject::performGetPrototype):
77
78 2017-09-14  Saam Barati  <sbarati@apple.com>
79
80         Make dumping the graph print both when exitOK and when !exitOK
81         https://bugs.webkit.org/show_bug.cgi?id=176954
82
83         Reviewed by Keith Miller.
84
85         * dfg/DFGGraph.cpp:
86         (JSC::DFG::Graph::dump):
87
88 2017-09-14  Saam Barati  <sbarati@apple.com>
89
90         It should be valid to exit before each set when doing arity fixup when inlining
91         https://bugs.webkit.org/show_bug.cgi?id=176948
92
93         Reviewed by Keith Miller.
94
95         This patch makes it so that we can exit before each SetLocal when doing arity
96         fixup during inlining. This is OK because if we exit at any of these SetLocals,
97         we will simply exit to the beginning of the call instruction.
98         
99         Not doing this led to a bug where FixupPhase would insert a ValueRep of
100         a node before the actual node. This is obviously invalid IR. I've added
101         a new validation rule to catch this malformed IR.
102
103         * dfg/DFGByteCodeParser.cpp:
104         (JSC::DFG::ByteCodeParser::inliningCost):
105         (JSC::DFG::ByteCodeParser::inlineCall):
106         * dfg/DFGValidate.cpp:
107         * runtime/Options.h:
108
109 2017-09-14  Mark Lam  <mark.lam@apple.com>
110
111         AddressSanitizer: stack-buffer-underflow in JSC::Probe::Page::Page
112         https://bugs.webkit.org/show_bug.cgi?id=176874
113         <rdar://problem/34436415>
114
115         Reviewed by Saam Barati.
116
117         1. Make Probe::Stack play nice with ASan by:
118
119            a. using a local memcpy implementation that suppresses ASan on ASan builds.
120               We don't want to use std::memcpy() which validates stack memory because
121               we are intentionally copying stack memory beyond the current frame.
122
123            b. changing Stack::s_chunkSize to equal sizeof(uintptr_t) on ASan builds.
124               This ensures that Page::flushWrites() only writes stack memory that was
125               modified by a probe.  The probes should only modify stack memory that
126               belongs to JSC stack data structures.  We don't want to inadvertently
127               modify adjacent words that may belong to ASan (which may happen if
128               s_chunkSize is larger than sizeof(uintptr_t)).
129
130            c. fixing a bug in Page dirtyBits management for when the size of the value to
131               write is greater than s_chunkSize.  The fix is generic, but in practice,
132               this currently only manifests on 32-bit ASan builds because
133               sizeof(uintptr_t) and s_chunkSize are 32-bit, and we may write 64-bit
134               values.
135
136            d. making Page::m_dirtyBits 64 bits always.  This maximizes the number of
137               s_chunksPerPage we can have even on ASan builds.
138
139         2. Fixed the bottom-most Probe::Context and Probe::Stack get/set methods to use
140            std::memcpy to avoid strict aliasing issues.
141
142         3. Optimized the implementation of Page::physicalAddressFor().
143
144         4. Optimized the implementation of Stack::set() in the recording of the low
145            watermark.  We just record the lowest raw pointer now, and only compute the
146            alignment to its chunk boundary later when the low watermark is requested.
147
148         5. Changed a value in testmasm to make the test less vulnerable to rounding issues.
149
150         No new test needed because this is already covered by testmasm with ASan enabled.
151
152         * assembler/ProbeContext.h:
153         (JSC::Probe::CPUState::gpr const):
154         (JSC::Probe::CPUState::spr const):
155         (JSC::Probe::Context::gpr):
156         (JSC::Probe::Context::spr):
157         (JSC::Probe::Context::fpr):
158         (JSC::Probe::Context::gprName):
159         (JSC::Probe::Context::sprName):
160         (JSC::Probe::Context::fprName):
161         (JSC::Probe::Context::gpr const):
162         (JSC::Probe::Context::spr const):
163         (JSC::Probe::Context::fpr const):
164         (JSC::Probe::Context::pc):
165         (JSC::Probe::Context::fp):
166         (JSC::Probe::Context::sp):
167         (JSC::Probe:: const): Deleted.
168         * assembler/ProbeStack.cpp:
169         (JSC::Probe::copyStackPage):
170         (JSC::Probe::Page::Page):
171         (JSC::Probe::Page::flushWrites):
172         * assembler/ProbeStack.h:
173         (JSC::Probe::Page::get):
174         (JSC::Probe::Page::set):
175         (JSC::Probe::Page::dirtyBitFor):
176         (JSC::Probe::Page::physicalAddressFor):
177         (JSC::Probe::Stack::lowWatermark):
178         (JSC::Probe::Stack::get):
179         (JSC::Probe::Stack::set):
180         * assembler/testmasm.cpp:
181         (JSC::testProbeModifiesStackValues):
182
183 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
184
185         [JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed
186         https://bugs.webkit.org/show_bug.cgi?id=176917
187
188         Reviewed by Saam Barati.
189
190         * dfg/DFGByteCodeParser.cpp:
191         (JSC::DFG::ByteCodeParser::inliningCost):
192         * runtime/Options.h:
193
194 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
195
196         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
197         https://bugs.webkit.org/show_bug.cgi?id=176867
198
199         Reviewed by Sam Weinig.
200
201         We rarely require private symbols when enumerating property names.
202         This patch adds PrivateSymbolMode::{Include,Exclude}. If PrivateSymbolMode::Exclude
203         is specified, PropertyNameArray does not include private symbols.
204         This removes many ad-hoc `Identifier::isPrivateName()` in enumeration operations.
205
206         One additional good thing is that we do not need to filter private symbols out from PropertyNameArray.
207         It allows us to use Object.keys()'s fast path for Object.getOwnPropertySymbols.
208
209         object-get-own-property-symbols                48.6275+-1.0021     ^     38.1846+-1.7934        ^ definitely 1.2735x faster
210
211         * API/JSObjectRef.cpp:
212         (JSObjectCopyPropertyNames):
213         * bindings/ScriptValue.cpp:
214         (Inspector::jsToInspectorValue):
215         * bytecode/ObjectAllocationProfile.h:
216         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
217         * runtime/EnumerationMode.h:
218         * runtime/IntlObject.cpp:
219         (JSC::supportedLocales):
220         * runtime/JSONObject.cpp:
221         (JSC::Stringifier::Stringifier):
222         (JSC::Stringifier::Holder::appendNextProperty):
223         (JSC::Walker::walk):
224         * runtime/JSPropertyNameEnumerator.cpp:
225         (JSC::JSPropertyNameEnumerator::create):
226         * runtime/JSPropertyNameEnumerator.h:
227         (JSC::propertyNameEnumerator):
228         * runtime/ObjectConstructor.cpp:
229         (JSC::objectConstructorGetOwnPropertyDescriptors):
230         (JSC::objectConstructorAssign):
231         (JSC::objectConstructorValues):
232         (JSC::defineProperties):
233         (JSC::setIntegrityLevel):
234         (JSC::testIntegrityLevel):
235         (JSC::ownPropertyKeys):
236         * runtime/PropertyNameArray.h:
237         (JSC::PropertyNameArray::PropertyNameArray):
238         (JSC::PropertyNameArray::propertyNameMode const):
239         (JSC::PropertyNameArray::privateSymbolMode const):
240         (JSC::PropertyNameArray::addUncheckedInternal):
241         (JSC::PropertyNameArray::addUnchecked):
242         (JSC::PropertyNameArray::add):
243         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
244         (JSC::PropertyNameArray::includeSymbolProperties const):
245         (JSC::PropertyNameArray::includeStringProperties const):
246         (JSC::PropertyNameArray::mode const): Deleted.
247         * runtime/ProxyObject.cpp:
248         (JSC::ProxyObject::performGetOwnPropertyNames):
249
250 2017-09-13  Mark Lam  <mark.lam@apple.com>
251
252         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
253         https://bugs.webkit.org/show_bug.cgi?id=176888
254         <rdar://problem/34381832>
255
256         Not reviewed.
257
258         * JavaScriptCore.xcodeproj/project.pbxproj:
259         * assembler/MacroAssembler.cpp:
260         (JSC::stdFunctionCallback):
261         * assembler/MacroAssemblerPrinter.cpp:
262         (JSC::Printer::printCallback):
263         * assembler/ProbeContext.h:
264         (JSC::Probe:: const):
265         (JSC::Probe::Context::Context):
266         (JSC::Probe::Context::gpr):
267         (JSC::Probe::Context::spr):
268         (JSC::Probe::Context::fpr):
269         (JSC::Probe::Context::gprName):
270         (JSC::Probe::Context::sprName):
271         (JSC::Probe::Context::fprName):
272         (JSC::Probe::Context::pc):
273         (JSC::Probe::Context::fp):
274         (JSC::Probe::Context::sp):
275         (JSC::Probe::CPUState::gpr const): Deleted.
276         (JSC::Probe::CPUState::spr const): Deleted.
277         (JSC::Probe::Context::arg): Deleted.
278         (JSC::Probe::Context::gpr const): Deleted.
279         (JSC::Probe::Context::spr const): Deleted.
280         (JSC::Probe::Context::fpr const): Deleted.
281         * assembler/ProbeFrame.h: Removed.
282         * assembler/ProbeStack.cpp:
283         (JSC::Probe::Page::Page):
284         * assembler/ProbeStack.h:
285         (JSC::Probe::Page::get):
286         (JSC::Probe::Page::set):
287         (JSC::Probe::Page::physicalAddressFor):
288         (JSC::Probe::Stack::lowWatermark):
289         (JSC::Probe::Stack::get):
290         (JSC::Probe::Stack::set):
291         * bytecode/ArithProfile.cpp:
292         * bytecode/ArithProfile.h:
293         * bytecode/ArrayProfile.h:
294         (JSC::ArrayProfile::observeArrayMode): Deleted.
295         * bytecode/CodeBlock.cpp:
296         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted.
297         * bytecode/CodeBlock.h:
298         (JSC::CodeBlock::addressOfOSRExitCounter):
299         * bytecode/ExecutionCounter.h:
300         (JSC::ExecutionCounter::hasCrossedThreshold const): Deleted.
301         (JSC::ExecutionCounter::setNewThresholdForOSRExit): Deleted.
302         * bytecode/MethodOfGettingAValueProfile.cpp:
303         (JSC::MethodOfGettingAValueProfile::reportValue): Deleted.
304         * bytecode/MethodOfGettingAValueProfile.h:
305         * dfg/DFGDriver.cpp:
306         (JSC::DFG::compileImpl):
307         * dfg/DFGJITCode.cpp:
308         (JSC::DFG::JITCode::findPC):
309         * dfg/DFGJITCode.h:
310         * dfg/DFGJITCompiler.cpp:
311         (JSC::DFG::JITCompiler::linkOSRExits):
312         (JSC::DFG::JITCompiler::link):
313         * dfg/DFGOSRExit.cpp:
314         (JSC::DFG::OSRExit::setPatchableCodeOffset):
315         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const):
316         (JSC::DFG::OSRExit::codeLocationForRepatch const):
317         (JSC::DFG::OSRExit::correctJump):
318         (JSC::DFG::OSRExit::emitRestoreArguments):
319         (JSC::DFG::OSRExit::compileOSRExit):
320         (JSC::DFG::OSRExit::compileExit):
321         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
322         (JSC::DFG::jsValueFor): Deleted.
323         (JSC::DFG::restoreCalleeSavesFor): Deleted.
324         (JSC::DFG::saveCalleeSavesFor): Deleted.
325         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted.
326         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted.
327         (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted.
328         (JSC::DFG::createDirectArgumentsDuringExit): Deleted.
329         (JSC::DFG::createClonedArgumentsDuringExit): Deleted.
330         (JSC::DFG::emitRestoreArguments): Deleted.
331         (JSC::DFG::OSRExit::executeOSRExit): Deleted.
332         (JSC::DFG::reifyInlinedCallFrames): Deleted.
333         (JSC::DFG::adjustAndJumpToTarget): Deleted.
334         (JSC::DFG::printOSRExit): Deleted.
335         * dfg/DFGOSRExit.h:
336         (JSC::DFG::OSRExitState::OSRExitState): Deleted.
337         * dfg/DFGOSRExitCompilerCommon.cpp:
338         * dfg/DFGOSRExitCompilerCommon.h:
339         * dfg/DFGOperations.cpp:
340         * dfg/DFGOperations.h:
341         * dfg/DFGThunks.cpp:
342         (JSC::DFG::osrExitGenerationThunkGenerator):
343         (JSC::DFG::osrExitThunkGenerator): Deleted.
344         * dfg/DFGThunks.h:
345         * jit/AssemblyHelpers.cpp:
346         (JSC::AssemblyHelpers::debugCall):
347         * jit/AssemblyHelpers.h:
348         * jit/JITOperations.cpp:
349         * jit/JITOperations.h:
350         * profiler/ProfilerOSRExit.h:
351         (JSC::Profiler::OSRExit::incCount): Deleted.
352         * runtime/JSCJSValue.h:
353         * runtime/JSCJSValueInlines.h:
354         * runtime/VM.h:
355
356 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
357
358         [JSC] Move class/struct used in other class' member out of anonymous namespace
359         https://bugs.webkit.org/show_bug.cgi?id=176876
360
361         Reviewed by Saam Barati.
362
363         GCC warns if a class has a base or field whose type uses the anonymous namespace
364         and it is defined in an included file. This is because this possibly violates
365         one definition rule (ODR): if an included file has the anonymous namespace, each
366         translation unit creates its private anonymous namespace. Thus, each type
367         inside the anonymous namespace becomes different in each translation unit if
368         the file is included in multiple translation units.
369
370         While the current use in JSC is not violating ODR since these cpp files are included
371         only once for unified sources, specifying `-Wno-subobject-linkage` could miss
372         the actual bugs. So, in this patch, we just move related classes/structs out of
373         the anonymous namespace.
374
375         * dfg/DFGIntegerCheckCombiningPhase.cpp:
376         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::addition):
377         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::arrayBounds):
378         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator! const):
379         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::hash const):
380         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator== const):
381         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::dump const):
382         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::RangeKeyAndAddend):
383         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::operator! const):
384         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::dump const):
385         (JSC::DFG::IntegerCheckCombiningPhase::Range::dump const):
386         * dfg/DFGLICMPhase.cpp:
387
388 2017-09-13  Devin Rousso  <webkit@devinrousso.com>
389
390         Web Inspector: Event Listeners section does not update when listeners are added/removed
391         https://bugs.webkit.org/show_bug.cgi?id=170570
392         <rdar://problem/31501645>
393
394         Reviewed by Joseph Pecoraro.
395
396         * inspector/protocol/DOM.json:
397         Add two new events: "didAddEventListener" and "willRemoveEventListener". These events do not
398         contain any information about the event listeners that were added/removed. They serve more
399         as indications that something has changed, and to refetch the data again via `getEventListenersForNode`.
400
401 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
402
403         [JSC] Fix Array allocation in Object.keys
404         https://bugs.webkit.org/show_bug.cgi?id=176826
405
406         Reviewed by Saam Barati.
407
408         When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
409         We check isHavingABadTime() in the ownPropertyKeys fast path.
410         And we also ensure, by a test, that ownPropertyKeys uses the putDirect operation instead of put.
411
412         * runtime/ObjectConstructor.cpp:
413         (JSC::ownPropertyKeys):
414
415 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
416
417         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
418         https://bugs.webkit.org/show_bug.cgi?id=176010
419
420         Reviewed by Filip Pizlo.
421
422         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
423         It is used for meta property for objects (see peekMeta function in Ember.js).
424
425         This patch optimizes WeakMap#get.
426
427         1. We use inlineGet to inline WeakMap#get operation in the native function.
428         Since this native function itself is very small, we should inline HashMap#get
429         entirely in this function.
430
431         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
432         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
433         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
434         ObjectUse, and Int32Use.
435
436         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
437         calculate hash value for the key's Object and use this hash value to look up value from
438         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
439         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
440         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
441         patches.
442
443         We currently do not implement any other intrinsics (like WeakMap#has or WeakSet) because they are
444         not used in Ember.js right now.
445
446         This patch optimizes WeakMap#get by 50%.
447
448                                  baseline                  patched
449
450         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
451
452         * bytecode/DirectEvalCodeCache.h:
453         (JSC::DirectEvalCodeCache::tryGet):
454         * bytecode/SpeculatedType.cpp:
455         (JSC::dumpSpeculation):
456         (JSC::speculationFromClassInfo):
457         (JSC::speculationFromJSType):
458         (JSC::speculationFromString):
459         * bytecode/SpeculatedType.h:
460         * dfg/DFGAbstractInterpreterInlines.h:
461         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
462         * dfg/DFGByteCodeParser.cpp:
463         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
464         * dfg/DFGClobberize.h:
465         (JSC::DFG::clobberize):
466         * dfg/DFGDoesGC.cpp:
467         (JSC::DFG::doesGC):
468         * dfg/DFGFixupPhase.cpp:
469         (JSC::DFG::FixupPhase::fixupNode):
470         * dfg/DFGHeapLocation.cpp:
471         (WTF::printInternal):
472         * dfg/DFGHeapLocation.h:
473         * dfg/DFGNode.h:
474         (JSC::DFG::Node::hasHeapPrediction):
475         * dfg/DFGNodeType.h:
476         * dfg/DFGOperations.cpp:
477         * dfg/DFGOperations.h:
478         * dfg/DFGPredictionPropagationPhase.cpp:
479         * dfg/DFGSafeToExecute.h:
480         (JSC::DFG::SafeToExecuteEdge::operator()):
481         (JSC::DFG::safeToExecute):
482         * dfg/DFGSpeculativeJIT.cpp:
483         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
484         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
485         (JSC::DFG::SpeculativeJIT::speculate):
486         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
487         * dfg/DFGSpeculativeJIT.h:
488         (JSC::DFG::SpeculativeJIT::callOperation):
489         * dfg/DFGSpeculativeJIT32_64.cpp:
490         (JSC::DFG::SpeculativeJIT::compile):
491         * dfg/DFGSpeculativeJIT64.cpp:
492         (JSC::DFG::SpeculativeJIT::compile):
493         * dfg/DFGUseKind.cpp:
494         (WTF::printInternal):
495         * dfg/DFGUseKind.h:
496         (JSC::DFG::typeFilterFor):
497         (JSC::DFG::isCell):
498         * ftl/FTLCapabilities.cpp:
499         (JSC::FTL::canCompile):
500         * ftl/FTLLowerDFGToB3.cpp:
501         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
502         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
503         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
504         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
505         (JSC::FTL::DFG::LowerDFGToB3::speculate):
506         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
507         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
508         * jit/JITOperations.h:
509         * runtime/HashMapImpl.h:
510         (JSC::WeakMapHash::hash):
511         (JSC::WeakMapHash::equal):
512         * runtime/Intrinsic.cpp:
513         (JSC::intrinsicName):
514         * runtime/Intrinsic.h:
515         * runtime/JSType.h:
516         * runtime/JSWeakMap.h:
517         (JSC::isJSWeakMap):
518         * runtime/JSWeakSet.h:
519         (JSC::isJSWeakSet):
520         * runtime/WeakMapBase.cpp:
521         (JSC::WeakMapBase::get):
522         * runtime/WeakMapBase.h:
523         (JSC::WeakMapBase::HashTranslator::hash):
524         (JSC::WeakMapBase::HashTranslator::equal):
525         (JSC::WeakMapBase::inlineGet):
526         * runtime/WeakMapPrototype.cpp:
527         (JSC::WeakMapPrototype::finishCreation):
528         (JSC::getWeakMap):
529         (JSC::protoFuncWeakMapGet):
530         * runtime/WeakSetPrototype.cpp:
531         (JSC::getWeakSet):
532
533 2017-09-12  Keith Miller  <keith_miller@apple.com>
534
535         Rename JavaScriptCore CMake unifiable sources list
536         https://bugs.webkit.org/show_bug.cgi?id=176823
537
538         Reviewed by Joseph Pecoraro.
539
540         This patch also changes the error message when the unified source
541         bundler fails to be more accurate.
542
543         * CMakeLists.txt:
544
545 2017-09-12  Keith Miller  <keith_miller@apple.com>
546
547         Do unified source builds for JSC
548         https://bugs.webkit.org/show_bug.cgi?id=176076
549
550         Reviewed by Geoffrey Garen.
551
552         This patch switches the CMake JavaScriptCore build to use unified sources.
553         The Xcode build will be upgraded in a follow up patch.
554
555         Most of the source changes in this patch are fixing static
556         variable/functions name collisions. The most common collisions
557         were from our use of "static const bool verbose" and "using
558         namespace ...". I fixed all the verbose cases and fixed the "using
559         namespace" issues that occurred under the current bundling
560         strategy. It's likely that more of the "using namespace" issues
561         will need to be resolved in the future, particularly in the FTL.
562
563         I don't expect either of these problems will apply to other parts
564         of the project nearly as much as in JSC. Using a verbose variable
565         is a JSC idiom and JSC tends to use the same, canonical, class name
566         in multiple parts of the engine.
567
568         * CMakeLists.txt:
569         * b3/B3CheckSpecial.cpp:
570         (JSC::B3::CheckSpecial::forEachArg):
571         (JSC::B3::CheckSpecial::generate):
572         (JSC::B3::Air::numB3Args): Deleted.
573         * b3/B3DuplicateTails.cpp:
574         * b3/B3EliminateCommonSubexpressions.cpp:
575         * b3/B3FixSSA.cpp:
576         (JSC::B3::demoteValues):
577         * b3/B3FoldPathConstants.cpp:
578         * b3/B3InferSwitches.cpp:
579         * b3/B3LowerMacrosAfterOptimizations.cpp:
580         (): Deleted.
581         * b3/B3LowerToAir.cpp:
582         (JSC::B3::Air::LowerToAir::LowerToAir): Deleted.
583         (JSC::B3::Air::LowerToAir::run): Deleted.
584         (JSC::B3::Air::LowerToAir::shouldCopyPropagate): Deleted.
585         (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise): Deleted.
586         (JSC::B3::Air::LowerToAir::ArgPromise::swap): Deleted.
587         (JSC::B3::Air::LowerToAir::ArgPromise::operator=): Deleted.
588         (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise): Deleted.
589         (JSC::B3::Air::LowerToAir::ArgPromise::setTraps): Deleted.
590         (JSC::B3::Air::LowerToAir::ArgPromise::tmp): Deleted.
591         (JSC::B3::Air::LowerToAir::ArgPromise::operator bool const): Deleted.
592         (JSC::B3::Air::LowerToAir::ArgPromise::kind const): Deleted.
593         (JSC::B3::Air::LowerToAir::ArgPromise::peek const): Deleted.
594         (JSC::B3::Air::LowerToAir::ArgPromise::consume): Deleted.
595         (JSC::B3::Air::LowerToAir::ArgPromise::inst): Deleted.
596         (JSC::B3::Air::LowerToAir::tmp): Deleted.
597         (JSC::B3::Air::LowerToAir::tmpPromise): Deleted.
598         (JSC::B3::Air::LowerToAir::canBeInternal): Deleted.
599         (JSC::B3::Air::LowerToAir::commitInternal): Deleted.
600         (JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
601         (JSC::B3::Air::LowerToAir::scaleForShl): Deleted.
602         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
603         (JSC::B3::Air::LowerToAir::addr): Deleted.
604         (JSC::B3::Air::LowerToAir::trappingInst): Deleted.
605         (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode): Deleted.
606         (JSC::B3::Air::LowerToAir::loadPromise): Deleted.
607         (JSC::B3::Air::LowerToAir::imm): Deleted.
608         (JSC::B3::Air::LowerToAir::bitImm): Deleted.
609         (JSC::B3::Air::LowerToAir::bitImm64): Deleted.
610         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
611         (JSC::B3::Air::LowerToAir::tryOpcodeForType): Deleted.
612         (JSC::B3::Air::LowerToAir::opcodeForType): Deleted.
613         (JSC::B3::Air::LowerToAir::appendUnOp): Deleted.
614         (JSC::B3::Air::LowerToAir::preferRightForResult): Deleted.
615         (JSC::B3::Air::LowerToAir::appendBinOp): Deleted.
616         (JSC::B3::Air::LowerToAir::appendShift): Deleted.
617         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp): Deleted.
618         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): Deleted.
619         (JSC::B3::Air::LowerToAir::createStore): Deleted.
620         (JSC::B3::Air::LowerToAir::storeOpcode): Deleted.
621         (JSC::B3::Air::LowerToAir::appendStore): Deleted.
622         (JSC::B3::Air::LowerToAir::moveForType): Deleted.
623         (JSC::B3::Air::LowerToAir::relaxedMoveForType): Deleted.
624         (JSC::B3::Air::LowerToAir::print): Deleted.
625         (JSC::B3::Air::LowerToAir::append): Deleted.
626         (JSC::B3::Air::LowerToAir::appendTrapping): Deleted.
627         (JSC::B3::Air::LowerToAir::finishAppendingInstructions): Deleted.
628         (JSC::B3::Air::LowerToAir::newBlock): Deleted.
629         (JSC::B3::Air::LowerToAir::splitBlock): Deleted.
630         (JSC::B3::Air::LowerToAir::ensureSpecial): Deleted.
631         (JSC::B3::Air::LowerToAir::ensureCheckSpecial): Deleted.
632         (JSC::B3::Air::LowerToAir::fillStackmap): Deleted.
633         (JSC::B3::Air::LowerToAir::createGenericCompare): Deleted.
634         (JSC::B3::Air::LowerToAir::createBranch): Deleted.
635         (JSC::B3::Air::LowerToAir::createCompare): Deleted.
636         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
637         (JSC::B3::Air::LowerToAir::tryAppendLea): Deleted.
638         (JSC::B3::Air::LowerToAir::appendX86Div): Deleted.
639         (JSC::B3::Air::LowerToAir::appendX86UDiv): Deleted.
640         (JSC::B3::Air::LowerToAir::loadLinkOpcode): Deleted.
641         (JSC::B3::Air::LowerToAir::storeCondOpcode): Deleted.
642         (JSC::B3::Air::LowerToAir::appendCAS): Deleted.
643         (JSC::B3::Air::LowerToAir::appendVoidAtomic): Deleted.
644         (JSC::B3::Air::LowerToAir::appendGeneralAtomic): Deleted.
645         (JSC::B3::Air::LowerToAir::lower): Deleted.
646         * b3/B3PatchpointSpecial.cpp:
647         (JSC::B3::PatchpointSpecial::generate):
648         * b3/B3ReduceDoubleToFloat.cpp:
649         (JSC::B3::reduceDoubleToFloat):
650         * b3/B3ReduceStrength.cpp:
651         * b3/B3StackmapGenerationParams.cpp:
652         * b3/B3StackmapSpecial.cpp:
653         (JSC::B3::StackmapSpecial::repsImpl):
654         (JSC::B3::StackmapSpecial::repForArg):
655         * b3/air/AirAllocateStackByGraphColoring.cpp:
656         (JSC::B3::Air::allocateStackByGraphColoring):
657         * b3/air/AirEmitShuffle.cpp:
658         (JSC::B3::Air::emitShuffle):
659         * b3/air/AirFixObviousSpills.cpp:
660         * b3/air/AirLowerAfterRegAlloc.cpp:
661         (JSC::B3::Air::lowerAfterRegAlloc):
662         * b3/air/AirStackAllocation.cpp:
663         (JSC::B3::Air::attemptAssignment):
664         (JSC::B3::Air::assign):
665         * bytecode/AccessCase.cpp:
666         (JSC::AccessCase::generateImpl):
667         * bytecode/CallLinkStatus.cpp:
668         (JSC::CallLinkStatus::computeDFGStatuses):
669         * bytecode/GetterSetterAccessCase.cpp:
670         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
671         * bytecode/ObjectPropertyConditionSet.cpp:
672         * bytecode/PolymorphicAccess.cpp:
673         (JSC::PolymorphicAccess::addCases):
674         (JSC::PolymorphicAccess::regenerate):
675         * bytecode/PropertyCondition.cpp:
676         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
677         * bytecode/StructureStubInfo.cpp:
678         (JSC::StructureStubInfo::addAccessCase):
679         * dfg/DFGArgumentsEliminationPhase.cpp:
680         * dfg/DFGByteCodeParser.cpp:
681         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
682         (JSC::DFG::ByteCodeParser::inliningCost):
683         (JSC::DFG::ByteCodeParser::inlineCall):
684         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
685         (JSC::DFG::ByteCodeParser::handleInlining):
686         (JSC::DFG::ByteCodeParser::planLoad):
687         (JSC::DFG::ByteCodeParser::store):
688         (JSC::DFG::ByteCodeParser::parseBlock):
689         (JSC::DFG::ByteCodeParser::linkBlock):
690         (JSC::DFG::ByteCodeParser::linkBlocks):
691         * dfg/DFGCSEPhase.cpp:
692         * dfg/DFGInPlaceAbstractState.cpp:
693         (JSC::DFG::InPlaceAbstractState::merge):
694         * dfg/DFGIntegerCheckCombiningPhase.cpp:
695         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
696         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
697         * dfg/DFGMovHintRemovalPhase.cpp:
698         * dfg/DFGObjectAllocationSinkingPhase.cpp:
699         * dfg/DFGPhantomInsertionPhase.cpp:
700         * dfg/DFGPutStackSinkingPhase.cpp:
701         * dfg/DFGStoreBarrierInsertionPhase.cpp:
702         * dfg/DFGVarargsForwardingPhase.cpp:
703         * ftl/FTLAbstractHeap.cpp:
704         (JSC::FTL::AbstractHeap::compute):
705         * ftl/FTLAbstractHeapRepository.cpp:
706         (JSC::FTL::AbstractHeapRepository::decorateMemory):
707         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
708         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
709         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
710         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
711         (JSC::FTL::AbstractHeapRepository::decorateFenceRead):
712         (JSC::FTL::AbstractHeapRepository::decorateFenceWrite):
713         (JSC::FTL::AbstractHeapRepository::decorateFencedAccess):
714         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
715         * ftl/FTLLink.cpp:
716         (JSC::FTL::link):
717         * heap/MarkingConstraintSet.cpp:
718         (JSC::MarkingConstraintSet::add):
719         * interpreter/ShadowChicken.cpp:
720         (JSC::ShadowChicken::update):
721         * jit/BinarySwitch.cpp:
722         (JSC::BinarySwitch::BinarySwitch):
723         (JSC::BinarySwitch::build):
724         * llint/LLIntData.cpp:
725         (JSC::LLInt::Data::loadStats):
726         (JSC::LLInt::Data::saveStats):
727         * runtime/ArrayPrototype.cpp:
728         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
729         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
730         * runtime/ErrorInstance.cpp:
731         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
732         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
733         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame const): Deleted.
734         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index const): Deleted.
735         * runtime/IntlDateTimeFormat.cpp:
736         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
737         * runtime/PromiseDeferredTimer.cpp:
738         (JSC::PromiseDeferredTimer::doWork):
739         (JSC::PromiseDeferredTimer::addPendingPromise):
740         (JSC::PromiseDeferredTimer::cancelPendingPromise):
741         * runtime/TypeProfiler.cpp:
742         (JSC::TypeProfiler::insertNewLocation):
743         * runtime/TypeProfilerLog.cpp:
744         (JSC::TypeProfilerLog::processLogEntries):
745         * runtime/WeakMapPrototype.cpp:
746         (JSC::protoFuncWeakMapDelete):
747         (JSC::protoFuncWeakMapGet):
748         (JSC::protoFuncWeakMapHas):
749         (JSC::protoFuncWeakMapSet):
750         (JSC::getWeakMapData): Deleted.
751         * runtime/WeakSetPrototype.cpp:
752         (JSC::protoFuncWeakSetDelete):
753         (JSC::protoFuncWeakSetHas):
754         (JSC::protoFuncWeakSetAdd):
755         (JSC::getWeakMapData): Deleted.
756         * testRegExp.cpp:
757         (testOneRegExp):
758         (runFromFiles):
759         * wasm/WasmB3IRGenerator.cpp:
760         (JSC::Wasm::parseAndCompile):
761         * wasm/WasmBBQPlan.cpp:
762         (JSC::Wasm::BBQPlan::moveToState):
763         (JSC::Wasm::BBQPlan::parseAndValidateModule):
764         (JSC::Wasm::BBQPlan::prepare):
765         (JSC::Wasm::BBQPlan::compileFunctions):
766         (JSC::Wasm::BBQPlan::complete):
767         * wasm/WasmFaultSignalHandler.cpp:
768         (JSC::Wasm::trapHandler):
769         * wasm/WasmOMGPlan.cpp:
770         (JSC::Wasm::OMGPlan::OMGPlan):
771         (JSC::Wasm::OMGPlan::work):
772         * wasm/WasmPlan.cpp:
773         (JSC::Wasm::Plan::fail):
774         * wasm/WasmSignature.cpp:
775         (JSC::Wasm::SignatureInformation::adopt):
776         * wasm/WasmWorklist.cpp:
777         (JSC::Wasm::Worklist::enqueue):
778
779 2017-09-12  Michael Saboff  <msaboff@apple.com>
780
781         String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp
782         https://bugs.webkit.org/show_bug.cgi?id=176814
783
784         Reviewed by Mark Lam.
785
786         The copy and advance indices were off by one and needed a little fine tuning.
787
788         * runtime/StringPrototype.cpp:
789         (JSC::substituteBackreferencesSlow):
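
        Added example, not part of this patch or of JavaScriptCore's own code: a reference
        implementation of the ECMAScript GetSubstitution algorithm that String.prototype.replace
        uses to expand "$" patterns in a replacement template. It is here to make the cursor
        bookkeeping explicit: every "$" pattern must consume exactly the characters it handled,
        and when the RegExp has no named groups a "$<" must be copied literally and advance by
        exactly two characters, otherwise stray characters such as an extra "<" end up in the
        result. The helper names (getSubstitution, replaceFirst, agreesWithNative) are this
        example's own, not JSC's.

```javascript
// Added example, not JSC code: reference implementation of GetSubstitution
// (the algorithm behind String.prototype.replace's "$" templates).
//
// captures: positional captures (group 1 first; entries may be undefined).
// namedCaptures: the match's groups object, or undefined when the RegExp has
// no named groups, which is the case the fixed bug concerned.
function getSubstitution(matched, str, position, captures, namedCaptures, template) {
  const m = captures.length;
  const tailPos = position + matched.length;
  const isDigit = (c) => c !== undefined && c >= "0" && c <= "9";
  let result = "";
  let i = 0;
  while (i < template.length) {
    const ch = template[i];
    const next = template[i + 1];
    if (ch !== "$" || next === undefined) {
      result += ch; i += 1; continue;          // ordinary character, or a trailing "$"
    }
    if (next === "$") { result += "$"; i += 2; continue; }
    if (next === "&") { result += matched; i += 2; continue; }
    if (next === "`") { result += str.slice(0, position); i += 2; continue; }
    if (next === "'") { result += str.slice(tailPos); i += 2; continue; }
    if (isDigit(next)) {
      // Prefer the two-digit form $nn when it names an existing group,
      // otherwise fall back to $n. Out-of-range references stay literal.
      let index = Number(next);
      let digitCount = 1;
      if (isDigit(template[i + 2])) {
        const two = Number(next + template[i + 2]);
        if (two >= 1 && two <= m) { index = two; digitCount = 2; }
      }
      if (index >= 1 && index <= m) {
        const cap = captures[index - 1];
        result += cap === undefined ? "" : String(cap);
        i += 1 + digitCount;                    // consume "$" plus the digits used
      } else {
        result += "$"; i += 1;                  // digits are copied by later iterations
      }
      continue;
    }
    if (next === "<") {
      if (namedCaptures === undefined) {
        // No named groups: "$<" is literal and exactly two characters are
        // consumed, so the following "name>" is copied once, unchanged.
        result += "$<"; i += 2; continue;
      }
      const close = template.indexOf(">", i + 2);
      if (close === -1) { result += "$<"; i += 2; continue; }   // unterminated: literal
      const cap = namedCaptures[template.slice(i + 2, close)];
      result += cap === undefined ? "" : String(cap);
      i = close + 1;                            // skip past the closing ">"
      continue;
    }
    result += "$"; i += 1;                      // "$" followed by anything else is literal
  }
  return result;
}

// Replace the first match of `re` in `str` using getSubstitution, mirroring
// what String.prototype.replace does for a non-global RegExp.
function replaceFirst(str, re, template) {
  const match = re.exec(str);
  if (match === null) return str;
  const head = str.slice(0, match.index);
  const tail = str.slice(match.index + match[0].length);
  const expanded = getSubstitution(match[0], str, match.index, match.slice(1), match.groups, template);
  return head + expanded + tail;
}

// True when the reference implementation agrees with the engine's own replace.
function agreesWithNative(str, re, template) {
  return replaceFirst(str, re, template) === str.replace(re, template);
}

// Constructed inputs: the bug's own shape is a "$<name>" template used with a
// RegExp that has no named captures; the spec result is the literal "$<x>".
console.log(replaceFirst("abc", /b/, "$<x>"));          // a$<x>c
console.log(replaceFirst("abc", /(?<x>b)/, "[$<x>]"));  // a[b]c
console.log(agreesWithNative("abc", /b/, "$<x>"));      // true
```

        The agreesWithNative check is the useful regression probe: it compares this reference
        expansion with the running engine's String.prototype.replace on the same inputs.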
790
791 2017-09-11  Mark Lam  <mark.lam@apple.com>
792
793         More exception check book-keeping needed found by 32-bit JSC test failures.
794         https://bugs.webkit.org/show_bug.cgi?id=176742
795
796         Reviewed by Michael Saboff and Keith Miller.
797
798         * dfg/DFGOperations.cpp:
799
800 2017-09-11  Mark Lam  <mark.lam@apple.com>
801
802         Make jsc dump the command line if JSC_dumpOption environment variable is set with a non-zero value.
803         https://bugs.webkit.org/show_bug.cgi?id=176722
804
805         Reviewed by Saam Barati.
806
807         For PLATFORM(COCOA), I also dumped the JSC_* environment variables that are
808         in effect when jsc is invoked.
809
810         * jsc.cpp:
811         (CommandLine::parseArguments):
812
813 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
814
815         Unreviewed, rolling out r221854.
816
817         The test added with this change fails on 32-bit JSC bots.
818
819         Reverted changeset:
820
821         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
822         https://bugs.webkit.org/show_bug.cgi?id=176010
823         http://trac.webkit.org/changeset/221854
824
825 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
826
827         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
828         https://bugs.webkit.org/show_bug.cgi?id=176010
829
830         Reviewed by Filip Pizlo.
831
832         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
833         It is used for the meta property of objects (see peekMeta function in Ember.js).
834
835         This patch optimizes WeakMap#get.
836
837         1. We use inlineGet to inline WeakMap#get operation in the native function.
838         Since this native function itself is very small, we should inline HashMap#get
839         entirely in this function.
840
841         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
842         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
843         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
844         ObjectUse, and Int32Use.
845
846         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
847         calculate hash value for the key's Object and use this hash value to look up value from
848         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
849         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
850         But anyway, the current one already optimizes the performance, so we leave this for subsequent
851         patches.
852
853         We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
854         not used in Ember.js right now.
855
856         This patch optimizes WeakMap#get by 50%.
857
858                                  baseline                  patched
859
860         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
861
862         * bytecode/DirectEvalCodeCache.h:
863         (JSC::DirectEvalCodeCache::tryGet):
864         * bytecode/SpeculatedType.cpp:
865         (JSC::dumpSpeculation):
866         (JSC::speculationFromClassInfo):
867         (JSC::speculationFromJSType):
868         (JSC::speculationFromString):
869         * bytecode/SpeculatedType.h:
870         * dfg/DFGAbstractInterpreterInlines.h:
871         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
872         * dfg/DFGByteCodeParser.cpp:
873         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
874         * dfg/DFGClobberize.h:
875         (JSC::DFG::clobberize):
876         * dfg/DFGDoesGC.cpp:
877         (JSC::DFG::doesGC):
878         * dfg/DFGFixupPhase.cpp:
879         (JSC::DFG::FixupPhase::fixupNode):
880         * dfg/DFGHeapLocation.cpp:
881         (WTF::printInternal):
882         * dfg/DFGHeapLocation.h:
883         * dfg/DFGNode.h:
884         (JSC::DFG::Node::hasHeapPrediction):
885         * dfg/DFGNodeType.h:
886         * dfg/DFGOperations.cpp:
887         * dfg/DFGOperations.h:
888         * dfg/DFGPredictionPropagationPhase.cpp:
889         * dfg/DFGSafeToExecute.h:
890         (JSC::DFG::SafeToExecuteEdge::operator()):
891         (JSC::DFG::safeToExecute):
892         * dfg/DFGSpeculativeJIT.cpp:
893         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
894         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
895         (JSC::DFG::SpeculativeJIT::speculate):
896         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
897         * dfg/DFGSpeculativeJIT.h:
898         (JSC::DFG::SpeculativeJIT::callOperation):
899         * dfg/DFGSpeculativeJIT32_64.cpp:
900         (JSC::DFG::SpeculativeJIT::compile):
901         * dfg/DFGSpeculativeJIT64.cpp:
902         (JSC::DFG::SpeculativeJIT::compile):
903         * dfg/DFGUseKind.cpp:
904         (WTF::printInternal):
905         * dfg/DFGUseKind.h:
906         (JSC::DFG::typeFilterFor):
907         (JSC::DFG::isCell):
908         * ftl/FTLCapabilities.cpp:
909         (JSC::FTL::canCompile):
910         * ftl/FTLLowerDFGToB3.cpp:
911         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
912         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
913         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
914         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
915         (JSC::FTL::DFG::LowerDFGToB3::speculate):
916         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
917         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
918         * jit/JITOperations.h:
919         * runtime/Intrinsic.cpp:
920         (JSC::intrinsicName):
921         * runtime/Intrinsic.h:
922         * runtime/JSType.h:
923         * runtime/JSWeakMap.h:
924         (JSC::isJSWeakMap):
925         * runtime/JSWeakSet.h:
926         (JSC::isJSWeakSet):
927         * runtime/WeakMapBase.cpp:
928         (JSC::WeakMapBase::get):
929         * runtime/WeakMapBase.h:
930         (JSC::WeakMapBase::HashTranslator::hash):
931         (JSC::WeakMapBase::HashTranslator::equal):
932         (JSC::WeakMapBase::inlineGet):
933         * runtime/WeakMapPrototype.cpp:
934         (JSC::WeakMapPrototype::finishCreation):
935         (JSC::getWeakMap):
936         (JSC::protoFuncWeakMapGet):
937         * runtime/WeakSetPrototype.cpp:
938         (JSC::getWeakSet):
939
940 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
941
942         [JSC] Optimize Object.keys by using careful array allocation
943         https://bugs.webkit.org/show_bug.cgi?id=176654
944
945         Reviewed by Darin Adler.
946
947         SixSpeed object-assign.es6 stresses Object.keys. Object.keys is one of the frequently used
948         functions in JS apps. Luckily Object.keys has several good features.
949
950         1. Once PropertyNameArray is allocated, we know the length of the result array since
951         we do not need to filter out keys listed in PropertyNameArray. The exception is ProxyObject,
952         but it rarely appears. The ProxyObject case goes to the generic path.
953
954         2. Object.keys does not need to access the object after listing PropertyNameArray. It means
955         that we do not need to worry about enumeration attribute changes caused by touching the object.
956
957         This patch adds a fast path for Object.keys's array allocation. We allocate the JSArray
958         with the size and ArrayContiguous indexing shape.
959
960         This further improves SixSpeed object-assign.es5 by 13%.
961
962                                             baseline                  patched
963         Microbenchmarks:
964            object-keys-map-values       73.4324+-2.5397     ^     62.5933+-2.6677        ^ definitely 1.1732x faster
965            object-keys                  40.8828+-1.5851     ^     29.2066+-1.8944        ^ definitely 1.3998x faster
966
967                                             baseline                  patched
968         SixSpeed:
969            object-assign.es5           384.8719+-10.7204    ^    340.2734+-12.0947       ^ definitely 1.1311x faster
970
971         BTW, a further optimization of Object.keys can be considered: introducing an own property keys
972         cache which is similar to the current enumeration cache. But this patch is orthogonal to
973         that optimization!
974
975         * runtime/ObjectConstructor.cpp:
976         (JSC::objectConstructorValues):
977         (JSC::ownPropertyKeys):
978         * runtime/ObjectConstructor.h:
979
980 2017-09-10  Mark Lam  <mark.lam@apple.com>
981
982         Fix all ExceptionScope verification failures in JavaScriptCore.
983         https://bugs.webkit.org/show_bug.cgi?id=176662
984         <rdar://problem/34352085>
985
986         Reviewed by Filip Pizlo.
987
988         1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope
989            verification for release builds too (though this requires manually setting
990            ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).
991
992            This is useful because it allows us to run the tests more quickly to check
993            if any regressions have occurred.  Debug builds run so much slower and are not
994            good for a quick turnaround.  Debug builds are necessary though to get
995            trace information without inlining by the C++ compiler.  This is necessary to
996            diagnose where the missing exception check is.
997
998         2. Repurposed the JSC_dumpSimulatedThrows=true option to capture and dump the last
999            simulated throw when an exception scope verification fails.
1000
1001            Previously, this option dumped the stack trace on all simulated throws.  That
1002            turned out to not be very useful, and slows down the debugging process.
1003            Instead, the new implementation captures the stack trace and only dumps it
1004            if we have a verification failure.
1005
1006         3. Fixed missing exception checks and book-keeping needed to allow the JSC tests
1007            to pass with JSC_validateExceptionChecks=true.
1008
1009         * bytecode/CodeBlock.cpp:
1010         (JSC::CodeBlock::finishCreation):
1011         * dfg/DFGOSRExit.cpp:
1012         (JSC::DFG::OSRExit::executeOSRExit):
1013         * dfg/DFGOperations.cpp:
1014         * interpreter/Interpreter.cpp:
1015         (JSC::eval):
1016         (JSC::loadVarargs):
1017         (JSC::Interpreter::unwind):
1018         (JSC::Interpreter::executeProgram):
1019         (JSC::Interpreter::executeCall):
1020         (JSC::Interpreter::executeConstruct):
1021         (JSC::Interpreter::prepareForRepeatCall):
1022         (JSC::Interpreter::execute):
1023         (JSC::Interpreter::executeModuleProgram):
1024         * jit/JITOperations.cpp:
1025         (JSC::getByVal):
1026         * jsc.cpp:
1027         (WTF::CustomGetter::customGetterAcessor):
1028         (GlobalObject::moduleLoaderImportModule):
1029         (GlobalObject::moduleLoaderResolve):
1030         * llint/LLIntSlowPaths.cpp:
1031         (JSC::LLInt::getByVal):
1032         (JSC::LLInt::setUpCall):
1033         * parser/Parser.h:
1034         (JSC::Parser::popScopeInternal):
1035         * runtime/AbstractModuleRecord.cpp:
1036         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1037         (JSC::AbstractModuleRecord::resolveImport):
1038         (JSC::AbstractModuleRecord::resolveExportImpl):
1039         (JSC::getExportedNames):
1040         (JSC::AbstractModuleRecord::getModuleNamespace):
1041         * runtime/ArrayPrototype.cpp:
1042         (JSC::getProperty):
1043         (JSC::unshift):
1044         (JSC::arrayProtoFuncToString):
1045         (JSC::arrayProtoFuncToLocaleString):
1046         (JSC::arrayProtoFuncJoin):
1047         (JSC::arrayProtoFuncPop):
1048         (JSC::arrayProtoFuncPush):
1049         (JSC::arrayProtoFuncReverse):
1050         (JSC::arrayProtoFuncShift):
1051         (JSC::arrayProtoFuncSlice):
1052         (JSC::arrayProtoFuncSplice):
1053         (JSC::arrayProtoFuncUnShift):
1054         (JSC::arrayProtoFuncIndexOf):
1055         (JSC::arrayProtoFuncLastIndexOf):
1056         (JSC::concatAppendOne):
1057         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1058         (JSC::arrayProtoPrivateFuncAppendMemcpy):
1059         * runtime/CatchScope.h:
1060         * runtime/CommonSlowPaths.cpp:
1061         (JSC::SLOW_PATH_DECL):
1062         * runtime/DatePrototype.cpp:
1063         (JSC::dateProtoFuncSetTime):
1064         (JSC::setNewValueFromTimeArgs):
1065         * runtime/DirectArguments.h:
1066         (JSC::DirectArguments::length const):
1067         * runtime/ErrorPrototype.cpp:
1068         (JSC::errorProtoFuncToString):
1069         * runtime/ExceptionFuzz.cpp:
1070         (JSC::doExceptionFuzzing):
1071         * runtime/ExceptionScope.h:
1072         (JSC::ExceptionScope::needExceptionCheck):
1073         (JSC::ExceptionScope::assertNoException):
1074         * runtime/GenericArgumentsInlines.h:
1075         (JSC::GenericArguments<Type>::defineOwnProperty):
1076         * runtime/HashMapImpl.h:
1077         (JSC::HashMapImpl::rehash):
1078         * runtime/IntlDateTimeFormat.cpp:
1079         (JSC::IntlDateTimeFormat::formatToParts):
1080         * runtime/JSArray.cpp:
1081         (JSC::JSArray::defineOwnProperty):
1082         (JSC::JSArray::put):
1083         * runtime/JSCJSValue.cpp:
1084         (JSC::JSValue::putToPrimitive):
1085         (JSC::JSValue::putToPrimitiveByIndex):
1086         * runtime/JSCJSValueInlines.h:
1087         (JSC::JSValue::toIndex const):
1088         (JSC::JSValue::get const):
1089         (JSC::JSValue::getPropertySlot const):
1090         (JSC::JSValue::equalSlowCaseInline):
1091         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1092         (JSC::constructGenericTypedArrayViewFromIterator):
1093         (JSC::constructGenericTypedArrayViewWithArguments):
1094         * runtime/JSGenericTypedArrayViewInlines.h:
1095         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1096         * runtime/JSGlobalObject.cpp:
1097         (JSC::JSGlobalObject::put):
1098         * runtime/JSGlobalObjectFunctions.cpp:
1099         (JSC::decode):
1100         (JSC::globalFuncEval):
1101         (JSC::globalFuncProtoGetter):
1102         (JSC::globalFuncProtoSetter):
1103         (JSC::globalFuncImportModule):
1104         * runtime/JSInternalPromise.cpp:
1105         (JSC::JSInternalPromise::then):
1106         * runtime/JSInternalPromiseDeferred.cpp:
1107         (JSC::JSInternalPromiseDeferred::create):
1108         * runtime/JSJob.cpp:
1109         (JSC::JSJobMicrotask::run):
1110         * runtime/JSModuleEnvironment.cpp:
1111         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1112         (JSC::JSModuleEnvironment::put):
1113         (JSC::JSModuleEnvironment::deleteProperty):
1114         * runtime/JSModuleLoader.cpp:
1115         (JSC::JSModuleLoader::provide):
1116         (JSC::JSModuleLoader::loadAndEvaluateModule):
1117         (JSC::JSModuleLoader::loadModule):
1118         (JSC::JSModuleLoader::linkAndEvaluateModule):
1119         (JSC::JSModuleLoader::requestImportModule):
1120         * runtime/JSModuleRecord.cpp:
1121         (JSC::JSModuleRecord::link):
1122         (JSC::JSModuleRecord::instantiateDeclarations):
1123         * runtime/JSONObject.cpp:
1124         (JSC::Stringifier::stringify):
1125         (JSC::Stringifier::toJSON):
1126         (JSC::JSONProtoFuncParse):
1127         * runtime/JSObject.cpp:
1128         (JSC::JSObject::calculatedClassName):
1129         (JSC::ordinarySetSlow):
1130         (JSC::JSObject::putInlineSlow):
1131         (JSC::JSObject::ordinaryToPrimitive const):
1132         (JSC::JSObject::toPrimitive const):
1133         (JSC::JSObject::hasInstance):
1134         (JSC::JSObject::getPropertyNames):
1135         (JSC::JSObject::toNumber const):
1136         (JSC::JSObject::defineOwnIndexedProperty):
1137         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1138         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1139         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1140         (JSC::validateAndApplyPropertyDescriptor):
1141         (JSC::JSObject::defineOwnNonIndexProperty):
1142         (JSC::JSObject::getGenericPropertyNames):
1143         * runtime/JSObject.h:
1144         (JSC::JSObject::get const):
1145         * runtime/JSObjectInlines.h:
1146         (JSC::JSObject::getPropertySlot const):
1147         (JSC::JSObject::getPropertySlot):
1148         (JSC::JSObject::getNonIndexPropertySlot):
1149         (JSC::JSObject::putInlineForJSObject):
1150         * runtime/JSPromiseConstructor.cpp:
1151         (JSC::constructPromise):
1152         * runtime/JSPromiseDeferred.cpp:
1153         (JSC::JSPromiseDeferred::create):
1154         * runtime/JSScope.cpp:
1155         (JSC::abstractAccess):
1156         (JSC::JSScope::resolve):
1157         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
1158         (JSC::JSScope::abstractResolve):
1159         * runtime/LiteralParser.cpp:
1160         (JSC::LiteralParser<CharType>::tryJSONPParse):
1161         (JSC::LiteralParser<CharType>::parse):
1162         * runtime/Lookup.h:
1163         (JSC::putEntry):
1164         * runtime/MapConstructor.cpp:
1165         (JSC::constructMap):
1166         * runtime/NumberPrototype.cpp:
1167         (JSC::numberProtoFuncToString):
1168         * runtime/ObjectConstructor.cpp:
1169         (JSC::objectConstructorSetPrototypeOf):
1170         (JSC::objectConstructorGetOwnPropertyDescriptor):
1171         (JSC::objectConstructorGetOwnPropertyDescriptors):
1172         (JSC::objectConstructorAssign):
1173         (JSC::objectConstructorValues):
1174         (JSC::toPropertyDescriptor):
1175         (JSC::objectConstructorDefineProperty):
1176         (JSC::defineProperties):
1177         (JSC::objectConstructorDefineProperties):
1178         (JSC::ownPropertyKeys):
1179         * runtime/ObjectPrototype.cpp:
1180         (JSC::objectProtoFuncHasOwnProperty):
1181         (JSC::objectProtoFuncIsPrototypeOf):
1182         (JSC::objectProtoFuncLookupGetter):
1183         (JSC::objectProtoFuncLookupSetter):
1184         (JSC::objectProtoFuncToLocaleString):
1185         (JSC::objectProtoFuncToString):
1186         * runtime/Options.h:
1187         * runtime/ParseInt.h:
1188         (JSC::toStringView):
1189         * runtime/ProxyObject.cpp:
1190         (JSC::performProxyGet):
1191         (JSC::ProxyObject::performPut):
1192         * runtime/ReflectObject.cpp:
1193         (JSC::reflectObjectDefineProperty):
1194         * runtime/RegExpConstructor.cpp:
1195         (JSC::toFlags):
1196         (JSC::regExpCreate):
1197         (JSC::constructRegExp):
1198         * runtime/RegExpObject.cpp:
1199         (JSC::collectMatches):
1200         * runtime/RegExpObjectInlines.h:
1201         (JSC::RegExpObject::execInline):
1202         (JSC::RegExpObject::matchInline):
1203         * runtime/RegExpPrototype.cpp:
1204         (JSC::regExpProtoFuncTestFast):
1205         (JSC::regExpProtoFuncExec):
1206         (JSC::regExpProtoFuncMatchFast):
1207         (JSC::regExpProtoFuncToString):
1208         (JSC::regExpProtoFuncSplitFast):
1209         * runtime/ScriptExecutable.cpp:
1210         (JSC::ScriptExecutable::newCodeBlockFor):
1211         (JSC::ScriptExecutable::prepareForExecutionImpl):
1212         * runtime/SetConstructor.cpp:
1213         (JSC::constructSet):
1214         * runtime/ThrowScope.cpp:
1215         (JSC::ThrowScope::simulateThrow):
1216         * runtime/VM.cpp:
1217         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1218         * runtime/VM.h:
1219         * runtime/WeakMapPrototype.cpp:
1220         (JSC::protoFuncWeakMapSet):
1221         * runtime/WeakSetPrototype.cpp:
1222         (JSC::protoFuncWeakSetAdd):
1223         * wasm/js/WebAssemblyModuleConstructor.cpp:
1224         (JSC::WebAssemblyModuleConstructor::createModule):
1225         * wasm/js/WebAssemblyModuleRecord.cpp:
1226         (JSC::WebAssemblyModuleRecord::link):
1227         * wasm/js/WebAssemblyPrototype.cpp:
1228         (JSC::reject):
1229         (JSC::webAssemblyCompileFunc):
1230         (JSC::resolve):
1231         (JSC::webAssemblyInstantiateFunc):
1232
1233 2017-09-08  Filip Pizlo  <fpizlo@apple.com>
1234
1235         Error should compute .stack and friends lazily
1236         https://bugs.webkit.org/show_bug.cgi?id=176645
1237
1238         Reviewed by Saam Barati.
1239         
1240         Building the string portion of the stack trace after we walk the stack accounts for most of
1241         the cost of computing the .stack property. So, this patch makes ErrorInstance hold onto the
1242         Vector<StackFrame> so that it can build the string only once it's really needed.
1243         
1244         This is an enormous speed-up for programs that allocate and throw exceptions.
1245         
1246         It's a 5.6x speed-up for "new Error()" with a stack that is 4 functions deep.
1247         
1248         It's a 2.2x speed-up for throwing and catching an Error.
1249         
1250         It's a 1.17x speed-up for the WSL test suite (which throws a lot).
1251         
1252         It's a significant speed-up on many of our existing try-catch microbenchmarks. For example,
1253         delta-blue-try-catch is 1.16x faster.
1254
1255         * interpreter/Interpreter.cpp:
1256         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
1257         (JSC::GetStackTraceFunctor::operator() const):
1258         (JSC::Interpreter::getStackTrace):
1259         * interpreter/Interpreter.h:
1260         * runtime/Error.cpp:
1261         (JSC::getStackTrace):
1262         (JSC::getBytecodeOffset):
1263         (JSC::addErrorInfo):
1264         (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
1265         * runtime/Error.h:
1266         * runtime/ErrorInstance.cpp:
1267         (JSC::ErrorInstance::ErrorInstance):
1268         (JSC::ErrorInstance::finishCreation):
1269         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1270         (JSC::ErrorInstance::visitChildren):
1271         (JSC::ErrorInstance::getOwnPropertySlot):
1272         (JSC::ErrorInstance::getOwnNonIndexPropertyNames):
1273         (JSC::ErrorInstance::defineOwnProperty):
1274         (JSC::ErrorInstance::put):
1275         (JSC::ErrorInstance::deleteProperty):
1276         * runtime/ErrorInstance.h:
1277         * runtime/Exception.cpp:
1278         (JSC::Exception::visitChildren):
1279         (JSC::Exception::finishCreation):
1280         * runtime/Exception.h:
1281         * runtime/StackFrame.cpp:
1282         (JSC::StackFrame::visitChildren):
1283         * runtime/StackFrame.h:
1284         (JSC::StackFrame::StackFrame):
1285
1286 2017-09-09  Mark Lam  <mark.lam@apple.com>
1287
1288         [Re-landing] Use JIT probes for DFG OSR exit.
1289         https://bugs.webkit.org/show_bug.cgi?id=175144
1290         <rdar://problem/33437050>
1291
1292         Not reviewed.  Original patch reviewed by Saam Barati.
1293
1294         Relanding r221774.
1295
1296         * JavaScriptCore.xcodeproj/project.pbxproj:
1297         * assembler/MacroAssembler.cpp:
1298         (JSC::stdFunctionCallback):
1299         * assembler/MacroAssemblerPrinter.cpp:
1300         (JSC::Printer::printCallback):
1301         * assembler/ProbeContext.h:
1302         (JSC::Probe::CPUState::gpr const):
1303         (JSC::Probe::CPUState::spr const):
1304         (JSC::Probe::Context::Context):
1305         (JSC::Probe::Context::arg):
1306         (JSC::Probe::Context::gpr):
1307         (JSC::Probe::Context::spr):
1308         (JSC::Probe::Context::fpr):
1309         (JSC::Probe::Context::gprName):
1310         (JSC::Probe::Context::sprName):
1311         (JSC::Probe::Context::fprName):
1312         (JSC::Probe::Context::gpr const):
1313         (JSC::Probe::Context::spr const):
1314         (JSC::Probe::Context::fpr const):
1315         (JSC::Probe::Context::pc):
1316         (JSC::Probe::Context::fp):
1317         (JSC::Probe::Context::sp):
1318         (JSC::Probe:: const): Deleted.
1319         * assembler/ProbeFrame.h: Copied from Source/JavaScriptCore/assembler/ProbeFrame.h.
1320         * assembler/ProbeStack.cpp:
1321         (JSC::Probe::Page::Page):
1322         * assembler/ProbeStack.h:
1323         (JSC::Probe::Page::get):
1324         (JSC::Probe::Page::set):
1325         (JSC::Probe::Page::physicalAddressFor):
1326         (JSC::Probe::Stack::lowWatermark):
1327         (JSC::Probe::Stack::get):
1328         (JSC::Probe::Stack::set):
1329         * bytecode/ArithProfile.cpp:
1330         * bytecode/ArithProfile.h:
1331         * bytecode/ArrayProfile.h:
1332         (JSC::ArrayProfile::observeArrayMode):
1333         * bytecode/CodeBlock.cpp:
1334         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1335         * bytecode/CodeBlock.h:
1336         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
1337         * bytecode/ExecutionCounter.h:
1338         (JSC::ExecutionCounter::hasCrossedThreshold const):
1339         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
1340         * bytecode/MethodOfGettingAValueProfile.cpp:
1341         (JSC::MethodOfGettingAValueProfile::reportValue):
1342         * bytecode/MethodOfGettingAValueProfile.h:
1343         * dfg/DFGDriver.cpp:
1344         (JSC::DFG::compileImpl):
1345         * dfg/DFGJITCode.cpp:
1346         (JSC::DFG::JITCode::findPC): Deleted.
1347         * dfg/DFGJITCode.h:
1348         * dfg/DFGJITCompiler.cpp:
1349         (JSC::DFG::JITCompiler::linkOSRExits):
1350         (JSC::DFG::JITCompiler::link):
1351         * dfg/DFGOSRExit.cpp:
1352         (JSC::DFG::jsValueFor):
1353         (JSC::DFG::restoreCalleeSavesFor):
1354         (JSC::DFG::saveCalleeSavesFor):
1355         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
1356         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1357         (JSC::DFG::saveOrCopyCalleeSavesFor):
1358         (JSC::DFG::createDirectArgumentsDuringExit):
1359         (JSC::DFG::createClonedArgumentsDuringExit):
1360         (JSC::DFG::OSRExit::OSRExit):
1361         (JSC::DFG::emitRestoreArguments):
1362         (JSC::DFG::OSRExit::executeOSRExit):
1363         (JSC::DFG::reifyInlinedCallFrames):
1364         (JSC::DFG::adjustAndJumpToTarget):
1365         (JSC::DFG::printOSRExit):
1366         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
1367         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
1368         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
1369         (JSC::DFG::OSRExit::correctJump): Deleted.
1370         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
1371         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
1372         (JSC::DFG::OSRExit::compileExit): Deleted.
1373         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
1374         * dfg/DFGOSRExit.h:
1375         (JSC::DFG::OSRExitState::OSRExitState):
1376         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
1377         * dfg/DFGOSRExitCompilerCommon.cpp:
1378         * dfg/DFGOSRExitCompilerCommon.h:
1379         * dfg/DFGOperations.cpp:
1380         * dfg/DFGOperations.h:
1381         * dfg/DFGThunks.cpp:
1382         (JSC::DFG::osrExitThunkGenerator):
1383         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
1384         * dfg/DFGThunks.h:
1385         * jit/AssemblyHelpers.cpp:
1386         (JSC::AssemblyHelpers::debugCall): Deleted.
1387         * jit/AssemblyHelpers.h:
1388         * jit/JITOperations.cpp:
1389         * jit/JITOperations.h:
1390         * profiler/ProfilerOSRExit.h:
1391         (JSC::Profiler::OSRExit::incCount):
1392         * runtime/JSCJSValue.h:
1393         * runtime/JSCJSValueInlines.h:
1394         * runtime/VM.h:
1395
1396 2017-09-09  Ryan Haddad  <ryanhaddad@apple.com>
1397
1398         Unreviewed, rolling out r221774.
1399
1400         This change introduced three debug JSC test timeouts.
1401
1402         Reverted changeset:
1403
1404         "Use JIT probes for DFG OSR exit."
1405         https://bugs.webkit.org/show_bug.cgi?id=175144
1406         http://trac.webkit.org/changeset/221774
1407
1408 2017-09-09  Mark Lam  <mark.lam@apple.com>
1409
1410         Avoid duplicate computations of ExecState::vm().
1411         https://bugs.webkit.org/show_bug.cgi?id=176647
1412
1413         Reviewed by Saam Barati.
1414
1415         Because while computing ExecState::vm() is cheap, it is not free.
1416
1417         This patch also:
1418         1. gets rid of some convenience methods in CallFrame that implicitly do an
1419            ExecState::vm() computation.  This minimizes the chance of us accidentally
1420            computing ExecState::vm() more than necessary.
1421         2. passes vm (when available) to methodTable().
1422         3. passes vm (when available) to JSLockHolder.
1423
1424         * API/JSBase.cpp:
1425         (JSCheckScriptSyntax):
1426         (JSGarbageCollect):
1427         (JSReportExtraMemoryCost):
1428         (JSSynchronousGarbageCollectForDebugging):
1429         (JSSynchronousEdenCollectForDebugging):
1430         * API/JSCallbackConstructor.h:
1431         (JSC::JSCallbackConstructor::create):
1432         * API/JSCallbackObject.h:
1433         (JSC::JSCallbackObject::create):
1434         * API/JSContext.mm:
1435         (-[JSContext setException:]):
1436         * API/JSContextRef.cpp:
1437         (JSContextGetGlobalObject):
1438         (JSContextCreateBacktrace):
1439         * API/JSManagedValue.mm:
1440         (-[JSManagedValue value]):
1441         * API/JSObjectRef.cpp:
1442         (JSObjectMake):
1443         (JSObjectMakeFunctionWithCallback):
1444         (JSObjectMakeConstructor):
1445         (JSObjectMakeFunction):
1446         (JSObjectSetPrototype):
1447         (JSObjectHasProperty):
1448         (JSObjectGetProperty):
1449         (JSObjectSetProperty):
1450         (JSObjectSetPropertyAtIndex):
1451         (JSObjectDeleteProperty):
1452         (JSObjectGetPrivateProperty):
1453         (JSObjectSetPrivateProperty):
1454         (JSObjectDeletePrivateProperty):
1455         (JSObjectIsFunction):
1456         (JSObjectCallAsFunction):
1457         (JSObjectCallAsConstructor):
1458         (JSObjectCopyPropertyNames):
1459         (JSPropertyNameAccumulatorAddName):
1460         * API/JSScriptRef.cpp:
1461         * API/JSTypedArray.cpp:
1462         (JSValueGetTypedArrayType):
1463         (JSObjectMakeTypedArrayWithArrayBuffer):
1464         (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
1465         (JSObjectGetTypedArrayBytesPtr):
1466         (JSObjectGetTypedArrayBuffer):
1467         (JSObjectMakeArrayBufferWithBytesNoCopy):
1468         (JSObjectGetArrayBufferBytesPtr):
1469         * API/JSWeakObjectMapRefPrivate.cpp:
1470         * API/JSWrapperMap.mm:
1471         (constructorHasInstance):
1472         (makeWrapper):
1473         * API/ObjCCallbackFunction.mm:
1474         (objCCallbackFunctionForInvocation):
1475         * bytecode/CodeBlock.cpp:
1476         (JSC::CodeBlock::CodeBlock):
1477         (JSC::CodeBlock::jettison):
1478         * bytecode/CodeBlock.h:
1479         (JSC::CodeBlock::addConstant):
1480         (JSC::CodeBlock::replaceConstant):
1481         * bytecode/PutByIdStatus.cpp:
1482         (JSC::PutByIdStatus::computeFromLLInt):
1483         (JSC::PutByIdStatus::computeFor):
1484         * dfg/DFGDesiredWatchpoints.cpp:
1485         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
1486         * dfg/DFGGraph.h:
1487         (JSC::DFG::Graph::globalThisObjectFor):
1488         * dfg/DFGOperations.cpp:
1489         * ftl/FTLOSRExitCompiler.cpp:
1490         (JSC::FTL::compileFTLOSRExit):
1491         * ftl/FTLOperations.cpp:
1492         (JSC::FTL::operationPopulateObjectInOSR):
1493         (JSC::FTL::operationMaterializeObjectInOSR):
1494         * heap/GCAssertions.h:
1495         * inspector/InjectedScriptHost.cpp:
1496         (Inspector::InjectedScriptHost::wrapper):
1497         * inspector/JSInjectedScriptHost.cpp:
1498         (Inspector::JSInjectedScriptHost::subtype):
1499         (Inspector::constructInternalProperty):
1500         (Inspector::JSInjectedScriptHost::getInternalProperties):
1501         (Inspector::JSInjectedScriptHost::weakMapEntries):
1502         (Inspector::JSInjectedScriptHost::weakSetEntries):
1503         (Inspector::JSInjectedScriptHost::iteratorEntries):
1504         * inspector/JSJavaScriptCallFrame.cpp:
1505         (Inspector::valueForScopeLocation):
1506         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
1507         (Inspector::toJS):
1508         * inspector/ScriptCallStackFactory.cpp:
1509         (Inspector::extractSourceInformationFromException):
1510         (Inspector::createScriptArguments):
1511         * interpreter/CachedCall.h:
1512         (JSC::CachedCall::CachedCall):
1513         * interpreter/CallFrame.h:
1514         (JSC::ExecState::atomicStringTable const): Deleted.
1515         (JSC::ExecState::propertyNames const): Deleted.
1516         (JSC::ExecState::emptyList const): Deleted.
1517         (JSC::ExecState::interpreter): Deleted.
1518         (JSC::ExecState::heap): Deleted.
1519         * interpreter/Interpreter.cpp:
1520         (JSC::Interpreter::executeProgram):
1521         (JSC::Interpreter::execute):
1522         (JSC::Interpreter::executeModuleProgram):
1523         * jit/JIT.cpp:
1524         (JSC::JIT::privateCompileMainPass):
1525         * jit/JITOperations.cpp:
1526         * jit/JITWorklist.cpp:
1527         (JSC::JITWorklist::compileNow):
1528         * jsc.cpp:
1529         (WTF::RuntimeArray::create):
1530         (WTF::RuntimeArray::getOwnPropertySlot):
1531         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
1532         (WTF::DOMJITFunctionObject::unsafeFunction):
1533         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
1534         (GlobalObject::moduleLoaderFetch):
1535         (functionDumpCallFrame):
1536         (functionCreateRoot):
1537         (functionGetElement):
1538         (functionSetElementRoot):
1539         (functionCreateSimpleObject):
1540         (functionSetHiddenValue):
1541         (functionCreateProxy):
1542         (functionCreateImpureGetter):
1543         (functionCreateCustomGetterObject):
1544         (functionCreateDOMJITNodeObject):
1545         (functionCreateDOMJITGetterObject):
1546         (functionCreateDOMJITGetterComplexObject):
1547         (functionCreateDOMJITFunctionObject):
1548         (functionCreateDOMJITCheckSubClassObject):
1549         (functionGCAndSweep):
1550         (functionFullGC):
1551         (functionEdenGC):
1552         (functionHeapSize):
1553         (functionShadowChickenFunctionsOnStack):
1554         (functionSetGlobalConstRedeclarationShouldNotThrow):
1555         (functionJSCOptions):
1556         (functionFailNextNewCodeBlock):
1557         (functionMakeMasquerader):
1558         (functionDumpTypesForAllVariables):
1559         (functionFindTypeForExpression):
1560         (functionReturnTypeFor):
1561         (functionDumpBasicBlockExecutionRanges):
1562         (functionBasicBlockExecutionCount):
1563         (functionDrainMicrotasks):
1564         (functionGenerateHeapSnapshot):
1565         (functionEnsureArrayStorage):
1566         (functionStartSamplingProfiler):
1567         (runInteractive):
1568         * llint/LLIntSlowPaths.cpp:
1569         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1570         * parser/ModuleAnalyzer.cpp:
1571         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1572         * profiler/ProfilerBytecode.cpp:
1573         (JSC::Profiler::Bytecode::toJS const):
1574         * profiler/ProfilerBytecodeSequence.cpp:
1575         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
1576         * profiler/ProfilerBytecodes.cpp:
1577         (JSC::Profiler::Bytecodes::toJS const):
1578         * profiler/ProfilerCompilation.cpp:
1579         (JSC::Profiler::Compilation::toJS const):
1580         * profiler/ProfilerCompiledBytecode.cpp:
1581         (JSC::Profiler::CompiledBytecode::toJS const):
1582         * profiler/ProfilerDatabase.cpp:
1583         (JSC::Profiler::Database::toJS const):
1584         * profiler/ProfilerEvent.cpp:
1585         (JSC::Profiler::Event::toJS const):
1586         * profiler/ProfilerOSRExit.cpp:
1587         (JSC::Profiler::OSRExit::toJS const):
1588         * profiler/ProfilerOrigin.cpp:
1589         (JSC::Profiler::Origin::toJS const):
1590         * profiler/ProfilerProfiledBytecodes.cpp:
1591         (JSC::Profiler::ProfiledBytecodes::toJS const):
1592         * runtime/AbstractModuleRecord.cpp:
1593         (JSC::identifierToJSValue):
1594         (JSC::AbstractModuleRecord::resolveExportImpl):
1595         (JSC::getExportedNames):
1596         * runtime/ArrayPrototype.cpp:
1597         (JSC::arrayProtoFuncToString):
1598         (JSC::arrayProtoFuncToLocaleString):
1599         * runtime/BooleanConstructor.cpp:
1600         (JSC::constructBooleanFromImmediateBoolean):
1601         * runtime/CallData.cpp:
1602         (JSC::call):
1603         * runtime/CommonSlowPaths.cpp:
1604         (JSC::SLOW_PATH_DECL):
1605         * runtime/CommonSlowPaths.h:
1606         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1607         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1608         * runtime/Completion.cpp:
1609         (JSC::checkSyntax):
1610         (JSC::evaluate):
1611         (JSC::loadAndEvaluateModule):
1612         (JSC::loadModule):
1613         (JSC::linkAndEvaluateModule):
1614         (JSC::importModule):
1615         * runtime/ConstructData.cpp:
1616         (JSC::construct):
1617         * runtime/DatePrototype.cpp:
1618         (JSC::dateProtoFuncToJSON):
1619         * runtime/DirectArguments.h:
1620         (JSC::DirectArguments::length const):
1621         * runtime/DirectEvalExecutable.cpp:
1622         (JSC::DirectEvalExecutable::create):
1623         * runtime/ErrorPrototype.cpp:
1624         (JSC::errorProtoFuncToString):
1625         * runtime/ExceptionHelpers.cpp:
1626         (JSC::createUndefinedVariableError):
1627         (JSC::errorDescriptionForValue):
1628         * runtime/FunctionConstructor.cpp:
1629         (JSC::constructFunction):
1630         * runtime/GenericArgumentsInlines.h:
1631         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1632         * runtime/IdentifierInlines.h:
1633         (JSC::Identifier::add):
1634         * runtime/IndirectEvalExecutable.cpp:
1635         (JSC::IndirectEvalExecutable::create):
1636         * runtime/InternalFunction.cpp:
1637         (JSC::InternalFunction::finishCreation):
1638         (JSC::InternalFunction::createSubclassStructureSlow):
1639         * runtime/JSArray.cpp:
1640         (JSC::JSArray::getOwnPropertySlot):
1641         (JSC::JSArray::put):
1642         (JSC::JSArray::deleteProperty):
1643         (JSC::JSArray::getOwnNonIndexPropertyNames):
1644         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
1645         * runtime/JSArray.h:
1646         (JSC::JSArray::shiftCountForShift):
1647         * runtime/JSCJSValue.cpp:
1648         (JSC::JSValue::dumpForBacktrace const):
1649         * runtime/JSDataView.cpp:
1650         (JSC::JSDataView::getOwnPropertySlot):
1651         (JSC::JSDataView::deleteProperty):
1652         (JSC::JSDataView::getOwnNonIndexPropertyNames):
1653         * runtime/JSFunction.cpp:
1654         (JSC::JSFunction::getOwnPropertySlot):
1655         (JSC::JSFunction::deleteProperty):
1656         (JSC::JSFunction::reifyName):
1657         * runtime/JSGlobalObjectFunctions.cpp:
1658         (JSC::globalFuncEval):
1659         * runtime/JSInternalPromise.cpp:
1660         (JSC::JSInternalPromise::then):
1661         * runtime/JSLexicalEnvironment.cpp:
1662         (JSC::JSLexicalEnvironment::deleteProperty):
1663         * runtime/JSMap.cpp:
1664         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
1665         * runtime/JSMapIterator.h:
1666         (JSC::JSMapIterator::advanceIter):
1667         * runtime/JSModuleEnvironment.cpp:
1668         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
1669         * runtime/JSModuleLoader.cpp:
1670         (JSC::printableModuleKey):
1671         (JSC::JSModuleLoader::provide):
1672         (JSC::JSModuleLoader::loadAndEvaluateModule):
1673         (JSC::JSModuleLoader::loadModule):
1674         (JSC::JSModuleLoader::linkAndEvaluateModule):
1675         (JSC::JSModuleLoader::requestImportModule):
1676         * runtime/JSModuleNamespaceObject.h:
1677         * runtime/JSModuleRecord.cpp:
1678         (JSC::JSModuleRecord::evaluate):
1679         * runtime/JSONObject.cpp:
1680         (JSC::Stringifier::Stringifier):
1681         (JSC::Stringifier::appendStringifiedValue):
1682         (JSC::Stringifier::Holder::appendNextProperty):
1683         * runtime/JSObject.cpp:
1684         (JSC::JSObject::calculatedClassName):
1685         (JSC::JSObject::putByIndex):
1686         (JSC::JSObject::ordinaryToPrimitive const):
1687         (JSC::JSObject::toPrimitive const):
1688         (JSC::JSObject::hasInstance):
1689         (JSC::JSObject::getOwnPropertyNames):
1690         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1691         (JSC::getCustomGetterSetterFunctionForGetterSetter):
1692         (JSC::JSObject::getOwnPropertyDescriptor):
1693         (JSC::JSObject::getMethod):
1694         * runtime/JSObject.h:
1695         (JSC::JSObject::createRawObject):
1696         (JSC::JSFinalObject::create):
1697         * runtime/JSObjectInlines.h:
1698         (JSC::JSObject::canPerformFastPutInline):
1699         (JSC::JSObject::putInlineForJSObject):
1700         (JSC::JSObject::hasOwnProperty const):
1701         * runtime/JSScope.cpp:
1702         (JSC::isUnscopable):
1703         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
1704         * runtime/JSSet.cpp:
1705         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
1706         * runtime/JSSetIterator.h:
1707         (JSC::JSSetIterator::advanceIter):
1708         * runtime/JSString.cpp:
1709         (JSC::JSString::getStringPropertyDescriptor):
1710         * runtime/JSString.h:
1711         (JSC::JSString::getStringPropertySlot):
1712         * runtime/MapConstructor.cpp:
1713         (JSC::constructMap):
1714         * runtime/ModuleProgramExecutable.cpp:
1715         (JSC::ModuleProgramExecutable::create):
1716         * runtime/ObjectPrototype.cpp:
1717         (JSC::objectProtoFuncToLocaleString):
1718         * runtime/ProgramExecutable.h:
1719         * runtime/RegExpObject.cpp:
1720         (JSC::RegExpObject::getOwnPropertySlot):
1721         (JSC::RegExpObject::deleteProperty):
1722         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
1723         (JSC::RegExpObject::getPropertyNames):
1724         (JSC::RegExpObject::getGenericPropertyNames):
1725         (JSC::RegExpObject::put):
1726         * runtime/ScopedArguments.h:
1727         (JSC::ScopedArguments::length const):
1728         * runtime/StrictEvalActivation.h:
1729         (JSC::StrictEvalActivation::create):
1730         * runtime/StringObject.cpp:
1731         (JSC::isStringOwnProperty):
1732         (JSC::StringObject::deleteProperty):
1733         (JSC::StringObject::getOwnNonIndexPropertyNames):
1734         * tools/JSDollarVMPrototype.cpp:
1735         (JSC::JSDollarVMPrototype::gc):
1736         (JSC::JSDollarVMPrototype::edenGC):
1737         * wasm/js/WebAssemblyModuleRecord.cpp:
1738         (JSC::WebAssemblyModuleRecord::evaluate):
1739
1740 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1741
1742         [DFG] NewArrayWithSize(size)'s size does not care negative zero
1743         https://bugs.webkit.org/show_bug.cgi?id=176300
1744
1745         Reviewed by Saam Barati.
1746
1747         NewArrayWithSize(size)'s size does not care about negative zero, as
1748         is the case with NewTypedArray. We propagate this information
1749         in DFGBackwardsPropagationPhase. This removes the negative zero
1750         check in kraken fft's deinterleave function.
1751
1752         * dfg/DFGBackwardsPropagationPhase.cpp:
1753         (JSC::DFG::BackwardsPropagationPhase::propagate):
1754
1755 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1756
1757         [DFG] PutByVal with Array::Generic is too generic
1758         https://bugs.webkit.org/show_bug.cgi?id=176345
1759
1760         Reviewed by Filip Pizlo.
1761
1762         Our DFG/FTL's PutByVal with Array::Generic is too generic an implementation.
1763         We could have the case like,
1764
1765             dst[key] = src[key];
1766
1767         with string or symbol keys. But they are handled in the slow path.
1768         This patch adds PutByVal(CellUse, StringUse/SymbolUse, UntypedUse). They go
1769         to optimized path that does not have generic checks like (isInt32() / isDouble() etc.).
1770
1771         This improves SixSpeed object-assign.es5 by 9.1%.
1772
1773         object-assign.es5             424.3159+-11.0471    ^    388.8771+-10.9239       ^ definitely 1.0911x faster
1774
1775         * dfg/DFGFixupPhase.cpp:
1776         (JSC::DFG::FixupPhase::fixupNode):
1777         * dfg/DFGOperations.cpp:
1778         (JSC::DFG::putByVal):
1779         (JSC::DFG::putByValInternal):
1780         (JSC::DFG::putByValCellInternal):
1781         (JSC::DFG::putByValCellStringInternal):
1782         (JSC::DFG::operationPutByValInternal): Deleted.
1783         * dfg/DFGOperations.h:
1784         * dfg/DFGSpeculativeJIT.cpp:
1785         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString):
1786         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol):
1787         * dfg/DFGSpeculativeJIT.h:
1788         (JSC::DFG::SpeculativeJIT::callOperation):
1789         * dfg/DFGSpeculativeJIT32_64.cpp:
1790         (JSC::DFG::SpeculativeJIT::compile):
1791         * dfg/DFGSpeculativeJIT64.cpp:
1792         (JSC::DFG::SpeculativeJIT::compile):
1793         * ftl/FTLLowerDFGToB3.cpp:
1794         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1795         * jit/JITOperations.h:
1796
1797 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1798
1799         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
1800         https://bugs.webkit.org/show_bug.cgi?id=176590
1801
1802         Reviewed by Saam Barati.
1803
1804         We add fixup edges for GetByVal(Array::Generic) to call a faster operation instead of the generic operationGetByVal.
1805
1806                                          baseline                  patched
1807
1808         object-iterate                5.8531+-0.3029            5.7903+-0.2795          might be 1.0108x faster
1809         object-iterate-symbols        7.4099+-0.3993     ^      5.8254+-0.2276        ^ definitely 1.2720x faster
1810
1811         * dfg/DFGFixupPhase.cpp:
1812         (JSC::DFG::FixupPhase::fixupNode):
1813         * dfg/DFGOperations.cpp:
1814         (JSC::DFG::getByValObject):
1815         * dfg/DFGOperations.h:
1816         * dfg/DFGSpeculativeJIT.cpp:
1817         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
1818         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
1819         * dfg/DFGSpeculativeJIT.h:
1820         * dfg/DFGSpeculativeJIT32_64.cpp:
1821         (JSC::DFG::SpeculativeJIT::compile):
1822         * dfg/DFGSpeculativeJIT64.cpp:
1823         (JSC::DFG::SpeculativeJIT::compile):
1824         * ftl/FTLLowerDFGToB3.cpp:
1825         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1826
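The `dst[key] = src[key]` pattern that the PutByVal entry above cites, together with the string- and symbol-keyed reads that the GetByVal entry targets, run end to end as an added example; this is not part of the WebKit ChangeLog or of JavaScriptCore's own code. The sample objects, the symbols and the helper names (assignStringKeys, assignSymbolKeys, sumByKeys, demo) are constructed for this example; which engine tier or operation a given access ends up in is not observable from JavaScript, so the block only shows the code shapes the two entries describe.

```javascript
// Added example (not WebKit/JSC code). The property keys that reach the
// PutByVal/GetByVal paths discussed above are either strings or symbols;
// the loops below keep the key a string (Object.keys) or a symbol
// (Object.getOwnPropertySymbols) so that every access is one of the two
// cases named in the entries, mirroring the object-assign.es5 and
// object-iterate-symbols benchmarks they cite.

// ES5-style Object.assign: copies own enumerable string-keyed properties.
// Each `dst[key] = src[key]` is a GetByVal followed by a PutByVal with a
// string key.
function assignStringKeys(dst, src) {
  const keys = Object.keys(src);
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    dst[key] = src[key];
  }
  return dst;
}

// The same copy loop for own enumerable symbol-keyed properties, so the key
// operand is a symbol on both the read and the write.
function assignSymbolKeys(dst, src) {
  const syms = Object.getOwnPropertySymbols(src);
  for (let i = 0; i < syms.length; i++) {
    const sym = syms[i];
    if (Object.prototype.propertyIsEnumerable.call(src, sym))
      dst[sym] = src[sym];
  }
  return dst;
}

// Read side: total the values reached through a mixed list of string and
// symbol keys (each `obj[keys[i]]` is a GetByVal with a string or symbol key).
function sumByKeys(obj, keys) {
  let total = 0;
  for (let i = 0; i < keys.length; i++)
    total += obj[keys[i]];
  return total;
}

// Constructed sample keys for the demo.
const TAG = Symbol("tag");
const HIDDEN = Symbol("hidden");

// Builds a constructed source object with string keys, an enumerable symbol
// key and a non-enumerable symbol key, copies it, and reports what survived.
function demo() {
  const src = { a: 1, b: 2, c: 3 };
  src[TAG] = 40;
  Object.defineProperty(src, HIDDEN, { value: 99, enumerable: false });

  const dst = assignSymbolKeys(assignStringKeys({}, src), src);
  return {
    stringKeys: Object.keys(dst),                          // ["a", "b", "c"]
    symbolCount: Object.getOwnPropertySymbols(dst).length, // 1: HIDDEN is skipped
    total: sumByKeys(dst, ["a", "b", "c", TAG]),           // 1 + 2 + 3 + 40 = 46
  };
}

console.log(demo());
```

The non-enumerable symbol is included deliberately: Object.getOwnPropertySymbols returns it, so a copy loop that forgets the propertyIsEnumerable check would silently leak it into the destination.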
1827 2017-09-07  Mark Lam  <mark.lam@apple.com>
1828
1829         Use JIT probes for DFG OSR exit.
1830         https://bugs.webkit.org/show_bug.cgi?id=175144
1831         <rdar://problem/33437050>
1832
1833         Reviewed by Saam Barati.
1834
1835         This patch does the following:
1836         1. Replaces osrExitGenerationThunkGenerator() with osrExitThunkGenerator().
1837            While osrExitGenerationThunkGenerator() generates a thunk that compiles a
1838            unique OSR offramp for each DFG OSR exit site, osrExitThunkGenerator()
1839            generates a thunk that just executes the OSR exit.
1840
1841            The osrExitThunkGenerator() generated thunk works by using a single JIT probe
1842            to call OSRExit::executeOSRExit().  The JIT probe takes care of preserving
1843            CPU registers, and providing the Probe::Stack mechanism for modifying the
1844            stack frame.
1845
1846            OSRExit::executeOSRExit() replaces OSRExit::compileOSRExit() and
1847            OSRExit::compileExit().  It is basically a re-write of those functions to
1848            execute the OSR exit work instead of compiling code to execute the work.
1849
1850            As a result, we get the following savings:
1851            a. no more OSR exit ramp compilation time.
1852            b. no use of JIT executable memory for storing each unique OSR exit ramp.
1853
1854            On the negative side, we incur these costs:
1855
1856            c. the OSRExit::executeOSRExit() ramp may be a little slower than the compiled
1857               version of the ramp.  However, OSR exits are rare.  Hence, this small
1858               difference should not matter much.  It is also offset by the savings from
1859               (a).
1860
1861            d. the Probe::Stack allocates 1K pages of memory for buffering stack
1862               modifications.  The number of these pages depends on the span of stack memory
1863               that the OSR exit ramp reads from and writes to.  Since the OSR exit ramp
1864               tends to only modify values in the current DFG frame and the current
1865               VMEntryRecord, the number of pages tends to only be 1 or 2.
1866
1867               Using the jsc tests as a workload, the vast majority of tests that do OSR
1868               exit use 3 or fewer 1K pages (with the overwhelming number using just 1 page).
1869               A few tests that are pathological use up to 14 pages, and one particularly
1870               bad test (function-apply-many-args.js) uses 513 pages.
1871
1872            Similar to the old code, the OSR exit ramp still has 2 parts: 1 part that is
1873            only executed once to compute some values for the exit site that is used by
1874            all exit operations from that site, and a 2nd part to execute the exit.  The
1875            1st part is protected by checking if exit.exitState has already been
1876            initialized.  The computed values are cached in exit.exitState.
1877
1878            Because the OSR exit thunk no longer compiles an OSR exit off-ramp, we no
1879            longer need the facility to patch the site that jumps to the OSR exit ramp.
1880            The DFG::JITCompiler has been modified to remove this patching code.
1881
1882         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
1883            std::memcpy to avoid strict aliasing issues.
1884
1885            Also optimized the implementation of Probe::Stack::physicalAddressFor().
1886
1887         3. Miscellaneous convenience methods added to make the Probe::Context easier to
1888            use.
1889
1890         4. Added a Probe::Frame class that makes it easier to get/set operands and
1891            arguments in a given frame using the deferred write properties of the
1892            Probe::Stack.  Probe::Frame makes it easier to do some of the recovery work in
1893            the OSR exit ramp.
1894
1895         5. Cloned or converted some functions needed by the OSR exit ramp.  The original
1896            JIT versions of these functions are still left in place because they are still
1897            needed for FTL OSR exit.  A FIXME comment has been added to remove them later.
1898            These functions include:
1899
1900            DFGOSRExitCompilerCommon.cpp's handleExitCounts() ==>
1901                CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize()
1902            DFGOSRExitCompilerCommon.cpp's reifyInlinedCallFrames() ==>
1903                DFGOSRExit.cpp's reifyInlinedCallFrames()
1904            DFGOSRExitCompilerCommon.cpp's adjustAndJumpToTarget() ==>
1905                DFGOSRExit.cpp's adjustAndJumpToTarget()
1906
1907            MethodOfGettingAValueProfile::emitReportValue() ==>
1908                MethodOfGettingAValueProfile::reportValue()
1909
1910            DFGOperations.cpp's operationCreateDirectArgumentsDuringExit() ==>
1911                DFGOSRExit.cpp's createDirectArgumentsDuringExit()
1912            DFGOperations.cpp's operationCreateClonedArgumentsDuringExit() ==>
1913                DFGOSRExit.cpp's createClonedArgumentsDuringExit()
1914
1915         * JavaScriptCore.xcodeproj/project.pbxproj:
1916         * assembler/MacroAssembler.cpp:
1917         (JSC::stdFunctionCallback):
1918         * assembler/MacroAssemblerPrinter.cpp:
1919         (JSC::Printer::printCallback):
1920         * assembler/ProbeContext.h:
1921         (JSC::Probe::CPUState::gpr const):
1922         (JSC::Probe::CPUState::spr const):
1923         (JSC::Probe::Context::Context):
1924         (JSC::Probe::Context::arg):
1925         (JSC::Probe::Context::gpr):
1926         (JSC::Probe::Context::spr):
1927         (JSC::Probe::Context::fpr):
1928         (JSC::Probe::Context::gprName):
1929         (JSC::Probe::Context::sprName):
1930         (JSC::Probe::Context::fprName):
1931         (JSC::Probe::Context::gpr const):
1932         (JSC::Probe::Context::spr const):
1933         (JSC::Probe::Context::fpr const):
1934         (JSC::Probe::Context::pc):
1935         (JSC::Probe::Context::fp):
1936         (JSC::Probe::Context::sp):
1937         (JSC::Probe:: const): Deleted.
1938         * assembler/ProbeFrame.h: Added.
1939         (JSC::Probe::Frame::Frame):
1940         (JSC::Probe::Frame::getArgument):
1941         (JSC::Probe::Frame::getOperand):
1942         (JSC::Probe::Frame::get):
1943         (JSC::Probe::Frame::setArgument):
1944         (JSC::Probe::Frame::setOperand):
1945         (JSC::Probe::Frame::set):
1946         * assembler/ProbeStack.cpp:
1947         (JSC::Probe::Page::Page):
1948         * assembler/ProbeStack.h:
1949         (JSC::Probe::Page::get):
1950         (JSC::Probe::Page::set):
1951         (JSC::Probe::Page::physicalAddressFor):
1952         (JSC::Probe::Stack::lowWatermark):
1953         (JSC::Probe::Stack::get):
1954         (JSC::Probe::Stack::set):
1955         * bytecode/ArithProfile.cpp:
1956         * bytecode/ArithProfile.h:
1957         * bytecode/ArrayProfile.h:
1958         (JSC::ArrayProfile::observeArrayMode):
1959         * bytecode/CodeBlock.cpp:
1960         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1961         * bytecode/CodeBlock.h:
1962         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
1963         * bytecode/ExecutionCounter.h:
1964         (JSC::ExecutionCounter::hasCrossedThreshold const):
1965         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
1966         * bytecode/MethodOfGettingAValueProfile.cpp:
1967         (JSC::MethodOfGettingAValueProfile::reportValue):
1968         * bytecode/MethodOfGettingAValueProfile.h:
1969         * dfg/DFGDriver.cpp:
1970         (JSC::DFG::compileImpl):
1971         * dfg/DFGJITCode.cpp:
1972         (JSC::DFG::JITCode::findPC): Deleted.
1973         * dfg/DFGJITCode.h:
1974         * dfg/DFGJITCompiler.cpp:
1975         (JSC::DFG::JITCompiler::linkOSRExits):
1976         (JSC::DFG::JITCompiler::link):
1977         * dfg/DFGOSRExit.cpp:
1978         (JSC::DFG::jsValueFor):
1979         (JSC::DFG::restoreCalleeSavesFor):
1980         (JSC::DFG::saveCalleeSavesFor):
1981         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
1982         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1983         (JSC::DFG::saveOrCopyCalleeSavesFor):
1984         (JSC::DFG::createDirectArgumentsDuringExit):
1985         (JSC::DFG::createClonedArgumentsDuringExit):
1986         (JSC::DFG::OSRExit::OSRExit):
1987         (JSC::DFG::emitRestoreArguments):
1988         (JSC::DFG::OSRExit::executeOSRExit):
1989         (JSC::DFG::reifyInlinedCallFrames):
1990         (JSC::DFG::adjustAndJumpToTarget):
1991         (JSC::DFG::printOSRExit):
1992         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
1993         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
1994         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
1995         (JSC::DFG::OSRExit::correctJump): Deleted.
1996         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
1997         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
1998         (JSC::DFG::OSRExit::compileExit): Deleted.
1999         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
2000         * dfg/DFGOSRExit.h:
2001         (JSC::DFG::OSRExitState::OSRExitState):
2002         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
2003         * dfg/DFGOSRExitCompilerCommon.cpp:
2004         * dfg/DFGOSRExitCompilerCommon.h:
2005         * dfg/DFGOperations.cpp:
2006         * dfg/DFGOperations.h:
2007         * dfg/DFGThunks.cpp:
2008         (JSC::DFG::osrExitThunkGenerator):
2009         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
2010         * dfg/DFGThunks.h:
2011         * jit/AssemblyHelpers.cpp:
2012         (JSC::AssemblyHelpers::debugCall): Deleted.
2013         * jit/AssemblyHelpers.h:
2014         * jit/JITOperations.cpp:
2015         * jit/JITOperations.h:
2016         * profiler/ProfilerOSRExit.h:
2017         (JSC::Profiler::OSRExit::incCount):
2018         * runtime/JSCJSValue.h:
2019         * runtime/JSCJSValueInlines.h:
2020         * runtime/VM.h:
2021
2022 2017-09-07  Michael Saboff  <msaboff@apple.com>
2023
2024         Add support for RegExp named capture groups
2025         https://bugs.webkit.org/show_bug.cgi?id=176435
2026
2027         Reviewed by Filip Pizlo.
2028
2029         Added parsing for both naming a captured parenthesis as well as using a named group in
2030         a back reference.  Also added support for using named groups with String.prototype.replace().
2031
2032         This patch does not throw Syntax Errors as described in the current spec text for the two
2033         cases of malformed back references in String.prototype.replace() as I believe that it
2034         is inconsistent with the current semantics for handling of other malformed replacement
2035         tokens.  I filed an issue for the requested change to the proposed spec and also filed
2036         a FIXME bug https://bugs.webkit.org/show_bug.cgi?id=176434.
2037
2038         This patch does not implement strength reduction in the optimizing JITs for named capture
2039         groups.  Filed https://bugs.webkit.org/show_bug.cgi?id=176464.
2040
2041         * dfg/DFGAbstractInterpreterInlines.h:
2042         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2043         * dfg/DFGStrengthReductionPhase.cpp:
2044         (JSC::DFG::StrengthReductionPhase::handleNode):
2045         * runtime/CommonIdentifiers.h:
2046         * runtime/JSGlobalObject.cpp:
2047         (JSC::JSGlobalObject::init):
2048         (JSC::JSGlobalObject::haveABadTime):
2049         * runtime/JSGlobalObject.h:
2050         (JSC::JSGlobalObject::regExpMatchesArrayWithGroupsStructure const):
2051         * runtime/RegExp.cpp:
2052         (JSC::RegExp::finishCreation):
2053         * runtime/RegExp.h:
2054         * runtime/RegExpMatchesArray.cpp:
2055         (JSC::createStructureImpl):
2056         (JSC::createRegExpMatchesArrayWithGroupsStructure):
2057         (JSC::createRegExpMatchesArrayWithGroupsSlowPutStructure):
2058         * runtime/RegExpMatchesArray.h:
2059         (JSC::createRegExpMatchesArray):
2060         * runtime/StringPrototype.cpp:
2061         (JSC::substituteBackreferencesSlow):
2062         (JSC::replaceUsingRegExpSearch):
2063         * yarr/YarrParser.h:
2064         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
2065         (JSC::Yarr::Parser::parseEscape):
2066         (JSC::Yarr::Parser::parseParenthesesBegin):
2067         (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
2068         (JSC::Yarr::Parser::tryConsumeIdentifierCharacter):
2069         (JSC::Yarr::Parser::isIdentifierStart):
2070         (JSC::Yarr::Parser::isIdentifierPart):
2071         (JSC::Yarr::Parser::tryConsumeGroupName):
2072         * yarr/YarrPattern.cpp:
2073         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
2074         (JSC::Yarr::YarrPatternConstructor::atomNamedBackReference):
2075         (JSC::Yarr::YarrPattern::errorMessage):
2076         * yarr/YarrPattern.h:
2077         (JSC::Yarr::YarrPattern::reset):
2078         * yarr/YarrSyntaxChecker.cpp:
2079         (JSC::Yarr::SyntaxChecker::atomParenthesesSubpatternBegin):
2080         (JSC::Yarr::SyntaxChecker::atomNamedBackReference):
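
        The behaviour this entry adds, shown from script level as an added example (this is not JSC
        code and not part of the ChangeLog): a named capture group populates `groups` on the match,
        `\k<name>` is a named back reference, and `$<name>` in String.prototype.replace() substitutes
        a named group. The sample log line and the function names are constructed for the example.

```javascript
// Added example (not JSC code): observable behaviour of RegExp named capture
// groups, named back references, and $<name> in String.prototype.replace().

// Constructed sample input: a log-style line with an ISO date and a user name.
const SAMPLE = "2017-09-07 event=login user=alice";

const DATE_RE = /(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})/;

// Parse a date with named groups; the match result carries a `groups` object
// whose properties are the group names.
function parseDate(line) {
  const m = DATE_RE.exec(line);
  if (!m) return null;
  const { year, month, day } = m.groups;
  return { year, month, day };
}

// A named back reference \k<word> must match exactly the text that the
// group called `word` captured, so this detects a doubled word.
function hasRepeatedWord(text) {
  return /\b(?<word>\w+)\s+\k<word>\b/i.test(text);
}

// $<name> in a replacement string refers to the named group of the pattern.
function toUSDate(line) {
  return line.replace(DATE_RE, "$<month>/$<day>/$<year>");
}

// When the pattern has named groups, a function replacer receives the
// `groups` object as its last argument; here it is used to mask the user
// name while keeping its length (a constructed redaction rule).
function redactUser(line) {
  return line.replace(/user=(?<name>\w+)/, (...args) => {
    const groups = args[args.length - 1];
    return `user=${"*".repeat(groups.name.length)}`;
  });
}
```

        Note that `\k<name>` is only a back reference when the pattern actually declares a named
        group (or uses the `u` flag); validating untrusted replacement strings separately is still
        advisable, since `$<...>` tokens change meaning depending on the pattern they are paired with.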
2081
2082 2017-09-07  Myles C. Maxfield  <mmaxfield@apple.com>
2083
2084         [PAL] Unify PlatformUserPreferredLanguages.h with Language.h
2085         https://bugs.webkit.org/show_bug.cgi?id=176561
2086
2087         Reviewed by Brent Fulgham.
2088
2089         * runtime/IntlObject.cpp:
2090         (JSC::defaultLocale):
2091
2092 2017-09-07  Joseph Pecoraro  <pecoraro@apple.com>
2093
2094         Augmented Inspector: Provide a way to inspect a DOM Node (DOM.inspect)
2095         https://bugs.webkit.org/show_bug.cgi?id=176563
2096         <rdar://problem/19639583>
2097
2098         Reviewed by Matt Baker.
2099
2100         * inspector/protocol/DOM.json:
2101         Add an event that is useful for augmented inspectors to inspect
2102         a node. Web pages will still prefer Inspector.inspect.
2103
2104 2017-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2105
2106         [JSC] Remove "malloc" and "free" from JSC/API
2107         https://bugs.webkit.org/show_bug.cgi?id=176331
2108
2109         Reviewed by Keith Miller.
2110
2111         Remove "malloc" and "free" manual calls in JSC/API.
2112
2113         * API/JSValue.mm:
2114         (createStructHandlerMap):
2115         * API/JSWrapperMap.mm:
2116         (parsePropertyAttributes):
2117         (makeSetterName):
2118         (copyPrototypeProperties):
2119         Use RetainPtr<NSString> to keep NSString. We avoid repeated "char*" to "NSString" conversion.
2120
2121         * API/ObjcRuntimeExtras.h:
2122         (adoptSystem):
2123         Add adoptSystem to automate calling system free().
2124
2125         (protocolImplementsProtocol):
2126         (forEachProtocolImplementingProtocol):
2127         (forEachMethodInClass):
2128         (forEachMethodInProtocol):
2129         (forEachPropertyInProtocol):
2130         (StringRange::StringRange):
2131         (StringRange::operator const char* const):
2132         (StringRange::get const):
2133         Use CString for backend.
2134
2135         (StructBuffer::StructBuffer):
2136         (StructBuffer::~StructBuffer):
2137         (StringRange::~StringRange): Deleted.
2138         Use fastAlignedMalloc/fastAlignedFree to get aligned memory.
2139
2140 2017-09-06  Mark Lam  <mark.lam@apple.com>
2141
2142         constructGenericTypedArrayViewWithArguments() is missing an exception check.
2143         https://bugs.webkit.org/show_bug.cgi?id=176485
2144         <rdar://problem/33898874>
2145
2146         Reviewed by Keith Miller.
2147
2148         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2149         (JSC::constructGenericTypedArrayViewWithArguments):
2150
2151 2017-09-06  Saam Barati  <sbarati@apple.com>
2152
2153         Air should have a Vector of prologue generators instead of a HashMap representing an optional prologue generator
2154         https://bugs.webkit.org/show_bug.cgi?id=176346
2155
2156         Reviewed by Mark Lam.
2157
2158         * b3/B3Procedure.cpp:
2159         (JSC::B3::Procedure::Procedure):
2160         (JSC::B3::Procedure::setNumEntrypoints):
2161         * b3/B3Procedure.h:
2162         (JSC::B3::Procedure::setNumEntrypoints): Deleted.
2163         * b3/air/AirCode.cpp:
2164         (JSC::B3::Air::defaultPrologueGenerator):
2165         (JSC::B3::Air::Code::Code):
2166         (JSC::B3::Air::Code::setNumEntrypoints):
2167         * b3/air/AirCode.h:
2168         (JSC::B3::Air::Code::setPrologueForEntrypoint):
2169         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
2170         (JSC::B3::Air::Code::setEntrypoints):
2171         (JSC::B3::Air::Code::setEntrypointLabels):
2172         * b3/air/AirGenerate.cpp:
2173         (JSC::B3::Air::generate):
2174         * ftl/FTLLowerDFGToB3.cpp:
2175         (JSC::FTL::DFG::LowerDFGToB3::lower):
2176
2177 2017-09-06  Saam Barati  <sbarati@apple.com>
2178
2179         ASSERTION FAILED: op() == CheckStructure in Source/JavaScriptCore/dfg/DFGNode.h(443)
2180         https://bugs.webkit.org/show_bug.cgi?id=176470
2181
2182         Reviewed by Mark Lam.
2183
2184         Update Node::convertToCheckStructureImmediate's assertion to allow
2185         the node to either be a CheckStructure or CheckStructureOrEmpty.
2186
2187         * dfg/DFGNode.h:
2188         (JSC::DFG::Node::convertToCheckStructureImmediate):
2189
2190 2017-09-05  Saam Barati  <sbarati@apple.com>
2191
2192         isNotCellSpeculation is wrong with respect to SpecEmpty
2193         https://bugs.webkit.org/show_bug.cgi?id=176429
2194
2195         Reviewed by Michael Saboff.
2196
2197         The isNotCellSpeculation(SpeculatedType t) function was not taking into account
2198         SpecEmpty in the set for t. It should return false when SpecEmpty is present, since
2199         the empty value will fail a NotCell check. This bug would cause us to erroneously
2200         generate NotCellUse UseKinds for inputs that are the empty value, causing repeated OSR exits.
2201
2202         * bytecode/SpeculatedType.h:
2203         (JSC::isNotCellSpeculation):
2204
2205 2017-09-05  Saam Barati  <sbarati@apple.com>
2206
2207         Make the distinction between entrypoints and CFG roots more clear by naming things better
2208         https://bugs.webkit.org/show_bug.cgi?id=176336
2209
2210         Reviewed by Mark Lam and Keith Miller and Michael Saboff.
2211
2212         This patch does renaming to make the distinction between Graph::m_entrypoints
2213         and Graph::m_numberOfEntrypoints more clear. The source of confusion is that
2214         Graph::m_entrypoints.size() is not equivalent to Graph::m_numberOfEntrypoints.
2215         Graph::m_entrypoints is really just the CFG roots. In CPS, this vector has
2216         size >= 1. In SSA, the size is always 1. This patch renames Graph::m_entrypoints
2217         to Graph::m_roots. To be consistent, this patch also renames Graph's m_entrypointToArguments
2218         field to m_rootToArguments.
2219         
2220         Graph::m_numberOfEntrypoints retains its name. This field is only used in SSA
2221         when compiling with EntrySwitch. It represents the logical number of entrypoints
2222         the compilation will end up with. Each EntrySwitch has m_numberOfEntrypoints
2223         cases.
2224
2225         * dfg/DFGByteCodeParser.cpp:
2226         (JSC::DFG::ByteCodeParser::parseBlock):
2227         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2228         * dfg/DFGCFG.h:
2229         (JSC::DFG::CFG::roots):
2230         (JSC::DFG::CPSCFG::CPSCFG):
2231         * dfg/DFGCPSRethreadingPhase.cpp:
2232         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
2233         * dfg/DFGDCEPhase.cpp:
2234         (JSC::DFG::DCEPhase::run):
2235         * dfg/DFGGraph.cpp:
2236         (JSC::DFG::Graph::dump):
2237         (JSC::DFG::Graph::determineReachability):
2238         (JSC::DFG::Graph::blocksInPreOrder):
2239         (JSC::DFG::Graph::blocksInPostOrder):
2240         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2241         * dfg/DFGGraph.h:
2242         (JSC::DFG::Graph::isRoot):
2243         (JSC::DFG::Graph::isEntrypoint): Deleted.
2244         * dfg/DFGInPlaceAbstractState.cpp:
2245         (JSC::DFG::InPlaceAbstractState::initialize):
2246         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2247         (JSC::DFG::createPreHeader):
2248         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2249         (JSC::DFG::MaximalFlushInsertionPhase::run):
2250         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2251         * dfg/DFGOSREntrypointCreationPhase.cpp:
2252         (JSC::DFG::OSREntrypointCreationPhase::run):
2253         * dfg/DFGPredictionInjectionPhase.cpp:
2254         (JSC::DFG::PredictionInjectionPhase::run):
2255         * dfg/DFGSSAConversionPhase.cpp:
2256         (JSC::DFG::SSAConversionPhase::run):
2257         * dfg/DFGSpeculativeJIT.cpp:
2258         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
2259         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2260         * dfg/DFGTypeCheckHoistingPhase.cpp:
2261         (JSC::DFG::TypeCheckHoistingPhase::run):
2262         * dfg/DFGValidate.cpp:
2263
2264 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
2265
2266         test262: Completion values for control flow do not match the spec
2267         https://bugs.webkit.org/show_bug.cgi?id=171265
2268
2269         Reviewed by Saam Barati.
2270
2271         * bytecompiler/BytecodeGenerator.h:
2272         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
2273         When we care about having proper completion values (global code
2274         in programs, modules, and eval) insert undefined results for
2275         control flow statements.
2276
2277         * bytecompiler/NodesCodegen.cpp:
2278         (JSC::SourceElements::emitBytecode):
2279         Reduce writing a default `undefined` value to the completion result to
2280         only once before the last statement we know will produce a value.
2281
2282         (JSC::IfElseNode::emitBytecode):
2283         (JSC::WithNode::emitBytecode):
2284         (JSC::WhileNode::emitBytecode):
2285         (JSC::ForNode::emitBytecode):
2286         (JSC::ForInNode::emitBytecode):
2287         (JSC::ForOfNode::emitBytecode):
2288         (JSC::SwitchNode::emitBytecode):
2289         Insert an undefined to handle cases where code may break out of an
2290         if/else or with statement (break/continue).
2291
2292         (JSC::TryNode::emitBytecode):
2293         Same handling for break cases. Also, finally block statement completion
2294         values are always ignored for the try statement result.
2295
2296         (JSC::ClassDeclNode::emitBytecode):
2297         Class declarations, like function declarations, produce an empty result.
2298
2299         * parser/Nodes.cpp:
2300         (JSC::SourceElements::lastStatement):
2301         (JSC::SourceElements::hasCompletionValue):
2302         (JSC::SourceElements::hasEarlyBreakOrContinue):
2303         (JSC::BlockNode::lastStatement):
2304         (JSC::BlockNode::singleStatement):
2305         (JSC::BlockNode::hasCompletionValue):
2306         (JSC::BlockNode::hasEarlyBreakOrContinue):
2307         (JSC::ScopeNode::singleStatement):
2308         (JSC::ScopeNode::hasCompletionValue):
2309         (JSC::ScopeNode::hasEarlyBreakOrContinue):
2310         The only non-trivial cases need to loop through their list of statements
2311         to determine if this has a completion value or not. Likewise for
2312         determining if there is an early break / continue, meaning a break or
2313         continue statement with no preceding statement that has a completion value.
2314
2315         * parser/Nodes.h:
2316         (JSC::StatementNode::next):
2317         (JSC::StatementNode::hasCompletionValue):
2318         Helper to check if a statement nodes produces a completion value or not.
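
        The completion-value rules this entry implements, observed from script level through indirect
        eval, which returns the completion value of the code it evaluates. This is an added example,
        not JSC code and not part of the ChangeLog; the snippet table is constructed, and the expected
        values are the ECMAScript ones (UpdateEmpty with undefined for control-flow statements, empty
        for function and class declarations, and the finally block's value ignored).

```javascript
// Added example (not JSC code): completion values of control-flow statements,
// observed through indirect eval, which yields the evaluated code's completion value.
const indirectEval = eval; // indirect call: non-strict, evaluated in global scope

function completionOf(src) {
  return indirectEval(src);
}

// Constructed cases. Each pair is [source, expected completion value].
const CASES = [
  ["1;", 1],
  ["1; if (true) {}", undefined],           // empty if-body yields undefined, not 1
  ["1; if (true) { 2; }", 2],
  ["1; while (false) {}", undefined],        // loop never runs: undefined, not 1
  ["1; do { 2; break; } while (false)", 2],  // break carries the preceding value
  ["1; for (;;) { break; }", undefined],     // early break with no value: undefined
  ["1; switch (0) { case 0: }", undefined],
  ["1; try { 2; } finally { 3; }", 2],       // finally's completion value is ignored
  ["1; with ({}) {}", undefined],
  ["1; function completionDemoFn() {}", 1],  // declarations produce empty: 1 survives
  ["1; class CompletionDemoClass {}", 1],
];

// Evaluate every case and report which ones the running engine gets right.
function checkAll() {
  return CASES.map(([src, expected]) => {
    const actual = completionOf(src);
    return { src, expected, actual, ok: actual === expected };
  });
}

function allCorrect() {
  return checkAll().every((r) => r.ok);
}
```

        The `undefined` results for `if`, `while`, `for`, `switch` and `with` are the cases where an
        engine that simply leaves the previous statement's value in place (here `1`) disagrees with
        test262.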
2319
2320 2017-09-04  Saam Barati  <sbarati@apple.com>
2321
2322         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
2323         https://bugs.webkit.org/show_bug.cgi?id=176317
2324
2325         Reviewed by Keith Miller.
2326
2327         It turns out that TypeCheckHoistingPhase may hoist a CheckStructure up to 
2328         the SetLocal of a particular value where the value is the empty JSValue.
2329         On 64-bit platforms, the empty value is zero. This means that the empty value
2330         passes a cell check. This will lead to a crash when we dereference null to load
2331         the value's structure. This patch teaches TypeCheckHoistingPhase to be conservative
2332         in the structure checks it hoists. On 64-bit platforms, instead of emitting a
2333         CheckStructure node, we now emit a CheckStructureOrEmpty node. This node allows
2334         the empty value to flow through. If the value isn't empty, it'll perform the normal
2335         structure check that CheckStructure performs. For now, we only emit CheckStructureOrEmpty
2336         on 64-bit platforms since a cell check on 32-bit platforms does not allow the empty
2337         value to flow through.
2338
2339         * dfg/DFGAbstractInterpreterInlines.h:
2340         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2341         * dfg/DFGArgumentsEliminationPhase.cpp:
2342         * dfg/DFGClobberize.h:
2343         (JSC::DFG::clobberize):
2344         * dfg/DFGConstantFoldingPhase.cpp:
2345         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2346         * dfg/DFGDoesGC.cpp:
2347         (JSC::DFG::doesGC):
2348         * dfg/DFGFixupPhase.cpp:
2349         (JSC::DFG::FixupPhase::fixupNode):
2350         * dfg/DFGNode.h:
2351         (JSC::DFG::Node::convertCheckStructureOrEmptyToCheckStructure):
2352         (JSC::DFG::Node::hasStructureSet):
2353         * dfg/DFGNodeType.h:
2354         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2355         * dfg/DFGPredictionPropagationPhase.cpp:
2356         * dfg/DFGSafeToExecute.h:
2357         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
2358         (JSC::DFG::SafeToExecuteEdge::operator()):
2359         (JSC::DFG::SafeToExecuteEdge::maySeeEmptyChild):
2360         (JSC::DFG::safeToExecute):
2361         * dfg/DFGSpeculativeJIT.cpp:
2362         (JSC::DFG::SpeculativeJIT::emitStructureCheck):
2363         (JSC::DFG::SpeculativeJIT::compileCheckStructure):
2364         * dfg/DFGSpeculativeJIT.h:
2365         * dfg/DFGSpeculativeJIT32_64.cpp:
2366         (JSC::DFG::SpeculativeJIT::compile):
2367         * dfg/DFGSpeculativeJIT64.cpp:
2368         (JSC::DFG::SpeculativeJIT::compile):
2369         * dfg/DFGTypeCheckHoistingPhase.cpp:
2370         (JSC::DFG::TypeCheckHoistingPhase::run):
2371         * dfg/DFGValidate.cpp:
2372         * ftl/FTLCapabilities.cpp:
2373         (JSC::FTL::canCompile):
2374         * ftl/FTLLowerDFGToB3.cpp:
2375         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2376         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureOrEmpty):
2377
2378 2017-09-04  Saam Barati  <sbarati@apple.com>
2379
2380         Support compiling catch in the FTL
2381         https://bugs.webkit.org/show_bug.cgi?id=175396
2382
2383         Reviewed by Filip Pizlo.
2384
2385         This patch implements op_catch in the FTL. It extends the DFG implementation
2386         by supporting multiple entrypoints in DFG-SSA. This patch implements this
2387         by introducing an EntrySwitch node. When converting to SSA, we introduce a new
2388         root block with an EntrySwitch that has the previous DFG entrypoints as its
2389         successors. By convention, we pick the zeroth entry point index to be the
2390         op_enter entrypoint. Like in B3, in DFG-SSA, EntrySwitch just acts like a
2391         switch over the entrypoint index argument. DFG::EntrySwitch in the FTL
2392         simply lowers to B3::EntrySwitch. The EntrySwitch in the root block that
2393         SSAConversion creates can not exit because we would both not know where to exit
2394         to in the program: we would not have valid OSR exit state. This design also
2395         mandates that anything we hoist above EntrySwitch in the new root block
2396         can not exit since they also do not have valid OSR exit state.
2397         
2398         This patch also adds a new metadata node named InitializeEntrypointArguments.
2399         InitializeEntrypointArguments is a metadata node that initializes the flush format for
2400         the arguments at a given entrypoint. For a given entrypoint index, this node
2401         tells AI and OSRAvailabilityAnalysis what the flush format for each argument
2402         is. This allows each individual entrypoint to have an independent set of
2403         argument types. Currently, this won't happen in practice because ArgumentPosition
2404         unifies flush formats, but this is an implementation detail we probably want
2405         to modify in the future. SSAConversion will add InitializeEntrypointArguments
2406         to the beginning of each of the original DFG entrypoint blocks.
2407         
2408         This patch also adds the ability to specify custom prologue code generators in Air.
2409         This allows the FTL to specify a custom prologue for catch entrypoints that
2410         matches the op_catch OSR entry calling convention that the DFG uses. This way,
2411         the baseline JIT code OSR enters into op_catch the same way both in the DFG
2412         and the FTL. In the future, we can use this same mechanism to perform stack
2413         overflow checks instead of using a patchpoint.
2414
2415         * b3/air/AirCode.cpp:
2416         (JSC::B3::Air::Code::isEntrypoint):
2417         (JSC::B3::Air::Code::entrypointIndex):
2418         * b3/air/AirCode.h:
2419         (JSC::B3::Air::Code::setPrologueForEntrypoint):
2420         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
2421         * b3/air/AirGenerate.cpp:
2422         (JSC::B3::Air::generate):
2423         * dfg/DFGAbstractInterpreterInlines.h:
2424         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2425         * dfg/DFGBasicBlock.h:
2426         * dfg/DFGByteCodeParser.cpp:
2427         (JSC::DFG::ByteCodeParser::parseBlock):
2428         (JSC::DFG::ByteCodeParser::parse):
2429         * dfg/DFGCFG.h:
2430         (JSC::DFG::selectCFG):
2431         * dfg/DFGClobberize.h:
2432         (JSC::DFG::clobberize):
2433         * dfg/DFGClobbersExitState.cpp:
2434         (JSC::DFG::clobbersExitState):
2435         * dfg/DFGCommonData.cpp:
2436         (JSC::DFG::CommonData::shrinkToFit):
2437         (JSC::DFG::CommonData::finalizeCatchEntrypoints):
2438         * dfg/DFGCommonData.h:
2439         (JSC::DFG::CommonData::catchOSREntryDataForBytecodeIndex):
2440         (JSC::DFG::CommonData::appendCatchEntrypoint):
2441         * dfg/DFGDoesGC.cpp:
2442         (JSC::DFG::doesGC):
2443         * dfg/DFGFixupPhase.cpp:
2444         (JSC::DFG::FixupPhase::fixupNode):
2445         * dfg/DFGGraph.cpp:
2446         (JSC::DFG::Graph::dump):
2447         (JSC::DFG::Graph::invalidateCFG):
2448         (JSC::DFG::Graph::ensureCPSCFG):
2449         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2450         * dfg/DFGGraph.h:
2451         (JSC::DFG::Graph::isEntrypoint):
2452         * dfg/DFGInPlaceAbstractState.cpp:
2453         (JSC::DFG::InPlaceAbstractState::initialize):
2454         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
2455         * dfg/DFGJITCode.cpp:
2456         (JSC::DFG::JITCode::shrinkToFit):
2457         (JSC::DFG::JITCode::finalizeOSREntrypoints):
2458         * dfg/DFGJITCode.h:
2459         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex): Deleted.
2460         (JSC::DFG::JITCode::appendCatchEntrypoint): Deleted.
2461         * dfg/DFGJITCompiler.cpp:
2462         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
2463         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
2464         * dfg/DFGMayExit.cpp:
2465         * dfg/DFGNode.h:
2466         (JSC::DFG::Node::isEntrySwitch):
2467         (JSC::DFG::Node::isTerminal):
2468         (JSC::DFG::Node::entrySwitchData):
2469         (JSC::DFG::Node::numSuccessors):
2470         (JSC::DFG::Node::successor):
2471         (JSC::DFG::Node::entrypointIndex):
2472         * dfg/DFGNodeType.h:
2473         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2474         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2475         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2476         * dfg/DFGOSREntry.cpp:
2477         (JSC::DFG::prepareCatchOSREntry):
2478         * dfg/DFGOSREntry.h:
2479         * dfg/DFGOSREntrypointCreationPhase.cpp:
2480         (JSC::DFG::OSREntrypointCreationPhase::run):
2481         * dfg/DFGPredictionPropagationPhase.cpp:
2482         * dfg/DFGSSAConversionPhase.cpp:
2483         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
2484         (JSC::DFG::SSAConversionPhase::run):
2485         * dfg/DFGSafeToExecute.h:
2486         (JSC::DFG::safeToExecute):
2487         * dfg/DFGSpeculativeJIT.cpp:
2488         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2489         * dfg/DFGSpeculativeJIT32_64.cpp:
2490         (JSC::DFG::SpeculativeJIT::compile):
2491         * dfg/DFGSpeculativeJIT64.cpp:
2492         (JSC::DFG::SpeculativeJIT::compile):
2493         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
2494         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
2495         * dfg/DFGValidate.cpp:
2496         * ftl/FTLCapabilities.cpp:
2497         (JSC::FTL::canCompile):
2498         * ftl/FTLCompile.cpp:
2499         (JSC::FTL::compile):
2500         * ftl/FTLLowerDFGToB3.cpp:
2501         (JSC::FTL::DFG::LowerDFGToB3::lower):
2502         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2503         (JSC::FTL::DFG::LowerDFGToB3::compileExtractCatchLocal):
2504         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
2505         (JSC::FTL::DFG::LowerDFGToB3::compileEntrySwitch):
2506         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2507         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):
2508         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
2509         (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
2510         * ftl/FTLOutput.cpp:
2511         (JSC::FTL::Output::entrySwitch):
2512         * ftl/FTLOutput.h:
2513         * jit/JITOperations.cpp:
2514
2515 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2516
2517         [DFG][FTL] Efficiently execute number#toString()
2518         https://bugs.webkit.org/show_bug.cgi?id=170007
2519
2520         Reviewed by Keith Miller.
2521
2522         In JS, the natural way to convert number to string with radix is `number.toString(radix)`.
2523         However, our IC only cares about cells. If the base value is a number, it always goes to the slow path.
2524
2525         While extending our IC for number and boolean, the most meaningful use of this IC is calling `number.toString(radix)`.
2526         So, in this patch, we first add a fast path for this in DFG by using watchpoint. We set up a watchpoint for
2527         Number.prototype.toString. And if this watchpoint is kept alive and GetById(base, "toString")'s base should be
2528         speculated as Number, we emit Number related Checks and convert GetById to Number.prototype.toString constant.
2529         It removes costly GetById slow path, and makes it non-clobbering node (JSConstant).
2530
2531         In addition, we add NumberToStringWithValidRadixConstant node. We have NumberToStringWithRadix node, but it may
2532         throw an error if the valid value is incorrect (for example, number.toString(2000)). So its clobbering rule is
2533         conservatively uses read(World)/write(Heap). But in reality, `number.toString` is mostly called with the constant
2534         radix, and we can easily figure out this radix is valid (2 <= radix && radix < 32).
2535         We add a rule to the constant folding phase to convert NumberToStringWithRadix to NumberToStringWithValidRadixConstant.
2536         It ensures that it has valid constant radix. And we relax our clobbering rule for NumberToStringWithValidRadixConstant.
2537
2538         Added microbenchmarks show performance improvement.
2539
2540                                                       baseline                  patched
2541
2542         number-to-string-with-radix-cse           43.8312+-1.3017     ^      7.4930+-0.5105        ^ definitely 5.8496x faster
2543         number-to-string-with-radix-10             7.2775+-0.5225     ^      2.1906+-0.1864        ^ definitely 3.3222x faster
2544         number-to-string-with-radix               39.7378+-1.4921     ^     16.6137+-0.7776        ^ definitely 2.3919x faster
2545         number-to-string-strength-reduction       94.9667+-2.7157     ^      9.3060+-0.7202        ^ definitely 10.2049x faster
2546
2547         * dfg/DFGAbstractInterpreterInlines.h:
2548         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2549         * dfg/DFGClobberize.h:
2550         (JSC::DFG::clobberize):
2551         * dfg/DFGConstantFoldingPhase.cpp:
2552         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2553         * dfg/DFGDoesGC.cpp:
2554         (JSC::DFG::doesGC):
2555         * dfg/DFGFixupPhase.cpp:
2556         (JSC::DFG::FixupPhase::fixupNode):
2557         * dfg/DFGGraph.h:
2558         (JSC::DFG::Graph::isWatchingGlobalObjectWatchpoint):
2559         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
2560         (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint):
2561         * dfg/DFGNode.h:
2562         (JSC::DFG::Node::convertToNumberToStringWithValidRadixConstant):
2563         (JSC::DFG::Node::hasValidRadixConstant):
2564         (JSC::DFG::Node::validRadixConstant):
2565         * dfg/DFGNodeType.h:
2566         * dfg/DFGPredictionPropagationPhase.cpp:
2567         * dfg/DFGSafeToExecute.h:
2568         (JSC::DFG::safeToExecute):
2569         * dfg/DFGSpeculativeJIT.cpp:
2570         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor):
2571         (JSC::DFG::SpeculativeJIT::compileNumberToStringWithValidRadixConstant):
2572         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnNumber): Deleted.
2573         * dfg/DFGSpeculativeJIT.h:
2574         * dfg/DFGSpeculativeJIT32_64.cpp:
2575         (JSC::DFG::SpeculativeJIT::compile):
2576         * dfg/DFGSpeculativeJIT64.cpp:
2577         (JSC::DFG::SpeculativeJIT::compile):
2578         * dfg/DFGStrengthReductionPhase.cpp:
2579         (JSC::DFG::StrengthReductionPhase::handleNode):
2580         * ftl/FTLCapabilities.cpp:
2581         (JSC::FTL::canCompile):
2582         * ftl/FTLLowerDFGToB3.cpp:
2583         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2584         (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
2585         * runtime/JSGlobalObject.cpp:
2586         (JSC::JSGlobalObject::JSGlobalObject):
2587         (JSC::JSGlobalObject::init):
2588         (JSC::JSGlobalObject::visitChildren):
2589         * runtime/JSGlobalObject.h:
2590         (JSC::JSGlobalObject::numberToStringWatchpoint):
2591         (JSC::JSGlobalObject::numberProtoToStringFunction const):
2592         * runtime/NumberPrototype.cpp:
2593         (JSC::NumberPrototype::finishCreation):
2594         (JSC::toStringWithRadixInternal):
2595         (JSC::toStringWithRadix):
2596         (JSC::int32ToStringInternal):
2597         (JSC::numberToStringInternal):
2598         * runtime/NumberPrototype.h:
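
        The radix behaviour that separates the two nodes above, as an added example (not JSC code and
        not part of the ChangeLog): a constant radix in the valid range is what lets the engine take
        the non-throwing path, while an out-of-range radix such as `number.toString(2000)` throws a
        RangeError at run time. The valid range checked here is the ECMAScript one, 2 to 36 inclusive;
        the helper names are constructed for the example.

```javascript
// Added example (not JSC code): radix validation around Number.prototype.toString.

// ECMAScript accepts an integer radix in [2, 36]; anything else throws RangeError.
// This check is deliberately stricter than the engine, which truncates a
// fractional radix (16.5 is treated as 16) before range-checking it.
function isValidRadix(radix) {
  return Number.isInteger(radix) && radix >= 2 && radix <= 36;
}

// Convert with a possibly untrusted radix without letting the RangeError
// escape; returns null when the radix is not acceptable.
function toStringWithRadixChecked(n, radix) {
  if (!isValidRadix(radix)) return null;
  return n.toString(radix);
}

// Show what the engine itself does for a given radix: null when the call
// succeeds, otherwise the name of the thrown error (the ChangeLog's
// number.toString(2000) case yields "RangeError").
function errorNameForRadix(n, radix) {
  try {
    n.toString(radix);
    return null;
  } catch (e) {
    return e.name;
  }
}

// parseInt understands the same radix range, so a valid radix round-trips.
function roundTrips(n, radix) {
  return parseInt(n.toString(radix), radix) === n;
}
```

        A radix that comes from input should go through a check like `isValidRadix` rather than
        straight into `toString`, since an invalid value surfaces as an exception from an otherwise
        innocuous-looking formatting call.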
2599
2600 2017-09-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2601
2602         [DFG] Consider increasing the number of DFG worklist threads
2603         https://bugs.webkit.org/show_bug.cgi?id=176222
2604
2605         Reviewed by Saam Barati.
2606
2607         Attempt to add one more thread to the DFG worklist. The DFG compiler sometimes takes
2608         a very long time if the target function is very large. However, the DFG worklist
2609         has only one thread before this patch. Therefore, one function that takes
2610         too much time to be compiled can prevent the other functions from being
2611         compiled in DFG or upper tiers.
2612
2613         One example is Octane/zlib. In zlib, compiling the "a1" function in DFG takes
2614         a super long time (447 ms) because of the super large size of the function.
2615         While this function never gets compiled in FTL due to its large size,
2616         it can be compiled in DFG and takes a super long time. The subsequent "a8" function
2617         compilation in DFG is blocked by this "a1". As a consequence, the benchmark
2618         takes a very long time in a1/Baseline code, which is slower than DFG of course.
2619
2620         While FTL has a few more threads, the DFG worklist has only one thread. This patch
2621         adds one more thread to the DFG worklist to alleviate the above situation. This
2622         change significantly improves Octane/zlib performance.
2623
2624                                     baseline                  patched
2625
2626         zlib           x2     482.32825+-6.07640    ^   408.66072+-14.03856      ^ definitely 1.1803x faster
2627
2628         * runtime/Options.h:
2629
2630 2017-09-04  Sam Weinig  <sam@webkit.org>
2631
2632         [WebIDL] Unify and simplify EnableBySettings with the rest of the runtime settings
2633         https://bugs.webkit.org/show_bug.cgi?id=176312
2634
2635         Reviewed by Darin Adler.
2636
2637         * runtime/CommonIdentifiers.h:
2638
2639             Remove WebCore specific identifiers from CommonIdentifiers. They have been moved
2640             to WebCoreBuiltinNames in WebCore.
2641
2642 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2643
2644         Remove "malloc" and "free" use
2645         https://bugs.webkit.org/show_bug.cgi?id=176310
2646
2647         Reviewed by Darin Adler.
2648
2649         Use Vector instead.
2650
2651         * API/JSWrapperMap.mm:
2652         (selectorToPropertyName):
2653
2654 2017-09-03  Darin Adler  <darin@apple.com>
2655
2656         Try to fix Windows build.
2657
2658         * runtime/JSGlobalObjectFunctions.cpp: #include <unicode/utf8.h>.
2659
2660 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2661
2662         [WTF] Add C++03 allocator interface for GCC < 6
2663         https://bugs.webkit.org/show_bug.cgi?id=176301
2664
2665         Reviewed by Darin Adler.
2666
2667         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2668
2669 2017-09-03  Chris Dumez  <cdumez@apple.com>
2670
2671         Unreviewed, rolling out r221555.
2672
2673         Did not fix Windows build
2674
2675         Reverted changeset:
2676
2677         "Unreviewed attempt to fix Windows build."
2678         http://trac.webkit.org/changeset/221555
2679
2680 2017-09-03  Chris Dumez  <cdumez@apple.com>
2681
2682         Unreviewed attempt to fix Windows build.
2683
2684         * runtime/JSGlobalObjectFunctions.cpp:
2685
2686 2017-09-03  Chris Dumez  <cdumez@apple.com>
2687
2688         Unreviewed, rolling out r221552.
2689
2690         Broke the build
2691
2692         Reverted changeset:
2693
2694         "[WTF] Add C++03 allocator interface for GCC < 6"
2695         https://bugs.webkit.org/show_bug.cgi?id=176301
2696         http://trac.webkit.org/changeset/221552
2697
2698 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2699
2700         [WTF] Add C++03 allocator interface for GCC < 6
2701         https://bugs.webkit.org/show_bug.cgi?id=176301
2702
2703         Reviewed by Darin Adler.
2704
2705         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2706
2707 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2708
2709         [JSC] Clean up BytecodeLivenessAnalysis
2710         https://bugs.webkit.org/show_bug.cgi?id=176295
2711
2712         Reviewed by Saam Barati.
2713
2714         Previously, computeDefsForBytecodeOffset was a bit customizable.
2715         This was used for the try-catch handler's liveness analysis. But after
2716         the careful generatorification implementation, it is no longer necessary.
2717         This patch drops this customizability.
2718
2719         * bytecode/BytecodeGeneratorification.cpp:
2720         (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
2721         (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
2722         * bytecode/BytecodeLivenessAnalysis.cpp:
2723         (JSC::BytecodeLivenessAnalysis::computeKills):
2724         (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
2725         (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
2726         * bytecode/BytecodeLivenessAnalysis.h:
2727         * bytecode/BytecodeLivenessAnalysisInlines.h:
2728         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
2729         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
2730         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
2731         (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
2732         (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
2733         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction): Deleted.
2734         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBytecodeOffset): Deleted.
2735         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBlock): Deleted.
2736         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::getLivenessInfoAtBytecodeOffset): Deleted.
2737         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint): Deleted.
2738
2739 2017-09-03  Sam Weinig  <sam@webkit.org>
2740
2741         Remove CanvasProxy
2742         https://bugs.webkit.org/show_bug.cgi?id=176288
2743
2744         Reviewed by Yusuke Suzuki.
2745
2746         CanvasProxy does not appear to be in any current HTML spec
2747         and was disabled and unimplemented in our tree. Time to 
2748         get rid of it.
2749
2750         * Configurations/FeatureDefines.xcconfig:
2751
2752 2017-09-02  Oliver Hunt  <oliver@apple.com>
2753
2754         Need an API to get the global context from JSObjectRef
2755         https://bugs.webkit.org/show_bug.cgi?id=176291
2756
2757         Reviewed by Saam Barati.
2758
2759         Very simple additional API, starting off as SPI on principle.
2760
2761         * API/JSObjectRef.cpp:
2762         (JSObjectGetGlobalContext):
2763         * API/JSObjectRefPrivate.h:
2764         * API/tests/testapi.c:
2765         (main):
2766
2767 2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2768
2769         [DFG] Relax arity requirement
2770         https://bugs.webkit.org/show_bug.cgi?id=175523
2771
2772         Reviewed by Saam Barati.
2773
2774         Our DFG pipeline gives up inlining when the arity of the target function is more than the number of the arguments.
2775         It effectively prevents us from inlining and optimizing functions which take some optional arguments in the
2776         pre-ES6 form.
2777
2778         This patch removes the above restriction by performing the arity fixup in DFG.
2779
2780         SixSpeed shows improvement when we can inline arity-mismatched functions. (For example, calling generator.next()).
2781
2782                                        baseline                  patched
2783
2784         defaults.es5             1232.1226+-20.6775    ^    442.3326+-26.1883       ^ definitely 2.7855x faster
2785         rest.es6                    5.3406+-0.8588     ^      3.5812+-0.5388        ^ definitely 1.4913x faster
2786         spread-generator.es6      320.9107+-12.4808         310.4295+-12.0047         might be 1.0338x faster
2787         generator.es6             318.3514+-9.6023     ^    286.4974+-12.6203       ^ definitely 1.1112x faster
2788
2789         * bytecode/InlineCallFrame.cpp:
2790         (JSC::InlineCallFrame::dumpInContext const):
2791         * bytecode/InlineCallFrame.h:
2792         (JSC::InlineCallFrame::InlineCallFrame):
2793         * dfg/DFGAbstractInterpreterInlines.h:
2794         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2795         * dfg/DFGArgumentsEliminationPhase.cpp:
2796         * dfg/DFGArgumentsUtilities.cpp:
2797         (JSC::DFG::argumentsInvolveStackSlot):
2798         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2799         * dfg/DFGByteCodeParser.cpp:
2800         (JSC::DFG::ByteCodeParser::setLocal):
2801         (JSC::DFG::ByteCodeParser::setArgument):
2802         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
2803         (JSC::DFG::ByteCodeParser::flush):
2804         (JSC::DFG::ByteCodeParser::getArgumentCount):
2805         (JSC::DFG::ByteCodeParser::inliningCost):
2806         (JSC::DFG::ByteCodeParser::inlineCall):
2807         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2808         (JSC::DFG::ByteCodeParser::parseBlock):
2809         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2810         * dfg/DFGCommonData.cpp:
2811         (JSC::DFG::CommonData::validateReferences):
2812         * dfg/DFGConstantFoldingPhase.cpp:
2813         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2814         * dfg/DFGGraph.cpp:
2815         (JSC::DFG::Graph::isLiveInBytecode):
2816         * dfg/DFGGraph.h:
2817         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
2818         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2819         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2820         * dfg/DFGOSRExit.cpp:
2821         (JSC::DFG::OSRExit::emitRestoreArguments):
2822         * dfg/DFGOSRExitCompilerCommon.cpp:
2823         (JSC::DFG::reifyInlinedCallFrames):
2824         * dfg/DFGPreciseLocalClobberize.h:
2825         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2826         * dfg/DFGSpeculativeJIT.cpp:
2827         (JSC::DFG::SpeculativeJIT::emitGetLength):
2828         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2829         * dfg/DFGStackLayoutPhase.cpp:
2830         (JSC::DFG::StackLayoutPhase::run):
2831         * ftl/FTLCompile.cpp:
2832         (JSC::FTL::compile):
2833         * ftl/FTLLowerDFGToB3.cpp:
2834         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
2835         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
2836         * ftl/FTLOperations.cpp:
2837         (JSC::FTL::operationMaterializeObjectInOSR):
2838         * interpreter/StackVisitor.cpp:
2839         (JSC::StackVisitor::readInlinedFrame):
2840         * jit/AssemblyHelpers.h:
2841         (JSC::AssemblyHelpers::argumentsStart):
2842         * jit/SetupVarargsFrame.cpp:
2843         (JSC::emitSetupVarargsFrameFastCase):
2844         * runtime/ClonedArguments.cpp:
2845         (JSC::ClonedArguments::createWithInlineFrame):
2846         * runtime/CommonSlowPaths.h:
2847         (JSC::CommonSlowPaths::numberOfExtraSlots):
2848         (JSC::CommonSlowPaths::numberOfStackPaddingSlots):
2849         (JSC::CommonSlowPaths::numberOfStackPaddingSlotsWithExtraSlots):
2850         (JSC::CommonSlowPaths::arityCheckFor):
2851         * runtime/StackAlignment.h:
2852         (JSC::stackAlignmentBytes):
2853         (JSC::stackAlignmentRegisters):
2854
2855 2017-09-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2856
2857         [FTL] FTL allocation for async Function is incorrect
2858         https://bugs.webkit.org/show_bug.cgi?id=176214
2859
2860         Reviewed by Saam Barati.
2861
2862         In FTL, allocating an async function / async generator function was incorrectly using
2863         JSFunction logic. While it is not observable right now since sizeof(JSFunction) == sizeof(JSAsyncFunction),
2864         it is a bug.
2865
2866         * ftl/FTLLowerDFGToB3.cpp:
2867         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2868
2869 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2870
2871         [JSC] Fix "name" and "length" of Proxy revoke function
2872         https://bugs.webkit.org/show_bug.cgi?id=176155
2873
2874         Reviewed by Mark Lam.
2875
2876         ProxyRevoke's length should be configurable, and it does not have
2877         its own name. We add a NameVisibility enum to InternalFunction to
2878         control the visibility of the name.
2879
2880         * runtime/InternalFunction.cpp:
2881         (JSC::InternalFunction::finishCreation):
2882         * runtime/InternalFunction.h:
2883         * runtime/ProxyRevoke.cpp:
2884         (JSC::ProxyRevoke::finishCreation):
2885
2886 2017-08-31  Saam Barati  <sbarati@apple.com>
2887
2888         Throwing an exception in the DFG/FTL should not cause a jettison
2889         https://bugs.webkit.org/show_bug.cgi?id=176060
2890         <rdar://problem/34143348>
2891
2892         Reviewed by Keith Miller.
2893
2894         Throwing an exception is not something that should be a jettison-able
2895         OSR exit. We used to count Throw/ThrowStaticError towards our OSR exit
2896         counts which could cause a CodeBlock to jettison and recompile. This
2897         was dumb. Throwing an exception is not a reason to jettison and
2898         recompile in the way that a speculation failure is. This patch
2899         treats Throw/ThrowStaticError as true terminals in DFG IR.
2900
2901         * bytecode/BytecodeUseDef.h:
2902         (JSC::computeUsesForBytecodeOffset):
2903         * dfg/DFGAbstractInterpreterInlines.h:
2904         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2905         * dfg/DFGByteCodeParser.cpp:
2906         (JSC::DFG::ByteCodeParser::parseBlock):
2907         * dfg/DFGClobberize.h:
2908         (JSC::DFG::clobberize):
2909         * dfg/DFGFixupPhase.cpp:
2910         (JSC::DFG::FixupPhase::fixupNode):
2911         * dfg/DFGInPlaceAbstractState.cpp:
2912         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
2913         * dfg/DFGNode.h:
2914         (JSC::DFG::Node::isTerminal):
2915         (JSC::DFG::Node::isPseudoTerminal):
2916         (JSC::DFG::Node::errorType):
2917         * dfg/DFGNodeType.h:
2918         * dfg/DFGOperations.cpp:
2919         * dfg/DFGOperations.h:
2920         * dfg/DFGPredictionPropagationPhase.cpp:
2921         * dfg/DFGSpeculativeJIT.cpp:
2922         (JSC::DFG::SpeculativeJIT::compileThrow):
2923         (JSC::DFG::SpeculativeJIT::compileThrowStaticError):
2924         * dfg/DFGSpeculativeJIT.h:
2925         (JSC::DFG::SpeculativeJIT::callOperation):
2926         * dfg/DFGSpeculativeJIT32_64.cpp:
2927         (JSC::DFG::SpeculativeJIT::compile):
2928         * dfg/DFGSpeculativeJIT64.cpp:
2929         (JSC::DFG::SpeculativeJIT::compile):
2930         * ftl/FTLLowerDFGToB3.cpp:
2931         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2932         (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
2933         (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError):
2934         * jit/JITOperations.h:
2935
2936 2017-08-31  Saam Barati  <sbarati@apple.com>
2937
2938         Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin
2939         https://bugs.webkit.org/show_bug.cgi?id=176206
2940
2941         Reviewed by Keith Miller.
2942
2943         Mark fixed the main issue in Graph::methodOfGettingAValueProfileFor in r208560
2944         when he fixed it from overwriting invalid parts of the ArithProfile when the
2945         currentNode and the operandNode are from the same bytecode. However, the
2946         mechanism used to determine same bytecode was comparing NodeOrigin. That's
2947         slightly wrong. We need to compare semantic origin, since two NodeOrigins can
2948         have the same semantic origin, but differ only in exitOK. For example,
2949         in the below IR, the DoubleRep and the Phi have the same semantic
2950         origin, but different NodeOrigins.
2951
2952         43 Phi(JS|PureInt, NonBoolInt32|NonIntAsdouble, W:SideState, bc#63, ExitInvalid)
2953         58 ExitOK(MustGen, W:SideState, bc#63)
2954         51 DoubleRep(Check:Number:Kill:@43, Double|PureInt, BytecodeDouble, Exits, bc#63)
2955         54 ArithNegate(DoubleRep:Kill:@51<Double>, Double|UseAsOther|MayHaveDoubleResult, AnyIntAsDouble|NonIntAsdouble, NotSet, Exits, bc#63)
2956
2957         * dfg/DFGGraph.cpp:
2958         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2959
2960 2017-08-31  Don Olmstead  <don.olmstead@sony.com>
2961
2962         [CMake] Make USE_CF conditional within Windows
2963         https://bugs.webkit.org/show_bug.cgi?id=176173
2964
2965         Reviewed by Alex Christensen.
2966
2967         * PlatformWin.cmake:
2968
2969 2017-08-31  Saam Barati  <sbarati@apple.com>
2970
2971         useSeparatedWXHeap should never be true when not on iOS
2972         https://bugs.webkit.org/show_bug.cgi?id=176190
2973
2974         Reviewed by JF Bastien.
2975
2976         If you set useSeparatedWXHeap to true on X86_64, and launch the jsc shell,
2977         the process insta-crashes. Let's silently ignore that option and set it
2978         to false when not on iOS.
2979
2980         * runtime/Options.cpp:
2981         (JSC::recomputeDependentOptions):
2982
2983 2017-08-31  Filip Pizlo  <fpizlo@apple.com>
2984
2985         Fix debug crashes.
2986
2987         Rubber stamped by Mark Lam.
2988
2989         * runtime/JSArrayBufferView.cpp:
2990         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2991
2992 2017-08-31  Filip Pizlo  <fpizlo@apple.com>
2993
2994         All of the different ArrayBuffer::data's should be CagedPtr<>
2995         https://bugs.webkit.org/show_bug.cgi?id=175515
2996
2997         Reviewed by Michael Saboff.
2998         
2999         This straightforwardly implements what the title says.
3000
3001         * runtime/ArrayBuffer.cpp:
3002         (JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
3003         (JSC::ArrayBufferContents::destroy):
3004         (JSC::ArrayBufferContents::tryAllocate):
3005         (JSC::ArrayBufferContents::makeShared):
3006         (JSC::ArrayBufferContents::copyTo):
3007         (JSC::ArrayBuffer::createFromBytes):
3008         (JSC::ArrayBuffer::transferTo):
3009         * runtime/ArrayBuffer.h:
3010         (JSC::SharedArrayBufferContents::data const):
3011         (JSC::ArrayBufferContents::data const):
3012         (JSC::ArrayBuffer::data):
3013         (JSC::ArrayBuffer::data const):
3014         * runtime/ArrayBufferView.h:
3015         (JSC::ArrayBufferView::baseAddress const):
3016         * runtime/CagedBarrierPtr.h: Added a specialization so that CagedBarrierPtr<Gigacage::Foo, void> is valid.
3017         * runtime/DataView.h:
3018         (JSC::DataView::get):
3019         (JSC::DataView::set):
3020         * runtime/JSArrayBufferView.cpp:
3021         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3022         * runtime/JSArrayBufferView.h:
3023         (JSC::JSArrayBufferView::ConstructionContext::vector const):
3024         (JSC::JSArrayBufferView::vector const):
3025         * runtime/JSGenericTypedArrayViewInlines.h:
3026         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
3027
3028 2017-08-22  Filip Pizlo  <fpizlo@apple.com>
3029
3030         Strings need to be in some kind of gigacage
3031         https://bugs.webkit.org/show_bug.cgi?id=174924
3032
3033         Reviewed by Oliver Hunt.
3034
3035         * runtime/JSString.cpp:
3036         (JSC::JSRopeString::resolveRopeToAtomicString const):
3037         (JSC::JSRopeString::resolveRope const):
3038         * runtime/JSString.h:
3039         (JSC::JSString::create):
3040         (JSC::JSString::createHasOtherOwner):
3041         * runtime/JSStringBuilder.h:
3042         * runtime/VM.h:
3043         (JSC::VM::gigacageAuxiliarySpace):
3044
3045 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3046
3047         [JSC] Use reifying system for "name" property of builtin JSFunction
3048         https://bugs.webkit.org/show_bug.cgi?id=175260
3049
3050         Reviewed by Saam Barati.
3051
3052         Currently, builtin JSFunction uses a direct property for "name", which is different
3053         from usual JSFunction. Usual JSFunction uses the reifying system for "name". We would like
3054         to apply this reifying mechanism to builtin JSFunction to simplify code and drop
3055         JSFunction::createBuiltinFunction.
3056
3057         We would like to store the "correct" name in FunctionExecutable. For example,
3058         we would like to store a name like "get [Symbol.species]" in FunctionExecutable
3059         instead of specifying the name when creating JSFunction. To do so, we add new
3060         annotations, @getter and @overriddenName. When @getter is specified, the name of
3061         the function becomes "get xxx". And when @overriddenName="xxx" is specified,
3062         the name of the function becomes "xxx".
3063
3064         We also treat @xxx as anonymous builtin functions, which cannot be achieved in
3065         the current JS without privilege.
3066
3067         * Scripts/builtins/builtins_generate_combined_header.py:
3068         (generate_section_for_code_table_macro):
3069         * Scripts/builtins/builtins_generate_combined_implementation.py:
3070         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
3071         * Scripts/builtins/builtins_generate_separate_header.py:
3072         (generate_section_for_code_table_macro):
3073         * Scripts/builtins/builtins_generate_separate_implementation.py:
3074         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
3075         * Scripts/builtins/builtins_model.py:
3076         (BuiltinFunction.__init__):
3077         (BuiltinFunction.fromString):
3078         * Scripts/builtins/builtins_templates.py:
3079         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
3080         (overriddenName.string_appeared_here.match):
3081         (intrinsic.RegExpTestIntrinsic.test):
3082         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
3083         (overriddenName.string_appeared_here.match):
3084         (intrinsic.RegExpTestIntrinsic.test):
3085         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3086         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3087         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3088         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3089         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3090         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3091         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3092         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3093         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3094         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3095         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3096         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3097         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3098         * builtins/AsyncIteratorPrototype.js:
3099         (symbolAsyncIteratorGetter): Deleted.
3100         * builtins/BuiltinExecutables.cpp:
3101         (JSC::BuiltinExecutables::BuiltinExecutables):
3102         * builtins/BuiltinExecutables.h:
3103         * builtins/BuiltinNames.h:
3104         * builtins/FunctionPrototype.js:
3105         (symbolHasInstance): Deleted.
3106         * builtins/GlobalOperations.js:
3107         (globalPrivate.speciesGetter): Deleted.
3108         * builtins/IteratorPrototype.js:
3109         (symbolIteratorGetter): Deleted.
3110         * builtins/PromiseConstructor.js:
3111         (all.newResolveElement.return.resolve):
3112         (all.newResolveElement):
3113         (all):
3114         * builtins/PromiseOperations.js:
3115         (globalPrivate.newPromiseCapability.executor):
3116         (globalPrivate.newPromiseCapability):
3117         (globalPrivate.createResolvingFunctions.resolve):
3118         (globalPrivate.createResolvingFunctions.reject):
3119         (globalPrivate.createResolvingFunctions):
3120         * builtins/RegExpPrototype.js:
3121         (match): Deleted.
3122         (replace): Deleted.
3123         (search): Deleted.
3124         (split): Deleted.
3125         * jsc.cpp:
3126         (functionCreateBuiltin):
3127         * runtime/AsyncIteratorPrototype.cpp:
3128         (JSC::AsyncIteratorPrototype::finishCreation):
3129         * runtime/FunctionPrototype.cpp:
3130         (JSC::FunctionPrototype::addFunctionProperties):
3131         * runtime/IteratorPrototype.cpp:
3132         (JSC::IteratorPrototype::finishCreation):
3133         * runtime/JSFunction.cpp:
3134         (JSC::JSFunction::finishCreation):
3135         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3136         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
3137         (JSC::JSFunction::createBuiltinFunction): Deleted.
3138         * runtime/JSFunction.h:
3139         * runtime/JSGlobalObject.cpp:
3140         (JSC::JSGlobalObject::init):
3141         * runtime/JSObject.cpp:
3142         (JSC::JSObject::putDirectBuiltinFunction):
3143         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
3144         * runtime/JSTypedArrayViewPrototype.cpp:
3145         (JSC::JSTypedArrayViewPrototype::finishCreation):
3146         * runtime/Lookup.cpp:
3147         (JSC::reifyStaticAccessor):
3148         * runtime/MapPrototype.cpp:
3149         (JSC::MapPrototype::finishCreation):
3150         * runtime/RegExpPrototype.cpp:
3151         (JSC::RegExpPrototype::finishCreation):
3152         * runtime/SetPrototype.cpp:
3153         (JSC::SetPrototype::finishCreation):
3154
3155 2017-08-30  Ryan Haddad  <ryanhaddad@apple.com>
3156
3157         Unreviewed, rolling out r221327.
3158
3159         This change caused test262 failures.
3160
3161         Reverted changeset:
3162
3163         "[JSC] Use reifying system for "name" property of builtin
3164         JSFunction"
3165         https://bugs.webkit.org/show_bug.cgi?id=175260
3166         http://trac.webkit.org/changeset/221327
3167
3168 2017-08-30  Matt Lewis  <jlewis3@apple.com>
3169
3170         Unreviewed, rolling out r221384.
3171
3172         This patch caused multiple 32-bit JSC test failures.
3173
3174         Reverted changeset:
3175
3176         "Strings need to be in some kind of gigacage"
3177         https://bugs.webkit.org/show_bug.cgi?id=174924
3178         http://trac.webkit.org/changeset/221384
3179
3180 2017-08-30  Saam Barati  <sbarati@apple.com>
3181
3182         semicolon is being interpreted as an = in the LiteralParser
3183         https://bugs.webkit.org/show_bug.cgi?id=176114
3184
3185         Reviewed by Oliver Hunt.
3186
3187         When lexing a semicolon in the LiteralParser, we were properly
3188         setting the TokenType on the current token; however, we were
3189         *returning* the wrong TokenType. The lex function both returns
3190         the TokenType and sets it on the current token. Semicolon was
3191         setting the TokenType to semicolon, but returning the TokenType
3192         for '='. This caused programs like `x;123` to be interpreted as
3193         `x=123`.
3194
3195         * runtime/LiteralParser.cpp:
3196         (JSC::LiteralParser<CharType>::Lexer::lex):
3197         (JSC::LiteralParser<CharType>::Lexer::next):
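
        The following is an added illustration, not code from JavaScriptCore's LiteralParser. It is a
        toy lexer (names ToyLexer, describeStatement and lexerIsSelfConsistent are assumptions made here)
        built the same way the entry describes: lex() both stores the token type on the current token and
        returns it. With reproduceBug set, ';' is stored correctly but returned as the '=' token, so a parser
        that trusts the return value reads `x;123` as an assignment. The self-consistency check shows the
        kind of assertion that catches a disagreement between the two channels.

```cpp
#include <cassert>
#include <cctype>
#include <string>

// Token kinds for a tiny statement grammar: identifier ('=' | ';') number.
enum TokenType { TokIdentifier, TokNumber, TokAssign, TokSemicolon, TokEnd, TokError };

struct Token {
    TokenType type = TokEnd;
    std::string text;
};

class ToyLexer {
public:
    // reproduceBug = true models the defect: ';' is recorded as TokSemicolon but returned as TokAssign.
    ToyLexer(const std::string& source, bool reproduceBug)
        : m_source(source), m_reproduceBug(reproduceBug) { }

    // lex() both stores the token type on the current token and returns it,
    // mirroring the two-channel design the entry describes.
    TokenType lex()
    {
        while (m_pos < m_source.size() && std::isspace(static_cast<unsigned char>(m_source[m_pos])))
            ++m_pos;
        m_current.text.clear();
        if (m_pos >= m_source.size())
            return m_current.type = TokEnd;
        char c = m_source[m_pos];
        if (std::isalpha(static_cast<unsigned char>(c))) {
            while (m_pos < m_source.size() && std::isalnum(static_cast<unsigned char>(m_source[m_pos])))
                m_current.text += m_source[m_pos++];
            return m_current.type = TokIdentifier;
        }
        if (std::isdigit(static_cast<unsigned char>(c))) {
            while (m_pos < m_source.size() && std::isdigit(static_cast<unsigned char>(m_source[m_pos])))
                m_current.text += m_source[m_pos++];
            return m_current.type = TokNumber;
        }
        ++m_pos;
        m_current.text = std::string(1, c);
        if (c == '=')
            return m_current.type = TokAssign;
        if (c == ';') {
            m_current.type = TokSemicolon; // stored correctly ...
            return m_reproduceBug ? TokAssign : TokSemicolon; // ... but returned wrongly in the buggy variant
        }
        return m_current.type = TokError;
    }

    const Token& current() const { return m_current; }

private:
    std::string m_source;
    size_t m_pos = 0;
    bool m_reproduceBug;
    Token m_current;
};

// Parses "ident '=' number" or "ident ';' number", deciding on the *returned*
// token type as the affected code did. Returns what the parser believed it saw.
std::string describeStatement(const std::string& source, bool reproduceBug)
{
    ToyLexer lexer(source, reproduceBug);
    if (lexer.lex() != TokIdentifier)
        return "error";
    std::string lhs = lexer.current().text;
    TokenType separator = lexer.lex();
    if (lexer.lex() != TokNumber)
        return "error";
    std::string rhs = lexer.current().text;
    if (separator == TokAssign)
        return "assign(" + lhs + "," + rhs + ")";
    if (separator == TokSemicolon)
        return "sequence(" + lhs + ";" + rhs + ")";
    return "error";
}

// Defensive check for this class of bug: every lex() return value must match the
// type stored on the current token. Returns false on the first mismatch.
bool lexerIsSelfConsistent(const std::string& source, bool reproduceBug)
{
    ToyLexer lexer(source, reproduceBug);
    for (;;) {
        TokenType returned = lexer.lex();
        if (returned != lexer.current().type)
            return false;
        if (returned == TokEnd || returned == TokError)
            return true;
    }
}

int main()
{
    assert(describeStatement("x;123", true) == "assign(x,123)"); // the misparse from the entry
    assert(describeStatement("x;123", false) == "sequence(x;123)");
    assert(!lexerIsSelfConsistent("x;123", true));
    assert(lexerIsSelfConsistent("x;123", false));
    return 0;
}
```

        The useful habit here is to have exactly one source of truth for the token kind: either return it
        or store it, and when both exist, assert their agreement in debug builds so a divergence like the
        one above fails at lex time rather than surfacing as a silent misparse.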
3198
3199 2017-08-22  Filip Pizlo  <fpizlo@apple.com>
3200
3201         Strings need to be in some kind of gigacage
3202         https://bugs.webkit.org/show_bug.cgi?id=174924
3203
3204         Reviewed by Oliver Hunt.
3205
3206         * runtime/JSString.cpp:
3207         (JSC::JSRopeString::resolveRopeToAtomicString const):
3208         (JSC::JSRopeString::resolveRope const):
3209         * runtime/JSString.h:
3210         (JSC::JSString::create):
3211         (JSC::JSString::createHasOtherOwner):
3212         * runtime/JSStringBuilder.h:
3213         * runtime/VM.h:
3214         (JSC::VM::gigacageAuxiliarySpace):
3215
3216 2017-08-30  Oleksandr Skachkov  <gskachkov@gmail.com>
3217
3218         [ESNext] Async iteration - Implement async iteration statement: for-await-of
3219         https://bugs.webkit.org/show_bug.cgi?id=166698
3220
3221         Reviewed by Yusuke Suzuki.
3222
3223         Implementation of the for-await-of statement.
3224
3225         * bytecompiler/BytecodeGenerator.cpp:
3226         (JSC::BytecodeGenerator::emitEnumeration):
3227         (JSC::BytecodeGenerator::emitIteratorNext):
3228         * bytecompiler/BytecodeGenerator.h:
3229         * parser/ASTBuilder.h:
3230         (JSC::ASTBuilder::createForOfLoop):
3231         * parser/NodeConstructors.h:
3232         (JSC::ForOfNode::ForOfNode):
3233         * parser/Nodes.h:
3234         (JSC::ForOfNode::isForAwait const):
3235         * parser/Parser.cpp:
3236         (JSC::Parser<LexerType>::parseForStatement):
3237         * parser/Parser.h:
3238         (JSC::Scope::setSourceParseMode):
3239         (JSC::Scope::setIsFunction):
3240         (JSC::Scope::setIsAsyncGeneratorFunction):
3241         (JSC::Scope::setIsAsyncGeneratorFunctionBody):
3242         * parser/SyntaxChecker.h:
3243         (JSC::SyntaxChecker::createForOfLoop):
3244
3245 2017-08-29  Commit Queue  <commit-queue@webkit.org>
3246
3247         Unreviewed, rolling out r221317.
3248         https://bugs.webkit.org/show_bug.cgi?id=176090
3249
3250         "It broke a testing mode because we will never FTL compile a
3251         function that repeatedly throws" (Requested by saamyjoon on
3252         #webkit).
3253
3254         Reverted changeset:
3255
3256         "Throwing an exception in the DFG/FTL should not be a
3257         jettison-able OSR exit"
3258         https://bugs.webkit.org/show_bug.cgi?id=176060
3259         http://trac.webkit.org/changeset/221317
3260
3261 2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3262
3263         [DFG] Add constant folding rule to convert CompareStrictEq(Untyped, Untyped [with non string cell constant]) to CompareEqPtr(Untyped)
3264         https://bugs.webkit.org/show_bug.cgi?id=175895
3265
3266         Reviewed by Saam Barati.
3267
3268         We have `bucket === @sentinelMapBucket` code in builtins. Since @sentinelMapBucket and bucket
3269         are MapBucket cells (SpecCellOther), we do not have any good fixup for CompareStrictEq.
3270         But rather than introducing a special fixup edge (like NonStringCellUse), converting
3271         CompareStrictEq(Untyped, Untyped) to CompareEqPtr is simpler.
3272         In the constant folding phase, we convert CompareStrictEq(Untyped, Untyped) to CompareEqPtr(Untyped)
3273         if one side of the children is a constant non-String cell.
3274
3275         This slightly optimizes map/set iteration.
3276
3277         set-for-each          4.5064+-0.3072     ^      3.2862+-0.2098        ^ definitely 1.3713x faster
3278         large-map-iteration  56.2583+-1.6640           53.6798+-2.0097          might be 1.0480x faster
3279         set-for-of            8.8058+-0.5953     ^      7.5832+-0.3805        ^ definitely 1.1612x faster
3280         map-for-each          4.2633+-0.2694     ^      3.3967+-0.3013        ^ definitely 1.2551x faster
3281         map-for-of           13.1556+-0.5707           12.4911+-0.6004          might be 1.0532x faster
3282
3283         * dfg/DFGAbstractInterpreterInlines.h:
3284         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3285         * dfg/DFGConstantFoldingPhase.cpp:
3286         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3287         * dfg/DFGNode.h:
3288         (JSC::DFG::Node::convertToCompareEqPtr):
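
        The following is an added toy model of the folding rule above, not DFG code (Cell, Value, Node,
        foldCompareStrictEq and the scenario functions are assumptions made here). It shows why the rule is
        restricted to non-String cell constants: for objects and map buckets, strict equality is pointer
        identity, so CompareEqPtr is equivalent; for strings, strict equality compares contents, so two
        distinct string cells with equal contents would be === yet not pointer-equal, and folding would be
        unsound.

```cpp
#include <cassert>
#include <initializer_list>
#include <string>

// A heap cell in the toy runtime. Strings carry contents; other cells compare by identity.
struct Cell {
    enum Kind { String, Object, MapBucket } kind;
    std::string contents; // only meaningful for String cells
};

// A toy JS value: either a number or a pointer to a cell.
struct Value {
    bool isCell = false;
    double number = 0;
    const Cell* cell = nullptr;
    static Value fromNumber(double n) { Value v; v.number = n; return v; }
    static Value fromCell(const Cell* c) { Value v; v.isCell = true; v.cell = c; return v; }
};

// JS-style ===: strings by contents, other cells by identity, numbers by value.
bool strictEquals(const Value& a, const Value& b)
{
    if (a.isCell != b.isCell)
        return false;
    if (!a.isCell)
        return a.number == b.number;
    if (a.cell->kind == Cell::String && b.cell->kind == Cell::String)
        return a.cell->contents == b.cell->contents;
    return a.cell == b.cell;
}

// What CompareEqPtr computes: raw pointer identity.
bool pointerEquals(const Value& a, const Value& b)
{
    return a.isCell && b.isCell && a.cell == b.cell;
}

// Toy IR node: each child is either a runtime (Untyped) operand or a compile-time constant.
struct Node {
    enum Op { CompareStrictEq, CompareEqPtr };
    Op op = CompareStrictEq;
    bool leftIsConstant = false;
    Value leftConstant;
    bool rightIsConstant = false;
    Value rightConstant;
};

// Only for a cell that is not a String is === the same as pointer identity.
static bool isNonStringCellConstant(bool isConstant, const Value& v)
{
    return isConstant && v.isCell && v.cell->kind != Cell::String;
}

// The folding rule from the entry. Returns true if the node was converted.
bool foldCompareStrictEq(Node& node)
{
    if (node.op != Node::CompareStrictEq)
        return false;
    if (!isNonStringCellConstant(node.leftIsConstant, node.leftConstant)
        && !isNonStringCellConstant(node.rightIsConstant, node.rightConstant))
        return false;
    node.op = Node::CompareEqPtr;
    return true;
}

// Execute the node; a constant child overrides the corresponding runtime operand.
bool execute(const Node& node, const Value& left, const Value& right)
{
    const Value& a = node.leftIsConstant ? node.leftConstant : left;
    const Value& b = node.rightIsConstant ? node.rightConstant : right;
    return node.op == Node::CompareStrictEq ? strictEquals(a, b) : pointerEquals(a, b);
}

// `bucket === @sentinelMapBucket` with the sentinel as a constant MapBucket cell:
// the fold must fire and give the same answer as the original for every probe.
bool sentinelBucketFoldIsSound()
{
    static const Cell sentinel{Cell::MapBucket, ""};
    static const Cell otherBucket{Cell::MapBucket, ""};
    Node node;
    node.rightIsConstant = true;
    node.rightConstant = Value::fromCell(&sentinel);
    const Node original = node;
    if (!foldCompareStrictEq(node) || node.op != Node::CompareEqPtr)
        return false;
    Value unused;
    for (const Value& probe : { Value::fromCell(&sentinel), Value::fromCell(&otherBucket), Value::fromNumber(1) }) {
        if (execute(original, probe, unused) != execute(node, probe, unused))
            return false;
    }
    return true;
}

// A String constant must not be folded: a distinct string cell with equal contents
// is === the constant, but a pointer compare would say false.
bool stringConstantIsNotFolded()
{
    static const Cell constantString{Cell::String, "foo"};
    static const Cell runtimeString{Cell::String, "foo"}; // distinct cell, same contents
    Node node;
    node.rightIsConstant = true;
    node.rightConstant = Value::fromCell(&constantString);
    if (foldCompareStrictEq(node))
        return false; // the rule must decline
    Value unused;
    bool strict = execute(node, Value::fromCell(&runtimeString), unused); // true
    Node forced = node;
    forced.op = Node::CompareEqPtr; // what an over-eager fold would have produced
    bool byPointer = execute(forced, Value::fromCell(&runtimeString), unused); // false
    return strict && !byPointer;
}

int main()
{
    assert(sentinelBucketFoldIsSound());
    assert(stringConstantIsNotFolded());
    return 0;
}
```

        The check that matters for a fold like this is the one in stringConstantIsNotFolded: a rewrite
        that replaces a semantic comparison with an identity comparison is only sound for value kinds
        whose equality already is identity, which is exactly why the rule asks for a non-String cell.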
3289
3290 2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3291
3292         [JSC] Use reifying system for "name" property of builtin JSFunction
3293         https://bugs.webkit.org/show_bug.cgi?id=175260
3294
3295         Reviewed by Saam Barati.
3296
3297         Currently, builtin JSFunction uses a direct property for "name", which is different
3298         from usual JSFunction. Usual JSFunction uses the reifying system for "name". We would like
3299         to apply this reifying mechanism to builtin JSFunction to simplify the code and drop
3300         JSFunction::createBuiltinFunction.
3301
3302         We would like to store the "correct" name in FunctionExecutable. For example,
3303         we would like to store a name like "get [Symbol.species]" in FunctionExecutable
3304         instead of specifying the name when creating the JSFunction. To do so, we add two new
3305         annotations, @getter and @overriddenName. When @getter is specified, the name of
3306         the function becomes "get xxx". And when @overriddenName="xxx" is specified,
3307         the name of the function becomes "xxx".
3308
3309         * Scripts/builtins/builtins_generate_combined_header.py:
3310         (generate_section_for_code_table_macro):
3311         * Scripts/builtins/builtins_generate_combined_implementation.py:
3312         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
3313         * Scripts/builtins/builtins_generate_separate_header.py:
3314         (generate_section_for_code_table_macro):
3315         * Scripts/builtins/builtins_generate_separate_implementation.py:
3316         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
3317         * Scripts/builtins/builtins_model.py:
3318         (BuiltinFunction.__init__):
3319         (BuiltinFunction.fromString):
3320         * Scripts/builtins/builtins_templates.py:
3321         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
3322         (overriddenName.string_appeared_here.match):
3323         (intrinsic.RegExpTestIntrinsic.test):
3324         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
3325         (overriddenName.string_appeared_here.match):
3326         (intrinsic.RegExpTestIntrinsic.test):
3327         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3328         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3329         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3330         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3331         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3332         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3333         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3334         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3335         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: