0601fa49fb09815ca9e07057a185a31ee56a2488
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix x86 breaking due to exhausted registers
        https://bugs.webkit.org/show_bug.cgi?id=175823

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):

2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix after r222563
        https://bugs.webkit.org/show_bug.cgi?id=175823

        * runtime/JSArrayInlines.h:

2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add Above/Below comparisons for UInt32 patterns
        https://bugs.webkit.org/show_bug.cgi?id=177281

        Reviewed by Saam Barati.

        Sometimes, we would like to have UInt32 operations in JS. While the VM does
        not support UInt32 nicely, the VM supports efficient Int32 operations. As long
        as signedness does not matter, we can just perform Int32 operations instead
        and recognize its bit pattern as UInt32.

        But of course, some operations respect signedness. The most frequently
        used one is comparison. Octane/zlib performs UInt32 comparison by performing
        `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces
        UInt32 in Int32 form. And op_unsigned will generate a Double value if
        the generated Int32 is < 0 (which should be UInt32).

        There is a chance for optimization. The given code pattern is the following.

            op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2))

        This can be converted to the following.

            op_urshift(@1) below:< op_urshift(@2)

        The above conversion is nice since

        1. We can avoid op_unsigned. This could be an unsignedness check in DFG. Since
        this check depends on the value of the Int32, dropping this check is not as easy as
        removing Int32 edge filters.

        2. We can perform unsigned comparison in Int32 form. We do not need to convert
        them to DoubleRep.

        Since the above comparison exists in Octane/zlib's *super* hot path, dropping
        op_unsigned offers a huge win.

        At first, my patch attempted to convert the above pattern in the DFG pipeline.
        However, it posed several problems.

        1. MovHint is not well removed. It makes UInt32ToNumber (which is for op_unsigned) live.
        2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes,

            2: UInt32ToNumber(@0)
            3: MovHint(@2, xxx)
            4: UInt32ToNumber(@1)
            5: MovHint(@1, xxx)

        we could drop @5's MovHint. But @3 is difficult since @4 can exit.

        So, instead, we start by introducing a simple optimization in the bytecode compiler.
        It performs pattern matching for op_urshift and comparison to drop op_unsigned.
        We add op_below and op_above families to the bytecodes. They only accept Int32 and
        perform unsigned comparison.

        This offers a 4% performance improvement in Octane/zlib.

                                    baseline                  patched

        zlib           x2     431.07483+-16.28434       414.33407+-9.38375         might be 1.0404x faster

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCompareJump):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/Opcode.h:
        (JSC::isBranch):
        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::extractStoredJumpTargetsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCompareUnsigned):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_below):
        (JSC::JIT::emit_op_beloweq):
        (JSC::JIT::emit_op_jbelow):
        (JSC::JIT::emit_op_jbeloweq):
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Nodes.h:
        (JSC::ExpressionNode::isBinaryOpNode const):

2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Support ArrayPush with multiple args
        https://bugs.webkit.org/show_bug.cgi?id=175823

        Reviewed by Saam Barati.

        This patch implements ArrayPush (with multiple arguments) in DFG and FTL. Previously, they were not handled
        by ArrayPush. Instead they went to a generic direct call to Array#push, which runs in the slow path. This patch
        extends ArrayPush to push multiple arguments in a bulk push manner.

        The problem of ArrayPush is that we need to perform ArrayPush atomically: If an OSR exit occurs in the middle
        of ArrayPush, we incorrectly push the already pushed elements twice. Once we start pushing values, we should not exit.
        But we do not want to iterate over the elements twice, once for type checks and once for actually pushing them. It
        could move elements between registers and memory back and forth.

        This patch achieves the above goal by separating type checks from ArrayPush. When starting ArrayPush, type
        checks for elements are already done by separately emitted Check nodes.

        We also add JSArray::pushInline for DFG operations just calling JSArray::push. And we also use it in
        arrayProtoFuncPush's fast path.

        This patch significantly improves the performance of `push(multiple args)`.

                                            baseline                  patched
            Microbenchmarks:
                array-push-0            461.8455+-28.9995    ^    151.3438+-6.5653        ^ definitely 3.0516x faster
                array-push-1            133.8845+-7.0349     ?    136.1775+-5.8327        ? might be 1.0171x slower
                array-push-2            675.6555+-13.4645    ^    145.8747+-6.4621        ^ definitely 4.6318x faster
                array-push-3            849.5284+-15.2540    ^    253.4421+-9.1249        ^ definitely 3.3520x faster

                                            baseline                  patched
            SixSpeed:
                spread-literal.es5       90.3482+-6.6514     ^     24.8123+-2.3304        ^ definitely 3.6413x faster

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayPush):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
        * jit/JITOperations.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPush):
        * runtime/JSArray.cpp:
        (JSC::JSArray::push):
        * runtime/JSArray.h:
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
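
        The atomicity argument in the entry above, as an added toy model that is not part of the ChangeLog or of JavaScriptCore: an OSR exit is modelled as a thrown speculation failure, after which the caller re-executes the whole push generically, and the interleaved check-and-store variant is shown beside the check-everything-first variant the patch describes. All names here are the example's own.

```javascript
// Toy model (constructed for this example; not JavaScriptCore code) of why a
// multi-argument ArrayPush must not exit part-way through.

// Stands in for an OSR exit: the optimized code gives up and the baseline tier
// re-executes the operation from its beginning.
class SpeculationFailed extends Error {}

// The speculation the optimized path relies on: every element is an Int32.
function isInt32(v) { return typeof v === 'number' && (v | 0) === v; }

// Broken variant: the type check is interleaved with the store. When the third
// argument fails, two elements have already been appended at the moment we "exit".
function pushInterleaved(array, values) {
  for (const v of values) {
    if (!isInt32(v)) throw new SpeculationFailed('element is not Int32');
    array.push(v);
  }
  return array.length;
}

// Fixed variant, following the entry: all checks happen before any store (the
// separately emitted Check nodes), so once pushing starts nothing can exit.
function pushCheckedFirst(array, values) {
  for (const v of values) {
    if (!isInt32(v)) throw new SpeculationFailed('element is not Int32');
  }
  for (const v of values) array.push(v);
  return array.length;
}

// Tiering glue: run the optimized path; on exit, redo the entire operation with the
// generic Array#push (the slow path). This re-execution is what duplicates elements
// if the optimized path had already stored some of them.
function runWithFallback(optimized, array, values) {
  try {
    return optimized(array, values);
  } catch (e) {
    if (!(e instanceof SpeculationFailed)) throw e;
    return array.push(...values);
  }
}

// Drives one variant on a constructed input whose last element breaks the speculation
// and returns the resulting array so the two outcomes can be compared.
function demo(optimized) {
  const a = [];
  runWithFallback(optimized, a, [1, 2, 'x']);
  return a;
}
```

`demo(pushInterleaved)` yields `[1, 2, 1, 2, 'x']`, the double push the entry warns about, while `demo(pushCheckedFirst)` yields `[1, 2, 'x']`.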

2017-09-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused parameter of Page.reload
        https://bugs.webkit.org/show_bug.cgi?id=177522

        Reviewed by Matt Baker.

        * inspector/protocol/Page.json:

2017-09-26  Filip Pizlo  <fpizlo@apple.com>

        Put g_gigacageBasePtr into its own page and make it read-only
        https://bugs.webkit.org/show_bug.cgi?id=174972

        Reviewed by Michael Saboff.

        C++ code doesn't have to know about this change. That includes C++ code that generates JIT code.

        But the offline assembler now needs to know about how to load from offsets of global variables.
        This turned out to be easy to support by extending the existing expression support.

        * llint/LowLevelInterpreter64.asm:
        * offlineasm/ast.rb:
        * offlineasm/parser.rb:
        * offlineasm/transform.rb:
        * offlineasm/x86.rb:

2017-09-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r222518.
        https://bugs.webkit.org/show_bug.cgi?id=177507

        Break the High Sierra build (Requested by yusukesuzuki on
        #webkit).

        Reverted changeset:

        "Add Above/Below comparisons for UInt32 patterns"
        https://bugs.webkit.org/show_bug.cgi?id=177281
        http://trac.webkit.org/changeset/222518

2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add Above/Below comparisons for UInt32 patterns
        https://bugs.webkit.org/show_bug.cgi?id=177281

        Reviewed by Saam Barati.

        Sometimes, we would like to have UInt32 operations in JS. While the VM does
        not support UInt32 nicely, the VM supports efficient Int32 operations. As long
        as signedness does not matter, we can just perform Int32 operations instead
        and recognize its bit pattern as UInt32.

        But of course, some operations respect signedness. The most frequently
        used one is comparison. Octane/zlib performs UInt32 comparison by performing
        `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces
        UInt32 in Int32 form. And op_unsigned will generate a Double value if
        the generated Int32 is < 0 (which should be UInt32).

        There is a chance for optimization. The given code pattern is the following.

            op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2))

        This can be converted to the following.

            op_urshift(@1) below:< op_urshift(@2)

        The above conversion is nice since

        1. We can avoid op_unsigned. This could be an unsignedness check in DFG. Since
        this check depends on the value of the Int32, dropping this check is not as easy as
        removing Int32 edge filters.

        2. We can perform unsigned comparison in Int32 form. We do not need to convert
        them to DoubleRep.

        Since the above comparison exists in Octane/zlib's *super* hot path, dropping
        op_unsigned offers a huge win.

        At first, my patch attempted to convert the above pattern in the DFG pipeline.
        However, it posed several problems.

        1. MovHint is not well removed. It makes UInt32ToNumber (which is for op_unsigned) live.
        2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes,

            2: UInt32ToNumber(@0)
            3: MovHint(@2, xxx)
            4: UInt32ToNumber(@1)
            5: MovHint(@1, xxx)

        we could drop @5's MovHint. But @3 is difficult since @4 can exit.

        So, instead, we start by introducing a simple optimization in the bytecode compiler.
        It performs pattern matching for op_urshift and comparison to drop op_unsigned.
        We add op_below and op_above families to the bytecodes. They only accept Int32 and
        perform unsigned comparison.

        This offers a 4% performance improvement in Octane/zlib.

                                    baseline                  patched

        zlib           x2     431.07483+-16.28434       414.33407+-9.38375         might be 1.0404x faster

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCompareJump):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/Opcode.h:
        (JSC::isBranch):
        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::extractStoredJumpTargetsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCompareUnsigned):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_below):
        (JSC::JIT::emit_op_beloweq):
        (JSC::JIT::emit_op_jbelow):
        (JSC::JIT::emit_op_jbeloweq):
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Nodes.h:
        (JSC::ExpressionNode::isBinaryOpNode const):
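
        The op_unsigned(op_urshift) comparison rewrite described in this entry and in its re-landed copy above, as an added worked example that is not part of the ChangeLog or of JavaScriptCore: a toy evaluator for the bytecodes named in the entry, the peephole that replaces a signed compare of two `>>> 0` results with `below`/`beloweq` on the Int32 forms, and a check over edge values that the rewrite is exact while the tempting shortcut (dropping op_unsigned but keeping the signed compare) is not. The node shapes, helper names, and the choice to emit `>`/`>=` as a swapped `below`/`beloweq` are this example's own.

```javascript
// Toy model (constructed for this example; not JavaScriptCore code) of op_urshift,
// op_unsigned, the signed comparisons, and the op_below / op_beloweq family.
const TWO_32 = 4294967296;

// op_urshift: JS `>>>` yields a UInt32; the VM keeps it in Int32 form, i.e. the same
// 32 bits reinterpreted as signed. `| 0` performs that reinterpretation here.
function opUrshift(a, s) { return (a >>> s) | 0; }

// op_unsigned: recover the UInt32 value from the Int32 form. A negative Int32 means the
// UInt32 was >= 2^31, so the result no longer fits Int32 and becomes a Double.
function opUnsigned(i) { return i < 0 ? i + TWO_32 : i; }

// op_below / op_beloweq: unsigned comparison carried out entirely on Int32 operands,
// with no Double conversion. Flipping bit 31 of both sides maps unsigned order onto
// signed order, so the ordinary signed `<` then gives the unsigned answer.
function opBelow(l, r)   { return (l ^ 0x80000000) <  (r ^ 0x80000000); }
function opBelowEq(l, r) { return (l ^ 0x80000000) <= (r ^ 0x80000000); }

// A tiny expression tree standing in for the emitted bytecode (this example's own shape).
const C        = (v)    => ({ op: 'const', v });
const URSHIFT  = (a, s) => ({ op: 'urshift', a, s });
const UNSIGNED = (x)    => ({ op: 'unsigned', x });
const CMP      = (op, l, r) => ({ op, l, r }); // lt | lte | gt | gte | below | beloweq

function evaluate(n) {
  switch (n.op) {
    case 'const':    return n.v;
    case 'urshift':  return opUrshift(evaluate(n.a), evaluate(n.s));
    case 'unsigned': return opUnsigned(evaluate(n.x));
    case 'lt':       return evaluate(n.l) <  evaluate(n.r);
    case 'lte':      return evaluate(n.l) <= evaluate(n.r);
    case 'gt':       return evaluate(n.l) >  evaluate(n.r);
    case 'gte':      return evaluate(n.l) >= evaluate(n.r);
    case 'below':    return opBelow(evaluate(n.l), evaluate(n.r));
    case 'beloweq':  return opBelowEq(evaluate(n.l), evaluate(n.r));
    default: throw new Error('unknown op ' + n.op);
  }
}

// The peephole. It fires only when BOTH operands are op_unsigned(op_urshift(...)); the
// op_unsigned wrappers are then dropped and the compare becomes its unsigned twin.
// `>` and `>=` are emitted as `below` / `beloweq` with swapped operands (a modelling
// choice here; the entry lists only emit_op_below / emit_op_beloweq).
const UNSIGNED_TWIN = { lt: ['below', false], lte: ['beloweq', false],
                        gt: ['below', true],  gte: ['beloweq', true] };

function isUnsignedUrshift(n) { return n.op === 'unsigned' && n.x.op === 'urshift'; }

function rewriteCompare(n) {
  const twin = UNSIGNED_TWIN[n.op];
  if (!twin || !isUnsignedUrshift(n.l) || !isUnsignedUrshift(n.r)) return n; // no match
  const [op, swap] = twin;
  const l = n.l.x, r = n.r.x; // the op_urshift nodes, still in Int32 form
  return swap ? CMP(op, r, l) : CMP(op, l, r);
}

// Constructed edge cases: values at and above 2^31 land in negative Int32 form, which is
// exactly where dropping op_unsigned but keeping the SIGNED comparison goes wrong.
const SAMPLES = [0, 1, 0x7fffffff, 0x80000000, 0xffffffff, -1, -2147483648, TWO_32 + 5, 3.9];

// Compares every sample pair under every comparison: the rewritten tree must agree with
// the original everywhere, and the signed shortcut is counted wherever it disagrees.
function checkRewrite() {
  let optimizedAgrees = true, naiveDisagreements = 0;
  for (const a of SAMPLES) for (const b of SAMPLES) for (const cmp of ['lt', 'lte', 'gt', 'gte']) {
    const original  = CMP(cmp, UNSIGNED(URSHIFT(C(a), C(0))), UNSIGNED(URSHIFT(C(b), C(0))));
    const optimized = rewriteCompare(original);
    if (evaluate(optimized) !== evaluate(original)) optimizedAgrees = false;
    const naive = CMP(cmp, original.l.x, original.r.x); // signed compare of Int32 forms
    if (evaluate(naive) !== evaluate(original)) naiveDisagreements++;
  }
  return { optimizedAgrees, naiveDisagreements };
}
```

`checkRewrite()` returns `optimizedAgrees === true` with a non-zero `naiveDisagreements`, which is the signedness point the entry makes: the rewrite is only sound because `below` is an unsigned compare.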

2017-09-24  Keith Miller  <keith_miller@apple.com>

        JSC build should use unified sources for derived sources
        https://bugs.webkit.org/show_bug.cgi?id=177421

        Reviewed by JF Bastien.

        This patch makes a couple of changes:

        1) Add derived sources to the relevant bundles. I was going to add JSCBuiltins.cpp
        to runtime but that kept breaking the windows build. I'll get back to it later.
        2) Move the derived location of some sources both for clarity and for ease of use.
        3) Make auto generator scripts able to create directories if needed.
        4) Move some scripts from the top level of the JavaScriptCore directory to a
        more appropriate directory.
        5) Move some CMake generation commands around for clarity.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/lazywriter.py:
        (LazyFileWriter.close):
        * Sources.txt:
        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (IncrementalFileWriter.close):
        * yarr/create_regex_tables: Renamed from Source/JavaScriptCore/create_regex_tables.
        * yarr/generateYarrCanonicalizeUnicode: Renamed from Source/JavaScriptCore/generateYarrCanonicalizeUnicode.

2017-09-26  Zan Dobersek  <zdobersek@igalia.com>

        Support building JavaScriptCore with the Bionic C library
        https://bugs.webkit.org/show_bug.cgi?id=177427

        Reviewed by Michael Catanzaro.

        When compiling with the Bionic C library, the MachineContext.h header
        should enable the same code paths that are enabled for the GNU C library.

        The Bionic C library defines the __BIONIC__ macro, but unlike other C
        libraries that mimic the GNU one, it doesn't define __GLIBC__. So the
        __BIONIC__ macro checks have to match the __GLIBC__ ones.

        * runtime/MachineContext.h:
        (JSC::MachineContext::stackPointer):
        (JSC::MachineContext::framePointer):
        (JSC::MachineContext::instructionPointer):
        (JSC::MachineContext::argumentPointer<1>):
        (JSC::MachineContext::llintInstructionPointer):

2017-09-25  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: move Console.addInspectedNode to DOM.setInspectedNode
        https://bugs.webkit.org/show_bug.cgi?id=176827

        Reviewed by Joseph Pecoraro.

        * inspector/agents/InspectorConsoleAgent.h:

        * inspector/agents/JSGlobalObjectConsoleAgent.h:
        * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
        (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode): Deleted.

        * inspector/protocol/Console.json:
        * inspector/protocol/DOM.json:

2017-09-25  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rebaseline builtins generator tests after r222473.

        * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:

2017-09-25  Alex Christensen  <achristensen@webkit.org>

        Make Attribute an enum class
        https://bugs.webkit.org/show_bug.cgi?id=177414

        Reviewed by Yusuke Suzuki.

        I've had enough of these naming collisions. This is what enum classes are for.
        Unfortunately a lot of static_cast<unsigned> is necessary until those functions take
        an OptionSet<Attribute> instead of an unsigned parameter, but this is a big step
        towards where we ought to be.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        * API/JSObjectRef.cpp:
        (JSObjectMakeConstructor):
        * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
        (BuiltinsInternalsWrapperImplementationGenerator.property_macro):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::isValidValueForAttributes):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::instantiateLexicalVariables):
        (JSC::BytecodeGenerator::variable):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Variable::isReadOnly const):
        (JSC::Variable::setIsReadOnly):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * create_hash_table:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::getOwnPropertySlot):
        * dfg/DFGOperations.cpp:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * jsc.cpp:
        (WTF::CustomGetter::getOwnPropertySlot):
        (WTF::RuntimeArray::getOwnPropertySlot):
        (WTF::RuntimeArray::getOwnPropertySlotByIndex):
        (WTF::DOMJITGetter::finishCreation):
        (WTF::DOMJITGetterComplex::finishCreation):
        (WTF::DOMJITFunctionObject::finishCreation):
        (WTF::DOMJITCheckSubClassObject::finishCreation):
        (GlobalObject::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/AsyncFromSyncIteratorPrototype.cpp:
        (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::AsyncFunctionConstructor::finishCreation):
        * runtime/AsyncFunctionPrototype.cpp:
        (JSC::AsyncFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorFunctionConstructor.cpp:
        (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
        * runtime/AsyncGeneratorFunctionPrototype.cpp:
        (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorPrototype.cpp:
        (JSC::AsyncGeneratorPrototype::finishCreation):
        * runtime/AsyncIteratorPrototype.cpp:
        (JSC::AsyncIteratorPrototype::finishCreation):
        * runtime/AtomicsObject.cpp:
        (JSC::AtomicsObject::finishCreation):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createStructure):
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::materializeSpecials):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/ConsoleObject.cpp:
        (JSC::ConsoleObject::finishCreation):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::finishCreation):
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::FunctionPrototype::initRestrictedProperties):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::GeneratorFunctionConstructor::finishCreation):
        * runtime/GeneratorFunctionPrototype.cpp:
        (JSC::GeneratorFunctionPrototype::finishCreation):
        * runtime/GeneratorPrototype.cpp:
        (JSC::GeneratorPrototype::finishCreation):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation):
        * runtime/IteratorPrototype.cpp:
        (JSC::IteratorPrototype::finishCreation):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        (JSC::JSArray::setLengthWithArrayStorage):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::JSArrayBufferPrototype::finishCreation):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getOwnPropertySlot):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::finishCreation):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::JSFunction::reifyLength):
        (JSC::JSFunction::reifyName):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
        (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::addStaticGlobals):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::finishCreation):
        (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::finishCreation):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::ordinarySetSlow):
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::putGetter):
        (JSC::JSObject::putSetter):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::putDescriptor):
        (JSC::validateAndApplyPropertyDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectInternal):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::finishCreation):
        (JSC::JSPromiseConstructor::addOwnInternalSlots):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::finishCreation):
        (JSC::JSPromisePrototype::addOwnInternalSlots):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::JSTypedArrayViewConstructor::finishCreation):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/LazyClassStructure.cpp:
        (JSC::LazyClassStructure::Initializer::setConstructor):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashTableValue::intrinsic const):
        (JSC::HashTableValue::builtinGenerator const):
        (JSC::HashTableValue::function const):
        (JSC::HashTableValue::functionLength const):
        (JSC::HashTableValue::propertyGetter const):
        (JSC::HashTableValue::propertyPutter const):
        (JSC::HashTableValue::domJIT const):
        (JSC::HashTableValue::signature const):
        (JSC::HashTableValue::accessorGetter const):
        (JSC::HashTableValue::accessorSetter const):
        (JSC::HashTableValue::constantInteger const):
        (JSC::HashTableValue::lazyCellPropertyOffset const):
        (JSC::HashTableValue::lazyClassStructureOffset const):
        (JSC::HashTableValue::lazyPropertyCallback const):
        (JSC::HashTableValue::builtinAccessorGetterGenerator const):
        (JSC::HashTableValue::builtinAccessorSetterGenerator const):
        (JSC::getStaticPropertySlotFromTable):
        (JSC::putEntry):
        (JSC::reifyStaticProperty):
        * runtime/MapConstructor.cpp:
        (JSC::MapConstructor::finishCreation):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        (JSC::objectConstructorAssign):
        (JSC::objectConstructorValues):
        (JSC::objectConstructorDefineProperty):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        (JSC::objectProtoFuncLookupGetter):
712         (JSC::objectProtoFuncLookupSetter):
713         * runtime/ProgramExecutable.cpp:
714         (JSC::ProgramExecutable::initializeGlobalProperties):
715         * runtime/PropertyDescriptor.cpp:
716         (JSC::PropertyDescriptor::writable const):
717         (JSC::PropertyDescriptor::enumerable const):
718         (JSC::PropertyDescriptor::configurable const):
719         (JSC::PropertyDescriptor::setUndefined):
720         (JSC::PropertyDescriptor::setDescriptor):
721         (JSC::PropertyDescriptor::setCustomDescriptor):
722         (JSC::PropertyDescriptor::setAccessorDescriptor):
723         (JSC::PropertyDescriptor::setWritable):
724         (JSC::PropertyDescriptor::setEnumerable):
725         (JSC::PropertyDescriptor::setConfigurable):
726         (JSC::PropertyDescriptor::setSetter):
727         (JSC::PropertyDescriptor::setGetter):
728         (JSC::PropertyDescriptor::attributesEqual const):
729         (JSC::PropertyDescriptor::attributesOverridingCurrent const):
730         * runtime/PropertySlot.cpp:
731         (JSC::PropertySlot::customGetter const):
732         * runtime/PropertySlot.h:
733         (JSC::operator| ):
734         (JSC::operator&):
735         (JSC::operator<):
736         (JSC::operator~):
737         (JSC::operator|=):
738         (JSC::PropertySlot::setUndefined):
739         * runtime/ProxyConstructor.cpp:
740         (JSC::makeRevocableProxy):
741         (JSC::ProxyConstructor::finishCreation):
742         * runtime/ProxyObject.cpp:
743         (JSC::ProxyObject::performHasProperty):
744         * runtime/ProxyRevoke.cpp:
745         (JSC::ProxyRevoke::finishCreation):
746         * runtime/ReflectObject.cpp:
747         (JSC::ReflectObject::finishCreation):
748         (JSC::reflectObjectDefineProperty):
749         * runtime/RegExpConstructor.cpp:
750         (JSC::RegExpConstructor::finishCreation):
751         * runtime/RegExpObject.cpp:
752         (JSC::RegExpObject::getOwnPropertySlot):
753         * runtime/RegExpPrototype.cpp:
754         (JSC::RegExpPrototype::finishCreation):
755         * runtime/ScopedArguments.cpp:
756         (JSC::ScopedArguments::overrideThings):
757         * runtime/SetConstructor.cpp:
758         (JSC::SetConstructor::finishCreation):
759         * runtime/SetIteratorPrototype.cpp:
760         (JSC::SetIteratorPrototype::finishCreation):
761         * runtime/SetPrototype.cpp:
762         (JSC::SetPrototype::finishCreation):
763         * runtime/SparseArrayValueMap.cpp:
764         (JSC::SparseArrayValueMap::putDirect):
765         (JSC::SparseArrayEntry::put):
766         * runtime/StringConstructor.cpp:
767         (JSC::StringConstructor::finishCreation):
768         * runtime/StringIteratorPrototype.cpp:
769         (JSC::StringIteratorPrototype::finishCreation):
770         * runtime/StringPrototype.cpp:
771         (JSC::StringPrototype::finishCreation):
772         * runtime/Structure.cpp:
773         (JSC::Structure::nonPropertyTransition):
774         (JSC::Structure::isSealed):
775         (JSC::Structure::isFrozen):
776         (JSC::Structure::getPropertyNamesFromStructure):
777         (JSC::Structure::prototypeChainMayInterceptStoreTo):
778         * runtime/StructureInlines.h:
779         (JSC::Structure::add):
780         * runtime/SymbolConstructor.cpp:
781         (JSC::SymbolConstructor::finishCreation):
782         * runtime/SymbolPrototype.cpp:
783         (JSC::SymbolPrototype::finishCreation):
784         * runtime/SymbolTable.h:
785         (JSC::SymbolTableEntry::Fast::getAttributes const):
786         (JSC::SymbolTableEntry::SymbolTableEntry):
787         (JSC::SymbolTableEntry::setAttributes):
788         * runtime/TemplateRegistry.cpp:
789         (JSC::TemplateRegistry::getTemplateObject):
790         * runtime/WeakMapConstructor.cpp:
791         (JSC::WeakMapConstructor::finishCreation):
792         * runtime/WeakMapPrototype.cpp:
793         (JSC::WeakMapPrototype::finishCreation):
794         * runtime/WeakSetConstructor.cpp:
795         (JSC::WeakSetConstructor::finishCreation):
796         * runtime/WeakSetPrototype.cpp:
797         (JSC::WeakSetPrototype::finishCreation):
798         * tools/JSDollarVMPrototype.cpp:
799         (JSC::JSDollarVMPrototype::finishCreation):
800         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
801         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
802         * wasm/js/WebAssemblyInstanceConstructor.cpp:
803         (JSC::WebAssemblyInstanceConstructor::finishCreation):
804         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
805         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
806         * wasm/js/WebAssemblyMemoryConstructor.cpp:
807         (JSC::WebAssemblyMemoryConstructor::finishCreation):
808         * wasm/js/WebAssemblyMemoryPrototype.cpp:
809         * wasm/js/WebAssemblyModuleConstructor.cpp:
810         (JSC::WebAssemblyModuleConstructor::finishCreation):
811         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
812         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
813         * wasm/js/WebAssemblyTableConstructor.cpp:
814         (JSC::WebAssemblyTableConstructor::finishCreation):
815
816 2017-09-23  Oleksandr Skachkov  <gskachkov@gmail.com>
817
818         [ESNext] Async iteration - Implement Async Generator - optimization
819         https://bugs.webkit.org/show_bug.cgi?id=175891
820
821         Reviewed by Yusuke Suzuki.
822
823         Add a small optimization for async generators:
824         1. Merge the async generator queue into the async generator itself:
825            generator.@first / generator.@last is enough. By doing so,
826            we remove one unnecessary object alloc.
827         2. Merge the request with the queue.
828
829         * builtins/AsyncGeneratorPrototype.js:
830         (globalPrivate.asyncGeneratorQueueIsEmpty):
831         (globalPrivate.asyncGeneratorQueueCreateItem):
832         (globalPrivate.asyncGeneratorQueueEnqueue):
833         (globalPrivate.asyncGeneratorQueueDequeue):
834         (globalPrivate.asyncGeneratorDequeue):
835         (globalPrivate.isSuspendYieldState):
836         (globalPrivate.asyncGeneratorEnqueue):
837         * builtins/BuiltinNames.h:
838         * bytecompiler/BytecodeGenerator.cpp:
839         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
840         * bytecompiler/BytecodeGenerator.h:
841         * bytecompiler/NodesCodegen.cpp:
842         (JSC::FunctionNode::emitBytecode):
843
844 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
845
846         test262: $.agent became $262.agent in test262 update
847         https://bugs.webkit.org/show_bug.cgi?id=177407
848
849         Reviewed by Yusuke Suzuki.
850
851         * jsc.cpp:
852         (GlobalObject::finishCreation):
853         Alias `$` and `$262` for now.
854
855 2017-09-22  Keith Miller  <keith_miller@apple.com>
856
857         Speculatively change iteration protocol to use the same next function
858         https://bugs.webkit.org/show_bug.cgi?id=175653
859
860         Reviewed by Saam Barati.
861
862         This patch speculatively makes a change to the iteration protocol to fetch the next
863         property immediately after calling the Symbol.iterator function. This is, in theory,
864         a breaking change, so we will see if this breaks things (most likely it won't as this
865         is a relatively subtle point).
866
867         See: https://github.com/tc39/ecma262/issues/976
868
869         * builtins/IteratorHelpers.js:
870         (performIteration):
871         * bytecompiler/BytecodeGenerator.cpp:
872         (JSC::BytecodeGenerator::emitEnumeration):
873         (JSC::BytecodeGenerator::emitIteratorNext):
874         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
875         (JSC::BytecodeGenerator::emitDelegateYield):
876         * bytecompiler/BytecodeGenerator.h:
877         * bytecompiler/NodesCodegen.cpp:
878         (JSC::ArrayPatternNode::bindValue const):
879         * inspector/JSInjectedScriptHost.cpp:
880         (Inspector::JSInjectedScriptHost::iteratorEntries):
881         * runtime/IteratorOperations.cpp:
882         (JSC::iteratorNext):
883         (JSC::iteratorStep):
884         (JSC::iteratorClose):
885         (JSC::iteratorForIterable):
886         * runtime/IteratorOperations.h:
887         (JSC::forEachInIterable):
888         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
889         (JSC::constructGenericTypedArrayViewFromIterator):
890         (JSC::constructGenericTypedArrayViewWithArguments):
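
        The observable difference the entry describes, as an added example that is not part of the original ChangeLog entry or of the JSC tree: a constructed iterable counts how often its `next` property is read, and the same loop is driven three ways (by the engine, with a per-step lookup, and with `next` fetched once right after Symbol.iterator); all function names are chosen here.

```javascript
// Added example, not code from the WebKit ChangeLog or the JSC tree: it
// observes whether the host engine reads an iterator's `next` property once,
// right after calling Symbol.iterator (the behaviour this patch adopts), or
// once per step (the older reading of the protocol).

// Constructed iterable over a sample array; `next` is a getter so every read
// of it can be counted. The counter is shared with the caller through `reads`.
function makeCountingIterable(values) {
  const reads = { next: 0 };
  const iterable = {
    [Symbol.iterator]() {
      let i = 0;
      return {
        get next() {
          reads.next += 1;
          return () => (i < values.length
            ? { value: values[i++], done: false }
            : { value: undefined, done: true });
        },
      };
    },
  };
  return { iterable, reads };
}

// Lets the engine drive the loop: under the cached-next protocol the getter
// runs exactly once, however many elements there are.
function nextReadsUnderForOf(values) {
  const { iterable, reads } = makeCountingIterable(values);
  const seen = [];
  for (const v of iterable) seen.push(v);
  return { seen, nextReads: reads.next };
}

// Hand-rolled loop with the old per-step lookup: the getter runs once per
// call to next(), i.e. values.length + 1 times (the last call reports done).
function nextReadsPerStep(values) {
  const { iterable, reads } = makeCountingIterable(values);
  const it = iterable[Symbol.iterator]();
  const seen = [];
  for (;;) {
    const result = it.next(); // a fresh property read on every step
    if (result.done) break;
    seen.push(result.value);
  }
  return { seen, nextReads: reads.next };
}

// Hand-rolled loop doing what the patch describes: fetch `next` immediately
// after Symbol.iterator and keep calling that same function.
function nextReadsCached(values) {
  const { iterable, reads } = makeCountingIterable(values);
  const it = iterable[Symbol.iterator]();
  const next = it.next; // the single read
  const seen = [];
  for (;;) {
    const result = next.call(it);
    if (result.done) break;
    seen.push(result.value);
  }
  return { seen, nextReads: reads.next };
}

// True when the host engine's for-of matches the cached-next protocol.
function engineCachesNext(values) {
  return nextReadsUnderForOf(values).nextReads === nextReadsCached(values).nextReads;
}
```

A `next` getter that returns a different function on each read is exactly the kind of iterator whose behaviour changes under this patch, which is why the entry calls the change potentially breaking.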
891
892 2017-09-22  Fujii Hironori  <Hironori.Fujii@sony.com>
893
894         [Win64] Crashes in Yarr JIT compiled code
895         https://bugs.webkit.org/show_bug.cgi?id=177293
896
897         Reviewed by Yusuke Suzuki.
898
899         In x64 Windows, the rcx register is used for the address of the allocated
900         space for the return value. But rcx has been used for regT1 since
901         r221052. Save rcx on the stack.
902
903         * yarr/YarrJIT.cpp:
904         (JSC::Yarr::YarrGenerator::generateEnter): Push ecx.
905         (JSC::Yarr::YarrGenerator::generateReturn): Pop ecx.
906
907 2017-09-22  Saam Barati  <sbarati@apple.com>
908
909         Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
910         https://bugs.webkit.org/show_bug.cgi?id=177368
911
912         Reviewed by Keith Miller.
913
914         * runtime/ErrorInstance.cpp:
915         (JSC::ErrorInstance::finishCreation):
916         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
917         (JSC::ErrorInstance::visitChildren):
918
919 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
920
921         [DFG][FTL] Profile array vector length for array allocation
922         https://bugs.webkit.org/show_bug.cgi?id=177051
923
924         Reviewed by Saam Barati.
925
926         Currently, NewArrayBuffer allocation is penalized by JSC: while an empty array gets a vector size of 25 (BASE_CONTIGUOUS_VECTOR_LEN),
927         the new_array_buffer case gets a vector size of 3 (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
928         if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
929         the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
930
931             empty array allocation,
932
933             var array = [];
934             array.push(0);
935             array.push(1);
936             array.push(2);
937             array.push(3);
938             array.push(4);
939
940             v.s. new_array_buffer case,
941
942             var array = [0];
943             array.push(1);
944             array.push(2);
945             array.push(3);
946             array.push(4);
947
948         In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (which is a bit likely),
949         we should allocate a vector size of 3 to 25 if it is likely to be grown. So we should gather a profile on the resulting array.
950
951         We select 25 to make it fit one of the size classes.
952
953         In this patch, we extend ArrayAllocationProfile to record the vector length, and use this information when allocating an array for new_array_buffer.
954         If the number of new_array_buffer constants is <= 25, the array vector size becomes 3 to 25 based on profiling. If the number of its constants
955         is larger than 25, we just use it for allocation as before.
956
957         The added microbenchmark and SixSpeed spread-literal.es5 show improvement.
958
959             new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
960             spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster
961
962         * bytecode/ArrayAllocationProfile.cpp:
963         (JSC::ArrayAllocationProfile::updateProfile):
964         (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
965         * bytecode/ArrayAllocationProfile.h:
966         (JSC::ArrayAllocationProfile::selectIndexingType):
967         (JSC::ArrayAllocationProfile::vectorLengthHint):
968         (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
969         * bytecode/CodeBlock.cpp:
970         (JSC::CodeBlock::updateAllArrayPredictions):
971         * dfg/DFGByteCodeParser.cpp:
972         (JSC::DFG::ByteCodeParser::parseBlock):
973         * dfg/DFGGraph.cpp:
974         (JSC::DFG::Graph::dump):
975         * dfg/DFGNode.h:
976         (JSC::DFG::Node::vectorLengthHint):
977         * dfg/DFGOperations.cpp:
978         * dfg/DFGOperations.h:
979         * dfg/DFGSpeculativeJIT64.cpp:
980         (JSC::DFG::SpeculativeJIT::compile):
981         * ftl/FTLLowerDFGToB3.cpp:
982         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
983         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
984         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
985         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
986         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
987         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
988         * runtime/ArrayConventions.h:
989         * runtime/JSArray.h:
990         (JSC::JSArray::tryCreate):
991
992 2017-09-22  Commit Queue  <commit-queue@webkit.org>
993
994         Unreviewed, rolling out r222380.
995         https://bugs.webkit.org/show_bug.cgi?id=177352
996
997         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
998         #webkit).
999
1000         Reverted changeset:
1001
1002         "[DFG][FTL] Profile array vector length for array allocation"
1003         https://bugs.webkit.org/show_bug.cgi?id=177051
1004         http://trac.webkit.org/changeset/222380
1005
1006 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1007
1008         [DFG][FTL] Profile array vector length for array allocation
1009         https://bugs.webkit.org/show_bug.cgi?id=177051
1010
1011         Reviewed by Saam Barati.
1012
1013         Currently, NewArrayBuffer allocation is penalized by JSC: while an empty array gets a vector size of 25 (BASE_CONTIGUOUS_VECTOR_LEN),
1014         the new_array_buffer case gets a vector size of 3 (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
1015         if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
1016         the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
1017
1018             empty array allocation,
1019
1020             var array = [];
1021             array.push(0);
1022             array.push(1);
1023             array.push(2);
1024             array.push(3);
1025             array.push(4);
1026
1027             v.s. new_array_buffer case,
1028
1029             var array = [0];
1030             array.push(1);
1031             array.push(2);
1032             array.push(3);
1033             array.push(4);
1034
1035         In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (which is a bit likely),
1036         we should allocate a vector size of 3 to 25 if it is likely to be grown. So we should gather a profile on the resulting array.
1037
1038         We select 25 to make it fit one of the size classes.
1039
1040         In this patch, we extend ArrayAllocationProfile to record the vector length, and use this information when allocating an array for new_array_buffer.
1041         If the number of new_array_buffer constants is <= 25, the array vector size becomes 3 to 25 based on profiling. If the number of its constants
1042         is larger than 25, we just use it for allocation as before.
1043
1044         The added microbenchmark and SixSpeed spread-literal.es5 show improvement.
1045
1046             new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
1047             spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster
1048
1049         * bytecode/ArrayAllocationProfile.cpp:
1050         (JSC::ArrayAllocationProfile::updateProfile):
1051         (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
1052         * bytecode/ArrayAllocationProfile.h:
1053         (JSC::ArrayAllocationProfile::selectIndexingType):
1054         (JSC::ArrayAllocationProfile::vectorLengthHint):
1055         (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
1056         * bytecode/CodeBlock.cpp:
1057         (JSC::CodeBlock::updateAllArrayPredictions):
1058         * dfg/DFGByteCodeParser.cpp:
1059         (JSC::DFG::ByteCodeParser::parseBlock):
1060         * dfg/DFGGraph.cpp:
1061         (JSC::DFG::Graph::dump):
1062         * dfg/DFGNode.h:
1063         (JSC::DFG::Node::vectorLengthHint):
1064         * dfg/DFGOperations.cpp:
1065         * dfg/DFGOperations.h:
1066         * dfg/DFGSpeculativeJIT64.cpp:
1067         (JSC::DFG::SpeculativeJIT::compile):
1068         * ftl/FTLLowerDFGToB3.cpp:
1069         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1070         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1071         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1072         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1073         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
1074         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
1075         * runtime/ArrayConventions.h:
1076         * runtime/JSArray.h:
1077         (JSC::JSArray::tryCreate):
1078
1079 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
1080
1081         Web Inspector: Remove support for CSS Regions
1082         https://bugs.webkit.org/show_bug.cgi?id=177287
1083
1084         Reviewed by Matt Baker.
1085
1086         * inspector/protocol/CSS.json:
1087         * inspector/protocol/OverlayTypes.json:
1088
1089 2017-09-21  Brian Burg  <bburg@apple.com>
1090
1091         Web Inspector: keyboard shortcut for "Reload page from origin" doesn't match Safari, and doesn't work
1092         https://bugs.webkit.org/show_bug.cgi?id=177010
1093         <rdar://problem/33134548>
1094
1095         Reviewed by Joseph Pecoraro.
1096
1097         Use "reload from origin" nomenclature instead of "reload ignoring cache".
1098
1099         * inspector/protocol/Page.json: Improve the comment, but don't change the
1100         parameter name since this would be a divergence from legacy protocols.
1101
1102 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
1103
1104         test262: test262/test/annexB/built-ins/RegExp/prototype/flags/order-after-compile.js ASSERTs
1105         https://bugs.webkit.org/show_bug.cgi?id=177307
1106
1107         Reviewed by Michael Saboff.
1108
1109         * runtime/RegExpPrototype.cpp:
1110         In r221160 we added support for the new RegExp flag (dotAll).
1111         We needed to make space for it in FlagsString.
1112
1113 2017-09-20  Keith Miller  <keith_miller@apple.com>
1114
1115         JSC should use unified sources for platform specific files.
1116         https://bugs.webkit.org/show_bug.cgi?id=177290
1117
1118         Reviewed by Michael Saboff.
1119
1120         Add a list of platform specific source files and update the
1121         Generate Unified Sources phase of the Xcode build. I skipped WPE
1122         since that seems to have failed for some reason that I didn't
1123         fully understand. See:
1124         https://webkit-queues.webkit.org/results/4611260
1125
1126         Also, fix duplicate symbols in Glib remote inspector files.
1127
1128         * CMakeLists.txt:
1129         * JavaScriptCore.xcodeproj/project.pbxproj:
1130         * PlatformGTK.cmake:
1131         * PlatformMac.cmake:
1132         * SourcesGTK.txt: Added.
1133         * SourcesMac.txt: Added.
1134         * inspector/remote/glib/RemoteInspectorServer.cpp:
1135         (Inspector::RemoteInspectorServer::interfaceInfo):
1136         (Inspector::RemoteInspectorServer::setTargetList):
1137         (Inspector::RemoteInspectorServer::setupInspectorClient):
1138         (Inspector::RemoteInspectorServer::setup):
1139         (Inspector::RemoteInspectorServer::close):
1140         (Inspector::RemoteInspectorServer::connectionClosed):
1141         (Inspector::RemoteInspectorServer::sendMessageToBackend):
1142         (Inspector::RemoteInspectorServer::sendMessageToFrontend):
1143         (Inspector::dbusConnectionCallAsyncReadyCallback): Deleted.
1144
1145 2017-09-20  Stephan Szabo  <stephan.szabo@sony.com>
1146
1147         [Win] WTF: Add alias for process id to use in place of direct uses of pid_t
1148         https://bugs.webkit.org/show_bug.cgi?id=177017
1149
1150         Reviewed by Alex Christensen.
1151
1152         * API/JSRemoteInspector.cpp:
1153         (JSRemoteInspectorSetParentProcessInformation):
1154         * API/JSRemoteInspector.h:
1155         * inspector/remote/RemoteInspector.h:
1156
1157 2017-09-20  Keith Miller  <keith_miller@apple.com>
1158
1159         Rename source list file to Sources.txt
1160         https://bugs.webkit.org/show_bug.cgi?id=177283
1161
1162         Reviewed by Saam Barati.
1163
1164         * CMakeLists.txt:
1165         * JavaScriptCore.xcodeproj/project.pbxproj:
1166         * Sources.txt: Renamed from Source/JavaScriptCore/sources.txt.
1167
1168 2017-09-20  Keith Miller  <keith_miller@apple.com>
1169
1170         Unreviewed, fix string capitalization
1171
1172         * JavaScriptCore.xcodeproj/project.pbxproj:
1173
1174 2017-09-20  Keith Miller  <keith_miller@apple.com>
1175
1176         JSC Xcode build should use unified sources for platform independent files
1177         https://bugs.webkit.org/show_bug.cgi?id=177190
1178
1179         Reviewed by Saam Barati.
1180
1181         This patch changes the Xcode build to use unified sources. The
1182         main difference from a development perspective is that instead of
1183         adding source files to Xcode, they need to be added to the shared
1184         sources.txt. For now, platform specific files are still added
1185         to the JavaScriptCore target.
1186
1187         Because Xcode needs to know about all the files before we generate
1188         them, all the unified source files need to be added to the
1189         JavaScriptCore framework target. As a result, if we run out of
1190         bundle files more will need to be added to the project. Currently,
1191         there are no spare files. If adding more bundle files becomes
1192         problematic we can change this.
1193
1194         LowLevelInterpreter.cpp can't be added to the unified source list yet
1195         due to a clang bug.
1196
1197         * CMakeLists.txt:
1198         * JavaScriptCore.xcodeproj/project.pbxproj:
1199         * sources.txt: Added.
1200
1201 2017-09-20  Per Arne Vollan  <pvollan@apple.com>
1202
1203         [Win] Cannot find script to generate unified sources.
1204         https://bugs.webkit.org/show_bug.cgi?id=177014
1205
1206         Reviewed by Keith Miller.
1207
1208         The ruby script can now be found in WTF/Scripts in the forwarding headers folder.
1209
1210         * CMakeLists.txt:
1211         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
1212
1213 2017-09-20  Alberto Garcia  <berto@igalia.com>
1214
1215         Fix HPPA and Alpha builds
1216         https://bugs.webkit.org/show_bug.cgi?id=177224
1217
1218         Reviewed by Alex Christensen.
1219
1220         * CMakeLists.txt:
1221
1222 2017-09-18  Filip Pizlo  <fpizlo@apple.com>
1223
1224         ErrorInstance and Exception need destroy methods
1225         https://bugs.webkit.org/show_bug.cgi?id=177095
1226
1227         Reviewed by Saam Barati.
1228         
1229         When I made ErrorInstance and Exception into JSDestructibleObjects, I forgot to make them
1230         follow that type's protocol.
1231
1232         * runtime/ErrorInstance.cpp:
1233         (JSC::ErrorInstance::destroy): Implement this to fix leaks.
1234         * runtime/ErrorInstance.h:
1235         * runtime/Exception.h: Change how this is declared now that this is a DestructibleObject.
1236
1237 2017-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1238
1239         [JSC] Consider dropping JSObjectSetPrototype feature for JSGlobalObject
1240         https://bugs.webkit.org/show_bug.cgi?id=177070
1241
1242         Reviewed by Saam Barati.
1243
1244         For security reasons, our global object is an immutable prototype exotic object.
1245         It prevents users from injecting proxies into the prototype chain of the global object[1].
1246         But our JSC API does not respect this attribute, and allows users to change the [[Prototype]]
1247         of the global object after instantiating it.
1248
1249         This patch removes this feature. Once the global object is instantiated, we cannot change the [[Prototype]]
1250         of the global object. It drops the JSGlobalObject::resetPrototype use, which involves GlobalThis
1251         edge cases.
1252
1253         [1]: https://github.com/tc39/ecma262/commit/935dad4283d045bc09c67a259279772d01b3d33d
1254
1255         * API/JSObjectRef.cpp:
1256         (JSObjectSetPrototype):
1257         * API/tests/CustomGlobalObjectClassTest.c:
1258         (globalObjectSetPrototypeTest):
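
        The hazard this entry guards against, as an added example that is not part of the original ChangeLog entry or of the JSC tree: a Proxy on an object's prototype chain sees every lookup that misses on the object, and an immutable prototype exotic object is one that refuses the prototype swap needed to plant it. `Object.prototype` stands in as the immutable object because every current engine treats it that way; whether the host's own global object is immutable is only probed, and the function names are chosen here.

```javascript
// Added example, not code from the WebKit ChangeLog or the JSC tree: it
// shows what an immutable prototype exotic object guards against and how to
// check for one from script.

// Records every name that reaches a Proxy sitting in the prototype chain of
// an ordinary (mutable-prototype) object created for the demonstration. On a
// global object whose [[Prototype]] could be swapped this way, every
// unresolved global name would reach the trap the same way.
function lookupsSeenByPrototypeProxy(propertyNames) {
  const observed = [];
  const trap = new Proxy({}, {
    get(target, name) {
      observed.push(String(name));
      return undefined; // behave like a miss so callers notice nothing
    },
  });
  const victim = Object.create(trap); // prototype chain: victim -> trap
  for (const name of propertyNames) void victim[name]; // each miss hits the trap
  return observed;
}

// Reports whether `obj` refuses a prototype change. Reflect.setPrototypeOf
// returns false instead of throwing, which keeps the probe quiet; if the
// swap did succeed it is undone before returning. Note that a non-extensible
// object also refuses, so a true result means "cannot be re-prototyped",
// not necessarily "is an immutable prototype exotic object".
function prototypeIsImmutable(obj) {
  const before = Object.getPrototypeOf(obj);
  const replacement = Object.create(null);
  const swapped = Reflect.setPrototypeOf(obj, replacement);
  if (swapped) Reflect.setPrototypeOf(obj, before);
  return !swapped && Object.getPrototypeOf(obj) === before;
}

// Host probe: expected true for a browser Window and, after this patch, for
// a JSGlobalObject reached through the JSC C API; Node.js's global object is
// assumed here to be an ordinary object, so it is expected to return false.
function hostGlobalObjectIsImmutable() {
  return prototypeIsImmutable(globalThis);
}
```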
1259
1260 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1261
1262         [DFG] Remove ToThis more aggressively
1263         https://bugs.webkit.org/show_bug.cgi?id=177056
1264
1265         Reviewed by Saam Barati.
1266
1267         The variation of toThis() implementations is limited. So we attempt to implement the common toThis operation in AI.
1268         We move scope-related toThis to JSScope::toThis, and AI investigates the toThis methods of the proven value/structure
1269         and attempts to fold/convert them to efficient nodes.
1270
1271         We introduce GetGlobalThis, which just loads globalThis from the semantic origin's globalObject. Using this,
1272         we can implement JSScope::toThis in DFG. This can avoid the costly toThis indirect function pointer call.
1273
1274         Currently, we just emit GetGlobalThis if necessary. We can further convert it to a constant if we can put a
1275         watchpoint on JSGlobalObject's globalThis change. But we leave it for a future patch for now.
1276
1277         This removes GetGlobalThis from ES6 generators in common cases.
1278
1279         spread-generator.es6      303.1550+-9.5037          290.9337+-8.3487          might be 1.0420x faster
1280
1281         * dfg/DFGAbstractInterpreterInlines.h:
1282         (JSC::DFG::isToThisAnIdentity):
1283         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1284         * dfg/DFGClobberize.h:
1285         (JSC::DFG::clobberize):
1286         * dfg/DFGConstantFoldingPhase.cpp:
1287         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1288         * dfg/DFGDoesGC.cpp:
1289         (JSC::DFG::doesGC):
1290         * dfg/DFGFixupPhase.cpp:
1291         (JSC::DFG::FixupPhase::fixupNode):
1292         * dfg/DFGNode.h:
1293         (JSC::DFG::Node::convertToGetGlobalThis):
1294         * dfg/DFGNodeType.h:
1295         * dfg/DFGPredictionPropagationPhase.cpp:
1296         * dfg/DFGSafeToExecute.h:
1297         (JSC::DFG::safeToExecute):
1298         * dfg/DFGSpeculativeJIT.cpp:
1299         (JSC::DFG::SpeculativeJIT::compileGetGlobalThis):
1300         * dfg/DFGSpeculativeJIT.h:
1301         * dfg/DFGSpeculativeJIT32_64.cpp:
1302         (JSC::DFG::SpeculativeJIT::compile):
1303         * dfg/DFGSpeculativeJIT64.cpp:
1304         (JSC::DFG::SpeculativeJIT::compile):
1305         * ftl/FTLCapabilities.cpp:
1306         (JSC::FTL::canCompile):
1307         * ftl/FTLLowerDFGToB3.cpp:
1308         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1309         (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
1310         * runtime/JSGlobalLexicalEnvironment.cpp:
1311         (JSC::JSGlobalLexicalEnvironment::toThis): Deleted.
1312         * runtime/JSGlobalLexicalEnvironment.h:
1313         * runtime/JSGlobalObject.cpp:
1314         (JSC::JSGlobalObject::toThis): Deleted.
1315         * runtime/JSGlobalObject.h:
1316         (JSC::JSGlobalObject::addressOfGlobalThis):
1317         * runtime/JSLexicalEnvironment.cpp:
1318         (JSC::JSLexicalEnvironment::toThis): Deleted.
1319         * runtime/JSLexicalEnvironment.h:
1320         * runtime/JSScope.cpp:
1321         (JSC::JSScope::toThis):
1322         * runtime/JSScope.h:
1323         * runtime/StrictEvalActivation.cpp:
1324         (JSC::StrictEvalActivation::toThis): Deleted.
1325         * runtime/StrictEvalActivation.h:
1326
1327 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1328
1329         Merge JSLexicalEnvironment and JSEnvironmentRecord
1330         https://bugs.webkit.org/show_bug.cgi?id=175492
1331
1332         Reviewed by Saam Barati.
1333
1334         JSEnvironmentRecord is only inherited by JSLexicalEnvironment.
1335         We can merge JSEnvironmentRecord and JSLexicalEnvironment.
1336
1337         * CMakeLists.txt:
1338         * JavaScriptCore.xcodeproj/project.pbxproj:
1339         * dfg/DFGSpeculativeJIT.cpp:
1340         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1341         * dfg/DFGSpeculativeJIT32_64.cpp:
1342         (JSC::DFG::SpeculativeJIT::compile):
1343         * dfg/DFGSpeculativeJIT64.cpp:
1344         (JSC::DFG::SpeculativeJIT::compile):
1345         * ftl/FTLAbstractHeapRepository.h:
1346         * ftl/FTLLowerDFGToB3.cpp:
1347         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1348         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1349         (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
1350         (JSC::FTL::DFG::LowerDFGToB3::compilePutClosureVar):
1351         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1352         * jit/JITPropertyAccess.cpp:
1353         (JSC::JIT::emitGetClosureVar):
1354         (JSC::JIT::emitPutClosureVar):
1355         (JSC::JIT::emitScopedArgumentsGetByVal):
1356         * jit/JITPropertyAccess32_64.cpp:
1357         (JSC::JIT::emitGetClosureVar):
1358         (JSC::JIT::emitPutClosureVar):
1359         * llint/LLIntOffsetsExtractor.cpp:
1360         * llint/LowLevelInterpreter.asm:
1361         * llint/LowLevelInterpreter32_64.asm:
1362         * llint/LowLevelInterpreter64.asm:
1363         * runtime/JSEnvironmentRecord.cpp: Removed.
1364         * runtime/JSEnvironmentRecord.h: Removed.
1365         * runtime/JSLexicalEnvironment.cpp:
1366         (JSC::JSLexicalEnvironment::visitChildren):
1367         (JSC::JSLexicalEnvironment::heapSnapshot):
1368         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1369         * runtime/JSLexicalEnvironment.h:
1370         (JSC::JSLexicalEnvironment::subspaceFor):
1371         (JSC::JSLexicalEnvironment::variables):
1372         (JSC::JSLexicalEnvironment::isValidScopeOffset):
1373         (JSC::JSLexicalEnvironment::variableAt):
1374         (JSC::JSLexicalEnvironment::offsetOfVariables):
1375         (JSC::JSLexicalEnvironment::offsetOfVariable):
1376         (JSC::JSLexicalEnvironment::allocationSizeForScopeSize):
1377         (JSC::JSLexicalEnvironment::allocationSize):
1378         (JSC::JSLexicalEnvironment::finishCreationUninitialized):
1379         (JSC::JSLexicalEnvironment::finishCreation):
1380         * runtime/JSModuleEnvironment.cpp:
1381         (JSC::JSModuleEnvironment::create):
1382         * runtime/JSObject.h:
1383         (JSC::JSObject::isEnvironment const):
1384         (JSC::JSObject::isEnvironmentRecord const): Deleted.
1385         * runtime/JSSegmentedVariableObject.h:
1386         * runtime/StringPrototype.cpp:
1387         (JSC::checkObjectCoercible):
1388
1389 2017-09-15  Saam Barati  <sbarati@apple.com>
1390
1391         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
1392         https://bugs.webkit.org/show_bug.cgi?id=176981
1393
1394         Reviewed by Yusuke Suzuki.
1395
1396         This patch makes inline arity fixup happen in two phases:
1397         1. We get all the values we need and MovHint them to the expected locals.
1398         2. We SetLocal them inside the callee's CodeOrigin. This way, if we exit, the callee's
1399            frame is already set up. If any SetLocal exits, we have a valid exit state.
1400            This is required because if we didn't do this in two phases, we may exit in
1401            the middle of arity fixup from the caller's CodeOrigin. This is unsound because if
1402            we did the SetLocals in the caller's frame, the memcpy may clobber needed parts
1403            of the frame right before exiting. For example, consider if we need to pad two args:
1404            [arg3][arg2][arg1][arg0]
1405            [fix ][fix ][arg3][arg2][arg1][arg0]
1406            We memcpy starting from arg0 in the direction of arg3. If we were to exit at a type check
1407            for arg3's SetLocal in the caller's CodeOrigin, we'd exit with a frame like so:
1408            [arg3][arg2][arg1][arg2][arg1][arg0]
1409            And the caller would then just end up thinking its argument are:
1410            [arg3][arg2][arg1][arg2]
1411            which is incorrect.
1412        
1413        
1414         This patch also fixes a couple of bugs in IdentityWithProfile:
1415         1. The bytecode generator for this bytecode intrinsic was written incorrectly.
1416            It needed to store the result of evaluating its argument in a temporary that
1417            it creates. Otherwise, it might try to simply overwrite a constant
1418            or a register that it didn't own.
1419         2. We weren't eliminating this node in CSE inside the DFG.
1420
1421         * bytecompiler/NodesCodegen.cpp:
1422         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
1423         * dfg/DFGByteCodeParser.cpp:
1424         (JSC::DFG::ByteCodeParser::inlineCall):
1425         * dfg/DFGCSEPhase.cpp:
1426
1427 2017-09-15  JF Bastien  <jfbastien@apple.com>
1428
1429         WTF: use Forward.h when appropriate instead of Vector.h
1430         https://bugs.webkit.org/show_bug.cgi?id=176984
1431
1432         Reviewed by Saam Barati.
1433
1434         There's no need to include Vector.h when Forward.h will suffice. All we need is to move the template default parameters from Vector, and then the forward declaration can be used in so many new places: if a header only takes Vector by reference, rvalue reference, pointer, returns any of these, or has them as members then the header doesn't need to see the definition because the declaration will suffice.
1435
1436         * bytecode/HandlerInfo.h:
1437         * heap/GCIncomingRefCounted.h:
1438         * heap/GCSegmentedArray.h:
1439         * wasm/js/JSWebAssemblyModule.h:
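
        The forward-declaration rule this entry relies on, shown as an added example (not WebKit code): the default template arguments live on the Forward.h-style declaration, and a header that only takes the type by reference, rvalue reference or pointer, or returns it, compiles against that declaration alone. The Vector, Tokenizer and sumOfDoubledTokens names below are hypothetical stand-ins, and the three "headers" are simulated as sections of one translation unit.

```cpp
// Added illustration (not WebKit code) of why a Forward.h-style declaration
// is enough for headers that only pass a class template around. The
// "headers" are simulated as commented sections of one translation unit, and
// the names (Vector, Tokenizer, sumOfDoubledTokens) are hypothetical.
#include <cstddef>
#include <utility>

// ---- Forward.h: the declaration carries the default template arguments.
// C++ allows a default template argument to be specified only once, and it
// must be on the first declaration a translation unit sees, so it has to be
// here rather than on the definition.
template<typename T, std::size_t inlineCapacity = 0>
class Vector;

// ---- Tokenizer.h: uses Vector only by reference, rvalue reference, pointer
// and as a return type. None of these needs the class body, so this header
// includes only the forward declaration.
class Tokenizer {
public:
    explicit Tokenizer(const Vector<int>& seed);   // by reference: OK
    Vector<int> tokens() const;                    // returned by value: OK to declare
    void retire(Vector<int>&& consumed);           // by rvalue reference: OK
    std::size_t retired() const { return m_retired; }
private:
    const Vector<int>* m_seed;                     // pointer member: OK
    std::size_t m_retired = 0;
    // Vector<int> m_buffer;                       // by-value member: would need Vector.h
};

// ---- Vector.h: the definition. The default arguments are NOT repeated here;
// doing so is a compile error ("redefinition of default argument").
template<typename T, std::size_t inlineCapacity>
class Vector {
public:
    static constexpr std::size_t kCapacity = inlineCapacity ? inlineCapacity : 16;
    void append(const T& value) { if (m_size < kCapacity) m_items[m_size++] = value; }
    std::size_t size() const { return m_size; }
    const T& operator[](std::size_t i) const { return m_items[i]; }
private:
    T m_items[kCapacity] = {};
    std::size_t m_size = 0;
};

// ---- Tokenizer.cpp: includes both headers, so the bodies may use Vector.
Tokenizer::Tokenizer(const Vector<int>& seed) : m_seed(&seed) {}

Vector<int> Tokenizer::tokens() const {
    Vector<int> out;
    for (std::size_t i = 0; i < m_seed->size(); ++i)
        out.append((*m_seed)[i] * 2);
    return out;
}

void Tokenizer::retire(Vector<int>&& consumed) { m_retired += consumed.size(); }

// Builds a seed of 1, 2, 3, tokenizes it and returns the sum of the doubled
// tokens (12), exercising every declaration above.
int sumOfDoubledTokens() {
    Vector<int> seed;
    seed.append(1);
    seed.append(2);
    seed.append(3);
    Tokenizer tokenizer(seed);
    Vector<int> out = tokenizer.tokens();
    int sum = 0;
    for (std::size_t i = 0; i < out.size(); ++i)
        sum += out[i];
    tokenizer.retire(std::move(out));
    return sum;
}
```

        The commented-out by-value member is the one case the entry excludes: a member of type Vector<int> needs sizeof(Vector<int>), so a header holding one would still have to include Vector.h.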
1440
1441 2017-09-14  Saam Barati  <sbarati@apple.com>
1442
1443         We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags
1444         https://bugs.webkit.org/show_bug.cgi?id=176863
1445
1446         Reviewed by Keith Miller.
1447
1448         * CMakeLists.txt:
1449         * JavaScriptCore.xcodeproj/project.pbxproj:
1450         * runtime/ProxyObject.cpp:
1451         (JSC::performProxyGet):
1452         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1453         (JSC::ProxyObject::performHasProperty):
1454         (JSC::ProxyObject::getOwnPropertySlotCommon):
1455         (JSC::ProxyObject::performPut):
1456         (JSC::performProxyCall):
1457         (JSC::performProxyConstruct):
1458         (JSC::ProxyObject::performDelete):
1459         (JSC::ProxyObject::performPreventExtensions):
1460         (JSC::ProxyObject::performIsExtensible):
1461         (JSC::ProxyObject::performDefineOwnProperty):
1462         (JSC::ProxyObject::performGetOwnPropertyNames):
1463         (JSC::ProxyObject::performSetPrototype):
1464         (JSC::ProxyObject::performGetPrototype):
1465
1466 2017-09-14  Saam Barati  <sbarati@apple.com>
1467
1468         Make dumping the graph print both when exitOK and when !exitOK
1469         https://bugs.webkit.org/show_bug.cgi?id=176954
1470
1471         Reviewed by Keith Miller.
1472
1473         * dfg/DFGGraph.cpp:
1474         (JSC::DFG::Graph::dump):
1475
1476 2017-09-14  Saam Barati  <sbarati@apple.com>
1477
1478         It should be valid to exit before each set when doing arity fixup when inlining
1479         https://bugs.webkit.org/show_bug.cgi?id=176948
1480
1481         Reviewed by Keith Miller.
1482
1483         This patch makes it so that we can exit before each SetLocal when doing arity
1484         fixup during inlining. This is OK because if we exit at any of these SetLocals,
1485         we will simply exit to the beginning of the call instruction.
1486         
1487         Not doing this led to a bug where FixupPhase would insert a ValueRep of
1488         a node before the actual node. This is obviously invalid IR. I've added
1489         a new validation rule to catch this malformed IR.
1490
1491         * dfg/DFGByteCodeParser.cpp:
1492         (JSC::DFG::ByteCodeParser::inliningCost):
1493         (JSC::DFG::ByteCodeParser::inlineCall):
1494         * dfg/DFGValidate.cpp:
1495         * runtime/Options.h:
1496
1497 2017-09-14  Mark Lam  <mark.lam@apple.com>
1498
1499         AddressSanitizer: stack-buffer-underflow in JSC::Probe::Page::Page
1500         https://bugs.webkit.org/show_bug.cgi?id=176874
1501         <rdar://problem/34436415>
1502
1503         Reviewed by Saam Barati.
1504
1505         1. Make Probe::Stack play nice with ASan by:
1506
1507            a. using a local memcpy implementation that suppresses ASan on ASan builds.
1508               We don't want to use std::memcpy() which validates stack memory because
1509               we are intentionally copying stack memory beyond the current frame.
1510
1511            b. changing Stack::s_chunkSize to equal sizeof(uintptr_t) on ASan builds.
1512               This ensures that Page::flushWrites() only writes stack memory that was
1513               modified by a probe.  The probes should only modify stack memory that
1514               belongs to JSC stack data structures.  We don't want to inadvertently
1515               modify adjacent words that may belong to ASan (which may happen if
1516               s_chunkSize is larger than sizeof(uintptr_t)).
1517
1518            c. fixing a bug in Page dirtyBits management for when the size of the value to
1519               write is greater than s_chunkSize.  The fix is generic, but in practice,
1520               this currently only manifests on 32-bit ASan builds because
1521               sizeof(uintptr_t) and s_chunkSize are 32-bit, and we may write 64-bit
1522               values.
1523
1524            d. making Page::m_dirtyBits 64 bits always.  This maximizes the number of
1525               s_chunksPerPage we can have even on ASan builds.
1526
1527         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
1528            std::memcpy to avoid strict aliasing issues.
1529
1530         3. Optimized the implementation of Page::physicalAddressFor().
1531
1532         4. Optimized the implementation of Stack::set() in the recording of the low
1533            watermark.  We just record the lowest raw pointer now, and only compute the
1534            alignment to its chunk boundary later when the low watermark is requested.
1535
1536         5. Changed a value in testmasm to make the test less vulnerable to rounding issues.
1537
1538         No new test needed because this is already covered by testmasm with ASan enabled.
1539
1540         * assembler/ProbeContext.h:
1541         (JSC::Probe::CPUState::gpr const):
1542         (JSC::Probe::CPUState::spr const):
1543         (JSC::Probe::Context::gpr):
1544         (JSC::Probe::Context::spr):
1545         (JSC::Probe::Context::fpr):
1546         (JSC::Probe::Context::gprName):
1547         (JSC::Probe::Context::sprName):
1548         (JSC::Probe::Context::fprName):
1549         (JSC::Probe::Context::gpr const):
1550         (JSC::Probe::Context::spr const):
1551         (JSC::Probe::Context::fpr const):
1552         (JSC::Probe::Context::pc):
1553         (JSC::Probe::Context::fp):
1554         (JSC::Probe::Context::sp):
1555         (JSC::Probe:: const): Deleted.
1556         * assembler/ProbeStack.cpp:
1557         (JSC::Probe::copyStackPage):
1558         (JSC::Probe::Page::Page):
1559         (JSC::Probe::Page::flushWrites):
1560         * assembler/ProbeStack.h:
1561         (JSC::Probe::Page::get):
1562         (JSC::Probe::Page::set):
1563         (JSC::Probe::Page::dirtyBitFor):
1564         (JSC::Probe::Page::physicalAddressFor):
1565         (JSC::Probe::Stack::lowWatermark):
1566         (JSC::Probe::Stack::get):
1567         (JSC::Probe::Stack::set):
1568         * assembler/testmasm.cpp:
1569         (JSC::testProbeModifiesStackValues):
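
        A model of the chunked shadow page and dirty-bit bookkeeping this entry describes, added here as an example and not JSC's ProbeStack code. It uses the ASan-build chunk size (sizeof(uint32_t)) from item 1b so that a 64-bit write spans two chunks, and places the pre-fix and fixed dirty-bit computations from item 1c side by side; kPageSize and the function names are hypothetical.

```cpp
// Added illustration (not JSC's ProbeStack code) of the chunked shadow page
// described above: a probe writes into a copy of a stack page, every chunk
// it touches is recorded in a 64-bit dirty mask, and only dirty chunks are
// copied back. kPageSize is hypothetical; the chunk size is the ASan-build
// value from the entry, which is what exposes the wide-write bug.
#include <cstddef>
#include <cstdint>
#include <cstring>

struct ShadowPage {
    static constexpr std::size_t kPageSize = 256;
    static constexpr std::size_t kChunkSize = sizeof(std::uint32_t);
    static constexpr std::size_t kChunksPerPage = kPageSize / kChunkSize;
    static_assert(kChunksPerPage <= 64, "dirty mask holds at most 64 chunks");

    std::uint8_t shadow[kPageSize];
    std::uint64_t dirtyBits = 0;   // always 64 bits, as in item 1d

    explicit ShadowPage(const std::uint8_t* base) { std::memcpy(shadow, base, kPageSize); }

    // The pre-fix computation: only the chunk holding the first byte of the
    // write is marked, regardless of how wide the write is (item 1c).
    static std::uint64_t dirtyBitsNaive(std::size_t offset, std::size_t) {
        return std::uint64_t(1) << (offset / kChunkSize);
    }

    // The fixed computation: mark every chunk that [offset, offset + size) overlaps.
    static std::uint64_t dirtyBitsFor(std::size_t offset, std::size_t size) {
        std::size_t first = offset / kChunkSize;
        std::size_t last = (offset + size - 1) / kChunkSize;
        std::uint64_t mask = 0;
        for (std::size_t chunk = first; chunk <= last; ++chunk)
            mask |= std::uint64_t(1) << chunk;
        return mask;
    }

    // Record a value at an offset; memcpy rather than a type-punned store
    // sidesteps strict-aliasing problems (item 2).
    template<typename T>
    void set(std::size_t offset, T value, bool useFixedDirtyBits = true) {
        std::memcpy(shadow + offset, &value, sizeof(T));
        dirtyBits |= useFixedDirtyBits ? dirtyBitsFor(offset, sizeof(T))
                                       : dirtyBitsNaive(offset, sizeof(T));
    }

    // Copy back only the dirty chunks. Words the probe never touched keep
    // whatever the real page holds now, even if the shadow copy is stale.
    void flushWrites(std::uint8_t* base) const {
        for (std::size_t chunk = 0; chunk < kChunksPerPage; ++chunk) {
            if (dirtyBits & (std::uint64_t(1) << chunk))
                std::memcpy(base + chunk * kChunkSize, shadow + chunk * kChunkSize, kChunkSize);
        }
    }
};

// Write a 64-bit value at offset 8 through 32-bit chunks and return what the
// "real" page holds after the flush. With the naive mask only one of the two
// chunks is flushed, so the value comes back with half of it missing.
std::uint64_t flushedValueAfterWideWrite(bool useFixedDirtyBits) {
    std::uint8_t page[ShadowPage::kPageSize];
    std::memset(page, 0, sizeof page);
    ShadowPage shadow(page);
    shadow.set<std::uint64_t>(8, 0x1122334455667788ULL, useFixedDirtyBits);
    shadow.flushWrites(page);
    std::uint64_t result;
    std::memcpy(&result, page + 8, sizeof result);
    return result;
}

// The flush must not resurrect stale bytes outside the dirty chunks: snapshot
// the page, write one 32-bit word, change the real page underneath, flush, and
// check that only the written chunk differs from the new contents.
bool flushLeavesUntouchedChunksAlone() {
    std::uint8_t page[ShadowPage::kPageSize];
    std::memset(page, 0xAA, sizeof page);
    ShadowPage shadow(page);                 // shadow now holds 0xAA everywhere
    shadow.set<std::uint32_t>(16, 0xDEADBEEFu);
    std::memset(page, 0x55, sizeof page);    // the real page moves on
    shadow.flushWrites(page);
    for (std::size_t i = 0; i < sizeof page; ++i) {
        bool inWrittenChunk = i >= 16 && i < 16 + ShadowPage::kChunkSize;
        if (!inWrittenChunk && page[i] != 0x55)
            return false;
    }
    return true;
}
```

        flushedValueAfterWideWrite(false) returns the value with one half missing: the naive mask flushes only the chunk containing offset 8, so the second chunk of the 64-bit store never reaches the real page. flushLeavesUntouchedChunksAlone shows why only dirty chunks may be flushed at all: the shadow copy was taken earlier and would otherwise overwrite words, ASan's or the caller's, that changed since.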
1570
1571 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1572
1573         [JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed
1574         https://bugs.webkit.org/show_bug.cgi?id=176917
1575
1576         Reviewed by Saam Barati.
1577
1578         * dfg/DFGByteCodeParser.cpp:
1579         (JSC::DFG::ByteCodeParser::inliningCost):
1580         * runtime/Options.h:
1581
1582 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1583
1584         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
1585         https://bugs.webkit.org/show_bug.cgi?id=176867
1586
1587         Reviewed by Sam Weinig.
1588
1589         We rarely require private symbols when enumerating property names.
1590         This patch adds PrivateSymbolMode::{Include,Exclude}. If PrivateSymbolMode::Exclude
1591         is specified, PropertyNameArray does not include private symbols.
1592         This removes many ad-hoc `Identifier::isPrivateName()` checks in enumeration operations.
1593
1594         One additional good thing is that we do not need to filter private symbols out from PropertyNameArray.
1595         It allows us to use Object.keys()'s fast path for Object.getOwnPropertySymbols.
1596
1597         object-get-own-property-symbols                48.6275+-1.0021     ^     38.1846+-1.7934        ^ definitely 1.2735x faster
1598
1599         * API/JSObjectRef.cpp:
1600         (JSObjectCopyPropertyNames):
1601         * bindings/ScriptValue.cpp:
1602         (Inspector::jsToInspectorValue):
1603         * bytecode/ObjectAllocationProfile.h:
1604         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
1605         * runtime/EnumerationMode.h:
1606         * runtime/IntlObject.cpp:
1607         (JSC::supportedLocales):
1608         * runtime/JSONObject.cpp:
1609         (JSC::Stringifier::Stringifier):
1610         (JSC::Stringifier::Holder::appendNextProperty):
1611         (JSC::Walker::walk):
1612         * runtime/JSPropertyNameEnumerator.cpp:
1613         (JSC::JSPropertyNameEnumerator::create):
1614         * runtime/JSPropertyNameEnumerator.h:
1615         (JSC::propertyNameEnumerator):
1616         * runtime/ObjectConstructor.cpp:
1617         (JSC::objectConstructorGetOwnPropertyDescriptors):
1618         (JSC::objectConstructorAssign):
1619         (JSC::objectConstructorValues):
1620         (JSC::defineProperties):
1621         (JSC::setIntegrityLevel):
1622         (JSC::testIntegrityLevel):
1623         (JSC::ownPropertyKeys):
1624         * runtime/PropertyNameArray.h:
1625         (JSC::PropertyNameArray::PropertyNameArray):
1626         (JSC::PropertyNameArray::propertyNameMode const):
1627         (JSC::PropertyNameArray::privateSymbolMode const):
1628         (JSC::PropertyNameArray::addUncheckedInternal):
1629         (JSC::PropertyNameArray::addUnchecked):
1630         (JSC::PropertyNameArray::add):
1631         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
1632         (JSC::PropertyNameArray::includeSymbolProperties const):
1633         (JSC::PropertyNameArray::includeStringProperties const):
1634         (JSC::PropertyNameArray::mode const): Deleted.
1635         * runtime/ProxyObject.cpp:
1636         (JSC::ProxyObject::performGetOwnPropertyNames):
1637
1638 2017-09-13  Mark Lam  <mark.lam@apple.com>
1639
1640         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
1641         https://bugs.webkit.org/show_bug.cgi?id=176888
1642         <rdar://problem/34381832>
1643
1644         Not reviewed.
1645
1646         * JavaScriptCore.xcodeproj/project.pbxproj:
1647         * assembler/MacroAssembler.cpp:
1648         (JSC::stdFunctionCallback):
1649         * assembler/MacroAssemblerPrinter.cpp:
1650         (JSC::Printer::printCallback):
1651         * assembler/ProbeContext.h:
1652         (JSC::Probe:: const):
1653         (JSC::Probe::Context::Context):
1654         (JSC::Probe::Context::gpr):
1655         (JSC::Probe::Context::spr):
1656         (JSC::Probe::Context::fpr):
1657         (JSC::Probe::Context::gprName):
1658         (JSC::Probe::Context::sprName):
1659         (JSC::Probe::Context::fprName):
1660         (JSC::Probe::Context::pc):
1661         (JSC::Probe::Context::fp):
1662         (JSC::Probe::Context::sp):
1663         (JSC::Probe::CPUState::gpr const): Deleted.
1664         (JSC::Probe::CPUState::spr const): Deleted.
1665         (JSC::Probe::Context::arg): Deleted.
1666         (JSC::Probe::Context::gpr const): Deleted.
1667         (JSC::Probe::Context::spr const): Deleted.
1668         (JSC::Probe::Context::fpr const): Deleted.
1669         * assembler/ProbeFrame.h: Removed.
1670         * assembler/ProbeStack.cpp:
1671         (JSC::Probe::Page::Page):
1672         * assembler/ProbeStack.h:
1673         (JSC::Probe::Page::get):
1674         (JSC::Probe::Page::set):
1675         (JSC::Probe::Page::physicalAddressFor):
1676         (JSC::Probe::Stack::lowWatermark):
1677         (JSC::Probe::Stack::get):
1678         (JSC::Probe::Stack::set):
1679         * bytecode/ArithProfile.cpp:
1680         * bytecode/ArithProfile.h:
1681         * bytecode/ArrayProfile.h:
1682         (JSC::ArrayProfile::observeArrayMode): Deleted.
1683         * bytecode/CodeBlock.cpp:
1684         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted.
1685         * bytecode/CodeBlock.h:
1686         (JSC::CodeBlock::addressOfOSRExitCounter):
1687         * bytecode/ExecutionCounter.h:
1688         (JSC::ExecutionCounter::hasCrossedThreshold const): Deleted.
1689         (JSC::ExecutionCounter::setNewThresholdForOSRExit): Deleted.
1690         * bytecode/MethodOfGettingAValueProfile.cpp:
1691         (JSC::MethodOfGettingAValueProfile::reportValue): Deleted.
1692         * bytecode/MethodOfGettingAValueProfile.h:
1693         * dfg/DFGDriver.cpp:
1694         (JSC::DFG::compileImpl):
1695         * dfg/DFGJITCode.cpp:
1696         (JSC::DFG::JITCode::findPC):
1697         * dfg/DFGJITCode.h:
1698         * dfg/DFGJITCompiler.cpp:
1699         (JSC::DFG::JITCompiler::linkOSRExits):
1700         (JSC::DFG::JITCompiler::link):
1701         * dfg/DFGOSRExit.cpp:
1702         (JSC::DFG::OSRExit::setPatchableCodeOffset):
1703         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const):
1704         (JSC::DFG::OSRExit::codeLocationForRepatch const):
1705         (JSC::DFG::OSRExit::correctJump):
1706         (JSC::DFG::OSRExit::emitRestoreArguments):
1707         (JSC::DFG::OSRExit::compileOSRExit):
1708         (JSC::DFG::OSRExit::compileExit):
1709         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
1710         (JSC::DFG::jsValueFor): Deleted.
1711         (JSC::DFG::restoreCalleeSavesFor): Deleted.
1712         (JSC::DFG::saveCalleeSavesFor): Deleted.
1713         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted.
1714         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted.
1715         (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted.
1716         (JSC::DFG::createDirectArgumentsDuringExit): Deleted.
1717         (JSC::DFG::createClonedArgumentsDuringExit): Deleted.
1718         (JSC::DFG::emitRestoreArguments): Deleted.
1719         (JSC::DFG::OSRExit::executeOSRExit): Deleted.
1720         (JSC::DFG::reifyInlinedCallFrames): Deleted.
1721         (JSC::DFG::adjustAndJumpToTarget): Deleted.
1722         (JSC::DFG::printOSRExit): Deleted.
1723         * dfg/DFGOSRExit.h:
1724         (JSC::DFG::OSRExitState::OSRExitState): Deleted.
1725         * dfg/DFGOSRExitCompilerCommon.cpp:
1726         * dfg/DFGOSRExitCompilerCommon.h:
1727         * dfg/DFGOperations.cpp:
1728         * dfg/DFGOperations.h:
1729         * dfg/DFGThunks.cpp:
1730         (JSC::DFG::osrExitGenerationThunkGenerator):
1731         (JSC::DFG::osrExitThunkGenerator): Deleted.
1732         * dfg/DFGThunks.h:
1733         * jit/AssemblyHelpers.cpp:
1734         (JSC::AssemblyHelpers::debugCall):
1735         * jit/AssemblyHelpers.h:
1736         * jit/JITOperations.cpp:
1737         * jit/JITOperations.h:
1738         * profiler/ProfilerOSRExit.h:
1739         (JSC::Profiler::OSRExit::incCount): Deleted.
1740         * runtime/JSCJSValue.h:
1741         * runtime/JSCJSValueInlines.h:
1742         * runtime/VM.h:
1743
1744 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1745
1746         [JSC] Move class/struct used in other class' member out of anonymous namespace
1747         https://bugs.webkit.org/show_bug.cgi?id=176876
1748
1749         Reviewed by Saam Barati.
1750
1751         GCC warns if a class has a base or field whose type uses the anonymous namespace
1752         and it is defined in an included file. This is because this possibly violates
1753         one definition rule (ODR): if an included file has the anonymous namespace, each
1754         translation unit creates its private anonymous namespace. Thus, each type
1755         inside the anonymous namespace becomes different in each translation unit if
1756         the file is included in multiple translation units.
1757
1758         While the current use in JSC is not violating ODR since these cpp files are included
1759         only once for unified sources, specifying `-Wno-subobject-linkage` could miss
1760         the actual bugs. So, in this patch, we just move related classes/structs out of
1761         the anonymous namespace.
1762
1763         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1764         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::addition):
1765         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::arrayBounds):
1766         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator! const):
1767         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::hash const):
1768         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator== const):
1769         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::dump const):
1770         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::RangeKeyAndAddend):
1771         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::operator! const):
1772         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::dump const):
1773         (JSC::DFG::IntegerCheckCombiningPhase::Range::dump const):
1774         * dfg/DFGLICMPhase.cpp:
1775
1776 2017-09-13  Devin Rousso  <webkit@devinrousso.com>
1777
1778         Web Inspector: Event Listeners section does not update when listeners are added/removed
1779         https://bugs.webkit.org/show_bug.cgi?id=170570
1780         <rdar://problem/31501645>
1781
1782         Reviewed by Joseph Pecoraro.
1783
1784         * inspector/protocol/DOM.json:
1785         Add two new events: "didAddEventListener" and "willRemoveEventListener". These events do not
1786         contain any information about the event listeners that were added/removed. They serve more
1787         as indications that something has changed, and to refetch the data again via `getEventListenersForNode`.
1788
1789 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1790
1791         [JSC] Fix Array allocation in Object.keys
1792         https://bugs.webkit.org/show_bug.cgi?id=176826
1793
1794         Reviewed by Saam Barati.
1795
1796         When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
1797         We check isHavingABadTime() in ownPropertyKeys fast path.
1798         And we also ensure, by a test, that ownPropertyKeys uses the putDirect operation instead of put.
1799
1800         * runtime/ObjectConstructor.cpp:
1801         (JSC::ownPropertyKeys):
1802
1803 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1804
1805         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
1806         https://bugs.webkit.org/show_bug.cgi?id=176010
1807
1808         Reviewed by Filip Pizlo.
1809
1810         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
1811         It is used for meta property for objects (see peekMeta function in Ember.js).
1812
1813         This patch optimizes WeakMap#get.
1814
1815         1. We use inlineGet to inline WeakMap#get operation in the native function.
1816         Since this native function itself is very small, we should inline HashMap#get
1817         entirely in this function.
1818
1819         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
1820         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
1821         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
1822         ObjectUse, and Int32Use.
1823
1824         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
1825         calculate hash value for the key's Object and use this hash value to look up value from
1826         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
1827         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
1828         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
1829         patches.
1830
1831         We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
1832         not used in Ember.js right now.
1833
1834         This patch optimizes WeakMap#get by 50%.
1835
1836                                  baseline                  patched
1837
1838         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
1839
1840         * bytecode/DirectEvalCodeCache.h:
1841         (JSC::DirectEvalCodeCache::tryGet):
1842         * bytecode/SpeculatedType.cpp:
1843         (JSC::dumpSpeculation):
1844         (JSC::speculationFromClassInfo):
1845         (JSC::speculationFromJSType):
1846         (JSC::speculationFromString):
1847         * bytecode/SpeculatedType.h:
1848         * dfg/DFGAbstractInterpreterInlines.h:
1849         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1850         * dfg/DFGByteCodeParser.cpp:
1851         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1852         * dfg/DFGClobberize.h:
1853         (JSC::DFG::clobberize):
1854         * dfg/DFGDoesGC.cpp:
1855         (JSC::DFG::doesGC):
1856         * dfg/DFGFixupPhase.cpp:
1857         (JSC::DFG::FixupPhase::fixupNode):
1858         * dfg/DFGHeapLocation.cpp:
1859         (WTF::printInternal):
1860         * dfg/DFGHeapLocation.h:
1861         * dfg/DFGNode.h:
1862         (JSC::DFG::Node::hasHeapPrediction):
1863         * dfg/DFGNodeType.h:
1864         * dfg/DFGOperations.cpp:
1865         * dfg/DFGOperations.h:
1866         * dfg/DFGPredictionPropagationPhase.cpp:
1867         * dfg/DFGSafeToExecute.h:
1868         (JSC::DFG::SafeToExecuteEdge::operator()):
1869         (JSC::DFG::safeToExecute):
1870         * dfg/DFGSpeculativeJIT.cpp:
1871         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
1872         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
1873         (JSC::DFG::SpeculativeJIT::speculate):
1874         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
1875         * dfg/DFGSpeculativeJIT.h:
1876         (JSC::DFG::SpeculativeJIT::callOperation):
1877         * dfg/DFGSpeculativeJIT32_64.cpp:
1878         (JSC::DFG::SpeculativeJIT::compile):
1879         * dfg/DFGSpeculativeJIT64.cpp:
1880         (JSC::DFG::SpeculativeJIT::compile):
1881         * dfg/DFGUseKind.cpp:
1882         (WTF::printInternal):
1883         * dfg/DFGUseKind.h:
1884         (JSC::DFG::typeFilterFor):
1885         (JSC::DFG::isCell):
1886         * ftl/FTLCapabilities.cpp:
1887         (JSC::FTL::canCompile):
1888         * ftl/FTLLowerDFGToB3.cpp:
1889         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1890         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
1891         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
1892         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
1893         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1894         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
1895         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
1896         * jit/JITOperations.h:
1897         * runtime/HashMapImpl.h:
1898         (JSC::WeakMapHash::hash):
1899         (JSC::WeakMapHash::equal):
1900         * runtime/Intrinsic.cpp:
1901         (JSC::intrinsicName):
1902         * runtime/Intrinsic.h:
1903         * runtime/JSType.h:
1904         * runtime/JSWeakMap.h:
1905         (JSC::isJSWeakMap):
1906         * runtime/JSWeakSet.h:
1907         (JSC::isJSWeakSet):
1908         * runtime/WeakMapBase.cpp:
1909         (JSC::WeakMapBase::get):
1910         * runtime/WeakMapBase.h:
1911         (JSC::WeakMapBase::HashTranslator::hash):
1912         (JSC::WeakMapBase::HashTranslator::equal):
1913         (JSC::WeakMapBase::inlineGet):
1914         * runtime/WeakMapPrototype.cpp:
1915         (JSC::WeakMapPrototype::finishCreation):
1916         (JSC::getWeakMap):
1917         (JSC::protoFuncWeakMapGet):
1918         * runtime/WeakSetPrototype.cpp:
1919         (JSC::getWeakSet):
1920
1921 2017-09-12  Keith Miller  <keith_miller@apple.com>
1922
1923         Rename JavaScriptCore CMake unifiable sources list
1924         https://bugs.webkit.org/show_bug.cgi?id=176823
1925
1926         Reviewed by Joseph Pecoraro.
1927
1928         This patch also changes the error message when the unified source
1929         bundler fails to be more accurate.
1930
1931         * CMakeLists.txt:
1932
1933 2017-09-12  Keith Miller  <keith_miller@apple.com>
1934
1935         Do unified source builds for JSC
1936         https://bugs.webkit.org/show_bug.cgi?id=176076
1937
1938         Reviewed by Geoffrey Garen.
1939
1940         This patch switches the CMake JavaScriptCore build to use unified sources.
1941         The Xcode build will be upgraded in a follow up patch.
1942
1943         Most of the source changes in this patch are fixing static
1944         variable/functions name collisions. The most common collisions
1945         were from our use of "static const bool verbose" and "using
1946         namespace ...". I fixed all the verbose cases and fixed the "using
1947         namespace" issues that occurred under the current bundling
1948         strategy. It's likely that more of the "using namespace" issues
1949         will need to be resolved in the future, particularly in the FTL.
1950
1951         I don't expect either of these problems will apply to other parts
1952         of the project nearly as much as in JSC. Using a verbose variable
1953         is a JSC idiom and JSC tends to use the same, canonical, class name
1954         in multiple parts of the engine.
1955
1956         * CMakeLists.txt:
1957         * b3/B3CheckSpecial.cpp:
1958         (JSC::B3::CheckSpecial::forEachArg):
1959         (JSC::B3::CheckSpecial::generate):
1960         (JSC::B3::Air::numB3Args): Deleted.
1961         * b3/B3DuplicateTails.cpp:
1962         * b3/B3EliminateCommonSubexpressions.cpp:
1963         * b3/B3FixSSA.cpp:
1964         (JSC::B3::demoteValues):
1965         * b3/B3FoldPathConstants.cpp:
1966         * b3/B3InferSwitches.cpp:
1967         * b3/B3LowerMacrosAfterOptimizations.cpp:
1968         (): Deleted.
1969         * b3/B3LowerToAir.cpp:
1970         (JSC::B3::Air::LowerToAir::LowerToAir): Deleted.
1971         (JSC::B3::Air::LowerToAir::run): Deleted.
1972         (JSC::B3::Air::LowerToAir::shouldCopyPropagate): Deleted.
1973         (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise): Deleted.
1974         (JSC::B3::Air::LowerToAir::ArgPromise::swap): Deleted.
1975         (JSC::B3::Air::LowerToAir::ArgPromise::operator=): Deleted.
1976         (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise): Deleted.
1977         (JSC::B3::Air::LowerToAir::ArgPromise::setTraps): Deleted.
1978         (JSC::B3::Air::LowerToAir::ArgPromise::tmp): Deleted.
1979         (JSC::B3::Air::LowerToAir::ArgPromise::operator bool const): Deleted.
1980         (JSC::B3::Air::LowerToAir::ArgPromise::kind const): Deleted.
1981         (JSC::B3::Air::LowerToAir::ArgPromise::peek const): Deleted.
1982         (JSC::B3::Air::LowerToAir::ArgPromise::consume): Deleted.
1983         (JSC::B3::Air::LowerToAir::ArgPromise::inst): Deleted.
1984         (JSC::B3::Air::LowerToAir::tmp): Deleted.
1985         (JSC::B3::Air::LowerToAir::tmpPromise): Deleted.
1986         (JSC::B3::Air::LowerToAir::canBeInternal): Deleted.
1987         (JSC::B3::Air::LowerToAir::commitInternal): Deleted.
1988         (JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
1989         (JSC::B3::Air::LowerToAir::scaleForShl): Deleted.
1990         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
1991         (JSC::B3::Air::LowerToAir::addr): Deleted.
1992         (JSC::B3::Air::LowerToAir::trappingInst): Deleted.
1993         (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode): Deleted.
1994         (JSC::B3::Air::LowerToAir::loadPromise): Deleted.
1995         (JSC::B3::Air::LowerToAir::imm): Deleted.
1996         (JSC::B3::Air::LowerToAir::bitImm): Deleted.
1997         (JSC::B3::Air::LowerToAir::bitImm64): Deleted.
1998         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
1999         (JSC::B3::Air::LowerToAir::tryOpcodeForType): Deleted.
2000         (JSC::B3::Air::LowerToAir::opcodeForType): Deleted.
2001         (JSC::B3::Air::LowerToAir::appendUnOp): Deleted.
2002         (JSC::B3::Air::LowerToAir::preferRightForResult): Deleted.
2003         (JSC::B3::Air::LowerToAir::appendBinOp): Deleted.
2004         (JSC::B3::Air::LowerToAir::appendShift): Deleted.
2005         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp): Deleted.
2006         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): Deleted.
2007         (JSC::B3::Air::LowerToAir::createStore): Deleted.
2008         (JSC::B3::Air::LowerToAir::storeOpcode): Deleted.
2009         (JSC::B3::Air::LowerToAir::appendStore): Deleted.
2010         (JSC::B3::Air::LowerToAir::moveForType): Deleted.
2011         (JSC::B3::Air::LowerToAir::relaxedMoveForType): Deleted.
2012         (JSC::B3::Air::LowerToAir::print): Deleted.
2013         (JSC::B3::Air::LowerToAir::append): Deleted.
2014         (JSC::B3::Air::LowerToAir::appendTrapping): Deleted.
2015         (JSC::B3::Air::LowerToAir::finishAppendingInstructions): Deleted.
2016         (JSC::B3::Air::LowerToAir::newBlock): Deleted.
2017         (JSC::B3::Air::LowerToAir::splitBlock): Deleted.
2018         (JSC::B3::Air::LowerToAir::ensureSpecial): Deleted.
2019         (JSC::B3::Air::LowerToAir::ensureCheckSpecial): Deleted.
2020         (JSC::B3::Air::LowerToAir::fillStackmap): Deleted.
2021         (JSC::B3::Air::LowerToAir::createGenericCompare): Deleted.
2022         (JSC::B3::Air::LowerToAir::createBranch): Deleted.
2023         (JSC::B3::Air::LowerToAir::createCompare): Deleted.
2024         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
2025         (JSC::B3::Air::LowerToAir::tryAppendLea): Deleted.
2026         (JSC::B3::Air::LowerToAir::appendX86Div): Deleted.
2027         (JSC::B3::Air::LowerToAir::appendX86UDiv): Deleted.
2028         (JSC::B3::Air::LowerToAir::loadLinkOpcode): Deleted.
2029         (JSC::B3::Air::LowerToAir::storeCondOpcode): Deleted.
2030         (JSC::B3::Air::LowerToAir::appendCAS): Deleted.
2031         (JSC::B3::Air::LowerToAir::appendVoidAtomic): Deleted.
2032         (JSC::B3::Air::LowerToAir::appendGeneralAtomic): Deleted.
2033         (JSC::B3::Air::LowerToAir::lower): Deleted.
2034         * b3/B3PatchpointSpecial.cpp:
2035         (JSC::B3::PatchpointSpecial::generate):
2036         * b3/B3ReduceDoubleToFloat.cpp:
2037         (JSC::B3::reduceDoubleToFloat):
2038         * b3/B3ReduceStrength.cpp:
2039         * b3/B3StackmapGenerationParams.cpp:
2040         * b3/B3StackmapSpecial.cpp:
2041         (JSC::B3::StackmapSpecial::repsImpl):
2042         (JSC::B3::StackmapSpecial::repForArg):
2043         * b3/air/AirAllocateStackByGraphColoring.cpp:
2044         (JSC::B3::Air::allocateStackByGraphColoring):
2045         * b3/air/AirEmitShuffle.cpp:
2046         (JSC::B3::Air::emitShuffle):
2047         * b3/air/AirFixObviousSpills.cpp:
2048         * b3/air/AirLowerAfterRegAlloc.cpp:
2049         (JSC::B3::Air::lowerAfterRegAlloc):
2050         * b3/air/AirStackAllocation.cpp:
2051         (JSC::B3::Air::attemptAssignment):
2052         (JSC::B3::Air::assign):
2053         * bytecode/AccessCase.cpp:
2054         (JSC::AccessCase::generateImpl):
2055         * bytecode/CallLinkStatus.cpp:
2056         (JSC::CallLinkStatus::computeDFGStatuses):
2057         * bytecode/GetterSetterAccessCase.cpp:
2058         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
2059         * bytecode/ObjectPropertyConditionSet.cpp:
2060         * bytecode/PolymorphicAccess.cpp:
2061         (JSC::PolymorphicAccess::addCases):
2062         (JSC::PolymorphicAccess::regenerate):
2063         * bytecode/PropertyCondition.cpp:
2064         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
2065         * bytecode/StructureStubInfo.cpp:
2066         (JSC::StructureStubInfo::addAccessCase):
2067         * dfg/DFGArgumentsEliminationPhase.cpp:
2068         * dfg/DFGByteCodeParser.cpp:
2069         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
2070         (JSC::DFG::ByteCodeParser::inliningCost):
2071         (JSC::DFG::ByteCodeParser::inlineCall):
2072         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2073         (JSC::DFG::ByteCodeParser::handleInlining):
2074         (JSC::DFG::ByteCodeParser::planLoad):
2075         (JSC::DFG::ByteCodeParser::store):
2076         (JSC::DFG::ByteCodeParser::parseBlock):
2077         (JSC::DFG::ByteCodeParser::linkBlock):
2078         (JSC::DFG::ByteCodeParser::linkBlocks):
2079         * dfg/DFGCSEPhase.cpp:
2080         * dfg/DFGInPlaceAbstractState.cpp:
2081         (JSC::DFG::InPlaceAbstractState::merge):
2082         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2083         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
2084         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2085         * dfg/DFGMovHintRemovalPhase.cpp:
2086         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2087         * dfg/DFGPhantomInsertionPhase.cpp:
2088         * dfg/DFGPutStackSinkingPhase.cpp:
2089         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2090         * dfg/DFGVarargsForwardingPhase.cpp:
2091         * ftl/FTLAbstractHeap.cpp:
2092         (JSC::FTL::AbstractHeap::compute):
2093         * ftl/FTLAbstractHeapRepository.cpp:
2094         (JSC::FTL::AbstractHeapRepository::decorateMemory):
2095         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
2096         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
2097         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
2098         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
2099         (JSC::FTL::AbstractHeapRepository::decorateFenceRead):
2100         (JSC::FTL::AbstractHeapRepository::decorateFenceWrite):
2101         (JSC::FTL::AbstractHeapRepository::decorateFencedAccess):
2102         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
2103         * ftl/FTLLink.cpp:
2104         (JSC::FTL::link):
2105         * heap/MarkingConstraintSet.cpp:
2106         (JSC::MarkingConstraintSet::add):
2107         * interpreter/ShadowChicken.cpp:
2108         (JSC::ShadowChicken::update):
2109         * jit/BinarySwitch.cpp:
2110         (JSC::BinarySwitch::BinarySwitch):
2111         (JSC::BinarySwitch::build):
2112         * llint/LLIntData.cpp:
2113         (JSC::LLInt::Data::loadStats):
2114         (JSC::LLInt::Data::saveStats):
2115         * runtime/ArrayPrototype.cpp:
2116         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
2117         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2118         * runtime/ErrorInstance.cpp:
2119         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
2120         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
2121         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame const): Deleted.
2122         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index const): Deleted.
2123         * runtime/IntlDateTimeFormat.cpp:
2124         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2125         * runtime/PromiseDeferredTimer.cpp:
2126         (JSC::PromiseDeferredTimer::doWork):
2127         (JSC::PromiseDeferredTimer::addPendingPromise):
2128         (JSC::PromiseDeferredTimer::cancelPendingPromise):
2129         * runtime/TypeProfiler.cpp:
2130         (JSC::TypeProfiler::insertNewLocation):
2131         * runtime/TypeProfilerLog.cpp:
2132         (JSC::TypeProfilerLog::processLogEntries):
2133         * runtime/WeakMapPrototype.cpp:
2134         (JSC::protoFuncWeakMapDelete):
2135         (JSC::protoFuncWeakMapGet):
2136         (JSC::protoFuncWeakMapHas):
2137         (JSC::protoFuncWeakMapSet):
2138         (JSC::getWeakMapData): Deleted.
2139         * runtime/WeakSetPrototype.cpp:
2140         (JSC::protoFuncWeakSetDelete):
2141         (JSC::protoFuncWeakSetHas):
2142         (JSC::protoFuncWeakSetAdd):
2143         (JSC::getWeakMapData): Deleted.
2144         * testRegExp.cpp:
2145         (testOneRegExp):
2146         (runFromFiles):
2147         * wasm/WasmB3IRGenerator.cpp:
2148         (JSC::Wasm::parseAndCompile):
2149         * wasm/WasmBBQPlan.cpp:
2150         (JSC::Wasm::BBQPlan::moveToState):
2151         (JSC::Wasm::BBQPlan::parseAndValidateModule):
2152         (JSC::Wasm::BBQPlan::prepare):
2153         (JSC::Wasm::BBQPlan::compileFunctions):
2154         (JSC::Wasm::BBQPlan::complete):
2155         * wasm/WasmFaultSignalHandler.cpp:
2156         (JSC::Wasm::trapHandler):
2157         * wasm/WasmOMGPlan.cpp:
2158         (JSC::Wasm::OMGPlan::OMGPlan):
2159         (JSC::Wasm::OMGPlan::work):
2160         * wasm/WasmPlan.cpp:
2161         (JSC::Wasm::Plan::fail):
2162         * wasm/WasmSignature.cpp:
2163         (JSC::Wasm::SignatureInformation::adopt):
2164         * wasm/WasmWorklist.cpp:
2165         (JSC::Wasm::Worklist::enqueue):
2166
2167 2017-09-12  Michael Saboff  <msaboff@apple.com>
2168
2169         String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp
2170         https://bugs.webkit.org/show_bug.cgi?id=176814
2171
2172         Reviewed by Mark Lam.
2173
2174         The copy and advance indices were off by one and needed a little fine tuning.
2175
2176         * runtime/StringPrototype.cpp:
2177         (JSC::substituteBackreferencesSlow):
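
An added example, not WebKit code, of the "$<name>" rule in the ECMAScript GetSubstitution algorithm that this fix concerns: with no named groups in the RegExp, "$<" is literal text and the scan must advance past both characters, otherwise the '<' is emitted twice. The reference implementation below handles only "$<...>" (other "$" forms are copied verbatim, an assumption for brevity) and is cross-checked against the engine's own String.prototype.replace.

```javascript
// Reference implementation of the "$<name>" branch of GetSubstitution.
// `groups` is the match's named-capture object, or undefined when the
// RegExp has no named groups. Other "$" escapes are intentionally not
// handled here (assumption: inputs only use "$<...>").
function expandNamedReferences(replacement, groups) {
  let out = '';
  let i = 0;
  while (i < replacement.length) {
    // Everything that is not "$<" is copied one character at a time.
    if (replacement[i] !== '$' || replacement[i + 1] !== '<') {
      out += replacement[i];
      i += 1;
      continue;
    }
    // No named captures in the pattern: "$<" is literal. Advance past
    // both characters so the '<' is copied exactly once.
    if (groups === undefined) {
      out += '$<';
      i += 2;
      continue;
    }
    const close = replacement.indexOf('>', i + 2);
    if (close === -1) {
      // Unterminated reference: literal "$<", then keep scanning after it.
      out += '$<';
      i += 2;
      continue;
    }
    const name = replacement.slice(i + 2, close);
    const capture = groups[name];
    // An unknown group name yields the empty string, per spec.
    out += capture === undefined ? '' : String(capture);
    i = close + 1;
  }
  return out;
}

// Splice the expanded replacement into the subject around the first match
// and compare with the native result (non-global RegExp assumed).
function checkAgainstNative(subject, re, replacement) {
  const m = subject.match(re);
  const expected = subject.replace(re, replacement);
  const got = subject.slice(0, m.index)
    + expandNamedReferences(replacement, m.groups)
    + subject.slice(m.index + m[0].length);
  return { expected, got, agree: expected === got };
}

// Constructed sample inputs covering the four cases of the rule.
const SAMPLES = [
  ['abc', /b/, '[$<name>]'],        // no named groups: "$<" stays literal
  ['abc', /(?<x>b)/, '[$<x>]'],     // known group: expanded
  ['abc', /(?<x>b)/, '[$<y>]'],     // unknown group: empty string
  ['abc', /(?<x>b)/, '[$<x]'],      // unterminated: literal "$<"
];

function allAgree() {
  return SAMPLES.every(([s, re, r]) => checkAgainstNative(s, re, r).agree);
}
```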
2178
2179 2017-09-11  Mark Lam  <mark.lam@apple.com>
2180
2181         More exception check book-keeping needed found by 32-bit JSC test failures.
2182         https://bugs.webkit.org/show_bug.cgi?id=176742
2183
2184         Reviewed by Michael Saboff and Keith Miller.
2185
2186         * dfg/DFGOperations.cpp:
2187
2188 2017-09-11  Mark Lam  <mark.lam@apple.com>
2189
2190         Make jsc dump the command line if JSC_dumpOption environment variable is set with a non-zero value.
2191         https://bugs.webkit.org/show_bug.cgi?id=176722
2192
2193         Reviewed by Saam Barati.
2194
2195         For PLATFORM(COCOA), I also dumped the JSC_* environmental variables that are
2196         in effect when jsc is invoked.
2197
2198         * jsc.cpp:
2199         (CommandLine::parseArguments):
2200
2201 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
2202
2203         Unreviewed, rolling out r221854.
2204
2205         The test added with this change fails on 32-bit JSC bots.
2206
2207         Reverted changeset:
2208
2209         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
2210         https://bugs.webkit.org/show_bug.cgi?id=176010
2211         http://trac.webkit.org/changeset/221854
2212
2213 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2214
2215         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
2216         https://bugs.webkit.org/show_bug.cgi?id=176010
2217
2218         Reviewed by Filip Pizlo.
2219
2220         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
2221         It is used for meta property for objects (see peekMeta function in Ember.js).
2222
2223         This patch optimizes WeakMap#get.
2224
2225         1. We use inlineGet to inline WeakMap#get operation in the native function.
2226         Since this native function itself is very small, we should inline HashMap#get
2227         entirely in this function.
2228
2229         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
2230         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
2231         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
2232         ObjectUse, and Int32Use.
2233
2234         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
2235         calculate hash value for the key's Object and use this hash value to look up value from
2236         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
2237         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
2238         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
2239         patches.
2240
2241         We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
2242         not used in Ember.js right now.
2243
2244         This patch optimizes WeakMap#get by 50%.
2245
2246                                  baseline                  patched
2247
2248         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
2249
2250         * bytecode/DirectEvalCodeCache.h:
2251         (JSC::DirectEvalCodeCache::tryGet):
2252         * bytecode/SpeculatedType.cpp:
2253         (JSC::dumpSpeculation):
2254         (JSC::speculationFromClassInfo):
2255         (JSC::speculationFromJSType):
2256         (JSC::speculationFromString):
2257         * bytecode/SpeculatedType.h:
2258         * dfg/DFGAbstractInterpreterInlines.h:
2259         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2260         * dfg/DFGByteCodeParser.cpp:
2261         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2262         * dfg/DFGClobberize.h:
2263         (JSC::DFG::clobberize):
2264         * dfg/DFGDoesGC.cpp:
2265         (JSC::DFG::doesGC):
2266         * dfg/DFGFixupPhase.cpp:
2267         (JSC::DFG::FixupPhase::fixupNode):
2268         * dfg/DFGHeapLocation.cpp:
2269         (WTF::printInternal):
2270         * dfg/DFGHeapLocation.h:
2271         * dfg/DFGNode.h:
2272         (JSC::DFG::Node::hasHeapPrediction):
2273         * dfg/DFGNodeType.h:
2274         * dfg/DFGOperations.cpp:
2275         * dfg/DFGOperations.h:
2276         * dfg/DFGPredictionPropagationPhase.cpp:
2277         * dfg/DFGSafeToExecute.h:
2278         (JSC::DFG::SafeToExecuteEdge::operator()):
2279         (JSC::DFG::safeToExecute):
2280         * dfg/DFGSpeculativeJIT.cpp:
2281         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
2282         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
2283         (JSC::DFG::SpeculativeJIT::speculate):
2284         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
2285         * dfg/DFGSpeculativeJIT.h:
2286         (JSC::DFG::SpeculativeJIT::callOperation):
2287         * dfg/DFGSpeculativeJIT32_64.cpp:
2288         (JSC::DFG::SpeculativeJIT::compile):
2289         * dfg/DFGSpeculativeJIT64.cpp:
2290         (JSC::DFG::SpeculativeJIT::compile):
2291         * dfg/DFGUseKind.cpp:
2292         (WTF::printInternal):
2293         * dfg/DFGUseKind.h:
2294         (JSC::DFG::typeFilterFor):
2295         (JSC::DFG::isCell):
2296         * ftl/FTLCapabilities.cpp:
2297         (JSC::FTL::canCompile):
2298         * ftl/FTLLowerDFGToB3.cpp:
2299         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2300         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
2301         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
2302         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
2303         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2304         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
2305         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
2306         * jit/JITOperations.h:
2307         * runtime/Intrinsic.cpp:
2308         (JSC::intrinsicName):
2309         * runtime/Intrinsic.h:
2310         * runtime/JSType.h:
2311         * runtime/JSWeakMap.h:
2312         (JSC::isJSWeakMap):
2313         * runtime/JSWeakSet.h:
2314         (JSC::isJSWeakSet):
2315         * runtime/WeakMapBase.cpp:
2316         (JSC::WeakMapBase::get):
2317         * runtime/WeakMapBase.h:
2318         (JSC::WeakMapBase::HashTranslator::hash):
2319         (JSC::WeakMapBase::HashTranslator::equal):
2320         (JSC::WeakMapBase::inlineGet):
2321         * runtime/WeakMapPrototype.cpp:
2322         (JSC::WeakMapPrototype::finishCreation):
2323         (JSC::getWeakMap):
2324         (JSC::protoFuncWeakMapGet):
2325         * runtime/WeakSetPrototype.cpp:
2326         (JSC::getWeakSet):
2327
2328 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2329
2330         [JSC] Optimize Object.keys by using careful array allocation
2331         https://bugs.webkit.org/show_bug.cgi?id=176654
2332
2333         Reviewed by Darin Adler.
2334
2335         SixSpeed object-assign.es6 stresses Object.keys. Object.keys is one of the frequently used
2336         functions in JS apps. Luckily Object.keys has several good features.
2337
2338         1. Once PropertyNameArray is allocated, we know the length of the result array since
2339         we do not need to filter out keys listed in PropertyNameArray. The exception is ProxyObject,
2340         but it rarely appears. ProxyObject case goes to the generic path.
2341
2342         2. Object.keys does not need to access the object after listing PropertyNameArray. It means
2343         that we do not need to worry about enumeration attribute changes by touching the object.
2344
2345         This patch adds a fast path for Object.keys's array allocation. We allocate the JSArray
2346         with the size and ArrayContiguous indexing shape.
2347
2348         This further improves SixSpeed object-assign.es5 by 13%.
2349
2350                                             baseline                  patched
2351         Microbenchmarks:
2352            object-keys-map-values       73.4324+-2.5397     ^     62.5933+-2.6677        ^ definitely 1.1732x faster
2353            object-keys                  40.8828+-1.5851     ^     29.2066+-1.8944        ^ definitely 1.3998x faster
2354
2355                                             baseline                  patched
2356         SixSpeed:
2357            object-assign.es5           384.8719+-10.7204    ^    340.2734+-12.0947       ^ definitely 1.1311x faster
2358
2359         BTW, a further optimization of Object.keys can be considered: introducing an own property keys
2360         cache which is similar to the current enumeration cache. But this patch is orthogonal to
2361         this optimization!
2362
2363         * runtime/ObjectConstructor.cpp:
2364         (JSC::objectConstructorValues):
2365         (JSC::ownPropertyKeys):
2366         * runtime/ObjectConstructor.h:
2367
2368 2017-09-10  Mark Lam  <mark.lam@apple.com>
2369
2370         Fix all ExceptionScope verification failures in JavaScriptCore.
2371         https://bugs.webkit.org/show_bug.cgi?id=176662
2372         <rdar://problem/34352085>
2373
2374         Reviewed by Filip Pizlo.
2375
2376         1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope
2377            verification for release builds too (though this requires manually setting
2378            ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).
2379
2380            This is useful because it allows us to run the tests more quickly to check
2381            if any regressions have occurred.  Debug builds run so much slower and are not
2382            good for a quick turnaround.  Debug builds are necessary though to get
2383            trace information without inlining by the C++ compiler.  This is necessary to
2384            diagnose where the missing exception check is.
2385
2386         2. Repurposed the JSC_dumpSimulatedThrows=true option to capture and dump the last
2387            simulated throw when an exception scope verification fails.
2388
2389            Previously, this option dumps the stack trace on all simulated throws.  That
2390            turned out to not be very useful, and slows down the debugging process.
2391            Instead, the new implementation captures the stack trace and only dumps it
2392            if we have a verification failure.
2393
2394         3. Fixed missing exception checks and book-keeping needed to allow the JSC tests
2395            to pass with JSC_validateExceptionChecks=true.
2396
2397         * bytecode/CodeBlock.cpp:
2398         (JSC::CodeBlock::finishCreation):
2399         * dfg/DFGOSRExit.cpp:
2400         (JSC::DFG::OSRExit::executeOSRExit):
2401         * dfg/DFGOperations.cpp:
2402         * interpreter/Interpreter.cpp:
2403         (JSC::eval):
2404         (JSC::loadVarargs):
2405         (JSC::Interpreter::unwind):
2406         (JSC::Interpreter::executeProgram):
2407         (JSC::Interpreter::executeCall):
2408         (JSC::Interpreter::executeConstruct):
2409         (JSC::Interpreter::prepareForRepeatCall):
2410         (JSC::Interpreter::execute):
2411         (JSC::Interpreter::executeModuleProgram):
2412         * jit/JITOperations.cpp:
2413         (JSC::getByVal):
2414         * jsc.cpp:
2415         (WTF::CustomGetter::customGetterAcessor):
2416         (GlobalObject::moduleLoaderImportModule):
2417         (GlobalObject::moduleLoaderResolve):
2418         * llint/LLIntSlowPaths.cpp:
2419         (JSC::LLInt::getByVal):
2420         (JSC::LLInt::setUpCall):
2421         * parser/Parser.h:
2422         (JSC::Parser::popScopeInternal):
2423         * runtime/AbstractModuleRecord.cpp:
2424         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2425         (JSC::AbstractModuleRecord::resolveImport):
2426         (JSC::AbstractModuleRecord::resolveExportImpl):
2427         (JSC::getExportedNames):
2428         (JSC::AbstractModuleRecord::getModuleNamespace):
2429         * runtime/ArrayPrototype.cpp:
2430         (JSC::getProperty):
2431         (JSC::unshift):
2432         (JSC::arrayProtoFuncToString):
2433         (JSC::arrayProtoFuncToLocaleString):
2434         (JSC::arrayProtoFuncJoin):
2435         (JSC::arrayProtoFuncPop):
2436         (JSC::arrayProtoFuncPush):
2437         (JSC::arrayProtoFuncReverse):
2438         (JSC::arrayProtoFuncShift):
2439         (JSC::arrayProtoFuncSlice):
2440         (JSC::arrayProtoFuncSplice):
2441         (JSC::arrayProtoFuncUnShift):
2442         (JSC::arrayProtoFuncIndexOf):
2443         (JSC::arrayProtoFuncLastIndexOf):
2444         (JSC::concatAppendOne):
2445         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2446         (JSC::arrayProtoPrivateFuncAppendMemcpy):
2447         * runtime/CatchScope.h:
2448         * runtime/CommonSlowPaths.cpp:
2449         (JSC::SLOW_PATH_DECL):
2450         * runtime/DatePrototype.cpp:
2451         (JSC::dateProtoFuncSetTime):
2452         (JSC::setNewValueFromTimeArgs):
2453         * runtime/DirectArguments.h:
2454         (JSC::DirectArguments::length const):
2455         * runtime/ErrorPrototype.cpp:
2456         (JSC::errorProtoFuncToString):
2457         * runtime/ExceptionFuzz.cpp:
2458         (JSC::doExceptionFuzzing):
2459         * runtime/ExceptionScope.h:
2460         (JSC::ExceptionScope::needExceptionCheck):
2461         (JSC::ExceptionScope::assertNoException):
2462         * runtime/GenericArgumentsInlines.h:
2463         (JSC::GenericArguments<Type>::defineOwnProperty):
2464         * runtime/HashMapImpl.h:
2465         (JSC::HashMapImpl::rehash):
2466         * runtime/IntlDateTimeFormat.cpp:
2467         (JSC::IntlDateTimeFormat::formatToParts):
2468         * runtime/JSArray.cpp:
2469         (JSC::JSArray::defineOwnProperty):
2470         (JSC::JSArray::put):
2471         * runtime/JSCJSValue.cpp:
2472         (JSC::JSValue::putToPrimitive):
2473         (JSC::JSValue::putToPrimitiveByIndex):
2474         * runtime/JSCJSValueInlines.h:
2475         (JSC::JSValue::toIndex const):
2476         (JSC::JSValue::get const):
2477         (JSC::JSValue::getPropertySlot const):
2478         (JSC::JSValue::equalSlowCaseInline):
2479         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2480         (JSC::constructGenericTypedArrayViewFromIterator):
2481         (JSC::constructGenericTypedArrayViewWithArguments):
2482         * runtime/JSGenericTypedArrayViewInlines.h:
2483         (JSC::JSGenericTypedArrayView<Adaptor>::set):
2484         * runtime/JSGlobalObject.cpp:
2485         (JSC::JSGlobalObject::put):
2486         * runtime/JSGlobalObjectFunctions.cpp:
2487         (JSC::decode):
2488         (JSC::globalFuncEval):
2489         (JSC::globalFuncProtoGetter):
2490         (JSC::globalFuncProtoSetter):
2491         (JSC::globalFuncImportModule):
2492         * runtime/JSInternalPromise.cpp:
2493         (JSC::JSInternalPromise::then):
2494         * runtime/JSInternalPromiseDeferred.cpp:
2495         (JSC::JSInternalPromiseDeferred::create):
2496         * runtime/JSJob.cpp:
2497         (JSC::JSJobMicrotask::run):
2498         * runtime/JSModuleEnvironment.cpp:
2499         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2500         (JSC::JSModuleEnvironment::put):
2501         (JSC::JSModuleEnvironment::deleteProperty):
2502         * runtime/JSModuleLoader.cpp:
2503         (JSC::JSModuleLoader::provide):
2504         (JSC::JSModuleLoader::loadAndEvaluateModule):
2505         (JSC::JSModuleLoader::loadModule):
2506         (JSC::JSModuleLoader::linkAndEvaluateModule):
2507         (JSC::JSModuleLoader::requestImportModule):
2508         * runtime/JSModuleRecord.cpp:
2509         (JSC::JSModuleRecord::link):
2510         (JSC::JSModuleRecord::instantiateDeclarations):
2511         * runtime/JSONObject.cpp:
2512         (JSC::Stringifier::stringify):
2513         (JSC::Stringifier::toJSON):
2514         (JSC::JSONProtoFuncParse):
2515         * runtime/JSObject.cpp:
2516         (JSC::JSObject::calculatedClassName):
2517         (JSC::ordinarySetSlow):
2518         (JSC::JSObject::putInlineSlow):
2519         (JSC::JSObject::ordinaryToPrimitive const):
2520         (JSC::JSObject::toPrimitive const):
2521         (JSC::JSObject::hasInstance):
2522         (JSC::JSObject::getPropertyNames):
2523         (JSC::JSObject::toNumber const):
2524         (JSC::JSObject::defineOwnIndexedProperty):
2525         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2526         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2527         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2528         (JSC::validateAndApplyPropertyDescriptor):
2529         (JSC::JSObject::defineOwnNonIndexProperty):
2530         (JSC::JSObject::getGenericPropertyNames):
2531         * runtime/JSObject.h:
2532         (JSC::JSObject::get const):
2533         * runtime/JSObjectInlines.h:
2534         (JSC::JSObject::getPropertySlot const):
2535         (JSC::JSObject::getPropertySlot):
2536         (JSC::JSObject::getNonIndexPropertySlot):
2537         (JSC::JSObject::putInlineForJSObject):
2538         * runtime/JSPromiseConstructor.cpp:
2539         (JSC::constructPromise):
2540         * runtime/JSPromiseDeferred.cpp:
2541         (JSC::JSPromiseDeferred::create):
2542         * runtime/JSScope.cpp:
2543         (JSC::abstractAccess):
2544         (JSC::JSScope::resolve):
2545         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
2546         (JSC::JSScope::abstractResolve):
2547         * runtime/LiteralParser.cpp:
2548         (JSC::LiteralParser<CharType>::tryJSONPParse):
2549         (JSC::LiteralParser<CharType>::parse):
2550         * runtime/Lookup.h:
2551         (JSC::putEntry):
2552         * runtime/MapConstructor.cpp:
2553         (JSC::constructMap):
2554         * runtime/NumberPrototype.cpp:
2555         (JSC::numberProtoFuncToString):
2556         * runtime/ObjectConstructor.cpp:
2557         (JSC::objectConstructorSetPrototypeOf):
2558         (JSC::objectConstructorGetOwnPropertyDescriptor):
2559         (JSC::objectConstructorGetOwnPropertyDescriptors):
2560         (JSC::objectConstructorAssign):
2561         (JSC::objectConstructorValues):
2562         (JSC::toPropertyDescriptor):
2563         (JSC::objectConstructorDefineProperty):
2564         (JSC::defineProperties):
2565         (JSC::objectConstructorDefineProperties):
2566         (JSC::ownPropertyKeys):
2567         * runtime/ObjectPrototype.cpp:
2568         (JSC::objectProtoFuncHasOwnProperty):
2569         (JSC::objectProtoFuncIsPrototypeOf):
2570         (JSC::objectProtoFuncLookupGetter):
2571         (JSC::objectProtoFuncLookupSetter):
2572         (JSC::objectProtoFuncToLocaleString):
2573         (JSC::objectProtoFuncToString):
2574         * runtime/Options.h:
2575         * runtime/ParseInt.h:
2576         (JSC::toStringView):
2577         * runtime/ProxyObject.cpp:
2578         (JSC::performProxyGet):
2579         (JSC::ProxyObject::performPut):
2580         * runtime/ReflectObject.cpp:
2581         (JSC::reflectObjectDefineProperty):
2582         * runtime/RegExpConstructor.cpp:
2583         (JSC::toFlags):
2584         (JSC::regExpCreate):
2585         (JSC::constructRegExp):
2586         * runtime/RegExpObject.cpp:
2587         (JSC::collectMatches):
2588         * runtime/RegExpObjectInlines.h:
2589         (JSC::RegExpObject::execInline):
2590         (JSC::RegExpObject::matchInline):
2591         * runtime/RegExpPrototype.cpp:
2592         (JSC::regExpProtoFuncTestFast):
2593         (JSC::regExpProtoFuncExec):
2594         (JSC::regExpProtoFuncMatchFast):
2595         (JSC::regExpProtoFuncToString):
2596         (JSC::regExpProtoFuncSplitFast):
2597         * runtime/ScriptExecutable.cpp:
2598         (JSC::ScriptExecutable::newCodeBlockFor):
2599         (JSC::ScriptExecutable::prepareForExecutionImpl):
2600         * runtime/SetConstructor.cpp:
2601         (JSC::constructSet):
2602         * runtime/ThrowScope.cpp:
2603         (JSC::ThrowScope::simulateThrow):
2604         * runtime/VM.cpp:
2605         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
2606         * runtime/VM.h:
2607         * runtime/WeakMapPrototype.cpp:
2608         (JSC::protoFuncWeakMapSet):
2609         * runtime/WeakSetPrototype.cpp:
2610         (JSC::protoFuncWeakSetAdd):
2611         * wasm/js/WebAssemblyModuleConstructor.cpp:
2612         (JSC::WebAssemblyModuleConstructor::createModule):
2613         * wasm/js/WebAssemblyModuleRecord.cpp:
2614         (JSC::WebAssemblyModuleRecord::link):
2615         * wasm/js/WebAssemblyPrototype.cpp:
2616         (JSC::reject):
2617         (JSC::webAssemblyCompileFunc):
2618         (JSC::resolve):
2619         (JSC::webAssemblyInstantiateFunc):
2620
2621 2017-09-08  Filip Pizlo  <fpizlo@apple.com>
2622
2623         Error should compute .stack and friends lazily
2624         https://bugs.webkit.org/show_bug.cgi?id=176645
2625
2626         Reviewed by Saam Barati.
2627         
2628         Building the string portion of the stack trace after we walk the stack accounts for most of
2629         the cost of computing the .stack property. So, this patch makes ErrorInstance hold onto the
2630         Vector<StackFrame> so that it can build the string only once it's really needed.
2631         
2632         This is an enormous speed-up for programs that allocate and throw exceptions.
2633         
2634         It's a 5.6x speed-up for "new Error()" with a stack that is 4 functions deep.
2635         
2636         It's a 2.2x speed-up for throwing and catching an Error.
2637         
2638         It's a 1.17x speed-up for the WSL test suite (which throws a lot).
2639         
2640         It's a significant speed-up on many of our existing try-catch microbenchmarks. For example,
2641         delta-blue-try-catch is 1.16x faster.
2642
2643         * interpreter/Interpreter.cpp:
2644         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
2645         (JSC::GetStackTraceFunctor::operator() const):
2646         (JSC::Interpreter::getStackTrace):
2647         * interpreter/Interpreter.h:
2648         * runtime/Error.cpp:
2649         (JSC::getStackTrace):
2650         (JSC::getBytecodeOffset):
2651         (JSC::addErrorInfo):
2652         (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
2653         * runtime/Error.h:
2654         * runtime/ErrorInstance.cpp:
2655         (JSC::ErrorInstance::ErrorInstance):
2656         (JSC::ErrorInstance::finishCreation):
2657         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
2658         (JSC::ErrorInstance::visitChildren):
2659         (JSC::ErrorInstance::getOwnPropertySlot):
2660         (JSC::ErrorInstance::getOwnNonIndexPropertyNames):
2661         (JSC::ErrorInstance::defineOwnProperty):
2662         (JSC::ErrorInstance::put):
2663         (JSC::ErrorInstance::deleteProperty):
2664         * runtime/ErrorInstance.h:
2665         * runtime/Exception.cpp:
2666         (JSC::Exception::visitChildren):
2667         (JSC::Exception::finishCreation):
2668         * runtime/Exception.h:
2669         * runtime/StackFrame.cpp:
2670         (JSC::StackFrame::visitChildren):
2671         * runtime/StackFrame.h:
2672         (JSC::StackFrame::StackFrame):
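
        [Added illustration, not JavaScriptCore code and not part of this ChangeLog: the
        entry above describes holding the captured frames and building the .stack string only
        when it is first read. The sketch below reproduces that "capture eagerly, format lazily,
        materialize as an ordinary own property" shape in user-land JavaScript. It assumes the
        host's own Error().stack text as a stand-in for Vector<StackFrame>; the frame format and
        the #n prefixes are invented for the example.]

```javascript
// Added illustration of the design in the ChangeLog entry above; not JSC's C++ code.
// Walking the stack happens at construction (cheap); formatting the string is deferred
// until the first read and then cached as a plain own data property.

let formatCalls = 0;  // how many times the expensive string build has actually run

function captureFrames() {
  // Assumption: the host's Error().stack lines stand in for JSC's Vector<StackFrame>;
  // each line is treated as an opaque frame record.
  const text = new Error().stack || "";
  return text.split("\n").map((l) => l.trim()).filter((l) => l.length > 0);
}

function formatFrames(frames) {
  formatCalls += 1;  // this is the cost the patch avoids for errors nobody inspects
  return frames.map((f, i) => `#${i} ${f}`).join("\n");
}

class LazyStackError extends Error {
  constructor(message) {
    super(message);
    const frames = captureFrames();  // eager capture, no string building yet

    // Replace the accessor with a writable data property so that later reads, writes
    // and deletes behave exactly like an ordinary own property.
    const materialize = (value) => {
      Object.defineProperty(this, "stack", {
        value, writable: true, enumerable: false, configurable: true,
      });
      return value;
    };
    Object.defineProperty(this, "stack", {
      configurable: true,
      enumerable: false,
      get: () => materialize(formatFrames(frames)),  // first read builds and caches
      set: (value) => { materialize(value); },        // a write skips the build entirely
    });
  }
}

// Throwing and catching many errors without reading .stack never pays for formatting.
function throwAndCatch(n) {
  let caught = 0;
  for (let i = 0; i < n; i++) {
    try { throw new LazyStackError("boom " + i); } catch (e) { caught++; }
  }
  return caught;
}

// True once .stack has been turned into a data property (i.e. after the first read).
function isMaterialized(err) {
  const d = Object.getOwnPropertyDescriptor(err, "stack");
  return d !== undefined && "value" in d;
}

function getFormatCalls() { return formatCalls; }
```

        The observable behaviour is what matters for callers: the property still looks like
        an own, non-enumerable, writable "stack", but its cost is paid only by code that reads it.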
2673
2674 2017-09-09  Mark Lam  <mark.lam@apple.com>
2675
2676         [Re-landing] Use JIT probes for DFG OSR exit.
2677         https://bugs.webkit.org/show_bug.cgi?id=175144
2678         <rdar://problem/33437050>
2679
2680         Not reviewed.  Original patch reviewed by Saam Barati.
2681
2682         Relanding r221774.
2683
2684         * JavaScriptCore.xcodeproj/project.pbxproj:
2685         * assembler/MacroAssembler.cpp:
2686         (JSC::stdFunctionCallback):
2687         * assembler/MacroAssemblerPrinter.cpp:
2688         (JSC::Printer::printCallback):
2689         * assembler/ProbeContext.h:
2690         (JSC::Probe::CPUState::gpr const):
2691         (JSC::Probe::CPUState::spr const):
2692         (JSC::Probe::Context::Context):
2693         (JSC::Probe::Context::arg):
2694         (JSC::Probe::Context::gpr):
2695         (JSC::Probe::Context::spr):
2696         (JSC::Probe::Context::fpr):
2697         (JSC::Probe::Context::gprName):
2698         (JSC::Probe::Context::sprName):
2699         (JSC::Probe::Context::fprName):
2700         (JSC::Probe::Context::gpr const):
2701         (JSC::Probe::Context::spr const):
2702         (JSC::Probe::Context::fpr const):
2703         (JSC::Probe::Context::pc):
2704         (JSC::Probe::Context::fp):
2705         (JSC::Probe::Context::sp):
2706         (JSC::Probe:: const): Deleted.
2707         * assembler/ProbeFrame.h: Copied from Source/JavaScriptCore/assembler/ProbeFrame.h.
2708         * assembler/ProbeStack.cpp:
2709         (JSC::Probe::Page::Page):
2710         * assembler/ProbeStack.h:
2711         (JSC::Probe::Page::get):
2712         (JSC::Probe::Page::set):
2713         (JSC::Probe::Page::physicalAddressFor):
2714         (JSC::Probe::Stack::lowWatermark):
2715         (JSC::Probe::Stack::get):
2716         (JSC::Probe::Stack::set):
2717         * bytecode/ArithProfile.cpp:
2718         * bytecode/ArithProfile.h:
2719         * bytecode/ArrayProfile.h:
2720         (JSC::ArrayProfile::observeArrayMode):
2721         * bytecode/CodeBlock.cpp:
2722         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
2723         * bytecode/CodeBlock.h:
2724         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
2725         * bytecode/ExecutionCounter.h:
2726         (JSC::ExecutionCounter::hasCrossedThreshold const):
2727         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
2728         * bytecode/MethodOfGettingAValueProfile.cpp:
2729         (JSC::MethodOfGettingAValueProfile::reportValue):
2730         * bytecode/MethodOfGettingAValueProfile.h:
2731         * dfg/DFGDriver.cpp:
2732         (JSC::DFG::compileImpl):
2733         * dfg/DFGJITCode.cpp:
2734         (JSC::DFG::JITCode::findPC): Deleted.
2735         * dfg/DFGJITCode.h:
2736         * dfg/DFGJITCompiler.cpp:
2737         (JSC::DFG::JITCompiler::linkOSRExits):
2738         (JSC::DFG::JITCompiler::link):
2739         * dfg/DFGOSRExit.cpp:
2740         (JSC::DFG::jsValueFor):
2741         (JSC::DFG::restoreCalleeSavesFor):
2742         (JSC::DFG::saveCalleeSavesFor):
2743         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
2744         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2745         (JSC::DFG::saveOrCopyCalleeSavesFor):
2746         (JSC::DFG::createDirectArgumentsDuringExit):
2747         (JSC::DFG::createClonedArgumentsDuringExit):
2748         (JSC::DFG::OSRExit::OSRExit):
2749         (JSC::DFG::emitRestoreArguments):
2750         (JSC::DFG::OSRExit::executeOSRExit):
2751         (JSC::DFG::reifyInlinedCallFrames):
2752         (JSC::DFG::adjustAndJumpToTarget):
2753         (JSC::DFG::printOSRExit):
2754         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
2755         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
2756         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
2757         (JSC::DFG::OSRExit::correctJump): Deleted.
2758         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
2759         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
2760         (JSC::DFG::OSRExit::compileExit): Deleted.
2761         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
2762         * dfg/DFGOSRExit.h:
2763         (JSC::DFG::OSRExitState::OSRExitState):
2764         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
2765         * dfg/DFGOSRExitCompilerCommon.cpp:
2766         * dfg/DFGOSRExitCompilerCommon.h:
2767         * dfg/DFGOperations.cpp:
2768         * dfg/DFGOperations.h:
2769         * dfg/DFGThunks.cpp:
2770         (JSC::DFG::osrExitThunkGenerator):
2771         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
2772         * dfg/DFGThunks.h:
2773         * jit/AssemblyHelpers.cpp:
2774         (JSC::AssemblyHelpers::debugCall): Deleted.
2775         * jit/AssemblyHelpers.h:
2776         * jit/JITOperations.cpp:
2777         * jit/JITOperations.h:
2778         * profiler/ProfilerOSRExit.h:
2779         (JSC::Profiler::OSRExit::incCount):
2780         * runtime/JSCJSValue.h:
2781         * runtime/JSCJSValueInlines.h:
2782         * runtime/VM.h:
2783
2784 2017-09-09  Ryan Haddad  <ryanhaddad@apple.com>
2785
2786         Unreviewed, rolling out r221774.
2787
2788         This change introduced three debug JSC test timeouts.
2789
2790         Reverted changeset:
2791
2792         "Use JIT probes for DFG OSR exit."
2793         https://bugs.webkit.org/show_bug.cgi?id=175144
2794         http://trac.webkit.org/changeset/221774
2795
2796 2017-09-09  Mark Lam  <mark.lam@apple.com>
2797
2798         Avoid duplicate computations of ExecState::vm().
2799         https://bugs.webkit.org/show_bug.cgi?id=176647
2800
2801         Reviewed by Saam Barati.
2802
2803         Because while computing ExecState::vm() is cheap, it is not free.
2804
2805         This patch also:
2806         1. gets rid of some convenience methods in CallFrame that implicitly do an
2807            ExecState::vm() computation.  This minimizes the chance of us accidentally
2808            computing ExecState::vm() more than necessary.
2809         2. passes vm (when available) to methodTable().
2810         3. passes vm (when available) to JSLockHolder.
2811
2812         * API/JSBase.cpp:
2813         (JSCheckScriptSyntax):
2814         (JSGarbageCollect):
2815         (JSReportExtraMemoryCost):
2816         (JSSynchronousGarbageCollectForDebugging):
2817         (JSSynchronousEdenCollectForDebugging):
2818         * API/JSCallbackConstructor.h:
2819         (JSC::JSCallbackConstructor::create):
2820         * API/JSCallbackObject.h:
2821         (JSC::JSCallbackObject::create):
2822         * API/JSContext.mm:
2823         (-[JSContext setException:]):
2824         * API/JSContextRef.cpp:
2825         (JSContextGetGlobalObject):
2826         (JSContextCreateBacktrace):
2827         * API/JSManagedValue.mm:
2828         (-[JSManagedValue value]):
2829         * API/JSObjectRef.cpp:
2830         (JSObjectMake):
2831         (JSObjectMakeFunctionWithCallback):
2832         (JSObjectMakeConstructor):
2833         (JSObjectMakeFunction):
2834         (JSObjectSetPrototype):
2835         (JSObjectHasProperty):
2836         (JSObjectGetProperty):
2837         (JSObjectSetProperty):
2838         (JSObjectSetPropertyAtIndex):
2839         (JSObjectDeleteProperty):
2840         (JSObjectGetPrivateProperty):
2841         (JSObjectSetPrivateProperty):
2842         (JSObjectDeletePrivateProperty):
2843         (JSObjectIsFunction):
2844         (JSObjectCallAsFunction):
2845         (JSObjectCallAsConstructor):
2846         (JSObjectCopyPropertyNames):
2847         (JSPropertyNameAccumulatorAddName):
2848         * API/JSScriptRef.cpp:
2849         * API/JSTypedArray.cpp:
2850         (JSValueGetTypedArrayType):
2851         (JSObjectMakeTypedArrayWithArrayBuffer):
2852         (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
2853         (JSObjectGetTypedArrayBytesPtr):
2854         (JSObjectGetTypedArrayBuffer):
2855         (JSObjectMakeArrayBufferWithBytesNoCopy):
2856         (JSObjectGetArrayBufferBytesPtr):
2857         * API/JSWeakObjectMapRefPrivate.cpp:
2858         * API/JSWrapperMap.mm:
2859         (constructorHasInstance):
2860         (makeWrapper):
2861         * API/ObjCCallbackFunction.mm:
2862         (objCCallbackFunctionForInvocation):
2863         * bytecode/CodeBlock.cpp:
2864         (JSC::CodeBlock::CodeBlock):
2865         (JSC::CodeBlock::jettison):
2866         * bytecode/CodeBlock.h:
2867         (JSC::CodeBlock::addConstant):
2868         (JSC::CodeBlock::replaceConstant):
2869         * bytecode/PutByIdStatus.cpp:
2870         (JSC::PutByIdStatus::computeFromLLInt):
2871         (JSC::PutByIdStatus::computeFor):
2872         * dfg/DFGDesiredWatchpoints.cpp:
2873         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2874         * dfg/DFGGraph.h:
2875         (JSC::DFG::Graph::globalThisObjectFor):
2876         * dfg/DFGOperations.cpp:
2877         * ftl/FTLOSRExitCompiler.cpp:
2878         (JSC::FTL::compileFTLOSRExit):
2879         * ftl/FTLOperations.cpp:
2880         (JSC::FTL::operationPopulateObjectInOSR):
2881         (JSC::FTL::operationMaterializeObjectInOSR):
2882         * heap/GCAssertions.h:
2883         * inspector/InjectedScriptHost.cpp:
2884         (Inspector::InjectedScriptHost::wrapper):
2885         * inspector/JSInjectedScriptHost.cpp:
2886         (Inspector::JSInjectedScriptHost::subtype):
2887         (Inspector::constructInternalProperty):
2888         (Inspector::JSInjectedScriptHost::getInternalProperties):
2889         (Inspector::JSInjectedScriptHost::weakMapEntries):
2890         (Inspector::JSInjectedScriptHost::weakSetEntries):
2891         (Inspector::JSInjectedScriptHost::iteratorEntries):
2892         * inspector/JSJavaScriptCallFrame.cpp:
2893         (Inspector::valueForScopeLocation):
2894         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2895         (Inspector::toJS):
2896         * inspector/ScriptCallStackFactory.cpp:
2897         (Inspector::extractSourceInformationFromException):
2898         (Inspector::createScriptArguments):
2899         * interpreter/CachedCall.h:
2900         (JSC::CachedCall::CachedCall):
2901         * interpreter/CallFrame.h:
2902         (JSC::ExecState::atomicStringTable const): Deleted.
2903         (JSC::ExecState::propertyNames const): Deleted.
2904         (JSC::ExecState::emptyList const): Deleted.
2905         (JSC::ExecState::interpreter): Deleted.
2906         (JSC::ExecState::heap): Deleted.
2907         * interpreter/Interpreter.cpp:
2908         (JSC::Interpreter::executeProgram):
2909         (JSC::Interpreter::execute):
2910         (JSC::Interpreter::executeModuleProgram):
2911         * jit/JIT.cpp:
2912         (JSC::JIT::privateCompileMainPass):
2913         * jit/JITOperations.cpp:
2914         * jit/JITWorklist.cpp:
2915         (JSC::JITWorklist::compileNow):
2916         * jsc.cpp:
2917         (WTF::RuntimeArray::create):
2918         (WTF::RuntimeArray::getOwnPropertySlot):
2919         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
2920         (WTF::DOMJITFunctionObject::unsafeFunction):
2921         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
2922         (GlobalObject::moduleLoaderFetch):
2923         (functionDumpCallFrame):
2924         (functionCreateRoot):
2925         (functionGetElement):
2926         (functionSetElementRoot):
2927         (functionCreateSimpleObject):
2928         (functionSetHiddenValue):
2929         (functionCreateProxy):
2930         (functionCreateImpureGetter):
2931         (functionCreateCustomGetterObject):
2932         (functionCreateDOMJITNodeObject):
2933         (functionCreateDOMJITGetterObject):
2934         (functionCreateDOMJITGetterComplexObject):
2935         (functionCreateDOMJITFunctionObject):
2936         (functionCreateDOMJITCheckSubClassObject):
2937         (functionGCAndSweep):
2938         (functionFullGC):
2939         (functionEdenGC):
2940         (functionHeapSize):
2941         (functionShadowChickenFunctionsOnStack):
2942         (functionSetGlobalConstRedeclarationShouldNotThrow):
2943         (functionJSCOptions):
2944         (functionFailNextNewCodeBlock):
2945         (functionMakeMasquerader):
2946         (functionDumpTypesForAllVariables):
2947         (functionFindTypeForExpression):
2948         (functionReturnTypeFor):
2949         (functionDumpBasicBlockExecutionRanges):
2950         (functionBasicBlockExecutionCount):
2951         (functionDrainMicrotasks):
2952         (functionGenerateHeapSnapshot):
2953         (functionEnsureArrayStorage):
2954         (functionStartSamplingProfiler):
2955         (runInteractive):
2956         * llint/LLIntSlowPaths.cpp:
2957         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2958         * parser/ModuleAnalyzer.cpp:
2959         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2960         * profiler/ProfilerBytecode.cpp:
2961         (JSC::Profiler::Bytecode::toJS const):
2962         * profiler/ProfilerBytecodeSequence.cpp:
2963         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
2964         * profiler/ProfilerBytecodes.cpp:
2965         (JSC::Profiler::Bytecodes::toJS const):
2966         * profiler/ProfilerCompilation.cpp:
2967         (JSC::Profiler::Compilation::toJS const):
2968         * profiler/ProfilerCompiledBytecode.cpp:
2969         (JSC::Profiler::CompiledBytecode::toJS const):
2970         * profiler/ProfilerDatabase.cpp:
2971         (JSC::Profiler::Database::toJS const):
2972         * profiler/ProfilerEvent.cpp:
2973         (JSC::Profiler::Event::toJS const):
2974         * profiler/ProfilerOSRExit.cpp:
2975         (JSC::Profiler::OSRExit::toJS const):
2976         * profiler/ProfilerOrigin.cpp:
2977         (JSC::Profiler::Origin::toJS const):
2978         * profiler/ProfilerProfiledBytecodes.cpp:
2979         (JSC::Profiler::ProfiledBytecodes::toJS const):
2980         * runtime/AbstractModuleRecord.cpp:
2981         (JSC::identifierToJSValue):
2982         (JSC::AbstractModuleRecord::resolveExportImpl):
2983         (JSC::getExportedNames):
2984         * runtime/ArrayPrototype.cpp:
2985         (JSC::arrayProtoFuncToString):
2986         (JSC::arrayProtoFuncToLocaleString):
2987         * runtime/BooleanConstructor.cpp:
2988         (JSC::constructBooleanFromImmediateBoolean):
2989         * runtime/CallData.cpp:
2990         (JSC::call):
2991         * runtime/CommonSlowPaths.cpp:
2992         (JSC::SLOW_PATH_DECL):
2993         * runtime/CommonSlowPaths.h:
2994         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2995         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2996         * runtime/Completion.cpp:
2997         (JSC::checkSyntax):
2998         (JSC::evaluate):
2999         (JSC::loadAndEvaluateModule):
3000         (JSC::loadModule):
3001         (JSC::linkAndEvaluateModule):
3002         (JSC::importModule):
3003         * runtime/ConstructData.cpp:
3004         (JSC::construct):
3005         * runtime/DatePrototype.cpp:
3006         (JSC::dateProtoFuncToJSON):
3007         * runtime/DirectArguments.h:
3008         (JSC::DirectArguments::length const):
3009         * runtime/DirectEvalExecutable.cpp:
3010         (JSC::DirectEvalExecutable::create):
3011         * runtime/ErrorPrototype.cpp:
3012         (JSC::errorProtoFuncToString):
3013         * runtime/ExceptionHelpers.cpp:
3014         (JSC::createUndefinedVariableError):
3015         (JSC::errorDescriptionForValue):
3016         * runtime/FunctionConstructor.cpp:
3017         (JSC::constructFunction):
3018         * runtime/GenericArgumentsInlines.h:
3019         (JSC::GenericArguments<Type>::getOwnPropertyNames):
3020         * runtime/IdentifierInlines.h:
3021         (JSC::Identifier::add):
3022         * runtime/IndirectEvalExecutable.cpp:
3023         (JSC::IndirectEvalExecutable::create):
3024         * runtime/InternalFunction.cpp:
3025         (JSC::InternalFunction::finishCreation):
3026         (JSC::InternalFunction::createSubclassStructureSlow):
3027         * runtime/JSArray.cpp:
3028         (JSC::JSArray::getOwnPropertySlot):
3029         (JSC::JSArray::put):
3030         (JSC::JSArray::deleteProperty):
3031         (JSC::JSArray::getOwnNonIndexPropertyNames):
3032         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
3033         * runtime/JSArray.h:
3034         (JSC::JSArray::shiftCountForShift):
3035         * runtime/JSCJSValue.cpp:
3036         (JSC::JSValue::dumpForBacktrace const):
3037         * runtime/JSDataView.cpp:
3038         (JSC::JSDataView::getOwnPropertySlot):
3039         (JSC::JSDataView::deleteProperty):
3040         (JSC::JSDataView::getOwnNonIndexPropertyNames):
3041         * runtime/JSFunction.cpp:
3042         (JSC::JSFunction::getOwnPropertySlot):
3043         (JSC::JSFunction::deleteProperty):
3044         (JSC::JSFunction::reifyName):
3045         * runtime/JSGlobalObjectFunctions.cpp:
3046         (JSC::globalFuncEval):
3047         * runtime/JSInternalPromise.cpp:
3048         (JSC::JSInternalPromise::then):
3049         * runtime/JSLexicalEnvironment.cpp:
3050         (JSC::JSLexicalEnvironment::deleteProperty):
3051         * runtime/JSMap.cpp:
3052         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
3053         * runtime/JSMapIterator.h:
3054         (JSC::JSMapIterator::advanceIter):
3055         * runtime/JSModuleEnvironment.cpp:
3056         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
3057         * runtime/JSModuleLoader.cpp:
3058         (JSC::printableModuleKey):
3059         (JSC::JSModuleLoader::provide):
3060         (JSC::JSModuleLoader::loadAndEvaluateModule):
3061         (JSC::JSModuleLoader::loadModule):
3062         (JSC::JSModuleLoader::linkAndEvaluateModule):
3063         (JSC::JSModuleLoader::requestImportModule):
3064         * runtime/JSModuleNamespaceObject.h:
3065         * runtime/JSModuleRecord.cpp:
3066         (JSC::JSModuleRecord::evaluate):
3067         * runtime/JSONObject.cpp:
3068         (JSC::Stringifier::Stringifier):
3069         (JSC::Stringifier::appendStringifiedValue):
3070         (JSC::Stringifier::Holder::appendNextProperty):
3071         * runtime/JSObject.cpp:
3072         (JSC::JSObject::calculatedClassName):
3073         (JSC::JSObject::putByIndex):
3074         (JSC::JSObject::ordinaryToPrimitive const):
3075         (JSC::JSObject::toPrimitive const):
3076         (JSC::JSObject::hasInstance):
3077         (JSC::JSObject::getOwnPropertyNames):
3078         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
3079         (JSC::getCustomGetterSetterFunctionForGetterSetter):
3080         (JSC::JSObject::getOwnPropertyDescriptor):
3081         (JSC::JSObject::getMethod):
3082         * runtime/JSObject.h:
3083         (JSC::JSObject::createRawObject):
3084         (JSC::JSFinalObject::create):
3085         * runtime/JSObjectInlines.h:
3086         (JSC::JSObject::canPerformFastPutInline):
3087         (JSC::JSObject::putInlineForJSObject):
3088         (JSC::JSObject::hasOwnProperty const):
3089         * runtime/JSScope.cpp:
3090         (JSC::isUnscopable):
3091         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
3092         * runtime/JSSet.cpp:
3093         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
3094         * runtime/JSSetIterator.h:
3095         (JSC::JSSetIterator::advanceIter):
3096         * runtime/JSString.cpp:
3097         (JSC::JSString::getStringPropertyDescriptor):
3098         * runtime/JSString.h:
3099         (JSC::JSString::getStringPropertySlot):
3100         * runtime/MapConstructor.cpp:
3101         (JSC::constructMap):
3102         * runtime/ModuleProgramExecutable.cpp:
3103         (JSC::ModuleProgramExecutable::create):
3104         * runtime/ObjectPrototype.cpp:
3105         (JSC::objectProtoFuncToLocaleString):
3106         * runtime/ProgramExecutable.h:
3107         * runtime/RegExpObject.cpp:
3108         (JSC::RegExpObject::getOwnPropertySlot):
3109         (JSC::RegExpObject::deleteProperty):
3110         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
3111         (JSC::RegExpObject::getPropertyNames):
3112         (JSC::RegExpObject::getGenericPropertyNames):
3113         (JSC::RegExpObject::put):
3114         * runtime/ScopedArguments.h:
3115         (JSC::ScopedArguments::length const):
3116         * runtime/StrictEvalActivation.h:
3117         (JSC::StrictEvalActivation::create):
3118         * runtime/StringObject.cpp:
3119         (JSC::isStringOwnProperty):
3120         (JSC::StringObject::deleteProperty):
3121         (JSC::StringObject::getOwnNonIndexPropertyNames):
3122         * tools/JSDollarVMPrototype.cpp:
3123         (JSC::JSDollarVMPrototype::gc):
3124         (JSC::JSDollarVMPrototype::edenGC):
3125         * wasm/js/WebAssemblyModuleRecord.cpp:
3126         (JSC::WebAssemblyModuleRecord::evaluate):
3127
3128 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3129
3130         [DFG] NewArrayWithSize(size)'s size does not care negative zero
3131         https://bugs.webkit.org/show_bug.cgi?id=176300
3132
3133         Reviewed by Saam Barati.
3134
3135         NewArrayWithSize(size)'s size does not care about negative zero, as
3136         is the case for NewTypedArray. We propagate this information
3137         in DFGBackwardsPropagationPhase. This removes the negative zero
3138         check in kraken fft's deinterleave function.
3139
3140         * dfg/DFGBackwardsPropagationPhase.cpp:
3141         (JSC::DFG::BackwardsPropagationPhase::propagate):
3142
3143 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3144
3145         [DFG] PutByVal with Array::Generic is too generic
3146         https://bugs.webkit.org/show_bug.cgi?id=176345
3147
3148         Reviewed by Filip Pizlo.
3149
3150         Our DFG/FTL's PutByVal with Array::Generic is a too-generic implementation.
3151         We could have a case like,
3152
3153             dst[key] = src[key];
3154
3155         with string or symbol keys. But they are handled in the slow path.
3156         This patch adds PutByVal(CellUse, StringUse/SymbolUse, UntypedUse). They go
3157         to an optimized path that does not have generic checks (isInt32() / isDouble() etc.).
3158
3159         This improves SixSpeed object-assign.es5 by 9.1%.
3160
3161         object-assign.es5             424.3159+-11.0471    ^    388.8771+-10.9239       ^ definitely 1.0911x faster
3162
3163         * dfg/DFGFixupPhase.cpp:
3164         (JSC::DFG::FixupPhase::fixupNode):
3165         * dfg/DFGOperations.cpp:
3166         (JSC::DFG::putByVal):
3167         (JSC::DFG::putByValInternal):
3168         (JSC::DFG::putByValCellInternal):
3169         (JSC::DFG::putByValCellStringInternal):
3170         (JSC::DFG::operationPutByValInternal): Deleted.
3171         * dfg/DFGOperations.h:
3172         * dfg/DFGSpeculativeJIT.cpp:
3173         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString):
3174         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol):
3175         * dfg/DFGSpeculativeJIT.h:
3176         (JSC::DFG::SpeculativeJIT::callOperation):
3177         * dfg/DFGSpeculativeJIT32_64.cpp:
3178         (JSC::DFG::SpeculativeJIT::compile):
3179         * dfg/DFGSpeculativeJIT64.cpp:
3180         (JSC::DFG::SpeculativeJIT::compile):
3181         * ftl/FTLLowerDFGToB3.cpp:
3182         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
3183         * jit/JITOperations.h:
3184
3185 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3186
3187         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
3188         https://bugs.webkit.org/show_bug.cgi?id=176590
3189
3190         Reviewed by Saam Barati.
3191
3192         We add fixup edges for GetByVal(Array::Generic) to call a faster operation instead of the generic operationGetByVal.
3193
3194                                          baseline                  patched
3195
3196         object-iterate                5.8531+-0.3029            5.7903+-0.2795          might be 1.0108x faster
3197         object-iterate-symbols        7.4099+-0.3993     ^      5.8254+-0.2276        ^ definitely 1.2720x faster
3198
3199         * dfg/DFGFixupPhase.cpp:
3200         (JSC::DFG::FixupPhase::fixupNode):
3201         * dfg/DFGOperations.cpp:
3202         (JSC::DFG::getByValObject):
3203         * dfg/DFGOperations.h:
3204         * dfg/DFGSpeculativeJIT.cpp:
3205         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
3206         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
3207         * dfg/DFGSpeculativeJIT.h:
3208         * dfg/DFGSpeculativeJIT32_64.cpp:
3209         (JSC::DFG::SpeculativeJIT::compile):
3210         * dfg/DFGSpeculativeJIT64.cpp:
3211         (JSC::DFG::SpeculativeJIT::compile):
3212         * ftl/FTLLowerDFGToB3.cpp:
3213         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
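
        [Added example, not JavaScriptCore code and not part of this ChangeLog, covering the two
        entries above (PutByVal with string/symbol keys, and GetByVal with string/symbol keys on
        an object). It shows the `dst[key] = src[key]` copy loop those patches speed up, with both
        string and symbol keys, and the caveat a practitioner wants next to that pattern: when the
        key comes from untrusted input, a key named "__proto__" makes the assignment hit the
        Object.prototype.__proto__ setter. The symbol, the sample objects and the JSON input are
        constructed for the example.]

```javascript
// Added example of the dst[key] = src[key] pattern from the entries above; not JSC code.
// naiveCopy is the shape the patches optimize (string and symbol keys, assignment per key).
// safeCopy shows the hardened variant for keys that come from untrusted input.

const tag = Symbol("tag");  // constructed symbol key for the sample objects

// Enumerable own string and symbol keys, copied by plain assignment:
//   GetByVal(src, key) feeding PutByVal(dst, key, value).
function naiveCopy(dst, src) {
  for (const key of Reflect.ownKeys(src)) {            // strings and symbols, unlike Object.keys
    if (!Object.prototype.propertyIsEnumerable.call(src, key)) continue;
    dst[key] = src[key];
  }
  return dst;
}

// Hardened copy: define the property instead of assigning, so a key named "__proto__"
// becomes an ordinary own property of dst rather than replacing dst's prototype.
function safeCopy(dst, src) {
  for (const key of Reflect.ownKeys(src)) {
    if (!Object.prototype.propertyIsEnumerable.call(src, key)) continue;
    Object.defineProperty(dst, key, {
      value: src[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return dst;
}

// Constructed trusted source: one string key, one symbol key, one non-enumerable key.
function sampleSource() {
  const src = { a: 1, [tag]: "sym" };
  Object.defineProperty(src, "hidden", { value: 2, enumerable: false });
  return src;
}

// Constructed untrusted input: JSON.parse creates "__proto__" as an *own* data property,
// so Reflect.ownKeys lists it and src["__proto__"] returns the nested object.
function untrustedSource() {
  return JSON.parse('{"__proto__": {"isAdmin": true}, "name": "guest"}');
}

function ownsKey(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}
```

        Object.keys and for-in never see symbol keys, which is why the symbol-keyed loop above
        goes through Reflect.ownKeys; the enumerability check keeps the copy equivalent to what
        Object.assign would select.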
3214
3215 2017-09-07  Mark Lam  <mark.lam@apple.com>
3216
3217         Use JIT probes for DFG OSR exit.
3218         https://bugs.webkit.org/show_bug.cgi?id=175144
3219         <rdar://problem/33437050>
3220
3221         Reviewed by Saam Barati.
3222
3223         This patch does the following:
3224         1. Replaces osrExitGenerationThunkGenerator() with osrExitThunkGenerator().
3225            While osrExitGenerationThunkGenerator() generates a thunk that compiles a
3226            unique OSR offramp for each DFG OSR exit site, osrExitThunkGenerator()
3227            generates a thunk that just executes the OSR exit.
3228
3229            The osrExitThunkGenerator() generated thunk works by using a single JIT probe
3230            to call OSRExit::executeOSRExit().  The JIT probe takes care of preserving
3231            CPU registers, and providing the Probe::Stack mechanism for modifying the
3232            stack frame.
3233
3234            OSRExit::executeOSRExit() replaces OSRExit::compileOSRExit() and
3235            OSRExit::compileExit().  It is basically a re-write of those functions to
3236            execute the OSR exit work instead of compiling code to execute the work.
3237
3238            As a result, we get the following savings:
3239            a. no more OSR exit ramp compilation time.
3240            b. no use of JIT executable memory for storing each unique OSR exit ramp.
3241
3242            On the negative side, we incur these costs:
3243
3244            c. the OSRExit::executeOSRExit() ramp may be a little slower than the compiled
3245               version of the ramp.  However, OSR exits are rare.  Hence, this small
3246               difference should not matter much.  It is also offset by the savings from
3247               (a).
3248
3249            d. the Probe::Stack allocates 1K pages of memory for buffering stack
3250               modifications.  The number of these pages depends on the span of stack memory
3251               that the OSR exit ramp reads from and writes to.  Since the OSR exit ramp
3252               tends to only modify values in the current DFG frame and the current
3253               VMEntryRecord, the number of pages tends to only be 1 or 2.
3254
3255               Using the jsc tests as a workload, the vast majority of tests that do OSR
3256               exit use 3 or fewer 1K pages (with the overwhelming number using just 1 page).
3257               A few pathological tests use up to 14 pages, and one particularly
3258               bad test (function-apply-many-args.js) uses 513 pages.
3259
3260            Similar to the old code, the OSR exit ramp still has 2 parts: 1 part that is
3261            only executed once to compute some values for the exit site that are used by
3262            all exit operations from that site, and a 2nd part to execute the exit.  The
3263            1st part is protected by checking whether exit.exitState has already been
3264            initialized.  The computed values are cached in exit.exitState.
3265
3266            Because the OSR exit thunk no longer compiles an OSR exit off-ramp, we no
3267            longer need the facility to patch the site that jumps to the OSR exit ramp.
3268            The DFG::JITCompiler has been modified to remove this patching code.
3269
3270         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
3271            std::memcpy to avoid strict aliasing issues.
3272
3273            Also optimized the implementation of Probe::Stack::physicalAddressFor().
3274
3275         3. Miscellaneous convenience methods added to make the Probe::Context easier to
3276            use.
3277
3278         4. Added a Probe::Frame class that makes it easier to get/set operands and
3279            arguments in a given frame using the deferred write properties of the
3280            Probe::Stack.  Probe::Frame makes it easier to do some of the recovery work in
3281            the OSR exit ramp.
3282
3283         5. Cloned or converted some functions needed by the OSR exit ramp.  The original
3284            JIT versions of these functions are still left in place because they are still
3285            needed for FTL OSR exit.  A FIXME comment has been added to remove them later.
3286            These functions include:
3287
3288            DFGOSRExitCompilerCommon.cpp's handleExitCounts() ==>
3289                CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize()
3290            DFGOSRExitCompilerCommon.cpp's reifyInlinedCallFrames() ==>
3291                DFGOSRExit.cpp's reifyInlinedCallFrames()
3292            DFGOSRExitCompilerCommon.cpp's adjustAndJumpToTarget() ==>
3293                DFGOSRExit.cpp's adjustAndJumpToTarget()
3294
3295            MethodOfGettingAValueProfile::emitReportValue() ==>
3296                MethodOfGettingAValueProfile::reportValue()
3297
3298            DFGOperations.cpp's operationCreateDirectArgumentsDuringExit() ==>
3299                DFGOSRExit.cpp's createDirectArgumentsDuringExit()
3300            DFGOperations.cpp's operationCreateClonedArgumentsDuringExit() ==>
3301                DFGOSRExit.cpp's createClonedArgumentsDuringExit()
3302
3303         * JavaScriptCore.xcodeproj/project.pbxproj:
3304         * assembler/MacroAssembler.cpp:
3305         (JSC::stdFunctionCallback):
3306         * assembler/MacroAssemblerPrinter.cpp:
3307         (JSC::Printer::printCallback):
3308         * assembler/ProbeContext.h:
3309         (JSC::Probe::CPUState::gpr const):
3310         (JSC::Probe::CPUState::spr const):
3311         (JSC::Probe::Context::Context):
3312         (JSC::Probe::Context::arg):
3313         (JSC::Probe::Context::gpr):
3314         (JSC::Probe::Context::spr):
3315         (JSC::Probe::Context::fpr):
3316         (JSC::Probe::Context::gprName):
3317         (JSC::Probe::Context::sprName):
3318         (JSC::Probe::Context::fprName):
3319         (JSC::Probe::Context::gpr const):
3320         (JSC::Probe::Context::spr const):
3321         (JSC::Probe::Context::fpr const):
3322         (JSC::Probe::Context::pc):
3323         (JSC::Probe::Context::fp):
3324         (JSC::Probe::Context::sp):
3325         (JSC::Probe:: const): Deleted.
3326         * assembler/ProbeFrame.h: Added.
3327         (JSC::Probe::Frame::Frame):
3328         (JSC::Probe::Frame::getArgument):
3329         (JSC::Probe::Frame::getOperand):
3330         (JSC::Probe::Frame::get):
3331         (JSC::Probe::Frame::setArgument):
3332         (JSC::Probe::Frame::setOperand):
3333         (JSC::Probe::Frame::set):
3334         * assembler/ProbeStack.cpp:
3335         (JSC::Probe::Page::Page):
3336         * assembler/ProbeStack.h:
3337         (JSC::Probe::Page::get):
3338         (JSC::Probe::Page::set):
3339         (JSC::Probe::Page::physicalAddressFor):
3340         (JSC::Probe::Stack::lowWatermark):
3341         (JSC::Probe::Stack::get):
3342         (JSC::Probe::Stack::set):
3343         * bytecode/ArithProfile.cpp:
3344         * bytecode/ArithProfile.h:
3345         * bytecode/ArrayProfile.h:
3346         (JSC::ArrayProfile::observeArrayMode):
3347         * bytecode/CodeBlock.cpp:
3348         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
3349         * bytecode/CodeBlock.h:
3350         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
3351         * bytecode/ExecutionCounter.h:
3352         (JSC::ExecutionCounter::hasCrossedThreshold const):
3353         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
3354         * bytecode/MethodOfGettingAValueProfile.cpp:
3355         (JSC::MethodOfGettingAValueProfile::reportValue):
3356         * bytecode/MethodOfGettingAValueProfile.h:
3357         * dfg/DFGDriver.cpp:
3358         (JSC::DFG::compileImpl):
3359         * dfg/DFGJITCode.cpp:
3360         (JSC::DFG::JITCode::findPC): Deleted.
3361         * dfg/DFGJITCode.h:
3362         * dfg/DFGJITCompiler.cpp:
3363         (JSC::DFG::JITCompiler::linkOSRExits):
3364         (JSC::DFG::JITCompiler::link):
3365         * dfg/DFGOSRExit.cpp:
3366         (JSC::DFG::jsValueFor):
3367         (JSC::DFG::restoreCalleeSavesFor):
3368         (JSC::DFG::saveCalleeSavesFor):
3369         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
3370         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
3371         (JSC::DFG::saveOrCopyCalleeSavesFor):
3372         (JSC::DFG::createDirectArgumentsDuringExit):
3373         (JSC::DFG::createClonedArgumentsDuringExit):
3374         (JSC::DFG::OSRExit::OSRExit):
3375         (JSC::DFG::emitRestoreArguments):
3376         (JSC::DFG::OSRExit::executeOSRExit):
3377         (JSC::DFG::reifyInlinedCallFrames):
3378         (JSC::DFG::adjustAndJumpToTarget):
3379         (JSC::DFG::printOSRExit):
3380         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
3381         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
3382         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
3383         (JSC::DFG::OSRExit::correctJump): Deleted.
3384         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
3385         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
3386         (JSC::DFG::OSRExit::compileExit): Deleted.
3387         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
3388         * dfg/DFGOSRExit.h:
3389         (JSC::DFG::OSRExitState::OSRExitState):
3390         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
3391         * dfg/DFGOSRExitCompilerCommon.cpp:
3392         * dfg/DFGOSRExitCompilerCommon.h:
3393         * dfg/DFGOperations.cpp:
3394         * dfg/DFGOperations.h:
3395         * dfg/DFGThunks.cpp:
3396         (JSC::DFG::osrExitThunkGenerator):
3397         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
3398         * dfg/DFGThunks.h:
3399         * jit/AssemblyHelpers.cpp:
3400         (JSC::AssemblyHelpers::debugCall): Deleted.
3401         * jit/AssemblyHelpers.h:
3402         * jit/JITOperations.cpp:
3403         * jit/JITOperations.h:
3404         * profiler/ProfilerOSRExit.h:
3405         (JSC::Profiler::OSRExit::incCount):
3406         * runtime/JSCJSValue.h:
3407         * runtime/JSCJSValueInlines.h:
3408         * runtime/VM.h:
3409
3410 2017-09-07  Michael Saboff  <msaboff@apple.com>
3411
3412         Add support for RegExp named capture groups
3413         https://bugs.webkit.org/show_bug.cgi?id=176435
3414
3415         Reviewed by Filip Pizlo.
3416
        Added parsing for both naming a captured parenthesis as well as using a named group in
        a back reference.  Also added support for using named groups with String.prototype.replace().
3419
3420         This patch does not throw Syntax Errors as described in the current spec text for the two
3421         cases of malformed back references in String.prototype.replace() as I believe that it
3422         is inconsistent with the current semantics for handling of other malformed replacement
3423         tokens.  I filed an issue for the requested change to the proposed spec and also filed
3424         a FIXME bug https://bugs.webkit.org/show_bug.cgi?id=176434.
3425
3426         This patch does not implement strength reduction in the optimizing JITs for named capture
3427         groups.  Filed https://bugs.webkit.org/show_bug.cgi?id=176464.
3428
3429         * dfg/DFGAbstractInterpreterInlines.h:
3430         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3431         * dfg/DFGStrengthReductionPhase.cpp:
3432         (JSC::DFG::StrengthReductionPhase::handleNode):
3433         * runtime/CommonIdentifiers.h:
3434         * runtime/JSGlobalObject.cpp:
3435         (JSC::JSGlobalObject::init):
3436         (JSC::JSGlobalObject::haveABadTime):
3437         * runtime/JSGlobalObject.h:
3438         (JSC::JSGlobalObject::regExpMatchesArrayWithGroupsStructure const):
3439         * runtime/RegExp.cpp:
3440         (JSC::RegExp::finishCreation):
3441         * runtime/RegExp.h:
3442         * runtime/RegExpMatchesArray.cpp:
3443         (JSC::createStructureImpl):
3444         (JSC::createRegExpMatchesArrayWithGroupsStructure):
3445         (JSC::createRegExpMatchesArrayWithGroupsSlowPutStructure):
3446         * runtime/RegExpMatchesArray.h:
3447         (JSC::createRegExpMatchesArray):
3448         * runtime/StringPrototype.cpp:
3449         (JSC::substituteBackreferencesSlow):
3450         (JSC::replaceUsingRegExpSearch):
3451         * yarr/YarrParser.h:
3452         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
3453         (JSC::Yarr::Parser::parseEscape):
3454         (JSC::Yarr::Parser::parseParenthesesBegin):
3455         (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
3456         (JSC::Yarr::Parser::tryConsumeIdentifierCharacter):
3457         (JSC::Yarr::Parser::isIdentifierStart):
3458         (JSC::Yarr::Parser::isIdentifierPart):
3459         (JSC::Yarr::Parser::tryConsumeGroupName):
3460         * yarr/YarrPattern.cpp:
3461         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
3462         (JSC::Yarr::YarrPatternConstructor::atomNamedBackReference):
3463         (JSC::Yarr::YarrPattern::errorMessage):
3464         * yarr/YarrPattern.h:
3465         (JSC::Yarr::YarrPattern::reset):
3466         * yarr/YarrSyntaxChecker.cpp:
3467         (JSC::Yarr::SyntaxChecker::atomParenthesesSubpatternBegin):
3468         (JSC::Yarr::SyntaxChecker::atomNamedBackReference):
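
The named-group syntax this entry implements, as observed from script. This is an added example, not part of the WebKit ChangeLog or of the patch itself; the patterns, inputs and helper names (parseDate, unquote, toUSDate, hostAndPort) are constructed here for illustration, and the expected results follow the named capture group semantics the entry describes.

```javascript
// Added example (not WebKit code): RegExp named capture groups, named back
// references and $<name> replacement, exercised through public JS APIs only.
// All patterns and sample inputs below are constructed for illustration.

// (?<name>...) names a group; the match result exposes it under .groups.
const DATE_RE = /(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})/u;

function parseDate(text) {
  const m = DATE_RE.exec(text);
  if (m === null) return null;
  // m.groups is an object with one property per named group in the pattern.
  const { year, month, day } = m.groups;
  return { year: Number(year), month: Number(month), day: Number(day) };
}

// \k<name> is a named back reference: it must match exactly the text that
// the named group captured earlier in the same match attempt.
const QUOTED_RE = /(?<quote>["'])(?<body>.*?)\k<quote>/;

function unquote(text) {
  const m = QUOTED_RE.exec(text);
  return m === null ? null : m.groups.body;
}

// String.prototype.replace understands $<name> in the replacement string
// when the pattern has named groups (the entry above also notes that WebKit
// does not throw on malformed $<...> tokens; that case is not exercised here).
function toUSDate(text) {
  return text.replace(DATE_RE, "$<month>/$<day>/$<year>");
}

// A named group that did not participate in the match is reported as
// undefined in .groups, so callers must handle the optional case explicitly.
const URL_RE = /(?<scheme>https?):\/\/(?<host>[^/:]+)(?::(?<port>\d+))?/;

function hostAndPort(url) {
  const m = URL_RE.exec(url);
  if (m === null) return null;
  const { host, port } = m.groups;
  return { host, port: port === undefined ? null : Number(port) };
}
```

The back-reference pattern is the practical payoff of naming groups: `\k<quote>` reads as intent, where a numbered `\1` silently breaks the moment a group is added in front of it.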
3469
3470 2017-09-07  Myles C. Maxfield  <mmaxfield@apple.com>
3471
3472         [PAL] Unify PlatformUserPreferredLanguages.h with Language.h
3473         https://bugs.webkit.org/show_bug.cgi?id=176561
3474
3475         Reviewed by Brent Fulgham.
3476
3477         * runtime/IntlObject.cpp:
3478         (JSC::defaultLocale):
3479
3480 2017-09-07  Joseph Pecoraro  <pecoraro@apple.com>
3481
3482         Augmented Inspector: Provide a way to inspect a DOM Node (DOM.inspect)
3483         https://bugs.webkit.org/show_bug.cgi?id=176563
3484         <rdar://problem/19639583>
3485
3486         Reviewed by Matt Baker.
3487
3488         * inspector/protocol/DOM.json:
3489         Add an event that is useful for augmented inspectors to inspect
3490         a node. Web pages will still prefer Inspector.inspect.
3491
3492 2017-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3493
3494         [JSC] Remove "malloc" and "free" from JSC/API
3495         https://bugs.webkit.org/show_bug.cgi?id=176331
3496
3497         Reviewed by Keith Miller.
3498
3499         Remove "malloc" and "free" manual calls in JSC/API.
3500
3501         * API/JSValue.mm:
3502         (createStructHandlerMap):
3503         * API/JSWrapperMap.mm:
3504         (parsePropertyAttributes):
3505         (makeSetterName):
3506         (copyPrototypeProperties):
3507         Use RetainPtr<NSString> to keep NSString. We avoid repeated "char*" to "NSString" conversion.
3508
3509         * API/ObjcRuntimeExtras.h:
3510         (adoptSystem):
3511         Add adoptSystem to automate calling system free().
3512
3513         (protocolImplementsProtocol):
3514         (forEachProtocolImplementingProtocol):
3515         (forEachMethodInClass):
3516         (forEachMethodInProtocol):
3517         (forEachPropertyInProtocol):
3518         (StringRange::StringRange):
3519         (StringRange::operator const char* const):
3520         (StringRange::get const):
3521         Use CString for backend.
3522
3523         (StructBuffer::StructBuffer):
3524         (StructBuffer::~StructBuffer):
3525         (StringRange::~StringRange): Deleted.
        Use fastAlignedMalloc/fastAlignedFree to get aligned memory.
3527
3528 2017-09-06  Mark Lam  <mark.lam@apple.com>
3529
3530         constructGenericTypedArrayViewWithArguments() is missing an exception check.
3531         https://bugs.webkit.org/show_bug.cgi?id=176485
3532         <rdar://problem/33898874>
3533
3534         Reviewed by Keith Miller.
3535
3536         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3537         (JSC::constructGenericTypedArrayViewWithArguments):
3538
3539 2017-09-06  Saam Barati  <sbarati@apple.com>
3540
3541         Air should have a Vector of prologue generators instead of a HashMap representing an optional prologue generator
3542         https://bugs.webkit.org/show_bug.cgi?id=176346
3543
3544         Reviewed by Mark Lam.
3545
3546         * b3/B3Procedure.cpp:
3547         (JSC::B3::Procedure::Procedure):
3548         (JSC::B3::Procedure::setNumEntrypoints):
3549         * b3/B3Procedure.h:
3550         (JSC::B3::Procedure::setNumEntrypoints): Deleted.
3551         * b3/air/AirCode.cpp:
3552         (JSC::B3::Air::defaultPrologueGenerator):
3553         (JSC::B3::Air::Code::Code):
3554         (JSC::B3::Air::Code::setNumEntrypoints):
3555         * b3/air/AirCode.h:
3556         (JSC::B3::Air::Code::setPrologueForEntrypoint):
3557         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
3558         (JSC::B3::Air::Code::setEntrypoints):
3559         (JSC::B3::Air::Code::setEntrypointLabels):
3560         * b3/air/AirGenerate.cpp:
3561         (JSC::B3::Air::generate):
3562         * ftl/FTLLowerDFGToB3.cpp:
3563         (JSC::FTL::DFG::LowerDFGToB3::lower):
3564
3565 2017-09-06  Saam Barati  <sbarati@apple.com>
3566
3567         ASSERTION FAILED: op() == CheckStructure in Source/JavaScriptCore/dfg/DFGNode.h(443)
3568         https://bugs.webkit.org/show_bug.cgi?id=176470
3569
3570         Reviewed by Mark Lam.
3571
3572         Update Node::convertToCheckStructureImmediate's assertion to allow
3573         the node to either be a CheckStructure or CheckStructureOrEmpty.
3574
3575         * dfg/DFGNode.h:
3576         (JSC::DFG::Node::convertToCheckStructureImmediate):
3577
3578 2017-09-05  Saam Barati  <sbarati@apple.com>
3579
3580         isNotCellSpeculation is wrong with respect to SpecEmpty
3581         https://bugs.webkit.org/show_bug.cgi?id=176429
3582
3583         Reviewed by Michael Saboff.
3584
3585         The isNotCellSpeculation(SpeculatedType t) function was not taking into account
3586         SpecEmpty in the set for t. It should return false when SpecEmpty is present, since
3587         the empty value will fail a NotCell check. This bug would cause us to erroneously
3588         generate NotCellUse UseKinds for inputs that are the empty value, causing repeated OSR exits.
3589
3590         * bytecode/SpeculatedType.h:
3591         (JSC::isNotCellSpeculation):
3592
3593 2017-09-05  Saam Barati  <sbarati@apple.com>
3594
3595         Make the distinction between entrypoints and CFG roots more clear by naming things better
3596         https://bugs.webkit.org/show_bug.cgi?id=176336
3597
3598         Reviewed by Mark Lam and Keith Miller and Michael Saboff.
3599
3600         This patch does renaming to make the distinction between Graph::m_entrypoints
3601         and Graph::m_numberOfEntrypoints more clear. The source of confusion is that
3602         Graph::m_entrypoints.size() is not equivalent to Graph::m_numberOfEntrypoints.
3603         Graph::m_entrypoints is really just the CFG roots. In CPS, this vector has
3604         size >= 1. In SSA, the size is always 1. This patch renames Graph::m_entrypoints
3605         to Graph::m_roots. To be consistent, this patch also renames Graph's m_entrypointToArguments
3606         field to m_rootToArguments.
3607         
3608         Graph::m_numberOfEntrypoints retains its name. This field is only used in SSA
3609         when compiling with EntrySwitch. It represents the logical number of entrypoints
3610         the compilation will end up with. Each EntrySwitch has m_numberOfEntrypoints
3611         cases.
3612
3613         * dfg/DFGByteCodeParser.cpp:
3614         (JSC::DFG::ByteCodeParser::parseBlock):
3615         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3616         * dfg/DFGCFG.h:
3617         (JSC::DFG::CFG::roots):
3618         (JSC::DFG::CPSCFG::CPSCFG):
3619         * dfg/DFGCPSRethreadingPhase.cpp:
3620         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
3621         * dfg/DFGDCEPhase.cpp:
3622         (JSC::DFG::DCEPhase::run):
3623         * dfg/DFGGraph.cpp:
3624         (JSC::DFG::Graph::dump):
3625         (JSC::DFG::Graph::determineReachability):
3626         (JSC::DFG::Graph::blocksInPreOrder):
3627         (JSC::DFG::Graph::blocksInPostOrder):
3628         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3629         * dfg/DFGGraph.h:
3630         (JSC::DFG::Graph::isRoot):
3631         (JSC::DFG::Graph::isEntrypoint): Deleted.
3632         * dfg/DFGInPlaceAbstractState.cpp:
3633         (JSC::DFG::InPlaceAbstractState::initialize):
3634         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
3635         (JSC::DFG::createPreHeader):
3636         * dfg/DFGMaximalFlushInsertionPhase.cpp:
3637         (JSC::DFG::MaximalFlushInsertionPhase::run):
3638         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
3639         * dfg/DFGOSREntrypointCreationPhase.cpp:
3640         (JSC::DFG::OSREntrypointCreationPhase::run):
3641         * dfg/DFGPredictionInjectionPhase.cpp:
3642         (JSC::DFG::PredictionInjectionPhase::run):
3643         * dfg/DFGSSAConversionPhase.cpp:
3644         (JSC::DFG::SSAConversionPhase::run):
3645         * dfg/DFGSpeculativeJIT.cpp:
3646         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
3647         (JSC::DFG::SpeculativeJIT::linkOSREntries):
3648         * dfg/DFGTypeCheckHoistingPhase.cpp:
3649         (JSC::DFG::TypeCheckHoistingPhase::run):
3650         * dfg/DFGValidate.cpp:
3651
3652 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
3653
3654         test262: Completion values for control flow do not match the spec
3655         https://bugs.webkit.org/show_bug.cgi?id=171265
3656
3657         Reviewed by Saam Barati.
3658
3659         * bytecompiler/BytecodeGenerator.h:
3660         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
3661         When we care about having proper completion values (global code
3662         in programs, modules, and eval) insert undefined results for
3663         control flow statements.
3664
3665         * bytecompiler/NodesCodegen.cpp:
3666         (JSC::SourceElements::emitBytecode):
3667         Reduce writing a default `undefined` value to the completion result to
3668         only once before the last statement we know will produce a value.
3669
3670         (JSC::IfElseNode::emitBytecode):
3671         (JSC::WithNode::emitBytecode):
3672         (JSC::WhileNode::emitBytecode):
3673         (JSC::ForNode::emitBytecode):
3674         (JSC::ForInNode::emitBytecode):
3675         (JSC::ForOfNode::emitBytecode):
3676         (JSC::SwitchNode::emitBytecode):
3677         Insert an undefined to handle cases where code may break out of an
3678         if/else or with statement (break/continue).
3679
3680         (JSC::TryNode::emitBytecode):
3681         Same handling for break cases. Also, finally block statement completion
3682         values are always ignored for the try statement result.
3683
3684         (JSC::ClassDeclNode::emitBytecode):
3685         Class declarations, like function declarations, produce an empty result.
3686
3687         * parser/Nodes.cpp:
3688         (JSC::SourceElements::lastStatement):
3689         (JSC::SourceElements::hasCompletionValue):
3690         (JSC::SourceElements::hasEarlyBreakOrContinue):
3691         (JSC::BlockNode::lastStatement):
3692         (JSC::BlockNode::singleStatement):
3693         (JSC::BlockNode::hasCompletionValue):
3694         (JSC::BlockNode::hasEarlyBreakOrContinue):
3695         (JSC::ScopeNode::singleStatement):
3696         (JSC::ScopeNode::hasCompletionValue):
3697         (JSC::ScopeNode::hasEarlyBreakOrContinue):
3698         The only non-trivial cases need to loop through their list of statements
3699         to determine if this has a completion value or not. Likewise for
3700         determining if there is an early break / continue, meaning a break or
3701         continue statement with no preceding statement that has a completion value.
3702
3703         * parser/Nodes.h:
3704         (JSC::StatementNode::next):
3705         (JSC::StatementNode::hasCompletionValue):
3706         Helper to check if a statement nodes produces a completion value or not.
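
The completion values this entry makes control-flow statements produce, observed through eval(), which returns the completion value of the program it runs. This is an added example, not part of the WebKit ChangeLog or of the patch; the programs in CASES are constructed for illustration and the expected values follow the ECMAScript specification (the test262 cases the entry title refers to), not any engine-specific behaviour. The helper name checkCompletionValues is an assumption of this example.

```javascript
// Added example (not WebKit code): each entry pairs a small program with the
// completion value the specification says it must evaluate to. Running them
// through eval() shows the rules the entry above implements in the bytecode
// generator. Programs are constructed for illustration.
const CASES = [
  // A statement list's value is that of its last value-producing statement.
  ["1; 2;", 2],
  // Function and class declarations produce an empty completion, which
  // leaves the previous value in place.
  ["1; function f() {}", 1],
  ["1; class C {}", 1],
  // An empty block is also empty.
  ["1; {}", 1],
  // Control-flow statements never fall back to the previous value: an if
  // whose taken branch produces nothing yields undefined ...
  ["1; if (true) {}", undefined],
  // ... as does an if without else whose condition is false ...
  ["1; if (false) {}", undefined],
  // ... and a loop that never runs its body.
  ["1; while (false) {}", undefined],
  ["1; for (; false;) {}", undefined],
  // The finally block's value is always ignored for the try statement.
  ["1; try { 2; } finally { 3; }", 2],
  ["1; try {} finally { 3; }", undefined],
  // A break with no preceding value-producing statement in the body (the
  // "early break" the entry describes) yields undefined ...
  ["1; do { break; } while (false)", undefined],
  // ... whereas a break after a value carries that value out of the loop.
  ["1; do { 2; break; } while (false)", 2],
  // switch follows the same rule for its taken clause.
  ["1; switch (0) { case 0: 2; break; }", 2],
  ["1; switch (0) { case 0: break; }", undefined],
];

// Evaluates every program and returns the cases whose observed completion
// value disagrees with the expected one; an empty array means the engine
// matches the specification for all of them.
function checkCompletionValues(cases = CASES) {
  const failures = [];
  for (const [source, expected] of cases) {
    // Indirect eval: global scope, non-strict, so the program is a Script.
    const actual = (0, eval)(source);
    if (actual !== expected) failures.push({ source, expected, actual });
  }
  return failures;
}
```

The two do-while cases are the ones the new hasEarlyBreakOrContinue() check distinguishes: the generator only needs to write a default undefined when a break or continue can be reached before any statement in the body has produced a value.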
3707
3708 2017-09-04  Saam Barati  <sbarati@apple.com>
3709
3710         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
3711         https://bugs.webkit.org/show_bug.cgi?id=176317
3712
3713         Reviewed by Keith Miller.
3714
3715         It turns out that TypeCheckHoistingPhase may hoist a CheckStructure up to 
3716         the SetLocal of a particular value where the value is the empty JSValue.
3717         On 64-bit platforms, the empty value is zero. This means that the empty value
3718         passes a cell check. This will lead to a crash when we dereference null to load
3719         the value's structure. This patch teaches TypeCheckHoistingPhase to be conservative
3720         in the structure checks it hoists. On 64-bit platforms, instead of emitting a
3721         CheckStructure node, we now emit a CheckStructureOrEmpty node. This node allows
3722         the empty value to flow through. If the value isn't empty, it'll perform the normal
3723         structure check that CheckStructure performs. For now, we only emit CheckStructureOrEmpty
3724         on 64-bit platforms since a cell check on 32-bit platforms does not allow the empty
3725         value to flow through.
3726
3727         * dfg/DFGAbstractInterpreterInlines.h:
3728         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3729         * dfg/DFGArgumentsEliminationPhase.cpp:
3730         * dfg/DFGClobberize.h:
3731         (JSC::DFG::clobberize):
3732         * dfg/DFGConstantFoldingPhase.cpp:
3733         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3734         * dfg/DFGDoesGC.cpp:
3735         (JSC::DFG::doesGC):
3736         * dfg/DFGFixupPhase.cpp:
3737         (JSC::DFG::FixupPhase::fixupNode):
3738         * dfg/DFGNode.h:
3739         (JSC::DFG::Node::convertCheckStructureOrEmptyToCheckStructure):
3740         (JSC::DFG::Node::hasStructureSet):
3741         * dfg/DFGNodeType.h:
3742         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3743         * dfg/DFGPredictionPropagationPhase.cpp:
3744         * dfg/DFGSafeToExecute.h:
3745         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
3746         (JSC::DFG::SafeToExecuteEdge::operator()):
3747         (JSC::DFG::SafeToExecuteEdge::maySeeEmptyChild):
3748         (JSC::DFG::safeToExecute):
3749         * dfg/DFGSpeculativeJIT.cpp:
3750         (JSC::DFG::SpeculativeJIT::emitStructureCheck):
3751         (JSC::DFG::SpeculativeJIT::compileCheckStructure):
3752         * dfg/DFGSpeculativeJIT.h:
3753         * dfg/DFGSpeculativeJIT32_64.cpp:
3754         (JSC::DFG::SpeculativeJIT::compile):
3755         * dfg/DFGSpeculativeJIT64.cpp:
3756         (JSC::DFG::SpeculativeJIT::compile):
3757         * dfg/DFGTypeCheckHoistingPhase.cpp:
3758         (JSC::DFG::TypeCheckHoistingPhase::run):
3759         * dfg/DFGValidate.cpp:
3760         * ftl/FTLCapabilities.cpp:
3761         (JSC::FTL::canCompile):
3762         * ftl/FTLLowerDFGToB3.cpp:
3763         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3764         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureOrEmpty):
3765
3766 2017-09-04  Saam Barati  <sbarati@apple.com>
3767
3768         Support compiling catch in the FTL
3769         https://bugs.webkit.org/show_bug.cgi?id=175396
3770
3771         Reviewed by Filip Pizlo.
3772
3773         This patch implements op_catch in the FTL. It extends the DFG implementation
3774         by supporting multiple entrypoints in DFG-SSA. This patch implements this
3775         by introducing an EntrySwitch node. When converting to SSA, we introduce a new
3776         root block with an EntrySwitch that has the previous DFG entrypoints as its
3777         successors. By convention, we pick the zeroth entry point index to be the
3778         op_enter entrypoint. Like in B3, in DFG-SSA, EntrySwitch just acts like a
3779         switch over the entrypoint index argument. DFG::EntrySwitch in the FTL
3780         simply lowers to B3::EntrySwitch. The EntrySwitch in the root block that
3781         SSAConversion creates can not exit because we would both not know where to exit
3782         to in the program: we would not have valid OSR exit state. This design also
3783         mandates that anything we hoist above EntrySwitch in the new root block
3784         can not exit since they also do not have valid OSR exit state.
3785         
3786         This patch also adds a new metadata node named InitializeEntrypointArguments.
3787         InitializeEntrypointArguments is a metadata node that initializes the flush format for
3788         the arguments at a given entrypoint. For a given entrypoint index, this node
3789         tells AI and OSRAvailabilityAnalysis what the flush format for each argument
3790         is. This allows each individual entrypoint to have an independent set of
3791         argument types. Currently, this won't happen in practice because ArgumentPosition
3792         unifies flush formats, but this is an implementation detail we probably want
3793         to modify in the future. SSAConversion will add InitializeEntrypointArguments
3794         to the beginning of each of the original DFG entrypoint blocks.
3795         
3796         This patch also adds the ability to specify custom prologue code generators in Air.
3797         This allows the FTL to specify a custom prologue for catch entrypoints that
3798         matches the op_catch OSR entry calling convention that the DFG uses. This way,
3799         the baseline JIT code OSR enters into op_catch the same way both in the DFG
3800         and the FTL. In the future, we can use this same mechanism to perform stack
3801         overflow checks instead of using a patchpoint.
3802
3803         * b3/air/AirCode.cpp:
3804         (JSC::B3::Air::Code::isEntrypoint):
3805         (JSC::B3::Air::Code::entrypointIndex):
3806         * b3/air/AirCode.h:
3807         (JSC::B3::Air::Code::setPrologueForEntrypoint):
3808         (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
3809         * b3/air/AirGenerate.cpp:
3810         (JSC::B3::Air::generate):
3811         * dfg/DFGAbstractInterpreterInlines.h:
3812         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3813         * dfg/DFGBasicBlock.h:
3814         * dfg/DFGByteCodeParser.cpp:
3815         (JSC::DFG::ByteCodeParser::parseBlock):
3816         (JSC::DFG::ByteCodeParser::parse):
3817         * dfg/DFGCFG.h:
3818         (JSC::DFG::selectCFG):
3819         * dfg/DFGClobberize.h:
3820         (JSC::DFG::clobberize):
3821         * dfg/DFGClobbersExitState.cpp:
3822         (JSC::DFG::clobbersExitState):
3823         * dfg/DFGCommonData.cpp:
3824         (JSC::DFG::CommonData::shrinkToFit):
3825         (JSC::DFG::CommonData::finalizeCatchEntrypoints):
3826         * dfg/DFGCommonData.h:
3827         (JSC::DFG::CommonData::catchOSREntryDataForBytecodeIndex):
3828         (JSC::DFG::CommonData::appendCatchEntrypoint):
3829         * dfg/DFGDoesGC.cpp:
3830         (JSC::DFG::doesGC):
3831         * dfg/DFGFixupPhase.cpp:
3832         (JSC::DFG::FixupPhase::fixupNode):
3833         * dfg/DFGGraph.cpp:
3834         (JSC::DFG::Graph::dump):
3835         (JSC::DFG::Graph::invalidateCFG):
3836         (JSC::DFG::Graph::ensureCPSCFG):
3837         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3838         * dfg/DFGGraph.h:
3839         (JSC::DFG::Graph::isEntrypoint):
3840         * dfg/DFGInPlaceAbstractState.cpp:
3841         (JSC::DFG::InPlaceAbstractState::initialize):
3842         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3843         * dfg/DFGJITCode.cpp:
3844         (JSC::DFG::JITCode::shrinkToFit):
3845         (JSC::DFG::JITCode::finalizeOSREntrypoints):
3846         * dfg/DFGJITCode.h:
3847         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex): Deleted.
3848         (JSC::DFG::JITCode::appendCatchEntrypoint): Deleted.
3849         * dfg/DFGJITCompiler.cpp:
3850         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
3851         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
3852         * dfg/DFGMayExit.cpp:
3853         * dfg/DFGNode.h:
3854         (JSC::DFG::Node::isEntrySwitch):
3855         (JSC::DFG::Node::isTerminal):
3856         (JSC::DFG::Node::entrySwitchData):
3857         (JSC::DFG::Node::numSuccessors):
3858         (JSC::DFG::Node::successor):
3859         (JSC::DFG::Node::entrypointIndex):
3860         * dfg/DFGNodeType.h:
3861         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3862         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
3863         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3864         * dfg/DFGOSREntry.cpp:
3865         (JSC::DFG::prepareCatchOSREntry):
3866         * dfg/DFGOSREntry.h:
3867         * dfg/DFGOSREntrypointCreationPhase.cpp:
3868         (JSC::DFG::OSREntrypointCreationPhase::run):
3869         * dfg/DFGPredictionPropagationPhase.cpp:
3870         * dfg/DFGSSAConversionPhase.cpp:
3871         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
3872         (JSC::DFG::SSAConversionPhase::run):
3873         * dfg/DFGSafeToExecute.h:
3874         (JSC::DFG::safeToExecute):
3875         * dfg/DFGSpeculativeJIT.cpp:
3876         (JSC::DFG::SpeculativeJIT::linkOSREntries):
3877         * dfg/DFGSpeculativeJIT32_64.cpp:
3878         (JSC::DFG::SpeculativeJIT::compile):
3879         * dfg/DFGSpeculativeJIT64.cpp:
3880         (JSC::DFG::SpeculativeJIT::compile):
3881         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
3882         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
3883         * dfg/DFGValidate.cpp:
3884         * ftl/FTLCapabilities.cpp:
3885         (JSC::FTL::canCompile):
3886         * ftl/FTLCompile.cpp:
3887         (JSC::FTL::compile):
3888         * ftl/FTLLowerDFGToB3.cpp:
3889         (JSC::FTL::DFG::LowerDFGToB3::lower):
3890         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3891         (JSC::FTL::DFG::LowerDFGToB3::compileExtractCatchLocal):
3892         (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
3893         (JSC::FTL::DFG::LowerDFGToB3::compileEntrySwitch):