[JSC] Remove !(OS(LINUX) && CPU(ARM64)) guards in RegisterState.h

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2017-10-22  Zan Dobersek  <zdobersek@igalia.com>

        [JSC] Remove !(OS(LINUX) && CPU(ARM64)) guards in RegisterState.h
        https://bugs.webkit.org/show_bug.cgi?id=178452

        Reviewed by Yusuke Suzuki.

        * heap/RegisterState.h: Re-enable the custom RegisterState and
        ALLOCATE_AND_GET_REGISTER_STATE definitions on ARM64 Linux. These don't
        cause any crashes nowadays.

2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][Baseline] Use linkAllSlowCasesForBytecodeOffset as much as possible to simplify slow cases handling
        https://bugs.webkit.org/show_bug.cgi?id=178647

        Reviewed by Saam Barati.

        There is much code counting slow cases in fast paths to call `linkSlowCase` carefully. This is really error-prone
        since the number of slow cases depends on values of instruction's metadata. We have linkAllSlowCasesForBytecodeOffset,
        which drains all slow cases for a specified bytecode offset. In typical cases like just calling a slow path function,
        this is enough. We use linkAllSlowCasesForBytecodeOffset as much as possible. It significantly simplifies the code.

        * jit/JIT.h:
        (JSC::JIT::linkAllSlowCases):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_unsigned):
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareAndJumpSlow):
        (JSC::JIT::emitSlow_op_inc):
        (JSC::JIT::emitSlow_op_dec):
        (JSC::JIT::emitSlow_op_mod):
        (JSC::JIT::emitSlow_op_negate):
        (JSC::JIT::emitSlow_op_bitand):
        (JSC::JIT::emitSlow_op_bitor):
        (JSC::JIT::emitSlow_op_bitxor):
        (JSC::JIT::emitSlow_op_lshift):
        (JSC::JIT::emitSlow_op_rshift):
        (JSC::JIT::emitSlow_op_urshift):
        (JSC::JIT::emitSlow_op_add):
        (JSC::JIT::emitSlow_op_div):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emitSlow_op_sub):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJumpSlow):
        (JSC::JIT::emitSlow_op_unsigned):
        (JSC::JIT::emitSlow_op_inc):
        (JSC::JIT::emitSlow_op_dec):
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITInlines.h:
        (JSC::JIT::linkAllSlowCasesForBytecodeOffset):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emitSlow_op_create_this):
        (JSC::JIT::emitSlow_op_check_tdz):
        (JSC::JIT::emitSlow_op_to_this):
        (JSC::JIT::emitSlow_op_to_primitive):
        (JSC::JIT::emitSlow_op_not):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emitSlow_op_stricteq):
        (JSC::JIT::emitSlow_op_nstricteq):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof_custom):
        (JSC::JIT::emitSlow_op_to_number):
        (JSC::JIT::emitSlow_op_to_string):
        (JSC::JIT::emitSlow_op_loop_hint):
        (JSC::JIT::emitSlow_op_check_traps):
        (JSC::JIT::emitSlow_op_has_indexed_property):
        (JSC::JIT::emitSlow_op_get_direct_pname):
        (JSC::JIT::emitSlow_op_has_structure_property):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof_custom):
        (JSC::JIT::emitSlow_op_to_primitive):
        (JSC::JIT::emitSlow_op_not):
        (JSC::JIT::emitSlow_op_stricteq):
        (JSC::JIT::emitSlow_op_nstricteq):
        (JSC::JIT::emitSlow_op_to_number):
        (JSC::JIT::emitSlow_op_to_string):
        (JSC::JIT::emitSlow_op_create_this):
        (JSC::JIT::emitSlow_op_to_this):
        (JSC::JIT::emitSlow_op_check_tdz):
        (JSC::JIT::emitSlow_op_has_indexed_property):
        (JSC::JIT::emitSlow_op_get_direct_pname):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id_with_this):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::emitSlow_op_resolve_scope):
        (JSC::JIT::emitSlow_op_get_from_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id_with_this):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::emitSlow_op_resolve_scope):
        (JSC::JIT::emitSlow_op_get_from_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):

2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Clean up baseline slow path
        https://bugs.webkit.org/show_bug.cgi?id=178646

        Reviewed by Saam Barati.

        If the given op is just calling a slow path function, we should use DEFINE_SLOW_OP instead.
        It is good since (1) we can reduce the manual emitting code and (2) it can clarify which
        function is implemented as a slow path call. This patch is an attempt to reduce 32bit specific
        code in baseline JIT.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_pow): Deleted.
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_strcat): Deleted.
        (JSC::JIT::emit_op_push_with_scope): Deleted.
        (JSC::JIT::emit_op_assert): Deleted.
        (JSC::JIT::emit_op_create_lexical_environment): Deleted.
        (JSC::JIT::emit_op_throw_static_error): Deleted.
        (JSC::JIT::emit_op_new_array_with_spread): Deleted.
        (JSC::JIT::emit_op_spread): Deleted.
        (JSC::JIT::emit_op_get_enumerable_length): Deleted.
        (JSC::JIT::emit_op_has_generic_property): Deleted.
        (JSC::JIT::emit_op_get_property_enumerator): Deleted.
        (JSC::JIT::emit_op_to_index_string): Deleted.
        (JSC::JIT::emit_op_create_direct_arguments): Deleted.
        (JSC::JIT::emit_op_create_scoped_arguments): Deleted.
        (JSC::JIT::emit_op_create_cloned_arguments): Deleted.
        (JSC::JIT::emit_op_create_rest): Deleted.
        (JSC::JIT::emit_op_unreachable): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_strcat): Deleted.
        (JSC::JIT::emit_op_push_with_scope): Deleted.
        (JSC::JIT::emit_op_assert): Deleted.
        (JSC::JIT::emit_op_create_lexical_environment): Deleted.
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val_with_this): Deleted.
        (JSC::JIT::emit_op_get_by_val_with_this): Deleted.
        (JSC::JIT::emit_op_put_by_id_with_this): Deleted.
        (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): Deleted.
        (JSC::JIT::emit_op_define_data_property): Deleted.
        (JSC::JIT::emit_op_define_accessor_property): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): Deleted.
        (JSC::JIT::emit_op_get_by_val_with_this): Deleted.
        (JSC::JIT::emit_op_put_by_id_with_this): Deleted.
        (JSC::JIT::emit_op_put_by_val_with_this): Deleted.

2017-10-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused Console.setMonitoringXHREnabled
        https://bugs.webkit.org/show_bug.cgi?id=178617

        Reviewed by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed.
        * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed.
        * inspector/protocol/Console.json:
        Removed files and method.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        This can use the base ConsoleAgent now.

2017-10-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove per-host-function CTI stub in 32bit environment
        https://bugs.webkit.org/show_bug.cgi?id=178581

        Reviewed by Saam Barati.

        JIT::privateCompileCTINativeCall only exists in 32bit environment and it is almost the same to native call CTI stub.
        The only difference is that it embed the address of the host function directly in the generated stub. This means
        that we have per-host-function CTI stub only in 32bit environment.

        This patch just removes it and use one CTI stub instead. This design is the same to the current 64bit implementation.

        * jit/JIT.cpp:
        (JSC::JIT::compileCTINativeCall): Deleted.
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTINativeCall): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall): Deleted.
        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):

2017-10-20  Antoine Quint  <graouts@apple.com>

        [Web Animations] Provide basic timeline and animation interfaces
        https://bugs.webkit.org/show_bug.cgi?id=178526

        Reviewed by Dean Jackson.

        Remove the WEB_ANIMATIONS compile-time flag.

        * Configurations/FeatureDefines.xcconfig:

2017-10-20  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r223744, r223750, and r223751.
        https://bugs.webkit.org/show_bug.cgi?id=178594

        These caused consistent failures in test that existed and were
        added in the patches. (Requested by mlewis13 on #webkit).

        Reverted changesets:

        "[JSC] ScriptFetcher should be notified directly from module
        pipeline"
        https://bugs.webkit.org/show_bug.cgi?id=178340
        https://trac.webkit.org/changeset/223744

        "Unreviewed, fix changed line number in test expect files"
        https://bugs.webkit.org/show_bug.cgi?id=178340
        https://trac.webkit.org/changeset/223750

        "Unreviewed, follow up to reflect comments"
        https://bugs.webkit.org/show_bug.cgi?id=178340
        https://trac.webkit.org/changeset/223751

2017-10-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, follow up to reflect comments
        https://bugs.webkit.org/show_bug.cgi?id=178340

        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::notifyCompleted):

2017-10-20  Saam Barati  <sbarati@apple.com>

        Optimize accesses to how we get the direct prototype
        https://bugs.webkit.org/show_bug.cgi?id=178548

        Reviewed by Yusuke Suzuki.

        This patch makes JSObject::getPrototypeDirect take VM& as a parameter
        so it can use the faster version of the structure accessor function.
        The reason for making this change is that JSObjet::getPrototypeDirect
        is called on the hot path in property lookup.

        * API/JSObjectRef.cpp:
        (JSObjectGetPrototype):
        * jsc.cpp:
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
        (WTF::DOMJITGetterBaseJSObject::customGetter):
        (functionCreateProxy):
        * runtime/ArrayPrototype.cpp:
        (JSC::speciesWatchpointIsValid):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::sanitizedToString):
        * runtime/JSArray.cpp:
        (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::lastInPrototypeChain):
        (JSC::JSGlobalObject::resetPrototype):
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSGlobalObjectInlines.h:
        (JSC::JSGlobalObject::objectPrototypeIsSane):
        (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
        (JSC::JSGlobalObject::stringPrototypeChainIsSane):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
        * runtime/JSMap.cpp:
        (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
        * runtime/JSObject.cpp:
        (JSC::JSObject::calculatedClassName):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::getPrototype):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
        (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
        (JSC::JSObject::prototypeChainMayInterceptStoreTo):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        (JSC::JSObject::getPrototypeDirect const):
        (JSC::JSObject::getPrototype):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::canPerformFastPutInline):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::getNonIndexPropertySlot):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setTarget):
        * runtime/JSSet.cpp:
        (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/StructureInlines.h:
        (JSC::Structure::isValid const):

2017-10-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ARM64] static_cast<int32_t>() in BinaryOpNode::emitBytecode() prevents op_unsigned emission
        https://bugs.webkit.org/show_bug.cgi?id=178379

        Reviewed by Saam Barati.

        We reuse jsNumber's checking mechanism here to precisely check the generated number is within uint32_t
        in bytecode compiler. This is reasonable since the NumberNode will generate the exact this JSValue.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):

2017-10-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] ScriptFetcher should be notified directly from module pipeline
        https://bugs.webkit.org/show_bug.cgi?id=178340

        Reviewed by Sam Weinig.

        Previously, we use JSStdFunction to let WebCore inform the module pipeline results.
        We setup JSStdFunction to the resulted promise of the module pipeline. It is super
        ad-hoc since JSStdFunction's lambda need extra-careful to make it non-cyclic-referenced.
        JSStdFunction's lambda can capture variables, but they are not able to be marked by GC.

        But now, we have ScriptFetcher. It is introduced after we implemented the module pipeline
        notification mechanism by using JSStdFunction. But it is appropriate one to receive notification
        from the module pipeline by observer style.

        This patch removes the above ad-hoc JSStdFunction use. And now ScriptFetcher receives
        completion/failure notifications from the module pipeline.

        * builtins/ModuleLoaderPrototype.js:
        (loadModule):
        (loadAndEvaluateModule):
        * runtime/Completion.cpp:
        (JSC::loadModule):
        * runtime/Completion.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::jsValueToModuleKey):
        (JSC::JSModuleLoader::notifyCompleted):
        (JSC::JSModuleLoader::notifyFailed):
        * runtime/JSModuleLoader.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeNotifyCompleted):
        (JSC::moduleLoaderPrototypeNotifyFailed):
        * runtime/ScriptFetcher.h:
        (JSC::ScriptFetcher::notifyLoadCompleted):
        (JSC::ScriptFetcher::notifyLoadFailed):

2017-10-19  JF Bastien  <jfbastien@apple.com>

        WebAssembly: no VM / JS version of everything but Instance
        https://bugs.webkit.org/show_bug.cgi?id=177473

        Reviewed by Filip Pizlo, Saam Barati.

        This change entails cleaning up and splitting a bunch of code which we had
        intertwined between C++ classes which represent JS objects, and pure C++
        implementation objects. This specific change goes most of the way towards
        allowing JSC's WebAssembly to work without VM / JS, up to but excluding
        JSWebAssemblyInstance (there's Wasm::Instance, but it's not *the* thing
        yet). Because of this we still have a few FIXME identifying places that need to
        change. A follow-up change will go the rest of the way.

        I went about this change in the simplest way possible: grep the
        JavaScriptCore/wasm directory for "JS[^C_]" as well as "VM" and exclude the /js/
        sub-directory (which contains the JS implementation of WebAssembly).

        None of this change removes the need for a JIT entitlement to be able to use
        WebAssembly. We don't have an interpreter, the process therefore still needs to
        be allowed to JIT to use these pure-C++ APIs.

        Interesting things to note:

          - Remove VM from Plan and associated places. It can just live as a capture in
            the callback lambda if it's needed.
          - Wasm::Memory shouldn't require a VM. It was only used to ask the GC to
            collect. We now instead pass two lambdas at construction time for this
            purpose: one to notify of memory pressure, and the other to ask for
            syncrhonous memory reclamation. This allows whoever creates the memory to
            dictate how to react to both these cases, and for a JS embedding that's to
            call the GC (async or sync, respectively).
          - Move grow logic from JSWebAssemblyMemory to Wasm::Memory::grow. Use Expected
            there, with an enum class for failure types.
          - Exceeding max on memory growth now returns a range error as per spec. This
            is a (very minor) breaking change: it used to throw OOM error. Update the
            corresponding test.
          - When generating the grow_memory opcode, no need to get the VM. Instead,
            reach directly for Wasm::Memory and grow it.
          - JSWebAssemblyMemory::grow can now always throw on failure, because it's only
            ever called from JS (not from grow_memory as before).
          - Wasm::Memory now takes a callback for successful growth. This allows JS
            wrappers to register themselves when growth succeeds without Wasm::Memory
            knowning anything about JS. It'll also allow creating a list of callbacks
            for when we add thread support (we'll want to notify many wrappers, all
            under a lock).
          - Wasm::Memory is now back to being the source of truth about address / size,
            used directly by generated code instead of JSWebAssemblyMemory.
          - Move wasmToJS from the general WasmBinding header to its own header under
            wasm/js. It's only used by wasm/js/JSWebAssemblyCodeBlock.cpp, and uses VM,
            and therefore isn't general WebAssembly.
          - Make Wasm::Context an actual type (just a struct holding a
            JSWebAssemlyInstance for now) instead of an alias for that. Notably this
            doesn't add anything to the Context and doesn't change what actually gets
            passed around in JIT code (fast TLS or registers) because these changes
            potentially impact performance. The entire purpose of this change is to
            allow passing Wasm::Context around without having to know about VM. Since VM
            contains a Wasm::Context the JS embedding is effectively the same, but with
            this setup a non-JS embedding is much better off.
          - Move JSWebAssembly into the JS folder.
          - OMGPlan: use Wasm::CodeBlock directly instead of JSWebAssemblyCodeBlock.
          - wasm->JS stubs are now on the instance's tail as raw pointers, instead of
            being on JSWebAssemblyCodeBlock, and are now called wasm->Embedder
            stubs. The owned reference is still on JSWebAssemblyCodeBlock, and is still
            called wasm->JS stub. This move means that the embedder must, after creating
            a Wasm::CodeBlock, somehow create the stubs to call back into the
            embedder. This removes an indirection in the generated code because
            the B3 IR generator now reaches into the instance instead of
            JSWebAssemblyCodeBlock.
          - Move more CodeBlock things. Compilation completion is now marked by its own
            atomic<bool> flag instead of a nullptr plan: that required using a lock, and
            was causing a deadlock in stack-trace.js because before my changes
            JSWebAssemblyCodeBlock did its own completion checking separately from
            Wasm::CodeBlock, without getting the lock. Now that everything points to
            Wasm::CodeBlock and there's no cached completion marker, the lock was being
            acquired in a sanity-check assertion.
          - Embedder -> Wasm wrappers are now generated through a function that's passed
            in at compilation time, instead of being hard-coded as a JS -> Wasm wrapper.
          - WasmMemory doens't need to know about fault handling thunks. Only the IR
            generator should know, and should make sure that the exception throwing
            thunk is generated if any memory is present (note: with signal handling not
            all of them generate an exception check).
          - Make exception throwing pluggable: instead of having a hard-coded
            JS-specific lambda we now have a regular C++ function being called from JIT
            code when a WebAssembly exception is thrown. This allows any embedder to get
            called as they wish. For now a process can only have a single of these
            functions (i.e. only one embedder per process) because the trap handler is a
            singleton. That can be fixed in in #177475.
          - Create WasmEmbedder.h where all embedder plugging will live.
          - Split up JSWebAssemblyTable into Wasm::Table which is
            refcounted. JSWebAssemblyTable now only contains the JS functions in the
            table, and Wasm::Table is what's used by the JIT code to lookup where to
            call and do the instance check (for context switch). Note that this creates
            an extra allocation for all the instances in Wasm::Table, and in exchange
            removes an indirection in JIT code because the instance used to be obtained
            off of the JS function. Also note that it's the embedder than keeps the
            instances alive, not Wasm::Table (which holds a dumb pointer to the
            instance), because doing otherwise would cause reference cycles.
           - Add WasmInstance. It doesn't do much for now, owns globals.
           - JSWebAssembly instance now doesn't just contain the imported functions as
             JSObjects, it also has the corresponding import's instance and wasm
             entrypoint. This triples the space allocated per instance's imported
             function, but there shouldn't be that many imports. This has two upsides: it
             creates smaller and faster code, and makes is easier to disassociate
             embedder-specific things from embedder-neutral things. The small / faster
             win is in two places: B3 IR generator only needs offsetOfImportFunction for
             the call opcode (when the called index is an import) to know whether the
             import is wasm->wasm or wasm->embedder (this isn't known at compile-time
             because it's dependent on the import object), this is now done by seeing if
             that import function has an associated target instance (only wasm->wasm
             does); the other place is wasmBinding which uses offsetOfImportFunction to
             figure out the wasm->wasm target instance, and then gets
             WebAssemblyFunction::offsetOfWasmEntrypointLoadLocation to do a tail
             call. The disassociation comes because the target instance can be
             Wasm::Instance once we change what the Context is, and
             WasmEntrypointLoadLocation is already embedder-independent. As a next step I
             can move this tail allocation from JSWebAssemblyInstance to Wasm::Instance,
             and leave importFunction in as an opaque pointer which is embedder-specific,
             and in JS will remain WriteBarrier<JSObject>.
           - Rename VMEntryFrame to EntryFrame, and in many places pass a pointer to it
             around instead of VM. This is a first step in allowing entry frames which
             aren't stored on VM, but which are instead stored in an embedder-specific
             location. That change won't really affect JS except through code churn, but
             will allow WebAssembly to use some machinery in a generic manner without
             having a VM.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        * debugger/Debugger.cpp:
        (JSC::Debugger::stepOutOfFunction):
        (JSC::Debugger::returnEvent):
        (JSC::Debugger::unwindEvent):
        (JSC::Debugger::didExecuteProgram):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExit::compileExit):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::wasmAwareLexicalGlobalObject):
        (JSC::CallFrame::callerFrame):
        (JSC::CallFrame::unsafeCallerFrame):
        * interpreter/CallFrame.h:
        (JSC::ExecState::callerFrame const):
        (JSC::ExecState::callerFrameOrEntryFrame const):
        (JSC::ExecState::unsafeCallerFrameOrEntryFrame const):
        * interpreter/FrameTracers.h:
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
        (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::operator() const):
        (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
        (JSC::Interpreter::unwind):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):
        (JSC::StackVisitor::gotoNextFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        (JSC::StackVisitor::Frame::dump const):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::Frame::callerIsEntryFrame const):
        * interpreter/VMEntryRecord.h:
        (JSC::VMEntryRecord::prevTopEntryFrame):
        (JSC::VMEntryRecord::unsafePrevTopEntryFrame):
        (JSC::EntryFrame::vmEntryRecordOffset):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
        (JSC::AssemblyHelpers::loadWasmContextInstance):
        (JSC::AssemblyHelpers::storeWasmContextInstance):
        (JSC::AssemblyHelpers::loadWasmContextInstanceNeedsMacroScratchRegister):
        (JSC::AssemblyHelpers::storeWasmContextInstanceNeedsMacroScratchRegister):
        (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
        (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_catch):
        * jit/JITOperations.cpp:
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::nativeForGenerator):
        * jsc.cpp:
        (functionDumpCallFrame):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntThunks.cpp:
        (JSC::vmEntryRecord):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::FrameWalker):
        (JSC::FrameWalker::advanceToParentFrame):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/ThrowScope.cpp:
        (JSC::ThrowScope::~ThrowScope):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        (JSC::VM::topEntryFrameOffset):
        * runtime/VMTraps.cpp:
        (JSC::isSaneFrame):
        (JSC::VMTraps::tryInstallTrapBreakpoints):
        (JSC::VMTraps::invalidateCodeBlocksOnStack):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::addGrowMemory):
        (JSC::Wasm::B3IRGenerator::addCurrentMemory):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::BBQPlan):
        (JSC::Wasm::BBQPlan::compileFunctions):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBBQPlan.h:
        * wasm/WasmBBQPlanInlines.h:
        (JSC::Wasm::BBQPlan::initializeCallees):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmBinding.h:
        * wasm/WasmCodeBlock.cpp:
        (JSC::Wasm::CodeBlock::create):
        (JSC::Wasm::CodeBlock::CodeBlock):
        (JSC::Wasm::CodeBlock::compileAsync):
        (JSC::Wasm::CodeBlock::setCompilationFinished):
        * wasm/WasmCodeBlock.h:
        (JSC::Wasm::CodeBlock::offsetOfImportStubs):
        (JSC::Wasm::CodeBlock::allocationSize):
        (JSC::Wasm::CodeBlock::importWasmToEmbedderStub):
        (JSC::Wasm::CodeBlock::offsetOfImportWasmToEmbedderStub):
        (JSC::Wasm::CodeBlock::wasmToJSCallStubForImport):
        (JSC::Wasm::CodeBlock::compilationFinished):
        (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
        (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
        * wasm/WasmContext.cpp:
        (JSC::Wasm::Context::useFastTLS):
        (JSC::Wasm::Context::load const):
        (JSC::Wasm::Context::store):
        * wasm/WasmContext.h:
        * wasm/WasmEmbedder.h: Copied from Source/JavaScriptCore/wasm/WasmContext.h.
        * wasm/WasmFaultSignalHandler.cpp:
        * wasm/WasmFaultSignalHandler.h:
        * wasm/WasmFormat.h:
        * wasm/WasmInstance.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
        (JSC::Wasm::Instance::Instance):
        (JSC::Wasm::Instance::~Instance):
        (JSC::Wasm::Instance::extraMemoryAllocated const):
        * wasm/WasmInstance.h: Added.
        (JSC::Wasm::Instance::create):
        (JSC::Wasm::Instance::finalizeCreation):
        (JSC::Wasm::Instance::module):
        (JSC::Wasm::Instance::codeBlock):
        (JSC::Wasm::Instance::memory):
        (JSC::Wasm::Instance::table):
        (JSC::Wasm::Instance::loadI32Global const):
        (JSC::Wasm::Instance::loadI64Global const):
        (JSC::Wasm::Instance::loadF32Global const):
        (JSC::Wasm::Instance::loadF64Global const):
        (JSC::Wasm::Instance::setGlobal):
        (JSC::Wasm::Instance::offsetOfCachedStackLimit):
        (JSC::Wasm::Instance::cachedStackLimit const):
        (JSC::Wasm::Instance::setCachedStackLimit):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::Memory):
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::~Memory):
        (JSC::Wasm::Memory::grow):
        * wasm/WasmMemory.h:
        (JSC::Wasm::Memory::offsetOfMemory):
        (JSC::Wasm::Memory::offsetOfSize):
        * wasm/WasmMemoryInformation.cpp:
        (JSC::Wasm::PinnedRegisterInfo::get):
        (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
        * wasm/WasmMemoryInformation.h:
        (JSC::Wasm::PinnedRegisterInfo::toSave const):
        * wasm/WasmMemoryMode.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
        (JSC::Wasm::makeString):
        * wasm/WasmMemoryMode.h: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
        * wasm/WasmModule.cpp:
        (JSC::Wasm::makeValidationCallback):
        (JSC::Wasm::Module::validateSync):
        (JSC::Wasm::Module::validateAsync):
        (JSC::Wasm::Module::getOrCreateCodeBlock):
        (JSC::Wasm::Module::compileSync):
        (JSC::Wasm::Module::compileAsync):
        * wasm/WasmModule.h:
        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parseTableHelper):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::OMGPlan):
        (JSC::Wasm::OMGPlan::runForIndex):
        * wasm/WasmOMGPlan.h:
        * wasm/WasmPageCount.h:
        (JSC::Wasm::PageCount::isValid const):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan):
        (JSC::Wasm::Plan::runCompletionTasks):
        (JSC::Wasm::Plan::addCompletionTask):
        (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
        * wasm/WasmPlan.h:
        (JSC::Wasm::Plan::dontFinalize):
        * wasm/WasmSignature.cpp:
        * wasm/WasmSignature.h:
        * wasm/WasmTable.cpp: Added.
        (JSC::Wasm::Table::create):
        (JSC::Wasm::Table::~Table):
        (JSC::Wasm::Table::Table):
        (JSC::Wasm::Table::grow):
        (JSC::Wasm::Table::clearFunction):
        (JSC::Wasm::Table::setFunction):
        * wasm/WasmTable.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h.
        (JSC::Wasm::Table::maximum const):
        (JSC::Wasm::Table::size const):
        (JSC::Wasm::Table::offsetOfSize):
        (JSC::Wasm::Table::offsetOfFunctions):
        (JSC::Wasm::Table::offsetOfInstances):
        (JSC::Wasm::Table::isValidSize):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        (JSC::Wasm::triggerOMGTierUpThunkGenerator):
        (JSC::Wasm::Thunks::setThrowWasmException):
        (JSC::Wasm::Thunks::throwWasmException):
        * wasm/WasmThunks.h:
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::Worklist::stopAllPlansForContext):
        * wasm/WasmWorklist.h:
        * wasm/js/JSToWasm.cpp: Added.
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/JSToWasm.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
        * wasm/js/JSWebAssembly.cpp: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.cpp.
        * wasm/js/JSWebAssembly.h: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.h.
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::create):
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
        (JSC::JSWebAssemblyInstance::finishCreation):
        (JSC::JSWebAssemblyInstance::visitChildren):
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::instance):
        (JSC::JSWebAssemblyInstance::context const):
        (JSC::JSWebAssemblyInstance::table):
        (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee):
        (JSC::JSWebAssemblyInstance::setMemory):
        (JSC::JSWebAssemblyInstance::offsetOfTail):
        (JSC::JSWebAssemblyInstance::importFunctionInfo):
        (JSC::JSWebAssemblyInstance::offsetOfTargetInstance):
        (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint):
        (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
        (JSC::JSWebAssemblyInstance::importFunction):
        (JSC::JSWebAssemblyInstance::internalMemory):
        (JSC::JSWebAssemblyInstance::wasmCodeBlock const):
        (JSC::JSWebAssemblyInstance::offsetOfWasmTable):
        (JSC::JSWebAssemblyInstance::offsetOfCallee):
        (JSC::JSWebAssemblyInstance::offsetOfGlobals):
        (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock):
        (JSC::JSWebAssemblyInstance::offsetOfWasmMemory):
        (JSC::JSWebAssemblyInstance::cachedStackLimit const):
        (JSC::JSWebAssemblyInstance::setCachedStackLimit):
        (JSC::JSWebAssemblyInstance::wasmMemory):
        (JSC::JSWebAssemblyInstance::wasmModule):
        (JSC::JSWebAssemblyInstance::allocationSize):
        (JSC::JSWebAssemblyInstance::module const):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::create):
        (JSC::JSWebAssemblyMemory::adopt):
        (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
        (JSC::JSWebAssemblyMemory::grow):
        (JSC::JSWebAssemblyMemory::growSuccessCallback):
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::moduleInformation const):
        (JSC::JSWebAssemblyModule::exportSymbolTable const):
        (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace const):
        (JSC::JSWebAssemblyModule::callee const):
        (JSC::JSWebAssemblyModule::codeBlock):
        (JSC::JSWebAssemblyModule::module):
        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::create):
        (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
        (JSC::JSWebAssemblyTable::visitChildren):
        (JSC::JSWebAssemblyTable::grow):
        (JSC::JSWebAssemblyTable::getFunction):
        (JSC::JSWebAssemblyTable::clearFunction):
        (JSC::JSWebAssemblyTable::setFunction):
        * wasm/js/JSWebAssemblyTable.h:
        (JSC::JSWebAssemblyTable::isValidSize):
        (JSC::JSWebAssemblyTable::maximum const):
        (JSC::JSWebAssemblyTable::size const):
        (JSC::JSWebAssemblyTable::table):
        * wasm/js/WasmToJS.cpp: Copied from Source/JavaScriptCore/wasm/WasmBinding.cpp.
        (JSC::Wasm::materializeImportJSCell):
        (JSC::Wasm::wasmToJS):
        (JSC::Wasm::wasmToJSException):
        * wasm/js/WasmToJS.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        (JSC::webAssemblyMemoryProtoFuncGrow):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::constructJSWebAssemblyModule):
        (JSC::WebAssemblyModuleConstructor::createModule):
        * wasm/js/WebAssemblyModuleConstructor.h:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyCompileFunc):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::webAssemblyValidateFunc):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::constructJSWebAssemblyTable):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::create):

2017-10-19  Mark Lam  <mark.lam@apple.com>

        Stringifier::appendStringifiedValue() is missing an exception check.
        https://bugs.webkit.org/show_bug.cgi?id=178386
        <rdar://problem/35027610>

        Reviewed by Saam Barati.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):

2017-10-19  Saam Barati  <sbarati@apple.com>

        REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning: comparison is always false due to limited range of data type [-Wtype-limits]
        https://bugs.webkit.org/show_bug.cgi?id=178543

        Reviewed by Filip Pizlo.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):

2017-10-19  Saam Barati  <sbarati@apple.com>

        re-inline ObjectAllocationProfile::initializeProfile
        https://bugs.webkit.org/show_bug.cgi?id=178532

        Rubber stamped by Michael Saboff.

        I un-inlined this function when implementing poly proto.
        This patch re-inlines it. In my testing, it looks like it
        might be a 0.5% speedometer progression to inline it.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/CodeBlock.cpp:
        * bytecode/ObjectAllocationProfile.cpp: Removed.
        * bytecode/ObjectAllocationProfileInlines.h: Copied from Source/JavaScriptCore/bytecode/ObjectAllocationProfile.cpp.
        (JSC::ObjectAllocationProfile::initializeProfile):
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * runtime/FunctionRareData.cpp:

2017-10-19  Michael Saboff  <msaboff@apple.com>

        Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
        https://bugs.webkit.org/show_bug.cgi?id=178521

        Reviewed by JF Bastien.

        * ucd/emoji-data.txt: Replaced with the Unicode Emoji 5.0 version of the file as that is the most recent
        standard version.  The prior version was the draft 6.0 version.

2017-10-19  Saam Barati  <sbarati@apple.com>

        We should hard code the poly proto offset
        https://bugs.webkit.org/show_bug.cgi?id=178531

        Reviewed by Filip Pizlo.

        This patch embraces that the poly proto offset is always zero. It's already
        the case that we would always get the inline offset zero for poly proto just
        by construction. This just hardcodes this assumption throughout the codebase.
        This appears to be a 1% speedometer progression in my testing.
        
        The downside of this patch is that it may require changing how we do
        things when we implement poly proto when inheriting from builtin
        types. I think we can face this problem when we decide to implement
        that.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_instanceof):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeDirect):
        * runtime/JSObject.h:
        (JSC::JSObject::locationForOffset const):
        (JSC::JSObject::locationForOffset):
        (JSC::JSObject::getDirect const):
        * runtime/PropertyOffset.h:
        * runtime/Structure.cpp:
        (JSC::Structure::create):
        (JSC::Structure::dump const):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::storedPrototype const):
        (JSC::Structure::storedPrototypeObject const):

2017-10-19  Saam Barati  <sbarati@apple.com>

        Turn various poly proto RELEASE_ASSERTs into ASSERTs because they're on the hot path in speedometer
        https://bugs.webkit.org/show_bug.cgi?id=178529

        Reviewed by Mark Lam.

        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::storedPrototypeObject const):
        (JSC::Structure::storedPrototypeStructure const):
        (JSC::Structure::storedPrototype const):
        (JSC::Structure::prototypeForLookup const):
        (JSC::Structure::prototypeChain const):

2017-10-19  Saam Barati  <sbarati@apple.com>

        Turn poly proto back on by default and remove the option
        https://bugs.webkit.org/show_bug.cgi?id=178525

        Reviewed by Mark Lam.

        I added this option because I thought it'd speed speedometer up because the
        original poly proto patch slowed speedometer down. It turns out that
        allocating poly proto objects is not what slows speedometer down. It's
        other code I added in the runtime that needs to be poly proto aware. I'll
        be addressing these in follow up patches.

        * runtime/Options.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::shouldConvertToPolyProto):

2017-10-19  Robin Morisset  <rmorisset@apple.com>

        Turn recursive tail calls into loops
        https://bugs.webkit.org/show_bug.cgi?id=176601

        Reviewed by Saam Barati.

        We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
        One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
        Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
        We do this part through modifying the computation of the jump targets.
        Importantly, we only do this splitting for functions that have tail calls.
        It is the only case where the optimisation is sound, and doing the splitting unconditionnaly destroys performance on Octane/raytrace.

        We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
        The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasTailCalls const):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::getJumpTargetsForBytecodeOffset):
        (JSC::computePreciseJumpTargetsInternal):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::hasTailCalls const):
        (JSC::UnlinkedCodeBlock::setHasTailCalls):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnter):
        (JSC::BytecodeGenerator::emitCallInTailPosition):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
        (JSC::DFG::ByteCodeParser::makeBlockTargetable):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):

2017-10-18  Mark Lam  <mark.lam@apple.com>

        RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
        https://bugs.webkit.org/show_bug.cgi?id=177600
        <rdar://problem/34710985>

        Reviewed by Saam Barati.

        According to http://www.ecma-international.org/ecma-262/8.0/#sec-validateandapplypropertydescriptor,
        section 9.1.6.3-7.a.ii, we should only check if the value is the same if the
        descriptor value is present.

        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::defineOwnProperty):

2017-10-18  Keith Miller  <keith_miller@apple.com>

        Setup WebCore build to start using unified sources.
        https://bugs.webkit.org/show_bug.cgi?id=178362

        Reviewed by Tim Horton.

        Change comments in source list files. Also, pass explicit names for build files.

        * CMakeLists.txt:
        * PlatformGTK.cmake:
        * PlatformMac.cmake:
        * Sources.txt:
        * SourcesGTK.txt:
        * SourcesMac.txt:

2017-10-18  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r223321.
        https://bugs.webkit.org/show_bug.cgi?id=178476

        This protocol change broke some internal builds (Requested by
        brrian__ on #webkit).

        Reverted changeset:

        "Web Inspector: provide a way to enable/disable event
        listeners"
        https://bugs.webkit.org/show_bug.cgi?id=177451
        https://trac.webkit.org/changeset/223321

2017-10-18  Mark Lam  <mark.lam@apple.com>

        The compiler should always register a structure when it adds its transitionWatchPointSet.
        https://bugs.webkit.org/show_bug.cgi?id=178420
        <rdar://problem/34814024>

        Reviewed by Saam Barati and Filip Pizlo.

        Instead of invoking addLazily() to add a structure's transitionWatchpointSet, we
        now invoke Graph::registerAndWatchStructureTransition() on the structure.
        registerAndWatchStructureTransition() both registers the structure and add its
        transitionWatchpointSet to the plan desired watchpoints.

        Graph::registerAndWatchStructureTransition() is based on Graph::registerStructure()
        except registerAndWatchStructureTransition() adds the structure's
        transitionWatchpointSet unconditionally.

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::registerAndWatchStructureTransition):
        * dfg/DFGGraph.h:

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        - The second set of addLazily()s is redundant.  This set is executed only when
          prototypeChainIsSane is true, and prototypeChainIsSane can only be true if and
          only if we've executed the if statement above it.  That preceding if statement
          already registerAndWatchStructureTransition() the same 2 structures.  Hence,
          this second set can be deleted.

        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::addLazily):
        - Deleted an unused function.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):

2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove unused private name structure
        https://bugs.webkit.org/show_bug.cgi?id=178436

        Reviewed by Sam Weinig.

        It is no longer used. This patch just removes it.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::numberObjectStructure const):
        (JSC::JSGlobalObject::privateNameStructure const): Deleted.

2017-10-18  Ryosuke Niwa  <rniwa@webkit.org>

        Fix macOS and iOS builds after r223594.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] __proto__ getter should be fast
        https://bugs.webkit.org/show_bug.cgi?id=178067

        Reviewed by Saam Barati.

        In our ES6 class implementation, we access __proto__ field to retrieve super constructor.
        Currently, it is handled as an usual getter call to a generic function. And DFG just emits
        Call node for this. It is inefficient since typically we know the `prototype` of the given
        object when accessing `object.__proto__` since we emit CheckStructure for this `object`.
        If Structure has mono proto, we can immediately fold it to constant value. If it is poly proto,
        we can still change this to efficient access to poly proto slot.

        This patch implements GetPrototypeOf DFG node. This node efficiently accesses to prototype of
        the given object. And in AI and ByteCodeParser phase, we attempt to fold it to constant.
        ByteCodeParser's folding is a bit important since we have `callee.__proto__` code to get super
        constructor. If we can change this to constant, we can reify CallLinkInfo with this constant.
        This paves the way to optimizing ArrayConstructor super calls[1], which is particularly important
        for ARES-6 ML.

        And we also optimize Reflect.getPrototypeOf and Object.getPrototypeOf with this GetPrototypeOf node.

        Currently, __proto__ access for poly proto object is not handled well in IC. But we add code handling
        poly proto in GetPrototypeOf since Reflect.getPrototypeOf and Object.getPrototypeOf can use it.
        Once IC starts handling poly proto & intrinsic getter well, this code will be used for that too.

        This patch improves SixSpeed super.es6 by 3.42x.

                                 baseline                  patched

        super.es6           123.6666+-3.9917     ^     36.1684+-1.0351        ^ definitely 3.4192x faster

        [1]: https://bugs.webkit.org/show_bug.cgi?id=178064

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
        (JSC::DFG::ByteCodeParser::handleGetById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::shouldSpeculateFunction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateFunction):
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        * jit/IntrinsicEmitter.cpp:
        (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
        (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
        * jit/JITOperations.h:
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::booleanObjectStructure const):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoGetter):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/ObjectConstructor.cpp:
        * runtime/ReflectObject.cpp:

2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r223523.

        A test for this change is failing on debug JSC bots.

        Reverted changeset:

        "[JSC] __proto__ getter should be fast"
        https://bugs.webkit.org/show_bug.cgi?id=178067
        https://trac.webkit.org/changeset/223523

2017-10-17  Youenn Fablet  <youenn@apple.com>

        Add preliminary support for fetch event
        https://bugs.webkit.org/show_bug.cgi?id=178171

        Reviewed by Chris Dumez.

        Adding events

        * runtime/JSPromise.h:

2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] __proto__ getter should be fast
        https://bugs.webkit.org/show_bug.cgi?id=178067

        Reviewed by Saam Barati.

        In our ES6 class implementation, we access __proto__ field to retrieve super constructor.
        Currently, it is handled as an usual getter call to a generic function. And DFG just emits
        Call node for this. It is inefficient since typically we know the `prototype` of the given
        object when accessing `object.__proto__` since we emit CheckStructure for this `object`.
        If Structure has mono proto, we can immediately fold it to constant value. If it is poly proto,
        we can still change this to efficient access to poly proto slot.

        This patch implements GetPrototypeOf DFG node. This node efficiently accesses to prototype of
        the given object. And in AI and ByteCodeParser phase, we attempt to fold it to constant.
        ByteCodeParser's folding is a bit important since we have `callee.__proto__` code to get super
        constructor. If we can change this to constant, we can reify CallLinkInfo with this constant.
        This paves the way to optimizing ArrayConstructor super calls[1], which is particularly important
        for ARES-6 ML.

        And we also optimize Reflect.getPrototypeOf and Object.getPrototypeOf with this GetPrototypeOf node.

        Currently, __proto__ access for poly proto object is not handled well in IC. But we add code handling
        poly proto in GetPrototypeOf since Reflect.getPrototypeOf and Object.getPrototypeOf can use it.
        Once IC starts handling poly proto & intrinsic getter well, this code will be used for that too.

        This patch improves SixSpeed super.es6 by 3.42x.

                                 baseline                  patched

        super.es6           123.6666+-3.9917     ^     36.1684+-1.0351        ^ definitely 3.4192x faster

        [1]: https://bugs.webkit.org/show_bug.cgi?id=178064

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
        (JSC::DFG::ByteCodeParser::handleGetById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::shouldSpeculateFunction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateFunction):
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        * jit/IntrinsicEmitter.cpp:
        (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
        (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoGetter):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/ObjectConstructor.cpp:
        * runtime/ReflectObject.cpp:

2017-10-17  Keith Miller  <keith_miller@apple.com>

        Change WebCore sources to work with unified source builds
        https://bugs.webkit.org/show_bug.cgi?id=178229

        Rubber stamped by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2017-10-15  Filip Pizlo  <fpizlo@apple.com>

        Make some asserts into release asserts
        https://bugs.webkit.org/show_bug.cgi?id=178324

        Reviewed by Saam Barati.
        
        These asserts are not on perf critical paths, so they might as well be release asserts.

        * runtime/DataView.h:
        (JSC::DataView::get):
        (JSC::DataView::set):

2017-10-16  JF Bastien  <jfbastien@apple.com>

        JSRunLoopTimer: reduce likely race when used improperly
        https://bugs.webkit.org/show_bug.cgi?id=178298
        <rdar://problem/32899816>

        Reviewed by Saam Barati.

        If an API user sets a timer on JSRunLoopTimer, and then racily
        destroys the JSRunLoopTimer while the timer is firing then it's
        possible for timerDidFire to cause a use-after-free and / or crash
        because e.g. m_apiLock becomes a nullptr while timerDidFire is
        executing. That results from an invalid use of JSRunLoopTimer, but
        we should try to be more resilient for that type of misuse because
        it's not necessarily easy to catch by inspection.

        With this change the only remaining race is if the timer fires,
        and then only timerDidFire's prologue executes, but not the load
        of the m_apiLock pointer from `this`. It's a much smaller race.

        Separately, I'll reach out to API users who are seemingly misusing
        the API.

        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::timerDidFire): put m_apiLock on the stack,
        and checks for nullptr. This prevents loading it twice off of
        `this` and turns a nullptr deref into "just" a use-after-free.
        (JSC::JSRunLoopTimer::~JSRunLoopTimer): acquire m_apiLock before
        calling m_vm->unregisterRunLoopTimer(this), which in turn does
        CFRunLoopRemoveTimer / CFRunLoopTimerInvalidate. This prevents
        timerDidFire from doing much while the timers are un-registered.
        ~JSRunLoopTimer also needs to set m_apiLock to nullptr before
        releasing the lock, so it needs its own local copy.

2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Perform module specifier validation at parsing time
        https://bugs.webkit.org/show_bug.cgi?id=178256

        Reviewed by Darin Adler.

        This patch make module loader's `resolve` operation synchronous. And we validate
        module's requested module names when instantiating the module instead of satisfying
        module's dependencies. This change is not observable to users. But this is precise
        to the spec and this optimizes & simplifies the current module loader a bit by
        reducing object allocations.

        Previously, we have an object called pair in the module loader. This is pair of
        module's name and module's record. And we use it to link one module to dependent
        modules. Now, it is replaced with module's registry entry.

        We also change our loader functions to take a registry entry instead of a module key.
        Previous design is due to the consideration that these APIs may be exposed to users
        in whatwg/loader spec. However, this won't happen. This change removes unnecessary
        repeatedly hash map lookups.

        * builtins/ModuleLoaderPrototype.js:
        (globalPrivate.newRegistryEntry):
        (requestFetch):
        (requestInstantiate):
        (requestSatisfy):
        (link):
        (moduleEvaluation):
        (loadModule):
        * jsc.cpp:
        (GlobalObject::moduleLoaderResolve):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::finishCreation):
        (JSC::AbstractModuleRecord::hostResolveImportedModule):
        * runtime/JSGlobalObject.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::resolveSync):
        (JSC::JSModuleLoader::resolve):
        * runtime/JSModuleLoader.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeResolveSync):

2017-10-14  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: provide a way to enable/disable event listeners
        https://bugs.webkit.org/show_bug.cgi?id=177451

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/DOM.json:
        Add `setEventListenerDisabled` command that enables/disables a specific event listener
        during event dispatch. When a disabled event listener is fired, the listener's callback will
        not be called.

2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        Reland "Add Above/Below comparisons for UInt32 patterns"
        https://bugs.webkit.org/show_bug.cgi?id=177281

        Reviewed by Saam Barati.

        We reland this patch without DFGStrengthReduction change to see what causes
        regression in the iOS bot.

        Sometimes, we would like to have UInt32 operations in JS. While VM does
        not support UInt32 nicely, VM supports efficient Int32 operations. As long
        as signedness does not matter, we can just perform Int32 operations instead
        and recognize its bit pattern as UInt32.

        But of course, some operations respect signedness. The most frequently
        used one is comparison. Octane/zlib performs UInt32 comparison by performing
        `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces
        UInt32 in Int32 form. And op_unsigned will generate Double value if
        the generated Int32 is < 0 (which should be UInt32).

        There is a chance for optimization. The given code pattern is the following.

            op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2))

        This can be converted to the following.

            op_urshift(@1) below:< op_urshift(@2)

        The above conversion is nice since

        1. We can avoid op_unsigned. This could be unsignedness check in DFG. Since
        this check depends on the value of Int32, dropping this check is not as easy as
        removing Int32 edge filters.

        2. We can perform unsigned comparison in Int32 form. We do not need to convert
        them to DoubleRep.

        Since the above comparison exists in Octane/zlib's *super* hot path, dropping
        op_unsigned offers huge win.

        At first, my patch attempts to convert the above thing in DFG pipeline.
        However it poses several problems.

        1. MovHint is not well removed. It makes UInt32ToNumber (which is for op_unsigned) live.
        2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes,

            2: UInt32ToNumber(@0)
            3: MovHint(@2, xxx)
            4: UInt32ToNumber(@1)
            5: MovHint(@1, xxx)

        we could drop @5's MovHint. But @3 is difficult since @4 can exit.

        So, instead, we start introducing a simple optimization in the bytecode compiler.
        It performs pattern matching for op_urshift and comparison to drop op_unsigned.
        We adds op_below and op_above families to bytecodes. They only accept Int32 and
        perform unsigned comparison.

        This offers 4% performance improvement in Octane/zlib.

                                    baseline                  patched

        zlib           x2     431.07483+-16.28434       414.33407+-9.38375         might be 1.0404x faster

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCompareJump):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/Opcode.h:
        (JSC::isBranch):
        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::extractStoredJumpTargetsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCompareUnsigned):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_below):
        (JSC::JIT::emit_op_beloweq):
        (JSC::JIT::emit_op_jbelow):
        (JSC::JIT::emit_op_jbeloweq):
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Nodes.h:
        (JSC::ExpressionNode::isBinaryOpNode const):

2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
        https://bugs.webkit.org/show_bug.cgi?id=178210

        Reviewed by Saam Barati.

        In Wasm, we have two JS functions exposed to users: WebAssemblyFunction and WebAssemblyWrapperFunction.
        The former is an exported wasm function and the latter is an imported & exported function. Since they
        have [[Call]], they should be categorized into "function" in typeof operation.

        However, these functions do not implement our function protocol correctly. They inherit JSFunction.
        But JSType of WebAssemblyFunction is WebAssemblyFunctionType, and one of WebAssemblyWrapperFunction is
        ObjectType. Since both do not have TypeOfShouldCallGetCallData, they return "object" when performing
        typeof operation.

        In this patch, we address the above issue by the following 2 fixes.

        1. We add TypeOfShouldCallGetCallData to WebAssemblyFunction. This is the same way how we implement
        InternalFunction. Since WebAssemblyFunction requires WebAssemblyFunctionType for fast checking in Wasm
        implementation, we cannot make this JSFunctionType.

        2. On the other hand, WebAssemblyWrapperFunction does not require a specific JSType. So this patch
        changes JSType of WebAssemblyWrapperFunction to JSFunctionType. JSFunctionType can be usable for derived
        classes of JSFunction (e.g. JSCustomGetterSetterFunction).

        * wasm/js/WebAssemblyFunction.h:
        (JSC::WebAssemblyFunction::signatureIndex const): Deleted.
        (JSC::WebAssemblyFunction::wasmEntrypointLoadLocation const): Deleted.
        (JSC::WebAssemblyFunction::callableFunction const): Deleted.
        (JSC::WebAssemblyFunction::jsEntrypoint): Deleted.
        (JSC::WebAssemblyFunction::offsetOfWasmEntrypointLoadLocation): Deleted.
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::createStructure):
        * wasm/js/WebAssemblyWrapperFunction.h:
        (JSC::WebAssemblyWrapperFunction::signatureIndex const): Deleted.
        (JSC::WebAssemblyWrapperFunction::wasmEntrypointLoadLocation const): Deleted.
        (JSC::WebAssemblyWrapperFunction::callableFunction const): Deleted.
        (JSC::WebAssemblyWrapperFunction::function): Deleted.

2017-10-12  Per Arne Vollan  <pvollan@apple.com>

        [Win64] JSC compile error.
        https://bugs.webkit.org/show_bug.cgi?id=178213

        Reviewed by Alex Christensen.

        Add static cast from int64 to uintptr_t.

        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):

2017-09-29  Filip Pizlo  <fpizlo@apple.com>

        Enable gigacage on iOS
        https://bugs.webkit.org/show_bug.cgi?id=177586

        Reviewed by JF Bastien.

        The hardest part of enabling Gigacage on iOS is that it requires loading global variables while
        executing JS, so the LLInt needs to know how to load from global variables on all platforms that
        have Gigacage. So, this teaches ARM64 how to load from global variables.
        
        Also, this makes the code handle disabling the gigacage a bit better.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cage):
        (JSC::AssemblyHelpers::cageConditionally):
        * offlineasm/arm64.rb:
        * offlineasm/asm.rb:
        * offlineasm/instructions.rb:

2017-10-11  Sam Weinig  <sam@webkit.org>

        Remove out-parameter variants of copyToVector
        https://bugs.webkit.org/show_bug.cgi?id=178155

        Reviewed by Tim Horton.

        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
        (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
        (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
        (Inspector::ScriptDebugServer::dispatchDidParseSource):
        (Inspector::ScriptDebugServer::dispatchFailedToParseSource):
        (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
            
            Replace out-parameter based copyToVector, with one that returns a Vector.

2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        Support integrity="" on module scripts
        https://bugs.webkit.org/show_bug.cgi?id=177959

        Reviewed by Sam Weinig.

        This patch adds Subresource Integrity check for module scripts. Currently,
        only top-level module can be verified with integrity parameter since there
        is no way to perform integrity check onto the imported modules.

        In JSC side, we add `parameters` to the entry point of the module loader
        pipeline. This is fetching parameters and used when fetching modules.

        We separately pass this parameters to the pipeline along with the script fetcher.
        The script fetcher is only one for module graph since this is the initiator of
        this module graph loading. On the other hand, this parameters is for each
        module fetching. While setting "integrity" parameters to this script fetcher is
        sufficient to pass parameters to top-level-module's fetching, it is not enough
        for the future extension.

        In the future, we will investigate a way to pass parameters to each non-top-level
        module. At that time, this `parameters` should be per-module. This is because
        "integrity" value should be different for each module. For example, we will accept
        some form of syntax to add parameters to `import`. Some proposed syntax is like
        https://discourse.wicg.io/t/specifying-nonce-or-integrity-when-importing-modules/1861

        import "./xxx.js" integrity "xxxxxxx"

        In this case, this `parameters` will be passed to "./xxx.js" module fetching. This
        `parameters` should be different from the one of top-level-module's one. That's why
        we need per-module `parameters` and why this patch adds `parameters` to the module pipeline.

        On the other hand, we also want to keep script fetcher. This `per-module-graph` thing
        is important to offer module-graph-wide information. For example, import.meta would
        have `import.meta.scriptElement`, which is the script element fetching the module graph
        including this. So, we keep the both, script fetcher and parameters.
        https://github.com/tc39/proposal-import-meta

        This parameters will be finally used by pipeline's fetch hook, and WebCore side
        can use this parameters to fetch modules.

        We also further clean up the module pipeline by dropping unnecessary features.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/ModuleLoaderPrototype.js:
        (requestFetch):
        (requestInstantiate):
        (requestSatisfy):
        (loadModule):
        (loadAndEvaluateModule):
        This loadAndEvaluateModule should be implemented by just calling loadModule and
        linkAndEvaluateModule. We can drop requestReady and requestLink.

        (requestLink): Deleted.
        (requestImportModule): Deleted.
        * jsc.cpp:
        (GlobalObject::moduleLoaderImportModule):
        (GlobalObject::moduleLoaderFetch):
        import and fetch hook takes parameters. Currently, we always pass `undefined` for
        import hook. When dynamic `import()` is extended to accept additional parameters
        like integrity, this parameters will be replaced with the actual value.

        (functionLoadModule):
        (runWithOptions):
        * runtime/Completion.cpp:
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        (JSC::importModule):
        * runtime/Completion.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncImportModule):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::requestImportModule):
        (JSC::JSModuleLoader::importModule):
        (JSC::JSModuleLoader::fetch):
        * runtime/JSModuleLoader.h:
        * runtime/JSScriptFetchParameters.cpp: Added.
        (JSC::JSScriptFetchParameters::destroy):
        * runtime/JSScriptFetchParameters.h: Added.
        (JSC::JSScriptFetchParameters::createStructure):
        (JSC::JSScriptFetchParameters::create):
        (JSC::JSScriptFetchParameters::parameters const):
        (JSC::JSScriptFetchParameters::JSScriptFetchParameters):
        Add ScriptFetchParameters' JSCell wrapper, JSScriptFetchParameters.
        It is used in the module pipeline.

        * runtime/JSType.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeFetch):
        * runtime/ScriptFetchParameters.h: Added.
        (JSC::ScriptFetchParameters::~ScriptFetchParameters):
        Add ScriptFetchParameters. We can define our own custom ScriptFetchParameters
        by inheriting this class. WebCore creates ModuleFetchParameters by inheriting
        this.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        import.meta should not be assignable
        https://bugs.webkit.org/show_bug.cgi?id=178202

        Reviewed by Saam Barati.

        `import.meta` cannot be used for LHS. This patch adds MetaPropertyNode
        and make NewTargetNode and ImportMetaNode as derived classes of MetaPropertyNode.
        We change the parser not to allow assignments for MetaPropertyNode.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ImportMetaNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createImportMetaExpr):
        (JSC::ASTBuilder::isMetaProperty):
        (JSC::ASTBuilder::isImportMeta):
        * parser/NodeConstructors.h:
        (JSC::MetaPropertyNode::MetaPropertyNode):
        (JSC::NewTargetNode::NewTargetNode):
        (JSC::ImportMetaNode::ImportMetaNode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isMetaProperty const):
        (JSC::ExpressionNode::isImportMeta const):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::metaPropertyName):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::Parser<LexerType>::parseUnaryExpression):
        * parser/Parser.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createImportMetaExpr):
        (JSC::SyntaxChecker::isMetaProperty):
        (JSC::SyntaxChecker::isImportMeta):

2017-10-11  Saam Barati  <sbarati@apple.com>

        Runtime disable poly proto because it may be a 3-4% Speedometer regression
        https://bugs.webkit.org/show_bug.cgi?id=178192

        Reviewed by JF Bastien.

        * runtime/Options.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::shouldConvertToPolyProto):

2017-10-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r223113 and r223121.
        https://bugs.webkit.org/show_bug.cgi?id=178182

        Reintroduced 20% regression on Kraken (Requested by rniwa on
        #webkit).

        Reverted changesets:

        "Enable gigacage on iOS"
        https://bugs.webkit.org/show_bug.cgi?id=177586
        https://trac.webkit.org/changeset/223113

        "Use one virtual allocation for all gigacages and their
        runways"
        https://bugs.webkit.org/show_bug.cgi?id=178050
        https://trac.webkit.org/changeset/223121

2017-10-11  Michael Saboff  <msaboff@apple.com>

        Update JavaScriptCore/ucd/CaseFolding.txt to Unicode database 10.0
        https://bugs.webkit.org/show_bug.cgi?id=178106

        Reviewed by Keith Miller.

        * ucd/CaseFolding.txt:

2017-10-11  Caio Lima  <ticaiolima@gmail.com>

        Object properties are undefined in super.call() but not in this.call()
        https://bugs.webkit.org/show_bug.cgi?id=177230

        Reviewed by Saam Barati.

        Bytecode generation for "super.call(...)" or "super.apply(...)"
        shouldn't be considered as CallFunctionCallDotNode or
        ApplyFunctionCallDotNode because they should be considered as common
        super property access as any other function. According to spec[1],
        "super" is not refering to parent constructor.

        [1] - https://tc39.github.io/ecma262/#sec-super-keyword-runtime-semantics-evaluation

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::makeFunctionCallNode):

2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop Instantiate hook in ES6 module loader
        https://bugs.webkit.org/show_bug.cgi?id=178162

        Reviewed by Sam Weinig.

        This patch is a part of patch series for module loader refactoring to adopt
        integrity="" parameters and introduce new whatwg module import mechanism.

        In this patch, we drop instantiate hook in module loader. This hook is originally
        introduced because it is defined in whatwg/loader spec. But this hook is not
        used in our implementation, and this hook won't be used since (1) whatwg/loader
        spec is abandoned, and (2) this type of hooks should be done in Service Workers.

        In addition, this patch applies some cleaning up of our module loader JS code
        to simplify things. This change paves the way to more efficient loader implementation
        with great flexibility to adopt integrity="" parameters.

        * builtins/ModuleLoaderPrototype.js:
        (requestInstantiate):
        (provideFetch):
        provide is changed to provideFetch since we only used this function with Fetch stage parameter.

        (fulfillInstantiate): Deleted.
        (commitInstantiated): Deleted.
        (instantiation): Deleted.
        They are merged into requestInstantiate code. This is simpler.

        (provide): Deleted.
        * jsc.cpp:
        * runtime/Completion.cpp:
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::provideFetch):
        (JSC::JSModuleLoader::provide): Deleted.
        Changed to provideFetch.

        (JSC::JSModuleLoader::instantiate): Deleted.
        Drop this hook.

        * runtime/JSModuleLoader.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeInstantiate): Deleted.
        Drop this hook.

2017-10-10  Saam Barati  <sbarati@apple.com>

        Prototype structure transition should be a deferred transition
        https://bugs.webkit.org/show_bug.cgi?id=177734

        Reviewed by Keith Miller.

        Absence ObjectPropertyConditions work by verifying both that the Structure 
        does not have a particular property and that its prototype has
        remained constant. However, the prototype transition was firing
        the transition watchpoint before setting the object's structure.
        This meant that isValid for Absence would never return false because
        the prototype changed. Clearly this is wrong. The reason this didn't
        break OPCs in general is that we'd also check if we could still watch
        the OPC. In this case, we can't still watch it because we're inspecting
        a structure with an invalidated transition watchpoint. To fix
        this weird quirk of the code, I'm making it so that doing a prototype
        transition uses the DeferredStructureTransitionWatchpointFire machinery.
        
        This patch also fixes some dead code that I left in regarding
        poly proto in OPC.

        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeDirect):
        * runtime/Structure.cpp:
        (JSC::Structure::changePrototypeTransition):
        * runtime/Structure.h:

2017-10-10  Robin Morisset  <rmorisset@apple.com>

        Avoid allocating useless landingBlocks in DFGByteCodeParser::handleInlining()
        https://bugs.webkit.org/show_bug.cgi?id=177926

        Reviewed by Saam Barati.

        When doing polyvariant inlining, there used to be a landing block for each callee, each of which was then linked to a continuation block.
        With this change, we allocate the continuation block first, and pass it to the inlining routine so that op_ret in the callee link directly to it.
        The only subtlety is that when inlining an intrinsic we must do the jump by hand, and also remember to call processSetLocalQueue with nextOffset before it.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):

2017-10-10  Guillaume Emont  <guijemont@igalia.com>

        Fix compilation when MASM_PROBE (and therefore DFG) are disabled
        https://bugs.webkit.org/show_bug.cgi?id=178134

        Reviewed by Saam Barati.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        Disable some code when building without DFG_JIT.

2017-10-10  Sam Weinig  <sam@webkit.org>

        Replace copyKeysToVector/copyValuesToVector with copyToVector(map.keys())/copyToVector(map.values())
        https://bugs.webkit.org/show_bug.cgi?id=178102

        Reviewed by Tim Horton.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):

2017-10-10  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix.

        Removed unused lambda capture.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::appendInverted):

2017-10-10  Saam Barati  <sbarati@apple.com>

        The prototype cache should be aware of the Executable it generates a Structure for
        https://bugs.webkit.org/show_bug.cgi?id=177907

        Reviewed by Filip Pizlo.

        This patch renames PrototypeMap to StructureCache because
        it is no longer a map of the prototypes in the VM. It's
        only used to cache Structures during object construction.
        
        The main change of this patch is to guarantee that Structures generated
        by the create_this originating from different two different Executables'
        bytecode won't hash-cons to the same thing. Previously, we could hash-cons
        them depending on the JSObject* prototype pointer. This would cause the last
        thing that hash-consed to overwrite the Structure's poly proto watchpoint. This
        happened because when we initialize a JSFunction's ObjectAllocationProfile,
        we set the resulting Structure's poly proto watchpoint. This could cause a Structure
        generating from some Executable e1 to end up with the poly proto watchpoint
        for another Executable e2 simply because JSFunctions backed by e1 and e2
        shared the same prototype. Then, based on profiling information, we may fire the
        wrong Executable's poly proto watchpoint. This patch fixes this bug by
        guaranteeing that Structures generating from create_this for different
        Executables are unique even if they share the same prototype by adding
        the FunctionExecutable* as another field in PrototypeKey.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/InternalFunctionAllocationProfile.h:
        (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
        * bytecode/ObjectAllocationProfile.cpp:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructureSlow):
        * runtime/IteratorOperations.cpp:
        (JSC::createIteratorResultObjectStructure):
        * runtime/JSBoundFunction.cpp:
        (JSC::getBoundFunctionStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/ObjectConstructor.h:
        (JSC::constructEmptyObject):
        * runtime/PrototypeKey.h:
        (JSC::PrototypeKey::PrototypeKey):
        (JSC::PrototypeKey::executable const):
        (JSC::PrototypeKey::operator== const):
        (JSC::PrototypeKey::hash const):
        * runtime/PrototypeMap.cpp: Removed.
        * runtime/PrototypeMap.h: Removed.
        * runtime/StructureCache.cpp: Copied from Source/JavaScriptCore/runtime/PrototypeMap.cpp.
        (JSC::StructureCache::createEmptyStructure):
        (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
        (JSC::StructureCache::emptyObjectStructureForPrototype):
        (JSC::PrototypeMap::createEmptyStructure): Deleted.
        (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure): Deleted.
        (JSC::PrototypeMap::emptyObjectStructureForPrototype): Deleted.
        * runtime/StructureCache.h: Copied from Source/JavaScriptCore/runtime/PrototypeMap.h.
        (JSC::StructureCache::StructureCache):
        (JSC::PrototypeMap::PrototypeMap): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        `async` should be able to be used as an imported binding name
        https://bugs.webkit.org/show_bug.cgi?id=176573

        Reviewed by Saam Barati.

        Previously, we have ASYNC keyword in the parser. This is introduced only for performance,
        and ECMA262 spec does not categorize "async" to keyword. This makes parser code complicated,
        since ASYNC should be handled as IDENT. If we missed this ASYNC keyword, we cause a bug.
        For example, import declaration failed to bind imported binding to the name "async" because
        the parser considered ASYNC as keyword.

        This patch removes ASYNC keyword from the parser. By carefully handling ASYNC, we can keep
        the current performance without using this ASYNC keyword.

        We also add `escaped` field to token data since contextual keyword is valid only if it does
        not contain any escape sequences. We fix bunch of contextual keyword use with this fix too
        e.g. `of in for-of`. This improves test262 score.

        * parser/Keywords.table:
        * parser/Lexer.cpp:
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatementListItem):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        * parser/Parser.h:
        (JSC::Parser::matchContextualKeyword):
        * parser/ParserTokens.h:
        * runtime/CommonIdentifiers.h:

2017-10-09  Saam Barati  <sbarati@apple.com>

        We don't need to clearEmptyObjectStructureForPrototype because JSGlobalObject* is part of the cache's key
        https://bugs.webkit.org/show_bug.cgi?id=177987

        Reviewed by Filip Pizlo.

        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setTarget):
        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype): Deleted.
        * runtime/PrototypeMap.h:

2017-10-09  Filip Pizlo  <fpizlo@apple.com>

        JSCell::didBecomePrototype is racy
        https://bugs.webkit.org/show_bug.cgi?id=178110

        Reviewed by Saam Barati.
        
        The indexing type can be modified by any thread using CAS. So, we need to use atomics when
        modifying it. We don't need to use atomics when reading it though (since it's just one field).

        * runtime/JSCellInlines.h:
        (JSC::JSCell::didBecomePrototype):

2017-09-29  Filip Pizlo  <fpizlo@apple.com>

        Enable gigacage on iOS
        https://bugs.webkit.org/show_bug.cgi?id=177586

        Reviewed by JF Bastien.

        The hardest part of enabling Gigacage on iOS is that it requires loading global variables while
        executing JS, so the LLInt needs to know how to load from global variables on all platforms that
        have Gigacage. So, this teaches ARM64 how to load from global variables.
        
        Also, this makes the code handle disabling the gigacage a bit better.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cage):
        (JSC::AssemblyHelpers::cageConditionally):
        * offlineasm/arm64.rb:
        * offlineasm/asm.rb:
        * offlineasm/instructions.rb:

2017-10-09  Robin Morisset  <rmorisset@apple.com>

        Evaluate the benefit of skipping dead code in the DFGByteCodeParser when a function returns in its first block
        https://bugs.webkit.org/show_bug.cgi?id=177925

        Reviewed by Saam Barati.

        We used to do a rather weird "optimisation" in the bytecode parser: when a function would return in its first block,
        the rest of the function was skipped. Since it has no actual impact on any benchmarks from what I could see, I removed
        that code. It allows some changes to parseBlock(), since it now returns void and no-longer bool (it was returning a boolean that said whether that case happened or not).

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):

2017-10-09  Robin Morisset  <rmorisset@apple.com>

        Refactor the inliner to simplify block linking
        https://bugs.webkit.org/show_bug.cgi?id=177922

        Reviewed by Saam Barati.

        The biggest refactor changes the way blocks are linked. In DFGByteCodeParser, most terminals (such as Jump or Branch) jump to nullptr initially, and have
        some metadata indicating the bytecode index corresponding to their targets. They are later linked to the right basic block using two fields of InlineStackEntry:
        - m_unlinkedBlocks is just a worklist of blocks with a terminal that needs to be linked
        - m_linkingTargets is a dictionary from bytecode indices to BasicBlock*
        Before refactoring, every block was automatically added to both of these fields, for the InlineStackEntry of whatever function allocated it.
        This created a significant number of corner cases, such as blocks allocated in a caller, with a terminal written by an inlined callee and pointing to a block in the callee,
        or blocks allocated in an inline callee, with a terminal written by the caller after it returns and pointing to a block in the caller, or blocks with a manually linked
        terminal that needs to be taken off m_unlinkedBlocks.
        I changed things so that blocks are only added to m_unlinkedBlocks when their terminal gets written (see the LAST_OPCODE macro) making it a lot easier to be in the "right" InlineStackEntry,
        that is the one that holds their target in its m_linkingTargets field.

        There are a few much smaller refactors in this patch:
        - parse() is now of type void insted of bool (it was always returning true)
        - The 7 and 8 arguments of handleCall were inlined in its 3 arguments version for readability
        - The 9 argument version was cleaned up and simplified
        - I made separate allocateBlock routines because the little dance with adoptRef(* new BasicBlock(...)) was being repeated in lots of places, and typos in that were a major source of bugs during other refactorings
        - Jumps are now created with explicit addJumpTo() functions, providing some sanity checking through asserts and didLink()
        - Blocks are only added to m_unlinkedBlocks if they end in a terminal that linkBlock works with (see LAST_OPCODE)

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::refineStatically):
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        (JSC::DFG::parse):
        (JSC::DFG::ByteCodeParser::cancelLinkingForBlock): Deleted.
        * dfg/DFGByteCodeParser.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2017-10-09  Michael Saboff  <msaboff@apple.com>

        Implement RegExp Unicode property escapes
        https://bugs.webkit.org/show_bug.cgi?id=172069

        Reviewed by JF Bastien.

        Added Unicode Properties by extending the existing CharacterClass processing.

        Introduced a new Python script, generateYarrUnicodePropertyTables.py, that parses
        Unicode Database files to create character class data.  The result is a set of functions
        that return character classes, one for each of the required Unicode properties.
        There are many cases where many properties are handled by one function, primarily due to
        property aliases, but also due to Script_Extension properties that are the same as the
        Script property for the same script value.

        Extended the BuiltInCharacterClassID enum so it can be used also for Unicode property
        character classes.  Unicode properties are the enum value BaseUnicodePropertyID plus a
        zero based value, that value being the index to the corrensponding character class
        function.  The generation script also creates static hashing tables similar to what we
        use for the generated .lut.h lookup table files.  These hashing tables map property
        names to the function index.  Using these hashing tables, we can lookup a property
        name and if present convert it to a function index.  We add that index to
        BaseUnicodePropertyID to create a BuiltInCharacterClassID.

        When we do syntax parsing, we convert the property to its corresponding BuiltInCharacterClassID.
        When doing real parsing we takes the returned BuiltInCharacterClassID and use it to get
        the actual character class by calling the corresponding generated function.

        Added a new CharacterClass constructor that can take literal arrays for ranges and matches
        to make the creation of large static character classes more efficent.

        Since the Unicode character classes typically have more matches and ranges, the character
        class matching in the interpreter has been updated to use binary searching for matches and
        ranges with more than 6 entries.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/generateYarrUnicodePropertyTables.py: Added.
        (openOrExit):
        (openUCDFileOrExit):
        (verifyUCDFilesExist):
        (ceilingToPowerOf2):
        (Aliases):
        (Aliases.__init__):
        (Aliases.parsePropertyAliasesFile):
        (Aliases.parsePropertyValueAliasesFile):
        (Aliases.globalAliasesFor):
        (Aliases.generalCategoryAliasesFor):
        (Aliases.generalCategoryForAlias):
        (Aliases.scriptAliasesFor):
        (Aliases.scriptNameForAlias):
        (PropertyData):
        (PropertyData.__init__):
        (PropertyData.setAliases):
        (PropertyData.makeCopy):
        (PropertyData.getIndex):
        (PropertyData.getCreateFuncName):
        (PropertyData.addMatch):
        (PropertyData.addRange):
        (PropertyData.addMatchUnorderedForMatchesAndRanges):
        (PropertyData.addRangeUnorderedForMatchesAndRanges):
        (PropertyData.addMatchUnordered):
        (PropertyData.addRangeUnordered):
        (PropertyData.removeMatchFromRanges):
        (PropertyData.removeMatch):
        (PropertyData.dumpMatchData):
        (PropertyData.dump):
        (PropertyData.dumpAll):
        (PropertyData.dumpAll.std):
        (PropertyData.createAndDumpHashTable):
        (Scripts):
        (Scripts.__init__):
        (Scripts.parseScriptsFile):
        (Scripts.parseScriptExtensionsFile):
        (Scripts.dump):
        (GeneralCategory):
        (GeneralCategory.__init__):
        (GeneralCategory.createSpecialPropertyData):
        (GeneralCategory.findPropertyGroupFor):
        (GeneralCategory.addNextCodePoints):
        (GeneralCategory.parse):
        (GeneralCategory.dump):
        (BinaryProperty):
        (BinaryProperty.__init__):
        (BinaryProperty.parsePropertyFile):
        (BinaryProperty.dump):
        * Scripts/hasher.py: Added.
        (stringHash):
        * Sources.txt:
        * ucd/DerivedBinaryProperties.txt: Added.
        * ucd/DerivedCoreProperties.txt: Added.
        * ucd/DerivedNormalizationProps.txt: Added.
        * ucd/PropList.txt: Added.
        * ucd/PropertyAliases.txt: Added.
        * ucd/PropertyValueAliases.txt: Added.
        * ucd/ScriptExtensions.txt: Added.
        * ucd/Scripts.txt: Added.
        * ucd/UnicodeData.txt: Added.
        * ucd/emoji-data.txt: Added.
        * yarr/Yarr.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::testCharacterClass):
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::parseEscape):
        (JSC::Yarr::Parser::parseTokens):
        (JSC::Yarr::Parser::isUnicodePropertyValueExpressionChar):
        (JSC::Yarr::Parser::tryConsumeUnicodePropertyExpression):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::appendInverted):
        (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
        (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
        (JSC::Yarr::YarrPattern::errorMessage):
        (JSC::Yarr::PatternTerm::dump):
        * yarr/YarrPattern.h:
        (JSC::Yarr::CharacterRange::CharacterRange):
        (JSC::Yarr::CharacterClass::CharacterClass):
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::unicodeCharacterClassFor):
        * yarr/YarrUnicodeProperties.cpp: Added.
        (JSC::Yarr::HashTable::entry const):
        (JSC::Yarr::unicodeMatchPropertyValue):
        (JSC::Yarr::unicodeMatchProperty):
        (JSC::Yarr::createUnicodeCharacterClassFor):
        * yarr/YarrUnicodeProperties.h: Added.

2017-10-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r223015 and r223025.
        https://bugs.webkit.org/show_bug.cgi?id=178093

        Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
        #webkit).

        Reverted changesets:

        "Enable gigacage on iOS"
        https://bugs.webkit.org/show_bug.cgi?id=177586
        http://trac.webkit.org/changeset/223015

        "Unreviewed, disable Gigacage on ARM64 Linux"
        https://bugs.webkit.org/show_bug.cgi?id=177586
        http://trac.webkit.org/changeset/223025

2017-10-09  Keith Miller  <keith_miller@apple.com>

        Unreviewed, sort unified sources again now that they are numbered numerically rather than lexicographically.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r223022.

        This change introduced 18 test262 failures.

        Reverted changeset:

        "`async` should be able to be used as an imported binding
        name"
        https://bugs.webkit.org/show_bug.cgi?id=176573
        http://trac.webkit.org/changeset/223022

2017-10-09  Robin Morisset  <rmorisset@apple.com>

        Make the names of the options consistent
        https://bugs.webkit.org/show_bug.cgi?id=177933

        Reviewed by Saam Barati.

        I added an alias so the old spelling still works.
        I also fixed a bunch of typos in comments all around the codebase.

        * b3/B3LowerToAir.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSSAConversionPhase.h:
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * jit/CallFrameShuffler.cpp:
        (JSC::CallFrameShuffler::prepareForTailCall):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseExportDeclaration):
        * runtime/Options.h:

2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>

        Safari 10 /11 problem with if (!await get(something)).
        https://bugs.webkit.org/show_bug.cgi?id=176685

        Reviewed by Saam Barati.

        Using unary operator before `await` lead to count it as identifier.
        According to spec https://tc39.github.io/ecma262/#sec-async-function-definitions
        and Note 1 `await` is as AwaitExpression and it is allowed to use unary operator

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parsePrimaryExpression):

2017-10-07  Filip Pizlo  <fpizlo@apple.com>

        direct-construct-arity-mismatch.js can have GCs that take ~70ms if you force poly proto and disable generational GC
        https://bugs.webkit.org/show_bug.cgi?id=178051

        Reviewed by Saam Barati.
        
        After I studied the profile of this test, I found two pathologies in our code relating to
        prototypes. I think that now that we support poly proto, it's more likely for these pathologies to
        happen. Also, the fact that we force poly proto in some tests, it's possible for one of our tests
        to trigger these pathologies.
        
        - WeakGCMap::m_prototoypes is the set of all prototypes. That's super dangerous. This patch turns
          this into a bit in the JSCell header. It uses the last spare bit in indexingTypeAndMisc. Note
          that we still have 6 spare bits in cellState, but those are a bit more annoying to get at.
        
        - WeakGCMap registers itself with GC using a std::function. That means allocating things in the
          malloc heap. This changes it to a virtual method on WeakGCMap. I don't know for sure that this is
          a problem area, but there are places where we could allocate a lot of WeakGCMaps, like if we have
          a lot of transition tables. It's good to reduce the amount of memory those require.
        
        Also, I saw a FIXME about turning the std::tuple in PrototypeMap into a struct, so I did that while
        I was at it. I initially thought that this would have to be part of my solution, but it turned out
        not to be. I think it's worth landing anyway since it makes the code a lot more clear.
        
        This fixes the timeout in that test and probably reduces memory consumption.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
        (JSC::Heap::registerWeakGCMap):
        (JSC::Heap::unregisterWeakGCMap):
        * heap/Heap.h:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/AsyncFromSyncIteratorPrototype.cpp:
        (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
        * runtime/AsyncFunctionPrototype.cpp:
        (JSC::AsyncFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorFunctionPrototype.cpp:
        (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorPrototype.cpp:
        (JSC::AsyncGeneratorPrototype::finishCreation):
        * runtime/AsyncIteratorPrototype.cpp:
        (JSC::AsyncIteratorPrototype::finishCreation):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/GeneratorFunctionPrototype.cpp:
        (JSC::GeneratorFunctionPrototype::finishCreation):
        * runtime/GeneratorPrototype.cpp:
        (JSC::GeneratorPrototype::finishCreation):
        * runtime/IndexingType.h:
        * runtime/IteratorPrototype.cpp:
        (JSC::IteratorPrototype::finishCreation):
        * runtime/JSCInlines.h:
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::mayBePrototype const):
        (JSC::JSCell::didBecomePrototype):
        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::setPrototypeDirect):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setTarget):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        * runtime/PrototypeKey.h: Added.
        (JSC::PrototypeKey::PrototypeKey):
        (JSC::PrototypeKey::prototype const):
        (JSC::PrototypeKey::inlineCapacity const):
        (JSC::PrototypeKey::classInfo const):
        (JSC::PrototypeKey::globalObject const):
        (JSC::PrototypeKey::operator== const):
        (JSC::PrototypeKey::operator!= const):
        (JSC::PrototypeKey::operator bool const):
        (JSC::PrototypeKey::isHashTableDeletedValue const):
        (JSC::PrototypeKey::hash const):
        (JSC::PrototypeKeyHash::hash):
        (JSC::PrototypeKeyHash::equal):
        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::createEmptyStructure):
        (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
        * runtime/PrototypeMap.h:
        (JSC::PrototypeMap::PrototypeMap):
        * runtime/PrototypeMapInlines.h: Removed.
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMapBase::~WeakGCMapBase):
        * runtime/WeakGCMapInlines.h:
        (JSC::KeyTraitsArg>::WeakGCMap):
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        * runtime/WeakSetPrototype.cpp:
        (JSC::WeakSetPrototype::finishCreation):

2017-10-07  Filip Pizlo  <fpizlo@apple.com>

        Octane/splay can leak memory due to stray pointers on the stack when run from the command line
        https://bugs.webkit.org/show_bug.cgi?id=178054

        Reviewed by Saam Barati.
        
        This throws in a bunch of sanitize calls. It fixes the problem. It's also performance-neutral. In
        most cases, calling the sanitize function is O(1), because it doesn't have anything to do if the stack
        height stays relatively constant.

        * dfg/DFGOperations.cpp:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * ftl/FTLOSREntry.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::runCurrentPhase):
        * heap/MarkedAllocatorInlines.h:
        (JSC::MarkedAllocator::tryAllocate):
        (JSC::MarkedAllocator::allocate):
        * heap/Subspace.cpp:
        (JSC::Subspace::tryAllocateSlow):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::sanitizeStackInline):
        * jit/ThunkGenerators.cpp:
        (JSC::slowPathFor):
        * runtime/VM.h:
        (JSC::VM::addressOfLastStackTop):

2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        `async` should be able to be used as an imported binding name
        https://bugs.webkit.org/show_bug.cgi?id=176573

        Reviewed by Darin Adler.

        Previously, we have ASYNC keyword in the parser. This is introduced only for performance,
        and ECMA262 spec does not categorize "async" to keyword. This makes parser code complicated,
        since ASYNC should be handled as IDENT. If we missed this ASYNC keyword, we cause a bug.
        For example, import declaration failed to bind imported binding to the name "async" because
        the parser considered ASYNC as keyword.

        This patch removes ASYNC keyword from the parser. By carefully handling ASYNC, we can keep
        the current performance without using this ASYNC keyword.

        * parser/Keywords.table:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatementListItem):
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        * parser/ParserTokens.h:
        * runtime/CommonIdentifiers.h:

2017-09-29  Filip Pizlo  <fpizlo@apple.com>

        Enable gigacage on iOS
        https://bugs.webkit.org/show_bug.cgi?id=177586

        Reviewed by JF Bastien.

        The hardest part of enabling Gigacage on iOS is that it requires loading global variables while
        executing JS, so the LLInt needs to know how to load from global variables on all platforms that
        have Gigacage. So, this teaches ARM64 how to load from global variables.
        
        Also, this makes the code handle disabling the gigacage a bit better.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cage):
        (JSC::AssemblyHelpers::cageConditionally):
        * offlineasm/arm64.rb:
        * offlineasm/asm.rb:
        * offlineasm/instructions.rb:

2017-10-06  Michael Saboff  <msaboff@apple.com>

        Enable RegExp JIT for match only Unicode RegExp's
        https://bugs.webkit.org/show_bug.cgi?id=178033

        Reviewed by JF Bastien.

        I forgot to turn on JIT'ing for match-only Unicode RegExp's in r221052.  Do it now.

        * runtime/RegExp.cpp:
        (JSC::RegExp::compileMatchOnly):

2017-10-06  Alex Christensen  <achristensen@webkit.org>

        Build fix after r223002.

        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
        (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):

2017-10-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r222791 and r222873.
        https://bugs.webkit.org/show_bug.cgi?id=178031

        Caused crashes with workers/wasm LayoutTests (Requested by
        ryanhaddad on #webkit).

        Reverted changesets:

        "WebAssembly: no VM / JS version of everything but Instance"
        https://bugs.webkit.org/show_bug.cgi?id=177473
        http://trac.webkit.org/changeset/222791

        "WebAssembly: address no VM / JS follow-ups"
        https://bugs.webkit.org/show_bug.cgi?id=177887
        http://trac.webkit.org/changeset/222873

2017-10-06  Robin Morisset  <rmorisset@apple.com>

        Avoid integer overflow in DFGStrengthReduction.cpp
        https://bugs.webkit.org/show_bug.cgi?id=177944

        Reviewed by Saam Barati.

        The check that we won't do integer overflow by negating INT32_MIN was itself an integer overflow.
        I think that signed integer overflow is undefined behaviour in C, so I replace it by an explicit check that value != INT32_MIN instead.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2017-10-05  Keith Miller  <keith_miller@apple.com>

        JSC generate unified sources doesn't need to run during installhdrs.
        https://bugs.webkit.org/show_bug.cgi?id=177640

        Reviewed by Dan Bernstein.

        generate unified sources doesn't need to have a xcconfig file
        since we don't have any feature defines. Also, remove the plist
        because there's no plist for this...

        * JavaScriptCore.xcodeproj/project.pbxproj:

2017-10-05  Jer Noble  <jer.noble@apple.com>

        [Cocoa] Enable ENABLE_ENCRYPTED_MEDIA build-time setting
        https://bugs.webkit.org/show_bug.cgi?id=177261

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2017-10-05  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r222929.

        Caused assertion failures during LayoutTests.

        Reverted changeset:

        "Only add prototypes to the PrototypeMap if they're not
        already present"
        https://bugs.webkit.org/show_bug.cgi?id=177952
        http://trac.webkit.org/changeset/222929

2017-10-05  Carlos Alberto Lopez Perez  <clopez@igalia.com>

        Generate a compile error if release is built without compiler optimizations
        https://bugs.webkit.org/show_bug.cgi?id=177665

        Reviewed by Brian Burg.

        Pass -DRELEASE_WITHOUT_OPTIMIZATIONS to testair.cpp and testb3.cpp because
        this files are compiled with -O0 for build speed reasons after r195639.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2017-10-05  Saam Barati  <sbarati@apple.com>

        Only add prototypes to the PrototypeMap if they're not already present
        https://bugs.webkit.org/show_bug.cgi?id=177952

        Reviewed by Michael Saboff and JF Bastien.

        With poly proto, we need to call PrototypeMap::add more frequently since we don't
        know if the prototype is already in the map or not based solely on Structure.
        PrototypeMap::add was calling WeakMap::set unconditionally, which would unconditionally
        allocate a Weak handle. Allocating a Weak handle is expensive. It's at least 8x more
        expensive than just checking if the prototype is in the map prior to adding it. This
        patch makes the change to only add the prototype if it's not already in the map. To
        do this, I've added a WeakMap::add API that just forwards into HashMap's add API.
        This allows us to both only do a single hash table lookup and also to allocate only
        a single Weak handle when necessary.

        * runtime/PrototypeMapInlines.h:
        (JSC::PrototypeMap::addPrototype):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::add):

2017-10-05  Saam Barati  <sbarati@apple.com>

        Unreviewed. Disable probe OSR exit on 32-bit until it's fixed.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2017-10-05  Saam Barati  <sbarati@apple.com>

        Make sure all prototypes under poly proto get added into the VM's prototype map
        https://bugs.webkit.org/show_bug.cgi?id=177909

        Reviewed by Keith Miller.

        This is an invariant of prototypes that I broke when doing poly proto. This patch fixes it.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSCInlines.h:
        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::addPrototype): Deleted.
        * runtime/PrototypeMap.h:
        * runtime/PrototypeMapInlines.h:
        (JSC::PrototypeMap::isPrototype const):
        (JSC::PrototypeMap::addPrototype):

2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce import.meta
        https://bugs.webkit.org/show_bug.cgi?id=177703

        Reviewed by Filip Pizlo.

        This patch adds stage 3 `import.meta`[1].
        We add a new hook function moduleLoaderCreateImportMetaProperties, which creates
        import meta properties object to this module. And we set this object as @meta
        private variable in module environments. So module code can access this by accessing
        @meta private variable.

        [1]: https://github.com/tc39/proposal-import-meta

        * builtins/BuiltinNames.h:
        * builtins/ModuleLoaderPrototype.js:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * jsc.cpp:
        (GlobalObject::moduleLoaderCreateImportMetaProperties):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseModuleSourceElements):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::createImportMetaProperties):
        * runtime/JSModuleLoader.h:
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::link):
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSModuleRecord.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):

2017-10-04  Saam Barati  <sbarati@apple.com>

        Make pertinent AccessCases watch the poly proto watchpoint
        https://bugs.webkit.org/show_bug.cgi?id=177765

        Reviewed by Keith Miller.

        This patch makes it so that stubs that encounter a structure with a
        valid poly proto watchpoint will watch the poly proto watchpoint. This
        ensures that if the watchpoint is fired, the stub will be cleared
        and have a chance to regenerate. In an ideal world, this will lead
        to the stub generating better code since it may never encounter the
        non-poly proto structure again.
        
        This patch also fixes a bug in the original poly proto code where
        I accidentally had a condition inverted. The bad code caused a
        stub that continually cached two structures which are structurally
        equivalent but with different prototype objects to always clear itself.
        The code should have been written differently. It should have only
        cleared if the poly proto watchpoint *was not* fired. The code
        accidentally cleared only if stub *was* fired.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::commit):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::addCases):
        (WTF::printInternal):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationResult::shouldResetStubAndFireWatchpoints const):
        (JSC::AccessGenerationResult::addWatchpointToFire):
        (JSC::AccessGenerationResult::fireWatchpoints):
        (JSC::AccessGenerationResult::shouldResetStub const): Deleted.
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::addAccessCase):
        (JSC::StructureStubInfo::reset):
        * bytecode/Watchpoint.h:
        (JSC::InlineWatchpointSet::inflate):
        * jit/Repatch.cpp:
        (JSC::fireWatchpointsAndClearStubIfNeeded):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryCacheIn):
        (JSC::repatchIn):
        (JSC::tryRepatchIn): Deleted.

2017-10-04  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Improve CanvasManager recording events
        https://bugs.webkit.org/show_bug.cgi?id=177762

        Reviewed by Devin Rousso.

        * inspector/protocol/Canvas.json:
        Renamed events for clarity and consistency; made recording data optional.

2017-10-04  JF Bastien  <jfbastien@apple.com>

        WTF: Update std::expected to match current proposal
        https://bugs.webkit.org/show_bug.cgi?id=177881

        Reviewed by Mark Lam.

        Update API.

        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmModule.cpp:
        (JSC::Wasm::makeValidationResult):
        * wasm/WasmParser.h:
        * wasm/WasmValidate.cpp:
        * wasm/generateWasmValidateInlinesHeader.py:
        (loadMacro):
        (storeMacro):

2017-10-04  JF Bastien  <jfbastien@apple.com>

        WebAssembly: address no VM / JS follow-ups
        https://bugs.webkit.org/show_bug.cgi?id=177887

        Reviewed by Saam Barati.

        All minor fixes, no functional changes.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::addCurrentMemory):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmContext.cpp:
        (JSC::Wasm::Context::store):
        * wasm/WasmMemoryMode.h:
        * wasm/WasmTable.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
        (JSC::JSWebAssemblyTable::grow):

2017-10-04  Mark Lam  <mark.lam@apple.com>

        Add support for using Probe DFG OSR Exit behind a runtime flag.
        https://bugs.webkit.org/show_bug.cgi?id=177844
        <rdar://problem/34801425>

        Reviewed by Saam Barati.

        This is based on the code originally posted in https://bugs.webkit.org/show_bug.cgi?id=175144
        (in r221774 and r221832) with some optimizations and bug fixes added.  The probe
        based DFG OSR Exit is only enabled if Options::useProbeOSRExit() is true.  We're
        landing this behind an option switch to make it easier to tune performance using
        the probe based OSR exit.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/ProbeContext.cpp:
        (JSC::Probe::executeProbe):
        (JSC::Probe::flushDirtyStackPages):
        * assembler/ProbeContext.h:
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::arg):
        * assembler/ProbeFrame.h: Added.
        (JSC::Probe::Frame::Frame):
        (JSC::Probe::Frame::argument):
        (JSC::Probe::Frame::operand):
        (JSC::Probe::Frame::setArgument):
        (JSC::Probe::Frame::setOperand):
        (JSC::Probe::Frame::get):
        (JSC::Probe::Frame::set):
        * assembler/ProbeStack.cpp:
        (JSC::Probe::Page::lowWatermarkFromVisitingDirtyChunks):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::lowWatermarkFromVisitingDirtyPages):
        * assembler/ProbeStack.h:
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::set):
        (JSC::Probe::Stack::savedStackPointer const):
        (JSC::Probe::Stack::setSavedStackPointer):
        (JSC::Probe::Stack::newStackPointer const): Deleted.
        (JSC::Probe::Stack::setNewStackPointer): Deleted.
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::observeArrayMode):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
        * bytecode/ExecutionCounter.h:
        (JSC::ExecutionCounter::hasCrossedThreshold const):
        (JSC::ExecutionCounter::setNewThresholdForOSRExit):
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::reportValue):
        * bytecode/MethodOfGettingAValueProfile.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::jsValueFor):
        (JSC::DFG::restoreCalleeSavesFor):
        (JSC::DFG::saveCalleeSavesFor):
        (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
        (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        (JSC::DFG::saveOrCopyCalleeSavesFor):
        (JSC::DFG::createDirectArgumentsDuringExit):
        (JSC::DFG::createClonedArgumentsDuringExit):
        (JSC::DFG::emitRestoreArguments):
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::printOSRExit):
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExitState::OSRExitState):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitThunkGenerator):
        * dfg/DFGThunks.h:
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::tryToSetConstantRecovery):
        (JSC::DFG::VariableEventStream::reconstruct const):
        (JSC::DFG::VariableEventStream::tryToSetConstantRecovery const): Deleted.
        * dfg/DFGVariableEventStream.h:
        * profiler/ProfilerOSRExit.h:
        (JSC::Profiler::OSRExit::incCount):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Options.h:

2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r222840.

        This change breaks internal builds.

        Reverted changeset:

        "Generate a compile error if release is built without compiler
        optimizations"
        https://bugs.webkit.org/show_bug.cgi?id=177665
        http://trac.webkit.org/changeset/222840

2017-10-04  Carlos Alberto Lopez Perez  <clopez@igalia.com>

        Generate a compile error if release is built without compiler optimizations
        https://bugs.webkit.org/show_bug.cgi?id=177665

        Reviewed by Michael Catanzaro.

        Pass -DRELEASE_WITHOUT_OPTIMIZATIONS to testair.cpp and testb3.cpp because
        this files are compiled with -O0 for build speed reasons after r195639.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2017-10-03  Jon Davis  <jond@apple.com>

        Update WebAssembly to "Supported"
        https://bugs.webkit.org/show_bug.cgi?id=177831

        Reviewed by Alexey Proskuryakov.
        
        Cleaned up Async Iteration and Object rest/spread to use "In Development" 
        instead of "In development". 

        * features.json: 

2017-10-03  Saam Barati  <sbarati@apple.com>

        Implement polymorphic prototypes
        https://bugs.webkit.org/show_bug.cgi?id=176391

        Reviewed by Filip Pizlo.

        This patch changes JSC's object model with respect to where the prototype
        of an object is stored. Previously, it was always stored as
        a constant value inside Structure. So an object's structure used to
        always tell you what its prototype is. Anytime an object changed
        its prototype, it would do a structure transition. This enables
        a large class of optimizations: just by doing a structure check,
        we know what the prototype is.
        
        However, this design falls down when you have many objects that
        have the same shape, but only differ in what their prototype value
        is. This arises in many JS programs. A simple, and probably common, example
        is when the program has a constructor inside of a function:
        ```
        function foo() {
            class C {
                constructor() { this.field1 = 42; ...; this.fieldN = 42; }
                method1() { doStuffWith(this.field); }
                method2() { doStuffWith(this.field); }
            }
            let c = new C;
            do things with c;
            }
        repeatedly call foo() here.
        ```
        
        Before this patch, in the above program, each time `new C` created an
        object, it would create an object with a different structure. The
        reason for this is that each time foo is called, there is a new
        instance of C.prototype. However, each `new C` that was created
        with have identical shape sans its prototype value. This would
        cause all ICs that used `c` to quickly give up on any form of caching
        because they would see too many structures and give up and permanently
        divert control flow to the slow path.
        
        This patch fixes this issue by expanding the notion of where the prototype
        of an object is stored. There are now two notions of where the prototype
        is stored. A Structure can now be in two modes:
        1. Mono proto mode. This is the same mode as we used to have. It means
        the structure itself has a constant prototype value.
        2. Poly proto mode. This means the structure knows nothing about the
        prototype value itself. Objects with this structure store their prototype
        in normal object field storage. The structure will tell you the offset of
        this prototype inside the object's storage. As of today, we only reserve
        inline slots for the prototype field because poly proto only occurs
        for JSFinalObject. However, this will be expanded to support out of line
        offsets in a future patch when we extend poly proto to work when we inherit
        from builtin types like Map and Array.
        
        In this initial patch, we do poly proto style inline caching whenever
        we see an object that is poly proto or if an object in its prototype lookup
        chain is poly proto. Poly proto ICs work by verifying the lookup chain
        at runtime. This essentially boils down to performing structure checks
        up the prototype chain. In a future patch, we're going to extend object
        property condition set to work with objects that don't have poly proto bases.
        
        Initially, accesses that have poly proto access chains will always turn
        into GetById/PutById in the DFG. In a future patch, I'm going to teach
        the DFG how to inline certain accesses that have poly proto in the access
        chain.
        
        One of most interesting parts about this patch is how we decide when to go
        poly proto. This patch uses a profiling based approach. An IC will inform
        a watchpoint that it sees an opportunity when two Structure's are structurally
        the same, sans the base object's prototype. This means that two structures
        have equivalent shapes all the way up the prototype chain. To support fast
        structural comparison, we compute a hash for a structure based on the properties
        it has. We compute this hash as we add properties to the structure. This
        computation is nearly free since we always add UniquedStringImpl*'s which
        already have their hashes computed. To compare structural equivalence, we
        just compare hash values all the way up the prototype chain. This means we
        can get hash conflicts between two structures, but it's extremely rare. First,
        it'll be rare for two structures to have the same hash. Secondly, we only
        consider structures originating from the same executable.
        
        How we set up this poly proto watchpoint is crucial to its design. When we create_this
        an object originating from some executable, that executable will create a Box<InlineWatchpointSet>.
        Each structure that originates from this executable will get a copy of that
        Box<InlineWatchpointSet>. As that structure transitions to new structures,
        they too will get a copy of that Box<InilneWatchpointSet>. Therefore, when
        invalidating an arbitrary structure's poly proto watchpoint, we will know
        the next time we create_this from that executable that it had been
        invalidated, and that we should create an object with a poly proto
        structure. We also use the pointer value of this Box<InlineWatchpointSet>
        to determine if two structures originated from the same executable. This
        pruning will severely limit the chances of getting a hash conflict in practice.
        
        This patch is neutral on my MBP on traditional JS benchmarks like Octane/Kraken/Sunspider.
        It may be a 1-2% ARES-6 progression.
        
        This patch is between neutral and a 9x progression on the various tests
        I added. Most of the microbenchmarks are progressed by at least 50%.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/BuiltinNames.cpp:
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        (JSC::BuiltinNames::underscoreProtoPrivateName const):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::AccessCase):
        (JSC::AccessCase::create):
        (JSC::AccessCase::commit):
        (JSC::AccessCase::guardedByStructureCheck const):
        (JSC::AccessCase::canReplace const):
        (JSC::AccessCase::dump const):
        (JSC::AccessCase::visitWeak const):
        (JSC::AccessCase::propagateTransitions const):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCase.h:
        (JSC::AccessCase::usesPolyProto const):
        (JSC::AccessCase::AccessCase):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
        (JSC::GetterSetterAccessCase::create):
        * bytecode/GetterSetterAccessCase.h:
        * bytecode/InternalFunctionAllocationProfile.h:
        (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
        * bytecode/IntrinsicGetterAccessCase.cpp:
        (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
        * bytecode/IntrinsicGetterAccessCase.h:
        * bytecode/ModuleNamespaceAccessCase.cpp:
        (JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase):
        * bytecode/ObjectAllocationProfile.cpp: Added.
        (JSC::ObjectAllocationProfile::initializeProfile):
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::clear):
        (JSC::ObjectAllocationProfile::initialize): Deleted.
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): Deleted.
        * bytecode/ObjectPropertyConditionSet.cpp:
        * bytecode/PolyProtoAccessChain.cpp: Added.
        (JSC::PolyProtoAccessChain::create):
        (JSC::PolyProtoAccessChain::needImpurePropertyWatchpoint const):
        (JSC::PolyProtoAccessChain::operator== const):
        (JSC::PolyProtoAccessChain::dump const):
        * bytecode/PolyProtoAccessChain.h: Added.
        (JSC::PolyProtoAccessChain::clone):
        (JSC::PolyProtoAccessChain:: const):
        (JSC::PolyProtoAccessChain::operator!= const):
        (JSC::PolyProtoAccessChain::forEach const):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::addCases):
        (JSC::PolymorphicAccess::regenerate):
        (WTF::printInternal):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationResult::shouldResetStub const):
        (JSC::AccessGenerationState::AccessGenerationState):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        * bytecode/ProxyableAccessCase.cpp:
        (JSC::ProxyableAccessCase::ProxyableAccessCase):
        (JSC::ProxyableAccessCase::create):
        * bytecode/ProxyableAccessCase.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::addAccessCase):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::load):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::canDoFastSpread):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_instanceof):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        * jsc.cpp:
        (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
        (WTF::DOMJITGetterBaseJSObject::createStructure):
        (WTF::DOMJITGetterBaseJSObject::create):
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
        (WTF::DOMJITGetterBaseJSObject::customGetter):
        (WTF::DOMJITGetterBaseJSObject::finishCreation):
        (GlobalObject::finishCreation):
        (functionCreateDOMJITGetterBaseJSObject):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ArrayPrototype.cpp:
        (JSC::holesMustForwardToPrototype):
        (JSC::fastJoin):
        (JSC::arrayProtoFuncReverse):
        (JSC::moveElements):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        (JSC::ClonedArguments::createWithInlineFrame):
        (JSC::ClonedArguments::createWithMachineFrame):
        (JSC::ClonedArguments::createByCopyingFrom):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::visitChildren):
        * runtime/FunctionExecutable.h:
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::initializeObjectAllocationProfile):
        * runtime/FunctionRareData.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructureSlow):
        * runtime/JSArray.cpp:
        (JSC::JSArray::fastSlice):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::canFastCopy):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure const):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::prototypeForConstruction):
        (JSC::JSFunction::allocateAndInitializeRareData):
        (JSC::JSFunction::initializeRareData):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSFunction.h:
        * runtime/JSMap.cpp:
        (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
        (JSC::JSMap::canCloneFastAndNonObservable):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::setPrototypeDirect):
        (JSC::JSObject::ordinaryToPrimitive const):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        (JSC::JSObject::getEnumerableLength):
        (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
        (JSC::JSObject::prototypeChainMayInterceptStoreTo):
        (JSC::JSObject::needsSlowPutIndexing const):
        (JSC::JSObject::suggestedArrayStorageTransition const):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        (JSC::JSObject::getPrototypeDirect const):
        (JSC::JSObject::getPropertySlot):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::getNonIndexPropertySlot):
        (JSC::JSObject::putInlineForJSObject):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/JSSet.cpp:
        (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
        (JSC::JSSet::canCloneFastAndNonObservable):
        * runtime/LazyClassStructure.h:
        (JSC::LazyClassStructure::prototypeConcurrently const): Deleted.
        * runtime/Operations.cpp:
        (JSC::normalizePrototypeChain):
        * runtime/Operations.h:
        * runtime/Options.h:
        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::createEmptyStructure):
        (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
        (JSC::PrototypeMap::emptyObjectStructureForPrototype):
        (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
        * runtime/PrototypeMap.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::create):
        (JSC::Structure::holesMustForwardToPrototype const):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::isCheapDuringGC):
        (JSC::Structure::toStructureShape):
        (JSC::Structure::dump const):
        (JSC::Structure::canCachePropertyNameEnumerator const):
        (JSC::Structure::anyObjectInChainMayInterceptIndexedAccesses const): Deleted.
        (JSC::Structure::needsSlowPutIndexing const): Deleted.
        (JSC::Structure::suggestedArrayStorageTransition const): Deleted.
        (JSC::Structure::prototypeForLookup const): Deleted.
        (JSC::Structure::prototypeChainMayInterceptStoreTo): Deleted.
        (JSC::Structure::canUseForAllocationsOf): Deleted.
        * runtime/Structure.h:
        * runtime/StructureChain.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::create):
        (JSC::Structure::storedPrototypeObject const):
        (JSC::Structure::storedPrototypeStructure const):
        (JSC::Structure::storedPrototype const):
        (JSC::prototypeForLookupPrimitiveImpl):