f2d564c6517f8d95ca01a72bf5e1adde83b13220
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-09-20  Keith Miller  <keith_miller@apple.com>

        Rename source list file to Sources.txt
        https://bugs.webkit.org/show_bug.cgi?id=177283

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt: Renamed from Source/JavaScriptCore/sources.txt.

2017-09-20  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix string capitalization

        * JavaScriptCore.xcodeproj/project.pbxproj:

2017-09-20  Keith Miller  <keith_miller@apple.com>

        JSC Xcode build should use unified sources for platform independent files
        https://bugs.webkit.org/show_bug.cgi?id=177190

        Reviewed by Saam Barati.

        This patch changes the Xcode build to use unified sources. The
        main difference from a development perspective is that instead of
        adding source files to Xcode, they need to be added to the shared
        sources.txt. For now, platform specific files are still added
        to the JavaScriptCore target.

        Because Xcode needs to know about all the files before we generate
        them, all the unified source files need to be added to the
        JavaScriptCore framework target. As a result, if we run out of
        bundle files more will need to be added to the project. Currently,
        there are no spare files. If adding more bundle files becomes
        problematic we can change this.

        LowLevelInterpreter.cpp can't be added to the unified source list yet
        due to a clang bug.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * sources.txt: Added.

2017-09-20  Per Arne Vollan  <pvollan@apple.com>

        [Win] Cannot find script to generate unified sources.
        https://bugs.webkit.org/show_bug.cgi?id=177014

        Reviewed by Keith Miller.

        The ruby script can now be found in WTF/Scripts in the forwarding headers folder.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.proj:

2017-09-20  Alberto Garcia  <berto@igalia.com>

        Fix HPPA and Alpha builds
        https://bugs.webkit.org/show_bug.cgi?id=177224

        Reviewed by Alex Christensen.

        * CMakeLists.txt:

2017-09-18  Filip Pizlo  <fpizlo@apple.com>

        ErrorInstance and Exception need destroy methods
        https://bugs.webkit.org/show_bug.cgi?id=177095

        Reviewed by Saam Barati.

        When I made ErrorInstance and Exception into JSDestructibleObjects, I forgot to make them
        follow that type's protocol.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::destroy): Implement this to fix leaks.
        * runtime/ErrorInstance.h:
        * runtime/Exception.h: Change how this is declared now that this is a DestructibleObject.

2017-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Consider dropping JSObjectSetPrototype feature for JSGlobalObject
        https://bugs.webkit.org/show_bug.cgi?id=177070

        Reviewed by Saam Barati.

        For security reasons, our global object is an immutable prototype exotic object.
        It prevents users from injecting proxies into the prototype chain of the global object[1].
        But our JSC API does not respect this attribute, and allows users to change the [[Prototype]]
        of the global object after instantiating it.

        This patch removes this feature. Once the global object is instantiated, we cannot change the [[Prototype]]
        of the global object. It drops the use of JSGlobalObject::resetPrototype, which involves GlobalThis
        edge cases.

        [1]: https://github.com/tc39/ecma262/commit/935dad4283d045bc09c67a259279772d01b3d33d

        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        * API/tests/CustomGlobalObjectClassTest.c:
        (globalObjectSetPrototypeTest):
103
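The proxy-injection risk that the entry above closes off, shown as an added JavaScript example (this is not JSC code and not its API test; `tryInjectProxy` and the other function names are mine). It splices a recording Proxy into an object's prototype chain and checks whether a lookup of a property the object does not own is observed by that Proxy. Object.prototype stands in as the spec-guaranteed immutable prototype exotic object; a plain object shows what an attacker gets when [[Prototype]] is mutable. Whether `globalThis` also resists depends on the engine (WebIDL requires it for browser globals), which is exactly the property the JSC API change enforces for its global object.

```javascript
"use strict";

// Try to splice a recording Proxy into obj's prototype chain, then look up a
// property obj does not own. A Proxy sitting in the chain sees every lookup
// that misses on the object itself; on a global object that would be every
// reference to an undeclared global.
function tryInjectProxy(obj, missingKey) {
  const seen = [];
  const originalProto = Object.getPrototypeOf(obj);
  const spy = new Proxy(Object.create(originalProto), {
    get(target, key, receiver) {
      seen.push(key);
      return Reflect.get(target, key, receiver);
    },
  });
  // Reflect.setPrototypeOf reports false on an immutable prototype exotic
  // object instead of throwing (Object.setPrototypeOf would throw TypeError).
  const injected = Reflect.setPrototypeOf(obj, spy);
  const value = obj[missingKey];
  const intercepted = seen.includes(missingKey);
  if (injected) {
    // Undo the injection so the rest of the program is unaffected.
    Reflect.setPrototypeOf(obj, originalProto);
  }
  return { injected, intercepted, value };
}

// Object.prototype is an immutable prototype exotic object by spec:
// the injection is refused and the lookup is never observed.
function objectPrototypeResists() {
  const r = tryInjectProxy(Object.prototype, "injectedByAttacker");
  return !r.injected && !r.intercepted && r.value === undefined;
}

// A plain object has a mutable [[Prototype]]: the injection succeeds and the
// miss on "injectedByAttacker" is reported to the attacker's get trap.
function plainObjectIsInjectable() {
  const r = tryInjectProxy({}, "injectedByAttacker");
  return r.injected && r.intercepted;
}

// Setting the prototype to its current value is still allowed on an immutable
// prototype exotic object (the SameValue short-circuit in the spec).
function sameValueSetIsAllowed() {
  return Reflect.setPrototypeOf(Object.prototype, null);
}

// Engine-dependent: true when the host makes its global object an immutable
// prototype exotic object, as JSC does after the change above.
function globalThisResists() {
  return !tryInjectProxy(globalThis, "injectedByAttacker").injected;
}

console.log({
  objectPrototype: objectPrototypeResists(),
  plainObject: plainObjectIsInjectable(),
  sameValueAllowed: sameValueSetIsAllowed(),
  globalThis: globalThisResists(),
});
```

Run it with node. The first three results are fixed by the language specification; only the `globalThis` result varies by engine, and it is the one an embedder using the JSC C API could previously flip by calling JSObjectSetPrototype on the global object.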
2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove ToThis more aggressively
        https://bugs.webkit.org/show_bug.cgi?id=177056

        Reviewed by Saam Barati.

        The variations of toThis() implementations are limited. So, we attempt to implement the common toThis operation in AI.
        We move scope-related toThis to JSScope::toThis, and AI investigates the proven value's/structure's toThis methods
        and attempts to fold/convert them to efficient nodes.

        We introduce GetGlobalThis, which just loads globalThis from the semantic origin's globalObject. Using this,
        we can implement JSScope::toThis in DFG. This avoids the costly toThis indirect function pointer call.

        Currently, we just emit GetGlobalThis if necessary. We can further convert it to a constant if we can put a
        watchpoint on JSGlobalObject's globalThis change. But we leave it for a future patch for now.

        This removes GetGlobalThis from ES6 generators in common cases.

        spread-generator.es6      303.1550+-9.5037          290.9337+-8.3487          might be 1.0420x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::isToThisAnIdentity):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetGlobalThis):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetGlobalThis):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
        * runtime/JSGlobalLexicalEnvironment.cpp:
        (JSC::JSGlobalLexicalEnvironment::toThis): Deleted.
        * runtime/JSGlobalLexicalEnvironment.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::toThis): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::addressOfGlobalThis):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::toThis): Deleted.
        * runtime/JSLexicalEnvironment.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::toThis):
        * runtime/JSScope.h:
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::toThis): Deleted.
        * runtime/StrictEvalActivation.h:
170
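The JS-visible behaviour that toThis implements, and the rule under which the DFG can treat ToThis as an identity, as an added JavaScript example (not JSC code; `predictsIdentity` is my reading of the rule implied above, namely that ToThis is the identity in strict code and whenever the receiver is already known to be an object, and is not the engine's isToThisAnIdentity). Sloppy- and strict-mode functions are built with the Function constructor so both can live in one strict file; the table of receivers is constructed for the example.

```javascript
"use strict";

// Sloppy-mode function: ToThis boxes primitive receivers and substitutes the
// global object for undefined/null (the value GetGlobalThis loads).
const sloppyThis = new Function("return this");
// Strict-mode function: ToThis is the identity; the receiver passes through.
const strictThis = new Function('"use strict"; return this');

// My reading of when ToThis folds to the identity (assumption, not JSC's
// isToThisAnIdentity): always in strict mode; in sloppy mode only when the
// receiver is already an object, so neither boxing nor the undefined/null
// to globalThis substitution can apply.
function predictsIdentity(strict, receiver) {
  if (strict) return true;
  return receiver !== null && (typeof receiver === "object" || typeof receiver === "function");
}

// Classify what ToThis actually did to a receiver.
function describeToThis(fn, receiver) {
  const result = fn.call(receiver);
  if (result === receiver) return "identity";
  if (receiver == null && result === globalThis) return "global";
  if (result !== null && typeof result === "object" && result.valueOf() === receiver) return "boxed";
  return "other";
}

// Cross-check the prediction against observed behaviour over a spread of
// receivers. Returns the mismatches; an empty list means the rule holds.
function checkPredictions() {
  const receivers = [undefined, null, 42, "str", true, {}, [], function () {}];
  const mismatches = [];
  for (const [mode, fn, strict] of [["sloppy", sloppyThis, false], ["strict", strictThis, true]]) {
    for (const receiver of receivers) {
      const observedIdentity = fn.call(receiver) === receiver;
      if (observedIdentity !== predictsIdentity(strict, receiver))
        mismatches.push({ mode, receiver, observedIdentity });
    }
  }
  return mismatches;
}

// Outcome per receiver for each mode: the sloppy row is where a compiler has
// to keep ToThis; the strict row is pure identity.
function toThisTable() {
  const receivers = [undefined, null, 42, "str", true, {}];
  const table = {};
  for (const [mode, fn] of [["sloppy", sloppyThis], ["strict", strictThis]])
    table[mode] = receivers.map((r) => describeToThis(fn, r));
  return table;
}

console.log(toThisTable());
console.log("mismatches:", checkPredictions());
```

The sloppy row reads global, global, boxed, boxed, boxed, identity; the strict row is identity throughout. That asymmetry is why proving the receiver's type (or being in strict code) is enough to delete the node, and why the only residue in sloppy code with an unknown receiver is a load of globalThis.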
2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        Merge JSLexicalEnvironment and JSEnvironmentRecord
        https://bugs.webkit.org/show_bug.cgi?id=175492

        Reviewed by Saam Barati.

        JSEnvironmentRecord is only inherited by JSLexicalEnvironment.
        We can merge JSEnvironmentRecord and JSLexicalEnvironment.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutClosureVar):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSEnvironmentRecord.cpp: Removed.
        * runtime/JSEnvironmentRecord.h: Removed.
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::visitChildren):
        (JSC::JSLexicalEnvironment::heapSnapshot):
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::subspaceFor):
        (JSC::JSLexicalEnvironment::variables):
        (JSC::JSLexicalEnvironment::isValidScopeOffset):
        (JSC::JSLexicalEnvironment::variableAt):
        (JSC::JSLexicalEnvironment::offsetOfVariables):
        (JSC::JSLexicalEnvironment::offsetOfVariable):
        (JSC::JSLexicalEnvironment::allocationSizeForScopeSize):
        (JSC::JSLexicalEnvironment::allocationSize):
        (JSC::JSLexicalEnvironment::finishCreationUninitialized):
        (JSC::JSLexicalEnvironment::finishCreation):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::create):
        * runtime/JSObject.h:
        (JSC::JSObject::isEnvironment const):
        (JSC::JSObject::isEnvironmentRecord const): Deleted.
        * runtime/JSSegmentedVariableObject.h:
        * runtime/StringPrototype.cpp:
        (JSC::checkObjectCoercible):

2017-09-15  Saam Barati  <sbarati@apple.com>

        Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
        https://bugs.webkit.org/show_bug.cgi?id=176981

        Reviewed by Yusuke Suzuki.

        This patch makes inline arity fixup happen in two phases:
        1. We get all the values we need and MovHint them to the expected locals.
        2. We SetLocal them inside the callee's CodeOrigin. This way, if we exit, the callee's
           frame is already set up. If any SetLocal exits, we have a valid exit state.
           This is required because if we didn't do this in two phases, we may exit in
           the middle of arity fixup from the caller's CodeOrigin. This is unsound because if
           we did the SetLocals in the caller's frame, the memcpy may clobber needed parts
           of the frame right before exiting. For example, consider if we need to pad two args:
           [arg3][arg2][arg1][arg0]
           [fix ][fix ][arg3][arg2][arg1][arg0]
           We memcpy starting from arg0 in the direction of arg3. If we were to exit at a type check
           for arg3's SetLocal in the caller's CodeOrigin, we'd exit with a frame like so:
           [arg3][arg2][arg1][arg2][arg1][arg0]
           And the caller would then just end up thinking its arguments are:
           [arg3][arg2][arg1][arg2]
           which is incorrect.

        This patch also fixes a couple of bugs in IdentityWithProfile:
        1. The bytecode generator for this bytecode intrinsic was written incorrectly.
           It needed to store the result of evaluating its argument in a temporary that
           it creates. Otherwise, it might try to simply overwrite a constant
           or a register that it didn't own.
        2. We weren't eliminating this node in CSE inside the DFG.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inlineCall):
        * dfg/DFGCSEPhase.cpp:

2017-09-15  JF Bastien  <jfbastien@apple.com>

        WTF: use Forward.h when appropriate instead of Vector.h
        https://bugs.webkit.org/show_bug.cgi?id=176984

        Reviewed by Saam Barati.

        There's no need to include Vector.h when Forward.h will suffice. All we need is to move the template default parameters from Vector, and then the forward declaration can be used in so many new places: if a header only takes Vector by reference, rvalue reference, pointer, returns any of these, or has them as members then the header doesn't need to see the definition because the declaration will suffice.

        * bytecode/HandlerInfo.h:
        * heap/GCIncomingRefCounted.h:
        * heap/GCSegmentedArray.h:
        * wasm/js/JSWebAssemblyModule.h:

2017-09-14  Saam Barati  <sbarati@apple.com>

        We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags
        https://bugs.webkit.org/show_bug.cgi?id=176863

        Reviewed by Keith Miller.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):

2017-09-14  Saam Barati  <sbarati@apple.com>

        Make dumping the graph print both when exitOK and when !exitOK
        https://bugs.webkit.org/show_bug.cgi?id=176954

        Reviewed by Keith Miller.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2017-09-14  Saam Barati  <sbarati@apple.com>

        It should be valid to exit before each set when doing arity fixup when inlining
        https://bugs.webkit.org/show_bug.cgi?id=176948

        Reviewed by Keith Miller.

        This patch makes it so that we can exit before each SetLocal when doing arity
        fixup during inlining. This is OK because if we exit at any of these SetLocals,
        we will simply exit to the beginning of the call instruction.

        Not doing this led to a bug where FixupPhase would insert a ValueRep of
        a node before the actual node. This is obviously invalid IR. I've added
        a new validation rule to catch this malformed IR.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        * dfg/DFGValidate.cpp:
        * runtime/Options.h:

2017-09-14  Mark Lam  <mark.lam@apple.com>

        AddressSanitizer: stack-buffer-underflow in JSC::Probe::Page::Page
        https://bugs.webkit.org/show_bug.cgi?id=176874
        <rdar://problem/34436415>

        Reviewed by Saam Barati.

        1. Make Probe::Stack play nice with ASan by:

           a. using a local memcpy implementation that suppresses ASan on ASan builds.
              We don't want to use std::memcpy() which validates stack memory because
              we are intentionally copying stack memory beyond the current frame.

           b. changing Stack::s_chunkSize to equal sizeof(uintptr_t) on ASan builds.
              This ensures that Page::flushWrites() only writes stack memory that was
              modified by a probe.  The probes should only modify stack memory that
              belongs to JSC stack data structures.  We don't want to inadvertently
              modify adjacent words that may belong to ASan (which may happen if
              s_chunkSize is larger than sizeof(uintptr_t)).

           c. fixing a bug in Page dirtyBits management for when the size of the value to
              write is greater than s_chunkSize.  The fix is generic, but in practice,
              this currently only manifests on 32-bit ASan builds because
              sizeof(uintptr_t) and s_chunkSize are 32-bit, and we may write 64-bit
              values.

           d. making Page::m_dirtyBits 64 bits always.  This maximizes the number of
              s_chunksPerPage we can have even on ASan builds.

        2. Fixed the bottommost Probe::Context and Probe::Stack get/set methods to use
           std::memcpy to avoid strict aliasing issues.

        3. Optimized the implementation of Page::physicalAddressFor().

        4. Optimized the implementation of Stack::set() in the recording of the low
           watermark.  We just record the lowest raw pointer now, and only compute the
           alignment to its chunk boundary later when the low watermark is requested.

        5. Changed a value in testmasm to make the test less vulnerable to rounding issues.

        No new test needed because this is already covered by testmasm with ASan enabled.

        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::gpr const):
        (JSC::Probe::CPUState::spr const):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::gpr const):
        (JSC::Probe::Context::spr const):
        (JSC::Probe::Context::fpr const):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe:: const): Deleted.
        * assembler/ProbeStack.cpp:
        (JSC::Probe::copyStackPage):
        (JSC::Probe::Page::Page):
        (JSC::Probe::Page::flushWrites):
        * assembler/ProbeStack.h:
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::dirtyBitFor):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        * assembler/testmasm.cpp:
        (JSC::testProbeModifiesStackValues):

2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed
        https://bugs.webkit.org/show_bug.cgi?id=176917

        Reviewed by Saam Barati.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):
        * runtime/Options.h:

2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
        https://bugs.webkit.org/show_bug.cgi?id=176867

        Reviewed by Sam Weinig.

        We rarely require private symbols when enumerating property names.
        This patch adds PrivateSymbolMode::{Include,Exclude}. If PrivateSymbolMode::Exclude
        is specified, PropertyNameArray does not include private symbols.
        This removes many ad-hoc `Identifier::isPrivateName()` checks in enumeration operations.

        One additional good thing is that we do not need to filter private symbols out from PropertyNameArray.
        It allows us to use Object.keys()'s fast path for Object.getOwnPropertySymbols.

        object-get-own-property-symbols                48.6275+-1.0021     ^     38.1846+-1.7934        ^ definitely 1.2735x faster

        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * runtime/EnumerationMode.h:
        * runtime/IntlObject.cpp:
        (JSC::supportedLocales):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::create):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        (JSC::objectConstructorAssign):
        (JSC::objectConstructorValues):
        (JSC::defineProperties):
        (JSC::setIntegrityLevel):
        (JSC::testIntegrityLevel):
        (JSC::ownPropertyKeys):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::PropertyNameArray):
        (JSC::PropertyNameArray::propertyNameMode const):
        (JSC::PropertyNameArray::privateSymbolMode const):
        (JSC::PropertyNameArray::addUncheckedInternal):
        (JSC::PropertyNameArray::addUnchecked):
        (JSC::PropertyNameArray::add):
        (JSC::PropertyNameArray::isUidMatchedToTypeMode):
        (JSC::PropertyNameArray::includeSymbolProperties const):
        (JSC::PropertyNameArray::includeStringProperties const):
        (JSC::PropertyNameArray::mode const): Deleted.
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performGetOwnPropertyNames):

2017-09-13  Mark Lam  <mark.lam@apple.com>

        Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
        https://bugs.webkit.org/show_bug.cgi?id=176888
        <rdar://problem/34381832>

        Not reviewed.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/ProbeContext.h:
        (JSC::Probe:: const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe::CPUState::gpr const): Deleted.
        (JSC::Probe::CPUState::spr const): Deleted.
        (JSC::Probe::Context::arg): Deleted.
        (JSC::Probe::Context::gpr const): Deleted.
        (JSC::Probe::Context::spr const): Deleted.
        (JSC::Probe::Context::fpr const): Deleted.
        * assembler/ProbeFrame.h: Removed.
        * assembler/ProbeStack.cpp:
        (JSC::Probe::Page::Page):
        * assembler/ProbeStack.h:
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        * bytecode/ArithProfile.cpp:
        * bytecode/ArithProfile.h:
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::observeArrayMode): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addressOfOSRExitCounter):
        * bytecode/ExecutionCounter.h:
        (JSC::ExecutionCounter::hasCrossedThreshold const): Deleted.
        (JSC::ExecutionCounter::setNewThresholdForOSRExit): Deleted.
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::reportValue): Deleted.
        * bytecode/MethodOfGettingAValueProfile.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::setPatchableCodeOffset):
        (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const):
        (JSC::DFG::OSRExit::codeLocationForRepatch const):
        (JSC::DFG::OSRExit::correctJump):
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
        (JSC::DFG::jsValueFor): Deleted.
        (JSC::DFG::restoreCalleeSavesFor): Deleted.
        (JSC::DFG::saveCalleeSavesFor): Deleted.
        (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted.
        (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted.
        (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted.
        (JSC::DFG::createDirectArgumentsDuringExit): Deleted.
        (JSC::DFG::createClonedArgumentsDuringExit): Deleted.
        (JSC::DFG::emitRestoreArguments): Deleted.
        (JSC::DFG::OSRExit::executeOSRExit): Deleted.
        (JSC::DFG::reifyInlinedCallFrames): Deleted.
        (JSC::DFG::adjustAndJumpToTarget): Deleted.
        (JSC::DFG::printOSRExit): Deleted.
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExitState::OSRExitState): Deleted.
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrExitThunkGenerator): Deleted.
        * dfg/DFGThunks.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::debugCall):
        * jit/AssemblyHelpers.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * profiler/ProfilerOSRExit.h:
        (JSC::Profiler::OSRExit::incCount): Deleted.
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/VM.h:

2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Move class/struct used in other class' member out of anonymous namespace
        https://bugs.webkit.org/show_bug.cgi?id=176876

        Reviewed by Saam Barati.

        GCC warns if a class has a base or field whose type uses the anonymous namespace
        and it is defined in an included file. This is because this possibly violates
        the one definition rule (ODR): if an included file has the anonymous namespace, each
        translation unit creates its private anonymous namespace. Thus, each type
        inside the anonymous namespace becomes different in each translation unit if
        the file is included in multiple translation units.

        While the current use in JSC is not violating ODR since these cpp files are included
        only once for unified sources, specifying `-Wno-subobject-linkage` could miss
        actual bugs. So, in this patch, we just move the related classes/structs out of
        the anonymous namespace.

        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::addition):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::arrayBounds):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator! const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::hash const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator== const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::dump const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::RangeKeyAndAddend):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::operator! const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::dump const):
        (JSC::DFG::IntegerCheckCombiningPhase::Range::dump const):
        * dfg/DFGLICMPhase.cpp:

2017-09-13  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Event Listeners section does not update when listeners are added/removed
        https://bugs.webkit.org/show_bug.cgi?id=170570
        <rdar://problem/31501645>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/DOM.json:
        Add two new events: "didAddEventListener" and "willRemoveEventListener". These events do not
        contain any information about the event listeners that were added/removed. They serve more
        as indications that something has changed, and to refetch the data again via `getEventListenersForNode`.

2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Fix Array allocation in Object.keys
        https://bugs.webkit.org/show_bug.cgi?id=176826

        Reviewed by Saam Barati.

        When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
        We check isHavingABadTime() in the ownPropertyKeys fast path.
        And we also ensure, via a test, that ownPropertyKeys uses the putDirect operation instead of put.

        * runtime/ObjectConstructor.cpp:
        (JSC::ownPropertyKeys):

647 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
648
649         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
650         https://bugs.webkit.org/show_bug.cgi?id=176010
651
652         Reviewed by Filip Pizlo.
653
654         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
655         It is used for meta property for objects (see peekMeta function in Ember.js).
656
657         This patch optimizes WeakMap#get.
658
659         1. We use inlineGet to inline WeakMap#get operation in the native function.
660         Since this native function itself is very small, we should inline HashMap#get
661         entirely in this function.
662
663         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
664         very quickly. This patch also wires this into the DFG and FTL, adding WeakMapObjectUse and WeakSetObjectUse
665         to drop unnecessary type checking. We add fixup rules for the WeakMapGet DFG node by using WeakMapObjectUse,
666         ObjectUse, and Int32Use.
667
668         3. We add an intrinsic for WeakMap#get, and handle it in the DFG and FTL. We use MapHash to
669         calculate the hash value for the key object and use this hash value to look up the value in
670         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in the DFG and FTL.
671         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
672         But anyway, the current one already improves the performance, so we leave this for subsequent
673         patches.
674
675         We currently do not implement any other intrinsics (like WeakMap#has or WeakSet) because they are
676         not used in Ember.js right now.
677
678         This patch optimizes WeakMap#get by 50%.
679
680                                  baseline                  patched
681
682         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
683
684         * bytecode/DirectEvalCodeCache.h:
685         (JSC::DirectEvalCodeCache::tryGet):
686         * bytecode/SpeculatedType.cpp:
687         (JSC::dumpSpeculation):
688         (JSC::speculationFromClassInfo):
689         (JSC::speculationFromJSType):
690         (JSC::speculationFromString):
691         * bytecode/SpeculatedType.h:
692         * dfg/DFGAbstractInterpreterInlines.h:
693         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
694         * dfg/DFGByteCodeParser.cpp:
695         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
696         * dfg/DFGClobberize.h:
697         (JSC::DFG::clobberize):
698         * dfg/DFGDoesGC.cpp:
699         (JSC::DFG::doesGC):
700         * dfg/DFGFixupPhase.cpp:
701         (JSC::DFG::FixupPhase::fixupNode):
702         * dfg/DFGHeapLocation.cpp:
703         (WTF::printInternal):
704         * dfg/DFGHeapLocation.h:
705         * dfg/DFGNode.h:
706         (JSC::DFG::Node::hasHeapPrediction):
707         * dfg/DFGNodeType.h:
708         * dfg/DFGOperations.cpp:
709         * dfg/DFGOperations.h:
710         * dfg/DFGPredictionPropagationPhase.cpp:
711         * dfg/DFGSafeToExecute.h:
712         (JSC::DFG::SafeToExecuteEdge::operator()):
713         (JSC::DFG::safeToExecute):
714         * dfg/DFGSpeculativeJIT.cpp:
715         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
716         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
717         (JSC::DFG::SpeculativeJIT::speculate):
718         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
719         * dfg/DFGSpeculativeJIT.h:
720         (JSC::DFG::SpeculativeJIT::callOperation):
721         * dfg/DFGSpeculativeJIT32_64.cpp:
722         (JSC::DFG::SpeculativeJIT::compile):
723         * dfg/DFGSpeculativeJIT64.cpp:
724         (JSC::DFG::SpeculativeJIT::compile):
725         * dfg/DFGUseKind.cpp:
726         (WTF::printInternal):
727         * dfg/DFGUseKind.h:
728         (JSC::DFG::typeFilterFor):
729         (JSC::DFG::isCell):
730         * ftl/FTLCapabilities.cpp:
731         (JSC::FTL::canCompile):
732         * ftl/FTLLowerDFGToB3.cpp:
733         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
734         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
735         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
736         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
737         (JSC::FTL::DFG::LowerDFGToB3::speculate):
738         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
739         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
740         * jit/JITOperations.h:
741         * runtime/HashMapImpl.h:
742         (JSC::WeakMapHash::hash):
743         (JSC::WeakMapHash::equal):
744         * runtime/Intrinsic.cpp:
745         (JSC::intrinsicName):
746         * runtime/Intrinsic.h:
747         * runtime/JSType.h:
748         * runtime/JSWeakMap.h:
749         (JSC::isJSWeakMap):
750         * runtime/JSWeakSet.h:
751         (JSC::isJSWeakSet):
752         * runtime/WeakMapBase.cpp:
753         (JSC::WeakMapBase::get):
754         * runtime/WeakMapBase.h:
755         (JSC::WeakMapBase::HashTranslator::hash):
756         (JSC::WeakMapBase::HashTranslator::equal):
757         (JSC::WeakMapBase::inlineGet):
758         * runtime/WeakMapPrototype.cpp:
759         (JSC::WeakMapPrototype::finishCreation):
760         (JSC::getWeakMap):
761         (JSC::protoFuncWeakMapGet):
762         * runtime/WeakSetPrototype.cpp:
763         (JSC::getWeakSet):
764
765 2017-09-12  Keith Miller  <keith_miller@apple.com>
766
767         Rename JavaScriptCore CMake unifiable sources list
768         https://bugs.webkit.org/show_bug.cgi?id=176823
769
770         Reviewed by Joseph Pecoraro.
771
772         This patch also changes the error message shown when the unified source
773         bundler fails, to make it more accurate.
774
775         * CMakeLists.txt:
776
777 2017-09-12  Keith Miller  <keith_miller@apple.com>
778
779         Do unified source builds for JSC
780         https://bugs.webkit.org/show_bug.cgi?id=176076
781
782         Reviewed by Geoffrey Garen.
783
784         This patch switches the CMake JavaScriptCore build to use unified sources.
785         The Xcode build will be upgraded in a follow up patch.
786
787         Most of the source changes in this patch fix static
788         variable/function name collisions. The most common collisions
789         were from our use of "static const bool verbose" and "using
790         namespace ...". I fixed all the verbose cases and fixed the "using
791         namespace" issues that occurred under the current bundling
792         strategy. It's likely that more of the "using namespace" issues
793         will need to be resolved in the future, particularly in the FTL.
794
795         I don't expect either of these problems will apply to other parts
796         of the project nearly as much as in JSC. Using a verbose variable
797         is a JSC idiom, and JSC tends to use the same canonical class name
798         in multiple parts of the engine.
799
800         * CMakeLists.txt:
801         * b3/B3CheckSpecial.cpp:
802         (JSC::B3::CheckSpecial::forEachArg):
803         (JSC::B3::CheckSpecial::generate):
804         (JSC::B3::Air::numB3Args): Deleted.
805         * b3/B3DuplicateTails.cpp:
806         * b3/B3EliminateCommonSubexpressions.cpp:
807         * b3/B3FixSSA.cpp:
808         (JSC::B3::demoteValues):
809         * b3/B3FoldPathConstants.cpp:
810         * b3/B3InferSwitches.cpp:
811         * b3/B3LowerMacrosAfterOptimizations.cpp:
812         (): Deleted.
813         * b3/B3LowerToAir.cpp:
814         (JSC::B3::Air::LowerToAir::LowerToAir): Deleted.
815         (JSC::B3::Air::LowerToAir::run): Deleted.
816         (JSC::B3::Air::LowerToAir::shouldCopyPropagate): Deleted.
817         (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise): Deleted.
818         (JSC::B3::Air::LowerToAir::ArgPromise::swap): Deleted.
819         (JSC::B3::Air::LowerToAir::ArgPromise::operator=): Deleted.
820         (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise): Deleted.
821         (JSC::B3::Air::LowerToAir::ArgPromise::setTraps): Deleted.
822         (JSC::B3::Air::LowerToAir::ArgPromise::tmp): Deleted.
823         (JSC::B3::Air::LowerToAir::ArgPromise::operator bool const): Deleted.
824         (JSC::B3::Air::LowerToAir::ArgPromise::kind const): Deleted.
825         (JSC::B3::Air::LowerToAir::ArgPromise::peek const): Deleted.
826         (JSC::B3::Air::LowerToAir::ArgPromise::consume): Deleted.
827         (JSC::B3::Air::LowerToAir::ArgPromise::inst): Deleted.
828         (JSC::B3::Air::LowerToAir::tmp): Deleted.
829         (JSC::B3::Air::LowerToAir::tmpPromise): Deleted.
830         (JSC::B3::Air::LowerToAir::canBeInternal): Deleted.
831         (JSC::B3::Air::LowerToAir::commitInternal): Deleted.
832         (JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
833         (JSC::B3::Air::LowerToAir::scaleForShl): Deleted.
834         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
835         (JSC::B3::Air::LowerToAir::addr): Deleted.
836         (JSC::B3::Air::LowerToAir::trappingInst): Deleted.
837         (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode): Deleted.
838         (JSC::B3::Air::LowerToAir::loadPromise): Deleted.
839         (JSC::B3::Air::LowerToAir::imm): Deleted.
840         (JSC::B3::Air::LowerToAir::bitImm): Deleted.
841         (JSC::B3::Air::LowerToAir::bitImm64): Deleted.
842         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
843         (JSC::B3::Air::LowerToAir::tryOpcodeForType): Deleted.
844         (JSC::B3::Air::LowerToAir::opcodeForType): Deleted.
845         (JSC::B3::Air::LowerToAir::appendUnOp): Deleted.
846         (JSC::B3::Air::LowerToAir::preferRightForResult): Deleted.
847         (JSC::B3::Air::LowerToAir::appendBinOp): Deleted.
848         (JSC::B3::Air::LowerToAir::appendShift): Deleted.
849         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp): Deleted.
850         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): Deleted.
851         (JSC::B3::Air::LowerToAir::createStore): Deleted.
852         (JSC::B3::Air::LowerToAir::storeOpcode): Deleted.
853         (JSC::B3::Air::LowerToAir::appendStore): Deleted.
854         (JSC::B3::Air::LowerToAir::moveForType): Deleted.
855         (JSC::B3::Air::LowerToAir::relaxedMoveForType): Deleted.
856         (JSC::B3::Air::LowerToAir::print): Deleted.
857         (JSC::B3::Air::LowerToAir::append): Deleted.
858         (JSC::B3::Air::LowerToAir::appendTrapping): Deleted.
859         (JSC::B3::Air::LowerToAir::finishAppendingInstructions): Deleted.
860         (JSC::B3::Air::LowerToAir::newBlock): Deleted.
861         (JSC::B3::Air::LowerToAir::splitBlock): Deleted.
862         (JSC::B3::Air::LowerToAir::ensureSpecial): Deleted.
863         (JSC::B3::Air::LowerToAir::ensureCheckSpecial): Deleted.
864         (JSC::B3::Air::LowerToAir::fillStackmap): Deleted.
865         (JSC::B3::Air::LowerToAir::createGenericCompare): Deleted.
866         (JSC::B3::Air::LowerToAir::createBranch): Deleted.
867         (JSC::B3::Air::LowerToAir::createCompare): Deleted.
868         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
869         (JSC::B3::Air::LowerToAir::tryAppendLea): Deleted.
870         (JSC::B3::Air::LowerToAir::appendX86Div): Deleted.
871         (JSC::B3::Air::LowerToAir::appendX86UDiv): Deleted.
872         (JSC::B3::Air::LowerToAir::loadLinkOpcode): Deleted.
873         (JSC::B3::Air::LowerToAir::storeCondOpcode): Deleted.
874         (JSC::B3::Air::LowerToAir::appendCAS): Deleted.
875         (JSC::B3::Air::LowerToAir::appendVoidAtomic): Deleted.
876         (JSC::B3::Air::LowerToAir::appendGeneralAtomic): Deleted.
877         (JSC::B3::Air::LowerToAir::lower): Deleted.
878         * b3/B3PatchpointSpecial.cpp:
879         (JSC::B3::PatchpointSpecial::generate):
880         * b3/B3ReduceDoubleToFloat.cpp:
881         (JSC::B3::reduceDoubleToFloat):
882         * b3/B3ReduceStrength.cpp:
883         * b3/B3StackmapGenerationParams.cpp:
884         * b3/B3StackmapSpecial.cpp:
885         (JSC::B3::StackmapSpecial::repsImpl):
886         (JSC::B3::StackmapSpecial::repForArg):
887         * b3/air/AirAllocateStackByGraphColoring.cpp:
888         (JSC::B3::Air::allocateStackByGraphColoring):
889         * b3/air/AirEmitShuffle.cpp:
890         (JSC::B3::Air::emitShuffle):
891         * b3/air/AirFixObviousSpills.cpp:
892         * b3/air/AirLowerAfterRegAlloc.cpp:
893         (JSC::B3::Air::lowerAfterRegAlloc):
894         * b3/air/AirStackAllocation.cpp:
895         (JSC::B3::Air::attemptAssignment):
896         (JSC::B3::Air::assign):
897         * bytecode/AccessCase.cpp:
898         (JSC::AccessCase::generateImpl):
899         * bytecode/CallLinkStatus.cpp:
900         (JSC::CallLinkStatus::computeDFGStatuses):
901         * bytecode/GetterSetterAccessCase.cpp:
902         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
903         * bytecode/ObjectPropertyConditionSet.cpp:
904         * bytecode/PolymorphicAccess.cpp:
905         (JSC::PolymorphicAccess::addCases):
906         (JSC::PolymorphicAccess::regenerate):
907         * bytecode/PropertyCondition.cpp:
908         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
909         * bytecode/StructureStubInfo.cpp:
910         (JSC::StructureStubInfo::addAccessCase):
911         * dfg/DFGArgumentsEliminationPhase.cpp:
912         * dfg/DFGByteCodeParser.cpp:
913         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
914         (JSC::DFG::ByteCodeParser::inliningCost):
915         (JSC::DFG::ByteCodeParser::inlineCall):
916         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
917         (JSC::DFG::ByteCodeParser::handleInlining):
918         (JSC::DFG::ByteCodeParser::planLoad):
919         (JSC::DFG::ByteCodeParser::store):
920         (JSC::DFG::ByteCodeParser::parseBlock):
921         (JSC::DFG::ByteCodeParser::linkBlock):
922         (JSC::DFG::ByteCodeParser::linkBlocks):
923         * dfg/DFGCSEPhase.cpp:
924         * dfg/DFGInPlaceAbstractState.cpp:
925         (JSC::DFG::InPlaceAbstractState::merge):
926         * dfg/DFGIntegerCheckCombiningPhase.cpp:
927         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
928         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
929         * dfg/DFGMovHintRemovalPhase.cpp:
930         * dfg/DFGObjectAllocationSinkingPhase.cpp:
931         * dfg/DFGPhantomInsertionPhase.cpp:
932         * dfg/DFGPutStackSinkingPhase.cpp:
933         * dfg/DFGStoreBarrierInsertionPhase.cpp:
934         * dfg/DFGVarargsForwardingPhase.cpp:
935         * ftl/FTLAbstractHeap.cpp:
936         (JSC::FTL::AbstractHeap::compute):
937         * ftl/FTLAbstractHeapRepository.cpp:
938         (JSC::FTL::AbstractHeapRepository::decorateMemory):
939         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
940         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
941         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
942         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
943         (JSC::FTL::AbstractHeapRepository::decorateFenceRead):
944         (JSC::FTL::AbstractHeapRepository::decorateFenceWrite):
945         (JSC::FTL::AbstractHeapRepository::decorateFencedAccess):
946         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
947         * ftl/FTLLink.cpp:
948         (JSC::FTL::link):
949         * heap/MarkingConstraintSet.cpp:
950         (JSC::MarkingConstraintSet::add):
951         * interpreter/ShadowChicken.cpp:
952         (JSC::ShadowChicken::update):
953         * jit/BinarySwitch.cpp:
954         (JSC::BinarySwitch::BinarySwitch):
955         (JSC::BinarySwitch::build):
956         * llint/LLIntData.cpp:
957         (JSC::LLInt::Data::loadStats):
958         (JSC::LLInt::Data::saveStats):
959         * runtime/ArrayPrototype.cpp:
960         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
961         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
962         * runtime/ErrorInstance.cpp:
963         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
964         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
965         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame const): Deleted.
966         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index const): Deleted.
967         * runtime/IntlDateTimeFormat.cpp:
968         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
969         * runtime/PromiseDeferredTimer.cpp:
970         (JSC::PromiseDeferredTimer::doWork):
971         (JSC::PromiseDeferredTimer::addPendingPromise):
972         (JSC::PromiseDeferredTimer::cancelPendingPromise):
973         * runtime/TypeProfiler.cpp:
974         (JSC::TypeProfiler::insertNewLocation):
975         * runtime/TypeProfilerLog.cpp:
976         (JSC::TypeProfilerLog::processLogEntries):
977         * runtime/WeakMapPrototype.cpp:
978         (JSC::protoFuncWeakMapDelete):
979         (JSC::protoFuncWeakMapGet):
980         (JSC::protoFuncWeakMapHas):
981         (JSC::protoFuncWeakMapSet):
982         (JSC::getWeakMapData): Deleted.
983         * runtime/WeakSetPrototype.cpp:
984         (JSC::protoFuncWeakSetDelete):
985         (JSC::protoFuncWeakSetHas):
986         (JSC::protoFuncWeakSetAdd):
987         (JSC::getWeakMapData): Deleted.
988         * testRegExp.cpp:
989         (testOneRegExp):
990         (runFromFiles):
991         * wasm/WasmB3IRGenerator.cpp:
992         (JSC::Wasm::parseAndCompile):
993         * wasm/WasmBBQPlan.cpp:
994         (JSC::Wasm::BBQPlan::moveToState):
995         (JSC::Wasm::BBQPlan::parseAndValidateModule):
996         (JSC::Wasm::BBQPlan::prepare):
997         (JSC::Wasm::BBQPlan::compileFunctions):
998         (JSC::Wasm::BBQPlan::complete):
999         * wasm/WasmFaultSignalHandler.cpp:
1000         (JSC::Wasm::trapHandler):
1001         * wasm/WasmOMGPlan.cpp:
1002         (JSC::Wasm::OMGPlan::OMGPlan):
1003         (JSC::Wasm::OMGPlan::work):
1004         * wasm/WasmPlan.cpp:
1005         (JSC::Wasm::Plan::fail):
1006         * wasm/WasmSignature.cpp:
1007         (JSC::Wasm::SignatureInformation::adopt):
1008         * wasm/WasmWorklist.cpp:
1009         (JSC::Wasm::Worklist::enqueue):
1010
1011 2017-09-12  Michael Saboff  <msaboff@apple.com>
1012
1013         String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp
1014         https://bugs.webkit.org/show_bug.cgi?id=176814
1015
1016         Reviewed by Mark Lam.
1017
1018         The copy and advance indices were off by one and needed a little fine tuning.
1019
1020         * runtime/StringPrototype.cpp:
1021         (JSC::substituteBackreferencesSlow):
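
The substitution algorithm that this fix concerns, written out as an added example in plain JavaScript. It follows the shape of the ECMAScript spec's GetSubstitution step and is not JavaScriptCore's substituteBackreferencesSlow; the function names `getSubstitution`, `replaceFirst` and `checkAgainstNative` are mine. The case named in the bug title is the `$<` branch: when the pattern has no named groups, `$<name>` must be copied through as literal text with nothing added or dropped, and the indices for the other `$` forms must advance by exactly the number of characters consumed.

```javascript
// Added example: GetSubstitution from the ECMAScript spec in plain JavaScript.
// Not JavaScriptCore's code; it shows every "$" form the native routine has to
// copy or expand, and how far the cursor advances after each one.
function getSubstitution(matched, str, position, captures, namedCaptures, replacement) {
  const m = captures.length;
  const tailPos = position + matched.length;
  let result = "";
  let i = 0;
  while (i < replacement.length) {
    const ch = replacement[i];
    // Ordinary character, or a lone "$" at the very end: copy it through.
    if (ch !== "$" || i + 1 === replacement.length) {
      result += ch;
      i += 1;
      continue;
    }
    const next = replacement[i + 1];
    if (next === "$") { result += "$"; i += 2; continue; }
    if (next === "&") { result += matched; i += 2; continue; }
    if (next === "`") { result += str.slice(0, position); i += 2; continue; }
    if (next === "'") { result += tailPos >= str.length ? "" : str.slice(tailPos); i += 2; continue; }
    if (next >= "0" && next <= "9") {
      // $nn (two digits) wins when it names an existing group; otherwise $n;
      // otherwise the "$" is literal and the digit is handled next iteration.
      const twoDigits = replacement.slice(i + 1, i + 3);
      const nn = /^[0-9]{2}$/.test(twoDigits) ? Number(twoDigits) : 0;
      if (nn >= 1 && nn <= m) {
        result += captures[nn - 1] === undefined ? "" : captures[nn - 1];
        i += 3;
        continue;
      }
      const n = Number(next);
      if (n >= 1 && n <= m) {
        result += captures[n - 1] === undefined ? "" : captures[n - 1];
        i += 2;
        continue;
      }
      result += "$";
      i += 1;
      continue;
    }
    if (next === "<") {
      // No named groups in the pattern: "$<" is literal text, consumed as two chars.
      if (namedCaptures === undefined) { result += "$<"; i += 2; continue; }
      const close = replacement.indexOf(">", i + 2);
      // Unterminated "$<...": also literal.
      if (close === -1) { result += "$<"; i += 2; continue; }
      const groupName = replacement.slice(i + 2, close);
      const capture = namedCaptures[groupName];
      if (capture !== undefined) result += String(capture);
      i = close + 1;
      continue;
    }
    // "$" followed by anything else is literal.
    result += "$";
    i += 1;
  }
  return result;
}

// First-match replace built on the routine above; assumes a non-global RegExp.
function replaceFirst(str, regexp, replacement) {
  regexp.lastIndex = 0;
  const match = regexp.exec(str);
  if (match === null) return str;
  const matched = match[0];
  const position = match.index;
  const captures = match.slice(1);
  const namedCaptures = match.groups; // undefined unless the pattern has (?<name>...)
  const substitution = getSubstitution(matched, str, position, captures, namedCaptures, replacement);
  return str.slice(0, position) + substitution + str.slice(position + matched.length);
}

// Cross-check against the engine's own String.prototype.replace.
function checkAgainstNative(str, regexp, replacement) {
  const ours = replaceFirst(str, regexp, replacement);
  const native = str.replace(regexp, replacement);
  return { ours, native, same: ours === native };
}
```

Running `checkAgainstNative("abc", /b/, "$<x>")` against a correct engine gives `a$<x>c` on both sides; a substitution routine whose copy index is off by one in the `$<` branch is exactly what shows up as an extra character in that comparison.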
1022
1023 2017-09-11  Mark Lam  <mark.lam@apple.com>
1024
1025         More exception check book-keeping needed found by 32-bit JSC test failures.
1026         https://bugs.webkit.org/show_bug.cgi?id=176742
1027
1028         Reviewed by Michael Saboff and Keith Miller.
1029
1030         * dfg/DFGOperations.cpp:
1031
1032 2017-09-11  Mark Lam  <mark.lam@apple.com>
1033
1034         Make jsc dump the command line if JSC_dumpOption environment variable is set with a non-zero value.
1035         https://bugs.webkit.org/show_bug.cgi?id=176722
1036
1037         Reviewed by Saam Barati.
1038
1039         For PLATFORM(COCOA), I also dumped the JSC_* environment variables that are
1040         in effect when jsc is invoked.
1041
1042         * jsc.cpp:
1043         (CommandLine::parseArguments):
1044
1045 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
1046
1047         Unreviewed, rolling out r221854.
1048
1049         The test added with this change fails on 32-bit JSC bots.
1050
1051         Reverted changeset:
1052
1053         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
1054         https://bugs.webkit.org/show_bug.cgi?id=176010
1055         http://trac.webkit.org/changeset/221854
1056
1057 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1058
1059         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
1060         https://bugs.webkit.org/show_bug.cgi?id=176010
1061
1062         Reviewed by Filip Pizlo.
1063
1064         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
1065         It is used for the meta property of objects (see the peekMeta function in Ember.js).
1066
1067         This patch optimizes WeakMap#get.
1068
1069         1. We use inlineGet to inline the WeakMap#get operation in the native function.
1070         Since this native function itself is very small, we should inline HashMap#get
1071         entirely in this function.
1072
1073         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
1074         very quickly. This patch also wires this into the DFG and FTL, adding WeakMapObjectUse and WeakSetObjectUse
1075         to drop unnecessary type checking. We add fixup rules for the WeakMapGet DFG node by using WeakMapObjectUse,
1076         ObjectUse, and Int32Use.
1077
1078         3. We add an intrinsic for WeakMap#get, and handle it in the DFG and FTL. We use MapHash to
1079         calculate the hash value for the key object and use this hash value to look up the value in
1080         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in the DFG and FTL.
1081         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
1082         But anyway, the current one already improves the performance, so we leave this for subsequent
1083         patches.
1084
1085         We currently do not implement any other intrinsics (like WeakMap#has or WeakSet) because they are
1086         not used in Ember.js right now.
1087
1088         This patch optimizes WeakMap#get by 50%.
1089
1090                                  baseline                  patched
1091
1092         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
1093
1094         * bytecode/DirectEvalCodeCache.h:
1095         (JSC::DirectEvalCodeCache::tryGet):
1096         * bytecode/SpeculatedType.cpp:
1097         (JSC::dumpSpeculation):
1098         (JSC::speculationFromClassInfo):
1099         (JSC::speculationFromJSType):
1100         (JSC::speculationFromString):
1101         * bytecode/SpeculatedType.h:
1102         * dfg/DFGAbstractInterpreterInlines.h:
1103         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1104         * dfg/DFGByteCodeParser.cpp:
1105         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1106         * dfg/DFGClobberize.h:
1107         (JSC::DFG::clobberize):
1108         * dfg/DFGDoesGC.cpp:
1109         (JSC::DFG::doesGC):
1110         * dfg/DFGFixupPhase.cpp:
1111         (JSC::DFG::FixupPhase::fixupNode):
1112         * dfg/DFGHeapLocation.cpp:
1113         (WTF::printInternal):
1114         * dfg/DFGHeapLocation.h:
1115         * dfg/DFGNode.h:
1116         (JSC::DFG::Node::hasHeapPrediction):
1117         * dfg/DFGNodeType.h:
1118         * dfg/DFGOperations.cpp:
1119         * dfg/DFGOperations.h:
1120         * dfg/DFGPredictionPropagationPhase.cpp:
1121         * dfg/DFGSafeToExecute.h:
1122         (JSC::DFG::SafeToExecuteEdge::operator()):
1123         (JSC::DFG::safeToExecute):
1124         * dfg/DFGSpeculativeJIT.cpp:
1125         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
1126         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
1127         (JSC::DFG::SpeculativeJIT::speculate):
1128         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
1129         * dfg/DFGSpeculativeJIT.h:
1130         (JSC::DFG::SpeculativeJIT::callOperation):
1131         * dfg/DFGSpeculativeJIT32_64.cpp:
1132         (JSC::DFG::SpeculativeJIT::compile):
1133         * dfg/DFGSpeculativeJIT64.cpp:
1134         (JSC::DFG::SpeculativeJIT::compile):
1135         * dfg/DFGUseKind.cpp:
1136         (WTF::printInternal):
1137         * dfg/DFGUseKind.h:
1138         (JSC::DFG::typeFilterFor):
1139         (JSC::DFG::isCell):
1140         * ftl/FTLCapabilities.cpp:
1141         (JSC::FTL::canCompile):
1142         * ftl/FTLLowerDFGToB3.cpp:
1143         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1144         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
1145         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
1146         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
1147         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1148         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
1149         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
1150         * jit/JITOperations.h:
1151         * runtime/Intrinsic.cpp:
1152         (JSC::intrinsicName):
1153         * runtime/Intrinsic.h:
1154         * runtime/JSType.h:
1155         * runtime/JSWeakMap.h:
1156         (JSC::isJSWeakMap):
1157         * runtime/JSWeakSet.h:
1158         (JSC::isJSWeakSet):
1159         * runtime/WeakMapBase.cpp:
1160         (JSC::WeakMapBase::get):
1161         * runtime/WeakMapBase.h:
1162         (JSC::WeakMapBase::HashTranslator::hash):
1163         (JSC::WeakMapBase::HashTranslator::equal):
1164         (JSC::WeakMapBase::inlineGet):
1165         * runtime/WeakMapPrototype.cpp:
1166         (JSC::WeakMapPrototype::finishCreation):
1167         (JSC::getWeakMap):
1168         (JSC::protoFuncWeakMapGet):
1169         * runtime/WeakSetPrototype.cpp:
1170         (JSC::getWeakSet):
1171
1172 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1173
1174         [JSC] Optimize Object.keys by using careful array allocation
1175         https://bugs.webkit.org/show_bug.cgi?id=176654
1176
1177         Reviewed by Darin Adler.
1178
1179         SixSpeed object-assign.es6 stresses Object.keys. Object.keys is one of the frequently used
1180         functions in JS apps. Luckily, Object.keys has several good features.
1181
1182         1. Once the PropertyNameArray is allocated, we know the length of the result array, since
1183         we do not need to filter out keys listed in the PropertyNameArray. The exception is ProxyObject,
1184         but it rarely appears. The ProxyObject case goes to the generic path.
1185
1186         2. Object.keys does not need to access the object after listing the PropertyNameArray. It means
1187         that we do not need to worry about enumeration attribute changes caused by touching the object.
1188
1189         This patch adds a fast path for Object.keys's array allocation. We allocate the JSArray
1190         with the size and ArrayContiguous indexing shape.
1191
1192         This further improves SixSpeed object-assign.es5 by 13%.
1193
1194                                             baseline                  patched
1195         Microbenchmarks:
1196            object-keys-map-values       73.4324+-2.5397     ^     62.5933+-2.6677        ^ definitely 1.1732x faster
1197            object-keys                  40.8828+-1.5851     ^     29.2066+-1.8944        ^ definitely 1.3998x faster
1198
1199                                             baseline                  patched
1200         SixSpeed:
1201            object-assign.es5           384.8719+-10.7204    ^    340.2734+-12.0947       ^ definitely 1.1311x faster
1202
1203         BTW, a further optimization of Object.keys can be considered: introducing an own property keys
1204         cache similar to the current enumeration cache. But this patch is orthogonal to
1205         that optimization!
1206
1207         * runtime/ObjectConstructor.cpp:
1208         (JSC::objectConstructorValues):
1209         (JSC::ownPropertyKeys):
1210         * runtime/ObjectConstructor.h:
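
As an added illustration of point 1 above (why the result length is known once the keys are listed for an ordinary object, but not for a ProxyObject), here is plain JavaScript written for this note; it is not JavaScriptCore's ownPropertyKeys. It mirrors the spec's EnumerableOwnProperties step, lists the keys once and then asks the object about each key, and counts how often a Proxy has to be consulted per key after its keys were listed. The names `enumerableOwnKeys`, `makeFilteringProxy` and `compareKeyListing` are mine; the sample objects are constructed for the example.

```javascript
// Added example: why Object.keys can size its result up front for ordinary
// objects but must take a generic path for Proxy objects. Plain ECMAScript
// written for this note, not JavaScriptCore's code.

// Mirror of the spec's EnumerableOwnProperties(O, "key"): list the own string
// keys once, then query the object for each key's enumerability.
function enumerableOwnKeys(obj) {
  const listed = Reflect.ownKeys(obj).filter((k) => typeof k === "string");
  const keys = [];
  for (const key of listed) {
    const desc = Object.getOwnPropertyDescriptor(obj, key);
    if (desc !== undefined && desc.enumerable) keys.push(key);
  }
  return { listed, keys };
}

// Constructed Proxy: its ownKeys trap reports three keys, but its
// getOwnPropertyDescriptor trap hides "b" from enumeration. The per-key trap
// calls are counted so the cost of the generic path is visible.
function makeFilteringProxy() {
  const target = { a: 1, b: 2, c: 3 };
  const calls = { ownKeys: 0, getOwnPropertyDescriptor: 0 };
  const proxy = new Proxy(target, {
    ownKeys(t) {
      calls.ownKeys += 1;
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      calls.getOwnPropertyDescriptor += 1;
      const desc = Reflect.getOwnPropertyDescriptor(t, key);
      // The target property is configurable, so reporting a different
      // enumerable flag does not violate the Proxy invariants.
      if (desc !== undefined && key === "b") desc.enumerable = false;
      return desc;
    },
  });
  return { proxy, calls };
}

// Compare the listed key count with the final key count for an ordinary
// object and for the Proxy; the native Object.keys is run on the Proxy first
// so the trap counter shows how many times it had to call back per key.
function compareKeyListing() {
  const plain = { a: 1, b: 2, c: 3 };
  const plainResult = enumerableOwnKeys(plain);

  const { proxy, calls } = makeFilteringProxy();
  const nativeProxyKeys = Object.keys(proxy);
  const descriptorCallsDuringNative = calls.getOwnPropertyDescriptor;
  const proxyResult = enumerableOwnKeys(proxy);

  return {
    plainListed: plainResult.listed.length,  // 3: listed count equals result length
    plainKeys: plainResult.keys,             // ["a", "b", "c"]
    proxyListed: proxyResult.listed.length,  // 3: the ownKeys trap reported a, b, c
    proxyKeys: proxyResult.keys,             // ["a", "c"]: "b" was filtered per key
    nativeProxyKeys,                         // ["a", "c"] from Object.keys itself
    descriptorCallsDuringNative,             // 3: one call back into the Proxy per listed key
  };
}
```

For the ordinary object the listed count and the result length agree, which is what lets an engine allocate the result array at its final size before filling it. For the Proxy the final length is only known after a trap has run for every listed key, and that trap is arbitrary user code, so the allocation cannot be sized ahead of time and the generic path is the safe one.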
1211
1212 2017-09-10  Mark Lam  <mark.lam@apple.com>
1213
1214         Fix all ExceptionScope verification failures in JavaScriptCore.
1215         https://bugs.webkit.org/show_bug.cgi?id=176662
1216         <rdar://problem/34352085>
1217
1218         Reviewed by Filip Pizlo.
1219
1220         1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope
1221            verification for release builds too (though this requires manually setting
1222            ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).
1223
1224            This is useful because it allows us to run the tests more quickly to check
1225            if any regressions have occurred.  Debug builds run so much slower and are not
1226            good for a quick turnaround.  Debug builds are necessary, though, to get
1227            trace information without inlining by the C++ compiler.  This is necessary to
1228            diagnose where the missing exception check is.
1229
1230         2. Repurposed the JSC_dumpSimulatedThrows=true option to capture and dump the last
1231            simulated throw when an exception scope verification fails.
1232
1233            Previously, this option dumped the stack trace on all simulated throws.  That
1234            turned out to not be very useful, and slowed down the debugging process.
1235            Instead, the new implementation captures the stack trace and only dumps it
1236            if we have a verification failure.
1237
1238         3. Fixed missing exception checks and book-keeping needed to allow the JSC tests
1239            to pass with JSC_validateExceptionChecks=true.
1240
1241         * bytecode/CodeBlock.cpp:
1242         (JSC::CodeBlock::finishCreation):
1243         * dfg/DFGOSRExit.cpp:
1244         (JSC::DFG::OSRExit::executeOSRExit):
1245         * dfg/DFGOperations.cpp:
1246         * interpreter/Interpreter.cpp:
1247         (JSC::eval):
1248         (JSC::loadVarargs):
1249         (JSC::Interpreter::unwind):
1250         (JSC::Interpreter::executeProgram):
1251         (JSC::Interpreter::executeCall):
1252         (JSC::Interpreter::executeConstruct):
1253         (JSC::Interpreter::prepareForRepeatCall):
1254         (JSC::Interpreter::execute):
1255         (JSC::Interpreter::executeModuleProgram):
1256         * jit/JITOperations.cpp:
1257         (JSC::getByVal):
1258         * jsc.cpp:
1259         (WTF::CustomGetter::customGetterAcessor):
1260         (GlobalObject::moduleLoaderImportModule):
1261         (GlobalObject::moduleLoaderResolve):
1262         * llint/LLIntSlowPaths.cpp:
1263         (JSC::LLInt::getByVal):
1264         (JSC::LLInt::setUpCall):
1265         * parser/Parser.h:
1266         (JSC::Parser::popScopeInternal):
1267         * runtime/AbstractModuleRecord.cpp:
1268         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1269         (JSC::AbstractModuleRecord::resolveImport):
1270         (JSC::AbstractModuleRecord::resolveExportImpl):
1271         (JSC::getExportedNames):
1272         (JSC::AbstractModuleRecord::getModuleNamespace):
1273         * runtime/ArrayPrototype.cpp:
1274         (JSC::getProperty):
1275         (JSC::unshift):
1276         (JSC::arrayProtoFuncToString):
1277         (JSC::arrayProtoFuncToLocaleString):
1278         (JSC::arrayProtoFuncJoin):
1279         (JSC::arrayProtoFuncPop):
1280         (JSC::arrayProtoFuncPush):
1281         (JSC::arrayProtoFuncReverse):
1282         (JSC::arrayProtoFuncShift):
1283         (JSC::arrayProtoFuncSlice):
1284         (JSC::arrayProtoFuncSplice):
1285         (JSC::arrayProtoFuncUnShift):
1286         (JSC::arrayProtoFuncIndexOf):
1287         (JSC::arrayProtoFuncLastIndexOf):
1288         (JSC::concatAppendOne):
1289         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1290         (JSC::arrayProtoPrivateFuncAppendMemcpy):
1291         * runtime/CatchScope.h:
1292         * runtime/CommonSlowPaths.cpp:
1293         (JSC::SLOW_PATH_DECL):
1294         * runtime/DatePrototype.cpp:
1295         (JSC::dateProtoFuncSetTime):
1296         (JSC::setNewValueFromTimeArgs):
1297         * runtime/DirectArguments.h:
1298         (JSC::DirectArguments::length const):
1299         * runtime/ErrorPrototype.cpp:
1300         (JSC::errorProtoFuncToString):
1301         * runtime/ExceptionFuzz.cpp:
1302         (JSC::doExceptionFuzzing):
1303         * runtime/ExceptionScope.h:
1304         (JSC::ExceptionScope::needExceptionCheck):
1305         (JSC::ExceptionScope::assertNoException):
1306         * runtime/GenericArgumentsInlines.h:
1307         (JSC::GenericArguments<Type>::defineOwnProperty):
1308         * runtime/HashMapImpl.h:
1309         (JSC::HashMapImpl::rehash):
1310         * runtime/IntlDateTimeFormat.cpp:
1311         (JSC::IntlDateTimeFormat::formatToParts):
1312         * runtime/JSArray.cpp:
1313         (JSC::JSArray::defineOwnProperty):
1314         (JSC::JSArray::put):
1315         * runtime/JSCJSValue.cpp:
1316         (JSC::JSValue::putToPrimitive):
1317         (JSC::JSValue::putToPrimitiveByIndex):
1318         * runtime/JSCJSValueInlines.h:
1319         (JSC::JSValue::toIndex const):
1320         (JSC::JSValue::get const):
1321         (JSC::JSValue::getPropertySlot const):
1322         (JSC::JSValue::equalSlowCaseInline):
1323         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1324         (JSC::constructGenericTypedArrayViewFromIterator):
1325         (JSC::constructGenericTypedArrayViewWithArguments):
1326         * runtime/JSGenericTypedArrayViewInlines.h:
1327         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1328         * runtime/JSGlobalObject.cpp:
1329         (JSC::JSGlobalObject::put):
1330         * runtime/JSGlobalObjectFunctions.cpp:
1331         (JSC::decode):
1332         (JSC::globalFuncEval):
1333         (JSC::globalFuncProtoGetter):
1334         (JSC::globalFuncProtoSetter):
1335         (JSC::globalFuncImportModule):
1336         * runtime/JSInternalPromise.cpp:
1337         (JSC::JSInternalPromise::then):
1338         * runtime/JSInternalPromiseDeferred.cpp:
1339         (JSC::JSInternalPromiseDeferred::create):
1340         * runtime/JSJob.cpp:
1341         (JSC::JSJobMicrotask::run):
1342         * runtime/JSModuleEnvironment.cpp:
1343         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1344         (JSC::JSModuleEnvironment::put):
1345         (JSC::JSModuleEnvironment::deleteProperty):
1346         * runtime/JSModuleLoader.cpp:
1347         (JSC::JSModuleLoader::provide):
1348         (JSC::JSModuleLoader::loadAndEvaluateModule):
1349         (JSC::JSModuleLoader::loadModule):
1350         (JSC::JSModuleLoader::linkAndEvaluateModule):
1351         (JSC::JSModuleLoader::requestImportModule):
1352         * runtime/JSModuleRecord.cpp:
1353         (JSC::JSModuleRecord::link):
1354         (JSC::JSModuleRecord::instantiateDeclarations):
1355         * runtime/JSONObject.cpp:
1356         (JSC::Stringifier::stringify):
1357         (JSC::Stringifier::toJSON):
1358         (JSC::JSONProtoFuncParse):
1359         * runtime/JSObject.cpp:
1360         (JSC::JSObject::calculatedClassName):
1361         (JSC::ordinarySetSlow):
1362         (JSC::JSObject::putInlineSlow):
1363         (JSC::JSObject::ordinaryToPrimitive const):
1364         (JSC::JSObject::toPrimitive const):
1365         (JSC::JSObject::hasInstance):
1366         (JSC::JSObject::getPropertyNames):
1367         (JSC::JSObject::toNumber const):
1368         (JSC::JSObject::defineOwnIndexedProperty):
1369         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1370         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1371         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1372         (JSC::validateAndApplyPropertyDescriptor):
1373         (JSC::JSObject::defineOwnNonIndexProperty):
1374         (JSC::JSObject::getGenericPropertyNames):
1375         * runtime/JSObject.h:
1376         (JSC::JSObject::get const):
1377         * runtime/JSObjectInlines.h:
1378         (JSC::JSObject::getPropertySlot const):
1379         (JSC::JSObject::getPropertySlot):
1380         (JSC::JSObject::getNonIndexPropertySlot):
1381         (JSC::JSObject::putInlineForJSObject):
1382         * runtime/JSPromiseConstructor.cpp:
1383         (JSC::constructPromise):
1384         * runtime/JSPromiseDeferred.cpp:
1385         (JSC::JSPromiseDeferred::create):
1386         * runtime/JSScope.cpp:
1387         (JSC::abstractAccess):
1388         (JSC::JSScope::resolve):
1389         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
1390         (JSC::JSScope::abstractResolve):
1391         * runtime/LiteralParser.cpp:
1392         (JSC::LiteralParser<CharType>::tryJSONPParse):
1393         (JSC::LiteralParser<CharType>::parse):
1394         * runtime/Lookup.h:
1395         (JSC::putEntry):
1396         * runtime/MapConstructor.cpp:
1397         (JSC::constructMap):
1398         * runtime/NumberPrototype.cpp:
1399         (JSC::numberProtoFuncToString):
1400         * runtime/ObjectConstructor.cpp:
1401         (JSC::objectConstructorSetPrototypeOf):
1402         (JSC::objectConstructorGetOwnPropertyDescriptor):
1403         (JSC::objectConstructorGetOwnPropertyDescriptors):
1404         (JSC::objectConstructorAssign):
1405         (JSC::objectConstructorValues):
1406         (JSC::toPropertyDescriptor):
1407         (JSC::objectConstructorDefineProperty):
1408         (JSC::defineProperties):
1409         (JSC::objectConstructorDefineProperties):
1410         (JSC::ownPropertyKeys):
1411         * runtime/ObjectPrototype.cpp:
1412         (JSC::objectProtoFuncHasOwnProperty):
1413         (JSC::objectProtoFuncIsPrototypeOf):
1414         (JSC::objectProtoFuncLookupGetter):
1415         (JSC::objectProtoFuncLookupSetter):
1416         (JSC::objectProtoFuncToLocaleString):
1417         (JSC::objectProtoFuncToString):
1418         * runtime/Options.h:
1419         * runtime/ParseInt.h:
1420         (JSC::toStringView):
1421         * runtime/ProxyObject.cpp:
1422         (JSC::performProxyGet):
1423         (JSC::ProxyObject::performPut):
1424         * runtime/ReflectObject.cpp:
1425         (JSC::reflectObjectDefineProperty):
1426         * runtime/RegExpConstructor.cpp:
1427         (JSC::toFlags):
1428         (JSC::regExpCreate):
1429         (JSC::constructRegExp):
1430         * runtime/RegExpObject.cpp:
1431         (JSC::collectMatches):
1432         * runtime/RegExpObjectInlines.h:
1433         (JSC::RegExpObject::execInline):
1434         (JSC::RegExpObject::matchInline):
1435         * runtime/RegExpPrototype.cpp:
1436         (JSC::regExpProtoFuncTestFast):
1437         (JSC::regExpProtoFuncExec):
1438         (JSC::regExpProtoFuncMatchFast):
1439         (JSC::regExpProtoFuncToString):
1440         (JSC::regExpProtoFuncSplitFast):
1441         * runtime/ScriptExecutable.cpp:
1442         (JSC::ScriptExecutable::newCodeBlockFor):
1443         (JSC::ScriptExecutable::prepareForExecutionImpl):
1444         * runtime/SetConstructor.cpp:
1445         (JSC::constructSet):
1446         * runtime/ThrowScope.cpp:
1447         (JSC::ThrowScope::simulateThrow):
1448         * runtime/VM.cpp:
1449         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1450         * runtime/VM.h:
1451         * runtime/WeakMapPrototype.cpp:
1452         (JSC::protoFuncWeakMapSet):
1453         * runtime/WeakSetPrototype.cpp:
1454         (JSC::protoFuncWeakSetAdd):
1455         * wasm/js/WebAssemblyModuleConstructor.cpp:
1456         (JSC::WebAssemblyModuleConstructor::createModule):
1457         * wasm/js/WebAssemblyModuleRecord.cpp:
1458         (JSC::WebAssemblyModuleRecord::link):
1459         * wasm/js/WebAssemblyPrototype.cpp:
1460         (JSC::reject):
1461         (JSC::webAssemblyCompileFunc):
1462         (JSC::resolve):
1463         (JSC::webAssemblyInstantiateFunc):
1464
1465 2017-09-08  Filip Pizlo  <fpizlo@apple.com>
1466
1467         Error should compute .stack and friends lazily
1468         https://bugs.webkit.org/show_bug.cgi?id=176645
1469
1470         Reviewed by Saam Barati.
1471         
1472         Building the string portion of the stack trace after we walk the stack accounts for most of
1473         the cost of computing the .stack property. So, this patch makes ErrorInstance hold onto the
1474         Vector<StackFrame> so that it can build the string only once it's really needed.
1475         
1476         This is an enormous speed-up for programs that allocate and throw exceptions.
1477         
1478         It's a 5.6x speed-up for "new Error()" with a stack that is 4 functions deep.
1479         
1480         It's a 2.2x speed-up for throwing and catching an Error.
1481         
1482         It's a 1.17x speed-up for the WSL test suite (which throws a lot).
1483         
1484         It's a significant speed-up on many of our existing try-catch microbenchmarks. For example,
1485         delta-blue-try-catch is 1.16x faster.
1486
1487         * interpreter/Interpreter.cpp:
1488         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
1489         (JSC::GetStackTraceFunctor::operator() const):
1490         (JSC::Interpreter::getStackTrace):
1491         * interpreter/Interpreter.h:
1492         * runtime/Error.cpp:
1493         (JSC::getStackTrace):
1494         (JSC::getBytecodeOffset):
1495         (JSC::addErrorInfo):
1496         (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
1497         * runtime/Error.h:
1498         * runtime/ErrorInstance.cpp:
1499         (JSC::ErrorInstance::ErrorInstance):
1500         (JSC::ErrorInstance::finishCreation):
1501         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1502         (JSC::ErrorInstance::visitChildren):
1503         (JSC::ErrorInstance::getOwnPropertySlot):
1504         (JSC::ErrorInstance::getOwnNonIndexPropertyNames):
1505         (JSC::ErrorInstance::defineOwnProperty):
1506         (JSC::ErrorInstance::put):
1507         (JSC::ErrorInstance::deleteProperty):
1508         * runtime/ErrorInstance.h:
1509         * runtime/Exception.cpp:
1510         (JSC::Exception::visitChildren):
1511         (JSC::Exception::finishCreation):
1512         * runtime/Exception.h:
1513         * runtime/StackFrame.cpp:
1514         (JSC::StackFrame::visitChildren):
1515         * runtime/StackFrame.h:
1516         (JSC::StackFrame::StackFrame):
1517
1518 2017-09-09  Mark Lam  <mark.lam@apple.com>
1519
1520         [Re-landing] Use JIT probes for DFG OSR exit.
1521         https://bugs.webkit.org/show_bug.cgi?id=175144
1522         <rdar://problem/33437050>
1523
1524         Not reviewed.  Original patch reviewed by Saam Barati.
1525
1526         Relanding r221774.
1527
1528         * JavaScriptCore.xcodeproj/project.pbxproj:
1529         * assembler/MacroAssembler.cpp:
1530         (JSC::stdFunctionCallback):
1531         * assembler/MacroAssemblerPrinter.cpp:
1532         (JSC::Printer::printCallback):
1533         * assembler/ProbeContext.h:
1534         (JSC::Probe::CPUState::gpr const):
1535         (JSC::Probe::CPUState::spr const):
1536         (JSC::Probe::Context::Context):
1537         (JSC::Probe::Context::arg):
1538         (JSC::Probe::Context::gpr):
1539         (JSC::Probe::Context::spr):
1540         (JSC::Probe::Context::fpr):
1541         (JSC::Probe::Context::gprName):
1542         (JSC::Probe::Context::sprName):
1543         (JSC::Probe::Context::fprName):
1544         (JSC::Probe::Context::gpr const):
1545         (JSC::Probe::Context::spr const):
1546         (JSC::Probe::Context::fpr const):
1547         (JSC::Probe::Context::pc):
1548         (JSC::Probe::Context::fp):
1549         (JSC::Probe::Context::sp):
1550         (JSC::Probe:: const): Deleted.
1551         * assembler/ProbeFrame.h: Copied from Source/JavaScriptCore/assembler/ProbeFrame.h.
1552         * assembler/ProbeStack.cpp:
1553         (JSC::Probe::Page::Page):
1554         * assembler/ProbeStack.h:
1555         (JSC::Probe::Page::get):
1556         (JSC::Probe::Page::set):
1557         (JSC::Probe::Page::physicalAddressFor):
1558         (JSC::Probe::Stack::lowWatermark):
1559         (JSC::Probe::Stack::get):
1560         (JSC::Probe::Stack::set):
1561         * bytecode/ArithProfile.cpp:
1562         * bytecode/ArithProfile.h:
1563         * bytecode/ArrayProfile.h:
1564         (JSC::ArrayProfile::observeArrayMode):
1565         * bytecode/CodeBlock.cpp:
1566         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1567         * bytecode/CodeBlock.h:
1568         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
1569         * bytecode/ExecutionCounter.h:
1570         (JSC::ExecutionCounter::hasCrossedThreshold const):
1571         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
1572         * bytecode/MethodOfGettingAValueProfile.cpp:
1573         (JSC::MethodOfGettingAValueProfile::reportValue):
1574         * bytecode/MethodOfGettingAValueProfile.h:
1575         * dfg/DFGDriver.cpp:
1576         (JSC::DFG::compileImpl):
1577         * dfg/DFGJITCode.cpp:
1578         (JSC::DFG::JITCode::findPC): Deleted.
1579         * dfg/DFGJITCode.h:
1580         * dfg/DFGJITCompiler.cpp:
1581         (JSC::DFG::JITCompiler::linkOSRExits):
1582         (JSC::DFG::JITCompiler::link):
1583         * dfg/DFGOSRExit.cpp:
1584         (JSC::DFG::jsValueFor):
1585         (JSC::DFG::restoreCalleeSavesFor):
1586         (JSC::DFG::saveCalleeSavesFor):
1587         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
1588         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1589         (JSC::DFG::saveOrCopyCalleeSavesFor):
1590         (JSC::DFG::createDirectArgumentsDuringExit):
1591         (JSC::DFG::createClonedArgumentsDuringExit):
1592         (JSC::DFG::OSRExit::OSRExit):
1593         (JSC::DFG::emitRestoreArguments):
1594         (JSC::DFG::OSRExit::executeOSRExit):
1595         (JSC::DFG::reifyInlinedCallFrames):
1596         (JSC::DFG::adjustAndJumpToTarget):
1597         (JSC::DFG::printOSRExit):
1598         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
1599         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
1600         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
1601         (JSC::DFG::OSRExit::correctJump): Deleted.
1602         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
1603         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
1604         (JSC::DFG::OSRExit::compileExit): Deleted.
1605         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
1606         * dfg/DFGOSRExit.h:
1607         (JSC::DFG::OSRExitState::OSRExitState):
1608         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
1609         * dfg/DFGOSRExitCompilerCommon.cpp:
1610         * dfg/DFGOSRExitCompilerCommon.h:
1611         * dfg/DFGOperations.cpp:
1612         * dfg/DFGOperations.h:
1613         * dfg/DFGThunks.cpp:
1614         (JSC::DFG::osrExitThunkGenerator):
1615         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
1616         * dfg/DFGThunks.h:
1617         * jit/AssemblyHelpers.cpp:
1618         (JSC::AssemblyHelpers::debugCall): Deleted.
1619         * jit/AssemblyHelpers.h:
1620         * jit/JITOperations.cpp:
1621         * jit/JITOperations.h:
1622         * profiler/ProfilerOSRExit.h:
1623         (JSC::Profiler::OSRExit::incCount):
1624         * runtime/JSCJSValue.h:
1625         * runtime/JSCJSValueInlines.h:
1626         * runtime/VM.h:
1627
1628 2017-09-09  Ryan Haddad  <ryanhaddad@apple.com>
1629
1630         Unreviewed, rolling out r221774.
1631
1632         This change introduced three debug JSC test timeouts.
1633
1634         Reverted changeset:
1635
1636         "Use JIT probes for DFG OSR exit."
1637         https://bugs.webkit.org/show_bug.cgi?id=175144
1638         http://trac.webkit.org/changeset/221774
1639
1640 2017-09-09  Mark Lam  <mark.lam@apple.com>
1641
1642         Avoid duplicate computations of ExecState::vm().
1643         https://bugs.webkit.org/show_bug.cgi?id=176647
1644
1645         Reviewed by Saam Barati.
1646
1647         Because while computing ExecState::vm() is cheap, it is not free.
1648
1649         This patch also:
1650         1. gets rid of some convenience methods in CallFrame that implicitly do an
1651            ExecState::vm() computation.  This minimizes the chance of us accidentally
1652            computing ExecState::vm() more than necessary.
1653         2. passes vm (when available) to methodTable().
1654         3. passes vm (when available) to JSLockHolder.
1655
1656         * API/JSBase.cpp:
1657         (JSCheckScriptSyntax):
1658         (JSGarbageCollect):
1659         (JSReportExtraMemoryCost):
1660         (JSSynchronousGarbageCollectForDebugging):
1661         (JSSynchronousEdenCollectForDebugging):
1662         * API/JSCallbackConstructor.h:
1663         (JSC::JSCallbackConstructor::create):
1664         * API/JSCallbackObject.h:
1665         (JSC::JSCallbackObject::create):
1666         * API/JSContext.mm:
1667         (-[JSContext setException:]):
1668         * API/JSContextRef.cpp:
1669         (JSContextGetGlobalObject):
1670         (JSContextCreateBacktrace):
1671         * API/JSManagedValue.mm:
1672         (-[JSManagedValue value]):
1673         * API/JSObjectRef.cpp:
1674         (JSObjectMake):
1675         (JSObjectMakeFunctionWithCallback):
1676         (JSObjectMakeConstructor):
1677         (JSObjectMakeFunction):
1678         (JSObjectSetPrototype):
1679         (JSObjectHasProperty):
1680         (JSObjectGetProperty):
1681         (JSObjectSetProperty):
1682         (JSObjectSetPropertyAtIndex):
1683         (JSObjectDeleteProperty):
1684         (JSObjectGetPrivateProperty):
1685         (JSObjectSetPrivateProperty):
1686         (JSObjectDeletePrivateProperty):
1687         (JSObjectIsFunction):
1688         (JSObjectCallAsFunction):
1689         (JSObjectCallAsConstructor):
1690         (JSObjectCopyPropertyNames):
1691         (JSPropertyNameAccumulatorAddName):
1692         * API/JSScriptRef.cpp:
1693         * API/JSTypedArray.cpp:
1694         (JSValueGetTypedArrayType):
1695         (JSObjectMakeTypedArrayWithArrayBuffer):
1696         (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
1697         (JSObjectGetTypedArrayBytesPtr):
1698         (JSObjectGetTypedArrayBuffer):
1699         (JSObjectMakeArrayBufferWithBytesNoCopy):
1700         (JSObjectGetArrayBufferBytesPtr):
1701         * API/JSWeakObjectMapRefPrivate.cpp:
1702         * API/JSWrapperMap.mm:
1703         (constructorHasInstance):
1704         (makeWrapper):
1705         * API/ObjCCallbackFunction.mm:
1706         (objCCallbackFunctionForInvocation):
1707         * bytecode/CodeBlock.cpp:
1708         (JSC::CodeBlock::CodeBlock):
1709         (JSC::CodeBlock::jettison):
1710         * bytecode/CodeBlock.h:
1711         (JSC::CodeBlock::addConstant):
1712         (JSC::CodeBlock::replaceConstant):
1713         * bytecode/PutByIdStatus.cpp:
1714         (JSC::PutByIdStatus::computeFromLLInt):
1715         (JSC::PutByIdStatus::computeFor):
1716         * dfg/DFGDesiredWatchpoints.cpp:
1717         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
1718         * dfg/DFGGraph.h:
1719         (JSC::DFG::Graph::globalThisObjectFor):
1720         * dfg/DFGOperations.cpp:
1721         * ftl/FTLOSRExitCompiler.cpp:
1722         (JSC::FTL::compileFTLOSRExit):
1723         * ftl/FTLOperations.cpp:
1724         (JSC::FTL::operationPopulateObjectInOSR):
1725         (JSC::FTL::operationMaterializeObjectInOSR):
1726         * heap/GCAssertions.h:
1727         * inspector/InjectedScriptHost.cpp:
1728         (Inspector::InjectedScriptHost::wrapper):
1729         * inspector/JSInjectedScriptHost.cpp:
1730         (Inspector::JSInjectedScriptHost::subtype):
1731         (Inspector::constructInternalProperty):
1732         (Inspector::JSInjectedScriptHost::getInternalProperties):
1733         (Inspector::JSInjectedScriptHost::weakMapEntries):
1734         (Inspector::JSInjectedScriptHost::weakSetEntries):
1735         (Inspector::JSInjectedScriptHost::iteratorEntries):
1736         * inspector/JSJavaScriptCallFrame.cpp:
1737         (Inspector::valueForScopeLocation):
1738         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
1739         (Inspector::toJS):
1740         * inspector/ScriptCallStackFactory.cpp:
1741         (Inspector::extractSourceInformationFromException):
1742         (Inspector::createScriptArguments):
1743         * interpreter/CachedCall.h:
1744         (JSC::CachedCall::CachedCall):
1745         * interpreter/CallFrame.h:
1746         (JSC::ExecState::atomicStringTable const): Deleted.
1747         (JSC::ExecState::propertyNames const): Deleted.
1748         (JSC::ExecState::emptyList const): Deleted.
1749         (JSC::ExecState::interpreter): Deleted.
1750         (JSC::ExecState::heap): Deleted.
1751         * interpreter/Interpreter.cpp:
1752         (JSC::Interpreter::executeProgram):
1753         (JSC::Interpreter::execute):
1754         (JSC::Interpreter::executeModuleProgram):
1755         * jit/JIT.cpp:
1756         (JSC::JIT::privateCompileMainPass):
1757         * jit/JITOperations.cpp:
1758         * jit/JITWorklist.cpp:
1759         (JSC::JITWorklist::compileNow):
1760         * jsc.cpp:
1761         (WTF::RuntimeArray::create):
1762         (WTF::RuntimeArray::getOwnPropertySlot):
1763         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
1764         (WTF::DOMJITFunctionObject::unsafeFunction):
1765         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
1766         (GlobalObject::moduleLoaderFetch):
1767         (functionDumpCallFrame):
1768         (functionCreateRoot):
1769         (functionGetElement):
1770         (functionSetElementRoot):
1771         (functionCreateSimpleObject):
1772         (functionSetHiddenValue):
1773         (functionCreateProxy):
1774         (functionCreateImpureGetter):
1775         (functionCreateCustomGetterObject):
1776         (functionCreateDOMJITNodeObject):
1777         (functionCreateDOMJITGetterObject):
1778         (functionCreateDOMJITGetterComplexObject):
1779         (functionCreateDOMJITFunctionObject):
1780         (functionCreateDOMJITCheckSubClassObject):
1781         (functionGCAndSweep):
1782         (functionFullGC):
1783         (functionEdenGC):
1784         (functionHeapSize):
1785         (functionShadowChickenFunctionsOnStack):
1786         (functionSetGlobalConstRedeclarationShouldNotThrow):
1787         (functionJSCOptions):
1788         (functionFailNextNewCodeBlock):
1789         (functionMakeMasquerader):
1790         (functionDumpTypesForAllVariables):
1791         (functionFindTypeForExpression):
1792         (functionReturnTypeFor):
1793         (functionDumpBasicBlockExecutionRanges):
1794         (functionBasicBlockExecutionCount):
1795         (functionDrainMicrotasks):
1796         (functionGenerateHeapSnapshot):
1797         (functionEnsureArrayStorage):
1798         (functionStartSamplingProfiler):
1799         (runInteractive):
1800         * llint/LLIntSlowPaths.cpp:
1801         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1802         * parser/ModuleAnalyzer.cpp:
1803         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1804         * profiler/ProfilerBytecode.cpp:
1805         (JSC::Profiler::Bytecode::toJS const):
1806         * profiler/ProfilerBytecodeSequence.cpp:
1807         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
1808         * profiler/ProfilerBytecodes.cpp:
1809         (JSC::Profiler::Bytecodes::toJS const):
1810         * profiler/ProfilerCompilation.cpp:
1811         (JSC::Profiler::Compilation::toJS const):
1812         * profiler/ProfilerCompiledBytecode.cpp:
1813         (JSC::Profiler::CompiledBytecode::toJS const):
1814         * profiler/ProfilerDatabase.cpp:
1815         (JSC::Profiler::Database::toJS const):
1816         * profiler/ProfilerEvent.cpp:
1817         (JSC::Profiler::Event::toJS const):
1818         * profiler/ProfilerOSRExit.cpp:
1819         (JSC::Profiler::OSRExit::toJS const):
1820         * profiler/ProfilerOrigin.cpp:
1821         (JSC::Profiler::Origin::toJS const):
1822         * profiler/ProfilerProfiledBytecodes.cpp:
1823         (JSC::Profiler::ProfiledBytecodes::toJS const):
1824         * runtime/AbstractModuleRecord.cpp:
1825         (JSC::identifierToJSValue):
1826         (JSC::AbstractModuleRecord::resolveExportImpl):
1827         (JSC::getExportedNames):
1828         * runtime/ArrayPrototype.cpp:
1829         (JSC::arrayProtoFuncToString):
1830         (JSC::arrayProtoFuncToLocaleString):
1831         * runtime/BooleanConstructor.cpp:
1832         (JSC::constructBooleanFromImmediateBoolean):
1833         * runtime/CallData.cpp:
1834         (JSC::call):
1835         * runtime/CommonSlowPaths.cpp:
1836         (JSC::SLOW_PATH_DECL):
1837         * runtime/CommonSlowPaths.h:
1838         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1839         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1840         * runtime/Completion.cpp:
1841         (JSC::checkSyntax):
1842         (JSC::evaluate):
1843         (JSC::loadAndEvaluateModule):
1844         (JSC::loadModule):
1845         (JSC::linkAndEvaluateModule):
1846         (JSC::importModule):
1847         * runtime/ConstructData.cpp:
1848         (JSC::construct):
1849         * runtime/DatePrototype.cpp:
1850         (JSC::dateProtoFuncToJSON):
1851         * runtime/DirectArguments.h:
1852         (JSC::DirectArguments::length const):
1853         * runtime/DirectEvalExecutable.cpp:
1854         (JSC::DirectEvalExecutable::create):
1855         * runtime/ErrorPrototype.cpp:
1856         (JSC::errorProtoFuncToString):
1857         * runtime/ExceptionHelpers.cpp:
1858         (JSC::createUndefinedVariableError):
1859         (JSC::errorDescriptionForValue):
1860         * runtime/FunctionConstructor.cpp:
1861         (JSC::constructFunction):
1862         * runtime/GenericArgumentsInlines.h:
1863         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1864         * runtime/IdentifierInlines.h:
1865         (JSC::Identifier::add):
1866         * runtime/IndirectEvalExecutable.cpp:
1867         (JSC::IndirectEvalExecutable::create):
1868         * runtime/InternalFunction.cpp:
1869         (JSC::InternalFunction::finishCreation):
1870         (JSC::InternalFunction::createSubclassStructureSlow):
1871         * runtime/JSArray.cpp:
1872         (JSC::JSArray::getOwnPropertySlot):
1873         (JSC::JSArray::put):
1874         (JSC::JSArray::deleteProperty):
1875         (JSC::JSArray::getOwnNonIndexPropertyNames):
1876         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
1877         * runtime/JSArray.h:
1878         (JSC::JSArray::shiftCountForShift):
1879         * runtime/JSCJSValue.cpp:
1880         (JSC::JSValue::dumpForBacktrace const):
1881         * runtime/JSDataView.cpp:
1882         (JSC::JSDataView::getOwnPropertySlot):
1883         (JSC::JSDataView::deleteProperty):
1884         (JSC::JSDataView::getOwnNonIndexPropertyNames):
1885         * runtime/JSFunction.cpp:
1886         (JSC::JSFunction::getOwnPropertySlot):
1887         (JSC::JSFunction::deleteProperty):
1888         (JSC::JSFunction::reifyName):
1889         * runtime/JSGlobalObjectFunctions.cpp:
1890         (JSC::globalFuncEval):
1891         * runtime/JSInternalPromise.cpp:
1892         (JSC::JSInternalPromise::then):
1893         * runtime/JSLexicalEnvironment.cpp:
1894         (JSC::JSLexicalEnvironment::deleteProperty):
1895         * runtime/JSMap.cpp:
1896         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
1897         * runtime/JSMapIterator.h:
1898         (JSC::JSMapIterator::advanceIter):
1899         * runtime/JSModuleEnvironment.cpp:
1900         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
1901         * runtime/JSModuleLoader.cpp:
1902         (JSC::printableModuleKey):
1903         (JSC::JSModuleLoader::provide):
1904         (JSC::JSModuleLoader::loadAndEvaluateModule):
1905         (JSC::JSModuleLoader::loadModule):
1906         (JSC::JSModuleLoader::linkAndEvaluateModule):
1907         (JSC::JSModuleLoader::requestImportModule):
1908         * runtime/JSModuleNamespaceObject.h:
1909         * runtime/JSModuleRecord.cpp:
1910         (JSC::JSModuleRecord::evaluate):
1911         * runtime/JSONObject.cpp:
1912         (JSC::Stringifier::Stringifier):
1913         (JSC::Stringifier::appendStringifiedValue):
1914         (JSC::Stringifier::Holder::appendNextProperty):
1915         * runtime/JSObject.cpp:
1916         (JSC::JSObject::calculatedClassName):
1917         (JSC::JSObject::putByIndex):
1918         (JSC::JSObject::ordinaryToPrimitive const):
1919         (JSC::JSObject::toPrimitive const):
1920         (JSC::JSObject::hasInstance):
1921         (JSC::JSObject::getOwnPropertyNames):
1922         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1923         (JSC::getCustomGetterSetterFunctionForGetterSetter):
1924         (JSC::JSObject::getOwnPropertyDescriptor):
1925         (JSC::JSObject::getMethod):
1926         * runtime/JSObject.h:
1927         (JSC::JSObject::createRawObject):
1928         (JSC::JSFinalObject::create):
1929         * runtime/JSObjectInlines.h:
1930         (JSC::JSObject::canPerformFastPutInline):
1931         (JSC::JSObject::putInlineForJSObject):
1932         (JSC::JSObject::hasOwnProperty const):
1933         * runtime/JSScope.cpp:
1934         (JSC::isUnscopable):
1935         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
1936         * runtime/JSSet.cpp:
1937         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
1938         * runtime/JSSetIterator.h:
1939         (JSC::JSSetIterator::advanceIter):
1940         * runtime/JSString.cpp:
1941         (JSC::JSString::getStringPropertyDescriptor):
1942         * runtime/JSString.h:
1943         (JSC::JSString::getStringPropertySlot):
1944         * runtime/MapConstructor.cpp:
1945         (JSC::constructMap):
1946         * runtime/ModuleProgramExecutable.cpp:
1947         (JSC::ModuleProgramExecutable::create):
1948         * runtime/ObjectPrototype.cpp:
1949         (JSC::objectProtoFuncToLocaleString):
1950         * runtime/ProgramExecutable.h:
1951         * runtime/RegExpObject.cpp:
1952         (JSC::RegExpObject::getOwnPropertySlot):
1953         (JSC::RegExpObject::deleteProperty):
1954         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
1955         (JSC::RegExpObject::getPropertyNames):
1956         (JSC::RegExpObject::getGenericPropertyNames):
1957         (JSC::RegExpObject::put):
1958         * runtime/ScopedArguments.h:
1959         (JSC::ScopedArguments::length const):
1960         * runtime/StrictEvalActivation.h:
1961         (JSC::StrictEvalActivation::create):
1962         * runtime/StringObject.cpp:
1963         (JSC::isStringOwnProperty):
1964         (JSC::StringObject::deleteProperty):
1965         (JSC::StringObject::getOwnNonIndexPropertyNames):
1966         * tools/JSDollarVMPrototype.cpp:
1967         (JSC::JSDollarVMPrototype::gc):
1968         (JSC::JSDollarVMPrototype::edenGC):
1969         * wasm/js/WebAssemblyModuleRecord.cpp:
1970         (JSC::WebAssemblyModuleRecord::evaluate):
1971
1972 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1973
1974         [DFG] NewArrayWithSize(size)'s size does not care negative zero
1975         https://bugs.webkit.org/show_bug.cgi?id=176300
1976
1977         Reviewed by Saam Barati.
1978
1979         NewArrayWithSize(size)'s size does not care about negative zero, the
1980         same as NewTypedArray. We propagate this information
1981         in DFGBackwardsPropagationPhase. This removes the negative zero
1982         check in Kraken fft's deinterleave function.
1983
1984         * dfg/DFGBackwardsPropagationPhase.cpp:
1985         (JSC::DFG::BackwardsPropagationPhase::propagate):
1986
1987 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1988
1989         [DFG] PutByVal with Array::Generic is too generic
1990         https://bugs.webkit.org/show_bug.cgi?id=176345
1991
1992         Reviewed by Filip Pizlo.
1993
1994         Our DFG/FTL's PutByVal with Array::Generic is a too-generic implementation.
1995         We could have the case like,
1996
1997             dst[key] = src[key];
1998
1999         with string or symbol keys. But they are handled in the slow path.
2000         This patch adds PutByVal(CellUse, StringUse/SymbolUse, UntypedUse). They go
2001         to an optimized path that does not have generic checks (isInt32() / isDouble(), etc.).
2002
2003         This improves SixSpeed object-assign.es5 by 9.1%.
2004
2005         object-assign.es5             424.3159+-11.0471    ^    388.8771+-10.9239       ^ definitely 1.0911x faster
2006
2007         * dfg/DFGFixupPhase.cpp:
2008         (JSC::DFG::FixupPhase::fixupNode):
2009         * dfg/DFGOperations.cpp:
2010         (JSC::DFG::putByVal):
2011         (JSC::DFG::putByValInternal):
2012         (JSC::DFG::putByValCellInternal):
2013         (JSC::DFG::putByValCellStringInternal):
2014         (JSC::DFG::operationPutByValInternal): Deleted.
2015         * dfg/DFGOperations.h:
2016         * dfg/DFGSpeculativeJIT.cpp:
2017         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString):
2018         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol):
2019         * dfg/DFGSpeculativeJIT.h:
2020         (JSC::DFG::SpeculativeJIT::callOperation):
2021         * dfg/DFGSpeculativeJIT32_64.cpp:
2022         (JSC::DFG::SpeculativeJIT::compile):
2023         * dfg/DFGSpeculativeJIT64.cpp:
2024         (JSC::DFG::SpeculativeJIT::compile):
2025         * ftl/FTLLowerDFGToB3.cpp:
2026         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2027         * jit/JITOperations.h:
2028
2029 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2030
2031         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
2032         https://bugs.webkit.org/show_bug.cgi?id=176590
2033
2034         Reviewed by Saam Barati.
2035
2036         We add fixup edges for GetByVal(Array::Generic) to call a faster operation instead of the generic operationGetByVal.
2037
2038                                          baseline                  patched
2039
2040         object-iterate                5.8531+-0.3029            5.7903+-0.2795          might be 1.0108x faster
2041         object-iterate-symbols        7.4099+-0.3993     ^      5.8254+-0.2276        ^ definitely 1.2720x faster
2042
2043         * dfg/DFGFixupPhase.cpp:
2044         (JSC::DFG::FixupPhase::fixupNode):
2045         * dfg/DFGOperations.cpp:
2046         (JSC::DFG::getByValObject):
2047         * dfg/DFGOperations.h:
2048         * dfg/DFGSpeculativeJIT.cpp:
2049         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
2050         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
2051         * dfg/DFGSpeculativeJIT.h:
2052         * dfg/DFGSpeculativeJIT32_64.cpp:
2053         (JSC::DFG::SpeculativeJIT::compile):
2054         * dfg/DFGSpeculativeJIT64.cpp:
2055         (JSC::DFG::SpeculativeJIT::compile):
2056         * ftl/FTLLowerDFGToB3.cpp:
2057         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2058
2059 2017-09-07  Mark Lam  <mark.lam@apple.com>
2060
2061         Use JIT probes for DFG OSR exit.
2062         https://bugs.webkit.org/show_bug.cgi?id=175144
2063         <rdar://problem/33437050>
2064
2065         Reviewed by Saam Barati.
2066
2067         This patch does the following:
2068         1. Replaces osrExitGenerationThunkGenerator() with osrExitThunkGenerator().
2069            While osrExitGenerationThunkGenerator() generates a thunk that compiles a
2070            unique OSR offramp for each DFG OSR exit site, osrExitThunkGenerator()
2071            generates a thunk that just executes the OSR exit.
2072
2073            The osrExitThunkGenerator() generated thunk works by using a single JIT probe
2074            to call OSRExit::executeOSRExit().  The JIT probe takes care of preserving
2075            CPU registers, and providing the Probe::Stack mechanism for modifying the
2076            stack frame.
2077
2078            OSRExit::executeOSRExit() replaces OSRExit::compileOSRExit() and
2079            OSRExit::compileExit().  It is basically a re-write of those functions to
2080            execute the OSR exit work instead of compiling code to execute the work.
2081
2082            As a result, we get the following savings:
2083            a. no more OSR exit ramp compilation time.
2084            b. no use of JIT executable memory for storing each unique OSR exit ramp.
2085
2086            On the negative side, we incur these costs:
2087
2088            c. the OSRExit::executeOSRExit() ramp may be a little slower than the compiled
2089               version of the ramp.  However, OSR exits are rare.  Hence, this small
2090               difference should not matter much.  It is also offset by the savings from
2091               (a).
2092
2093            d. the Probe::Stack allocates 1K pages of memory for buffering stack
2094               modifications.  The number of these pages depends on the span of stack memory
2095               that the OSR exit ramp reads from and writes to.  Since the OSR exit ramp
2096               tends to only modify values in the current DFG frame and the current
2097               VMEntryRecord, the number of pages tends to only be 1 or 2.
2098
2099               Using the jsc tests as a workload, the vast majority of tests that do OSR
2100               exit use 3 or fewer 1K pages (with the overwhelming number using just 1 page).
2101               A few tests that are pathological use up to 14 pages, and one particularly
2102               bad test (function-apply-many-args.js) uses 513 pages.
2103
2104            Similar to the old code, the OSR exit ramp still has 2 parts: 1 part that is
2105            only executed once to compute some values for the exit site that are used by
2106            all exit operations from that site, and a 2nd part to execute the exit.  The
2107            1st part is protected by a check of whether exit.exitState has already been
2108            initialized.  The computed values are cached in exit.exitState.
2109
2110            Because the OSR exit thunk no longer compiles an OSR exit off-ramp, we no
2111            longer need the facility to patch the site that jumps to the OSR exit ramp.
2112            The DFG::JITCompiler has been modified to remove this patching code.
2113
2114         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
2115            std::memcpy to avoid strict aliasing issues.
2116
2117            Also optimized the implementation of Probe::Stack::physicalAddressFor().
2118
2119         3. Miscellaneous convenience methods added to make the Probe::Context easier to
2120            use.
2121
2122         4. Added a Probe::Frame class that makes it easier to get/set operands and
2123            arguments in a given frame using the deferred write properties of the
2124            Probe::Stack.  Probe::Frame makes it easier to do some of the recovery work in
2125            the OSR exit ramp.
2126
2127         5. Cloned or converted some functions needed by the OSR exit ramp.  The original
2128            JIT versions of these functions are still left in place because they are still
2129            needed for FTL OSR exit.  A FIXME comment has been added to remove them later.
2130            These functions include:
2131
2132            DFGOSRExitCompilerCommon.cpp's handleExitCounts() ==>
2133                CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize()
2134            DFGOSRExitCompilerCommon.cpp's reifyInlinedCallFrames() ==>
2135                DFGOSRExit.cpp's reifyInlinedCallFrames()
2136            DFGOSRExitCompilerCommon.cpp's adjustAndJumpToTarget() ==>
2137                DFGOSRExit.cpp's adjustAndJumpToTarget()
2138
2139            MethodOfGettingAValueProfile::emitReportValue() ==>
2140                MethodOfGettingAValueProfile::reportValue()
2141
2142            DFGOperations.cpp's operationCreateDirectArgumentsDuringExit() ==>
2143                DFGOSRExit.cpp's createDirectArgumentsDuringExit()
2144            DFGOperations.cpp's operationCreateClonedArgumentsDuringExit() ==>
2145                DFGOSRExit.cpp's createClonedArgumentsDuringExit()
2146
2147         * JavaScriptCore.xcodeproj/project.pbxproj:
2148         * assembler/MacroAssembler.cpp:
2149         (JSC::stdFunctionCallback):
2150         * assembler/MacroAssemblerPrinter.cpp:
2151         (JSC::Printer::printCallback):
2152         * assembler/ProbeContext.h:
2153         (JSC::Probe::CPUState::gpr const):
2154         (JSC::Probe::CPUState::spr const):
2155         (JSC::Probe::Context::Context):
2156         (JSC::Probe::Context::arg):
2157         (JSC::Probe::Context::gpr):
2158         (JSC::Probe::Context::spr):
2159         (JSC::Probe::Context::fpr):
2160         (JSC::Probe::Context::gprName):
2161         (JSC::Probe::Context::sprName):
2162         (JSC::Probe::Context::fprName):
2163         (JSC::Probe::Context::gpr const):
2164         (JSC::Probe::Context::spr const):
2165         (JSC::Probe::Context::fpr const):
2166         (JSC::Probe::Context::pc):
2167         (JSC::Probe::Context::fp):
2168         (JSC::Probe::Context::sp):
2169         (JSC::Probe:: const): Deleted.
2170         * assembler/ProbeFrame.h: Added.
2171         (JSC::Probe::Frame::Frame):
2172         (JSC::Probe::Frame::getArgument):
2173         (JSC::Probe::Frame::getOperand):
2174         (JSC::Probe::Frame::get):
2175         (JSC::Probe::Frame::setArgument):
2176         (JSC::Probe::Frame::setOperand):
2177         (JSC::Probe::Frame::set):
2178         * assembler/ProbeStack.cpp:
2179         (JSC::Probe::Page::Page):
2180         * assembler/ProbeStack.h:
2181         (JSC::Probe::Page::get):
2182         (JSC::Probe::Page::set):
2183         (JSC::Probe::Page::physicalAddressFor):
2184         (JSC::Probe::Stack::lowWatermark):
2185         (JSC::Probe::Stack::get):
2186         (JSC::Probe::Stack::set):
2187         * bytecode/ArithProfile.cpp:
2188         * bytecode/ArithProfile.h:
2189         * bytecode/ArrayProfile.h:
2190         (JSC::ArrayProfile::observeArrayMode):
2191         * bytecode/CodeBlock.cpp:
2192         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
2193         * bytecode/CodeBlock.h:
2194         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
2195         * bytecode/ExecutionCounter.h:
2196         (JSC::ExecutionCounter::hasCrossedThreshold const):
2197         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
2198         * bytecode/MethodOfGettingAValueProfile.cpp:
2199         (JSC::MethodOfGettingAValueProfile::reportValue):
2200         * bytecode/MethodOfGettingAValueProfile.h:
2201         * dfg/DFGDriver.cpp:
2202         (JSC::DFG::compileImpl):
2203         * dfg/DFGJITCode.cpp:
2204         (JSC::DFG::JITCode::findPC): Deleted.
2205         * dfg/DFGJITCode.h:
2206         * dfg/DFGJITCompiler.cpp:
2207         (JSC::DFG::JITCompiler::linkOSRExits):
2208         (JSC::DFG::JITCompiler::link):
2209         * dfg/DFGOSRExit.cpp:
2210         (JSC::DFG::jsValueFor):
2211         (JSC::DFG::restoreCalleeSavesFor):
2212         (JSC::DFG::saveCalleeSavesFor):
2213         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
2214         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2215         (JSC::DFG::saveOrCopyCalleeSavesFor):
2216         (JSC::DFG::createDirectArgumentsDuringExit):
2217         (JSC::DFG::createClonedArgumentsDuringExit):
2218         (JSC::DFG::OSRExit::OSRExit):
2219         (JSC::DFG::emitRestoreArguments):
2220         (JSC::DFG::OSRExit::executeOSRExit):
2221         (JSC::DFG::reifyInlinedCallFrames):
2222         (JSC::DFG::adjustAndJumpToTarget):
2223         (JSC::DFG::printOSRExit):
2224         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
2225         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
2226         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
2227         (JSC::DFG::OSRExit::correctJump): Deleted.
2228         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
2229         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
2230         (JSC::DFG::OSRExit::compileExit): Deleted.
2231         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
2232         * dfg/DFGOSRExit.h:
2233         (JSC::DFG::OSRExitState::OSRExitState):
2234         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
2235         * dfg/DFGOSRExitCompilerCommon.cpp:
2236         * dfg/DFGOSRExitCompilerCommon.h:
2237         * dfg/DFGOperations.cpp:
2238         * dfg/DFGOperations.h:
2239         * dfg/DFGThunks.cpp:
2240         (JSC::DFG::osrExitThunkGenerator):
2241         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
2242         * dfg/DFGThunks.h:
2243         * jit/AssemblyHelpers.cpp:
2244         (JSC::AssemblyHelpers::debugCall): Deleted.
2245         * jit/AssemblyHelpers.h:
2246         * jit/JITOperations.cpp:
2247         * jit/JITOperations.h:
2248         * profiler/ProfilerOSRExit.h:
2249         (JSC::Profiler::OSRExit::incCount):
2250         * runtime/JSCJSValue.h:
2251         * runtime/JSCJSValueInlines.h:
2252         * runtime/VM.h:
2253
2254 2017-09-07  Michael Saboff  <msaboff@apple.com>
2255
2256         Add support for RegExp named capture groups
2257         https://bugs.webkit.org/show_bug.cgi?id=176435
2258
2259         Reviewed by Filip Pizlo.
2260
2261         Added parsing both for naming a captured parenthesis and for using a named group in
2262         a back reference.  Also added support for using named groups with String.prototype.replace().
2263
2264         This patch does not throw Syntax Errors as described in the current spec text for the two
2265         cases of malformed back references in String.prototype.replace() as I believe that it
2266         is inconsistent with the current semantics for handling of other malformed replacement
2267         tokens.  I filed an issue for the requested change to the proposed spec and also filed
2268         a FIXME bug https://bugs.webkit.org/show_bug.cgi?id=176434.
2269
2270         This patch does not implement strength reduction in the optimizing JITs for named capture
2271         groups.  Filed https://bugs.webkit.org/show_bug.cgi?id=176464.
2272
2273         * dfg/DFGAbstractInterpreterInlines.h:
2274         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2275         * dfg/DFGStrengthReductionPhase.cpp:
2276         (JSC::DFG::StrengthReductionPhase::handleNode):
2277         * runtime/CommonIdentifiers.h:
2278         * runtime/JSGlobalObject.cpp:
2279         (JSC::JSGlobalObject::init):
2280         (JSC::JSGlobalObject::haveABadTime):
2281         * runtime/JSGlobalObject.h:
2282         (JSC::JSGlobalObject::regExpMatchesArrayWithGroupsStructure const):
2283         * runtime/RegExp.cpp:
2284         (JSC::RegExp::finishCreation):
2285         * runtime/RegExp.h:
2286         * runtime/RegExpMatchesArray.cpp:
2287         (JSC::createStructureImpl):
2288         (JSC::createRegExpMatchesArrayWithGroupsStructure):
2289         (JSC::createRegExpMatchesArrayWithGroupsSlowPutStructure):
2290         * runtime/RegExpMatchesArray.h:
2291         (JSC::createRegExpMatchesArray):
2292         * runtime/StringPrototype.cpp:
2293         (JSC::substituteBackreferencesSlow):
2294         (JSC::replaceUsingRegExpSearch):
2295         * yarr/YarrParser.h:
2296         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
2297         (JSC::Yarr::Parser::parseEscape):
2298         (JSC::Yarr::Parser::parseParenthesesBegin):
2299         (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
2300         (JSC::Yarr::Parser::tryConsumeIdentifierCharacter):
2301         (JSC::Yarr::Parser::isIdentifierStart):
2302         (JSC::Yarr::Parser::isIdentifierPart):
2303         (JSC::Yarr::Parser::tryConsumeGroupName):
2304         * yarr/YarrPattern.cpp:
2305         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
2306         (JSC::Yarr::YarrPatternConstructor::atomNamedBackReference):
2307         (JSC::Yarr::YarrPattern::errorMessage):
2308         * yarr/YarrPattern.h:
2309         (JSC::Yarr::YarrPattern::reset):
2310         * yarr/YarrSyntaxChecker.cpp:
2311         (JSC::Yarr::SyntaxChecker::atomParenthesesSubpatternBegin):
2312         (JSC::Yarr::SyntaxChecker::atomNamedBackReference):
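
        As an added example (not part of this ChangeLog or of WebKit's code), the
        named-group syntax this entry implements, exercised from JavaScript:
        (?<name>...) groups, \k<name> back references, the match's groups object,
        and $<name> tokens in String.prototype.replace(), including how the
        finalized specification treats the malformed replacement tokens mentioned
        above (kept literal or substituted as empty rather than throwing). The date
        and quote patterns and the sample strings are constructed for the example.

```javascript
// Added example, not WebKit code: exercising RegExp named capture groups.
// The patterns and sample strings below are constructed for illustration.

// ISO date with the parts exposed by name instead of by index.
const isoDate = /^(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})$/u;

// Returns { year, month, day } for a well-formed ISO date, or null.
function parseIsoDate(text) {
  const m = isoDate.exec(text);
  if (m === null) return null;
  // m.groups is created with a null prototype, so a group named
  // "constructor" or "__proto__" cannot collide with inherited properties.
  return { year: m.groups.year, month: m.groups.month, day: m.groups.day };
}

// \k<name> must match exactly what the named group captured: the opening
// and closing quote characters have to be the same one.
const quoted = /^(?<q>["'])(?<body>.*?)\k<q>$/u;

// Returns the text inside matching quotes, or null when the quotes differ.
function unquote(text) {
  const m = quoted.exec(text);
  return m === null ? null : m.groups.body;
}

// Group names are validated when the RegExp is constructed: \k<b> with no
// group named b, or two groups with the same name in one alternative, are
// early SyntaxErrors rather than runtime surprises.
function isValidPattern(source) {
  try {
    new RegExp(source, 'u');
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// $<name> in a replacement string refers to a named group. The finalized
// specification handles malformed tokens without throwing: an unknown name
// substitutes the empty string, an unterminated "$<" stays literal, and
// "$<" is always literal when the pattern has no named groups at all.
function replaceExamples(text) {
  return {
    reordered: text.replace(isoDate, '$<month>/$<day>/$<year>'),
    unknownGroup: text.replace(isoDate, '[$<nope>]'),
    unterminated: text.replace(isoDate, '$<year'),
    noNamedGroups: text.replace(/\d{4}/u, '$<year>'),
  };
}
```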
2313
2314 2017-09-07  Myles C. Maxfield  <mmaxfield@apple.com>
2315
2316         [PAL] Unify PlatformUserPreferredLanguages.h with Language.h
2317         https://bugs.webkit.org/show_bug.cgi?id=176561
2318
2319         Reviewed by Brent Fulgham.
2320
2321         * runtime/IntlObject.cpp:
2322         (JSC::defaultLocale):
2323
2324 2017-09-07  Joseph Pecoraro  <pecoraro@apple.com>
2325
2326         Augmented Inspector: Provide a way to inspect a DOM Node (DOM.inspect)
2327         https://bugs.webkit.org/show_bug.cgi?id=176563
2328         <rdar://problem/19639583>
2329
2330         Reviewed by Matt Baker.
2331
2332         * inspector/protocol/DOM.json:
2333         Add an event that is useful for augmented inspectors to inspect
2334         a node. Web pages will still prefer Inspector.inspect.
2335
2336 2017-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2337
2338         [JSC] Remove "malloc" and "free" from JSC/API
2339         https://bugs.webkit.org/show_bug.cgi?id=176331
2340
2341         Reviewed by Keith Miller.
2342
2343         Remove "malloc" and "free" manual calls in JSC/API.
2344
2345         * API/JSValue.mm:
2346         (createStructHandlerMap):
2347         * API/JSWrapperMap.mm:
2348         (parsePropertyAttributes):
2349         (makeSetterName):
2350         (copyPrototypeProperties):
2351         Use RetainPtr<NSString> to keep NSString. We avoid repeated "char*" to "NSString" conversion.
2352
2353         * API/ObjcRuntimeExtras.h:
2354         (adoptSystem):
2355         Add adoptSystem to automate calling system free().
2356
2357         (protocolImplementsProtocol):
2358         (forEachProtocolImplementingProtocol):
2359         (forEachMethodInClass):
2360         (forEachMethodInProtocol):
2361         (forEachPropertyInProtocol):
2362         (StringRange::StringRange):
2363         (StringRange::operator const char* const):
2364         (StringRange::get const):
2365         Use CString for backend.
2366
2367         (StructBuffer::StructBuffer):
2368         (StructBuffer::~StructBuffer):
2369         (StringRange::~StringRange): Deleted.
2370         Use fastAlignedMalloc/fastAlignedFree to get aligned memory.
2371
2372 2017-09-06  Mark Lam  <mark.lam@apple.com>
2373
2374         constructGenericTypedArrayViewWithArguments() is missing an exception check.
2375         https://bugs.webkit.org/show_bug.cgi?id=176485
2376         <rdar://problem/33898874>
2377
2378         Reviewed by Keith Miller.
2379
2380         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2381         (JSC::constructGenericTypedArrayViewWithArguments):
2382
2383 2017-09-06  Saam Barati  <sbarati@apple.com>
2384
2385         Air should have a Vector of prologue generators instead of a HashMap representing an optional prologue generator
2386         https://bugs.webkit.org/show_bug.cgi?id=176346
2387
2388         Reviewed by Mark Lam.
2389
2390         * b3/B3Procedure.cpp:
2391         (JSC::B3::Procedure::Procedure):
2392         (JSC::B3::Procedure::setNumEntrypoints):
2393         * b3/B3Procedure.h:
2394         (JSC::B3::Procedure::setNumEntrypoints): Deleted.
2395         * b3/air/AirCode.cpp:
2396         (JSC::B3::Air::defaultPrologueGenerator):
2397         (JSC::B3::Air::Code::Code):
2398         (JSC::B3::Air::Code::setNumEntrypoints):
2399         * b3/air/AirCode.h:
2400         (JSC::B3::Air::Code::setPrologueForEntrypoint):
2401         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
2402         (JSC::B3::Air::Code::setEntrypoints):
2403         (JSC::B3::Air::Code::setEntrypointLabels):
2404         * b3/air/AirGenerate.cpp:
2405         (JSC::B3::Air::generate):
2406         * ftl/FTLLowerDFGToB3.cpp:
2407         (JSC::FTL::DFG::LowerDFGToB3::lower):
2408
2409 2017-09-06  Saam Barati  <sbarati@apple.com>
2410
2411         ASSERTION FAILED: op() == CheckStructure in Source/JavaScriptCore/dfg/DFGNode.h(443)
2412         https://bugs.webkit.org/show_bug.cgi?id=176470
2413
2414         Reviewed by Mark Lam.
2415
2416         Update Node::convertToCheckStructureImmediate's assertion to allow
2417         the node to either be a CheckStructure or CheckStructureOrEmpty.
2418
2419         * dfg/DFGNode.h:
2420         (JSC::DFG::Node::convertToCheckStructureImmediate):
2421
2422 2017-09-05  Saam Barati  <sbarati@apple.com>
2423
2424         isNotCellSpeculation is wrong with respect to SpecEmpty
2425         https://bugs.webkit.org/show_bug.cgi?id=176429
2426
2427         Reviewed by Michael Saboff.
2428
2429         The isNotCellSpeculation(SpeculatedType t) function was not taking into account
2430         SpecEmpty in the set for t. It should return false when SpecEmpty is present, since
2431         the empty value will fail a NotCell check. This bug would cause us to erroneously
2432         generate NotCellUse UseKinds for inputs that are the empty value, causing repeated OSR exits.
2433
2434         * bytecode/SpeculatedType.h:
2435         (JSC::isNotCellSpeculation):
2436
2437 2017-09-05  Saam Barati  <sbarati@apple.com>
2438
2439         Make the distinction between entrypoints and CFG roots more clear by naming things better
2440         https://bugs.webkit.org/show_bug.cgi?id=176336
2441
2442         Reviewed by Mark Lam and Keith Miller and Michael Saboff.
2443
2444         This patch does renaming to make the distinction between Graph::m_entrypoints
2445         and Graph::m_numberOfEntrypoints more clear. The source of confusion is that
2446         Graph::m_entrypoints.size() is not equivalent to Graph::m_numberOfEntrypoints.
2447         Graph::m_entrypoints is really just the CFG roots. In CPS, this vector has
2448         size >= 1. In SSA, the size is always 1. This patch renames Graph::m_entrypoints
2449         to Graph::m_roots. To be consistent, this patch also renames Graph's m_entrypointToArguments
2450         field to m_rootToArguments.
2451         
2452         Graph::m_numberOfEntrypoints retains its name. This field is only used in SSA
2453         when compiling with EntrySwitch. It represents the logical number of entrypoints
2454         the compilation will end up with. Each EntrySwitch has m_numberOfEntrypoints
2455         cases.
2456
2457         * dfg/DFGByteCodeParser.cpp:
2458         (JSC::DFG::ByteCodeParser::parseBlock):
2459         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2460         * dfg/DFGCFG.h:
2461         (JSC::DFG::CFG::roots):
2462         (JSC::DFG::CPSCFG::CPSCFG):
2463         * dfg/DFGCPSRethreadingPhase.cpp:
2464         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
2465         * dfg/DFGDCEPhase.cpp:
2466         (JSC::DFG::DCEPhase::run):
2467         * dfg/DFGGraph.cpp:
2468         (JSC::DFG::Graph::dump):
2469         (JSC::DFG::Graph::determineReachability):
2470         (JSC::DFG::Graph::blocksInPreOrder):
2471         (JSC::DFG::Graph::blocksInPostOrder):
2472         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2473         * dfg/DFGGraph.h:
2474         (JSC::DFG::Graph::isRoot):
2475         (JSC::DFG::Graph::isEntrypoint): Deleted.
2476         * dfg/DFGInPlaceAbstractState.cpp:
2477         (JSC::DFG::InPlaceAbstractState::initialize):
2478         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2479         (JSC::DFG::createPreHeader):
2480         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2481         (JSC::DFG::MaximalFlushInsertionPhase::run):
2482         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2483         * dfg/DFGOSREntrypointCreationPhase.cpp:
2484         (JSC::DFG::OSREntrypointCreationPhase::run):
2485         * dfg/DFGPredictionInjectionPhase.cpp:
2486         (JSC::DFG::PredictionInjectionPhase::run):
2487         * dfg/DFGSSAConversionPhase.cpp:
2488         (JSC::DFG::SSAConversionPhase::run):
2489         * dfg/DFGSpeculativeJIT.cpp:
2490         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
2491         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2492         * dfg/DFGTypeCheckHoistingPhase.cpp:
2493         (JSC::DFG::TypeCheckHoistingPhase::run):
2494         * dfg/DFGValidate.cpp:
2495
2496 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
2497
2498         test262: Completion values for control flow do not match the spec
2499         https://bugs.webkit.org/show_bug.cgi?id=171265
2500
2501         Reviewed by Saam Barati.
2502
2503         * bytecompiler/BytecodeGenerator.h:
2504         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
2505         When we care about having proper completion values (global code
2506         in programs, modules, and eval), insert undefined results for
2507         control flow statements.
2508
2509         * bytecompiler/NodesCodegen.cpp:
2510         (JSC::SourceElements::emitBytecode):
2511         Reduce writing a default `undefined` value to the completion result to
2512         only once before the last statement we know will produce a value.
2513
2514         (JSC::IfElseNode::emitBytecode):
2515         (JSC::WithNode::emitBytecode):
2516         (JSC::WhileNode::emitBytecode):
2517         (JSC::ForNode::emitBytecode):
2518         (JSC::ForInNode::emitBytecode):
2519         (JSC::ForOfNode::emitBytecode):
2520         (JSC::SwitchNode::emitBytecode):
2521         Insert an undefined to handle cases where code may break out of an
2522         if/else or with statement (break/continue).
2523
2524         (JSC::TryNode::emitBytecode):
2525         Same handling for break cases. Also, finally block statement completion
2526         values are always ignored for the try statement result.
2527
2528         (JSC::ClassDeclNode::emitBytecode):
2529         Class declarations, like function declarations, produce an empty result.
2530
2531         * parser/Nodes.cpp:
2532         (JSC::SourceElements::lastStatement):
2533         (JSC::SourceElements::hasCompletionValue):
2534         (JSC::SourceElements::hasEarlyBreakOrContinue):
2535         (JSC::BlockNode::lastStatement):
2536         (JSC::BlockNode::singleStatement):
2537         (JSC::BlockNode::hasCompletionValue):
2538         (JSC::BlockNode::hasEarlyBreakOrContinue):
2539         (JSC::ScopeNode::singleStatement):
2540         (JSC::ScopeNode::hasCompletionValue):
2541         (JSC::ScopeNode::hasEarlyBreakOrContinue):
2542         The only non-trivial cases need to loop through their list of statements
2543         to determine if this has a completion value or not. Likewise for
2544         determining if there is an early break / continue, meaning a break or
2545         continue statement with no preceding statement that has a completion value.
2546
2547         * parser/Nodes.h:
2548         (JSC::StatementNode::next):
2549         (JSC::StatementNode::hasCompletionValue):
2550         Helper to check if a statement node produces a completion value or not.
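
        To see the completion-value rules this entry makes the bytecode generator
        honour, here is an added example (not from this ChangeLog or from WebKit)
        that evaluates small programs through indirect eval, whose return value is
        the program's completion value, and compares them with what the
        specification requires for the statement kinds listed above. The sample
        programs are constructed for the example.

```javascript
// Added example, not WebKit code: observing ECMAScript completion values of
// control-flow statements. eval() returns the completion value of the
// program it evaluates, so each constructed program below starts with the
// expression statement `1;` and then checks whether the following statement
// overrides that value (undefined), keeps it (empty completion), or
// replaces it with its own.

// Each case: [program source, completion value required by the spec].
const CASES = [
  // An if statement completes with undefined, overriding the earlier 1.
  ['1; if (true) {}', undefined],
  // Loops, including ones whose body never runs, also complete with undefined.
  ['1; while (false) {}', undefined],
  ['1; for (var i = 0; i < 0; i++) {}', undefined],
  // A break leaves the loop with an undefined completion, not the 1.
  ['1; do { break; } while (false)', undefined],
  ['1; switch (0) { case 0: }', undefined],
  // try/finally: the finally block's value is ignored; the try body's wins.
  ['1; try { 2 } finally { 3 }', 2],
  ['1; try {} finally { 3 }', undefined],
  // Function and class declarations produce an empty completion, so 1 survives.
  ['1; function f() {}', 1],
  ['1; class C {}', 1],
  // An empty block is also empty, so 1 survives.
  ['1; {}', 1],
  // A later statement with a value is the program's value.
  ['if (true) {} 2;', 2],
];

// Indirect eval evaluates the source as a global-code Program rather than
// in this function's scope; its return value is that program's completion.
const indirectEval = eval;

function completionValue(source) {
  return indirectEval(source);
}

// Runs every case and returns the ones where the host engine disagrees
// with the specification (an empty array means full agreement).
function checkEngine() {
  const mismatches = [];
  for (const [source, expected] of CASES) {
    const actual = completionValue(source);
    if (actual !== expected) mismatches.push({ source, expected, actual });
  }
  return mismatches;
}
```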
2551
2552 2017-09-04  Saam Barati  <sbarati@apple.com>
2553
2554         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
2555         https://bugs.webkit.org/show_bug.cgi?id=176317
2556
2557         Reviewed by Keith Miller.
2558
2559         It turns out that TypeCheckHoistingPhase may hoist a CheckStructure up to 
2560         the SetLocal of a particular value where the value is the empty JSValue.
2561         On 64-bit platforms, the empty value is zero. This means that the empty value
2562         passes a cell check. This will lead to a crash when we dereference null to load
2563         the value's structure. This patch teaches TypeCheckHoistingPhase to be conservative
2564         in the structure checks it hoists. On 64-bit platforms, instead of emitting a
2565         CheckStructure node, we now emit a CheckStructureOrEmpty node. This node allows
2566         the empty value to flow through. If the value isn't empty, it'll perform the normal
2567         structure check that CheckStructure performs. For now, we only emit CheckStructureOrEmpty
2568         on 64-bit platforms since a cell check on 32-bit platforms does not allow the empty
2569         value to flow through.
2570
2571         * dfg/DFGAbstractInterpreterInlines.h:
2572         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2573         * dfg/DFGArgumentsEliminationPhase.cpp:
2574         * dfg/DFGClobberize.h:
2575         (JSC::DFG::clobberize):
2576         * dfg/DFGConstantFoldingPhase.cpp:
2577         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2578         * dfg/DFGDoesGC.cpp:
2579         (JSC::DFG::doesGC):
2580         * dfg/DFGFixupPhase.cpp:
2581         (JSC::DFG::FixupPhase::fixupNode):
2582         * dfg/DFGNode.h:
2583         (JSC::DFG::Node::convertCheckStructureOrEmptyToCheckStructure):
2584         (JSC::DFG::Node::hasStructureSet):
2585         * dfg/DFGNodeType.h:
2586         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2587         * dfg/DFGPredictionPropagationPhase.cpp:
2588         * dfg/DFGSafeToExecute.h:
2589         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
2590         (JSC::DFG::SafeToExecuteEdge::operator()):
2591         (JSC::DFG::SafeToExecuteEdge::maySeeEmptyChild):
2592         (JSC::DFG::safeToExecute):
2593         * dfg/DFGSpeculativeJIT.cpp:
2594         (JSC::DFG::SpeculativeJIT::emitStructureCheck):
2595         (JSC::DFG::SpeculativeJIT::compileCheckStructure):
2596         * dfg/DFGSpeculativeJIT.h:
2597         * dfg/DFGSpeculativeJIT32_64.cpp:
2598         (JSC::DFG::SpeculativeJIT::compile):
2599         * dfg/DFGSpeculativeJIT64.cpp:
2600         (JSC::DFG::SpeculativeJIT::compile):
2601         * dfg/DFGTypeCheckHoistingPhase.cpp:
2602         (JSC::DFG::TypeCheckHoistingPhase::run):
2603         * dfg/DFGValidate.cpp:
2604         * ftl/FTLCapabilities.cpp:
2605         (JSC::FTL::canCompile):
2606         * ftl/FTLLowerDFGToB3.cpp:
2607         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2608         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureOrEmpty):
2609
2610 2017-09-04  Saam Barati  <sbarati@apple.com>
2611
2612         Support compiling catch in the FTL
2613         https://bugs.webkit.org/show_bug.cgi?id=175396
2614
2615         Reviewed by Filip Pizlo.
2616
2617         This patch implements op_catch in the FTL. It extends the DFG implementation
2618         by supporting multiple entrypoints in DFG-SSA. This patch implements this
2619         by introducing an EntrySwitch node. When converting to SSA, we introduce a new
2620         root block with an EntrySwitch that has the previous DFG entrypoints as its
2621         successors. By convention, we pick the zeroth entry point index to be the
2622         op_enter entrypoint. Like in B3, in DFG-SSA, EntrySwitch just acts like a
2623         switch over the entrypoint index argument. DFG::EntrySwitch in the FTL
2624         simply lowers to B3::EntrySwitch. The EntrySwitch in the root block that
2625         SSAConversion creates cannot exit because we would not know where to exit
2626         to in the program: we would not have valid OSR exit state. This design also
2627         mandates that anything we hoist above EntrySwitch in the new root block
2628         can not exit since they also do not have valid OSR exit state.
2629         
2630         This patch also adds a new metadata node named InitializeEntrypointArguments.
2631         InitializeEntrypointArguments is a metadata node that initializes the flush format for
2632         the arguments at a given entrypoint. For a given entrypoint index, this node
2633         tells AI and OSRAvailabilityAnalysis what the flush format for each argument
2634         is. This allows each individual entrypoint to have an independent set of
2635         argument types. Currently, this won't happen in practice because ArgumentPosition
2636         unifies flush formats, but this is an implementation detail we probably want
2637         to modify in the future. SSAConversion will add InitializeEntrypointArguments
2638         to the beginning of each of the original DFG entrypoint blocks.
2639         
2640         This patch also adds the ability to specify custom prologue code generators in Air.
2641         This allows the FTL to specify a custom prologue for catch entrypoints that
2642         matches the op_catch OSR entry calling convention that the DFG uses. This way,
2643         the baseline JIT code OSR enters into op_catch the same way both in the DFG
2644         and the FTL. In the future, we can use this same mechanism to perform stack
2645         overflow checks instead of using a patchpoint.
2646
2647         * b3/air/AirCode.cpp:
2648         (JSC::B3::Air::Code::isEntrypoint):
2649         (JSC::B3::Air::Code::entrypointIndex):
2650         * b3/air/AirCode.h:
2651         (JSC::B3::Air::Code::setPrologueForEntrypoint):
2652         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
2653         * b3/air/AirGenerate.cpp:
2654         (JSC::B3::Air::generate):
2655         * dfg/DFGAbstractInterpreterInlines.h:
2656         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2657         * dfg/DFGBasicBlock.h:
2658         * dfg/DFGByteCodeParser.cpp:
2659         (JSC::DFG::ByteCodeParser::parseBlock):
2660         (JSC::DFG::ByteCodeParser::parse):
2661         * dfg/DFGCFG.h:
2662         (JSC::DFG::selectCFG):
2663         * dfg/DFGClobberize.h:
2664         (JSC::DFG::clobberize):
2665         * dfg/DFGClobbersExitState.cpp:
2666         (JSC::DFG::clobbersExitState):
2667         * dfg/DFGCommonData.cpp:
2668         (JSC::DFG::CommonData::shrinkToFit):
2669         (JSC::DFG::CommonData::finalizeCatchEntrypoints):
2670         * dfg/DFGCommonData.h:
2671         (JSC::DFG::CommonData::catchOSREntryDataForBytecodeIndex):
2672         (JSC::DFG::CommonData::appendCatchEntrypoint):
2673         * dfg/DFGDoesGC.cpp:
2674         (JSC::DFG::doesGC):
2675         * dfg/DFGFixupPhase.cpp:
2676         (JSC::DFG::FixupPhase::fixupNode):
2677         * dfg/DFGGraph.cpp:
2678         (JSC::DFG::Graph::dump):
2679         (JSC::DFG::Graph::invalidateCFG):
2680         (JSC::DFG::Graph::ensureCPSCFG):
2681         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2682         * dfg/DFGGraph.h:
2683         (JSC::DFG::Graph::isEntrypoint):
2684         * dfg/DFGInPlaceAbstractState.cpp:
2685         (JSC::DFG::InPlaceAbstractState::initialize):
2686         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
2687         * dfg/DFGJITCode.cpp:
2688         (JSC::DFG::JITCode::shrinkToFit):
2689         (JSC::DFG::JITCode::finalizeOSREntrypoints):
2690         * dfg/DFGJITCode.h:
2691         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex): Deleted.
2692         (JSC::DFG::JITCode::appendCatchEntrypoint): Deleted.
2693         * dfg/DFGJITCompiler.cpp:
2694         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
2695         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
2696         * dfg/DFGMayExit.cpp:
2697         * dfg/DFGNode.h:
2698         (JSC::DFG::Node::isEntrySwitch):
2699         (JSC::DFG::Node::isTerminal):
2700         (JSC::DFG::Node::entrySwitchData):
2701         (JSC::DFG::Node::numSuccessors):
2702         (JSC::DFG::Node::successor):
2703         (JSC::DFG::Node::entrypointIndex):
2704         * dfg/DFGNodeType.h:
2705         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2706         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2707         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2708         * dfg/DFGOSREntry.cpp:
2709         (JSC::DFG::prepareCatchOSREntry):
2710         * dfg/DFGOSREntry.h:
2711         * dfg/DFGOSREntrypointCreationPhase.cpp:
2712         (JSC::DFG::OSREntrypointCreationPhase::run):
2713         * dfg/DFGPredictionPropagationPhase.cpp:
2714         * dfg/DFGSSAConversionPhase.cpp:
2715         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
2716         (JSC::DFG::SSAConversionPhase::run):
2717         * dfg/DFGSafeToExecute.h:
2718         (JSC::DFG::safeToExecute):
2719         * dfg/DFGSpeculativeJIT.cpp:
2720         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2721         * dfg/DFGSpeculativeJIT32_64.cpp:
2722         (JSC::DFG::SpeculativeJIT::compile):
2723         * dfg/DFGSpeculativeJIT64.cpp:
2724         (JSC::DFG::SpeculativeJIT::compile):
2725         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
2726         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
2727         * dfg/DFGValidate.cpp:
2728         * ftl/FTLCapabilities.cpp:
2729         (JSC::FTL::canCompile):
2730         * ftl/FTLCompile.cpp:
2731         (JSC::FTL::compile):
2732         * ftl/FTLLowerDFGToB3.cpp:
2733         (JSC::FTL::DFG::LowerDFGToB3::lower):
2734         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2735         (JSC::FTL::DFG::LowerDFGToB3::compileExtractCatchLocal):
2736         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
2737         (JSC::FTL::DFG::LowerDFGToB3::compileEntrySwitch):
2738         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2739         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):
2740         (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
2741         (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
2742         * ftl/FTLOutput.cpp:
2743         (JSC::FTL::Output::entrySwitch):
2744         * ftl/FTLOutput.h:
2745         * jit/JITOperations.cpp:
2746
2747 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2748
2749         [DFG][FTL] Efficiently execute number#toString()
2750         https://bugs.webkit.org/show_bug.cgi?id=170007
2751
2752         Reviewed by Keith Miller.
2753
2754         In JS, the natural way to convert a number to a string with a radix is `number.toString(radix)`.
2755         However, our IC only cares about cells. If the base value is a number, it always goes to the slow path.
2756
2757         While extending our IC for number and boolean, the most meaningful use of this IC is calling `number.toString(radix)`.
2758         So, in this patch, we first add a fast path for this in DFG by using a watchpoint. We set up a watchpoint for
2759         Number.prototype.toString. If this watchpoint is kept alive and GetById(base, "toString")'s base should be
2760         speculated as Number, we emit Number related Checks and convert GetById to a Number.prototype.toString constant.
2761         It removes the costly GetById slow path and makes it a non-clobbering node (JSConstant).
2762
2763         In addition, we add a NumberToStringWithValidRadixConstant node. We have a NumberToStringWithRadix node, but it may
2764         throw an error if the radix value is invalid (for example, number.toString(2000)). So its clobbering rule
2765         conservatively uses read(World)/write(Heap). But in reality, `number.toString` is mostly called with a constant
2766         radix, and we can easily figure out that this radix is valid (2 <= radix && radix < 32).
2767         We add a rule to the constant folding phase to convert NumberToStringWithRadix to NumberToStringWithValidRadixConstant.
2768         It ensures that it has a valid constant radix. And we relax our clobbering rule for NumberToStringWithValidRadixConstant.
2769
2770         Added microbenchmarks show performance improvement.
2771
2772                                                       baseline                  patched
2773
2774         number-to-string-with-radix-cse           43.8312+-1.3017     ^      7.4930+-0.5105        ^ definitely 5.8496x faster
2775         number-to-string-with-radix-10             7.2775+-0.5225     ^      2.1906+-0.1864        ^ definitely 3.3222x faster
2776         number-to-string-with-radix               39.7378+-1.4921     ^     16.6137+-0.7776        ^ definitely 2.3919x faster
2777         number-to-string-strength-reduction       94.9667+-2.7157     ^      9.3060+-0.7202        ^ definitely 10.2049x faster
2778
2779         * dfg/DFGAbstractInterpreterInlines.h:
2780         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2781         * dfg/DFGClobberize.h:
2782         (JSC::DFG::clobberize):
2783         * dfg/DFGConstantFoldingPhase.cpp:
2784         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2785         * dfg/DFGDoesGC.cpp:
2786         (JSC::DFG::doesGC):
2787         * dfg/DFGFixupPhase.cpp:
2788         (JSC::DFG::FixupPhase::fixupNode):
2789         * dfg/DFGGraph.h:
2790         (JSC::DFG::Graph::isWatchingGlobalObjectWatchpoint):
2791         (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
2792         (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint):
2793         * dfg/DFGNode.h:
2794         (JSC::DFG::Node::convertToNumberToStringWithValidRadixConstant):
2795         (JSC::DFG::Node::hasValidRadixConstant):
2796         (JSC::DFG::Node::validRadixConstant):
2797         * dfg/DFGNodeType.h:
2798         * dfg/DFGPredictionPropagationPhase.cpp:
2799         * dfg/DFGSafeToExecute.h:
2800         (JSC::DFG::safeToExecute):
2801         * dfg/DFGSpeculativeJIT.cpp:
2802         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor):
2803         (JSC::DFG::SpeculativeJIT::compileNumberToStringWithValidRadixConstant):
2804         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnNumber): Deleted.
2805         * dfg/DFGSpeculativeJIT.h:
2806         * dfg/DFGSpeculativeJIT32_64.cpp:
2807         (JSC::DFG::SpeculativeJIT::compile):
2808         * dfg/DFGSpeculativeJIT64.cpp:
2809         (JSC::DFG::SpeculativeJIT::compile):
2810         * dfg/DFGStrengthReductionPhase.cpp:
2811         (JSC::DFG::StrengthReductionPhase::handleNode):
2812         * ftl/FTLCapabilities.cpp:
2813         (JSC::FTL::canCompile):
2814         * ftl/FTLLowerDFGToB3.cpp:
2815         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2816         (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
2817         * runtime/JSGlobalObject.cpp:
2818         (JSC::JSGlobalObject::JSGlobalObject):
2819         (JSC::JSGlobalObject::init):
2820         (JSC::JSGlobalObject::visitChildren):
2821         * runtime/JSGlobalObject.h:
2822         (JSC::JSGlobalObject::numberToStringWatchpoint):
2823         (JSC::JSGlobalObject::numberProtoToStringFunction const):
2824         * runtime/NumberPrototype.cpp:
2825         (JSC::NumberPrototype::finishCreation):
2826         (JSC::toStringWithRadixInternal):
2827         (JSC::toStringWithRadix):
2828         (JSC::int32ToStringInternal):
2829         (JSC::numberToStringInternal):
2830         * runtime/NumberPrototype.h:
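
The two invariants that the fast path above depends on can be probed from plain script. The following is an added example, not WebKit or JavaScriptCore code: it finds the radix range for which `Number.prototype.toString` does not throw (the only range a constant radix may be folded to), and it checks that a hot call site still observes a replacement of `Number.prototype.toString`, which is what the watchpoint has to guarantee. The function names (`validRadixRange`, `hexOf`, `checkPrototypeOverrideIsObserved`) and the iteration count are this example's own choices; it runs in any ECMAScript engine, so it is useful as a regression check against an engine build rather than as a description of JSC internals.

```javascript
// Added example (not WebKit code): probes the two invariants a
// watchpoint-based fast path for number.toString(radix) must preserve,
// using only observable JavaScript behaviour.

// 1. Which radix values are valid for Number.prototype.toString? A call with
//    a constant radix may only be folded into a non-throwing node when the
//    radix lies inside this range; anything outside it must still throw a
//    RangeError at the call site.
function validRadixRange() {
  let min = null;
  let max = null;
  for (let radix = 0; radix <= 40; radix++) {   // constructed probe range
    try {
      (255).toString(radix);
      if (min === null) min = radix;
      max = radix;
    } catch (e) {
      if (!(e instanceof RangeError)) throw e;  // anything else is a bug
    }
  }
  return { min, max };
}

// 2. Replacing GetById(base, "toString") with the original
//    Number.prototype.toString is only sound while that property is
//    unmodified. Make a call site hot so a tiering JIT would have compiled it,
//    then override the prototype method and check the override is observed.
function hexOf(n) {
  return n.toString(16);
}

function checkPrototypeOverrideIsObserved(iterations = 100000) {
  for (let i = 0; i < iterations; i++) hexOf(i);   // warm-up: make hexOf hot
  const before = hexOf(255);                         // "ff"
  const original = Number.prototype.toString;
  Number.prototype.toString = function (radix) {
    return "patched:" + original.call(this, radix);
  };
  let after;
  try {
    after = hexOf(255);                              // must now be "patched:ff"
  } finally {
    Number.prototype.toString = original;            // always restore the built-in
  }
  return { before, after, restored: hexOf(255) };    // restored: "ff" again
}
```

If `after` ever comes back as `"ff"`, the engine kept using the folded constant after the prototype changed, which is exactly the class of optimisation bug the watchpoint exists to prevent.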
2831
2832 2017-09-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2833
2834         [DFG] Consider increasing the number of DFG worklist threads
2835         https://bugs.webkit.org/show_bug.cgi?id=176222
2836
2837         Reviewed by Saam Barati.
2838
2839         Attempt to add one more thread to the DFG worklist. The DFG compiler sometimes takes a
2840         very long time if the target function is very large. However, the DFG worklist
2841         has only one thread before this patch. Therefore, one function that takes
2842         too much time to be compiled can prevent the other functions from being
2843         compiled in DFG or upper tiers.
2844
2845         One example is Octane/zlib. In zlib, compiling the "a1" function in DFG takes a
2846         super long time (447 ms) because of the super large size of the function.
2847         While this function never gets compiled in FTL due to its large size,
2848         it can be compiled in DFG and takes a super long time. The subsequent "a8" function
2849         compilation in DFG is blocked by this "a1". As a consequence, the benchmark
2850         takes a very long time in a1/Baseline code, which is slower than DFG of course.
2851
2852         While FTL has a bit more threads, the DFG worklist has only one thread. This patch
2853         adds one more thread to the DFG worklist to alleviate the above situation. This
2854         change significantly improves Octane/zlib performance.
2855
2856                                     baseline                  patched
2857
2858         zlib           x2     482.32825+-6.07640    ^   408.66072+-14.03856      ^ definitely 1.1803x faster
2859
2860         * runtime/Options.h:
2861
2862 2017-09-04  Sam Weinig  <sam@webkit.org>
2863
2864         [WebIDL] Unify and simplify EnableBySettings with the rest of the runtime settings
2865         https://bugs.webkit.org/show_bug.cgi?id=176312
2866
2867         Reviewed by Darin Adler.
2868
2869         * runtime/CommonIdentifiers.h:
2870
2871             Remove WebCore specific identifiers from CommonIdentifiers. They have been moved
2872             to WebCoreBuiltinNames in WebCore.
2873
2874 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2875
2876         Remove "malloc" and "free" use
2877         https://bugs.webkit.org/show_bug.cgi?id=176310
2878
2879         Reviewed by Darin Adler.
2880
2881         Use Vector instead.
2882
2883         * API/JSWrapperMap.mm:
2884         (selectorToPropertyName):
2885
2886 2017-09-03  Darin Adler  <darin@apple.com>
2887
2888         Try to fix Windows build.
2889
2890         * runtime/JSGlobalObjectFunctions.cpp: #include <unicode/utf8.h>.
2891
2892 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2893
2894         [WTF] Add C++03 allocator interface for GCC < 6
2895         https://bugs.webkit.org/show_bug.cgi?id=176301
2896
2897         Reviewed by Darin Adler.
2898
2899         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2900
2901 2017-09-03  Chris Dumez  <cdumez@apple.com>
2902
2903         Unreviewed, rolling out r221555.
2904
2905         Did not fix Windows build
2906
2907         Reverted changeset:
2908
2909         "Unreviewed attempt to fix Windows build."
2910         http://trac.webkit.org/changeset/221555
2911
2912 2017-09-03  Chris Dumez  <cdumez@apple.com>
2913
2914         Unreviewed attempt to fix Windows build.
2915
2916         * runtime/JSGlobalObjectFunctions.cpp:
2917
2918 2017-09-03  Chris Dumez  <cdumez@apple.com>
2919
2920         Unreviewed, rolling out r221552.
2921
2922         Broke the build
2923
2924         Reverted changeset:
2925
2926         "[WTF] Add C++03 allocator interface for GCC < 6"
2927         https://bugs.webkit.org/show_bug.cgi?id=176301
2928         http://trac.webkit.org/changeset/221552
2929
2930 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2931
2932         [WTF] Add C++03 allocator interface for GCC < 6
2933         https://bugs.webkit.org/show_bug.cgi?id=176301
2934
2935         Reviewed by Darin Adler.
2936
2937         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2938
2939 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2940
2941         [JSC] Clean up BytecodeLivenessAnalysis
2942         https://bugs.webkit.org/show_bug.cgi?id=176295
2943
2944         Reviewed by Saam Barati.
2945
2946         Previously, computeDefsForBytecodeOffset was a bit customizable.
2947         This was used for the try-catch handler's liveness analysis. But after the
2948         careful generatorification implementation, it is no longer necessary.
2949         This patch drops this customizability.
2950
2951         * bytecode/BytecodeGeneratorification.cpp:
2952         (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
2953         (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
2954         * bytecode/BytecodeLivenessAnalysis.cpp:
2955         (JSC::BytecodeLivenessAnalysis::computeKills):
2956         (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
2957         (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
2958         * bytecode/BytecodeLivenessAnalysis.h:
2959         * bytecode/BytecodeLivenessAnalysisInlines.h:
2960         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
2961         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
2962         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
2963         (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
2964         (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
2965         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction): Deleted.
2966         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBytecodeOffset): Deleted.
2967         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBlock): Deleted.
2968         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::getLivenessInfoAtBytecodeOffset): Deleted.
2969         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint): Deleted.
2970
2971 2017-09-03  Sam Weinig  <sam@webkit.org>
2972
2973         Remove CanvasProxy
2974         https://bugs.webkit.org/show_bug.cgi?id=176288
2975
2976         Reviewed by Yusuke Suzuki.
2977
2978         CanvasProxy does not appear to be in any current HTML spec
2979         and was disabled and unimplemented in our tree. Time to 
2980         get rid of it.
2981
2982         * Configurations/FeatureDefines.xcconfig:
2983
2984 2017-09-02  Oliver Hunt  <oliver@apple.com>
2985
2986         Need an API to get the global context from JSObjectRef
2987         https://bugs.webkit.org/show_bug.cgi?id=176291
2988
2989         Reviewed by Saam Barati.
2990
2991         Very simple additional API, starting off as SPI on principle.
2992
2993         * API/JSObjectRef.cpp:
2994         (JSObjectGetGlobalContext):
2995         * API/JSObjectRefPrivate.h:
2996         * API/tests/testapi.c:
2997         (main):
2998
2999 2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3000
3001         [DFG] Relax arity requirement
3002         https://bugs.webkit.org/show_bug.cgi?id=175523
3003
3004         Reviewed by Saam Barati.
3005
3006         Our DFG pipeline gives up inlining when the arity of the target function is more than the number of the arguments.
3007         It effectively prevents us from inlining and optimizing functions that take some optional arguments in the
3008         pre-ES6 style.
3009
3010         This patch removes the above restriction by performing the arity fixup in DFG.
3011
3012         SixSpeed shows improvement when we can inline arity-mismatched functions. (For example, calling generator.next()).
3013
3014                                        baseline                  patched
3015
3016         defaults.es5             1232.1226+-20.6775    ^    442.3326+-26.1883       ^ definitely 2.7855x faster
3017         rest.es6                    5.3406+-0.8588     ^      3.5812+-0.5388        ^ definitely 1.4913x faster
3018         spread-generator.es6      320.9107+-12.4808         310.4295+-12.0047         might be 1.0338x faster
3019         generator.es6             318.3514+-9.6023     ^    286.4974+-12.6203       ^ definitely 1.1112x faster
3020
3021         * bytecode/InlineCallFrame.cpp:
3022         (JSC::InlineCallFrame::dumpInContext const):
3023         * bytecode/InlineCallFrame.h:
3024         (JSC::InlineCallFrame::InlineCallFrame):
3025         * dfg/DFGAbstractInterpreterInlines.h:
3026         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3027         * dfg/DFGArgumentsEliminationPhase.cpp:
3028         * dfg/DFGArgumentsUtilities.cpp:
3029         (JSC::DFG::argumentsInvolveStackSlot):
3030         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3031         * dfg/DFGByteCodeParser.cpp:
3032         (JSC::DFG::ByteCodeParser::setLocal):
3033         (JSC::DFG::ByteCodeParser::setArgument):
3034         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
3035         (JSC::DFG::ByteCodeParser::flush):
3036         (JSC::DFG::ByteCodeParser::getArgumentCount):
3037         (JSC::DFG::ByteCodeParser::inliningCost):
3038         (JSC::DFG::ByteCodeParser::inlineCall):
3039         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
3040         (JSC::DFG::ByteCodeParser::parseBlock):
3041         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3042         * dfg/DFGCommonData.cpp:
3043         (JSC::DFG::CommonData::validateReferences):
3044         * dfg/DFGConstantFoldingPhase.cpp:
3045         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3046         * dfg/DFGGraph.cpp:
3047         (JSC::DFG::Graph::isLiveInBytecode):
3048         * dfg/DFGGraph.h:
3049         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
3050         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3051         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3052         * dfg/DFGOSRExit.cpp:
3053         (JSC::DFG::OSRExit::emitRestoreArguments):
3054         * dfg/DFGOSRExitCompilerCommon.cpp:
3055         (JSC::DFG::reifyInlinedCallFrames):
3056         * dfg/DFGPreciseLocalClobberize.h:
3057         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
3058         * dfg/DFGSpeculativeJIT.cpp:
3059         (JSC::DFG::SpeculativeJIT::emitGetLength):
3060         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3061         * dfg/DFGStackLayoutPhase.cpp:
3062         (JSC::DFG::StackLayoutPhase::run):
3063         * ftl/FTLCompile.cpp:
3064         (JSC::FTL::compile):
3065         * ftl/FTLLowerDFGToB3.cpp:
3066         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
3067         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
3068         * ftl/FTLOperations.cpp:
3069         (JSC::FTL::operationMaterializeObjectInOSR):
3070         * interpreter/StackVisitor.cpp:
3071         (JSC::StackVisitor::readInlinedFrame):
3072         * jit/AssemblyHelpers.h:
3073         (JSC::AssemblyHelpers::argumentsStart):
3074         * jit/SetupVarargsFrame.cpp:
3075         (JSC::emitSetupVarargsFrameFastCase):
3076         * runtime/ClonedArguments.cpp:
3077         (JSC::ClonedArguments::createWithInlineFrame):
3078         * runtime/CommonSlowPaths.h:
3079         (JSC::CommonSlowPaths::numberOfExtraSlots):
3080         (JSC::CommonSlowPaths::numberOfStackPaddingSlots):
3081         (JSC::CommonSlowPaths::numberOfStackPaddingSlotsWithExtraSlots):
3082         (JSC::CommonSlowPaths::arityCheckFor):
3083         * runtime/StackAlignment.h:
3084         (JSC::stackAlignmentBytes):
3085         (JSC::stackAlignmentRegisters):
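
When a call passes fewer arguments than the callee declares, the engine has to pad the missing parameter slots with `undefined` and still report the real argument count, whether or not the call was inlined and the fixup moved into the DFG. The block below is an added example, not WebKit code: it runs such call sites hot enough that a tiering JIT would compile and inline them, then samples what the callee observes, including the `generator.next()` case the entry mentions. The callee names, the iteration count and the sample values are this example's own constructions.

```javascript
// Added example (not WebKit code): the observable contract an engine must
// keep when it inlines a call whose argument count is below the callee's
// arity, the pre-ES6 optional-argument style described in the entry above.

// Callee with arity 3 that is normally called with fewer arguments. It
// reports the padded parameter slots and the arguments object it sees.
function target(a, b, c) {
  return {
    argc: arguments.length,                  // real count, not the padded one
    b: b,
    c: c,
    padded: b === undefined && c === undefined,
  };
}

// Two call sites with a fixed, too-small argument count. They run enough
// times that a tiering JIT would compile and inline them, and the last
// iteration's results are returned for inspection.
function arityMismatchSamples(iterations = 100000) {
  let one;
  let two;
  for (let i = 0; i < iterations; i++) {
    one = target(i);                         // 1 of 3 arguments supplied
    two = target(i, "b");                    // 2 of 3 arguments supplied
  }
  return { one, two };
}

// The generator case: next(value) takes one parameter but is mostly called
// with none, and each yield must then evaluate to undefined, never to a
// stale value left in a padded stack slot.
function* echo() {
  const received = [];
  for (let i = 0; i < 3; i++) received.push(yield i);
  return received;
}

function generatorReceivedValues() {
  const g = echo();
  g.next();                 // runs to the first yield; its argument is discarded
  g.next();                 // no argument: first yield evaluates to undefined
  g.next("x");              // explicit argument: second yield sees "x"
  const last = g.next();    // third yield sees undefined; generator completes
  return last.value;        // [undefined, "x", undefined]
}
```

A padded slot that reads as anything other than `undefined`, or an `arguments.length` that reflects the callee's arity rather than the caller's count, would be a visible break of this contract and, in an engine, a stack-layout bug worth reporting.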
3086
3087 2017-09-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3088
3089         [FTL] FTL allocation for async Function is incorrect
3090         https://bugs.webkit.org/show_bug.cgi?id=176214
3091
3092         Reviewed by Saam Barati.
3093
3094         In FTL, allocating an async function / async generator function was incorrectly using
3095         JSFunction logic. While it is not observable right now since sizeof(JSFunction) == sizeof(JSAsyncFunction),
3096         it is a bug.
3097
3098         * ftl/FTLLowerDFGToB3.cpp:
3099         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
3100
3101 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3102
3103         [JSC] Fix "name" and "length" of Proxy revoke function
3104         https://bugs.webkit.org/show_bug.cgi?id=176155
3105
3106         Reviewed by Mark Lam.
3107
3108         ProxyRevoke's length should be configurable. And it does not have
3109         its own name. We add NameVisibility enum to InternalFunction to
3110         control visibility of the name.
3111
3112         * runtime/InternalFunction.cpp:
3113         (JSC::InternalFunction::finishCreation):
3114         * runtime/InternalFunction.h:
3115         * runtime/ProxyRevoke.cpp:
3116         (JSC::ProxyRevoke::finishCreation):
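
The `name` and `length` metadata of built-in functions is observable from script, so the fix above can be checked without reading engine source. The block below is an added example, not WebKit code: it describes a function's `name` and `length` the way a conformance test would (value, own-ness, configurability), applies that to the revoke function from `Proxy.revocable`, and goes one step beyond this entry by reading the names of built-in accessor getters, which the ECMAScript specification defines as `"get <key>"`. The helper names `functionMeta`, `revokeFunctionMeta` and `getterName` are this example's own.

```javascript
// Added example (not WebKit code): reads the "name" and "length" metadata of
// built-in functions from script, the surface that the ProxyRevoke change
// described in the entry above affects.

// Describe a function's "name" and "length" as a conformance test would:
// the value, whether "name" is an own property, and whether "length" is
// configurable.
function functionMeta(fn) {
  const nameDesc = Object.getOwnPropertyDescriptor(fn, "name");
  const lengthDesc = Object.getOwnPropertyDescriptor(fn, "length");
  return {
    name: fn.name,                          // falls back to the inherited "" when not own
    hasOwnName: nameDesc !== undefined,
    length: fn.length,
    lengthConfigurable: lengthDesc !== undefined && lengthDesc.configurable === true,
  };
}

// The revoke function returned by Proxy.revocable: length 0 and, whether the
// engine gives it an own "name" or lets it inherit one, a name that reads as "".
function revokeFunctionMeta() {
  const { revoke } = Proxy.revocable({}, {});   // constructed, empty proxy
  return functionMeta(revoke);
}

// Built-in accessors: the getter installed for a property such as
// Map.prototype.size or Array[Symbol.species] is named "get <key>", with a
// symbol key rendered as "[description]". Returns null for data properties.
function getterName(object, key) {
  const desc = Object.getOwnPropertyDescriptor(object, key);
  if (!desc || typeof desc.get !== "function") return null;
  return desc.get.name;
}
```

`lengthConfigurable` is the property this entry fixes for ProxyRevoke; `hasOwnName` is reported but not asserted on, since engines differ on whether anonymous built-ins carry an own empty `name` or inherit it.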
3117
3118 2017-08-31  Saam Barati  <sbarati@apple.com>
3119
3120         Throwing an exception in the DFG/FTL should not cause a jettison
3121         https://bugs.webkit.org/show_bug.cgi?id=176060
3122         <rdar://problem/34143348>
3123
3124         Reviewed by Keith Miller.
3125
3126         Throwing an exception is not something that should be a jettison-able
3127         OSR exit. We used to count Throw/ThrowStaticError towards our OSR exit
3128         counts which could cause a CodeBlock to jettison and recompile. This
3129         was dumb. Throwing an exception is not a reason to jettison and
3130         recompile in the way that a speculation failure is. This patch
3131         treats Throw/ThrowStaticError as true terminals in DFG IR.
3132
3133         * bytecode/BytecodeUseDef.h:
3134         (JSC::computeUsesForBytecodeOffset):
3135         * dfg/DFGAbstractInterpreterInlines.h:
3136         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3137         * dfg/DFGByteCodeParser.cpp:
3138         (JSC::DFG::ByteCodeParser::parseBlock):
3139         * dfg/DFGClobberize.h:
3140         (JSC::DFG::clobberize):
3141         * dfg/DFGFixupPhase.cpp:
3142         (JSC::DFG::FixupPhase::fixupNode):
3143         * dfg/DFGInPlaceAbstractState.cpp:
3144         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3145         * dfg/DFGNode.h:
3146         (JSC::DFG::Node::isTerminal):
3147         (JSC::DFG::Node::isPseudoTerminal):
3148         (JSC::DFG::Node::errorType):
3149         * dfg/DFGNodeType.h:
3150         * dfg/DFGOperations.cpp:
3151         * dfg/DFGOperations.h:
3152         * dfg/DFGPredictionPropagationPhase.cpp:
3153         * dfg/DFGSpeculativeJIT.cpp:
3154         (JSC::DFG::SpeculativeJIT::compileThrow):
3155         (JSC::DFG::SpeculativeJIT::compileThrowStaticError):
3156         * dfg/DFGSpeculativeJIT.h:
3157         (JSC::DFG::SpeculativeJIT::callOperation):
3158         * dfg/DFGSpeculativeJIT32_64.cpp:
3159         (JSC::DFG::SpeculativeJIT::compile):
3160         * dfg/DFGSpeculativeJIT64.cpp:
3161         (JSC::DFG::SpeculativeJIT::compile):
3162         * ftl/FTLLowerDFGToB3.cpp:
3163         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3164         (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
3165         (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError):
3166         * jit/JITOperations.h:
3167
3168 2017-08-31  Saam Barati  <sbarati@apple.com>
3169
3170         Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin
3171         https://bugs.webkit.org/show_bug.cgi?id=176206
3172
3173         Reviewed by Keith Miller.
3174
3175         Mark fixed the main issue in Graph::methodOfGettingAValueProfileFor in r208560
3176         when he fixed it from overwriting invalid parts of the ArithProfile when the
3177         currentNode and the operandNode are from the same bytecode. However, the
3178         mechanism used to determine same bytecode was comparing NodeOrigin. That's
3179         slightly wrong. We need to compare semantic origin, since two NodeOrigins can
3180         have the same semantic origin, but differ only in exitOK. For example,
3181         in the below IR, the DoubleRep and the Phi have the same semantic
3182         origin, but different NodeOrigins.
3183
3184         43 Phi(JS|PureInt, NonBoolInt32|NonIntAsdouble, W:SideState, bc#63, ExitInvalid)
3185         58 ExitOK(MustGen, W:SideState, bc#63)
3186         51 DoubleRep(Check:Number:Kill:@43, Double|PureInt, BytecodeDouble, Exits, bc#63)
3187         54 ArithNegate(DoubleRep:Kill:@51<Double>, Double|UseAsOther|MayHaveDoubleResult, AnyIntAsDouble|NonIntAsdouble, NotSet, Exits, bc#63)
3188
3189         * dfg/DFGGraph.cpp:
3190         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3191
3192 2017-08-31  Don Olmstead  <don.olmstead@sony.com>
3193
3194         [CMake] Make USE_CF conditional within Windows
3195         https://bugs.webkit.org/show_bug.cgi?id=176173
3196
3197         Reviewed by Alex Christensen.
3198
3199         * PlatformWin.cmake:
3200
3201 2017-08-31  Saam Barati  <sbarati@apple.com>
3202
3203         useSeparatedWXHeap should never be true when not on iOS
3204         https://bugs.webkit.org/show_bug.cgi?id=176190
3205
3206         Reviewed by JF Bastien.
3207
3208         If you set useSeparatedWXHeap to true on X86_64, and launch the jsc shell,
3209         the process insta-crashes. Let's silently ignore that option and set it
3210         to false when not on iOS.
3211
3212         * runtime/Options.cpp:
3213         (JSC::recomputeDependentOptions):
3214
3215 2017-08-31  Filip Pizlo  <fpizlo@apple.com>
3216
3217         Fix debug crashes.
3218
3219         Rubber stamped by Mark Lam.
3220
3221         * runtime/JSArrayBufferView.cpp:
3222         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3223
3224 2017-08-31  Filip Pizlo  <fpizlo@apple.com>
3225
3226         All of the different ArrayBuffer::data's should be CagedPtr<>
3227         https://bugs.webkit.org/show_bug.cgi?id=175515
3228
3229         Reviewed by Michael Saboff.
3230         
3231         This straightforwardly implements what the title says.
3232
3233         * runtime/ArrayBuffer.cpp:
3234         (JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
3235         (JSC::ArrayBufferContents::destroy):
3236         (JSC::ArrayBufferContents::tryAllocate):
3237         (JSC::ArrayBufferContents::makeShared):
3238         (JSC::ArrayBufferContents::copyTo):
3239         (JSC::ArrayBuffer::createFromBytes):
3240         (JSC::ArrayBuffer::transferTo):
3241         * runtime/ArrayBuffer.h:
3242         (JSC::SharedArrayBufferContents::data const):
3243         (JSC::ArrayBufferContents::data const):
3244         (JSC::ArrayBuffer::data):
3245         (JSC::ArrayBuffer::data const):
3246         * runtime/ArrayBufferView.h:
3247         (JSC::ArrayBufferView::baseAddress const):
3248         * runtime/CagedBarrierPtr.h: Added a specialization so that CagedBarrierPtr<Gigacage::Foo, void> is valid.
3249         * runtime/DataView.h:
3250         (JSC::DataView::get):
3251         (JSC::DataView::set):
3252         * runtime/JSArrayBufferView.cpp:
3253         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3254         * runtime/JSArrayBufferView.h:
3255         (JSC::JSArrayBufferView::ConstructionContext::vector const):
3256         (JSC::JSArrayBufferView::vector const):
3257         * runtime/JSGenericTypedArrayViewInlines.h:
3258         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
3259
3260 2017-08-22  Filip Pizlo  <fpizlo@apple.com>
3261
3262         Strings need to be in some kind of gigacage
3263         https://bugs.webkit.org/show_bug.cgi?id=174924
3264
3265         Reviewed by Oliver Hunt.
3266
3267         * runtime/JSString.cpp:
3268         (JSC::JSRopeString::resolveRopeToAtomicString const):
3269         (JSC::JSRopeString::resolveRope const):
3270         * runtime/JSString.h:
3271         (JSC::JSString::create):
3272         (JSC::JSString::createHasOtherOwner):
3273         * runtime/JSStringBuilder.h:
3274         * runtime/VM.h:
3275         (JSC::VM::gigacageAuxiliarySpace):
3276
3277 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3278
3279         [JSC] Use reifying system for "name" property of builtin JSFunction
3280         https://bugs.webkit.org/show_bug.cgi?id=175260
3281
3282         Reviewed by Saam Barati.
3283
3284         Currently builtin JSFunction uses direct property for "name", which is different
3285         from usual JSFunction. Usual JSFunction uses reifying system for "name". We would like
3286         to apply this reifying mechanism to builtin JSFunction to simplify code and drop
3287         JSFunction::createBuiltinFunction.
3288
3289         We would like to store the "correct" name in FunctionExecutable. For example,
3290         we would like to store a name like "get [Symbol.species]" in FunctionExecutable
3291         instead of specifying the name when creating the JSFunction. To do so, we add new
3292         annotations, @getter and @overriddenName. When @getter is specified, the name of
3293         the function becomes "get xxx". And when @overriddenName="xxx" is specified,
3294         the name of the function becomes "xxx".
3295
3296         We also treat @xxx as anonymous builtin functions that cannot be achieved in
3297         the current JS without privilege.
3298
3299         * Scripts/builtins/builtins_generate_combined_header.py:
3300         (generate_section_for_code_table_macro):
3301         * Scripts/builtins/builtins_generate_combined_implementation.py:
3302         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
3303         * Scripts/builtins/builtins_generate_separate_header.py:
3304         (generate_section_for_code_table_macro):
3305         * Scripts/builtins/builtins_generate_separate_implementation.py:
3306         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
3307         * Scripts/builtins/builtins_model.py:
3308         (BuiltinFunction.__init__):
3309         (BuiltinFunction.fromString):
3310         * Scripts/builtins/builtins_templates.py:
3311         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
3312         (overriddenName.string_appeared_here.match):
3313         (intrinsic.RegExpTestIntrinsic.test):
3314         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
3315         (overriddenName.string_appeared_here.match):
3316         (intrinsic.RegExpTestIntrinsic.test):
3317         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3318         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3319         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3320         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3321         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3322         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3323         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3324         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3325         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3326         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3327         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3328         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3329         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3330         * builtins/AsyncIteratorPrototype.js:
3331         (symbolAsyncIteratorGetter): Deleted.
3332         * builtins/BuiltinExecutables.cpp:
3333         (JSC::BuiltinExecutables::BuiltinExecutables):
3334         * builtins/BuiltinExecutables.h:
3335         * builtins/BuiltinNames.h:
3336         * builtins/FunctionPrototype.js:
3337         (symbolHasInstance): Deleted.
3338         * builtins/GlobalOperations.js:
3339         (globalPrivate.speciesGetter): Deleted.
3340         * builtins/IteratorPrototype.js:
3341         (symbolIteratorGetter): Deleted.
3342         * builtins/PromiseConstructor.js:
3343         (all.newResolveElement.return.resolve):
3344         (all.newResolveElement):
3345         (all):
3346         * builtins/PromiseOperations.js:
3347         (globalPrivate.newPromiseCapability.executor):
3348         (globalPrivate.newPromiseCapability):
3349         (globalPrivate.createResolvingFunctions.resolve):
3350         (globalPrivate.createResolvingFunctions.reject):
3351         (globalPrivate.createResolvingFunctions):
3352         * builtins/RegExpPrototype.js:
3353         (match): Deleted.
3354         (replace): Deleted.
3355         (search): Deleted.
3356         (split): Deleted.
3357         * jsc.cpp:
3358         (functionCreateBuiltin):
3359         * runtime/AsyncIteratorPrototype.cpp:
3360         (JSC::AsyncIteratorPrototype::finishCreation):
3361         * runtime/FunctionPrototype.cpp:
3362         (JSC::FunctionPrototype::addFunctionProperties):
3363         * runtime/IteratorPrototype.cpp:
3364         (JSC::IteratorPrototype::finishCreation):
3365         * runtime/JSFunction.cpp:
3366         (JSC::JSFunction::finishCreation):
3367         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3368         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
3369         (JSC::JSFunction::createBuiltinFunction): Deleted.
3370         * runtime/JSFunction.h:
3371         * runtime/JSGlobalObject.cpp:
3372         (JSC::JSGlobalObject::init):
3373         * runtime/JSObject.cpp:
3374         (JSC::JSObject::putDirectBuiltinFunction):
3375         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
3376         * runtime/JSTypedArrayViewPrototype.cpp:
3377         (JSC::JSTypedArrayViewPrototype::finishCreation):
3378         * runtime/Lookup.cpp:
3379         (JSC::reifyStaticAccessor):
3380         * runtime/MapPrototype.cpp:
3381         (JSC::MapPrototype::finishCreation):
3382         * runtime/RegExpPrototype.cpp:
3383         (JSC::RegExpPrototype::finishCreation):
3384         * runtime/SetPrototype.cpp:
3385         (JSC::SetPrototype::finishCreation):
3386
3387 2017-08-30  Ryan Haddad  <ryanhaddad@apple.com>
3388
3389         Unreviewed, rolling out r221327.
3390
3391         This change caused test262 failures.
3392
3393         Reverted changeset:
3394
3395         "[JSC] Use reifying system for "name" property of builtin
3396         JSFunction"
3397         https://bugs.webkit.org/show_bug.cgi?id=175260
3398         http://trac.webkit.org/changeset/221327
3399
3400 2017-08-30  Matt Lewis  <jlewis3@apple.com>
3401
3402         Unreviewed, rolling out r221384.
3403
3404         This patch caused multiple 32-bit JSC test failures.
3405
3406         Reverted changeset:
3407
3408         "Strings need to be in some kind of gigacage"
3409         https://bugs.webkit.org/show_bug.cgi?id=174924
3410         http://trac.webkit.org/changeset/221384
3411
3412 2017-08-30  Saam Barati  <sbarati@apple.com>
3413
3414         semicolon is being interpreted as an = in the LiteralParser
3415         https://bugs.webkit.org/show_bug.cgi?id=176114
3416
3417         Reviewed by Oliver Hunt.
3418
3419         When lexing a semicolon in the LiteralParser, we were properly
3420         setting the TokenType on the current token; however, we were
3421         *returning* the wrong TokenType. The lex function both returns
3422         the TokenType and sets it on the current token. Semicolon was
3423         setting the TokenType to semicolon, but returning the TokenType
3424         for '='. This caused programs like `x;123` to be interpreted as
3425         `x=123`.
3426
3427         * runtime/LiteralParser.cpp:
3428         (JSC::LiteralParser<CharType>::Lexer::lex):
3429         (JSC::LiteralParser<CharType>::Lexer::next):
3430
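The defect described above, as an added example that is not JavaScriptCore's LiteralParser: a miniature lexer whose lex() both stores the TokenType on the current token and returns it, with a switch that reproduces the ';' mismatch, and a caller that dispatches on the returned value and therefore reads `x;123` as an assignment. MiniLexer, interpret() and the token names are constructed for illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

enum TokenType { TokEnd, TokIdentifier, TokNumber, TokAssign, TokSemi, TokError };

struct Token {
    TokenType type = TokEnd;
    std::string text;
};

class MiniLexer {
public:
    // `reproduceBug` selects the defective return path for ';'.
    MiniLexer(const std::string& source, bool reproduceBug)
        : m_source(source), m_reproduceBug(reproduceBug) {}

    const Token& currentToken() const { return m_token; }

    // Same contract as the entry describes: the TokenType is stored on the
    // current token AND returned. The two must agree, and for ';' they did not.
    TokenType lex()
    {
        while (m_pos < m_source.size() && std::isspace(static_cast<unsigned char>(m_source[m_pos])))
            ++m_pos;
        m_token.text.clear();
        if (m_pos >= m_source.size())
            return m_token.type = TokEnd;

        char c = m_source[m_pos];
        if (c == '=') {
            ++m_pos;
            m_token.text = "=";
            return m_token.type = TokAssign;
        }
        if (c == ';') {
            ++m_pos;
            m_token.text = ";";
            m_token.type = TokSemi;                       // stored type is correct...
            return m_reproduceBug ? TokAssign : TokSemi;  // ...but the buggy return said '='
        }
        if (std::isdigit(static_cast<unsigned char>(c))) {
            while (m_pos < m_source.size() && std::isdigit(static_cast<unsigned char>(m_source[m_pos])))
                m_token.text += m_source[m_pos++];
            return m_token.type = TokNumber;
        }
        if (std::isalpha(static_cast<unsigned char>(c)) || c == '_') {
            while (m_pos < m_source.size()
                && (std::isalnum(static_cast<unsigned char>(m_source[m_pos])) || m_source[m_pos] == '_'))
                m_token.text += m_source[m_pos++];
            return m_token.type = TokIdentifier;
        }
        ++m_pos;
        return m_token.type = TokError;
    }

private:
    std::string m_source;
    std::size_t m_pos = 0;
    bool m_reproduceBug;
    Token m_token;
};

// Parses `ident = number` or `ident ; number`, trusting lex()'s return value
// for the separator. Returns a description of what the parser believed it saw.
std::string interpret(const std::string& source, bool reproduceBug)
{
    MiniLexer lexer(source, reproduceBug);
    if (lexer.lex() != TokIdentifier)
        return "error: expected identifier";
    std::string name = lexer.currentToken().text;

    TokenType separator = lexer.lex();
    if (lexer.lex() != TokNumber)
        return "error: expected number";
    std::string number = lexer.currentToken().text;

    if (separator == TokAssign)
        return "assignment " + name + " = " + number;
    if (separator == TokSemi)
        return "statements " + name + " ; " + number;
    return "error: unexpected separator";
}

// True when the type lex() returned differs from the type it stored on the
// token: the exact inconsistency the fix removed.
bool returnedTypeDisagreesWithToken(const std::string& source, bool reproduceBug)
{
    MiniLexer lexer(source, reproduceBug);
    TokenType returned = lexer.lex();
    return returned != lexer.currentToken().type;
}
```
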
3431 2017-08-22  Filip Pizlo  <fpizlo@apple.com>
3432
3433         Strings need to be in some kind of gigacage
3434         https://bugs.webkit.org/show_bug.cgi?id=174924
3435
3436         Reviewed by Oliver Hunt.
3437
3438         * runtime/JSString.cpp:
3439         (JSC::JSRopeString::resolveRopeToAtomicString const):
3440         (JSC::JSRopeString::resolveRope const):
3441         * runtime/JSString.h:
3442         (JSC::JSString::create):
3443         (JSC::JSString::createHasOtherOwner):
3444         * runtime/JSStringBuilder.h:
3445         * runtime/VM.h:
3446         (JSC::VM::gigacageAuxiliarySpace):
3447
3448 2017-08-30  Oleksandr Skachkov  <gskachkov@gmail.com>
3449
3450         [ESNext] Async iteration - Implement async iteration statement: for-await-of
3451         https://bugs.webkit.org/show_bug.cgi?id=166698
3452
3453         Reviewed by Yusuke Suzuki.
3454
3455         Implementation of the for-await-of statement.
3456
3457         * bytecompiler/BytecodeGenerator.cpp:
3458         (JSC::BytecodeGenerator::emitEnumeration):
3459         (JSC::BytecodeGenerator::emitIteratorNext):
3460         * bytecompiler/BytecodeGenerator.h:
3461         * parser/ASTBuilder.h:
3462         (JSC::ASTBuilder::createForOfLoop):
3463         * parser/NodeConstructors.h:
3464         (JSC::ForOfNode::ForOfNode):
3465         * parser/Nodes.h:
3466         (JSC::ForOfNode::isForAwait const):
3467         * parser/Parser.cpp:
3468         (JSC::Parser<LexerType>::parseForStatement):
3469         * parser/Parser.h:
3470         (JSC::Scope::setSourceParseMode):
3471         (JSC::Scope::setIsFunction):
3472         (JSC::Scope::setIsAsyncGeneratorFunction):
3473         (JSC::Scope::setIsAsyncGeneratorFunctionBody):
3474         * parser/SyntaxChecker.h:
3475         (JSC::SyntaxChecker::createForOfLoop):
3476
3477 2017-08-29  Commit Queue  <commit-queue@webkit.org>
3478
3479         Unreviewed, rolling out r221317.
3480         https://bugs.webkit.org/show_bug.cgi?id=176090
3481
3482         "It broke a testing mode because we will never FTL compile a
3483         function that repeatedly throws" (Requested by saamyjoon on
3484         #webkit).
3485
3486         Reverted changeset:
3487
3488         "Throwing an exception in the DFG/FTL should not be a
3489         jettison-able OSR exit"
3490         https://bugs.webkit.org/show_bug.cgi?id=176060
3491         http://trac.webkit.org/changeset/221317
3492
3493 2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3494
3495         [DFG] Add constant folding rule to convert CompareStrictEq(Untyped, Untyped [with non string cell constant]) to CompareEqPtr(Untyped)
3496         https://bugs.webkit.org/show_bug.cgi?id=175895
3497
3498         Reviewed by Saam Barati.
3499
3500         We have `bucket === @sentinelMapBucket` code in the builtins. Since @sentinelMapBucket and bucket
3501         are MapBucket cells (SpecCellOther), we do not have any good fixup for CompareStrictEq.
3502         But rather than introducing a special fixup edge (like NonStringCellUse), converting
3503         CompareStrictEq(Untyped, Untyped) to CompareEqPtr is simpler.
3504         In the constant folding phase, we convert CompareStrictEq(Untyped, Untyped) to CompareEqPtr(Untyped)
3505         if one of the children is a constant non-String cell.
3506
3507         This slightly optimizes map/set iteration.
3508
3509         set-for-each          4.5064+-0.3072     ^      3.2862+-0.2098        ^ definitely 1.3713x faster
3510         large-map-iteration  56.2583+-1.6640           53.6798+-2.0097          might be 1.0480x faster
3511         set-for-of            8.8058+-0.5953     ^      7.5832+-0.3805        ^ definitely 1.1612x faster
3512         map-for-each          4.2633+-0.2694     ^      3.3967+-0.3013        ^ definitely 1.2551x faster
3513         map-for-of           13.1556+-0.5707           12.4911+-0.6004          might be 1.0532x faster
3514
3515         * dfg/DFGAbstractInterpreterInlines.h:
3516         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3517         * dfg/DFGConstantFoldingPhase.cpp:
3518         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3519         * dfg/DFGNode.h:
3520         (JSC::DFG::Node::convertToCompareEqPtr):
3521
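The folding rule and the reason it excludes Strings, as an added example that is not JavaScriptCore's DFG: a toy value model with the reference CompareStrictEq semantics beside CompareEqPtr, and a check that the folded operation agrees with the reference for every sample input. Kind, Cell, Value and the sample cells are constructed for illustration.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Constructed value model. OtherCell stands for any non-String cell, such as
// the MapBucket sentinel the entry mentions.
enum class Kind { Int32, String, OtherCell };

struct Cell {
    Kind kind;
    std::string chars;  // only meaningful for String cells
};

struct Value {
    Kind kind = Kind::Int32;
    int32_t int32 = 0;
    const Cell* cell = nullptr;  // non-null for String and OtherCell
    bool isCell() const { return cell != nullptr; }
};

Value makeInt(int32_t i) { Value v; v.kind = Kind::Int32; v.int32 = i; return v; }
Value makeCell(const Cell& c) { Value v; v.kind = c.kind; v.cell = &c; return v; }

// Reference semantics of CompareStrictEq: cells compare by identity, except
// Strings, which compare by contents.
bool strictEq(const Value& a, const Value& b)
{
    if (a.kind != b.kind)
        return false;
    switch (a.kind) {
    case Kind::Int32:     return a.int32 == b.int32;
    case Kind::String:    return a.cell->chars == b.cell->chars;
    case Kind::OtherCell: return a.cell == b.cell;
    }
    return false;
}

// CompareEqPtr: identity of the operands, no type dispatch at all.
bool eqPtr(const Value& a, const Value& b)
{
    return a.isCell() && b.isCell() && a.cell == b.cell;
}

enum class Op { CompareStrictEq, CompareEqPtr };

// The folding rule from the entry: CompareStrictEq(Untyped, Untyped) with one
// constant child becomes CompareEqPtr(Untyped) only when that constant is a
// non-String cell. A String constant keeps the general comparison.
Op foldCompareStrictEq(const Value& constantChild)
{
    if (constantChild.isCell() && constantChild.kind != Kind::String)
        return Op::CompareEqPtr;
    return Op::CompareStrictEq;
}

bool evaluate(Op op, const Value& a, const Value& b)
{
    return op == Op::CompareEqPtr ? eqPtr(a, b) : strictEq(a, b);
}

// Soundness check: `op` must give the same answer as the reference semantics
// for every input compared against `constant`.
bool agreesWithStrictEq(Op op, const Value& constant, const std::vector<Value>& inputs)
{
    for (const Value& x : inputs) {
        if (evaluate(op, x, constant) != strictEq(x, constant))
            return false;
    }
    return true;
}

// Constructed samples: a sentinel bucket, an ordinary bucket, and two distinct
// String cells with equal contents (the case that makes the String exclusion
// necessary: they are === but not the same pointer).
const Cell sentinelBucket{Kind::OtherCell, ""};
const Cell someBucket{Kind::OtherCell, ""};
const Cell strA{Kind::String, "key"};
const Cell strB{Kind::String, "key"};

std::vector<Value> sampleInputs()
{
    return { makeInt(0), makeInt(42), makeCell(sentinelBucket), makeCell(someBucket),
             makeCell(strA), makeCell(strB) };
}
```
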
3522 2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3523
3524         [JSC] Use reifying system for "name" property of builtin JSFunction
3525         https://bugs.webkit.org/show_bug.cgi?id=175260
3526
3527         Reviewed by Saam Barati.
3528
3529         Currently a builtin JSFunction uses a direct property for "name", which is different
3530         from a usual JSFunction. A usual JSFunction uses the reifying system for "name". We would like
3531         to apply this reifying mechanism to builtin JSFunction to simplify the code and drop
3532         JSFunction::createBuiltinFunction.
3533
3534         We would like to store the "correct" name in FunctionExecutable. For example,
3535         we would like to store a name like "get [Symbol.species]" in FunctionExecutable
3536         instead of specifying the name when creating JSFunction. To do so, we add new
3537         annotations, @getter and @overriddenName. When @getter is specified, the name of
3538         the function becomes "get xxx". And when @overriddenName="xxx" is specified,
3539         the name of the function becomes "xxx".
3540
3541         * Scripts/builtins/builtins_generate_combined_header.py:
3542         (generate_section_for_code_table_macro):
3543         * Scripts/builtins/builtins_generate_combined_implementation.py:
3544         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
3545         * Scripts/builtins/builtins_generate_separate_header.py:
3546         (generate_section_for_code_table_macro):
3547         * Scripts/builtins/builtins_generate_separate_implementation.py:
3548         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
3549         * Scripts/builtins/builtins_model.py:
3550         (BuiltinFunction.__init__):
3551         (BuiltinFunction.fromString):
3552         * Scripts/builtins/builtins_templates.py:
3553         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
3554         (overriddenName.string_appeared_here.match):
3555         (intrinsic.RegExpTestIntrinsic.test):
3556         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
3557         (overriddenName.string_appeared_here.match):
3558         (intrinsic.RegExpTestIntrinsic.test):
3559         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3560         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3561         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3562         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3563         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3564         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3565         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3566         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3567         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3568         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3569         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3570         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3571         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3572         * builtins/BuiltinExecutables.cpp:
3573         (JSC::BuiltinExecutables::BuiltinExecutables):
3574         * builtins/BuiltinExecutables.h:
3575         * builtins/FunctionPrototype.js:
3576         (symbolHasInstance): Deleted.
3577         * builtins/GlobalOperations.js:
3578         (globalPrivate.speciesGetter): Deleted.
3579         * builtins/IteratorPrototype.js:
3580         (symbolIteratorGetter): Deleted.
3581         * builtins/RegExpPrototype.js:
3582         (match): Deleted.
3583         (replace): Deleted.
3584         (search): Deleted.
3585         (split): Deleted.
3586         * jsc.cpp:
3587         (functionCreateBuiltin):
3588         * runtime/FunctionPrototype.cpp:
3589         (JSC::FunctionPrototype::addFunctionProperties):
3590         * runtime/IteratorPrototype.cpp:
3591         (JSC::IteratorPrototype::finishCreation):
3592         * runtime/JSFunction.cpp:
3593         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3594         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
3595         (JSC::JSFunction::createBuiltinFunction): Deleted.
3596         * runtime/JSFunction.h:
3597         * runtime/JSGlobalObject.cpp:
3598         (JSC::JSGlobalObject::init):
3599         * runtime/JSObject.cpp:
3600         (JSC::JSObject::putDirectBuiltinFunction):
3601         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
3602         * runtime/JSTypedArrayViewPrototype.cpp:
3603         (JSC::JSTypedArrayViewPrototype::finishCreation):
3604         * runtime/Lookup.cpp:
3605         (JSC::reifyStaticAccessor):
3606         * runtime/RegExpPrototype.cpp:
3607         (JSC::RegExpPrototype::finishCreation):
3608
3609 2017-08-29  Saam Barati  <sbarati@apple.com>
3610
3611         Throwing an exception in the DFG/FTL should not be a jettison-able OSR exit
3612         https://bugs.webkit.org/show_bug.cgi?id=176060
3613
3614         Reviewed by Michael Saboff.
3615
3616         OSR exiting when we throw an exception is expected behavior. We should
3617         not count these exits towards our jettison OSR exit threshold.
3618
3619         * bytecode/ExitKind.cpp:
3620         (JSC::exitKindToString):
3621         (JSC::exitKindMayJettison):
3622         * bytecode/ExitKind.h:
3623         * dfg/DFGSpeculativeJIT32_64.cpp:
3624         (JSC::DFG::SpeculativeJIT::compile):
3625         * dfg/DFGSpeculativeJIT64.cpp:
3626         (JSC::DFG::SpeculativeJIT::compile):
3627         * ftl/FTLLowerDFGToB3.cpp:
3628         (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
3629
3630 2017-08-29  Chris Dumez  <cdumez@apple.com>
3631
3632         Add initial support for dataTransferItem.webkitGetAsEntry()
3633         https://bugs.webkit.org/show_bug.cgi?id=176038
3634         <rdar://problem/34121095>
3635
3636         Reviewed by Wenson Hsieh.
3637
3638         Add CommonIdentifier needed by [EnabledAtRuntime].
3639
3640         * runtime/CommonIdentifiers.h:
3641
3642 2017-08-27  Devin Rousso  <webkit@devinrousso.com>
3643
3644         Web Inspector: Record actions performed on WebGLRenderingContext
3645         https://bugs.webkit.org/show_bug.cgi?id=174483
3646         <rdar://problem/34040722>
3647
3648         Reviewed by Matt Baker.
3649
3650         * inspector/protocol/Recording.json:
3651         * inspector/scripts/codegen/generator.py:
3652         Add type and mapping for WebGL: "canvas-webgl" => CanvasWebGL
3653
3654 2017-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3655
3656         Unreviewed, suppress warnings in GTK port
3657
3658         The "block" variable hides the argument variable.
3659
3660         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
3661         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
3662
3663 2017-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3664
3665         Merge WeakMapData into JSWeakMap and JSWeakSet
3666         https://bugs.webkit.org/show_bug.cgi?id=143919
3667
3668         Reviewed by Darin Adler.
3669
3670         This patch changes WeakMapData from JSCell to JSDestructibleObject,
3671         renaming it to WeakMapBase, and JSWeakMap and JSWeakSet simply inherit
3672         it instead of separately allocating WeakMapData. This reduces memory
3673         consumption and allocation times.
3674
3675         This patch also optimizes sizeof(DeadKeyCleaner) a bit by dropping the m_target
3676         field. Since this class is always embedded in WeakMapBase, we can calculate the
3677         WeakMapBase address from the address of DeadKeyCleaner.
3678
3679         This patch does not include the optimization changing WeakMapData to Set
3680         for JSWeakSet.
3681
3682         * CMakeLists.txt:
3683         * JavaScriptCore.xcodeproj/project.pbxproj:
3684         * inspector/JSInjectedScriptHost.cpp:
3685         (Inspector::JSInjectedScriptHost::weakMapSize):
3686         (Inspector::JSInjectedScriptHost::weakMapEntries):
3687         (Inspector::JSInjectedScriptHost::weakSetSize):
3688         (Inspector::JSInjectedScriptHost::weakSetEntries):
3689         * runtime/JSWeakMap.cpp:
3690         (JSC::JSWeakMap::finishCreation): Deleted.
3691         (JSC::JSWeakMap::visitChildren): Deleted.
3692         * runtime/JSWeakMap.h:
3693         (JSC::JSWeakMap::createStructure): Deleted.
3694         (JSC::JSWeakMap::create): Deleted.
3695         (JSC::JSWeakMap::weakMapData): Deleted.
3696         (JSC::JSWeakMap::JSWeakMap): Deleted.
3697         * runtime/JSWeakSet.cpp:
3698         (JSC::JSWeakSet::finishCreation): Deleted.
3699         (JSC::JSWeakSet::visitChildren): Deleted.
3700         * runtime/JSWeakSet.h:
3701         (JSC::JSWeakSet::createStructure): Deleted.
3702         (JSC::JSWeakSet::create): Deleted.
3703         (JSC::JSWeakSet::weakMapData): Deleted.
3704         (JSC::JSWeakSet::JSWeakSet): Deleted.
3705         * runtime/VM.cpp:
3706         (JSC::VM::VM):
3707         * runtime/VM.h:
3708         * runtime/WeakMapBase.cpp: Renamed from Source/JavaScriptCore/runtime/WeakMapData.cpp.
3709         (JSC::WeakMapBase::WeakMapBase):
3710         (JSC::WeakMapBase::destroy):
3711         (JSC::WeakMapBase::estimatedSize):
3712         (JSC::WeakMapBase::visitChildren):
3713         (JSC::WeakMapBase::set):
3714         (JSC::WeakMapBase::get):
3715         (JSC::WeakMapBase::remove):
3716         (JSC::WeakMapBase::contains):
3717         (JSC::WeakMapBase::clear):
3718         (JSC::WeakMapBase::DeadKeyCleaner::target):
3719         (JSC::WeakMapBase::DeadKeyCleaner::visitWeakReferences):
3720         (JSC::WeakMapBase::DeadKeyCleaner::finalizeUnconditionally):
3721         * runtime/WeakMapBase.h: Renamed from Source/JavaScriptCore/runtime/WeakMapData.h.
3722         (JSC::WeakMapBase::size const):
3723         * runtime/WeakMapPrototype.cpp:
3724         (JSC::getWeakMap):
3725         (JSC::protoFuncWeakMapDelete):
3726         (JSC::protoFuncWeakMapGet):
3727         (JSC::protoFuncWeakMapHas):
3728         (JSC::protoFuncWeakMapSet):
3729         (JSC::getWeakMapData): Deleted.
3730         * runtime/WeakSetPrototype.cpp:
3731         (JSC::getWeakSet):
3732         (JSC::protoFuncWeakSetDelete):
3733         (JSC::protoFuncWeakSetHas):
3734         (JSC::protoFuncWeakSetAdd):
3735         (JSC::getWeakMapData): Deleted.
3736
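The address recovery the entry describes, as an added example that is not WebKit's code: a toy WeakMapBase with an embedded DeadKeyCleaner that derives its owner from its own address via offsetof instead of storing m_target. The layout (m_header, m_size, m_liveKeyCount) is constructed for illustration; only the embedding matters.

```cpp
#include <cstddef>
#include <cstdint>

struct WeakMapBase;

// Before: the cleaner carried a back-pointer, costing a pointer (plus padding)
// per weak map.
struct DeadKeyCleanerWithPointer {
    WeakMapBase* m_target;
    unsigned m_liveKeyCount;
};

// After: no back-pointer. target() is recomputed from the cleaner's address.
struct DeadKeyCleaner {
    unsigned m_liveKeyCount = 0;
    WeakMapBase* target();
};

// Constructed stand-in for the real object.
struct WeakMapBase {
    uint64_t m_header = 0;            // stand-in for the cell/object header words
    DeadKeyCleaner m_deadKeyCleaner;  // embedded by value, never allocated separately
    unsigned m_size = 0;
};

// The cleaner sits at a fixed offset inside every WeakMapBase, so subtracting
// that offset from `this` yields the owner. The invariant that makes this
// valid is that a DeadKeyCleaner only ever exists embedded in a WeakMapBase;
// calling target() on a free-standing cleaner would produce a bogus pointer.
inline WeakMapBase* DeadKeyCleaner::target()
{
    return reinterpret_cast<WeakMapBase*>(
        reinterpret_cast<char*>(this) - offsetof(WeakMapBase, m_deadKeyCleaner));
}

// True when the embedded cleaner resolves back to its owning map.
bool cleanerResolvesToOwner(WeakMapBase& map)
{
    return map.m_deadKeyCleaner.target() == &map;
}

// Two maps side by side: each cleaner must find its own map, not its neighbour.
bool distinctMapsResolveDistinctly()
{
    WeakMapBase maps[2];
    return cleanerResolvesToOwner(maps[0]) && cleanerResolvesToOwner(maps[1])
        && maps[0].m_deadKeyCleaner.target() != maps[1].m_deadKeyCleaner.target();
}

// Bytes saved per weak map by dropping the back-pointer.
size_t bytesSavedPerCleaner()
{
    return sizeof(DeadKeyCleanerWithPointer) - sizeof(DeadKeyCleaner);
}
```
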
3737 2017-08-25  Daniel Bates  <dabates@apple.com>
3738
3739         Demarcate code added due to lack of NSDMI for aggregates
3740         https://bugs.webkit.org/show_bug.cgi?id=175990
3741
3742         Reviewed by Andy Estes.
3743
3744         * domjit/DOMJITEffect.h:
3745         (JSC::DOMJIT::Effect::Effect):
3746         (JSC::DOMJIT::Effect::forWrite):
3747         (JSC::DOMJIT::Effect::forRead):
3748         (JSC::DOMJIT::Effect::forReadWrite):
3749         (JSC::DOMJIT::Effect::forPure):
3750         (JSC::DOMJIT::Effect::forDef):
3751         * runtime/HasOwnPropertyCache.h:
3752         (JSC::HasOwnPropertyCache::Entry::Entry):
3753         (JSC::HasOwnPropertyCache::Entry::operator=): Deleted.
3754         * wasm/WasmFormat.h: Modernize some of the code while I am here. Also
3755         make some comments read well.
3756         (JSC::Wasm::CallableFunction::CallableFunction):
3757         * wasm/js/WebAssemblyFunction.cpp:
3758         (JSC::WebAssemblyFunction::WebAssemblyFunction):
3759         * wasm/js/WebAssemblyWrapperFunction.cpp:
3760         (JSC::WebAssemblyWrapperFunction::create):
3761
3762 2017-08-25  Saam Barati  <sbarati@apple.com>
3763
3764         Unreviewed. Fix 32-bit after r221196
3765
3766         * jit/JITOpcodes32_64.cpp:
3767         (JSC::JIT::emit_op_catch):
3768
3769 2017-08-25  Chris Dumez  <cdumez@apple.com>
3770
3771         Land stubs for File and Directory Entries API interfaces
3772         https://bugs.webkit.org/show_bug.cgi?id=175993
3773         <rdar://problem/34087477>
3774
3775         Reviewed by Ryosuke Niwa.
3776
3777         Add CommonIdentifiers needed for [EnabledAtRuntime].
3778
3779         * runtime/CommonIdentifiers.h:
3780
3781 2017-08-25  Brian Burg  <bburg@apple.com>
3782
3783         Web Automation: add capabilities to control ICE candidate filtering and insecure media capture
3784         https://bugs.webkit.org/show_bug.cgi?id=175563
3785         <rdar://problem/33734492>
3786
3787         Reviewed by Joseph Pecoraro.
3788
3789         Add macros for new capability protocol string names. Let's use a reverse
3790         domain name notation for these capabilities so we know whether they are
3791         intended for a particular client/port or any WebKit client, and what feature they
3792         are related to (i.e., webrtc).
3793
3794         * inspector/remote/RemoteInspectorConstants.h:
3795
3796 2017-08-24  Brian Burg  <bburg@apple.com>
3797
3798         Web Automation: use automation session configurations to propagate per-session settings
3799         https://bugs.webkit.org/show_bug.cgi?id=175562
3800         <rdar://problem/30853362>
3801
3802         Reviewed by Joseph Pecoraro.
3803
3804         Add a Cocoa-specific code path to forward capabilities when requesting
3805         a new session from the remote inspector (i.e., automation) client.
3806
3807         If other ports want to use this, then we can convert Cocoa types to WebKit types later.
3808
3809         * inspector/remote/RemoteInspector.h:
3810         * inspector/remote/RemoteInspectorConstants.h:
3811         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3812         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
3813
3814 2017-08-25  Saam Barati  <sbarati@apple.com>
3815
3816         DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
3817         https://bugs.webkit.org/show_bug.cgi?id=175893
3818
3819         Reviewed by Mark Lam.
3820
3821         * dfg/DFGJITCode.cpp:
3822         (JSC::DFG::JITCode::finalizeOSREntrypoints):
3823         * dfg/DFGJITCode.h:
3824         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
3825         * dfg/DFGSpeculativeJIT.cpp:
3826         (JSC::DFG::SpeculativeJIT::linkOSREntries):
3827
3828 2017-08-25  Saam Barati  <sbarati@apple.com>
3829
3830         Support compiling catch in the DFG
3831         https://bugs.webkit.org/show_bug.cgi?id=174590
3832         <rdar://problem/34047845>
3833
3834         Reviewed by Filip Pizlo.
3835
3836         This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
3837         into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396
3838         
3839         To implement catch in the DFG, this patch introduces the concept of multiple
3840         entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
3841         through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
3842         patch contains many straightforward changes generalizing the code to handle more than
3843         one entrypoint.
3844         
3845         A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
3846         is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
3847         that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
3848         to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
3849         and SSANaturalLoops vs CPSNaturalLoops.
3850         
3851         The way we compile the catch entrypoint is by bootstrapping the state
3852         of the program by loading all live bytecode locals from a buffer. The OSR
3853         entry code will store all live values into that buffer before jumping to
3854         the entrypoint. The OSR entry code is also responsible for performing type
3855         proofs of the arguments before doing an OSR entry. If there is a type
3856         mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
3857         each catch entrypoint knows the argument type proofs it must perform to enter
3858         into the DFG. Currently, all entrypoints' argument flush formats are unified
3859         via ArgumentPosition, but this is just an implementation detail. The code is
3860         written more generally to assume that each entrypoint may perform its own distinct
3861         proof.
3862         
3863         op_catch now performs value profiling for all live bytecode locals in the
3864         LLInt and baseline JIT. This information is then fed into the DFG via the
3865         ExtractCatchLocal node in the prediction propagation phase.
3866         
3867         This patch also changes how we generate op_catch in bytecode. All op_catches
3868         are now split out at the end of the program in bytecode. This ensures that
3869         no op_catch is inside a try block. This is needed to ensure correctness in
3870         the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
3871         before SetLocals inside a try block. If an op_catch were in a try block, this
3872         would cause the phase to insert a Flush before one of the state bootstrapping
3873         SetLocals, which would generate invalid IR. Moving op_catch to be generated on
3874         its own at the end of a bytecode stream seemed like the most elegant solution since
3875         it better represents that we treat op_catch as an entrypoint. This is true
3876         both in the DFG and in the baseline and LLInt: we don't reach an op_catch
3877         via normal control flow. Because op_catch cannot throw, this will not break
3878         any previous semantics of op_catch. Logically, it'd be valid to split try
3879         blocks around any non-throwing bytecode operation.
3880
3881         * CMakeLists.txt:
3882         * JavaScriptCore.xcodeproj/project.pbxproj:
3883         * bytecode/BytecodeDumper.cpp:
3884         (JSC::BytecodeDumper<Block>::dumpBytecode):
3885         * bytecode/BytecodeList.json:
3886         * bytecode/BytecodeUseDef.h:
3887         (JSC::computeUsesForBytecodeOffset):
3888         * bytecode/CodeBlock.cpp:
3889         (JSC::CodeBlock::finishCreation):
3890         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
3891         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):