Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-09-27  Mark Lam  <mark.lam@apple.com>
2
3         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
4         https://bugs.webkit.org/show_bug.cgi?id=177423
5         <rdar://problem/34621320>
6
7         Reviewed by Keith Miller.
8
9         * yarr/YarrParser.h:
10         (JSC::Yarr::Parser::tryConsumeGroupName):
11
12 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
13
14         Unreviewed, fix x86 breaking due to exhausted registers
15         https://bugs.webkit.org/show_bug.cgi?id=175823
16
17         * dfg/DFGByteCodeParser.cpp:
18         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
19
20 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
21
22         Unreviewed, build fix after r222563
23         https://bugs.webkit.org/show_bug.cgi?id=175823
24
25         * runtime/JSArrayInlines.h:
26
27 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
28
29         Add Above/Below comparisons for UInt32 patterns
30         https://bugs.webkit.org/show_bug.cgi?id=177281
31
32         Reviewed by Saam Barati.
33
34         Sometimes, we would like to have UInt32 operations in JS. While the VM does
35         not support UInt32 nicely, it supports efficient Int32 operations. As long
36         as signedness does not matter, we can just perform Int32 operations instead
37         and recognize their bit pattern as UInt32.
38
39         But of course, some operations respect signedness. The most frequently
40         used one is comparison. Octane/zlib performs UInt32 comparison by performing
41         `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces
42         UInt32 in Int32 form. And op_unsigned will generate a Double value if
43         the generated Int32 is < 0 (which should be UInt32).
44
45         There is a chance for optimization. The given code pattern is the following.
46
47             op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2))
48
49         This can be converted to the following.
50
51             op_urshift(@1) below:< op_urshift(@2)
52
53         The above conversion is nice since
54
55         1. We can avoid op_unsigned. This could be an unsignedness check in DFG. Since
56         this check depends on the value of the Int32, dropping this check is not as easy as
57         removing Int32 edge filters.
58
59         2. We can perform unsigned comparison in Int32 form. We do not need to convert
60         them to DoubleRep.
61
62         Since the above comparison exists in Octane/zlib's *super* hot path, dropping
63         op_unsigned offers a huge win.
64
65         At first, my patch attempted to do the above conversion in the DFG pipeline.
66         However, it poses several problems.
67
68         1. MovHint is not well removed. It makes UInt32ToNumber (which is for op_unsigned) live.
69         2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes,
70
71             2: UInt32ToNumber(@0)
72             3: MovHint(@2, xxx)
73             4: UInt32ToNumber(@1)
74             5: MovHint(@1, xxx)
75
76         we could drop @5's MovHint. But @3 is difficult since @4 can exit.
77
78         So, instead, we introduce a simple optimization in the bytecode compiler.
79         It performs pattern matching for op_urshift and comparison to drop op_unsigned.
80         We add the op_below and op_above families to the bytecodes. They only accept Int32 and
81         perform unsigned comparison.
82
83         This offers a 4% performance improvement in Octane/zlib.
84
85                                     baseline                  patched
86
87         zlib           x2     431.07483+-16.28434       414.33407+-9.38375         might be 1.0404x faster
88
89         * bytecode/BytecodeDumper.cpp:
90         (JSC::BytecodeDumper<Block>::printCompareJump):
91         (JSC::BytecodeDumper<Block>::dumpBytecode):
92         * bytecode/BytecodeDumper.h:
93         * bytecode/BytecodeList.json:
94         * bytecode/BytecodeUseDef.h:
95         (JSC::computeUsesForBytecodeOffset):
96         (JSC::computeDefsForBytecodeOffset):
97         * bytecode/Opcode.h:
98         (JSC::isBranch):
99         * bytecode/PreciseJumpTargetsInlines.h:
100         (JSC::extractStoredJumpTargetsForBytecodeOffset):
101         * bytecompiler/BytecodeGenerator.cpp:
102         (JSC::BytecodeGenerator::emitJumpIfTrue):
103         (JSC::BytecodeGenerator::emitJumpIfFalse):
104         * bytecompiler/NodesCodegen.cpp:
105         (JSC::BinaryOpNode::emitBytecode):
106         * dfg/DFGAbstractInterpreterInlines.h:
107         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
108         * dfg/DFGByteCodeParser.cpp:
109         (JSC::DFG::ByteCodeParser::parseBlock):
110         * dfg/DFGCapabilities.cpp:
111         (JSC::DFG::capabilityLevel):
112         * dfg/DFGClobberize.h:
113         (JSC::DFG::clobberize):
114         * dfg/DFGDoesGC.cpp:
115         (JSC::DFG::doesGC):
116         * dfg/DFGFixupPhase.cpp:
117         (JSC::DFG::FixupPhase::fixupNode):
118         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
119         * dfg/DFGNodeType.h:
120         * dfg/DFGPredictionPropagationPhase.cpp:
121         * dfg/DFGSafeToExecute.h:
122         (JSC::DFG::safeToExecute):
123         * dfg/DFGSpeculativeJIT.cpp:
124         (JSC::DFG::SpeculativeJIT::compileCompareUnsigned):
125         * dfg/DFGSpeculativeJIT.h:
126         * dfg/DFGSpeculativeJIT32_64.cpp:
127         (JSC::DFG::SpeculativeJIT::compile):
128         * dfg/DFGSpeculativeJIT64.cpp:
129         (JSC::DFG::SpeculativeJIT::compile):
130         * dfg/DFGStrengthReductionPhase.cpp:
131         (JSC::DFG::StrengthReductionPhase::handleNode):
132         * dfg/DFGValidate.cpp:
133         * ftl/FTLCapabilities.cpp:
134         (JSC::FTL::canCompile):
135         * ftl/FTLLowerDFGToB3.cpp:
136         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
137         (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow):
138         (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq):
139         * jit/JIT.cpp:
140         (JSC::JIT::privateCompileMainPass):
141         * jit/JIT.h:
142         * jit/JITArithmetic.cpp:
143         (JSC::JIT::emit_op_below):
144         (JSC::JIT::emit_op_beloweq):
145         (JSC::JIT::emit_op_jbelow):
146         (JSC::JIT::emit_op_jbeloweq):
147         (JSC::JIT::emit_compareUnsignedAndJump):
148         (JSC::JIT::emit_compareUnsigned):
149         * jit/JITArithmetic32_64.cpp:
150         (JSC::JIT::emit_compareUnsignedAndJump):
151         (JSC::JIT::emit_compareUnsigned):
152         * llint/LowLevelInterpreter.asm:
153         * llint/LowLevelInterpreter32_64.asm:
154         * llint/LowLevelInterpreter64.asm:
155         * parser/Nodes.h:
156         (JSC::ExpressionNode::isBinaryOpNode const):
157
158 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
159
160         [DFG] Support ArrayPush with multiple args
161         https://bugs.webkit.org/show_bug.cgi?id=175823
162
163         Reviewed by Saam Barati.
164
165         This patch implements ArrayPush (with multiple arguments) in DFG and FTL. Previously, such calls were not handled
166         by ArrayPush; they went to a generic direct call to Array#push, which runs in the slow path. This patch
167         extends ArrayPush to push multiple arguments in bulk.
168
169         The problem with ArrayPush is that we need to perform ArrayPush atomically: if an OSR exit occurs in the middle
170         of ArrayPush, we would incorrectly push already-pushed elements twice. Once we start pushing values, we should not exit.
171         But we do not want to iterate over the elements twice, once for type checks and once for actually pushing them. That
172         could move elements back and forth between registers and memory.
173
174         This patch achieves the above goal by separating type checks from ArrayPush. When starting ArrayPush, type
175         checks for elements are already done by separately emitted Check nodes.
176
177         We also add JSArray::pushInline for DFG operations that just call JSArray::push, and we also use it in
178         arrayProtoFuncPush's fast path.
179
180         This patch significantly improves performance of `push(multiple args)`.
181
182                                             baseline                  patched
183             Microbenchmarks:
184                 array-push-0            461.8455+-28.9995    ^    151.3438+-6.5653        ^ definitely 3.0516x faster
185                 array-push-1            133.8845+-7.0349     ?    136.1775+-5.8327        ? might be 1.0171x slower
186                 array-push-2            675.6555+-13.4645    ^    145.8747+-6.4621        ^ definitely 4.6318x faster
187                 array-push-3            849.5284+-15.2540    ^    253.4421+-9.1249        ^ definitely 3.3520x faster
188
189                                             baseline                  patched
190             SixSpeed:
191                 spread-literal.es5       90.3482+-6.6514     ^     24.8123+-2.3304        ^ definitely 3.6413x faster
192
193         * dfg/DFGByteCodeParser.cpp:
194         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
195         * dfg/DFGFixupPhase.cpp:
196         (JSC::DFG::FixupPhase::fixupNode):
197         * dfg/DFGNodeType.h:
198         * dfg/DFGOperations.cpp:
199         * dfg/DFGOperations.h:
200         * dfg/DFGSpeculativeJIT.cpp:
201         (JSC::DFG::SpeculativeJIT::compileArrayPush):
202         * dfg/DFGSpeculativeJIT.h:
203         (JSC::DFG::SpeculativeJIT::callOperation):
204         * dfg/DFGSpeculativeJIT32_64.cpp:
205         (JSC::DFG::SpeculativeJIT::compile):
206         * dfg/DFGSpeculativeJIT64.cpp:
207         (JSC::DFG::SpeculativeJIT::compile):
208         * dfg/DFGStoreBarrierInsertionPhase.cpp:
209         * ftl/FTLLowerDFGToB3.cpp:
210         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
211         * jit/JITOperations.h:
212         * runtime/ArrayPrototype.cpp:
213         (JSC::arrayProtoFuncPush):
214         * runtime/JSArray.cpp:
215         (JSC::JSArray::push):
216         * runtime/JSArray.h:
217         * runtime/JSArrayInlines.h:
218         (JSC::JSArray::pushInline):
219
220 2017-09-26  Joseph Pecoraro  <pecoraro@apple.com>
221
222         Web Inspector: Remove unused parameter of Page.reload
223         https://bugs.webkit.org/show_bug.cgi?id=177522
224
225         Reviewed by Matt Baker.
226
227         * inspector/protocol/Page.json:
228
229 2017-09-26  Filip Pizlo  <fpizlo@apple.com>
230
231         Put g_gigacageBasePtr into its own page and make it read-only
232         https://bugs.webkit.org/show_bug.cgi?id=174972
233
234         Reviewed by Michael Saboff.
235         
236         C++ code doesn't have to know about this change. That includes C++ code that generates JIT code.
237         
238         But the offline assembler now needs to know about how to load from offsets of global variables.
239         This turned out to be easy to support by extending the existing expression support.
240
241         * llint/LowLevelInterpreter64.asm:
242         * offlineasm/ast.rb:
243         * offlineasm/parser.rb:
244         * offlineasm/transform.rb:
245         * offlineasm/x86.rb:
246
247 2017-09-26  Commit Queue  <commit-queue@webkit.org>
248
249         Unreviewed, rolling out r222518.
250         https://bugs.webkit.org/show_bug.cgi?id=177507
251
252         Breaks the High Sierra build (Requested by yusukesuzuki on
253         #webkit).
254
255         Reverted changeset:
256
257         "Add Above/Below comparisons for UInt32 patterns"
258         https://bugs.webkit.org/show_bug.cgi?id=177281
259         http://trac.webkit.org/changeset/222518
260
261 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
262
263         Add Above/Below comparisons for UInt32 patterns
264         https://bugs.webkit.org/show_bug.cgi?id=177281
265
266         Reviewed by Saam Barati.
267
268         Sometimes, we would like to have UInt32 operations in JS. While the VM does
269         not support UInt32 nicely, it supports efficient Int32 operations. As long
270         as signedness does not matter, we can just perform Int32 operations instead
271         and recognize their bit pattern as UInt32.
272
273         But of course, some operations respect signedness. The most frequently
274         used one is comparison. Octane/zlib performs UInt32 comparison by performing
275         `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces
276         UInt32 in Int32 form. And op_unsigned will generate a Double value if
277         the generated Int32 is < 0 (which should be UInt32).
278
279         There is a chance for optimization. The given code pattern is the following.
280
281             op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2))
282
283         This can be converted to the following.
284
285             op_urshift(@1) below:< op_urshift(@2)
286
287         The above conversion is nice since
288
289         1. We can avoid op_unsigned. This could be an unsignedness check in DFG. Since
290         this check depends on the value of the Int32, dropping this check is not as easy as
291         removing Int32 edge filters.
292
293         2. We can perform unsigned comparison in Int32 form. We do not need to convert
294         them to DoubleRep.
295
296         Since the above comparison exists in Octane/zlib's *super* hot path, dropping
297         op_unsigned offers a huge win.
298
299         At first, my patch attempted to do the above conversion in the DFG pipeline.
300         However, it poses several problems.
301
302         1. MovHint is not well removed. It makes UInt32ToNumber (which is for op_unsigned) live.
303         2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes,
304
305             2: UInt32ToNumber(@0)
306             3: MovHint(@2, xxx)
307             4: UInt32ToNumber(@1)
308             5: MovHint(@1, xxx)
309
310         we could drop @5's MovHint. But @3 is difficult since @4 can exit.
311
312         So, instead, we introduce a simple optimization in the bytecode compiler.
313         It performs pattern matching for op_urshift and comparison to drop op_unsigned.
314         We add the op_below and op_above families to the bytecodes. They only accept Int32 and
315         perform unsigned comparison.
316
317         This offers a 4% performance improvement in Octane/zlib.
318
319                                     baseline                  patched
320
321         zlib           x2     431.07483+-16.28434       414.33407+-9.38375         might be 1.0404x faster
322
323         * bytecode/BytecodeDumper.cpp:
324         (JSC::BytecodeDumper<Block>::printCompareJump):
325         (JSC::BytecodeDumper<Block>::dumpBytecode):
326         * bytecode/BytecodeDumper.h:
327         * bytecode/BytecodeList.json:
328         * bytecode/BytecodeUseDef.h:
329         (JSC::computeUsesForBytecodeOffset):
330         (JSC::computeDefsForBytecodeOffset):
331         * bytecode/Opcode.h:
332         (JSC::isBranch):
333         * bytecode/PreciseJumpTargetsInlines.h:
334         (JSC::extractStoredJumpTargetsForBytecodeOffset):
335         * bytecompiler/BytecodeGenerator.cpp:
336         (JSC::BytecodeGenerator::emitJumpIfTrue):
337         (JSC::BytecodeGenerator::emitJumpIfFalse):
338         * bytecompiler/NodesCodegen.cpp:
339         (JSC::BinaryOpNode::emitBytecode):
340         * dfg/DFGAbstractInterpreterInlines.h:
341         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
342         * dfg/DFGByteCodeParser.cpp:
343         (JSC::DFG::ByteCodeParser::parseBlock):
344         * dfg/DFGCapabilities.cpp:
345         (JSC::DFG::capabilityLevel):
346         * dfg/DFGClobberize.h:
347         (JSC::DFG::clobberize):
348         * dfg/DFGDoesGC.cpp:
349         (JSC::DFG::doesGC):
350         * dfg/DFGFixupPhase.cpp:
351         (JSC::DFG::FixupPhase::fixupNode):
352         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
353         * dfg/DFGNodeType.h:
354         * dfg/DFGPredictionPropagationPhase.cpp:
355         * dfg/DFGSafeToExecute.h:
356         (JSC::DFG::safeToExecute):
357         * dfg/DFGSpeculativeJIT.cpp:
358         (JSC::DFG::SpeculativeJIT::compileCompareUnsigned):
359         * dfg/DFGSpeculativeJIT.h:
360         * dfg/DFGSpeculativeJIT32_64.cpp:
361         (JSC::DFG::SpeculativeJIT::compile):
362         * dfg/DFGSpeculativeJIT64.cpp:
363         (JSC::DFG::SpeculativeJIT::compile):
364         * dfg/DFGStrengthReductionPhase.cpp:
365         (JSC::DFG::StrengthReductionPhase::handleNode):
366         * dfg/DFGValidate.cpp:
367         * ftl/FTLCapabilities.cpp:
368         (JSC::FTL::canCompile):
369         * ftl/FTLLowerDFGToB3.cpp:
370         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
371         (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow):
372         (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq):
373         * jit/JIT.cpp:
374         (JSC::JIT::privateCompileMainPass):
375         * jit/JIT.h:
376         * jit/JITArithmetic.cpp:
377         (JSC::JIT::emit_op_below):
378         (JSC::JIT::emit_op_beloweq):
379         (JSC::JIT::emit_op_jbelow):
380         (JSC::JIT::emit_op_jbeloweq):
381         (JSC::JIT::emit_compareUnsignedAndJump):
382         (JSC::JIT::emit_compareUnsigned):
383         * jit/JITArithmetic32_64.cpp:
384         (JSC::JIT::emit_compareUnsignedAndJump):
385         (JSC::JIT::emit_compareUnsigned):
386         * llint/LowLevelInterpreter.asm:
387         * llint/LowLevelInterpreter32_64.asm:
388         * llint/LowLevelInterpreter64.asm:
389         * parser/Nodes.h:
390         (JSC::ExpressionNode::isBinaryOpNode const):
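        Worked model of the conversion described in the two "Add Above/Below comparisons for UInt32 patterns"
        entries above, added here as an illustration and not JSC's own code: it models op_urshift, op_unsigned,
        op_less and the new op_below with plain C integers (hypothetical helper names mirroring the bytecodes),
        and checks over boundary values that the `below` form matches the baseline while a naive signed compare
        of the same Int32 patterns does not. It assumes |x| < 2^63 for the ToUint32 model.

```c
#include <float.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the bytecode pieces named in the ChangeLog (hypothetical helpers,
 * not JSC's implementation). Assumption: |x| < 2^63 so the int64 cast below
 * truncates toward zero exactly, which covers every sample used here. */

/* op_urshift(x, 0): ECMAScript ToUint32(x), kept "in Int32 form", i.e. the
 * 32-bit pattern of the unsigned result reinterpreted as a signed int32. */
static int32_t op_urshift0(double x)
{
    /* NaN and +/-Infinity map to 0 under ToUint32. */
    if (x != x || x > DBL_MAX || x < -DBL_MAX)
        return 0;
    int64_t truncated = (int64_t)x;          /* ToInteger: truncate toward zero */
    uint32_t u = (uint32_t)truncated;        /* modulo 2^32, well defined for unsigned */
    int32_t s;
    memcpy(&s, &u, sizeof s);                /* reinterpret the bits as Int32 */
    return s;
}

/* op_unsigned: turn the Int32-form UInt32 back into a JS Number. A negative
 * Int32 means the true value does not fit Int32, so it becomes a Double.
 * This value-dependent check is what the patch removes from the hot path. */
static double op_unsigned(int32_t v)
{
    if (v < 0)
        return (double)v + 4294967296.0;     /* add 2^32 */
    return (double)v;
}

/* Baseline: op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2)) */
static bool compare_baseline(double a, double b)
{
    return op_unsigned(op_urshift0(a)) < op_unsigned(op_urshift0(b));
}

/* New op_below: unsigned comparison of two Int32 patterns, no DoubleRep. */
static bool op_below(int32_t lhs, int32_t rhs)
{
    return (uint32_t)lhs < (uint32_t)rhs;
}

/* Patched: op_urshift(@1) below:< op_urshift(@2) */
static bool compare_patched(double a, double b)
{
    return op_below(op_urshift0(a), op_urshift0(b));
}

/* The pitfall the below/above families exist to avoid: a signed op_less on the
 * same Int32 patterns gives the wrong answer once the high bit is set. */
static bool compare_signed_naive(double a, double b)
{
    return op_urshift0(a) < op_urshift0(b);
}

/* Compares all pairs of boundary values. Returns how many pairs the baseline
 * and the below form disagree on (expected 0); *naive_wrong receives how many
 * pairs the signed compare gets wrong (expected > 0). */
static int check_equivalence(int *naive_wrong)
{
    volatile double zero = 0.0;              /* runtime NaN/Infinity, not constant-folded */
    double samples[] = {
        0.0, 1.0, 2147483647.0, 2147483648.0, 4294967295.0, 4294967296.0,
        -1.0, -2147483648.0, 3.99, -0.5, 1e10, zero / zero, 1.0 / zero, -1.0 / zero
    };
    int n = (int)(sizeof samples / sizeof samples[0]);
    int mismatches = 0;
    *naive_wrong = 0;
    for (int i = 0; i < n; i++) {
        for (int j = 0; j < n; j++) {
            bool expected = compare_baseline(samples[i], samples[j]);
            if (expected != compare_patched(samples[i], samples[j]))
                mismatches++;
            if (expected != compare_signed_naive(samples[i], samples[j]))
                (*naive_wrong)++;
        }
    }
    return mismatches;
}

int main(void)
{
    int naive_wrong = 0;
    int mismatches = check_equivalence(&naive_wrong);
    printf("baseline vs below mismatches: %d, naive signed compare wrong in %d pairs\n",
           mismatches, naive_wrong);
    return mismatches == 0 ? 0 : 1;
}
```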
391
392 2017-09-24  Keith Miller  <keith_miller@apple.com>
393
394         JSC build should use unified sources for derived sources
395         https://bugs.webkit.org/show_bug.cgi?id=177421
396
397         Reviewed by JF Bastien.
398
399         This patch makes a couple of changes:
400
401         1) Make derived sources get added to the relevant bundles. I was going to add JSCBuiltins.cpp
402         to runtime, but that kept breaking the Windows build. I'll get back to it later.
403         2) Move the derived location of some sources both for clarity and for ease of use.
404         3) Make auto-generator scripts able to create directories if needed.
405         4) Move some scripts from the top level of the JavaScriptCore directory to a
406         more appropriate directory.
407         5) Move some CMake generation commands around for clarity.
408
409         * CMakeLists.txt:
410         * DerivedSources.make:
411         * JavaScriptCore.xcodeproj/project.pbxproj:
412         * Scripts/lazywriter.py:
413         (LazyFileWriter.close):
414         * Sources.txt:
415         * inspector/scripts/generate-inspector-protocol-bindings.py:
416         (IncrementalFileWriter.close):
417         * yarr/create_regex_tables: Renamed from Source/JavaScriptCore/create_regex_tables.
418         * yarr/generateYarrCanonicalizeUnicode: Renamed from Source/JavaScriptCore/generateYarrCanonicalizeUnicode.
419
420 2017-09-26  Zan Dobersek  <zdobersek@igalia.com>
421
422         Support building JavaScriptCore with the Bionic C library
423         https://bugs.webkit.org/show_bug.cgi?id=177427
424
425         Reviewed by Michael Catanzaro.
426
427         When compiling with the Bionic C library, the MachineContext.h header
428         should enable the same code paths that are enabled for the GNU C library.
429
430         The Bionic C library defines the __BIONIC__ macro, but unlike other C
431         libraries that mimic the GNU one, it doesn't define __GLIBC__. So the
432         __BIONIC__ macro checks have to match the __GLIBC__ ones.
433
434         * runtime/MachineContext.h:
435         (JSC::MachineContext::stackPointer):
436         (JSC::MachineContext::framePointer):
437         (JSC::MachineContext::instructionPointer):
438         (JSC::MachineContext::argumentPointer<1>):
439         (JSC::MachineContext::llintInstructionPointer):
440
441 2017-09-25  Devin Rousso  <webkit@devinrousso.com>
442
443         Web Inspector: move Console.addInspectedNode to DOM.setInspectedNode
444         https://bugs.webkit.org/show_bug.cgi?id=176827
445
446         Reviewed by Joseph Pecoraro.
447
448         * inspector/agents/InspectorConsoleAgent.h:
449
450         * inspector/agents/JSGlobalObjectConsoleAgent.h:
451         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
452         (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode): Deleted.
453
454         * inspector/protocol/Console.json:
455         * inspector/protocol/DOM.json:
456
457 2017-09-25  Ryan Haddad  <ryanhaddad@apple.com>
458
459         Unreviewed, rebaseline builtins generator tests after r222473.
460
461         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
462
463 2017-09-25  Alex Christensen  <achristensen@webkit.org>
464
465         Make Attribute an enum class
466         https://bugs.webkit.org/show_bug.cgi?id=177414
467
468         Reviewed by Yusuke Suzuki.
469
470         I've had enough of these naming collisions.  This is what enum classes are for.
471         Unfortunately a lot of static_cast<unsigned> is necessary until those functions take
472         an OptionSet<Attribute> instead of an unsigned parameter, but this is a big step
473         towards where we ought to be.
474
475         * API/JSCallbackObjectFunctions.h:
476         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
477         * API/JSObjectRef.cpp:
478         (JSObjectMakeConstructor):
479         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
480         (BuiltinsInternalsWrapperImplementationGenerator.property_macro):
481         * bytecode/GetByIdStatus.cpp:
482         (JSC::GetByIdStatus::computeFromLLInt):
483         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
484         (JSC::GetByIdStatus::computeFor):
485         * bytecode/PropertyCondition.cpp:
486         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
487         (JSC::PropertyCondition::isValidValueForAttributes):
488         * bytecode/PutByIdStatus.cpp:
489         (JSC::PutByIdStatus::computeFor):
490         * bytecompiler/BytecodeGenerator.cpp:
491         (JSC::BytecodeGenerator::instantiateLexicalVariables):
492         (JSC::BytecodeGenerator::variable):
493         * bytecompiler/BytecodeGenerator.h:
494         (JSC::Variable::isReadOnly const):
495         (JSC::Variable::setIsReadOnly):
496         * bytecompiler/NodesCodegen.cpp:
497         (JSC::PropertyListNode::emitBytecode):
498         * create_hash_table:
499         * debugger/DebuggerScope.cpp:
500         (JSC::DebuggerScope::getOwnPropertySlot):
501         * dfg/DFGOperations.cpp:
502         * inspector/JSInjectedScriptHostPrototype.cpp:
503         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
504         * inspector/JSJavaScriptCallFramePrototype.cpp:
505         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
506         * jit/Repatch.cpp:
507         (JSC::tryCacheGetByID):
508         * jsc.cpp:
509         (WTF::CustomGetter::getOwnPropertySlot):
510         (WTF::RuntimeArray::getOwnPropertySlot):
511         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
512         (WTF::DOMJITGetter::finishCreation):
513         (WTF::DOMJITGetterComplex::finishCreation):
514         (WTF::DOMJITFunctionObject::finishCreation):
515         (WTF::DOMJITCheckSubClassObject::finishCreation):
516         (GlobalObject::finishCreation):
517         * runtime/ArrayConstructor.cpp:
518         (JSC::ArrayConstructor::finishCreation):
519         * runtime/ArrayIteratorPrototype.cpp:
520         (JSC::ArrayIteratorPrototype::finishCreation):
521         * runtime/ArrayPrototype.cpp:
522         (JSC::ArrayPrototype::finishCreation):
523         * runtime/AsyncFromSyncIteratorPrototype.cpp:
524         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
525         * runtime/AsyncFunctionConstructor.cpp:
526         (JSC::AsyncFunctionConstructor::finishCreation):
527         * runtime/AsyncFunctionPrototype.cpp:
528         (JSC::AsyncFunctionPrototype::finishCreation):
529         * runtime/AsyncGeneratorFunctionConstructor.cpp:
530         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
531         * runtime/AsyncGeneratorFunctionPrototype.cpp:
532         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
533         * runtime/AsyncGeneratorPrototype.cpp:
534         (JSC::AsyncGeneratorPrototype::finishCreation):
535         * runtime/AsyncIteratorPrototype.cpp:
536         (JSC::AsyncIteratorPrototype::finishCreation):
537         * runtime/AtomicsObject.cpp:
538         (JSC::AtomicsObject::finishCreation):
539         * runtime/BooleanConstructor.cpp:
540         (JSC::BooleanConstructor::finishCreation):
541         * runtime/ClonedArguments.cpp:
542         (JSC::ClonedArguments::createStructure):
543         (JSC::ClonedArguments::getOwnPropertySlot):
544         (JSC::ClonedArguments::materializeSpecials):
545         * runtime/CommonSlowPaths.cpp:
546         (JSC::SLOW_PATH_DECL):
547         * runtime/ConsoleObject.cpp:
548         (JSC::ConsoleObject::finishCreation):
549         * runtime/DateConstructor.cpp:
550         (JSC::DateConstructor::finishCreation):
551         * runtime/DatePrototype.cpp:
552         (JSC::DatePrototype::finishCreation):
553         * runtime/DirectArguments.cpp:
554         (JSC::DirectArguments::overrideThings):
555         * runtime/Error.cpp:
556         (JSC::addErrorInfo):
557         * runtime/ErrorConstructor.cpp:
558         (JSC::ErrorConstructor::finishCreation):
559         * runtime/ErrorInstance.cpp:
560         (JSC::ErrorInstance::finishCreation):
561         * runtime/ErrorPrototype.cpp:
562         (JSC::ErrorPrototype::finishCreation):
563         * runtime/FunctionConstructor.cpp:
564         (JSC::FunctionConstructor::finishCreation):
565         * runtime/FunctionPrototype.cpp:
566         (JSC::FunctionPrototype::finishCreation):
567         (JSC::FunctionPrototype::addFunctionProperties):
568         (JSC::FunctionPrototype::initRestrictedProperties):
569         * runtime/GeneratorFunctionConstructor.cpp:
570         (JSC::GeneratorFunctionConstructor::finishCreation):
571         * runtime/GeneratorFunctionPrototype.cpp:
572         (JSC::GeneratorFunctionPrototype::finishCreation):
573         * runtime/GeneratorPrototype.cpp:
574         (JSC::GeneratorPrototype::finishCreation):
575         * runtime/GenericArgumentsInlines.h:
576         (JSC::GenericArguments<Type>::getOwnPropertySlot):
577         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
578         * runtime/InternalFunction.cpp:
579         (JSC::InternalFunction::finishCreation):
580         * runtime/IntlCollatorConstructor.cpp:
581         (JSC::IntlCollatorConstructor::finishCreation):
582         * runtime/IntlDateTimeFormatConstructor.cpp:
583         (JSC::IntlDateTimeFormatConstructor::finishCreation):
584         * runtime/IntlDateTimeFormatPrototype.cpp:
585         (JSC::IntlDateTimeFormatPrototype::finishCreation):
586         * runtime/IntlNumberFormatConstructor.cpp:
587         (JSC::IntlNumberFormatConstructor::finishCreation):
588         * runtime/IntlObject.cpp:
589         (JSC::IntlObject::finishCreation):
590         * runtime/IteratorPrototype.cpp:
591         (JSC::IteratorPrototype::finishCreation):
592         * runtime/JSArray.cpp:
593         (JSC::JSArray::getOwnPropertySlot):
594         (JSC::JSArray::setLengthWithArrayStorage):
595         * runtime/JSArrayBufferConstructor.cpp:
596         (JSC::JSArrayBufferConstructor::finishCreation):
597         * runtime/JSArrayBufferPrototype.cpp:
598         (JSC::JSArrayBufferPrototype::finishCreation):
599         * runtime/JSBoundFunction.cpp:
600         (JSC::JSBoundFunction::finishCreation):
601         * runtime/JSCJSValue.cpp:
602         (JSC::JSValue::putToPrimitive):
603         * runtime/JSDataView.cpp:
604         (JSC::JSDataView::getOwnPropertySlot):
605         * runtime/JSDataViewPrototype.cpp:
606         (JSC::JSDataViewPrototype::finishCreation):
607         * runtime/JSFunction.cpp:
608         (JSC::JSFunction::finishCreation):
609         (JSC::JSFunction::getOwnPropertySlot):
610         (JSC::JSFunction::defineOwnProperty):
611         (JSC::JSFunction::reifyLength):
612         (JSC::JSFunction::reifyName):
613         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
614         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
615         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
616         * runtime/JSGenericTypedArrayViewInlines.h:
617         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
618         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
619         * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
620         (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
621         * runtime/JSGlobalObject.cpp:
622         (JSC::JSGlobalObject::init):
623         (JSC::JSGlobalObject::addStaticGlobals):
624         * runtime/JSLexicalEnvironment.cpp:
625         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
626         * runtime/JSModuleNamespaceObject.cpp:
627         (JSC::JSModuleNamespaceObject::finishCreation):
628         (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
629         * runtime/JSONObject.cpp:
630         (JSC::JSONObject::finishCreation):
631         * runtime/JSObject.cpp:
632         (JSC::getClassPropertyNames):
633         (JSC::JSObject::getOwnPropertySlotByIndex):
634         (JSC::ordinarySetSlow):
635         (JSC::JSObject::putInlineSlow):
636         (JSC::JSObject::putGetter):
637         (JSC::JSObject::putSetter):
638         (JSC::JSObject::putDirectAccessor):
639         (JSC::JSObject::putDirectCustomAccessor):
640         (JSC::JSObject::putDirectNonIndexAccessor):
641         (JSC::JSObject::deleteProperty):
642         (JSC::JSObject::deletePropertyByIndex):
643         (JSC::JSObject::getOwnPropertyNames):
644         (JSC::JSObject::putIndexedDescriptor):
645         (JSC::JSObject::defineOwnIndexedProperty):
646         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
647         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
648         (JSC::JSObject::getOwnPropertyDescriptor):
649         (JSC::putDescriptor):
650         (JSC::validateAndApplyPropertyDescriptor):
651         * runtime/JSObject.h:
652         (JSC::JSObject::putDirect):
653         * runtime/JSObjectInlines.h:
654         (JSC::JSObject::putDirectWithoutTransition):
655         (JSC::JSObject::putDirectInternal):
656         * runtime/JSPromiseConstructor.cpp:
657         (JSC::JSPromiseConstructor::finishCreation):
658         (JSC::JSPromiseConstructor::addOwnInternalSlots):
659         * runtime/JSPromisePrototype.cpp:
660         (JSC::JSPromisePrototype::finishCreation):
661         (JSC::JSPromisePrototype::addOwnInternalSlots):
662         * runtime/JSString.cpp:
663         (JSC::JSString::getStringPropertyDescriptor):
664         * runtime/JSString.h:
665         (JSC::JSString::getStringPropertySlot):
666         * runtime/JSSymbolTableObject.cpp:
667         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
668         * runtime/JSSymbolTableObject.h:
669         (JSC::symbolTableGet):
670         * runtime/JSTypedArrayViewConstructor.cpp:
671         (JSC::JSTypedArrayViewConstructor::finishCreation):
672         * runtime/JSTypedArrayViewPrototype.cpp:
673         (JSC::JSTypedArrayViewPrototype::finishCreation):
674         * runtime/LazyClassStructure.cpp:
675         (JSC::LazyClassStructure::Initializer::setConstructor):
676         * runtime/Lookup.cpp:
677         (JSC::reifyStaticAccessor):
678         (JSC::setUpStaticFunctionSlot):
679         * runtime/Lookup.h:
680         (JSC::HashTableValue::intrinsic const):
681         (JSC::HashTableValue::builtinGenerator const):
682         (JSC::HashTableValue::function const):
683         (JSC::HashTableValue::functionLength const):
684         (JSC::HashTableValue::propertyGetter const):
685         (JSC::HashTableValue::propertyPutter const):
686         (JSC::HashTableValue::domJIT const):
687         (JSC::HashTableValue::signature const):
688         (JSC::HashTableValue::accessorGetter const):
689         (JSC::HashTableValue::accessorSetter const):
690         (JSC::HashTableValue::constantInteger const):
691         (JSC::HashTableValue::lazyCellPropertyOffset const):
692         (JSC::HashTableValue::lazyClassStructureOffset const):
693         (JSC::HashTableValue::lazyPropertyCallback const):
694         (JSC::HashTableValue::builtinAccessorGetterGenerator const):
695         (JSC::HashTableValue::builtinAccessorSetterGenerator const):
696         (JSC::getStaticPropertySlotFromTable):
697         (JSC::putEntry):
698         (JSC::reifyStaticProperty):
699         * runtime/MapConstructor.cpp:
700         (JSC::MapConstructor::finishCreation):
701         * runtime/MapIteratorPrototype.cpp:
702         (JSC::MapIteratorPrototype::finishCreation):
703         * runtime/MapPrototype.cpp:
704         (JSC::MapPrototype::finishCreation):
705         * runtime/MathObject.cpp:
706         (JSC::MathObject::finishCreation):
707         * runtime/NativeErrorConstructor.cpp:
708         (JSC::NativeErrorConstructor::finishCreation):
709         * runtime/NativeErrorPrototype.cpp:
710         (JSC::NativeErrorPrototype::finishCreation):
711         * runtime/NumberConstructor.cpp:
712         (JSC::NumberConstructor::finishCreation):
713         * runtime/NumberPrototype.cpp:
714         (JSC::NumberPrototype::finishCreation):
715         * runtime/ObjectConstructor.cpp:
716         (JSC::ObjectConstructor::finishCreation):
717         (JSC::objectConstructorAssign):
718         (JSC::objectConstructorValues):
719         (JSC::objectConstructorDefineProperty):
720         * runtime/ObjectPrototype.cpp:
721         (JSC::ObjectPrototype::finishCreation):
722         (JSC::objectProtoFuncLookupGetter):
723         (JSC::objectProtoFuncLookupSetter):
724         * runtime/ProgramExecutable.cpp:
725         (JSC::ProgramExecutable::initializeGlobalProperties):
726         * runtime/PropertyDescriptor.cpp:
727         (JSC::PropertyDescriptor::writable const):
728         (JSC::PropertyDescriptor::enumerable const):
729         (JSC::PropertyDescriptor::configurable const):
730         (JSC::PropertyDescriptor::setUndefined):
731         (JSC::PropertyDescriptor::setDescriptor):
732         (JSC::PropertyDescriptor::setCustomDescriptor):
733         (JSC::PropertyDescriptor::setAccessorDescriptor):
734         (JSC::PropertyDescriptor::setWritable):
735         (JSC::PropertyDescriptor::setEnumerable):
736         (JSC::PropertyDescriptor::setConfigurable):
737         (JSC::PropertyDescriptor::setSetter):
738         (JSC::PropertyDescriptor::setGetter):
739         (JSC::PropertyDescriptor::attributesEqual const):
740         (JSC::PropertyDescriptor::attributesOverridingCurrent const):
741         * runtime/PropertySlot.cpp:
742         (JSC::PropertySlot::customGetter const):
743         * runtime/PropertySlot.h:
744         (JSC::operator| ):
745         (JSC::operator&):
746         (JSC::operator<):
747         (JSC::operator~):
748         (JSC::operator|=):
749         (JSC::PropertySlot::setUndefined):
750         * runtime/ProxyConstructor.cpp:
751         (JSC::makeRevocableProxy):
752         (JSC::ProxyConstructor::finishCreation):
753         * runtime/ProxyObject.cpp:
754         (JSC::ProxyObject::performHasProperty):
755         * runtime/ProxyRevoke.cpp:
756         (JSC::ProxyRevoke::finishCreation):
757         * runtime/ReflectObject.cpp:
758         (JSC::ReflectObject::finishCreation):
759         (JSC::reflectObjectDefineProperty):
760         * runtime/RegExpConstructor.cpp:
761         (JSC::RegExpConstructor::finishCreation):
762         * runtime/RegExpObject.cpp:
763         (JSC::RegExpObject::getOwnPropertySlot):
764         * runtime/RegExpPrototype.cpp:
765         (JSC::RegExpPrototype::finishCreation):
766         * runtime/ScopedArguments.cpp:
767         (JSC::ScopedArguments::overrideThings):
768         * runtime/SetConstructor.cpp:
769         (JSC::SetConstructor::finishCreation):
770         * runtime/SetIteratorPrototype.cpp:
771         (JSC::SetIteratorPrototype::finishCreation):
772         * runtime/SetPrototype.cpp:
773         (JSC::SetPrototype::finishCreation):
774         * runtime/SparseArrayValueMap.cpp:
775         (JSC::SparseArrayValueMap::putDirect):
776         (JSC::SparseArrayEntry::put):
777         * runtime/StringConstructor.cpp:
778         (JSC::StringConstructor::finishCreation):
779         * runtime/StringIteratorPrototype.cpp:
780         (JSC::StringIteratorPrototype::finishCreation):
781         * runtime/StringPrototype.cpp:
782         (JSC::StringPrototype::finishCreation):
783         * runtime/Structure.cpp:
784         (JSC::Structure::nonPropertyTransition):
785         (JSC::Structure::isSealed):
786         (JSC::Structure::isFrozen):
787         (JSC::Structure::getPropertyNamesFromStructure):
788         (JSC::Structure::prototypeChainMayInterceptStoreTo):
789         * runtime/StructureInlines.h:
790         (JSC::Structure::add):
791         * runtime/SymbolConstructor.cpp:
792         (JSC::SymbolConstructor::finishCreation):
793         * runtime/SymbolPrototype.cpp:
794         (JSC::SymbolPrototype::finishCreation):
795         * runtime/SymbolTable.h:
796         (JSC::SymbolTableEntry::Fast::getAttributes const):
797         (JSC::SymbolTableEntry::SymbolTableEntry):
798         (JSC::SymbolTableEntry::setAttributes):
799         * runtime/TemplateRegistry.cpp:
800         (JSC::TemplateRegistry::getTemplateObject):
801         * runtime/WeakMapConstructor.cpp:
802         (JSC::WeakMapConstructor::finishCreation):
803         * runtime/WeakMapPrototype.cpp:
804         (JSC::WeakMapPrototype::finishCreation):
805         * runtime/WeakSetConstructor.cpp:
806         (JSC::WeakSetConstructor::finishCreation):
807         * runtime/WeakSetPrototype.cpp:
808         (JSC::WeakSetPrototype::finishCreation):
809         * tools/JSDollarVMPrototype.cpp:
810         (JSC::JSDollarVMPrototype::finishCreation):
811         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
812         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
813         * wasm/js/WebAssemblyInstanceConstructor.cpp:
814         (JSC::WebAssemblyInstanceConstructor::finishCreation):
815         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
816         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
817         * wasm/js/WebAssemblyMemoryConstructor.cpp:
818         (JSC::WebAssemblyMemoryConstructor::finishCreation):
819         * wasm/js/WebAssemblyMemoryPrototype.cpp:
820         * wasm/js/WebAssemblyModuleConstructor.cpp:
821         (JSC::WebAssemblyModuleConstructor::finishCreation):
822         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
823         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
824         * wasm/js/WebAssemblyTableConstructor.cpp:
825         (JSC::WebAssemblyTableConstructor::finishCreation):
826
827 2017-09-23  Oleksandr Skachkov  <gskachkov@gmail.com>
828
829         [ESNext] Async iteration - Implement Async Generator - optimization
830         https://bugs.webkit.org/show_bug.cgi?id=175891
831
832         Reviewed by Yusuke Suzuki.
833
834         Add a small optimization for async generators:
835         1. merging the async generator queue into the async generator itself:
836            generator.@first / generator.@last is enough; by doing so,
837            we remove one unnecessary object alloc.
838         2. merging the request with the queue.
839
840         * builtins/AsyncGeneratorPrototype.js:
841         (globalPrivate.asyncGeneratorQueueIsEmpty):
842         (globalPrivate.asyncGeneratorQueueCreateItem):
843         (globalPrivate.asyncGeneratorQueueEnqueue):
844         (globalPrivate.asyncGeneratorQueueDequeue):
845         (globalPrivate.asyncGeneratorDequeue):
846         (globalPrivate.isSuspendYieldState):
847         (globalPrivate.asyncGeneratorEnqueue):
848         * builtins/BuiltinNames.h:
849         * bytecompiler/BytecodeGenerator.cpp:
850         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
851         * bytecompiler/BytecodeGenerator.h:
852         * bytecompiler/NodesCodegen.cpp:
853         (JSC::FunctionNode::emitBytecode):
854
855 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
856
857         test262: $.agent became $262.agent in test262 update
858         https://bugs.webkit.org/show_bug.cgi?id=177407
859
860         Reviewed by Yusuke Suzuki.
861
862         * jsc.cpp:
863         (GlobalObject::finishCreation):
864         Alias `$` and `$262` for now.
865
866 2017-09-22  Keith Miller  <keith_miller@apple.com>
867
868         Speculatively change iteration protocol to use the same next function
869         https://bugs.webkit.org/show_bug.cgi?id=175653
870
871         Reviewed by Saam Barati.
872
873         This patch speculatively makes a change to the iteration protocol to fetch the next
874         property immediately after calling the Symbol.iterator function. This is, in theory,
875         a breaking change, so we will see if this breaks things (most likely it won't as this
876         is a relatively subtle point).
877
878         See: https://github.com/tc39/ecma262/issues/976
879
880         * builtins/IteratorHelpers.js:
881         (performIteration):
882         * bytecompiler/BytecodeGenerator.cpp:
883         (JSC::BytecodeGenerator::emitEnumeration):
884         (JSC::BytecodeGenerator::emitIteratorNext):
885         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
886         (JSC::BytecodeGenerator::emitDelegateYield):
887         * bytecompiler/BytecodeGenerator.h:
888         * bytecompiler/NodesCodegen.cpp:
889         (JSC::ArrayPatternNode::bindValue const):
890         * inspector/JSInjectedScriptHost.cpp:
891         (Inspector::JSInjectedScriptHost::iteratorEntries):
892         * runtime/IteratorOperations.cpp:
893         (JSC::iteratorNext):
894         (JSC::iteratorStep):
895         (JSC::iteratorClose):
896         (JSC::iteratorForIterable):
897         * runtime/IteratorOperations.h:
898         (JSC::forEachInIterable):
899         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
900         (JSC::constructGenericTypedArrayViewFromIterator):
901         (JSC::constructGenericTypedArrayViewWithArguments):
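
The two protocol variants the entry above describes, as an added example that is not part of the ChangeLog or of WebKit's own code: `iterateLookupEachStep` models the older behaviour (look up `next` on every step) and `iterateCachedNext` the new one (fetch `next` once, right after `Symbol.iterator` returns). The two iterables, the function names and the `1, 2, 3` sequence are constructed for this demonstration; they show why the change is observable, and so in theory breaking, only for iterators that replace their own `next` or expose it through a getter or Proxy trap.

```javascript
// Added example, not WebKit code: the two iteration protocol variants
// discussed in the ChangeLog entry, written as plain functions so that the
// observable difference can be exercised in any engine.

// Older behaviour: iterator.next is looked up on every step.
function iterateLookupEachStep(iterable) {
  const out = [];
  const iterator = iterable[Symbol.iterator]();
  for (;;) {
    const result = iterator.next(); // fresh property lookup each time
    if (result.done) return out;
    out.push(result.value);
  }
}

// New behaviour: next is fetched once, immediately after Symbol.iterator()
// returns, and that same function is used for every step.
function iterateCachedNext(iterable) {
  const out = [];
  const iterator = iterable[Symbol.iterator]();
  const next = iterator.next; // fetched exactly once
  if (typeof next !== "function") throw new TypeError("iterator.next is not a function");
  for (;;) {
    const result = next.call(iterator);
    if (result.done) return out;
    out.push(result.value);
  }
}

// Constructed iterable whose iterator yields 1, 2, 3 but replaces its own
// `next` after every step with one that reports completion immediately.
// The two protocols therefore see different sequences.
function makeSelfRewritingIterable() {
  return {
    [Symbol.iterator]() {
      let i = 0;
      const iterator = {
        next() {
          i += 1;
          if (i > 3) return { value: undefined, done: true };
          iterator.next = () => ({ value: undefined, done: true });
          return { value: i, done: false };
        },
      };
      return iterator;
    },
  };
}

// Constructed iterable that counts how many times `next` is read, i.e. how
// many property lookups (getter or Proxy trap invocations) each protocol
// exposes to user code during one iteration.
function makeLookupCountingIterable(values) {
  let lookups = 0;
  return {
    [Symbol.iterator]() {
      let index = 0;
      return {
        get next() {
          lookups += 1;
          return () =>
            index < values.length
              ? { value: values[index++], done: false }
              : { value: undefined, done: true };
        },
      };
    },
    get lookups() {
      return lookups;
    },
  };
}

// Runs both protocols over both constructed iterables and returns the results.
function compareProtocols() {
  const counting = {
    old: makeLookupCountingIterable(["a", "b"]),
    cached: makeLookupCountingIterable(["a", "b"]),
  };
  iterateLookupEachStep(counting.old);
  iterateCachedNext(counting.cached);
  return {
    rewritingOld: iterateLookupEachStep(makeSelfRewritingIterable()), // [1]
    rewritingCached: iterateCachedNext(makeSelfRewritingIterable()), // [1, 2, 3]
    lookupsOld: counting.old.lookups, // one per step, including the final done step
    lookupsCached: counting.cached.lookups, // exactly one
  };
}
```

`compareProtocols()` returns both sequences and both lookup counts; the self-rewriting iterable ends after one element under the old lookup-per-step protocol but yields all three under the cached-`next` protocol, which is the behavioural difference the entry calls a subtle, possibly breaking change.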
902
903 2017-09-22  Fujii Hironori  <Hironori.Fujii@sony.com>
904
905         [Win64] Crashes in Yarr JIT compiled code
906         https://bugs.webkit.org/show_bug.cgi?id=177293
907
908         Reviewed by Yusuke Suzuki.
909
910         In x64 Windows, the rcx register is used for the address of the allocated
911         space for the return value. But rcx has been used for regT1 since
912         r221052. Save rcx on the stack.
913
914         * yarr/YarrJIT.cpp:
915         (JSC::Yarr::YarrGenerator::generateEnter): Push ecx.
916         (JSC::Yarr::YarrGenerator::generateReturn): Pop ecx.
917
918 2017-09-22  Saam Barati  <sbarati@apple.com>
919
920         Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
921         https://bugs.webkit.org/show_bug.cgi?id=177368
922
923         Reviewed by Keith Miller.
924
925         * runtime/ErrorInstance.cpp:
926         (JSC::ErrorInstance::finishCreation):
927         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
928         (JSC::ErrorInstance::visitChildren):
929
930 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
931
932         [DFG][FTL] Profile array vector length for array allocation
933         https://bugs.webkit.org/show_bug.cgi?id=177051
934
935         Reviewed by Saam Barati.
936
937         Currently, NewArrayBuffer allocation is penalized by JSC: While an empty array gets 25 vector size (BASE_CONTIGUOUS_VECTOR_LEN),
938         the new_array_buffer case gets 3 vector size (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
939         if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
940         the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
941
942             empty array allocation,
943
944             var array = [];
945             array.push(0);
946             array.push(1);
947             array.push(2);
948             array.push(3);
949             array.push(4);
950
951             v.s. new_array_buffer case,
952
953             var array = [0];
954             array.push(1);
955             array.push(2);
956             array.push(3);
957             array.push(4);
958
959         In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (and a bit likely),
960         we should allocate 3 to 25 vector size if it is likely grown. So we should get a profile on the resulting array.
961
962         We select 25 to make it fit to one of size classes.
963
964         In this patch, we extend ArrayAllocationProfile to record vector length. And use this information when allocating array for new_array_buffer.
965         If the number of new_array_buffer constants is <= 25, array vector size would become 3 to 25 based on profiling. If the number of its constants
966         is larger than 25, we just use it for allocation as before.
967
968         The added microbenchmark and SixSpeed spread-literal.es5 show improvement.
969
970             new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
971             spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster
972
973         * bytecode/ArrayAllocationProfile.cpp:
974         (JSC::ArrayAllocationProfile::updateProfile):
975         (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
976         * bytecode/ArrayAllocationProfile.h:
977         (JSC::ArrayAllocationProfile::selectIndexingType):
978         (JSC::ArrayAllocationProfile::vectorLengthHint):
979         (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
980         * bytecode/CodeBlock.cpp:
981         (JSC::CodeBlock::updateAllArrayPredictions):
982         * dfg/DFGByteCodeParser.cpp:
983         (JSC::DFG::ByteCodeParser::parseBlock):
984         * dfg/DFGGraph.cpp:
985         (JSC::DFG::Graph::dump):
986         * dfg/DFGNode.h:
987         (JSC::DFG::Node::vectorLengthHint):
988         * dfg/DFGOperations.cpp:
989         * dfg/DFGOperations.h:
990         * dfg/DFGSpeculativeJIT64.cpp:
991         (JSC::DFG::SpeculativeJIT::compile):
992         * ftl/FTLLowerDFGToB3.cpp:
993         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
994         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
995         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
996         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
997         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
998         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
999         * runtime/ArrayConventions.h:
1000         * runtime/JSArray.h:
1001         (JSC::JSArray::tryCreate):
1002
1003 2017-09-22  Commit Queue  <commit-queue@webkit.org>
1004
1005         Unreviewed, rolling out r222380.
1006         https://bugs.webkit.org/show_bug.cgi?id=177352
1007
1008         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
1009         #webkit).
1010
1011         Reverted changeset:
1012
1013         "[DFG][FTL] Profile array vector length for array allocation"
1014         https://bugs.webkit.org/show_bug.cgi?id=177051
1015         http://trac.webkit.org/changeset/222380
1016
1017 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1018
1019         [DFG][FTL] Profile array vector length for array allocation
1020         https://bugs.webkit.org/show_bug.cgi?id=177051
1021
1022         Reviewed by Saam Barati.
1023
1024         Currently, NewArrayBuffer allocation is penalized by JSC: While an empty array gets 25 vector size (BASE_CONTIGUOUS_VECTOR_LEN),
1025         the new_array_buffer case gets 3 vector size (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get a larger vector size
1026         if the number of its constant elements is larger than 3. But these created arrays may be grown by `push()` operations after
1027         the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
1028
1029             empty array allocation,
1030
1031             var array = [];
1032             array.push(0);
1033             array.push(1);
1034             array.push(2);
1035             array.push(3);
1036             array.push(4);
1037
1038             v.s. new_array_buffer case,
1039
1040             var array = [0];
1041             array.push(1);
1042             array.push(2);
1043             array.push(3);
1044             array.push(4);
1045
1046         In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (and a bit likely),
1047         we should allocate 3 to 25 vector size if it is likely grown. So we should get a profile on the resulting array.
1048
1049         We select 25 to make it fit to one of size classes.
1050
1051         In this patch, we extend ArrayAllocationProfile to record vector length. And use this information when allocating array for new_array_buffer.
1052         If the number of new_array_buffer constants is <= 25, array vector size would become 3 to 25 based on profiling. If the number of its constants
1053         is larger than 25, we just use it for allocation as before.
1054
1055         The added microbenchmark and SixSpeed spread-literal.es5 show improvement.
1056
1057             new-array-buffer-vector-profile       67.4706+-3.7625     ^     28.4249+-1.9025        ^ definitely 2.3736x faster
1058             spread-literal.es5                   133.1443+-9.2253     ^     95.2667+-0.5740        ^ definitely 1.3976x faster
1059
1060         * bytecode/ArrayAllocationProfile.cpp:
1061         (JSC::ArrayAllocationProfile::updateProfile):
1062         (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
1063         * bytecode/ArrayAllocationProfile.h:
1064         (JSC::ArrayAllocationProfile::selectIndexingType):
1065         (JSC::ArrayAllocationProfile::vectorLengthHint):
1066         (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
1067         * bytecode/CodeBlock.cpp:
1068         (JSC::CodeBlock::updateAllArrayPredictions):
1069         * dfg/DFGByteCodeParser.cpp:
1070         (JSC::DFG::ByteCodeParser::parseBlock):
1071         * dfg/DFGGraph.cpp:
1072         (JSC::DFG::Graph::dump):
1073         * dfg/DFGNode.h:
1074         (JSC::DFG::Node::vectorLengthHint):
1075         * dfg/DFGOperations.cpp:
1076         * dfg/DFGOperations.h:
1077         * dfg/DFGSpeculativeJIT64.cpp:
1078         (JSC::DFG::SpeculativeJIT::compile):
1079         * ftl/FTLLowerDFGToB3.cpp:
1080         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1081         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1082         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1083         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1084         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
1085         (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
1086         * runtime/ArrayConventions.h:
1087         * runtime/JSArray.h:
1088         (JSC::JSArray::tryCreate):
1089
1090 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
1091
1092         Web Inspector: Remove support for CSS Regions
1093         https://bugs.webkit.org/show_bug.cgi?id=177287
1094
1095         Reviewed by Matt Baker.
1096
1097         * inspector/protocol/CSS.json:
1098         * inspector/protocol/OverlayTypes.json:
1099
1100 2017-09-21  Brian Burg  <bburg@apple.com>
1101
1102         Web Inspector: keyboard shortcut for "Reload page from origin" doesn't match Safari, and doesn't work
1103         https://bugs.webkit.org/show_bug.cgi?id=177010
1104         <rdar://problem/33134548>
1105
1106         Reviewed by Joseph Pecoraro.
1107
1108         Use "reload from origin" nomenclature instead of "reload ignoring cache".
1109
1110         * inspector/protocol/Page.json: Improve the comment, but don't change the
1111         parameter name since this would be a divergence from legacy protocols.
1112
1113 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
1114
1115         test262: test262/test/annexB/built-ins/RegExp/prototype/flags/order-after-compile.js ASSERTs
1116         https://bugs.webkit.org/show_bug.cgi?id=177307
1117
1118         Reviewed by Michael Saboff.
1119
1120         * runtime/RegExpPrototype.cpp:
1121         In r221160 we added support for the new RegExp flag (dotAll).
1122         We needed to make space for it in FlagsString.
1123
1124 2017-09-20  Keith Miller  <keith_miller@apple.com>
1125
1126         JSC should use unified sources for platform specific files.
1127         https://bugs.webkit.org/show_bug.cgi?id=177290
1128
1129         Reviewed by Michael Saboff.
1130
1131         Add a list of platform specific source files and update the
1132         Generate Unified Sources phase of the Xcode build. I skipped WPE
1133         since that seems to have failed for some reason that I didn't
1134         fully understand. See:
1135         https://webkit-queues.webkit.org/results/4611260
1136
1137         Also, fix duplicate symbols in Glib remote inspector files.
1138
1139         * CMakeLists.txt:
1140         * JavaScriptCore.xcodeproj/project.pbxproj:
1141         * PlatformGTK.cmake:
1142         * PlatformMac.cmake:
1143         * SourcesGTK.txt: Added.
1144         * SourcesMac.txt: Added.
1145         * inspector/remote/glib/RemoteInspectorServer.cpp:
1146         (Inspector::RemoteInspectorServer::interfaceInfo):
1147         (Inspector::RemoteInspectorServer::setTargetList):
1148         (Inspector::RemoteInspectorServer::setupInspectorClient):
1149         (Inspector::RemoteInspectorServer::setup):
1150         (Inspector::RemoteInspectorServer::close):
1151         (Inspector::RemoteInspectorServer::connectionClosed):
1152         (Inspector::RemoteInspectorServer::sendMessageToBackend):
1153         (Inspector::RemoteInspectorServer::sendMessageToFrontend):
1154         (Inspector::dbusConnectionCallAsyncReadyCallback): Deleted.
1155
1156 2017-09-20  Stephan Szabo  <stephan.szabo@sony.com>
1157
1158         [Win] WTF: Add alias for process id to use in place of direct uses of pid_t
1159         https://bugs.webkit.org/show_bug.cgi?id=177017
1160
1161         Reviewed by Alex Christensen.
1162
1163         * API/JSRemoteInspector.cpp:
1164         (JSRemoteInspectorSetParentProcessInformation):
1165         * API/JSRemoteInspector.h:
1166         * inspector/remote/RemoteInspector.h:
1167
1168 2017-09-20  Keith Miller  <keith_miller@apple.com>
1169
1170         Rename source list file to Sources.txt
1171         https://bugs.webkit.org/show_bug.cgi?id=177283
1172
1173         Reviewed by Saam Barati.
1174
1175         * CMakeLists.txt:
1176         * JavaScriptCore.xcodeproj/project.pbxproj:
1177         * Sources.txt: Renamed from Source/JavaScriptCore/sources.txt.
1178
1179 2017-09-20  Keith Miller  <keith_miller@apple.com>
1180
1181         Unreviewed, fix string capitalization
1182
1183         * JavaScriptCore.xcodeproj/project.pbxproj:
1184
1185 2017-09-20  Keith Miller  <keith_miller@apple.com>
1186
1187         JSC Xcode build should use unified sources for platform independent files
1188         https://bugs.webkit.org/show_bug.cgi?id=177190
1189
1190         Reviewed by Saam Barati.
1191
1192         This patch changes the Xcode build to use unified sources. The
1193         main difference from a development perspective is that instead of
1194         adding source files to Xcode they need to be added to the shared
1195         sources.txt. For now, platform specific files are still added
1196         to the JavaScriptCore target.
1197
1198         Because Xcode needs to know about all the files before we generate
1199         them, all the unified source files need to be added to the
1200         JavaScriptCore framework target. As a result, if we run out of
1201         bundle files more will need to be added to the project. Currently,
1202         there are no spare files. If adding more bundle files becomes
1203         problematic we can change this.
1204
1205         LowLevelInterpreter.cpp can't be added to the unified source list yet
1206         due to a clang bug.
1207
1208         * CMakeLists.txt:
1209         * JavaScriptCore.xcodeproj/project.pbxproj:
1210         * sources.txt: Added.
1211
1212 2017-09-20  Per Arne Vollan  <pvollan@apple.com>
1213
1214         [Win] Cannot find script to generate unified sources.
1215         https://bugs.webkit.org/show_bug.cgi?id=177014
1216
1217         Reviewed by Keith Miller.
1218
1219         The ruby script can now be found in WTF/Scripts in the forwarding headers folder.
1220
1221         * CMakeLists.txt:
1222         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
1223
1224 2017-09-20  Alberto Garcia  <berto@igalia.com>
1225
1226         Fix HPPA and Alpha builds
1227         https://bugs.webkit.org/show_bug.cgi?id=177224
1228
1229         Reviewed by Alex Christensen.
1230
1231         * CMakeLists.txt:
1232
1233 2017-09-18  Filip Pizlo  <fpizlo@apple.com>
1234
1235         ErrorInstance and Exception need destroy methods
1236         https://bugs.webkit.org/show_bug.cgi?id=177095
1237
1238         Reviewed by Saam Barati.
1239         
1240         When I made ErrorInstance and Exception into JSDestructibleObjects, I forgot to make them
1241         follow that type's protocol.
1242
1243         * runtime/ErrorInstance.cpp:
1244         (JSC::ErrorInstance::destroy): Implement this to fix leaks.
1245         * runtime/ErrorInstance.h:
1246         * runtime/Exception.h: Change how this is declared now that this is a DestructibleObject.
1247
1248 2017-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1249
1250         [JSC] Consider dropping JSObjectSetPrototype feature for JSGlobalObject
1251         https://bugs.webkit.org/show_bug.cgi?id=177070
1252
1253         Reviewed by Saam Barati.
1254
1255         For security reasons, our global object is an immutable prototype exotic object.
1256         It prevents users from injecting proxies into the prototype chain of the global object[1].
1257         But our JSC API does not respect this attribute, and allows users to change the [[Prototype]]
1258         of the global object after instantiating it.
1259
1260         This patch removes this feature. Once the global object is instantiated, we cannot change the [[Prototype]]
1261         of the global object. It drops the JSGlobalObject::resetPrototype use, which involves GlobalThis
1262         edge cases.
1263
1264         [1]: https://github.com/tc39/ecma262/commit/935dad4283d045bc09c67a259279772d01b3d33d
1265
1266         * API/JSObjectRef.cpp:
1267         (JSObjectSetPrototype):
1268         * API/tests/CustomGlobalObjectClassTest.c:
1269         (globalObjectSetPrototypeTest):
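
A model of the property the entry above relies on, as an added example that is not part of the ChangeLog or of WebKit's own code (the actual change is in the C API's `JSObjectSetPrototype`; this reproduces the spec-level [[SetPrototypeOf]] behaviour of an immutable prototype exotic object with an ordinary object and a Proxy so it runs in any engine). `makeImmutablePrototypeObject`, `probePrototypeMutation` and `tryInjectObservingPrototype` are names chosen for this example. It shows why the attribute matters: a Proxy that reaches the prototype chain observes every lookup of a name the object does not own, and an immutable prototype is what keeps that injection from succeeding.

```javascript
// Added example, not WebKit code: a model of the [[SetPrototypeOf]] behaviour
// of an immutable prototype exotic object, built from an ordinary object and
// a Proxy. All function names here are chosen for this example.

// SetImmutablePrototype from the spec: the only accepted "change" is to the
// prototype the object already has; any other request is refused (false).
function makeImmutablePrototypeObject(target) {
  return new Proxy(target, {
    setPrototypeOf(t, requested) {
      return Object.is(requested, Reflect.getPrototypeOf(t));
    },
  });
}

// Reports how the reflective and the throwing API react to a prototype change.
function probePrototypeMutation(obj, candidate) {
  const before = Reflect.getPrototypeOf(obj);
  const reflectResult = Reflect.setPrototypeOf(obj, candidate); // false means refused
  let threw = false;
  try {
    Object.setPrototypeOf(obj, candidate); // throws TypeError when refused
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return {
    reflectResult,
    objectSetPrototypeOfThrew: threw,
    prototypeUnchanged: Reflect.getPrototypeOf(obj) === before,
  };
}

// Why the attribute matters: a Proxy placed on the prototype chain sees every
// lookup of a name the object does not own. On a mutable object the injection
// succeeds and the lookup is observed; on the immutable-prototype model the
// injection is refused and nothing is observed.
function tryInjectObservingPrototype(obj) {
  const seen = [];
  const observer = new Proxy({}, {
    get(_target, key) {
      seen.push(String(key));
      return undefined;
    },
  });
  const injected = Reflect.setPrototypeOf(obj, observer);
  void obj.missingName; // not an own property, so the lookup walks the prototype chain
  return { injected, observedLookups: seen.slice() };
}
```

Running `tryInjectObservingPrototype({})` reports the injection as accepted and the lookup of `missingName` as observed, while `tryInjectObservingPrototype(makeImmutablePrototypeObject({}))` reports it refused with nothing observed; `probePrototypeMutation` shows that the refusal surfaces as `false` from `Reflect.setPrototypeOf` and as a `TypeError` from `Object.setPrototypeOf`, with the prototype left unchanged.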
1270
1271 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1272
1273         [DFG] Remove ToThis more aggressively
1274         https://bugs.webkit.org/show_bug.cgi?id=177056
1275
1276         Reviewed by Saam Barati.
1277
1278         The variation of toThis() implementations is limited. So, we attempt to implement the common toThis operation in AI.
1279         We move the scope-related toThis to JSScope::toThis. And AI investigates the proven value's/structure's toThis methods
1280         and attempts to fold/convert them to efficient nodes.
1281
1282         We introduce GetGlobalThis, which just loads globalThis from the semantic origin's globalObject. Using this,
1283         we can implement JSScope::toThis in DFG. This can avoid a costly toThis indirect function pointer call.
1284
1285         Currently, we just emit GetGlobalThis if necessary. We can further convert it to a constant if we can put a
1286         watchpoint on JSGlobalObject's globalThis change. But we leave that for a future patch for now.
1287
1288         This removes GetGlobalThis from ES6 generators in common cases.
1289
1290         spread-generator.es6      303.1550+-9.5037          290.9337+-8.3487          might be 1.0420x faster
1291
1292         * dfg/DFGAbstractInterpreterInlines.h:
1293         (JSC::DFG::isToThisAnIdentity):
1294         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1295         * dfg/DFGClobberize.h:
1296         (JSC::DFG::clobberize):
1297         * dfg/DFGConstantFoldingPhase.cpp:
1298         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1299         * dfg/DFGDoesGC.cpp:
1300         (JSC::DFG::doesGC):
1301         * dfg/DFGFixupPhase.cpp:
1302         (JSC::DFG::FixupPhase::fixupNode):
1303         * dfg/DFGNode.h:
1304         (JSC::DFG::Node::convertToGetGlobalThis):
1305         * dfg/DFGNodeType.h:
1306         * dfg/DFGPredictionPropagationPhase.cpp:
1307         * dfg/DFGSafeToExecute.h:
1308         (JSC::DFG::safeToExecute):
1309         * dfg/DFGSpeculativeJIT.cpp:
1310         (JSC::DFG::SpeculativeJIT::compileGetGlobalThis):
1311         * dfg/DFGSpeculativeJIT.h:
1312         * dfg/DFGSpeculativeJIT32_64.cpp:
1313         (JSC::DFG::SpeculativeJIT::compile):
1314         * dfg/DFGSpeculativeJIT64.cpp:
1315         (JSC::DFG::SpeculativeJIT::compile):
1316         * ftl/FTLCapabilities.cpp:
1317         (JSC::FTL::canCompile):
1318         * ftl/FTLLowerDFGToB3.cpp:
1319         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1320         (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
1321         * runtime/JSGlobalLexicalEnvironment.cpp:
1322         (JSC::JSGlobalLexicalEnvironment::toThis): Deleted.
1323         * runtime/JSGlobalLexicalEnvironment.h:
1324         * runtime/JSGlobalObject.cpp:
1325         (JSC::JSGlobalObject::toThis): Deleted.
1326         * runtime/JSGlobalObject.h:
1327         (JSC::JSGlobalObject::addressOfGlobalThis):
1328         * runtime/JSLexicalEnvironment.cpp:
1329         (JSC::JSLexicalEnvironment::toThis): Deleted.
1330         * runtime/JSLexicalEnvironment.h:
1331         * runtime/JSScope.cpp:
1332         (JSC::JSScope::toThis):
1333         * runtime/JSScope.h:
1334         * runtime/StrictEvalActivation.cpp:
1335         (JSC::StrictEvalActivation::toThis): Deleted.
1336         * runtime/StrictEvalActivation.h:
1337
1338 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1339
1340         Merge JSLexicalEnvironment and JSEnvironmentRecord
1341         https://bugs.webkit.org/show_bug.cgi?id=175492
1342
1343         Reviewed by Saam Barati.
1344
1345         JSEnvironmentRecord is only inherited by JSLexicalEnvironment.
1346         We can merge JSEnvironmentRecord and JSLexicalEnvironment.
1347
1348         * CMakeLists.txt:
1349         * JavaScriptCore.xcodeproj/project.pbxproj:
1350         * dfg/DFGSpeculativeJIT.cpp:
1351         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1352         * dfg/DFGSpeculativeJIT32_64.cpp:
1353         (JSC::DFG::SpeculativeJIT::compile):
1354         * dfg/DFGSpeculativeJIT64.cpp:
1355         (JSC::DFG::SpeculativeJIT::compile):
1356         * ftl/FTLAbstractHeapRepository.h:
1357         * ftl/FTLLowerDFGToB3.cpp:
1358         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1359         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1360         (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
1361         (JSC::FTL::DFG::LowerDFGToB3::compilePutClosureVar):
1362         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1363         * jit/JITPropertyAccess.cpp:
1364         (JSC::JIT::emitGetClosureVar):
1365         (JSC::JIT::emitPutClosureVar):
1366         (JSC::JIT::emitScopedArgumentsGetByVal):
1367         * jit/JITPropertyAccess32_64.cpp:
1368         (JSC::JIT::emitGetClosureVar):
1369         (JSC::JIT::emitPutClosureVar):
1370         * llint/LLIntOffsetsExtractor.cpp:
1371         * llint/LowLevelInterpreter.asm:
1372         * llint/LowLevelInterpreter32_64.asm:
1373         * llint/LowLevelInterpreter64.asm:
1374         * runtime/JSEnvironmentRecord.cpp: Removed.
1375         * runtime/JSEnvironmentRecord.h: Removed.
1376         * runtime/JSLexicalEnvironment.cpp:
1377         (JSC::JSLexicalEnvironment::visitChildren):
1378         (JSC::JSLexicalEnvironment::heapSnapshot):
1379         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1380         * runtime/JSLexicalEnvironment.h:
1381         (JSC::JSLexicalEnvironment::subspaceFor):
1382         (JSC::JSLexicalEnvironment::variables):
1383         (JSC::JSLexicalEnvironment::isValidScopeOffset):
1384         (JSC::JSLexicalEnvironment::variableAt):
1385         (JSC::JSLexicalEnvironment::offsetOfVariables):
1386         (JSC::JSLexicalEnvironment::offsetOfVariable):
1387         (JSC::JSLexicalEnvironment::allocationSizeForScopeSize):
1388         (JSC::JSLexicalEnvironment::allocationSize):
1389         (JSC::JSLexicalEnvironment::finishCreationUninitialized):
1390         (JSC::JSLexicalEnvironment::finishCreation):
1391         * runtime/JSModuleEnvironment.cpp:
1392         (JSC::JSModuleEnvironment::create):
1393         * runtime/JSObject.h:
1394         (JSC::JSObject::isEnvironment const):
1395         (JSC::JSObject::isEnvironmentRecord const): Deleted.
1396         * runtime/JSSegmentedVariableObject.h:
1397         * runtime/StringPrototype.cpp:
1398         (JSC::checkObjectCoercible):
1399
1400 2017-09-15  Saam Barati  <sbarati@apple.com>
1401
1402         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
1403         https://bugs.webkit.org/show_bug.cgi?id=176981
1404
1405         Reviewed by Yusuke Suzuki.
1406
1407         This patch makes inline arity fixup happen in two phases:
1408         1. We get all the values we need and MovHint them to the expected locals.
1409         2. We SetLocal them inside the callee's CodeOrigin. This way, if we exit, the callee's
1410            frame is already set up. If any SetLocal exits, we have a valid exit state.
1411            This is required because if we didn't do this in two phases, we may exit in
1412            the middle of arity fixup from the caller's CodeOrigin. This is unsound because if
1413            we did the SetLocals in the caller's frame, the memcpy may clobber needed parts
1414            of the frame right before exiting. For example, consider if we need to pad two args:
1415            [arg3][arg2][arg1][arg0]
1416            [fix ][fix ][arg3][arg2][arg1][arg0]
1417            We memcpy starting from arg0 in the direction of arg3. If we were to exit at a type check
1418            for arg3's SetLocal in the caller's CodeOrigin, we'd exit with a frame like so:
1419            [arg3][arg2][arg1][arg2][arg1][arg0]
1420         And the caller would then just end up thinking its arguments are:
1421            [arg3][arg2][arg1][arg2]
1422            which is incorrect.
1423        
1424        
1425         This patch also fixes a couple of bugs in IdentityWithProfile:
1426         1. The bytecode generator for this bytecode intrinsic was written incorrectly.
1427            It needed to store the result of evaluating its argument in a temporary that
1428            it creates. Otherwise, it might try to simply overwrite a constant
1429            or a register that it didn't own.
1430         2. We weren't eliminating this node in CSE inside the DFG.
1431
1432         * bytecompiler/NodesCodegen.cpp:
1433         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
1434         * dfg/DFGByteCodeParser.cpp:
1435         (JSC::DFG::ByteCodeParser::inlineCall):
1436         * dfg/DFGCSEPhase.cpp:
1437
1438 2017-09-15  JF Bastien  <jfbastien@apple.com>
1439
1440         WTF: use Forward.h when appropriate instead of Vector.h
1441         https://bugs.webkit.org/show_bug.cgi?id=176984
1442
1443         Reviewed by Saam Barati.
1444
1445         There's no need to include Vector.h when Forward.h will suffice. All we need is to move the template default parameters from Vector, and then the forward declaration can be used in so many new places: if a header only takes Vector by reference, rvalue reference, pointer, returns any of these, or has them as members then the header doesn't need to see the definition because the declaration will suffice.
1446
1447         * bytecode/HandlerInfo.h:
1448         * heap/GCIncomingRefCounted.h:
1449         * heap/GCSegmentedArray.h:
1450         * wasm/js/JSWebAssemblyModule.h:
1451
1452 2017-09-14  Saam Barati  <sbarati@apple.com>
1453
1454         We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags
1455         https://bugs.webkit.org/show_bug.cgi?id=176863
1456
1457         Reviewed by Keith Miller.
1458
1459         * CMakeLists.txt:
1460         * JavaScriptCore.xcodeproj/project.pbxproj:
1461         * runtime/ProxyObject.cpp:
1462         (JSC::performProxyGet):
1463         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1464         (JSC::ProxyObject::performHasProperty):
1465         (JSC::ProxyObject::getOwnPropertySlotCommon):
1466         (JSC::ProxyObject::performPut):
1467         (JSC::performProxyCall):
1468         (JSC::performProxyConstruct):
1469         (JSC::ProxyObject::performDelete):
1470         (JSC::ProxyObject::performPreventExtensions):
1471         (JSC::ProxyObject::performIsExtensible):
1472         (JSC::ProxyObject::performDefineOwnProperty):
1473         (JSC::ProxyObject::performGetOwnPropertyNames):
1474         (JSC::ProxyObject::performSetPrototype):
1475         (JSC::ProxyObject::performGetPrototype):
1476
1477 2017-09-14  Saam Barati  <sbarati@apple.com>
1478
1479         Make dumping the graph print both when exitOK and !exitOK
1480         https://bugs.webkit.org/show_bug.cgi?id=176954
1481
1482         Reviewed by Keith Miller.
1483
1484         * dfg/DFGGraph.cpp:
1485         (JSC::DFG::Graph::dump):
1486
1487 2017-09-14  Saam Barati  <sbarati@apple.com>
1488
1489         It should be valid to exit before each set when doing arity fixup when inlining
1490         https://bugs.webkit.org/show_bug.cgi?id=176948
1491
1492         Reviewed by Keith Miller.
1493
1494         This patch makes it so that we can exit before each SetLocal when doing arity
1495         fixup during inlining. This is OK because if we exit at any of these SetLocals,
1496         we will simply exit to the beginning of the call instruction.
1497         
1498         Not doing this led to a bug where FixupPhase would insert a ValueRep of
1499         a node before the actual node. This is obviously invalid IR. I've added
1500         a new validation rule to catch this malformed IR.
1501
1502         * dfg/DFGByteCodeParser.cpp:
1503         (JSC::DFG::ByteCodeParser::inliningCost):
1504         (JSC::DFG::ByteCodeParser::inlineCall):
1505         * dfg/DFGValidate.cpp:
1506         * runtime/Options.h:
1507
1508 2017-09-14  Mark Lam  <mark.lam@apple.com>
1509
1510         AddressSanitizer: stack-buffer-underflow in JSC::Probe::Page::Page
1511         https://bugs.webkit.org/show_bug.cgi?id=176874
1512         <rdar://problem/34436415>
1513
1514         Reviewed by Saam Barati.
1515
1516         1. Make Probe::Stack play nice with ASan by:
1517
1518            a. using a local memcpy implementation that suppresses ASan on ASan builds.
1519               We don't want to use std::memcpy() which validates stack memory because
1520               we are intentionally copying stack memory beyond the current frame.
1521
1522            b. changing Stack::s_chunkSize to equal sizeof(uintptr_t) on ASan builds.
1523               This ensures that Page::flushWrites() only writes stack memory that was
1524               modified by a probe.  The probes should only modify stack memory that
1525               belongs to JSC stack data structures.  We don't want to inadvertently
1526               modify adjacent words that may belong to ASan (which may happen if
1527               s_chunkSize is larger than sizeof(uintptr_t)).
1528
1529            c. fixing a bug in Page dirtyBits management for when the size of the value to
1530               write is greater than s_chunkSize.  The fix is generic, but in practice,
1531               this currently only manifests on 32-bit ASan builds because
1532               sizeof(uintptr_t) and s_chunkSize are 32-bit, and we may write 64-bit
1533               values.
1534
1535            d. making Page::m_dirtyBits 64 bits always.  This maximizes the number of
1536               s_chunksPerPage we can have even on ASan builds.
1537
1538         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
1539            std::memcpy to avoid strict aliasing issues.
1540
1541         3. Optimized the implementation of Page::physicalAddressFor().
1542
1543         4. Optimized the implementation of Stack::set() in the recording of the low
1544            watermark.  We just record the lowest raw pointer now, and only compute the
1545               alignment to its chunk boundary later when the low watermark is requested.
1546
1547         5. Changed a value in testmasm to make the test less vulnerable to rounding issues.
1548
1549         No new test needed because this is already covered by testmasm with ASan enabled.
1550
1551         * assembler/ProbeContext.h:
1552         (JSC::Probe::CPUState::gpr const):
1553         (JSC::Probe::CPUState::spr const):
1554         (JSC::Probe::Context::gpr):
1555         (JSC::Probe::Context::spr):
1556         (JSC::Probe::Context::fpr):
1557         (JSC::Probe::Context::gprName):
1558         (JSC::Probe::Context::sprName):
1559         (JSC::Probe::Context::fprName):
1560         (JSC::Probe::Context::gpr const):
1561         (JSC::Probe::Context::spr const):
1562         (JSC::Probe::Context::fpr const):
1563         (JSC::Probe::Context::pc):
1564         (JSC::Probe::Context::fp):
1565         (JSC::Probe::Context::sp):
1566         (JSC::Probe:: const): Deleted.
1567         * assembler/ProbeStack.cpp:
1568         (JSC::Probe::copyStackPage):
1569         (JSC::Probe::Page::Page):
1570         (JSC::Probe::Page::flushWrites):
1571         * assembler/ProbeStack.h:
1572         (JSC::Probe::Page::get):
1573         (JSC::Probe::Page::set):
1574         (JSC::Probe::Page::dirtyBitFor):
1575         (JSC::Probe::Page::physicalAddressFor):
1576         (JSC::Probe::Stack::lowWatermark):
1577         (JSC::Probe::Stack::get):
1578         (JSC::Probe::Stack::set):
1579         * assembler/testmasm.cpp:
1580         (JSC::testProbeModifiesStackValues):
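
        Added illustration (not JSC's ProbeStack code): a constructed model of the dirty-chunk bookkeeping from item 1.c above, with the 4-byte chunk size of a 32-bit ASan build, showing the pre-fix set() that marks only the first chunk beside the fixed set() that marks every chunk a wide value overlaps. The names Page, setBuggy, setFixed, flushWrites and dirtyBits are this model's own.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed model of the probe page bookkeeping described in the ChangeLog entry.
// The names echo the entry (Page, set, flushWrites, dirtyBits, chunkSize), but this
// is not JSC's ProbeStack implementation.
namespace ProbePageModel {

// Mirrors the 32-bit ASan configuration from the entry: a chunk is one
// sizeof(uintptr_t) word of 4 bytes, while probes may still write 64-bit values.
constexpr size_t chunkSize = 4;
constexpr size_t chunksPerPage = 64;          // one bit per chunk in a 64-bit mask (item 1.d)
constexpr size_t pageSize = chunkSize * chunksPerPage;

struct Page {
    std::array<uint8_t, pageSize> shadow {};  // the probe's private copy of the stack page
    uint64_t dirtyBits = 0;                   // which chunks a probe modified

    static uint64_t dirtyBitFor(size_t offset) { return uint64_t { 1 } << (offset / chunkSize); }

    // Pre-fix behaviour: only the chunk holding the first byte is marked, so a
    // value wider than chunkSize leaves its upper chunks clean.
    void setBuggy(size_t offset, const void* value, size_t size)
    {
        std::memcpy(shadow.data() + offset, value, size);
        dirtyBits |= dirtyBitFor(offset);
    }

    // Post-fix behaviour: every chunk overlapped by [offset, offset + size) is
    // marked, including when the write starts in the middle of a chunk.
    void setFixed(size_t offset, const void* value, size_t size)
    {
        std::memcpy(shadow.data() + offset, value, size);
        for (size_t o = offset / chunkSize * chunkSize; o < offset + size; o += chunkSize)
            dirtyBits |= dirtyBitFor(o);
    }

    // Write back only dirty chunks. Clean chunks are left untouched, which is what
    // keeps the flush from modifying adjacent words that belong to ASan (item 1.b).
    void flushWrites(uint8_t* realPage) const
    {
        for (size_t i = 0; i < chunksPerPage; ++i) {
            if (dirtyBits & (uint64_t { 1 } << i))
                std::memcpy(realPage + i * chunkSize, shadow.data() + i * chunkSize, chunkSize);
        }
    }
};

// A probe writes a 64-bit value at byte `offset`, then the page is flushed to a
// zeroed real page. Returns true only if the whole value reached the real page.
bool wideValueSurvivesFlush(size_t offset, bool useFixedSet)
{
    const uint64_t value = 0x1122334455667788ULL; // constructed sample payload
    Page page;
    if (useFixedSet)
        page.setFixed(offset, &value, sizeof(value));
    else
        page.setBuggy(offset, &value, sizeof(value));

    std::array<uint8_t, pageSize> realPage {};
    page.flushWrites(realPage.data());

    uint64_t readBack = 0;
    std::memcpy(&readBack, realPage.data() + offset, sizeof(readBack));
    return readBack == value;
}

// The dirty mask left behind by the same 64-bit write, for inspection.
uint64_t dirtyMaskForWideWrite(size_t offset, bool useFixedSet)
{
    const uint64_t value = 0; // payload content does not affect the mask
    Page page;
    if (useFixedSet)
        page.setFixed(offset, &value, sizeof(value));
    else
        page.setBuggy(offset, &value, sizeof(value));
    return page.dirtyBits;
}

} // namespace ProbePageModel
```

With the buggy set() the flush drops the upper half of the 64-bit value, which is exactly the state testmasm would observe as a mismatch; the fixed set() marks both chunks and the value round-trips.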
1581
1582 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1583
1584         [JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed
1585         https://bugs.webkit.org/show_bug.cgi?id=176917
1586
1587         Reviewed by Saam Barati.
1588
1589         * dfg/DFGByteCodeParser.cpp:
1590         (JSC::DFG::ByteCodeParser::inliningCost):
1591         * runtime/Options.h:
1592
1593 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1594
1595         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
1596         https://bugs.webkit.org/show_bug.cgi?id=176867
1597
1598         Reviewed by Sam Weinig.
1599
1600         We rarely require private symbols when enumerating property names.
1601         This patch adds PrivateSymbolMode::{Include,Exclude}. If PrivateSymbolMode::Exclude
1602         is specified, PropertyNameArray does not include private symbols.
1603         This removes many ad-hoc `Identifier::isPrivateName()` in enumeration operations.
1604
1605         One additional good thing is that we do not need to filter private symbols out from PropertyNameArray.
1606         It allows us to use Object.keys()'s fast path for Object.getOwnPropertySymbols.
1607
1608         object-get-own-property-symbols                48.6275+-1.0021     ^     38.1846+-1.7934        ^ definitely 1.2735x faster
1609
1610         * API/JSObjectRef.cpp:
1611         (JSObjectCopyPropertyNames):
1612         * bindings/ScriptValue.cpp:
1613         (Inspector::jsToInspectorValue):
1614         * bytecode/ObjectAllocationProfile.h:
1615         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
1616         * runtime/EnumerationMode.h:
1617         * runtime/IntlObject.cpp:
1618         (JSC::supportedLocales):
1619         * runtime/JSONObject.cpp:
1620         (JSC::Stringifier::Stringifier):
1621         (JSC::Stringifier::Holder::appendNextProperty):
1622         (JSC::Walker::walk):
1623         * runtime/JSPropertyNameEnumerator.cpp:
1624         (JSC::JSPropertyNameEnumerator::create):
1625         * runtime/JSPropertyNameEnumerator.h:
1626         (JSC::propertyNameEnumerator):
1627         * runtime/ObjectConstructor.cpp:
1628         (JSC::objectConstructorGetOwnPropertyDescriptors):
1629         (JSC::objectConstructorAssign):
1630         (JSC::objectConstructorValues):
1631         (JSC::defineProperties):
1632         (JSC::setIntegrityLevel):
1633         (JSC::testIntegrityLevel):
1634         (JSC::ownPropertyKeys):
1635         * runtime/PropertyNameArray.h:
1636         (JSC::PropertyNameArray::PropertyNameArray):
1637         (JSC::PropertyNameArray::propertyNameMode const):
1638         (JSC::PropertyNameArray::privateSymbolMode const):
1639         (JSC::PropertyNameArray::addUncheckedInternal):
1640         (JSC::PropertyNameArray::addUnchecked):
1641         (JSC::PropertyNameArray::add):
1642         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
1643         (JSC::PropertyNameArray::includeSymbolProperties const):
1644         (JSC::PropertyNameArray::includeStringProperties const):
1645         (JSC::PropertyNameArray::mode const): Deleted.
1646         * runtime/ProxyObject.cpp:
1647         (JSC::ProxyObject::performGetOwnPropertyNames):
1648
1649 2017-09-13  Mark Lam  <mark.lam@apple.com>
1650
1651         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
1652         https://bugs.webkit.org/show_bug.cgi?id=176888
1653         <rdar://problem/34381832>
1654
1655         Not reviewed.
1656
1657         * JavaScriptCore.xcodeproj/project.pbxproj:
1658         * assembler/MacroAssembler.cpp:
1659         (JSC::stdFunctionCallback):
1660         * assembler/MacroAssemblerPrinter.cpp:
1661         (JSC::Printer::printCallback):
1662         * assembler/ProbeContext.h:
1663         (JSC::Probe:: const):
1664         (JSC::Probe::Context::Context):
1665         (JSC::Probe::Context::gpr):
1666         (JSC::Probe::Context::spr):
1667         (JSC::Probe::Context::fpr):
1668         (JSC::Probe::Context::gprName):
1669         (JSC::Probe::Context::sprName):
1670         (JSC::Probe::Context::fprName):
1671         (JSC::Probe::Context::pc):
1672         (JSC::Probe::Context::fp):
1673         (JSC::Probe::Context::sp):
1674         (JSC::Probe::CPUState::gpr const): Deleted.
1675         (JSC::Probe::CPUState::spr const): Deleted.
1676         (JSC::Probe::Context::arg): Deleted.
1677         (JSC::Probe::Context::gpr const): Deleted.
1678         (JSC::Probe::Context::spr const): Deleted.
1679         (JSC::Probe::Context::fpr const): Deleted.
1680         * assembler/ProbeFrame.h: Removed.
1681         * assembler/ProbeStack.cpp:
1682         (JSC::Probe::Page::Page):
1683         * assembler/ProbeStack.h:
1684         (JSC::Probe::Page::get):
1685         (JSC::Probe::Page::set):
1686         (JSC::Probe::Page::physicalAddressFor):
1687         (JSC::Probe::Stack::lowWatermark):
1688         (JSC::Probe::Stack::get):
1689         (JSC::Probe::Stack::set):
1690         * bytecode/ArithProfile.cpp:
1691         * bytecode/ArithProfile.h:
1692         * bytecode/ArrayProfile.h:
1693         (JSC::ArrayProfile::observeArrayMode): Deleted.
1694         * bytecode/CodeBlock.cpp:
1695         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted.
1696         * bytecode/CodeBlock.h:
1697         (JSC::CodeBlock::addressOfOSRExitCounter):
1698         * bytecode/ExecutionCounter.h:
1699         (JSC::ExecutionCounter::hasCrossedThreshold const): Deleted.
1700         (JSC::ExecutionCounter::setNewThresholdForOSRExit): Deleted.
1701         * bytecode/MethodOfGettingAValueProfile.cpp:
1702         (JSC::MethodOfGettingAValueProfile::reportValue): Deleted.
1703         * bytecode/MethodOfGettingAValueProfile.h:
1704         * dfg/DFGDriver.cpp:
1705         (JSC::DFG::compileImpl):
1706         * dfg/DFGJITCode.cpp:
1707         (JSC::DFG::JITCode::findPC):
1708         * dfg/DFGJITCode.h:
1709         * dfg/DFGJITCompiler.cpp:
1710         (JSC::DFG::JITCompiler::linkOSRExits):
1711         (JSC::DFG::JITCompiler::link):
1712         * dfg/DFGOSRExit.cpp:
1713         (JSC::DFG::OSRExit::setPatchableCodeOffset):
1714         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const):
1715         (JSC::DFG::OSRExit::codeLocationForRepatch const):
1716         (JSC::DFG::OSRExit::correctJump):
1717         (JSC::DFG::OSRExit::emitRestoreArguments):
1718         (JSC::DFG::OSRExit::compileOSRExit):
1719         (JSC::DFG::OSRExit::compileExit):
1720         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
1721         (JSC::DFG::jsValueFor): Deleted.
1722         (JSC::DFG::restoreCalleeSavesFor): Deleted.
1723         (JSC::DFG::saveCalleeSavesFor): Deleted.
1724         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted.
1725         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted.
1726         (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted.
1727         (JSC::DFG::createDirectArgumentsDuringExit): Deleted.
1728         (JSC::DFG::createClonedArgumentsDuringExit): Deleted.
1729         (JSC::DFG::emitRestoreArguments): Deleted.
1730         (JSC::DFG::OSRExit::executeOSRExit): Deleted.
1731         (JSC::DFG::reifyInlinedCallFrames): Deleted.
1732         (JSC::DFG::adjustAndJumpToTarget): Deleted.
1733         (JSC::DFG::printOSRExit): Deleted.
1734         * dfg/DFGOSRExit.h:
1735         (JSC::DFG::OSRExitState::OSRExitState): Deleted.
1736         * dfg/DFGOSRExitCompilerCommon.cpp:
1737         * dfg/DFGOSRExitCompilerCommon.h:
1738         * dfg/DFGOperations.cpp:
1739         * dfg/DFGOperations.h:
1740         * dfg/DFGThunks.cpp:
1741         (JSC::DFG::osrExitGenerationThunkGenerator):
1742         (JSC::DFG::osrExitThunkGenerator): Deleted.
1743         * dfg/DFGThunks.h:
1744         * jit/AssemblyHelpers.cpp:
1745         (JSC::AssemblyHelpers::debugCall):
1746         * jit/AssemblyHelpers.h:
1747         * jit/JITOperations.cpp:
1748         * jit/JITOperations.h:
1749         * profiler/ProfilerOSRExit.h:
1750         (JSC::Profiler::OSRExit::incCount): Deleted.
1751         * runtime/JSCJSValue.h:
1752         * runtime/JSCJSValueInlines.h:
1753         * runtime/VM.h:
1754
1755 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1756
1757         [JSC] Move class/struct used in other class' member out of anonymous namespace
1758         https://bugs.webkit.org/show_bug.cgi?id=176876
1759
1760         Reviewed by Saam Barati.
1761
1762         GCC warns if a class has a base or field whose type uses the anonymous namespace
1763         and it is defined in an included file. This is because this possibly violates
1764         the one definition rule (ODR): if an included file has the anonymous namespace, each
1765         translation unit creates its private anonymous namespace. Thus, each type
1766         inside the anonymous namespace becomes different in each translation unit if
1767         the file is included in multiple translation units.
1768
1769         While the current use in JSC is not violating ODR since these cpp files are included
1770         only once for unified sources, specifying `-Wno-subobject-linkage` could miss
1771         the actual bugs. So, in this patch, we just move related classes/structs out of
1772         the anonymous namespace.
1773
1774         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1775         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::addition):
1776         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::arrayBounds):
1777         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator! const):
1778         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::hash const):
1779         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator== const):
1780         (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::dump const):
1781         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::RangeKeyAndAddend):
1782         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::operator! const):
1783         (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::dump const):
1784         (JSC::DFG::IntegerCheckCombiningPhase::Range::dump const):
1785         * dfg/DFGLICMPhase.cpp:
1786
1787 2017-09-13  Devin Rousso  <webkit@devinrousso.com>
1788
1789         Web Inspector: Event Listeners section does not update when listeners are added/removed
1790         https://bugs.webkit.org/show_bug.cgi?id=170570
1791         <rdar://problem/31501645>
1792
1793         Reviewed by Joseph Pecoraro.
1794
1795         * inspector/protocol/DOM.json:
1796         Add two new events: "didAddEventListener" and "willRemoveEventListener". These events do not
1797         contain any information about the event listeners that were added/removed. They serve more
1798         as indications that something has changed, and to refetch the data again via `getEventListenersForNode`.
1799
1800 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1801
1802         [JSC] Fix Array allocation in Object.keys
1803         https://bugs.webkit.org/show_bug.cgi?id=176826
1804
1805         Reviewed by Saam Barati.
1806
1807         When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
1808         We check isHavingABadTime() in the ownPropertyKeys fast path.
1809         And we also ensure by a test that ownPropertyKeys uses the putDirect operation instead of put.
1810
1811         * runtime/ObjectConstructor.cpp:
1812         (JSC::ownPropertyKeys):
1813
1814 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1815
1816         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
1817         https://bugs.webkit.org/show_bug.cgi?id=176010
1818
1819         Reviewed by Filip Pizlo.
1820
1821         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
1822         It is used for meta property for objects (see peekMeta function in Ember.js).
1823
1824         This patch optimizes WeakMap#get.
1825
1826         1. We use inlineGet to inline WeakMap#get operation in the native function.
1827         Since this native function itself is very small, we should inline HashMap#get
1828         entirely in this function.
1829
1830         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
1831         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
1832         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
1833         ObjectUse, and Int32Use.
1834
1835         3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
1836         calculate hash value for the key's Object and use this hash value to look up value from
1837         JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
1838         It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
1839         But anyway, the current one already optimizes the performance, so we leave this for the subsequent
1840         patches.
1841
1842         We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
1843         not used in Ember.js right now.
1844
1845         This patch optimizes WeakMap#get by 50%.
1846
1847                                  baseline                  patched
1848
1849         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
1850
1851         * bytecode/DirectEvalCodeCache.h:
1852         (JSC::DirectEvalCodeCache::tryGet):
1853         * bytecode/SpeculatedType.cpp:
1854         (JSC::dumpSpeculation):
1855         (JSC::speculationFromClassInfo):
1856         (JSC::speculationFromJSType):
1857         (JSC::speculationFromString):
1858         * bytecode/SpeculatedType.h:
1859         * dfg/DFGAbstractInterpreterInlines.h:
1860         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1861         * dfg/DFGByteCodeParser.cpp:
1862         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1863         * dfg/DFGClobberize.h:
1864         (JSC::DFG::clobberize):
1865         * dfg/DFGDoesGC.cpp:
1866         (JSC::DFG::doesGC):
1867         * dfg/DFGFixupPhase.cpp:
1868         (JSC::DFG::FixupPhase::fixupNode):
1869         * dfg/DFGHeapLocation.cpp:
1870         (WTF::printInternal):
1871         * dfg/DFGHeapLocation.h:
1872         * dfg/DFGNode.h:
1873         (JSC::DFG::Node::hasHeapPrediction):
1874         * dfg/DFGNodeType.h:
1875         * dfg/DFGOperations.cpp:
1876         * dfg/DFGOperations.h:
1877         * dfg/DFGPredictionPropagationPhase.cpp:
1878         * dfg/DFGSafeToExecute.h:
1879         (JSC::DFG::SafeToExecuteEdge::operator()):
1880         (JSC::DFG::safeToExecute):
1881         * dfg/DFGSpeculativeJIT.cpp:
1882         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
1883         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
1884         (JSC::DFG::SpeculativeJIT::speculate):
1885         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
1886         * dfg/DFGSpeculativeJIT.h:
1887         (JSC::DFG::SpeculativeJIT::callOperation):
1888         * dfg/DFGSpeculativeJIT32_64.cpp:
1889         (JSC::DFG::SpeculativeJIT::compile):
1890         * dfg/DFGSpeculativeJIT64.cpp:
1891         (JSC::DFG::SpeculativeJIT::compile):
1892         * dfg/DFGUseKind.cpp:
1893         (WTF::printInternal):
1894         * dfg/DFGUseKind.h:
1895         (JSC::DFG::typeFilterFor):
1896         (JSC::DFG::isCell):
1897         * ftl/FTLCapabilities.cpp:
1898         (JSC::FTL::canCompile):
1899         * ftl/FTLLowerDFGToB3.cpp:
1900         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1901         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
1902         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
1903         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
1904         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1905         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
1906         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
1907         * jit/JITOperations.h:
1908         * runtime/HashMapImpl.h:
1909         (JSC::WeakMapHash::hash):
1910         (JSC::WeakMapHash::equal):
1911         * runtime/Intrinsic.cpp:
1912         (JSC::intrinsicName):
1913         * runtime/Intrinsic.h:
1914         * runtime/JSType.h:
1915         * runtime/JSWeakMap.h:
1916         (JSC::isJSWeakMap):
1917         * runtime/JSWeakSet.h:
1918         (JSC::isJSWeakSet):
1919         * runtime/WeakMapBase.cpp:
1920         (JSC::WeakMapBase::get):
1921         * runtime/WeakMapBase.h:
1922         (JSC::WeakMapBase::HashTranslator::hash):
1923         (JSC::WeakMapBase::HashTranslator::equal):
1924         (JSC::WeakMapBase::inlineGet):
1925         * runtime/WeakMapPrototype.cpp:
1926         (JSC::WeakMapPrototype::finishCreation):
1927         (JSC::getWeakMap):
1928         (JSC::protoFuncWeakMapGet):
1929         * runtime/WeakSetPrototype.cpp:
1930         (JSC::getWeakSet):
1931
1932 2017-09-12  Keith Miller  <keith_miller@apple.com>
1933
1934         Rename JavaScriptCore CMake unifiable sources list
1935         https://bugs.webkit.org/show_bug.cgi?id=176823
1936
1937         Reviewed by Joseph Pecoraro.
1938
1939         This patch also changes the error message when the unified source
1940         bundler fails to be more accurate.
1941
1942         * CMakeLists.txt:
1943
1944 2017-09-12  Keith Miller  <keith_miller@apple.com>
1945
1946         Do unified source builds for JSC
1947         https://bugs.webkit.org/show_bug.cgi?id=176076
1948
1949         Reviewed by Geoffrey Garen.
1950
1951         This patch switches the CMake JavaScriptCore build to use unified sources.
1952         The Xcode build will be upgraded in a follow up patch.
1953
1954         Most of the source changes in this patch are fixing static
1955         variable/functions name collisions. The most common collisions
1956         were from our use of "static const bool verbose" and "using
1957         namespace ...". I fixed all the verbose cases and fixed the "using
1958         namespace" issues that occurred under the current bundling
1959         strategy. It's likely that more of the "using namespace" issues
1960         will need to be resolved in the future, particularly in the FTL.
1961
1962         I don't expect either of these problems will apply to other parts
1963         of the project nearly as much as in JSC. Using a verbose variable
1964         is a JSC idiom and JSC tends to use the same, canonical, class name
1965         in multiple parts of the engine.
1966
1967         * CMakeLists.txt:
1968         * b3/B3CheckSpecial.cpp:
1969         (JSC::B3::CheckSpecial::forEachArg):
1970         (JSC::B3::CheckSpecial::generate):
1971         (JSC::B3::Air::numB3Args): Deleted.
1972         * b3/B3DuplicateTails.cpp:
1973         * b3/B3EliminateCommonSubexpressions.cpp:
1974         * b3/B3FixSSA.cpp:
1975         (JSC::B3::demoteValues):
1976         * b3/B3FoldPathConstants.cpp:
1977         * b3/B3InferSwitches.cpp:
1978         * b3/B3LowerMacrosAfterOptimizations.cpp:
1979         (): Deleted.
1980         * b3/B3LowerToAir.cpp:
1981         (JSC::B3::Air::LowerToAir::LowerToAir): Deleted.
1982         (JSC::B3::Air::LowerToAir::run): Deleted.
1983         (JSC::B3::Air::LowerToAir::shouldCopyPropagate): Deleted.
1984         (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise): Deleted.
1985         (JSC::B3::Air::LowerToAir::ArgPromise::swap): Deleted.
1986         (JSC::B3::Air::LowerToAir::ArgPromise::operator=): Deleted.
1987         (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise): Deleted.
1988         (JSC::B3::Air::LowerToAir::ArgPromise::setTraps): Deleted.
1989         (JSC::B3::Air::LowerToAir::ArgPromise::tmp): Deleted.
1990         (JSC::B3::Air::LowerToAir::ArgPromise::operator bool const): Deleted.
1991         (JSC::B3::Air::LowerToAir::ArgPromise::kind const): Deleted.
1992         (JSC::B3::Air::LowerToAir::ArgPromise::peek const): Deleted.
1993         (JSC::B3::Air::LowerToAir::ArgPromise::consume): Deleted.
1994         (JSC::B3::Air::LowerToAir::ArgPromise::inst): Deleted.
1995         (JSC::B3::Air::LowerToAir::tmp): Deleted.
1996         (JSC::B3::Air::LowerToAir::tmpPromise): Deleted.
1997         (JSC::B3::Air::LowerToAir::canBeInternal): Deleted.
1998         (JSC::B3::Air::LowerToAir::commitInternal): Deleted.
1999         (JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
2000         (JSC::B3::Air::LowerToAir::scaleForShl): Deleted.
2001         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
2002         (JSC::B3::Air::LowerToAir::addr): Deleted.
2003         (JSC::B3::Air::LowerToAir::trappingInst): Deleted.
2004         (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode): Deleted.
2005         (JSC::B3::Air::LowerToAir::loadPromise): Deleted.
2006         (JSC::B3::Air::LowerToAir::imm): Deleted.
2007         (JSC::B3::Air::LowerToAir::bitImm): Deleted.
2008         (JSC::B3::Air::LowerToAir::bitImm64): Deleted.
2009         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
2010         (JSC::B3::Air::LowerToAir::tryOpcodeForType): Deleted.
2011         (JSC::B3::Air::LowerToAir::opcodeForType): Deleted.
2012         (JSC::B3::Air::LowerToAir::appendUnOp): Deleted.
2013         (JSC::B3::Air::LowerToAir::preferRightForResult): Deleted.
2014         (JSC::B3::Air::LowerToAir::appendBinOp): Deleted.
2015         (JSC::B3::Air::LowerToAir::appendShift): Deleted.
2016         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp): Deleted.
2017         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): Deleted.
2018         (JSC::B3::Air::LowerToAir::createStore): Deleted.
2019         (JSC::B3::Air::LowerToAir::storeOpcode): Deleted.
2020         (JSC::B3::Air::LowerToAir::appendStore): Deleted.
2021         (JSC::B3::Air::LowerToAir::moveForType): Deleted.
2022         (JSC::B3::Air::LowerToAir::relaxedMoveForType): Deleted.
2023         (JSC::B3::Air::LowerToAir::print): Deleted.
2024         (JSC::B3::Air::LowerToAir::append): Deleted.
2025         (JSC::B3::Air::LowerToAir::appendTrapping): Deleted.
2026         (JSC::B3::Air::LowerToAir::finishAppendingInstructions): Deleted.
2027         (JSC::B3::Air::LowerToAir::newBlock): Deleted.
2028         (JSC::B3::Air::LowerToAir::splitBlock): Deleted.
2029         (JSC::B3::Air::LowerToAir::ensureSpecial): Deleted.
2030         (JSC::B3::Air::LowerToAir::ensureCheckSpecial): Deleted.
2031         (JSC::B3::Air::LowerToAir::fillStackmap): Deleted.
2032         (JSC::B3::Air::LowerToAir::createGenericCompare): Deleted.
2033         (JSC::B3::Air::LowerToAir::createBranch): Deleted.
2034         (JSC::B3::Air::LowerToAir::createCompare): Deleted.
2035         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
2036         (JSC::B3::Air::LowerToAir::tryAppendLea): Deleted.
2037         (JSC::B3::Air::LowerToAir::appendX86Div): Deleted.
2038         (JSC::B3::Air::LowerToAir::appendX86UDiv): Deleted.
2039         (JSC::B3::Air::LowerToAir::loadLinkOpcode): Deleted.
2040         (JSC::B3::Air::LowerToAir::storeCondOpcode): Deleted.
2041         (JSC::B3::Air::LowerToAir::appendCAS): Deleted.
2042         (JSC::B3::Air::LowerToAir::appendVoidAtomic): Deleted.
2043         (JSC::B3::Air::LowerToAir::appendGeneralAtomic): Deleted.
2044         (JSC::B3::Air::LowerToAir::lower): Deleted.
2045         * b3/B3PatchpointSpecial.cpp:
2046         (JSC::B3::PatchpointSpecial::generate):
2047         * b3/B3ReduceDoubleToFloat.cpp:
2048         (JSC::B3::reduceDoubleToFloat):
2049         * b3/B3ReduceStrength.cpp:
2050         * b3/B3StackmapGenerationParams.cpp:
2051         * b3/B3StackmapSpecial.cpp:
2052         (JSC::B3::StackmapSpecial::repsImpl):
2053         (JSC::B3::StackmapSpecial::repForArg):
2054         * b3/air/AirAllocateStackByGraphColoring.cpp:
2055         (JSC::B3::Air::allocateStackByGraphColoring):
2056         * b3/air/AirEmitShuffle.cpp:
2057         (JSC::B3::Air::emitShuffle):
2058         * b3/air/AirFixObviousSpills.cpp:
2059         * b3/air/AirLowerAfterRegAlloc.cpp:
2060         (JSC::B3::Air::lowerAfterRegAlloc):
2061         * b3/air/AirStackAllocation.cpp:
2062         (JSC::B3::Air::attemptAssignment):
2063         (JSC::B3::Air::assign):
2064         * bytecode/AccessCase.cpp:
2065         (JSC::AccessCase::generateImpl):
2066         * bytecode/CallLinkStatus.cpp:
2067         (JSC::CallLinkStatus::computeDFGStatuses):
2068         * bytecode/GetterSetterAccessCase.cpp:
2069         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
2070         * bytecode/ObjectPropertyConditionSet.cpp:
2071         * bytecode/PolymorphicAccess.cpp:
2072         (JSC::PolymorphicAccess::addCases):
2073         (JSC::PolymorphicAccess::regenerate):
2074         * bytecode/PropertyCondition.cpp:
2075         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
2076         * bytecode/StructureStubInfo.cpp:
2077         (JSC::StructureStubInfo::addAccessCase):
2078         * dfg/DFGArgumentsEliminationPhase.cpp:
2079         * dfg/DFGByteCodeParser.cpp:
2080         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
2081         (JSC::DFG::ByteCodeParser::inliningCost):
2082         (JSC::DFG::ByteCodeParser::inlineCall):
2083         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2084         (JSC::DFG::ByteCodeParser::handleInlining):
2085         (JSC::DFG::ByteCodeParser::planLoad):
2086         (JSC::DFG::ByteCodeParser::store):
2087         (JSC::DFG::ByteCodeParser::parseBlock):
2088         (JSC::DFG::ByteCodeParser::linkBlock):
2089         (JSC::DFG::ByteCodeParser::linkBlocks):
2090         * dfg/DFGCSEPhase.cpp:
2091         * dfg/DFGInPlaceAbstractState.cpp:
2092         (JSC::DFG::InPlaceAbstractState::merge):
2093         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2094         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
2095         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2096         * dfg/DFGMovHintRemovalPhase.cpp:
2097         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2098         * dfg/DFGPhantomInsertionPhase.cpp:
2099         * dfg/DFGPutStackSinkingPhase.cpp:
2100         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2101         * dfg/DFGVarargsForwardingPhase.cpp:
2102         * ftl/FTLAbstractHeap.cpp:
2103         (JSC::FTL::AbstractHeap::compute):
2104         * ftl/FTLAbstractHeapRepository.cpp:
2105         (JSC::FTL::AbstractHeapRepository::decorateMemory):
2106         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
2107         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
2108         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
2109         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
2110         (JSC::FTL::AbstractHeapRepository::decorateFenceRead):
2111         (JSC::FTL::AbstractHeapRepository::decorateFenceWrite):
2112         (JSC::FTL::AbstractHeapRepository::decorateFencedAccess):
2113         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
2114         * ftl/FTLLink.cpp:
2115         (JSC::FTL::link):
2116         * heap/MarkingConstraintSet.cpp:
2117         (JSC::MarkingConstraintSet::add):
2118         * interpreter/ShadowChicken.cpp:
2119         (JSC::ShadowChicken::update):
2120         * jit/BinarySwitch.cpp:
2121         (JSC::BinarySwitch::BinarySwitch):
2122         (JSC::BinarySwitch::build):
2123         * llint/LLIntData.cpp:
2124         (JSC::LLInt::Data::loadStats):
2125         (JSC::LLInt::Data::saveStats):
2126         * runtime/ArrayPrototype.cpp:
2127         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
2128         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2129         * runtime/ErrorInstance.cpp:
2130         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
2131         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
2132         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame const): Deleted.
2133         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index const): Deleted.
2134         * runtime/IntlDateTimeFormat.cpp:
2135         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2136         * runtime/PromiseDeferredTimer.cpp:
2137         (JSC::PromiseDeferredTimer::doWork):
2138         (JSC::PromiseDeferredTimer::addPendingPromise):
2139         (JSC::PromiseDeferredTimer::cancelPendingPromise):
2140         * runtime/TypeProfiler.cpp:
2141         (JSC::TypeProfiler::insertNewLocation):
2142         * runtime/TypeProfilerLog.cpp:
2143         (JSC::TypeProfilerLog::processLogEntries):
2144         * runtime/WeakMapPrototype.cpp:
2145         (JSC::protoFuncWeakMapDelete):
2146         (JSC::protoFuncWeakMapGet):
2147         (JSC::protoFuncWeakMapHas):
2148         (JSC::protoFuncWeakMapSet):
2149         (JSC::getWeakMapData): Deleted.
2150         * runtime/WeakSetPrototype.cpp:
2151         (JSC::protoFuncWeakSetDelete):
2152         (JSC::protoFuncWeakSetHas):
2153         (JSC::protoFuncWeakSetAdd):
2154         (JSC::getWeakMapData): Deleted.
2155         * testRegExp.cpp:
2156         (testOneRegExp):
2157         (runFromFiles):
2158         * wasm/WasmB3IRGenerator.cpp:
2159         (JSC::Wasm::parseAndCompile):
2160         * wasm/WasmBBQPlan.cpp:
2161         (JSC::Wasm::BBQPlan::moveToState):
2162         (JSC::Wasm::BBQPlan::parseAndValidateModule):
2163         (JSC::Wasm::BBQPlan::prepare):
2164         (JSC::Wasm::BBQPlan::compileFunctions):
2165         (JSC::Wasm::BBQPlan::complete):
2166         * wasm/WasmFaultSignalHandler.cpp:
2167         (JSC::Wasm::trapHandler):
2168         * wasm/WasmOMGPlan.cpp:
2169         (JSC::Wasm::OMGPlan::OMGPlan):
2170         (JSC::Wasm::OMGPlan::work):
2171         * wasm/WasmPlan.cpp:
2172         (JSC::Wasm::Plan::fail):
2173         * wasm/WasmSignature.cpp:
2174         (JSC::Wasm::SignatureInformation::adopt):
2175         * wasm/WasmWorklist.cpp:
2176         (JSC::Wasm::Worklist::enqueue):
2177
2178 2017-09-12  Michael Saboff  <msaboff@apple.com>
2179
2180         String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp
2181         https://bugs.webkit.org/show_bug.cgi?id=176814
2182
2183         Reviewed by Mark Lam.
2184
        The copy and advance indices were off by one and needed a little fine tuning.
2186
2187         * runtime/StringPrototype.cpp:
2188         (JSC::substituteBackreferencesSlow):
2189
2190 2017-09-11  Mark Lam  <mark.lam@apple.com>
2191
2192         More exception check book-keeping needed found by 32-bit JSC test failures.
2193         https://bugs.webkit.org/show_bug.cgi?id=176742
2194
2195         Reviewed by Michael Saboff and Keith Miller.
2196
2197         * dfg/DFGOperations.cpp:
2198
2199 2017-09-11  Mark Lam  <mark.lam@apple.com>
2200
2201         Make jsc dump the command line if JSC_dumpOption environment variable is set with a non-zero value.
2202         https://bugs.webkit.org/show_bug.cgi?id=176722
2203
2204         Reviewed by Saam Barati.
2205
2206         For PLATFORM(COCOA), I also dumped the JSC_* environmental variables that are
2207         in effect when jsc is invoked.
2208
2209         * jsc.cpp:
2210         (CommandLine::parseArguments):
2211
2212 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
2213
2214         Unreviewed, rolling out r221854.
2215
2216         The test added with this change fails on 32-bit JSC bots.
2217
2218         Reverted changeset:
2219
2220         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
2221         https://bugs.webkit.org/show_bug.cgi?id=176010
2222         http://trac.webkit.org/changeset/221854
2223
2224 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2225
2226         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
2227         https://bugs.webkit.org/show_bug.cgi?id=176010
2228
2229         Reviewed by Filip Pizlo.
2230
2231         It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
2232         It is used for meta property for objects (see peekMeta function in Ember.js).
2233
2234         This patch optimizes WeakMap#get.
2235
        1. We use inlineGet to inline the WeakMap#get operation in the native function.
        Since this native function itself is very small, we should inline HashMap#get
        entirely in this function.
2239
2240         2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
2241         very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
2242         to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
2243         ObjectUse, and Int32Use.
2244
        3. We add an intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
        calculate the hash value for the key's Object and use this hash value to look up the value in
        JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
        It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
        But anyway, the current one already optimizes the performance, so we leave this for subsequent
        patches.
2251
2252         We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
2253         not used in Ember.js right now.
2254
2255         This patch optimizes WeakMap#get by 50%.
2256
2257                                  baseline                  patched
2258
2259         weak-map-key         88.6456+-3.9564     ^     59.1502+-2.2406        ^ definitely 1.4987x faster
2260
2261         * bytecode/DirectEvalCodeCache.h:
2262         (JSC::DirectEvalCodeCache::tryGet):
2263         * bytecode/SpeculatedType.cpp:
2264         (JSC::dumpSpeculation):
2265         (JSC::speculationFromClassInfo):
2266         (JSC::speculationFromJSType):
2267         (JSC::speculationFromString):
2268         * bytecode/SpeculatedType.h:
2269         * dfg/DFGAbstractInterpreterInlines.h:
2270         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2271         * dfg/DFGByteCodeParser.cpp:
2272         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2273         * dfg/DFGClobberize.h:
2274         (JSC::DFG::clobberize):
2275         * dfg/DFGDoesGC.cpp:
2276         (JSC::DFG::doesGC):
2277         * dfg/DFGFixupPhase.cpp:
2278         (JSC::DFG::FixupPhase::fixupNode):
2279         * dfg/DFGHeapLocation.cpp:
2280         (WTF::printInternal):
2281         * dfg/DFGHeapLocation.h:
2282         * dfg/DFGNode.h:
2283         (JSC::DFG::Node::hasHeapPrediction):
2284         * dfg/DFGNodeType.h:
2285         * dfg/DFGOperations.cpp:
2286         * dfg/DFGOperations.h:
2287         * dfg/DFGPredictionPropagationPhase.cpp:
2288         * dfg/DFGSafeToExecute.h:
2289         (JSC::DFG::SafeToExecuteEdge::operator()):
2290         (JSC::DFG::safeToExecute):
2291         * dfg/DFGSpeculativeJIT.cpp:
2292         (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
2293         (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
2294         (JSC::DFG::SpeculativeJIT::speculate):
2295         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
2296         * dfg/DFGSpeculativeJIT.h:
2297         (JSC::DFG::SpeculativeJIT::callOperation):
2298         * dfg/DFGSpeculativeJIT32_64.cpp:
2299         (JSC::DFG::SpeculativeJIT::compile):
2300         * dfg/DFGSpeculativeJIT64.cpp:
2301         (JSC::DFG::SpeculativeJIT::compile):
2302         * dfg/DFGUseKind.cpp:
2303         (WTF::printInternal):
2304         * dfg/DFGUseKind.h:
2305         (JSC::DFG::typeFilterFor):
2306         (JSC::DFG::isCell):
2307         * ftl/FTLCapabilities.cpp:
2308         (JSC::FTL::canCompile):
2309         * ftl/FTLLowerDFGToB3.cpp:
2310         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2311         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
2312         (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
2313         (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
2314         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2315         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
2316         (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
2317         * jit/JITOperations.h:
2318         * runtime/Intrinsic.cpp:
2319         (JSC::intrinsicName):
2320         * runtime/Intrinsic.h:
2321         * runtime/JSType.h:
2322         * runtime/JSWeakMap.h:
2323         (JSC::isJSWeakMap):
2324         * runtime/JSWeakSet.h:
2325         (JSC::isJSWeakSet):
2326         * runtime/WeakMapBase.cpp:
2327         (JSC::WeakMapBase::get):
2328         * runtime/WeakMapBase.h:
2329         (JSC::WeakMapBase::HashTranslator::hash):
2330         (JSC::WeakMapBase::HashTranslator::equal):
2331         (JSC::WeakMapBase::inlineGet):
2332         * runtime/WeakMapPrototype.cpp:
2333         (JSC::WeakMapPrototype::finishCreation):
2334         (JSC::getWeakMap):
2335         (JSC::protoFuncWeakMapGet):
2336         * runtime/WeakSetPrototype.cpp:
2337         (JSC::getWeakSet):
2338
2339 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2340
2341         [JSC] Optimize Object.keys by using careful array allocation
2342         https://bugs.webkit.org/show_bug.cgi?id=176654
2343
2344         Reviewed by Darin Adler.
2345
        SixSpeed object-assign.es6 stresses Object.keys. Object.keys is one of the frequently used
        functions in JS apps. Luckily Object.keys has several good features.

        1. Once the PropertyNameArray is allocated, we know the length of the result array since
        we do not need to filter out keys listed in the PropertyNameArray. The exception is ProxyObject,
        but it rarely appears. The ProxyObject case goes to the generic path.

        2. Object.keys does not need to access the object after listing the PropertyNameArray. It means
        that we do not need to worry about enumeration attribute changes caused by touching the object.
2355
2356         This patch adds a fast path for Object.keys's array allocation. We allocate the JSArray
2357         with the size and ArrayContiguous indexing shape.
2358
2359         This further improves SixSpeed object-assign.es5 by 13%.
2360
2361                                             baseline                  patched
2362         Microbenchmarks:
2363            object-keys-map-values       73.4324+-2.5397     ^     62.5933+-2.6677        ^ definitely 1.1732x faster
2364            object-keys                  40.8828+-1.5851     ^     29.2066+-1.8944        ^ definitely 1.3998x faster
2365
2366                                             baseline                  patched
2367         SixSpeed:
2368            object-assign.es5           384.8719+-10.7204    ^    340.2734+-12.0947       ^ definitely 1.1311x faster
2369
2370         BTW, the further optimization of Object.keys can be considered: introducing own property keys
2371         cache which is similar to the current enumeration cache. But this patch is orthogonal to
2372         this optimization!
2373
2374         * runtime/ObjectConstructor.cpp:
2375         (JSC::objectConstructorValues):
2376         (JSC::ownPropertyKeys):
2377         * runtime/ObjectConstructor.h:
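        As an added illustration (example code, not part of the WebKit change above) of why the
        ProxyObject case has to take the generic path: for a plain object the enumerable own keys are
        fixed once the key list is collected, but a Proxy's getOwnPropertyDescriptor trap runs after
        ownKeys and can still change enumerability, so the key list length does not determine the
        result length. The trap names and sample objects below are constructed for the demonstration.

```javascript
// For an ordinary object, Object.keys never touches the object after the
// own-property list has been collected: non-enumerable keys are already
// known from that list, so the result length is known up front.
function keysOfPlainObject() {
  const o = { a: 1, b: 2 };
  Object.defineProperty(o, "hidden", { value: 3, enumerable: false });
  return Object.keys(o); // ["a", "b"]
}

// For a Proxy, Object.keys calls back into user code twice: once for
// [[OwnPropertyKeys]] (the ownKeys trap) and then once per key for
// [[GetOwnProperty]] (the getOwnPropertyDescriptor trap), which decides
// enumerability. `log` records the order of those calls.
function keysOfProxy(log) {
  const target = { a: 1, b: 2, c: 3 };
  const proxy = new Proxy(target, {
    ownKeys(t) {
      log.push("ownKeys");
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      const desc = Reflect.getOwnPropertyDescriptor(t, key);
      // Hide "b" from enumeration at descriptor time, i.e. after ownKeys
      // has already reported three keys. This is allowed by the Proxy
      // invariants because "b" is a configurable property of the target.
      if (key === "b" && desc) desc.enumerable = false;
      return desc;
    },
  });
  return Object.keys(proxy); // ["a", "c"], although ownKeys returned 3 keys
}

// Stand-alone run for the reader.
if (typeof require !== "undefined" && require.main === module) {
  const log = [];
  console.log(keysOfPlainObject(), keysOfProxy(log), log);
}
```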
2378
2379 2017-09-10  Mark Lam  <mark.lam@apple.com>
2380
2381         Fix all ExceptionScope verification failures in JavaScriptCore.
2382         https://bugs.webkit.org/show_bug.cgi?id=176662
2383         <rdar://problem/34352085>
2384
2385         Reviewed by Filip Pizlo.
2386
2387         1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope
2388            verification for release builds too (though this requires manually setting
2389            ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).
2390
           This is useful because it allows us to run the tests more quickly to check
           if any regressions have occurred.  Debug builds run so much slower and are not
           good for a quick turnaround.  Debug builds are necessary though to get
           trace information without inlining by the C++ compiler.  This is necessary to
           diagnose where the missing exception check is.
2396
        2. Repurposed the JSC_dumpSimulatedThrows=true option to capture and dump the last
           simulated throw when an exception scope verification fails.
2399
2400            Previously, this option dumps the stack trace on all simulated throws.  That
2401            turned out to not be very useful, and slows down the debugging process.
2402            Instead, the new implementation captures the stack trace and only dumps it
2403            if we have a verification failure.
2404
2405         3. Fixed missing exception checks and book-keeping needed to allow the JSC tests
2406            to pass with JSC_validateExceptionChecks=true.
2407
2408         * bytecode/CodeBlock.cpp:
2409         (JSC::CodeBlock::finishCreation):
2410         * dfg/DFGOSRExit.cpp:
2411         (JSC::DFG::OSRExit::executeOSRExit):
2412         * dfg/DFGOperations.cpp:
2413         * interpreter/Interpreter.cpp:
2414         (JSC::eval):
2415         (JSC::loadVarargs):
2416         (JSC::Interpreter::unwind):
2417         (JSC::Interpreter::executeProgram):
2418         (JSC::Interpreter::executeCall):
2419         (JSC::Interpreter::executeConstruct):
2420         (JSC::Interpreter::prepareForRepeatCall):
2421         (JSC::Interpreter::execute):
2422         (JSC::Interpreter::executeModuleProgram):
2423         * jit/JITOperations.cpp:
2424         (JSC::getByVal):
2425         * jsc.cpp:
2426         (WTF::CustomGetter::customGetterAcessor):
2427         (GlobalObject::moduleLoaderImportModule):
2428         (GlobalObject::moduleLoaderResolve):
2429         * llint/LLIntSlowPaths.cpp:
2430         (JSC::LLInt::getByVal):
2431         (JSC::LLInt::setUpCall):
2432         * parser/Parser.h:
2433         (JSC::Parser::popScopeInternal):
2434         * runtime/AbstractModuleRecord.cpp:
2435         (JSC::AbstractModuleRecord::hostResolveImportedModule):
2436         (JSC::AbstractModuleRecord::resolveImport):
2437         (JSC::AbstractModuleRecord::resolveExportImpl):
2438         (JSC::getExportedNames):
2439         (JSC::AbstractModuleRecord::getModuleNamespace):
2440         * runtime/ArrayPrototype.cpp:
2441         (JSC::getProperty):
2442         (JSC::unshift):
2443         (JSC::arrayProtoFuncToString):
2444         (JSC::arrayProtoFuncToLocaleString):
2445         (JSC::arrayProtoFuncJoin):
2446         (JSC::arrayProtoFuncPop):
2447         (JSC::arrayProtoFuncPush):
2448         (JSC::arrayProtoFuncReverse):
2449         (JSC::arrayProtoFuncShift):
2450         (JSC::arrayProtoFuncSlice):
2451         (JSC::arrayProtoFuncSplice):
2452         (JSC::arrayProtoFuncUnShift):
2453         (JSC::arrayProtoFuncIndexOf):
2454         (JSC::arrayProtoFuncLastIndexOf):
2455         (JSC::concatAppendOne):
2456         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2457         (JSC::arrayProtoPrivateFuncAppendMemcpy):
2458         * runtime/CatchScope.h:
2459         * runtime/CommonSlowPaths.cpp:
2460         (JSC::SLOW_PATH_DECL):
2461         * runtime/DatePrototype.cpp:
2462         (JSC::dateProtoFuncSetTime):
2463         (JSC::setNewValueFromTimeArgs):
2464         * runtime/DirectArguments.h:
2465         (JSC::DirectArguments::length const):
2466         * runtime/ErrorPrototype.cpp:
2467         (JSC::errorProtoFuncToString):
2468         * runtime/ExceptionFuzz.cpp:
2469         (JSC::doExceptionFuzzing):
2470         * runtime/ExceptionScope.h:
2471         (JSC::ExceptionScope::needExceptionCheck):
2472         (JSC::ExceptionScope::assertNoException):
2473         * runtime/GenericArgumentsInlines.h:
2474         (JSC::GenericArguments<Type>::defineOwnProperty):
2475         * runtime/HashMapImpl.h:
2476         (JSC::HashMapImpl::rehash):
2477         * runtime/IntlDateTimeFormat.cpp:
2478         (JSC::IntlDateTimeFormat::formatToParts):
2479         * runtime/JSArray.cpp:
2480         (JSC::JSArray::defineOwnProperty):
2481         (JSC::JSArray::put):
2482         * runtime/JSCJSValue.cpp:
2483         (JSC::JSValue::putToPrimitive):
2484         (JSC::JSValue::putToPrimitiveByIndex):
2485         * runtime/JSCJSValueInlines.h:
2486         (JSC::JSValue::toIndex const):
2487         (JSC::JSValue::get const):
2488         (JSC::JSValue::getPropertySlot const):
2489         (JSC::JSValue::equalSlowCaseInline):
2490         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2491         (JSC::constructGenericTypedArrayViewFromIterator):
2492         (JSC::constructGenericTypedArrayViewWithArguments):
2493         * runtime/JSGenericTypedArrayViewInlines.h:
2494         (JSC::JSGenericTypedArrayView<Adaptor>::set):
2495         * runtime/JSGlobalObject.cpp:
2496         (JSC::JSGlobalObject::put):
2497         * runtime/JSGlobalObjectFunctions.cpp:
2498         (JSC::decode):
2499         (JSC::globalFuncEval):
2500         (JSC::globalFuncProtoGetter):
2501         (JSC::globalFuncProtoSetter):
2502         (JSC::globalFuncImportModule):
2503         * runtime/JSInternalPromise.cpp:
2504         (JSC::JSInternalPromise::then):
2505         * runtime/JSInternalPromiseDeferred.cpp:
2506         (JSC::JSInternalPromiseDeferred::create):
2507         * runtime/JSJob.cpp:
2508         (JSC::JSJobMicrotask::run):
2509         * runtime/JSModuleEnvironment.cpp:
2510         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2511         (JSC::JSModuleEnvironment::put):
2512         (JSC::JSModuleEnvironment::deleteProperty):
2513         * runtime/JSModuleLoader.cpp:
2514         (JSC::JSModuleLoader::provide):
2515         (JSC::JSModuleLoader::loadAndEvaluateModule):
2516         (JSC::JSModuleLoader::loadModule):
2517         (JSC::JSModuleLoader::linkAndEvaluateModule):
2518         (JSC::JSModuleLoader::requestImportModule):
2519         * runtime/JSModuleRecord.cpp:
2520         (JSC::JSModuleRecord::link):
2521         (JSC::JSModuleRecord::instantiateDeclarations):
2522         * runtime/JSONObject.cpp:
2523         (JSC::Stringifier::stringify):
2524         (JSC::Stringifier::toJSON):
2525         (JSC::JSONProtoFuncParse):
2526         * runtime/JSObject.cpp:
2527         (JSC::JSObject::calculatedClassName):
2528         (JSC::ordinarySetSlow):
2529         (JSC::JSObject::putInlineSlow):
2530         (JSC::JSObject::ordinaryToPrimitive const):
2531         (JSC::JSObject::toPrimitive const):
2532         (JSC::JSObject::hasInstance):
2533         (JSC::JSObject::getPropertyNames):
2534         (JSC::JSObject::toNumber const):
2535         (JSC::JSObject::defineOwnIndexedProperty):
2536         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2537         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2538         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2539         (JSC::validateAndApplyPropertyDescriptor):
2540         (JSC::JSObject::defineOwnNonIndexProperty):
2541         (JSC::JSObject::getGenericPropertyNames):
2542         * runtime/JSObject.h:
2543         (JSC::JSObject::get const):
2544         * runtime/JSObjectInlines.h:
2545         (JSC::JSObject::getPropertySlot const):
2546         (JSC::JSObject::getPropertySlot):
2547         (JSC::JSObject::getNonIndexPropertySlot):
2548         (JSC::JSObject::putInlineForJSObject):
2549         * runtime/JSPromiseConstructor.cpp:
2550         (JSC::constructPromise):
2551         * runtime/JSPromiseDeferred.cpp:
2552         (JSC::JSPromiseDeferred::create):
2553         * runtime/JSScope.cpp:
2554         (JSC::abstractAccess):
2555         (JSC::JSScope::resolve):
2556         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
2557         (JSC::JSScope::abstractResolve):
2558         * runtime/LiteralParser.cpp:
2559         (JSC::LiteralParser<CharType>::tryJSONPParse):
2560         (JSC::LiteralParser<CharType>::parse):
2561         * runtime/Lookup.h:
2562         (JSC::putEntry):
2563         * runtime/MapConstructor.cpp:
2564         (JSC::constructMap):
2565         * runtime/NumberPrototype.cpp:
2566         (JSC::numberProtoFuncToString):
2567         * runtime/ObjectConstructor.cpp:
2568         (JSC::objectConstructorSetPrototypeOf):
2569         (JSC::objectConstructorGetOwnPropertyDescriptor):
2570         (JSC::objectConstructorGetOwnPropertyDescriptors):
2571         (JSC::objectConstructorAssign):
2572         (JSC::objectConstructorValues):
2573         (JSC::toPropertyDescriptor):
2574         (JSC::objectConstructorDefineProperty):
2575         (JSC::defineProperties):
2576         (JSC::objectConstructorDefineProperties):
2577         (JSC::ownPropertyKeys):
2578         * runtime/ObjectPrototype.cpp:
2579         (JSC::objectProtoFuncHasOwnProperty):
2580         (JSC::objectProtoFuncIsPrototypeOf):
2581         (JSC::objectProtoFuncLookupGetter):
2582         (JSC::objectProtoFuncLookupSetter):
2583         (JSC::objectProtoFuncToLocaleString):
2584         (JSC::objectProtoFuncToString):
2585         * runtime/Options.h:
2586         * runtime/ParseInt.h:
2587         (JSC::toStringView):
2588         * runtime/ProxyObject.cpp:
2589         (JSC::performProxyGet):
2590         (JSC::ProxyObject::performPut):
2591         * runtime/ReflectObject.cpp:
2592         (JSC::reflectObjectDefineProperty):
2593         * runtime/RegExpConstructor.cpp:
2594         (JSC::toFlags):
2595         (JSC::regExpCreate):
2596         (JSC::constructRegExp):
2597         * runtime/RegExpObject.cpp:
2598         (JSC::collectMatches):
2599         * runtime/RegExpObjectInlines.h:
2600         (JSC::RegExpObject::execInline):
2601         (JSC::RegExpObject::matchInline):
2602         * runtime/RegExpPrototype.cpp:
2603         (JSC::regExpProtoFuncTestFast):
2604         (JSC::regExpProtoFuncExec):
2605         (JSC::regExpProtoFuncMatchFast):
2606         (JSC::regExpProtoFuncToString):
2607         (JSC::regExpProtoFuncSplitFast):
2608         * runtime/ScriptExecutable.cpp:
2609         (JSC::ScriptExecutable::newCodeBlockFor):
2610         (JSC::ScriptExecutable::prepareForExecutionImpl):
2611         * runtime/SetConstructor.cpp:
2612         (JSC::constructSet):
2613         * runtime/ThrowScope.cpp:
2614         (JSC::ThrowScope::simulateThrow):
2615         * runtime/VM.cpp:
2616         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
2617         * runtime/VM.h:
2618         * runtime/WeakMapPrototype.cpp:
2619         (JSC::protoFuncWeakMapSet):
2620         * runtime/WeakSetPrototype.cpp:
2621         (JSC::protoFuncWeakSetAdd):
2622         * wasm/js/WebAssemblyModuleConstructor.cpp:
2623         (JSC::WebAssemblyModuleConstructor::createModule):
2624         * wasm/js/WebAssemblyModuleRecord.cpp:
2625         (JSC::WebAssemblyModuleRecord::link):
2626         * wasm/js/WebAssemblyPrototype.cpp:
2627         (JSC::reject):
2628         (JSC::webAssemblyCompileFunc):
2629         (JSC::resolve):
2630         (JSC::webAssemblyInstantiateFunc):
2631
2632 2017-09-08  Filip Pizlo  <fpizlo@apple.com>
2633
2634         Error should compute .stack and friends lazily
2635         https://bugs.webkit.org/show_bug.cgi?id=176645
2636
2637         Reviewed by Saam Barati.
2638         
2639         Building the string portion of the stack trace after we walk the stack accounts for most of
2640         the cost of computing the .stack property. So, this patch makes ErrorInstance hold onto the
2641         Vector<StackFrame> so that it can build the string only once it's really needed.
2642         
2643         This is an enormous speed-up for programs that allocate and throw exceptions.
2644         
2645         It's a 5.6x speed-up for "new Error()" with a stack that is 4 functions deep.
2646         
2647         It's a 2.2x speed-up for throwing and catching an Error.
2648         
2649         It's a 1.17x speed-up for the WSL test suite (which throws a lot).
2650         
2651         It's a significant speed-up on many of our existing try-catch microbenchmarks. For example,
2652         delta-blue-try-catch is 1.16x faster.
2653
2654         * interpreter/Interpreter.cpp:
2655         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
2656         (JSC::GetStackTraceFunctor::operator() const):
2657         (JSC::Interpreter::getStackTrace):
2658         * interpreter/Interpreter.h:
2659         * runtime/Error.cpp:
2660         (JSC::getStackTrace):
2661         (JSC::getBytecodeOffset):
2662         (JSC::addErrorInfo):
2663         (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
2664         * runtime/Error.h:
2665         * runtime/ErrorInstance.cpp:
2666         (JSC::ErrorInstance::ErrorInstance):
2667         (JSC::ErrorInstance::finishCreation):
2668         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
2669         (JSC::ErrorInstance::visitChildren):
2670         (JSC::ErrorInstance::getOwnPropertySlot):
2671         (JSC::ErrorInstance::getOwnNonIndexPropertyNames):
2672         (JSC::ErrorInstance::defineOwnProperty):
2673         (JSC::ErrorInstance::put):
2674         (JSC::ErrorInstance::deleteProperty):
2675         * runtime/ErrorInstance.h:
2676         * runtime/Exception.cpp:
2677         (JSC::Exception::visitChildren):
2678         (JSC::Exception::finishCreation):
2679         * runtime/Exception.h:
2680         * runtime/StackFrame.cpp:
2681         (JSC::StackFrame::visitChildren):
2682         * runtime/StackFrame.h:
2683         (JSC::StackFrame::StackFrame):
2684
2685 2017-09-09  Mark Lam  <mark.lam@apple.com>
2686
2687         [Re-landing] Use JIT probes for DFG OSR exit.
2688         https://bugs.webkit.org/show_bug.cgi?id=175144
2689         <rdar://problem/33437050>
2690
2691         Not reviewed.  Original patch reviewed by Saam Barati.
2692
2693         Relanding r221774.
2694
2695         * JavaScriptCore.xcodeproj/project.pbxproj:
2696         * assembler/MacroAssembler.cpp:
2697         (JSC::stdFunctionCallback):
2698         * assembler/MacroAssemblerPrinter.cpp:
2699         (JSC::Printer::printCallback):
2700         * assembler/ProbeContext.h:
2701         (JSC::Probe::CPUState::gpr const):
2702         (JSC::Probe::CPUState::spr const):
2703         (JSC::Probe::Context::Context):
2704         (JSC::Probe::Context::arg):
2705         (JSC::Probe::Context::gpr):
2706         (JSC::Probe::Context::spr):
2707         (JSC::Probe::Context::fpr):
2708         (JSC::Probe::Context::gprName):
2709         (JSC::Probe::Context::sprName):
2710         (JSC::Probe::Context::fprName):
2711         (JSC::Probe::Context::gpr const):
2712         (JSC::Probe::Context::spr const):
2713         (JSC::Probe::Context::fpr const):
2714         (JSC::Probe::Context::pc):
2715         (JSC::Probe::Context::fp):
2716         (JSC::Probe::Context::sp):
2717         (JSC::Probe:: const): Deleted.
2718         * assembler/ProbeFrame.h: Copied from Source/JavaScriptCore/assembler/ProbeFrame.h.
2719         * assembler/ProbeStack.cpp:
2720         (JSC::Probe::Page::Page):
2721         * assembler/ProbeStack.h:
2722         (JSC::Probe::Page::get):
2723         (JSC::Probe::Page::set):
2724         (JSC::Probe::Page::physicalAddressFor):
2725         (JSC::Probe::Stack::lowWatermark):
2726         (JSC::Probe::Stack::get):
2727         (JSC::Probe::Stack::set):
2728         * bytecode/ArithProfile.cpp:
2729         * bytecode/ArithProfile.h:
2730         * bytecode/ArrayProfile.h:
2731         (JSC::ArrayProfile::observeArrayMode):
2732         * bytecode/CodeBlock.cpp:
2733         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
2734         * bytecode/CodeBlock.h:
2735         (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
2736         * bytecode/ExecutionCounter.h:
2737         (JSC::ExecutionCounter::hasCrossedThreshold const):
2738         (JSC::ExecutionCounter::setNewThresholdForOSRExit):
2739         * bytecode/MethodOfGettingAValueProfile.cpp:
2740         (JSC::MethodOfGettingAValueProfile::reportValue):
2741         * bytecode/MethodOfGettingAValueProfile.h:
2742         * dfg/DFGDriver.cpp:
2743         (JSC::DFG::compileImpl):
2744         * dfg/DFGJITCode.cpp:
2745         (JSC::DFG::JITCode::findPC): Deleted.
2746         * dfg/DFGJITCode.h:
2747         * dfg/DFGJITCompiler.cpp:
2748         (JSC::DFG::JITCompiler::linkOSRExits):
2749         (JSC::DFG::JITCompiler::link):
2750         * dfg/DFGOSRExit.cpp:
2751         (JSC::DFG::jsValueFor):
2752         (JSC::DFG::restoreCalleeSavesFor):
2753         (JSC::DFG::saveCalleeSavesFor):
2754         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
2755         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2756         (JSC::DFG::saveOrCopyCalleeSavesFor):
2757         (JSC::DFG::createDirectArgumentsDuringExit):
2758         (JSC::DFG::createClonedArgumentsDuringExit):
2759         (JSC::DFG::OSRExit::OSRExit):
2760         (JSC::DFG::emitRestoreArguments):
2761         (JSC::DFG::OSRExit::executeOSRExit):
2762         (JSC::DFG::reifyInlinedCallFrames):
2763         (JSC::DFG::adjustAndJumpToTarget):
2764         (JSC::DFG::printOSRExit):
2765         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
2766         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
2767         (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
2768         (JSC::DFG::OSRExit::correctJump): Deleted.
2769         (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
2770         (JSC::DFG::OSRExit::compileOSRExit): Deleted.
2771         (JSC::DFG::OSRExit::compileExit): Deleted.
2772         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
2773         * dfg/DFGOSRExit.h:
2774         (JSC::DFG::OSRExitState::OSRExitState):
2775         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
2776         * dfg/DFGOSRExitCompilerCommon.cpp:
2777         * dfg/DFGOSRExitCompilerCommon.h:
2778         * dfg/DFGOperations.cpp:
2779         * dfg/DFGOperations.h:
2780         * dfg/DFGThunks.cpp:
2781         (JSC::DFG::osrExitThunkGenerator):
2782         (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
2783         * dfg/DFGThunks.h:
2784         * jit/AssemblyHelpers.cpp:
2785         (JSC::AssemblyHelpers::debugCall): Deleted.
2786         * jit/AssemblyHelpers.h:
2787         * jit/JITOperations.cpp:
2788         * jit/JITOperations.h:
2789         * profiler/ProfilerOSRExit.h:
2790         (JSC::Profiler::OSRExit::incCount):
2791         * runtime/JSCJSValue.h:
2792         * runtime/JSCJSValueInlines.h:
2793         * runtime/VM.h:
2794
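The deferred-write Probe::Stack that this relanded patch (r221774) relies on, as described in the original "Use JIT probes for DFG OSR exit" entry further down this log, modelled in an added example that is not JSC's code: a simplified shadow stack of lazily created 1K pages with memcpy-based get/set (no type-punning casts) and a flush that writes dirty pages back. The names ProbeDemo, Page, Stack, g_stack, live and runRamp, and the constructed g_stack array standing in for the machine stack, are this example's own.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <map>
#include <memory>

namespace ProbeDemo {

// 1K pages, the granularity the ChangeLog entry describes. Everything else
// here is this example's own simplified design, not JSC's Probe::Stack.
constexpr size_t kPageSize = 1024;

// Constructed, page-aligned stand-in for the machine stack (runs offline).
alignas(kPageSize) uint8_t g_stack[4 * kPageSize];

// Read a value straight from the simulated live stack (memcpy, no punning).
template<typename T> T live(size_t offset)
{
    T value;
    std::memcpy(&value, g_stack + offset, sizeof(T));
    return value;
}

// One shadow page: a private 1K copy that absorbs writes until flush().
class Page {
public:
    explicit Page(uintptr_t base) : m_base(base)
    {
        std::memcpy(m_buffer, reinterpret_cast<const void*>(base), kPageSize);
    }

    // memcpy rather than a type-punning cast: the strict-aliasing point that
    // item 2 of the entry makes about the bottom-most get/set methods.
    template<typename T> T get(uintptr_t address) const
    {
        T value;
        std::memcpy(&value, m_buffer + offsetOf(address, sizeof(T)), sizeof(T));
        return value;
    }

    template<typename T> void set(uintptr_t address, T value)
    {
        std::memcpy(m_buffer + offsetOf(address, sizeof(T)), &value, sizeof(T));
        m_dirty = true;
    }

    // Copy buffered writes back to live memory; untouched pages are skipped.
    void flush()
    {
        if (m_dirty)
            std::memcpy(reinterpret_cast<void*>(m_base), m_buffer, kPageSize);
        m_dirty = false;
    }

private:
    size_t offsetOf(uintptr_t address, size_t size) const
    {
        size_t offset = address - m_base;
        assert(offset + size <= kPageSize); // a value must not straddle pages
        return offset;
    }

    uintptr_t m_base;
    bool m_dirty { false };
    uint8_t m_buffer[kPageSize];
};

// Deferred-write stack: pages are created lazily per 1K region touched, so a
// ramp that only rewrites its own frame and the VMEntryRecord needs 1 or 2.
class Stack {
public:
    template<typename T> T get(void* address) { return pageFor(address).get<T>(uintptr_t(address)); }
    template<typename T> void set(void* address, T value) { pageFor(address).set<T>(uintptr_t(address), value); }
    size_t pageCount() const { return m_pages.size(); }
    void flush() { for (auto& entry : m_pages) entry.second->flush(); }

private:
    Page& pageFor(void* address)
    {
        uintptr_t base = uintptr_t(address) & ~uintptr_t(kPageSize - 1);
        auto it = m_pages.find(base);
        if (it == m_pages.end())
            it = m_pages.emplace(base, std::make_unique<Page>(base)).first;
        return *it->second;
    }

    std::map<uintptr_t, std::unique_ptr<Page>> m_pages;
};

// A toy exit ramp: two operands in the current frame plus one slot 3K away
// (a second frame). Returns how many shadow pages buffered those writes.
size_t runRamp(Stack& stack)
{
    stack.set<int32_t>(g_stack + 16, 42);
    stack.set<double>(g_stack + 24, 2.5);
    stack.set<int64_t>(g_stack + 3 * kPageSize + 8, -1);
    return stack.pageCount();
}
} // namespace ProbeDemo
```

Until flush() runs, live memory still holds the old values while the probe already reads back its own writes; the three writes above land in two pages, matching the "1 or 2 pages" case the entry describes for a ramp touching two frames.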
2795 2017-09-09  Ryan Haddad  <ryanhaddad@apple.com>
2796
2797         Unreviewed, rolling out r221774.
2798
2799         This change introduced three debug JSC test timeouts.
2800
2801         Reverted changeset:
2802
2803         "Use JIT probes for DFG OSR exit."
2804         https://bugs.webkit.org/show_bug.cgi?id=175144
2805         http://trac.webkit.org/changeset/221774
2806
2807 2017-09-09  Mark Lam  <mark.lam@apple.com>
2808
2809         Avoid duplicate computations of ExecState::vm().
2810         https://bugs.webkit.org/show_bug.cgi?id=176647
2811
2812         Reviewed by Saam Barati.
2813
2814         Because while computing ExecState::vm() is cheap, it is not free.
2815
2816         This patch also:
2817         1. gets rid of some convenience methods in CallFrame that implicitly do an
2818            ExecState::vm() computation.  This minimizes the chance of us accidentally
2819            computing ExecState::vm() more than necessary.
2820         2. passes vm (when available) to methodTable().
2821         3. passes vm (when available) to JSLockHolder.
2822
2823         * API/JSBase.cpp:
2824         (JSCheckScriptSyntax):
2825         (JSGarbageCollect):
2826         (JSReportExtraMemoryCost):
2827         (JSSynchronousGarbageCollectForDebugging):
2828         (JSSynchronousEdenCollectForDebugging):
2829         * API/JSCallbackConstructor.h:
2830         (JSC::JSCallbackConstructor::create):
2831         * API/JSCallbackObject.h:
2832         (JSC::JSCallbackObject::create):
2833         * API/JSContext.mm:
2834         (-[JSContext setException:]):
2835         * API/JSContextRef.cpp:
2836         (JSContextGetGlobalObject):
2837         (JSContextCreateBacktrace):
2838         * API/JSManagedValue.mm:
2839         (-[JSManagedValue value]):
2840         * API/JSObjectRef.cpp:
2841         (JSObjectMake):
2842         (JSObjectMakeFunctionWithCallback):
2843         (JSObjectMakeConstructor):
2844         (JSObjectMakeFunction):
2845         (JSObjectSetPrototype):
2846         (JSObjectHasProperty):
2847         (JSObjectGetProperty):
2848         (JSObjectSetProperty):
2849         (JSObjectSetPropertyAtIndex):
2850         (JSObjectDeleteProperty):
2851         (JSObjectGetPrivateProperty):
2852         (JSObjectSetPrivateProperty):
2853         (JSObjectDeletePrivateProperty):
2854         (JSObjectIsFunction):
2855         (JSObjectCallAsFunction):
2856         (JSObjectCallAsConstructor):
2857         (JSObjectCopyPropertyNames):
2858         (JSPropertyNameAccumulatorAddName):
2859         * API/JSScriptRef.cpp:
2860         * API/JSTypedArray.cpp:
2861         (JSValueGetTypedArrayType):
2862         (JSObjectMakeTypedArrayWithArrayBuffer):
2863         (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
2864         (JSObjectGetTypedArrayBytesPtr):
2865         (JSObjectGetTypedArrayBuffer):
2866         (JSObjectMakeArrayBufferWithBytesNoCopy):
2867         (JSObjectGetArrayBufferBytesPtr):
2868         * API/JSWeakObjectMapRefPrivate.cpp:
2869         * API/JSWrapperMap.mm:
2870         (constructorHasInstance):
2871         (makeWrapper):
2872         * API/ObjCCallbackFunction.mm:
2873         (objCCallbackFunctionForInvocation):
2874         * bytecode/CodeBlock.cpp:
2875         (JSC::CodeBlock::CodeBlock):
2876         (JSC::CodeBlock::jettison):
2877         * bytecode/CodeBlock.h:
2878         (JSC::CodeBlock::addConstant):
2879         (JSC::CodeBlock::replaceConstant):
2880         * bytecode/PutByIdStatus.cpp:
2881         (JSC::PutByIdStatus::computeFromLLInt):
2882         (JSC::PutByIdStatus::computeFor):
2883         * dfg/DFGDesiredWatchpoints.cpp:
2884         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2885         * dfg/DFGGraph.h:
2886         (JSC::DFG::Graph::globalThisObjectFor):
2887         * dfg/DFGOperations.cpp:
2888         * ftl/FTLOSRExitCompiler.cpp:
2889         (JSC::FTL::compileFTLOSRExit):
2890         * ftl/FTLOperations.cpp:
2891         (JSC::FTL::operationPopulateObjectInOSR):
2892         (JSC::FTL::operationMaterializeObjectInOSR):
2893         * heap/GCAssertions.h:
2894         * inspector/InjectedScriptHost.cpp:
2895         (Inspector::InjectedScriptHost::wrapper):
2896         * inspector/JSInjectedScriptHost.cpp:
2897         (Inspector::JSInjectedScriptHost::subtype):
2898         (Inspector::constructInternalProperty):
2899         (Inspector::JSInjectedScriptHost::getInternalProperties):
2900         (Inspector::JSInjectedScriptHost::weakMapEntries):
2901         (Inspector::JSInjectedScriptHost::weakSetEntries):
2902         (Inspector::JSInjectedScriptHost::iteratorEntries):
2903         * inspector/JSJavaScriptCallFrame.cpp:
2904         (Inspector::valueForScopeLocation):
2905         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2906         (Inspector::toJS):
2907         * inspector/ScriptCallStackFactory.cpp:
2908         (Inspector::extractSourceInformationFromException):
2909         (Inspector::createScriptArguments):
2910         * interpreter/CachedCall.h:
2911         (JSC::CachedCall::CachedCall):
2912         * interpreter/CallFrame.h:
2913         (JSC::ExecState::atomicStringTable const): Deleted.
2914         (JSC::ExecState::propertyNames const): Deleted.
2915         (JSC::ExecState::emptyList const): Deleted.
2916         (JSC::ExecState::interpreter): Deleted.
2917         (JSC::ExecState::heap): Deleted.
2918         * interpreter/Interpreter.cpp:
2919         (JSC::Interpreter::executeProgram):
2920         (JSC::Interpreter::execute):
2921         (JSC::Interpreter::executeModuleProgram):
2922         * jit/JIT.cpp:
2923         (JSC::JIT::privateCompileMainPass):
2924         * jit/JITOperations.cpp:
2925         * jit/JITWorklist.cpp:
2926         (JSC::JITWorklist::compileNow):
2927         * jsc.cpp:
2928         (WTF::RuntimeArray::create):
2929         (WTF::RuntimeArray::getOwnPropertySlot):
2930         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
2931         (WTF::DOMJITFunctionObject::unsafeFunction):
2932         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
2933         (GlobalObject::moduleLoaderFetch):
2934         (functionDumpCallFrame):
2935         (functionCreateRoot):
2936         (functionGetElement):
2937         (functionSetElementRoot):
2938         (functionCreateSimpleObject):
2939         (functionSetHiddenValue):
2940         (functionCreateProxy):
2941         (functionCreateImpureGetter):
2942         (functionCreateCustomGetterObject):
2943         (functionCreateDOMJITNodeObject):
2944         (functionCreateDOMJITGetterObject):
2945         (functionCreateDOMJITGetterComplexObject):
2946         (functionCreateDOMJITFunctionObject):
2947         (functionCreateDOMJITCheckSubClassObject):
2948         (functionGCAndSweep):
2949         (functionFullGC):
2950         (functionEdenGC):
2951         (functionHeapSize):
2952         (functionShadowChickenFunctionsOnStack):
2953         (functionSetGlobalConstRedeclarationShouldNotThrow):
2954         (functionJSCOptions):
2955         (functionFailNextNewCodeBlock):
2956         (functionMakeMasquerader):
2957         (functionDumpTypesForAllVariables):
2958         (functionFindTypeForExpression):
2959         (functionReturnTypeFor):
2960         (functionDumpBasicBlockExecutionRanges):
2961         (functionBasicBlockExecutionCount):
2962         (functionDrainMicrotasks):
2963         (functionGenerateHeapSnapshot):
2964         (functionEnsureArrayStorage):
2965         (functionStartSamplingProfiler):
2966         (runInteractive):
2967         * llint/LLIntSlowPaths.cpp:
2968         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2969         * parser/ModuleAnalyzer.cpp:
2970         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2971         * profiler/ProfilerBytecode.cpp:
2972         (JSC::Profiler::Bytecode::toJS const):
2973         * profiler/ProfilerBytecodeSequence.cpp:
2974         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
2975         * profiler/ProfilerBytecodes.cpp:
2976         (JSC::Profiler::Bytecodes::toJS const):
2977         * profiler/ProfilerCompilation.cpp:
2978         (JSC::Profiler::Compilation::toJS const):
2979         * profiler/ProfilerCompiledBytecode.cpp:
2980         (JSC::Profiler::CompiledBytecode::toJS const):
2981         * profiler/ProfilerDatabase.cpp:
2982         (JSC::Profiler::Database::toJS const):
2983         * profiler/ProfilerEvent.cpp:
2984         (JSC::Profiler::Event::toJS const):
2985         * profiler/ProfilerOSRExit.cpp:
2986         (JSC::Profiler::OSRExit::toJS const):
2987         * profiler/ProfilerOrigin.cpp:
2988         (JSC::Profiler::Origin::toJS const):
2989         * profiler/ProfilerProfiledBytecodes.cpp:
2990         (JSC::Profiler::ProfiledBytecodes::toJS const):
2991         * runtime/AbstractModuleRecord.cpp:
2992         (JSC::identifierToJSValue):
2993         (JSC::AbstractModuleRecord::resolveExportImpl):
2994         (JSC::getExportedNames):
2995         * runtime/ArrayPrototype.cpp:
2996         (JSC::arrayProtoFuncToString):
2997         (JSC::arrayProtoFuncToLocaleString):
2998         * runtime/BooleanConstructor.cpp:
2999         (JSC::constructBooleanFromImmediateBoolean):
3000         * runtime/CallData.cpp:
3001         (JSC::call):
3002         * runtime/CommonSlowPaths.cpp:
3003         (JSC::SLOW_PATH_DECL):
3004         * runtime/CommonSlowPaths.h:
3005         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
3006         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
3007         * runtime/Completion.cpp:
3008         (JSC::checkSyntax):
3009         (JSC::evaluate):
3010         (JSC::loadAndEvaluateModule):
3011         (JSC::loadModule):
3012         (JSC::linkAndEvaluateModule):
3013         (JSC::importModule):
3014         * runtime/ConstructData.cpp:
3015         (JSC::construct):
3016         * runtime/DatePrototype.cpp:
3017         (JSC::dateProtoFuncToJSON):
3018         * runtime/DirectArguments.h:
3019         (JSC::DirectArguments::length const):
3020         * runtime/DirectEvalExecutable.cpp:
3021         (JSC::DirectEvalExecutable::create):
3022         * runtime/ErrorPrototype.cpp:
3023         (JSC::errorProtoFuncToString):
3024         * runtime/ExceptionHelpers.cpp:
3025         (JSC::createUndefinedVariableError):
3026         (JSC::errorDescriptionForValue):
3027         * runtime/FunctionConstructor.cpp:
3028         (JSC::constructFunction):
3029         * runtime/GenericArgumentsInlines.h:
3030         (JSC::GenericArguments<Type>::getOwnPropertyNames):
3031         * runtime/IdentifierInlines.h:
3032         (JSC::Identifier::add):
3033         * runtime/IndirectEvalExecutable.cpp:
3034         (JSC::IndirectEvalExecutable::create):
3035         * runtime/InternalFunction.cpp:
3036         (JSC::InternalFunction::finishCreation):
3037         (JSC::InternalFunction::createSubclassStructureSlow):
3038         * runtime/JSArray.cpp:
3039         (JSC::JSArray::getOwnPropertySlot):
3040         (JSC::JSArray::put):
3041         (JSC::JSArray::deleteProperty):
3042         (JSC::JSArray::getOwnNonIndexPropertyNames):
3043         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
3044         * runtime/JSArray.h:
3045         (JSC::JSArray::shiftCountForShift):
3046         * runtime/JSCJSValue.cpp:
3047         (JSC::JSValue::dumpForBacktrace const):
3048         * runtime/JSDataView.cpp:
3049         (JSC::JSDataView::getOwnPropertySlot):
3050         (JSC::JSDataView::deleteProperty):
3051         (JSC::JSDataView::getOwnNonIndexPropertyNames):
3052         * runtime/JSFunction.cpp:
3053         (JSC::JSFunction::getOwnPropertySlot):
3054         (JSC::JSFunction::deleteProperty):
3055         (JSC::JSFunction::reifyName):
3056         * runtime/JSGlobalObjectFunctions.cpp:
3057         (JSC::globalFuncEval):
3058         * runtime/JSInternalPromise.cpp:
3059         (JSC::JSInternalPromise::then):
3060         * runtime/JSLexicalEnvironment.cpp:
3061         (JSC::JSLexicalEnvironment::deleteProperty):
3062         * runtime/JSMap.cpp:
3063         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
3064         * runtime/JSMapIterator.h:
3065         (JSC::JSMapIterator::advanceIter):
3066         * runtime/JSModuleEnvironment.cpp:
3067         (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
3068         * runtime/JSModuleLoader.cpp:
3069         (JSC::printableModuleKey):
3070         (JSC::JSModuleLoader::provide):
3071         (JSC::JSModuleLoader::loadAndEvaluateModule):
3072         (JSC::JSModuleLoader::loadModule):
3073         (JSC::JSModuleLoader::linkAndEvaluateModule):
3074         (JSC::JSModuleLoader::requestImportModule):
3075         * runtime/JSModuleNamespaceObject.h:
3076         * runtime/JSModuleRecord.cpp:
3077         (JSC::JSModuleRecord::evaluate):
3078         * runtime/JSONObject.cpp:
3079         (JSC::Stringifier::Stringifier):
3080         (JSC::Stringifier::appendStringifiedValue):
3081         (JSC::Stringifier::Holder::appendNextProperty):
3082         * runtime/JSObject.cpp:
3083         (JSC::JSObject::calculatedClassName):
3084         (JSC::JSObject::putByIndex):
3085         (JSC::JSObject::ordinaryToPrimitive const):
3086         (JSC::JSObject::toPrimitive const):
3087         (JSC::JSObject::hasInstance):
3088         (JSC::JSObject::getOwnPropertyNames):
3089         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
3090         (JSC::getCustomGetterSetterFunctionForGetterSetter):
3091         (JSC::JSObject::getOwnPropertyDescriptor):
3092         (JSC::JSObject::getMethod):
3093         * runtime/JSObject.h:
3094         (JSC::JSObject::createRawObject):
3095         (JSC::JSFinalObject::create):
3096         * runtime/JSObjectInlines.h:
3097         (JSC::JSObject::canPerformFastPutInline):
3098         (JSC::JSObject::putInlineForJSObject):
3099         (JSC::JSObject::hasOwnProperty const):
3100         * runtime/JSScope.cpp:
3101         (JSC::isUnscopable):
3102         (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
3103         * runtime/JSSet.cpp:
3104         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
3105         * runtime/JSSetIterator.h:
3106         (JSC::JSSetIterator::advanceIter):
3107         * runtime/JSString.cpp:
3108         (JSC::JSString::getStringPropertyDescriptor):
3109         * runtime/JSString.h:
3110         (JSC::JSString::getStringPropertySlot):
3111         * runtime/MapConstructor.cpp:
3112         (JSC::constructMap):
3113         * runtime/ModuleProgramExecutable.cpp:
3114         (JSC::ModuleProgramExecutable::create):
3115         * runtime/ObjectPrototype.cpp:
3116         (JSC::objectProtoFuncToLocaleString):
3117         * runtime/ProgramExecutable.h:
3118         * runtime/RegExpObject.cpp:
3119         (JSC::RegExpObject::getOwnPropertySlot):
3120         (JSC::RegExpObject::deleteProperty):
3121         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
3122         (JSC::RegExpObject::getPropertyNames):
3123         (JSC::RegExpObject::getGenericPropertyNames):
3124         (JSC::RegExpObject::put):
3125         * runtime/ScopedArguments.h:
3126         (JSC::ScopedArguments::length const):
3127         * runtime/StrictEvalActivation.h:
3128         (JSC::StrictEvalActivation::create):
3129         * runtime/StringObject.cpp:
3130         (JSC::isStringOwnProperty):
3131         (JSC::StringObject::deleteProperty):
3132         (JSC::StringObject::getOwnNonIndexPropertyNames):
3133         * tools/JSDollarVMPrototype.cpp:
3134         (JSC::JSDollarVMPrototype::gc):
3135         (JSC::JSDollarVMPrototype::edenGC):
3136         * wasm/js/WebAssemblyModuleRecord.cpp:
3137         (JSC::WebAssemblyModuleRecord::evaluate):
3138
3139 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3140
3141         [DFG] NewArrayWithSize(size)'s size does not care negative zero
3142         https://bugs.webkit.org/show_bug.cgi?id=176300
3143
3144         Reviewed by Saam Barati.
3145
3146         NewArrayWithSize(size)'s size does not care about negative zero, the
3147         same as NewTypedArray. We propagate this information in
3148         DFGBackwardsPropagationPhase. This removes the negative zero check in
3149         kraken fft's deinterleave function.
3150
3151         * dfg/DFGBackwardsPropagationPhase.cpp:
3152         (JSC::DFG::BackwardsPropagationPhase::propagate):
3153
3154 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3155
3156         [DFG] PutByVal with Array::Generic is too generic
3157         https://bugs.webkit.org/show_bug.cgi?id=176345
3158
3159         Reviewed by Filip Pizlo.
3160
3161         Our DFG/FTL's PutByVal with Array::Generic is too generic an implementation.
3162         We could have a case like
3163
3164             dst[key] = src[key];
3165
3166         with string or symbol keys. But they are handled in the slow path.
3167         This patch adds PutByVal(CellUse, StringUse/SymbolUse, UntypedUse). They go
3168         to an optimized path that does not have generic checks like (isInt32() / isDouble() etc.).
3169
3170         This improves SixSpeed object-assign.es5 by 9.1%.
3171
3172         object-assign.es5             424.3159+-11.0471    ^    388.8771+-10.9239       ^ definitely 1.0911x faster
3173
3174         * dfg/DFGFixupPhase.cpp:
3175         (JSC::DFG::FixupPhase::fixupNode):
3176         * dfg/DFGOperations.cpp:
3177         (JSC::DFG::putByVal):
3178         (JSC::DFG::putByValInternal):
3179         (JSC::DFG::putByValCellInternal):
3180         (JSC::DFG::putByValCellStringInternal):
3181         (JSC::DFG::operationPutByValInternal): Deleted.
3182         * dfg/DFGOperations.h:
3183         * dfg/DFGSpeculativeJIT.cpp:
3184         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString):
3185         (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol):
3186         * dfg/DFGSpeculativeJIT.h:
3187         (JSC::DFG::SpeculativeJIT::callOperation):
3188         * dfg/DFGSpeculativeJIT32_64.cpp:
3189         (JSC::DFG::SpeculativeJIT::compile):
3190         * dfg/DFGSpeculativeJIT64.cpp:
3191         (JSC::DFG::SpeculativeJIT::compile):
3192         * ftl/FTLLowerDFGToB3.cpp:
3193         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
3194         * jit/JITOperations.h:
3195
3196 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3197
3198         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
3199         https://bugs.webkit.org/show_bug.cgi?id=176590
3200
3201         Reviewed by Saam Barati.
3202
3203         We add fixup edges for GetByVal(Array::Generic) to call a faster operation instead of the generic operationGetByVal.
3204
3205                                          baseline                  patched
3206
3207         object-iterate                5.8531+-0.3029            5.7903+-0.2795          might be 1.0108x faster
3208         object-iterate-symbols        7.4099+-0.3993     ^      5.8254+-0.2276        ^ definitely 1.2720x faster
3209
3210         * dfg/DFGFixupPhase.cpp:
3211         (JSC::DFG::FixupPhase::fixupNode):
3212         * dfg/DFGOperations.cpp:
3213         (JSC::DFG::getByValObject):
3214         * dfg/DFGOperations.h:
3215         * dfg/DFGSpeculativeJIT.cpp:
3216         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
3217         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
3218         * dfg/DFGSpeculativeJIT.h:
3219         * dfg/DFGSpeculativeJIT32_64.cpp:
3220         (JSC::DFG::SpeculativeJIT::compile):
3221         * dfg/DFGSpeculativeJIT64.cpp:
3222         (JSC::DFG::SpeculativeJIT::compile):
3223         * ftl/FTLLowerDFGToB3.cpp:
3224         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3225
3226 2017-09-07  Mark Lam  <mark.lam@apple.com>
3227
3228         Use JIT probes for DFG OSR exit.
3229         https://bugs.webkit.org/show_bug.cgi?id=175144
3230         <rdar://problem/33437050>
3231
3232         Reviewed by Saam Barati.
3233
3234         This patch does the following:
3235         1. Replaces osrExitGenerationThunkGenerator() with osrExitThunkGenerator().
3236            While osrExitGenerationThunkGenerator() generates a thunk that compiles a
3237            unique OSR offramp for each DFG OSR exit site, osrExitThunkGenerator()
3238            generates a thunk that just executes the OSR exit.
3239
3240            The osrExitThunkGenerator() generated thunk works by using a single JIT probe
3241            to call OSRExit::executeOSRExit().  The JIT probe takes care of preserving
3242            CPU registers, and providing the Probe::Stack mechanism for modifying the
3243            stack frame.
3244
3245            OSRExit::executeOSRExit() replaces OSRExit::compileOSRExit() and
3246            OSRExit::compileExit().  It is basically a re-write of those functions to
3247            execute the OSR exit work instead of compiling code to execute the work.
3248
3249            As a result, we get the following savings:
3250            a. no more OSR exit ramp compilation time.
3251            b. no use of JIT executable memory for storing each unique OSR exit ramp.
3252
3253            On the negative side, we incur these costs:
3254
3255            c. the OSRExit::executeOSRExit() ramp may be a little slower than the compiled
3256               version of the ramp.  However, OSR exits are rare.  Hence, this small
3257               difference should not matter much.  It is also offset by the savings from
3258               (a).
3259
3260            d. the Probe::Stack allocates 1K pages of memory for buffering stack
3261               modifications.  The number of these pages depends on the span of stack memory
3262               that the OSR exit ramp reads from and writes to.  Since the OSR exit ramp
3263               tends to only modify values in the current DFG frame and the current
3264               VMEntryRecord, the number of pages tends to be only 1 or 2.
3265
3266               Using the jsc tests as a workload, the vast majority of tests that do OSR
3267               exit use 3 or fewer 1K pages (with the overwhelming number using just 1 page).
3268               A few tests that are pathological use up to 14 pages, and one particularly
3269               bad test (function-apply-many-args.js) uses 513 pages.
3270
3271            Similar to the old code, the OSR exit ramp still has 2 parts: 1 part that is
3272            only executed once to compute some values for the exit site that are used by
3273            all exit operations from that site, and a 2nd part to execute the exit.  The
3274            1st part is protected by checking if exit.exitState has already been
3275            initialized.  The computed values are cached in exit.exitState.
3276
3277            Because the OSR exit thunk no longer compiles an OSR exit off-ramp, we no
3278            longer need the facility to patch the site that jumps to the OSR exit ramp.
3279            The DFG::JITCompiler has been modified to remove this patching code.
3280
3281         2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
3282            std::memcpy to avoid strict aliasing issues.
3283
3284            Also optimized the implementation of Probe::Stack::physicalAddressFor().
3285
3286         3. Miscellaneous convenience methods added to make the Probe::Context easier to
3287            use.
3288
3289         4. Added a Probe::Frame class that makes it easier to get/set operands and
3290            arguments in a given frame using the deferred write properties of the
3291            Probe::Stack.  Probe::Frame makes it easier to do some of the recovery work in
3292            the OSR exit ramp.
3293
3294         5. Cloned or converted some functions needed by the OSR exit ramp.  The original
3295            JIT versions of these functions are still left in place because they are still
3296            needed for FTL OSR exit.  A FIXME comment has been added to remove them later.
3297            These functions include:
3298
3299            DFGOSRExitCompilerCommon.cpp's handleExitCounts() ==>
3300                CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize()
3301            DFGOSRExitCompilerCommon.cpp's reifyInlinedCallFrames() ==>
3302                DFGOSRExit.cpp's reifyInlinedCallFrames()
3303            DFGOSRExitCompilerCommon.cpp's adjustAndJumpToTarget() ==>
3304                DFGOSRExit.cpp's adjustAndJumpToTarget()
3305
3306            MethodOfGettingAValueProfile::emitReportValue() ==>
3307                MethodOfGettingAValueProfile::reportValue()
3308
3309            DFGOperations.cpp's operationCreateDirectArgumentsDuringExit() ==>
3310                DFGOSRExit.cpp's createDirectArgumentsDuringExit()
3311            DFGOperations.cpp's operationCreateClonedArgumentsDuringExit() ==>
3312                DFGOSRExit.cpp's createClonedArgumentsDuringExit()
3313
3314         * JavaScriptCore.xcodeproj/project.pbxproj:
3315         * assembler/MacroAssembler.cpp:
3316         (JSC::stdFunctionCallback):
3317         * assembler/MacroAssemblerPrinter.cpp:
3318         (JSC::Printer::printCallback):
3319         * assembler/ProbeContext.h:
3320         (JSC::Probe::CPUState::gpr const):
3321         (JSC::Probe::CPUState::spr const):
3322         (JSC::Probe::Context::Context):
3323         (JSC::Probe::Context::arg):
3324         (JSC::Probe::Context::gpr):
3325         (JSC::Probe::Context::spr):
3326         (JSC::Probe::Context::fpr):
3327         (JSC::Probe::Context::gprName):
3328         (JSC::Probe::Context::sprName):
3329         (JSC::Probe::Context::fprName):
3330         (JSC::Probe::Context::gpr const):
3331         (JSC::Probe::Context::spr const):
3332         (JSC::Probe::Context::fpr const):
3333         (JSC::Probe::Context::pc):
3334         (JSC::Probe::Context::fp):
3335         (JSC::Probe::Context::sp):
3336         (JSC::Probe:: const): Deleted.
3337         * assembler/ProbeFrame.h: Added.
3338         (JSC::Probe::Frame::Frame):
3339         (JSC::Probe::Frame::getArgument):
3340         (JSC::Probe::Frame::getOperand):
3341         (JSC::Probe::Frame::get):
3342         (JSC::Probe::Frame::setArgument):
3343         (JSC::Probe::Frame::setOperand):
3344